.gitignore

@@ -1 +1 @@
-SOURCES/shadow-4.9.tar.xz
+SOURCES/shadow-4.6.tar.xz

.shadow-utils.metadata

@@ -1 +1 @@
-fa2307ff6c85ab3863d9e24dba0935bbbb337f3f SOURCES/shadow-4.9.tar.xz
+0b84eb1010fda5edca2a9d1733f9480200e02de6 SOURCES/shadow-4.6.tar.xz

SOURCES/shadow-4.1.5.1-default-range.patch

@@ -1,6 +1,7 @@
-diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
+Index: shadow-4.5/lib/semanage.c
---- shadow-4.9/lib/semanage.c.default-range	2021-07-22 23:55:35.000000000 +0200
+===================================================================
-+++ shadow-4.9/lib/semanage.c	2021-08-02 12:43:16.822817392 +0200
+--- shadow-4.5.orig/lib/semanage.c
++++ shadow-4.5/lib/semanage.c
 @@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
  		goto done;
  	}
@@ -8,7 +9,7 @@ diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
 +#if 0
  	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
  	if (ret != 0) {
- 		fprintf (shadow_logfd,
+ 		fprintf (stderr,
 @@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
  		ret = 1;
  		goto done;
@@ -24,7 +25,7 @@ diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
 +#if 0
  	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
  	if (ret != 0) {
- 		fprintf (shadow_logfd,
+ 		fprintf (stderr,
 @@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
  		ret = 1;
  		goto done;

SOURCES/shadow-4.1.5.1-info-parent-dir.patch

@@ -0,0 +1,21 @@
+Index: shadow-4.5/man/newusers.8.xml
+===================================================================
+--- shadow-4.5.orig/man/newusers.8.xml
++++ shadow-4.5/man/newusers.8.xml
+@@ -218,7 +218,15 @@
+ 	  <para>
+ 	    If this field does not specify an existing directory, the
+ 	    specified directory is created, with ownership set to the
+-	    user being created or updated and its primary group.
++	    user being created or updated and its primary group. Note 
++            that newusers does not create parent directories of the new 
++            user's home directory. The newusers command will fail to 
++            create the home directory if the parent directories do not 
++            exist, and will send a message to stderr informing the user 
++            of the failure. The newusers command will not halt or return 
++            a failure to the calling shell if it fails to create the home 
++            directory, it will continue to process the batch of new users 
++            specified.
+ 	  </para>
+ 	  <para>
+ 	    If the home directory of an existing user is changed,

SOURCES/shadow-4.1.5.1-logmsg.patch

@@ -0,0 +1,13 @@
+Index: shadow-4.5/src/useradd.c
+===================================================================
+--- shadow-4.5.orig/src/useradd.c
++++ shadow-4.5/src/useradd.c
+@@ -323,7 +323,7 @@ static void fail_exit (int code)
+ 	              user_name, AUDIT_NO_ID,
+ 	              SHADOW_AUDIT_FAILURE);
+ #endif
+-	SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
++	SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
+ 	exit (code);
+ }
+ 

SOURCES/shadow-4.1.5.1-userdel-helpfix.patch

@@ -0,0 +1,16 @@
+Index: shadow-4.5/src/userdel.c
+===================================================================
+--- shadow-4.5.orig/src/userdel.c
++++ shadow-4.5/src/userdel.c
+@@ -143,8 +143,9 @@ static void usage (int status)
+ 	                  "\n"
+ 	                  "Options:\n"),
+ 	                Prog);
+-	(void) fputs (_("  -f, --force                   force removal of files,\n"
+-	                "                                even if not owned by user\n"),
++	(void) fputs (_("  -f, --force                   force some actions that would fail otherwise\n"
++			"                                e.g. removal of user still logged in\n"
++			"                                or files, even if not owned by the user\n"),
+ 	              usageout);
+ 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
+ 	(void) fputs (_("  -r, --remove                  remove home directory and mail spool\n"), usageout);

SOURCES/shadow-4.2.1-no-lock-dos.patch

@@ -0,0 +1,16 @@
+Index: shadow-4.5/lib/commonio.c
+===================================================================
+--- shadow-4.5.orig/lib/commonio.c
++++ shadow-4.5/lib/commonio.c
+@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
+ 	int retval;
+ 	char buf[32];
+ 
+-	fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
++	/* We depend here on the fact, that the file name is pid-specific.
++	 * So no O_EXCL here and no DoS.
++	 */
++	fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
+ 	if (-1 == fd) {
+ 		if (log) {
+ 			(void) fprintf (stderr,

SOURCES/shadow-4.2.1-null-tm.patch

@@ -1,3 +1,24 @@
+Index: shadow-4.5/src/faillog.c
+===================================================================
+--- shadow-4.5.orig/src/faillog.c
++++ shadow-4.5/src/faillog.c
+@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
+ 	}
+ 
+ 	tm = localtime (&fl.fail_time);
++	if (tm == NULL) {
++		cp = "(unknown)";
++	} else {
+ #ifdef HAVE_STRFTIME
+-	strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
+-	cp = ptime;
++		strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
++		cp = ptime;
+ #endif
++	}
+ 	printf ("%-9s   %5d    %5d   ",
+ 	        pw->pw_name, fl.fail_cnt, fl.fail_max);
+ 	/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
 Index: shadow-4.5/src/chage.c
 ===================================================================
 --- shadow-4.5.orig/src/chage.c

SOURCES/shadow-4.5-crypt_h.patch

@@ -0,0 +1,41 @@
+Index: shadow-4.5/configure.ac
+===================================================================
+--- shadow-4.5.orig/configure.ac
++++ shadow-4.5/configure.ac
+@@ -32,9 +32,9 @@ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+ AC_HEADER_STDBOOL
+ 
+-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
+-	utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
+-	utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
++AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \
++	utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \
++	paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
+ 	locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
+ 	attr/error_context.h)
+ 
+Index: shadow-4.5/lib/defines.h
+===================================================================
+--- shadow-4.5.orig/lib/defines.h
++++ shadow-4.5/lib/defines.h
+@@ -4,6 +4,8 @@
+ #ifndef _DEFINES_H_
+ #define _DEFINES_H_
+ 
++#include "config.h"
++
+ #if HAVE_STDBOOL_H
+ # include <stdbool.h>
+ #else
+@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
+ # include <unistd.h>
+ #endif
+ 
++#if HAVE_CRYPT_H
++# include <crypt.h>		/* crypt(3) may be defined in here */
++#endif
++
+ #if TIME_WITH_SYS_TIME
+ # include <sys/time.h>
+ # include <time.h>

SOURCES/shadow-4.5-long-entry.patch

@@ -1,19 +1,17 @@
-diff -up shadow-4.8/lib/defines.h.long-entry shadow-4.8/lib/defines.h
+diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h
---- shadow-4.8/lib/defines.h.long-entry	2020-01-13 10:29:45.288957339 +0100
+--- shadow-4.5/lib/defines.h.long-entry	2014-09-01 16:36:40.000000000 +0200
-+++ shadow-4.8/lib/defines.h	2020-01-13 10:30:47.482902954 +0100
++++ shadow-4.5/lib/defines.h	2018-04-20 11:53:07.419308212 +0200
-@@ -388,6 +388,9 @@ extern char *strerror ();
+@@ -382,4 +382,7 @@ extern char *strerror ();
  # endif
  #endif
  
 +/* Maximum length of passwd entry */
 +#define PASSWD_ENTRY_MAX_LENGTH 32768
 +
- #ifdef HAVE_SECURE_GETENV
+ #endif				/* _DEFINES_H_ */
- #  define shadow_getenv(name) secure_getenv(name)
+diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c
- # else
+--- shadow-4.5/lib/pwio.c.long-entry	2015-11-17 17:45:15.000000000 +0100
-diff -up shadow-4.8/lib/pwio.c.long-entry shadow-4.8/lib/pwio.c
++++ shadow-4.5/lib/pwio.c	2018-04-20 12:10:24.400837235 +0200
---- shadow-4.8/lib/pwio.c.long-entry	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/lib/pwio.c	2020-01-13 10:29:45.288957339 +0100
 @@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
  	    || (pw->pw_gid == (gid_t)-1)
  	    || (valid_field (pw->pw_gecos, ":\n") == -1)
@@ -26,9 +24,9 @@ diff -up shadow-4.8/lib/pwio.c.long-entry shadow-4.8/lib/pwio.c
  		return -1;
  	}
  
-diff -up shadow-4.8/lib/sgetpwent.c.long-entry shadow-4.8/lib/sgetpwent.c
+diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c
---- shadow-4.8/lib/sgetpwent.c.long-entry	2019-10-05 03:23:58.000000000 +0200
+--- shadow-4.5/lib/sgetpwent.c.long-entry	2014-09-01 16:36:40.000000000 +0200
-+++ shadow-4.8/lib/sgetpwent.c	2020-01-13 10:29:45.288957339 +0100
++++ shadow-4.5/lib/sgetpwent.c	2018-04-20 12:16:31.911513808 +0200
 @@ -57,7 +57,7 @@
  struct passwd *sgetpwent (const char *buf)
  {
@@ -50,9 +48,9 @@ diff -up shadow-4.8/lib/sgetpwent.c.long-entry shadow-4.8/lib/sgetpwent.c
  	strcpy (pwdbuf, buf);
  
  	/*
-diff -up shadow-4.8/lib/sgetspent.c.long-entry shadow-4.8/lib/sgetspent.c
+diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c
---- shadow-4.8/lib/sgetspent.c.long-entry	2019-07-23 17:26:08.000000000 +0200
+--- shadow-4.5/lib/sgetspent.c.long-entry	2014-09-01 16:36:40.000000000 +0200
-+++ shadow-4.8/lib/sgetspent.c	2020-01-13 10:29:45.289957322 +0100
++++ shadow-4.5/lib/sgetspent.c	2018-04-20 12:16:54.505056257 +0200
 @@ -48,7 +48,7 @@
   */
  struct spwd *sgetspent (const char *string)
@@ -70,9 +68,9 @@ diff -up shadow-4.8/lib/sgetspent.c.long-entry shadow-4.8/lib/sgetspent.c
  		return 0;	/* fail if too long */
  	}
  	strcpy (spwbuf, string);
-diff -up shadow-4.8/lib/shadowio.c.long-entry shadow-4.8/lib/shadowio.c
+diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c
---- shadow-4.8/lib/shadowio.c.long-entry	2019-07-23 17:26:08.000000000 +0200
+--- shadow-4.5/lib/shadowio.c.long-entry	2016-12-07 06:30:41.000000001 +0100
-+++ shadow-4.8/lib/shadowio.c	2020-01-13 10:29:45.289957322 +0100
++++ shadow-4.5/lib/shadowio.c	2018-04-20 12:12:03.292171667 +0200
 @@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
  
  	if (   (NULL == sp)

SOURCES/shadow-4.6-check-local-groups.patch

@@ -0,0 +1,642 @@
+From 140510de9de4771feb3af1d859c09604043a4c9b Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Fri, 27 Mar 2020 14:23:02 +0100
+Subject: [PATCH 1/2] usermod: check only local groups with -G option
+
+Check only local groups when adding new supplementary groups to a user
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
+---
+ src/usermod.c | 220 ++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 143 insertions(+), 77 deletions(-)
+
+diff --git a/src/usermod.c b/src/usermod.c
+index 05b98715..ef430296 100644
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -183,6 +183,7 @@ static bool sub_gid_locked = false;
+ static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
+                          long int date);
+ static int get_groups (char *);
++static struct group * get_local_group (char * grp_name);
+ static /*@noreturn@*/void usage (int status);
+ static void new_pwent (struct passwd *);
+ static void new_spent (struct spwd *);
+@@ -196,7 +197,9 @@ static void grp_update (void);
+ 
+ static void process_flags (int, char **);
+ static void close_files (void);
++static void close_group_files (void);
+ static void open_files (void);
++static void open_group_files (void);
+ static void usr_update (void);
+ static void move_home (void);
+ static void update_lastlog (void);
+@@ -253,6 +256,11 @@ static int get_groups (char *list)
+ 		return 0;
+ 	}
+ 
++	/*
++	 * Open the group files
++	 */
++	open_group_files ();
++
+ 	/*
+ 	 * So long as there is some data to be converted, strip off each
+ 	 * name and look it up. A mix of numerical and string values for
+@@ -272,7 +280,7 @@ static int get_groups (char *list)
+ 		 * Names starting with digits are treated as numerical GID
+ 		 * values, otherwise the string is looked up as is.
+ 		 */
+-		grp = prefix_getgr_nam_gid (list);
++		grp = get_local_group (list);
+ 
+ 		/*
+ 		 * There must be a match, either by GID value or by
+@@ -322,6 +330,8 @@ static int get_groups (char *list)
+ 		gr_free ((struct group *)grp);
+ 	} while (NULL != list);
+ 
++	close_group_files ();
++
+ 	user_groups[ngroups] = (char *) 0;
+ 
+ 	/*
+@@ -334,6 +344,44 @@ static int get_groups (char *list)
+ 	return 0;
+ }
+ 
++/*
++ * get_local_group - checks if a given group name exists locally
++ *
++ *	get_local_group() checks if a given group name exists locally.
++ *	If the name exists the group information is returned, otherwise NULL is
++ *	returned.
++ */
++static struct group * get_local_group(char * grp_name)
++{
++	const struct group *grp;
++	struct group *result_grp = NULL;
++	long long int gid;
++	char *endptr;
++
++	gid = strtoll (grp_name, &endptr, 10);
++	if (   ('\0' != *grp_name)
++		&& ('\0' == *endptr)
++		&& (ERANGE != errno)
++		&& (gid == (gid_t)gid)) {
++		grp = gr_locate_gid ((gid_t) gid);
++	}
++	else {
++		grp = gr_locate(grp_name);
++	}
++
++	if (grp != NULL) {
++		result_grp = __gr_dup (grp);
++		if (NULL == result_grp) {
++			fprintf (stderr,
++					_("%s: Out of memory. Cannot find group '%s'.\n"),
++					Prog, grp_name);
++			fail_exit (E_GRP_UPDATE);
++		}
++	}
++
++	return result_grp;
++}
++
+ #ifdef ENABLE_SUBIDS
+ struct ulong_range
+ {
+@@ -1447,50 +1495,7 @@ static void close_files (void)
+ 	}
+ 
+ 	if (Gflg || lflg) {
+-		if (gr_close () == 0) {
+-			fprintf (stderr,
+-			         _("%s: failure while writing changes to %s\n"),
+-			         Prog, gr_dbname ());
+-			SYSLOG ((LOG_ERR,
+-			         "failure while writing changes to %s",
+-			         gr_dbname ()));
+-			fail_exit (E_GRP_UPDATE);
+-		}
+-#ifdef SHADOWGRP
+-		if (is_shadow_grp) {
+-			if (sgr_close () == 0) {
+-				fprintf (stderr,
+-				         _("%s: failure while writing changes to %s\n"),
+-				         Prog, sgr_dbname ());
+-				SYSLOG ((LOG_ERR,
+-				         "failure while writing changes to %s",
+-				         sgr_dbname ()));
+-				fail_exit (E_GRP_UPDATE);
+-			}
+-		}
+-#endif
+-#ifdef SHADOWGRP
+-		if (is_shadow_grp) {
+-			if (sgr_unlock () == 0) {
+-				fprintf (stderr,
+-				         _("%s: failed to unlock %s\n"),
+-				         Prog, sgr_dbname ());
+-				SYSLOG ((LOG_ERR,
+-				         "failed to unlock %s",
+-				         sgr_dbname ()));
+-				/* continue */
+-			}
+-		}
+-#endif
+-		if (gr_unlock () == 0) {
+-			fprintf (stderr,
+-			         _("%s: failed to unlock %s\n"),
+-			         Prog, gr_dbname ());
+-			SYSLOG ((LOG_ERR,
+-			         "failed to unlock %s",
+-			         gr_dbname ()));
+-			/* continue */
+-		}
++		close_group_files ();
+ 	}
+ 
+ 	if (is_shadow_pwd) {
+@@ -1559,6 +1564,60 @@ static void close_files (void)
+ #endif
+ }
+ 
++/*
++ * close_group_files - close all of the files that were opened
++ *
++ *	close_group_files() closes all of the files that were opened related
++ *  with groups. This causes any modified entries to be written out.
++ */
++static void close_group_files (void)
++{
++	if (gr_close () == 0) {
++		fprintf (stderr,
++					_("%s: failure while writing changes to %s\n"),
++					Prog, gr_dbname ());
++		SYSLOG ((LOG_ERR,
++					"failure while writing changes to %s",
++					gr_dbname ()));
++		fail_exit (E_GRP_UPDATE);
++	}
++#ifdef SHADOWGRP
++	if (is_shadow_grp) {
++		if (sgr_close () == 0) {
++			fprintf (stderr,
++						_("%s: failure while writing changes to %s\n"),
++						Prog, sgr_dbname ());
++			SYSLOG ((LOG_ERR,
++						"failure while writing changes to %s",
++						sgr_dbname ()));
++			fail_exit (E_GRP_UPDATE);
++		}
++	}
++#endif
++#ifdef SHADOWGRP
++	if (is_shadow_grp) {
++		if (sgr_unlock () == 0) {
++			fprintf (stderr,
++						_("%s: failed to unlock %s\n"),
++						Prog, sgr_dbname ());
++			SYSLOG ((LOG_ERR,
++						"failed to unlock %s",
++						sgr_dbname ()));
++			/* continue */
++		}
++	}
++#endif
++	if (gr_unlock () == 0) {
++		fprintf (stderr,
++					_("%s: failed to unlock %s\n"),
++					Prog, gr_dbname ());
++		SYSLOG ((LOG_ERR,
++					"failed to unlock %s",
++					gr_dbname ()));
++		/* continue */
++	}
++}
++
+ /*
+  * open_files - lock and open the password files
+  *
+@@ -1594,38 +1653,7 @@ static void open_files (void)
+ 	}
+ 
+ 	if (Gflg || lflg) {
+-		/*
+-		 * Lock and open the group file. This will load all of the
+-		 * group entries.
+-		 */
+-		if (gr_lock () == 0) {
+-			fprintf (stderr,
+-			         _("%s: cannot lock %s; try again later.\n"),
+-			         Prog, gr_dbname ());
+-			fail_exit (E_GRP_UPDATE);
+-		}
+-		gr_locked = true;
+-		if (gr_open (O_CREAT | O_RDWR) == 0) {
+-			fprintf (stderr,
+-			         _("%s: cannot open %s\n"),
+-			         Prog, gr_dbname ());
+-			fail_exit (E_GRP_UPDATE);
+-		}
+-#ifdef SHADOWGRP
+-		if (is_shadow_grp && (sgr_lock () == 0)) {
+-			fprintf (stderr,
+-			         _("%s: cannot lock %s; try again later.\n"),
+-			         Prog, sgr_dbname ());
+-			fail_exit (E_GRP_UPDATE);
+-		}
+-		sgr_locked = true;
+-		if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
+-			fprintf (stderr,
+-			         _("%s: cannot open %s\n"),
+-			         Prog, sgr_dbname ());
+-			fail_exit (E_GRP_UPDATE);
+-		}
+-#endif
++		open_group_files ();
+ 	}
+ #ifdef ENABLE_SUBIDS
+ 	if (vflg || Vflg) {
+@@ -1661,6 +1689,44 @@ static void open_files (void)
+ #endif				/* ENABLE_SUBIDS */
+ }
+ 
++/*
++ * open_group_files - lock and open the group files
++ *
++ *	open_group_files() loads all of the group entries.
++ */
++static void open_group_files (void)
++{
++	if (gr_lock () == 0) {
++		fprintf (stderr,
++					_("%s: cannot lock %s; try again later.\n"),
++					Prog, gr_dbname ());
++		fail_exit (E_GRP_UPDATE);
++	}
++	gr_locked = true;
++	if (gr_open (O_CREAT | O_RDWR) == 0) {
++		fprintf (stderr,
++					_("%s: cannot open %s\n"),
++					Prog, gr_dbname ());
++		fail_exit (E_GRP_UPDATE);
++	}
++
++#ifdef SHADOWGRP
++	if (is_shadow_grp && (sgr_lock () == 0)) {
++		fprintf (stderr,
++					_("%s: cannot lock %s; try again later.\n"),
++					Prog, sgr_dbname ());
++		fail_exit (E_GRP_UPDATE);
++	}
++	sgr_locked = true;
++	if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
++		fprintf (stderr,
++					_("%s: cannot open %s\n"),
++					Prog, sgr_dbname ());
++		fail_exit (E_GRP_UPDATE);
++	}
++#endif
++}
++
+ /*
+  * usr_update - create the user entries
+  *
+-- 
+2.25.4
+
+
+From 8762f465d487a52bf68f9c0b7c3c1eb3caea7bc9 Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Mon, 30 Mar 2020 09:08:23 +0200
+Subject: [PATCH 2/2] useradd: check only local groups with -G option
+
+Check only local groups when adding new supplementary groups to a user
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
+---
+ src/useradd.c | 234 +++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 157 insertions(+), 77 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 645d4a40..90210233 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -211,6 +211,7 @@ static void get_defaults (void);
+ static void show_defaults (void);
+ static int set_defaults (void);
+ static int get_groups (char *);
++static struct group * get_local_group (char * grp_name);
+ static void usage (int status);
+ static void new_pwent (struct passwd *);
+ 
+@@ -220,7 +221,10 @@ static void grp_update (void);
+ 
+ static void process_flags (int argc, char **argv);
+ static void close_files (void);
++static void close_group_files (void);
++static void unlock_group_files (void);
+ static void open_files (void);
++static void open_group_files (void);
+ static void open_shadow (void);
+ static void faillog_reset (uid_t);
+ static void lastlog_reset (uid_t);
+@@ -731,6 +735,11 @@ static int get_groups (char *list)
+ 		return 0;
+ 	}
+ 
++	/*
++	 * Open the group files
++	 */
++	open_group_files ();
++
+ 	/*
+ 	 * So long as there is some data to be converted, strip off
+ 	 * each name and look it up. A mix of numerical and string
+@@ -749,7 +758,7 @@ static int get_groups (char *list)
+ 		 * Names starting with digits are treated as numerical
+ 		 * GID values, otherwise the string is looked up as is.
+ 		 */
+-		grp = prefix_getgr_nam_gid (list);
++		grp = get_local_group (list);
+ 
+ 		/*
+ 		 * There must be a match, either by GID value or by
+@@ -799,6 +808,9 @@ static int get_groups (char *list)
+ 		user_groups[ngroups++] = xstrdup (grp->gr_name);
+ 	} while (NULL != list);
+ 
++	close_group_files ();
++	unlock_group_files ();
++
+ 	user_groups[ngroups] = (char *) 0;
+ 
+ 	/*
+@@ -811,6 +823,44 @@ static int get_groups (char *list)
+ 	return 0;
+ }
+ 
++/*
++ * get_local_group - checks if a given group name exists locally
++ *
++ *	get_local_group() checks if a given group name exists locally.
++ *	If the name exists the group information is returned, otherwise NULL is
++ *	returned.
++ */
++static struct group * get_local_group(char * grp_name)
++{
++	const struct group *grp;
++	struct group *result_grp = NULL;
++	long long int gid;
++	char *endptr;
++
++	gid = strtoll (grp_name, &endptr, 10);
++	if (   ('\0' != *grp_name)
++		&& ('\0' == *endptr)
++		&& (ERANGE != errno)
++		&& (gid == (gid_t)gid)) {
++		grp = gr_locate_gid ((gid_t) gid);
++	}
++	else {
++		grp = gr_locate(grp_name);
++	}
++
++	if (grp != NULL) {
++		result_grp = __gr_dup (grp);
++		if (NULL == result_grp) {
++			fprintf (stderr,
++					_("%s: Out of memory. Cannot find group '%s'.\n"),
++					Prog, grp_name);
++			fail_exit (E_GRP_UPDATE);
++		}
++	}
++
++	return result_grp;
++}
++
+ /*
+  * usage - display usage message and exit
+  */
+@@ -1530,23 +1580,9 @@ static void close_files (void)
+ 		SYSLOG ((LOG_ERR, "failure while writing changes to %s", spw_dbname ()));
+ 		fail_exit (E_PW_UPDATE);
+ 	}
+-	if (do_grp_update) {
+-		if (gr_close () == 0) {
+-			fprintf (stderr,
+-			         _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ());
+-			SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
+-			fail_exit (E_GRP_UPDATE);
+-		}
+-#ifdef	SHADOWGRP
+-		if (is_shadow_grp && (sgr_close () == 0)) {
+-			fprintf (stderr,
+-			         _("%s: failure while writing changes to %s\n"),
+-			         Prog, sgr_dbname ());
+-			SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
+-			fail_exit (E_GRP_UPDATE);
+-		}
+-#endif
+-	}
++
++	close_group_files ();
++
+ #ifdef ENABLE_SUBIDS
+ 	if (is_sub_uid  && (sub_uid_close () == 0)) {
+ 		fprintf (stderr,
+@@ -1587,34 +1623,9 @@ static void close_files (void)
+ 		/* continue */
+ 	}
+ 	pw_locked = false;
+-	if (gr_unlock () == 0) {
+-		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
+-		SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
+-#ifdef WITH_AUDIT
+-		audit_logger (AUDIT_ADD_USER, Prog,
+-		              "unlocking-group-file",
+-		              user_name, AUDIT_NO_ID,
+-		              SHADOW_AUDIT_FAILURE);
+-#endif
+-		/* continue */
+-	}
+-	gr_locked = false;
+-#ifdef	SHADOWGRP
+-	if (is_shadow_grp) {
+-		if (sgr_unlock () == 0) {
+-			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
+-			SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
+-#ifdef WITH_AUDIT
+-			audit_logger (AUDIT_ADD_USER, Prog,
+-			              "unlocking-gshadow-file",
+-			              user_name, AUDIT_NO_ID,
+-			              SHADOW_AUDIT_FAILURE);
+-#endif
+-			/* continue */
+-		}
+-		sgr_locked = false;
+-	}
+-#endif
++
++	unlock_group_files ();
++
+ #ifdef ENABLE_SUBIDS
+ 	if (is_sub_uid) {
+ 		if (sub_uid_unlock () == 0) {
+@@ -1647,6 +1658,71 @@ static void close_files (void)
+ #endif				/* ENABLE_SUBIDS */
+ }
+ 
++/*
++ * close_group_files - close all of the files that were opened
++ *
++ *	close_group_files() closes all of the files that were opened related
++ *  with groups. This causes any modified entries to be written out.
++ */
++static void close_group_files (void)
++{
++	if (do_grp_update) {
++		if (gr_close () == 0) {
++			fprintf (stderr,
++			         _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ());
++			SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
++			fail_exit (E_GRP_UPDATE);
++		}
++#ifdef	SHADOWGRP
++		if (is_shadow_grp && (sgr_close () == 0)) {
++			fprintf (stderr,
++			         _("%s: failure while writing changes to %s\n"),
++			         Prog, sgr_dbname ());
++			SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
++			fail_exit (E_GRP_UPDATE);
++		}
++#endif /* SHADOWGRP */
++	}
++}
++
++/*
++ * unlock_group_files - unlock all of the files that were locked
++ *
++ *	unlock_group_files() unlocks all of the files that were locked related
++ *  with groups. This causes any modified entries to be written out.
++ */
++static void unlock_group_files (void)
++{
++	if (gr_unlock () == 0) {
++		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
++		SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
++#ifdef WITH_AUDIT
++		audit_logger (AUDIT_ADD_USER, Prog,
++		              "unlocking-group-file",
++		              user_name, AUDIT_NO_ID,
++		              SHADOW_AUDIT_FAILURE);
++#endif /* WITH_AUDIT */
++		/* continue */
++	}
++	gr_locked = false;
++#ifdef	SHADOWGRP
++	if (is_shadow_grp) {
++		if (sgr_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_ADD_USER, Prog,
++			              "unlocking-gshadow-file",
++			              user_name, AUDIT_NO_ID,
++			              SHADOW_AUDIT_FAILURE);
++#endif /* WITH_AUDIT */
++			/* continue */
++		}
++		sgr_locked = false;
++	}
++#endif /* SHADOWGRP */
++}
++
+ /*
+  * open_files - lock and open the password files
+  *
+@@ -1668,37 +1744,8 @@ static void open_files (void)
+ 
+ 	/* shadow file will be opened by open_shadow(); */
+ 
+-	/*
+-	 * Lock and open the group file.
+-	 */
+-	if (gr_lock () == 0) {
+-		fprintf (stderr,
+-		         _("%s: cannot lock %s; try again later.\n"),
+-		         Prog, gr_dbname ());
+-		fail_exit (E_GRP_UPDATE);
+-	}
+-	gr_locked = true;
+-	if (gr_open (O_CREAT | O_RDWR) == 0) {
+-		fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
+-		fail_exit (E_GRP_UPDATE);
+-	}
+-#ifdef  SHADOWGRP
+-	if (is_shadow_grp) {
+-		if (sgr_lock () == 0) {
+-			fprintf (stderr,
+-			         _("%s: cannot lock %s; try again later.\n"),
+-			         Prog, sgr_dbname ());
+-			fail_exit (E_GRP_UPDATE);
+-		}
+-		sgr_locked = true;
+-		if (sgr_open (O_CREAT | O_RDWR) == 0) {
+-			fprintf (stderr,
+-			         _("%s: cannot open %s\n"),
+-			         Prog, sgr_dbname ());
+-			fail_exit (E_GRP_UPDATE);
+-		}
+-	}
+-#endif
++	open_group_files ();
++
+ #ifdef ENABLE_SUBIDS
+ 	if (is_sub_uid) {
+ 		if (sub_uid_lock () == 0) {
+@@ -1733,6 +1780,39 @@ static void open_files (void)
+ #endif				/* ENABLE_SUBIDS */
+ }
+ 
++static void open_group_files (void)
++{
++	if (gr_lock () == 0) {
++		fprintf (stderr,
++		         _("%s: cannot lock %s; try again later.\n"),
++		         Prog, gr_dbname ());
++		fail_exit (E_GRP_UPDATE);
++	}
++	gr_locked = true;
++	if (gr_open (O_CREAT | O_RDWR) == 0) {
++		fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
++		fail_exit (E_GRP_UPDATE);
++	}
++
++#ifdef  SHADOWGRP
++	if (is_shadow_grp) {
++		if (sgr_lock () == 0) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sgr_dbname ());
++			fail_exit (E_GRP_UPDATE);
++		}
++		sgr_locked = true;
++		if (sgr_open (O_CREAT | O_RDWR) == 0) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sgr_dbname ());
++			fail_exit (E_GRP_UPDATE);
++		}
++	}
++#endif /* SHADOWGRP */
++}
++
+ static void open_shadow (void)
+ {
+ 	if (!is_shadow_pwd) {
+-- 
+2.25.4
+

SOURCES/shadow-4.6-chgrp-guard.patch

@@ -0,0 +1,44 @@
+diff -up shadow-4.6/man/usermod.8.xml.chgrp-guard shadow-4.6/man/usermod.8.xml
+--- shadow-4.6/man/usermod.8.xml.chgrp-guard	2018-11-06 09:08:54.170095358 +0100
++++ shadow-4.6/man/usermod.8.xml	2018-12-18 15:24:12.283181180 +0100
+@@ -195,6 +195,12 @@
+ 	    The group ownership of files outside of the user's home directory
+ 	    must be fixed manually.
+ 	  </para>
++	  <para>
++	    The change of the group ownership of files inside of the user's
++	    home directory is also not done if the home dir owner uid is
++	    different from the current or new user id. This is safety measure
++	    for special home directories such as <filename>/</filename>.
++	  </para>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+@@ -372,6 +378,12 @@
+ 	    must be fixed manually.
+ 	  </para>
+ 	  <para>
++	    The change of the user ownership of files inside of the user's
++	    home directory is also not done if the home dir owner uid is
++	    different from the current or new user id. This is safety measure
++	    for special home directories such as <filename>/</filename>.
++	  </para>
++	  <para>
+ 	    No checks will be performed with regard to the
+ 	    <option>UID_MIN</option>, <option>UID_MAX</option>,
+ 	    <option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>
+diff -up shadow-4.6/src/usermod.c.chgrp-guard shadow-4.6/src/usermod.c
+--- shadow-4.6/src/usermod.c.chgrp-guard	2018-12-18 15:24:12.286181249 +0100
++++ shadow-4.6/src/usermod.c	2018-12-18 15:26:51.227841435 +0100
+@@ -2336,7 +2336,10 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	if (!mflg && (uflg || gflg)) {
+-		if (access (dflg ? prefix_user_newhome : prefix_user_home, F_OK) == 0) {
++		struct stat sb;
++
++		if (stat (dflg ? prefix_user_newhome : prefix_user_home, &sb) == 0 &&
++			((uflg && sb.st_uid == user_newid) || sb.st_uid == user_id)) {
+ 			/*
+ 			 * Change the UID on all of the files owned by
+ 			 * `user_id' to `user_newid' in the user's home

SOURCES/shadow-4.6-coverity.patch

@@ -0,0 +1,223 @@
+diff -up shadow-4.6/lib/commonio.c.coverity shadow-4.6/lib/commonio.c
+--- shadow-4.6/lib/commonio.c.coverity	2018-10-10 09:50:59.307738194 +0200
++++ shadow-4.6/lib/commonio.c	2018-10-10 09:55:32.919319048 +0200
+@@ -382,7 +382,7 @@ int commonio_lock_nowait (struct commoni
+ 	char* lock = NULL;
+ 	size_t lock_file_len;
+ 	size_t file_len;
+-	int err;
++	int err = 0;
+ 
+ 	if (db->locked) {
+ 		return 1;
+@@ -391,12 +391,10 @@ int commonio_lock_nowait (struct commoni
+ 	lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
+ 	file = (char*)malloc(file_len);
+ 	if(file == NULL) {
+-		err = ENOMEM;
+ 		goto cleanup_ENOMEM;
+ 	}
+ 	lock = (char*)malloc(lock_file_len);
+ 	if(lock == NULL) {
+-		err = ENOMEM;
+ 		goto cleanup_ENOMEM;
+ 	}
+ 	snprintf (file, file_len, "%s.%lu",
+diff -up shadow-4.6/libmisc/console.c.coverity shadow-4.6/libmisc/console.c
+--- shadow-4.6/libmisc/console.c.coverity	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/libmisc/console.c	2018-10-10 11:56:51.368837533 +0200
+@@ -50,7 +50,7 @@ static bool is_listed (const char *cfgin
+ static bool is_listed (const char *cfgin, const char *tty, bool def)
+ {
+ 	FILE *fp;
+-	char buf[200], *s;
++	char buf[1024], *s;
+ 	const char *cons;
+ 
+ 	/*
+@@ -70,7 +70,8 @@ static bool is_listed (const char *cfgin
+ 
+ 	if (*cons != '/') {
+ 		char *pbuf;
+-		strcpy (buf, cons);
++		strncpy (buf, cons, sizeof (buf));
++		buf[sizeof (buf) - 1] = '\0';
+ 		pbuf = &buf[0];
+ 		while ((s = strtok (pbuf, ":")) != NULL) {
+ 			if (strcmp (s, tty) == 0) {
+diff -up shadow-4.6/lib/spawn.c.coverity shadow-4.6/lib/spawn.c
+--- shadow-4.6/lib/spawn.c.coverity	2018-04-29 18:42:37.000000001 +0200
++++ shadow-4.6/lib/spawn.c	2018-10-10 11:36:49.035784609 +0200
+@@ -69,7 +69,7 @@ int run_command (const char *cmd, const
+ 	do {
+ 		wpid = waitpid (pid, status, 0);
+ 	} while (   ((pid_t)-1 == wpid && errno == EINTR)
+-	         || (wpid != pid));
++	         || ((pid_t)-1 != wpid && wpid != pid));
+ 
+ 	if ((pid_t)-1 == wpid) {
+ 		fprintf (stderr, "%s: waitpid (status: %d): %s\n",
+diff -up shadow-4.6/src/useradd.c.coverity shadow-4.6/src/useradd.c
+--- shadow-4.6/src/useradd.c.coverity	2018-10-10 09:50:59.303738098 +0200
++++ shadow-4.6/src/useradd.c	2018-10-12 13:51:54.480490257 +0200
+@@ -314,7 +314,7 @@ static void fail_exit (int code)
+ static void get_defaults (void)
+ {
+ 	FILE *fp;
+-	char* default_file = USER_DEFAULTS_FILE;
++	char *default_file = USER_DEFAULTS_FILE;
+ 	char buf[1024];
+ 	char *cp;
+ 
+@@ -324,6 +324,8 @@ static void get_defaults (void)
+ 
+ 		len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
+ 		default_file = malloc(len);
++                if (default_file == NULL)
++                       return;
+ 		wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
+ 		assert (wlen == (int) len -1);
+ 	}
+@@ -334,7 +336,7 @@ static void get_defaults (void)
+ 
+ 	fp = fopen (default_file, "r");
+ 	if (NULL == fp) {
+-		return;
++		goto getdef_err;
+ 	}
+ 
+ 	/*
+@@ -445,7 +447,7 @@ static void get_defaults (void)
+ 		}
+ 	}
+ 	(void) fclose (fp);
+-
++     getdef_err:
+ 	if(prefix[0]) {
+ 		free(default_file);
+ 	}
+@@ -480,8 +482,8 @@ static int set_defaults (void)
+ 	FILE *ifp;
+ 	FILE *ofp;
+ 	char buf[1024];
+-	char* new_file = NEW_USER_FILE;
+-	char* default_file = USER_DEFAULTS_FILE;
++	char *new_file = NULL;
++	char *default_file = USER_DEFAULTS_FILE;
+ 	char *cp;
+ 	int ofd;
+ 	int wlen;
+@@ -492,17 +494,30 @@ static int set_defaults (void)
+ 	bool out_shell = false;
+ 	bool out_skel = false;
+ 	bool out_create_mail_spool = false;
++	size_t len;
++	int ret = -1;
+ 
+-	if(prefix[0]) {
+-		size_t len;
+ 
+-		len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
+-		new_file = malloc(len);
+-		wlen = snprintf(new_file, len, "%s/%s", prefix, NEW_USER_FILE);
+-		assert (wlen == (int) len -1);
++	len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
++	new_file = malloc(len);
++        if (new_file == NULL) {
++		fprintf (stderr,
++		         _("%s: cannot create new defaults file: %s\n"),
++		         Prog, strerror(errno));
++		return -1;
++        }
++	wlen = snprintf(new_file, len, "%s%s%s", prefix, prefix[0]?"/":"", NEW_USER_FILE);
++	assert (wlen <= (int) len -1);
+ 
++	if(prefix[0]) {
+ 		len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
+ 		default_file = malloc(len);
++		if (default_file == NULL) {
++			fprintf (stderr,
++			         _("%s: cannot create new defaults file: %s\n"),
++			         Prog, strerror(errno));
++			goto setdef_err;
++		}
+ 		wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
+ 		assert (wlen == (int) len -1);
+ 	}
+@@ -515,7 +530,7 @@ static int set_defaults (void)
+ 		fprintf (stderr,
+ 		         _("%s: cannot create new defaults file\n"),
+ 		         Prog);
+-		return -1;
++		goto setdef_err;
+ 	}
+ 
+ 	ofp = fdopen (ofd, "w");
+@@ -523,7 +538,7 @@ static int set_defaults (void)
+ 		fprintf (stderr,
+ 		         _("%s: cannot open new defaults file\n"),
+ 		         Prog);
+-		return -1;
++		goto setdef_err;
+ 	}
+ 
+ 	/*
+@@ -550,7 +565,7 @@ static int set_defaults (void)
+ 				         _("%s: line too long in %s: %s..."),
+ 				         Prog, default_file, buf);
+ 				(void) fclose (ifp);
+-				return -1;
++				goto setdef_err;
+ 			}
+ 		}
+ 
+@@ -614,7 +629,7 @@ static int set_defaults (void)
+ 	    || (fsync (fileno (ofp)) != 0)
+ 	    || (fclose (ofp) != 0)) {
+ 		unlink (new_file);
+-		return -1;
++		goto setdef_err;
+ 	}
+ 
+ 	/*
+@@ -629,7 +644,7 @@ static int set_defaults (void)
+ 		         _("%s: Cannot create backup file (%s): %s\n"),
+ 		         Prog, buf, strerror (err));
+ 		unlink (new_file);
+-		return -1;
++		goto setdef_err;
+ 	}
+ 
+ 	/*
+@@ -640,11 +655,11 @@ static int set_defaults (void)
+ 		fprintf (stderr,
+ 		         _("%s: rename: %s: %s\n"),
+ 		         Prog, new_file, strerror (err));
+-		return -1;
++		goto setdef_err;
+ 	}
+ #ifdef WITH_AUDIT
+ 	audit_logger (AUDIT_USYS_CONFIG, Prog,
+-	              "changing-useradd-defaults",
++	              "changing useradd defaults",
+ 	              NULL, AUDIT_NO_ID,
+ 	              SHADOW_AUDIT_SUCCESS);
+ #endif
+@@ -654,13 +669,14 @@ static int set_defaults (void)
+ 	         (unsigned int) def_group, def_home, def_shell,
+ 	         def_inactive, def_expire, def_template,
+ 	         def_create_mail_spool));
+-
++	ret = 0;
++    setdef_err:
++	free(new_file);
+ 	if(prefix[0]) {
+-		free(new_file);
+ 		free(default_file);
+ 	}
+ 
+-	return 0;
++	return ret;
+ }
+ 
+ /*

SOURCES/shadow-4.6-getenforce.patch

@@ -0,0 +1,21 @@
+diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
+--- shadow-4.6/lib/selinux.c.getenforce	2018-05-28 15:10:15.870315221 +0200
++++ shadow-4.6/lib/selinux.c	2018-05-28 15:10:15.894315731 +0200
+@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
+ 	}
+ 	return 0;
+     error:
+-	if (security_getenforce () != 0) {
++	if (security_getenforce () > 0) {
+ 		return 1;
+ 	}
+ 	return 0;
+@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
+ 		selinux_checked = true;
+ 	}
+ 	if (selinux_enabled) {
+-		if (setfscreatecon (NULL) != 0) {
++		if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
+ 			return 1;
+ 		}
+ 	}

SOURCES/shadow-4.6-getsubids.patch

@@ -1,6 +1,6 @@
-diff -up shadow-4.9/man/getsubids.1.xml.getsubids shadow-4.9/man/getsubids.1.xml
+diff -up shadow-4.6/man/getsubids.1.xml.getsubids shadow-4.6/man/getsubids.1.xml
---- shadow-4.9/man/getsubids.1.xml.getsubids	2021-11-18 16:27:33.951053120 +0100
+--- shadow-4.6/man/getsubids.1.xml.getsubids	2021-12-09 10:40:50.730275761 +0100
-+++ shadow-4.9/man/getsubids.1.xml	2021-11-18 16:27:33.951053120 +0100
++++ shadow-4.6/man/getsubids.1.xml	2021-12-09 10:40:50.730275761 +0100
 @@ -0,0 +1,141 @@
 +<?xml version="1.0" encoding="UTF-8"?>
 +<!--
@@ -143,10 +143,10 @@ diff -up shadow-4.9/man/getsubids.1.xml.getsubids shadow-4.9/man/getsubids.1.xml
 +    </para>
 +  </refsect1>
 +</refentry>
-diff -up shadow-4.9/man/Makefile.am.getsubids shadow-4.9/man/Makefile.am
+diff -up shadow-4.6/man/Makefile.am.getsubids shadow-4.6/man/Makefile.am
---- shadow-4.9/man/Makefile.am.getsubids	2021-07-22 23:55:35.000000000 +0200
+--- shadow-4.6/man/Makefile.am.getsubids	2018-04-29 18:42:37.000000000 +0200
-+++ shadow-4.9/man/Makefile.am	2021-11-18 16:27:33.951053120 +0100
++++ shadow-4.6/man/Makefile.am	2021-12-09 10:40:50.730275761 +0100
-@@ -62,6 +62,7 @@ man_MANS += $(man_nopam)
+@@ -59,6 +59,7 @@ man_MANS += $(man_nopam)
  endif
  
  man_subids = \
@@ -154,7 +154,7 @@ diff -up shadow-4.9/man/Makefile.am.getsubids shadow-4.9/man/Makefile.am
  	man1/newgidmap.1 \
  	man1/newuidmap.1 \
  	man5/subgid.5 \
-@@ -80,6 +81,7 @@ man_XMANS = \
+@@ -77,6 +78,7 @@ man_XMANS = \
  	expiry.1.xml \
  	faillog.5.xml \
  	faillog.8.xml \
@@ -162,9 +162,9 @@ diff -up shadow-4.9/man/Makefile.am.getsubids shadow-4.9/man/Makefile.am
  	gpasswd.1.xml \
  	groupadd.8.xml \
  	groupdel.8.xml \
-diff -up shadow-4.9/src/getsubids.c.getsubids shadow-4.9/src/getsubids.c
+diff -up shadow-4.6/src/getsubids.c.getsubids shadow-4.6/src/getsubids.c
---- shadow-4.9/src/getsubids.c.getsubids	2021-11-18 16:27:33.951053120 +0100
+--- shadow-4.6/src/getsubids.c.getsubids	2021-12-09 10:40:50.730275761 +0100
-+++ shadow-4.9/src/getsubids.c	2021-11-18 16:27:33.951053120 +0100
++++ shadow-4.6/src/getsubids.c	2021-12-09 10:40:50.730275761 +0100
 @@ -0,0 +1,46 @@
 +#include <stdio.h>
 +#include <string.h>
@@ -212,14 +212,13 @@ diff -up shadow-4.9/src/getsubids.c.getsubids shadow-4.9/src/getsubids.c
 +	}
 +	return 0;
 +}
-diff -up shadow-4.9/src/list_subid_ranges.c.getsubids shadow-4.9/src/list_subid_ranges.c
+diff -up shadow-4.6/src/Makefile.am.getsubids shadow-4.6/src/Makefile.am
-diff -up shadow-4.9/src/Makefile.am.getsubids shadow-4.9/src/Makefile.am
+--- shadow-4.6/src/Makefile.am.getsubids	2021-12-09 10:40:50.710275627 +0100
---- shadow-4.9/src/Makefile.am.getsubids	2021-11-18 16:27:33.943053061 +0100
++++ shadow-4.6/src/Makefile.am	2021-12-09 10:45:04.465985510 +0100
-+++ shadow-4.9/src/Makefile.am	2021-11-18 16:28:03.647272392 +0100
+@@ -140,8 +140,8 @@ if WITH_TCB
-@@ -157,8 +157,8 @@ if FCAPS
- 	setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap
  endif
  
+ if ENABLE_SUBIDS
 -noinst_PROGRAMS += list_subid_ranges  \
 -					get_subid_owners \
 +bin_PROGRAMS    +=  getsubids
@@ -227,7 +226,7 @@ diff -up shadow-4.9/src/Makefile.am.getsubids shadow-4.9/src/Makefile.am
  					new_subid_range \
  					free_subid_range \
  					check_subid_range
-@@ -174,13 +174,13 @@ MISCLIBS = \
+@@ -156,13 +156,13 @@ MISCLIBS = \
  	$(LIBCRYPT) \
  	$(LIBTCB)
  

SOURCES/shadow-4.6-goodname.patch

@@ -1,12 +1,14 @@
-diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
+diff -up shadow-4.6/libmisc/chkname.c.goodname shadow-4.6/libmisc/chkname.c
---- shadow-4.8/libmisc/chkname.c.goodname	2020-01-13 09:44:41.968507996 +0100
+--- shadow-4.6/libmisc/chkname.c.goodname	2020-10-23 12:50:47.202529031 +0200
-+++ shadow-4.8/libmisc/chkname.c	2020-01-13 09:46:27.863727732 +0100
++++ shadow-4.6/libmisc/chkname.c	2020-10-23 12:54:54.604692559 +0200
-@@ -55,26 +55,44 @@ static bool is_valid_name (const char *n
+@@ -49,25 +49,44 @@
- 	}
+ static bool is_valid_name (const char *name)
- 
+ {
  	/*
 -	 * User/group names must match [a-z_][a-z0-9_-]*[$]
 -	 */
+-	if (('\0' == *name) ||
+-	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
 +         * User/group names must match gnu e-regex:
 +         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
 +         *
@@ -16,9 +18,7 @@ diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
 +         * Also do not allow fully numeric names or just "." or "..".
 +         */
 +	int numeric;
- 
++
--	if (('\0' == *name) ||
--	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
 +	if ('\0' == *name ||
 +	    ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
 +			      '\0' == name[1])) ||
@@ -56,10 +56,10 @@ diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
  }
  
  bool is_valid_user_name (const char *name)
-diff -up shadow-4.8/man/groupadd.8.xml.goodname shadow-4.8/man/groupadd.8.xml
+diff -up shadow-4.6/man/groupadd.8.xml.goodname shadow-4.6/man/groupadd.8.xml
---- shadow-4.8/man/groupadd.8.xml.goodname	2019-07-23 17:26:08.000000000 +0200
+--- shadow-4.6/man/groupadd.8.xml.goodname	2018-04-29 18:42:37.000000000 +0200
-+++ shadow-4.8/man/groupadd.8.xml	2020-01-13 09:44:41.968507996 +0100
++++ shadow-4.6/man/groupadd.8.xml	2020-10-23 12:50:47.202529031 +0200
-@@ -273,10 +273,12 @@
+@@ -273,10 +273,14 @@
     <refsect1 id='caveats'>
       <title>CAVEATS</title>
       <para>
@@ -67,19 +67,21 @@ diff -up shadow-4.8/man/groupadd.8.xml.goodname shadow-4.8/man/groupadd.8.xml
 -       followed by lower case letters, digits, underscores, or dashes.
 -       They can end with a dollar sign.
 -       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
-+       Groupnames may contain only lower and upper case letters, digits,
++       Groupnames may begin with lower and upper case letters, digits,
-+       underscores, or dashes. They can end with a dollar sign.
++       underscores, or periods. They may continue with all the aforementioned
++       characters, or dashes. Finally, they can end with a dollar sign.
 +
-+       Dashes are not allowed at the beginning of the groupname.
++       Fully numeric groupnames and groupnames containing only . or .. are
-+       Fully numeric groupnames and groupnames . or .. are
++       disallowed.
-+       also disallowed.
++
++       In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
       </para>
       <para>
         Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
-diff -up shadow-4.8/man/useradd.8.xml.goodname shadow-4.8/man/useradd.8.xml
+diff -up shadow-4.6/man/useradd.8.xml.goodname shadow-4.6/man/useradd.8.xml
---- shadow-4.8/man/useradd.8.xml.goodname	2019-10-05 03:23:58.000000000 +0200
+--- shadow-4.6/man/useradd.8.xml.goodname	2018-04-29 18:42:37.000000000 +0200
-+++ shadow-4.8/man/useradd.8.xml	2020-01-13 09:44:41.968507996 +0100
++++ shadow-4.6/man/useradd.8.xml	2020-10-23 12:50:47.202529031 +0200
-@@ -661,10 +661,14 @@
+@@ -650,10 +650,16 @@
      </para>
  
      <para>
@@ -87,14 +89,16 @@ diff -up shadow-4.8/man/useradd.8.xml.goodname shadow-4.8/man/useradd.8.xml
 -      followed by lower case letters, digits, underscores, or dashes.
 -      They can end with a dollar sign.
 -      In regular expression terms: [a-z_][a-z0-9_-]*[$]?
-+      Usernames may contain only lower and upper case letters, digits,
++      Usernames may begin with lower and upper case letters, digits,
-+      underscores, or dashes. They can end with a dollar sign.
++      underscores, or periods. They may continue with all the aforementioned
++      characters, or dashes. Finally, they can end with a dollar sign.
 +
-+      Dashes are not allowed at the beginning of the username.
++      Fully numeric usernames and usernames containing only . or .. are
-+      Fully numeric usernames and usernames . or .. are
++      disallowed. It is not recommended to use usernames beginning
-+      also disallowed. It is not recommended to use usernames beginning
 +      with . character as their home directories will be hidden in
 +      the <command>ls</command> output.
++
++      In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
      </para>
      <para>
        Usernames may only be up to 32 characters long.

SOURCES/shadow-4.6-home_mode-directive.patch

@@ -0,0 +1,201 @@
+From a847899b521b0df0665e442845bcff23407d9ea0 Mon Sep 17 00:00:00 2001
+From: Duncan Overbruck <mail@duncano.de>
+Date: Sat, 11 Jan 2020 22:19:37 +0100
+Subject: [PATCH] add new HOME_MODE login.defs(5) option
+
+This option can be used to set a separate mode for useradd(8) and
+newusers(8) to create the home directories with.
+If this option is not set, the current behavior of using UMASK
+or the default umask is preserved.
+
+There are many distributions that set UMASK to 077 by default just
+to create home directories not readable by others and use things like
+/etc/profile, bashrc or sudo configuration files to set a less
+restrictive
+umask. This has always resulted in bug reports because it is hard
+to follow as users tend to change files like bashrc and are not about
+setting the umask to counteract the umask set in /etc/login.defs.
+
+A recent change in sudo has also resulted in many bug reports about
+this. sudo now tries to respect the umask set by pam modules and on
+systems where pam does not set a umask, the login.defs UMASK value is
+used.
+---
+ etc/login.defs             | 7 ++++++-
+ lib/getdef.c               | 1 +
+ man/login.defs.5.xml       | 4 ++++
+ man/login.defs.d/UMASK.xml | 3 ++-
+ src/newusers.c             | 6 +++---
+ src/useradd.c              | 5 +++--
+ 6 files changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/etc/login.defs b/etc/login.defs
+index cd2597dc..a2f8cd50 100644
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -195,12 +195,17 @@ KILLCHAR	025
+ # Default initial "umask" value used by login(1) on non-PAM enabled systems.
+ # Default "umask" value for pam_umask(8) on PAM enabled systems.
+ # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+-# home directories.
++# home directories if HOME_MODE is not set.
+ # 022 is the default value, but 027, or even 077, could be considered
+ # for increased privacy. There is no One True Answer here: each sysadmin
+ # must make up their mind.
+ UMASK		022
+ 
++# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
++# home directories.
++# If HOME_MODE is not set, the value of UMASK is used to create the mode.
++HOME_MODE	0700
++
+ #
+ # Password aging controls:
+ #
+diff --git a/lib/getdef.c b/lib/getdef.c
+index bbb273f4..00f6abfe 100644
+--- a/lib/getdef.c
++++ b/lib/getdef.c
+@@ -93,6 +93,7 @@ static struct itemdef def_table[] = {
+ 	{"FAKE_SHELL", NULL},
+ 	{"GID_MAX", NULL},
+ 	{"GID_MIN", NULL},
++	{"HOME_MODE", NULL},
+ 	{"HUSHLOGIN_FILE", NULL},
+ 	{"KILLCHAR", NULL},
+ 	{"LOGIN_RETRIES", NULL},
+diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml
+index ebf60ba3..9e95da20 100644
+--- a/man/login.defs.5.xml
++++ b/man/login.defs.5.xml
+@@ -50,6 +50,7 @@
+ <!ENTITY FAKE_SHELL            SYSTEM "login.defs.d/FAKE_SHELL.xml">
+ <!ENTITY FTMP_FILE             SYSTEM "login.defs.d/FTMP_FILE.xml">
+ <!ENTITY GID_MAX               SYSTEM "login.defs.d/GID_MAX.xml">
++<!ENTITY HOME_MODE             SYSTEM "login.defs.d/HOME_MODE.xml">
+ <!ENTITY HUSHLOGIN_FILE        SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
+ <!ENTITY ISSUE_FILE            SYSTEM "login.defs.d/ISSUE_FILE.xml">
+ <!ENTITY KILLCHAR              SYSTEM "login.defs.d/KILLCHAR.xml">
+@@ -185,6 +186,7 @@
+       &FAKE_SHELL;
+       &FTMP_FILE;
+       &GID_MAX; <!-- documents also GID_MIN -->
++      &HOME_MODE;
+       &HUSHLOGIN_FILE;
+       &ISSUE_FILE;
+       &KILLCHAR;
+@@ -401,6 +403,7 @@
+ 	    ENCRYPT_METHOD
+ 	    GID_MAX GID_MIN
+ 	    MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
++	    HOME_MODE
+ 	    PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
+ 	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+ 	    SHA_CRYPT_MIN_ROUNDS</phrase>
+@@ -481,6 +484,7 @@
+ 	  <para>
+ 	    CREATE_HOME
+ 	    GID_MAX GID_MIN
++	    HOME_MODE
+ 	    MAIL_DIR MAX_MEMBERS_PER_GROUP
+ 	    PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
+	    SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
+diff --git a/man/login.defs.d/HOME_MODE.xml b/man/login.defs.d/HOME_MODE.xml
+new file mode 100644
+index 00000000..21aa55f7
+--- /dev/null
++++ b/man/login.defs.d/HOME_MODE.xml
+@@ -0,0 +1,43 @@
++<!--
++   Copyright (c) 1991 - 1993, Julianne Frances Haugh
++   Copyright (c) 1991 - 1993, Chip Rosenthal
++   Copyright (c) 2007 - 2009, Nicolas François
++   All rights reserved.
++  
++   Redistribution and use in source and binary forms, with or without
++   modification, are permitted provided that the following conditions
++   are met:
++   1. Redistributions of source code must retain the above copyright
++      notice, this list of conditions and the following disclaimer.
++   2. Redistributions in binary form must reproduce the above copyright
++      notice, this list of conditions and the following disclaimer in the
++      documentation and/or other materials provided with the distribution.
++   3. The name of the copyright holders or contributors may not be used to
++      endorse or promote products derived from this software without
++      specific prior written permission.
++  
++   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++-->
++<varlistentry>
++  <term><option>HOME_MODE</option> (number)</term>
++  <listitem>
++    <para>
++      The mode for new home directories. If not specified,
++      the <option>UMASK</option> is used to create the mode.
++    </para>
++    <para>
++      <command>useradd</command> and <command>newusers</command> use this
++      to set the mode of the home directory they create.
++    </para>
++  </listitem>
++</varlistentry>
+diff --git a/man/login.defs.d/UMASK.xml b/man/login.defs.d/UMASK.xml
+index d7b71a5e..0f061dbb 100644
+--- a/man/login.defs.d/UMASK.xml
++++ b/man/login.defs.d/UMASK.xml
+@@ -37,7 +37,8 @@
+     </para>
+     <para>
+       <command>useradd</command> and <command>newusers</command> use this
+-      mask to set the mode of the home directory they create
++      mask to set the mode of the home directory they create if
++      <option>HOME_MODE</option> is not set.
+     </para>
+     <para condition="no_pam">
+       It is also used by <command>login</command> to define users' initial
+diff --git a/src/newusers.c b/src/newusers.c
+index 99c69f78..e9fe0e27 100644
+--- a/src/newusers.c
++++ b/src/newusers.c
+@@ -1216,9 +1216,9 @@ int main (int argc, char **argv)
+ 		if (   ('\0' != fields[5][0])
+ 		    && (access (newpw.pw_dir, F_OK) != 0)) {
+ /* FIXME: should check for directory */
+-			mode_t msk = 0777 & ~getdef_num ("UMASK",
+-			                                 GETDEF_DEFAULT_UMASK);
+-			if (mkdir (newpw.pw_dir, msk) != 0) {
++			mode_t mode = getdef_num ("HOME_MODE",
++			                          0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++			if (mkdir (newpw.pw_dir, mode) != 0) {
+ 				fprintf (stderr,
+ 				         _("%s: line %d: mkdir %s failed: %s\n"),
+ 				         Prog, line, newpw.pw_dir,
+diff --git a/src/useradd.c b/src/useradd.c
+index 4af0f7c6..8b453e3c 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2152,8 +2152,9 @@ static void create_home (void)
+ 			fail_exit (E_HOMEDIR);
+ 		}
+ 		(void) chown (prefix_user_home, user_id, user_gid);
+-		chmod (prefix_user_home,
+-		       0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++		mode_t mode = getdef_num ("HOME_MODE",
++		                          0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++		chmod (prefix_user_home, mode);
+ 		home_added = true;
+ #ifdef WITH_AUDIT
+ 		audit_logger (AUDIT_USER_MGMT, Prog,
+-- 
+2.25.2
+

SOURCES/shadow-4.6-ignore-login-prompt.patch

@@ -0,0 +1,11 @@
+diff -up shadow-4.6/lib/getdef.c.login-prompt shadow-4.6/lib/getdef.c
+--- shadow-4.6/lib/getdef.c.login-prompt	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/getdef.c	2019-03-21 15:06:58.009280504 +0100
+@@ -94,6 +94,7 @@ static struct itemdef def_table[] = {
+ 	{"KILLCHAR", NULL},
+ 	{"LOGIN_RETRIES", NULL},
+ 	{"LOGIN_TIMEOUT", NULL},
++	{"LOGIN_PLAIN_PROMPT", NULL},
+ 	{"LOG_OK_LOGINS", NULL},
+ 	{"LOG_UNKFAIL_ENAB", NULL},
+ 	{"MAIL_DIR", NULL},

SOURCES/shadow-4.6-install_subid_h.patch

@@ -0,0 +1,28 @@
+From 77e39de1e6cbd6925f16bb260abb7d216296886b Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Tue, 4 May 2021 09:21:11 -0500
+Subject: [PATCH] Install subid.h
+
+Now subid.h gets installed under /usr/include/shadow/subid.h
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+ libsubid/Makefile.am | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
+index f543b5eb..189165b0 100644
+--- a/libsubid/Makefile.am
++++ b/libsubid/Makefile.am
+@@ -3,6 +3,8 @@ libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
+ 	-shared -version-info @LIBSUBID_ABI_MAJOR@
+ libsubid_la_SOURCES = api.c
+ 
++pkginclude_HEADERS = subid.h
++
+ MISCLIBS = \
+ 	$(LIBAUDIT) \
+ 	$(LIBSELINUX) \
+-- 
+2.31.1
+

SOURCES/shadow-4.6-libsubid_fix_newusers_nss_provides_subids.patch

@@ -0,0 +1,151 @@
+diff -up shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/nss.c
+--- shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.772741048 +0200
++++ shadow-4.8.1/lib/nss.c	2021-05-25 09:37:14.782741188 +0200
+@@ -116,14 +116,6 @@ void nss_init(char *nsswitch_path) {
+ 				subid_nss = NULL;
+ 				goto done;
+ 			}
+-			subid_nss->has_any_range = dlsym(h, "shadow_subid_has_any_range");
+-			if (!subid_nss->has_any_range) {
+-				fprintf(shadow_logfd, "%s did not provide @has_any_range@\n", libname);
+-				dlclose(h);
+-				free(subid_nss);
+-				subid_nss = NULL;
+-				goto done;
+-			}
+ 			subid_nss->find_subid_owners = dlsym(h, "shadow_subid_find_subid_owners");
+ 			if (!subid_nss->find_subid_owners) {
+ 				fprintf(shadow_logfd, "%s did not provide @find_subid_owners@\n", libname);
+diff -up shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/prototypes.h
+--- shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.780741160 +0200
++++ shadow-4.8.1/lib/prototypes.h	2021-05-25 09:37:14.782741188 +0200
+@@ -279,18 +279,6 @@ extern bool nss_is_initialized();
+ 
+ struct subid_nss_ops {
+ 	/*
+-	 * nss_has_any_range: does a user own any subid range
+-	 *
+-	 * @owner: username
+-	 * @idtype: subuid or subgid
+-	 * @result: true if a subid allocation was found for @owner
+-	 *
+-	 * returns success if the module was able to determine an answer (true or false),
+-	 * else an error status.
+-	 */
+-	enum subid_status (*has_any_range)(const char *owner, enum subid_type idtype, bool *result);
+-
+-	/*
+ 	 * nss_has_range: does a user own a given subid range
+ 	 *
+ 	 * @owner: username
+diff -up shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.c
+--- shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.780741160 +0200
++++ shadow-4.8.1/lib/subordinateio.c	2021-05-25 09:37:14.782741188 +0200
+@@ -598,19 +598,8 @@ int sub_uid_open (int mode)
+ 	return commonio_open (&subordinate_uid_db, mode);
+ }
+ 
+-bool sub_uid_assigned(const char *owner)
++bool local_sub_uid_assigned(const char *owner)
+ {
+-	struct subid_nss_ops *h;
+-	bool found;
+-	enum subid_status status;
+-	h = get_subid_nss_handle();
+-	if (h) {
+-		status = h->has_any_range(owner, ID_TYPE_UID, &found);
+-		if (status == SUBID_STATUS_SUCCESS && found)
+-			return true;
+-		return false;
+-	}
+-
+ 	return range_exists (&subordinate_uid_db, owner);
+ }
+ 
+@@ -720,18 +709,8 @@ bool have_sub_gids(const char *owner, gi
+ 	return have_range(&subordinate_gid_db, owner, start, count);
+ }
+ 
+-bool sub_gid_assigned(const char *owner)
++bool local_sub_gid_assigned(const char *owner)
+ {
+-	struct subid_nss_ops *h;
+-	bool found;
+-	enum subid_status status;
+-	h = get_subid_nss_handle();
+-	if (h) {
+-		status = h->has_any_range(owner, ID_TYPE_GID, &found);
+-		if (status == SUBID_STATUS_SUCCESS && found)
+-			return true;
+-		return false;
+-	}
+ 	return range_exists (&subordinate_gid_db, owner);
+ }
+ 
+diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.h
+--- shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.780741160 +0200
++++ shadow-4.8.1/lib/subordinateio.h	2021-05-25 09:37:14.782741188 +0200
+@@ -16,7 +16,7 @@
+ extern int sub_uid_close(void);
+ extern bool have_sub_uids(const char *owner, uid_t start, unsigned long count);
+ extern bool sub_uid_file_present (void);
+-extern bool sub_uid_assigned(const char *owner);
++extern bool local_sub_uid_assigned(const char *owner);
+ extern int sub_uid_lock (void);
+ extern int sub_uid_setdbname (const char *filename);
+ extern /*@observer@*/const char *sub_uid_dbname (void);
+@@ -34,7 +34,7 @@ extern void free_subordinate_ranges(stru
+ extern int sub_gid_close(void);
+ extern bool have_sub_gids(const char *owner, gid_t start, unsigned long count);
+ extern bool sub_gid_file_present (void);
+-extern bool sub_gid_assigned(const char *owner);
++extern bool local_sub_gid_assigned(const char *owner);
+ extern int sub_gid_lock (void);
+ extern int sub_gid_setdbname (const char *filename);
+ extern /*@observer@*/const char *sub_gid_dbname (void);
+diff -up shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/src/newusers.c
+--- shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.776741104 +0200
++++ shadow-4.8.1/src/newusers.c	2021-05-25 09:37:25.955897160 +0200
+@@ -1021,6 +1021,24 @@ static void close_files (void)
+ #endif				/* ENABLE_SUBIDS */
+ }
+ 
++static bool want_subuids(void)
++{
++	if (get_subid_nss_handle() != NULL)
++		return false;
++	if (getdef_ulong ("SUB_UID_COUNT", 65536) == 0)
++		return false;
++	return true;
++}
++
++static bool want_subgids(void)
++{
++	if (get_subid_nss_handle() != NULL)
++		return false;
++	if (getdef_ulong ("SUB_GID_COUNT", 65536) == 0)
++		return false;
++	return true;
++}
++
+ int main (int argc, char **argv)
+ {
+ 	char buf[BUFSIZ];
+@@ -1250,7 +1268,7 @@ int main (int argc, char **argv)
+ 		/*
+ 		 * Add subordinate uids if the user does not have them.
+ 		 */
+-		if (is_sub_uid && !sub_uid_assigned(fields[0])) {
++		if (is_sub_uid && want_subuids() && !local_sub_uid_assigned(fields[0])) {
+ 			uid_t sub_uid_start = 0;
+ 			unsigned long sub_uid_count = 0;
+ 			if (find_new_sub_uids(fields[0], &sub_uid_start, &sub_uid_count) == 0) {
+@@ -1270,7 +1288,7 @@ int main (int argc, char **argv)
+ 		/*
+ 		 * Add subordinate gids if the user does not have them.
+ 		 */
+-		if (is_sub_gid && !sub_gid_assigned(fields[0])) {
++		if (is_sub_gid && want_subgids() && !local_sub_gid_assigned(fields[0])) {
+ 			gid_t sub_gid_start = 0;
+ 			unsigned long sub_gid_count = 0;
+ 			if (find_new_sub_gids(fields[0], &sub_gid_start, &sub_gid_count) == 0) {

SOURCES/shadow-4.6-libsubid_init_not_print_error_messages.patch

@@ -0,0 +1,40 @@
+From b0e86b959fe5c086ffb5e7eaf3c1b1e9219411e9 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Sun, 23 May 2021 08:03:10 -0500
+Subject: [PATCH] libsubid_init: don't print messages on error
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+ libsubid/api.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/libsubid/api.c b/libsubid/api.c
+index c4848142..b477b271 100644
+--- a/libsubid/api.c
++++ b/libsubid/api.c
+@@ -46,12 +46,10 @@ bool libsubid_init(const char *progname, FILE * logfd)
+ {
+ 	if (progname) {
+ 		progname = strdup(progname);
+-		if (progname) {
++		if (progname)
+ 			Prog = progname;
+-		} else {
+-			fprintf(stderr, "Out of memory");
++		else
+ 			return false;
+-		}
+ 	}
+ 
+ 	if (logfd) {
+@@ -60,7 +58,6 @@ bool libsubid_init(const char *progname, FILE * logfd)
+ 	}
+ 	shadow_logfd = fopen("/dev/null", "w");
+ 	if (!shadow_logfd) {
+-		fprintf(stderr, "ERROR opening /dev/null for error messages.  Using stderr.");
+ 		shadow_logfd = stderr;
+ 		return false;
+ 	}
+-- 
+2.30.2
+

SOURCES/shadow-4.6-libsubid_init_return_false.patch

@@ -0,0 +1,37 @@
+From e34f49c1966fcaa9390a544a0136ec189a3c870e Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Mon, 17 May 2021 08:48:03 -0500
+Subject: [PATCH] libsubid_init: return false if out of memory
+
+The rest of the run isn't likely to get much better, is it?
+
+Thanks to Alexey for pointing this out.
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+Cc: Alexey Tikhonov <atikhono@redhat.com>
+---
+ libsubid/api.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libsubid/api.c b/libsubid/api.c
+index 8ca09859..8618e500 100644
+--- a/libsubid/api.c
++++ b/libsubid/api.c
+@@ -46,10 +46,12 @@ bool libsubid_init(const char *progname, FILE * logfd)
+ {
+ 	if (progname) {
+ 		progname = strdup(progname);
+-		if (progname)
++		if (progname) {
+ 			Prog = progname;
+-		else
++		} else {
+ 			fprintf(stderr, "Out of memory");
++			return false;
++		}
+ 	}
+ 
+ 	if (logfd) {
+-- 
+2.30.2
+

SOURCES/shadow-4.6-libsubid_make_logfd_not_extern.patch

@@ -0,0 +1,41 @@
+From 1d767fb779d7b203ad609540d1dc605cf62d1050 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Fri, 28 May 2021 22:02:16 -0500
+Subject: [PATCH] libsubid/api.c: make shadow_logfd not extern
+
+Closes #346
+
+Also #include stdio.h
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+ libsubid/api.c   | 2 +-
+ libsubid/subid.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libsubid/api.c b/libsubid/api.c
+index b477b271..a7b904d0 100644
+--- a/libsubid/api.c
++++ b/libsubid/api.c
+@@ -40,7 +40,7 @@
+ #include "subid.h"
+ 
+ const char *Prog = "(libsubid)";
+-extern FILE * shadow_logfd;
++FILE *shadow_logfd;
+ 
+ bool libsubid_init(const char *progname, FILE * logfd)
+ {
+diff --git a/libsubid/subid.h b/libsubid/subid.h
+index 5fef2572..eabafe4d 100644
+--- a/libsubid/subid.h
++++ b/libsubid/subid.h
+@@ -1,4 +1,5 @@
+ #include <sys/types.h>
++#include <stdio.h>
+ #include <stdbool.h>
+ 
+ #ifndef SUBID_RANGE_DEFINED
+-- 
+2.31.1
+

SOURCES/shadow-4.6-libsubid_simplify_ranges_variable.patch

@@ -0,0 +1,264 @@
+diff -up shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable shadow-4.8.1/configure.ac
+--- shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable	2021-05-24 15:02:56.165917066 +0200
++++ shadow-4.8.1/configure.ac	2021-05-24 15:02:56.184917324 +0200
+@@ -1,6 +1,6 @@
+ dnl Process this file with autoconf to produce a configure script.
+ AC_PREREQ([2.69])
+-m4_define([libsubid_abi_major], 2)
++m4_define([libsubid_abi_major], 3)
+ m4_define([libsubid_abi_minor], 0)
+ m4_define([libsubid_abi_micro], 0)
+ m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
+diff -up shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/prototypes.h
+--- shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable	2021-05-24 15:02:56.184917324 +0200
++++ shadow-4.8.1/lib/prototypes.h	2021-05-24 16:38:57.610619467 +0200
+@@ -309,16 +309,15 @@ struct subid_nss_ops {
+ 	 *
+ 	 * @owner - string representing username being queried
+ 	 * @id_type - subuid or subgid
+-	 * @ranges - pointer to an array of struct subordinate_range pointers, or
+-	 *           NULL.  The returned array of struct subordinate_range and its
+-	 *           members must be freed by the caller.
++	 * @ranges - pointer to an array of struct subid_range, or NULL.  The
++	 *           returned array must be freed by the caller.
+ 	 * @count - pointer to an integer into which the number of returned ranges
+ 	 *          is written.
+ 
+ 	 * returns success if the module was able to determine an answer,
+ 	 * else an error status.
+ 	 */
+-	enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges, int *count);
++	enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subid_range **ranges, int *count);
+ 
+ 	/*
+ 	 * nss_find_subid_owners: find uids who own a given subuid or subgid.
+diff -up shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/api.c
+--- shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable	2021-05-24 15:03:01.467989079 +0200
++++ shadow-4.8.1/libsubid/api.c	2021-05-24 16:42:32.091584531 +0200
+@@ -68,26 +68,21 @@ bool libsubid_init(const char *progname,
+ }
+ 
+ static
+-int get_subid_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
++int get_subid_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges)
+ {
+ 	return list_owner_ranges(owner, id_type, ranges);
+ }
+ 
+-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges)
++int get_subuid_ranges(const char *owner, struct subid_range **ranges)
+ {
+ 	return get_subid_ranges(owner, ID_TYPE_UID, ranges);
+ }
+ 
+-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges)
++int get_subgid_ranges(const char *owner, struct subid_range **ranges)
+ {
+ 	return get_subid_ranges(owner, ID_TYPE_GID, ranges);
+ }
+ 
+-void subid_free_ranges(struct subordinate_range **ranges, int count)
+-{
+-	return free_subordinate_ranges(ranges, count);
+-}
+-
+ static
+ int get_subid_owner(unsigned long id, enum subid_type id_type, uid_t **owner)
+ {
+diff -up shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/subid.h
+--- shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable	2021-05-24 15:03:01.468989093 +0200
++++ shadow-4.8.1/libsubid/subid.h	2021-05-24 16:43:49.697657383 +0200
+@@ -3,6 +3,15 @@
+ 
+ #ifndef SUBID_RANGE_DEFINED
+ #define SUBID_RANGE_DEFINED 1
++
++/* subid_range is just a starting point and size of a range */
++struct subid_range {
++	unsigned long start;
++	unsigned long count;
++};
++
++/* subordinage_range is a subid_range plus an owner, representing
++ * a range in /etc/subuid or /etc/subgid */
+ struct subordinate_range {
+ 	const char *owner;
+ 	unsigned long start;
+@@ -41,32 +50,27 @@ bool libsubid_init(const char *progname,
+  * get_subuid_ranges: return a list of UID ranges for a user
+  *
+  * @owner: username being queried
+- * @ranges: a pointer to a subordinate range ** in which the result will be
+- *          returned.
++ * @ranges: a pointer to an array of subid_range structs in which the result
++ *          will be returned.
++ *
++ * The caller must free(ranges) when done.
+  *
+  * returns: number of ranges found, ir < 0 on error.
+  */
+-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges);
++int get_subuid_ranges(const char *owner, struct subid_range **ranges);
+ 
+ /*
+  * get_subgid_ranges: return a list of GID ranges for a user
+  *
+  * @owner: username being queried
+- * @ranges: a pointer to a subordinate range ** in which the result will be
+- *          returned.
++ * @ranges: a pointer to an array of subid_range structs in which the result
++ *          will be returned.
+  *
+- * returns: number of ranges found, ir < 0 on error.
+- */
+-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges);
+-
+-/*
+- * subid_free_ranges: free an array of subordinate_ranges returned by either
+- *                    get_subuid_ranges() or get_subgid_ranges().
++ * The caller must free(ranges) when done.
+  *
+- * @ranges: the ranges to free
+- * @count: the number of ranges in @ranges
++ * returns: number of ranges found, ir < 0 on error.
+  */
+-void subid_free_ranges(struct subordinate_range **ranges, int count);
++int get_subgid_ranges(const char *owner, struct subid_range **ranges);
+ 
+ /*
+  * get_subuid_owners: return a list of uids to which the given uid has been
+diff -up shadow-4.8.1/lib/subordinateio.c.libsubid-simplify shadow-4.8.1/lib/subordinateio.c
+--- shadow-4.8.1/lib/subordinateio.c.libsubid-simplify	2021-05-24 17:27:38.721035241 +0200
++++ shadow-4.8.1/lib/subordinateio.c	2021-05-24 17:28:06.481420946 +0200
+@@ -11,6 +11,7 @@
+ #include <stdio.h>
+ #include "commonio.h"
+ #include "subordinateio.h"
++#include "../libsubid/subid.h"
+ #include <sys/types.h>
+ #include <pwd.h>
+ #include <ctype.h>
+@@ -308,25 +309,21 @@ static bool have_range(struct commonio_d
+ 	return false;
+ }
+ 
+-static bool append_range(struct subordinate_range ***ranges, const struct subordinate_range *new, int n)
++static bool append_range(struct subid_range **ranges, const struct subordinate_range *new, int n)
+ {
+-	struct subordinate_range *tmp;
+ 	if (!*ranges) {
+-		*ranges = malloc(sizeof(struct subordinate_range *));
++		*ranges = malloc(sizeof(struct subid_range));
+ 		if (!*ranges)
+ 			return false;
+ 	} else {
+-		struct subordinate_range **new;
+-		new = realloc(*ranges, (n + 1) * (sizeof(struct subordinate_range *)));
+-		if (!new)
++		struct subid_range *alloced;
++		alloced = realloc(*ranges, (n + 1) * (sizeof(struct subid_range)));
++		if (!alloced)
+ 			return false;
+-		*ranges = new;
++		*ranges = alloced;
+ 	}
+-	(*ranges)[n] = NULL;
+-	tmp = subordinate_dup(new);
+-	if (!tmp)
+-		return false;
+-	(*ranges)[n] = tmp;
++	(*ranges)[n].start = new->start;
++	(*ranges)[n].count = new->count;
+ 	return true;
+ }
+ 
+@@ -785,10 +782,10 @@ gid_t sub_gid_find_free_range(gid_t min,
+  *
+  * The caller must free the subordinate range list.
+  */
+-int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***in_ranges)
++int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **in_ranges)
+ {
+ 	// TODO - need to handle owner being either uid or username
+-	struct subordinate_range **ranges = NULL;
++	struct subid_range *ranges = NULL;
+ 	const struct subordinate_range *range;
+ 	struct commonio_db *db;
+ 	enum subid_status status;
+@@ -826,7 +823,7 @@ int list_owner_ranges(const char *owner,
+ 	while ((range = commonio_next(db)) != NULL) {
+ 		if (0 == strcmp(range->owner, owner)) {
+ 			if (!append_range(&ranges, range, count++)) {
+-				free_subordinate_ranges(ranges, count-1);
++				free(ranges);
+ 				ranges = NULL;
+ 				count = -1;
+ 				goto out;
+diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/subordinateio.h
+--- shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable	2021-05-24 15:03:01.467989079 +0200
++++ shadow-4.8.1/lib/subordinateio.h	2021-05-24 16:40:56.978269647 +0200
+@@ -25,7 +25,7 @@ extern int sub_uid_unlock (void);
+ extern int sub_uid_add (const char *owner, uid_t start, unsigned long count);
+ extern int sub_uid_remove (const char *owner, uid_t start, unsigned long count);
+ extern uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count);
+-extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges);
++extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges);
+ extern bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, bool reuse);
+ extern bool release_subid_range(struct subordinate_range *range, enum subid_type id_type);
+ extern int find_subid_owners(unsigned long id, enum subid_type id_type, uid_t **uids);
+diff -up shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable shadow-4.8.1/src/list_subid_ranges.c
+--- shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable	2021-05-24 15:03:01.468989093 +0200
++++ shadow-4.8.1/src/list_subid_ranges.c	2021-05-24 16:45:10.884779740 +0200
+@@ -17,27 +17,29 @@ void usage(void)
+ int main(int argc, char *argv[])
+ {
+ 	int i, count=0;
+-	struct subordinate_range **ranges;
++	struct subid_range *ranges;
++	const char *owner;
+ 
+ 	Prog = Basename (argv[0]);
+ 	shadow_logfd = stderr;
+-	if (argc < 2) {
++	if (argc < 2)
+ 		usage();
+-	}
+-	if (argc == 3 && strcmp(argv[1], "-g") == 0)
+-		count = get_subgid_ranges(argv[2], &ranges);
+-	else if (argc == 2 && strcmp(argv[1], "-h") == 0)
++	owner = argv[1];
++	if (argc == 3 && strcmp(argv[1], "-g") == 0) {
++		owner = argv[2];
++		count = get_subgid_ranges(owner, &ranges);
++	} else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
+ 		usage();
+-	else
+-		count = get_subuid_ranges(argv[1], &ranges);
++	} else {
++		count = get_subuid_ranges(owner, &ranges);
++	}
+ 	if (!ranges) {
+ 		fprintf(stderr, "Error fetching ranges\n");
+ 		exit(1);
+ 	}
+ 	for (i = 0; i < count; i++) {
+-		printf("%d: %s %lu %lu\n", i, ranges[i]->owner,
+-			ranges[i]->start, ranges[i]->count);
++		printf("%d: %s %lu %lu\n", i, owner,
++			ranges[i].start, ranges[i].count);
+ 	}
+-	subid_free_ranges(ranges, count);
+ 	return 0;
+ }
+diff -up shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c
+--- shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable	2021-05-24 15:02:56.166917079 +0200
++++ shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c	2021-05-24 15:03:01.469989106 +0200
+@@ -113,7 +113,7 @@ enum subid_status shadow_subid_list_owne
+ 	if (strcmp(owner, "conn") == 0)
+ 		return SUBID_STATUS_ERROR_CONN;
+ 
+-	*ranges = NULL;
++	*in_ranges = NULL;
+ 	if (strcmp(owner, "user1") != 0 && strcmp(owner, "ubuntu") != 0 &&
+ 	    strcmp(owner, "group1") != 0)
+ 		return SUBID_STATUS_SUCCESS;

SOURCES/shadow-4.6-man-mention-nss-in-newuidmap.patch

@@ -0,0 +1,44 @@
+From 186b1b7ac1a68d0fcc618a22da1a99232b420911 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Tue, 4 May 2021 14:39:26 -0500
+Subject: [PATCH] manpages: mention NSS in new[ug]idmap manpages
+
+Closes #328
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+ man/newgidmap.1.xml | 3 ++-
+ man/newuidmap.1.xml | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
+index 71b03e56..76fc1e30 100644
+--- a/man/newgidmap.1.xml
++++ b/man/newgidmap.1.xml
+@@ -88,7 +88,8 @@
+     <title>DESCRIPTION</title>
+     <para>
+       The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
+-      command line arguments and the gids allowed in <filename>/etc/subgid</filename>.
++      command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
++      through the configured NSS subid module).
+       Note that the root user is not exempted from the requirement for a valid
+       <filename>/etc/subgid</filename> entry.
+     </para>
+diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
+index a6f1f085..44eca50a 100644
+--- a/man/newuidmap.1.xml
++++ b/man/newuidmap.1.xml
+@@ -88,7 +88,8 @@
+     <title>DESCRIPTION</title>
+     <para>
+       The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
+-      command line arguments and the uids allowed in <filename>/etc/subuid</filename>.
++      command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
++      through the configured NSS subid module).
+       Note that the root user is not exempted from the requirement for a valid
+       <filename>/etc/subuid</filename> entry.
+     </para>
+-- 
+2.30.2
+

SOURCES/shadow-4.6-man_clarify_subid_delegation.patch

@@ -0,0 +1,166 @@
+diff -up shadow-4.6/man/newgidmap.1.xml.man_clarify_subid_delegation shadow-4.6/man/newgidmap.1.xml
+--- shadow-4.6/man/newgidmap.1.xml.man_clarify_subid_delegation	2021-11-03 09:58:34.176484342 +0100
++++ shadow-4.6/man/newgidmap.1.xml	2021-11-03 09:58:34.191484452 +0100
+@@ -80,10 +80,15 @@
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+     <para>
+-      The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
+-      command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
+-      through the configured NSS subid module).
+-      Note that the root user is not exempted from the requirement for a valid
++      The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename>
++      based on its command line arguments and the gids allowed. Subgid
++      delegation can either be managed via <filename>/etc/subgid</filename>
++      or through the configured NSS subid module. These options are mutually
++      exclusive.
++    </para>
++
++    <para>
++      Note that the root group is not exempted from the requirement for a valid
+       <filename>/etc/subgid</filename> entry.
+     </para>
+ 
+diff -up shadow-4.6/man/newuidmap.1.xml.man_clarify_subid_delegation shadow-4.6/man/newuidmap.1.xml
+--- shadow-4.6/man/newuidmap.1.xml.man_clarify_subid_delegation	2021-11-03 09:58:34.176484342 +0100
++++ shadow-4.6/man/newuidmap.1.xml	2021-11-03 09:58:34.191484452 +0100
+@@ -80,9 +80,14 @@
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+     <para>
+-      The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
+-      command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
+-      through the configured NSS subid module).
++      The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename>
++      based on its command line arguments and the uids allowed. Subuid
++      delegation can either be managed via <filename>/etc/subuid</filename> or
++      through the configured NSS subid module. These options are mutually
++      exclusive.
++    </para>
++
++    <para>
+       Note that the root user is not exempted from the requirement for a valid
+       <filename>/etc/subuid</filename> entry.
+     </para>
+diff -up shadow-4.6/man/subgid.5.xml.man_clarify_subid_delegation shadow-4.6/man/subgid.5.xml
+--- shadow-4.6/man/subgid.5.xml.man_clarify_subid_delegation	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/subgid.5.xml	2021-11-03 09:59:55.752084920 +0100
+@@ -32,6 +32,18 @@
+ <!-- SHADOW-CONFIG-HERE -->
+ ]>
+ <refentry id='subgid.5'>
++  <refentryinfo>
++    <author>
++      <firstname>Eric</firstname>
++      <surname>Biederman</surname>
++      <contrib>Creation, 2013</contrib>
++    </author>
++    <author>
++      <firstname>Iker</firstname>
++      <surname>Pedrosa</surname>
++      <contrib>Developer, 2021</contrib>
++    </author>
++  </refentryinfo>
+   <refmeta>
+     <refentrytitle>subgid</refentrytitle>
+     <manvolnum>5</manvolnum>
+@@ -41,12 +53,37 @@
+   </refmeta>
+   <refnamediv id='name'>
+     <refname>subgid</refname>
+-    <refpurpose>the subordinate gid file</refpurpose>
++    <refpurpose>the configuration for subordinate group ids</refpurpose>
+   </refnamediv>
+ 
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+     <para>
++      Subgid authorizes a group id to map ranges of group ids from its namespace
++      into child namespaces.
++    </para>
++    <para>
++      The delegation of the subordinate gids can be configured via the
++      <replaceable>subid</replaceable> field in
++      <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
++      as the delegation source. Setting this field to
++      <replaceable>files</replaceable> configures the delegation of gids to
++      <filename>/etc/subgid</filename>. Setting any other value treats
++      the delegation as a plugin following with a name of the form
++      <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
++      missing, then the subordinate gid delegation falls back to
++      <replaceable>files</replaceable>.
++    </para>
++    <para>
++      Note, that <command>groupadd</command> will only create entries in
++      <filename>/etc/subgid</filename> if subid delegation is managed via subid
++      files.
++    </para>
++  </refsect1>
++
++  <refsect1 id='local-subordinate-delegation'>
++    <title>LOCAL SUBORDINATE DELEGATION</title>
++    <para>
+       Each line in <filename>/etc/subgid</filename> contains
+       a user name and a range of subordinate group ids that user
+       is allowed to use.
+diff -up shadow-4.6/man/subuid.5.xml.man_clarify_subid_delegation shadow-4.6/man/subuid.5.xml
+--- shadow-4.6/man/subuid.5.xml.man_clarify_subid_delegation	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/subuid.5.xml	2021-11-03 10:00:18.888255255 +0100
+@@ -32,6 +32,18 @@
+ <!-- SHADOW-CONFIG-HERE -->
+ ]>
+ <refentry id='subuid.5'>
++  <refentryinfo>
++    <author>
++      <firstname>Eric</firstname>
++      <surname>Biederman</surname>
++      <contrib>Creation, 2013</contrib>
++    </author>
++    <author>
++      <firstname>Iker</firstname>
++      <surname>Pedrosa</surname>
++      <contrib>Developer, 2021</contrib>
++    </author>
++  </refentryinfo>
+   <refmeta>
+     <refentrytitle>subuid</refentrytitle>
+     <manvolnum>5</manvolnum>
+@@ -41,12 +53,37 @@
+   </refmeta>
+   <refnamediv id='name'>
+     <refname>subuid</refname>
+-    <refpurpose>the subordinate uid file</refpurpose>
++    <refpurpose>the configuration for subordinate user ids</refpurpose>
+   </refnamediv>
+ 
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+     <para>
++      Subuid authorizes a user id to map ranges of user ids from its namespace
++      into child namespaces.
++    </para>
++    <para>
++      The delegation of the subordinate uids can be configured via the
++      <replaceable>subid</replaceable> field in
++      <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
++      as the delegation source. Setting this field to
++      <replaceable>files</replaceable> configures the delegation of uids to
++      <filename>/etc/subuid</filename>. Setting any other value treats
++      the delegation as a plugin following with a name of the form
++      <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
++      missing, then the subordinate uid delegation falls back to
++      <replaceable>files</replaceable>.
++    </para>
++    <para>
++      Note, that <command>useradd</command> will only create entries in
++      <filename>/etc/subuid</filename> if subid delegation is managed via subid
++      files.
++    </para>
++  </refsect1>
++
++  <refsect1 id='local-subordinate-delegation'>
++    <title>LOCAL SUBORDINATE DELEGATION</title>
++    <para>
+       Each line in <filename>/etc/subuid</filename> contains
+       a user name and a range of subordinate user ids that user
+       is allowed to use.

SOURCES/shadow-4.6-manfix.patch

@@ -0,0 +1,349 @@
+diff -up shadow-4.6/man/groupmems.8.xml.manfix shadow-4.6/man/groupmems.8.xml
+--- shadow-4.6/man/groupmems.8.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/groupmems.8.xml	2020-10-23 13:15:24.105387634 +0200
+@@ -179,20 +179,10 @@
+   <refsect1 id='setup'>
+     <title>SETUP</title>
+     <para>
+-      The <command>groupmems</command> executable should be in mode
+-      <literal>2770</literal> as user <emphasis>root</emphasis> and in group
+-      <emphasis>groups</emphasis>. The system administrator can add users to
+-      group <emphasis>groups</emphasis> to allow or disallow them using the
+-      <command>groupmems</command> utility to manage their own group
+-      membership list.
++      In this operating system the <command>groupmems</command> executable
++      is not setuid and regular users cannot use it to manipulate
++      the membership of their own group.
+     </para>
+-
+-    <programlisting>
+-	$ groupadd -r groups
+-	$ chmod 2770 groupmems
+-	$ chown root.groups groupmems
+-	$ groupmems -g groups -a gk4
+-    </programlisting>
+   </refsect1>
+ 
+   <refsect1 id='configuration'>
+diff -up shadow-4.6/man/chage.1.xml.manfix shadow-4.6/man/chage.1.xml
+--- shadow-4.6/man/chage.1.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/chage.1.xml	2020-10-23 13:15:24.105387634 +0200
+@@ -102,6 +102,9 @@
+ 	    Set the number of days since January 1st, 1970 when the password
+ 	    was last changed. The date may also be expressed in the format
+ 	    YYYY-MM-DD (or the format more commonly used in your area).
++	    If the <replaceable>LAST_DAY</replaceable> is set to
++	    <emphasis>0</emphasis> the user is forced to change his password
++	    on the next log on.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -119,6 +122,13 @@
+ 	    system again.
+ 	  </para>
+ 	  <para>
++	    For example the following can be used to set an account to expire
++	    in 180 days:
++	  </para>
++	  <programlisting>
++	    chage -E $(date -d +180days +%Y-%m-%d)
++	  </programlisting>
++	  <para>
+ 	    Passing the number <emphasis remap='I'>-1</emphasis> as the
+ 	    <replaceable>EXPIRE_DATE</replaceable> will remove an account
+ 	    expiration date.
+@@ -233,6 +243,18 @@
+       The <command>chage</command> program requires a shadow password file to
+       be available.
+     </para>
++    <para>
++      The chage program will report only the information from the shadow
++      password file. This implies that configuration from other sources
++     (e.g. LDAP or empty password hash field from the passwd file) that
++     affect the user's login will not be shown in the chage output.
++    </para>
++    <para>
++      The <command>chage</command> program will also not report any
++      inconsistency between the shadow and passwd files (e.g. missing x in
++      the passwd file). The <command>pwck</command> can be used to check
++      for this kind of inconsistencies.
++    </para>
+     <para>The <command>chage</command> command is restricted to the root
+       user, except for the <option>-l</option> option, which may be used by
+       an unprivileged user to determine when their password or account is due
+diff -up shadow-4.6/man/ja/man5/login.defs.5.manfix shadow-4.6/man/ja/man5/login.defs.5
+--- shadow-4.6/man/ja/man5/login.defs.5.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/ja/man5/login.defs.5	2020-10-23 13:15:24.106387639 +0200
+@@ -147,10 +147,6 @@ 以下の参照表は、
+ shadow パスワード機能のどのプログラムが
+ どのパラメータを使用するかを示したものである。
+ .na
+-.IP chfn 12
+-CHFN_AUTH CHFN_RESTRICT
+-.IP chsh 12
+-CHFN_AUTH
+ .IP groupadd 12
+ GID_MAX GID_MIN
+ .IP newusers 12
+diff -up shadow-4.6/man/login.defs.5.xml.manfix shadow-4.6/man/login.defs.5.xml
+--- shadow-4.6/man/login.defs.5.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/login.defs.5.xml	2020-10-23 13:15:43.280475188 +0200
+@@ -162,6 +162,27 @@
+       long numeric parameters is machine-dependent.
+     </para>
+ 
++    <para>
++      Please note that the parameters in this configuration file control the
++      behavior of the tools from the shadow-utils component. None of these
++      tools uses the PAM mechanism, and the utilities that use PAM (such as the
++      passwd command) should be configured elsewhere. The only values that
++      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
++      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
++      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
++      pam(8) for more information.
++    </para>
++
++    <para>
++      Please also take into account that this man page is generic and some of
++      the options may be unsupported by currently installed tools. In case of
++      doubt check <xref linkend="cross_references"/> and
++      <xref linkend="see_also"/>. For example see
++      <citerefentry><refentrytitle>login</refentrytitle>
++      <manvolnum>1</manvolnum></citerefentry> for login specific options such
++      as <emphasis>LOGIN_STRING</emphasis>.
++    </para>
++
+     <para>The following configuration items are provided:</para>
+ 
+     <variablelist remap='IP'>
+@@ -252,16 +273,6 @@
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+-	<term>chfn</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CHFN_AUTH</phrase>
+-	    CHFN_RESTRICT
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+ 	<term>chgpasswd</term>
+ 	<listitem>
+ 	  <para>
+@@ -282,14 +293,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry condition="no_pam">
+-	<term>chsh</term>
+-	<listitem>
+-	  <para>
+-	    CHSH_AUTH LOGIN_STRING
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
+       <!-- faillog: no variables -->
+       <varlistentry>
+@@ -350,34 +353,6 @@
+       </varlistentry>
+       <!-- id: no variables -->
+       <!-- lastlog: no variables -->
+-      <varlistentry>
+-	<term>login</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
+-	    ENV_TZ ENVIRON_FILE</phrase>
+-	    ERASECHAR FAIL_DELAY
+-	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
+-	    FAKE_SHELL
+-	    <phrase condition="no_pam">FTMP_FILE</phrase>
+-	    HUSHLOGIN_FILE
+-	    <phrase condition="no_pam">ISSUE_FILE</phrase>
+-	    KILLCHAR
+-	    <phrase condition="no_pam">LASTLOG_ENAB</phrase>
+-	    LOGIN_RETRIES
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
+-	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
+-	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
+-	    QUOTAS_ENAB</phrase>
+-	    TTYGROUP TTYPERM TTYTYPE_FILE
+-	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
+-	    USERGROUPS_ENAB
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- logoutd: no variables -->
+       <varlistentry>
+ 	<term>newgrp / sg</term>
+@@ -405,17 +380,6 @@
+ 	</listitem>
+       </varlistentry>
+       <!-- nologin: no variables -->
+-      <varlistentry condition="no_pam">
+-	<term>passwd</term>
+-	<listitem>
+-	  <para>
+-	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
+-	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
+-	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+-	    SHA_CRYPT_MIN_ROUNDS</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>pwck</term>
+ 	<listitem>
+@@ -442,32 +406,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>su</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
+-	    ENV_PATH ENV_SUPATH
+-	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
+-	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
+-	    SULOG_FILE SU_NAME
+-	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
+-	    SYSLOG_SU_ENAB
+-	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+-	<term>sulogin</term>
+-	<listitem>
+-	  <para>
+-	    ENV_HZ
+-	    <phrase condition="no_pam">ENV_TZ</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>useradd</term>
+ 	<listitem>
+diff -up shadow-4.6/man/shadow.5.xml.manfix shadow-4.6/man/shadow.5.xml
+--- shadow-4.6/man/shadow.5.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/shadow.5.xml	2020-10-23 13:15:24.106387639 +0200
+@@ -129,7 +129,7 @@
+ 	<listitem>
+ 	  <para>
+ 	    The date of the last password change, expressed as the number
+-	    of days since Jan 1, 1970.
++	    of days since Jan 1, 1970 00:00 UTC.
+ 	  </para>
+ 	  <para>
+ 	    The value 0 has a special meaning, which is that the user
+@@ -208,8 +208,8 @@
+ 	  </para>
+ 	  <para>
+ 	    After expiration of the password and this expiration period is
+-	    elapsed, no login is possible using the current user's
+-	    password.  The user should contact her administrator.
++	    elapsed, no login is possible for the user.
++	    The user should contact her administrator.
+ 	  </para>
+ 	  <para>
+ 	    An empty field means that there are no enforcement of an
+@@ -224,7 +224,7 @@
+ 	<listitem>
+ 	  <para>
+ 	    The date of expiration of the account, expressed as the number
+-	    of days since Jan 1, 1970.
++	    of days since Jan 1, 1970 00:00 UTC.
+ 	  </para>
+ 	  <para>
+ 	    Note that an account expiration differs from a password
+diff -up shadow-4.6/man/useradd.8.xml.manfix shadow-4.6/man/useradd.8.xml
+--- shadow-4.6/man/useradd.8.xml.manfix	2020-10-23 13:15:24.100387611 +0200
++++ shadow-4.6/man/useradd.8.xml	2020-10-23 13:15:24.106387639 +0200
+@@ -347,6 +347,11 @@
+ 	    <option>CREATE_HOME</option> is not enabled, no home
+ 	    directories are created.
+ 	  </para>
++	  <para>
++	    The directory where the user's home directory is created must
++	    exist and have proper SELinux context and permissions. Otherwise
++	    the user's home directory cannot be created or accessed.
++	  </para>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+diff -up shadow-4.6/man/usermod.8.xml.manfix shadow-4.6/man/usermod.8.xml
+--- shadow-4.6/man/usermod.8.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/usermod.8.xml	2020-10-23 13:15:24.106387639 +0200
+@@ -132,7 +132,8 @@
+ 	    If the <option>-m</option>
+ 	    option is given, the contents of the current home directory will
+ 	    be moved to the new home directory, which is created if it does
+-	    not already exist.
++	    not already exist. If the current home directory does not exist
++	    the new home directory will not be created.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -256,7 +257,8 @@
+ 	<listitem>
+ 	  <para>
+ 	    Move the content of the user's home directory to the new
+-	    location.
++	    location. If the current home directory does not exist
++	    the new home directory will not be created.
+ 	  </para>
+ 	  <para>
+ 	    This option is only valid in combination with the
+diff -up shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml.manfix shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml
+--- shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml	2020-10-23 13:15:24.106387639 +0200
+@@ -42,7 +42,7 @@
+     <para>
+       The default values for <option>SUB_GID_MIN</option>,
+       <option>SUB_GID_MAX</option>, <option>SUB_GID_COUNT</option>
+-      are respectively 100000, 600100000 and 10000.
++      are respectively 100000, 600100000 and 65536.
+     </para>
+   </listitem>
+ </varlistentry>
+diff -up shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml.manfix shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml
+--- shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml	2020-10-23 13:15:24.106387639 +0200
+@@ -42,7 +42,7 @@
+     <para>
+       The default values for <option>SUB_UID_MIN</option>,
+       <option>SUB_UID_MAX</option>, <option>SUB_UID_COUNT</option>
+-      are respectively 100000, 600100000 and 10000.
++      are respectively 100000, 600100000 and 65536.
+     </para>
+   </listitem>
+ </varlistentry>
+diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml
+--- shadow-4.6/man/groupadd.8.xml.manfix	2020-10-23 13:15:24.100387611 +0200
++++ shadow-4.6/man/groupadd.8.xml	2020-10-23 13:15:24.106387639 +0200
+@@ -322,13 +322,13 @@
+ 	<varlistentry>
+ 	  <term><replaceable>4</replaceable></term>
+ 	  <listitem>
+-	    <para>GID not unique (when <option>-o</option> not used)</para>
++	    <para>GID is already used (when called without <option>-o</option>)</para>
+ 	  </listitem>
+ 	</varlistentry>
+ 	<varlistentry>
+ 	  <term><replaceable>9</replaceable></term>
+ 	  <listitem>
+-	    <para>group name not unique</para>
++	    <para>group name is already used</para>
+ 	  </listitem>
+ 	</varlistentry>
+ 	<varlistentry>

SOURCES/shadow-4.6-orig-context.patch

@@ -0,0 +1,128 @@
+diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c
+--- shadow-4.6/lib/commonio.c.orig-context	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/commonio.c	2018-05-28 14:56:37.287929667 +0200
+@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db *
+ 		snprintf (buf, sizeof buf, "%s-", db->filename);
+ 
+ #ifdef WITH_SELINUX
+-		if (set_selinux_file_context (buf) != 0) {
++		if (set_selinux_file_context (buf, db->filename) != 0) {
+ 			errors++;
+ 		}
+ #endif
+@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db *
+ 	snprintf (buf, sizeof buf, "%s+", db->filename);
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (buf) != 0) {
++	if (set_selinux_file_context (buf, db->filename) != 0) {
+ 		errors++;
+ 	}
+ #endif
+diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c
+--- shadow-4.6/libmisc/copydir.c.orig-context	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/libmisc/copydir.c	2018-05-28 14:56:37.287929667 +0200
+@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
+ 	 */
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
+ 	}
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		free (oldlink);
+ 		return -1;
+ 	}
+@@ -684,7 +684,7 @@ static int copy_special (const char *src
+ 	int err = 0;
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
+ 		return -1;
+ 	}
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h
+--- shadow-4.6/lib/prototypes.h.orig-context	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/prototypes.h	2018-05-28 14:56:37.287929667 +0200
+@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m
+ 
+ /* selinux.c */
+ #ifdef WITH_SELINUX
+-extern int set_selinux_file_context (const char *dst_name);
++extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
+ extern int reset_selinux_file_context (void);
+ #endif
+ 
+diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c
+--- shadow-4.6/lib/selinux.c.orig-context	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/selinux.c	2018-05-28 14:56:37.287929667 +0200
+@@ -50,7 +50,7 @@ static bool selinux_enabled;
+  *	Callers may have to Reset SELinux to create files with default
+  *	contexts with reset_selinux_file_context
+  */
+-int set_selinux_file_context (const char *dst_name)
++int set_selinux_file_context (const char *dst_name, const char *orig_name)
+ {
+ 	/*@null@*/security_context_t scontext = NULL;
+ 
+@@ -62,19 +62,23 @@ int set_selinux_file_context (const char
+ 	if (selinux_enabled) {
+ 		/* Get the default security context for this file */
+ 		if (matchpathcon (dst_name, 0, &scontext) < 0) {
+-			if (security_getenforce () != 0) {
+-				return 1;
+-			}
++			/* We could not get the default, copy the original */
++			if (orig_name == NULL)
++				goto error;
++			if (getfilecon (orig_name, &scontext) < 0)
++				goto error;
+ 		}
+ 		/* Set the security context for the next created file */
+-		if (setfscreatecon (scontext) < 0) {
+-			if (security_getenforce () != 0) {
+-				return 1;
+-			}
+-		}
++		if (setfscreatecon (scontext) < 0)
++			goto error;
+ 		freecon (scontext);
+ 	}
+ 	return 0;
++    error:
++	if (security_getenforce () != 0) {
++		return 1;
++	}
++	return 0;
+ }
+ 
+ /*
+diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c
+--- shadow-4.6/src/useradd.c.orig-context	2018-05-28 14:56:37.288929688 +0200
++++ shadow-4.6/src/useradd.c	2018-05-28 14:58:02.242730903 +0200
+@@ -2020,7 +2020,7 @@ static void create_home (void)
+ {
+ 	if (access (prefix_user_home, F_OK) != 0) {
+ #ifdef WITH_SELINUX
+-		if (set_selinux_file_context (prefix_user_home) != 0) {
++		if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
+ 			fprintf (stderr,
+ 			         _("%s: cannot set SELinux context for home directory %s\n"),
+ 			         Prog, user_home);

SOURCES/shadow-4.6-redhat.patch

@@ -1,16 +1,16 @@
-diff -up shadow-4.9/src/useradd.c.redhat shadow-4.9/src/useradd.c
+diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
---- shadow-4.9/src/useradd.c.redhat	2021-07-22 23:55:35.000000000 +0200
+--- shadow-4.6/src/useradd.c.redhat	2018-04-29 18:42:37.000000000 +0200
-+++ shadow-4.9/src/useradd.c	2021-08-02 11:45:11.942867250 +0200
++++ shadow-4.6/src/useradd.c	2018-05-28 13:37:16.695651258 +0200
-@@ -104,7 +104,7 @@ FILE *shadow_logfd = NULL;
+@@ -98,7 +98,7 @@ const char *Prog;
- static gid_t def_group = 1000;
+ static gid_t def_group = 100;
  static const char *def_gname = "other";
  static const char *def_home = "/home";
--static const char *def_shell = "/bin/bash";
+-static const char *def_shell = "";
 +static const char *def_shell = "/sbin/nologin";
  static const char *def_template = SKEL_DIR;
- static const char *def_create_mail_spool = "yes";
+ static const char *def_create_mail_spool = "no";
  
-@@ -114,7 +114,7 @@ static const char *def_expire = "";
+@@ -108,7 +108,7 @@ static const char *def_expire = "";
  #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
  
  static const char *user_name = "";
@@ -19,7 +19,7 @@ diff -up shadow-4.9/src/useradd.c.redhat shadow-4.9/src/useradd.c
  static uid_t user_id;
  static gid_t user_gid;
  static const char *user_comment = "";
-@@ -1204,9 +1204,9 @@ static void process_flags (int argc, cha
+@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha
  		};
  		while ((c = getopt_long (argc, argv,
  #ifdef WITH_SELINUX
@@ -31,7 +31,7 @@ diff -up shadow-4.9/src/useradd.c.redhat shadow-4.9/src/useradd.c
  #endif				/* !WITH_SELINUX */
  		                         long_options, NULL)) != -1) {
  			switch (c) {
-@@ -1363,6 +1363,7 @@ static void process_flags (int argc, cha
+@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha
  			case 'M':
  				Mflg = true;
  				break;

SOURCES/shadow-4.6-regular-user.patch

@@ -0,0 +1,108 @@
+From fd4405b763d26649339069532e79bd45013c8c38 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Mon, 20 Jan 2020 13:58:07 +0100
+Subject: [PATCH] Do not mistake a regular user process for a namespaced one
+
+In case there is a regular user with a process running on a system
+with uid falling into a namespaced uid range of another user.
+The user with the colliding namespaced uid range will not be
+allowed to be deleted without forcing the action with -f.
+
+The user_busy() is adjusted to check whether the suspected process
+is really a namespaced process in a different namespace.
+---
+ libmisc/user_busy.c | 44 ++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 36 insertions(+), 8 deletions(-)
+
+diff --git a/libmisc/user_busy.c b/libmisc/user_busy.c
+index b0867568..324bb946 100644
+--- a/libmisc/user_busy.c
++++ b/libmisc/user_busy.c
+@@ -39,6 +39,7 @@
+ #include <sys/types.h>
+ #include <dirent.h>
+ #include <fcntl.h>
++#include <unistd.h>
+ #include "defines.h"
+ #include "prototypes.h"
+ #ifdef ENABLE_SUBIDS
+@@ -106,6 +107,31 @@ static int user_busy_utmp (const char *name)
+ #endif				/* !__linux__ */
+ 
+ #ifdef __linux__
++#ifdef ENABLE_SUBIDS
++#define in_parentuid_range(uid) ((uid) >= parentuid && (uid) < parentuid + range)
++static int different_namespace (const char *sname)
++{
++	/* 41: /proc/xxxxxxxxxx/task/xxxxxxxxxx/ns/user + \0 */
++	char path[41];
++	char buf[512], buf2[512];
++	ssize_t llen1, llen2;
++
++	snprintf (path, 41, "/proc/%s/ns/user", sname);
++
++	if ((llen1 = readlink (path, buf, sizeof(buf))) == -1)
++		return 0;
++
++	if ((llen2 = readlink ("/proc/self/ns/user", buf2, sizeof(buf2))) == -1)
++		return 0;
++
++	if (llen1 == llen2 && memcmp (buf, buf2, llen1) == 0)
++		return 0; /* same namespace */
++
++	return 1;
++}
++#endif                          /* ENABLE_SUBIDS */
++
++
+ static int check_status (const char *name, const char *sname, uid_t uid)
+ {
+ 	/* 40: /proc/xxxxxxxxxx/task/xxxxxxxxxx/status + \0 */
+@@ -114,7 +140,6 @@ static int check_status (const char *name, const char *sname, uid_t uid)
+ 	FILE *sfile;
+ 
+ 	snprintf (status, 40, "/proc/%s/status", sname);
+-	status[39] = '\0';
+ 
+ 	sfile = fopen (status, "r");
+ 	if (NULL == sfile) {
+@@ -123,26 +148,29 @@ static int check_status (const char *name, const char *sname, uid_t uid)
+ 	while (fgets (line, sizeof (line), sfile) == line) {
+ 		if (strncmp (line, "Uid:\t", 5) == 0) {
+ 			unsigned long ruid, euid, suid;
++
+ 			assert (uid == (unsigned long) uid);
++			(void) fclose (sfile);
+ 			if (sscanf (line,
+ 			            "Uid:\t%lu\t%lu\t%lu\n",
+ 			            &ruid, &euid, &suid) == 3) {
+ 				if (   (ruid == (unsigned long) uid)
+ 				    || (euid == (unsigned long) uid)
+-				    || (suid == (unsigned long) uid)
++				    || (suid == (unsigned long) uid) ) {
++					return 1;
++				}
+ #ifdef ENABLE_SUBIDS
+-				    || have_sub_uids(name, ruid, 1)
+-				    || have_sub_uids(name, euid, 1)
+-				    || have_sub_uids(name, suid, 1)
+-#endif				/* ENABLE_SUBIDS */
++				if (    different_namespace (sname)
++				     && (   have_sub_uids(name, ruid, 1)
++				         || have_sub_uids(name, euid, 1)
++				         || have_sub_uids(name, suid, 1))
+ 				   ) {
+-					(void) fclose (sfile);
+ 					return 1;
+ 				}
++#endif				/* ENABLE_SUBIDS */
+ 			} else {
+ 				/* Ignore errors. This is just a best effort. */
+ 			}
+-			(void) fclose (sfile);
+ 			return 0;
+ 		}
+ 	}
+-- 
+2.25.2
+

SOURCES/shadow-4.6-remove-login-string-references.patch

@@ -0,0 +1,19 @@
+diff -up shadow-4.6/man/login.defs.5.xml.remove_login_string_references shadow-4.6/man/login.defs.5.xml
+--- shadow-4.6/man/login.defs.5.xml.remove_login_string_references	2021-04-27 13:01:49.428338258 +0200
++++ shadow-4.6/man/login.defs.5.xml	2021-04-27 13:01:49.433338329 +0200
+@@ -58,7 +58,6 @@
+ <!ENTITY LOG_OK_LOGINS         SYSTEM "login.defs.d/LOG_OK_LOGINS.xml">
+ <!ENTITY LOG_UNKFAIL_ENAB      SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml">
+ <!ENTITY LOGIN_RETRIES         SYSTEM "login.defs.d/LOGIN_RETRIES.xml">
+-<!ENTITY LOGIN_STRING          SYSTEM "login.defs.d/LOGIN_STRING.xml">
+ <!ENTITY LOGIN_TIMEOUT         SYSTEM "login.defs.d/LOGIN_TIMEOUT.xml">
+ <!ENTITY MAIL_CHECK_ENAB       SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml">
+ <!ENTITY MAIL_DIR              SYSTEM "login.defs.d/MAIL_DIR.xml">
+@@ -214,7 +213,6 @@
+       &LOG_OK_LOGINS;
+       &LOG_UNKFAIL_ENAB;
+       &LOGIN_RETRIES;
+-      &LOGIN_STRING;
+       &LOGIN_TIMEOUT;
+       &MAIL_CHECK_ENAB;
+       &MAIL_DIR;

SOURCES/shadow-4.6-respect_enable_static_no.patch

@@ -0,0 +1,24 @@
+diff -up shadow-4.6/configure.ac.respect_enable_static_no shadow-4.6/configure.ac
+--- shadow-4.6/configure.ac.respect_enable_static_no	2021-11-03 12:09:39.852829632 +0100
++++ shadow-4.6/configure.ac	2021-11-03 12:10:32.447203434 +0100
+@@ -311,6 +311,8 @@ if test "$with_sha_crypt" = "yes"; then
+ 	AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
+ fi
+ 
++AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
++
+ if test "$with_nscd" = "yes"; then
+ 	AC_CHECK_FUNC(posix_spawn,
+ 	              [AC_DEFINE(USE_NSCD, 1, [Define to support flushing of nscd caches])],
+diff -up shadow-4.6/libsubid/Makefile.am.respect_enable_static_no shadow-4.6/libsubid/Makefile.am
+--- shadow-4.6/libsubid/Makefile.am.respect_enable_static_no	2021-11-03 12:09:39.851829625 +0100
++++ shadow-4.6/libsubid/Makefile.am	2021-11-03 12:09:39.852829632 +0100
+@@ -1,6 +1,8 @@
+ lib_LTLIBRARIES = libsubid.la
++if ENABLE_SHARED
+ libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
+ 	-shared -version-info @LIBSUBID_ABI_MAJOR@
++endif
+ libsubid_la_SOURCES = api.c
+ 
+ pkginclude_HEADERS = subid.h

SOURCES/shadow-4.6-salt-remove-rounds.patch

@@ -0,0 +1,15 @@
+diff --git a/libmisc/salt.c b/libmisc/salt.c
+index c72447ea..4940d76e 100644
+--- a/libmisc/salt.c
++++ b/libmisc/salt.c
+@@ -248,6 +248,10 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
+ 		result[0] = '\0';
+ 	}
+ 
++	if (strstr(result, "rounds=") != NULL) {
++		result[3] = '\0';
++	}
++
+ 	/*
+ 	 * Concatenate a pseudo random salt.
+ 	 */

SOURCES/shadow-4.6-selinux-perms.patch

@@ -135,6 +135,22 @@ diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c
  	check_perms ();
  
  #ifdef SHADOWGRP
+@@ -536,6 +629,15 @@ int main (int argc, char **argv)
+ 			newgr.gr_passwd = cp;
+ 		}
+ 
++#ifdef WITH_AUDIT
++		{
++
++			audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
++		              "change-password",
++		              myname, AUDIT_NO_ID, gr->gr_name,
++		              SHADOW_AUDIT_SUCCESS);
++		}
++#endif
+ 		/* 
+ 		 * The updated group file entry is then put back and will
+ 		 * be written to the group file later, after all the
 diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c
 --- shadow-4.8/src/chpasswd.c.selinux-perms	2019-12-01 18:02:43.000000000 +0100
 +++ shadow-4.8/src/chpasswd.c	2020-01-13 10:21:44.558107260 +0100
@@ -238,3 +254,31 @@ diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c
  	check_perms ();
  
  #ifdef USE_PAM
+@@ -566,6 +638,11 @@ int main (int argc, char **argv)
+ 			newpw.pw_passwd = cp;
+ 		}
+ 
++#ifdef WITH_AUDIT
++		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++		              "updating-password",
++		              pw->pw_name, (unsigned int) pw->pw_uid, 1);
++#endif
+ 		/* 
+ 		 * The updated password file entry is then put back and will
+ 		 * be written to the password file later, after all the
+Index: shadow-4.5/src/Makefile.am
+===================================================================
+--- shadow-4.5.orig/src/Makefile.am
++++ shadow-4.5/src/Makefile.am
+@@ -87,9 +87,9 @@ chage_LDADD    = $(LDADD) $(LIBPAM_SUID)
+ newuidmap_LDADD    = $(LDADD) $(LIBSELINUX)
+ newgidmap_LDADD    = $(LDADD) $(LIBSELINUX)
+ chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
++chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
+ chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
++chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
+ gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+ groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)

SOURCES/shadow-4.6-selinux.patch

@@ -0,0 +1,115 @@
+diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c
+--- shadow-4.6/lib/semanage.c.selinux	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/semanage.c	2018-05-28 13:38:20.551008911 +0200
+@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
+ 
+ 	ret = 0;
+ 
++        /* drop obsolete matchpathcon cache */
++        matchpathcon_fini();
++
+ done:
+ 	semanage_seuser_key_free (key);
+ 	semanage_handle_destroy (handle);
+@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
+ 	}
+ 
+ 	ret = 0;
++
++        /* drop obsolete matchpathcon cache */
++        matchpathcon_fini();
++
+ done:
+ 	semanage_handle_destroy (handle);
+ 	return ret;
+diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c
+--- shadow-4.6/src/useradd.c.selinux	2018-05-28 13:43:30.996748997 +0200
++++ shadow-4.6/src/useradd.c	2018-05-28 13:44:04.645486199 +0200
+@@ -2120,6 +2120,7 @@ static void create_mail (void)
+  */
+ int main (int argc, char **argv)
+ {
++	int rv = E_SUCCESS;
+ #ifdef ACCT_TOOLS_SETUID
+ #ifdef USE_PAM
+ 	pam_handle_t *pamh = NULL;
+@@ -2342,27 +2343,11 @@ int main (int argc, char **argv)
+ 
+ 	usr_update ();
+ 
+-	if (mflg) {
+-		create_home ();
+-		if (home_added) {
+-			copy_tree (def_template, prefix_user_home, false, false,
+-			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
+-		} else {
+-			fprintf (stderr,
+-			         _("%s: warning: the home directory already exists.\n"
+-			           "Not copying any file from skel directory into it.\n"),
+-			         Prog);
+-		}
+-
+-	}
+-
+-	/* Do not create mail directory for system accounts */
+-	if (!rflg) {
+-		create_mail ();
+-	}
+-
+ 	close_files ();
+ 
++	nscd_flush_cache ("passwd");
++	nscd_flush_cache ("group");
++
+ 	/*
+ 	 * tallylog_reset needs to be able to lookup
+ 	 * a valid existing user name,
+@@ -2373,8 +2358,9 @@ int main (int argc, char **argv)
+ 	}
+ 
+ #ifdef WITH_SELINUX
+-	if (Zflg) {
+-		if (set_seuser (user_name, user_selinux) != 0) {
++	if (Zflg && *user_selinux) {
++		if (is_selinux_enabled () > 0) {
++		    if (set_seuser (user_name, user_selinux) != 0) {
+ 			fprintf (stderr,
+ 			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ 			         Prog, user_name, user_selinux);
+@@ -2383,14 +2369,31 @@ int main (int argc, char **argv)
+ 			              "adding SELinux user mapping",
+ 			              user_name, (unsigned int) user_id, 0);
+ #endif				/* WITH_AUDIT */
+-			fail_exit (E_SE_UPDATE);
++			rv = E_SE_UPDATE;
++		    }
+ 		}
+ 	}
+-#endif				/* WITH_SELINUX */
++#endif
+ 
+-	nscd_flush_cache ("passwd");
+-	nscd_flush_cache ("group");
++	if (mflg) {
++		create_home ();
++		if (home_added) {
++			copy_tree (def_template, prefix_user_home, false, true,
++			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
++		} else {
++			fprintf (stderr,
++			         _("%s: warning: the home directory already exists.\n"
++			           "Not copying any file from skel directory into it.\n"),
++			         Prog);
++		}
++
++	}
++
++	/* Do not create mail directory for system accounts */
++	if (!rflg) {
++		create_mail ();
++	}
+ 
+-	return E_SUCCESS;
++	return rv;
+ }
+ 

SOURCES/shadow-4.6-sssd-flush.patch

@@ -0,0 +1,641 @@
+From 4aaf05d72e9d6daf348cefb8a6ad35d2966cbe9b Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jakub.hrozek@posteo.se>
+Date: Wed, 12 Sep 2018 14:22:11 +0200
+Subject: [PATCH] Flush sssd caches in addition to nscd caches
+
+Some distributions, notably Fedora, have the following order of nsswitch
+modules by default:
+    passwd: sss files
+    group:  sss files
+
+The advantage of serving local users through SSSD is that the nss_sss
+module has a fast mmapped-cache that speeds up NSS lookups compared to
+accessing the disk an opening the files on each NSS request.
+
+Traditionally, this has been done with the help of nscd, but using nscd
+in parallel with sssd is cumbersome, as both SSSD and nscd use their own
+independent caching, so using nscd in setups where sssd is also serving
+users from some remote domain (LDAP, AD, ...) can result in a bit of
+unpredictability.
+
+More details about why Fedora chose to use sss before files can be found
+on e.g.:
+    https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
+or:
+    https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html
+
+Now, even though sssd watches the passwd and group files with the help
+of inotify, there can still be a small window where someone requests a
+user or a group, finds that it doesn't exist, adds the entry and checks
+again. Without some support in shadow-utils that would explicitly drop
+the sssd caches, the inotify watch can fire a little late, so a
+combination of commands like this:
+    getent passwd user || useradd user; getent passwd user
+can result in the second getent passwd not finding the newly added user
+as the racy behaviour might still return the cached negative hit from
+the first getent passwd.
+
+This patch more or less copies the already existing support that
+shadow-utils had for dropping nscd caches, except using the "sss_cache"
+tool that sssd ships.
+---
+ configure.ac    | 10 +++++++
+ lib/Makefile.am |  2 ++
+ lib/commonio.c  |  2 ++
+ lib/sssd.c      | 75 +++++++++++++++++++++++++++++++++++++++++++++++++
+ lib/sssd.h      | 17 +++++++++++
+ src/chfn.c      |  2 ++
+ src/chgpasswd.c |  2 ++
+ src/chpasswd.c  |  2 ++
+ src/chsh.c      |  2 ++
+ src/gpasswd.c   |  2 ++
+ src/groupadd.c  |  2 ++
+ src/groupdel.c  |  2 ++
+ src/groupmod.c  |  2 ++
+ src/grpck.c     |  2 ++
+ src/grpconv.c   |  2 ++
+ src/grpunconv.c |  2 ++
+ src/newusers.c  |  2 ++
+ src/passwd.c    |  2 ++
+ src/pwck.c      |  2 ++
+ src/pwconv.c    |  2 ++
+ src/pwunconv.c  |  2 ++
+ src/useradd.c   |  2 ++
+ src/userdel.c   |  2 ++
+ src/usermod.c   |  2 ++
+ src/vipw.c      |  2 ++
+ 25 files changed, 146 insertions(+)
+ create mode 100644 lib/sssd.c
+ create mode 100644 lib/sssd.h
+
+diff --git a/configure.ac b/configure.ac
+index 41068a5d..10ad70cf 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -280,6 +280,9 @@ AC_ARG_WITH(sha-crypt,
+ AC_ARG_WITH(nscd,
+ 	[AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
+ 	[with_nscd=$withval], [with_nscd=yes])
++AC_ARG_WITH(sssd,
++	[AC_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])],
++	[with_sssd=$withval], [with_sssd=yes])
+ AC_ARG_WITH(group-name-max-length,
+ 	[AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])],
+ 	[with_group_name_max_length=$withval], [with_group_name_max_length=yes])
+@@ -304,6 +307,12 @@ if test "$with_nscd" = "yes"; then
+ 	              [AC_MSG_ERROR([posix_spawn is needed for nscd support])])
+ fi
+ 
++if test "$with_sssd" = "yes"; then
++	AC_CHECK_FUNC(posix_spawn,
++	              [AC_DEFINE(USE_SSSD, 1, [Define to support flushing of sssd caches])],
++	              [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
++fi
++
+ dnl Check for some functions in libc first, only if not found check for
+ dnl other libraries.  This should prevent linking libnsl if not really
+ dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
+@@ -679,5 +688,6 @@ echo "	shadow group support:		$enable_shadowgrp"
+ echo "	S/Key support:			$with_skey"
+ echo "	SHA passwords encryption:	$with_sha_crypt"
+ echo "	nscd support:			$with_nscd"
++echo "	sssd support:			$with_sssd"
+ echo "	subordinate IDs support:	$enable_subids"
+ echo
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index 6db86cd6..fd634542 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -30,6 +30,8 @@ libshadow_la_SOURCES = \
+ 	lockpw.c \
+ 	nscd.c \
+ 	nscd.h \
++	sssd.c \
++	sssd.h \
+ 	pam_defs.h \
+ 	port.c \
+ 	port.h \
+diff --git a/lib/commonio.c b/lib/commonio.c
+index d06b8e7d..96f2d5f7 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -45,6 +45,7 @@
+ #include <stdio.h>
+ #include <signal.h>
+ #include "nscd.h"
++#include "sssd.h"
+ #ifdef WITH_TCB
+ #include <tcb.h>
+ #endif				/* WITH_TCB */
+@@ -485,6 +486,7 @@ static void dec_lock_count (void)
+ 			if (nscd_need_reload) {
+ 				nscd_flush_cache ("passwd");
+ 				nscd_flush_cache ("group");
++				sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 				nscd_need_reload = false;
+ 			}
+ #ifdef HAVE_LCKPWDF
+diff --git a/lib/sssd.c b/lib/sssd.c
+new file mode 100644
+index 00000000..80e49e55
+--- /dev/null
++++ b/lib/sssd.c
+@@ -0,0 +1,75 @@
++/* Author: Peter Vrabec <pvrabec@redhat.com> */
++
++#include <config.h>
++#ifdef USE_SSSD
++
++#include <stdio.h>
++#include <sys/wait.h>
++#include <sys/types.h>
++#include "exitcodes.h"
++#include "defines.h"
++#include "prototypes.h"
++#include "sssd.h"
++
++#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
++
++int sssd_flush_cache (int dbflags)
++{
++	int status, code, rv;
++	const char *cmd = "/usr/sbin/sss_cache";
++	char *sss_cache_args = NULL;
++	const char *spawnedArgs[] = {"sss_cache", NULL, NULL};
++	const char *spawnedEnv[] = {NULL};
++	int i = 0;
++
++	sss_cache_args = malloc(4);
++	if (sss_cache_args == NULL) {
++	    return -1;
++	}
++
++	sss_cache_args[i++] = '-';
++	if (dbflags & SSSD_DB_PASSWD) {
++		sss_cache_args[i++] = 'U';
++	}
++	if (dbflags & SSSD_DB_GROUP) {
++		sss_cache_args[i++] = 'G';
++	}
++	sss_cache_args[i++] = '\0';
++	if (i == 2) {
++		/* Neither passwd nor group, nothing to do */
++		free(sss_cache_args);
++		return 0;
++	}
++	spawnedArgs[1] = sss_cache_args;
++
++	rv = run_command (cmd, spawnedArgs, spawnedEnv, &status);
++	free(sss_cache_args);
++	if (rv != 0) {
++		/* run_command writes its own more detailed message. */
++		(void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
++		return -1;
++	}
++
++	code = WEXITSTATUS (status);
++	if (!WIFEXITED (status)) {
++		(void) fprintf (stderr,
++		                _("%s: sss_cache did not terminate normally (signal %d)\n"),
++		                Prog, WTERMSIG (status));
++		return -1;
++	} else if (code == E_CMD_NOTFOUND) {
++		/* sss_cache is not installed, or it is installed but uses an
++		   interpreter that is missing.  Probably the former. */
++		return 0;
++	} else if (code != 0) {
++		(void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
++		                Prog, code);
++		(void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
++		return -1;
++	}
++
++	return 0;
++}
++#else				/* USE_SSSD */
++extern int errno;		/* warning: ANSI C forbids an empty source file */
++#endif				/* USE_SSSD */
++
+diff --git a/lib/sssd.h b/lib/sssd.h
+new file mode 100644
+index 00000000..00ff2a8a
+--- /dev/null
++++ b/lib/sssd.h
+@@ -0,0 +1,17 @@
++#ifndef _SSSD_H_
++#define _SSSD_H_
++
++#define SSSD_DB_PASSWD	0x001
++#define SSSD_DB_GROUP	0x002
++
++/*
++ * sssd_flush_cache - flush specified service buffer in sssd cache
++ */
++#ifdef	USE_SSSD
++extern int sssd_flush_cache (int dbflags);
++#else
++#define sssd_flush_cache(service) (0)
++#endif
++
++#endif
++
+diff --git a/src/chfn.c b/src/chfn.c
+index 18aa3de7..0725e1c7 100644
+--- a/src/chfn.c
++++ b/src/chfn.c
+@@ -47,6 +47,7 @@
+ #include "defines.h"
+ #include "getdef.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #ifdef USE_PAM
+ #include "pam_defs.h"
+ #endif
+@@ -746,6 +747,7 @@ int main (int argc, char **argv)
+ 	SYSLOG ((LOG_INFO, "changed user '%s' information", user));
+ 
+ 	nscd_flush_cache ("passwd");
++	sssd_flush_cache (SSSD_DB_PASSWD);
+ 
+ 	closelog ();
+ 	exit (E_SUCCESS);
+diff --git a/src/chgpasswd.c b/src/chgpasswd.c
+index 13203a46..e5f2eb7e 100644
+--- a/src/chgpasswd.c
++++ b/src/chgpasswd.c
+@@ -46,6 +46,7 @@
+ #endif				/* ACCT_TOOLS_SETUID */
+ #include "defines.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "groupio.h"
+ #ifdef	SHADOWGRP
+@@ -581,6 +582,7 @@ int main (int argc, char **argv)
+ 	close_files ();
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	return (0);
+ }
+diff --git a/src/chpasswd.c b/src/chpasswd.c
+index 918b27ee..49e79cdb 100644
+--- a/src/chpasswd.c
++++ b/src/chpasswd.c
+@@ -44,6 +44,7 @@
+ #endif				/* USE_PAM */
+ #include "defines.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "getdef.h"
+ #include "prototypes.h"
+ #include "pwio.h"
+@@ -624,6 +625,7 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	nscd_flush_cache ("passwd");
++	sssd_flush_cache (SSSD_DB_PASSWD);
+ 
+ 	return (0);
+ }
+diff --git a/src/chsh.c b/src/chsh.c
+index c89708b9..910e3dd4 100644
+--- a/src/chsh.c
++++ b/src/chsh.c
+@@ -46,6 +46,7 @@
+ #include "defines.h"
+ #include "getdef.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwauth.h"
+ #include "pwio.h"
+@@ -557,6 +558,7 @@ int main (int argc, char **argv)
+ 	SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh));
+ 
+ 	nscd_flush_cache ("passwd");
++	sssd_flush_cache (SSSD_DB_PASSWD);
+ 
+ 	closelog ();
+ 	exit (E_SUCCESS);
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index c4a492b1..4d75af96 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -45,6 +45,7 @@
+ #include "defines.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #ifdef SHADOWGRP
+ #include "sgroupio.h"
+@@ -1201,6 +1202,7 @@ int main (int argc, char **argv)
+ 	close_files ();
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	exit (E_SUCCESS);
+ }
+diff --git a/src/groupadd.c b/src/groupadd.c
+index b57006c5..2dd8eec9 100644
+--- a/src/groupadd.c
++++ b/src/groupadd.c
+@@ -51,6 +51,7 @@
+ #include "getdef.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #ifdef	SHADOWGRP
+ #include "sgroupio.h"
+@@ -625,6 +626,7 @@ int main (int argc, char **argv)
+ 	close_files ();
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	return E_SUCCESS;
+ }
+diff --git a/src/groupdel.c b/src/groupdel.c
+index 70bed010..f941a84a 100644
+--- a/src/groupdel.c
++++ b/src/groupdel.c
+@@ -49,6 +49,7 @@
+ #include "defines.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #ifdef	SHADOWGRP
+ #include "sgroupio.h"
+@@ -492,6 +493,7 @@ int main (int argc, char **argv)
+ 	close_files ();
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	return E_SUCCESS;
+ }
+diff --git a/src/groupmod.c b/src/groupmod.c
+index b293b98f..1dca5fc9 100644
+--- a/src/groupmod.c
++++ b/src/groupmod.c
+@@ -51,6 +51,7 @@
+ #include "groupio.h"
+ #include "pwio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #ifdef	SHADOWGRP
+ #include "sgroupio.h"
+@@ -877,6 +878,7 @@ int main (int argc, char **argv)
+ 	close_files ();
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	return E_SUCCESS;
+ }
+diff --git a/src/grpck.c b/src/grpck.c
+index ea5d3b39..6140b10d 100644
+--- a/src/grpck.c
++++ b/src/grpck.c
+@@ -45,6 +45,7 @@
+ #include "defines.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ 
+ #ifdef SHADOWGRP
+@@ -870,6 +871,7 @@ int main (int argc, char **argv)
+ 	close_files (changed);
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	/*
+ 	 * Tell the user what we did and exit.
+diff --git a/src/grpconv.c b/src/grpconv.c
+index f95f4960..5e5eaaca 100644
+--- a/src/grpconv.c
++++ b/src/grpconv.c
+@@ -48,6 +48,7 @@
+ #include <unistd.h>
+ #include <getopt.h>
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ /*@-exitarg@*/
+ #include "exitcodes.h"
+@@ -273,6 +274,7 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	return 0;
+ }
+diff --git a/src/grpunconv.c b/src/grpunconv.c
+index 253f06f5..e4105c26 100644
+--- a/src/grpunconv.c
++++ b/src/grpunconv.c
+@@ -48,6 +48,7 @@
+ #include <grp.h>
+ #include <getopt.h>
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ /*@-exitarg@*/
+ #include "exitcodes.h"
+@@ -236,6 +237,7 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	return 0;
+ }
+diff --git a/src/newusers.c b/src/newusers.c
+index 8e4bef97..7c3bb1c2 100644
+--- a/src/newusers.c
++++ b/src/newusers.c
+@@ -62,6 +62,7 @@
+ #include "getdef.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "pwio.h"
+ #include "sgroupio.h"
+ #include "shadowio.h"
+@@ -1233,6 +1234,7 @@ int main (int argc, char **argv)
+ 
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 
+ #ifdef USE_PAM
+ 	unsigned int i;
+diff --git a/src/passwd.c b/src/passwd.c
+index 3af3e651..5bea2765 100644
+--- a/src/passwd.c
++++ b/src/passwd.c
+@@ -51,6 +51,7 @@
+ #include "defines.h"
+ #include "getdef.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwauth.h"
+ #include "pwio.h"
+@@ -1150,6 +1151,7 @@ int main (int argc, char **argv)
+ 
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 
+ 	SYSLOG ((LOG_INFO, "password for '%s' changed by '%s'", name, myname));
+ 	closelog ();
+diff --git a/src/pwck.c b/src/pwck.c
+index 05df68ec..0ffb711e 100644
+--- a/src/pwck.c
++++ b/src/pwck.c
+@@ -48,6 +48,7 @@
+ #include "shadowio.h"
+ #include "getdef.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #ifdef WITH_TCB
+ #include "tcbfuncs.h"
+ #endif				/* WITH_TCB */
+@@ -877,6 +878,7 @@ int main (int argc, char **argv)
+ 	close_files (changed);
+ 
+ 	nscd_flush_cache ("passwd");
++	sssd_flush_cache (SSSD_DB_PASSWD);
+ 
+ 	/*
+ 	 * Tell the user what we did and exit.
+diff --git a/src/pwconv.c b/src/pwconv.c
+index d6ee31a8..9c69fa13 100644
+--- a/src/pwconv.c
++++ b/src/pwconv.c
+@@ -72,6 +72,7 @@
+ #include "pwio.h"
+ #include "shadowio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ 
+ /*
+  * exit status values
+@@ -328,6 +329,7 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	nscd_flush_cache ("passwd");
++	sssd_flush_cache (SSSD_DB_PASSWD);
+ 
+ 	return E_SUCCESS;
+ }
+diff --git a/src/pwunconv.c b/src/pwunconv.c
+index fabf0237..e11ea494 100644
+--- a/src/pwunconv.c
++++ b/src/pwunconv.c
+@@ -42,6 +42,7 @@
+ #include <getopt.h>
+ #include "defines.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwio.h"
+ #include "shadowio.h"
+@@ -250,6 +251,7 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	nscd_flush_cache ("passwd");
++	sssd_flush_cache (SSSD_DB_PASSWD);
+ 
+ 	return 0;
+ }
+diff --git a/src/useradd.c b/src/useradd.c
+index ca90f076..b0c2224d 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -60,6 +60,7 @@
+ #include "getdef.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwauth.h"
+ #include "pwio.h"
+@@ -2425,6 +2426,7 @@ int main (int argc, char **argv)
+ 
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 
+ 	/*
+ 	 * tallylog_reset needs to be able to lookup
+diff --git a/src/userdel.c b/src/userdel.c
+index c8de1d31..0715e4fe 100644
+--- a/src/userdel.c
++++ b/src/userdel.c
+@@ -53,6 +53,7 @@
+ #include "getdef.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwauth.h"
+ #include "pwio.h"
+@@ -1328,6 +1329,7 @@ int main (int argc, char **argv)
+ 
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 
+ 	return ((0 != errors) ? E_HOMEDIR : E_SUCCESS);
+ }
+diff --git a/src/usermod.c b/src/usermod.c
+index 7355ad31..fd9a98a6 100644
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -57,6 +57,7 @@
+ #include "getdef.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwauth.h"
+ #include "pwio.h"
+@@ -2255,6 +2256,7 @@ int main (int argc, char **argv)
+ 
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 
+ #ifdef WITH_SELINUX
+ 	if (Zflg) {
+diff --git a/src/vipw.c b/src/vipw.c
+index 6d730f65..2cfac6b4 100644
+--- a/src/vipw.c
++++ b/src/vipw.c
+@@ -42,6 +42,7 @@
+ #include "defines.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwio.h"
+ #include "sgroupio.h"
+@@ -556,6 +557,7 @@ int main (int argc, char **argv)
+ 
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 
+ 	return E_SUCCESS;
+ }

SOURCES/shadow-4.6-sssd-redirect-warning.patch

@@ -0,0 +1,59 @@
+From 87257a49a1821d67870aa9760c71b6791583709c Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Fri, 2 Oct 2020 16:09:42 +0200
+Subject: [PATCH] lib/sssd: redirect warning message to file
+
+Instead of printing warning in stderr print it to file. This way the
+user is not spammed with unnecessary messages when updating packages.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1749001
+---
+ lib/sssd.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/lib/sssd.c b/lib/sssd.c
+index 80e49e55..f864ce68 100644
+--- a/lib/sssd.c
++++ b/lib/sssd.c
+@@ -11,7 +11,7 @@
+ #include "prototypes.h"
+ #include "sssd.h"
+ 
+-#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
++#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache."
+ 
+ int sssd_flush_cache (int dbflags)
+ {
+@@ -46,24 +46,22 @@ int sssd_flush_cache (int dbflags)
+ 	free(sss_cache_args);
+ 	if (rv != 0) {
+ 		/* run_command writes its own more detailed message. */
+-		(void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
++		SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
+ 		return -1;
+ 	}
+ 
+ 	code = WEXITSTATUS (status);
+ 	if (!WIFEXITED (status)) {
+-		(void) fprintf (stderr,
+-		                _("%s: sss_cache did not terminate normally (signal %d)\n"),
+-		                Prog, WTERMSIG (status));
++		SYSLOG ((LOG_WARN, "%s: sss_cache did not terminate normally (signal %d)",
++			Prog, WTERMSIG (status)));
+ 		return -1;
+ 	} else if (code == E_CMD_NOTFOUND) {
+ 		/* sss_cache is not installed, or it is installed but uses an
+ 		   interpreter that is missing.  Probably the former. */
+ 		return 0;
+ 	} else if (code != 0) {
+-		(void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
+-		                Prog, code);
+-		(void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
++		SYSLOG ((LOG_WARN, "%s: sss_cache exited with status %d", Prog, code));
++		SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
+ 		return -1;
+ 	}
+ 
+-- 
+2.26.2
+

SOURCES/shadow-4.6-use-itstool.patch

@@ -0,0 +1,31 @@
+diff -up shadow-4.6/man/generate_translations.mak.use-itstool shadow-4.6/man/generate_translations.mak
+--- shadow-4.6/man/generate_translations.mak.use-itstool	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/generate_translations.mak	2018-07-31 16:42:21.623990969 +0200
+@@ -5,8 +5,19 @@ config.xml: ../config.xml.in
+ 	$(MAKE) -C .. config.xml
+ 	cp ../config.xml $@
+ 
+-%.xml: ../%.xml ../po/$(LANG).po
+-	xml2po --expand-all-entities -l $(LANG) -p ../po/$(LANG).po -o $@ ../$@
++messages.mo: ../po/$(LANG).po
++	msgfmt ../po/$(LANG).po -o messages.mo
++
++login.defs.d:
++	ln -sf ../login.defs.d login.defs.d
++
++%.xml: ../%.xml messages.mo login.defs.d
++	if grep -q SHADOW-CONFIG-HERE $< ; then \
++	    sed -e 's/^<!-- SHADOW-CONFIG-HERE -->/<!ENTITY % config SYSTEM "config.xml">%config;/' $< > $@; \
++	else \
++	    sed -e 's/^\(<!DOCTYPE .*docbookx.dtd"\)>/\1 [<!ENTITY % config SYSTEM "config.xml">%config;]>/' $< > $@; \
++	fi
++	itstool -d -l $(LANG) -m messages.mo -o . $@
+ 	sed -i 's:\(^<refentry .*\)>:\1 lang="$(LANG)">:' $@
+ 
+ include ../generate_mans.mak
+@@ -16,4 +27,4 @@ $(man_MANS):
+ 	@echo you need to run configure with --enable-man to generate man pages
+ endif
+ 
+-CLEANFILES = .xml2po.mo $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml
++CLEANFILES = messages.mo login.defs.d $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml

SOURCES/shadow-4.6-use-lckpwdf.patch

@@ -0,0 +1,190 @@
+commit 408b8a548243aebaa6d773beeae8ddf4bb6100f0
+Author: Tomas Mraz <tmraz@fedoraproject.org>
+Date:   Thu May 2 14:33:06 2019 +0200
+
+    Use the lckpwdf() again if prefix is not set
+    
+    The implementation of prefix option dropped the use of lckpwdf().
+    However that is incorrect as other tools manipulating the shadow passwords
+    such as PAM use lckpwdf() and do not know anything about the
+    shadow's own locking mechanism.
+    
+    This reverts the implementation to use lckpwdf() if prefix option
+    is not used.
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index 26e518f2..94dda779 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -364,6 +364,7 @@ static void free_linked_list (struct commonio_db *db)
+ int commonio_setname (struct commonio_db *db, const char *name)
+ {
+ 	snprintf (db->filename, sizeof (db->filename), "%s", name);
++	db->setname = true;
+ 	return 1;
+ }
+ 
+@@ -414,37 +415,39 @@ cleanup_ENOMEM:
+ 
+ int commonio_lock (struct commonio_db *db)
+ {
+-/*#ifdef HAVE_LCKPWDF*/ /* not compatible with prefix option*/
+-#if 0
+-	/*
+-	 * only if the system libc has a real lckpwdf() - the one from
+-	 * lockpw.c calls us and would cause infinite recursion!
+-	 */
++	int i;
+ 
++#ifdef HAVE_LCKPWDF
+ 	/*
+-	 * Call lckpwdf() on the first lock.
+-	 * If it succeeds, call *_lock() only once
+-	 * (no retries, it should always succeed).
++	 * Only if the system libc has a real lckpwdf() - the one from
++	 * lockpw.c calls us and would cause infinite recursion!
++	 * It is also not used with the prefix option.
+ 	 */
+-	if (0 == lock_count) {
+-		if (lckpwdf () == -1) {
+-			if (geteuid () != 0) {
+-				(void) fprintf (stderr,
+-				                "%s: Permission denied.\n",
+-				                Prog);
++	if (!db->setname) {
++		/*
++		 * Call lckpwdf() on the first lock.
++		 * If it succeeds, call *_lock() only once
++		 * (no retries, it should always succeed).
++		 */
++		if (0 == lock_count) {
++			if (lckpwdf () == -1) {
++				if (geteuid () != 0) {
++					(void) fprintf (stderr,
++					                "%s: Permission denied.\n",
++					                Prog);
++				}
++				return 0;	/* failure */
+ 			}
+-			return 0;	/* failure */
+ 		}
+-	}
+ 
+-	if (commonio_lock_nowait (db, true) != 0) {
+-		return 1;	/* success */
+-	}
++		if (commonio_lock_nowait (db, true) != 0) {
++			return 1;	/* success */
++		}
+ 
+-	ulckpwdf ();
+-	return 0;		/* failure */
+-#else				/* !HAVE_LCKPWDF */
+-	int i;
++		ulckpwdf ();
++		return 0;		/* failure */
++	}
++#endif				/* !HAVE_LCKPWDF */
+ 
+ 	/*
+ 	 * lckpwdf() not used - do it the old way.
+@@ -471,7 +474,6 @@ int commonio_lock (struct commonio_db *db)
+ 		}
+ 	}
+ 	return 0;		/* failure */
+-#endif				/* !HAVE_LCKPWDF */
+ }
+ 
+ static void dec_lock_count (void)
+diff --git a/lib/commonio.h b/lib/commonio.h
+index 40e5708f..64e83073 100644
+--- a/lib/commonio.h
++++ b/lib/commonio.h
+@@ -143,6 +143,7 @@ struct commonio_db {
+ 	bool isopen:1;
+ 	bool locked:1;
+ 	bool readonly:1;
++	bool setname:1;
+ };
+ 
+ extern int commonio_setname (struct commonio_db *, const char *);
+diff --git a/lib/groupio.c b/lib/groupio.c
+index ae2302b5..bffb06e0 100644
+--- a/lib/groupio.c
++++ b/lib/groupio.c
+@@ -139,7 +139,8 @@ static /*@owned@*/struct commonio_db group_db = {
+ 	false,			/* changed */
+ 	false,			/* isopen */
+ 	false,			/* locked */
+-	false			/* readonly */
++	false,			/* readonly */
++	false			/* setname */
+ };
+ 
+ int gr_setdbname (const char *filename)
+diff --git a/lib/pwio.c b/lib/pwio.c
+index 7ee85377..127719cb 100644
+--- a/lib/pwio.c
++++ b/lib/pwio.c
+@@ -114,7 +114,8 @@ static struct commonio_db passwd_db = {
+ 	false,			/* changed */
+ 	false,			/* isopen */
+ 	false,			/* locked */
+-	false			/* readonly */
++	false,			/* readonly */
++	false			/* setname */
+ };
+ 
+ int pw_setdbname (const char *filename)
+diff --git a/lib/sgroupio.c b/lib/sgroupio.c
+index 5423626a..ffbdb263 100644
+--- a/lib/sgroupio.c
++++ b/lib/sgroupio.c
+@@ -238,7 +238,8 @@ static struct commonio_db gshadow_db = {
+ 	false,			/* changed */
+ 	false,			/* isopen */
+ 	false,			/* locked */
+-	false			/* readonly */
++	false,			/* readonly */
++	false			/* setname */
+ };
+ 
+ int sgr_setdbname (const char *filename)
+diff --git a/lib/shadowio.c b/lib/shadowio.c
+index 5fa3d312..676b1f1a 100644
+--- a/lib/shadowio.c
++++ b/lib/shadowio.c
+@@ -114,7 +114,8 @@ static struct commonio_db shadow_db = {
+ 	false,			/* changed */
+ 	false,			/* isopen */
+ 	false,			/* locked */
+-	false			/* readonly */
++	false,			/* readonly */
++	false			/* setname */
+ };
+ 
+ int spw_setdbname (const char *filename)
+diff --git a/lib/subordinateio.c b/lib/subordinateio.c
+index a662e67e..dd779c59 100644
+--- a/lib/subordinateio.c
++++ b/lib/subordinateio.c
+@@ -550,7 +550,8 @@ static struct commonio_db subordinate_uid_db = {
+ 	false,			/* changed */
+ 	false,			/* isopen */
+ 	false,			/* locked */
+-	false			/* readonly */
++	false,			/* readonly */
++	false			/* setname */
+ };
+ 
+ int sub_uid_setdbname (const char *filename)
+@@ -631,7 +632,8 @@ static struct commonio_db subordinate_gid_db = {
+ 	false,			/* changed */
+ 	false,			/* isopen */
+ 	false,			/* locked */
+-	false			/* readonly */
++	false,			/* readonly */
++	false			/* setname */
+ };
+ 
+ int sub_gid_setdbname (const char *filename)

SOURCES/shadow-4.6-useradd-check-if-subid-range-exists.patch

@@ -0,0 +1,20 @@
+diff -up shadow-4.6/src/useradd.c.useradd-check-if-subid-range-exists shadow-4.6/src/useradd.c
+--- shadow-4.6/src/useradd.c.useradd-check-if-subid-range-exists	2023-05-17 10:39:41.457826153 +0200
++++ shadow-4.6/src/useradd.c	2023-05-17 10:41:30.937036772 +0200
+@@ -2019,14 +2019,14 @@ static void usr_update (void)
+ 		fail_exit (E_PW_UPDATE);
+ 	}
+ #ifdef ENABLE_SUBIDS
+-	if (is_sub_uid &&
++	if (is_sub_uid && !local_sub_uid_assigned(user_name) &&
+ 	    (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
+ 		fprintf (stderr,
+ 		         _("%s: failed to prepare the new %s entry\n"),
+ 		         Prog, sub_uid_dbname ());
+ 		fail_exit (E_SUB_UID_UPDATE);
+ 	}
+-	if (is_sub_gid &&
++	if (is_sub_gid && !local_sub_gid_assigned(user_name) &&
+ 	    (sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
+ 		fprintf (stderr,
+ 		         _("%s: failed to prepare the new %s entry\n"),

SOURCES/shadow-4.6-useradd_SUB_UID_COUNT-0.patch

@@ -0,0 +1,44 @@
+From 663824ef4ca927aa2b4319b69e0bfa68282ec719 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Sat, 22 May 2021 11:42:02 -0500
+Subject: [PATCH] Fix useradd with SUB_UID_COUNT=0
+
+Closes #298
+
+Fix useradd when SUB_UID_COUNT=0 in login.defs.
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+ src/useradd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 06accb2f..9862ae55 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2386,6 +2386,8 @@ int main (int argc, char **argv)
+ #ifdef ENABLE_SUBIDS
+ 	uid_t uid_min;
+ 	uid_t uid_max;
++	unsigned long subuid_count;
++	unsigned long subgid_count;
+ #endif
+ 
+ 	/*
+@@ -2427,9 +2429,11 @@ int main (int argc, char **argv)
+ #ifdef ENABLE_SUBIDS
+ 	uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+ 	uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+-	is_sub_uid = sub_uid_file_present () && !rflg &&
++	subuid_count = getdef_ulong ("SUB_UID_COUNT", 65536);
++	subgid_count = getdef_ulong ("SUB_GID_COUNT", 65536);
++	is_sub_uid = subuid_count > 0 && sub_uid_file_present () && !rflg &&
+ 	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
+-	is_sub_gid = sub_gid_file_present () && !rflg &&
++	is_sub_gid = subgid_count > 0 && sub_gid_file_present () && !rflg &&
+ 	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
+ #endif				/* ENABLE_SUBIDS */
+ 
+-- 
+2.30.2
+

SOURCES/shadow-4.6-useradd_dont_try_to_create_0_subuids.patch

@@ -0,0 +1,21 @@
+diff -up shadow-4.6/src/useradd.c.useradd_dont_try_to_create_0_subuids shadow-4.6/src/useradd.c
+--- shadow-4.6/src/useradd.c.useradd_dont_try_to_create_0_subuids	2021-11-03 11:55:00.189562187 +0100
++++ shadow-4.6/src/useradd.c	2021-11-03 11:57:34.128658978 +0100
+@@ -2350,7 +2350,7 @@ int main (int argc, char **argv)
+ 	}
+ 
+ #ifdef ENABLE_SUBIDS
+-	if (is_sub_uid) {
++	if (is_sub_uid && subuid_count != 0) {
+ 		if (find_new_sub_uids(user_name, &sub_uid_start, &sub_uid_count) < 0) {
+ 			fprintf (stderr,
+ 			         _("%s: can't create subordinate user IDs\n"),
+@@ -2358,7 +2358,7 @@ int main (int argc, char **argv)
+ 			fail_exit(E_SUB_UID_UPDATE);
+ 		}
+ 	}
+-	if (is_sub_gid) {
++	if (is_sub_gid && subgid_count != 0) {
+ 		if (find_new_sub_gids(user_name, &sub_gid_start, &sub_gid_count) < 0) {
+ 			fprintf (stderr,
+ 			         _("%s: can't create subordinate group IDs\n"),

SOURCES/shadow-4.6-usermod-crash.patch

@@ -0,0 +1,42 @@
+diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c
+--- shadow-4.6/libmisc/prefix_flag.c.usermod-crash	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/libmisc/prefix_flag.c	2018-05-28 15:14:10.642302440 +0200
+@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi
+ {
+ 	long long int gid;
+ 	char *endptr;
++	struct group *g;
+ 
+ 	if (NULL == grname) {
+ 		return NULL;
+@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi
+ 	    	&& (gid == (gid_t)gid)) {
+ 			return prefix_getgrgid ((gid_t) gid);
+ 		}
+-		return prefix_getgrnam (grname);
++		g = prefix_getgrnam (grname);
++		return g ? __gr_dup(g) : NULL;
+ 	}
+ 	else
+ 		return getgr_nam_gid(grname);
+diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c
+--- shadow-4.6/src/usermod.c.usermod-crash	2018-05-28 15:12:37.920332763 +0200
++++ shadow-4.6/src/usermod.c	2018-05-28 15:15:50.337422470 +0200
+@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha
+ 		prefix_user_home = xmalloc(len);
+ 		wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home);
+ 		assert (wlen == (int) len -1);
++		if (user_newhome) {
++			len = strlen(prefix) + strlen(user_newhome) + 2;
++			prefix_user_newhome = xmalloc(len);
++			wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
++			assert (wlen == (int) len -1);
++		}
+ 
+-		len = strlen(prefix) + strlen(user_newhome) + 2;
+-		prefix_user_newhome = xmalloc(len);
+-		wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
+-		assert (wlen == (int) len -1);
+ 	}
+ 	else {
+ 		prefix_user_home = user_home;

SOURCES/shadow-4.6.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEE8dCNt3gYW/eEAC3/6f7qBqheP50FAlrncOkACgkQ6f7qBqhe
+P52UGAf/eOnoIYIZ52y72iMxeNfQMTMjYTZd1YrtjlK0RQKquK7FrCOg91MvOF2B
+hLVKu2OU7mzuPTMSAraAxjXLkrM0E3vFjMtu1fHBGlGTMspAfik/9Gu9qoevAKXy
+BRqgN5m5HMfoGPeEjzILzaGq8bnPKIOfJ0iAYVkjjIa73Vn20uTmNgNZIRqHqwfw
+5GUFHn6cjQXFcQ3ngywgwQD7/h/65w8dBbGysF551sAqzPJRbneQL9Wtklcqi1ub
+55NyF0ifT67RqMh+EyxhuhXP1Hi57PTEAeqaFMFxnPlQPb+8pQ8nszWBmI+vUN8D
+FmhwCtSTnmKlj0jeAqevmkijJhGPQQ==
+=fk/F
+-----END PGP SIGNATURE-----

SOURCES/shadow-4.8-ignore-login-prompt.patch

@@ -1,11 +0,0 @@
-diff -up shadow-4.8/lib/getdef.c.login-prompt shadow-4.8/lib/getdef.c
---- shadow-4.8/lib/getdef.c.login-prompt	2020-01-13 10:38:44.852796681 +0100
-+++ shadow-4.8/lib/getdef.c	2020-01-13 10:39:54.472612511 +0100
-@@ -98,6 +98,7 @@ static struct itemdef def_table[] = {
- 	{"LASTLOG_UID_MAX", NULL},
- 	{"LOGIN_RETRIES", NULL},
- 	{"LOGIN_TIMEOUT", NULL},
-+	{"LOGIN_PLAIN_PROMPT", NULL},
- 	{"LOG_OK_LOGINS", NULL},
- 	{"LOG_UNKFAIL_ENAB", NULL},
- 	{"MAIL_DIR", NULL},

SOURCES/shadow-4.9-badname-special-characters.patch

@@ -1,106 +0,0 @@
-diff -up shadow-4.9/man/usermod.8.xml.badname-special-characters shadow-4.9/man/usermod.8.xml
---- shadow-4.9/man/usermod.8.xml.badname-special-characters	2021-07-22 23:55:35.000000000 +0200
-+++ shadow-4.9/man/usermod.8.xml	2022-09-26 16:32:46.214519257 +0200
-@@ -110,7 +110,7 @@
-       </varlistentry>
-       <varlistentry>
- 	<term>
--	  <option>-b</option>, <option>--badnames</option>
-+	  <option>-b</option>, <option>--badname</option>
- 	</term>
- 	<listitem>
- 	  <para>
-diff -up shadow-4.9/src/newusers.c.badname-special-characters shadow-4.9/src/newusers.c
---- shadow-4.9/src/newusers.c.badname-special-characters	2021-07-22 23:55:35.000000000 +0200
-+++ shadow-4.9/src/newusers.c	2022-09-26 16:33:31.331869855 +0200
-@@ -139,7 +139,7 @@ static void usage (int status)
- 	                  "\n"
- 	                  "Options:\n"),
- 	                Prog);
--	(void) fputs (_("  -b, --badnames                allow bad names\n"), usageout);
-+	(void) fputs (_("  -b, --badname                 allow bad names\n"), usageout);
- #ifndef USE_PAM
- 	(void) fprintf (usageout,
- 	                _("  -c, --crypt-method METHOD     the crypt method (one of %s)\n"),
-@@ -406,7 +406,7 @@ static int add_user (const char *name, u
- 	/* Check if this is a valid user name */
- 	if (!is_valid_user_name (name)) {
- 		fprintf (stderr,
--		         _("%s: invalid user name '%s'\n"),
-+		         _("%s: invalid user name '%s': use --badname to ignore\n"),
- 		         Prog, name);
- 		return -1;
- 	}
-@@ -634,7 +634,7 @@ static void process_flags (int argc, cha
-         int bad_s;
- #endif				/* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
- 	static struct option long_options[] = {
--		{"badnames",     no_argument,       NULL, 'b'},
-+		{"badname",      no_argument,       NULL, 'b'},
- #ifndef USE_PAM
- 		{"crypt-method", required_argument, NULL, 'c'},
- #endif				/* !USE_PAM */
-diff -up shadow-4.9/src/pwck.c.badname-special-characters shadow-4.9/src/pwck.c
---- shadow-4.9/src/pwck.c.badname-special-characters	2022-09-26 16:32:46.208519211 +0200
-+++ shadow-4.9/src/pwck.c	2022-09-26 16:32:46.214519257 +0200
-@@ -151,7 +151,7 @@ static /*@noreturn@*/void usage (int sta
- 		                  "Options:\n"),
- 		                Prog);
- 	}
--	(void) fputs (_("  -b, --badnames                allow bad names\n"), usageout);
-+	(void) fputs (_("  -b, --badname                 allow bad names\n"), usageout);
- 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
- 	(void) fputs (_("  -q, --quiet                   report errors only\n"), usageout);
- 	(void) fputs (_("  -r, --read-only               display errors and warnings\n"
-@@ -176,7 +176,7 @@ static void process_flags (int argc, cha
- {
- 	int c;
- 	static struct option long_options[] = {
--		{"badnames",  no_argument,       NULL, 'b'},
-+		{"badname",   no_argument,       NULL, 'b'},
- 		{"help",      no_argument,       NULL, 'h'},
- 		{"quiet",     no_argument,       NULL, 'q'},
- 		{"read-only", no_argument,       NULL, 'r'},
-@@ -493,7 +493,8 @@ static void check_pw_file (int *errors,
- 		 */
- 
- 		if (!is_valid_user_name (pwd->pw_name)) {
--			printf (_("invalid user name '%s'\n"), pwd->pw_name);
-+			printf (_("invalid user name '%s': use --badname to ignore\n"),
-+					pwd->pw_name);
- 			*errors += 1;
- 		}
- 
-diff -up shadow-4.9/src/useradd.c.badname-special-characters shadow-4.9/src/useradd.c
---- shadow-4.9/src/useradd.c.badname-special-characters	2022-09-26 16:32:46.212519242 +0200
-+++ shadow-4.9/src/useradd.c	2022-09-26 16:32:46.214519257 +0200
-@@ -852,7 +852,7 @@ static void usage (int status)
- 	                  "\n"
- 	                  "Options:\n"),
- 	                Prog, Prog, Prog);
--	(void) fputs (_("      --badnames                do not check for bad names\n"), usageout);
-+	(void) fputs (_("      --badname                 do not check for bad names\n"), usageout);
- 	(void) fputs (_("  -b, --base-dir BASE_DIR       base directory for the home directory of the\n"
- 	                "                                new account\n"), usageout);
- #ifdef WITH_BTRFS
-@@ -1119,7 +1119,7 @@ static void process_flags (int argc, cha
- #ifdef WITH_BTRFS
- 			{"btrfs-subvolume-home", no_argument, NULL, 200},
- #endif
--			{"badnames",       no_argument,       NULL, 201},
-+			{"badname",        no_argument,       NULL, 201},
- 			{"comment",        required_argument, NULL, 'c'},
- 			{"home-dir",       required_argument, NULL, 'd'},
- 			{"defaults",       no_argument,       NULL, 'D'},
-diff -up shadow-4.9/src/usermod.c.badname-special-characters shadow-4.9/src/usermod.c
---- shadow-4.9/src/usermod.c.badname-special-characters	2022-09-26 16:32:46.215519265 +0200
-+++ shadow-4.9/src/usermod.c	2022-09-26 16:33:52.274032599 +0200
-@@ -418,7 +418,7 @@ static /*@noreturn@*/void usage (int sta
- 	                  "\n"
- 	                  "Options:\n"),
- 	                Prog);
--	(void) fputs (_("  -b, --badnames                allow bad names\n"), usageout);
-+	(void) fputs (_("  -b, --badname                 allow bad names\n"), usageout);
- 	(void) fputs (_("  -c, --comment COMMENT         new value of the GECOS field\n"), usageout);
- 	(void) fputs (_("  -d, --home HOME_DIR           new home directory for the user account\n"), usageout);
- 	(void) fputs (_("  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE\n"), usageout);

SOURCES/shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch

@@ -1,60 +0,0 @@
-From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001
-From: Mike Gilbert <floppym@gentoo.org>
-Date: Sat, 14 Aug 2021 13:24:34 -0400
-Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds()
-
-If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified,
-use SHA_ROUNDS_DEFAULT.
-
-Previously, the code fell through, calling shadow_random(-1, -1). This
-ultimately set rounds = (unsigned long) -1, which ends up being a very
-large number! This then got capped to SHA_ROUNDS_MAX later in the
-function.
-
-The new behavior matches BCRYPT_get_salt_rounds().
-
-Bug: https://bugs.gentoo.org/808195
-Fixes: https://github.com/shadow-maint/shadow/issues/393
----
- libmisc/salt.c | 21 +++++++++++----------
- 1 file changed, 11 insertions(+), 10 deletions(-)
-
-diff --git a/libmisc/salt.c b/libmisc/salt.c
-index 91d528fd..30eefb9c 100644
---- a/libmisc/salt.c
-+++ b/libmisc/salt.c
-@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre
- 		if ((-1 == min_rounds) && (-1 == max_rounds)) {
- 			rounds = SHA_ROUNDS_DEFAULT;
- 		}
-+		else {
-+			if (-1 == min_rounds) {
-+				min_rounds = max_rounds;
-+			}
- 
--		if (-1 == min_rounds) {
--			min_rounds = max_rounds;
--		}
-+			if (-1 == max_rounds) {
-+				max_rounds = min_rounds;
-+			}
- 
--		if (-1 == max_rounds) {
--			max_rounds = min_rounds;
--		}
-+			if (min_rounds > max_rounds) {
-+				max_rounds = min_rounds;
-+			}
- 
--		if (min_rounds > max_rounds) {
--			max_rounds = min_rounds;
-+			rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
- 		}
--
--		rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
- 	} else if (0 == *prefered_rounds) {
- 		rounds = SHA_ROUNDS_DEFAULT;
- 	} else {
--- 
-2.31.1
-

SOURCES/shadow-4.9-manfix.patch

@@ -1,180 +0,0 @@
-diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml
---- shadow-4.8.1/man/groupmems.8.xml.manfix	2020-03-17 15:34:48.750414984 +0100
-+++ shadow-4.8.1/man/groupmems.8.xml	2020-03-17 15:41:13.383588722 +0100
-@@ -179,20 +179,10 @@
-   <refsect1 id='setup'>
-     <title>SETUP</title>
-     <para>
--      The <command>groupmems</command> executable should be in mode
--      <literal>2710</literal> as user <emphasis>root</emphasis> and in group
--      <emphasis>groups</emphasis>. The system administrator can add users to
--      group <emphasis>groups</emphasis> to allow or disallow them using the
--      <command>groupmems</command> utility to manage their own group
--      membership list.
-+      In this operating system the <command>groupmems</command> executable
-+      is not setuid and regular users cannot use it to manipulate
-+      the membership of their own group.
-     </para>
--
--    <programlisting>
--	$ groupadd -r groups
--	$ chmod 2710 groupmems
--	$ chown root.groups groupmems
--	$ groupmems -g groups -a gk4
--    </programlisting>
-   </refsect1>
- 
-   <refsect1 id='configuration'>
-diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5
---- shadow-4.8.1/man/ja/man5/login.defs.5.manfix	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8.1/man/ja/man5/login.defs.5	2020-03-17 15:34:48.750414984 +0100
-@@ -147,10 +147,6 @@ 以下の参照表は、
- shadow パスワード機能のどのプログラムが
- どのパラメータを使用するかを示したものである。
- .na
--.IP chfn 12
--CHFN_AUTH CHFN_RESTRICT
--.IP chsh 12
--CHFN_AUTH
- .IP groupadd 12
- GID_MAX GID_MIN
- .IP newusers 12
-diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml
---- shadow-4.8.1/man/login.defs.5.xml.manfix	2020-01-17 16:47:56.000000000 +0100
-+++ shadow-4.8.1/man/login.defs.5.xml	2020-03-17 15:34:48.750414984 +0100
-@@ -164,6 +164,17 @@
-       long numeric parameters is machine-dependent.
-     </para>
- 
-+    <para>
-+      Please note that the parameters in this configuration file control the
-+      behavior of the tools from the shadow-utils component. None of these
-+      tools uses the PAM mechanism, and the utilities that use PAM (such as the
-+      passwd command) should be configured elsewhere. The only values that
-+      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
-+      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
-+      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
-+      pam(8) for more information.
-+    </para>
-+
-     <para>The following configuration items are provided:</para>
- 
-     <variablelist remap='IP'>
-@@ -256,16 +267,6 @@
- 	</listitem>
-       </varlistentry>
-       <varlistentry>
--	<term>chfn</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CHFN_AUTH</phrase>
--	    CHFN_RESTRICT
--	    <phrase condition="no_pam">LOGIN_STRING</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
--      <varlistentry>
- 	<term>chgpasswd</term>
- 	<listitem>
- 	  <para>
-@@ -286,14 +287,6 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry condition="no_pam">
--	<term>chsh</term>
--	<listitem>
--	  <para>
--	    CHSH_AUTH LOGIN_STRING
--	  </para>
--	</listitem>
--      </varlistentry>
-       <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
-       <!-- faillog: no variables -->
-       <varlistentry>
-@@ -359,34 +352,6 @@
- 	  <para>LASTLOG_UID_MAX</para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry>
--	<term>login</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CONSOLE</phrase>
--	    CONSOLE_GROUPS DEFAULT_HOME
--	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
--	    ENV_TZ ENVIRON_FILE</phrase>
--	    ERASECHAR FAIL_DELAY
--	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
--	    FAKE_SHELL
--	    <phrase condition="no_pam">FTMP_FILE</phrase>
--	    HUSHLOGIN_FILE
--	    <phrase condition="no_pam">ISSUE_FILE</phrase>
--	    KILLCHAR
--	    <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
--	    LOGIN_RETRIES
--	    <phrase condition="no_pam">LOGIN_STRING</phrase>
--	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
--	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
--	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
--	    QUOTAS_ENAB</phrase>
--	    TTYGROUP TTYPERM TTYTYPE_FILE
--	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
--	    USERGROUPS_ENAB
--	  </para>
--	</listitem>
--      </varlistentry>
-       <!-- logoutd: no variables -->
-       <varlistentry>
- 	<term>newgrp / sg</term>
-@@ -415,17 +380,6 @@
- 	</listitem>
-       </varlistentry>
-       <!-- nologin: no variables -->
--      <varlistentry condition="no_pam">
--	<term>passwd</term>
--	<listitem>
--	  <para>
--	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
--	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
--	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
--	    SHA_CRYPT_MIN_ROUNDS</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
-       <varlistentry>
- 	<term>pwck</term>
- 	<listitem>
-@@ -452,32 +406,6 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry>
--	<term>su</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CONSOLE</phrase>
--	    CONSOLE_GROUPS DEFAULT_HOME
--	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
--	    ENV_PATH ENV_SUPATH
--	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
--	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
--	    SULOG_FILE SU_NAME
--	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
--	    SYSLOG_SU_ENAB
--	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
--      <varlistentry>
--	<term>sulogin</term>
--	<listitem>
--	  <para>
--	    ENV_HZ
--	    <phrase condition="no_pam">ENV_TZ</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
-       <varlistentry>
- 	<term>useradd</term>
- 	<listitem>

SOURCES/shadow-4.9-move-create-home.patch

@@ -1,88 +0,0 @@
-From 09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa <ipedrosa@redhat.com>
-Date: Fri, 8 Oct 2021 13:09:59 +0200
-Subject: [PATCH] useradd: create directories after the SELinux user
-
-Create the home and mail folders after the SELinux user has been set for
-the added user. This will allow the folders to be created with the
-SELinux user label.
-
-Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
----
- src/useradd.c | 46 +++++++++++++++++++++++-----------------------
- 1 file changed, 23 insertions(+), 23 deletions(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index 6269c01c..b463a170 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -2670,27 +2670,12 @@ int main (int argc, char **argv)
- 
- 	usr_update ();
- 
--	if (mflg) {
--		create_home ();
--		if (home_added) {
--			copy_tree (def_template, prefix_user_home, false, false,
--			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
--		} else {
--			fprintf (stderr,
--			         _("%s: warning: the home directory %s already exists.\n"
--			           "%s: Not copying any file from skel directory into it.\n"),
--			         Prog, user_home, Prog);
--		}
--
--	}
--
--	/* Do not create mail directory for system accounts */
--	if (!rflg) {
--		create_mail ();
--	}
--
- 	close_files ();
- 
-+	nscd_flush_cache ("passwd");
-+	nscd_flush_cache ("group");
-+	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
-+
- 	/*
- 	 * tallylog_reset needs to be able to lookup
- 	 * a valid existing user name,
-@@ -2716,15 +2701,30 @@ int main (int argc, char **argv)
- 	}
- #endif				/* WITH_SELINUX */
- 
-+	if (mflg) {
-+		create_home ();
-+		if (home_added) {
-+			copy_tree (def_template, prefix_user_home, false, false,
-+			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
-+		} else {
-+			fprintf (stderr,
-+			         _("%s: warning: the home directory %s already exists.\n"
-+			           "%s: Not copying any file from skel directory into it.\n"),
-+			         Prog, user_home, Prog);
-+		}
-+
-+	}
-+
-+	/* Do not create mail directory for system accounts */
-+	if (!rflg) {
-+		create_mail ();
-+	}
-+
- 	if (run_parts ("/etc/shadow-maint/useradd-post.d", (char*)user_name,
- 			"useradd")) {
- 		exit(1);
- 	}
- 
--	nscd_flush_cache ("passwd");
--	nscd_flush_cache ("group");
--	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
--
- 	return E_SUCCESS;
- }
- 
--- 
-2.31.1
-

SOURCES/shadow-4.9-newgrp-fix-segmentation-fault.patch

@@ -1,35 +0,0 @@
-From 497e90751bc0d95cc998b0f06305040563903948 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa <ipedrosa@redhat.com>
-Date: Wed, 10 Nov 2021 12:02:04 +0100
-Subject: [PATCH] newgrp: fix segmentation fault
-
-Fix segmentation fault in newgrp when xgetspnam() returns a NULL value
-that is immediately freed.
-
-The error was committed in
-https://github.com/shadow-maint/shadow/commit/e65cc6aebcb4132fa413f00a905216a5b35b3d57
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2019553
-
-Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
----
- src/newgrp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/newgrp.c b/src/newgrp.c
-index 730f47e8..566f1c89 100644
---- a/src/newgrp.c
-+++ b/src/newgrp.c
-@@ -163,8 +163,8 @@ static void check_perms (const struct group *grp,
- 	spwd = xgetspnam (pwd->pw_name);
- 	if (NULL != spwd) {
- 		pwd->pw_passwd = xstrdup (spwd->sp_pwdp);
-+		spw_free (spwd);
- 	}
--	spw_free (spwd);
- 
- 	if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) {
- 		needspasswd = true;
--- 
-2.31.1
-

SOURCES/shadow-4.9-newuidmap-libeconf-dependency.patch

@@ -1,15 +0,0 @@
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 7c1a3491..6cc873be 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -96,8 +96,8 @@ LIBCRYPT_NOPAM = $(LIBCRYPT)
- endif
- 
- chage_LDADD    = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
--newuidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
--newgidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
-+newuidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
-+newgidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
- chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
- chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
- chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)

SOURCES/shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch

@@ -1,30 +0,0 @@
-From d8e54618feea201987c1f3cb402ed50d1d8b604f Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa <ipedrosa@redhat.com>
-Date: Mon, 15 Nov 2021 12:40:15 +0100
-Subject: [PATCH] pwck: fix segfault when calling fprintf()
-
-As shadow_logfd variable is not set at the beginning of the program if
-something fails and fprintf() is called a segmentation fault happens.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2021339
-
-Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
----
- src/pwck.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/pwck.c b/src/pwck.c
-index 4248944a..4ce86af2 100644
---- a/src/pwck.c
-+++ b/src/pwck.c
-@@ -857,6 +857,7 @@ int main (int argc, char **argv)
- 	 * Get my name so that I can use it to report errors.
- 	 */
- 	Prog = Basename (argv[0]);
-+	shadow_logfd = stderr;
- 
- 	(void) setlocale (LC_ALL, "");
- 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
--- 
-2.31.1
-

SOURCES/shadow-4.9-revert-useradd-fix-memleak.patch

@@ -1,30 +0,0 @@
-From 4624e9fca1b02b64e25e8b2280a0186182ab73ba Mon Sep 17 00:00:00 2001
-From: Serge Hallyn <serge@hallyn.com>
-Date: Sat, 14 Aug 2021 19:37:24 -0500
-Subject: [PATCH] Revert "useradd.c:fix memleaks of grp"
-
-In some cases, the value which was being freed is not actually
-safe to free.
-
-Closes #394
-
-This reverts commit c44b71cec25d60efc51aec9de3abce1f6efbfcf5.
----
- src/useradd.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index f90127cd..0d3f390d 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -413,7 +413,6 @@ static void get_defaults (void)
- 			} else {
- 				def_group = grp->gr_gid;
- 				def_gname = xstrdup (grp->gr_name);
--				gr_free(grp);
- 			}
- 		}
- 
--- 
-2.31.1
-

SOURCES/shadow-4.9-semanage-close-the-selabel-handle.patch

@@ -1,61 +0,0 @@
-From 234af5cf67fc1a3ba99fc246ba65869a3c416545 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa <ipedrosa@redhat.com>
-Date: Fri, 8 Oct 2021 13:13:13 +0200
-Subject: [PATCH] semanage: close the selabel handle
-
-Close the selabel handle to update the file_context. This means that the
-file_context will be remmaped and used by selabel_lookup() to return
-the appropriate context to label the home folder.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081
-
-Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
----
- lib/prototypes.h | 1 +
- lib/selinux.c    | 5 +++++
- lib/semanage.c   | 1 +
- 3 files changed, 7 insertions(+)
-
-diff --git a/lib/prototypes.h b/lib/prototypes.h
-index 1d1586d4..b697e0ec 100644
---- a/lib/prototypes.h
-+++ b/lib/prototypes.h
-@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
- /* selinux.c */
- #ifdef WITH_SELINUX
- extern int set_selinux_file_context (const char *dst_name, mode_t mode);
-+extern void reset_selinux_handle (void);
- extern int reset_selinux_file_context (void);
- extern int check_selinux_permit (const char *perm_name);
- #endif
-diff --git a/lib/selinux.c b/lib/selinux.c
-index c83545f9..b075d4c0 100644
---- a/lib/selinux.c
-+++ b/lib/selinux.c
-@@ -50,6 +50,11 @@ static void cleanup(void)
- 	}
- }
- 
-+void reset_selinux_handle (void)
-+{
-+    cleanup();
-+}
-+
- /*
-  * set_selinux_file_context - Set the security context before any file or
-  *                            directory creation.
-diff --git a/lib/semanage.c b/lib/semanage.c
-index 0d30456a..a5bf9218 100644
---- a/lib/semanage.c
-+++ b/lib/semanage.c
-@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
- 	}
- 
- 	ret = 0;
-+	reset_selinux_handle();
- 
- done:
- 	semanage_seuser_key_free (key);
--- 
-2.31.1
-

SOURCES/shadow-4.9-useradd-avoid-generating-empty-subid-range.patch

@@ -1,79 +0,0 @@
-diff --git a/src/useradd.c b/src/useradd.c
-index baeffb35..9abeea6e 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -142,9 +142,7 @@ static bool is_sub_gid = false;
- static bool sub_uid_locked = false;
- static bool sub_gid_locked = false;
- static uid_t sub_uid_start;	/* New subordinate uid range */
--static unsigned long sub_uid_count;
- static gid_t sub_gid_start;	/* New subordinate gid range */
--static unsigned long sub_gid_count;
- #endif				/* ENABLE_SUBIDS */
- static bool pw_locked = false;
- static bool gr_locked = false;
-@@ -234,7 +232,7 @@ static void open_shadow (void);
- static void faillog_reset (uid_t);
- static void lastlog_reset (uid_t);
- static void tallylog_reset (const char *);
--static void usr_update (void);
-+static void usr_update (unsigned long subuid_count, unsigned long subgid_count);
- static void create_home (void);
- static void create_mail (void);
- static void check_uid_range(int rflg, uid_t user_id);
-@@ -2092,7 +2090,7 @@ static void tallylog_reset (const char *user_name)
-  *	usr_update() creates the password file entries for this user
-  *	and will update the group entries if required.
-  */
--static void usr_update (void)
-+static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
- {
- 	struct passwd pwent;
- 	struct spwd spent;
-@@ -2155,14 +2153,14 @@ static void usr_update (void)
- 	}
- #ifdef ENABLE_SUBIDS
- 	if (is_sub_uid &&
--	    (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
-+	    (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
- 		fprintf (stderr,
- 		         _("%s: failed to prepare the new %s entry\n"),
- 		         Prog, sub_uid_dbname ());
- 		fail_exit (E_SUB_UID_UPDATE);
- 	}
- 	if (is_sub_gid &&
--	    (sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
-+	    (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
- 		fprintf (stderr,
- 		         _("%s: failed to prepare the new %s entry\n"),
- 		         Prog, sub_uid_dbname ());
-@@ -2624,16 +2622,16 @@ int main (int argc, char **argv)
- 	}
- 
- #ifdef ENABLE_SUBIDS
--	if (is_sub_uid && sub_uid_count != 0) {
--		if (find_new_sub_uids(&sub_uid_start, &sub_uid_count) < 0) {
-+	if (is_sub_uid && subuid_count != 0) {
-+		if (find_new_sub_uids(&sub_uid_start, &subuid_count) < 0) {
- 			fprintf (stderr,
- 			         _("%s: can't create subordinate user IDs\n"),
- 			         Prog);
- 			fail_exit(E_SUB_UID_UPDATE);
- 		}
- 	}
--	if (is_sub_gid && sub_gid_count != 0) {
--		if (find_new_sub_gids(&sub_gid_start, &sub_gid_count) < 0) {
-+	if (is_sub_gid && subgid_count != 0) {
-+		if (find_new_sub_gids(&sub_gid_start, &subgid_count) < 0) {
- 			fprintf (stderr,
- 			         _("%s: can't create subordinate group IDs\n"),
- 			         Prog);
-@@ -2642,7 +2640,7 @@ int main (int argc, char **argv)
- 	}
- #endif				/* ENABLE_SUBIDS */
- 
--	usr_update ();
-+	usr_update (subuid_count, subgid_count);
- 
- 	close_files ();
- 

SOURCES/shadow-4.9-useradd-check-if-subid-range-exists.patch

@@ -1,38 +0,0 @@
-From e0524e813a3bae2891b33a66f35876841c11cee7 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa <ipedrosa@redhat.com>
-Date: Mon, 24 Oct 2022 10:46:36 +0200
-Subject: [PATCH] useradd: check if subid range exists for user
-
-Check if a user already has a subid range before assigning one.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012929
-
-Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
----
- src/useradd.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index 7ea0a9c4..e784d602 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -2188,14 +2188,14 @@ static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
- 		fail_exit (E_PW_UPDATE);
- 	}
- #ifdef ENABLE_SUBIDS
--	if (is_sub_uid &&
-+	if (is_sub_uid && !local_sub_uid_assigned(user_name) &&
- 	    (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
- 		fprintf (stderr,
- 		         _("%s: failed to prepare the new %s entry\n"),
- 		         Prog, sub_uid_dbname ());
- 		fail_exit (E_SUB_UID_UPDATE);
- 	}
--	if (is_sub_gid &&
-+	if (is_sub_gid && !local_sub_gid_assigned(user_name) &&
- 	    (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
- 		fprintf (stderr,
- 		         _("%s: failed to prepare the new %s entry\n"),
--- 
-2.40.1
-

SOURCES/shadow-4.9-useradd-copy-tree-argument.patch

@@ -1,13 +0,0 @@
-diff --git a/src/useradd.c b/src/useradd.c
-index b463a170..f7c97958 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -2704,7 +2704,7 @@ int main (int argc, char **argv)
- 	if (mflg) {
- 		create_home ();
- 		if (home_added) {
--			copy_tree (def_template, prefix_user_home, false, false,
-+			copy_tree (def_template, prefix_user_home, false, true,
- 			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
- 		} else {
- 			fprintf (stderr,

SOURCES/shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch

@@ -1,19 +0,0 @@
-diff -up shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users shadow-4.9/src/useradd.c
---- shadow-4.9/src/useradd.c.useradd-modify-check-ID-range-for-system-users	2022-04-22 14:50:10.658371270 +0200
-+++ shadow-4.9/src/useradd.c	2022-04-22 14:54:34.810100549 +0200
-@@ -2319,12 +2319,10 @@ static void check_uid_range(int rflg, ui
- {
- 	uid_t uid_min ;
- 	uid_t uid_max ;
--	if(rflg){
--		uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
-+	if (rflg) {
- 		uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
--		if(uid_min <= uid_max){
--			if(user_id < uid_min || user_id >uid_max)
--				fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
-+		if (user_id > uid_max) {
-+			fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
- 		}
- 	}else{
- 		uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);

SOURCES/shadow-4.9.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEE8dCNt3gYW/eEAC3/6f7qBqheP50FAmD5+dkACgkQ6f7qBqhe
-P53Qywf/ShkcKvecTDRIrKUNJUTIlP8iywZ1NXypfdDKG/J63awMAGrKMZwOkLUS
-AnImsvyoW3+XDIhdkeJd1Kv+8JDEt3oJ0ifHjfpXl4FzOervb1ZKtRPUcoJzzpnJ
-Szt/7f3Sd0VfbItgf5F6jgMi7iDA/ZIqJTXeI0kEfVVL7DT681jVRjpnoURlrEq1
-6SmIyAul50VmZjLXq1xJ35uktr7VclnaRu17acax95e+oekP4sdNMaV5E5DSeq2N
-db7kKCu80+lPvtQpj22vOO2w15ActH6f5Ec3P7OG8jL125q3yZNebVoh8FKxmFsh
-PssfXu0TL50qH/p7qNEeihDLpwoI7g==
-=6MLu
------END PGP SIGNATURE-----

SOURCES/shadow-utils.HOME_MODE.xml

@@ -1,43 +0,0 @@
-<!--
-   Copyright (c) 1991 - 1993, Julianne Frances Haugh
-   Copyright (c) 1991 - 1993, Chip Rosenthal
-   Copyright (c) 2007 - 2009, Nicolas François
-   All rights reserved.
-  
-   Redistribution and use in source and binary forms, with or without
-   modification, are permitted provided that the following conditions
-   are met:
-   1. Redistributions of source code must retain the above copyright
-      notice, this list of conditions and the following disclaimer.
-   2. Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-   3. The name of the copyright holders or contributors may not be used to
-      endorse or promote products derived from this software without
-      specific prior written permission.
-  
-   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
-   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--->
-<varlistentry>
-  <term><option>HOME_MODE</option> (number)</term>
-  <listitem>
-    <para>
-      The mode for new home directories. If not specified,
-      the <option>UMASK</option> is used to create the mode.
-    </para>
-    <para>
-      <command>useradd</command> and <command>newusers</command> use this
-      to set the mode of the home directory they create.
-    </para>
-  </listitem>
-</varlistentry>

SOURCES/shadow-utils.login.defs

@@ -6,107 +6,15 @@
 # /etc/pam.d/system-auth for more information.
 #
 
-#
-# Delay in seconds before being allowed another attempt after a login failure
-# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
-#       pam_unix(8) enforces a 2s delay)
-#
-#FAIL_DELAY		3
-
-# Currently FAILLOG_ENAB is not supported
-
-#
-# Enable display of unknown usernames when login(1) failures are recorded.
-#
-#LOG_UNKFAIL_ENAB	no
-
-# Currently LOG_OK_LOGINS is not supported
-
-# Currently LASTLOG_ENAB is not supported
-
-#
-# Limit the highest user ID number for which the lastlog entries should
-# be updated.
-#
-# No LASTLOG_UID_MAX means that there is no user ID limit for writing
-# lastlog entries.
-#
-#LASTLOG_UID_MAX
-
-# Currently MAIL_CHECK_ENAB is not supported
-
-# Currently OBSCURE_CHECKS_ENAB is not supported
-
-# Currently PORTTIME_CHECKS_ENAB is not supported
-
-# Currently QUOTAS_ENAB is not supported
-
-# Currently SYSLOG_SU_ENAB is not supported
-
-#
-# Enable "syslog" logging of newgrp(1) and sg(1) activity.
-#
-#SYSLOG_SG_ENAB		yes
-
-# Currently CONSOLE is not supported
-
-# Currently SULOG_FILE is not supported
-
-# Currently MOTD_FILE is not supported
-
-# Currently ISSUE_FILE is not supported
-
-# Currently TTYTYPE_FILE is not supported
-
-# Currently FTMP_FILE is not supported
-
-# Currently NOLOGINS_FILE is not supported
-
-# Currently SU_NAME is not supported
-
 # *REQUIRED*
 #   Directory where mailboxes reside, _or_ name of file, relative to the
 #   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
+#   QMAIL_DIR is for Qmail
 #
+#QMAIL_DIR	Maildir
 MAIL_DIR	/var/spool/mail
 #MAIL_FILE	.mail
 
-#
-# If defined, file which inhibits all the usual chatter during the login
-# sequence.  If a full pathname, then hushed mode will be enabled if the
-# user's name or shell are found in the file.  If not a full pathname, then
-# hushed mode will be enabled if the file exists in the user's home directory.
-#
-#HUSHLOGIN_FILE	.hushlogin
-#HUSHLOGIN_FILE	/etc/hushlogins
-
-# Currently ENV_TZ is not supported
-
-# Currently ENV_HZ is not supported
-
-#
-# The default PATH settings, for superuser and normal users.
-#
-# (they are minimal, add the rest in the shell startup files)
-#ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
-#ENV_PATH	PATH=/bin:/usr/bin
-
-#
-# Terminal permissions
-#
-#	TTYGROUP	Login tty will be assigned this group ownership.
-#	TTYPERM		Login tty will be set to this permission.
-#
-# If you have a write(1) program which is "setgid" to a special group
-# which owns the terminals, define TTYGROUP as the number of such group
-# and TTYPERM as 0620.  Otherwise leave TTYGROUP commented out and
-# set TTYPERM to either 622 or 600.
-#
-#TTYGROUP	tty
-#TTYPERM		0600
-
-# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
-
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
 # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
@@ -130,76 +38,49 @@ HOME_MODE	0700
 #
 PASS_MAX_DAYS	99999
 PASS_MIN_DAYS	0
+PASS_MIN_LEN	5
 PASS_WARN_AGE	7
 
-# Currently PASS_MIN_LEN is not supported
-
-# Currently SU_WHEEL_ONLY is not supported
-
-# Currently CRACKLIB_DICTPATH is not supported
-
 #
-# Min/max values for automatic uid selection in useradd(8)
+# Min/max values for automatic uid selection in useradd
 #
 UID_MIN                  1000
 UID_MAX                 60000
 # System accounts
 SYS_UID_MIN               201
 SYS_UID_MAX               999
-# Extra per user uids
-SUB_UID_MIN		   100000
-SUB_UID_MAX		600100000
-SUB_UID_COUNT		    65536
 
 #
-# Min/max values for automatic gid selection in groupadd(8)
+# Min/max values for automatic gid selection in groupadd
 #
 GID_MIN                  1000
 GID_MAX                 60000
 # System accounts
 SYS_GID_MIN               201
 SYS_GID_MAX               999
-# Extra per user group ids
-SUB_GID_MIN		   100000
-SUB_GID_MAX		600100000
-SUB_GID_COUNT		    65536
 
 #
-# Max number of login(1) retries if password is bad
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
 #
-#LOGIN_RETRIES		3
+#USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# Max time in seconds for login(1)
+# If useradd should create home directories for users by default
+# On RH systems, we do. This option is overridden with the -m flag on
+# useradd command line.
 #
-#LOGIN_TIMEOUT		60
+CREATE_HOME	yes
 
-# Currently PASS_CHANGE_TRIES is not supported
+# This enables userdel to remove user groups if no members exist.
-
+#
-# Currently PASS_ALWAYS_WARN is not supported
+USERGROUPS_ENAB yes
-
-# Currently PASS_MAX_LEN is not supported
-
-# Currently CHFN_AUTH is not supported
 
 #
-# Which fields may be changed by regular users using chfn(1) - use
-# any combination of letters "frwh" (full name, room number, work
-# phone, home phone).  If not defined, no changes are allowed.
-# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-# 
-#CHFN_RESTRICT		rwh
-
-# Currently LOGIN_STRING is not supported
-
-# Currently MD5_CRYPT_ENAB is not supported
-
-#
-# If set to MD5, MD5-based algorithm will be used for encrypting password
 # If set to SHA256, SHA256-based algorithm will be used for encrypting password
 # If set to SHA512, SHA512-based algorithm will be used for encrypting password
-# If set to BLOWFISH, BLOWFISH-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
-# If set to DES, DES-based algorithm will be used for encrypting password (default)
 #
 ENCRYPT_METHOD SHA512
 
@@ -211,68 +92,7 @@ ENCRYPT_METHOD SHA512
 # However, more CPU resources will be needed to authenticate users if
 # this value is increased.
 #
-# If not specified, the libc will choose the default number of rounds (5000).
 # The values must be within the 1000-999999999 range.
 #
-#SHA_CRYPT_MAX_ROUNDS 5000
+SHA_CRYPT_MAX_ROUNDS 5000
 
-# Currently SHA_CRYPT_MIN_ROUNDS is not supported
-
-# Currently BCRYPT_MIN_ROUNDS and BCRYPT_MAX_ROUNDS are not supported
-
-# Currently CONSOLE_GROUPS is not supported
-
-#
-# Should login be allowed if we can't cd to the home directory?
-# Default is yes.
-#
-#DEFAULT_HOME	yes
-
-# Currently ENVIRON_FILE is not supported
-
-#
-# If defined, this command is run when removing a user.
-# It should remove any at/cron/print jobs etc. owned by
-# the user to be removed (passed as the first argument).
-#
-#USERDEL_CMD	/usr/sbin/userdel_local
-
-#
-# Enables userdel(8) to remove user groups if no members exist.
-#
-USERGROUPS_ENAB yes
-
-#
-# If set to a non-zero number, the shadow utilities will make sure that
-# groups never have more than this number of users on one line.
-# This permits to support split groups (groups split into multiple lines,
-# with the same group ID, to avoid limitation of the line length in the
-# group file).
-#
-# 0 is the default value and disables this feature.
-#
-#MAX_MEMBERS_PER_GROUP	0
-
-#
-# If useradd(8) should create home directories for users by default (non
-# system users only).
-# This option is overridden with the -M or -m flags on the useradd(8)
-# command-line.
-#
-CREATE_HOME	yes
-
-#
-# Force use shadow, even if shadow passwd & shadow group files are
-# missing.
-#
-#FORCE_SHADOW    yes
-
-#
-# Select the HMAC cryptography algorithm.
-# Used in pam_timestamp module to calculate the keyed-hash message
-# authentication code.
-#
-# Note: It is recommended to check hmac(3) to see the possible algorithms
-# that are available in your system.
-#
-HMAC_CRYPTO_ALGO SHA512

SPECS/shadow-utils.spec

@@ -1,112 +1,123 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
-Version: 4.9
+Version: 4.6
-Release: 8%{?dist}
+Release: 22%{?dist}
 Epoch: 2
-License: BSD and GPLv2+
+URL: http://pkg-shadow.alioth.debian.org/
-URL: https://github.com/shadow-maint/shadow
 Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
 Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
 Source2: shadow-utils.useradd
 Source3: shadow-utils.login.defs
 Source4: shadow-bsd.txt
 Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
-Source6: shadow-utils.HOME_MODE.xml
 
 ### Globals ###
-%global includesubiddir %{_includedir}/shadow
+%global includesubiddir %{_includedir}/shadow 
 
 ### Patches ###
-# Misc small changes - most probably non-upstreamable
+Patch0: shadow-4.6-redhat.patch
-Patch0: shadow-4.9-redhat.patch
+Patch1: shadow-4.6-goodname.patch
-# Be more lenient with acceptable user/group names - non upstreamable
+Patch2: shadow-4.1.5.1-info-parent-dir.patch
-Patch1: shadow-4.8-goodname.patch
+Patch6: shadow-4.6-selinux.patch
-# https://github.com/shadow-maint/shadow/commit/09c752f00f9dfc610f66d68be38c9e5be8ca7f15
+Patch10: shadow-4.6-orig-context.patch
-Patch2: shadow-4.9-move-create-home.patch
+Patch11: shadow-4.1.5.1-logmsg.patch
-# SElinux related - upstreamability unknown
+Patch14: shadow-4.1.5.1-default-range.patch
-Patch3: shadow-4.9-default-range.patch
+Patch15: shadow-4.6-manfix.patch
-# Misc manual page changes - non-upstreamable
+Patch17: shadow-4.1.5.1-userdel-helpfix.patch
-Patch4: shadow-4.9-manfix.patch
+Patch19: shadow-4.2.1-date-parsing.patch
-# Date parsing improvement - could be upstreamed
+Patch21: shadow-4.6-move-home.patch
-Patch5: shadow-4.2.1-date-parsing.patch
+Patch22: shadow-4.6-audit-update.patch
-# Additional error message - could be upstreamed
+Patch23: shadow-4.5-usermod-unlock.patch
-Patch6: shadow-4.6-move-home.patch
+Patch24: shadow-4.2.1-no-lock-dos.patch
-# Audit message changes - upstreamability unknown
+Patch28: shadow-4.6-selinux-perms.patch
-Patch7: shadow-4.9-audit-update.patch
+Patch29: shadow-4.2.1-null-tm.patch
-# Changes related to password unlocking - could be upstreamed
+Patch31: shadow-4.6-getenforce.patch
-Patch8: shadow-4.5-usermod-unlock.patch
+Patch32: shadow-4.5-crypt_h.patch
-# Additional SElinux related changes - upstreamability unknown
+Patch33: shadow-4.5-long-entry.patch
-Patch9: shadow-4.8-selinux-perms.patch
+Patch34: shadow-4.6-usermod-crash.patch
-# Handle NULL return from *time funcs - could be upstreamed
+Patch35: shadow-4.6-coverity.patch
-Patch10: shadow-4.9-null-tm.patch
+Patch36: shadow-4.6-use-itstool.patch
-# Handle /etc/passwd corruption - could be upstreamed
+Patch37: shadow-4.6-sssd-flush.patch
-Patch11: shadow-4.8-long-entry.patch
+Patch38: shadow-4.6-sysugid-min-limit.patch
-# Limit uid/gid allocation to non-zero - could be upstreamed
+Patch39: shadow-4.6-chgrp-guard.patch
-Patch12: shadow-4.6-sysugid-min-limit.patch
+Patch40: shadow-4.6-ignore-login-prompt.patch
-# Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
+Patch41: shadow-4.6-use-lckpwdf.patch
-Patch13: shadow-4.8-ignore-login-prompt.patch
+# Upstreamed
-# https://github.com/shadow-maint/shadow/commit/c6847011e8b656adacd9a0d2a78418cad0de34cb
+Patch42: shadow-4.6-regular-user.patch
-Patch14: shadow-4.9-newuidmap-libeconf-dependency.patch
+# Upstreamed
+Patch43: shadow-4.6-home_mode-directive.patch
+# Upstreamed
+Patch44: shadow-4.6-check-local-groups.patch
+# https://github.com/shadow-maint/shadow/commit/e84df9e163e133eb11a2728024ff3e3440592cf8
+Patch45: shadow-4.6-sssd-redirect-warning.patch
+# Unused option in Fedora/RHEL - non upstreamable
+Patch46: shadow-4.6-remove-login-string-references.patch
 # https://github.com/shadow-maint/shadow/commit/e481437ab9ebe9a8bf8fbaabe986d42b2f765991
-Patch15: shadow-4.9-usermod-allow-all-group-types.patch
+Patch47: shadow-4.6-usermod-allow-all-group-types.patch
-# https://github.com/shadow-maint/shadow/commit/9dd720a28578eef5be8171697aae0906e4c53249
+# https://github.com/shadow-maint/shadow/commit/0a7888b1fad613a052b988b01a71933b67296e68
-Patch16: shadow-4.9-useradd-avoid-generating-empty-subid-range.patch
+# https://github.com/shadow-maint/shadow/commit/607f1dd549cf9abc87af1cf29275f0d2d11eea29
-# https://github.com/shadow-maint/shadow/commit/234e8fa7b134d1ebabfdad980a3ae5b63c046c62
+# https://github.com/shadow-maint/shadow/commit/b5fb1b38eea2fb0489ed088c82daf6700e72363e
-Patch17: shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
+# https://github.com/shadow-maint/shadow/commit/43a917cce54019799a8de037fd63780a2b640afc
-# https://github.com/shadow-maint/shadow/commit/234af5cf67fc1a3ba99fc246ba65869a3c416545
+Patch48: shadow-4.6-libsubid_creation.patch
-Patch18: shadow-4.9-semanage-close-the-selabel-handle.patch
+# https://github.com/shadow-maint/shadow/commit/514c1328b6c90d817ae0a9f7addfb3c9a11a275a
-# https://github.com/shadow-maint/shadow/commit/4624e9fca1b02b64e25e8b2280a0186182ab73ba
+# https://github.com/shadow-maint/shadow/commit/8492dee6632e340dee76eee895c3e30877bebf45
-Patch19: shadow-4.9-revert-useradd-fix-memleak.patch
+# https://github.com/shadow-maint/shadow/commit/0f4347d1483191b2142546416a9eefe0c9459600
-# https://github.com/shadow-maint/shadow/commit/06eb4e4d76ac7f1ac86e68a89b2dc9be7c7323a2
+Patch49: shadow-4.6-libsubid_nsswitch_support.patch
-Patch20: shadow-4.9-useradd-copy-tree-argument.patch
+# https://github.com/shadow-maint/shadow/commit/186b1b7ac1a68d0fcc618a22da1a99232b420911
-# https://github.com/shadow-maint/shadow/commit/d8e54618feea201987c1f3cb402ed50d1d8b604f
+Patch50: shadow-4.6-man-mention-nss-in-newuidmap.patch
-Patch21: shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch
+# https://github.com/shadow-maint/shadow/commit/f9831a4a1a20b0e8fe47cc72ec20018ec04dbb90
-# https://github.com/shadow-maint/shadow/commit/497e90751bc0d95cc998b0f06305040563903948
+Patch51: shadow-4.6-libsubid_not_print_error_messages.patch
-Patch22: shadow-4.9-newgrp-fix-segmentation-fault.patch
+# https://github.com/shadow-maint/shadow/commit/c6cab4a7bafa18d9d65a333cac1261e7b5e32bc9
+Patch52: shadow-4.6-libsubid_init_return_false.patch
+# https://github.com/shadow-maint/shadow/commit/2f1f45d64fc7c10e7a3cbe00e89f63714343e526
+Patch53: shadow-4.6-useradd_SUB_UID_COUNT-0.patch
+# https://github.com/shadow-maint/shadow/commit/ea7af4e1543c63590d4107ae075fea385028997d
+Patch54: shadow-4.6-libsubid_simplify_ranges_variable.patch
+# https://github.com/shadow-maint/shadow/commit/0fe42f571c69f0105d31305f995c9887aeb9525e
+Patch55: shadow-4.6-libsubid_init_not_print_error_messages.patch
+# https://github.com/shadow-maint/shadow/commit/ec1951c181faed188464396b2cfdd2efb726c7f3
+Patch56: shadow-4.6-libsubid_fix_newusers_nss_provides_subids.patch
+# https://github.com/shadow-maint/shadow/commit/087112244327be50abc24f9ec8afbf60ae8b2dec
+# https://github.com/shadow-maint/shadow/pull/353
+Patch57: shadow-4.6-man_clarify_subid_delegation.patch
+# https://github.com/shadow-maint/shadow/commit/bd920ab36a6c641e4a8769f8c7f8ca738ec61820
+Patch58: shadow-4.6-libsubid_make_logfd_not_extern.patch
+# https://github.com/shadow-maint/shadow/commit/0dffc7c61200f492eeac03c29fa7e93b62d3cead
+Patch59: shadow-4.6-useradd_dont_try_to_create_0_subuids.patch
+# https://github.com/shadow-maint/shadow/commit/77e39de1e6cbd6925f16bb260abb7d216296886b
+Patch60: shadow-4.6-install_subid_h.patch
+# https://github.com/shadow-maint/shadow/commit/fa986b1d73605ecca54a4f19249227aeab827bf6
+Patch61: shadow-4.6-respect_enable_static_no.patch
 # https://github.com/shadow-maint/shadow/commit/3b6ccf642c6bb2b7db087f09ee563ae9318af734
-Patch23: shadow-4.9-getsubids.patch
+Patch62: shadow-4.6-getsubids.patch
 # https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83
-Patch24: shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
+Patch63: shadow-4.6-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
-# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
-Patch25: shadow-4.9-useradd-modify-check-ID-range-for-system-users.patch
 # https://github.com/shadow-maint/shadow/commit/3ec32f9975f262073f8fbdecd2bfaee4a1d3db48
-Patch26: shadow-4.9-subordinateio-compare-owner-ID.patch
+Patch64: shadow-4.9-subordinateio-compare-owner-ID.patch
-# https://github.com/shadow-maint/shadow/commit/0593b330d8413e9694b5d6783bb90974c9b141c5
-# https://github.com/shadow-maint/shadow/commit/45d674621918664c8736f94f862e86bddf4c3fd4
-Patch27: shadow-4.9-badname-special-characters.patch
 # https://github.com/shadow-maint/shadow/commit/e0524e813a3bae2891b33a66f35876841c11cee7
-Patch28: shadow-4.9-useradd-check-if-subid-range-exists.patch
+Patch65: shadow-4.6-useradd-check-if-subid-range-exists.patch
 # https://github.com/shadow-maint/shadow/commit/baae5b4a06c905d9f52ed1f922a0d7d0625d11cf
-Patch29: shadow-4.9-skip-over-reserved-ids.patch
+Patch66: shadow-4.6-skip-over-reserved-ids.patch
 # https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
-Patch30: shadow-4.9-gpasswd-fix-password-leak.patch
+Patch67: shadow-4.6-gpasswd-fix-password-leak.patch
+Patch68: shadow-4.6-salt-remove-rounds.patch
 
-### Dependencies ###
+License: BSD and GPLv2+
-Requires: audit-libs >= 1.6.5
+Group: System Environment/Base
-Requires: libselinux >= 1.25.2-1
-Requires: setup
-
-### Build Dependencies ###
-BuildRequires: audit-libs-devel >= 1.6.5
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: bison
-BuildRequires: docbook-dtds
-BuildRequires: docbook-style-xsl
-BuildRequires: flex
 BuildRequires: gcc
-BuildRequires: gettext-devel
-BuildRequires: itstool
-BuildRequires: libacl-devel
-BuildRequires: libattr-devel
 BuildRequires: libselinux-devel >= 1.25.2-1
+BuildRequires: audit-libs-devel >= 1.6.5
 BuildRequires: libsemanage-devel
-BuildRequires: libtool
+BuildRequires: libacl-devel, libattr-devel
-BuildRequires: libxslt
+BuildRequires: bison, flex, docbook-style-xsl, docbook-dtds
-BuildRequires: make
+BuildRequires: autoconf, automake, libtool, gettext-devel
-
+BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool
-### Provides ###
+Requires: libselinux >= 1.25.2-1
-Provides: shadow = %{epoch}:%{version}-%{release}
+Requires: audit-libs >= 1.6.5
+Requires: setup
+Requires(pre): coreutils
+Requires(post): coreutils
+Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %description
 The shadow-utils package includes the necessary programs for
@@ -142,41 +153,63 @@ Development files for shadow-utils-subid.
 %setup -q -n shadow-%{version}
 %patch0 -p1 -b .redhat
 %patch1 -p1 -b .goodname
-%patch2 -p1 -b .move-create-home
+%patch2 -p1 -b .info-parent-dir
-%patch3 -p1 -b .default-range
+%patch6 -p1 -b .selinux
-%patch4 -p1 -b .manfix
+%patch10 -p1 -b .orig-context
-%patch5 -p1 -b .date-parsing
+%patch11 -p1 -b .logmsg
-%patch6 -p1 -b .move-home
+%patch14 -p1 -b .default-range
-%patch7 -p1 -b .audit-update
+%patch15 -p1 -b .manfix
-%patch8 -p1 -b .unlock
+%patch17 -p1 -b .userdel
-%patch9 -p1 -b .selinux-perms
+%patch19 -p1 -b .date-parsing
-%patch10 -p1 -b .null-tm
+%patch21 -p1 -b .move-home
-%patch11 -p1 -b .long-entry
+%patch22 -p1 -b .audit-update
-%patch12 -p1 -b .sysugid-min-limit
+%patch23 -p1 -b .unlock
-%patch13 -p1 -b .login-prompt
+%patch24 -p1 -b .no-lock-dos
-%patch14 -p1 -b .newuidmap-libeconf-dependency
+%patch28 -p1 -b .selinux-perms
-%patch15 -p1 -b .usermod-allow-all-group-types
+%patch29 -p1 -b .null-tm
-%patch16 -p1 -b .useradd-avoid-generating-empty-subid-range
+%patch31 -p1 -b .getenforce
-%patch17 -p1 -b .libmisc-fix-default-value-in-SHA_get_salt_rounds
+%patch32 -p1 -b .crypt_h
-%patch18 -p1 -b .semanage-close-the-selabel-handle
+%patch33 -p1 -b .long-entry
-%patch19 -p1 -b .revert-useradd-fix-memleak
+%patch34 -p1 -b .usermod-crash
-%patch20 -p1 -b .useradd-copy-tree-argument
+%patch35 -p1 -b .coverity
-%patch21 -p1 -b .pwck-fix-segfault-when-calling-fprintf
+%patch36 -p1 -b .use-itstool
-%patch22 -p1 -b .newgrp-fix-segmentation-fault
+%patch37 -p1 -b .sssd-flush
-%patch23 -p1 -b .getsubids
+%patch38 -p1 -b .sysugid-min-limit
-%patch24 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
+%patch39 -p1 -b .chgrp-guard
-%patch25 -p1 -b .useradd-modify-check-ID-range-for-system-users
+%patch40 -p1 -b .login-prompt
-%patch26 -p1 -b .subordinateio-compare-owner-ID
+%patch41 -p1 -b .use-lckpwdf
-%patch27 -p1 -b .badname-special-characters
+%patch42 -p1 -b .regular-user
-%patch28 -p1 -b .useradd-check-if-subid-range-exists
+%patch43 -p1 -b .home_mode-directive
-%patch29 -p1 -b .skip-over-reserved-ids
+%patch44 -p1 -b .check-local-groups
-%patch30 -p1 -b .gpasswd-fix-password-leak
+%patch45 -p1 -b .sssd-redirect-warning
+%patch46 -p1 -b .remove-login-string-references
+%patch47 -p1 -b .usermod-allow-all-group-types
+%patch48 -p1 -b .libsubid_creation
+%patch49 -p1 -b .libsubid_nsswitch_support
+%patch50 -p1 -b .man-mention-nss-in-newuidmap
+%patch51 -p1 -b .libsubid_not_print_error_messages
+%patch52 -p1 -b .libsubid_init_return_false
+%patch53 -p1 -b .useradd_SUB_UID_COUNT-0
+%patch54 -p1 -b .libsubid_simplify_ranges_variable
+%patch55 -p1 -b .libsubid_init_not_print_error_messages
+%patch56 -p1 -b .libsubid_fix_newusers_nss_provides_subids
+%patch57 -p1 -b .man_clarify_subid_delegation
+%patch58 -p1 -b .libsubid_make_logfd_not_extern
+%patch59 -p1 -b .useradd_dont_try_to_create_0_subuids
+%patch60 -p1 -b .install_subid_h
+%patch61 -p1 -b .respect_enable_static_no
+%patch62 -p1 -b .getsubids
+%patch63 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
+%patch64 -p1 -b .subordinateio-compare-owner-ID
+%patch65 -p1 -b .useradd-check-if-subid-range-exists
+%patch66 -p1 -b .skip-over-reserved-ids
+%patch67 -p1 -b .gpasswd-fix-password-leak
+%patch68 -p1 -b .salt-remove-rounds
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
 
 cp -a %{SOURCE4} %{SOURCE5} .
-cp -a %{SOURCE6} man/login.defs.d/HOME_MODE.xml
 
 # Force regeneration of getdate.c
 rm libmisc/getdate.c
@@ -205,65 +238,66 @@ autoreconf
 %make_build
 
 %install
-%make_install gnulocaledir=$RPM_BUILD_ROOT%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
+rm -rf $RPM_BUILD_ROOT
-install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/default
+%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
-install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs
+install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default
-install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd
+install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs
+install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd
 
 
 ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
-ln -s useradd.8 $RPM_BUILD_ROOT%{_mandir}/man8/adduser.8
+ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
-for subdir in $RPM_BUILD_ROOT%{_mandir}/{??,??_??,??_??.*}/man* ; do
+for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do
         test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
 done
 
 # Remove binaries we don't use.
-rm $RPM_BUILD_ROOT%{_bindir}/chfn
+rm $RPM_BUILD_ROOT/%{_bindir}/chfn
-rm $RPM_BUILD_ROOT%{_bindir}/chsh
+rm $RPM_BUILD_ROOT/%{_bindir}/chsh
-rm $RPM_BUILD_ROOT%{_bindir}/expiry
+rm $RPM_BUILD_ROOT/%{_bindir}/expiry
-rm $RPM_BUILD_ROOT%{_bindir}/groups
+rm $RPM_BUILD_ROOT/%{_bindir}/groups
-rm $RPM_BUILD_ROOT%{_bindir}/login
+rm $RPM_BUILD_ROOT/%{_bindir}/login
-rm $RPM_BUILD_ROOT%{_bindir}/passwd
+rm $RPM_BUILD_ROOT/%{_bindir}/passwd
-rm $RPM_BUILD_ROOT%{_bindir}/su
+rm $RPM_BUILD_ROOT/%{_bindir}/su
-rm $RPM_BUILD_ROOT%{_bindir}/faillog
+rm $RPM_BUILD_ROOT/%{_bindir}/faillog
-rm $RPM_BUILD_ROOT%{_sysconfdir}/login.access
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access
-rm $RPM_BUILD_ROOT%{_sysconfdir}/limits
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits
-rm $RPM_BUILD_ROOT%{_sbindir}/logoutd
+rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd
-rm $RPM_BUILD_ROOT%{_sbindir}/nologin
+rm $RPM_BUILD_ROOT/%{_sbindir}/nologin
-rm $RPM_BUILD_ROOT%{_mandir}/man1/chfn.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chfn.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/chsh.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chsh.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chsh.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/expiry.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/expiry.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/expiry.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/expiry.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/groups.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/groups.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/groups.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/groups.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/login.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/login.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/login.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/login.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/passwd.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/passwd.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/su.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/su.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/su.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/su.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/limits.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/limits.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/limits.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/limits.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/login.access.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/login.access.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/login.access.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/login.access.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/passwd.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/passwd.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/porttime.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/porttime.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/porttime.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/porttime.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/suauth.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/suauth.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.*
-rm $RPM_BUILD_ROOT%{_mandir}/man8/logoutd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man8/logoutd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.*
-rm $RPM_BUILD_ROOT%{_mandir}/man8/nologin.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man8/nologin.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.*
-rm $RPM_BUILD_ROOT%{_mandir}/man3/getspnam.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man3/getspnam.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.*
-rm $RPM_BUILD_ROOT%{_mandir}/man8/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man8/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.*
 
 find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete
 %find_lang shadow
@@ -276,7 +310,6 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
 done
 
 # Move header files to its own folder
-echo $(ls)
 mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
 install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
 
@@ -285,6 +318,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 
 %files -f shadow.lang
 %doc NEWS doc/HOWTO README
+%{!?_licensedir:%global license %%doc}
 %license gpl-2.0.txt shadow-bsd.txt
 %attr(0644,root,root)   %config(noreplace) %{_sysconfdir}/login.defs
 %attr(0644,root,root)   %config(noreplace) %{_sysconfdir}/default/useradd
@@ -341,165 +375,97 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_libdir}/libsubid.so
 
 %changelog
-* Wed Jul 12 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8
+* Tue Nov 21 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-22
-- gpasswd: fix password leak. Resolves: #2215948
+- salt: remove rounds from salt string. Resolves: RHEL-16668
 
-* Tue May 16 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7
+* Thu Nov  2 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-21
-- useradd: check if subid range exists for user. Resolves: #2179987
+- login.defs: include SHA_CRYPT_MAX_ROUNDS. Resolves: RHEL-15024
-- find_new_[gu]id: Skip over IDs that are reserved for legacy reasons. Resolves: #2179988
 
-* Wed Sep 28 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6
+* Wed Jul 12 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-19
-- Change "badnames" to "badname" as this is the accepted option name. Resolves: #2076819
+- gpasswd: fix password leak. Resolves: #2215947
 
-* Thu Jul 21 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
+* Wed May 17 2023 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-18
-- subordinateio: also compare the owner ID. Resolves: #2109410
+- Update patch to close label to reset libselinux state. Resolves: #1984740
+- useradd: check if subid range exists for user. Resolves: #2012929
+- find_new_[gu]id: Skip over IDs that are reserved for legacy reasons. Resolves: #1994269
 
-* Fri Apr 22 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
+* Thu Jul 21 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-17
-- useradd: modify check ID range for system users. Resolves: #2004911
+- subordinateio: also compare the owner ID. Resolves: #2093311
 - Fix release sources
 - Add subid requirement for subid-devel
 
-* Thu Dec  2 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
+* Thu Dec  9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-16
-- getsubids: provide system binary and man page. Resolves: #2013015
+- getsubids: provide system binary and man page. Resolves: #2013016
-- useradd: generate home and mail directories with selinux user attribute. Resolves: #1993081
+- groupdel: fix SIGSEGV when passwd does not exist. Resolves: #1986782
-- useradd: revert fix memleak of grp. Resolves: #2020238
-- groupdel: fix SIGSEGV when passwd does not exist. Resolves: #2024834
-- pwck: fix segfault when calling fprintf()
-- newgrp: fix segmentation fault
-- Clean spec file: organize dependencies and move License location
 
-* Tue Aug 17 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-2
+* Tue Oct 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-15
-- libmisc: fix default value in SHA_get_salt_rounds(). Resolves: #1993919
+- Creation of subid and subid-devel subpackages (#2013009)
-
+- libsubid: creation and nsswitch support
-* Thu Aug 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-1
-- Rebase to version 4.9. Resolves: #1989556
-- usermod: allow all group types with -G option. Resolves: #1975329
-- useradd: avoid generating an empty subid range
-- Clean spec file
-
-* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2:4.8.1-12
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Wed Jul 14 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-11
-- Fix regression issues detected in rhbz#667593 and rhbz#672510. Resolves: #1938871
-
-* Tue Jul 13 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-10
-- Covscan fixes. Resolves: #1938871
-
-* Fri Jun 25 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-9
-- libsubid: creation and nsswitch support. Resolves: #1859252
-- Creation of subid and subid-devel subpackages
-- man: mention NSS in new[ug]idmap manpages
-- libsubid: move development header to shadow folder
 - libsubid: don't print error messages on stderr by default
 - libsubid: libsubid_init return false if out of memory
-- useradd: fix SUB_UID_COUNT=0
 - libsubid: don't return owner in list_owner_ranges API call
 - libsubid: libsubid_init don't print messages on error
 - libsubid: fix newusers when nss provides subids
-- man: clarify subid delegation
 - libsubid: make shadow_logfd not extern
-- login.defs: include HMAC_CRYPTO_ALGO key
+- useradd: fix SUB_UID_COUNT=0
+- man: mention NSS in new[ug]idmap manpages
+- man: clarify subid delegation
 
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:4.8.1-8
+* Thu Aug 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-14
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+- usermod: allow all group types with -G option (#1967641)
 
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-7
+* Mon May  3 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-13
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+- man: Remove references to LOGIN_STRING in login.defs (#1884702)
 
-* Mon Nov  9 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-6
+* Fri Oct 23 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-12
-- commonio: force lock file sync (#1862056)
+- lib/sssd: redirect warning message to file (#1749001)
+- useradd: clarify valid usernames/groupnames (#1869432)
+- login.defs: link login specific information to its own package (#1804766)
 
-* Tue Nov  3 2020 Petr Lautrbach <plautrba@redhat.com> - 2:4.8.1-5
+* Fri Aug  7 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-11
-- Rebuild with libsemanage.so.2
+- change UMASK value and add HOME_MODE in login.defs (#1777718)
 
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-4
+* Tue May  5 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-10
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+- check only local groups when adding new supplementary groups to a user
 
-* Thu May 14 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-3
+* Fri Apr 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-9
-- check only local groups when adding new supplementary groups to a user (#1727236)
+- do not mistake a regular user process for a namespaced one (#1788696)
+- add HOME_MODE support in login.defs (#1777718)
 
-* Tue Mar 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-2
+* Fri Jun  7 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-8
-- useradd: clarify the useradd -d parameter behavior in man page
+- properly audit group password change
-
+- do not add uid of a new (not yet added) user to the audit message
-* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-1
-- updated upstream to 4.8.1
-
-* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-5
-- synchronized login.defs with upstream file (#1261099 and #1807957)
-
-* Mon Feb 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-4
-- fix useradd: doesn't generate spool mail with the proper SELinux user identity
-  (#1690527)
-
-* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Thu Jan 16 2020 Tomáš Mráz <tmraz@redhat.com> - 2:4.8-2
-- make the invalid shell check into warning
-
-* Mon Jan 13 2020 Tomáš Mráz <tmraz@redhat.com> - 2:4.8-1
-- update to current upstream release 4.8
-
-* Mon Sep  2 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-16
-- fix SELinux related problem in chpasswd/chgpasswd when run with -R
-  (patch by Petr Lautrbach) (#1747215)
-
-* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-15
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Jun  7 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-14
-- minor auditing fixes
-
-* Fri May  3 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-13
 - use lckpwdf() again to disable concurrent edits of databases by
   other applications
-
+- clarify chage manual page in regards to shadow and passwd
-* Tue Apr  2 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-12
+  inconsistency
+- fix minor issues in groupadd and login.defs manual pages
+- Ignore LOGIN_PLAIN_PROMPT variable in login.defs
 - force regeneration of getdate.c otherwise the date parsing fix
   is not applied
 
-* Fri Mar 22 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-11
+* Tue Dec 18 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-7
-- clarify chage manual page in regards to shadow and passwd
-  inconsistency (#1686440)
-
-* Thu Mar 21 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-10
-- Ignore LOGIN_PLAIN_PROMPT variable in login.defs
-
-* Thu Mar  7 2019 Tim Landscheidt <tim@tim-landscheidt.de> - 2:4.6-9
-- Remove obsolete requirements for post/pre scriptlets
-
-* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2:4.6-7
-- Rebuilt for libcrypt.so.2 (#1666033)
-
-* Tue Dec 18 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-6
 - usermod: guard against unsafe change of ownership of
   special home directories
 
-* Mon Nov 19 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-5
+* Fri Nov 30 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-6
-- use itstool instead of xml2po
+- drop trailing space from login.defs ENCRYPT_METHOD setting
 
-* Tue Nov  6 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-4
+* Mon Nov 19 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-5
 - use cap_setxid file capabilities for newxidmap instead of making them setuid
 - limit the SYS_U/GID_MIN value to 1 as the algorithm does not work with 0
   and the 0 is always used by root anyway
 - manual page improvements
-
-* Wed Oct 10 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-3
-- fix some issues from Coverity scan
 - flush sssd caches - patch by Jakub Hrozek
 
-* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-2
+* Fri Oct 12 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+- fix some issues from Coverity scan
 
-* Mon May 28 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-1
+* Tue Jul 31 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-2
-- update to current upstream release 4.6
+- use itstool instead of xml2po
 
-* Fri Apr 20 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.5-10
+* Tue Jul 31 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-1
+- Update to current upstream release 4.6
 - Raise limit for passwd and shadow entry length but also prevent
   writing longer entries (#1422497)