libsubid initial implementation

Resolves: #1859252

- libsubid: creation and nsswitch support
- Creation of subid and subid-devel subpackages
- man: mention NSS in new[ug]idmap manpages
- libsubid: move development header to shadow folder
- libsubid: don't print error messages on stderr by default
- libsubid: libsubid_init return false if out of memory
- useradd: fix SUB_UID_COUNT=0
- libsubid: don't return owner in list_owner_ranges API call
- libsubid: libsubid_init don't print messages on error
- libsubid: fix newusers when nss provides subids
- man: clarify subid delegation
- libsubid: make shadow_logfd not extern
- login.defs: include HMAC_CRYPTO_ALGO key

shadow-4.8.1-libsubid_fix_newusers_nss_provides_subids.patch

@@ -0,0 +1,151 @@
+diff -up shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/nss.c
+--- shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.772741048 +0200
++++ shadow-4.8.1/lib/nss.c	2021-05-25 09:37:14.782741188 +0200
+@@ -116,14 +116,6 @@ void nss_init(char *nsswitch_path) {
+ 				subid_nss = NULL;
+ 				goto done;
+ 			}
+-			subid_nss->has_any_range = dlsym(h, "shadow_subid_has_any_range");
+-			if (!subid_nss->has_any_range) {
+-				fprintf(shadow_logfd, "%s did not provide @has_any_range@\n", libname);
+-				dlclose(h);
+-				free(subid_nss);
+-				subid_nss = NULL;
+-				goto done;
+-			}
+ 			subid_nss->find_subid_owners = dlsym(h, "shadow_subid_find_subid_owners");
+ 			if (!subid_nss->find_subid_owners) {
+ 				fprintf(shadow_logfd, "%s did not provide @find_subid_owners@\n", libname);
+diff -up shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/prototypes.h
+--- shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.780741160 +0200
++++ shadow-4.8.1/lib/prototypes.h	2021-05-25 09:37:14.782741188 +0200
+@@ -279,18 +279,6 @@ extern bool nss_is_initialized();
+ 
+ struct subid_nss_ops {
+ 	/*
+-	 * nss_has_any_range: does a user own any subid range
+-	 *
+-	 * @owner: username
+-	 * @idtype: subuid or subgid
+-	 * @result: true if a subid allocation was found for @owner
+-	 *
+-	 * returns success if the module was able to determine an answer (true or false),
+-	 * else an error status.
+-	 */
+-	enum subid_status (*has_any_range)(const char *owner, enum subid_type idtype, bool *result);
+-
+-	/*
+ 	 * nss_has_range: does a user own a given subid range
+ 	 *
+ 	 * @owner: username
+diff -up shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.c
+--- shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.780741160 +0200
++++ shadow-4.8.1/lib/subordinateio.c	2021-05-25 09:37:14.782741188 +0200
+@@ -598,19 +598,8 @@ int sub_uid_open (int mode)
+ 	return commonio_open (&subordinate_uid_db, mode);
+ }
+ 
+-bool sub_uid_assigned(const char *owner)
++bool local_sub_uid_assigned(const char *owner)
+ {
+-	struct subid_nss_ops *h;
+-	bool found;
+-	enum subid_status status;
+-	h = get_subid_nss_handle();
+-	if (h) {
+-		status = h->has_any_range(owner, ID_TYPE_UID, &found);
+-		if (status == SUBID_STATUS_SUCCESS && found)
+-			return true;
+-		return false;
+-	}
+-
+ 	return range_exists (&subordinate_uid_db, owner);
+ }
+ 
+@@ -720,18 +709,8 @@ bool have_sub_gids(const char *owner, gi
+ 	return have_range(&subordinate_gid_db, owner, start, count);
+ }
+ 
+-bool sub_gid_assigned(const char *owner)
++bool local_sub_gid_assigned(const char *owner)
+ {
+-	struct subid_nss_ops *h;
+-	bool found;
+-	enum subid_status status;
+-	h = get_subid_nss_handle();
+-	if (h) {
+-		status = h->has_any_range(owner, ID_TYPE_GID, &found);
+-		if (status == SUBID_STATUS_SUCCESS && found)
+-			return true;
+-		return false;
+-	}
+ 	return range_exists (&subordinate_gid_db, owner);
+ }
+ 
+diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.h
+--- shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.780741160 +0200
++++ shadow-4.8.1/lib/subordinateio.h	2021-05-25 09:37:14.782741188 +0200
+@@ -16,7 +16,7 @@
+ extern int sub_uid_close(void);
+ extern bool have_sub_uids(const char *owner, uid_t start, unsigned long count);
+ extern bool sub_uid_file_present (void);
+-extern bool sub_uid_assigned(const char *owner);
++extern bool local_sub_uid_assigned(const char *owner);
+ extern int sub_uid_lock (void);
+ extern int sub_uid_setdbname (const char *filename);
+ extern /*@observer@*/const char *sub_uid_dbname (void);
+@@ -34,7 +34,7 @@ extern void free_subordinate_ranges(stru
+ extern int sub_gid_close(void);
+ extern bool have_sub_gids(const char *owner, gid_t start, unsigned long count);
+ extern bool sub_gid_file_present (void);
+-extern bool sub_gid_assigned(const char *owner);
++extern bool local_sub_gid_assigned(const char *owner);
+ extern int sub_gid_lock (void);
+ extern int sub_gid_setdbname (const char *filename);
+ extern /*@observer@*/const char *sub_gid_dbname (void);
+diff -up shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/src/newusers.c
+--- shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.776741104 +0200
++++ shadow-4.8.1/src/newusers.c	2021-05-25 09:37:25.955897160 +0200
+@@ -1021,6 +1021,24 @@ static void close_files (void)
+ #endif				/* ENABLE_SUBIDS */
+ }
+ 
++static bool want_subuids(void)
++{
++	if (get_subid_nss_handle() != NULL)
++		return false;
++	if (getdef_ulong ("SUB_UID_COUNT", 65536) == 0)
++		return false;
++	return true;
++}
++
++static bool want_subgids(void)
++{
++	if (get_subid_nss_handle() != NULL)
++		return false;
++	if (getdef_ulong ("SUB_GID_COUNT", 65536) == 0)
++		return false;
++	return true;
++}
++
+ int main (int argc, char **argv)
+ {
+ 	char buf[BUFSIZ];
+@@ -1250,7 +1268,7 @@ int main (int argc, char **argv)
+ 		/*
+ 		 * Add subordinate uids if the user does not have them.
+ 		 */
+-		if (is_sub_uid && !sub_uid_assigned(fields[0])) {
++		if (is_sub_uid && want_subuids() && !local_sub_uid_assigned(fields[0])) {
+ 			uid_t sub_uid_start = 0;
+ 			unsigned long sub_uid_count = 0;
+ 			if (find_new_sub_uids(fields[0], &sub_uid_start, &sub_uid_count) == 0) {
+@@ -1270,7 +1288,7 @@ int main (int argc, char **argv)
+ 		/*
+ 		 * Add subordinate gids if the user does not have them.
+ 		 */
+-		if (is_sub_gid && !sub_gid_assigned(fields[0])) {
++		if (is_sub_gid && want_subgids() && !local_sub_gid_assigned(fields[0])) {
+ 			gid_t sub_gid_start = 0;
+ 			unsigned long sub_gid_count = 0;
+ 			if (find_new_sub_gids(fields[0], &sub_gid_start, &sub_gid_count) == 0) {

shadow-4.8.1-libsubid_init_not_print_error_messages.patch

@@ -0,0 +1,40 @@
+From b0e86b959fe5c086ffb5e7eaf3c1b1e9219411e9 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Sun, 23 May 2021 08:03:10 -0500
+Subject: [PATCH] libsubid_init: don't print messages on error
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+ libsubid/api.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/libsubid/api.c b/libsubid/api.c
+index c4848142..b477b271 100644
+--- a/libsubid/api.c
++++ b/libsubid/api.c
+@@ -46,12 +46,10 @@ bool libsubid_init(const char *progname, FILE * logfd)
+ {
+ 	if (progname) {
+ 		progname = strdup(progname);
+-		if (progname) {
++		if (progname)
+ 			Prog = progname;
+-		} else {
+-			fprintf(stderr, "Out of memory");
++		else
+ 			return false;
+-		}
+ 	}
+ 
+ 	if (logfd) {
+@@ -60,7 +58,6 @@ bool libsubid_init(const char *progname, FILE * logfd)
+ 	}
+ 	shadow_logfd = fopen("/dev/null", "w");
+ 	if (!shadow_logfd) {
+-		fprintf(stderr, "ERROR opening /dev/null for error messages.  Using stderr.");
+ 		shadow_logfd = stderr;
+ 		return false;
+ 	}
+-- 
+2.30.2
+

shadow-4.8.1-libsubid_init_return_false.patch

@@ -0,0 +1,37 @@
+From e34f49c1966fcaa9390a544a0136ec189a3c870e Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Mon, 17 May 2021 08:48:03 -0500
+Subject: [PATCH] libsubid_init: return false if out of memory
+
+The rest of the run isn't likely to get much better, is it?
+
+Thanks to Alexey for pointing this out.
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+Cc: Alexey Tikhonov <atikhono@redhat.com>
+---
+ libsubid/api.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libsubid/api.c b/libsubid/api.c
+index 8ca09859..8618e500 100644
+--- a/libsubid/api.c
++++ b/libsubid/api.c
+@@ -46,10 +46,12 @@ bool libsubid_init(const char *progname, FILE * logfd)
+ {
+ 	if (progname) {
+ 		progname = strdup(progname);
+-		if (progname)
++		if (progname) {
+ 			Prog = progname;
+-		else
++		} else {
+ 			fprintf(stderr, "Out of memory");
++			return false;
++		}
+ 	}
+ 
+ 	if (logfd) {
+-- 
+2.30.2
+

shadow-4.8.1-libsubid_make_logfd_not_extern.patch

@@ -0,0 +1,41 @@
+From 1d767fb779d7b203ad609540d1dc605cf62d1050 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Fri, 28 May 2021 22:02:16 -0500
+Subject: [PATCH] libsubid/api.c: make shadow_logfd not extern
+
+Closes #346
+
+Also #include stdio.h
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+ libsubid/api.c   | 2 +-
+ libsubid/subid.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libsubid/api.c b/libsubid/api.c
+index b477b271..a7b904d0 100644
+--- a/libsubid/api.c
++++ b/libsubid/api.c
+@@ -40,7 +40,7 @@
+ #include "subid.h"
+ 
+ const char *Prog = "(libsubid)";
+-extern FILE * shadow_logfd;
++FILE *shadow_logfd;
+ 
+ bool libsubid_init(const char *progname, FILE * logfd)
+ {
+diff --git a/libsubid/subid.h b/libsubid/subid.h
+index 5fef2572..eabafe4d 100644
+--- a/libsubid/subid.h
++++ b/libsubid/subid.h
+@@ -1,4 +1,5 @@
+ #include <sys/types.h>
++#include <stdio.h>
+ #include <stdbool.h>
+ 
+ #ifndef SUBID_RANGE_DEFINED
+-- 
+2.31.1
+

shadow-4.8.1-libsubid_simplify_ranges_variable.patch

@@ -0,0 +1,264 @@
+diff -up shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable shadow-4.8.1/configure.ac
+--- shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable	2021-05-24 15:02:56.165917066 +0200
++++ shadow-4.8.1/configure.ac	2021-05-24 15:02:56.184917324 +0200
+@@ -1,6 +1,6 @@
+ dnl Process this file with autoconf to produce a configure script.
+ AC_PREREQ([2.69])
+-m4_define([libsubid_abi_major], 2)
++m4_define([libsubid_abi_major], 3)
+ m4_define([libsubid_abi_minor], 0)
+ m4_define([libsubid_abi_micro], 0)
+ m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
+diff -up shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/prototypes.h
+--- shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable	2021-05-24 15:02:56.184917324 +0200
++++ shadow-4.8.1/lib/prototypes.h	2021-05-24 16:38:57.610619467 +0200
+@@ -309,16 +309,15 @@ struct subid_nss_ops {
+ 	 *
+ 	 * @owner - string representing username being queried
+ 	 * @id_type - subuid or subgid
+-	 * @ranges - pointer to an array of struct subordinate_range pointers, or
+-	 *           NULL.  The returned array of struct subordinate_range and its
+-	 *           members must be freed by the caller.
++	 * @ranges - pointer to an array of struct subid_range, or NULL.  The
++	 *           returned array must be freed by the caller.
+ 	 * @count - pointer to an integer into which the number of returned ranges
+ 	 *          is written.
+ 
+ 	 * returns success if the module was able to determine an answer,
+ 	 * else an error status.
+ 	 */
+-	enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges, int *count);
++	enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subid_range **ranges, int *count);
+ 
+ 	/*
+ 	 * nss_find_subid_owners: find uids who own a given subuid or subgid.
+diff -up shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/api.c
+--- shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable	2021-05-24 15:03:01.467989079 +0200
++++ shadow-4.8.1/libsubid/api.c	2021-05-24 16:42:32.091584531 +0200
+@@ -68,26 +68,21 @@ bool libsubid_init(const char *progname,
+ }
+ 
+ static
+-int get_subid_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
++int get_subid_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges)
+ {
+ 	return list_owner_ranges(owner, id_type, ranges);
+ }
+ 
+-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges)
++int get_subuid_ranges(const char *owner, struct subid_range **ranges)
+ {
+ 	return get_subid_ranges(owner, ID_TYPE_UID, ranges);
+ }
+ 
+-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges)
++int get_subgid_ranges(const char *owner, struct subid_range **ranges)
+ {
+ 	return get_subid_ranges(owner, ID_TYPE_GID, ranges);
+ }
+ 
+-void subid_free_ranges(struct subordinate_range **ranges, int count)
+-{
+-	return free_subordinate_ranges(ranges, count);
+-}
+-
+ static
+ int get_subid_owner(unsigned long id, enum subid_type id_type, uid_t **owner)
+ {
+diff -up shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/subid.h
+--- shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable	2021-05-24 15:03:01.468989093 +0200
++++ shadow-4.8.1/libsubid/subid.h	2021-05-24 16:43:49.697657383 +0200
+@@ -3,6 +3,15 @@
+ 
+ #ifndef SUBID_RANGE_DEFINED
+ #define SUBID_RANGE_DEFINED 1
++
++/* subid_range is just a starting point and size of a range */
++struct subid_range {
++	unsigned long start;
++	unsigned long count;
++};
++
++/* subordinage_range is a subid_range plus an owner, representing
++ * a range in /etc/subuid or /etc/subgid */
+ struct subordinate_range {
+ 	const char *owner;
+ 	unsigned long start;
+@@ -41,32 +50,27 @@ bool libsubid_init(const char *progname,
+  * get_subuid_ranges: return a list of UID ranges for a user
+  *
+  * @owner: username being queried
+- * @ranges: a pointer to a subordinate range ** in which the result will be
+- *          returned.
++ * @ranges: a pointer to an array of subid_range structs in which the result
++ *          will be returned.
++ *
++ * The caller must free(ranges) when done.
+  *
+  * returns: number of ranges found, ir < 0 on error.
+  */
+-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges);
++int get_subuid_ranges(const char *owner, struct subid_range **ranges);
+ 
+ /*
+  * get_subgid_ranges: return a list of GID ranges for a user
+  *
+  * @owner: username being queried
+- * @ranges: a pointer to a subordinate range ** in which the result will be
+- *          returned.
++ * @ranges: a pointer to an array of subid_range structs in which the result
++ *          will be returned.
+  *
+- * returns: number of ranges found, ir < 0 on error.
+- */
+-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges);
+-
+-/*
+- * subid_free_ranges: free an array of subordinate_ranges returned by either
+- *                    get_subuid_ranges() or get_subgid_ranges().
++ * The caller must free(ranges) when done.
+  *
+- * @ranges: the ranges to free
+- * @count: the number of ranges in @ranges
++ * returns: number of ranges found, ir < 0 on error.
+  */
+-void subid_free_ranges(struct subordinate_range **ranges, int count);
++int get_subgid_ranges(const char *owner, struct subid_range **ranges);
+ 
+ /*
+  * get_subuid_owners: return a list of uids to which the given uid has been
+diff -up shadow-4.8.1/lib/subordinateio.c.libsubid-simplify shadow-4.8.1/lib/subordinateio.c
+--- shadow-4.8.1/lib/subordinateio.c.libsubid-simplify	2021-05-24 17:27:38.721035241 +0200
++++ shadow-4.8.1/lib/subordinateio.c	2021-05-24 17:28:06.481420946 +0200
+@@ -11,6 +11,7 @@
+ #include <stdio.h>
+ #include "commonio.h"
+ #include "subordinateio.h"
++#include "../libsubid/subid.h"
+ #include <sys/types.h>
+ #include <pwd.h>
+ #include <ctype.h>
+@@ -308,25 +309,21 @@ static bool have_range(struct commonio_d
+ 	return false;
+ }
+ 
+-static bool append_range(struct subordinate_range ***ranges, const struct subordinate_range *new, int n)
++static bool append_range(struct subid_range **ranges, const struct subordinate_range *new, int n)
+ {
+-	struct subordinate_range *tmp;
+ 	if (!*ranges) {
+-		*ranges = malloc(sizeof(struct subordinate_range *));
++		*ranges = malloc(sizeof(struct subid_range));
+ 		if (!*ranges)
+ 			return false;
+ 	} else {
+-		struct subordinate_range **new;
+-		new = realloc(*ranges, (n + 1) * (sizeof(struct subordinate_range *)));
+-		if (!new)
++		struct subid_range *alloced;
++		alloced = realloc(*ranges, (n + 1) * (sizeof(struct subid_range)));
++		if (!alloced)
+ 			return false;
+-		*ranges = new;
++		*ranges = alloced;
+ 	}
+-	(*ranges)[n] = NULL;
+-	tmp = subordinate_dup(new);
+-	if (!tmp)
+-		return false;
+-	(*ranges)[n] = tmp;
++	(*ranges)[n].start = new->start;
++	(*ranges)[n].count = new->count;
+ 	return true;
+ }
+ 
+@@ -785,10 +782,10 @@ gid_t sub_gid_find_free_range(gid_t min,
+  *
+  * The caller must free the subordinate range list.
+  */
+-int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***in_ranges)
++int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **in_ranges)
+ {
+ 	// TODO - need to handle owner being either uid or username
+-	struct subordinate_range **ranges = NULL;
++	struct subid_range *ranges = NULL;
+ 	const struct subordinate_range *range;
+ 	struct commonio_db *db;
+ 	enum subid_status status;
+@@ -826,7 +823,7 @@ int list_owner_ranges(const char *owner,
+ 	while ((range = commonio_next(db)) != NULL) {
+ 		if (0 == strcmp(range->owner, owner)) {
+ 			if (!append_range(&ranges, range, count++)) {
+-				free_subordinate_ranges(ranges, count-1);
++				free(ranges);
+ 				ranges = NULL;
+ 				count = -1;
+ 				goto out;
+diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/subordinateio.h
+--- shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable	2021-05-24 15:03:01.467989079 +0200
++++ shadow-4.8.1/lib/subordinateio.h	2021-05-24 16:40:56.978269647 +0200
+@@ -25,7 +25,7 @@ extern int sub_uid_unlock (void);
+ extern int sub_uid_add (const char *owner, uid_t start, unsigned long count);
+ extern int sub_uid_remove (const char *owner, uid_t start, unsigned long count);
+ extern uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count);
+-extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges);
++extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges);
+ extern bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, bool reuse);
+ extern bool release_subid_range(struct subordinate_range *range, enum subid_type id_type);
+ extern int find_subid_owners(unsigned long id, enum subid_type id_type, uid_t **uids);
+diff -up shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable shadow-4.8.1/src/list_subid_ranges.c
+--- shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable	2021-05-24 15:03:01.468989093 +0200
++++ shadow-4.8.1/src/list_subid_ranges.c	2021-05-24 16:45:10.884779740 +0200
+@@ -17,27 +17,29 @@ void usage(void)
+ int main(int argc, char *argv[])
+ {
+ 	int i, count=0;
+-	struct subordinate_range **ranges;
++	struct subid_range *ranges;
++	const char *owner;
+ 
+ 	Prog = Basename (argv[0]);
+ 	shadow_logfd = stderr;
+-	if (argc < 2) {
++	if (argc < 2)
+ 		usage();
+-	}
+-	if (argc == 3 && strcmp(argv[1], "-g") == 0)
+-		count = get_subgid_ranges(argv[2], &ranges);
+-	else if (argc == 2 && strcmp(argv[1], "-h") == 0)
++	owner = argv[1];
++	if (argc == 3 && strcmp(argv[1], "-g") == 0) {
++		owner = argv[2];
++		count = get_subgid_ranges(owner, &ranges);
++	} else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
+ 		usage();
+-	else
+-		count = get_subuid_ranges(argv[1], &ranges);
++	} else {
++		count = get_subuid_ranges(owner, &ranges);
++	}
+ 	if (!ranges) {
+ 		fprintf(stderr, "Error fetching ranges\n");
+ 		exit(1);
+ 	}
+ 	for (i = 0; i < count; i++) {
+-		printf("%d: %s %lu %lu\n", i, ranges[i]->owner,
+-			ranges[i]->start, ranges[i]->count);
++		printf("%d: %s %lu %lu\n", i, owner,
++			ranges[i].start, ranges[i].count);
+ 	}
+-	subid_free_ranges(ranges, count);
+ 	return 0;
+ }
+diff -up shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c
+--- shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable	2021-05-24 15:02:56.166917079 +0200
++++ shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c	2021-05-24 15:03:01.469989106 +0200
+@@ -113,7 +113,7 @@ enum subid_status shadow_subid_list_owne
+ 	if (strcmp(owner, "conn") == 0)
+ 		return SUBID_STATUS_ERROR_CONN;
+ 
+-	*ranges = NULL;
++	*in_ranges = NULL;
+ 	if (strcmp(owner, "user1") != 0 && strcmp(owner, "ubuntu") != 0 &&
+ 	    strcmp(owner, "group1") != 0)
+ 		return SUBID_STATUS_SUCCESS;

shadow-4.8.1-login_defs_HMAC_CRYPTO_ALGO.patch

@@ -0,0 +1,89 @@
+diff -up shadow-4.8.1/lib/getdef.c.login_defs_HMAC_CRYPTO_ALGO shadow-4.8.1/lib/getdef.c
+--- shadow-4.8.1/lib/getdef.c.login_defs_HMAC_CRYPTO_ALGO	2021-06-24 15:55:32.960558932 +0200
++++ shadow-4.8.1/lib/getdef.c	2021-06-24 15:55:32.975559187 +0200
+@@ -61,6 +61,7 @@ struct itemdef {
+ 	{"ENV_TZ", NULL},			\
+ 	{"FAILLOG_ENAB", NULL},			\
+ 	{"FTMP_FILE", NULL},			\
++	{"HMAC_CRYPTO_ALGO", NULL},		\
+ 	{"ISSUE_FILE", NULL},			\
+ 	{"LASTLOG_ENAB", NULL},			\
+ 	{"LOGIN_STRING", NULL},			\
+diff -up shadow-4.8.1/man/login.defs.5.xml.login_defs_HMAC_CRYPTO_ALGO shadow-4.8.1/man/login.defs.5.xml
+--- shadow-4.8.1/man/login.defs.5.xml.login_defs_HMAC_CRYPTO_ALGO	2021-06-24 15:55:32.929558405 +0200
++++ shadow-4.8.1/man/login.defs.5.xml	2021-06-24 15:55:32.975559187 +0200
+@@ -50,6 +50,7 @@
+ <!ENTITY FAKE_SHELL            SYSTEM "login.defs.d/FAKE_SHELL.xml">
+ <!ENTITY FTMP_FILE             SYSTEM "login.defs.d/FTMP_FILE.xml">
+ <!ENTITY GID_MAX               SYSTEM "login.defs.d/GID_MAX.xml">
++<!ENTITY HMAC_CRYPTO_ALGO      SYSTEM "login.defs.d/HMAC_CRYPTO_ALGO.xml">
+ <!ENTITY HOME_MODE             SYSTEM "login.defs.d/HOME_MODE.xml">
+ <!ENTITY HUSHLOGIN_FILE        SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
+ <!ENTITY ISSUE_FILE            SYSTEM "login.defs.d/ISSUE_FILE.xml">
+@@ -197,6 +198,7 @@
+       &FAKE_SHELL;
+       &FTMP_FILE;
+       &GID_MAX; <!-- documents also GID_MIN -->
++      &HMAC_CRYPTO_ALGO;
+       &HOME_MODE;
+       &HUSHLOGIN_FILE;
+       &ISSUE_FILE;
+diff -up shadow-4.8.1/man/login.defs.d/HMAC_CRYPTO_ALGO.xml.login_defs_HMAC_CRYPTO_ALGO shadow-4.8.1/man/login.defs.d/HMAC_CRYPTO_ALGO.xml
+--- shadow-4.8.1/man/login.defs.d/HMAC_CRYPTO_ALGO.xml.login_defs_HMAC_CRYPTO_ALGO	2021-06-24 15:55:32.975559187 +0200
++++ shadow-4.8.1/man/login.defs.d/HMAC_CRYPTO_ALGO.xml	2021-06-24 15:55:32.975559187 +0200
+@@ -0,0 +1,44 @@
++<!--
++   Copyright (c) 1991 - 1993, Julianne Frances Haugh
++   Copyright (c) 1991 - 1993, Chip Rosenthal
++   Copyright (c) 2007 - 2008, Nicolas François
++   All rights reserved.
++
++   Redistribution and use in source and binary forms, with or without
++   modification, are permitted provided that the following conditions
++   are met:
++   1. Redistributions of source code must retain the above copyright
++      notice, this list of conditions and the following disclaimer.
++   2. Redistributions in binary form must reproduce the above copyright
++      notice, this list of conditions and the following disclaimer in the
++      documentation and/or other materials provided with the distribution.
++   3. The name of the copyright holders or contributors may not be used to
++      endorse or promote products derived from this software without
++      specific prior written permission.
++
++   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++-->
++<varlistentry condition="no_pam">
++  <term><option>HMAC_CRYPTO_ALGO</option> (string)</term>
++  <listitem>
++    <para>
++      Used to select the HMAC cryptography algorithm that the pam_timestamp
++      module is going to use to calculate the keyed-hash message authentication
++      code.
++    </para>
++    <para>
++      Note: Check <refentrytitle>hmac</refentrytitle><manvolnum>3</manvolnum>
++      to see the possible algorithms that are available in your system.
++    </para>
++  </listitem>
++</varlistentry>
+diff -up shadow-4.8.1/man/Makefile.am.login_defs_HMAC_CRYPTO_ALGO shadow-4.8.1/man/Makefile.am
+--- shadow-4.8.1/man/Makefile.am.login_defs_HMAC_CRYPTO_ALGO	2021-06-24 15:55:32.975559187 +0200
++++ shadow-4.8.1/man/Makefile.am	2021-06-24 15:57:11.231229970 +0200
+@@ -136,6 +136,7 @@ login_defs_v = \
+ 	FAKE_SHELL.xml \
+ 	FTMP_FILE.xml \
+ 	GID_MAX.xml \
++	HMAC_CRYPTO_ALGO.xml \
+ 	HUSHLOGIN_FILE.xml \
+ 	ISSUE_FILE.xml \
+ 	KILLCHAR.xml \

shadow-4.8.1-man-mention-nss-in-newuidmap.patch

@@ -0,0 +1,44 @@
+From 186b1b7ac1a68d0fcc618a22da1a99232b420911 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Tue, 4 May 2021 14:39:26 -0500
+Subject: [PATCH] manpages: mention NSS in new[ug]idmap manpages
+
+Closes #328
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+ man/newgidmap.1.xml | 3 ++-
+ man/newuidmap.1.xml | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
+index 71b03e56..76fc1e30 100644
+--- a/man/newgidmap.1.xml
++++ b/man/newgidmap.1.xml
+@@ -88,7 +88,8 @@
+     <title>DESCRIPTION</title>
+     <para>
+       The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
+-      command line arguments and the gids allowed in <filename>/etc/subgid</filename>.
++      command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
++      through the configured NSS subid module).
+       Note that the root user is not exempted from the requirement for a valid
+       <filename>/etc/subgid</filename> entry.
+     </para>
+diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
+index a6f1f085..44eca50a 100644
+--- a/man/newuidmap.1.xml
++++ b/man/newuidmap.1.xml
+@@ -88,7 +88,8 @@
+     <title>DESCRIPTION</title>
+     <para>
+       The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
+-      command line arguments and the uids allowed in <filename>/etc/subuid</filename>.
++      command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
++      through the configured NSS subid module).
+       Note that the root user is not exempted from the requirement for a valid
+       <filename>/etc/subuid</filename> entry.
+     </para>
+-- 
+2.30.2
+

shadow-4.8.1-man_clarify_subid_delegation.patch

@@ -0,0 +1,246 @@
+From d5b15f8633d0eabed885cd16feda224ec2d59072 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 24 May 2021 12:14:43 +0200
+Subject: [PATCH] man: clarify subid delegation
+
+Clarify that the subid delegation can only come from one source.
+Moreover, add an example of what might happen if the subid source is NSS
+and useradd is executed.
+
+Related: https://github.com/shadow-maint/shadow/issues/331
+---
+ man/newgidmap.1.xml | 12 +++++++++---
+ man/newuidmap.1.xml | 10 ++++++++--
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
+index 76fc1e30..7aaf34bf 100644
+--- a/man/newgidmap.1.xml
++++ b/man/newgidmap.1.xml
+@@ -88,9 +88,15 @@
+     <title>DESCRIPTION</title>
+     <para>
+       The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
+-      command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
+-      through the configured NSS subid module).
+-      Note that the root user is not exempted from the requirement for a valid
++      command line arguments and the gids allowed. The subid delegation can come either from files
++      (<filename>/etc/subgid</filename>) or from the configured NSS subid module. Only one of them
++      can be chosen at a time. So, for example, if the subid source is configured as NSS and
++      <command>groupadd</command> is executed, then the command will fail and the entry will not be
++      created in <filename>/etc/subgid</filename>.
++    </para>
++
++    <para>
++      Note that the root group is not exempted from the requirement for a valid
+       <filename>/etc/subgid</filename> entry.
+     </para>
+ 
+diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
+index 44eca50a..4bc1ef7a 100644
+--- a/man/newuidmap.1.xml
++++ b/man/newuidmap.1.xml
+@@ -88,8 +88,14 @@
+     <title>DESCRIPTION</title>
+     <para>
+       The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
+-      command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
+-      through the configured NSS subid module).
++      command line arguments and the uids allowed. The subid delegation can come either from files
++      (<filename>/etc/subuid</filename>) or from the configured NSS subid module. Only one of them
++      can be chosen at a time. So, for example, if the subid source is configured as NSS and
++      <command>useradd</command> is executed, then the command will fail and the entry will not be
++      created in <filename>/etc/subuid</filename>.
++    </para>
++
++    <para>
+       Note that the root user is not exempted from the requirement for a valid
+       <filename>/etc/subuid</filename> entry.
+     </para>
+-- 
+2.30.2
+
+From 68ebbf936038e4e4c8b5105bd3246ef9709b6354 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 7 Jun 2021 11:50:56 +0200
+Subject: [PATCH 1/2] man: clarify subid delegation behaviour
+
+Following the discussion https://github.com/shadow-maint/shadow/pull/345
+I have changed the documentation to clarify the behaviour of subid
+delegation when any subid source except files is configured.
+---
+ man/newgidmap.1.xml | 11 +++++------
+ man/newuidmap.1.xml | 11 +++++------
+ 2 files changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
+index 7aaf34bf..681aefcb 100644
+--- a/man/newgidmap.1.xml
++++ b/man/newgidmap.1.xml
+@@ -87,12 +87,11 @@
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+     <para>
+-      The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
+-      command line arguments and the gids allowed. The subid delegation can come either from files
+-      (<filename>/etc/subgid</filename>) or from the configured NSS subid module. Only one of them
+-      can be chosen at a time. So, for example, if the subid source is configured as NSS and
+-      <command>groupadd</command> is executed, then the command will fail and the entry will not be
+-      created in <filename>/etc/subgid</filename>.
++      The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename>
++      based on its command line arguments and the gids allowed. Subgid
++      delegation can either be managed via <filename>/etc/subgid</filename>
++      or through the configured NSS subid module. These options are mutually
++      exclusive.
+     </para>
+ 
+     <para>
+diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
+index 4bc1ef7a..09e65d80 100644
+--- a/man/newuidmap.1.xml
++++ b/man/newuidmap.1.xml
+@@ -87,12 +87,11 @@
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+     <para>
+-      The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
+-      command line arguments and the uids allowed. The subid delegation can come either from files
+-      (<filename>/etc/subuid</filename>) or from the configured NSS subid module. Only one of them
+-      can be chosen at a time. So, for example, if the subid source is configured as NSS and
+-      <command>useradd</command> is executed, then the command will fail and the entry will not be
+-      created in <filename>/etc/subuid</filename>.
++      The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename>
++      based on its command line arguments and the uids allowed. Subuid
++      delegation can either be managed via <filename>/etc/subuid</filename> or
++      through the configured NSS subid module. These options are mutually
++      exclusive.
+     </para>
+ 
+     <para>
+-- 
+2.31.1
+
+
+From 0faec51bf0ec24e6e3d098cc55ed42584dd24efe Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Fri, 11 Jun 2021 15:25:42 +0200
+Subject: [PATCH 2/2] man: definition and configuration of subid
+
+Define the subid functionality and explain the way to configure its
+delegation.
+---
+ man/subgid.5.xml | 32 +++++++++++++++++++++++++++++++-
+ man/subuid.5.xml | 32 +++++++++++++++++++++++++++++++-
+ 2 files changed, 62 insertions(+), 2 deletions(-)
+
+diff --git a/man/subgid.5.xml b/man/subgid.5.xml
+index 70c561c4..02f421ab 100644
+--- a/man/subgid.5.xml
++++ b/man/subgid.5.xml
+@@ -38,6 +38,11 @@
+       <surname>Biederman</surname>
+       <contrib>Creation, 2013</contrib>
+     </author>
++    <author>
++      <firstname>Iker</firstname>
++      <surname>Pedrosa</surname>
++      <contrib>Developer, 2021</contrib>
++    </author>
+   </refentryinfo>
+   <refmeta>
+     <refentrytitle>subgid</refentrytitle>
+@@ -48,11 +53,36 @@
+   </refmeta>
+   <refnamediv id='name'>
+     <refname>subgid</refname>
+-    <refpurpose>the subordinate gid file</refpurpose>
++    <refpurpose>the configuration for subordinate group ids</refpurpose>
+   </refnamediv>
+ 
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
++    <para>
++      Subgid authorizes a group id to map ranges of group ids from its namespace
++      into child namespaces.
++    </para>
++    <para>
++      The delegation of the subordinate gids can be configured via the
++      <replaceable>subid</replaceable> field in
++      <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
++      as the delegation source. Setting this field to
++      <replaceable>files</replaceable> configures the delegation of gids to
++      <filename>/etc/subgid</filename>. Setting any other value treats
++      the delegation as a plugin following with a name of the form
++      <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
++      missing, then the subordinate gid delegation falls back to
++      <replaceable>files</replaceable>.
++    </para>
++    <para>
++      Note, that <command>groupadd</command> will only create entries in
++      <filename>/etc/subgid</filename> if subid delegation is managed via subid
++      files.
++    </para>
++  </refsect1>
++
++  <refsect1 id='local-subordinate-delegation'>
++    <title>LOCAL SUBORDINATE DELEGATION</title>
+     <para>
+       Each line in <filename>/etc/subgid</filename> contains
+       a user name and a range of subordinate group ids that user
+diff --git a/man/subuid.5.xml b/man/subuid.5.xml
+index ec6a85f5..990d162e 100644
+--- a/man/subuid.5.xml
++++ b/man/subuid.5.xml
+@@ -38,6 +38,11 @@
+       <surname>Biederman</surname>
+       <contrib>Creation, 2013</contrib>
+     </author>
++    <author>
++      <firstname>Iker</firstname>
++      <surname>Pedrosa</surname>
++      <contrib>Developer, 2021</contrib>
++    </author>
+   </refentryinfo>
+   <refmeta>
+     <refentrytitle>subuid</refentrytitle>
+@@ -48,11 +53,36 @@
+   </refmeta>
+   <refnamediv id='name'>
+     <refname>subuid</refname>
+-    <refpurpose>the subordinate uid file</refpurpose>
++    <refpurpose>the configuration for subordinate user ids</refpurpose>
+   </refnamediv>
+ 
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
++    <para>
++      Subuid authorizes a user id to map ranges of user ids from its namespace
++      into child namespaces.
++    </para>
++    <para>
++      The delegation of the subordinate uids can be configured via the
++      <replaceable>subid</replaceable> field in
++      <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
++      as the delegation source. Setting this field to
++      <replaceable>files</replaceable> configures the delegation of uids to
++      <filename>/etc/subuid</filename>. Setting any other value treats
++      the delegation as a plugin following with a name of the form
++      <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
++      missing, then the subordinate uid delegation falls back to
++      <replaceable>files</replaceable>.
++    </para>
++    <para>
++      Note, that <command>useradd</command> will only create entries in
++      <filename>/etc/subuid</filename> if subid delegation is managed via subid
++      files.
++    </para>
++  </refsect1>
++
++  <refsect1 id='local-subordinate-delegation'>
++    <title>LOCAL SUBORDINATE DELEGATION</title>
+     <para>
+       Each line in <filename>/etc/subuid</filename> contains
+       a user name and a range of subordinate user ids that user
+-- 
+2.31.1
+

shadow-4.8.1-useradd_SUB_UID_COUNT-0.patch

@@ -0,0 +1,44 @@
+From 663824ef4ca927aa2b4319b69e0bfa68282ec719 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Sat, 22 May 2021 11:42:02 -0500
+Subject: [PATCH] Fix useradd with SUB_UID_COUNT=0
+
+Closes #298
+
+Fix useradd when SUB_UID_COUNT=0 in login.defs.
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+ src/useradd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 06accb2f..9862ae55 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2386,6 +2386,8 @@ int main (int argc, char **argv)
+ #ifdef ENABLE_SUBIDS
+ 	uid_t uid_min;
+ 	uid_t uid_max;
++	unsigned long subuid_count;
++	unsigned long subgid_count;
+ #endif
+ 
+ 	/*
+@@ -2427,9 +2429,11 @@ int main (int argc, char **argv)
+ #ifdef ENABLE_SUBIDS
+ 	uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+ 	uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+-	is_sub_uid = sub_uid_file_present () && !rflg &&
++	subuid_count = getdef_ulong ("SUB_UID_COUNT", 65536);
++	subgid_count = getdef_ulong ("SUB_GID_COUNT", 65536);
++	is_sub_uid = subuid_count > 0 && sub_uid_file_present () && !rflg &&
+ 	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
+-	is_sub_gid = sub_gid_file_present () && !rflg &&
++	is_sub_gid = subgid_count > 0 && sub_gid_file_present () && !rflg &&
+ 	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
+ #endif				/* ENABLE_SUBIDS */
+ 
+-- 
+2.30.2
+

shadow-utils.login.defs

@@ -266,3 +266,13 @@ CREATE_HOME	yes
 # missing.
 #
 #FORCE_SHADOW    yes
+
+#
+# Select the HMAC cryptography algorithm.
+# Used in pam_timestamp module to calculate the keyed-hash message
+# authentication code.
+#
+# Note: It is recommended to check hmac(3) to see the possible algorithms
+# that are available in your system.
+#
+HMAC_CRYPTO_ALGO SHA512

shadow-utils.spec

@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.8.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 Epoch: 2
 URL: https://github.com/shadow-maint/shadow
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@@ -11,6 +11,11 @@ Source3: shadow-utils.login.defs
 Source4: shadow-bsd.txt
 Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
 Source6: shadow-utils.HOME_MODE.xml
+
+### Globals ###
+%global includesubiddir %{_includedir}/shadow
+
+### Patches ###
 # Misc small changes - most probably non-upstreamable
 Patch0: shadow-4.6-redhat.patch
 # Be more lenient with acceptable user/group names - non upstreamable
@@ -58,6 +63,36 @@ Patch43: shadow-4.8.1-useradd-man-clarification.patch
 Patch44: shadow-4.8.1-check-local-groups.patch
 # https://github.com/shadow-maint/shadow/commit/599cc003daf833bffdc9cbe0d33dc8b3e7ec74c8
 Patch45: shadow-4.8.1-commonio-force-lock-file-sync.patch
+# https://github.com/shadow-maint/shadow/commit/0a7888b1fad613a052b988b01a71933b67296e68
+# https://github.com/shadow-maint/shadow/commit/607f1dd549cf9abc87af1cf29275f0d2d11eea29
+# https://github.com/shadow-maint/shadow/commit/b5fb1b38eea2fb0489ed088c82daf6700e72363e
+# https://github.com/shadow-maint/shadow/commit/43a917cce54019799a8de037fd63780a2b640afc
+Patch46: shadow-4.8.1-libsubid_creation.patch
+# https://github.com/shadow-maint/shadow/commit/514c1328b6c90d817ae0a9f7addfb3c9a11a275a
+# https://github.com/shadow-maint/shadow/commit/8492dee6632e340dee76eee895c3e30877bebf45
+# https://github.com/shadow-maint/shadow/commit/0f4347d1483191b2142546416a9eefe0c9459600
+Patch47: shadow-4.8.1-libsubid_nsswitch_support.patch
+# https://github.com/shadow-maint/shadow/commit/186b1b7ac1a68d0fcc618a22da1a99232b420911
+Patch48: shadow-4.8.1-man-mention-nss-in-newuidmap.patch
+# https://github.com/shadow-maint/shadow/commit/f9831a4a1a20b0e8fe47cc72ec20018ec04dbb90
+Patch49: shadow-4.8.1-libsubid_not_print_error_messages.patch
+# https://github.com/shadow-maint/shadow/commit/c6cab4a7bafa18d9d65a333cac1261e7b5e32bc9
+Patch50: shadow-4.8.1-libsubid_init_return_false.patch
+# https://github.com/shadow-maint/shadow/commit/2f1f45d64fc7c10e7a3cbe00e89f63714343e526
+Patch51: shadow-4.8.1-useradd_SUB_UID_COUNT-0.patch
+# https://github.com/shadow-maint/shadow/commit/ea7af4e1543c63590d4107ae075fea385028997d
+Patch52: shadow-4.8.1-libsubid_simplify_ranges_variable.patch
+# https://github.com/shadow-maint/shadow/commit/0fe42f571c69f0105d31305f995c9887aeb9525e
+Patch53: shadow-4.8.1-libsubid_init_not_print_error_messages.patch
+# https://github.com/shadow-maint/shadow/commit/ec1951c181faed188464396b2cfdd2efb726c7f3
+Patch54: shadow-4.8.1-libsubid_fix_newusers_nss_provides_subids.patch
+# https://github.com/shadow-maint/shadow/commit/087112244327be50abc24f9ec8afbf60ae8b2dec
+# https://github.com/shadow-maint/shadow/commit/5939e066db2db487e9cc7f6d6ccac18386ab9422
+Patch55: shadow-4.8.1-man_clarify_subid_delegation.patch
+# https://github.com/shadow-maint/shadow/commit/bd920ab36a6c641e4a8769f8c7f8ca738ec61820
+Patch56: shadow-4.8.1-libsubid_make_logfd_not_extern.patch
+# https://github.com/shadow-maint/shadow/commit/b8cbc2c11369c1391832452e6ce0522c81bcf726
+Patch57: shadow-4.8.1-login_defs_HMAC_CRYPTO_ALGO.patch
 
 License: BSD and GPLv2+
 BuildRequires: make
@@ -86,6 +121,23 @@ for all users. The useradd, userdel, and usermod commands are used for
 managing user accounts. The groupadd, groupdel, and groupmod commands
 are used for managing group accounts.
 
+
+### Subpackages ###
+%package subid
+Summary: A library to manage subordinate uid and gid ranges
+License: BSD and GPLv2+
+
+%description subid
+Utility library that provides a way to manage subid ranges.
+
+
+%package subid-devel
+Summary: Development package for shadow-utils-subid
+License: BSD and GPLv2+
+
+%description subid-devel
+Development files for shadow-utils-subid.
+
 %prep
 %setup -q -n shadow-%{version}
 %patch0 -p1 -b .redhat
@@ -111,6 +163,18 @@ are used for managing group accounts.
 %patch43 -p1 -b .useradd-man-clarification
 %patch44 -p1 -b .check-local-groups
 %patch45 -p1 -b .commonio-force-lock-file-sync
+%patch46 -p1 -b .libsubid_creation
+%patch47 -p1 -b .libsubid_nsswitch_support
+%patch48 -p1 -b .man-mention-nss-in-newuidmap
+%patch49 -p1 -b .libsubid_not_print_error_messages
+%patch50 -p1 -b .libsubid_init_return_false
+%patch51 -p1 -b .useradd_SUB_UID_COUNT-0
+%patch52 -p1 -b .libsubid_simplify_ranges_variable
+%patch53 -p1 -b .libsubid_init_not_print_error_messages
+%patch54 -p1 -b .libsubid_fix_newusers_nss_provides_subids
+%patch55 -p1 -b .man_clarify_subid_delegation
+%patch56 -p1 -b .libsubid_make_logfd_not_extern
+%patch57 -p1 -b .login_defs_HMAC_CRYPTO_ALGO
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -140,7 +204,7 @@ autoreconf
         --with-selinux \
         --without-libcrack \
         --without-libpam \
-        --disable-shared \
+        --enable-shared \
         --with-group-name-max-length=32
 %make_build
 
@@ -215,6 +279,14 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
     echo "%%lang($lang) $dir/man*/*" >> shadow.lang
 done
 
+# Move header files to its own folder
+echo $(ls)
+mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
+install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
+
+# Remove .la files created by libsubid
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
+
 %files -f shadow.lang
 %doc NEWS doc/HOWTO README
 %license gpl-2.0.txt shadow-bsd.txt
@@ -263,7 +335,29 @@ done
 %{_mandir}/man8/vipw.8*
 %{_mandir}/man8/vigr.8*
 
+%files subid
+%{_libdir}/libsubid.so.*
+
+%files subid-devel
+%{includesubiddir}/subid.h
+%{_libdir}/libsubid.so
+
 %changelog
+* Fri Jun 25 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-9
+- libsubid: creation and nsswitch support. Resolves: #1859252
+- Creation of subid and subid-devel subpackages
+- man: mention NSS in new[ug]idmap manpages
+- libsubid: move development header to shadow folder
+- libsubid: don't print error messages on stderr by default
+- libsubid: libsubid_init return false if out of memory
+- useradd: fix SUB_UID_COUNT=0
+- libsubid: don't return owner in list_owner_ranges API call
+- libsubid: libsubid_init don't print messages on error
+- libsubid: fix newusers when nss provides subids
+- man: clarify subid delegation
+- libsubid: make shadow_logfd not extern
+- login.defs: include HMAC_CRYPTO_ALGO key
+
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:4.8.1-8
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937