Accepting request 725565 from Linux-PAM

OBS-URL: https://build.opensuse.org/request/show/725565 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=96
2019-09-07 09:24:03 +00:00 · 2019-09-07 09:24:03 +00:00 · 87f5d03c6d
commit 87f5d03c6d
parent c55b360cf6 9b6fc55e33
11 changed files with 266 additions and 198 deletions
--- a/Linux-PAM-1.3.1.tar.xz
+++ b/Linux-PAM-1.3.1.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:eff47a4ecd833fbf18de9686632a70ee8d0794b79aecb217ebd0ce11db4cd0db
-size 912332
--- a/14
+++ b/14
@ -0,0 +1,14 @@
+<services>
+  <service name="tar_scm" mode="disabled">
+    <param name="version">1.3.1</param>
+    <param name="versionformat">1.3.1+git%cd.%h</param>
+    <param name="url">git://github.com/linux-pam/linux-pam.git</param>
+    <param name="scm">git</param>
+    <param name="changesgenerate">enable</param>
+  </service>
+  <service name="recompress" mode="disabled">
+    <param name="compression">xz</param>
+    <param name="file">*.tar</param>
+  </service>
+  <service name="set_version" mode="disabled"/>
+</services>
--- a/6
+++ b/6
@ -0,0 +1,6 @@
+<servicedata>
+  <service name="tar_scm">
+    <param name="url">git://github.com/linux-pam/linux-pam.git</param>
+    <param name="changesrevision">e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15</param>
+ </service>
+</servicedata>
--- a/encryption_method_nis.diff
+++ b/encryption_method_nis.diff
@ -1,71 +0,0 @@
--- modules/pam_unix/pam_unix_passwd.c
-+++ modules/pam_unix/pam_unix_passwd.c	2016/04/11 13:49:32
-@@ -840,6 +840,29 @@
- 		 * rebuild the password database file.
- 		 */
- 
-+
-+		/* if it is a NIS account, check for special hash algo */
-+		if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) {
-+		  /* preset encryption method with value from /etc/login.defs */
-+		  int j;
-+		  char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS);
-+		  if (val) {
-+		    for (j = 0; j < UNIX_CTRLS_; ++j) {
-+		      if (unix_args[j].token && unix_args[j].is_hash_algo
-+			  && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
-+			break;
-+		      }
-+		    }
-+		    if (j >= UNIX_CTRLS_) {
-+		      pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val);
-+		    } else {
-+		      ctrl &= unix_args[j].mask;  /* for turning things off */
-+		      ctrl |= unix_args[j].flag;  /* for turning things on  */
-+		    }
-+		    free (val);
-+		  }
-+		}
-+
- 		/*
- 		 * First we encrypt the new password.
- 		 */
--- modules/pam_unix/support.c
-+++ modules/pam_unix/support.c	2016/04/11 13:49:32
-@@ -31,8 +31,8 @@
- #include "support.h"
- #include "passverify.h"
- 
-static char *
-search_key (const char *key, const char *filename)
-+char *
-+_unix_search_key (const char *key, const char *filename)
- {
-   FILE *fp;
-   char *buf = NULL;
-@@ -153,7 +153,7 @@
- 	}
- 
- 	/* preset encryption method with value from /etc/login.defs */
-	val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
-+	val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
- 	if (val) {
- 	  for (j = 0; j < UNIX_CTRLS_; ++j) {
- 	    if (unix_args[j].token && unix_args[j].is_hash_algo
-@@ -171,7 +171,7 @@
- 
- 	  /* read number of rounds for crypt algo */
- 	  if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
-	    val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
-+	    val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
- 
- 	    if (val) {
- 	      *rounds = strtol(val, NULL, 10);
--- modules/pam_unix/support.h
-+++ modules/pam_unix/support.h	2016/04/11 13:49:32
-@@ -174,4 +174,5 @@
- 
- extern int _unix_run_verify_binary(pam_handle_t *pamh,
- 			unsigned int ctrl, const char *user, int *daysleft);
-+extern char *_unix_search_key(const char *key, const char *filename);
- #endif /* _PAM_UNIX_SUPPORT_H */
--- a/etc.environment
+++ b/etc.environment
@ -1,5 +0,0 @@
-#
-# This file is parsed by pam_env module
-#
-# Syntax: simple "KEY=VAL" pairs on seperate lines
-#
--- a/linux-pam-1.3.1+git20190807.e31dd6c.tar.xz
+++ b/linux-pam-1.3.1+git20190807.e31dd6c.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5203477a4c8ea91e038e08f18efeb3836aa7b395de8b518f405eb3f43ea7fdbf
+size 530264
--- a/linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz
+++ b/linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:89397d7cb52e6a331b766d6219c6aaf3e3cc57c384ef8223f10c1f0ff4217bac
+size 64012
--- a/pam-login_defs-check.sh
+++ b/pam-login_defs-check.sh
@ -12,7 +12,7 @@ grep -rh LOGIN_DEFS . |
 	sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' |
 	LC_ALL=C sort -u >pam-login_defs-vars.lst

-if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3e1ae01b1e928c53c828f64ab412be6267eb1018 ; then
+if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != da39a3ee5e6b4b0d3255bfef95601890afd80709 ; then

 	echo "does not match!" >&2
 	echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,64 @@
+-------------------------------------------------------------------
+Thu Aug 22 20:29:24 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
+
+- Replace old $RPM_* shell vars by macros.
+- Avoid unnecessary invocation of subshells.
+- Shorten recipe for constructing securetty contents on s390.
+
+-------------------------------------------------------------------
+Mon Aug 19 14:45:43 CEST 2019 - kukuk@suse.de
+
+- usr-etc-support.patch: Add support for /usr/etc/pam.d
+
+-------------------------------------------------------------------
+Mon Aug 19 13:33:49 CEST 2019 - kukuk@suse.de
+
+- encryption_method_nis.diff: obsolete, NIS clients shouldn't
+  require DES anymore.
+- etc.environment: removed, the sources contain the same
+
+-------------------------------------------------------------------
+Mon Aug 19 11:28:31 UTC 2019 - kukuk@suse.com
+
+- Update to version 1.3.1+git20190807.e31dd6c:
+  * pam_tty_audit: Manual page clarification about password logging
+  * pam_get_authtok_verify: Avoid duplicate password verification
+  * Mention that ./autogen.sh is needeed to be run if you check out the sources from git
+  * pam_unix: Correct MAXPASS define name in the previous two commits.
+  * Restrict password length when changing password
+  * Trim password at PAM_MAX_RESP_SIZE chars
+  * pam_succeed_if: Request user data only when needed
+  * pam_tally2: Remove unnecessary fsync()
+  * Fixed a grammer mistake
+  * Fix documentation for pam_wheel
+  * Fix a typo in the documentation
+  * pam_lastlog: Improve silent option documentation
+  * pam_lastlog: Respect PAM_SILENT flag
+  * Fix regressions from the last commits.
+  * Replace strndupa with strncpy
+  * build: ignore pam_lastlog when logwtmp is not available.
+  * build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
+  * pam_motd: Cleanup the code and avoid unnecessary logging
+  * pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
+  * Move the duplicated search_key function to pam_modutil.
+  * pam_unix: Use pam_syslog instead of helper_log_err.
+  * pam_unix: Report unusable hashes found by checksalt to syslog.
+  * Revert "pam_unix: Add crypt_default method, if supported."
+  * pam_unix: Add crypt_default method, if supported.
+  * Revert part of the commit 4da9febc
+  * pam_unix: Add support for (gost-)yescrypt hashing methods.
+  * pam_unix: Fix closing curly brace. (#77)
+  * pam_unix: Add support for crypt_checksalt, if libcrypt supports it.
+  * pam_unix: Prefer a gensalt function, that supports auto entropy.
+  * pam_motd: Fix segmentation fault when no motd_dir specified (#76)
+  * pam_motd: Support multiple motd paths specified, with filename overrides (#69)
+  * pam_unix: Use bcrypt b-variant for computing new hashes.
+  * pam_tally, pam_tally2: fix grammar and spelling (#54)
+  * Fix grammar of messages printed via pam_prompt
+  * pam_stress: do not mark messages for translation
+  * pam_unix: remove obsolete _UNIX_AUTHTOK, _UNIX_OLD_AUTHTOK, and _UNIX_NEW_AUTHTOK macros
+  * pam_unix: remove obsolete _unix_read_password prototype
+
 -------------------------------------------------------------------
 Thu May  2 23:55:30 CEST 2019 - sbrabec@suse.com

--- a/pam.spec
+++ b/pam.spec
@ -18,13 +18,49 @@

 #
 %define enable_selinux 1
-
+%define libpam_so_version 0.84.2
+%define libpam_misc_so_version 0.82.1
+%define libpamc_so_version 0.82.1
 Name:           pam
-Url:            http://www.linux-pam.org/
+#
+Version:        1.3.1+git20190807.e31dd6c
+Release:        0
+Summary:        A Security Tool that Provides Authentication for Applications
+License:        GPL-2.0-or-later OR BSD-3-Clause
+Group:          System/Libraries
+URL:            http://www.linux-pam.org/
+Source:         linux-pam-%{version}.tar.xz
+Source1:        Linux-PAM-1.3.1-docs.tar.xz
+Source2:        linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz
+Source3:        other.pamd
+Source4:        common-auth.pamd
+Source5:        common-account.pamd
+Source6:        common-password.pamd
+Source7:        common-session.pamd
+Source8:        securetty
+Source9:        baselibs.conf
+Source10:       unix2_chkpwd.c
+Source11:       unix2_chkpwd.8
+Source12:       pam-login_defs-check.sh
+Patch0:         fix-man-links.dif
+Patch2:         pam-limit-nproc.patch
+Patch4:         pam-hostnames-in-access_conf.patch
+Patch5:         use-correct-IP-address.patch
+Patch6:         usr-etc-support.patch
 BuildRequires:  audit-devel
+# Remove with next version update:
+BuildRequires:  autoconf
+BuildRequires:  automake
 BuildRequires:  bison
 BuildRequires:  cracklib-devel
 BuildRequires:  flex
+BuildRequires:  libdb-4_8-devel
+BuildRequires:  libtool
+# All login.defs variables require support from shadow side.
+# Upgrade this symbol version only if new variables appear!
+# Verify by shadow-login_defs-check.sh from shadow source package.
+Requires:       login_defs-support-for-pam >= 1.3.1
+Requires(post): permissions
 %if 0%{?suse_version} > 1320
 BuildRequires:  libdb-4_8-devel
 BuildRequires:  xz
@ -34,59 +70,16 @@ BuildRequires:  pkgconfig(libtirpc)
 %if %{enable_selinux}
 BuildRequires:  libselinux-devel
 %endif
-%define libpam_so_version 0.84.2
-%define libpam_misc_so_version 0.82.1
-%define libpamc_so_version 0.82.1
-#
-Version:        1.3.1
-Release:        0
-Summary:        A Security Tool that Provides Authentication for Applications
-License:        GPL-2.0-or-later OR BSD-3-Clause
-Group:          System/Libraries
-PreReq:         permissions
 %if 0%{?suse_version} >= 1330
 Requires(pre):  group(shadow)
 Requires(pre):  user(root)
 %endif
-# All login.defs variables require support from shadow side.
-# Upgrade this symbol version only if new variables appear!
-# Verify by shadow-login_defs-check.sh from shadow source package.
-# Recent symbol includes variable from encryption_method_nis.diff.
-Requires:       login_defs-support-for-pam >= 1.3.1
-
-#DL-URL:	https://fedorahosted.org/releases/l/i/linux-pam/
-Source:         Linux-PAM-%{version}.tar.xz
-Source1:        Linux-PAM-%{version}-docs.tar.xz
-Source2:        securetty
-Source3:        other.pamd
-Source4:        common-auth.pamd
-Source5:        common-account.pamd
-Source6:        common-password.pamd
-Source7:        common-session.pamd
-Source8:        etc.environment
-Source9:        baselibs.conf
-Source10:       unix2_chkpwd.c
-Source11:       unix2_chkpwd.8
-Source12:       pam-login_defs-check.sh
-Patch0:         fix-man-links.dif
-Patch2:         pam-limit-nproc.patch
-Patch3:         encryption_method_nis.diff
-Patch4:         pam-hostnames-in-access_conf.patch
-Patch5:         use-correct-IP-address.patch
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-BuildRequires:  libdb-4_8-devel
-# Remove with next version update:
-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  libtool

 %description
 PAM (Pluggable Authentication Modules) is a system security tool that
 allows system administrators to set authentication policies without
 having to recompile programs that do authentication.

-
-
 %package doc
 Summary:        Documentation for Pluggable Authentication Modules
 Group:          Documentation/HTML
@ -101,10 +94,8 @@ having to recompile programs that do authentication.

 This package contains the documentation.

-
-
 %package devel
-Summary:        Include Files and Libraries for PAM-Development
+Summary:        Include Files and Libraries for PAM Development
 Group:          Development/Libraries/C and C++
 Requires:       glibc-devel
 Requires:       pam = %{version}
@ -117,24 +108,23 @@ having to recompile programs which do authentication.
 This package contains header files and static libraries used for
 building both PAM-aware applications and modules for use with PAM.

-
-
 %prep
-%setup -q -n Linux-PAM-%{version} -b 1
-cp -a %{S:12} .
+%setup -q -n linux-pam-%{version} -b 1 -a 2
+cp -av ../Linux-PAM-1.3.1/* .
+cp -a %{SOURCE12} .
 %patch0 -p1
 %patch2 -p1
-%patch3 -p0
-%patch4 -p0
+%patch4
 %patch5 -p1
+%patch6

 %build
 bash ./pam-login_defs-check.sh
-autoreconf -fiv
-export CFLAGS="%optflags -DNDEBUG"
+./autogen.sh
+export CFLAGS="%{optflags} -DNDEBUG"
 %configure \
 	--sbindir=/sbin \
-	--includedir=%_includedir/security \
+	--includedir=%{_includedir}/security \
 	--docdir=%{_docdir}/pam \
 	--htmldir=%{_docdir}/pam/html \
 	--pdfdir=%{_docdir}/pam/pdf \
@ -142,83 +132,72 @@ export CFLAGS="%optflags -DNDEBUG"
 	--enable-isadir=../../%{_lib}/security \
        --enable-securedir=/%{_lib}/security
 make %{?_smp_mflags}
-%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/.libs/ -lpam
+gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/linux-pam-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/linux-pam-%{version}/libpam/.libs/ -lpam

 %check
 make %{?_smp_mflags} check

 %install
-mkdir -p $RPM_BUILD_ROOT/etc/pam.d
-mkdir -p $RPM_BUILD_ROOT/usr/include/security
-mkdir -p $RPM_BUILD_ROOT/%{_lib}/security
-mkdir -p $RPM_BUILD_ROOT/sbin
-mkdir -p -m 755 $RPM_BUILD_ROOT%{_libdir}
-make DESTDIR=$RPM_BUILD_ROOT install
-/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}
+mkdir -p %{buildroot}%{_sysconfdir}/pam.d
+mkdir -p %{buildroot}%{_prefix}%{_sysconfdir}/pam.d
+mkdir -p %{buildroot}%{_includedir}/security
+mkdir -p %{buildroot}/%{_lib}/security
+mkdir -p %{buildroot}/sbin
+mkdir -p -m 755 %{buildroot}%{_libdir}
+%make_install
+/sbin/ldconfig -n %{buildroot}/%{_lib}
 # Install documentation
-make -C doc install DESTDIR=$RPM_BUILD_ROOT
-# install /etc/environment
-install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc/environment
+%make_install -C doc
 # install securetty
-install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/etc
+install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}
 %ifarch s390 s390x
-echo "ttyS0" >> $RPM_BUILD_ROOT/etc/securetty
-echo "ttyS1" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc0" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc1" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc2" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc3" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc4" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc5" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc6" >> $RPM_BUILD_ROOT/etc/securetty
-echo "hvc7" >> $RPM_BUILD_ROOT/etc/securetty
-echo "sclp_line0" >> $RPM_BUILD_ROOT/etc/securetty
-echo "ttysclp0" >> $RPM_BUILD_ROOT/etc/securetty
+for i in ttyS0 ttyS1 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 sclp_line0 ttysclp0; do
+	echo "$i" >>%{buildroot}/%{_sysconfdir}/securetty
+done
 %endif
 # install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
-install -d $RPM_BUILD_ROOT%{_sysconfdir}/security/namespace.d
+install -d %{buildroot}%{_sysconfdir}/security/namespace.d
 # install other.pamd and common-*.pamd
-install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/other
-install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/etc/pam.d/common-auth
-install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/common-account
-install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/common-password
-install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/etc/pam.d/common-session
-rm $RPM_BUILD_ROOT/%{_lib}/libpam.so
-ln -sf ../../%{_lib}/libpam.so.%{libpam_so_version} $RPM_BUILD_ROOT%{_libdir}/libpam.so
-rm $RPM_BUILD_ROOT/%{_lib}/libpamc.so
-ln -sf ../../%{_lib}/libpamc.so.%{libpamc_so_version} $RPM_BUILD_ROOT%{_libdir}/libpamc.so
-rm $RPM_BUILD_ROOT/%{_lib}/libpam_misc.so
-ln -sf ../../%{_lib}/libpam_misc.so.%{libpam_misc_so_version} $RPM_BUILD_ROOT%{_libdir}/libpam_misc.so
+install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pam.d/other
+install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/common-auth
+install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/common-account
+install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/common-password
+install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/pam.d/common-session
+rm %{buildroot}/%{_lib}/libpam.so
+ln -sf ../../%{_lib}/libpam.so.%{libpam_so_version} %{buildroot}%{_libdir}/libpam.so
+rm %{buildroot}/%{_lib}/libpamc.so
+ln -sf ../../%{_lib}/libpamc.so.%{libpamc_so_version} %{buildroot}%{_libdir}/libpamc.so
+rm %{buildroot}/%{_lib}/libpam_misc.so
+ln -sf ../../%{_lib}/libpam_misc.so.%{libpam_misc_so_version} %{buildroot}%{_libdir}/libpam_misc.so
 #
 # Remove crap
 #
-rm -rf $RPM_BUILD_ROOT/%{_lib}/*.la $RPM_BUILD_ROOT/%{_lib}/security/*.la
+find %{buildroot} -type f -name "*.la" -delete -print
 for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do
-  ln -f $RPM_BUILD_ROOT/%{_lib}/security/pam_unix.so $RPM_BUILD_ROOT/%{_lib}/security/$x.so
+  ln -f %{buildroot}/%{_lib}/security/pam_unix.so %{buildroot}/%{_lib}/security/$x.so
 done
 #
 # Install READMEs of PAM modules
 #
-DOC=$RPM_BUILD_ROOT%{_defaultdocdir}/pam
+DOC=%{buildroot}%{_defaultdocdir}/pam
 mkdir -p $DOC/modules
-(
-  cd modules;
-  for i in pam_*/README ; do
-    cp -fpv ${i} $DOC/modules/README.`dirname ${i}`
-  done
-)
+pushd modules
+for i in pam_*/README; do
+	cp -fpv "$i" "$DOC/modules/README.${i%/*}"
+done
+popd
 #
 # pam_tally is deprecated since ages
 #
-rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so
-rm -f $RPM_BUILD_ROOT/sbin/pam_tally
-rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8*
-rm -f $RPM_BUILD_ROOT%{_defaultdocdir}/pam/modules/README.pam_tally
+rm -f %{buildroot}/%{_lib}/security/pam_tally.so
+rm -f %{buildroot}/sbin/pam_tally
+rm -f %{buildroot}%{_mandir}/man8/pam_tally.8*
+rm -f %{buildroot}%{_defaultdocdir}/pam/modules/README.pam_tally
 # Install unix2_chkpwd
-install -m 755 $RPM_BUILD_DIR/unix2_chkpwd $RPM_BUILD_ROOT/sbin/
-install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
+install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}/sbin/
+install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
 # Create filelist with translatins
-%{find_lang} Linux-PAM
+%find_lang Linux-PAM

 %verifyscript
 %verify_permissions -e /sbin/unix_chkpwd
@ -232,8 +211,8 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
 %postun -p /sbin/ldconfig

 %files -f Linux-PAM.lang
-%defattr(-,root,root)
 %dir %{_sysconfdir}/pam.d
+%dir %{_prefix}%{_sysconfdir}/pam.d
 %dir %{_sysconfdir}/security
 %dir %{_sysconfdir}/security/limits.d
 %dir %{_defaultdocdir}/pam
@ -251,13 +230,13 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
 %config(noreplace) %{_sysconfdir}/security/time.conf
 %config(noreplace) %{_sysconfdir}/security/namespace.conf
 %config(noreplace) %{_sysconfdir}/security/namespace.init
-%dir  %{_sysconfdir}/security/namespace.d
+%dir %{_sysconfdir}/security/namespace.d
 %doc NEWS
 %license COPYING
-%doc %{_mandir}/man5/environment.5*
-%doc %{_mandir}/man5/*.conf.5*
-%doc %{_mandir}/man5/pam.d.5*
-%doc %{_mandir}/man8/*
+%{_mandir}/man5/environment.5%{?ext_man}
+%{_mandir}/man5/*.conf.5%{?ext_man}
+%{_mandir}/man5/pam.d.5%{?ext_man}
+%{_mandir}/man8/*
 /%{_lib}/libpam.so.0
 /%{_lib}/libpam.so.%{libpam_so_version}
 /%{_lib}/libpamc.so.0
@ -333,9 +312,9 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/

 %files devel
 %defattr(644,root,root,755)
-%dir /usr/include/security
-%doc %{_mandir}/man3/pam*
-%doc %{_mandir}/man3/misc_conv.3*
+%dir %{_includedir}/security
+%{_mandir}/man3/pam*
+%{_mandir}/man3/misc_conv.3%{?ext_man}
 %{_includedir}/security/*.h
 %{_libdir}/libpam.so
 %{_libdir}/libpamc.so
--- a/usr-etc-support.patch
+++ b/usr-etc-support.patch
@ -0,0 +1,81 @@
+--- doc/man/pam.8.xml
+++ doc/man/pam.8.xml	2019/08/16 13:37:44
+@@ -53,11 +53,13 @@
+ 
+     <para>
+       Vendor-supplied PAM configuration files might be installed in
+-      the system directory <filename>/usr/lib/pam.d/</filename> instead
+      the system directory <filename>/usr/lib/pam.d/</filename> or
+      <filename>/usr/etc/pam.d/</filename> instead
+       of the machine configuration directory <filename>/etc/pam.d/</filename>.
+       If no machine configuration file is found, the vendor-supplied file
+       is used. All files in <filename>/etc/pam.d/</filename> override
+-      files with the same name in <filename>/usr/lib/pam.d/</filename>.
+      files with the same name in <filename>/usr/lib/pam.d/</filename>,
+      which override files with the same name in <filename>/usr/etc/pam.d/</filename>.
+     </para>
+ 
+ <para>From the point of view of the system administrator, for whom this
+@@ -157,6 +159,16 @@
+           </para>
+         </listitem>
+       </varlistentry>
+      <term><filename>/usr/etc/pam.d</filename></term>
+        <listitem>
+          <para>
+            the <emphasis remap='B'>Linux-PAM</emphasis> vendor configuration
+	    directory. Files in <filename>/etc/pam.d</filename> and
+	    <filename>/usr/lib/pam.d</filename> override files with the same
+	    name in this directory.
+          </para>
+        </listitem>
+      </varlistentry>
+     </variablelist>
+   </refsect1>
+ 
+--- libpam/pam_handlers.c
+++ libpam/pam_handlers.c	2019/08/16 13:35:31
+@@ -329,6 +329,21 @@
+ 	    *file = f;
+ 	    return PAM_SUCCESS;
+     }
+
+    /* System Configuration /usr/etc/pam.d/ */
+    _pam_drop(p);
+    if (asprintf (&p, PAM_CONFIG_DIST2_DF, service) < 0) {
+        pam_syslog(pamh, LOG_CRIT, "asprintf failed");
+        return PAM_BUF_ERR;
+    }
+    D(("opening %s", p));
+    f = fopen(p, "r");
+    if (f != NULL) {
+            *path = p;
+            *file = f;
+            return PAM_SUCCESS;
+    }
+
+     _pam_drop(p);
+ 
+     return PAM_ABORT;
+@@ -447,7 +462,8 @@
+ 
+ 	/* Is there a PAM_CONFIG_D directory? */
+ 	if ((stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) ||
+-	    (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) {
+	    (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) ||
+	    (stat(PAM_CONFIG_DIST2_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) {
+ 	    char *path = NULL;
+ 	    int read_something=0;
+ 
+--- libpam/pam_private.h
+++ libpam/pam_private.h	2019/08/16 13:33:04
+@@ -29,6 +29,9 @@
+ #define PAM_CONFIG_DF      "/etc/pam.d/%s"
+ #define PAM_CONFIG_DIST_D  "/usr/lib/pam.d"
+ #define PAM_CONFIG_DIST_DF "/usr/lib/pam.d/%s"
+#define PAM_CONFIG_DIST2_D  "/usr/etc/pam.d"
+#define PAM_CONFIG_DIST2_DF "/usr/etc/pam.d/%s"
+
+ 
+ #define PAM_DEFAULT_SERVICE        "other"     /* lower case */
+