libsubid improvements

- libsubid: don't print error messages on stderr by default
- libsubid: libsubid_init return false if out of memory
- useradd: fix SUB_UID_COUNT=0
- libsubid: don't return owner in list_owner_ranges API call
- libsubid: libsubid_init don't print messages on error
- libsubid: fix newusers when nss provides subids
- man: clarify subid delegation
- libsubid: make shadow_logfd not extern

shadow-4.8.1-libsubid_fix_newusers_nss_provides_subids.patch

@@ -0,0 +1,151 @@
+diff -up shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/nss.c
+--- shadow-4.8.1/lib/nss.c.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.772741048 +0200
++++ shadow-4.8.1/lib/nss.c	2021-05-25 09:37:14.782741188 +0200
+@@ -116,14 +116,6 @@ void nss_init(char *nsswitch_path) {
+ 				subid_nss = NULL;
+ 				goto done;
+ 			}
+-			subid_nss->has_any_range = dlsym(h, "shadow_subid_has_any_range");
+-			if (!subid_nss->has_any_range) {
+-				fprintf(shadow_logfd, "%s did not provide @has_any_range@\n", libname);
+-				dlclose(h);
+-				free(subid_nss);
+-				subid_nss = NULL;
+-				goto done;
+-			}
+ 			subid_nss->find_subid_owners = dlsym(h, "shadow_subid_find_subid_owners");
+ 			if (!subid_nss->find_subid_owners) {
+ 				fprintf(shadow_logfd, "%s did not provide @find_subid_owners@\n", libname);
+diff -up shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/prototypes.h
+--- shadow-4.8.1/lib/prototypes.h.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.780741160 +0200
++++ shadow-4.8.1/lib/prototypes.h	2021-05-25 09:37:14.782741188 +0200
+@@ -279,18 +279,6 @@ extern bool nss_is_initialized();
+ 
+ struct subid_nss_ops {
+ 	/*
+-	 * nss_has_any_range: does a user own any subid range
+-	 *
+-	 * @owner: username
+-	 * @idtype: subuid or subgid
+-	 * @result: true if a subid allocation was found for @owner
+-	 *
+-	 * returns success if the module was able to determine an answer (true or false),
+-	 * else an error status.
+-	 */
+-	enum subid_status (*has_any_range)(const char *owner, enum subid_type idtype, bool *result);
+-
+-	/*
+ 	 * nss_has_range: does a user own a given subid range
+ 	 *
+ 	 * @owner: username
+diff -up shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.c
+--- shadow-4.8.1/lib/subordinateio.c.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.780741160 +0200
++++ shadow-4.8.1/lib/subordinateio.c	2021-05-25 09:37:14.782741188 +0200
+@@ -598,19 +598,8 @@ int sub_uid_open (int mode)
+ 	return commonio_open (&subordinate_uid_db, mode);
+ }
+ 
+-bool sub_uid_assigned(const char *owner)
++bool local_sub_uid_assigned(const char *owner)
+ {
+-	struct subid_nss_ops *h;
+-	bool found;
+-	enum subid_status status;
+-	h = get_subid_nss_handle();
+-	if (h) {
+-		status = h->has_any_range(owner, ID_TYPE_UID, &found);
+-		if (status == SUBID_STATUS_SUCCESS && found)
+-			return true;
+-		return false;
+-	}
+-
+ 	return range_exists (&subordinate_uid_db, owner);
+ }
+ 
+@@ -720,18 +709,8 @@ bool have_sub_gids(const char *owner, gi
+ 	return have_range(&subordinate_gid_db, owner, start, count);
+ }
+ 
+-bool sub_gid_assigned(const char *owner)
++bool local_sub_gid_assigned(const char *owner)
+ {
+-	struct subid_nss_ops *h;
+-	bool found;
+-	enum subid_status status;
+-	h = get_subid_nss_handle();
+-	if (h) {
+-		status = h->has_any_range(owner, ID_TYPE_GID, &found);
+-		if (status == SUBID_STATUS_SUCCESS && found)
+-			return true;
+-		return false;
+-	}
+ 	return range_exists (&subordinate_gid_db, owner);
+ }
+ 
+diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/lib/subordinateio.h
+--- shadow-4.8.1/lib/subordinateio.h.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.780741160 +0200
++++ shadow-4.8.1/lib/subordinateio.h	2021-05-25 09:37:14.782741188 +0200
+@@ -16,7 +16,7 @@
+ extern int sub_uid_close(void);
+ extern bool have_sub_uids(const char *owner, uid_t start, unsigned long count);
+ extern bool sub_uid_file_present (void);
+-extern bool sub_uid_assigned(const char *owner);
++extern bool local_sub_uid_assigned(const char *owner);
+ extern int sub_uid_lock (void);
+ extern int sub_uid_setdbname (const char *filename);
+ extern /*@observer@*/const char *sub_uid_dbname (void);
+@@ -34,7 +34,7 @@ extern void free_subordinate_ranges(stru
+ extern int sub_gid_close(void);
+ extern bool have_sub_gids(const char *owner, gid_t start, unsigned long count);
+ extern bool sub_gid_file_present (void);
+-extern bool sub_gid_assigned(const char *owner);
++extern bool local_sub_gid_assigned(const char *owner);
+ extern int sub_gid_lock (void);
+ extern int sub_gid_setdbname (const char *filename);
+ extern /*@observer@*/const char *sub_gid_dbname (void);
+diff -up shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids shadow-4.8.1/src/newusers.c
+--- shadow-4.8.1/src/newusers.c.libsubid_fix_newusers_nss_provides_subids	2021-05-25 09:37:14.776741104 +0200
++++ shadow-4.8.1/src/newusers.c	2021-05-25 09:37:25.955897160 +0200
+@@ -1021,6 +1021,24 @@ static void close_files (void)
+ #endif				/* ENABLE_SUBIDS */
+ }
+ 
++static bool want_subuids(void)
++{
++	if (get_subid_nss_handle() != NULL)
++		return false;
++	if (getdef_ulong ("SUB_UID_COUNT", 65536) == 0)
++		return false;
++	return true;
++}
++
++static bool want_subgids(void)
++{
++	if (get_subid_nss_handle() != NULL)
++		return false;
++	if (getdef_ulong ("SUB_GID_COUNT", 65536) == 0)
++		return false;
++	return true;
++}
++
+ int main (int argc, char **argv)
+ {
+ 	char buf[BUFSIZ];
+@@ -1250,7 +1268,7 @@ int main (int argc, char **argv)
+ 		/*
+ 		 * Add subordinate uids if the user does not have them.
+ 		 */
+-		if (is_sub_uid && !sub_uid_assigned(fields[0])) {
++		if (is_sub_uid && want_subuids() && !local_sub_uid_assigned(fields[0])) {
+ 			uid_t sub_uid_start = 0;
+ 			unsigned long sub_uid_count = 0;
+ 			if (find_new_sub_uids(fields[0], &sub_uid_start, &sub_uid_count) == 0) {
+@@ -1270,7 +1288,7 @@ int main (int argc, char **argv)
+ 		/*
+ 		 * Add subordinate gids if the user does not have them.
+ 		 */
+-		if (is_sub_gid && !sub_gid_assigned(fields[0])) {
++		if (is_sub_gid && want_subgids() && !local_sub_gid_assigned(fields[0])) {
+ 			gid_t sub_gid_start = 0;
+ 			unsigned long sub_gid_count = 0;
+ 			if (find_new_sub_gids(fields[0], &sub_gid_start, &sub_gid_count) == 0) {

shadow-4.8.1-libsubid_init_not_print_error_messages.patch

@@ -0,0 +1,40 @@
+From b0e86b959fe5c086ffb5e7eaf3c1b1e9219411e9 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Sun, 23 May 2021 08:03:10 -0500
+Subject: [PATCH] libsubid_init: don't print messages on error
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+ libsubid/api.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/libsubid/api.c b/libsubid/api.c
+index c4848142..b477b271 100644
+--- a/libsubid/api.c
++++ b/libsubid/api.c
+@@ -46,12 +46,10 @@ bool libsubid_init(const char *progname, FILE * logfd)
+ {
+ 	if (progname) {
+ 		progname = strdup(progname);
+-		if (progname) {
++		if (progname)
+ 			Prog = progname;
+-		} else {
+-			fprintf(stderr, "Out of memory");
++		else
+ 			return false;
+-		}
+ 	}
+ 
+ 	if (logfd) {
+@@ -60,7 +58,6 @@ bool libsubid_init(const char *progname, FILE * logfd)
+ 	}
+ 	shadow_logfd = fopen("/dev/null", "w");
+ 	if (!shadow_logfd) {
+-		fprintf(stderr, "ERROR opening /dev/null for error messages.  Using stderr.");
+ 		shadow_logfd = stderr;
+ 		return false;
+ 	}
+-- 
+2.30.2
+

shadow-4.8.1-libsubid_init_return_false.patch

@@ -0,0 +1,37 @@
+From e34f49c1966fcaa9390a544a0136ec189a3c870e Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Mon, 17 May 2021 08:48:03 -0500
+Subject: [PATCH] libsubid_init: return false if out of memory
+
+The rest of the run isn't likely to get much better, is it?
+
+Thanks to Alexey for pointing this out.
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+Cc: Alexey Tikhonov <atikhono@redhat.com>
+---
+ libsubid/api.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libsubid/api.c b/libsubid/api.c
+index 8ca09859..8618e500 100644
+--- a/libsubid/api.c
++++ b/libsubid/api.c
+@@ -46,10 +46,12 @@ bool libsubid_init(const char *progname, FILE * logfd)
+ {
+ 	if (progname) {
+ 		progname = strdup(progname);
+-		if (progname)
++		if (progname) {
+ 			Prog = progname;
+-		else
++		} else {
+ 			fprintf(stderr, "Out of memory");
++			return false;
++		}
+ 	}
+ 
+ 	if (logfd) {
+-- 
+2.30.2
+

shadow-4.8.1-libsubid_make_logfd_not_extern.patch

@@ -0,0 +1,41 @@
+From 1d767fb779d7b203ad609540d1dc605cf62d1050 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Fri, 28 May 2021 22:02:16 -0500
+Subject: [PATCH] libsubid/api.c: make shadow_logfd not extern
+
+Closes #346
+
+Also #include stdio.h
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+ libsubid/api.c   | 2 +-
+ libsubid/subid.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libsubid/api.c b/libsubid/api.c
+index b477b271..a7b904d0 100644
+--- a/libsubid/api.c
++++ b/libsubid/api.c
+@@ -40,7 +40,7 @@
+ #include "subid.h"
+ 
+ const char *Prog = "(libsubid)";
+-extern FILE * shadow_logfd;
++FILE *shadow_logfd;
+ 
+ bool libsubid_init(const char *progname, FILE * logfd)
+ {
+diff --git a/libsubid/subid.h b/libsubid/subid.h
+index 5fef2572..eabafe4d 100644
+--- a/libsubid/subid.h
++++ b/libsubid/subid.h
+@@ -1,4 +1,5 @@
+ #include <sys/types.h>
++#include <stdio.h>
+ #include <stdbool.h>
+ 
+ #ifndef SUBID_RANGE_DEFINED
+-- 
+2.31.1
+

shadow-4.8.1-libsubid_simplify_ranges_variable.patch

@@ -0,0 +1,264 @@
+diff -up shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable shadow-4.8.1/configure.ac
+--- shadow-4.8.1/configure.ac.libsubid_simplify_ranges_variable	2021-05-24 15:02:56.165917066 +0200
++++ shadow-4.8.1/configure.ac	2021-05-24 15:02:56.184917324 +0200
+@@ -1,6 +1,6 @@
+ dnl Process this file with autoconf to produce a configure script.
+ AC_PREREQ([2.69])
+-m4_define([libsubid_abi_major], 2)
++m4_define([libsubid_abi_major], 3)
+ m4_define([libsubid_abi_minor], 0)
+ m4_define([libsubid_abi_micro], 0)
+ m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
+diff -up shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/prototypes.h
+--- shadow-4.8.1/lib/prototypes.h.libsubid_simplify_ranges_variable	2021-05-24 15:02:56.184917324 +0200
++++ shadow-4.8.1/lib/prototypes.h	2021-05-24 16:38:57.610619467 +0200
+@@ -309,16 +309,15 @@ struct subid_nss_ops {
+ 	 *
+ 	 * @owner - string representing username being queried
+ 	 * @id_type - subuid or subgid
+-	 * @ranges - pointer to an array of struct subordinate_range pointers, or
+-	 *           NULL.  The returned array of struct subordinate_range and its
+-	 *           members must be freed by the caller.
++	 * @ranges - pointer to an array of struct subid_range, or NULL.  The
++	 *           returned array must be freed by the caller.
+ 	 * @count - pointer to an integer into which the number of returned ranges
+ 	 *          is written.
+ 
+ 	 * returns success if the module was able to determine an answer,
+ 	 * else an error status.
+ 	 */
+-	enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges, int *count);
++	enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subid_range **ranges, int *count);
+ 
+ 	/*
+ 	 * nss_find_subid_owners: find uids who own a given subuid or subgid.
+diff -up shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/api.c
+--- shadow-4.8.1/libsubid/api.c.libsubid_simplify_ranges_variable	2021-05-24 15:03:01.467989079 +0200
++++ shadow-4.8.1/libsubid/api.c	2021-05-24 16:42:32.091584531 +0200
+@@ -68,26 +68,21 @@ bool libsubid_init(const char *progname,
+ }
+ 
+ static
+-int get_subid_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
++int get_subid_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges)
+ {
+ 	return list_owner_ranges(owner, id_type, ranges);
+ }
+ 
+-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges)
++int get_subuid_ranges(const char *owner, struct subid_range **ranges)
+ {
+ 	return get_subid_ranges(owner, ID_TYPE_UID, ranges);
+ }
+ 
+-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges)
++int get_subgid_ranges(const char *owner, struct subid_range **ranges)
+ {
+ 	return get_subid_ranges(owner, ID_TYPE_GID, ranges);
+ }
+ 
+-void subid_free_ranges(struct subordinate_range **ranges, int count)
+-{
+-	return free_subordinate_ranges(ranges, count);
+-}
+-
+ static
+ int get_subid_owner(unsigned long id, enum subid_type id_type, uid_t **owner)
+ {
+diff -up shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable shadow-4.8.1/libsubid/subid.h
+--- shadow-4.8.1/libsubid/subid.h.libsubid_simplify_ranges_variable	2021-05-24 15:03:01.468989093 +0200
++++ shadow-4.8.1/libsubid/subid.h	2021-05-24 16:43:49.697657383 +0200
+@@ -3,6 +3,15 @@
+ 
+ #ifndef SUBID_RANGE_DEFINED
+ #define SUBID_RANGE_DEFINED 1
++
++/* subid_range is just a starting point and size of a range */
++struct subid_range {
++	unsigned long start;
++	unsigned long count;
++};
++
++/* subordinage_range is a subid_range plus an owner, representing
++ * a range in /etc/subuid or /etc/subgid */
+ struct subordinate_range {
+ 	const char *owner;
+ 	unsigned long start;
+@@ -41,32 +50,27 @@ bool libsubid_init(const char *progname,
+  * get_subuid_ranges: return a list of UID ranges for a user
+  *
+  * @owner: username being queried
+- * @ranges: a pointer to a subordinate range ** in which the result will be
+- *          returned.
++ * @ranges: a pointer to an array of subid_range structs in which the result
++ *          will be returned.
++ *
++ * The caller must free(ranges) when done.
+  *
+  * returns: number of ranges found, ir < 0 on error.
+  */
+-int get_subuid_ranges(const char *owner, struct subordinate_range ***ranges);
++int get_subuid_ranges(const char *owner, struct subid_range **ranges);
+ 
+ /*
+  * get_subgid_ranges: return a list of GID ranges for a user
+  *
+  * @owner: username being queried
+- * @ranges: a pointer to a subordinate range ** in which the result will be
+- *          returned.
++ * @ranges: a pointer to an array of subid_range structs in which the result
++ *          will be returned.
+  *
+- * returns: number of ranges found, ir < 0 on error.
+- */
+-int get_subgid_ranges(const char *owner, struct subordinate_range ***ranges);
+-
+-/*
+- * subid_free_ranges: free an array of subordinate_ranges returned by either
+- *                    get_subuid_ranges() or get_subgid_ranges().
++ * The caller must free(ranges) when done.
+  *
+- * @ranges: the ranges to free
+- * @count: the number of ranges in @ranges
++ * returns: number of ranges found, ir < 0 on error.
+  */
+-void subid_free_ranges(struct subordinate_range **ranges, int count);
++int get_subgid_ranges(const char *owner, struct subid_range **ranges);
+ 
+ /*
+  * get_subuid_owners: return a list of uids to which the given uid has been
+diff -up shadow-4.8.1/lib/subordinateio.c.libsubid-simplify shadow-4.8.1/lib/subordinateio.c
+--- shadow-4.8.1/lib/subordinateio.c.libsubid-simplify	2021-05-24 17:27:38.721035241 +0200
++++ shadow-4.8.1/lib/subordinateio.c	2021-05-24 17:28:06.481420946 +0200
+@@ -11,6 +11,7 @@
+ #include <stdio.h>
+ #include "commonio.h"
+ #include "subordinateio.h"
++#include "../libsubid/subid.h"
+ #include <sys/types.h>
+ #include <pwd.h>
+ #include <ctype.h>
+@@ -308,25 +309,21 @@ static bool have_range(struct commonio_d
+ 	return false;
+ }
+ 
+-static bool append_range(struct subordinate_range ***ranges, const struct subordinate_range *new, int n)
++static bool append_range(struct subid_range **ranges, const struct subordinate_range *new, int n)
+ {
+-	struct subordinate_range *tmp;
+ 	if (!*ranges) {
+-		*ranges = malloc(sizeof(struct subordinate_range *));
++		*ranges = malloc(sizeof(struct subid_range));
+ 		if (!*ranges)
+ 			return false;
+ 	} else {
+-		struct subordinate_range **new;
+-		new = realloc(*ranges, (n + 1) * (sizeof(struct subordinate_range *)));
+-		if (!new)
++		struct subid_range *alloced;
++		alloced = realloc(*ranges, (n + 1) * (sizeof(struct subid_range)));
++		if (!alloced)
+ 			return false;
+-		*ranges = new;
++		*ranges = alloced;
+ 	}
+-	(*ranges)[n] = NULL;
+-	tmp = subordinate_dup(new);
+-	if (!tmp)
+-		return false;
+-	(*ranges)[n] = tmp;
++	(*ranges)[n].start = new->start;
++	(*ranges)[n].count = new->count;
+ 	return true;
+ }
+ 
+@@ -785,10 +782,10 @@ gid_t sub_gid_find_free_range(gid_t min,
+  *
+  * The caller must free the subordinate range list.
+  */
+-int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***in_ranges)
++int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **in_ranges)
+ {
+ 	// TODO - need to handle owner being either uid or username
+-	struct subordinate_range **ranges = NULL;
++	struct subid_range *ranges = NULL;
+ 	const struct subordinate_range *range;
+ 	struct commonio_db *db;
+ 	enum subid_status status;
+@@ -826,7 +823,7 @@ int list_owner_ranges(const char *owner,
+ 	while ((range = commonio_next(db)) != NULL) {
+ 		if (0 == strcmp(range->owner, owner)) {
+ 			if (!append_range(&ranges, range, count++)) {
+-				free_subordinate_ranges(ranges, count-1);
++				free(ranges);
+ 				ranges = NULL;
+ 				count = -1;
+ 				goto out;
+diff -up shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable shadow-4.8.1/lib/subordinateio.h
+--- shadow-4.8.1/lib/subordinateio.h.libsubid_simplify_ranges_variable	2021-05-24 15:03:01.467989079 +0200
++++ shadow-4.8.1/lib/subordinateio.h	2021-05-24 16:40:56.978269647 +0200
+@@ -25,7 +25,7 @@ extern int sub_uid_unlock (void);
+ extern int sub_uid_add (const char *owner, uid_t start, unsigned long count);
+ extern int sub_uid_remove (const char *owner, uid_t start, unsigned long count);
+ extern uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count);
+-extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges);
++extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges);
+ extern bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, bool reuse);
+ extern bool release_subid_range(struct subordinate_range *range, enum subid_type id_type);
+ extern int find_subid_owners(unsigned long id, enum subid_type id_type, uid_t **uids);
+diff -up shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable shadow-4.8.1/src/list_subid_ranges.c
+--- shadow-4.8.1/src/list_subid_ranges.c.libsubid_simplify_ranges_variable	2021-05-24 15:03:01.468989093 +0200
++++ shadow-4.8.1/src/list_subid_ranges.c	2021-05-24 16:45:10.884779740 +0200
+@@ -17,27 +17,29 @@ void usage(void)
+ int main(int argc, char *argv[])
+ {
+ 	int i, count=0;
+-	struct subordinate_range **ranges;
++	struct subid_range *ranges;
++	const char *owner;
+ 
+ 	Prog = Basename (argv[0]);
+ 	shadow_logfd = stderr;
+-	if (argc < 2) {
++	if (argc < 2)
+ 		usage();
+-	}
+-	if (argc == 3 && strcmp(argv[1], "-g") == 0)
+-		count = get_subgid_ranges(argv[2], &ranges);
+-	else if (argc == 2 && strcmp(argv[1], "-h") == 0)
++	owner = argv[1];
++	if (argc == 3 && strcmp(argv[1], "-g") == 0) {
++		owner = argv[2];
++		count = get_subgid_ranges(owner, &ranges);
++	} else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
+ 		usage();
+-	else
+-		count = get_subuid_ranges(argv[1], &ranges);
++	} else {
++		count = get_subuid_ranges(owner, &ranges);
++	}
+ 	if (!ranges) {
+ 		fprintf(stderr, "Error fetching ranges\n");
+ 		exit(1);
+ 	}
+ 	for (i = 0; i < count; i++) {
+-		printf("%d: %s %lu %lu\n", i, ranges[i]->owner,
+-			ranges[i]->start, ranges[i]->count);
++		printf("%d: %s %lu %lu\n", i, owner,
++			ranges[i].start, ranges[i].count);
+ 	}
+-	subid_free_ranges(ranges, count);
+ 	return 0;
+ }
+diff -up shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c
+--- shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c.libsubid_simplify_ranges_variable	2021-05-24 15:02:56.166917079 +0200
++++ shadow-4.8.1/tests/libsubid/04_nss/libsubid_zzz.c	2021-05-24 15:03:01.469989106 +0200
+@@ -113,7 +113,7 @@ enum subid_status shadow_subid_list_owne
+ 	if (strcmp(owner, "conn") == 0)
+ 		return SUBID_STATUS_ERROR_CONN;
+ 
+-	*ranges = NULL;
++	*in_ranges = NULL;
+ 	if (strcmp(owner, "user1") != 0 && strcmp(owner, "ubuntu") != 0 &&
+ 	    strcmp(owner, "group1") != 0)
+ 		return SUBID_STATUS_SUCCESS;

shadow-4.8.1-man_clarify_subid_delegation.patch

@@ -0,0 +1,246 @@
+From d5b15f8633d0eabed885cd16feda224ec2d59072 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 24 May 2021 12:14:43 +0200
+Subject: [PATCH] man: clarify subid delegation
+
+Clarify that the subid delegation can only come from one source.
+Moreover, add an example of what might happen if the subid source is NSS
+and useradd is executed.
+
+Related: https://github.com/shadow-maint/shadow/issues/331
+---
+ man/newgidmap.1.xml | 12 +++++++++---
+ man/newuidmap.1.xml | 10 ++++++++--
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
+index 76fc1e30..7aaf34bf 100644
+--- a/man/newgidmap.1.xml
++++ b/man/newgidmap.1.xml
+@@ -88,9 +88,15 @@
+     <title>DESCRIPTION</title>
+     <para>
+       The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
+-      command line arguments and the gids allowed (either in <filename>/etc/subgid</filename> or
+-      through the configured NSS subid module).
+-      Note that the root user is not exempted from the requirement for a valid
++      command line arguments and the gids allowed. The subid delegation can come either from files
++      (<filename>/etc/subgid</filename>) or from the configured NSS subid module. Only one of them
++      can be chosen at a time. So, for example, if the subid source is configured as NSS and
++      <command>groupadd</command> is executed, then the command will fail and the entry will not be
++      created in <filename>/etc/subgid</filename>.
++    </para>
++
++    <para>
++      Note that the root group is not exempted from the requirement for a valid
+       <filename>/etc/subgid</filename> entry.
+     </para>
+ 
+diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
+index 44eca50a..4bc1ef7a 100644
+--- a/man/newuidmap.1.xml
++++ b/man/newuidmap.1.xml
+@@ -88,8 +88,14 @@
+     <title>DESCRIPTION</title>
+     <para>
+       The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
+-      command line arguments and the uids allowed (either in <filename>/etc/subuid</filename> or
+-      through the configured NSS subid module).
++      command line arguments and the uids allowed. The subid delegation can come either from files
++      (<filename>/etc/subuid</filename>) or from the configured NSS subid module. Only one of them
++      can be chosen at a time. So, for example, if the subid source is configured as NSS and
++      <command>useradd</command> is executed, then the command will fail and the entry will not be
++      created in <filename>/etc/subuid</filename>.
++    </para>
++
++    <para>
+       Note that the root user is not exempted from the requirement for a valid
+       <filename>/etc/subuid</filename> entry.
+     </para>
+-- 
+2.30.2
+
+From 68ebbf936038e4e4c8b5105bd3246ef9709b6354 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 7 Jun 2021 11:50:56 +0200
+Subject: [PATCH 1/2] man: clarify subid delegation behaviour
+
+Following the discussion https://github.com/shadow-maint/shadow/pull/345
+I have changed the documentation to clarify the behaviour of subid
+delegation when any subid source except files is configured.
+---
+ man/newgidmap.1.xml | 11 +++++------
+ man/newuidmap.1.xml | 11 +++++------
+ 2 files changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/man/newgidmap.1.xml b/man/newgidmap.1.xml
+index 7aaf34bf..681aefcb 100644
+--- a/man/newgidmap.1.xml
++++ b/man/newgidmap.1.xml
+@@ -87,12 +87,11 @@
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+     <para>
+-      The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename> based on its
+-      command line arguments and the gids allowed. The subid delegation can come either from files
+-      (<filename>/etc/subgid</filename>) or from the configured NSS subid module. Only one of them
+-      can be chosen at a time. So, for example, if the subid source is configured as NSS and
+-      <command>groupadd</command> is executed, then the command will fail and the entry will not be
+-      created in <filename>/etc/subgid</filename>.
++      The <command>newgidmap</command> sets <filename>/proc/[pid]/gid_map</filename>
++      based on its command line arguments and the gids allowed. Subgid
++      delegation can either be managed via <filename>/etc/subgid</filename>
++      or through the configured NSS subid module. These options are mutually
++      exclusive.
+     </para>
+ 
+     <para>
+diff --git a/man/newuidmap.1.xml b/man/newuidmap.1.xml
+index 4bc1ef7a..09e65d80 100644
+--- a/man/newuidmap.1.xml
++++ b/man/newuidmap.1.xml
+@@ -87,12 +87,11 @@
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+     <para>
+-      The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename> based on its
+-      command line arguments and the uids allowed. The subid delegation can come either from files
+-      (<filename>/etc/subuid</filename>) or from the configured NSS subid module. Only one of them
+-      can be chosen at a time. So, for example, if the subid source is configured as NSS and
+-      <command>useradd</command> is executed, then the command will fail and the entry will not be
+-      created in <filename>/etc/subuid</filename>.
++      The <command>newuidmap</command> sets <filename>/proc/[pid]/uid_map</filename>
++      based on its command line arguments and the uids allowed. Subuid
++      delegation can either be managed via <filename>/etc/subuid</filename> or
++      through the configured NSS subid module. These options are mutually
++      exclusive.
+     </para>
+ 
+     <para>
+-- 
+2.31.1
+
+
+From 0faec51bf0ec24e6e3d098cc55ed42584dd24efe Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Fri, 11 Jun 2021 15:25:42 +0200
+Subject: [PATCH 2/2] man: definition and configuration of subid
+
+Define the subid functionality and explain the way to configure its
+delegation.
+---
+ man/subgid.5.xml | 32 +++++++++++++++++++++++++++++++-
+ man/subuid.5.xml | 32 +++++++++++++++++++++++++++++++-
+ 2 files changed, 62 insertions(+), 2 deletions(-)
+
+diff --git a/man/subgid.5.xml b/man/subgid.5.xml
+index 70c561c4..02f421ab 100644
+--- a/man/subgid.5.xml
++++ b/man/subgid.5.xml
+@@ -38,6 +38,11 @@
+       <surname>Biederman</surname>
+       <contrib>Creation, 2013</contrib>
+     </author>
++    <author>
++      <firstname>Iker</firstname>
++      <surname>Pedrosa</surname>
++      <contrib>Developer, 2021</contrib>
++    </author>
+   </refentryinfo>
+   <refmeta>
+     <refentrytitle>subgid</refentrytitle>
+@@ -48,11 +53,36 @@
+   </refmeta>
+   <refnamediv id='name'>
+     <refname>subgid</refname>
+-    <refpurpose>the subordinate gid file</refpurpose>
++    <refpurpose>the configuration for subordinate group ids</refpurpose>
+   </refnamediv>
+ 
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
++    <para>
++      Subgid authorizes a group id to map ranges of group ids from its namespace
++      into child namespaces.
++    </para>
++    <para>
++      The delegation of the subordinate gids can be configured via the
++      <replaceable>subid</replaceable> field in
++      <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
++      as the delegation source. Setting this field to
++      <replaceable>files</replaceable> configures the delegation of gids to
++      <filename>/etc/subgid</filename>. Setting any other value treats
++      the delegation as a plugin following with a name of the form
++      <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
++      missing, then the subordinate gid delegation falls back to
++      <replaceable>files</replaceable>.
++    </para>
++    <para>
++      Note, that <command>groupadd</command> will only create entries in
++      <filename>/etc/subgid</filename> if subid delegation is managed via subid
++      files.
++    </para>
++  </refsect1>
++
++  <refsect1 id='local-subordinate-delegation'>
++    <title>LOCAL SUBORDINATE DELEGATION</title>
+     <para>
+       Each line in <filename>/etc/subgid</filename> contains
+       a user name and a range of subordinate group ids that user
+diff --git a/man/subuid.5.xml b/man/subuid.5.xml
+index ec6a85f5..990d162e 100644
+--- a/man/subuid.5.xml
++++ b/man/subuid.5.xml
+@@ -38,6 +38,11 @@
+       <surname>Biederman</surname>
+       <contrib>Creation, 2013</contrib>
+     </author>
++    <author>
++      <firstname>Iker</firstname>
++      <surname>Pedrosa</surname>
++      <contrib>Developer, 2021</contrib>
++    </author>
+   </refentryinfo>
+   <refmeta>
+     <refentrytitle>subuid</refentrytitle>
+@@ -48,11 +53,36 @@
+   </refmeta>
+   <refnamediv id='name'>
+     <refname>subuid</refname>
+-    <refpurpose>the subordinate uid file</refpurpose>
++    <refpurpose>the configuration for subordinate user ids</refpurpose>
+   </refnamediv>
+ 
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
++    <para>
++      Subuid authorizes a user id to map ranges of user ids from its namespace
++      into child namespaces.
++    </para>
++    <para>
++      The delegation of the subordinate uids can be configured via the
++      <replaceable>subid</replaceable> field in
++      <filename>/etc/nsswitch.conf</filename> file. Only one value can be set
++      as the delegation source. Setting this field to
++      <replaceable>files</replaceable> configures the delegation of uids to
++      <filename>/etc/subuid</filename>. Setting any other value treats
++      the delegation as a plugin following with a name of the form
++      <replaceable>libsubid_$value.so</replaceable>. If the value or plugin is
++      missing, then the subordinate uid delegation falls back to
++      <replaceable>files</replaceable>.
++    </para>
++    <para>
++      Note, that <command>useradd</command> will only create entries in
++      <filename>/etc/subuid</filename> if subid delegation is managed via subid
++      files.
++    </para>
++  </refsect1>
++
++  <refsect1 id='local-subordinate-delegation'>
++    <title>LOCAL SUBORDINATE DELEGATION</title>
+     <para>
+       Each line in <filename>/etc/subuid</filename> contains
+       a user name and a range of subordinate user ids that user
+-- 
+2.31.1
+

shadow-4.8.1-useradd_SUB_UID_COUNT-0.patch

@@ -0,0 +1,44 @@
+From 663824ef4ca927aa2b4319b69e0bfa68282ec719 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Sat, 22 May 2021 11:42:02 -0500
+Subject: [PATCH] Fix useradd with SUB_UID_COUNT=0
+
+Closes #298
+
+Fix useradd when SUB_UID_COUNT=0 in login.defs.
+
+Signed-off-by: Serge Hallyn <serge@hallyn.com>
+---
+ src/useradd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 06accb2f..9862ae55 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2386,6 +2386,8 @@ int main (int argc, char **argv)
+ #ifdef ENABLE_SUBIDS
+ 	uid_t uid_min;
+ 	uid_t uid_max;
++	unsigned long subuid_count;
++	unsigned long subgid_count;
+ #endif
+ 
+ 	/*
+@@ -2427,9 +2429,11 @@ int main (int argc, char **argv)
+ #ifdef ENABLE_SUBIDS
+ 	uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+ 	uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+-	is_sub_uid = sub_uid_file_present () && !rflg &&
++	subuid_count = getdef_ulong ("SUB_UID_COUNT", 65536);
++	subgid_count = getdef_ulong ("SUB_GID_COUNT", 65536);
++	is_sub_uid = subuid_count > 0 && sub_uid_file_present () && !rflg &&
+ 	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
+-	is_sub_gid = sub_gid_file_present () && !rflg &&
++	is_sub_gid = subgid_count > 0 && sub_gid_file_present () && !rflg &&
+ 	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
+ #endif				/* ENABLE_SUBIDS */
+ 
+-- 
+2.30.2
+

shadow-utils.spec

@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.8.1
-Release: 10%{?dist}
+Release: 11%{?dist}
 Epoch: 2
 URL: https://github.com/shadow-maint/shadow
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@@ -78,6 +78,23 @@ Patch47: shadow-4.8.1-libsubid_creation.patch
 Patch48: shadow-4.8.1-libsubid_nsswitch_support.patch
 # https://github.com/shadow-maint/shadow/commit/186b1b7ac1a68d0fcc618a22da1a99232b420911
 Patch49: shadow-4.8.1-man-mention-nss-in-newuidmap.patch
+# https://github.com/shadow-maint/shadow/commit/f9831a4a1a20b0e8fe47cc72ec20018ec04dbb90
+Patch50: shadow-4.8.1-libsubid_not_print_error_messages.patch
+# https://github.com/shadow-maint/shadow/commit/c6cab4a7bafa18d9d65a333cac1261e7b5e32bc9
+Patch51: shadow-4.8.1-libsubid_init_return_false.patch
+# https://github.com/shadow-maint/shadow/commit/2f1f45d64fc7c10e7a3cbe00e89f63714343e526
+Patch52: shadow-4.8.1-useradd_SUB_UID_COUNT-0.patch
+# https://github.com/shadow-maint/shadow/commit/ea7af4e1543c63590d4107ae075fea385028997d
+Patch53: shadow-4.8.1-libsubid_simplify_ranges_variable.patch
+# https://github.com/shadow-maint/shadow/commit/0fe42f571c69f0105d31305f995c9887aeb9525e
+Patch54: shadow-4.8.1-libsubid_init_not_print_error_messages.patch
+# https://github.com/shadow-maint/shadow/commit/ec1951c181faed188464396b2cfdd2efb726c7f3
+Patch55: shadow-4.8.1-libsubid_fix_newusers_nss_provides_subids.patch
+# https://github.com/shadow-maint/shadow/commit/087112244327be50abc24f9ec8afbf60ae8b2dec
+# https://github.com/shadow-maint/shadow/pull/353
+Patch56: shadow-4.8.1-man_clarify_subid_delegation.patch
+# https://github.com/shadow-maint/shadow/commit/bd920ab36a6c641e4a8769f8c7f8ca738ec61820
+Patch57: shadow-4.8.1-libsubid_make_logfd_not_extern.patch
 
 License: BSD and GPLv2+
 BuildRequires: make
@@ -152,6 +169,14 @@ Development files for shadow-utils-subid.
 %patch47 -p1 -b .libsubid_creation
 %patch48 -p1 -b .libsubid_nsswitch_support
 %patch49 -p1 -b .man-mention-nss-in-newuidmap
+%patch50 -p1 -b .libsubid_not_print_error_messages
+%patch51 -p1 -b .libsubid_init_return_false
+%patch52 -p1 -b .useradd_SUB_UID_COUNT-0
+%patch53 -p1 -b .libsubid_simplify_ranges_variable
+%patch54 -p1 -b .libsubid_init_not_print_error_messages
+%patch55 -p1 -b .libsubid_fix_newusers_nss_provides_subids
+%patch56 -p1 -b .man_clarify_subid_delegation
+%patch57 -p1 -b .libsubid_make_logfd_not_extern
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -320,6 +345,16 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_libdir}/libsubid.so
 
 %changelog
+* Mon Jun 21 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-11
+- libsubid: don't print error messages on stderr by default
+- libsubid: libsubid_init return false if out of memory
+- useradd: fix SUB_UID_COUNT=0
+- libsubid: don't return owner in list_owner_ranges API call
+- libsubid: libsubid_init don't print messages on error
+- libsubid: fix newusers when nss provides subids
+- man: clarify subid delegation
+- libsubid: make shadow_logfd not extern
+
 * Thu May  6 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-10
 - man: mention NSS in new[ug]idmap manpages
 - libsubid: move development header to shadow folder