useradd: modify check ID range for system users

Resolves: #2093692

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

.gitignore

@@ -16,3 +16,5 @@ shadow-4.1.4.2.tar.bz2
 /shadow-4.8.1.tar.xz.asc
 /shadow-4.9.tar.xz
 /shadow-4.9.tar.xz.asc
+/shadow-4.11.1.tar.xz
+/shadow-4.11.1.tar.xz.asc

shadow-4.11.1-null-tm.patch

@@ -0,0 +1,22 @@
+diff -up shadow-4.11.1/src/chage.c.null-tm shadow-4.11.1/src/chage.c
+diff -up shadow-4.11.1/src/lastlog.c.null-tm shadow-4.11.1/src/lastlog.c
+--- shadow-4.11.1/src/lastlog.c.null-tm	2022-01-03 15:31:56.348555620 +0100
++++ shadow-4.11.1/src/lastlog.c	2022-01-03 15:38:41.262229024 +0100
+@@ -151,9 +151,12 @@ static void print_one (/*@null@*/const s
+ 
+ 	ll_time = ll.ll_time;
+ 	tm = localtime (&ll_time);
+-	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+-	cp = ptime;
+-
++	if (tm == NULL) {
++		cp = "(unknown)";
++	} else {
++		strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
++		cp = ptime;
++	}
+ 	if (ll.ll_time == (time_t) 0) {
+ 		cp = _("**Never logged in**\0");
+ 	}
+diff -up shadow-4.11.1/src/passwd.c.null-tm shadow-4.11.1/src/passwd.c
+diff -up shadow-4.11.1/src/usermod.c.null-tm shadow-4.11.1/src/usermod.c

shadow-4.11.1-redhat.patch

@@ -1,7 +1,7 @@
-diff -up shadow-4.9/src/useradd.c.redhat shadow-4.9/src/useradd.c
---- shadow-4.9/src/useradd.c.redhat	2021-07-22 23:55:35.000000000 +0200
-+++ shadow-4.9/src/useradd.c	2021-08-02 11:45:11.942867250 +0200
-@@ -104,7 +104,7 @@ FILE *shadow_logfd = NULL;
+diff -up shadow-4.11.1/src/useradd.c.redhat shadow-4.11.1/src/useradd.c
+--- shadow-4.11.1/src/useradd.c.redhat	2022-01-03 01:46:53.000000000 +0100
++++ shadow-4.11.1/src/useradd.c	2022-01-03 14:53:12.988484829 +0100
+@@ -82,7 +82,7 @@ const char *Prog;
  static gid_t def_group = 1000;
  static const char *def_gname = "other";
  static const char *def_home = "/home";
@@ -9,8 +9,8 @@ diff -up shadow-4.9/src/useradd.c.redhat shadow-4.9/src/useradd.c
 +static const char *def_shell = "/sbin/nologin";
  static const char *def_template = SKEL_DIR;
  static const char *def_create_mail_spool = "yes";
- 
-@@ -114,7 +114,7 @@ static const char *def_expire = "";
+ static const char *def_log_init = "yes";
+@@ -93,7 +93,7 @@ static const char *def_expire = "";
  #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
  
  static const char *user_name = "";
@@ -19,7 +19,7 @@ diff -up shadow-4.9/src/useradd.c.redhat shadow-4.9/src/useradd.c
  static uid_t user_id;
  static gid_t user_gid;
  static const char *user_comment = "";
-@@ -1204,9 +1204,9 @@ static void process_flags (int argc, cha
+@@ -1219,9 +1219,9 @@ static void process_flags (int argc, cha
  		};
  		while ((c = getopt_long (argc, argv,
  #ifdef WITH_SELINUX
@@ -31,7 +31,7 @@ diff -up shadow-4.9/src/useradd.c.redhat shadow-4.9/src/useradd.c
  #endif				/* !WITH_SELINUX */
  		                         long_options, NULL)) != -1) {
  			switch (c) {
-@@ -1363,6 +1363,7 @@ static void process_flags (int argc, cha
+@@ -1378,6 +1378,7 @@ static void process_flags (int argc, cha
  			case 'M':
  				Mflg = true;
  				break;

shadow-4.11.1-useradd-modify-check-ID-range-for-system-users.patch

@@ -0,0 +1,40 @@
+From f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Tue, 4 Jan 2022 13:06:00 +0100
+Subject: [PATCH] useradd: modify check ID range for system users
+
+useradd warns that a system user ID less than SYS_UID_MIN is outside the
+expected range, even though that ID has been specifically selected with
+the "-u" option.
+
+In my opinion all the user ID's below SYS_UID_MAX are for the system,
+thus I change the condition to take that into account.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004911
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ src/useradd.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 34376fa5..4c71c38a 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2409,11 +2409,9 @@ static void check_uid_range(int rflg, uid_t user_id)
+ 	uid_t uid_min ;
+ 	uid_t uid_max ;
+ 	if (rflg) {
+-		uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
+ 		uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
+-		if (uid_min <= uid_max) {
+-			if (user_id < uid_min || user_id >uid_max)
+-				fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
++		if (user_id > uid_max) {
++			fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
+ 		}
+ 	}else{
+ 		uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
+-- 
+2.37.1
+

shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch

@@ -1,60 +0,0 @@
-From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001
-From: Mike Gilbert <floppym@gentoo.org>
-Date: Sat, 14 Aug 2021 13:24:34 -0400
-Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds()
-
-If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified,
-use SHA_ROUNDS_DEFAULT.
-
-Previously, the code fell through, calling shadow_random(-1, -1). This
-ultimately set rounds = (unsigned long) -1, which ends up being a very
-large number! This then got capped to SHA_ROUNDS_MAX later in the
-function.
-
-The new behavior matches BCRYPT_get_salt_rounds().
-
-Bug: https://bugs.gentoo.org/808195
-Fixes: https://github.com/shadow-maint/shadow/issues/393
----
- libmisc/salt.c | 21 +++++++++++----------
- 1 file changed, 11 insertions(+), 10 deletions(-)
-
-diff --git a/libmisc/salt.c b/libmisc/salt.c
-index 91d528fd..30eefb9c 100644
---- a/libmisc/salt.c
-+++ b/libmisc/salt.c
-@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre
- 		if ((-1 == min_rounds) && (-1 == max_rounds)) {
- 			rounds = SHA_ROUNDS_DEFAULT;
- 		}
-+		else {
-+			if (-1 == min_rounds) {
-+				min_rounds = max_rounds;
-+			}
- 
--		if (-1 == min_rounds) {
--			min_rounds = max_rounds;
--		}
-+			if (-1 == max_rounds) {
-+				max_rounds = min_rounds;
-+			}
- 
--		if (-1 == max_rounds) {
--			max_rounds = min_rounds;
--		}
-+			if (min_rounds > max_rounds) {
-+				max_rounds = min_rounds;
-+			}
- 
--		if (min_rounds > max_rounds) {
--			max_rounds = min_rounds;
-+			rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
- 		}
--
--		rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
- 	} else if (0 == *prefered_rounds) {
- 		rounds = SHA_ROUNDS_DEFAULT;
- 	} else {
--- 
-2.31.1
-

shadow-4.9-move-create-home.patch

@@ -1,64 +0,0 @@
-diff --git a/src/useradd.c b/src/useradd.c
-index baeffb35..02e1402c 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -2644,27 +2644,12 @@ int main (int argc, char **argv)
- 
- 	usr_update ();
- 
--	if (mflg) {
--		create_home ();
--		if (home_added) {
--			copy_tree (def_template, prefix_user_home, false, false,
--			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
--		} else {
--			fprintf (stderr,
--			         _("%s: warning: the home directory %s already exists.\n"
--			           "%s: Not copying any file from skel directory into it.\n"),
--			         Prog, user_home, Prog);
--		}
--
--	}
--
--	/* Do not create mail directory for system accounts */
--	if (!rflg) {
--		create_mail ();
--	}
--
- 	close_files ();
- 
-+	nscd_flush_cache ("passwd");
-+	nscd_flush_cache ("group");
-+	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
-+
- 	/*
- 	 * tallylog_reset needs to be able to lookup
- 	 * a valid existing user name,
-@@ -2695,9 +2680,24 @@ int main (int argc, char **argv)
- 		exit(1);
- 	}
- 
--	nscd_flush_cache ("passwd");
--	nscd_flush_cache ("group");
--	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
-+	if (mflg) {
-+		create_home ();
-+		if (home_added) {
-+			copy_tree (def_template, prefix_user_home, false, true,
-+			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
-+		} else {
-+			fprintf (stderr,
-+			         _("%s: warning: the home directory %s already exists.\n"
-+			           "%s: Not copying any file from skel directory into it.\n"),
-+			         Prog, user_home, Prog);
-+		}
-+
-+	}
-+
-+	/* Do not create mail directory for system accounts */
-+	if (!rflg) {
-+		create_mail ();
-+	}
- 
- 	return E_SUCCESS;
- }

shadow-4.9-newuidmap-libeconf-dependency.patch

@@ -1,15 +0,0 @@
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 7c1a3491..6cc873be 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -96,8 +96,8 @@ LIBCRYPT_NOPAM = $(LIBCRYPT)
- endif
- 
- chage_LDADD    = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
--newuidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
--newgidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
-+newuidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
-+newgidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
- chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
- chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
- chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)

shadow-4.9-nss-get-shadow-logfd-with-log-get-logfd.patch

@@ -0,0 +1,48 @@
+From e101219ad71de11da3fdd1b3ec2620fd1a97b92c Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 10 Jan 2022 15:30:28 +0100
+Subject: [PATCH] nss: get shadow_logfd with log_get_logfd()
+
+If /etc/nsswitch.conf doesn't exist podman crashes because shadow_logfd
+is NULL. In order to avoid that load the log file descriptor with the
+log_get_logfd() helper function.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2038811
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ lib/nss.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 02742902..06fa48e5 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -9,6 +9,7 @@
+ #include "prototypes.h"
+ #include "../libsubid/subid.h"
+ #include "shadowlog_internal.h"
++#include "shadowlog.h"
+ 
+ #define NSSWITCH "/etc/nsswitch.conf"
+ 
+@@ -42,6 +43,7 @@ void nss_init(const char *nsswitch_path) {
+ 	FILE *nssfp = NULL;
+ 	char *line = NULL, *p, *token, *saveptr;
+ 	size_t len = 0;
++	FILE *shadow_logfd = log_get_logfd();
+ 
+ 	if (atomic_flag_test_and_set(&nss_init_started)) {
+ 		// Another thread has started nss_init, wait for it to complete
+@@ -57,7 +59,7 @@ void nss_init(const char *nsswitch_path) {
+ 	//   subid:	files
+ 	nssfp = fopen(nsswitch_path, "r");
+ 	if (!nssfp) {
+-		fprintf(shadow_logfd, "Failed opening %s: %m", nsswitch_path);
++		fprintf(shadow_logfd, "Failed opening %s: %m\n", nsswitch_path);
+ 		atomic_store(&nss_init_completed, true);
+ 		return;
+ 	}
+-- 
+2.34.1
+

shadow-4.9-null-tm.patch

@@ -1,70 +0,0 @@
-Index: shadow-4.5/src/chage.c
-===================================================================
---- shadow-4.5.orig/src/chage.c
-+++ shadow-4.5/src/chage.c
-@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
- 	struct tm *tp;
- 
- 	tp = gmtime (&date);
-+	if (tp == NULL) {
-+		(void) snprintf (buf, maxsize, "(unknown)");
-+		return;
-+	}
- #ifdef HAVE_STRFTIME
- 	(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
- #else
-Index: shadow-4.5/src/lastlog.c
-===================================================================
---- shadow-4.5.orig/src/lastlog.c
-+++ shadow-4.5/src/lastlog.c
-@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
- 
- 	ll_time = ll.ll_time;
- 	tm = localtime (&ll_time);
-+	if (tm == NULL) {
-+		cp = "(unknown)";
-+	} else {
- #ifdef HAVE_STRFTIME
--	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
--	cp = ptime;
-+		strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
-+		cp = ptime;
- #else
--	cp = asctime (tm);
--	cp[24] = '\0';
-+		cp = asctime (tm);
-+		cp[24] = '\0';
- #endif
-+	}
- 
- 	if (ll.ll_time == (time_t) 0) {
- 		cp = _("**Never logged in**\0");
-Index: shadow-4.5/src/passwd.c
-===================================================================
---- shadow-4.5.orig/src/passwd.c
-+++ shadow-4.5/src/passwd.c
-@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
- 	struct tm *tm;
- 
- 	tm = gmtime (&t);
-+	if (tm == NULL) {
-+		return "(unknown)";
-+	}
- #ifdef HAVE_STRFTIME
- 	(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
- #else				/* !HAVE_STRFTIME */
-Index: shadow-4.5/src/usermod.c
-===================================================================
---- shadow-4.5.orig/src/usermod.c
-+++ shadow-4.5/src/usermod.c
-@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
- 	} else {
- 		time_t t = (time_t) date;
- 		tp = gmtime (&t);
-+		if (tp == NULL) {
-+			strncpy (buf, "unknown", maxsize);
-+			return;
-+		}
- #ifdef HAVE_STRFTIME
- 		strftime (buf, maxsize, "%Y-%m-%d", tp);
- #else

shadow-4.9-useradd-avoid-generating-empty-subid-range.patch

@@ -1,79 +0,0 @@
-diff --git a/src/useradd.c b/src/useradd.c
-index baeffb35..9abeea6e 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -142,9 +142,7 @@ static bool is_sub_gid = false;
- static bool sub_uid_locked = false;
- static bool sub_gid_locked = false;
- static uid_t sub_uid_start;	/* New subordinate uid range */
--static unsigned long sub_uid_count;
- static gid_t sub_gid_start;	/* New subordinate gid range */
--static unsigned long sub_gid_count;
- #endif				/* ENABLE_SUBIDS */
- static bool pw_locked = false;
- static bool gr_locked = false;
-@@ -234,7 +232,7 @@ static void open_shadow (void);
- static void faillog_reset (uid_t);
- static void lastlog_reset (uid_t);
- static void tallylog_reset (const char *);
--static void usr_update (void);
-+static void usr_update (unsigned long subuid_count, unsigned long subgid_count);
- static void create_home (void);
- static void create_mail (void);
- static void check_uid_range(int rflg, uid_t user_id);
-@@ -2092,7 +2090,7 @@ static void tallylog_reset (const char *user_name)
-  *	usr_update() creates the password file entries for this user
-  *	and will update the group entries if required.
-  */
--static void usr_update (void)
-+static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
- {
- 	struct passwd pwent;
- 	struct spwd spent;
-@@ -2155,14 +2153,14 @@ static void usr_update (void)
- 	}
- #ifdef ENABLE_SUBIDS
- 	if (is_sub_uid &&
--	    (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
-+	    (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
- 		fprintf (stderr,
- 		         _("%s: failed to prepare the new %s entry\n"),
- 		         Prog, sub_uid_dbname ());
- 		fail_exit (E_SUB_UID_UPDATE);
- 	}
- 	if (is_sub_gid &&
--	    (sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
-+	    (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
- 		fprintf (stderr,
- 		         _("%s: failed to prepare the new %s entry\n"),
- 		         Prog, sub_uid_dbname ());
-@@ -2624,16 +2622,16 @@ int main (int argc, char **argv)
- 	}
- 
- #ifdef ENABLE_SUBIDS
--	if (is_sub_uid && sub_uid_count != 0) {
--		if (find_new_sub_uids(&sub_uid_start, &sub_uid_count) < 0) {
-+	if (is_sub_uid && subuid_count != 0) {
-+		if (find_new_sub_uids(&sub_uid_start, &subuid_count) < 0) {
- 			fprintf (stderr,
- 			         _("%s: can't create subordinate user IDs\n"),
- 			         Prog);
- 			fail_exit(E_SUB_UID_UPDATE);
- 		}
- 	}
--	if (is_sub_gid && sub_gid_count != 0) {
--		if (find_new_sub_gids(&sub_gid_start, &sub_gid_count) < 0) {
-+	if (is_sub_gid && subgid_count != 0) {
-+		if (find_new_sub_gids(&sub_gid_start, &subgid_count) < 0) {
- 			fprintf (stderr,
- 			         _("%s: can't create subordinate group IDs\n"),
- 			         Prog);
-@@ -2642,7 +2640,7 @@ int main (int argc, char **argv)
- 	}
- #endif				/* ENABLE_SUBIDS */
- 
--	usr_update ();
-+	usr_update (subuid_count, subgid_count);
- 
- 	close_files ();
- 

shadow-4.9-usermod-allow-all-group-types.patch

@@ -1,322 +0,0 @@
-From e481437ab9ebe9a8bf8fbaabe986d42b2f765991 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa <ipedrosa@redhat.com>
-Date: Tue, 3 Aug 2021 08:57:20 +0200
-Subject: [PATCH] usermod: allow all group types with -G option
-
-The only way of removing a group from the supplementary list is to use
--G option, and list all groups that the user is a member of except for
-the one that wants to be removed. The problem lies when there's a user
-that contains both local and remote groups, and the group to be removed
-is a local one. As we need to include the remote group with -G option
-the command will fail.
-
-This reverts commit 140510de9de4771feb3af1d859c09604043a4c9b. This way,
-it would be possible to remove the remote groups from the supplementary
-list.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1967641
-Resolves: https://github.com/shadow-maint/shadow/issues/338
-
-Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
----
- src/usermod.c | 220 ++++++++++++++++++--------------------------------
- 1 file changed, 77 insertions(+), 143 deletions(-)
-
-diff --git a/src/usermod.c b/src/usermod.c
-index 03bb9b9d..a0c03afa 100644
---- a/src/usermod.c
-+++ b/src/usermod.c
-@@ -187,7 +187,6 @@ static bool sub_gid_locked = false;
- static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
-                          long int date);
- static int get_groups (char *);
--static struct group * get_local_group (char * grp_name);
- static /*@noreturn@*/void usage (int status);
- static void new_pwent (struct passwd *);
- static void new_spent (struct spwd *);
-@@ -201,9 +200,7 @@ static void grp_update (void);
- 
- static void process_flags (int, char **);
- static void close_files (void);
--static void close_group_files (void);
- static void open_files (void);
--static void open_group_files (void);
- static void usr_update (void);
- static void move_home (void);
- static void update_lastlog (void);
-@@ -260,11 +257,6 @@ static int get_groups (char *list)
- 		return 0;
- 	}
- 
--	/*
--	 * Open the group files
--	 */
--	open_group_files ();
--
- 	/*
- 	 * So long as there is some data to be converted, strip off each
- 	 * name and look it up. A mix of numerical and string values for
-@@ -284,7 +276,7 @@ static int get_groups (char *list)
- 		 * Names starting with digits are treated as numerical GID
- 		 * values, otherwise the string is looked up as is.
- 		 */
--		grp = get_local_group (list);
-+		grp = prefix_getgr_nam_gid (list);
- 
- 		/*
- 		 * There must be a match, either by GID value or by
-@@ -334,8 +326,6 @@ static int get_groups (char *list)
- 		gr_free ((struct group *)grp);
- 	} while (NULL != list);
- 
--	close_group_files ();
--
- 	user_groups[ngroups] = (char *) 0;
- 
- 	/*
-@@ -348,44 +338,6 @@ static int get_groups (char *list)
- 	return 0;
- }
- 
--/*
-- * get_local_group - checks if a given group name exists locally
-- *
-- *	get_local_group() checks if a given group name exists locally.
-- *	If the name exists the group information is returned, otherwise NULL is
-- *	returned.
-- */
--static struct group * get_local_group(char * grp_name)
--{
--	const struct group *grp;
--	struct group *result_grp = NULL;
--	long long int gid;
--	char *endptr;
--
--	gid = strtoll (grp_name, &endptr, 10);
--	if (   ('\0' != *grp_name)
--		&& ('\0' == *endptr)
--		&& (ERANGE != errno)
--		&& (gid == (gid_t)gid)) {
--		grp = gr_locate_gid ((gid_t) gid);
--	}
--	else {
--		grp = gr_locate(grp_name);
--	}
--
--	if (grp != NULL) {
--		result_grp = __gr_dup (grp);
--		if (NULL == result_grp) {
--			fprintf (stderr,
--					_("%s: Out of memory. Cannot find group '%s'.\n"),
--					Prog, grp_name);
--			fail_exit (E_GRP_UPDATE);
--		}
--	}
--
--	return result_grp;
--}
--
- #ifdef ENABLE_SUBIDS
- struct ulong_range
- {
-@@ -1523,7 +1475,50 @@ static void close_files (void)
- 	}
- 
- 	if (Gflg || lflg) {
--		close_group_files ();
-+		if (gr_close () == 0) {
-+			fprintf (stderr,
-+			         _("%s: failure while writing changes to %s\n"),
-+			         Prog, gr_dbname ());
-+			SYSLOG ((LOG_ERR,
-+			         "failure while writing changes to %s",
-+			         gr_dbname ()));
-+			fail_exit (E_GRP_UPDATE);
-+		}
-+#ifdef SHADOWGRP
-+		if (is_shadow_grp) {
-+			if (sgr_close () == 0) {
-+				fprintf (stderr,
-+				         _("%s: failure while writing changes to %s\n"),
-+				         Prog, sgr_dbname ());
-+				SYSLOG ((LOG_ERR,
-+				         "failure while writing changes to %s",
-+				         sgr_dbname ()));
-+				fail_exit (E_GRP_UPDATE);
-+			}
-+		}
-+#endif
-+#ifdef SHADOWGRP
-+		if (is_shadow_grp) {
-+			if (sgr_unlock () == 0) {
-+				fprintf (stderr,
-+				         _("%s: failed to unlock %s\n"),
-+				         Prog, sgr_dbname ());
-+				SYSLOG ((LOG_ERR,
-+				         "failed to unlock %s",
-+				         sgr_dbname ()));
-+				/* continue */
-+			}
-+		}
-+#endif
-+		if (gr_unlock () == 0) {
-+			fprintf (stderr,
-+			         _("%s: failed to unlock %s\n"),
-+			         Prog, gr_dbname ());
-+			SYSLOG ((LOG_ERR,
-+			         "failed to unlock %s",
-+			         gr_dbname ()));
-+			/* continue */
-+		}
- 	}
- 
- 	if (is_shadow_pwd) {
-@@ -1592,60 +1587,6 @@ static void close_files (void)
- #endif
- }
- 
--/*
-- * close_group_files - close all of the files that were opened
-- *
-- *	close_group_files() closes all of the files that were opened related
-- *  with groups. This causes any modified entries to be written out.
-- */
--static void close_group_files (void)
--{
--	if (gr_close () == 0) {
--		fprintf (stderr,
--					_("%s: failure while writing changes to %s\n"),
--					Prog, gr_dbname ());
--		SYSLOG ((LOG_ERR,
--					"failure while writing changes to %s",
--					gr_dbname ()));
--		fail_exit (E_GRP_UPDATE);
--	}
--#ifdef SHADOWGRP
--	if (is_shadow_grp) {
--		if (sgr_close () == 0) {
--			fprintf (stderr,
--						_("%s: failure while writing changes to %s\n"),
--						Prog, sgr_dbname ());
--			SYSLOG ((LOG_ERR,
--						"failure while writing changes to %s",
--						sgr_dbname ()));
--			fail_exit (E_GRP_UPDATE);
--		}
--	}
--#endif
--#ifdef SHADOWGRP
--	if (is_shadow_grp) {
--		if (sgr_unlock () == 0) {
--			fprintf (stderr,
--						_("%s: failed to unlock %s\n"),
--						Prog, sgr_dbname ());
--			SYSLOG ((LOG_ERR,
--						"failed to unlock %s",
--						sgr_dbname ()));
--			/* continue */
--		}
--	}
--#endif
--	if (gr_unlock () == 0) {
--		fprintf (stderr,
--					_("%s: failed to unlock %s\n"),
--					Prog, gr_dbname ());
--		SYSLOG ((LOG_ERR,
--					"failed to unlock %s",
--					gr_dbname ()));
--		/* continue */
--	}
--}
--
- /*
-  * open_files - lock and open the password files
-  *
-@@ -1681,7 +1622,38 @@ static void open_files (void)
- 	}
- 
- 	if (Gflg || lflg) {
--		open_group_files ();
-+		/*
-+		 * Lock and open the group file. This will load all of the
-+		 * group entries.
-+		 */
-+		if (gr_lock () == 0) {
-+			fprintf (stderr,
-+			         _("%s: cannot lock %s; try again later.\n"),
-+			         Prog, gr_dbname ());
-+			fail_exit (E_GRP_UPDATE);
-+		}
-+		gr_locked = true;
-+		if (gr_open (O_CREAT | O_RDWR) == 0) {
-+			fprintf (stderr,
-+			         _("%s: cannot open %s\n"),
-+			         Prog, gr_dbname ());
-+			fail_exit (E_GRP_UPDATE);
-+		}
-+#ifdef SHADOWGRP
-+		if (is_shadow_grp && (sgr_lock () == 0)) {
-+			fprintf (stderr,
-+			         _("%s: cannot lock %s; try again later.\n"),
-+			         Prog, sgr_dbname ());
-+			fail_exit (E_GRP_UPDATE);
-+		}
-+		sgr_locked = true;
-+		if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
-+			fprintf (stderr,
-+			         _("%s: cannot open %s\n"),
-+			         Prog, sgr_dbname ());
-+			fail_exit (E_GRP_UPDATE);
-+		}
-+#endif
- 	}
- #ifdef ENABLE_SUBIDS
- 	if (vflg || Vflg) {
-@@ -1717,44 +1689,6 @@ static void open_files (void)
- #endif				/* ENABLE_SUBIDS */
- }
- 
--/*
-- * open_group_files - lock and open the group files
-- *
-- *	open_group_files() loads all of the group entries.
-- */
--static void open_group_files (void)
--{
--	if (gr_lock () == 0) {
--		fprintf (stderr,
--					_("%s: cannot lock %s; try again later.\n"),
--					Prog, gr_dbname ());
--		fail_exit (E_GRP_UPDATE);
--	}
--	gr_locked = true;
--	if (gr_open (O_CREAT | O_RDWR) == 0) {
--		fprintf (stderr,
--					_("%s: cannot open %s\n"),
--					Prog, gr_dbname ());
--		fail_exit (E_GRP_UPDATE);
--	}
--
--#ifdef SHADOWGRP
--	if (is_shadow_grp && (sgr_lock () == 0)) {
--		fprintf (stderr,
--					_("%s: cannot lock %s; try again later.\n"),
--					Prog, sgr_dbname ());
--		fail_exit (E_GRP_UPDATE);
--	}
--	sgr_locked = true;
--	if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
--		fprintf (stderr,
--					_("%s: cannot open %s\n"),
--					Prog, sgr_dbname ());
--		fail_exit (E_GRP_UPDATE);
--	}
--#endif
--}
--
- /*
-  * usr_update - create the user entries
-  *
--- 
-2.31.1
-

shadow-utils.spec

@@ -1,12 +1,12 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
-Version: 4.9
+Version: 4.11.1
 Release: 4%{?dist}
 Epoch: 2
 License: BSD and GPLv2+
 URL: https://github.com/shadow-maint/shadow
-Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
-Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
+Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
+Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
 Source2: shadow-utils.useradd
 Source3: shadow-utils.login.defs
 Source4: shadow-bsd.txt
@@ -18,11 +18,9 @@ Source6: shadow-utils.HOME_MODE.xml
 
 ### Patches ###
 # Misc small changes - most probably non-upstreamable
-Patch0: shadow-4.9-redhat.patch
+Patch0: shadow-4.11.1-redhat.patch
 # Be more lenient with acceptable user/group names - non upstreamable
 Patch1: shadow-4.8-goodname.patch
-# Move create home to the end of main - upstreamability unknown
-Patch2: shadow-4.9-move-create-home.patch
 # SElinux related - upstreamability unknown
 Patch3: shadow-4.9-default-range.patch
 # Misc manual page changes - non-upstreamable
@@ -32,27 +30,23 @@ Patch5: shadow-4.2.1-date-parsing.patch
 # Additional error message - could be upstreamed
 Patch6: shadow-4.6-move-home.patch
 # Audit message changes - upstreamability unknown
-Patch7: shadow-4.9-audit-update.patch
+Patch7: shadow-4.11.1-audit-update.patch
 # Changes related to password unlocking - could be upstreamed
 Patch8: shadow-4.5-usermod-unlock.patch
 # Additional SElinux related changes - upstreamability unknown
 Patch9: shadow-4.8-selinux-perms.patch
-# Handle NULL return from *time funcs - could be upstreamed
-Patch10: shadow-4.9-null-tm.patch
+# Handle NULL return from *time funcs - upstreamable
+Patch10: shadow-4.11.1-null-tm.patch
 # Handle /etc/passwd corruption - could be upstreamed
 Patch11: shadow-4.8-long-entry.patch
 # Limit uid/gid allocation to non-zero - could be upstreamed
 Patch12: shadow-4.6-sysugid-min-limit.patch
 # Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
 Patch13: shadow-4.8-ignore-login-prompt.patch
-# https://github.com/shadow-maint/shadow/commit/c6847011e8b656adacd9a0d2a78418cad0de34cb
-Patch14: shadow-4.9-newuidmap-libeconf-dependency.patch
-# https://github.com/shadow-maint/shadow/commit/e481437ab9ebe9a8bf8fbaabe986d42b2f765991
-Patch15: shadow-4.9-usermod-allow-all-group-types.patch
-# https://github.com/shadow-maint/shadow/commit/9dd720a28578eef5be8171697aae0906e4c53249
-Patch16: shadow-4.9-useradd-avoid-generating-empty-subid-range.patch
-# https://github.com/shadow-maint/shadow/commit/234e8fa7b134d1ebabfdad980a3ae5b63c046c62
-Patch17: shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
+# https://github.com/shadow-maint/shadow/commit/e101219ad71de11da3fdd1b3ec2620fd1a97b92c
+Patch14: shadow-4.9-nss-get-shadow-logfd-with-log-get-logfd.patch
+# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
+Patch15: shadow-4.11.1-useradd-modify-check-ID-range-for-system-users.patch
 
 ### Dependencies ###
 Requires: audit-libs >= 1.6.5
@@ -106,6 +100,7 @@ Utility library that provides a way to manage subid ranges.
 %package subid-devel
 Summary: Development package for shadow-utils-subid
 License: BSD and GPLv2+
+Requires: shadow-utils-subid = %{epoch}:%{version}-%{release}
 
 %description subid-devel
 Development files for shadow-utils-subid.
@@ -114,7 +109,6 @@ Development files for shadow-utils-subid.
 %setup -q -n shadow-%{version}
 %patch0 -p1 -b .redhat
 %patch1 -p1 -b .goodname
-%patch2 -p1 -b .move-create-home
 %patch3 -p1 -b .default-range
 %patch4 -p1 -b .manfix
 %patch5 -p1 -b .date-parsing
@@ -126,10 +120,8 @@ Development files for shadow-utils-subid.
 %patch11 -p1 -b .long-entry
 %patch12 -p1 -b .sysugid-min-limit
 %patch13 -p1 -b .login-prompt
-%patch14 -p1 -b .newuidmap-libeconf-dependency
-%patch15 -p1 -b .usermod-allow-all-group-types
-%patch16 -p1 -b .useradd-avoid-generating-empty-subid-range
-%patch17 -p1 -b .libmisc-fix-default-value-in-SHA_get_salt_rounds
+%patch14 -p1 -b .nss-get-shadow-logfd-with-log-get-logfd
+%patch15 -p1 -b .useradd-modify-check-ID-range-for-system-users
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -241,8 +233,9 @@ echo $(ls)
 mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
 install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
 
-# Remove .la files created by libsubid
+# Remove .la and .a files created by libsubid
 rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
 
 %files -f shadow.lang
 %doc NEWS doc/HOWTO README
@@ -294,12 +287,53 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 
 %files subid
 %{_libdir}/libsubid.so.*
+%{_bindir}/getsubids
+%{_mandir}/man1/getsubids.1*
 
 %files subid-devel
 %{includesubiddir}/subid.h
 %{_libdir}/libsubid.so
 
 %changelog
+* Mon Aug  1 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-4
+- useradd: modify check ID range for system users. Resolves: #2093692
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.11.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Feb 10 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-2
+- Fix explicit subid requirement for subid-devel
+
+* Tue Jan 25 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-1
+- Rebase to version 4.11.1 (#2034038)
+- Fix release sources
+- Add explicit subid requirement for subid-devel
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.9-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Mon Jan 17 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-9
+- nss: get shadow_logfd with log_get_logfd() (#2038811)
+- lib: make shadow_logfd and Prog not extern
+- lib: rename Prog to shadow_progname
+- lib: provide default values for shadow_progname
+- libsubid: use log_set_progname in subid_init
+
+* Fri Nov 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8
+- getsubids: provide system binary and man page (#1980780)
+- pwck: fix segfault when calling fprintf() (#2021339)
+- newgrp: fix segmentation fault (#2019553)
+- groupdel: fix SIGSEGV when passwd does not exist (#1986111)
+
+* Fri Nov 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7
+- useradd: change SELinux labels for home files (#2022658)
+
+* Thu Nov  4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6
+- useradd: revert fix memleak of grp (#2018697)
+
+* Wed Oct 27 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
+- useradd: generate home and mail directories with selinux user attribute
+
 * Thu Sep 23 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
 - login.defs: include HMAC_CRYPTO_ALGO key
 - Clean spec file: organize dependencies and move License location

sources

@@ -1,2 +1,2 @@
-SHA512 (shadow-4.9.tar.xz) = 254cda49bb14505a7604821e7fa898bf4bf317d648e9ddc881ab80a6860d52053dfffacad6feab87c7d16608c35ed6b6cee99e7757eac930da3a7b31cdcd4b95
-SHA512 (shadow-4.9.tar.xz.asc) = 16c0ff7be263c9d471b05656c9a1d14da8ec9b17544910323ca6ab854126d1a03ece221e0caf610e65a9b1d080b4cd1b8b46973f20e3ae45ea0e5581ce6c90d9
+SHA512 (shadow-4.11.1.tar.xz) = 12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f
+SHA512 (shadow-4.11.1.tar.xz.asc) = 4594189678cc9bcc8831f62a5d42c605b085be4a3b540429d7c800f4304e2e8fe04358547917eb90c1513646fade7c714611bfdc98af7dec5321a3dc3e65c4fd