authorStefan Schubert <schubi@suse.de>2022-01-10 10:57:54 +0100
committerDmitry V. Levin <ldv@altlinux.org>2022-02-01 13:17:40 +0000
commit5896ae50af24a5402eee3bdeb782fb5736daf3cb (patch)
tree58b6eddc88940f639e5a2c355715d7bb27822407
parentc11b0f5d8f9f6abcc76594af9e3b5e647b19f61f (diff)
pam_faillock: use vendor specific faillock.conf as fallback
Use the vendor directory defined by --enable-vendordir=DIR configure option as fallback for the distribution provided default config file if there is no configuration in /etc. * modules/pam_faillock/pam_faillock.8.xml: Describe this. * modules/pam_faillock/faillock.h [VENDOR_SCONFIGDIR] (VENDOR_FAILLOCK_DEFAULT_CONF): New macro. * modules/pam_faillock/pam_faillock.c (read_config_file) [VENDOR_FAILLOCK_DEFAULT_CONF]: Try to open VENDOR_FAILLOCK_DEFAULT_CONF file when FAILLOCK_DEFAULT_CONF file does not exist. Co-authored-by: Dmitry V. Levin <ldv@altlinux.org> Resolves: https://github.com/linux-pam/linux-pam/pull/423
-rw-r--r--modules/pam_faillock/faillock.h3
-rw-r--r--modules/pam_faillock/pam_faillock.8.xml18
-rw-r--r--modules/pam_faillock/pam_faillock.c9
3 files changed, 29 insertions, 1 deletions
diff --git a/modules/pam_faillock/faillock.h b/modules/pam_faillock/faillock.h
index a6081077..c3f157ef 100644
--- a/modules/pam_faillock/faillock.h
+++ b/modules/pam_faillock/faillock.h
@@ -68,6 +68,9 @@ struct tally_data {
#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
#define FAILLOCK_DEFAULT_CONF SCONFIGDIR "/faillock.conf"
+#ifdef VENDOR_SCONFIGDIR
+#define VENDOR_FAILLOCK_DEFAULT_CONF VENDOR_SCONFIGDIR "/faillock.conf"
+#endif
int open_tally(const char *dir, const char *user, uid_t uid, int create);
int read_tally(int fd, struct tally_data *tallies);
diff --git a/modules/pam_faillock/pam_faillock.8.xml b/modules/pam_faillock/pam_faillock.8.xml
index 58c16442..79bcbbd0 100644
--- a/modules/pam_faillock/pam_faillock.8.xml
+++ b/modules/pam_faillock/pam_faillock.8.xml
@@ -134,10 +134,17 @@
<option>conf=/path/to/config-file</option>
</term>
<listitem>
- <para>
+ <para condition="without_vendordir">
Use another configuration file instead of the default
<filename>/etc/security/faillock.conf</filename>.
</para>
+ <para condition="with_vendordir">
+ Use another configuration file instead of the default
+ which is to use the file
+ <filename>/etc/security/faillock.conf</filename> or,
+ if that one is not present, the file
+ <filename>%vendordir%/security/faillock.conf</filename>.
+ </para>
</listitem>
</varlistentry>
</variablelist>
@@ -328,6 +335,15 @@ session required pam_selinux.so open
<para>the config file for pam_faillock options</para>
</listitem>
</varlistentry>
+ <varlistentry condition="with_vendordir">
+ <term><filename>%vendordir%/security/faillock.conf</filename></term>
+ <listitem>
+ <para>
+ the config file for pam_faillock options. It will be used if
+ <filename>/etc/security/faillock.conf</filename> does not exist.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
index 8328fbae..932d4281 100644
--- a/modules/pam_faillock/pam_faillock.c
+++ b/modules/pam_faillock/pam_faillock.c
@@ -192,6 +192,15 @@ read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile)
char linebuf[FAILLOCK_CONF_MAX_LINELEN+1];
f = fopen(cfgfile, "r");
+#ifdef VENDOR_FAILLOCK_DEFAULT_CONF
+ if (f == NULL && errno == ENOENT && cfgfile == default_faillock_conf) {
+ /*
+ * If the default configuration file in /etc does not exist,
+ * try the vendor configuration file as fallback.
+ */
+ f = fopen(VENDOR_FAILLOCK_DEFAULT_CONF, "r");
+ }
+#endif
if (f == NULL) {
/* ignore non-existent default config file */
if (errno == ENOENT && cfgfile == default_faillock_conf)
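Review bot: Once the `#ifdef VENDOR_FAILLOCK_DEFAULT_CONF` block has retried with the vendor file, `cfgfile` still names the /etc path, so if the vendor file exists but cannot be opened (EACCES, ELOOP, ...) the `if (f == NULL)` branch below sees an errno that came from a different file than the one it can report; the `cfgfile == default_faillock_conf` test is still correct there, since a missing vendor file should keep being treated as "no configuration". Tracking the path actually tried keeps that intent and makes any diagnostic truthful: `const char *path = cfgfile;` before the first fopen, `f = fopen(path, "r");`, and in the fallback `path = VENDOR_FAILLOCK_DEFAULT_CONF; f = fopen(path, "r");`, with the error branch using `path` wherever it currently names `cfgfile`. Whether that branch logs the file name at all is not visible here; read_config_file starts before this hunk and its error handling continues after it. Because a removed /etc/security/faillock.conf now silently switches lockout policy to the vendor defaults instead of leaving the module unconfigured, a debug-level message stating which file was selected (the module has `pamh` available for pam_syslog, assuming it is used elsewhere in this file) would help operators verify which policy is in force.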