useradd: modify check ID range for system users

Resolves: #2093692

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

.gitignore

@@ -14,3 +14,7 @@ shadow-4.1.4.2.tar.bz2
 /shadow-4.8.tar.xz.asc
 /shadow-4.8.1.tar.xz
 /shadow-4.8.1.tar.xz.asc
+/shadow-4.9.tar.xz
+/shadow-4.9.tar.xz.asc
+/shadow-4.11.1.tar.xz
+/shadow-4.11.1.tar.xz.asc

shadow-4.1.5.1-info-parent-dir.patch

@@ -1,21 +0,0 @@
-Index: shadow-4.5/man/newusers.8.xml
-===================================================================
---- shadow-4.5.orig/man/newusers.8.xml
-+++ shadow-4.5/man/newusers.8.xml
-@@ -218,7 +218,15 @@
- 	  <para>
- 	    If this field does not specify an existing directory, the
- 	    specified directory is created, with ownership set to the
--	    user being created or updated and its primary group.
-+	    user being created or updated and its primary group. Note 
-+            that newusers does not create parent directories of the new 
-+            user's home directory. The newusers command will fail to 
-+            create the home directory if the parent directories do not 
-+            exist, and will send a message to stderr informing the user 
-+            of the failure. The newusers command will not halt or return 
-+            a failure to the calling shell if it fails to create the home 
-+            directory, it will continue to process the batch of new users 
-+            specified.
- 	  </para>
- 	  <para>
- 	    If the home directory of an existing user is changed,

shadow-4.1.5.1-logmsg.patch

@@ -1,13 +0,0 @@
-Index: shadow-4.5/src/useradd.c
-===================================================================
---- shadow-4.5.orig/src/useradd.c
-+++ shadow-4.5/src/useradd.c
-@@ -323,7 +323,7 @@ static void fail_exit (int code)
- 	              user_name, AUDIT_NO_ID,
- 	              SHADOW_AUDIT_FAILURE);
- #endif
--	SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
-+	SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
- 	exit (code);
- }
- 

shadow-4.1.5.1-userdel-helpfix.patch

@@ -1,16 +0,0 @@
-Index: shadow-4.5/src/userdel.c
-===================================================================
---- shadow-4.5.orig/src/userdel.c
-+++ shadow-4.5/src/userdel.c
-@@ -143,8 +143,9 @@ static void usage (int status)
- 	                  "\n"
- 	                  "Options:\n"),
- 	                Prog);
--	(void) fputs (_("  -f, --force                   force removal of files,\n"
--	                "                                even if not owned by user\n"),
-+	(void) fputs (_("  -f, --force                   force some actions that would fail otherwise\n"
-+			"                                e.g. removal of user still logged in\n"
-+			"                                or files, even if not owned by the user\n"),
- 	              usageout);
- 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
- 	(void) fputs (_("  -r, --remove                  remove home directory and mail spool\n"), usageout);

shadow-4.11.1-null-tm.patch

@@ -0,0 +1,22 @@
+diff -up shadow-4.11.1/src/chage.c.null-tm shadow-4.11.1/src/chage.c
+diff -up shadow-4.11.1/src/lastlog.c.null-tm shadow-4.11.1/src/lastlog.c
+--- shadow-4.11.1/src/lastlog.c.null-tm	2022-01-03 15:31:56.348555620 +0100
++++ shadow-4.11.1/src/lastlog.c	2022-01-03 15:38:41.262229024 +0100
+@@ -151,9 +151,12 @@ static void print_one (/*@null@*/const s
+ 
+ 	ll_time = ll.ll_time;
+ 	tm = localtime (&ll_time);
+-	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+-	cp = ptime;
+-
++	if (tm == NULL) {
++		cp = "(unknown)";
++	} else {
++		strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
++		cp = ptime;
++	}
+ 	if (ll.ll_time == (time_t) 0) {
+ 		cp = _("**Never logged in**\0");
+ 	}
+diff -up shadow-4.11.1/src/passwd.c.null-tm shadow-4.11.1/src/passwd.c
+diff -up shadow-4.11.1/src/usermod.c.null-tm shadow-4.11.1/src/usermod.c

shadow-4.11.1-redhat.patch

@@ -1,16 +1,16 @@
-diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
+diff -up shadow-4.11.1/src/useradd.c.redhat shadow-4.11.1/src/useradd.c
---- shadow-4.6/src/useradd.c.redhat	2018-04-29 18:42:37.000000000 +0200
+--- shadow-4.11.1/src/useradd.c.redhat	2022-01-03 01:46:53.000000000 +0100
-+++ shadow-4.6/src/useradd.c	2018-05-28 13:37:16.695651258 +0200
++++ shadow-4.11.1/src/useradd.c	2022-01-03 14:53:12.988484829 +0100
-@@ -98,7 +98,7 @@ const char *Prog;
+@@ -82,7 +82,7 @@ const char *Prog;
- static gid_t def_group = 100;
+ static gid_t def_group = 1000;
  static const char *def_gname = "other";
  static const char *def_home = "/home";
--static const char *def_shell = "";
+-static const char *def_shell = "/bin/bash";
 +static const char *def_shell = "/sbin/nologin";
  static const char *def_template = SKEL_DIR;
- static const char *def_create_mail_spool = "no";
+ static const char *def_create_mail_spool = "yes";
- 
+ static const char *def_log_init = "yes";
-@@ -108,7 +108,7 @@ static const char *def_expire = "";
+@@ -93,7 +93,7 @@ static const char *def_expire = "";
  #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
  
  static const char *user_name = "";
@@ -19,7 +19,7 @@ diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
  static uid_t user_id;
  static gid_t user_gid;
  static const char *user_comment = "";
-@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha
+@@ -1219,9 +1219,9 @@ static void process_flags (int argc, cha
  		};
  		while ((c = getopt_long (argc, argv,
  #ifdef WITH_SELINUX
@@ -31,7 +31,7 @@ diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
  #endif				/* !WITH_SELINUX */
  		                         long_options, NULL)) != -1) {
  			switch (c) {
-@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha
+@@ -1378,6 +1378,7 @@ static void process_flags (int argc, cha
  			case 'M':
  				Mflg = true;
  				break;

shadow-4.11.1-useradd-modify-check-ID-range-for-system-users.patch

@@ -0,0 +1,40 @@
+From f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Tue, 4 Jan 2022 13:06:00 +0100
+Subject: [PATCH] useradd: modify check ID range for system users
+
+useradd warns that a system user ID less than SYS_UID_MIN is outside the
+expected range, even though that ID has been specifically selected with
+the "-u" option.
+
+In my opinion all the user ID's below SYS_UID_MAX are for the system,
+thus I change the condition to take that into account.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004911
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ src/useradd.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 34376fa5..4c71c38a 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2409,11 +2409,9 @@ static void check_uid_range(int rflg, uid_t user_id)
+ 	uid_t uid_min ;
+ 	uid_t uid_max ;
+ 	if (rflg) {
+-		uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
+ 		uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
+-		if (uid_min <= uid_max) {
+-			if (user_id < uid_min || user_id >uid_max)
+-				fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
++		if (user_id > uid_max) {
++			fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
+ 		}
+ 	}else{
+ 		uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
+-- 
+2.37.1
+

shadow-4.2.1-null-tm.patch

@@ -1,91 +0,0 @@
-Index: shadow-4.5/src/faillog.c
-===================================================================
---- shadow-4.5.orig/src/faillog.c
-+++ shadow-4.5/src/faillog.c
-@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
- 	}
- 
- 	tm = localtime (&fl.fail_time);
-+	if (tm == NULL) {
-+		cp = "(unknown)";
-+	} else {
- #ifdef HAVE_STRFTIME
--	strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
--	cp = ptime;
-+		strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
-+		cp = ptime;
- #endif
-+	}
- 	printf ("%-9s   %5d    %5d   ",
- 	        pw->pw_name, fl.fail_cnt, fl.fail_max);
- 	/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
-Index: shadow-4.5/src/chage.c
-===================================================================
---- shadow-4.5.orig/src/chage.c
-+++ shadow-4.5/src/chage.c
-@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
- 	struct tm *tp;
- 
- 	tp = gmtime (&date);
-+	if (tp == NULL) {
-+		(void) snprintf (buf, maxsize, "(unknown)");
-+		return;
-+	}
- #ifdef HAVE_STRFTIME
- 	(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
- #else
-Index: shadow-4.5/src/lastlog.c
-===================================================================
---- shadow-4.5.orig/src/lastlog.c
-+++ shadow-4.5/src/lastlog.c
-@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
- 
- 	ll_time = ll.ll_time;
- 	tm = localtime (&ll_time);
-+	if (tm == NULL) {
-+		cp = "(unknown)";
-+	} else {
- #ifdef HAVE_STRFTIME
--	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
--	cp = ptime;
-+		strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
-+		cp = ptime;
- #else
--	cp = asctime (tm);
--	cp[24] = '\0';
-+		cp = asctime (tm);
-+		cp[24] = '\0';
- #endif
-+	}
- 
- 	if (ll.ll_time == (time_t) 0) {
- 		cp = _("**Never logged in**\0");
-Index: shadow-4.5/src/passwd.c
-===================================================================
---- shadow-4.5.orig/src/passwd.c
-+++ shadow-4.5/src/passwd.c
-@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
- 	struct tm *tm;
- 
- 	tm = gmtime (&t);
-+	if (tm == NULL) {
-+		return "(unknown)";
-+	}
- #ifdef HAVE_STRFTIME
- 	(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
- #else				/* !HAVE_STRFTIME */
-Index: shadow-4.5/src/usermod.c
-===================================================================
---- shadow-4.5.orig/src/usermod.c
-+++ shadow-4.5/src/usermod.c
-@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
- 	} else {
- 		time_t t = (time_t) date;
- 		tp = gmtime (&t);
-+		if (tp == NULL) {
-+			strncpy (buf, "unknown", maxsize);
-+			return;
-+		}
- #ifdef HAVE_STRFTIME
- 		strftime (buf, maxsize, "%Y-%m-%d", tp);
- #else

shadow-4.6-getenforce.patch

@@ -1,21 +0,0 @@
-diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
---- shadow-4.6/lib/selinux.c.getenforce	2018-05-28 15:10:15.870315221 +0200
-+++ shadow-4.6/lib/selinux.c	2018-05-28 15:10:15.894315731 +0200
-@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
- 	}
- 	return 0;
-     error:
--	if (security_getenforce () != 0) {
-+	if (security_getenforce () > 0) {
- 		return 1;
- 	}
- 	return 0;
-@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
- 		selinux_checked = true;
- 	}
- 	if (selinux_enabled) {
--		if (setfscreatecon (NULL) != 0) {
-+		if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
- 			return 1;
- 		}
- 	}

shadow-4.8-crypt_h.patch

@@ -1,35 +0,0 @@
-diff -up shadow-4.8/configure.ac.crypt_h shadow-4.8/configure.ac
---- shadow-4.8/configure.ac.crypt_h	2020-01-13 10:26:17.400481712 +0100
-+++ shadow-4.8/configure.ac	2020-01-13 10:29:11.563529093 +0100
-@@ -32,7 +32,7 @@ AC_HEADER_STDC
- AC_HEADER_SYS_WAIT
- AC_HEADER_STDBOOL
- 
--AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
-+AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
- 	utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
- 	utime.h ulimit.h sys/capability.h sys/resource.h gshadow.h lastlog.h \
- 	locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
-diff -up shadow-4.8/lib/defines.h.crypt_h shadow-4.8/lib/defines.h
---- shadow-4.8/lib/defines.h.crypt_h	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/lib/defines.h	2020-01-13 10:26:17.400481712 +0100
-@@ -4,6 +4,8 @@
- #ifndef _DEFINES_H_
- #define _DEFINES_H_
- 
-+#include "config.h"
-+
- #if HAVE_STDBOOL_H
- # include <stdbool.h>
- #else
-@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
- # include <unistd.h>
- #endif
- 
-+#if HAVE_CRYPT_H
-+# include <crypt.h>		/* crypt(3) may be defined in here */
-+#endif
-+
- #if TIME_WITH_SYS_TIME
- # include <sys/time.h>
- # include <time.h>

shadow-4.8-selinux.patch

@@ -1,241 +0,0 @@
-diff -up shadow-4.8/lib/commonio.c.selinux shadow-4.8/lib/commonio.c
---- shadow-4.8/lib/commonio.c.selinux	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/lib/commonio.c	2020-01-13 10:08:53.769101131 +0100
-@@ -964,7 +964,7 @@ int commonio_close (struct commonio_db *
- 		snprintf (buf, sizeof buf, "%s-", db->filename);
- 
- #ifdef WITH_SELINUX
--		if (set_selinux_file_context (buf) != 0) {
-+		if (set_selinux_file_context (buf, db->filename) != 0) {
- 			errors++;
- 		}
- #endif
-@@ -997,7 +997,7 @@ int commonio_close (struct commonio_db *
- 	snprintf (buf, sizeof buf, "%s+", db->filename);
- 
- #ifdef WITH_SELINUX
--	if (set_selinux_file_context (buf) != 0) {
-+	if (set_selinux_file_context (buf, db->filename) != 0) {
- 		errors++;
- 	}
- #endif
-diff -up shadow-4.8/libmisc/copydir.c.selinux shadow-4.8/libmisc/copydir.c
---- shadow-4.8/libmisc/copydir.c.selinux	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/libmisc/copydir.c	2020-01-13 10:08:53.769101131 +0100
-@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
- 	 */
- 
- #ifdef WITH_SELINUX
--	if (set_selinux_file_context (dst) != 0) {
-+	if (set_selinux_file_context (dst, NULL) != 0) {
- 		return -1;
- 	}
- #endif				/* WITH_SELINUX */
-@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
- 	}
- 
- #ifdef WITH_SELINUX
--	if (set_selinux_file_context (dst) != 0) {
-+	if (set_selinux_file_context (dst, NULL) != 0) {
- 		free (oldlink);
- 		return -1;
- 	}
-@@ -684,7 +684,7 @@ static int copy_special (const char *src
- 	int err = 0;
- 
- #ifdef WITH_SELINUX
--	if (set_selinux_file_context (dst) != 0) {
-+	if (set_selinux_file_context (dst, NULL) != 0) {
- 		return -1;
- 	}
- #endif				/* WITH_SELINUX */
-@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
- 		return -1;
- 	}
- #ifdef WITH_SELINUX
--	if (set_selinux_file_context (dst) != 0) {
-+	if (set_selinux_file_context (dst, NULL) != 0) {
- 		return -1;
- 	}
- #endif				/* WITH_SELINUX */
-diff -up shadow-4.8/lib/prototypes.h.selinux shadow-4.8/lib/prototypes.h
---- shadow-4.8/lib/prototypes.h.selinux	2020-01-13 10:08:53.769101131 +0100
-+++ shadow-4.8/lib/prototypes.h	2020-01-13 10:11:20.914627399 +0100
-@@ -334,7 +334,7 @@ extern /*@observer@*/const char *crypt_m
- 
- /* selinux.c */
- #ifdef WITH_SELINUX
--extern int set_selinux_file_context (const char *dst_name);
-+extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
- extern int reset_selinux_file_context (void);
- extern int check_selinux_permit (const char *perm_name);
- #endif
-diff -up shadow-4.8/lib/selinux.c.selinux shadow-4.8/lib/selinux.c
---- shadow-4.8/lib/selinux.c.selinux	2019-11-12 01:18:25.000000000 +0100
-+++ shadow-4.8/lib/selinux.c	2020-01-13 10:08:53.769101131 +0100
-@@ -51,7 +51,7 @@ static bool selinux_enabled;
-  *	Callers may have to Reset SELinux to create files with default
-  *	contexts with reset_selinux_file_context
-  */
--int set_selinux_file_context (const char *dst_name)
-+int set_selinux_file_context (const char *dst_name, const char *orig_name)
- {
- 	/*@null@*/security_context_t scontext = NULL;
- 
-@@ -63,19 +63,23 @@ int set_selinux_file_context (const char
- 	if (selinux_enabled) {
- 		/* Get the default security context for this file */
- 		if (matchpathcon (dst_name, 0, &scontext) < 0) {
--			if (security_getenforce () != 0) {
--				return 1;
--			}
-+			/* We could not get the default, copy the original */
-+			if (orig_name == NULL)
-+				goto error;
-+			if (getfilecon (orig_name, &scontext) < 0)
-+				goto error;
- 		}
- 		/* Set the security context for the next created file */
--		if (setfscreatecon (scontext) < 0) {
--			if (security_getenforce () != 0) {
--				return 1;
--			}
--		}
-+		if (setfscreatecon (scontext) < 0)
-+			goto error;
- 		freecon (scontext);
- 	}
- 	return 0;
-+    error:
-+	if (security_getenforce () != 0) {
-+		return 1;
-+	}
-+	return 0;
- }
- 
- /*
-diff -up shadow-4.8/lib/semanage.c.selinux shadow-4.8/lib/semanage.c
---- shadow-4.8/lib/semanage.c.selinux	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/lib/semanage.c	2020-01-13 10:08:53.766101181 +0100
-@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
- 
- 	ret = 0;
- 
-+        /* drop obsolete matchpathcon cache */
-+        matchpathcon_fini();
-+
- done:
- 	semanage_seuser_key_free (key);
- 	semanage_handle_destroy (handle);
-@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
- 	}
- 
- 	ret = 0;
-+
-+        /* drop obsolete matchpathcon cache */
-+        matchpathcon_fini();
-+
- done:
- 	semanage_handle_destroy (handle);
- 	return ret;
-diff -up shadow-4.8/src/useradd.c.selinux shadow-4.8/src/useradd.c
---- shadow-4.8/src/useradd.c.selinux	2020-01-13 10:08:53.762101248 +0100
-+++ shadow-4.8/src/useradd.c	2020-01-13 10:08:53.767101164 +0100
-@@ -2078,7 +2078,7 @@ static void create_home (void)
- 		++bhome;
- 
- #ifdef WITH_SELINUX
--		if (set_selinux_file_context (prefix_user_home) != 0) {
-+		if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
- 			fprintf (stderr,
- 			         _("%s: cannot set SELinux context for home directory %s\n"),
- 			         Prog, user_home);
-@@ -2232,6 +2232,7 @@ static void create_mail (void)
-  */
- int main (int argc, char **argv)
- {
-+	int rv = E_SUCCESS;
- #ifdef ACCT_TOOLS_SETUID
- #ifdef USE_PAM
- 	pam_handle_t *pamh = NULL;
-@@ -2454,27 +2455,12 @@ int main (int argc, char **argv)
- 
- 	usr_update ();
- 
--	if (mflg) {
--		create_home ();
--		if (home_added) {
--			copy_tree (def_template, prefix_user_home, false, false,
--			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
--		} else {
--			fprintf (stderr,
--			         _("%s: warning: the home directory %s already exists.\n"
--			           "%s: Not copying any file from skel directory into it.\n"),
--			         Prog, user_home, Prog);
--		}
--
--	}
--
--	/* Do not create mail directory for system accounts */
--	if (!rflg) {
--		create_mail ();
--	}
--
- 	close_files ();
- 
-+	nscd_flush_cache ("passwd");
-+	nscd_flush_cache ("group");
-+	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
-+
- 	/*
- 	 * tallylog_reset needs to be able to lookup
- 	 * a valid existing user name,
-@@ -2485,8 +2471,9 @@ int main (int argc, char **argv)
- 	}
- 
- #ifdef WITH_SELINUX
--	if (Zflg) {
--		if (set_seuser (user_name, user_selinux) != 0) {
-+	if (Zflg && *user_selinux) {
-+		if (is_selinux_enabled () > 0) {
-+		    if (set_seuser (user_name, user_selinux) != 0) {
- 			fprintf (stderr,
- 			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- 			         Prog, user_name, user_selinux);
-@@ -2495,15 +2482,31 @@ int main (int argc, char **argv)
- 			              "adding SELinux user mapping",
- 			              user_name, (unsigned int) user_id, 0);
- #endif				/* WITH_AUDIT */
--			fail_exit (E_SE_UPDATE);
-+			rv = E_SE_UPDATE;
-+		    }
- 		}
- 	}
- #endif				/* WITH_SELINUX */
- 
--	nscd_flush_cache ("passwd");
--	nscd_flush_cache ("group");
--	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
-+	if (mflg) {
-+		create_home ();
-+		if (home_added) {
-+			copy_tree (def_template, prefix_user_home, false, true,
-+			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
-+		} else {
-+			fprintf (stderr,
-+			         _("%s: warning: the home directory %s already exists.\n"
-+			           "%s: Not copying any file from skel directory into it.\n"),
-+			         Prog, user_home, Prog);
-+		}
-+
-+	}
-+
-+	/* Do not create mail directory for system accounts */
-+	if (!rflg) {
-+		create_mail ();
-+	}
- 
--	return E_SUCCESS;
-+	return rv;
- }
- 

shadow-4.8-useradd-selinux-mail.patch

@@ -1,61 +0,0 @@
-From 4dc62ebcf37d7568be1d4ca54367215eba8b8a28 Mon Sep 17 00:00:00 2001
-From: ikerexxe <ipedrosa@redhat.com>
-Date: Wed, 5 Feb 2020 15:04:39 +0100
-Subject: [PATCH] useradd: doesn't generate /var/spool/mail/$USER with the
- proper SELinux user identity
-
-Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
----
- src/useradd.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index a679392d..645d4a40 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -190,6 +190,7 @@ static bool home_added = false;
- #define E_NAME_IN_USE	9	/* username already in use */
- #define E_GRP_UPDATE	10	/* can't update group file */
- #define E_HOMEDIR	12	/* can't create home directory */
-+#define E_MAILBOXFILE	13	/* can't create mailbox file */
- #define E_SE_UPDATE	14	/* can't update SELinux user mapping */
- #ifdef ENABLE_SUBIDS
- #define E_SUB_UID_UPDATE 16	/* can't update the subordinate uid file */
-@@ -2210,6 +2211,16 @@ static void create_mail (void)
- 			sprintf (file, "%s/%s/%s", prefix, spool, user_name);
- 		else
- 			sprintf (file, "%s/%s", spool, user_name);
-+
-+#ifdef WITH_SELINUX
-+		if (set_selinux_file_context (file, NULL) != 0) {
-+			fprintf (stderr,
-+			         _("%s: cannot set SELinux context for mailbox file %s\n"),
-+			         Prog, file);
-+			fail_exit (E_MAILBOXFILE);
-+		}
-+#endif
-+
- 		fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0);
- 		if (fd < 0) {
- 			perror (_("Creating mailbox file"));
-@@ -2234,6 +2245,15 @@ static void create_mail (void)
- 
- 		fsync (fd);
- 		close (fd);
-+#ifdef WITH_SELINUX
-+		/* Reset SELinux to create files with default contexts */
-+		if (reset_selinux_file_context () != 0) {
-+			fprintf (stderr,
-+			         _("%s: cannot reset SELinux file creation context\n"),
-+			         Prog);
-+			fail_exit (E_MAILBOXFILE);
-+		}
-+#endif
- 	}
- }
- 
--- 
-2.24.1
-

shadow-4.8.1-commonio-force-lock-file-sync.patch

@@ -1,39 +0,0 @@
-From fb0f702cbf958a5ee9097c1611212c9880b347ce Mon Sep 17 00:00:00 2001
-From: ikerexxe <ipedrosa@redhat.com>
-Date: Mon, 2 Nov 2020 17:08:55 +0100
-Subject: [PATCH] commonio: force lock file sync
-
-lib/commonio.c: after writing to the lock file, force a file sync to
-the storage system.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1862056
----
- lib/commonio.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/lib/commonio.c b/lib/commonio.c
-index 16fa7e75..c5b3d104 100644
---- a/lib/commonio.c
-+++ b/lib/commonio.c
-@@ -157,7 +157,17 @@ static int do_lock_file (const char *file, const char *lock, bool log)
- 	if (write (fd, buf, (size_t) len) != len) {
- 		if (log) {
- 			(void) fprintf (stderr,
--			                "%s: %s: %s\n",
-+			                "%s: %s file write error: %s\n",
-+			                Prog, file, strerror (errno));
-+		}
-+		(void) close (fd);
-+		unlink (file);
-+		return 0;
-+	}
-+	if (fdatasync (fd) == -1) {
-+		if (log) {
-+			(void) fprintf (stderr,
-+			                "%s: %s file sync error: %s\n",
- 			                Prog, file, strerror (errno));
- 		}
- 		(void) close (fd);
--- 
-2.26.2
-

shadow-4.8.1-manfix.patch

@@ -1,341 +0,0 @@
-diff -up shadow-4.8.1/man/chage.1.xml.manfix shadow-4.8.1/man/chage.1.xml
---- shadow-4.8.1/man/chage.1.xml.manfix	2019-10-05 01:28:34.000000000 +0200
-+++ shadow-4.8.1/man/chage.1.xml	2020-03-17 15:34:48.750414984 +0100
-@@ -102,6 +102,9 @@
- 	    Set the number of days since January 1st, 1970 when the password
- 	    was last changed. The date may also be expressed in the format
- 	    YYYY-MM-DD (or the format more commonly used in your area).
-+	    If the <replaceable>LAST_DAY</replaceable> is set to
-+	    <emphasis>0</emphasis> the user is forced to change his password
-+	    on the next log on.
- 	  </para>
- 	</listitem>
-       </varlistentry>
-@@ -119,6 +122,13 @@
- 	    system again.
- 	  </para>
- 	  <para>
-+	    For example the following can be used to set an account to expire
-+	    in 180 days:
-+	  </para>
-+	  <programlisting>
-+	    chage -E $(date -d +180days +%Y-%m-%d)
-+	  </programlisting>
-+	  <para>
- 	    Passing the number <emphasis remap='I'>-1</emphasis> as the
- 	    <replaceable>EXPIRE_DATE</replaceable> will remove an account
- 	    expiration date.
-@@ -239,6 +249,18 @@
-       The <command>chage</command> program requires a shadow password file to
-       be available.
-     </para>
-+    <para>
-+      The chage program will report only the information from the shadow
-+      password file. This implies that configuration from other sources
-+     (e.g. LDAP or empty password hash field from the passwd file) that
-+     affect the user's login will not be shown in the chage output.
-+    </para>
-+    <para>
-+      The <command>chage</command> program will also not report any
-+      inconsistency between the shadow and passwd files (e.g. missing x in
-+      the passwd file). The <command>pwck</command> can be used to check
-+      for this kind of inconsistencies.
-+    </para>
-     <para>The <command>chage</command> command is restricted to the root
-       user, except for the <option>-l</option> option, which may be used by
-       an unprivileged user to determine when their password or account is due
-diff -up shadow-4.8.1/man/groupadd.8.xml.manfix shadow-4.8.1/man/groupadd.8.xml
---- shadow-4.8.1/man/groupadd.8.xml.manfix	2020-03-17 15:34:48.745414917 +0100
-+++ shadow-4.8.1/man/groupadd.8.xml	2020-03-17 15:34:48.750414984 +0100
-@@ -320,13 +320,13 @@
- 	<varlistentry>
- 	  <term><replaceable>4</replaceable></term>
- 	  <listitem>
--	    <para>GID not unique (when <option>-o</option> not used)</para>
-+	    <para>GID is already used (when called without <option>-o</option>)</para>
- 	  </listitem>
- 	</varlistentry>
- 	<varlistentry>
- 	  <term><replaceable>9</replaceable></term>
- 	  <listitem>
--	    <para>group name not unique</para>
-+	    <para>group name is already used</para>
- 	  </listitem>
- 	</varlistentry>
- 	<varlistentry>
-diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml
---- shadow-4.8.1/man/groupmems.8.xml.manfix	2020-03-17 15:34:48.750414984 +0100
-+++ shadow-4.8.1/man/groupmems.8.xml	2020-03-17 15:41:13.383588722 +0100
-@@ -179,20 +179,10 @@
-   <refsect1 id='setup'>
-     <title>SETUP</title>
-     <para>
--      The <command>groupmems</command> executable should be in mode
--      <literal>2710</literal> as user <emphasis>root</emphasis> and in group
--      <emphasis>groups</emphasis>. The system administrator can add users to
--      group <emphasis>groups</emphasis> to allow or disallow them using the
--      <command>groupmems</command> utility to manage their own group
--      membership list.
-+      In this operating system the <command>groupmems</command> executable
-+      is not setuid and regular users cannot use it to manipulate
-+      the membership of their own group.
-     </para>
--
--    <programlisting>
--	$ groupadd -r groups
--	$ chmod 2710 groupmems
--	$ chown root.groups groupmems
--	$ groupmems -g groups -a gk4
--    </programlisting>
-   </refsect1>
- 
-   <refsect1 id='configuration'>
-diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5
---- shadow-4.8.1/man/ja/man5/login.defs.5.manfix	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8.1/man/ja/man5/login.defs.5	2020-03-17 15:34:48.750414984 +0100
-@@ -147,10 +147,6 @@ 以下の参照表は、
- shadow パスワード機能のどのプログラムが
- どのパラメータを使用するかを示したものである。
- .na
--.IP chfn 12
--CHFN_AUTH CHFN_RESTRICT
--.IP chsh 12
--CHFN_AUTH
- .IP groupadd 12
- GID_MAX GID_MIN
- .IP newusers 12
-diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml
---- shadow-4.8.1/man/login.defs.5.xml.manfix	2020-01-17 16:47:56.000000000 +0100
-+++ shadow-4.8.1/man/login.defs.5.xml	2020-03-17 15:34:48.750414984 +0100
-@@ -164,6 +164,17 @@
-       long numeric parameters is machine-dependent.
-     </para>
- 
-+    <para>
-+      Please note that the parameters in this configuration file control the
-+      behavior of the tools from the shadow-utils component. None of these
-+      tools uses the PAM mechanism, and the utilities that use PAM (such as the
-+      passwd command) should be configured elsewhere. The only values that
-+      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
-+      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
-+      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
-+      pam(8) for more information.
-+    </para>
-+
-     <para>The following configuration items are provided:</para>
- 
-     <variablelist remap='IP'>
-@@ -256,16 +267,6 @@
- 	</listitem>
-       </varlistentry>
-       <varlistentry>
--	<term>chfn</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CHFN_AUTH</phrase>
--	    CHFN_RESTRICT
--	    <phrase condition="no_pam">LOGIN_STRING</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
--      <varlistentry>
- 	<term>chgpasswd</term>
- 	<listitem>
- 	  <para>
-@@ -286,14 +287,6 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry condition="no_pam">
--	<term>chsh</term>
--	<listitem>
--	  <para>
--	    CHSH_AUTH LOGIN_STRING
--	  </para>
--	</listitem>
--      </varlistentry>
-       <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
-       <!-- faillog: no variables -->
-       <varlistentry>
-@@ -359,34 +352,6 @@
- 	  <para>LASTLOG_UID_MAX</para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry>
--	<term>login</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CONSOLE</phrase>
--	    CONSOLE_GROUPS DEFAULT_HOME
--	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
--	    ENV_TZ ENVIRON_FILE</phrase>
--	    ERASECHAR FAIL_DELAY
--	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
--	    FAKE_SHELL
--	    <phrase condition="no_pam">FTMP_FILE</phrase>
--	    HUSHLOGIN_FILE
--	    <phrase condition="no_pam">ISSUE_FILE</phrase>
--	    KILLCHAR
--	    <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
--	    LOGIN_RETRIES
--	    <phrase condition="no_pam">LOGIN_STRING</phrase>
--	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
--	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
--	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
--	    QUOTAS_ENAB</phrase>
--	    TTYGROUP TTYPERM TTYTYPE_FILE
--	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
--	    USERGROUPS_ENAB
--	  </para>
--	</listitem>
--      </varlistentry>
-       <!-- logoutd: no variables -->
-       <varlistentry>
- 	<term>newgrp / sg</term>
-@@ -415,17 +380,6 @@
- 	</listitem>
-       </varlistentry>
-       <!-- nologin: no variables -->
--      <varlistentry condition="no_pam">
--	<term>passwd</term>
--	<listitem>
--	  <para>
--	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
--	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
--	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
--	    SHA_CRYPT_MIN_ROUNDS</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
-       <varlistentry>
- 	<term>pwck</term>
- 	<listitem>
-@@ -452,32 +406,6 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry>
--	<term>su</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CONSOLE</phrase>
--	    CONSOLE_GROUPS DEFAULT_HOME
--	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
--	    ENV_PATH ENV_SUPATH
--	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
--	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
--	    SULOG_FILE SU_NAME
--	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
--	    SYSLOG_SU_ENAB
--	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
--      <varlistentry>
--	<term>sulogin</term>
--	<listitem>
--	  <para>
--	    ENV_HZ
--	    <phrase condition="no_pam">ENV_TZ</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
-       <varlistentry>
- 	<term>useradd</term>
- 	<listitem>
-diff -up shadow-4.8.1/man/shadow.5.xml.manfix shadow-4.8.1/man/shadow.5.xml
---- shadow-4.8.1/man/shadow.5.xml.manfix	2019-12-01 17:52:32.000000000 +0100
-+++ shadow-4.8.1/man/shadow.5.xml	2020-03-17 15:34:48.750414984 +0100
-@@ -129,7 +129,7 @@
- 	<listitem>
- 	  <para>
- 	    The date of the last password change, expressed as the number
--	    of days since Jan 1, 1970.
-+	    of days since Jan 1, 1970 00:00 UTC.
- 	  </para>
- 	  <para>
- 	    The value 0 has a special meaning, which is that the user
-@@ -208,8 +208,8 @@
- 	  </para>
- 	  <para>
- 	    After expiration of the password and this expiration period is
--	    elapsed, no login is possible using the current user's
--	    password.  The user should contact her administrator.
-+	    elapsed, no login is possible for the user.
-+	    The user should contact her administrator.
- 	  </para>
- 	  <para>
- 	    An empty field means that there are no enforcement of an
-@@ -224,7 +224,7 @@
- 	<listitem>
- 	  <para>
- 	    The date of expiration of the account, expressed as the number
--	    of days since Jan 1, 1970.
-+	    of days since Jan 1, 1970 00:00 UTC.
- 	  </para>
- 	  <para>
- 	    Note that an account expiration differs from a password
-diff -up shadow-4.8.1/man/useradd.8.xml.manfix shadow-4.8.1/man/useradd.8.xml
---- shadow-4.8.1/man/useradd.8.xml.manfix	2020-03-17 15:34:48.745414917 +0100
-+++ shadow-4.8.1/man/useradd.8.xml	2020-03-17 15:34:48.751414997 +0100
-@@ -359,6 +359,11 @@
- 	    <option>CREATE_HOME</option> is not enabled, no home
- 	    directories are created.
- 	  </para>
-+	  <para>
-+	    The directory where the user's home directory is created must
-+	    exist and have proper SELinux context and permissions. Otherwise
-+	    the user's home directory cannot be created or accessed.
-+	  </para>
- 	</listitem>
-       </varlistentry>
-       <varlistentry>
-diff -up shadow-4.8.1/man/usermod.8.xml.manfix shadow-4.8.1/man/usermod.8.xml
---- shadow-4.8.1/man/usermod.8.xml.manfix	2019-12-20 06:58:23.000000000 +0100
-+++ shadow-4.8.1/man/usermod.8.xml	2020-03-17 15:34:48.751414997 +0100
-@@ -143,7 +143,8 @@
- 	    If the <option>-m</option>
- 	    option is given, the contents of the current home directory will
- 	    be moved to the new home directory, which is created if it does
--	    not already exist.
-+	    not already exist. If the current home directory does not exist
-+	    the new home directory will not be created.
- 	  </para>
- 	</listitem>
-       </varlistentry>
-@@ -205,6 +206,12 @@
- 	    The group ownership of files outside of the user's home directory
- 	    must be fixed manually.
- 	  </para>
-+	  <para>
-+	    The change of the group ownership of files inside of the user's
-+	    home directory is also not done if the home dir owner uid is
-+	    different from the current or new user id. This is safety measure
-+	    for special home directories such as <filename>/</filename>.
-+	  </para>
- 	</listitem>
-       </varlistentry>
-       <varlistentry>
-@@ -267,7 +274,8 @@
- 	<listitem>
- 	  <para>
- 	    Move the content of the user's home directory to the new
--	    location.
-+	    location. If the current home directory does not exist
-+	    the new home directory will not be created.
- 	  </para>
- 	  <para>
- 	    This option is only valid in combination with the
-@@ -381,6 +389,12 @@
- 	    must be fixed manually.
- 	  </para>
- 	  <para>
-+	    The change of the user ownership of files inside of the user's
-+	    home directory is also not done if the home dir owner uid is
-+	    different from the current or new user id. This is safety measure
-+	    for special home directories such as <filename>/</filename>.
-+	  </para>
-+	  <para>
- 	    No checks will be performed with regard to the
- 	    <option>UID_MIN</option>, <option>UID_MAX</option>,
- 	    <option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>

shadow-4.8.1-useradd-man-clarification.patch

@@ -1,35 +0,0 @@
-From 6543c600d841e4f7779269412d470e50eae25b13 Mon Sep 17 00:00:00 2001
-From: ikerexxe <ipedrosa@redhat.com>
-Date: Wed, 4 Mar 2020 14:50:04 +0100
-Subject: [PATCH] useradd: clarify the useradd -d parameter behavior in man
- page
-
-Explanation: clarify the useradd -d parameter as it does create directory HOME_DIR if it doesn't exit.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1677005
-
-Changelog: [serge] minor tweak to the text
----
- man/useradd.8.xml | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/man/useradd.8.xml b/man/useradd.8.xml
-index 03612ce8..023c0d69 100644
---- a/man/useradd.8.xml
-+++ b/man/useradd.8.xml
-@@ -181,8 +181,10 @@
- 	    login directory. The default is to append the
- 	    <replaceable>LOGIN</replaceable> name to
- 	    <replaceable>BASE_DIR</replaceable> and use that as the login
--	    directory name. The directory <replaceable>HOME_DIR</replaceable>
--	    does not have to exist but will not be created if it is missing.
-+	    directory name.  If the directory
-+	    <replaceable>HOME_DIR</replaceable> does not exist, then it
-+	    will be created unless the <option>-M</option> option is
-+	    specified.
- 	  </para>
- 	</listitem>
-       </varlistentry>
--- 
-2.25.1
-

shadow-4.9-default-range.patch

@@ -1,7 +1,6 @@
-Index: shadow-4.5/lib/semanage.c
+diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
-===================================================================
+--- shadow-4.9/lib/semanage.c.default-range	2021-07-22 23:55:35.000000000 +0200
---- shadow-4.5.orig/lib/semanage.c
++++ shadow-4.9/lib/semanage.c	2021-08-02 12:43:16.822817392 +0200
-+++ shadow-4.5/lib/semanage.c
 @@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
  		goto done;
  	}
@@ -9,7 +8,7 @@ Index: shadow-4.5/lib/semanage.c
 +#if 0
  	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
  	if (ret != 0) {
- 		fprintf (stderr,
+ 		fprintf (shadow_logfd,
 @@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
  		ret = 1;
  		goto done;
@@ -25,7 +24,7 @@ Index: shadow-4.5/lib/semanage.c
 +#if 0
  	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
  	if (ret != 0) {
- 		fprintf (stderr,
+ 		fprintf (shadow_logfd,
 @@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
  		ret = 1;
  		goto done;

shadow-4.9-manfix.patch

@@ -0,0 +1,180 @@
+diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml
+--- shadow-4.8.1/man/groupmems.8.xml.manfix	2020-03-17 15:34:48.750414984 +0100
++++ shadow-4.8.1/man/groupmems.8.xml	2020-03-17 15:41:13.383588722 +0100
+@@ -179,20 +179,10 @@
+   <refsect1 id='setup'>
+     <title>SETUP</title>
+     <para>
+-      The <command>groupmems</command> executable should be in mode
+-      <literal>2710</literal> as user <emphasis>root</emphasis> and in group
+-      <emphasis>groups</emphasis>. The system administrator can add users to
+-      group <emphasis>groups</emphasis> to allow or disallow them using the
+-      <command>groupmems</command> utility to manage their own group
+-      membership list.
++      In this operating system the <command>groupmems</command> executable
++      is not setuid and regular users cannot use it to manipulate
++      the membership of their own group.
+     </para>
+-
+-    <programlisting>
+-	$ groupadd -r groups
+-	$ chmod 2710 groupmems
+-	$ chown root.groups groupmems
+-	$ groupmems -g groups -a gk4
+-    </programlisting>
+   </refsect1>
+ 
+   <refsect1 id='configuration'>
+diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5
+--- shadow-4.8.1/man/ja/man5/login.defs.5.manfix	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8.1/man/ja/man5/login.defs.5	2020-03-17 15:34:48.750414984 +0100
+@@ -147,10 +147,6 @@ 以下の参照表は、
+ shadow パスワード機能のどのプログラムが
+ どのパラメータを使用するかを示したものである。
+ .na
+-.IP chfn 12
+-CHFN_AUTH CHFN_RESTRICT
+-.IP chsh 12
+-CHFN_AUTH
+ .IP groupadd 12
+ GID_MAX GID_MIN
+ .IP newusers 12
+diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml
+--- shadow-4.8.1/man/login.defs.5.xml.manfix	2020-01-17 16:47:56.000000000 +0100
++++ shadow-4.8.1/man/login.defs.5.xml	2020-03-17 15:34:48.750414984 +0100
+@@ -164,6 +164,17 @@
+       long numeric parameters is machine-dependent.
+     </para>
+ 
++    <para>
++      Please note that the parameters in this configuration file control the
++      behavior of the tools from the shadow-utils component. None of these
++      tools uses the PAM mechanism, and the utilities that use PAM (such as the
++      passwd command) should be configured elsewhere. The only values that
++      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
++      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
++      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
++      pam(8) for more information.
++    </para>
++
+     <para>The following configuration items are provided:</para>
+ 
+     <variablelist remap='IP'>
+@@ -256,16 +267,6 @@
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+-	<term>chfn</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CHFN_AUTH</phrase>
+-	    CHFN_RESTRICT
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+ 	<term>chgpasswd</term>
+ 	<listitem>
+ 	  <para>
+@@ -286,14 +287,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry condition="no_pam">
+-	<term>chsh</term>
+-	<listitem>
+-	  <para>
+-	    CHSH_AUTH LOGIN_STRING
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
+       <!-- faillog: no variables -->
+       <varlistentry>
+@@ -359,34 +352,6 @@
+ 	  <para>LASTLOG_UID_MAX</para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>login</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
+-	    ENV_TZ ENVIRON_FILE</phrase>
+-	    ERASECHAR FAIL_DELAY
+-	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
+-	    FAKE_SHELL
+-	    <phrase condition="no_pam">FTMP_FILE</phrase>
+-	    HUSHLOGIN_FILE
+-	    <phrase condition="no_pam">ISSUE_FILE</phrase>
+-	    KILLCHAR
+-	    <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
+-	    LOGIN_RETRIES
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
+-	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
+-	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
+-	    QUOTAS_ENAB</phrase>
+-	    TTYGROUP TTYPERM TTYTYPE_FILE
+-	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
+-	    USERGROUPS_ENAB
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- logoutd: no variables -->
+       <varlistentry>
+ 	<term>newgrp / sg</term>
+@@ -415,17 +380,6 @@
+ 	</listitem>
+       </varlistentry>
+       <!-- nologin: no variables -->
+-      <varlistentry condition="no_pam">
+-	<term>passwd</term>
+-	<listitem>
+-	  <para>
+-	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
+-	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
+-	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+-	    SHA_CRYPT_MIN_ROUNDS</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>pwck</term>
+ 	<listitem>
+@@ -452,32 +406,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>su</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
+-	    ENV_PATH ENV_SUPATH
+-	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
+-	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
+-	    SULOG_FILE SU_NAME
+-	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
+-	    SYSLOG_SU_ENAB
+-	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+-	<term>sulogin</term>
+-	<listitem>
+-	  <para>
+-	    ENV_HZ
+-	    <phrase condition="no_pam">ENV_TZ</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>useradd</term>
+ 	<listitem>

shadow-4.9-nss-get-shadow-logfd-with-log-get-logfd.patch

@@ -0,0 +1,48 @@
+From e101219ad71de11da3fdd1b3ec2620fd1a97b92c Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 10 Jan 2022 15:30:28 +0100
+Subject: [PATCH] nss: get shadow_logfd with log_get_logfd()
+
+If /etc/nsswitch.conf doesn't exist podman crashes because shadow_logfd
+is NULL. In order to avoid that load the log file descriptor with the
+log_get_logfd() helper function.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2038811
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ lib/nss.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 02742902..06fa48e5 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -9,6 +9,7 @@
+ #include "prototypes.h"
+ #include "../libsubid/subid.h"
+ #include "shadowlog_internal.h"
++#include "shadowlog.h"
+ 
+ #define NSSWITCH "/etc/nsswitch.conf"
+ 
+@@ -42,6 +43,7 @@ void nss_init(const char *nsswitch_path) {
+ 	FILE *nssfp = NULL;
+ 	char *line = NULL, *p, *token, *saveptr;
+ 	size_t len = 0;
++	FILE *shadow_logfd = log_get_logfd();
+ 
+ 	if (atomic_flag_test_and_set(&nss_init_started)) {
+ 		// Another thread has started nss_init, wait for it to complete
+@@ -57,7 +59,7 @@ void nss_init(const char *nsswitch_path) {
+ 	//   subid:	files
+ 	nssfp = fopen(nsswitch_path, "r");
+ 	if (!nssfp) {
+-		fprintf(shadow_logfd, "Failed opening %s: %m", nsswitch_path);
++		fprintf(shadow_logfd, "Failed opening %s: %m\n", nsswitch_path);
+ 		atomic_store(&nss_init_completed, true);
+ 		return;
+ 	}
+-- 
+2.34.1
+

shadow-utils.login.defs

@@ -198,10 +198,11 @@ SUB_GID_COUNT		    65536
 # If set to MD5, MD5-based algorithm will be used for encrypting password
 # If set to SHA256, SHA256-based algorithm will be used for encrypting password
 # If set to SHA512, SHA512-based algorithm will be used for encrypting password
-# If set to BLOWFISH, BLOWFISH-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
 # If set to DES, DES-based algorithm will be used for encrypting password (default)
 #
-ENCRYPT_METHOD SHA512
+ENCRYPT_METHOD YESCRYPT
 
 #
 # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
@@ -218,7 +219,33 @@ ENCRYPT_METHOD SHA512
 
 # Currently SHA_CRYPT_MIN_ROUNDS is not supported
 
-# Currently BCRYPT_MIN_ROUNDS and BCRYPT_MAX_ROUNDS are not supported
+#
+# Only works if ENCRYPT_METHOD is set to BCRYPT.
+#
+# Define the number of BCRYPT rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, 13 rounds will be attempted.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#BCRYPT_MIN_ROUNDS 13
+#BCRYPT_MAX_ROUNDS 31
+
+#
+# Only works if ENCRYPT_METHOD is set to YESCRYPT.
+#
+# Define the YESCRYPT cost factor.
+# With a higher cost factor, it is more difficult to brute-force the password.
+# However, more CPU time and more memory will be needed to authenticate users
+# if this value is increased.
+#
+# If not specified, a cost factor of 5 will be used.
+# The value must be within the 1-11 range.
+#
+#YESCRYPT_COST_FACTOR 5
 
 # Currently CONSOLE_GROUPS is not supported
 
@@ -266,3 +293,13 @@ CREATE_HOME	yes
 # missing.
 #
 #FORCE_SHADOW    yes
+
+#
+# Select the HMAC cryptography algorithm.
+# Used in pam_timestamp module to calculate the keyed-hash message
+# authentication code.
+#
+# Note: It is recommended to check hmac(3) to see the possible algorithms
+# that are available in your system.
+#
+HMAC_CRYPTO_ALGO SHA512

shadow-utils.spec

@@ -1,73 +1,78 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
-Version: 4.8.1
+Version: 4.11.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
-URL: http://pkg-shadow.alioth.debian.org/
+License: BSD and GPLv2+
-Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
+URL: https://github.com/shadow-maint/shadow
-Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
+Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
+Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
 Source2: shadow-utils.useradd
 Source3: shadow-utils.login.defs
 Source4: shadow-bsd.txt
 Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
 Source6: shadow-utils.HOME_MODE.xml
+
+### Globals ###
+%global includesubiddir %{_includedir}/shadow
+
+### Patches ###
 # Misc small changes - most probably non-upstreamable
-Patch0: shadow-4.6-redhat.patch
+Patch0: shadow-4.11.1-redhat.patch
 # Be more lenient with acceptable user/group names - non upstreamable
 Patch1: shadow-4.8-goodname.patch
-# Docfix for newusers - could be upstreamed
-Patch2: shadow-4.1.5.1-info-parent-dir.patch
-# Misc SElinux related changes - upstreamability unknown
-Patch6: shadow-4.8-selinux.patch
-# Syslog message change - could be upstreamed
-Patch11: shadow-4.1.5.1-logmsg.patch
 # SElinux related - upstreamability unknown
-Patch14: shadow-4.1.5.1-default-range.patch
+Patch3: shadow-4.9-default-range.patch
-# Misc manual page changes - only some of them could be upstreamed
+# Misc manual page changes - non-upstreamable
-Patch15: shadow-4.8.1-manfix.patch
+Patch4: shadow-4.9-manfix.patch
-# Userdel usage message change - could be upstreamed
-Patch17: shadow-4.1.5.1-userdel-helpfix.patch
 # Date parsing improvement - could be upstreamed
-Patch19: shadow-4.2.1-date-parsing.patch
+Patch5: shadow-4.2.1-date-parsing.patch
 # Additional error message - could be upstreamed
-Patch21: shadow-4.6-move-home.patch
+Patch6: shadow-4.6-move-home.patch
 # Audit message changes - upstreamability unknown
-Patch22: shadow-4.8.1-audit-update.patch
+Patch7: shadow-4.11.1-audit-update.patch
 # Changes related to password unlocking - could be upstreamed
-Patch23: shadow-4.5-usermod-unlock.patch
+Patch8: shadow-4.5-usermod-unlock.patch
 # Additional SElinux related changes - upstreamability unknown
-Patch28: shadow-4.8-selinux-perms.patch
+Patch9: shadow-4.8-selinux-perms.patch
-# Handle NULL return from *time funcs - could be upstreamed
+# Handle NULL return from *time funcs - upstreamable
-Patch29: shadow-4.2.1-null-tm.patch
+Patch10: shadow-4.11.1-null-tm.patch
-# SElinux related - upstreamability unknown
-Patch31: shadow-4.6-getenforce.patch
-# Handle include of crypt.h - could be upstreamed
-Patch32: shadow-4.8-crypt_h.patch
 # Handle /etc/passwd corruption - could be upstreamed
-Patch33: shadow-4.8-long-entry.patch
+Patch11: shadow-4.8-long-entry.patch
 # Limit uid/gid allocation to non-zero - could be upstreamed
-Patch38: shadow-4.6-sysugid-min-limit.patch
+Patch12: shadow-4.6-sysugid-min-limit.patch
 # Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
-Patch40: shadow-4.8-ignore-login-prompt.patch
+Patch13: shadow-4.8-ignore-login-prompt.patch
-# Generate /var/spool/mail/$USER with the proper SELinux user identity - already upstreamed
+# https://github.com/shadow-maint/shadow/commit/e101219ad71de11da3fdd1b3ec2620fd1a97b92c
-Patch42: shadow-4.8-useradd-selinux-mail.patch
+Patch14: shadow-4.9-nss-get-shadow-logfd-with-log-get-logfd.patch
-# Clarify useradd man regarding "-d" parameter - already upstreamed
+# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
-Patch43: shadow-4.8.1-useradd-man-clarification.patch
+Patch15: shadow-4.11.1-useradd-modify-check-ID-range-for-system-users.patch
-# https://github.com/shadow-maint/shadow/commit/599cc003daf833bffdc9cbe0d33dc8b3e7ec74c8
-Patch44: shadow-4.8.1-commonio-force-lock-file-sync.patch
 
-License: BSD and GPLv2+
+### Dependencies ###
-BuildRequires: gcc
-BuildRequires: libselinux-devel >= 1.25.2-1
-BuildRequires: audit-libs-devel >= 1.6.5
-BuildRequires: libsemanage-devel
-BuildRequires: libacl-devel, libattr-devel
-BuildRequires: bison, flex, docbook-style-xsl, docbook-dtds
-BuildRequires: autoconf, automake, libtool, gettext-devel
-BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool
-Requires: libselinux >= 1.25.2-1
 Requires: audit-libs >= 1.6.5
+Requires: libselinux >= 1.25.2-1
 Requires: setup
+
+### Build Dependencies ###
+BuildRequires: audit-libs-devel >= 1.6.5
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: bison
+BuildRequires: docbook-dtds
+BuildRequires: docbook-style-xsl
+BuildRequires: flex
+BuildRequires: gcc
+BuildRequires: gettext-devel
+BuildRequires: itstool
+BuildRequires: libacl-devel
+BuildRequires: libattr-devel
+BuildRequires: libselinux-devel >= 1.25.2-1
+BuildRequires: libsemanage-devel
+BuildRequires: libtool
+BuildRequires: libxslt
+BuildRequires: make
+
+### Provides ###
 Provides: shadow = %{epoch}:%{version}-%{release}
 
 %description
@@ -82,30 +87,41 @@ for all users. The useradd, userdel, and usermod commands are used for
 managing user accounts. The groupadd, groupdel, and groupmod commands
 are used for managing group accounts.
 
+
+### Subpackages ###
+%package subid
+Summary: A library to manage subordinate uid and gid ranges
+License: BSD and GPLv2+
+
+%description subid
+Utility library that provides a way to manage subid ranges.
+
+
+%package subid-devel
+Summary: Development package for shadow-utils-subid
+License: BSD and GPLv2+
+Requires: shadow-utils-subid = %{epoch}:%{version}-%{release}
+
+%description subid-devel
+Development files for shadow-utils-subid.
+
 %prep
 %setup -q -n shadow-%{version}
 %patch0 -p1 -b .redhat
 %patch1 -p1 -b .goodname
-%patch2 -p1 -b .info-parent-dir
+%patch3 -p1 -b .default-range
-%patch6 -p1 -b .selinux
+%patch4 -p1 -b .manfix
-%patch11 -p1 -b .logmsg
+%patch5 -p1 -b .date-parsing
-%patch14 -p1 -b .default-range
+%patch6 -p1 -b .move-home
-%patch15 -p1 -b .manfix
+%patch7 -p1 -b .audit-update
-%patch17 -p1 -b .userdel
+%patch8 -p1 -b .unlock
-%patch19 -p1 -b .date-parsing
+%patch9 -p1 -b .selinux-perms
-%patch21 -p1 -b .move-home
+%patch10 -p1 -b .null-tm
-%patch22 -p1 -b .audit-update
+%patch11 -p1 -b .long-entry
-%patch23 -p1 -b .unlock
+%patch12 -p1 -b .sysugid-min-limit
-%patch28 -p1 -b .selinux-perms
+%patch13 -p1 -b .login-prompt
-%patch29 -p1 -b .null-tm
+%patch14 -p1 -b .nss-get-shadow-logfd-with-log-get-logfd
-%patch31 -p1 -b .getenforce
+%patch15 -p1 -b .useradd-modify-check-ID-range-for-system-users
-%patch32 -p1 -b .crypt_h
-%patch33 -p1 -b .long-entry
-%patch38 -p1 -b .sysugid-min-limit
-%patch40 -p1 -b .login-prompt
-%patch42 -p1 -b .useradd-selinux-mail
-%patch43 -p1 -b .useradd-man-clarification
-%patch44 -p1 -b .commonio-force-lock-file-sync
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -132,74 +148,75 @@ autoreconf
         --enable-man \
         --with-audit \
         --with-sha-crypt \
+        --with-bcrypt \
+        --with-yescrypt \
         --with-selinux \
         --without-libcrack \
         --without-libpam \
-        --disable-shared \
+        --enable-shared \
         --with-group-name-max-length=32
 %make_build
 
 %install
-rm -rf $RPM_BUILD_ROOT
+%make_install gnulocaledir=$RPM_BUILD_ROOT%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
-%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
+install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/default
-install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default
+install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs
-install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs
+install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd
-install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd
 
 
 ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
-ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
+ln -s useradd.8 $RPM_BUILD_ROOT%{_mandir}/man8/adduser.8
-for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do
+for subdir in $RPM_BUILD_ROOT%{_mandir}/{??,??_??,??_??.*}/man* ; do
         test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
 done
 
 # Remove binaries we don't use.
-rm $RPM_BUILD_ROOT/%{_bindir}/chfn
+rm $RPM_BUILD_ROOT%{_bindir}/chfn
-rm $RPM_BUILD_ROOT/%{_bindir}/chsh
+rm $RPM_BUILD_ROOT%{_bindir}/chsh
-rm $RPM_BUILD_ROOT/%{_bindir}/expiry
+rm $RPM_BUILD_ROOT%{_bindir}/expiry
-rm $RPM_BUILD_ROOT/%{_bindir}/groups
+rm $RPM_BUILD_ROOT%{_bindir}/groups
-rm $RPM_BUILD_ROOT/%{_bindir}/login
+rm $RPM_BUILD_ROOT%{_bindir}/login
-rm $RPM_BUILD_ROOT/%{_bindir}/passwd
+rm $RPM_BUILD_ROOT%{_bindir}/passwd
-rm $RPM_BUILD_ROOT/%{_bindir}/su
+rm $RPM_BUILD_ROOT%{_bindir}/su
-rm $RPM_BUILD_ROOT/%{_bindir}/faillog
+rm $RPM_BUILD_ROOT%{_bindir}/faillog
-rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access
+rm $RPM_BUILD_ROOT%{_sysconfdir}/login.access
-rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits
+rm $RPM_BUILD_ROOT%{_sysconfdir}/limits
-rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd
+rm $RPM_BUILD_ROOT%{_sbindir}/logoutd
-rm $RPM_BUILD_ROOT/%{_sbindir}/nologin
+rm $RPM_BUILD_ROOT%{_sbindir}/nologin
-rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.*
+rm $RPM_BUILD_ROOT%{_mandir}/man1/chfn.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chfn.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.*
+rm $RPM_BUILD_ROOT%{_mandir}/man1/chsh.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chsh.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chsh.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man1/expiry.*
+rm $RPM_BUILD_ROOT%{_mandir}/man1/expiry.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/expiry.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man1/expiry.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man1/groups.*
+rm $RPM_BUILD_ROOT%{_mandir}/man1/groups.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/groups.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man1/groups.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man1/login.*
+rm $RPM_BUILD_ROOT%{_mandir}/man1/login.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/login.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man1/login.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man1/passwd.*
+rm $RPM_BUILD_ROOT%{_mandir}/man1/passwd.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/passwd.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man1/passwd.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man1/su.*
+rm $RPM_BUILD_ROOT%{_mandir}/man1/su.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/su.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man1/su.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man5/limits.*
+rm $RPM_BUILD_ROOT%{_mandir}/man5/limits.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/limits.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man5/limits.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man5/login.access.*
+rm $RPM_BUILD_ROOT%{_mandir}/man5/login.access.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/login.access.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man5/login.access.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man5/passwd.*
+rm $RPM_BUILD_ROOT%{_mandir}/man5/passwd.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/passwd.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man5/passwd.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man5/porttime.*
+rm $RPM_BUILD_ROOT%{_mandir}/man5/porttime.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/porttime.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man5/porttime.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.*
+rm $RPM_BUILD_ROOT%{_mandir}/man5/suauth.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man5/suauth.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.*
+rm $RPM_BUILD_ROOT%{_mandir}/man8/logoutd.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man8/logoutd.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.*
+rm $RPM_BUILD_ROOT%{_mandir}/man8/nologin.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man8/nologin.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.*
+rm $RPM_BUILD_ROOT%{_mandir}/man3/getspnam.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man3/getspnam.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.*
+rm $RPM_BUILD_ROOT%{_mandir}/man5/faillog.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man5/faillog.*
-rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.*
+rm $RPM_BUILD_ROOT%{_mandir}/man8/faillog.*
-rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.*
+rm $RPM_BUILD_ROOT%{_mandir}/*/man8/faillog.*
 
 find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete
 %find_lang shadow
@@ -211,9 +228,17 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
     echo "%%lang($lang) $dir/man*/*" >> shadow.lang
 done
 
+# Move header files to its own folder
+echo $(ls)
+mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
+install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
+
+# Remove .la and .a files created by libsubid
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
+
 %files -f shadow.lang
 %doc NEWS doc/HOWTO README
-%{!?_licensedir:%global license %%doc}
 %license gpl-2.0.txt shadow-bsd.txt
 %attr(0644,root,root)   %config(noreplace) %{_sysconfdir}/login.defs
 %attr(0644,root,root)   %config(noreplace) %{_sysconfdir}/default/useradd
@@ -260,10 +285,141 @@ done
 %{_mandir}/man8/vipw.8*
 %{_mandir}/man8/vigr.8*
 
+%files subid
+%{_libdir}/libsubid.so.*
+%{_bindir}/getsubids
+%{_mandir}/man1/getsubids.1*
+
+%files subid-devel
+%{includesubiddir}/subid.h
+%{_libdir}/libsubid.so
+
 %changelog
-* Mon Nov 23 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-3
+* Mon Aug  1 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-4
+- useradd: modify check ID range for system users. Resolves: #2093692
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.11.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Feb 10 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-2
+- Fix explicit subid requirement for subid-devel
+
+* Tue Jan 25 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-1
+- Rebase to version 4.11.1 (#2034038)
+- Fix release sources
+- Add explicit subid requirement for subid-devel
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.9-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Mon Jan 17 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-9
+- nss: get shadow_logfd with log_get_logfd() (#2038811)
+- lib: make shadow_logfd and Prog not extern
+- lib: rename Prog to shadow_progname
+- lib: provide default values for shadow_progname
+- libsubid: use log_set_progname in subid_init
+
+* Fri Nov 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8
+- getsubids: provide system binary and man page (#1980780)
+- pwck: fix segfault when calling fprintf() (#2021339)
+- newgrp: fix segmentation fault (#2019553)
+- groupdel: fix SIGSEGV when passwd does not exist (#1986111)
+
+* Fri Nov 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7
+- useradd: change SELinux labels for home files (#2022658)
+
+* Thu Nov  4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6
+- useradd: revert fix memleak of grp (#2018697)
+
+* Wed Oct 27 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
+- useradd: generate home and mail directories with selinux user attribute
+
+* Thu Sep 23 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
+- login.defs: include HMAC_CRYPTO_ALGO key
+- Clean spec file: organize dependencies and move License location
+
+* Tue Aug 17 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
+- libmisc: fix default value in SHA_get_salt_rounds()
+
+* Mon Aug  9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-2
+- useradd: avoid generating an empty subid range (#1990653)
+
+* Wed Aug  4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-1
+- Rebase to version 4.9
+- usermod: allow all group types with -G option (#1975327)
+- Clean spec file
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-20
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Jul 14 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-19
+- Add patch to fix 'fread returns element count, not element size'
+
+* Wed Jul 14 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-18
+- Fix regression issues detected in rhbz#667593 and rhbz#672510
+
+* Mon Jul 12 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-17
+- Enable bcrypt support, as libxcrypt supports it well
+
+* Sun Jul 04 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-16
+- Add a patch to obtain random bytes using getentropy()
+- Update shadow-4.8-crypt_h.patch with the upstreamed version
+- Add a patch to make use of crypt_gensalt() from libxcrypt
+
+* Tue Jun 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-15
+- useradd: free correct pointer (#1976809)
+
+* Mon Jun 28 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-14
+- Add a patch to fix the used prefix for the bcrypt hash method
+- Add a patch to cleanup the code in libmisc/salt.c
+- Add a patch adding some clarifying comments in libmisc/salt.c
+- Add a patch to obtain random bytes from /dev/urandom
+
+* Mon Jun 28 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-13
+- Covscan fixes
+
+* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-12
+- Backport support for yescrypt hash method
+- Add a patch to fix the parameter type of YESCRYPT_salt_cost()
+
+* Mon Jun 21 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-11
+- libsubid: don't print error messages on stderr by default
+- libsubid: libsubid_init return false if out of memory
+- useradd: fix SUB_UID_COUNT=0
+- libsubid: don't return owner in list_owner_ranges API call
+- libsubid: libsubid_init don't print messages on error
+- libsubid: fix newusers when nss provides subids
+- man: clarify subid delegation
+- libsubid: make shadow_logfd not extern
+
+* Thu May  6 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-10
+- man: mention NSS in new[ug]idmap manpages
+- libsubid: move development header to shadow folder
+
+* Fri Apr 16 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-9
+- libsubid: creation and nsswitch support
+- Creation of subid and subid-devel subpackages
+
+* Mon Mar 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-8
+- man: include lastlog file caveat (#951564)
+- Upstream links to several patches
+- Spec file cleanup by Robert Scheck
+- Add BuildRequires: make by Tom Stellard
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Nov  9 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-6
 - commonio: force lock file sync (#1862056)
-- spec: add Provides keyword
+
+* Tue Nov  3 2020 Petr Lautrbach <plautrba@redhat.com> - 2:4.8.1-5
+- Rebuild with libsemanage.so.2
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu May 14 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-3
+- check only local groups when adding new supplementary groups to a user (#1727236)
 
 * Tue Mar 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-2
 - useradd: clarify the useradd -d parameter behavior in man page

sources

@@ -1,2 +1,2 @@
-SHA512 (shadow-4.8.1.tar.xz) = 780a983483d847ed3c91c82064a0fa902b6f4185225978241bc3bc03fcc3aa143975b46aee43151c6ba43efcfdb1819516b76ba7ad3d1d3c34fcc38ea42e917b
+SHA512 (shadow-4.11.1.tar.xz) = 12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f
-SHA512 (shadow-4.8.1.tar.xz.asc) = ec7686263c81d3feb8ee4314c3323a9a3ada74aafaaf99f4f0d9af9b1341f8c5ff5477ecf98dd94dbb7d921f532d655b0b6a87d94c71893f35dc9bc54c84dd42
+SHA512 (shadow-4.11.1.tar.xz.asc) = 4594189678cc9bcc8831f62a5d42c605b085be4a3b540429d7c800f4304e2e8fe04358547917eb90c1513646fade7c714611bfdc98af7dec5321a3dc3e65c4fd