.gitignore

@@ -1 +1 @@
-SOURCES/libuser-0.63.tar.xz
+SOURCES/libuser-0.62.tar.xz

.libuser.metadata

@@ -1 +1 @@
-cd6b029165743afaaee58e7d80e767da7a868545 SOURCES/libuser-0.63.tar.xz
+e0fe60dd38f3b5777d0a4ad664725eddd18ef310 SOURCES/libuser-0.62.tar.xz

SOURCES/0001-Fix-errors-with-Werror-format-security.patch

@@ -0,0 +1,52 @@
+From 9317afc8bb7eec656444fc2eecfcd1ea3bfdda82 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Wed, 15 Mar 2017 12:43:03 -0400
+Subject: [PATCH] Fix errors with -Werror=format-security
+
+Recent versions of the Fedora build system treat format-security
+warnings as errors, resulting in failure to build. This patch
+ensures that appropriate format strings are present.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ modules/files.c | 2 +-
+ modules/ldap.c  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/modules/files.c b/modules/files.c
+index 4ef0a57be9f2aad99d82abfae5204009a93e5572..6a7787e28112ba07e0fc44f2887ce1d1540af29e 100644
+--- a/modules/files.c
++++ b/modules/files.c
+@@ -532,11 +532,11 @@ parse_field(const struct format_specifier *format, GValue *value,
+ 	err = NULL;
+ 	ret = lu_value_init_set_attr_from_string(value, format->attribute,
+ 						 string, &err);
+ 	if (ret == FALSE) {
+ 		g_assert(err != NULL);
+-		g_warning(lu_strerror(err));
++		g_warning("%s", lu_strerror(err));
+ 		lu_error_free(&err);
+ 	}
+ 	return ret;
+ }
+ 
+diff --git a/modules/ldap.c b/modules/ldap.c
+index ad10f7394c5735f3180cbab5bc7314301fd83ffc..02e9eb6a0cf10595d730e3dc719f2e848a3491d4 100644
+--- a/modules/ldap.c
++++ b/modules/ldap.c
+@@ -670,11 +670,11 @@ lu_ldap_lookup(struct lu_module *module,
+ 					error = NULL;
+ 					ok = lu_value_init_set_attr_from_string
+ 						(&value, attr, val, &error);
+ 					if (ok == FALSE) {
+ 						g_assert(error != NULL);
+-						g_warning(lu_strerror(error));
++						g_warning("%s", lu_strerror(error));
+ 						lu_error_free(&error);
+ 					} else {
+ 						lu_ent_add_current(ent, attr,
+ 								   &value);
+ 						g_value_unset(&value);
+-- 
+2.12.0
+

SOURCES/0002-Use-2048-bit-keys-in-tests-to-avoid-issues-with-mode.patch

@@ -0,0 +1,40 @@
+From 68e2c532e610e1c91dd10ff176b673d6190adef4 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jakub.hrozek@posteo.se>
+Date: Mon, 6 Aug 2018 21:43:53 +0200
+Subject: [PATCH] Use 2048-bit keys in tests to avoid issues with modern
+ systems
+
+---
+ tests/default_pw_test | 2 +-
+ tests/ldap_test       | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/default_pw_test b/tests/default_pw_test
+index 6da406cf3f67cee2084e730361d43c88df83b81c..733c85c090e07c87a9a7ef8b58c5396bf5f91197 100755
+--- a/tests/default_pw_test
++++ b/tests/default_pw_test
+@@ -30,7 +30,7 @@ rm -rf "$workdir"
+ mkdir "$workdir"
+ 
+ # Create a SSL key
+-/usr/bin/openssl req -newkey rsa:1024 -keyout "$workdir"/key1 -nodes \
++/usr/bin/openssl req -newkey rsa:2048 -keyout "$workdir"/key1 -nodes \
+     -x509 -days 2 -out "$workdir"/key3 2>/dev/null <<EOF
+ .
+ .
+diff --git a/tests/ldap_test b/tests/ldap_test
+index f82c2795ef283e323f49c8a400d6c628b3a3e331..54609b14d54b2c5638445262e7fb25307ba6db4c 100755
+--- a/tests/ldap_test
++++ b/tests/ldap_test
+@@ -30,7 +30,7 @@ rm -rf "$workdir"
+ mkdir "$workdir"
+ 
+ # Create a SSL key
+-/usr/bin/openssl req -newkey rsa:1024 -keyout "$workdir"/key1 -nodes \
++/usr/bin/openssl req -newkey rsa:2048 -keyout "$workdir"/key1 -nodes \
+     -x509 -days 2 -out "$workdir"/key3 2>/dev/null <<EOF
+ .
+ .
+-- 
+2.14.4
+

SOURCES/0003-Add-audit-events-around-user-life-cycle.patch

@@ -0,0 +1,658 @@
+From 72962208c42ea202f1e31f2f3ac1b523cd545b06 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Fri, 3 Aug 2018 11:33:05 +0200
+Subject: [PATCH] Add audit events around user life cycle
+
+---
+ Makefile.am        | 18 ++++++-------
+ apps/lchage.c      |  5 ++++
+ apps/lchsh.c       |  7 +++++
+ apps/lgroupadd.c   |  5 ++++
+ apps/lgroupdel.c   |  6 +++++
+ apps/lgroupmod.c   | 36 +++++++++++++++++++++++++
+ apps/luseradd.c    | 16 +++++++++++
+ apps/luserdel.c    | 17 ++++++++++++
+ apps/lusermod.c    | 38 +++++++++++++++++++++++++-
+ configure.ac       | 17 ++++++++++++
+ lib/common.c       | 66 +++++++++++++++++++++++++++++++++++++++++++++-
+ lib/user_private.h | 15 +++++++++++
+ 12 files changed, 235 insertions(+), 11 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 080f97e8cc81a77dd0413c3b6fe7fe8002499393..9f099bd71941a869274a502a3130802731d83c24 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -116,7 +116,7 @@ apps_libapputil_la_LDFLAGS = $(GOBJECT_LIBS) -lpam -lpam_misc $(SELINUX_LIBS)
+ 
+ apps_lchage_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
+ apps_lchage_LDADD = lib/libuser.la $(LTLIBINTL)
+-apps_lchage_LDFLAGS = $(GMODULE_LIBS) -lpopt
++apps_lchage_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
+ 
+ apps_lchfn_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
+ apps_lchfn_LDADD = apps/libapputil.la lib/libuser.la $(LTLIBINTL)
+@@ -124,19 +124,19 @@ apps_lchfn_LDFLAGS = $(GMODULE_LIBS) -lpopt
+ 
+ apps_lchsh_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
+ apps_lchsh_LDADD = apps/libapputil.la lib/libuser.la $(LTLIBINTL)
+-apps_lchsh_LDFLAGS = $(GMODULE_LIBS) -lpopt
++apps_lchsh_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
+ 
+ apps_lgroupadd_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
+ apps_lgroupadd_LDADD = lib/libuser.la $(LTLIBINTL)
+-apps_lgroupadd_LDFLAGS = $(GMODULE_LIBS) -lpopt
++apps_lgroupadd_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
+ 
+ apps_lgroupdel_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
+ apps_lgroupdel_LDADD = lib/libuser.la $(LTLIBINTL)
+-apps_lgroupdel_LDFLAGS = $(GMODULE_LIBS) -lpopt
++apps_lgroupdel_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
+ 
+ apps_lgroupmod_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
+ apps_lgroupmod_LDADD = lib/libuser.la $(LTLIBINTL)
+-apps_lgroupmod_LDFLAGS = $(GMODULE_LIBS) -lpopt
++apps_lgroupmod_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
+ 
+ apps_lid_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
+ apps_lid_LDADD = lib/libuser.la $(LTLIBINTL)
+@@ -152,15 +152,15 @@ apps_lpasswd_LDFLAGS = $(GMODULE_LIBS) -lpopt
+ 
+ apps_luseradd_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
+ apps_luseradd_LDADD = lib/libuser.la $(LTLIBINTL)
+-apps_luseradd_LDFLAGS = $(GMODULE_LIBS) -lpopt
++apps_luseradd_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
+ 
+ apps_luserdel_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
+ apps_luserdel_LDADD = lib/libuser.la $(LTLIBINTL)
+-apps_luserdel_LDFLAGS = $(GMODULE_LIBS) -lpopt
++apps_luserdel_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
+ 
+ apps_lusermod_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
+ apps_lusermod_LDADD = lib/libuser.la $(LTLIBINTL)
+-apps_lusermod_LDFLAGS = $(GMODULE_LIBS) -lpopt
++apps_lusermod_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
+ 
+ lib_libuser_la_SOURCES = lib/common.c lib/config.c lib/entity.c lib/error.c \
+ 	lib/fs.c lib/getdate.y lib/internal.h lib/misc.c lib/modules.c \
+@@ -170,7 +170,7 @@ lib_libuser_la_CPPFLAGS = $(GMODULE_CFLAGS) -Ilib $(LOCALEDIR_CPPFLAGS) \
+ 	-DMODULEDIR='"$(pkglibdir)"' -DNSCD='"$(NSCD)"' \
+ 	-DSYSCONFDIR='"$(sysconfdir)"'
+ lib_libuser_la_LDFLAGS = $(GMODULE_LIBS) $(CRYPT_LIBS) $(SELINUX_LIBS) \
+-	-version-info 6:2:5
++	$(AUDIT_LIBS) -version-info 6:2:5
+ lib_libuser_la_LIBADD = $(LTLIBINTL)
+ 
+ modules_libuser_files_la_SOURCES = modules/files.c
+diff --git a/apps/lchage.c b/apps/lchage.c
+index bad296ccf0755dd6781b1a2e6397dccb1f7dbd12..1a4f04883062cb11f15a2e34d37e127fef2a374e 100644
+--- a/apps/lchage.c
++++ b/apps/lchage.c
+@@ -29,6 +29,7 @@
+ #include <popt.h>
+ #include <glib.h>
+ #include "../lib/user.h"
++#include "../lib/user_private.h"
+ #include "apputil.h"
+ 
+ #define INVALID_LONG LONG_MIN
+@@ -239,8 +240,12 @@ main(int argc, const char **argv)
+ 			fprintf(stderr,
+ 				_("Failed to modify aging information for %s: "
+ 				  "%s\n"), user, lu_strerror(error));
++			lu_audit_logger(AUDIT_USER_MGMT, "change-age", user,
++				AUDIT_NO_ID, 0);
+ 			return 3;
+ 		}
++		lu_audit_logger(AUDIT_USER_MGMT, "change-age", user,
++				AUDIT_NO_ID, 1);
+ 
+ 		lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
+ 	}
+diff --git a/apps/lchsh.c b/apps/lchsh.c
+index 7c8a9246d4548a7f6fbacce91cdfdf4372799943..555ed2ea7b0d5a90bf37a7f23c398b382ac45a38 100644
+--- a/apps/lchsh.c
++++ b/apps/lchsh.c
+@@ -26,6 +26,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include "../lib/user.h"
++#include "../lib/user_private.h"
+ #include "apputil.h"
+ 
+ int
+@@ -120,6 +121,8 @@ main(int argc, const char **argv)
+ 				      NULL, &error) == FALSE) {
+ 			fprintf(stderr, _("Shell not changed: %s\n"),
+ 				lu_strerror(error));
++			lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user,
++				AUDIT_NO_ID, 0);
+ 			return 1;
+ 		}
+ 		/* Modify the in-memory structure's shell attribute. */
+@@ -132,9 +135,13 @@ main(int argc, const char **argv)
+ 		if (lu_user_modify(ctx, ent, &error)) {
+ 			g_print(_("Shell changed.\n"));
+ 			lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
++			lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user,
++				AUDIT_NO_ID, 1);
+ 		} else {
+ 			fprintf(stderr, _("Shell not changed: %s\n"),
+ 				lu_strerror(error));
++			lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user,
++				AUDIT_NO_ID, 0);
+ 			return 1;
+ 		}
+ 	}
+diff --git a/apps/lgroupadd.c b/apps/lgroupadd.c
+index d73ee864adac9e5dbc7d98392190db225d116143..3fa2a1df5ac5838ef256541c07ae6028e4f6a80b 100644
+--- a/apps/lgroupadd.c
++++ b/apps/lgroupadd.c
+@@ -118,6 +118,8 @@ main(int argc, const char **argv)
+ 	if (lu_group_add(ctx, ent, &error) == FALSE) {
+ 		fprintf(stderr, _("Group creation failed: %s\n"),
+ 			lu_strerror(error));
++		lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,
++				AUDIT_NO_ID, 0);
+ 		return 2;
+ 	}
+ 
+@@ -127,5 +129,8 @@ main(int argc, const char **argv)
+ 
+ 	lu_end(ctx);
+ 
++	lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,
++				AUDIT_NO_ID, 1);
++
+ 	return 0;
+ }
+diff --git a/apps/lgroupdel.c b/apps/lgroupdel.c
+index e0fd6c6d42f55eef82f0790f551721972c129b5f..c5ccbed95cb834719cd109a81e6f979bb737dc71 100644
+--- a/apps/lgroupdel.c
++++ b/apps/lgroupdel.c
+@@ -24,6 +24,7 @@
+ #include <locale.h>
+ #include <popt.h>
+ #include "../lib/user.h"
++#include "../lib/user_private.h"
+ #include "apputil.h"
+ 
+ int
+@@ -90,6 +91,8 @@ main(int argc, const char **argv)
+ 	if (lu_group_delete(ctx, ent, &error) == FALSE) {
+ 		fprintf(stderr, _("Group %s could not be deleted: %s\n"),
+ 			group, lu_strerror(error));
++		lu_audit_logger(AUDIT_DEL_GROUP, "delete-group", group,
++				AUDIT_NO_ID, 0);
+ 		return 3;
+ 	}
+ 
+@@ -99,5 +102,8 @@ main(int argc, const char **argv)
+ 
+ 	lu_end(ctx);
+ 
++	lu_audit_logger(AUDIT_DEL_GROUP, "delete-group", group,
++			AUDIT_NO_ID, 1);
++
+ 	return 0;
+ }
+diff --git a/apps/lgroupmod.c b/apps/lgroupmod.c
+index 21170e06f37370d7b2f2d936048ae7abf24fd181..0ad0ae4f39d32435b4668ef15ec678d8ea319e5c 100644
+--- a/apps/lgroupmod.c
++++ b/apps/lgroupmod.c
+@@ -138,8 +138,14 @@ main(int argc, const char **argv)
+ 		    == FALSE) {
+ 			fprintf(stderr, _("Failed to set password for group "
+ 				"%s: %s\n"), group, lu_strerror(error));
++			lu_audit_logger(AUDIT_GRP_MGMT,
++					"changing-group-passwd", group,
++					AUDIT_NO_ID, 0);
+ 			return 4;
+ 		}
++		lu_audit_logger(AUDIT_GRP_MGMT,
++				"changing-group-passwd", group,
++				AUDIT_NO_ID, 1);
+ 	}
+ 
+ 	if (cryptedUserPassword) {
+@@ -147,8 +153,14 @@ main(int argc, const char **argv)
+ 				     &error) == FALSE) {
+ 			fprintf(stderr, _("Failed to set password for group "
+ 				"%s: %s\n"), group, lu_strerror(error));
++			lu_audit_logger(AUDIT_GRP_MGMT,
++					"changing-group-passwd", group,
++					AUDIT_NO_ID, 0);
+ 			return 5;
+ 		}
++		lu_audit_logger(AUDIT_GRP_MGMT,
++				"changing-group-passwd", group,
++				AUDIT_NO_ID, 1);
+ 	}
+ 
+ 	if (lock) {
+@@ -156,8 +168,14 @@ main(int argc, const char **argv)
+ 			fprintf(stderr,
+ 				_("Group %s could not be locked: %s\n"), group,
+ 				lu_strerror(error));
++			lu_audit_logger(AUDIT_GRP_MGMT,
++					"changing-group-lock", group,
++					AUDIT_NO_ID, 0);
+ 			return 6;
+ 		}
++		lu_audit_logger(AUDIT_GRP_MGMT,
++				"changing-group-lock", group,
++				AUDIT_NO_ID, 1);
+ 	}
+ 
+ 	if (unlock) {
+@@ -165,8 +183,14 @@ main(int argc, const char **argv)
+ 			fprintf(stderr,
+ 				_("Group %s could not be unlocked: %s\n"),
+ 				group, lu_strerror(error));
++			lu_audit_logger(AUDIT_GRP_MGMT,
++					"changing-group-lock", group,
++					AUDIT_NO_ID, 0);
+ 			return 7;
+ 		}
++		lu_audit_logger(AUDIT_GRP_MGMT,
++				"changing-group-lock", group,
++				AUDIT_NO_ID, 1);
+ 	}
+ 
+ 	change = gid || addAdmins || remAdmins || addMembers || remMembers;
+@@ -241,8 +265,14 @@ main(int argc, const char **argv)
+ 	if (change && lu_group_modify(ctx, ent, &error) == FALSE) {
+ 		fprintf(stderr, _("Group %s could not be modified: %s\n"),
+ 			group, lu_strerror(error));
++		lu_audit_logger(AUDIT_GRP_MGMT,
++				"changing-group-members", group,
++				AUDIT_NO_ID, 0);
+ 		return 8;
+ 	}
++	lu_audit_logger(AUDIT_GRP_MGMT,
++			"changing-group-members", group,
++			AUDIT_NO_ID, 1);
+ 	if (gidNumber != LU_VALUE_INVALID_ID) {
+ 		users = lu_users_enumerate_by_group_full(ctx, gid, &error);
+ 
+@@ -256,8 +286,14 @@ main(int argc, const char **argv)
+ 			fprintf(stderr,
+ 				_("Group %s could not be modified: %s\n"),
+ 				group, lu_strerror(error));
++			lu_audit_logger(AUDIT_GRP_MGMT,
++				"changing-group-id", group,
++				AUDIT_NO_ID, 0);
+ 			return 8;
+ 		}
++		lu_audit_logger(AUDIT_GRP_MGMT,
++			"changing-group-id", group,
++			AUDIT_NO_ID, 1);
+ 	}
+ 
+ 	lu_ent_free(ent);
+diff --git a/apps/luseradd.c b/apps/luseradd.c
+index 7839183c00f892ad50f77f5aed6ada07cd3c125b..9d7f4f10a9c6f849e551f017f05c2e67e4a56259 100644
+--- a/apps/luseradd.c
++++ b/apps/luseradd.c
+@@ -210,8 +210,12 @@ main(int argc, const char **argv)
+ 				lu_error_free(&error);
+ 			}
+ 			lu_end(ctx);
++			lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,
++					AUDIT_NO_ID, 0);
+ 			return 1;
+ 		}
++		lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,
++				AUDIT_NO_ID, 1);
+ 	}
+ 
+ 	/* Retrieve the group ID. */
+@@ -259,9 +263,13 @@ main(int argc, const char **argv)
+ 	if (lu_user_add(ctx, ent, &error) == FALSE) {
+ 		fprintf(stderr, _("Account creation failed: %s.\n"),
+ 			lu_strerror(error));
++		lu_audit_logger(AUDIT_ADD_USER, "add-user", name,
++					AUDIT_NO_ID, 0);
++
+ 		return 3;
+ 	}
+         lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
++	lu_audit_logger(AUDIT_ADD_USER, "add-user", name, AUDIT_NO_ID, 1);
+ 
+ 	/* If we don't have the the don't-create-home flag, create the user's
+ 	 * home directory. */
+@@ -282,8 +290,12 @@ main(int argc, const char **argv)
+ 					&error) == FALSE) {
+ 			fprintf(stderr, _("Error creating %s: %s.\n"),
+ 				homeDirectory, lu_strerror(error));
++			lu_audit_logger(AUDIT_USER_MGMT, "add-home-dir", name,
++				uidNumber, 0);
+ 			return 7;
+ 		}
++		lu_audit_logger(AUDIT_USER_MGMT, "add-home-dir", name,
++				uidNumber, 1);
+ 
+ 		/* Create a mail spool for the user. */
+ 		if (lu_mail_spool_create(ctx, ent, &error) != TRUE) {
+@@ -311,8 +323,12 @@ main(int argc, const char **argv)
+ 			fprintf(stderr, _("Error setting password for user "
+ 					  "%s: %s.\n"), name,
+ 				lu_strerror(error));
++			lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",
++					name, uidNumber, 0);
+ 			return 3;
+ 		}
++		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",
++					name, uidNumber, 1);
+ 	}
+ 	lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
+ 
+diff --git a/apps/luserdel.c b/apps/luserdel.c
+index 2f39a4ffb8ae47ac5dc3c84270b54a8ca68c7403..7e20fa7ea9bf4082967bc6931a8557936bfda0a2 100644
+--- a/apps/luserdel.c
++++ b/apps/luserdel.c
+@@ -26,6 +26,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include "../lib/user.h"
++#include "../lib/user_private.h"
+ #include "apputil.h"
+ 
+ int
+@@ -93,8 +94,12 @@ main(int argc, const char **argv)
+ 	if (lu_user_delete(ctx, ent, &error) == FALSE) {
+ 		fprintf(stderr, _("User %s could not be deleted: %s.\n"),
+ 			user, lu_strerror(error));
++		lu_audit_logger(AUDIT_DEL_USER, "delete-user", user,
++				AUDIT_NO_ID, 0);
+ 		return 3;
+ 	}
++	lu_audit_logger(AUDIT_DEL_USER, "delete-user", user,
++			AUDIT_NO_ID, 1);
+ 
+ 	lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
+ 
+@@ -126,9 +131,15 @@ main(int argc, const char **argv)
+ 				fprintf(stderr, _("Group %s could not be "
+ 						  "deleted: %s.\n"), tmp,
+ 					lu_strerror(error));
++				lu_audit_logger_with_group (AUDIT_DEL_GROUP,
++					"delete-group", user, AUDIT_NO_ID,
++					tmp, 0);
+ 				return 7;
+ 			}
+ 		}
++		lu_audit_logger_with_group (AUDIT_DEL_GROUP,
++					    "delete-group", user,
++					    AUDIT_NO_ID, tmp, 1);
+ 		lu_ent_free(group_ent);
+ 		lu_nscd_flush_cache(LU_NSCD_CACHE_GROUP);
+ 	}
+@@ -138,8 +149,14 @@ main(int argc, const char **argv)
+ 			fprintf(stderr,
+ 				_("Error removing home directory: %s.\n"),
+ 				lu_strerror(error));
++			lu_audit_logger(AUDIT_USER_MGMT,
++					"deleting-home-directory", user,
++					AUDIT_NO_ID, 0);
+ 			return 9;
+ 		}
++		lu_audit_logger(AUDIT_USER_MGMT, "deleting-home-directory", user,
++				AUDIT_NO_ID, 1);
++
+ 		/* Delete the user's mail spool. */
+ 		if (lu_mail_spool_remove(ctx, ent, &error) != TRUE) {
+ 			fprintf(stderr, _("Error removing mail spool: %s"),
+diff --git a/apps/lusermod.c b/apps/lusermod.c
+index afec147475736f0b814b5e1f30c77064f3915c20..143157f114c93960fb879d9e6e0c1fb914f3ffcb 100644
+--- a/apps/lusermod.c
++++ b/apps/lusermod.c
+@@ -179,8 +179,13 @@ main(int argc, const char **argv)
+ 			fprintf(stderr,
+ 				_("Failed to set password for user %s: %s.\n"),
+ 				user, lu_strerror(error));
++			lu_audit_logger(AUDIT_USER_CHAUTHTOK, 
++					"updating-password", user,
++					uidNumber, 0);
+ 			return 5;
+ 		}
++		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",
++				user, uidNumber, 0);
+ 	}
+ 
+ 	/* If we need to change a user's crypted password, try to change it,
+@@ -192,8 +197,13 @@ main(int argc, const char **argv)
+ 			fprintf(stderr,
+ 				_("Failed to set password for user %s: %s.\n"),
+ 				user, lu_strerror(error));
++			lu_audit_logger(AUDIT_USER_CHAUTHTOK, 
++					"updating-password", user,
++					uidNumber, 0);
+ 			return 6;
+ 		}
++		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",
++				user, uidNumber, 0);
+ 	}
+ 
+ 	/* If we need to lock/unlock the user's account, do that. */
+@@ -202,16 +212,26 @@ main(int argc, const char **argv)
+ 			fprintf(stderr,
+ 				_("User %s could not be locked: %s.\n"),
+ 				user, lu_strerror(error));
++			lu_audit_logger(AUDIT_USER_CHAUTHTOK, 
++					"locking-account", user,
++					uidNumber, 0);
+ 			return 7;
+ 		}
++		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "locking-account",
++				user, uidNumber, 0);
+ 	}
+ 	if (unlock) {
+ 		if (lu_user_unlock(ctx, ent, &error) == FALSE) {
+ 			fprintf(stderr,
+ 				_("User %s could not be unlocked: %s.\n"),
+ 				user, lu_strerror(error));
++			lu_audit_logger(AUDIT_USER_CHAUTHTOK, 
++					"unlocking-account", user,
++					uidNumber, 0);
+ 			return 8;
+ 		}
++		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "unlocking-account",
++				user, uidNumber, 0);
+ 	}
+ 
+ 	/* Determine if we actually need to change anything. */
+@@ -274,8 +294,13 @@ main(int argc, const char **argv)
+ 	if (change && (lu_user_modify(ctx, ent, &error) == FALSE)) {
+ 		fprintf(stderr, _("User %s could not be modified: %s.\n"),
+ 			user, lu_strerror(error));
++			lu_audit_logger(AUDIT_USER_MGMT, 
++					"modify-account", user,
++					uidNumber, 0);
+ 		return 9;
+ 	}
++	lu_audit_logger(AUDIT_USER_MGMT, "modify-account",
++			user, uidNumber, 1);
+ 	lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
+ 
+ 	/* If the user's name changed, we need to update supplemental
+@@ -322,12 +347,19 @@ main(int argc, const char **argv)
+ 				}
+ 			}
+ 			/* Save the changes to the group. */
+-			if (lu_group_modify(ctx, group, &error) == FALSE)
++			if (lu_group_modify(ctx, group, &error) == FALSE) {
+ 				fprintf(stderr, _("Group %s could not be "
+ 						  "modified: %s.\n"),
+ 					lu_ent_get_first_string(group,
+ 								LU_GROUPNAME),
+ 					lu_strerror(error));
++				lu_audit_logger_with_group(AUDIT_USER_MGMT, 
++						    "update-member-in-group", user, uidNumber,
++						    lu_ent_get_first_string(group, LU_GROUPNAME),0);
++			} else
++				lu_audit_logger_with_group(AUDIT_USER_MGMT, 
++						    "update-member-in-group", user, uidNumber,
++						    lu_ent_get_first_string(group, LU_GROUPNAME),1);
+ 			lu_ent_free(group);
+ 		}
+ 		g_ptr_array_free(groups, TRUE);
+@@ -353,8 +385,12 @@ main(int argc, const char **argv)
+ 			fprintf(stderr, _("Error moving %s to %s: %s.\n"),
+ 				oldHomeDirectory, homeDirectory,
+ 				lu_strerror(error));
++			lu_audit_logger(AUDIT_USER_MGMT, "moving-home-dir",
++					user, uidNumber, 0);
+ 			return 12;
+ 		}
++		lu_audit_logger(AUDIT_USER_MGMT, "moving-home-dir",
++				user, uidNumber, 1);
+ 	}
+ 	g_free(oldHomeDirectory);
+ 
+diff --git a/configure.ac b/configure.ac
+index 3e68b16a1f65ff5e5e3e905c1ffce8993e562176..0bd4a67d4c77fa1b701d74dbeab908a192dbf4d7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -118,6 +118,23 @@ if test "x$selinux" != xno ; then
+ fi
+ AC_SUBST(SELINUX_LIBS)
+ 
++AC_ARG_WITH(audit,
++AS_HELP_STRING([--with-audit],[log using Linux Audit in addition to syslog]),
++use_audit=$withval,
++use_audit=auto)
++if test x$use_audit != xno ; then
++        AC_SEARCH_LIBS([audit_open], [audit])
++        if test x$ac_cv_search_audit_open = xno ; then
++                if test x$use_audit != xauto ; then
++                        AC_MSG_ERROR([requested Linux Audit, but libaudit was not found])
++                fi
++        else
++                AC_DEFINE(WITH_AUDIT,1,[Define if you want to use Linux Audit.])
++		AUDIT_LIBS=-laudit
++        fi
++fi
++AC_SUBST(AUDIT_LIBS)
++
+ AC_C_CONST
+ AC_TYPE_UID_T
+ AC_TYPE_MODE_T
+diff --git a/lib/common.c b/lib/common.c
+index fc5df7461111908ff3eae59608ce0a51d62e155e..dce7e570ec9c92b56b28f15ab503fb7a641b660e 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -16,9 +16,10 @@
+  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
+  */
+ 
+-#include <config.h>
++#include "config.h"
+ #include <glib.h>
+ #include <string.h>
++#include <stdlib.h>
+ 
+ #include "internal.h"
+ #include "user_private.h"
+@@ -111,3 +112,66 @@ lu_common_sgroup_default(struct lu_module *module,
+ 	g_return_val_if_fail(name != NULL, FALSE);
+ 	return lu_common_group_default(module, name, is_system, ent, error);
+ }
++
++#ifdef WITH_AUDIT
++static int audit_fd = 0;
++
++/* result - 1 is "success" and 0 is "failed" */
++void lu_audit_logger(int type, const char *op, const char *name,
++                        unsigned int id, unsigned int result)
++{
++	if (audit_fd == 0) {
++		/* First time through */
++		audit_fd = audit_open();
++		if (audit_fd < 0) {
++			/* You get these only when the kernel doesn't have
++			 * audit compiled in. */
++			if (	   (errno == EINVAL)
++				|| (errno == EPROTONOSUPPORT)
++				|| (errno == EAFNOSUPPORT))
++					return;
++			fputs("Cannot open audit interface - aborting.\n", stderr);
++			exit(EXIT_FAILURE);
++		}
++	}
++	if (audit_fd < 0)
++		return;
++	audit_log_acct_message(audit_fd, type, NULL, op, name, id,
++		NULL, NULL, NULL, (int) result);
++}
++
++/* result - 1 is "success" and 0 is "failed" */
++void lu_audit_logger_with_group (int type, const char *op, const char *name,
++		unsigned int id, const char *grp, unsigned int result)
++{
++	int len;
++	char enc_group[(LOGIN_NAME_MAX*2)+1], buf[1024];
++
++	if (audit_fd == 0) {
++		/* First time through */
++		audit_fd = audit_open();
++		if (audit_fd < 0) {
++			/* You get these only when the kernel doesn't have
++			 * audit compiled in. */
++			if (	   (errno == EINVAL)
++				|| (errno == EPROTONOSUPPORT)
++				|| (errno == EAFNOSUPPORT))
++					return;
++			fputs("Cannot open audit interface - aborting.\n", stderr);
++			exit(EXIT_FAILURE);
++		}
++	}
++	if (audit_fd < 0)
++		return;
++	len = strnlen(grp, sizeof(enc_group)/2);
++	if (audit_value_needs_encoding(grp, len)) {
++		snprintf(buf, sizeof(buf), "%s grp=%s", op,
++			audit_encode_value(enc_group, grp, len));
++	} else {
++		snprintf(buf, sizeof(buf), "%s grp=\"%s\"", op, grp);
++	}
++	audit_log_acct_message(audit_fd, type, NULL, buf, name, id,
++			NULL, NULL, NULL, (int) result);
++}
++#endif
++
+diff --git a/lib/user_private.h b/lib/user_private.h
+index a4869c138d51519539b6939406cdb0fee23ab7f6..02b813c47ee359db774bb85a2aa7aa12e18d3067 100644
+--- a/lib/user_private.h
++++ b/lib/user_private.h
+@@ -34,6 +34,9 @@
+ #ifdef WITH_SELINUX
+ #include <selinux/selinux.h>
+ #endif
++#ifdef WITH_AUDIT
++#include <libaudit.h>
++#endif
+ #include "user.h"
+ 
+ G_BEGIN_DECLS
+@@ -357,6 +360,18 @@ id_t lu_get_first_unused_id(struct lu_context *ctx, enum lu_entity_type type,
+ /* Append a copy of VALUES to DEST */
+ void lu_util_append_values(GValueArray *dest, GValueArray *values);
+ 
++#ifdef WITH_AUDIT
++void lu_audit_logger(int type, const char *op, const char *name,
++		     unsigned int id, unsigned int result);
++void lu_audit_logger_with_group(int type, const char *op, const char *name,
++				 unsigned int id, const char *grp,
++				 unsigned int result);
++#else
++#define lu_audit_logger(a, b, c, d, e)
++#define lu_audit_logger_with_group(a, b, c, d, e, f)
++#endif
++#define AUDIT_NO_ID	((unsigned int) -1)
++
+ G_END_DECLS
+ 
+ #endif
+-- 
+2.17.1
+

SOURCES/0004-Check-negative-return-of-PyList_Size.patch

@@ -0,0 +1,44 @@
+From 11a7ff7eeefe763be9ade949e8f2a4a2d53f6129 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jakub.hrozek@posteo.se>
+Date: Mon, 24 Sep 2018 20:51:51 +0200
+Subject: [PATCH 4/7] Check negative return of PyList_Size
+
+Merges:
+https://pagure.io/libuser/issue/28
+
+In case of an error, PyList_Size can return a negative value. We should
+check that case, also to avoid compiler warnings like:
+
+Error: COMPILER_WARNING: [#def41] [warning: defect not occurring in libuser-0.60-9.el7]
+libuser-0.62/python/misc.c: scope_hint: In function 'libuser_admin_prompt'
+libuser-0.62/python/misc.c:160:12: warning: argument 1 range [9223372036854775808, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=]
+/usr/include/glib-2.0/glib/glist.h:32: included_from: Included from here.
+/usr/include/glib-2.0/glib/ghash.h:33: included_from: Included from here.
+/usr/include/glib-2.0/glib.h:50: included_from: Included from here.
+libuser-0.62/python/misc.c:25: included_from: Included from here.
+/usr/include/glib-2.0/glib/gmem.h:96:10: note: in a call to allocation function 'g_malloc0_n' declared here
+---
+ python/misc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/python/misc.c b/python/misc.c
+index c4ce819bfaeb4296507b504c4647b7676377b631..fcb0ccfebae143fa7c7a43ad60d7e9b231ca8863 100644
+--- a/python/misc.c
++++ b/python/misc.c
+@@ -137,7 +137,12 @@ libuser_admin_prompt(struct libuser_admin *self, PyObject * args,
+ 		return NULL;
+ 	}
+ 	count = PyList_Size(list);
+-	if (count > INT_MAX) {
++	if (count < 0) {
++		PyErr_SetString(PyExc_TypeError,
++				"prompt_list has no size; probably not a list");
++		DEBUG_EXIT;
++		return NULL;
++	} else if (count > INT_MAX) {
+ 		PyErr_SetString(PyExc_ValueError, "too many prompts");
+ 		DEBUG_EXIT;
+ 		return NULL;
+-- 
+2.14.4
+

SOURCES/0005-files.c-Init-char-name-to-NULL.patch

@@ -0,0 +1,60 @@
+From 7acf0fad0ca468f33f86084f36251df5baf3dc94 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jakub.hrozek@posteo.se>
+Date: Wed, 26 Sep 2018 21:01:59 +0200
+Subject: [PATCH 5/7] files.c: Init char *name to NULL
+
+Merges:
+https://pagure.io/libuser/issue/27
+
+This is mostly to silence coverity warnings. "enum lu_entity_type" has
+three values and several places in the code follow logic as:
+
+char *name;
+if ent->type == user:
+        name = foo()
+if ent->type == group
+        name = bar()
+g_assert(name != NULL)
+
+it shouldn't be possible for ent->type to be anything else but in the
+odd case it is, initializing name to NULL will ensure that name will be
+still NULL after the code falls through the conditions and at least the
+behaviour is defined.
+---
+ modules/files.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/modules/files.c b/modules/files.c
+index 6a7787e28112ba07e0fc44f2887ce1d1540af29e..8c2a282b6448bbfb313b5d4f5eeb28b8240bccd5 100644
+--- a/modules/files.c
++++ b/modules/files.c
+@@ -1501,7 +1501,7 @@ generic_lock(struct lu_module *module, const char *file_suffix, int field,
+ 	     struct lu_ent *ent, enum lock_op op, struct lu_error **error)
+ {
+ 	struct editing *e;
+-	char *value, *new_value, *name;
++	char *value, *new_value, *name = NULL;
+ 	gboolean commit = FALSE, ret = FALSE;
+ 
+ 	/* Get the name which keys the entries of interest in the file. */
+@@ -1561,7 +1561,7 @@ generic_is_locked(struct lu_module *module, const char *file_suffix,
+ 		  int field, struct lu_ent *ent, struct lu_error **error)
+ {
+ 	char *filename;
+-	char *value, *name;
++	char *value, *name = NULL;
+ 	int fd;
+ 	gboolean ret = FALSE;
+ 
+@@ -1752,7 +1752,7 @@ generic_setpass(struct lu_module *module, const char *file_suffix, int field,
+ 		struct lu_error **error)
+ {
+ 	struct editing *e;
+-	char *value, *name;
++	char *value, *name = NULL;
+ 	gboolean ret = FALSE;
+ 
+ 	/* Get the name of this account. */
+-- 
+2.14.4
+

SOURCES/0006-merge_ent_array_duplicates-Only-use-values-if-valid.patch

@@ -0,0 +1,56 @@
+From 8da7fc83aa3e9fd868c6a8da9261b72dae7d29e7 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jakub.hrozek@posteo.se>
+Date: Wed, 26 Sep 2018 21:38:02 +0200
+Subject: [PATCH 6/7] merge_ent_array_duplicates: Only use values if valid
+
+Merges:
+https://pagure.io/libuser/issue/22
+
+Don't attempt to dereference a NULL pointer
+---
+ lib/user.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/lib/user.c b/lib/user.c
+index ad2bb099c7d12bd91188e69f188c64953b1d9748..2500565a544bb33a5e08d9807a794a42c819a2d2 100644
+--- a/lib/user.c
++++ b/lib/user.c
+@@ -691,10 +691,13 @@ merge_ent_array_duplicates(GPtrArray *array)
+ 			while (attributes != NULL) {
+ 				attr = (const char *)attributes->data;
+ 				values = lu_ent_get_current(current, attr);
+-				for (j = 0; j < values->n_values; j++) {
+-					value = g_value_array_get_nth(values,
+-								      j);
+-					lu_ent_add_current(saved, attr, value);
++				if (values != NULL) {
++					for (j = 0; j < values->n_values; j++) {
++						value = g_value_array_get_nth(
++									values,
++									j);
++						lu_ent_add_current(saved, attr, value);
++					}
+ 				}
+ 				attributes = g_list_next(attributes);
+ 			}
+@@ -705,10 +708,13 @@ merge_ent_array_duplicates(GPtrArray *array)
+ 			while (attributes != NULL) {
+ 				attr = (const char *)attributes->data;
+ 				values = lu_ent_get(current, attr);
+-				for (j = 0; j < values->n_values; j++) {
+-					value = g_value_array_get_nth(values,
+-								      j);
+-					lu_ent_add(saved, attr, value);
++				if (values != NULL) {
++					for (j = 0; j < values->n_values; j++) {
++						value = g_value_array_get_nth(
++									values,
++									j);
++						lu_ent_add(saved, attr, value);
++					}
+ 				}
+ 				attributes = g_list_next(attributes);
+ 			}
+-- 
+2.14.4
+

SOURCES/0007-editing_open-close-fd-after-we-ve-established-its-va.patch

@@ -0,0 +1,33 @@
+From e5536845298b6672a16e5866a823fcf6562c6cf3 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jakub.hrozek@posteo.se>
+Date: Wed, 26 Sep 2018 21:15:38 +0200
+Subject: [PATCH 7/7] editing_open: close fd after we've established its
+ validity
+
+Merges:
+https://pagure.io/libuser/issue/26
+
+The code used to first close(fd) and only then check if it's != -1.
+Reverse the logic so that the fd is only closed if valid.
+---
+ modules/files.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/files.c b/modules/files.c
+index 8c2a282b6448bbfb313b5d4f5eeb28b8240bccd5..b8bf8a60e5810c0b705bd91efbdf9e27e851cd2b 100644
+--- a/modules/files.c
++++ b/modules/files.c
+@@ -387,9 +387,9 @@ editing_open(struct lu_module *module, const char *file_suffix,
+ 	backup_name = g_strconcat(e->filename, "-", NULL);
+ 	fd = open_and_copy_file(e->filename, backup_name, FALSE, error);
+ 	g_free (backup_name);
+-	close(fd);
+ 	if (fd == -1)
+ 		goto err_fscreate;
++	close(fd);
+ 
+ 	e->new_filename = g_strconcat(e->filename, "+", NULL);
+ 	e->new_fd = open_and_copy_file(e->filename, e->new_filename, TRUE,
+-- 
+2.14.4
+

SOURCES/0008-lgroupmod-Emit-AUDIT_GRP_CHAUTHTOK-not-AUDIT_GRP_MGM.patch

@@ -0,0 +1,48 @@
+From c6a4e9f596c976f71894269e3168567e6118236c Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Wed, 5 Jun 2019 22:16:51 +0200
+Subject: [PATCH] lgroupmod: Emit AUDIT_GRP_CHAUTHTOK, not AUDIT_GRP_MGMT when
+ changing group password
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1670997
+---
+ apps/lgroupmod.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/apps/lgroupmod.c b/apps/lgroupmod.c
+index 0ad0ae4..20be85f 100644
+--- a/apps/lgroupmod.c
++++ b/apps/lgroupmod.c
+@@ -138,12 +138,12 @@ main(int argc, const char **argv)
+ 		    == FALSE) {
+ 			fprintf(stderr, _("Failed to set password for group "
+ 				"%s: %s\n"), group, lu_strerror(error));
+-			lu_audit_logger(AUDIT_GRP_MGMT,
++			lu_audit_logger(AUDIT_GRP_CHAUTHTOK,
+ 					"changing-group-passwd", group,
+ 					AUDIT_NO_ID, 0);
+ 			return 4;
+ 		}
+-		lu_audit_logger(AUDIT_GRP_MGMT,
++		lu_audit_logger(AUDIT_GRP_CHAUTHTOK,
+ 				"changing-group-passwd", group,
+ 				AUDIT_NO_ID, 1);
+ 	}
+@@ -153,12 +153,12 @@ main(int argc, const char **argv)
+ 				     &error) == FALSE) {
+ 			fprintf(stderr, _("Failed to set password for group "
+ 				"%s: %s\n"), group, lu_strerror(error));
+-			lu_audit_logger(AUDIT_GRP_MGMT,
++			lu_audit_logger(AUDIT_GRP_CHAUTHTOK,
+ 					"changing-group-passwd", group,
+ 					AUDIT_NO_ID, 0);
+ 			return 5;
+ 		}
+-		lu_audit_logger(AUDIT_GRP_MGMT,
++		lu_audit_logger(AUDIT_GRP_CHAUTHTOK,
+ 				"changing-group-passwd", group,
+ 				AUDIT_NO_ID, 1);
+ 	}
+-- 
+2.20.1
+

SOURCES/0010-resource-leak.patch

@@ -1,21 +1,7 @@
-commit 009d9238317d152f524ee46c4be1ad2f93c47732
-Author: Jakub Hrozek <jakub.hrozek@posteo.se>
-Date:   Wed Sep 26 21:29:35 2018 +0200
-
-    lu_dispatch: Free tmp on failures
-    
-    Merges:
-    https://pagure.io/libuser/issue/23
-    
-    This makes the code slightly less compact with using an explicit
-    condition instead of the g_return_val_if_fail() shorthand, but freeing
-    tmp on failures.
-
-diff --git a/lib/user.c b/lib/user.c
-index ad2bb09..5709f41 100644
---- a/lib/user.c
-+++ b/lib/user.c
-@@ -980,7 +980,10 @@ lu_dispatch(struct lu_context *context,
+diff -up libuser-0.62/lib/user.c.orig libuser-0.62/lib/user.c
+--- libuser-0.62/lib/user.c.orig	2024-05-07 17:03:45.220514343 +0200
++++ libuser-0.62/lib/user.c	2024-05-07 17:05:17.855649386 +0200
+@@ -986,7 +986,10 @@ lu_dispatch(struct lu_context *context,
  	case user_default:
  	case group_default:
  		/* Make sure we have both name and boolean here. */
@@ -27,7 +13,7 @@ index ad2bb09..5709f41 100644
  		/* Run the checks and preps. */
  		if (run_list(context, context->create_module_names,
  			    logic_and, id,
-@@ -1059,7 +1062,10 @@ lu_dispatch(struct lu_context *context,
+@@ -1065,7 +1068,10 @@ lu_dispatch(struct lu_context *context,
  	case user_setpass:
  	case group_setpass:
  		/* Make sure we have a valid password. */
@@ -39,7 +25,7 @@ index ad2bb09..5709f41 100644
  		/* no break: fall through */
  	case user_removepass:
  	case group_removepass:
-@@ -1088,7 +1094,10 @@ lu_dispatch(struct lu_context *context,
+@@ -1094,7 +1100,10 @@ lu_dispatch(struct lu_context *context,
  	case users_enumerate_by_group:
  	case groups_enumerate_by_user:
  		/* Make sure we have both name and ID here. */

SPECS/libuser.spec

@@ -1,40 +1,48 @@
 Name: libuser
-Version: 0.63
-Release: 15%{?dist}
+Version: 0.62
+Release: 26%{?dist}
+Group: System Environment/Base
 License: LGPLv2+
 URL: https://pagure.io/libuser
 Source: http://releases.pagure.org/libuser/libuser-%{version}.tar.xz
-Patch0001: 0001-man-typo.patch
-Patch0002: 0002-popt-memopy.patch
-Patch0003: 0003-translation.patch
-Patch0004: 0004-resource-leak.patch
-Patch0005: 0005-translation-update.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1608321
+Source1:  libuser-0_62-ja.po
+Source2:  libuser-0_62-zh_CN.po
+Source3:  libuser-0_62-zh_TW.po
+Source4:  libuser-0_62-fr.po
+Source5:  libuser-0_62-it.po
+Source6:  libuser-0_62-de.po
+Source7:  libuser-0_62-ko.po
+Source8:  libuser-0_62-pt_BR.po
+Source9:  libuser-0_62-ru.po
+Source10: libuser-0_62-es.po
 
-BuildRequires: glib2-devel
-BuildRequires: linuxdoc-tools
-BuildRequires: pam-devel
-BuildRequires: popt-devel
-BuildRequires: cyrus-sasl-devel
-BuildRequires: libselinux-devel
-BuildRequires: openldap-devel
-BuildRequires: python3-devel
+# Because we patch configure
+BuildRequires: autoconf gettext-devel automake libtool
+BuildRequires: glib2-devel, linuxdoc-tools, pam-devel, popt-devel
+BuildRequires: cyrus-sasl-devel, libselinux-devel, openldap-devel, python3-devel
 # To make sure the configure script can find it
 BuildRequires: nscd
-BuildRequires: gcc
-# For %%check
-BuildRequires: openldap-clients
-# BuildRequires: openldap-servers
-BuildRequires: openssl
-BuildRequires: make
-BuildRequires: bison
-BuildRequires: libtool
-BuildRequires: gettext-devel
-BuildRequires: gtk-doc
+# We support libaudit
 BuildRequires: audit-libs-devel
-
+# For %%check
+BuildRequires: openldap-clients, openldap-servers, openssl
 Summary: A user and group account administration library
 
-%global __provides_exclude_from ^(%{_libdir}/%{name}|%{python3_sitearch})/.*$
+%define __provides_exclude_from %{python3_sitearch}/.*\.so$
+
+# Patch to address format-security.
+# Submitted upstream at https://pagure.io/libuser/pull-request/17
+Patch1: 0001-Fix-errors-with-Werror-format-security.patch
+Patch2: 0002-Use-2048-bit-keys-in-tests-to-avoid-issues-with-mode.patch
+Patch3: 0003-Add-audit-events-around-user-life-cycle.patch
+Patch4: 0004-Check-negative-return-of-PyList_Size.patch
+Patch5: 0005-files.c-Init-char-name-to-NULL.patch
+Patch6: 0006-merge_ent_array_duplicates-Only-use-values-if-valid.patch
+Patch7: 0007-editing_open-close-fd-after-we-ve-established-its-va.patch
+Patch8: 0008-lgroupmod-Emit-AUDIT_GRP_CHAUTHTOK-not-AUDIT_GRP_MGM.patch
+Patch9: 0009-man-typo.patch
+Patch10: 0010-resource-leak.patch
 
 %description
 The libuser library implements a standardized interface for manipulating
@@ -45,6 +53,7 @@ Sample applications modeled after those included with the shadow password
 suite are included.
 
 %package devel
+Group: Development/Libraries
 Summary: Files needed for developing applications which use libuser
 Requires: %{name}%{?_isa} = %{version}-%{release}
 Requires: glib2-devel%{?_isa}
@@ -54,11 +63,12 @@ The libuser-devel package contains header files, static libraries, and other
 files useful for developing applications with libuser.
 
 %package -n python3-libuser
+%{?python_provide:%python_provide python2-libuser}
 Summary: Python 3 bindings for the libuser library
+Group: Development/Libraries
 Requires: libuser%{?_isa} = %{version}-%{release}
-Provides: python3-libuser = %{version}-%{release}
-Provides: python3-libuser%{?_isa} = %{version}-%{release}
-%{?python_provide:%python_provide python3-libuser}
+Provides: libuser-python3 = %{version}-%{release}
+Obsoletes: libuser-python3 < %{version}-%{release}
 
 %description -n python3-libuser
 The python3-libuser package contains the Python bindings for
@@ -66,33 +76,70 @@ the libuser library, which provides a Python 3 API for manipulating and
 administering user and group accounts.
 
 %prep
-%autosetup -n libuser-%{version} -p1
+%setup -q -n libuser-%{version}
+
+%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 3 -p1
+%patch -P 4 -p1
+%patch -P 5 -p1
+%patch -P 6 -p1
+%patch -P 7 -p1
+%patch -P 8 -p1
+%patch -P 9 -p1
+%patch -P 10 -p1
+cp %{SOURCE1}  po/ja.po
+cp %{SOURCE2}  po/zh_CN.po
+cp %{SOURCE3}  po/zh_TW.po
+cp %{SOURCE4}  po/fr.po
+cp %{SOURCE5}  po/it.po
+cp %{SOURCE6}  po/de.po
+cp %{SOURCE7}  po/ko.po
+cp %{SOURCE8}  po/pt_BR.po
+cp %{SOURCE9}  po/ru.po
+cp %{SOURCE10} po/es.po
 
 %build
-./autogen.sh
-%configure --with-selinux --with-ldap --with-audit \
-           --enable-gtk-doc --with-html-dir=%{_datadir}/gtk-doc/html \
-           PYTHON=%{python3}
+autoreconf -if
+%configure --with-selinux \
+           --with-ldap \
+           --with-audit \
+           --with-html-dir=%{_datadir}/gtk-doc/html \
+	PYTHON=/usr/bin/python3
 make
+# (make all) only rebuilds .gmo files if the .pot file is updated, regardless of po/ja.po changes
+make -C po ja.gmo
+make -C po zh_CN.gmo
+make -C po zh_TW.gmo
+make -C po it.gmo
+make -C po de.gmo
+make -C po ko.gmo
+make -C po pt_BR.gmo
+make -C po ru.gmo
+make -C po es.gmo
 
 
 %install
-%make_install
+make install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p'
 
 %find_lang %{name}
 
-#%check
-#make check || { cat test-suite.log; false; }
-#
-## Verify that all python modules load, just in case.
-#LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir}:${LD_LIBRARY_PATH}
-#export LD_LIBRARY_PATH
-#PYTHONPATH=$RPM_BUILD_ROOT%{python3_sitearch}
-#export PYTHONPATH
-#%{python3} -c "import libuser"
+%check
+
+LC_ALL=C.UTF-8 make check \
+	|| { cat test-suite.log; false; }
+
+# Verify that all python modules load, just in case.
+LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir}:${LD_LIBRARY_PATH}
+export LD_LIBRARY_PATH
+cd $RPM_BUILD_ROOT/%{python3_sitearch}
+# The Python 3 module only supports UTF-8
+LC_ALL=C.UTF-8 python3 -c "import libuser"
 
 
-%ldconfig_scriptlets
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
 
 %files -f %{name}.lang
 %{!?_licensedir:%global license %%doc}
@@ -123,120 +170,50 @@ make
 %{_datadir}/gtk-doc/html/*
 
 %changelog
-* Tue May 7 2024 Tomas Halman <thalman@redhat.com> - 0.63-15
-- Update translations
-  Resolves: RHEL-12110
+* Tue Jul 23 2024 Michal Hlavinka <mhlavink@redhat.com> - 0.62-26
+- fix findings from static application security testing (#RHEL-35578)
+- translation update (#RHEL-12111)
 
-* Mon May 6 2024 Tomas Halman <thalman@redhat.com> - 0.63-14
-- Fix findings from static application security testing
-  Resolves: RHEL-35693
+* Tue Nov 29 2022 Tomas Halman <thalman@redhat.com> - 0.62-25
+- Man-page update
+- Resolves: rhbz#2070941 - small typo in lchage man page
 
-* Tue Jul 11 2023 Tomas Halman <thalman@redhat.com> - 0.63-13
-- Translation update
-  Resolves: rhbz#2139662
+* Wed Jun 26 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.62-23
+- Actually apply the patch from the previous build
+- Resolves: rhbz#1670997 - Amend the user lifecycle auditing
 
-* Thu Nov 10 2022 Tomas Halman <thalman@redhat.com> - 0.63-12
-- correct popt memory handling
-- Fix the manpage
-  Resolves: rhbz#2070943
+* Fri Jun  7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.62-22
+- Resolves: rhbz#1670997 - Amend the user lifecycle auditing
 
-* Fri Jul 15 2022 Tomas Halman <thalman@redhat.com> - 0.63-11
-- remove build dependency for openldap-server
-  Resolves: rhbz#2102876
+* Fri Nov 30 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-21
+- Resolves: rhbz#1608321 - [libuser] RHEL 8.0 Tier 0 Localization
 
-* Tue Aug 17 2021 Tomas Halman <thalman@redhat.com> - 0.63-10
-- Update changelog according git history
-  Resolves: rhbz#1993633
+* Fri Oct 12 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-20
+- Resolves: rhbz#1637398 - libuser-python3 should be renamed to comply
+                           with Packaging Guidelines
 
-* Tue Aug 17 2021 Tomas Halman <thalman@redhat.com> - 0.63-9
-- Fix broken changelog in rpm spec
-  Resolves: rhbz#1993633
+* Wed Oct  3 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-19
+- Resolves: rhbz#1602600 -  Please review important issues found by covscan
+                            in "libuser-0.62-14.el8+7" package
 
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.63-7
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Fri Sep 28 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-18
+- Resolves: rhbz#1608321 - [libuser] RHEL 8.0 Tier 0 Localization
 
-* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 0.63-6
-- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
+* Mon Aug 13 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-17
+- Resolves: rhbz#1558151 - libuser needs audit events around the account
+                           lifecycle
 
-* Thu May 20 2021 Tomas Halman <thalman@redhat.com> - 0.63-5
-- Enable audit library in the build
-- Resolves: rhbz#1923043 - libuser doesn't audit events around the account lifecycle
+* Mon Aug  6 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-16
+- Use 2048bit keys in tests
+- Resolves: rhbz#1611729 - [RHEL8-S-BUILD] libuser Fails Scratch Build on rhel-8.0
 
-* Tue May 11 2021 Tomas Halman <thalman@redhat.com> - 0.63-4
-- Resolves: rhbz#1951601 - Remove fakeroot dependency
+* Mon Jun 11 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-15
+- Drop the fakeroot dependency
+- Resolves: #1581448 - Remove fakeroot from libuser in RHEL8
 
-* Tue May 11 2021 Tomas Halman <thalman@redhat.com>  - 0.63-3
-- Renaming python package according to the standard
-- Resolves: rhbz#1951968
-
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.63-2
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Mon Mar 1 2021 Tomas Halman <thalman@redhat.com> - 0.63-1
-- Release new version 0.63
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-31
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Wed Sep 09 2020 Tom Stellard <tstellar@redhat.com> - 0.62-30
- - Use make macros
- - https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
-
-* Wed Sep 02 2020 Merlin Mathesius <mmathesi@redhat.com> - 0.62-29
-- Pull in upstream patch that fixes FTBFS for Rawhide and ELN
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-28
-- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-27
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Fri Jul  3 2020 Jakub Hrozek <jhrozek@redhat.com> - 0.62-26
-- Temporarily disable tests, nothing changed since forever so this should be
-  safe and would unblock FTBFS
-- Related: rhbz#1817666 - libuser fails to build with Python 3.9: FAIL: tests/fs_test
-
-* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 0.62-25
-- Rebuilt for Python 3.9
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-24
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Tue Nov 26 2019 Miro Hrončok <mhroncok@redhat.com> - 0.62-23
-- Subpackage python2-libuser has been removed
-  See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
-
-* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.62-22
-- Rebuilt for Python 3.8
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-21
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-20
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 0.62-19
-- Rebuilt for libcrypt.so.2 (#1666033)
-
-* Fri Jul 20 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-19
-- BuildRequires: gcc
-- Related: rhbz#1604682 - libuser: FTBFS in Fedora rawhide
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-17
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Mon Jul  9 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-16
-- Use python2 explicitly in tests of python2 bindings instead of just "python"
-- Related: rhbz#1582899 - libuser: FTBFS in Fedora 28
-
-* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.62-15
-- Rebuilt for Python 3.7
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.62-14
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+* Sun Jun 10 2018 Jakub Hrozek <jhrozek@redhat.com> - 0.62-14
+- Do not build python2-libuser at all in RHEL-8
+- Resolves: #1559103 - libuser: Drop Python 2 subpackage(s) from RHEL 8
 
 * Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 0.62-13
 - Rebuilt for switch to libxcrypt
@@ -643,7 +620,7 @@ make
 - Fix updating of groups after user renaming in lusermod
 - Allow setting a shadow password even if the current shadow password is
   invalid (#131180)
-- Add lu_{user,group}_unlock_nonempty (#86414); module interface ABI has
+- Add lu_{user,group}_unlock_nonempty (#86414); module interface ABI has 
   changed
 - Miscellaneous bug and memory leak fixes
 
@@ -718,7 +695,7 @@ make
 - enable SELinux
 
 * Mon Sep 08 2003 Dan Walsh <dwalsh@redhat.com> 0.51.7-5
-- Turn off SELinux
+- Turn off SELinux 
 
 * Wed Aug 06 2003 Dan Walsh <dwalsh@redhat.com> 0.51.7-3
 - Add SELinux support
@@ -945,7 +922,7 @@ make
 - finish adding a sasldb module which manipulates a sasldb file
 - add users_enumerate_by_group and groups_enumerate_by_users
 
-* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com> 
 - luserdel: remove the user's primary group if it has the same name as
   the user and has no members configured (-G disables)
 - fixup some configure stuff to make libuser.conf get generated correctly
@@ -999,7 +976,7 @@ make
 
 * Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
 - stub out the krb5 and ldap modules so that they'll at least compile again
-
+ 
 * Tue Jul 10 2001 Nalin Dahyabhai <nalin@redhat.com>
 - don't bail when writing empty fields to colon-delimited files
 - use permissions of the original file when making backup files instead of 0600