Accepting request 725565 from Linux-PAM

OBS-URL: https://build.opensuse.org/request/show/725565
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=96
Dominique Leuenberger 2019-09-07 09:24:03 +00:00 committed by Git OBS Bridge
commit 87f5d03c6d
11 changed files with 266 additions and 198 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:eff47a4ecd833fbf18de9686632a70ee8d0794b79aecb217ebd0ce11db4cd0db
size 912332

14
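--- a/_service
+++ b/_service
@@ -0,0 +1,14 @@
+<services>
+<service name="tar_scm" mode="disabled">
+<param name="version">1.3.1</param>
+<param name="versionformat">1.3.1+git%cd.%h</param>
+<param name="url">git://github.com/linux-pam/linux-pam.git</param>
+<param name="scm">git</param>
+<param name="changesgenerate">enable</param>
+</service>
+<service name="recompress" mode="disabled">
+<param name="compression">xz</param>
+<param name="file">*.tar</param>
+</service>
+<service name="set_version" mode="disabled"/>
+</services>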
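Review bot: The `url` parameter pulls the upstream sources over `git://`, a transport with no encryption or server authentication, which is a weak choice for the tree an authentication library is built from; `<param name="url">https://github.com/linux-pam/linux-pam.git</param>` fetches the same repository over TLS. The file also carries no `revision` parameter, so a re-run of the (disabled) service takes whatever the default branch points to at that moment; pinning it, e.g. `<param name="revision">e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15</param>` as recorded in `_servicedata`, makes the snapshot reproducible. The same `git://` URL appears in `_servicedata`, which is presumably regenerated by the service run.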

6
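--- a/_servicedata
+++ b/_servicedata
@@ -0,0 +1,6 @@
+<servicedata>
+<service name="tar_scm">
+<param name="url">git://github.com/linux-pam/linux-pam.git</param>
+<param name="changesrevision">e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15</param>
+</service>
+</servicedata>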


@ -1,71 +0,0 @@
--- modules/pam_unix/pam_unix_passwd.c
+++ modules/pam_unix/pam_unix_passwd.c 2016/04/11 13:49:32
@@ -840,6 +840,29 @@
* rebuild the password database file.
*/
+
+ /* if it is a NIS account, check for special hash algo */
+ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) {
+ /* preset encryption method with value from /etc/login.defs */
+ int j;
+ char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS);
+ if (val) {
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+ if (unix_args[j].token && unix_args[j].is_hash_algo
+ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
+ break;
+ }
+ }
+ if (j >= UNIX_CTRLS_) {
+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val);
+ } else {
+ ctrl &= unix_args[j].mask; /* for turning things off */
+ ctrl |= unix_args[j].flag; /* for turning things on */
+ }
+ free (val);
+ }
+ }
+
/*
* First we encrypt the new password.
*/
--- modules/pam_unix/support.c
+++ modules/pam_unix/support.c 2016/04/11 13:49:32
@@ -31,8 +31,8 @@
#include "support.h"
#include "passverify.h"
-static char *
-search_key (const char *key, const char *filename)
+char *
+_unix_search_key (const char *key, const char *filename)
{
FILE *fp;
char *buf = NULL;
@@ -153,7 +153,7 @@
}
/* preset encryption method with value from /etc/login.defs */
- val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+ val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
if (val) {
for (j = 0; j < UNIX_CTRLS_; ++j) {
if (unix_args[j].token && unix_args[j].is_hash_algo
@@ -171,7 +171,7 @@
/* read number of rounds for crypt algo */
if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
- val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+ val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
if (val) {
*rounds = strtol(val, NULL, 10);
--- modules/pam_unix/support.h
+++ modules/pam_unix/support.h 2016/04/11 13:49:32
@@ -174,4 +174,5 @@
extern int _unix_run_verify_binary(pam_handle_t *pamh,
unsigned int ctrl, const char *user, int *daysleft);
+extern char *_unix_search_key(const char *key, const char *filename);
#endif /* _PAM_UNIX_SUPPORT_H */


@ -1,5 +0,0 @@
#
# This file is parsed by pam_env module
#
# Syntax: simple "KEY=VAL" pairs on seperate lines
#


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5203477a4c8ea91e038e08f18efeb3836aa7b395de8b518f405eb3f43ea7fdbf
size 530264


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:89397d7cb52e6a331b766d6219c6aaf3e3cc57c384ef8223f10c1f0ff4217bac
size 64012


@ -12,7 +12,7 @@ grep -rh LOGIN_DEFS . |
sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' | sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' |
LC_ALL=C sort -u >pam-login_defs-vars.lst LC_ALL=C sort -u >pam-login_defs-vars.lst
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3e1ae01b1e928c53c828f64ab412be6267eb1018 ; then if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != da39a3ee5e6b4b0d3255bfef95601890afd80709 ; then
echo "does not match!" >&2 echo "does not match!" >&2
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2 echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
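Review bot: The new expected checksum `da39a3ee5e6b4b0d3255bfef95601890afd80709` is the SHA-1 of empty input, so the check now passes only when the grep/sed pipeline extracts no login.defs variable at all. That is presumably because the updated sources no longer call `search_key ("KEY", LOGIN_DEFS)` in that form (the changelog mentions the function moving to pam_modutil), which leaves this guard unable to notice a new variable that shadow has to support. I would adapt the sed pattern to the call form used in the new tree, pin the checksum of the resulting non-empty list, and fail early on an empty one, e.g. `test -s pam-login_defs-vars.lst || { echo "no login.defs variables found" >&2; exit 1; }`. The script starts and ends outside this hunk.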


@ -1,3 +1,64 @@
-------------------------------------------------------------------
Thu Aug 22 20:29:24 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Replace old $RPM_* shell vars by macros.
- Avoid unnecessary invocation of subshells.
- Shorten recipe for constructing securetty contents on s390.
-------------------------------------------------------------------
Mon Aug 19 14:45:43 CEST 2019 - kukuk@suse.de
- usr-etc-support.patch: Add support for /usr/etc/pam.d
-------------------------------------------------------------------
Mon Aug 19 13:33:49 CEST 2019 - kukuk@suse.de
- encryption_method_nis.diff: obsolete, NIS clients shouldn't
require DES anymore.
- etc.environment: removed, the sources contain the same
-------------------------------------------------------------------
Mon Aug 19 11:28:31 UTC 2019 - kukuk@suse.com
- Update to version 1.3.1+git20190807.e31dd6c:
* pam_tty_audit: Manual page clarification about password logging
* pam_get_authtok_verify: Avoid duplicate password verification
* Mention that ./autogen.sh is needeed to be run if you check out the sources from git
* pam_unix: Correct MAXPASS define name in the previous two commits.
* Restrict password length when changing password
* Trim password at PAM_MAX_RESP_SIZE chars
* pam_succeed_if: Request user data only when needed
* pam_tally2: Remove unnecessary fsync()
* Fixed a grammer mistake
* Fix documentation for pam_wheel
* Fix a typo in the documentation
* pam_lastlog: Improve silent option documentation
* pam_lastlog: Respect PAM_SILENT flag
* Fix regressions from the last commits.
* Replace strndupa with strncpy
* build: ignore pam_lastlog when logwtmp is not available.
* build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
* pam_motd: Cleanup the code and avoid unnecessary logging
* pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
* Move the duplicated search_key function to pam_modutil.
* pam_unix: Use pam_syslog instead of helper_log_err.
* pam_unix: Report unusable hashes found by checksalt to syslog.
* Revert "pam_unix: Add crypt_default method, if supported."
* pam_unix: Add crypt_default method, if supported.
* Revert part of the commit 4da9febc
* pam_unix: Add support for (gost-)yescrypt hashing methods.
* pam_unix: Fix closing curly brace. (#77)
* pam_unix: Add support for crypt_checksalt, if libcrypt supports it.
* pam_unix: Prefer a gensalt function, that supports auto entropy.
* pam_motd: Fix segmentation fault when no motd_dir specified (#76)
* pam_motd: Support multiple motd paths specified, with filename overrides (#69)
* pam_unix: Use bcrypt b-variant for computing new hashes.
* pam_tally, pam_tally2: fix grammar and spelling (#54)
* Fix grammar of messages printed via pam_prompt
* pam_stress: do not mark messages for translation
* pam_unix: remove obsolete _UNIX_AUTHTOK, _UNIX_OLD_AUTHTOK, and _UNIX_NEW_AUTHTOK macros
* pam_unix: remove obsolete _unix_read_password prototype
------------------------------------------------------------------- -------------------------------------------------------------------
Thu May 2 23:55:30 CEST 2019 - sbrabec@suse.com Thu May 2 23:55:30 CEST 2019 - sbrabec@suse.com

213
pam.spec

@ -18,13 +18,49 @@
# #
%define enable_selinux 1 %define enable_selinux 1
%define libpam_so_version 0.84.2
%define libpam_misc_so_version 0.82.1
%define libpamc_so_version 0.82.1
Name: pam Name: pam
Url: http://www.linux-pam.org/ #
Version: 1.3.1+git20190807.e31dd6c
Release: 0
Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause
Group: System/Libraries
URL: http://www.linux-pam.org/
Source: linux-pam-%{version}.tar.xz
Source1: Linux-PAM-1.3.1-docs.tar.xz
Source2: linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz
Source3: other.pamd
Source4: common-auth.pamd
Source5: common-account.pamd
Source6: common-password.pamd
Source7: common-session.pamd
Source8: securetty
Source9: baselibs.conf
Source10: unix2_chkpwd.c
Source11: unix2_chkpwd.8
Source12: pam-login_defs-check.sh
Patch0: fix-man-links.dif
Patch2: pam-limit-nproc.patch
Patch4: pam-hostnames-in-access_conf.patch
Patch5: use-correct-IP-address.patch
Patch6: usr-etc-support.patch
BuildRequires: audit-devel BuildRequires: audit-devel
# Remove with next version update:
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison BuildRequires: bison
BuildRequires: cracklib-devel BuildRequires: cracklib-devel
BuildRequires: flex BuildRequires: flex
BuildRequires: libdb-4_8-devel
BuildRequires: libtool
# All login.defs variables require support from shadow side.
# Upgrade this symbol version only if new variables appear!
# Verify by shadow-login_defs-check.sh from shadow source package.
Requires: login_defs-support-for-pam >= 1.3.1
Requires(post): permissions
%if 0%{?suse_version} > 1320 %if 0%{?suse_version} > 1320
BuildRequires: libdb-4_8-devel BuildRequires: libdb-4_8-devel
BuildRequires: xz BuildRequires: xz
@ -34,59 +70,16 @@ BuildRequires: pkgconfig(libtirpc)
%if %{enable_selinux} %if %{enable_selinux}
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
%endif %endif
%define libpam_so_version 0.84.2
%define libpam_misc_so_version 0.82.1
%define libpamc_so_version 0.82.1
#
Version: 1.3.1
Release: 0
Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause
Group: System/Libraries
PreReq: permissions
%if 0%{?suse_version} >= 1330 %if 0%{?suse_version} >= 1330
Requires(pre): group(shadow) Requires(pre): group(shadow)
Requires(pre): user(root) Requires(pre): user(root)
%endif %endif
# All login.defs variables require support from shadow side.
# Upgrade this symbol version only if new variables appear!
# Verify by shadow-login_defs-check.sh from shadow source package.
# Recent symbol includes variable from encryption_method_nis.diff.
Requires: login_defs-support-for-pam >= 1.3.1
#DL-URL: https://fedorahosted.org/releases/l/i/linux-pam/
Source: Linux-PAM-%{version}.tar.xz
Source1: Linux-PAM-%{version}-docs.tar.xz
Source2: securetty
Source3: other.pamd
Source4: common-auth.pamd
Source5: common-account.pamd
Source6: common-password.pamd
Source7: common-session.pamd
Source8: etc.environment
Source9: baselibs.conf
Source10: unix2_chkpwd.c
Source11: unix2_chkpwd.8
Source12: pam-login_defs-check.sh
Patch0: fix-man-links.dif
Patch2: pam-limit-nproc.patch
Patch3: encryption_method_nis.diff
Patch4: pam-hostnames-in-access_conf.patch
Patch5: use-correct-IP-address.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: libdb-4_8-devel
# Remove with next version update:
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
%description %description
PAM (Pluggable Authentication Modules) is a system security tool that PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without allows system administrators to set authentication policies without
having to recompile programs that do authentication. having to recompile programs that do authentication.
%package doc %package doc
Summary: Documentation for Pluggable Authentication Modules Summary: Documentation for Pluggable Authentication Modules
Group: Documentation/HTML Group: Documentation/HTML
@ -101,10 +94,8 @@ having to recompile programs that do authentication.
This package contains the documentation. This package contains the documentation.
%package devel %package devel
Summary: Include Files and Libraries for PAM-Development Summary: Include Files and Libraries for PAM Development
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Requires: glibc-devel Requires: glibc-devel
Requires: pam = %{version} Requires: pam = %{version}
@ -117,24 +108,23 @@ having to recompile programs which do authentication.
This package contains header files and static libraries used for This package contains header files and static libraries used for
building both PAM-aware applications and modules for use with PAM. building both PAM-aware applications and modules for use with PAM.
%prep %prep
%setup -q -n Linux-PAM-%{version} -b 1 %setup -q -n linux-pam-%{version} -b 1 -a 2
cp -a %{S:12} . cp -av ../Linux-PAM-1.3.1/* .
cp -a %{SOURCE12} .
%patch0 -p1 %patch0 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p0 %patch4
%patch4 -p0
%patch5 -p1 %patch5 -p1
%patch6
%build %build
bash ./pam-login_defs-check.sh bash ./pam-login_defs-check.sh
autoreconf -fiv ./autogen.sh
export CFLAGS="%optflags -DNDEBUG" export CFLAGS="%{optflags} -DNDEBUG"
%configure \ %configure \
--sbindir=/sbin \ --sbindir=/sbin \
--includedir=%_includedir/security \ --includedir=%{_includedir}/security \
--docdir=%{_docdir}/pam \ --docdir=%{_docdir}/pam \
--htmldir=%{_docdir}/pam/html \ --htmldir=%{_docdir}/pam/html \
--pdfdir=%{_docdir}/pam/pdf \ --pdfdir=%{_docdir}/pam/pdf \
@ -142,83 +132,72 @@ export CFLAGS="%optflags -DNDEBUG"
--enable-isadir=../../%{_lib}/security \ --enable-isadir=../../%{_lib}/security \
--enable-securedir=/%{_lib}/security --enable-securedir=/%{_lib}/security
make %{?_smp_mflags} make %{?_smp_mflags}
%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/.libs/ -lpam gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/linux-pam-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/linux-pam-%{version}/libpam/.libs/ -lpam
%check %check
make %{?_smp_mflags} check make %{?_smp_mflags} check
%install %install
mkdir -p $RPM_BUILD_ROOT/etc/pam.d mkdir -p %{buildroot}%{_sysconfdir}/pam.d
mkdir -p $RPM_BUILD_ROOT/usr/include/security mkdir -p %{buildroot}%{_prefix}%{_sysconfdir}/pam.d
mkdir -p $RPM_BUILD_ROOT/%{_lib}/security mkdir -p %{buildroot}%{_includedir}/security
mkdir -p $RPM_BUILD_ROOT/sbin mkdir -p %{buildroot}/%{_lib}/security
mkdir -p -m 755 $RPM_BUILD_ROOT%{_libdir} mkdir -p %{buildroot}/sbin
make DESTDIR=$RPM_BUILD_ROOT install mkdir -p -m 755 %{buildroot}%{_libdir}
/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib} %make_install
/sbin/ldconfig -n %{buildroot}/%{_lib}
# Install documentation # Install documentation
make -C doc install DESTDIR=$RPM_BUILD_ROOT %make_install -C doc
# install /etc/environment
install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc/environment
# install securetty # install securetty
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/etc install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}
%ifarch s390 s390x %ifarch s390 s390x
echo "ttyS0" >> $RPM_BUILD_ROOT/etc/securetty for i in ttyS0 ttyS1 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 sclp_line0 ttysclp0; do
echo "ttyS1" >> $RPM_BUILD_ROOT/etc/securetty echo "$i" >>%{buildroot}/%{_sysconfdir}/securetty
echo "hvc0" >> $RPM_BUILD_ROOT/etc/securetty done
echo "hvc1" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc2" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc3" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc4" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc5" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc6" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc7" >> $RPM_BUILD_ROOT/etc/securetty
echo "sclp_line0" >> $RPM_BUILD_ROOT/etc/securetty
echo "ttysclp0" >> $RPM_BUILD_ROOT/etc/securetty
%endif %endif
# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript # install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
install -d $RPM_BUILD_ROOT%{_sysconfdir}/security/namespace.d install -d %{buildroot}%{_sysconfdir}/security/namespace.d
# install other.pamd and common-*.pamd # install other.pamd and common-*.pamd
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/other install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pam.d/other
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/etc/pam.d/common-auth install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/common-auth
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/common-account install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/common-account
install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/common-password install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/common-password
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/etc/pam.d/common-session install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/pam.d/common-session
rm $RPM_BUILD_ROOT/%{_lib}/libpam.so rm %{buildroot}/%{_lib}/libpam.so
ln -sf ../../%{_lib}/libpam.so.%{libpam_so_version} $RPM_BUILD_ROOT%{_libdir}/libpam.so ln -sf ../../%{_lib}/libpam.so.%{libpam_so_version} %{buildroot}%{_libdir}/libpam.so
rm $RPM_BUILD_ROOT/%{_lib}/libpamc.so rm %{buildroot}/%{_lib}/libpamc.so
ln -sf ../../%{_lib}/libpamc.so.%{libpamc_so_version} $RPM_BUILD_ROOT%{_libdir}/libpamc.so ln -sf ../../%{_lib}/libpamc.so.%{libpamc_so_version} %{buildroot}%{_libdir}/libpamc.so
rm $RPM_BUILD_ROOT/%{_lib}/libpam_misc.so rm %{buildroot}/%{_lib}/libpam_misc.so
ln -sf ../../%{_lib}/libpam_misc.so.%{libpam_misc_so_version} $RPM_BUILD_ROOT%{_libdir}/libpam_misc.so ln -sf ../../%{_lib}/libpam_misc.so.%{libpam_misc_so_version} %{buildroot}%{_libdir}/libpam_misc.so
# #
# Remove crap # Remove crap
# #
rm -rf $RPM_BUILD_ROOT/%{_lib}/*.la $RPM_BUILD_ROOT/%{_lib}/security/*.la find %{buildroot} -type f -name "*.la" -delete -print
for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do
ln -f $RPM_BUILD_ROOT/%{_lib}/security/pam_unix.so $RPM_BUILD_ROOT/%{_lib}/security/$x.so ln -f %{buildroot}/%{_lib}/security/pam_unix.so %{buildroot}/%{_lib}/security/$x.so
done done
# #
# Install READMEs of PAM modules # Install READMEs of PAM modules
# #
DOC=$RPM_BUILD_ROOT%{_defaultdocdir}/pam DOC=%{buildroot}%{_defaultdocdir}/pam
mkdir -p $DOC/modules mkdir -p $DOC/modules
( pushd modules
cd modules; for i in pam_*/README; do
for i in pam_*/README ; do cp -fpv "$i" "$DOC/modules/README.${i%/*}"
cp -fpv ${i} $DOC/modules/README.`dirname ${i}` done
done popd
)
# #
# pam_tally is deprecated since ages # pam_tally is deprecated since ages
# #
rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so rm -f %{buildroot}/%{_lib}/security/pam_tally.so
rm -f $RPM_BUILD_ROOT/sbin/pam_tally rm -f %{buildroot}/sbin/pam_tally
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8* rm -f %{buildroot}%{_mandir}/man8/pam_tally.8*
rm -f $RPM_BUILD_ROOT%{_defaultdocdir}/pam/modules/README.pam_tally rm -f %{buildroot}%{_defaultdocdir}/pam/modules/README.pam_tally
# Install unix2_chkpwd # Install unix2_chkpwd
install -m 755 $RPM_BUILD_DIR/unix2_chkpwd $RPM_BUILD_ROOT/sbin/ install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}/sbin/
install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/ install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
# Create filelist with translatins # Create filelist with translatins
%{find_lang} Linux-PAM %find_lang Linux-PAM
%verifyscript %verifyscript
%verify_permissions -e /sbin/unix_chkpwd %verify_permissions -e /sbin/unix_chkpwd
@ -232,8 +211,8 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
%files -f Linux-PAM.lang %files -f Linux-PAM.lang
%defattr(-,root,root)
%dir %{_sysconfdir}/pam.d %dir %{_sysconfdir}/pam.d
%dir %{_prefix}%{_sysconfdir}/pam.d
%dir %{_sysconfdir}/security %dir %{_sysconfdir}/security
%dir %{_sysconfdir}/security/limits.d %dir %{_sysconfdir}/security/limits.d
%dir %{_defaultdocdir}/pam %dir %{_defaultdocdir}/pam
@ -254,10 +233,10 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
%dir %{_sysconfdir}/security/namespace.d %dir %{_sysconfdir}/security/namespace.d
%doc NEWS %doc NEWS
%license COPYING %license COPYING
%doc %{_mandir}/man5/environment.5* %{_mandir}/man5/environment.5%{?ext_man}
%doc %{_mandir}/man5/*.conf.5* %{_mandir}/man5/*.conf.5%{?ext_man}
%doc %{_mandir}/man5/pam.d.5* %{_mandir}/man5/pam.d.5%{?ext_man}
%doc %{_mandir}/man8/* %{_mandir}/man8/*
/%{_lib}/libpam.so.0 /%{_lib}/libpam.so.0
/%{_lib}/libpam.so.%{libpam_so_version} /%{_lib}/libpam.so.%{libpam_so_version}
/%{_lib}/libpamc.so.0 /%{_lib}/libpamc.so.0
@ -333,9 +312,9 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
%files devel %files devel
%defattr(644,root,root,755) %defattr(644,root,root,755)
%dir /usr/include/security %dir %{_includedir}/security
%doc %{_mandir}/man3/pam* %{_mandir}/man3/pam*
%doc %{_mandir}/man3/misc_conv.3* %{_mandir}/man3/misc_conv.3%{?ext_man}
%{_includedir}/security/*.h %{_includedir}/security/*.h
%{_libdir}/libpam.so %{_libdir}/libpam.so
%{_libdir}/libpamc.so %{_libdir}/libpamc.so
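Review bot: In `%prep`, the new `cp -av ../Linux-PAM-1.3.1/* .` overlays the whole 1.3.1 release docs tarball onto the git snapshot before the patches are applied, so any file present in both trees is silently replaced by the older release copy. Because this package builds authentication code, I would make the overlay unable to replace snapshot files, e.g. `cp -anv ../Linux-PAM-1.3.1/* .`, or copy only the documentation directories that are actually needed. A short comment above the `cp` saying why the release docs are merged in would help, as the hard-coded `1.3.1` here and in `Source1` has to be revisited on the next version update. Only the changed hunks of pam.spec are shown and the tarball's contents are not visible here, so whether any path really collides is to be confirmed.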

81
usr-etc-support.patch Normal file

@ -0,0 +1,81 @@
--- doc/man/pam.8.xml
+++ doc/man/pam.8.xml 2019/08/16 13:37:44
@@ -53,11 +53,13 @@
<para>
Vendor-supplied PAM configuration files might be installed in
- the system directory <filename>/usr/lib/pam.d/</filename> instead
+ the system directory <filename>/usr/lib/pam.d/</filename> or
+ <filename>/usr/etc/pam.d/</filename> instead
of the machine configuration directory <filename>/etc/pam.d/</filename>.
If no machine configuration file is found, the vendor-supplied file
is used. All files in <filename>/etc/pam.d/</filename> override
- files with the same name in <filename>/usr/lib/pam.d/</filename>.
+ files with the same name in <filename>/usr/lib/pam.d/</filename>,
+ which override files with the same name in <filename>/usr/etc/pam.d/</filename>.
</para>
<para>From the point of view of the system administrator, for whom this
@@ -157,6 +159,16 @@
</para>
</listitem>
</varlistentry>
+ <term><filename>/usr/etc/pam.d</filename></term>
+ <listitem>
+ <para>
+ the <emphasis remap='B'>Linux-PAM</emphasis> vendor configuration
+ directory. Files in <filename>/etc/pam.d</filename> and
+ <filename>/usr/lib/pam.d</filename> override files with the same
+ name in this directory.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
--- libpam/pam_handlers.c
+++ libpam/pam_handlers.c 2019/08/16 13:35:31
@@ -329,6 +329,21 @@
*file = f;
return PAM_SUCCESS;
}
+
+ /* System Configuration /usr/etc/pam.d/ */
+ _pam_drop(p);
+ if (asprintf (&p, PAM_CONFIG_DIST2_DF, service) < 0) {
+ pam_syslog(pamh, LOG_CRIT, "asprintf failed");
+ return PAM_BUF_ERR;
+ }
+ D(("opening %s", p));
+ f = fopen(p, "r");
+ if (f != NULL) {
+ *path = p;
+ *file = f;
+ return PAM_SUCCESS;
+ }
+
_pam_drop(p);
return PAM_ABORT;
@@ -447,7 +462,8 @@
/* Is there a PAM_CONFIG_D directory? */
if ((stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) ||
- (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) {
+ (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) ||
+ (stat(PAM_CONFIG_DIST2_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) {
char *path = NULL;
int read_something=0;
--- libpam/pam_private.h
+++ libpam/pam_private.h 2019/08/16 13:33:04
@@ -29,6 +29,9 @@
#define PAM_CONFIG_DF "/etc/pam.d/%s"
#define PAM_CONFIG_DIST_D "/usr/lib/pam.d"
#define PAM_CONFIG_DIST_DF "/usr/lib/pam.d/%s"
+#define PAM_CONFIG_DIST2_D "/usr/etc/pam.d"
+#define PAM_CONFIG_DIST2_DF "/usr/etc/pam.d/%s"
+
#define PAM_DEFAULT_SERVICE "other" /* lower case */
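Review bot: In the second doc/man/pam.8.xml hunk the added entry starts at `<term><filename>/usr/etc/pam.d</filename></term>` but ends with `</varlistentry>`, so the new list item has a closing tag with no opener; a `<varlistentry>` line is needed before the `<term>`. In libpam/pam_handlers.c the new block is labelled `/* System Configuration /usr/etc/pam.d/ */` while the man page text calls the same directory the vendor configuration directory. Since this lookup decides which policy file a service is authenticated against, I would state the precedence in the comment, e.g. `/* Vendor configuration /usr/etc/pam.d/: lowest precedence, tried only when the earlier lookups found no file */`. The earlier lookups and the start of the function lie outside the hunk, so the order is inferred from the man page wording and from the block following an existing `return PAM_SUCCESS`.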