diff --git a/shadow-4.8-invalid-shell-check.patch b/shadow-4.8-invalid-shell-check.patch
new file mode 100644
index 0000000..2c525c0
--- /dev/null
+++ b/shadow-4.8-invalid-shell-check.patch
@@ -0,0 +1,30 @@
+diff -up shadow-4.8/src/useradd.c.invalid-shell shadow-4.8/src/useradd.c
+--- shadow-4.8/src/useradd.c.invalid-shell	2020-01-16 08:47:13.841921106 +0100
++++ shadow-4.8/src/useradd.c	2020-01-16 08:57:26.338421901 +0100
+@@ -1277,15 +1277,22 @@ static void process_flags (int argc, cha
+ 				if (   ( !VALID (optarg) )
+ 				    || (   ('\0' != optarg[0])
+ 				        && ('/'  != optarg[0])
+-				        && ('*'  != optarg[0]) )
+-				    || (stat(optarg, &st) != 0)
+-				    || (S_ISDIR(st.st_mode))
+-				    || (access(optarg, X_OK) != 0)) {
++				        && ('*'  != optarg[0]) )) {
+ 					fprintf (stderr,
+ 					         _("%s: invalid shell '%s'\n"),
+ 					         Prog, optarg);
+ 					exit (E_BAD_ARG);
+ 				}
++				if (    '\0' != optarg[0]
++				     && '*'  != optarg[0]
++				     && strcmp(optarg, "/sbin/nologin") != 0
++				     && (   stat(optarg, &st) != 0
++				         || S_ISDIR(st.st_mode)
++				         || access(optarg, X_OK) != 0)) {
++					fprintf (stderr,
++					         _("%s: Warning: missing or not executable shell '%s'\n"),
++					         Prog, optarg);
++				}
+ 				user_shell = optarg;
+ 				def_shell = optarg;
+ 				sflg = true;