diff --git a/SOURCES/shadow-4.3.1-manfix.patch b/SOURCES/shadow-4.3.1-manfix.patch
index d70f4cc..bd1577e 100644
--- a/SOURCES/shadow-4.3.1-manfix.patch
+++ b/SOURCES/shadow-4.3.1-manfix.patch
@@ -54,6 +54,25 @@ Index: shadow-4.5/man/chage.1.xml
Passing the number -1 as the
EXPIRE_DATE will remove an account
expiration date.
+@@ -233,6 +243,18 @@
+ The chage program requires a shadow password file to
+ be available.
+
++
++ The chage program will report only the information from the shadow
++ password file. This implies that configuration from other sources
++ (e.g. LDAP or empty password hash field from the passwd file) that
++ affect the user's login will not be shown in the chage output.
++
++
++ The chage program will also not report any
++ inconsistency between the shadow and passwd files (e.g. missing x in
++ the passwd file). The pwck can be used to check
++ for this kind of inconsistencies.
++
+ The chage command is restricted to the root
+ user, except for the option, which may be used by
+ an unprivileged user to determine when their password or account is due
Index: shadow-4.5/man/ja/man5/login.defs.5
===================================================================
--- shadow-4.5.orig/man/ja/man5/login.defs.5
@@ -282,3 +301,49 @@ Index: shadow-4.5/man/usermod.8.xml
This option is only valid in combination with the
+diff --git a/man/login.defs.d/SUB_GID_COUNT.xml b/man/login.defs.d/SUB_GID_COUNT.xml
+index 01ace007..93fe7421 100644
+--- a/man/login.defs.d/SUB_GID_COUNT.xml
++++ b/man/login.defs.d/SUB_GID_COUNT.xml
+@@ -42,7 +42,7 @@
+
+ The default values for ,
+ ,
+- are respectively 100000, 600100000 and 10000.
++ are respectively 100000, 600100000 and 65536.
+
+
+
+diff --git a/man/login.defs.d/SUB_UID_COUNT.xml b/man/login.defs.d/SUB_UID_COUNT.xml
+index 5ad812f7..516417b7 100644
+--- a/man/login.defs.d/SUB_UID_COUNT.xml
++++ b/man/login.defs.d/SUB_UID_COUNT.xml
+@@ -42,7 +42,7 @@
+
+ The default values for ,
+ ,
+- are respectively 100000, 600100000 and 10000.
++ are respectively 100000, 600100000 and 65536.
+
+
+
+diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml
+--- shadow-4.6/man/groupadd.8.xml.manfix 2019-04-02 16:35:52.096637444 +0200
++++ shadow-4.6/man/groupadd.8.xml 2019-06-07 14:23:57.477602106 +0200
+@@ -320,13 +320,13 @@
+
+ 4
+
+- GID not unique (when not used)
++ GID is already used (when called without )
+
+
+
+ 9
+
+- group name not unique
++ group name is already used
+
+
+
+
diff --git a/SOURCES/shadow-4.6-audit-update.patch b/SOURCES/shadow-4.6-audit-update.patch
index b9d0a67..4237739 100644
--- a/SOURCES/shadow-4.6-audit-update.patch
+++ b/SOURCES/shadow-4.6-audit-update.patch
@@ -834,16 +834,23 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
info_group.audit_msg,
group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
-@@ -472,7 +472,7 @@ static void close_files (void)
+@@ -472,7 +472,14 @@ static void close_files (void)
exit (E_GRP_UPDATE);
}
#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_ACCT, Prog,
-+ audit_logger (AUDIT_GRP_MGMT, Prog,
++ /* If both happened, log password change as its more important */
++ if (pflg)
++ audit_logger (AUDIT_GRP_CHAUTHTOK, Prog,
++ info_gshadow.audit_msg,
++ group_name, AUDIT_NO_ID,
++ SHADOW_AUDIT_SUCCESS);
++ else
++ audit_logger (AUDIT_GRP_MGMT, Prog,
info_gshadow.audit_msg,
group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
-@@ -495,7 +495,7 @@ static void close_files (void)
+@@ -495,7 +502,7 @@ static void close_files (void)
exit (E_GRP_UPDATE);
}
#ifdef WITH_AUDIT
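Review bot: The `if (pflg) … else …` introduced in the nested `+472,14` hunk wraps two multi-line, unbraced audit_logger calls; the surrounding close_files code braces even single-statement bodies (`exit (E_GRP_UPDATE); }` a few lines above), so brace both branches to keep the fallthrough of the else obvious when the argument lists change again. The comment should read `/* If both happened, log the password change as it's more important */`. Since the pflg branch replaces the AUDIT_GRP_MGMT record for the gshadow update rather than adding to it, confirm that non-password modifications made in the same groupmod run are still covered by the AUDIT_GRP_MGMT record emitted for the group file at the top of this hunk; if they are not, emit both records instead of picking one, because a dropped record is what an audit reviewer will notice. close_files starts outside this hunk.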
@@ -852,7 +859,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
info_passwd.audit_msg,
group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
-@@ -510,8 +510,8 @@ static void close_files (void)
+@@ -510,8 +517,8 @@ static void close_files (void)
}
#ifdef WITH_AUDIT
@@ -863,7 +870,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
-@@ -523,6 +523,8 @@ static void close_files (void)
+@@ -523,6 +530,8 @@ static void close_files (void)
*/
static void prepare_failure_reports (void)
{
@@ -872,7 +879,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
info_group.name = group_name;
#ifdef SHADOWGRP
info_gshadow.name = group_name;
-@@ -535,76 +537,106 @@ static void prepare_failure_reports (voi
+@@ -535,76 +544,109 @@ static void prepare_failure_reports (voi
#endif
info_passwd.audit_msg = xmalloc (512);
@@ -971,6 +978,9 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
+ free(nv_pair);
}
if (pflg) {
++ strncat(info_passwd.audit_msg, "op=change-password",
++ 511 - strlen (info_passwd.action));
++
+ /* Note: audit doesn't want this value recorded */
strncat (info_group.action, ", new password",
- 511 - strlen (info_group.audit_msg));
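Review bot: The bound passed to the new `strncat` into `info_passwd.audit_msg` is computed from the wrong string: `511 - strlen (info_passwd.action)` measures `action`, not the destination, so the remaining room in the 512-byte `audit_msg` (`xmalloc (512)` earlier in prepare_failure_reports) is miscalculated and the append can run past the buffer once the message is nearly full. The limit should be `511 - strlen (info_passwd.audit_msg)`; the context lines directly below appear to be correcting the mirrored mix-up on `info_group.action`, so the new lines reintroduce the same class of bug. The later `audit_msg[511] = '\0'` assignments only terminate the string; they do not recover from an overrun. prepare_failure_reports starts and ends outside this hunk.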
@@ -1006,7 +1016,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
"%lu", (unsigned long int) group_newid);
}
info_group.audit_msg[511] = '\0';
-@@ -612,6 +644,11 @@ static void prepare_failure_reports (voi
+@@ -612,6 +654,11 @@ static void prepare_failure_reports (voi
info_gshadow.audit_msg[511] = '\0';
#endif
info_passwd.audit_msg[511] = '\0';
@@ -1603,16 +1613,24 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
fail_exit (E_PW_UPDATE);
}
#ifdef ENABLE_SUBIDS
-@@ -1997,7 +1939,7 @@ static void usr_update (void)
+@@ -1996,9 +1938,14 @@ static void usr_update (void)
+ #endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT
++ /*
++ * Even though we have the ID of the user, we won't send it now
++ * because its not written to disk yet. After close_files it is
++ * and we can use the real ID thereafter.
++ */
audit_logger (AUDIT_ADD_USER, Prog,
- "adding user",
+- user_name, (unsigned int) user_id,
+ "add-user",
- user_name, (unsigned int) user_id,
++ user_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
-@@ -2032,12 +1974,6 @@ static void create_home (void)
+ /*
+@@ -2032,12 +1979,6 @@ static void create_home (void)
fprintf (stderr,
_("%s: cannot create directory %s\n"),
Prog, prefix_user_home);
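Review bot: The new comment in usr_update promises that the real ID will be sent after close_files, but nothing in this hunk adds an `AUDIT_ADD_USER` record there, and the change replaces the only visible `user_id` argument with `AUDIT_NO_ID`; if that follow-up record is not added elsewhere in the patch, the add-user event is never attributed to a uid, which is the attribute analysts search on. If it is added elsewhere, say where in the comment, e.g. `* and the real ID is logged from close_files.` Also `its not written` should read `it's not written`. usr_update starts outside the hunk, and the trailing create_home hunk header is only a renumbering.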
@@ -1625,7 +1643,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
fail_exit (E_HOMEDIR);
}
(void) chown (prefix_user_home, user_id, user_gid);
-@@ -2045,8 +1981,8 @@ static void create_home (void)
+@@ -2045,8 +1986,8 @@ static void create_home (void)
0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
home_added = true;
#ifdef WITH_AUDIT
@@ -1636,7 +1654,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
user_name, (unsigned int) user_id,
SHADOW_AUDIT_SUCCESS);
#endif
-@@ -2231,12 +2167,6 @@ int main (int argc, char **argv)
+@@ -2231,12 +2172,6 @@ int main (int argc, char **argv)
*/
if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */
fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name);
@@ -1649,7 +1667,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
fail_exit (E_NAME_IN_USE);
}
-@@ -2252,12 +2182,6 @@ int main (int argc, char **argv)
+@@ -2252,12 +2187,6 @@ int main (int argc, char **argv)
fprintf (stderr,
_("%s: group %s exists - if you want to add this user to that group, use -g.\n"),
Prog, user_name);
@@ -1662,7 +1680,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
fail_exit (E_NAME_IN_USE);
}
}
-@@ -2287,12 +2211,6 @@ int main (int argc, char **argv)
+@@ -2287,12 +2216,6 @@ int main (int argc, char **argv)
fprintf (stderr,
_("%s: UID %lu is not unique\n"),
Prog, (unsigned long) user_id);
diff --git a/SOURCES/shadow-4.6-ignore-login-prompt.patch b/SOURCES/shadow-4.6-ignore-login-prompt.patch
new file mode 100644
index 0000000..faf50f7
--- /dev/null
+++ b/SOURCES/shadow-4.6-ignore-login-prompt.patch
@@ -0,0 +1,11 @@
+diff -up shadow-4.6/lib/getdef.c.login-prompt shadow-4.6/lib/getdef.c
+--- shadow-4.6/lib/getdef.c.login-prompt 2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/getdef.c 2019-03-21 15:06:58.009280504 +0100
+@@ -94,6 +94,7 @@ static struct itemdef def_table[] = {
+ {"KILLCHAR", NULL},
+ {"LOGIN_RETRIES", NULL},
+ {"LOGIN_TIMEOUT", NULL},
++ {"LOGIN_PLAIN_PROMPT", NULL},
+ {"LOG_OK_LOGINS", NULL},
+ {"LOG_UNKFAIL_ENAB", NULL},
+ {"MAIL_DIR", NULL},
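Review bot: The new entry `{"LOGIN_PLAIN_PROMPT", NULL}` in def_table is added without saying why, and unlike the other patch files in SOURCES this one carries no header describing its purpose. The changelog says the variable is to be ignored, so presumably the intent is only that getdef stops reporting the key as an unknown item while no code reads it; record that next to the entry, `{"LOGIN_PLAIN_PROMPT", NULL}, /* accepted but not used by shadow-utils */`, and add a one-line description at the top of the patch so the next rebase does not drop it as a stray table change.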
diff --git a/SOURCES/shadow-4.6-use-lckpwdf.patch b/SOURCES/shadow-4.6-use-lckpwdf.patch
new file mode 100644
index 0000000..363579a
--- /dev/null
+++ b/SOURCES/shadow-4.6-use-lckpwdf.patch
@@ -0,0 +1,190 @@
+commit 408b8a548243aebaa6d773beeae8ddf4bb6100f0
+Author: Tomas Mraz
+Date: Thu May 2 14:33:06 2019 +0200
+
+ Use the lckpwdf() again if prefix is not set
+
+ The implementation of prefix option dropped the use of lckpwdf().
+ However that is incorrect as other tools manipulating the shadow passwords
+ such as PAM use lckpwdf() and do not know anything about the
+ shadow's own locking mechanism.
+
+ This reverts the implementation to use lckpwdf() if prefix option
+ is not used.
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index 26e518f2..94dda779 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -364,6 +364,7 @@ static void free_linked_list (struct commonio_db *db)
+ int commonio_setname (struct commonio_db *db, const char *name)
+ {
+ snprintf (db->filename, sizeof (db->filename), "%s", name);
++ db->setname = true;
+ return 1;
+ }
+
+@@ -414,37 +415,39 @@ cleanup_ENOMEM:
+
+ int commonio_lock (struct commonio_db *db)
+ {
+-/*#ifdef HAVE_LCKPWDF*/ /* not compatible with prefix option*/
+-#if 0
+- /*
+- * only if the system libc has a real lckpwdf() - the one from
+- * lockpw.c calls us and would cause infinite recursion!
+- */
++ int i;
+
++#ifdef HAVE_LCKPWDF
+ /*
+- * Call lckpwdf() on the first lock.
+- * If it succeeds, call *_lock() only once
+- * (no retries, it should always succeed).
++ * Only if the system libc has a real lckpwdf() - the one from
++ * lockpw.c calls us and would cause infinite recursion!
++ * It is also not used with the prefix option.
+ */
+- if (0 == lock_count) {
+- if (lckpwdf () == -1) {
+- if (geteuid () != 0) {
+- (void) fprintf (stderr,
+- "%s: Permission denied.\n",
+- Prog);
++ if (!db->setname) {
++ /*
++ * Call lckpwdf() on the first lock.
++ * If it succeeds, call *_lock() only once
++ * (no retries, it should always succeed).
++ */
++ if (0 == lock_count) {
++ if (lckpwdf () == -1) {
++ if (geteuid () != 0) {
++ (void) fprintf (stderr,
++ "%s: Permission denied.\n",
++ Prog);
++ }
++ return 0; /* failure */
+ }
+- return 0; /* failure */
+ }
+- }
+
+- if (commonio_lock_nowait (db, true) != 0) {
+- return 1; /* success */
+- }
++ if (commonio_lock_nowait (db, true) != 0) {
++ return 1; /* success */
++ }
+
+- ulckpwdf ();
+- return 0; /* failure */
+-#else /* !HAVE_LCKPWDF */
+- int i;
++ ulckpwdf ();
++ return 0; /* failure */
++ }
++#endif /* !HAVE_LCKPWDF */
+
+ /*
+ * lckpwdf() not used - do it the old way.
+@@ -471,7 +474,6 @@ int commonio_lock (struct commonio_db *db)
+ }
+ }
+ return 0; /* failure */
+-#endif /* !HAVE_LCKPWDF */
+ }
+
+ static void dec_lock_count (void)
+diff --git a/lib/commonio.h b/lib/commonio.h
+index 40e5708f..64e83073 100644
+--- a/lib/commonio.h
++++ b/lib/commonio.h
+@@ -143,6 +143,7 @@ struct commonio_db {
+ bool isopen:1;
+ bool locked:1;
+ bool readonly:1;
++ bool setname:1;
+ };
+
+ extern int commonio_setname (struct commonio_db *, const char *);
+diff --git a/lib/groupio.c b/lib/groupio.c
+index ae2302b5..bffb06e0 100644
+--- a/lib/groupio.c
++++ b/lib/groupio.c
+@@ -139,7 +139,8 @@ static /*@owned@*/struct commonio_db group_db = {
+ false, /* changed */
+ false, /* isopen */
+ false, /* locked */
+- false /* readonly */
++ false, /* readonly */
++ false /* setname */
+ };
+
+ int gr_setdbname (const char *filename)
+diff --git a/lib/pwio.c b/lib/pwio.c
+index 7ee85377..127719cb 100644
+--- a/lib/pwio.c
++++ b/lib/pwio.c
+@@ -114,7 +114,8 @@ static struct commonio_db passwd_db = {
+ false, /* changed */
+ false, /* isopen */
+ false, /* locked */
+- false /* readonly */
++ false, /* readonly */
++ false /* setname */
+ };
+
+ int pw_setdbname (const char *filename)
+diff --git a/lib/sgroupio.c b/lib/sgroupio.c
+index 5423626a..ffbdb263 100644
+--- a/lib/sgroupio.c
++++ b/lib/sgroupio.c
+@@ -238,7 +238,8 @@ static struct commonio_db gshadow_db = {
+ false, /* changed */
+ false, /* isopen */
+ false, /* locked */
+- false /* readonly */
++ false, /* readonly */
++ false /* setname */
+ };
+
+ int sgr_setdbname (const char *filename)
+diff --git a/lib/shadowio.c b/lib/shadowio.c
+index 5fa3d312..676b1f1a 100644
+--- a/lib/shadowio.c
++++ b/lib/shadowio.c
+@@ -114,7 +114,8 @@ static struct commonio_db shadow_db = {
+ false, /* changed */
+ false, /* isopen */
+ false, /* locked */
+- false /* readonly */
++ false, /* readonly */
++ false /* setname */
+ };
+
+ int spw_setdbname (const char *filename)
+diff --git a/lib/subordinateio.c b/lib/subordinateio.c
+index a662e67e..dd779c59 100644
+--- a/lib/subordinateio.c
++++ b/lib/subordinateio.c
+@@ -550,7 +550,8 @@ static struct commonio_db subordinate_uid_db = {
+ false, /* changed */
+ false, /* isopen */
+ false, /* locked */
+- false /* readonly */
++ false, /* readonly */
++ false /* setname */
+ };
+
+ int sub_uid_setdbname (const char *filename)
+@@ -631,7 +632,8 @@ static struct commonio_db subordinate_gid_db = {
+ false, /* changed */
+ false, /* isopen */
+ false, /* locked */
+- false /* readonly */
++ false, /* readonly */
++ false /* setname */
+ };
+
+ int sub_gid_setdbname (const char *filename)
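Review bot: The closing directive in the rewritten commonio_lock is labelled `#endif /* !HAVE_LCKPWDF */` although it now closes `#ifdef HAVE_LCKPWDF`; the old label belonged to the removed `#else` branch, so it should read `#endif /* HAVE_LCKPWDF */` so a reader does not misplace the prefix fallback. The hunk re-enables the lckpwdf() acquisition for the non-prefix case but shows only the signature of dec_lock_count as trailing context; confirm that the matching ulckpwdf() on the unlock side is active again and is skipped under the same `!db->setname` condition, otherwise the lock is either held until process exit or released for a database that was never locked through it. Note also that `db->setname` is set by every commonio_setname call, not only by the prefix option, so tools that accept an alternate file argument bypass lckpwdf too; presumably intended, since they are not editing the system databases, but worth stating in the commit message. The remaining inner diffs only extend the positional initializers of the six db instances for the new bitfield.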
diff --git a/SPECS/shadow-utils.spec b/SPECS/shadow-utils.spec
index b86ea1d..b329b11 100644
--- a/SPECS/shadow-utils.spec
+++ b/SPECS/shadow-utils.spec
@@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils
Version: 4.6
-Release: 7%{?dist}
+Release: 8%{?dist}
Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@@ -35,6 +35,8 @@ Patch36: shadow-4.6-use-itstool.patch
Patch37: shadow-4.6-sssd-flush.patch
Patch38: shadow-4.6-sysugid-min-limit.patch
Patch39: shadow-4.6-chgrp-guard.patch
+Patch40: shadow-4.6-ignore-login-prompt.patch
+Patch41: shadow-4.6-use-lckpwdf.patch
License: BSD and GPLv2+
Group: System Environment/Base
@@ -92,12 +94,17 @@ are used for managing group accounts.
%patch37 -p1 -b .sssd-flush
%patch38 -p1 -b .sysugid-min-limit
%patch39 -p1 -b .chgrp-guard
+%patch40 -p1 -b .login-prompt
+%patch41 -p1 -b .use-lckpwdf
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
cp -f doc/HOWTO.utf8 doc/HOWTO
cp -a %{SOURCE4} %{SOURCE5} .
+# Force regeneration of getdate.c
+rm libmisc/getdate.c
+
%build
%ifarch sparc64
#sparc64 need big PIE
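Review bot: The `rm libmisc/getdate.c` added to %prep has a comment that says what but not why; the changelog entry explains that without it the date parsing fix is not applied, presumably because the pre-generated file in the tarball predates the patched source it is generated from. Put that reason next to the command so it is not removed as a cleanup later: `# Remove the shipped getdate.c so it is regenerated at build time, otherwise the date parsing fix is not applied`. Leaving off `-f` is fine here: a missing file means the assumption behind this step changed and %prep should fail loudly rather than silently build whatever is present.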
@@ -243,6 +250,18 @@ done
%{_mandir}/man8/vigr.8*
%changelog
+* Fri Jun 7 2019 Tomáš Mráz - 2:4.6-8
+- properly audit group password change
+- do not add uid of a new (not yet added) user to the audit message
+- use lckpwdf() again to disable concurrent edits of databases by
+ other applications
+- clarify chage manual page in regards to shadow and passwd
+ inconsistency
+- fix minor issues in groupadd and login.defs manual pages
+- Ignore LOGIN_PLAIN_PROMPT variable in login.defs
+- force regeneration of getdate.c otherwise the date parsing fix
+ is not applied
+
* Tue Dec 18 2018 Tomáš Mráz - 2:4.6-7
- usermod: guard against unsafe change of ownership of
special home directories