#1141076 `pam_start_confdir()` does not use `confdir` for include and substack directives.

#1141076#5
Date:
2026-06-29 11:08:45 UTC
From:
To:
`pam_start_confdir()` successfully opens the first service in the
supplied `confdir`. Included services are however expected to be placed
in /etc/pam.d and are therefore not found if they are placed in the
`confdir` that was supplied.

Example:
`$ cat /tmp/ml-login-cli-test`:
```
auth include ml-common-auth
account include ml-common-auth
```

`$ cat /tmp/test_confdir.c`:
```
#include <security/pam_appl.h>
#include <stdio.h>

static int conv(int, const struct pam_message **, struct pam_response **, void *) {
    return PAM_CONV_ERR;
}

int main() {
    struct pam_conv c = {conv, NULL};
    pam_handle_t *pamh = NULL;
    int ret = pam_start_confdir("ml-login-cli-test", "test", &c, "/tmp", &pamh);
    printf("pam_start_confdir: %d\n", ret);
    if (ret == PAM_SUCCESS) {
        ret = pam_authenticate(pamh, 0);
        printf("pam_authenticate: %d (%s)\n", ret, pam_strerror(pamh, ret));
        pam_end(pamh, ret);
    }
}
```

Compile and run the test:
```
$ cc -std=c23 -o /tmp/test_confdir /tmp/test_confdir.c -Wall -Wextra -lpam
$ strace -e openat /tmp/test_confdir 2>&1 | grep -E 'pam.d|/tmp|ml-'
openat(AT_FDCWD, "/tmp/ml-login-cli-test", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/pam.d/ml-common-auth", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/pam.d/ml-common-auth", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/tmp/other", O_RDONLY) = -1 ENOENT (No such file or directory)
```
As shown in the output, it is not searching in /tmp for ml-common-auth
but goes directly to /etc/pam.d.

Running the same example on Fedora 43 produces the expected output where
it searches for ml-common-auth in /tmp:
```
openat(AT_FDCWD, "/tmp/ml-login-cli-test", O_RDONLY) = 3
openat(AT_FDCWD, "/tmp/ml-common-auth", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/tmp/ml-common-auth", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/tmp/other", O_RDONLY) = -1 ENOENT (No such file or directory)
```

Debian GNU/Linux 13 (trixie)
kernel: 4.18.0-553.123.1.el8_10.x86_64
ldd (Debian GLIBC 2.41-12+deb13u2) 2.41

Best regards,
Ted Lyngmo
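
An added example, not part of the report and not libpam code: a small checker that reads a service file from a confdir and counts the `include`/`substack` targets that are not present in that same directory, i.e. the lookups that end up at /etc/pam.d in the first trace above. The function names are hypothetical, and treating an absolute target as a path to open as given is an assumption.

```c
/* Added example; function names are hypothetical, not libpam API. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* If line is "<type> include|substack <target>", copy the target to out
 * and return 1. Comments, blank lines and other controls return 0. */
int pam_include_target(const char *line, char *out, size_t outlen) {
    char type[32], control[32], target[256];
    if (sscanf(line, " %31s %31s %255s", type, control, target) != 3)
        return 0;
    if (type[0] == '#')
        return 0;
    if (strcmp(control, "include") != 0 && strcmp(control, "substack") != 0)
        return 0;
    snprintf(out, outlen, "%s", target);
    return 1;
}

/* Count include/substack targets of <confdir>/<service> that cannot be
 * read from confdir; return -1 if the service file cannot be opened. */
int missing_in_confdir(const char *confdir, const char *service) {
    char path[512], line[1024], target[256];
    int missing = 0;
    snprintf(path, sizeof path, "%s/%s", confdir, service);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (!pam_include_target(line, target, sizeof target))
            continue;
        /* Assumption: an absolute target is opened as given. */
        if (target[0] == '/')
            snprintf(path, sizeof path, "%s", target);
        else
            snprintf(path, sizeof path, "%s/%s", confdir, target);
        if (access(path, R_OK) != 0) {
            printf("missing: %s\n", path);
            missing++;
        }
    }
    fclose(f);
    return missing;
}

int main(int argc, char **argv) {
    if (argc != 3) return 2;
    return missing_in_confdir(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

Run as `./check /tmp ml-login-cli-test`; a non-zero exit status means the confdir is not self-contained for that service.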

#1141076#10
Date:
2026-06-29 14:40:40 UTC
From:
To:
Hi,

Could you check if this is fixed in 1.7.0-6?

Chris

#1141076#15
Date:
2026-06-29 15:20:46 UTC
From:
To:
Hi Chris!

2026-06-29 16:40, Chris Hofstaedtler:

Sure, if it's installable via `apt install` somehow I can give it a try at
work (it's in our devcontainer at work so I'll have to try it out tomorrow).

Would something like this do the trick?

I did some light digging in the related source code but I couldn't see
any changes related to how confdir is propagated so I think it'll have
the same issue even in 1.7.2, but I could be wrong of course.

Br,
Ted

#1141076#20
Date:
2026-06-29 16:26:51 UTC
From:
To:
Sure, it's in the "testing" and "unstable" repositories.

If you have testing/unstable in your sources, then I think that
should work.

Chris