-rw-r--r--modules/pam_unix/Makefile.am6
-rw-r--r--modules/pam_unix/optetc.h20
-rw-r--r--modules/pam_unix/pam_unix_passwd.c2
-rw-r--r--modules/pam_unix/passverify.c24
-rw-r--r--modules/pam_unix/passverify.h2
-rw-r--r--modules/pam_unix/support.c4
-rw-r--r--packaging/pam.spec1
-rw-r--r--packaging/system-auth6
8 files changed, 47 insertions, 18 deletions
diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
index 56ed591..e540f3a 100644
--- a/modules/pam_unix/Makefile.am
+++ b/modules/pam_unix/Makefile.am
@@ -48,6 +48,12 @@ if STATIC_MODULES
pam_unix_la_SOURCES += pam_unix_static.c
endif
+securelib_LTLIBRARIES += pam_unix_optfiles.la
+pam_unix_optfiles_la_LDFLAGS = $(pam_unix_la_LDFLAGS)
+pam_unix_optfiles_la_LIBADD = $(pam_unix_la_LIBADD)
+pam_unix_optfiles_la_CFLAGS = $(AM_CFLAGS) -DUSE_OPT_ETC
+pam_unix_optfiles_la_SOURCES = $(pam_unix_la_SOURCES)
+
bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
bigcrypt_CFLAGS = $(AM_CFLAGS)
bigcrypt_LDADD = @LIBCRYPT@
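Review bot: Only the module library is duplicated here; the setuid helper programs that pam_unix execs when it cannot read the shadow file itself (unix_chkpwd/unix_update, declared elsewhere in this Makefile.am and not in the hunk) are not built with `-DUSE_OPT_ETC`. The confinement test in passverify.c in this same commit (unix_selinux_confined) opens SHADOW_FILE to decide whether to go through that helper path, so when the optfiles module does fall back to a helper, the helper would presumably verify against the default /etc/shadow rather than /opt/etc/shadow and the fallback would silently check the wrong database. Either add matching helper targets built with the same flag and point the optfiles module at them, or document that the optfiles instance is only correct where the module runs as root. A comment on the new target would make this visible, e.g. `# second pam_unix instance reading its databases from /opt/etc (see optetc.h); the unix_chkpwd/unix_update helpers are NOT rebuilt for it`.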
diff --git a/modules/pam_unix/optetc.h b/modules/pam_unix/optetc.h
new file mode 100644
index 0000000..578a3ec
--- /dev/null
+++ b/modules/pam_unix/optetc.h
@@ -0,0 +1,20 @@
+#ifndef OPT_ETC_H
+#define OPT_ETC_H
+
+#ifdef USE_OPT_ETC
+# define PASSWD_FILE "/opt/etc/passwd"
+# define SHADOW_FILE "/opt/etc/shadow"
+# define PW_TMPFILE "/opt/etc/npasswd"
+# define SH_TMPFILE "/opt/etc/nshadow"
+# define OPW_TMPFILE "/opt/etc/security/nopasswd"
+# define OLD_PASSWORDS_FILE "/opt/etc/security/opasswd"
+#else
+# define PASSWD_FILE "/etc/passwd"
+# define SHADOW_FILE "/etc/shadow"
+# define PW_TMPFILE "/etc/npasswd"
+# define SH_TMPFILE "/etc/nshadow"
+# define OPW_TMPFILE "/etc/security/nopasswd"
+# define OLD_PASSWORDS_FILE "/etc/security/opasswd"
+#endif
+
+#endif /* OPT_ETC_H */
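Review bot: The header gives no hint of what USE_OPT_ETC is or what it requires of the system, so a reader of passverify.c or support.c now has to trace the macro back to Makefile.am. A head comment along the lines of `/* Account-database paths for pam_unix. Building with -DUSE_OPT_ETC (the pam_unix_optfiles target) redirects all of them to /opt/etc; /opt/etc and /opt/etc/security must then exist with the same root ownership and mode as /etc, since the module treats these files as the authoritative password store and the *_TMPFILE entries are renamed over them. */` would cover the trust requirement and the same-filesystem constraint implied by the rename() calls in passverify.c. If the write lock taken by the bundled lckpwdf.-c still uses a fixed path under /etc, that is worth stating here too, as it is the one path this header does not redirect. Since the packaging stacks the two instances as sufficient, an account present in both /etc and /opt/etc is accepted by whichever database matches first, so a lock or expiry in one does not apply to the other; that consequence belongs in this comment as well.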
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 0d896b0..c8d690f 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -62,6 +62,8 @@
#include <security/_pam_macros.h>
+#include "optetc.h"
+
/* indicate the following groups are defined */
#ifdef PAM_STATIC
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index c80d47f..bd4fa77 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -49,6 +49,8 @@
# include "./lckpwdf.-c"
#endif
+#include "optetc.h"
+
static void
strip_hpux_aging(char *hash)
{
@@ -284,12 +286,6 @@ PAMH_ARG_DECL(int check_shadow_expiry,
return PAM_SUCCESS;
}
-/* passwd/salt conversion macros */
-
-#define PW_TMPFILE "/etc/npasswd"
-#define SH_TMPFILE "/etc/nshadow"
-#define OPW_TMPFILE "/etc/security/nopasswd"
-
/*
* i64c - convert an integer to a radix 64 character
*/
@@ -459,7 +455,7 @@ unix_selinux_confined(void)
}
/* let's try opening shadow read only */
- if ((fd=open("/etc/shadow", O_RDONLY)) != -1) {
+ if ((fd=open(SHADOW_FILE, O_RDONLY)) != -1) {
close(fd);
confined = 0;
return confined;
@@ -582,7 +578,7 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
#ifdef WITH_SELINUX
if (SELINUX_ENABLED) {
security_context_t passwd_context=NULL;
- if (getfilecon("/etc/passwd",&passwd_context)<0) {
+ if (getfilecon(PASSWD_FILE,&passwd_context)<0) {
return PAM_AUTHTOK_ERR;
};
if (getfscreatecon(&prev_context)<0) {
@@ -732,7 +728,7 @@ PAMH_ARG_DECL(int unix_update_passwd,
#ifdef WITH_SELINUX
if (SELINUX_ENABLED) {
security_context_t passwd_context=NULL;
- if (getfilecon("/etc/passwd",&passwd_context)<0) {
+ if (getfilecon(PASSWD_FILE,&passwd_context)<0) {
return PAM_AUTHTOK_ERR;
};
if (getfscreatecon(&prev_context)<0) {
@@ -754,7 +750,7 @@ PAMH_ARG_DECL(int unix_update_passwd,
goto done;
}
- opwfile = fopen("/etc/passwd", "r");
+ opwfile = fopen(PASSWD_FILE, "r");
if (opwfile == NULL) {
fclose(pwfile);
err = 1;
@@ -815,7 +811,7 @@ PAMH_ARG_DECL(int unix_update_passwd,
done:
if (!err) {
- if (!rename(PW_TMPFILE, "/etc/passwd"))
+ if (!rename(PW_TMPFILE, PASSWD_FILE))
pam_syslog(pamh,
LOG_NOTICE, "password changed for %s", forwho);
else
@@ -857,7 +853,7 @@ PAMH_ARG_DECL(int unix_update_shadow,
#ifdef WITH_SELINUX
if (SELINUX_ENABLED) {
security_context_t shadow_context=NULL;
- if (getfilecon("/etc/shadow",&shadow_context)<0) {
+ if (getfilecon(SHADOW_FILE,&shadow_context)<0) {
return PAM_AUTHTOK_ERR;
};
if (getfscreatecon(&prev_context)<0) {
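Review bot: `getfilecon(SHADOW_FILE, …)` now reads the label of /opt/etc/shadow and the replacement file is created under that label; unless the SELinux file-context policy is extended to label /opt/etc/shadow the way /etc/shadow is labelled (shadow_t on reference-policy systems), the rewritten file inherits whatever generic label /opt carries and loses the confinement /etc/shadow has. The same applies to the PASSWD_FILE hunks earlier in this file and in save_old_password. Packaging should ship matching file-context entries, or the optfiles build should document that it expects them; a one-line comment here, `/* the new file inherits the label of SHADOW_FILE; /opt/etc needs its own file-context rule */`, would flag it. unix_update_shadow starts and ends outside this hunk.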
@@ -879,7 +875,7 @@ PAMH_ARG_DECL(int unix_update_shadow,
goto done;
}
- opwfile = fopen("/etc/shadow", "r");
+ opwfile = fopen(SHADOW_FILE, "r");
if (opwfile == NULL) {
fclose(pwfile);
err = 1;
@@ -958,7 +954,7 @@ PAMH_ARG_DECL(int unix_update_shadow,
done:
if (!err) {
- if (!rename(SH_TMPFILE, "/etc/shadow"))
+ if (!rename(SH_TMPFILE, SHADOW_FILE))
pam_syslog(pamh,
LOG_NOTICE, "password changed for %s", forwho);
else
diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
index caf7ae8..8725ddf 100644
--- a/modules/pam_unix/passverify.h
+++ b/modules/pam_unix/passverify.h
@@ -10,8 +10,6 @@
#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */
-#define OLD_PASSWORDS_FILE "/etc/security/opasswd"
-
int
verify_pwd_hash(const char *p, char *hash, unsigned int nullok);
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index b58d7b2..18bca71 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -37,6 +37,8 @@
#define SELINUX_ENABLED 0
#endif
+#include "optetc.h"
+
/* this is a front-end for module-application conversations */
int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
@@ -281,7 +283,7 @@ int _unix_getpwnam(pam_handle_t *pamh, const char *name,
if (!matched && files) {
int userlen = strlen(name);
- passwd = fopen("/etc/passwd", "r");
+ passwd = fopen(PASSWD_FILE, "r");
if (passwd != NULL) {
while (fgets(buf, sizeof(buf), passwd) != NULL) {
if ((buf[userlen] == ':') &&
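Review bot: Only the direct file scan is redirected; the primary lookup in _unix_getpwnam above this hunk (not visible here) presumably still goes through getpwnam()/NSS, and as far as this diff shows the shadow record used by the verify path in passverify.c is still fetched with getspnam() rather than read from SHADOW_FILE. If so, a user present only in /opt/etc/passwd is found by this fallback only when `files` is set, and the hash is then looked up through NSS in /etc/shadow rather than /opt/etc/shadow, so authentication against the optfiles database may never consult the file this commit points at. Worth confirming with a test account that exists only in /opt/etc, and documenting on the fallback: `/* with USE_OPT_ETC this reads PASSWD_FILE directly; NSS knows nothing about /opt/etc */`. _unix_getpwnam starts and ends outside this hunk.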
diff --git a/packaging/pam.spec b/packaging/pam.spec
index fdef5b1..1767ce3 100644
--- a/packaging/pam.spec
+++ b/packaging/pam.spec
@@ -155,6 +155,7 @@ fi
%{_moduledir}/pam_securetty.so
%{_moduledir}/pam_succeed_if.so
%{_moduledir}/pam_unix.so
+%{_moduledir}/pam_unix_optetc.so
%{_moduledir}/pam_wheel.so
%{_moduledir}/pam_xauth.so
%{_moduledir}/pam_filter
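Review bot: The packaged file name does not match what the build produces: Makefile.am adds `pam_unix_optfiles.la` (so the installed module is pam_unix_optfiles.so) and system-auth loads `pam_unix_optfiles.so`, but this line lists `%{_moduledir}/pam_unix_optetc.so`. With that name the rpm build fails on an unpackaged file at best, or at worst ships a system-auth referencing a module that is not installed, so the new sufficient entries silently fall through to pam_deny.so. Change this line to `%{_moduledir}/pam_unix_optfiles.so`.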
diff --git a/packaging/system-auth b/packaging/system-auth
index 4f8b4f0..84323d0 100644
--- a/packaging/system-auth
+++ b/packaging/system-auth
@@ -1,13 +1,17 @@
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
+auth sufficient pam_unix_optfiles.so try_first_pass nullok
auth required pam_deny.so
-account required pam_unix.so
+account sufficient pam_unix.so
+account sufficient pam_unix_optfiles.so
+account required pam_deny.so
# cracklib is disabled in the build.
# password required pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so try_first_pass nullok sha512 shadow
+password sufficient pam_unix_optfiles.so try_first_pass nullok sha512 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke