commonio: force lock file sync (#1862056)

The upstream source tarball is actually called 'shadow' rather than 'shadow-utils'.
Add a compat provides for the former.

.gitignore

@@ -12,3 +12,5 @@ shadow-4.1.4.2.tar.bz2
 /shadow-4.6.tar.xz.asc
 /shadow-4.8.tar.xz
 /shadow-4.8.tar.xz.asc
+/shadow-4.8.1.tar.xz
+/shadow-4.8.1.tar.xz.asc

shadow-4.8-invalid-shell-check.patch

@@ -1,30 +0,0 @@
-diff -up shadow-4.8/src/useradd.c.invalid-shell shadow-4.8/src/useradd.c
---- shadow-4.8/src/useradd.c.invalid-shell	2020-01-16 08:47:13.841921106 +0100
-+++ shadow-4.8/src/useradd.c	2020-01-16 08:57:26.338421901 +0100
-@@ -1277,15 +1277,22 @@ static void process_flags (int argc, cha
- 				if (   ( !VALID (optarg) )
- 				    || (   ('\0' != optarg[0])
- 				        && ('/'  != optarg[0])
--				        && ('*'  != optarg[0]) )
--				    || (stat(optarg, &st) != 0)
--				    || (S_ISDIR(st.st_mode))
--				    || (access(optarg, X_OK) != 0)) {
-+				        && ('*'  != optarg[0]) )) {
- 					fprintf (stderr,
- 					         _("%s: invalid shell '%s'\n"),
- 					         Prog, optarg);
- 					exit (E_BAD_ARG);
- 				}
-+				if (    '\0' != optarg[0]
-+				     && '*'  != optarg[0]
-+				     && strcmp(optarg, "/sbin/nologin") != 0
-+				     && (   stat(optarg, &st) != 0
-+				         || S_ISDIR(st.st_mode)
-+				         || access(optarg, X_OK) != 0)) {
-+					fprintf (stderr,
-+					         _("%s: Warning: missing or non-executable shell '%s'\n"),
-+					         Prog, optarg);
-+				}
- 				user_shell = optarg;
- 				def_shell = optarg;
- 				sflg = true;

shadow-4.8-useradd-selinux-mail.patch

@@ -0,0 +1,61 @@
+From 4dc62ebcf37d7568be1d4ca54367215eba8b8a28 Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Wed, 5 Feb 2020 15:04:39 +0100
+Subject: [PATCH] useradd: doesn't generate /var/spool/mail/$USER with the
+ proper SELinux user identity
+
+Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
+---
+ src/useradd.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a679392d..645d4a40 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -190,6 +190,7 @@ static bool home_added = false;
+ #define E_NAME_IN_USE	9	/* username already in use */
+ #define E_GRP_UPDATE	10	/* can't update group file */
+ #define E_HOMEDIR	12	/* can't create home directory */
++#define E_MAILBOXFILE	13	/* can't create mailbox file */
+ #define E_SE_UPDATE	14	/* can't update SELinux user mapping */
+ #ifdef ENABLE_SUBIDS
+ #define E_SUB_UID_UPDATE 16	/* can't update the subordinate uid file */
+@@ -2210,6 +2211,16 @@ static void create_mail (void)
+ 			sprintf (file, "%s/%s/%s", prefix, spool, user_name);
+ 		else
+ 			sprintf (file, "%s/%s", spool, user_name);
++
++#ifdef WITH_SELINUX
++		if (set_selinux_file_context (file, NULL) != 0) {
++			fprintf (stderr,
++			         _("%s: cannot set SELinux context for mailbox file %s\n"),
++			         Prog, file);
++			fail_exit (E_MAILBOXFILE);
++		}
++#endif
++
+ 		fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0);
+ 		if (fd < 0) {
+ 			perror (_("Creating mailbox file"));
+@@ -2234,6 +2245,15 @@ static void create_mail (void)
+ 
+ 		fsync (fd);
+ 		close (fd);
++#ifdef WITH_SELINUX
++		/* Reset SELinux to create files with default contexts */
++		if (reset_selinux_file_context () != 0) {
++			fprintf (stderr,
++			         _("%s: cannot reset SELinux file creation context\n"),
++			         Prog);
++			fail_exit (E_MAILBOXFILE);
++		}
++#endif
+ 	}
+ }
+ 
+-- 
+2.24.1
+

shadow-4.8.1-audit-update.patch

@@ -1,6 +1,6 @@
-diff -up shadow-4.8/libmisc/audit_help.c.audit-update shadow-4.8/libmisc/audit_help.c
---- shadow-4.8/libmisc/audit_help.c.audit-update	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/libmisc/audit_help.c	2020-01-13 10:15:51.802073378 +0100
+diff -up shadow-4.8.1/libmisc/audit_help.c.audit-update shadow-4.8.1/libmisc/audit_help.c
+--- shadow-4.8.1/libmisc/audit_help.c.audit-update	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8.1/libmisc/audit_help.c	2020-03-17 16:53:44.371943299 +0100
 @@ -68,7 +68,7 @@ void audit_help_open (void)
   * This function will log a message to the audit system using a predefined
   * message format. Parameter usage is as follows:
@@ -50,9 +50,9 @@ diff -up shadow-4.8/libmisc/audit_help.c.audit-update shadow-4.8/libmisc/audit_h
  void audit_logger_message (const char *message, shadow_audit_result result)
  {
  	if (audit_fd < 0) {
-diff -up shadow-4.8/libmisc/cleanup_group.c.audit-update shadow-4.8/libmisc/cleanup_group.c
---- shadow-4.8/libmisc/cleanup_group.c.audit-update	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/libmisc/cleanup_group.c	2020-01-13 10:15:51.802073378 +0100
+diff -up shadow-4.8.1/libmisc/cleanup_group.c.audit-update shadow-4.8.1/libmisc/cleanup_group.c
+--- shadow-4.8.1/libmisc/cleanup_group.c.audit-update	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8.1/libmisc/cleanup_group.c	2020-03-17 16:53:44.371943299 +0100
 @@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle
  	         gr_dbname (),
  	         info->action));
@@ -131,9 +131,9 @@ diff -up shadow-4.8/libmisc/cleanup_group.c.audit-update shadow-4.8/libmisc/clea
  		                      SHADOW_AUDIT_FAILURE);
  #endif
  	}
-diff -up shadow-4.8/libmisc/cleanup_user.c.audit-update shadow-4.8/libmisc/cleanup_user.c
---- shadow-4.8/libmisc/cleanup_user.c.audit-update	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/libmisc/cleanup_user.c	2020-01-13 10:15:51.802073378 +0100
+diff -up shadow-4.8.1/libmisc/cleanup_user.c.audit-update shadow-4.8.1/libmisc/cleanup_user.c
+--- shadow-4.8.1/libmisc/cleanup_user.c.audit-update	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8.1/libmisc/cleanup_user.c	2020-03-17 16:53:44.371943299 +0100
 @@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl
  	         pw_dbname (),
  	         info->action));
@@ -181,9 +181,9 @@ diff -up shadow-4.8/libmisc/cleanup_user.c.audit-update shadow-4.8/libmisc/clean
  		                      SHADOW_AUDIT_FAILURE);
  #endif
  	}
-diff -up shadow-4.8/lib/prototypes.h.audit-update shadow-4.8/lib/prototypes.h
---- shadow-4.8/lib/prototypes.h.audit-update	2020-01-13 10:15:51.785073664 +0100
-+++ shadow-4.8/lib/prototypes.h	2020-01-13 10:15:51.803073362 +0100
+diff -up shadow-4.8.1/lib/prototypes.h.audit-update shadow-4.8.1/lib/prototypes.h
+--- shadow-4.8.1/lib/prototypes.h.audit-update	2020-03-17 16:53:44.364943206 +0100
++++ shadow-4.8.1/lib/prototypes.h	2020-03-17 16:53:44.371943299 +0100
 @@ -219,12 +219,21 @@ extern int audit_fd;
  extern void audit_help_open (void);
  /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */
@@ -206,9 +206,9 @@ diff -up shadow-4.8/lib/prototypes.h.audit-update shadow-4.8/lib/prototypes.h
  void audit_logger_message (const char *message, shadow_audit_result result);
  #endif
  
-diff -up shadow-4.8/src/chage.c.audit-update shadow-4.8/src/chage.c
---- shadow-4.8/src/chage.c.audit-update	2019-11-12 01:18:25.000000000 +0100
-+++ shadow-4.8/src/chage.c	2020-01-13 10:15:51.806073311 +0100
+diff -up shadow-4.8.1/src/chage.c.audit-update shadow-4.8.1/src/chage.c
+--- shadow-4.8.1/src/chage.c.audit-update	2019-11-12 01:18:25.000000000 +0100
++++ shadow-4.8.1/src/chage.c	2020-03-17 16:53:44.371943299 +0100
 @@ -123,9 +123,10 @@ static /*@noreturn@*/void fail_exit (int
  
  #ifdef WITH_AUDIT
@@ -296,9 +296,9 @@ diff -up shadow-4.8/src/chage.c.audit-update shadow-4.8/src/chage.c
  			              user_name, (unsigned int) user_uid, 1);
  		}
  #endif
-diff -up shadow-4.8/src/gpasswd.c.audit-update shadow-4.8/src/gpasswd.c
---- shadow-4.8/src/gpasswd.c.audit-update	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/src/gpasswd.c	2020-01-13 10:15:51.803073362 +0100
+diff -up shadow-4.8.1/src/gpasswd.c.audit-update shadow-4.8.1/src/gpasswd.c
+--- shadow-4.8.1/src/gpasswd.c.audit-update	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8.1/src/gpasswd.c	2020-03-17 16:53:44.371943299 +0100
 @@ -138,7 +138,7 @@ static void usage (int status)
  	(void) fputs (_("  -d, --delete USER             remove USER from GROUP\n"), usageout);
  	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
@@ -562,9 +562,9 @@ diff -up shadow-4.8/src/gpasswd.c.audit-update shadow-4.8/src/gpasswd.c
  		              SHADOW_AUDIT_SUCCESS);
  #endif
  	}
-diff -up shadow-4.8/src/groupadd.c.audit-update shadow-4.8/src/groupadd.c
---- shadow-4.8/src/groupadd.c.audit-update	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/src/groupadd.c	2020-01-13 10:15:51.804073345 +0100
+diff -up shadow-4.8.1/src/groupadd.c.audit-update shadow-4.8.1/src/groupadd.c
+--- shadow-4.8.1/src/groupadd.c.audit-update	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8.1/src/groupadd.c	2020-03-17 16:53:44.372943312 +0100
 @@ -131,6 +131,15 @@ static /*@noreturn@*/void usage (int sta
  	exit (status);
  }
@@ -740,9 +740,9 @@ diff -up shadow-4.8/src/groupadd.c.audit-update shadow-4.8/src/groupadd.c
  		}
  	}
  
-diff -up shadow-4.8/src/groupdel.c.audit-update shadow-4.8/src/groupdel.c
---- shadow-4.8/src/groupdel.c.audit-update	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/src/groupdel.c	2020-01-13 10:15:51.804073345 +0100
+diff -up shadow-4.8.1/src/groupdel.c.audit-update shadow-4.8.1/src/groupdel.c
+--- shadow-4.8.1/src/groupdel.c.audit-update	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8.1/src/groupdel.c	2020-03-17 16:53:44.372943312 +0100
 @@ -106,6 +106,15 @@ static /*@noreturn@*/void usage (int sta
  	exit (status);
  }
@@ -912,9 +912,9 @@ diff -up shadow-4.8/src/groupdel.c.audit-update shadow-4.8/src/groupdel.c
  	}
  #endif
  
-diff -up shadow-4.8/src/groupmod.c.audit-update shadow-4.8/src/groupmod.c
---- shadow-4.8/src/groupmod.c.audit-update	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/src/groupmod.c	2020-01-13 10:15:51.805073328 +0100
+diff -up shadow-4.8.1/src/groupmod.c.audit-update shadow-4.8.1/src/groupmod.c
+--- shadow-4.8.1/src/groupmod.c.audit-update	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8.1/src/groupmod.c	2020-03-17 16:53:44.372943312 +0100
 @@ -450,7 +450,7 @@ static void close_files (void)
  		exit (E_GRP_UPDATE);
  	}
@@ -1118,9 +1118,9 @@ diff -up shadow-4.8/src/groupmod.c.audit-update shadow-4.8/src/groupmod.c
  
  // FIXME: add a system cleanup
  	add_cleanup (cleanup_report_mod_group, &info_group);
-diff -up shadow-4.8/src/newgrp.c.audit-update shadow-4.8/src/newgrp.c
---- shadow-4.8/src/newgrp.c.audit-update	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/src/newgrp.c	2020-01-13 10:15:51.806073311 +0100
+diff -up shadow-4.8.1/src/newgrp.c.audit-update shadow-4.8.1/src/newgrp.c
+--- shadow-4.8.1/src/newgrp.c.audit-update	2020-01-12 15:19:28.000000000 +0100
++++ shadow-4.8.1/src/newgrp.c	2020-03-17 16:53:44.372943312 +0100
 @@ -206,11 +206,12 @@ static void check_perms (const struct gr
  		    strcmp (cpasswd, grp->gr_passwd) != 0) {
  #ifdef WITH_AUDIT
@@ -1203,7 +1203,7 @@ diff -up shadow-4.8/src/newgrp.c.audit-update shadow-4.8/src/newgrp.c
  			}
  #endif
  			exit (EXIT_FAILURE);
-@@ -457,7 +458,7 @@ int main (int argc, char **argv)
+@@ -458,7 +459,7 @@ int main (int argc, char **argv)
  #ifdef WITH_AUDIT
  		audit_logger (AUDIT_CHGRP_ID, Prog,
  		              "changing", NULL,
@@ -1212,7 +1212,7 @@ diff -up shadow-4.8/src/newgrp.c.audit-update shadow-4.8/src/newgrp.c
  #endif
  		SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)",
  		         (unsigned long) getuid ()));
-@@ -573,15 +574,26 @@ int main (int argc, char **argv)
+@@ -574,15 +575,26 @@ int main (int argc, char **argv)
  		perror ("getgroups");
  #ifdef WITH_AUDIT
  		if (group) {
@@ -1243,7 +1243,7 @@ diff -up shadow-4.8/src/newgrp.c.audit-update shadow-4.8/src/newgrp.c
  		}
  #endif
  		exit (EXIT_FAILURE);
-@@ -738,10 +750,10 @@ int main (int argc, char **argv)
+@@ -739,10 +751,10 @@ int main (int argc, char **argv)
  		perror ("setgid");
  #ifdef WITH_AUDIT
  		snprintf (audit_buf, sizeof(audit_buf),
@@ -1256,7 +1256,7 @@ diff -up shadow-4.8/src/newgrp.c.audit-update shadow-4.8/src/newgrp.c
  #endif
  		exit (EXIT_FAILURE);
  	}
-@@ -750,10 +762,10 @@ int main (int argc, char **argv)
+@@ -751,10 +763,10 @@ int main (int argc, char **argv)
  		perror ("setuid");
  #ifdef WITH_AUDIT
  		snprintf (audit_buf, sizeof(audit_buf),
@@ -1269,7 +1269,7 @@ diff -up shadow-4.8/src/newgrp.c.audit-update shadow-4.8/src/newgrp.c
  #endif
  		exit (EXIT_FAILURE);
  	}
-@@ -767,10 +779,10 @@ int main (int argc, char **argv)
+@@ -768,10 +780,10 @@ int main (int argc, char **argv)
  		execl (SHELL, "sh", "-c", command, (char *) 0);
  #ifdef WITH_AUDIT
  		snprintf (audit_buf, sizeof(audit_buf),
@@ -1282,7 +1282,7 @@ diff -up shadow-4.8/src/newgrp.c.audit-update shadow-4.8/src/newgrp.c
  #endif
  		perror (SHELL);
  		exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
-@@ -834,11 +846,11 @@ int main (int argc, char **argv)
+@@ -835,11 +847,11 @@ int main (int argc, char **argv)
  	}
  
  #ifdef WITH_AUDIT
@@ -1296,7 +1296,7 @@ diff -up shadow-4.8/src/newgrp.c.audit-update shadow-4.8/src/newgrp.c
  #endif
  	/*
  	 * Exec the login shell and go away. We are trying to get back to
-@@ -862,15 +874,24 @@ int main (int argc, char **argv)
+@@ -863,15 +875,24 @@ int main (int argc, char **argv)
  	closelog ();
  #ifdef WITH_AUDIT
  	if (NULL != group) {
@@ -1325,9 +1325,9 @@ diff -up shadow-4.8/src/newgrp.c.audit-update shadow-4.8/src/newgrp.c
  	}
  #endif
  	exit (EXIT_FAILURE);
-diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
---- shadow-4.8/src/useradd.c.audit-update	2020-01-13 10:15:51.789073597 +0100
-+++ shadow-4.8/src/useradd.c	2020-01-13 10:17:30.929406913 +0100
+diff -up shadow-4.8.1/src/useradd.c.audit-update shadow-4.8.1/src/useradd.c
+--- shadow-4.8.1/src/useradd.c.audit-update	2020-03-17 16:53:44.365943219 +0100
++++ shadow-4.8.1/src/useradd.c	2020-03-17 17:03:11.614503929 +0100
 @@ -233,6 +233,8 @@ static void create_mail (void);
   */
  static void fail_exit (int code)
@@ -1510,7 +1510,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  		              SHADOW_AUDIT_SUCCESS);
  #endif
  		SYSLOG ((LOG_INFO,
-@@ -1445,7 +1393,7 @@ static void process_flags (int argc, cha
+@@ -1452,7 +1400,7 @@ static void process_flags (int argc, cha
  			         Prog, user_name);
  #ifdef WITH_AUDIT
  			audit_logger (AUDIT_ADD_USER, Prog,
@@ -1519,7 +1519,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  			              user_name, AUDIT_NO_ID,
  			              SHADOW_AUDIT_FAILURE);
  #endif
-@@ -1560,7 +1508,7 @@ static void close_files (void)
+@@ -1567,7 +1515,7 @@ static void close_files (void)
  			SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
  #ifdef WITH_AUDIT
  			audit_logger (AUDIT_ADD_USER, Prog,
@@ -1528,7 +1528,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  			              user_name, AUDIT_NO_ID,
  			              SHADOW_AUDIT_FAILURE);
  #endif
-@@ -1573,7 +1521,7 @@ static void close_files (void)
+@@ -1580,7 +1528,7 @@ static void close_files (void)
  		SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
  #ifdef WITH_AUDIT
  		audit_logger (AUDIT_ADD_USER, Prog,
@@ -1537,7 +1537,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  		              user_name, AUDIT_NO_ID,
  		              SHADOW_AUDIT_FAILURE);
  #endif
-@@ -1585,7 +1533,7 @@ static void close_files (void)
+@@ -1592,7 +1540,7 @@ static void close_files (void)
  		SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
  #ifdef WITH_AUDIT
  		audit_logger (AUDIT_ADD_USER, Prog,
@@ -1546,7 +1546,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  		              user_name, AUDIT_NO_ID,
  		              SHADOW_AUDIT_FAILURE);
  #endif
-@@ -1599,7 +1547,7 @@ static void close_files (void)
+@@ -1606,7 +1554,7 @@ static void close_files (void)
  			SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
  #ifdef WITH_AUDIT
  			audit_logger (AUDIT_ADD_USER, Prog,
@@ -1555,7 +1555,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  			              user_name, AUDIT_NO_ID,
  			              SHADOW_AUDIT_FAILURE);
  #endif
-@@ -1615,7 +1563,7 @@ static void close_files (void)
+@@ -1622,7 +1570,7 @@ static void close_files (void)
  			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
  #ifdef WITH_AUDIT
  			audit_logger (AUDIT_ADD_USER, Prog,
@@ -1564,7 +1564,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  				user_name, AUDIT_NO_ID,
  				SHADOW_AUDIT_FAILURE);
  #endif
-@@ -1629,7 +1577,7 @@ static void close_files (void)
+@@ -1636,7 +1584,7 @@ static void close_files (void)
  			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
  #ifdef WITH_AUDIT
  			audit_logger (AUDIT_ADD_USER, Prog,
@@ -1573,7 +1573,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  				user_name, AUDIT_NO_ID,
  				SHADOW_AUDIT_FAILURE);
  #endif
-@@ -1821,7 +1769,7 @@ static void grp_add (void)
+@@ -1828,7 +1776,7 @@ static void grp_add (void)
  		         Prog, gr_dbname (), grp.gr_name);
  #ifdef WITH_AUDIT
  		audit_logger (AUDIT_ADD_GROUP, Prog,
@@ -1582,7 +1582,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  		              grp.gr_name, AUDIT_NO_ID,
  		              SHADOW_AUDIT_FAILURE);
  #endif
-@@ -1837,7 +1785,7 @@ static void grp_add (void)
+@@ -1844,7 +1792,7 @@ static void grp_add (void)
  		         Prog, sgr_dbname (), sgrp.sg_name);
  #ifdef WITH_AUDIT
  		audit_logger (AUDIT_ADD_GROUP, Prog,
@@ -1591,7 +1591,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  		              grp.gr_name, AUDIT_NO_ID,
  		              SHADOW_AUDIT_FAILURE);
  #endif
-@@ -1847,7 +1795,7 @@ static void grp_add (void)
+@@ -1854,7 +1802,7 @@ static void grp_add (void)
  	SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid));
  #ifdef WITH_AUDIT
  	audit_logger (AUDIT_ADD_GROUP, Prog,
@@ -1600,7 +1600,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  	              grp.gr_name, AUDIT_NO_ID,
  	              SHADOW_AUDIT_SUCCESS);
  #endif
-@@ -2015,12 +1963,6 @@ static void usr_update (void)
+@@ -2025,12 +1973,6 @@ static void usr_update (void)
  		fprintf (stderr,
  		         _("%s: failed to prepare the new %s entry '%s'\n"),
  		         Prog, spw_dbname (), spent.sp_namp);
@@ -1613,7 +1613,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  		fail_exit (E_PW_UPDATE);
  	}
  #ifdef ENABLE_SUBIDS
-@@ -2041,9 +1983,14 @@ static void usr_update (void)
+@@ -2051,9 +1993,14 @@ static void usr_update (void)
  #endif				/* ENABLE_SUBIDS */
  
  #ifdef WITH_AUDIT
@@ -1630,7 +1630,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  	              SHADOW_AUDIT_SUCCESS);
  #endif
  	/*
-@@ -2130,12 +2077,6 @@ static void create_home (void)
+@@ -2140,12 +2087,6 @@ static void create_home (void)
  			fprintf (stderr,
  							_("%s: cannot create directory %s\n"),
  							Prog, path);
@@ -1643,8 +1643,8 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  			fail_exit (E_HOMEDIR);
  		}
  				if (chown (path, 0, 0) < 0) {
-@@ -2157,8 +2098,8 @@ static void create_home (void)
- 		       0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+@@ -2168,8 +2109,8 @@ static void create_home (void)
+ 		chmod (prefix_user_home, mode);
  		home_added = true;
  #ifdef WITH_AUDIT
 -		audit_logger (AUDIT_ADD_USER, Prog,
@@ -1654,7 +1654,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  		              user_name, (unsigned int) user_id,
  		              SHADOW_AUDIT_SUCCESS);
  #endif
-@@ -2343,12 +2284,6 @@ int main (int argc, char **argv)
+@@ -2354,12 +2295,6 @@ int main (int argc, char **argv)
  	 */
  	if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */
  		fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name);
@@ -1667,7 +1667,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  		fail_exit (E_NAME_IN_USE);
  	}
  
-@@ -2364,12 +2299,6 @@ int main (int argc, char **argv)
+@@ -2375,12 +2310,6 @@ int main (int argc, char **argv)
  			fprintf (stderr,
  			         _("%s: group %s exists - if you want to add this user to that group, use -g.\n"),
  			         Prog, user_name);
@@ -1680,7 +1680,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  			fail_exit (E_NAME_IN_USE);
  		}
  	}
-@@ -2399,12 +2328,6 @@ int main (int argc, char **argv)
+@@ -2410,12 +2339,6 @@ int main (int argc, char **argv)
  				fprintf (stderr,
  				         _("%s: UID %lu is not unique\n"),
  				         Prog, (unsigned long) user_id);
@@ -1693,7 +1693,7 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  				fail_exit (E_UID_IN_USE);
  			}
  		}
-@@ -2478,9 +2401,10 @@ int main (int argc, char **argv)
+@@ -2489,9 +2412,10 @@ int main (int argc, char **argv)
  			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
  			         Prog, user_name, user_selinux);
  #ifdef WITH_AUDIT
@@ -1707,9 +1707,9 @@ diff -up shadow-4.8/src/useradd.c.audit-update shadow-4.8/src/useradd.c
  #endif				/* WITH_AUDIT */
  			rv = E_SE_UPDATE;
  		    }
-diff -up shadow-4.8/src/userdel.c.audit-update shadow-4.8/src/userdel.c
---- shadow-4.8/src/userdel.c.audit-update	2020-01-13 10:15:51.797073462 +0100
-+++ shadow-4.8/src/userdel.c	2020-01-13 10:15:51.809073261 +0100
+diff -up shadow-4.8.1/src/userdel.c.audit-update shadow-4.8.1/src/userdel.c
+--- shadow-4.8.1/src/userdel.c.audit-update	2020-03-17 16:53:44.368943259 +0100
++++ shadow-4.8.1/src/userdel.c	2020-03-17 16:53:44.373943325 +0100
 @@ -222,9 +222,9 @@ static void update_groups (void)
  		 * Update the DBM group file with the new entry as well.
  		 */
@@ -2037,9 +2037,9 @@ diff -up shadow-4.8/src/userdel.c.audit-update shadow-4.8/src/userdel.c
  			              user_name, (unsigned int) user_id,
  			              SHADOW_AUDIT_FAILURE);
  #endif				/* WITH_AUDIT */
-diff -up shadow-4.8/src/usermod.c.audit-update shadow-4.8/src/usermod.c
---- shadow-4.8/src/usermod.c.audit-update	2020-01-13 10:15:51.800073412 +0100
-+++ shadow-4.8/src/usermod.c	2020-01-13 10:15:51.812073210 +0100
+diff -up shadow-4.8.1/src/usermod.c.audit-update shadow-4.8.1/src/usermod.c
+--- shadow-4.8.1/src/usermod.c.audit-update	2020-03-17 16:53:44.370943285 +0100
++++ shadow-4.8.1/src/usermod.c	2020-03-17 16:53:44.373943325 +0100
 @@ -457,8 +457,8 @@ static char *new_pw_passwd (char *pw_pas
  
  #ifdef WITH_AUDIT

shadow-4.8.1-commonio-force-lock-file-sync.patch

@@ -0,0 +1,39 @@
+From fb0f702cbf958a5ee9097c1611212c9880b347ce Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Mon, 2 Nov 2020 17:08:55 +0100
+Subject: [PATCH] commonio: force lock file sync
+
+lib/commonio.c: after writing to the lock file, force a file sync to
+the storage system.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1862056
+---
+ lib/commonio.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index 16fa7e75..c5b3d104 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -157,7 +157,17 @@ static int do_lock_file (const char *file, const char *lock, bool log)
+ 	if (write (fd, buf, (size_t) len) != len) {
+ 		if (log) {
+ 			(void) fprintf (stderr,
+-			                "%s: %s: %s\n",
++			                "%s: %s file write error: %s\n",
++			                Prog, file, strerror (errno));
++		}
++		(void) close (fd);
++		unlink (file);
++		return 0;
++	}
++	if (fdatasync (fd) == -1) {
++		if (log) {
++			(void) fprintf (stderr,
++			                "%s: %s file sync error: %s\n",
+ 			                Prog, file, strerror (errno));
+ 		}
+ 		(void) close (fd);
+-- 
+2.26.2
+

shadow-4.8.1-manfix.patch

@@ -1,6 +1,6 @@
-diff -up shadow-4.8/man/chage.1.xml.manfix shadow-4.8/man/chage.1.xml
---- shadow-4.8/man/chage.1.xml.manfix	2019-10-05 01:28:34.000000000 +0200
-+++ shadow-4.8/man/chage.1.xml	2020-01-13 10:12:48.445155882 +0100
+diff -up shadow-4.8.1/man/chage.1.xml.manfix shadow-4.8.1/man/chage.1.xml
+--- shadow-4.8.1/man/chage.1.xml.manfix	2019-10-05 01:28:34.000000000 +0200
++++ shadow-4.8.1/man/chage.1.xml	2020-03-17 15:34:48.750414984 +0100
 @@ -102,6 +102,9 @@
  	    Set the number of days since January 1st, 1970 when the password
  	    was last changed. The date may also be expressed in the format
@@ -44,9 +44,9 @@ diff -up shadow-4.8/man/chage.1.xml.manfix shadow-4.8/man/chage.1.xml
      <para>The <command>chage</command> command is restricted to the root
        user, except for the <option>-l</option> option, which may be used by
        an unprivileged user to determine when their password or account is due
-diff -up shadow-4.8/man/groupadd.8.xml.manfix shadow-4.8/man/groupadd.8.xml
---- shadow-4.8/man/groupadd.8.xml.manfix	2020-01-13 10:12:48.432156100 +0100
-+++ shadow-4.8/man/groupadd.8.xml	2020-01-13 10:13:06.096859122 +0100
+diff -up shadow-4.8.1/man/groupadd.8.xml.manfix shadow-4.8.1/man/groupadd.8.xml
+--- shadow-4.8.1/man/groupadd.8.xml.manfix	2020-03-17 15:34:48.745414917 +0100
++++ shadow-4.8.1/man/groupadd.8.xml	2020-03-17 15:34:48.750414984 +0100
 @@ -320,13 +320,13 @@
  	<varlistentry>
  	  <term><replaceable>4</replaceable></term>
@@ -63,15 +63,15 @@ diff -up shadow-4.8/man/groupadd.8.xml.manfix shadow-4.8/man/groupadd.8.xml
  	  </listitem>
  	</varlistentry>
  	<varlistentry>
-diff -up shadow-4.8/man/groupmems.8.xml.manfix shadow-4.8/man/groupmems.8.xml
---- shadow-4.8/man/groupmems.8.xml.manfix	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/man/groupmems.8.xml	2020-01-13 10:12:48.445155882 +0100
+diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml
+--- shadow-4.8.1/man/groupmems.8.xml.manfix	2020-03-17 15:34:48.750414984 +0100
++++ shadow-4.8.1/man/groupmems.8.xml	2020-03-17 15:41:13.383588722 +0100
 @@ -179,20 +179,10 @@
    <refsect1 id='setup'>
      <title>SETUP</title>
      <para>
 -      The <command>groupmems</command> executable should be in mode
--      <literal>2770</literal> as user <emphasis>root</emphasis> and in group
+-      <literal>2710</literal> as user <emphasis>root</emphasis> and in group
 -      <emphasis>groups</emphasis>. The system administrator can add users to
 -      group <emphasis>groups</emphasis> to allow or disallow them using the
 -      <command>groupmems</command> utility to manage their own group
@@ -83,16 +83,16 @@ diff -up shadow-4.8/man/groupmems.8.xml.manfix shadow-4.8/man/groupmems.8.xml
 -
 -    <programlisting>
 -	$ groupadd -r groups
--	$ chmod 2770 groupmems
+-	$ chmod 2710 groupmems
 -	$ chown root.groups groupmems
 -	$ groupmems -g groups -a gk4
 -    </programlisting>
    </refsect1>
  
    <refsect1 id='configuration'>
-diff -up shadow-4.8/man/ja/man5/login.defs.5.manfix shadow-4.8/man/ja/man5/login.defs.5
---- shadow-4.8/man/ja/man5/login.defs.5.manfix	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/man/ja/man5/login.defs.5	2020-01-13 10:12:48.445155882 +0100
+diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5
+--- shadow-4.8.1/man/ja/man5/login.defs.5.manfix	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8.1/man/ja/man5/login.defs.5	2020-03-17 15:34:48.750414984 +0100
 @@ -147,10 +147,6 @@ 以下の参照表は、
  shadow パスワード機能のどのプログラムが
  どのパラメータを使用するかを示したものである。
@@ -104,10 +104,10 @@ diff -up shadow-4.8/man/ja/man5/login.defs.5.manfix shadow-4.8/man/ja/man5/login
  .IP groupadd 12
  GID_MAX GID_MIN
  .IP newusers 12
-diff -up shadow-4.8/man/login.defs.5.xml.manfix shadow-4.8/man/login.defs.5.xml
---- shadow-4.8/man/login.defs.5.xml.manfix	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/man/login.defs.5.xml	2020-01-13 10:14:10.491776547 +0100
-@@ -163,6 +163,17 @@
+diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml
+--- shadow-4.8.1/man/login.defs.5.xml.manfix	2020-01-17 16:47:56.000000000 +0100
++++ shadow-4.8.1/man/login.defs.5.xml	2020-03-17 15:34:48.750414984 +0100
+@@ -164,6 +164,17 @@
        long numeric parameters is machine-dependent.
      </para>
  
@@ -125,7 +125,7 @@ diff -up shadow-4.8/man/login.defs.5.xml.manfix shadow-4.8/man/login.defs.5.xml
      <para>The following configuration items are provided:</para>
  
      <variablelist remap='IP'>
-@@ -254,16 +265,6 @@
+@@ -256,16 +267,6 @@
  	</listitem>
        </varlistentry>
        <varlistentry>
@@ -142,7 +142,7 @@ diff -up shadow-4.8/man/login.defs.5.xml.manfix shadow-4.8/man/login.defs.5.xml
  	<term>chgpasswd</term>
  	<listitem>
  	  <para>
-@@ -284,14 +285,6 @@
+@@ -286,14 +287,6 @@
  	  </para>
  	</listitem>
        </varlistentry>
@@ -157,7 +157,7 @@ diff -up shadow-4.8/man/login.defs.5.xml.manfix shadow-4.8/man/login.defs.5.xml
        <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
        <!-- faillog: no variables -->
        <varlistentry>
-@@ -357,34 +350,6 @@
+@@ -359,34 +352,6 @@
  	  <para>LASTLOG_UID_MAX</para>
  	</listitem>
        </varlistentry>
@@ -192,7 +192,7 @@ diff -up shadow-4.8/man/login.defs.5.xml.manfix shadow-4.8/man/login.defs.5.xml
        <!-- logoutd: no variables -->
        <varlistentry>
  	<term>newgrp / sg</term>
-@@ -412,17 +377,6 @@
+@@ -415,17 +380,6 @@
  	</listitem>
        </varlistentry>
        <!-- nologin: no variables -->
@@ -210,7 +210,7 @@ diff -up shadow-4.8/man/login.defs.5.xml.manfix shadow-4.8/man/login.defs.5.xml
        <varlistentry>
  	<term>pwck</term>
  	<listitem>
-@@ -449,32 +403,6 @@
+@@ -452,32 +406,6 @@
  	  </para>
  	</listitem>
        </varlistentry>
@@ -243,9 +243,9 @@ diff -up shadow-4.8/man/login.defs.5.xml.manfix shadow-4.8/man/login.defs.5.xml
        <varlistentry>
  	<term>useradd</term>
  	<listitem>
-diff -up shadow-4.8/man/shadow.5.xml.manfix shadow-4.8/man/shadow.5.xml
---- shadow-4.8/man/shadow.5.xml.manfix	2019-12-01 17:52:32.000000000 +0100
-+++ shadow-4.8/man/shadow.5.xml	2020-01-13 10:12:48.446155865 +0100
+diff -up shadow-4.8.1/man/shadow.5.xml.manfix shadow-4.8.1/man/shadow.5.xml
+--- shadow-4.8.1/man/shadow.5.xml.manfix	2019-12-01 17:52:32.000000000 +0100
++++ shadow-4.8.1/man/shadow.5.xml	2020-03-17 15:34:48.750414984 +0100
 @@ -129,7 +129,7 @@
  	<listitem>
  	  <para>
@@ -275,10 +275,10 @@ diff -up shadow-4.8/man/shadow.5.xml.manfix shadow-4.8/man/shadow.5.xml
  	  </para>
  	  <para>
  	    Note that an account expiration differs from a password
-diff -up shadow-4.8/man/useradd.8.xml.manfix shadow-4.8/man/useradd.8.xml
---- shadow-4.8/man/useradd.8.xml.manfix	2020-01-13 10:12:48.432156100 +0100
-+++ shadow-4.8/man/useradd.8.xml	2020-01-13 10:12:48.446155865 +0100
-@@ -358,6 +358,11 @@
+diff -up shadow-4.8.1/man/useradd.8.xml.manfix shadow-4.8.1/man/useradd.8.xml
+--- shadow-4.8.1/man/useradd.8.xml.manfix	2020-03-17 15:34:48.745414917 +0100
++++ shadow-4.8.1/man/useradd.8.xml	2020-03-17 15:34:48.751414997 +0100
+@@ -359,6 +359,11 @@
  	    <option>CREATE_HOME</option> is not enabled, no home
  	    directories are created.
  	  </para>
@@ -290,10 +290,10 @@ diff -up shadow-4.8/man/useradd.8.xml.manfix shadow-4.8/man/useradd.8.xml
  	</listitem>
        </varlistentry>
        <varlistentry>
-diff -up shadow-4.8/man/usermod.8.xml.manfix shadow-4.8/man/usermod.8.xml
---- shadow-4.8/man/usermod.8.xml.manfix	2019-10-05 03:23:58.000000000 +0200
-+++ shadow-4.8/man/usermod.8.xml	2020-01-13 10:12:48.446155865 +0100
-@@ -153,7 +153,8 @@
+diff -up shadow-4.8.1/man/usermod.8.xml.manfix shadow-4.8.1/man/usermod.8.xml
+--- shadow-4.8.1/man/usermod.8.xml.manfix	2019-12-20 06:58:23.000000000 +0100
++++ shadow-4.8.1/man/usermod.8.xml	2020-03-17 15:34:48.751414997 +0100
+@@ -143,7 +143,8 @@
  	    If the <option>-m</option>
  	    option is given, the contents of the current home directory will
  	    be moved to the new home directory, which is created if it does
@@ -303,7 +303,7 @@ diff -up shadow-4.8/man/usermod.8.xml.manfix shadow-4.8/man/usermod.8.xml
  	  </para>
  	</listitem>
        </varlistentry>
-@@ -215,6 +216,12 @@
+@@ -205,6 +206,12 @@
  	    The group ownership of files outside of the user's home directory
  	    must be fixed manually.
  	  </para>
@@ -316,7 +316,7 @@ diff -up shadow-4.8/man/usermod.8.xml.manfix shadow-4.8/man/usermod.8.xml
  	</listitem>
        </varlistentry>
        <varlistentry>
-@@ -277,7 +284,8 @@
+@@ -267,7 +274,8 @@
  	<listitem>
  	  <para>
  	    Move the content of the user's home directory to the new
@@ -326,7 +326,7 @@ diff -up shadow-4.8/man/usermod.8.xml.manfix shadow-4.8/man/usermod.8.xml
  	  </para>
  	  <para>
  	    This option is only valid in combination with the
-@@ -391,6 +399,12 @@
+@@ -381,6 +389,12 @@
  	    must be fixed manually.
  	  </para>
  	  <para>

shadow-4.8.1-useradd-man-clarification.patch

@@ -0,0 +1,35 @@
+From 6543c600d841e4f7779269412d470e50eae25b13 Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Wed, 4 Mar 2020 14:50:04 +0100
+Subject: [PATCH] useradd: clarify the useradd -d parameter behavior in man
+ page
+
+Explanation: clarify the useradd -d parameter as it does create directory HOME_DIR if it doesn't exit.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1677005
+
+Changelog: [serge] minor tweak to the text
+---
+ man/useradd.8.xml | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/man/useradd.8.xml b/man/useradd.8.xml
+index 03612ce8..023c0d69 100644
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -181,8 +181,10 @@
+ 	    login directory. The default is to append the
+ 	    <replaceable>LOGIN</replaceable> name to
+ 	    <replaceable>BASE_DIR</replaceable> and use that as the login
+-	    directory name. The directory <replaceable>HOME_DIR</replaceable>
+-	    does not have to exist but will not be created if it is missing.
++	    directory name.  If the directory
++	    <replaceable>HOME_DIR</replaceable> does not exist, then it
++	    will be created unless the <option>-M</option> option is
++	    specified.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-- 
+2.25.1
+

shadow-utils.HOME_MODE.xml

@@ -0,0 +1,43 @@
+<!--
+   Copyright (c) 1991 - 1993, Julianne Frances Haugh
+   Copyright (c) 1991 - 1993, Chip Rosenthal
+   Copyright (c) 2007 - 2009, Nicolas François
+   All rights reserved.
+  
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+   2. Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   3. The name of the copyright holders or contributors may not be used to
+      endorse or promote products derived from this software without
+      specific prior written permission.
+  
+   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<varlistentry>
+  <term><option>HOME_MODE</option> (number)</term>
+  <listitem>
+    <para>
+      The mode for new home directories. If not specified,
+      the <option>UMASK</option> is used to create the mode.
+    </para>
+    <para>
+      <command>useradd</command> and <command>newusers</command> use this
+      to set the mode of the home directory they create.
+    </para>
+  </listitem>
+</varlistentry>

shadow-utils.login.defs

@@ -6,15 +6,121 @@
 # /etc/pam.d/system-auth for more information.
 #
 
+#
+# Delay in seconds before being allowed another attempt after a login failure
+# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
+#       pam_unix(8) enforces a 2s delay)
+#
+#FAIL_DELAY		3
+
+# Currently FAILLOG_ENAB is not supported
+
+#
+# Enable display of unknown usernames when login(1) failures are recorded.
+#
+#LOG_UNKFAIL_ENAB	no
+
+# Currently LOG_OK_LOGINS is not supported
+
+# Currently LASTLOG_ENAB is not supported
+
+#
+# Limit the highest user ID number for which the lastlog entries should
+# be updated.
+#
+# No LASTLOG_UID_MAX means that there is no user ID limit for writing
+# lastlog entries.
+#
+#LASTLOG_UID_MAX
+
+# Currently MAIL_CHECK_ENAB is not supported
+
+# Currently OBSCURE_CHECKS_ENAB is not supported
+
+# Currently PORTTIME_CHECKS_ENAB is not supported
+
+# Currently QUOTAS_ENAB is not supported
+
+# Currently SYSLOG_SU_ENAB is not supported
+
+#
+# Enable "syslog" logging of newgrp(1) and sg(1) activity.
+#
+#SYSLOG_SG_ENAB		yes
+
+# Currently CONSOLE is not supported
+
+# Currently SULOG_FILE is not supported
+
+# Currently MOTD_FILE is not supported
+
+# Currently ISSUE_FILE is not supported
+
+# Currently TTYTYPE_FILE is not supported
+
+# Currently FTMP_FILE is not supported
+
+# Currently NOLOGINS_FILE is not supported
+
+# Currently SU_NAME is not supported
+
 # *REQUIRED*
 #   Directory where mailboxes reside, _or_ name of file, relative to the
 #   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
-#   QMAIL_DIR is for Qmail
 #
-#QMAIL_DIR	Maildir
 MAIL_DIR	/var/spool/mail
 #MAIL_FILE	.mail
 
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+#HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+# Currently ENV_TZ is not supported
+
+# Currently ENV_HZ is not supported
+
+#
+# The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+#ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
+#ENV_PATH	PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a write(1) program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP as the number of such group
+# and TTYPERM as 0620.  Otherwise leave TTYGROUP commented out and
+# set TTYPERM to either 622 or 600.
+#
+#TTYGROUP	tty
+#TTYPERM		0600
+
+# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
+
+# Default initial "umask" value used by login(1) on non-PAM enabled systems.
+# Default "umask" value for pam_umask(8) on PAM enabled systems.
+# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+# home directories if HOME_MODE is not set.
+# 022 is the default value, but 027, or even 077, could be considered
+# for increased privacy. There is no One True Answer here: each sysadmin
+# must make up their mind.
+UMASK		022
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+HOME_MODE	0700
+
 # Password aging controls:
 #
 #	PASS_MAX_DAYS	Maximum number of days a password may be used.
@@ -24,26 +130,105 @@ MAIL_DIR	/var/spool/mail
 #
 PASS_MAX_DAYS	99999
 PASS_MIN_DAYS	0
-PASS_MIN_LEN	5
 PASS_WARN_AGE	7
 
+# Currently PASS_MIN_LEN is not supported
+
+# Currently SU_WHEEL_ONLY is not supported
+
+# Currently CRACKLIB_DICTPATH is not supported
+
 #
-# Min/max values for automatic uid selection in useradd
+# Min/max values for automatic uid selection in useradd(8)
 #
 UID_MIN                  1000
 UID_MAX                 60000
 # System accounts
 SYS_UID_MIN               201
 SYS_UID_MAX               999
+# Extra per user uids
+SUB_UID_MIN		   100000
+SUB_UID_MAX		600100000
+SUB_UID_COUNT		    65536
 
 #
-# Min/max values for automatic gid selection in groupadd
+# Min/max values for automatic gid selection in groupadd(8)
 #
 GID_MIN                  1000
 GID_MAX                 60000
 # System accounts
 SYS_GID_MIN               201
 SYS_GID_MAX               999
+# Extra per user group ids
+SUB_GID_MIN		   100000
+SUB_GID_MAX		600100000
+SUB_GID_COUNT		    65536
+
+#
+# Max number of login(1) retries if password is bad
+#
+#LOGIN_RETRIES		3
+
+#
+# Max time in seconds for login(1)
+#
+#LOGIN_TIMEOUT		60
+
+# Currently PASS_CHANGE_TRIES is not supported
+
+# Currently PASS_ALWAYS_WARN is not supported
+
+# Currently PASS_MAX_LEN is not supported
+
+# Currently CHFN_AUTH is not supported
+
+#
+# Which fields may be changed by regular users using chfn(1) - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# 
+#CHFN_RESTRICT		rwh
+
+# Currently LOGIN_STRING is not supported
+
+# Currently MD5_CRYPT_ENAB is not supported
+
+#
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BLOWFISH, BLOWFISH-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+#
+ENCRYPT_METHOD SHA512
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be within the 1000-999999999 range.
+#
+#SHA_CRYPT_MAX_ROUNDS 5000
+
+# Currently SHA_CRYPT_MIN_ROUNDS is not supported
+
+# Currently BCRYPT_MIN_ROUNDS and BCRYPT_MAX_ROUNDS are not supported
+
+# Currently CONSOLE_GROUPS is not supported
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is yes.
+#
+#DEFAULT_HOME	yes
+
+# Currently ENVIRON_FILE is not supported
 
 #
 # If defined, this command is run when removing a user.
@@ -53,20 +238,31 @@ SYS_GID_MAX               999
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If useradd should create home directories for users by default
-# On RH systems, we do. This option is overridden with the -m flag on
-# useradd command line.
-#
-CREATE_HOME	yes
-
-# The permission mask is initialized to this value. If not specified, 
-# the permission mask will be initialized to 022.
-UMASK           077
-
-# This enables userdel to remove user groups if no members exist.
+# Enables userdel(8) to remove user groups if no members exist.
 #
 USERGROUPS_ENAB yes
 
-# Use SHA512 to encrypt password.
-ENCRYPT_METHOD SHA512
+#
+# If set to a non-zero number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permits to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP	0
 
+#
+# If useradd(8) should create home directories for users by default (non
+# system users only).
+# This option is overridden with the -M or -m flags on the useradd(8)
+# command-line.
+#
+CREATE_HOME	yes
+
+#
+# Force use shadow, even if shadow passwd & shadow group files are
+# missing.
+#
+#FORCE_SHADOW    yes

shadow-utils.spec

@@ -1,6 +1,6 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
-Version: 4.8
+Version: 4.8.1
 Release: 3%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
@@ -10,6 +10,7 @@ Source2: shadow-utils.useradd
 Source3: shadow-utils.login.defs
 Source4: shadow-bsd.txt
 Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+Source6: shadow-utils.HOME_MODE.xml
 # Misc small changes - most probably non-upstreamable
 Patch0: shadow-4.6-redhat.patch
 # Be more lenient with acceptable user/group names - non upstreamable
@@ -23,7 +24,7 @@ Patch11: shadow-4.1.5.1-logmsg.patch
 # SElinux related - upstreamability unknown
 Patch14: shadow-4.1.5.1-default-range.patch
 # Misc manual page changes - only some of them could be upstreamed
-Patch15: shadow-4.8-manfix.patch
+Patch15: shadow-4.8.1-manfix.patch
 # Userdel usage message change - could be upstreamed
 Patch17: shadow-4.1.5.1-userdel-helpfix.patch
 # Date parsing improvement - could be upstreamed
@@ -31,7 +32,7 @@ Patch19: shadow-4.2.1-date-parsing.patch
 # Additional error message - could be upstreamed
 Patch21: shadow-4.6-move-home.patch
 # Audit message changes - upstreamability unknown
-Patch22: shadow-4.8-audit-update.patch
+Patch22: shadow-4.8.1-audit-update.patch
 # Changes related to password unlocking - could be upstreamed
 Patch23: shadow-4.5-usermod-unlock.patch
 # Additional SElinux related changes - upstreamability unknown
@@ -48,8 +49,12 @@ Patch33: shadow-4.8-long-entry.patch
 Patch38: shadow-4.6-sysugid-min-limit.patch
 # Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
 Patch40: shadow-4.8-ignore-login-prompt.patch
-# Make the missing shell check into warning - could be upstreamed
-Patch41: shadow-4.8-invalid-shell-check.patch
+# Generate /var/spool/mail/$USER with the proper SELinux user identity - already upstreamed
+Patch42: shadow-4.8-useradd-selinux-mail.patch
+# Clarify useradd man regarding "-d" parameter - already upstreamed
+Patch43: shadow-4.8.1-useradd-man-clarification.patch
+# https://github.com/shadow-maint/shadow/commit/599cc003daf833bffdc9cbe0d33dc8b3e7ec74c8
+Patch44: shadow-4.8.1-commonio-force-lock-file-sync.patch
 
 License: BSD and GPLv2+
 BuildRequires: gcc
@@ -63,6 +68,7 @@ BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool
 Requires: libselinux >= 1.25.2-1
 Requires: audit-libs >= 1.6.5
 Requires: setup
+Provides: shadow = %{epoch}:%{version}-%{release}
 
 %description
 The shadow-utils package includes the necessary programs for
@@ -97,12 +103,15 @@ are used for managing group accounts.
 %patch33 -p1 -b .long-entry
 %patch38 -p1 -b .sysugid-min-limit
 %patch40 -p1 -b .login-prompt
-%patch41 -p1 -b .invalid-shell
+%patch42 -p1 -b .useradd-selinux-mail
+%patch43 -p1 -b .useradd-man-clarification
+%patch44 -p1 -b .commonio-force-lock-file-sync
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
 
 cp -a %{SOURCE4} %{SOURCE5} .
+cp -a %{SOURCE6} man/login.defs.d/HOME_MODE.xml
 
 # Force regeneration of getdate.c
 rm libmisc/getdate.c
@@ -252,6 +261,23 @@ done
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Mon Nov 23 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-3
+- commonio: force lock file sync (#1862056)
+- spec: add Provides keyword
+
+* Tue Mar 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-2
+- useradd: clarify the useradd -d parameter behavior in man page
+
+* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-1
+- updated upstream to 4.8.1
+
+* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-5
+- synchronized login.defs with upstream file (#1261099 and #1807957)
+
+* Mon Feb 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-4
+- fix useradd: doesn't generate spool mail with the proper SELinux user identity
+  (#1690527)
+
 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 

sources

@@ -1,2 +1,2 @@
-SHA512 (shadow-4.8.tar.xz) = 1c607aec541400fc179d6cbbac7511289c618ab2ce6ee9d7c18a8bfda00421c62d4b9e58aff52b5f82d485468e7db955c186ea0faad9a08003ffc01bdf2ccece
-SHA512 (shadow-4.8.tar.xz.asc) = 200f7793e55447cc5c0d11988ee26511167c5fe23e1f6622b6b0c8cb74498052f2df855f02e351fee0da16562f6a6510ad3954b4c5e13dd9a8da0d998f8dc5e6
+SHA512 (shadow-4.8.1.tar.xz) = 780a983483d847ed3c91c82064a0fa902b6f4185225978241bc3bc03fcc3aa143975b46aee43151c6ba43efcfdb1819516b76ba7ad3d1d3c34fcc38ea42e917b
+SHA512 (shadow-4.8.1.tar.xz.asc) = ec7686263c81d3feb8ee4314c3323a9a3ada74aafaaf99f4f0d9af9b1341f8c5ff5477ecf98dd94dbb7d921f532d655b0b6a87d94c71893f35dc9bc54c84dd42