diff --git a/shadow-4.3.1-manfix.patch b/shadow-4.3.1-manfix.patch
index cc62a86..d70f4cc 100644
--- a/shadow-4.3.1-manfix.patch
+++ b/shadow-4.3.1-manfix.patch
@@ -213,6 +213,15 @@ Index: shadow-4.5/man/shadow.5.xml
 ===================================================================
 --- shadow-4.5.orig/man/shadow.5.xml
 +++ shadow-4.5/man/shadow.5.xml
+@@ -129,7 +129,7 @@
+ 	<listitem>
+ 	  <para>
+ 	    The date of the last password change, expressed as the number
+-	    of days since Jan 1, 1970.
++	    of days since Jan 1, 1970 00:00 UTC.
+ 	  </para>
+ 	  <para>
+ 	    The value 0 has a special meaning, which is that the user
 @@ -208,8 +208,8 @@
  	  </para>
  	  <para>
@@ -224,6 +233,15 @@ Index: shadow-4.5/man/shadow.5.xml
  	  </para>
  	  <para>
  	    An empty field means that there are no enforcement of an
+@@ -224,7 +224,7 @@
+ 	<listitem>
+ 	  <para>
+ 	    The date of expiration of the account, expressed as the number
+-	    of days since Jan 1, 1970.
++	    of days since Jan 1, 1970 00:00 UTC.
+ 	  </para>
+ 	  <para>
+ 	    Note that an account expiration differs from a password
 Index: shadow-4.5/man/useradd.8.xml
 ===================================================================
 --- shadow-4.5.orig/man/useradd.8.xml
diff --git a/shadow-4.5-goodname.patch b/shadow-4.5-goodname.patch
index 215f658..2f82828 100644
--- a/shadow-4.5-goodname.patch
+++ b/shadow-4.5-goodname.patch
@@ -64,7 +64,7 @@ Index: shadow-4.5/man/groupadd.8.xml
 ===================================================================
 --- shadow-4.5.orig/man/groupadd.8.xml
 +++ shadow-4.5/man/groupadd.8.xml
-@@ -256,12 +256,6 @@
+@@ -256,10 +256,14 @@
     <refsect1 id='caveats'>
       <title>CAVEATS</title>
       <para>
@@ -72,16 +72,22 @@ Index: shadow-4.5/man/groupadd.8.xml
 -       followed by lower case letters, digits, underscores, or dashes.
 -       They can end with a dollar sign.
 -       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
--     </para>
--     <para>
-        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
++       Groupnames may contain only lower and upper case letters, digits,
++       underscores, or dashes. They can end with a dollar sign.
++
++       Dashes are not allowed at the beginning of the groupname.
++       Fully numeric groupnames and groupnames . or .. are
++       also disallowed.
++
++       In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
       </para>
       <para>
+        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
 Index: shadow-4.5/man/useradd.8.xml
 ===================================================================
 --- shadow-4.5.orig/man/useradd.8.xml
 +++ shadow-4.5/man/useradd.8.xml
-@@ -633,12 +633,6 @@
+@@ -633,10 +633,16 @@
      </para>
  
      <para>
@@ -89,8 +95,16 @@ Index: shadow-4.5/man/useradd.8.xml
 -      followed by lower case letters, digits, underscores, or dashes.
 -      They can end with a dollar sign.
 -      In regular expression terms: [a-z_][a-z0-9_-]*[$]?
--    </para>
--    <para>
-       Usernames may only be up to 32 characters long.
++      Usernames may contain only lower and upper case letters, digits,
++      underscores, or dashes. They can end with a dollar sign.
++
++      Dashes are not allowed at the beginning of the username.
++      Fully numeric usernames and usernames . or .. are
++      also disallowed. It is not recommended to use usernames beginning
++      with . character as their home directories will be hidden in
++      the <command>ls</command> output.
++
++      In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
      </para>
-   </refsect1>
+     <para>
+       Usernames may only be up to 32 characters long.
diff --git a/shadow-4.6-sysugid-min-limit.patch b/shadow-4.6-sysugid-min-limit.patch
new file mode 100644
index 0000000..c03adde
--- /dev/null
+++ b/shadow-4.6-sysugid-min-limit.patch
@@ -0,0 +1,32 @@
+diff -up shadow-4.6/libmisc/find_new_gid.c.min-limit shadow-4.6/libmisc/find_new_gid.c
+--- shadow-4.6/libmisc/find_new_gid.c.min-limit	2018-04-29 18:42:37.000000001 +0200
++++ shadow-4.6/libmisc/find_new_gid.c	2018-11-06 10:07:14.567611067 +0100
+@@ -81,6 +81,12 @@ static int get_ranges (bool sys_group, g
+                             getdef_ulong ("GID_MIN", 1000UL),
+                             (unsigned long) *max_id);
+ 			return EINVAL;
++		/*
++		 * Zero is reserved for root and the allocation algorithm does not
++		 * work right with it.
++		 */
++		if (*min_id == 0) {
++			*min_id = (gid_t) 1;
+ 		}
+ 	} else {
+ 		/* Non-system groups */
+diff -up shadow-4.6/libmisc/find_new_uid.c.min-limit shadow-4.6/libmisc/find_new_uid.c
+--- shadow-4.6/libmisc/find_new_uid.c.min-limit	2018-04-29 18:42:37.000000001 +0200
++++ shadow-4.6/libmisc/find_new_uid.c	2018-11-06 10:07:34.392075491 +0100
+@@ -81,6 +81,12 @@ static int get_ranges (bool sys_user, ui
+                             getdef_ulong ("UID_MIN", 1000UL),
+                             (unsigned long) *max_id);
+ 			return EINVAL;
++		/*
++		 * Zero is reserved for root and the allocation algorithm does not
++		 * work right with it.
++		 */
++		if (*min_id == 0) {
++			*min_id = (uid_t) 1;
+ 		}
+ 	} else {
+ 		/* Non-system users */
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 8d924f6..223aaaf 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.6
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@@ -32,6 +32,7 @@ Patch33: shadow-4.5-long-entry.patch
 Patch34: shadow-4.6-usermod-crash.patch
 Patch35: shadow-4.6-coverity.patch
 Patch36: shadow-4.6-sssd-flush.patch
+Patch37: shadow-4.6-sysugid-min-limit.patch
 
 License: BSD and GPLv2+
 Group: System Environment/Base
@@ -85,6 +86,7 @@ are used for managing group accounts.
 %patch34 -p1 -b .usermod-crash
 %patch35 -p1 -b .coverity
 %patch36 -p1 -b .sssd-flush
+%patch37 -p1 -b .sysugid-min-limit
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -197,8 +199,8 @@ done
 %attr(4755,root,root) %{_bindir}/gpasswd
 %{_bindir}/lastlog
 %attr(4755,root,root) %{_bindir}/newgrp
-%attr(4755,root,root) %{_bindir}/newgidmap
-%attr(4755,root,root) %{_bindir}/newuidmap
+%attr(0755,root,root) %caps(cap_setgid=ep) %{_bindir}/newgidmap
+%attr(0755,root,root) %caps(cap_setuid=ep) %{_bindir}/newuidmap
 %{_sbindir}/adduser
 %attr(0755,root,root)   %{_sbindir}/user*
 %attr(0755,root,root)   %{_sbindir}/group*
@@ -236,6 +238,12 @@ done
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Tue Nov  6 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-4
+- use cap_setxid file capabilities for newxidmap instead of making them setuid
+- limit the SYS_U/GID_MIN value to 1 as the algorithm does not work with 0
+  and the 0 is always used by root anyway
+- manual page improvements
+
 * Wed Oct 10 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-3
 - fix some issues from Coverity scan
 - flush sssd caches - patch by Jakub Hrozek