Accepting request 1045205 from Linux-PAM

- Also obsolete pam_unix-32bit to have clean upgrade path. - Merge pam_unix back into pam, seperate package not needed anymore - Update pam-git.diff to current upstream - pam_env: Use vendor specific pam_env.conf and environment as fallback - pam_shells: Use the vendor directory obsoletes pam_env_econf.patch - Refresh docbook5.patch OBS-URL: https://build.opensuse.org/request/show/1045205 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=126
2022-12-25 14:14:17 +00:00 · 2022-12-25 14:14:17 +00:00 · a42fcc6da5
commit a42fcc6da5
parent dbcb16eb1c a19e1ad91c
6 changed files with 1114 additions and 734 deletions
--- a/baselibs.conf
+++ b/baselibs.conf
@ -1,6 +1,6 @@
 pam
 	requires "(systemd-<targettype> if systemd)"
 	obsoletes "pam_unix-<targettype>"
 	obsoletes "pam_unix-nis-<targettype>"
 pam-extra
 pam-devel
 pam_unix
 	conflicts "pam_unix-nis-<targettype>"
--- a/docbook5.patch
+++ b/docbook5.patch
@ -1,4 +1,4 @@
-From 681e88a5428904b478a37e65154d7cf0ba1a9eb5 Mon Sep 17 00:00:00 2001
+From 55e4d5c4aac39602518dd5d4ce03a4313775180f Mon Sep 17 00:00:00 2001
 From: Stefan Schubert <schubi@suse.de>
 Date: Tue, 25 Oct 2022 16:29:41 +0200
 Subject: [PATCH] doc: Update PAM documentation from DockBook 4 to DocBook 5
@ -14,7 +14,7 @@ doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am:
 - Using RNG file instead of DTD file for checking XML files.
 configure.ac:
- Added a new option for selecting RNG check file (-enable-docbook-rng)
+- Adding a new option for selecting RNG check file (-enable-docbook-rng)
 - Switching stylesheets to docbook 5
 - Checking DocBook 5 environment instead of DocBook 4 environment
@ -152,7 +152,6 @@ Update from DockBook 4 to DocBook 5
 doc/sag/pam_warn.xml                          |  42 ++--
 doc/sag/pam_wheel.xml                         |  42 ++--
 doc/sag/pam_xauth.xml                         |  42 ++--
 examples/.gitignore                           |   2 +-
 modules/pam_access/README.xml                 |  32 +--
 modules/pam_access/access.conf.5.xml          |  20 +-
 modules/pam_access/pam_access.8.xml           |  63 +++--
@ -163,7 +162,7 @@ Update from DockBook 4 to DocBook 5
 modules/pam_echo/README.xml                   |  29 +--
 modules/pam_echo/pam_echo.8.xml               |  45 ++--
 modules/pam_env/README.xml                    |  34 +--
- modules/pam_env/pam_env.8.xml                 |  59 +++--
+ modules/pam_env/pam_env.8.xml                 |  63 +++--
 modules/pam_env/pam_env.conf.5.xml            |  19 +-
 modules/pam_exec/README.xml                   |  32 +--
 modules/pam_exec/pam_exec.8.xml               |  65 +++--
@ -257,7 +256,7 @@ Update from DockBook 4 to DocBook 5
 modules/pam_wheel/pam_wheel.8.xml             |  59 +++--
 modules/pam_xauth/README.xml                  |  35 +--
 modules/pam_xauth/pam_xauth.8.xml             |  65 +++--
- 236 files changed, 3398 insertions(+), 5101 deletions(-)
+ 235 files changed, 3399 insertions(+), 5102 deletions(-)
 diff --git a/Make.xml.rules.in b/Make.xml.rules.in
 index 27bb510ec..98beb9ed7 100644
@ -292,7 +291,7 @@ index 27bb510ec..98beb9ed7 100644
 #CLEANFILES += $(man_MANS) README
 diff --git a/configure.ac b/configure.ac
-index 2f74d1b49..84cda219d 100644
+index 538195e55..afa749cf6 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -243,26 +243,35 @@ if test x"$enable_debug" = x"yes" ; then
@ -339,7 +338,7 @@ index 2f74d1b49..84cda219d 100644
 AC_SUBST(MAN_STYLESHEET)
 sed "s+MAN_STYLESHEET+$MAN_STYLESHEET+g" <doc/custom-man.xsl.in >doc/custom-man.xsl
-@@ -605,10 +614,10 @@ if test -z "$XSLTPROC"; then
+@@ -608,10 +617,10 @@ if test -z "$XSLTPROC"; then
      enable_docu=no
 fi
 AC_PATH_PROG([XMLLINT], [xmllint],[/bin/true])
@ -9561,7 +9560,7 @@ index 21a9b8555..8becf8700 100644
 +</article>
 \ No newline at end of file
 diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml
-index 75ff862be..bcb16036f 100644
+index d7687d6c9..fb172e17b 100644
 --- a/modules/pam_env/pam_env.8.xml
 +++ b/modules/pam_env/pam_env.8.xml
@@ -1,16 +1,13 @@
@ -9625,7 +9624,7 @@ index 75ff862be..bcb16036f 100644
     <title>DESCRIPTION</title>
     <para>
       The pam_env PAM module allows the (un)setting of environment
-@@ -77,13 +74,13 @@
+@@ -119,13 +116,13 @@
     </para>
   </refsect1>
@ -9641,7 +9640,7 @@ index 75ff862be..bcb16036f 100644
         </term>
         <listitem>
           <para>
-@@ -96,7 +93,7 @@
+@@ -138,7 +135,7 @@
       <varlistentry>
         <term>
@ -9650,7 +9649,7 @@ index 75ff862be..bcb16036f 100644
         </term>
         <listitem>
           <para>
-@@ -108,7 +105,7 @@
+@@ -150,7 +147,7 @@
       <varlistentry>
         <term>
@ -9659,7 +9658,7 @@ index 75ff862be..bcb16036f 100644
         </term>
         <listitem>
           <para>
-@@ -124,7 +121,7 @@
+@@ -166,7 +163,7 @@
       <varlistentry>
         <term>
@ -9668,7 +9667,7 @@ index 75ff862be..bcb16036f 100644
         </term>
         <listitem>
           <para>
-@@ -137,7 +134,7 @@
+@@ -179,7 +176,7 @@
       <varlistentry>
         <term>
@ -9677,7 +9676,7 @@ index 75ff862be..bcb16036f 100644
         </term>
         <listitem>
           <para>
-@@ -153,7 +150,7 @@
+@@ -195,7 +192,7 @@
       <varlistentry>
         <term>
@ -9686,7 +9685,7 @@ index 75ff862be..bcb16036f 100644
         </term>
         <listitem>
           <para>
-@@ -174,7 +171,7 @@
+@@ -216,7 +213,7 @@
     </variablelist>
   </refsect1>
@ -9695,7 +9694,7 @@ index 75ff862be..bcb16036f 100644
     <title>MODULE TYPES PROVIDED</title>
     <para>
       The <option>auth</option> and <option>session</option> module
-@@ -182,7 +179,7 @@
+@@ -224,7 +221,7 @@
     </para>
   </refsect1>
@ -9704,7 +9703,7 @@ index 75ff862be..bcb16036f 100644
     <title>RETURN VALUES</title>
     <variablelist>
       <varlistentry>
-@@ -220,23 +217,23 @@
+@@ -262,25 +259,25 @@
     </variablelist>
   </refsect1>
@ -9713,14 +9712,18 @@ index 75ff862be..bcb16036f 100644
     <title>FILES</title>
     <variablelist>
       <varlistentry>
 -        <term condition="with_vendordir"><filename>/usr/etc/security/pam_env.conf</filename></term>
 -        <term><filename>/etc/security/pam_env.conf</filename></term>
 +        <term condition="with_vendordir">%vendordir%/security/pam_env.conf</term>
 +        <term>/etc/security/pam_env.conf</term>
         <listitem>
           <para>Default configuration file</para>
         </listitem>
       </varlistentry>
       <varlistentry>
 -        <term condition="with_vendordir"><filename>/usr/etc/environment</filename></term>
 -        <term><filename>/etc/environment</filename></term>
 +        <term condition="with_vendordir">%vendordir%/environment</term>
 +        <term>/etc/environment</term>
         <listitem>
           <para>Default environment file</para>
@ -9732,7 +9735,7 @@ index 75ff862be..bcb16036f 100644
         <listitem>
           <para>User specific environment file</para>
         </listitem>
-@@ -244,7 +241,7 @@
+@@ -288,7 +285,7 @@
     </variablelist>
   </refsect1>
@ -9741,7 +9744,7 @@ index 75ff862be..bcb16036f 100644
     <title>SEE ALSO</title>
     <para>
       <citerefentry>
-@@ -262,10 +259,10 @@
+@@ -306,10 +303,10 @@
     </para>
   </refsect1>
@ -9756,7 +9759,7 @@ index 75ff862be..bcb16036f 100644
 +</refentry>
 \ No newline at end of file
 diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml
-index fca046fe3..f88791676 100644
+index 5c0dbcb8c..662ff0a00 100644
 --- a/modules/pam_env/pam_env.conf.5.xml
 +++ b/modules/pam_env/pam_env.conf.5.xml
@@ -1,13 +1,10 @@
@ -9784,8 +9787,8 @@ index fca046fe3..f88791676 100644
 +  <refsect1 xml:id="pam_env.conf-description">
     <title>DESCRIPTION</title>
-     <para>
+     <para condition="with_vendordir">
-@@ -71,7 +68,7 @@
+@@ -87,7 +84,7 @@
     </para>
   </refsect1>
@ -9794,7 +9797,7 @@ index fca046fe3..f88791676 100644
     <title>EXAMPLES</title>
     <para>
       These are some example lines which might be specified in
-@@ -117,7 +114,7 @@
+@@ -133,7 +130,7 @@
     </programlisting>
   </refsect1>
@ -9803,7 +9806,7 @@ index fca046fe3..f88791676 100644
     <title>SEE ALSO</title>
     <para>
       <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
-@@ -127,10 +124,10 @@
+@@ -143,10 +140,10 @@
     </para>
   </refsect1>
@ -16961,7 +16964,7 @@ index 154b97b51..c4da1a060 100644
 +</article>
 \ No newline at end of file
 diff --git a/modules/pam_shells/pam_shells.8.xml b/modules/pam_shells/pam_shells.8.xml
-index 15f476717..67d8ecf16 100644
+index 73b4855a3..b9f90e94a 100644
 --- a/modules/pam_shells/pam_shells.8.xml
 +++ b/modules/pam_shells/pam_shells.8.xml
@@ -1,27 +1,24 @@
@ -16998,7 +17001,7 @@ index 15f476717..67d8ecf16 100644
     <title>DESCRIPTION</title>
-@@ -35,13 +32,13 @@
+@@ -43,13 +40,13 @@
     </para>
   </refsect1>
@ -17014,7 +17017,7 @@ index 15f476717..67d8ecf16 100644
     <title>MODULE TYPES PROVIDED</title>
     <para>
       The <option>auth</option> and <option>account</option>
-@@ -49,7 +46,7 @@
+@@ -57,7 +54,7 @@
     </para>
   </refsect1>
@ -17023,7 +17026,7 @@ index 15f476717..67d8ecf16 100644
     <title>RETURN VALUES</title>
     <variablelist>
       <varlistentry>
-@@ -80,7 +77,7 @@
+@@ -88,7 +85,7 @@
     </variablelist>
      </refsect1>
@ -17032,7 +17035,7 @@ index 15f476717..67d8ecf16 100644
     <title>EXAMPLES</title>
     <para>
       <programlisting>
-@@ -89,7 +86,7 @@ auth  required  pam_shells.so
+@@ -97,7 +94,7 @@ auth  required  pam_shells.so
     </para>
   </refsect1>
@ -17041,7 +17044,7 @@ index 15f476717..67d8ecf16 100644
     <title>SEE ALSO</title>
     <para>
       <citerefentry>
-@@ -107,11 +104,11 @@ auth  required  pam_shells.so
+@@ -115,11 +112,11 @@ auth  required  pam_shells.so
     </para>
   </refsect1>
--- a/pam-git.diff
+++ b/pam-git.diff
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,22 @@
 -------------------------------------------------------------------
 Sat Dec 24 13:31:33 UTC 2022 - Dominique Leuenberger <dleuenberger@suse.com>
 - Also obsolete pam_unix-32bit to have clean upgrade path.
 -------------------------------------------------------------------
 Fri Dec 16 09:37:15 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
 - Merge pam_unix back into pam, seperate package not needed anymore
 -------------------------------------------------------------------
 Thu Dec 15 12:47:53 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
 - Update pam-git.diff to current upstream
  - pam_env: Use vendor specific pam_env.conf and environment as fallback
  - pam_shells: Use the vendor directory
  obsoletes pam_env_econf.patch
 - Refresh docbook5.patch
 -------------------------------------------------------------------
 Tue Dec  6 16:43:49 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
--- a/pam.spec
+++ b/pam.spec
@ -67,9 +67,8 @@ Source15:       Linux-PAM-%{version}.tar.xz.asc
 Patch1:         pam-limit-nproc.patch
 Patch3:         pam-xauth_ownership.patch
 Patch4:         pam-bsc1177858-dont-free-environment-string.patch
-Patch10:        pam_xauth_data.3.xml.patch
+Patch5:        pam_xauth_data.3.xml.patch
 Patch11:        pam-git.diff
 Patch12:        pam_env_econf.patch
 Patch13:        pam_pwhistory-docu.patch
 Patch14:        docbook5.patch
 BuildRequires:  audit-devel
@ -88,8 +87,8 @@ BuildRequires:  pkgconfig(libeconf)
 %if %{enable_selinux}
 BuildRequires:  libselinux-devel
 %endif
-Requires:       pam_unix.so
+Obsoletes:      pam_unix
-Suggests:       pam_unix
+Obsoletes:      pam_unix-nis
 Recommends:     pam-manpages
 %if 0%{?suse_version} >= 1330
 Requires(pre):  group(shadow)
@ -101,18 +100,6 @@ PAM (Pluggable Authentication Modules) is a system security tool that
 allows system administrators to set authentication policies without
 having to recompile programs that do authentication.
 %package -n pam_unix
 Summary:        PAM module for standard UNIX authentication
 Group:          System/Libraries
 Provides:       pam:/%{_lib}/security/pam_unix.so
 Provides:       pam_unix.so
 Conflicts:      pam_unix-nis
 %description -n pam_unix
 This package contains the pam_unix module, which does the standard
 UNIX authentication against the passwd and shadow database. This
 module does not contain NIS support.
 %package extra
 Summary:        PAM module to authenticate against a separate database
 Group:          System/Libraries
@ -181,8 +168,7 @@ cp -a %{SOURCE12} .
 %patch1 -p1
 %patch3 -p1
 %patch4 -p1
-%patch10 -p1
+%patch5 -p1
 %patch12 -p1
 %if %{build_doc}
 %patch13 -p1
 %patch14 -p1
@ -396,6 +382,11 @@ done
 %{_pam_moduledir}/pam_timestamp.so
 %{_pam_moduledir}/pam_tty_audit.so
 %{_pam_moduledir}/pam_umask.so
 %{_pam_moduledir}/pam_unix.so
 %{_pam_moduledir}/pam_unix_acct.so
 %{_pam_moduledir}/pam_unix_auth.so
 %{_pam_moduledir}/pam_unix_passwd.so
 %{_pam_moduledir}/pam_unix_session.so
 %{_pam_moduledir}/pam_usertype.so
 %{_pam_moduledir}/pam_warn.so
 %{_pam_moduledir}/pam_wheel.so
@ -411,14 +402,6 @@ done
 %{_unitdir}/pam_namespace.service
 %{_tmpfilesdir}/pam.conf
 %files -n pam_unix
 %defattr(-,root,root,755)
 %{_pam_moduledir}/pam_unix.so
 %{_pam_moduledir}/pam_unix_acct.so
 %{_pam_moduledir}/pam_unix_auth.so
 %{_pam_moduledir}/pam_unix_passwd.so
 %{_pam_moduledir}/pam_unix_session.so
 %files extra
 %defattr(-,root,root,755)
 %{_pam_moduledir}/pam_userdb.so
--- a/pam_env_econf.patch
+++ b/pam_env_econf.patch
@ -1,576 +0,0 @@
 From 4b427724082fa2b77cccfa572881c5d2940c754e Mon Sep 17 00:00:00 2001
 From: Stefan Schubert <schubi@suse.de>
 Date: Fri, 3 Dec 2021 14:33:20 +0100
 Subject: [PATCH] pam_env: Use vendor specific pam_env.conf and environment as
 fallback
 Use the vendor directory as fallback for a distribution provided default
 config if there is no one in /etc.
 * Makefile.am: Add libeconf setting.
 * pam_env.c: Take care about the fallback configuration in the vendor directory.
 * tst-pam_env-retval.c: Added tests for libeconf.
 * configure.ac: Added ECONF settings for building man pages.
 ---
 configure.ac                         |   7 +-
 modules/pam_env/.gitignore           |   1 +
 modules/pam_env/Makefile.am          |   4 +-
 modules/pam_env/pam_env.c            | 298 +++++++++++++++++++++++----
 modules/pam_env/tst-pam_env-retval.c |  60 ++++++
 7 files changed, 394 insertions(+), 44 deletions(-)
 create mode 100644 modules/pam_env/.gitignore
 diff --git a/configure.ac b/configure.ac
 index 2f74d1b49..51ca0ad25 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -523,6 +523,7 @@ if test "$WITH_ECONF" = "yes" ; then
   PKG_CHECK_MODULES([ECONF], [libeconf], [],
   [AC_CHECK_LIB([econf],[econf_readDirs],[ECONF_LIBS="-leconf"],[ECONF_LIBS=""])])
   if test -n "$ECONF_LIBS" ; then
 +    AC_CHECK_LIB([econf],[econf_errLocation], [], [AC_MSG_ERROR([Please update libeconf])])
     ECONF_CFLAGS="-DUSE_ECONF=1 $ECONF_CFLAGS"
   fi
 fi
@@ -535,7 +536,11 @@ if test -n "$enable_vendordir"; then
 		     [Directory for distribution provided configuration files])
   AC_DEFINE_UNQUOTED([VENDOR_SCONFIGDIR], ["$enable_vendordir/security"],
 		     [Directory for PAM modules distribution provided configuration files])
 -  STRINGPARAM_VENDORDIR="--stringparam vendordir '$enable_vendordir' --stringparam profile.condition 'with_vendordir'"
 +  if test "$WITH_ECONF" = "yes" ; then
 +    STRINGPARAM_VENDORDIR="--stringparam vendordir '$enable_vendordir' --stringparam profile.condition 'with_vendordir;with_vendordir_and_with_econf'"
 +  else
 +    STRINGPARAM_VENDORDIR="--stringparam vendordir '$enable_vendordir' --stringparam profile.condition 'with_vendordir;with_vendordir_and_without_econf"
 +  fi
 else
   STRINGPARAM_VENDORDIR="--stringparam profile.condition 'without_vendordir'"
 fi
 diff --git a/modules/pam_env/.gitignore b/modules/pam_env/.gitignore
 new file mode 100644
 index 000000000..4c5b234b1
 --- /dev/null
 +++ b/modules/pam_env/.gitignore
@@ -0,0 +1 @@
 +tst-pam_env-retval
 diff --git a/modules/pam_env/Makefile.am b/modules/pam_env/Makefile.am
 index 02cd9d375..b99a83ecb 100644
 --- a/modules/pam_env/Makefile.am
 +++ b/modules/pam_env/Makefile.am
@@ -18,14 +18,14 @@ securelibdir = $(SECUREDIR)
 secureconfdir = $(SCONFIGDIR)
 AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
 -	    $(WARN_CFLAGS)
 +	    $(WARN_CFLAGS) -DSYSCONFDIR=\"$(sysconfdir)\" $(ECONF_CFLAGS)
 AM_LDFLAGS = -no-undefined -avoid-version -module
 if HAVE_VERSIONING
   AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
 endif
 securelib_LTLIBRARIES = pam_env.la
 -pam_env_la_LIBADD = $(top_builddir)/libpam/libpam.la
 +pam_env_la_LIBADD = $(top_builddir)/libpam/libpam.la $(ECONF_LIBS)
 check_PROGRAMS = tst-pam_env-retval
 tst_pam_env_retval_LDADD = $(top_builddir)/libpam/libpam.la
 diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
 index 64a586454..aabab7992 100644
 --- a/modules/pam_env/pam_env.c
 +++ b/modules/pam_env/pam_env.c
@@ -7,6 +7,9 @@
  */
 #define DEFAULT_ETC_ENVFILE     "/etc/environment"
 +#ifdef VENDORDIR
 +#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/etc/environment")
 +#endif
 #define DEFAULT_READ_ENVFILE    1
 #define DEFAULT_USER_ENVFILE    ".pam_environment"
@@ -25,6 +28,9 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
 +#ifdef USE_ECONF
 +#include <libeconf.h>
 +#endif
 #include <security/pam_modules.h>
 #include <security/pam_modutil.h>
@@ -42,6 +48,9 @@ typedef struct var {
 } VAR;
 #define DEFAULT_CONF_FILE	(SCONFIGDIR "/pam_env.conf")
 +#ifdef VENDOR_SCONFIGDIR
 +#define VENDOR_DEFAULT_CONF_FILE (VENDOR_SCONFIGDIR "/pam_env.conf")
 +#endif
 #define BUF_SIZE 8192
 #define MAX_ENV  8192
@@ -56,6 +65,16 @@ typedef struct var {
 /* This is a special value used to designate an empty string */
 static char quote='\0';
 +static void free_string_array(char **array)
 +{
 +    if (array == NULL)
 +      return;
 +    for (char **entry = array; *entry != NULL; ++entry) {
 +      free(*entry);
 +    }
 +    free(array);
 +}
 +
 /* argument parsing */
 #define PAM_DEBUG_ARG       0x01
@@ -68,10 +87,10 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
     int ctrl=0;
     *user_envfile = DEFAULT_USER_ENVFILE;
 -    *envfile = DEFAULT_ETC_ENVFILE;
 +    *envfile = NULL;
     *readenv = DEFAULT_READ_ENVFILE;
     *user_readenv = DEFAULT_USER_READ_ENVFILE;
 -    *conffile = DEFAULT_CONF_FILE;
 +    *conffile = NULL;
     /* step through arguments */
     for (; argc-- > 0; ++argv) {
@@ -119,6 +138,148 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
     return ctrl;
 }
 +#ifdef USE_ECONF
 +
 +#define ENVIRONMENT "environment"
 +#define PAM_ENV "pam_env"
 +
 +static int
 +isDirectory(const char *path) {
 +   struct stat statbuf;
 +   if (stat(path, &statbuf) != 0)
 +       return 0;
 +   return S_ISDIR(statbuf.st_mode);
 +}
 +
 +static int
 +econf_read_file(const pam_handle_t *pamh, const char *filename, const char *delim,
 +			   const char *name, const char *suffix, const char *subpath,
 +			   char ***lines)
 +{
 +    econf_file *key_file = NULL;
 +    econf_err error;
 +    size_t key_number = 0;
 +    char **keys = NULL;
 +    const char *base_dir = "";
 +
 +    if (filename != NULL) {
 +      if (isDirectory(filename)) {
 +	/* Set base directory which can be different from root */
 +	D(("filename argument is a directory: %s", filename));
 +	base_dir = filename;
 +      } else {
 +	/* Read only one file */
 +	error = econf_readFile (&key_file, filename, delim, "#");
 +	D(("File name is: %s", filename));
 +	if (error != ECONF_SUCCESS) {
 +	  pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s: %s", filename,
 +		     econf_errString(error));
 +          if (error == ECONF_NOFILE)
 +            return PAM_IGNORE;
 +          else
 +            return PAM_ABORT;
 +	}
 +      }
 +    }
 +    if (filename == NULL || base_dir[0] != '\0') {
 +      /* Read and merge all setting in e.g. /usr/etc and /etc */
 +      char *vendor_dir = NULL, *sysconf_dir;
 +      if (subpath != NULL && subpath[0] != '\0') {
 +#ifdef VENDORDIR
 +	if (asprintf(&vendor_dir, "%s%s/%s/", base_dir, VENDORDIR, subpath) < 0) {
 +	  pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
 +	  return PAM_BUF_ERR;
 +	}
 +#endif
 +	if (asprintf(&sysconf_dir, "%s%s/%s/", base_dir, SYSCONFDIR, subpath) < 0) {
 +	  pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
 +	  free(vendor_dir);
 +	  return PAM_BUF_ERR;
 +	}
 +      } else {
 +#ifdef VENDORDIR
 +	if (asprintf(&vendor_dir, "%s%s/", base_dir, VENDORDIR) < 0) {
 +	  pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
 +	  return PAM_BUF_ERR;
 +	}
 +#endif
 +	if (asprintf(&sysconf_dir, "%s%s/", base_dir, SYSCONFDIR) < 0) {
 +	  pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
 +	  free(vendor_dir);
 +	  return PAM_BUF_ERR;
 +	}
 +      }
 +
 +      D(("Read configuration from directory %s and %s", vendor_dir, sysconf_dir));
 +      error = econf_readDirs (&key_file, vendor_dir, sysconf_dir, name, suffix,
 +			      delim, "#");
 +      free(vendor_dir);
 +      free(sysconf_dir);
 +      if (error != ECONF_SUCCESS) {
 +        if (error == ECONF_NOFILE) {
 +	  pam_syslog(pamh, LOG_ERR, "Configuration file not found: %s%s", name, suffix);
 +          return PAM_IGNORE;
 +        } else {
 +          char *error_filename = NULL;
 +          uint64_t error_line = 0;
 +
 +          econf_errLocation(&error_filename, &error_line);
 +          pam_syslog(pamh, LOG_ERR, "Unable to read configuration file %s line %ld: %s",
 +                     error_filename,
 +                     error_line,
 +                     econf_errString(error));
 +          free(error_filename);
 +          return PAM_ABORT;
 +	}
 +      }
 +    }
 +
 +    error = econf_getKeys(key_file, NULL, &key_number, &keys);
 +    if (error != ECONF_SUCCESS && error != ECONF_NOKEY) {
 +      pam_syslog(pamh, LOG_ERR, "Unable to read keys: %s",
 +		 econf_errString(error));
 +      econf_freeFile(key_file);
 +      return PAM_ABORT;
 +    }
 +
 +    *lines = malloc((key_number +1)* sizeof(char**));
 +    if (*lines == NULL) {
 +      pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
 +      econf_free(keys);
 +      econf_freeFile(key_file);
 +      return PAM_BUF_ERR;
 +    }
 +
 +    (*lines)[key_number] = 0;
 +
 +    for (size_t i = 0; i < key_number; i++) {
 +      char *val;
 +
 +      error = econf_getStringValue (key_file, NULL, keys[i], &val);
 +      if (error != ECONF_SUCCESS) {
 +	pam_syslog(pamh, LOG_ERR, "Unable to get string from key %s: %s",
 +		   keys[i],
 +		   econf_errString(error));
 +      } else {
 +        if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) {
 +	  pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
 +          econf_free(keys);
 +          econf_freeFile(key_file);
 +	  free_string_array(*lines);
 +	  free (val);
 +	  return PAM_BUF_ERR;
 +	}
 +	free (val);
 +      }
 +    }
 +
 +    econf_free(keys);
 +    econf_free(key_file);
 +    return PAM_SUCCESS;
 +}
 +
 +#else
 +
 /*
  * This is where we read a line of the PAM config file. The line may be
  * preceded by lines of comments and also extended with "\\\n"
@@ -212,6 +373,52 @@ _assemble_line(FILE *f, char *buffer, int buf_len)
     return used;
 }
 +static int read_file(const pam_handle_t *pamh, const char*filename, char ***lines)
 +{
 +    FILE *conf;
 +    char buffer[BUF_SIZE];
 +
 +    D(("Parsed file name is: %s", filename));
 +
 +    if ((conf = fopen(filename,"r")) == NULL) {
 +      pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s", filename);
 +      return PAM_IGNORE;
 +    }
 +
 +    size_t i = 0;
 +    *lines = malloc((i + 1)* sizeof(char**));
 +    if (*lines == NULL) {
 +      pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
 +      (void) fclose(conf);
 +      return PAM_BUF_ERR;
 +    }
 +    (*lines)[i] = 0;
 +    while (_assemble_line(conf, buffer, BUF_SIZE) > 0) {
 +      char **tmp = NULL;
 +      D(("Read line: %s", buffer));
 +      tmp = realloc(*lines, (++i + 1) * sizeof(char**));
 +      if (tmp == NULL) {
 +	pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
 +	(void) fclose(conf);
 +	free_string_array(*lines);
 +	return PAM_BUF_ERR;
 +      }
 +      *lines = tmp;
 +      (*lines)[i-1] = strdup(buffer);
 +      if ((*lines)[i-1] == NULL) {
 +        pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
 +        (void) fclose(conf);
 +        free_string_array(*lines);
 +        return PAM_BUF_ERR;
 +      }
 +      (*lines)[i] = 0;
 +    }
 +
 +    (void) fclose(conf);
 +    return PAM_SUCCESS;
 +}
 +#endif
 +
 static int
 _parse_line(const pam_handle_t *pamh, const char *buffer, VAR *var)
 {
@@ -626,34 +833,38 @@ static int
 _parse_config_file(pam_handle_t *pamh, int ctrl, const char *file)
 {
     int retval;
 -    char buffer[BUF_SIZE];
 -    FILE *conf;
     VAR Var, *var=&Var;
 -
 -    D(("Called."));
 +    char **conf_list = NULL;
     var->name=NULL; var->defval=NULL; var->override=NULL;
 -    D(("Config file name is: %s", file));
 +    D(("Called."));
 +#ifdef USE_ECONF
 +    /* If "file" is not NULL, only this file will be parsed. */
 +    retval = econf_read_file(pamh, file, " \t", PAM_ENV, ".conf", "security", &conf_list);
 +#else
 +    /* Only one file will be parsed. So, file has to be set. */
 +    if (file == NULL) /* No filename has been set via argv. */
 +      file = DEFAULT_CONF_FILE;
 +#ifdef VENDOR_DEFAULT_CONF_FILE
     /*
 -     * Lets try to open the config file, parse it and process
 -     * any variables found.
 -     */
 -
 -    if ((conf = fopen(file,"r")) == NULL) {
 -      pam_syslog(pamh, LOG_ERR, "Unable to open config file: %s: %m", file);
 -      return PAM_IGNORE;
 +    * Check whether file is available.
 +    * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
 +    */
 +    struct stat stat_buffer;
 +    if (stat(file, &stat_buffer) != 0 && errno == ENOENT) {
 +      file = VENDOR_DEFAULT_CONF_FILE;
     }
 +#endif
 +    retval = read_file(pamh, file, &conf_list);
 +#endif
 -    /* _pam_assemble_line will provide a complete line from the config file,
 -     * with all comments removed and any escaped newlines fixed up
 -     */
 -
 -    while (( retval = _assemble_line(conf, buffer, BUF_SIZE)) > 0) {
 -      D(("Read line: %s", buffer));
 +    if (retval != PAM_SUCCESS)
 +      return retval;
 -      if ((retval = _parse_line(pamh, buffer, var)) == GOOD_LINE) {
 +    for (char **conf = conf_list; *conf != NULL; ++conf) {
 +      if ((retval = _parse_line(pamh, *conf, var)) == GOOD_LINE) {
 	retval = _check_var(pamh, var);
 	if (DEFINE_VAR == retval) {
@@ -668,11 +879,10 @@ _parse_config_file(pam_handle_t *pamh, int ctrl, const char *file)
       _clean_var(var);
 -    }  /* while */
 -
 -    (void) fclose(conf);
 +    }  /* for */
     /* tidy up */
 +    free_string_array(conf_list);
     _clean_var(var);        /* We could have got here prematurely,
 			     * this is safe though */
     D(("Exit."));
@@ -683,19 +893,33 @@ static int
 _parse_env_file(pam_handle_t *pamh, int ctrl, const char *file)
 {
     int retval=PAM_SUCCESS, i, t;
 -    char buffer[BUF_SIZE], *key, *mark;
 -    FILE *conf;
 -
 -    D(("Env file name is: %s", file));
 -
 -    if ((conf = fopen(file,"r")) == NULL) {
 -      pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s: %m", file);
 -      return PAM_IGNORE;
 +    char *key, *mark;
 +    char **env_list = NULL;
 +
 +#ifdef USE_ECONF
 +    retval = econf_read_file(pamh, file, "=", ENVIRONMENT, "", "", &env_list);
 +#else
 +    /* Only one file will be parsed. So, file has to be set. */
 +    if (file == NULL) /* No filename has been set via argv. */
 +      file = DEFAULT_ETC_ENVFILE;
 +#ifdef VENDOR_DEFAULT_ETC_ENVFILE
 +    /*
 +    * Check whether file is available.
 +    * If it does not exist, fall back to VENDOR_DEFAULT_ETC_ENVFILE; file.
 +    */
 +    struct stat stat_buffer;
 +    if (stat(file, &stat_buffer) != 0 && errno == ENOENT) {
 +      file = VENDOR_DEFAULT_ETC_ENVFILE;
     }
 +#endif
 +    retval = read_file(pamh, file, &env_list);
 +#endif
 -    while (_assemble_line(conf, buffer, BUF_SIZE) > 0) {
 -	D(("Read line: %s", buffer));
 -	key = buffer;
 +    if (retval != PAM_SUCCESS)
 +        return retval == PAM_IGNORE ? PAM_SUCCESS : retval;
 +
 +    for (char **env = env_list; *env != NULL; ++env) {
 +        key = *env;
 	/* skip leading white space */
 	key += strspn(key, " \n\t");
@@ -767,11 +991,11 @@ _parse_env_file(pam_handle_t *pamh, int ctrl, const char *file)
 	    pam_syslog(pamh, LOG_DEBUG,
 		       "pam_putenv(\"%s\")", key);
 	}
 +	free(*env);
     }
 -    (void) fclose(conf);
 -
     /* tidy up */
 +    free(env_list);
     D(("Exit."));
     return retval;
 }
 diff --git a/modules/pam_env/tst-pam_env-retval.c b/modules/pam_env/tst-pam_env-retval.c
 index 6b9b3065a..99e2e2a54 100644
 --- a/modules/pam_env/tst-pam_env-retval.c
 +++ b/modules/pam_env/tst-pam_env-retval.c
@@ -17,11 +17,18 @@
 #define MODULE_NAME "pam_env"
 #define TEST_NAME "tst-" MODULE_NAME "-retval"
 +#define TEST_NAME_DIR TEST_NAME ".dir"
 static const char service_file[] = TEST_NAME ".service";
 static const char missing_file[] = TEST_NAME ".missing";
 +static const char dir[] = TEST_NAME_DIR;
 +static const char dir_usr[] = TEST_NAME_DIR "/usr";
 +static const char dir_usr_etc[] = TEST_NAME_DIR "/usr/etc";
 +static const char dir_usr_etc_security[] = TEST_NAME_DIR "/usr/etc/security";
 static const char my_conf[] = TEST_NAME ".conf";
 static const char my_env[] = TEST_NAME ".env";
 +static const char usr_env[] = TEST_NAME_DIR "/usr/etc/environment";
 +static const char usr_conf[] = TEST_NAME_DIR "/usr/etc/security/pam_env.conf";
 static struct pam_conv conv;
@@ -30,6 +37,11 @@ setup(void)
 {
 	FILE *fp;
 +	ASSERT_EQ(0, mkdir(dir, 0755));
 +	ASSERT_EQ(0, mkdir(dir_usr, 0755));
 +	ASSERT_EQ(0, mkdir(dir_usr_etc, 0755));
 +	ASSERT_EQ(0, mkdir(dir_usr_etc_security, 0755));
 +
 	ASSERT_NE(NULL, fp = fopen(my_conf, "w"));
 	ASSERT_LT(0, fprintf(fp,
 			     "EDITOR\tDEFAULT=vim\n"
@@ -41,6 +53,18 @@ setup(void)
 			     "test_value=foo\n"
 			     "test2_value=bar\n"));
 	ASSERT_EQ(0, fclose(fp));
 +
 +	ASSERT_NE(NULL, fp = fopen(usr_env, "w"));
 +	ASSERT_LT(0, fprintf(fp,
 +			     "usr_etc_test=foo\n"
 +			     "usr_etc_test2=bar\n"));
 +	ASSERT_EQ(0, fclose(fp));
 +
 +	ASSERT_NE(NULL, fp = fopen(usr_conf, "w"));
 +	ASSERT_LT(0, fprintf(fp,
 +			     "PAGER		DEFAULT=emacs\n"
 +			     "MANPAGER		DEFAULT=less\n"));
 +	ASSERT_EQ(0, fclose(fp));
 }
 static void
@@ -48,6 +72,12 @@ cleanup(void)
 {
 	ASSERT_EQ(0, unlink(my_conf));
 	ASSERT_EQ(0, unlink(my_env));
 +	ASSERT_EQ(0, unlink(usr_env));
 +	ASSERT_EQ(0, unlink(usr_conf));
 +	ASSERT_EQ(0, rmdir(dir_usr_etc_security));
 +	ASSERT_EQ(0, rmdir(dir_usr_etc));
 +	ASSERT_EQ(0, rmdir(dir_usr));
 +	ASSERT_EQ(0, rmdir(dir));
 }
 static void
@@ -191,6 +221,36 @@ main(void)
 	const char *env2[] = { "test_value=foo", "test2_value=bar", NULL };
 	check_env(env2);
 +#if defined (USE_ECONF)	&& defined (VENDORDIR)
 +
 +	/* envfile is a directory. So values will be read from {TEST_NAME_DIR}/usr/etc and {TEST_NAME_DIR}/etc */
 +	ASSERT_NE(NULL, fp = fopen(service_file, "w"));
 +	ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n"
 +			     "session required %s/.libs/%s.so"
 +			     " conffile=%s envfile=%s/%s/\n",
 +			     cwd, MODULE_NAME,
 +			     "/dev/null",
 +			     cwd, dir));
 +	ASSERT_EQ(0, fclose(fp));
 +
 +	const char *env3[] = {"usr_etc_test=foo", "usr_etc_test2=bar", NULL};
 +	check_env(env3);
 +
 +	/* conffile is a directory. So values will be read from {TEST_NAME_DIR}/usr/etc and {TEST_NAME_DIR}/etc */
 +	ASSERT_NE(NULL, fp = fopen(service_file, "w"));
 +	ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n"
 +			     "session required %s/.libs/%s.so"
 +			     " conffile=%s/%s/ envfile=%s\n",
 +			     cwd, MODULE_NAME,
 +			     cwd, dir,
 +			     "/dev/null"));
 +	ASSERT_EQ(0, fclose(fp));
 +
 +	const char *env4[] = {"PAGER=emacs", "MANPAGER=less", NULL};
 +	check_env(env4);
 +
 +#endif
 +
 	/* cleanup */
 	cleanup();
 	ASSERT_EQ(0, unlink(service_file));