From ac982f2f05b5d7ceead452c26c80d392029f675e Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Mon, 23 Feb 2026 15:22:59 +0100
Subject: [PATCH] passwd.c: lock, open, close and unlock passwd database
Resolves: RHEL-151055
Resolves: RHEL-150955
Signed-off-by: Iker Pedrosa
---
shadow-4.15.0-passwd-database.patch | 46 +++++++++++++++++++++++++++++
shadow-utils.spec | 9 +++++-
2 files changed, 54 insertions(+), 1 deletion(-)
create mode 100644 shadow-4.15.0-passwd-database.patch
diff --git a/shadow-4.15.0-passwd-database.patch b/shadow-4.15.0-passwd-database.patch
new file mode 100644
index 0000000..b792e84
--- /dev/null
+++ b/shadow-4.15.0-passwd-database.patch
@@ -0,0 +1,46 @@
+--- shadow-4.15.0/src/passwd.c.orig 2026-02-23 14:51:37.436277148 +0100
++++ shadow-4.15.0/src/passwd.c 2026-02-23 14:53:17.130933320 +0100
+@@ -626,6 +626,20 @@
+ struct spwd *nsp;
+ int ret;
+
++ if (pw_lock () == 0) {
++ (void) fprintf (stderr,
++ _("%s: cannot lock %s; try again later.\n"),
++ Prog, pw_dbname ());
++ exit (E_PWDBUSY);
++ }
++ pw_locked = true;
++ if (pw_open (O_CREAT | O_RDWR) == 0) {
++ (void) fprintf (stderr,
++ _("%s: cannot open %s\n"),
++ Prog, pw_dbname ());
++ SYSLOG ((LOG_WARN, "cannot open %s", pw_dbname ()));
++ fail_exit (E_MISSING);
++ }
+ pw = pw_locate(name);
+ if (NULL == pw) {
+ fprintf(stderr,
+@@ -760,6 +774,22 @@
+ /* continue */
+ }
+ spw_locked = false;
++
++ if (pw_close () == 0) {
++ (void) fprintf (stderr,
++ _("%s: failure while writing changes to %s\n"),
++ Prog, pw_dbname ());
++ SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname ()));
++ fail_exit (E_FAILURE);
++ }
++ if (pw_unlock () == 0) {
++ (void) fprintf (stderr,
++ _("%s: failed to unlock %s\n"),
++ Prog, pw_dbname ());
++ SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
++ /* continue */
++ }
++ pw_locked = false;
+ }
+
+ /*
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 43d8959..dfe8654 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
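Review bot: The added `pw_open (O_CREAT | O_RDWR)` in the first passwd.c hunk asks for write access and file creation, yet the only use of the passwd database visible here is the `pw_locate(name)` lookup; if nothing later in the function modifies the entry, `if (pw_open (O_RDONLY) == 0) {` would be enough and would keep a password-change path from ever creating or rewriting the passwd file. The passwd lock is now held from the top of the function until the `pw_unlock ()` added in the second hunk, so every exit in between has to release it: the `NULL == pw` branch and the shadow lock/open code lie outside the hunk, and any plain `exit ()` there should be checked and routed through `fail_exit ()`, which presumably unlocks based on `pw_locked`. The new `pw_close ()` failure branch also calls `fail_exit (E_FAILURE)` after `spw_locked = false`, so a failure there would be reported after the shadow database has, by the look of the context lines, already been closed and unlocked; a short comment stating what the exit status means at that point would help. The enclosing function starts before the first hunk and its middle is not shown.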
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.15.0 -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 2 License: BSD-3-Clause AND GPL-2.0-or-later URL: https://github.com/shadow-maint/shadow @@ -38,6 +38,8 @@ Patch7: shadow-4.15.0-vipw-restore-terminal.patch Patch8: shadow-4.15.0-groupmod-help.patch # https://github.com/shadow-maint/shadow/commit/03a10499fb6d499e6db06d44007d67893db48e32 Patch9: shadow-4.15.0-passwd-audit.patch +# Downstream only +Patch10: shadow-4.15.0-passwd-database.patch ### Dependencies ### Requires: audit-libs >= 1.6.5 @@ -286,6 +288,11 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a %{_libdir}/libsubid.so %changelog +* Mon Feb 23 2026 Iker Pedrosa - 2:4.15.0-11 +- passwd.c: lock, open, close and unlock passwd database + Resolves: RHEL-151055 + Resolves: RHEL-150955 + * Wed Feb 11 2026 Iker Pedrosa - 2:4.15.0-10 - passwd.c: add audit messages for passwd. Resolves: RHEL-141919