diff --git a/Linux-PAM-1.3.1.tar.xz b/Linux-PAM-1.3.1.tar.xz
deleted file mode 100644
index 506f7a9..0000000
--- a/Linux-PAM-1.3.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:eff47a4ecd833fbf18de9686632a70ee8d0794b79aecb217ebd0ce11db4cd0db
-size 912332
diff --git a/_service b/_service
new file mode 100644
index 0000000..b7a310b
--- /dev/null
+++ b/_service
@@ -0,0 +1,14 @@
+
+
+ 1.3.1
+ 1.3.1+git%cd.%h
+ git://github.com/linux-pam/linux-pam.git
+ git
+ enable
+
+
+ xz
+ *.tar
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..bf2e116
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,6 @@
+
+
+ git://github.com/linux-pam/linux-pam.git
+ e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15
+
+
\ No newline at end of file
diff --git a/encryption_method_nis.diff b/encryption_method_nis.diff
deleted file mode 100644
index f812786..0000000
--- a/encryption_method_nis.diff
+++ /dev/null
@@ -1,71 +0,0 @@
---- modules/pam_unix/pam_unix_passwd.c
-+++ modules/pam_unix/pam_unix_passwd.c 2016/04/11 13:49:32
-@@ -840,6 +840,29 @@
- * rebuild the password database file.
- */
-
-+
-+ /* if it is a NIS account, check for special hash algo */
-+ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) {
-+ /* preset encryption method with value from /etc/login.defs */
-+ int j;
-+ char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS);
-+ if (val) {
-+ for (j = 0; j < UNIX_CTRLS_; ++j) {
-+ if (unix_args[j].token && unix_args[j].is_hash_algo
-+ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
-+ break;
-+ }
-+ }
-+ if (j >= UNIX_CTRLS_) {
-+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val);
-+ } else {
-+ ctrl &= unix_args[j].mask; /* for turning things off */
-+ ctrl |= unix_args[j].flag; /* for turning things on */
-+ }
-+ free (val);
-+ }
-+ }
-+
- /*
- * First we encrypt the new password.
- */
---- modules/pam_unix/support.c
-+++ modules/pam_unix/support.c 2016/04/11 13:49:32
-@@ -31,8 +31,8 @@
- #include "support.h"
- #include "passverify.h"
-
--static char *
--search_key (const char *key, const char *filename)
-+char *
-+_unix_search_key (const char *key, const char *filename)
- {
- FILE *fp;
- char *buf = NULL;
-@@ -153,7 +153,7 @@
- }
-
- /* preset encryption method with value from /etc/login.defs */
-- val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
-+ val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
- if (val) {
- for (j = 0; j < UNIX_CTRLS_; ++j) {
- if (unix_args[j].token && unix_args[j].is_hash_algo
-@@ -171,7 +171,7 @@
-
- /* read number of rounds for crypt algo */
- if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
-- val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
-+ val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
-
- if (val) {
- *rounds = strtol(val, NULL, 10);
---- modules/pam_unix/support.h
-+++ modules/pam_unix/support.h 2016/04/11 13:49:32
-@@ -174,4 +174,5 @@
-
- extern int _unix_run_verify_binary(pam_handle_t *pamh,
- unsigned int ctrl, const char *user, int *daysleft);
-+extern char *_unix_search_key(const char *key, const char *filename);
- #endif /* _PAM_UNIX_SUPPORT_H */
diff --git a/etc.environment b/etc.environment
deleted file mode 100644
index 09697f5..0000000
--- a/etc.environment
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# This file is parsed by pam_env module
-#
-# Syntax: simple "KEY=VAL" pairs on seperate lines
-#
diff --git a/linux-pam-1.3.1+git20190807.e31dd6c.tar.xz b/linux-pam-1.3.1+git20190807.e31dd6c.tar.xz
new file mode 100644
index 0000000..71e65e1
--- /dev/null
+++ b/linux-pam-1.3.1+git20190807.e31dd6c.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5203477a4c8ea91e038e08f18efeb3836aa7b395de8b518f405eb3f43ea7fdbf
+size 530264
diff --git a/linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz b/linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz
new file mode 100644
index 0000000..6e424fe
--- /dev/null
+++ b/linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:89397d7cb52e6a331b766d6219c6aaf3e3cc57c384ef8223f10c1f0ff4217bac
+size 64012
diff --git a/pam-login_defs-check.sh b/pam-login_defs-check.sh
index 80ce8fd..d1f9e38 100644
--- a/pam-login_defs-check.sh
+++ b/pam-login_defs-check.sh
@@ -12,7 +12,7 @@ grep -rh LOGIN_DEFS . |
sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' |
LC_ALL=C sort -u >pam-login_defs-vars.lst
-if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3e1ae01b1e928c53c828f64ab412be6267eb1018 ; then
+if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != da39a3ee5e6b4b0d3255bfef95601890afd80709 ; then
echo "does not match!" >&2
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
diff --git a/pam.changes b/pam.changes
index c84e094..e52b4d2 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,64 @@
+-------------------------------------------------------------------
+Thu Aug 22 20:29:24 UTC 2019 - Jan Engelhardt
+
+- Replace old $RPM_* shell vars by macros.
+- Avoid unnecessary invocation of subshells.
+- Shorten recipe for constructing securetty contents on s390.
+
+-------------------------------------------------------------------
+Mon Aug 19 14:45:43 CEST 2019 - kukuk@suse.de
+
+- usr-etc-support.patch: Add support for /usr/etc/pam.d
+
+-------------------------------------------------------------------
+Mon Aug 19 13:33:49 CEST 2019 - kukuk@suse.de
+
+- encryption_method_nis.diff: obsolete, NIS clients shouldn't
+ require DES anymore.
+- etc.environment: removed, the sources contain the same
+
+-------------------------------------------------------------------
+Mon Aug 19 11:28:31 UTC 2019 - kukuk@suse.com
+
+- Update to version 1.3.1+git20190807.e31dd6c:
+ * pam_tty_audit: Manual page clarification about password logging
+ * pam_get_authtok_verify: Avoid duplicate password verification
+ * Mention that ./autogen.sh is needeed to be run if you check out the sources from git
+ * pam_unix: Correct MAXPASS define name in the previous two commits.
+ * Restrict password length when changing password
+ * Trim password at PAM_MAX_RESP_SIZE chars
+ * pam_succeed_if: Request user data only when needed
+ * pam_tally2: Remove unnecessary fsync()
+ * Fixed a grammer mistake
+ * Fix documentation for pam_wheel
+ * Fix a typo in the documentation
+ * pam_lastlog: Improve silent option documentation
+ * pam_lastlog: Respect PAM_SILENT flag
+ * Fix regressions from the last commits.
+ * Replace strndupa with strncpy
+ * build: ignore pam_lastlog when logwtmp is not available.
+ * build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
+ * pam_motd: Cleanup the code and avoid unnecessary logging
+ * pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
+ * Move the duplicated search_key function to pam_modutil.
+ * pam_unix: Use pam_syslog instead of helper_log_err.
+ * pam_unix: Report unusable hashes found by checksalt to syslog.
+ * Revert "pam_unix: Add crypt_default method, if supported."
+ * pam_unix: Add crypt_default method, if supported.
+ * Revert part of the commit 4da9febc
+ * pam_unix: Add support for (gost-)yescrypt hashing methods.
+ * pam_unix: Fix closing curly brace. (#77)
+ * pam_unix: Add support for crypt_checksalt, if libcrypt supports it.
+ * pam_unix: Prefer a gensalt function, that supports auto entropy.
+ * pam_motd: Fix segmentation fault when no motd_dir specified (#76)
+ * pam_motd: Support multiple motd paths specified, with filename overrides (#69)
+ * pam_unix: Use bcrypt b-variant for computing new hashes.
+ * pam_tally, pam_tally2: fix grammar and spelling (#54)
+ * Fix grammar of messages printed via pam_prompt
+ * pam_stress: do not mark messages for translation
+ * pam_unix: remove obsolete _UNIX_AUTHTOK, _UNIX_OLD_AUTHTOK, and _UNIX_NEW_AUTHTOK macros
+ * pam_unix: remove obsolete _unix_read_password prototype
+
-------------------------------------------------------------------
Thu May 2 23:55:30 CEST 2019 - sbrabec@suse.com
diff --git a/pam.spec b/pam.spec
index 7fec94b..b22d1dd 100644
--- a/pam.spec
+++ b/pam.spec
@@ -18,13 +18,49 @@
#
%define enable_selinux 1
-
+%define libpam_so_version 0.84.2
+%define libpam_misc_so_version 0.82.1
+%define libpamc_so_version 0.82.1
Name: pam
-Url: http://www.linux-pam.org/
+#
+Version: 1.3.1+git20190807.e31dd6c
+Release: 0
+Summary: A Security Tool that Provides Authentication for Applications
+License: GPL-2.0-or-later OR BSD-3-Clause
+Group: System/Libraries
+URL: http://www.linux-pam.org/
+Source: linux-pam-%{version}.tar.xz
+Source1: Linux-PAM-1.3.1-docs.tar.xz
+Source2: linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz
+Source3: other.pamd
+Source4: common-auth.pamd
+Source5: common-account.pamd
+Source6: common-password.pamd
+Source7: common-session.pamd
+Source8: securetty
+Source9: baselibs.conf
+Source10: unix2_chkpwd.c
+Source11: unix2_chkpwd.8
+Source12: pam-login_defs-check.sh
+Patch0: fix-man-links.dif
+Patch2: pam-limit-nproc.patch
+Patch4: pam-hostnames-in-access_conf.patch
+Patch5: use-correct-IP-address.patch
+Patch6: usr-etc-support.patch
BuildRequires: audit-devel
+# Remove with next version update:
+BuildRequires: autoconf
+BuildRequires: automake
BuildRequires: bison
BuildRequires: cracklib-devel
BuildRequires: flex
+BuildRequires: libdb-4_8-devel
+BuildRequires: libtool
+# All login.defs variables require support from shadow side.
+# Upgrade this symbol version only if new variables appear!
+# Verify by shadow-login_defs-check.sh from shadow source package.
+Requires: login_defs-support-for-pam >= 1.3.1
+Requires(post): permissions
%if 0%{?suse_version} > 1320
BuildRequires: libdb-4_8-devel
BuildRequires: xz
@@ -34,59 +70,16 @@ BuildRequires: pkgconfig(libtirpc)
%if %{enable_selinux}
BuildRequires: libselinux-devel
%endif
-%define libpam_so_version 0.84.2
-%define libpam_misc_so_version 0.82.1
-%define libpamc_so_version 0.82.1
-#
-Version: 1.3.1
-Release: 0
-Summary: A Security Tool that Provides Authentication for Applications
-License: GPL-2.0-or-later OR BSD-3-Clause
-Group: System/Libraries
-PreReq: permissions
%if 0%{?suse_version} >= 1330
Requires(pre): group(shadow)
Requires(pre): user(root)
%endif
-# All login.defs variables require support from shadow side.
-# Upgrade this symbol version only if new variables appear!
-# Verify by shadow-login_defs-check.sh from shadow source package.
-# Recent symbol includes variable from encryption_method_nis.diff.
-Requires: login_defs-support-for-pam >= 1.3.1
-
-#DL-URL: https://fedorahosted.org/releases/l/i/linux-pam/
-Source: Linux-PAM-%{version}.tar.xz
-Source1: Linux-PAM-%{version}-docs.tar.xz
-Source2: securetty
-Source3: other.pamd
-Source4: common-auth.pamd
-Source5: common-account.pamd
-Source6: common-password.pamd
-Source7: common-session.pamd
-Source8: etc.environment
-Source9: baselibs.conf
-Source10: unix2_chkpwd.c
-Source11: unix2_chkpwd.8
-Source12: pam-login_defs-check.sh
-Patch0: fix-man-links.dif
-Patch2: pam-limit-nproc.patch
-Patch3: encryption_method_nis.diff
-Patch4: pam-hostnames-in-access_conf.patch
-Patch5: use-correct-IP-address.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
-BuildRequires: libdb-4_8-devel
-# Remove with next version update:
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: libtool
%description
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
-
-
%package doc
Summary: Documentation for Pluggable Authentication Modules
Group: Documentation/HTML
@@ -101,10 +94,8 @@ having to recompile programs that do authentication.
This package contains the documentation.
-
-
%package devel
-Summary: Include Files and Libraries for PAM-Development
+Summary: Include Files and Libraries for PAM Development
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: pam = %{version}
@@ -117,24 +108,23 @@ having to recompile programs which do authentication.
This package contains header files and static libraries used for
building both PAM-aware applications and modules for use with PAM.
-
-
%prep
-%setup -q -n Linux-PAM-%{version} -b 1
-cp -a %{S:12} .
+%setup -q -n linux-pam-%{version} -b 1 -a 2
+cp -av ../Linux-PAM-1.3.1/* .
+cp -a %{SOURCE12} .
%patch0 -p1
%patch2 -p1
-%patch3 -p0
-%patch4 -p0
+%patch4
%patch5 -p1
+%patch6
%build
bash ./pam-login_defs-check.sh
-autoreconf -fiv
-export CFLAGS="%optflags -DNDEBUG"
+./autogen.sh
+export CFLAGS="%{optflags} -DNDEBUG"
%configure \
--sbindir=/sbin \
- --includedir=%_includedir/security \
+ --includedir=%{_includedir}/security \
--docdir=%{_docdir}/pam \
--htmldir=%{_docdir}/pam/html \
--pdfdir=%{_docdir}/pam/pdf \
@@ -142,83 +132,72 @@ export CFLAGS="%optflags -DNDEBUG"
--enable-isadir=../../%{_lib}/security \
--enable-securedir=/%{_lib}/security
make %{?_smp_mflags}
-%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/.libs/ -lpam
+gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/linux-pam-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/linux-pam-%{version}/libpam/.libs/ -lpam
%check
make %{?_smp_mflags} check
%install
-mkdir -p $RPM_BUILD_ROOT/etc/pam.d
-mkdir -p $RPM_BUILD_ROOT/usr/include/security
-mkdir -p $RPM_BUILD_ROOT/%{_lib}/security
-mkdir -p $RPM_BUILD_ROOT/sbin
-mkdir -p -m 755 $RPM_BUILD_ROOT%{_libdir}
-make DESTDIR=$RPM_BUILD_ROOT install
-/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}
+mkdir -p %{buildroot}%{_sysconfdir}/pam.d
+mkdir -p %{buildroot}%{_prefix}%{_sysconfdir}/pam.d
+mkdir -p %{buildroot}%{_includedir}/security
+mkdir -p %{buildroot}/%{_lib}/security
+mkdir -p %{buildroot}/sbin
+mkdir -p -m 755 %{buildroot}%{_libdir}
+%make_install
+/sbin/ldconfig -n %{buildroot}/%{_lib}
# Install documentation
-make -C doc install DESTDIR=$RPM_BUILD_ROOT
-# install /etc/environment
-install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc/environment
+%make_install -C doc
# install securetty
-install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/etc
+install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}
%ifarch s390 s390x
-echo "ttyS0" >> $RPM_BUILD_ROOT/etc/securetty
-echo "ttyS1" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc0" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc1" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc2" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc3" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc4" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc5" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc6" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc7" >> $RPM_BUILD_ROOT/etc/securetty
-echo "sclp_line0" >> $RPM_BUILD_ROOT/etc/securetty
-echo "ttysclp0" >> $RPM_BUILD_ROOT/etc/securetty
+for i in ttyS0 ttyS1 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 sclp_line0 ttysclp0; do
+ echo "$i" >>%{buildroot}/%{_sysconfdir}/securetty
+done
%endif
# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
-install -d $RPM_BUILD_ROOT%{_sysconfdir}/security/namespace.d
+install -d %{buildroot}%{_sysconfdir}/security/namespace.d
# install other.pamd and common-*.pamd
-install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/other
-install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/etc/pam.d/common-auth
-install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/common-account
-install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/common-password
-install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/etc/pam.d/common-session
-rm $RPM_BUILD_ROOT/%{_lib}/libpam.so
-ln -sf ../../%{_lib}/libpam.so.%{libpam_so_version} $RPM_BUILD_ROOT%{_libdir}/libpam.so
-rm $RPM_BUILD_ROOT/%{_lib}/libpamc.so
-ln -sf ../../%{_lib}/libpamc.so.%{libpamc_so_version} $RPM_BUILD_ROOT%{_libdir}/libpamc.so
-rm $RPM_BUILD_ROOT/%{_lib}/libpam_misc.so
-ln -sf ../../%{_lib}/libpam_misc.so.%{libpam_misc_so_version} $RPM_BUILD_ROOT%{_libdir}/libpam_misc.so
+install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pam.d/other
+install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/common-auth
+install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/common-account
+install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/common-password
+install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/pam.d/common-session
+rm %{buildroot}/%{_lib}/libpam.so
+ln -sf ../../%{_lib}/libpam.so.%{libpam_so_version} %{buildroot}%{_libdir}/libpam.so
+rm %{buildroot}/%{_lib}/libpamc.so
+ln -sf ../../%{_lib}/libpamc.so.%{libpamc_so_version} %{buildroot}%{_libdir}/libpamc.so
+rm %{buildroot}/%{_lib}/libpam_misc.so
+ln -sf ../../%{_lib}/libpam_misc.so.%{libpam_misc_so_version} %{buildroot}%{_libdir}/libpam_misc.so
#
# Remove crap
#
-rm -rf $RPM_BUILD_ROOT/%{_lib}/*.la $RPM_BUILD_ROOT/%{_lib}/security/*.la
+find %{buildroot} -type f -name "*.la" -delete -print
for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do
- ln -f $RPM_BUILD_ROOT/%{_lib}/security/pam_unix.so $RPM_BUILD_ROOT/%{_lib}/security/$x.so
+ ln -f %{buildroot}/%{_lib}/security/pam_unix.so %{buildroot}/%{_lib}/security/$x.so
done
#
# Install READMEs of PAM modules
#
-DOC=$RPM_BUILD_ROOT%{_defaultdocdir}/pam
+DOC=%{buildroot}%{_defaultdocdir}/pam
mkdir -p $DOC/modules
-(
- cd modules;
- for i in pam_*/README ; do
- cp -fpv ${i} $DOC/modules/README.`dirname ${i}`
- done
-)
+pushd modules
+for i in pam_*/README; do
+ cp -fpv "$i" "$DOC/modules/README.${i%/*}"
+done
+popd
#
# pam_tally is deprecated since ages
#
-rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so
-rm -f $RPM_BUILD_ROOT/sbin/pam_tally
-rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8*
-rm -f $RPM_BUILD_ROOT%{_defaultdocdir}/pam/modules/README.pam_tally
+rm -f %{buildroot}/%{_lib}/security/pam_tally.so
+rm -f %{buildroot}/sbin/pam_tally
+rm -f %{buildroot}%{_mandir}/man8/pam_tally.8*
+rm -f %{buildroot}%{_defaultdocdir}/pam/modules/README.pam_tally
# Install unix2_chkpwd
-install -m 755 $RPM_BUILD_DIR/unix2_chkpwd $RPM_BUILD_ROOT/sbin/
-install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
+install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}/sbin/
+install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
# Create filelist with translatins
-%{find_lang} Linux-PAM
+%find_lang Linux-PAM
%verifyscript
%verify_permissions -e /sbin/unix_chkpwd
@@ -232,8 +211,8 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
%postun -p /sbin/ldconfig
%files -f Linux-PAM.lang
-%defattr(-,root,root)
%dir %{_sysconfdir}/pam.d
+%dir %{_prefix}%{_sysconfdir}/pam.d
%dir %{_sysconfdir}/security
%dir %{_sysconfdir}/security/limits.d
%dir %{_defaultdocdir}/pam
@@ -251,13 +230,13 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
%config(noreplace) %{_sysconfdir}/security/time.conf
%config(noreplace) %{_sysconfdir}/security/namespace.conf
%config(noreplace) %{_sysconfdir}/security/namespace.init
-%dir %{_sysconfdir}/security/namespace.d
+%dir %{_sysconfdir}/security/namespace.d
%doc NEWS
%license COPYING
-%doc %{_mandir}/man5/environment.5*
-%doc %{_mandir}/man5/*.conf.5*
-%doc %{_mandir}/man5/pam.d.5*
-%doc %{_mandir}/man8/*
+%{_mandir}/man5/environment.5%{?ext_man}
+%{_mandir}/man5/*.conf.5%{?ext_man}
+%{_mandir}/man5/pam.d.5%{?ext_man}
+%{_mandir}/man8/*
/%{_lib}/libpam.so.0
/%{_lib}/libpam.so.%{libpam_so_version}
/%{_lib}/libpamc.so.0
@@ -333,9 +312,9 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
%files devel
%defattr(644,root,root,755)
-%dir /usr/include/security
-%doc %{_mandir}/man3/pam*
-%doc %{_mandir}/man3/misc_conv.3*
+%dir %{_includedir}/security
+%{_mandir}/man3/pam*
+%{_mandir}/man3/misc_conv.3%{?ext_man}
%{_includedir}/security/*.h
%{_libdir}/libpam.so
%{_libdir}/libpamc.so
diff --git a/usr-etc-support.patch b/usr-etc-support.patch
new file mode 100644
index 0000000..631b095
--- /dev/null
+++ b/usr-etc-support.patch
@@ -0,0 +1,81 @@
+--- doc/man/pam.8.xml
++++ doc/man/pam.8.xml 2019/08/16 13:37:44
+@@ -53,11 +53,13 @@
+
+
+ Vendor-supplied PAM configuration files might be installed in
+- the system directory /usr/lib/pam.d/ instead
++ the system directory /usr/lib/pam.d/ or
++ /usr/etc/pam.d/ instead
+ of the machine configuration directory /etc/pam.d/.
+ If no machine configuration file is found, the vendor-supplied file
+ is used. All files in /etc/pam.d/ override
+- files with the same name in /usr/lib/pam.d/.
++ files with the same name in /usr/lib/pam.d/,
++ which override files with the same name in /usr/etc/pam.d/.
+
+
+ From the point of view of the system administrator, for whom this
+@@ -157,6 +159,16 @@
+
+
+
++ /usr/etc/pam.d
++
++
++ the Linux-PAM vendor configuration
++ directory. Files in /etc/pam.d and
++ /usr/lib/pam.d override files with the same
++ name in this directory.
++
++
++
+
+
+
+--- libpam/pam_handlers.c
++++ libpam/pam_handlers.c 2019/08/16 13:35:31
+@@ -329,6 +329,21 @@
+ *file = f;
+ return PAM_SUCCESS;
+ }
++
++ /* System Configuration /usr/etc/pam.d/ */
++ _pam_drop(p);
++ if (asprintf (&p, PAM_CONFIG_DIST2_DF, service) < 0) {
++ pam_syslog(pamh, LOG_CRIT, "asprintf failed");
++ return PAM_BUF_ERR;
++ }
++ D(("opening %s", p));
++ f = fopen(p, "r");
++ if (f != NULL) {
++ *path = p;
++ *file = f;
++ return PAM_SUCCESS;
++ }
++
+ _pam_drop(p);
+
+ return PAM_ABORT;
+@@ -447,7 +462,8 @@
+
+ /* Is there a PAM_CONFIG_D directory? */
+ if ((stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) ||
+- (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) {
++ (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) ||
++ (stat(PAM_CONFIG_DIST2_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) {
+ char *path = NULL;
+ int read_something=0;
+
+--- libpam/pam_private.h
++++ libpam/pam_private.h 2019/08/16 13:33:04
+@@ -29,6 +29,9 @@
+ #define PAM_CONFIG_DF "/etc/pam.d/%s"
+ #define PAM_CONFIG_DIST_D "/usr/lib/pam.d"
+ #define PAM_CONFIG_DIST_DF "/usr/lib/pam.d/%s"
++#define PAM_CONFIG_DIST2_D "/usr/etc/pam.d"
++#define PAM_CONFIG_DIST2_DF "/usr/etc/pam.d/%s"
++
+
+ #define PAM_DEFAULT_SERVICE "other" /* lower case */
+