- nss: get shadow_logfd with log_get_logfd() (#2038811)

- lib: make shadow_logfd and Prog not extern
- lib: rename Prog to shadow_progname
- lib: provide default values for shadow_progname
- libsubid: use log_set_progname in subid_init

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

shadow-4.9-getsubids.patch

@@ -0,0 +1,245 @@
+diff -up shadow-4.9/man/getsubids.1.xml.getsubids shadow-4.9/man/getsubids.1.xml
+--- shadow-4.9/man/getsubids.1.xml.getsubids	2021-11-18 16:27:33.951053120 +0100
++++ shadow-4.9/man/getsubids.1.xml	2021-11-18 16:27:33.951053120 +0100
+@@ -0,0 +1,141 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!--
++   Copyright (c) 2021 Iker Pedrosa
++   All rights reserved.
++
++   Redistribution and use in source and binary forms, with or without
++   modification, are permitted provided that the following conditions
++   are met:
++   1. Redistributions of source code must retain the above copyright
++      notice, this list of conditions and the following disclaimer.
++   2. Redistributions in binary form must reproduce the above copyright
++      notice, this list of conditions and the following disclaimer in the
++      documentation and/or other materials provided with the distribution.
++   3. The name of the copyright holders or contributors may not be used to
++      endorse or promote products derived from this software without
++      specific prior written permission.
++
++   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++-->
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
++  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
++<!-- SHADOW-CONFIG-HERE -->
++]>
++
++<refentry id='getsubids.1'>
++  <refentryinfo>
++    <author>
++      <firstname>Iker</firstname>
++      <surname>Pedrosa</surname>
++      <contrib>Creation, 2021</contrib>
++    </author>
++  </refentryinfo>
++  <refmeta>
++    <refentrytitle>getsubids</refentrytitle>
++    <manvolnum>1</manvolnum>
++    <refmiscinfo class="sectdesc">User Commands</refmiscinfo>
++    <refmiscinfo class="source">shadow-utils</refmiscinfo>
++    <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
++  </refmeta>
++  <refnamediv id='name'>
++    <refname>getsubids</refname>
++    <refpurpose>get the subordinate id ranges for a user</refpurpose>
++  </refnamediv>
++
++  <refsynopsisdiv id='synopsis'>
++    <cmdsynopsis>
++      <command>getsubids</command>
++      <arg choice='opt'>
++        <replaceable>options</replaceable>
++      </arg>
++      <arg choice='plain'>
++        <replaceable>USER</replaceable>
++      </arg>
++    </cmdsynopsis>
++  </refsynopsisdiv>
++
++  <refsect1 id='description'>
++    <title>DESCRIPTION</title>
++    <para>
++      The <command>getsubids</command> command lists the subordinate user ID
++      ranges for a given user. The subordinate group IDs can be listed using
++      the <option>-g</option> option.
++    </para>
++  </refsect1>
++
++  <refsect1 id='options'>
++    <title>OPTIONS</title>
++    <para>
++      The options which apply to the <command>getsubids</command> command are:
++    </para>
++    <variablelist remap='IP'>
++      <varlistentry>
++        <term>
++          <option>-g</option>
++        </term>
++        <listitem>
++          <para>
++            List the subordinate group ID ranges.
++          </para>
++        </listitem>
++      </varlistentry>
++    </variablelist>
++  </refsect1>
++
++  <refsect1 id='example'>
++    <title>EXAMPLE</title>
++    <para>
++      For example, to obtain the subordinate UIDs of the testuser:
++    </para>
++    <para>
++<programlisting>
++$ getsubids testuser
++0: testuser 100000 65536
++</programlisting>
++    </para>
++    <para>
++      This command output provides (in order from left to right) the list
++      index, username, UID range start, and number of UIDs in range.
++    </para>
++  </refsect1>
++
++  <refsect1 id='see_also'>
++    <title>SEE ALSO</title>
++    <para>
++      <citerefentry>
++        <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>userdel</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>.
++      <citerefentry>
++        <refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>,
++    </para>
++  </refsect1>
++</refentry>
+diff -up shadow-4.9/man/Makefile.am.getsubids shadow-4.9/man/Makefile.am
+--- shadow-4.9/man/Makefile.am.getsubids	2021-07-22 23:55:35.000000000 +0200
++++ shadow-4.9/man/Makefile.am	2021-11-18 16:27:33.951053120 +0100
+@@ -62,6 +62,7 @@ man_MANS += $(man_nopam)
+ endif
+ 
+ man_subids = \
++	man1/getsubids.1 \
+ 	man1/newgidmap.1 \
+ 	man1/newuidmap.1 \
+ 	man5/subgid.5 \
+@@ -80,6 +81,7 @@ man_XMANS = \
+ 	expiry.1.xml \
+ 	faillog.5.xml \
+ 	faillog.8.xml \
++	getsubids.1.xml \
+ 	gpasswd.1.xml \
+ 	groupadd.8.xml \
+ 	groupdel.8.xml \
+diff -up shadow-4.9/src/getsubids.c.getsubids shadow-4.9/src/getsubids.c
+--- shadow-4.9/src/getsubids.c.getsubids	2021-11-18 16:27:33.951053120 +0100
++++ shadow-4.9/src/getsubids.c	2021-11-18 16:27:33.951053120 +0100
+@@ -0,0 +1,46 @@
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include "subid.h"
++#include "prototypes.h"
++
++const char *Prog;
++FILE *shadow_logfd = NULL;
++
++void usage(void)
++{
++	fprintf(stderr, "Usage: %s [-g] user\n", Prog);
++	fprintf(stderr, "    list subuid ranges for user\n");
++	fprintf(stderr, "    pass -g to list subgid ranges\n");
++	exit(EXIT_FAILURE);
++}
++
++int main(int argc, char *argv[])
++{
++	int i, count=0;
++	struct subid_range *ranges;
++	const char *owner;
++
++	Prog = Basename (argv[0]);
++	shadow_logfd = stderr;
++	if (argc < 2)
++		usage();
++	owner = argv[1];
++	if (argc == 3 && strcmp(argv[1], "-g") == 0) {
++		owner = argv[2];
++		count = get_subgid_ranges(owner, &ranges);
++	} else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
++		usage();
++	} else {
++		count = get_subuid_ranges(owner, &ranges);
++	}
++	if (!ranges) {
++		fprintf(stderr, "Error fetching ranges\n");
++		exit(1);
++	}
++	for (i = 0; i < count; i++) {
++		printf("%d: %s %lu %lu\n", i, owner,
++			ranges[i].start, ranges[i].count);
++	}
++	return 0;
++}
+diff -up shadow-4.9/src/list_subid_ranges.c.getsubids shadow-4.9/src/list_subid_ranges.c
+diff -up shadow-4.9/src/Makefile.am.getsubids shadow-4.9/src/Makefile.am
+--- shadow-4.9/src/Makefile.am.getsubids	2021-11-18 16:27:33.943053061 +0100
++++ shadow-4.9/src/Makefile.am	2021-11-18 16:28:03.647272392 +0100
+@@ -157,8 +157,8 @@ if FCAPS
+ 	setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap
+ endif
+ 
+-noinst_PROGRAMS += list_subid_ranges  \
+-					get_subid_owners \
++bin_PROGRAMS    +=  getsubids
++noinst_PROGRAMS +=  get_subid_owners \
+ 					new_subid_range \
+ 					free_subid_range \
+ 					check_subid_range
+@@ -174,13 +174,13 @@ MISCLIBS = \
+ 	$(LIBCRYPT) \
+ 	$(LIBTCB)
+ 
+-list_subid_ranges_LDADD = \
++getsubids_LDADD = \
+ 	$(top_builddir)/lib/libshadow.la \
+ 	$(top_builddir)/libmisc/libmisc.la \
+ 	$(top_builddir)/libsubid/libsubid.la \
+ 	$(MISCLIBS) -ldl
+ 
+-list_subid_ranges_CPPFLAGS = \
++getsubids_CPPFLAGS = \
+ 	-I$(top_srcdir)/lib \
+ 	-I$(top_srcdir)/libmisc \
+ 	-I$(top_srcdir)/libsubid

shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch

@@ -0,0 +1,13 @@
+diff -up shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist shadow-4.9/libmisc/prefix_flag.c
+--- shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist	2021-11-19 09:21:36.997091941 +0100
++++ shadow-4.9/libmisc/prefix_flag.c	2021-11-19 09:22:19.001341010 +0100
+@@ -288,6 +288,9 @@ extern struct passwd* prefix_getpwent()
+ 	if(!passwd_db_file) {
+ 		return getpwent();
+ 	}
++	if (!fp_pwent) {
++		return NULL;
++	}
+ 	return fgetpwent(fp_pwent);
+ }
+ extern void prefix_endpwent()

shadow-4.9-move-create-home.patch

@@ -1,8 +1,22 @@
+From 09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Fri, 8 Oct 2021 13:09:59 +0200
+Subject: [PATCH] useradd: create directories after the SELinux user
+
+Create the home and mail folders after the SELinux user has been set for
+the added user. This will allow the folders to be created with the
+SELinux user label.
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ src/useradd.c | 46 +++++++++++++++++++++++-----------------------
+ 1 file changed, 23 insertions(+), 23 deletions(-)
+
 diff --git a/src/useradd.c b/src/useradd.c
-index baeffb35..02e1402c 100644
+index 6269c01c..b463a170 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
-@@ -2644,27 +2644,12 @@ int main (int argc, char **argv)
+@@ -2670,27 +2670,12 @@ int main (int argc, char **argv)
  
  	usr_update ();
  
@@ -34,17 +48,14 @@ index baeffb35..02e1402c 100644
  	/*
  	 * tallylog_reset needs to be able to lookup
  	 * a valid existing user name,
-@@ -2695,9 +2680,24 @@ int main (int argc, char **argv)
- 		exit(1);
+@@ -2716,15 +2701,30 @@ int main (int argc, char **argv)
  	}
+ #endif				/* WITH_SELINUX */
  
--	nscd_flush_cache ("passwd");
--	nscd_flush_cache ("group");
--	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
 +	if (mflg) {
 +		create_home ();
 +		if (home_added) {
-+			copy_tree (def_template, prefix_user_home, false, true,
++			copy_tree (def_template, prefix_user_home, false, false,
 +			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
 +		} else {
 +			fprintf (stderr,
@@ -59,6 +70,19 @@ index baeffb35..02e1402c 100644
 +	if (!rflg) {
 +		create_mail ();
 +	}
++
+ 	if (run_parts ("/etc/shadow-maint/useradd-post.d", (char*)user_name,
+ 			"useradd")) {
+ 		exit(1);
+ 	}
  
+-	nscd_flush_cache ("passwd");
+-	nscd_flush_cache ("group");
+-	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+-
  	return E_SUCCESS;
  }
+ 
+-- 
+2.31.1
+

shadow-4.9-newgrp-fix-segmentation-fault.patch

@@ -0,0 +1,35 @@
+From 497e90751bc0d95cc998b0f06305040563903948 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Wed, 10 Nov 2021 12:02:04 +0100
+Subject: [PATCH] newgrp: fix segmentation fault
+
+Fix segmentation fault in newgrp when xgetspnam() returns a NULL value
+that is immediately freed.
+
+The error was committed in
+https://github.com/shadow-maint/shadow/commit/e65cc6aebcb4132fa413f00a905216a5b35b3d57
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2019553
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ src/newgrp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/newgrp.c b/src/newgrp.c
+index 730f47e8..566f1c89 100644
+--- a/src/newgrp.c
++++ b/src/newgrp.c
+@@ -163,8 +163,8 @@ static void check_perms (const struct group *grp,
+ 	spwd = xgetspnam (pwd->pw_name);
+ 	if (NULL != spwd) {
+ 		pwd->pw_passwd = xstrdup (spwd->sp_pwdp);
++		spw_free (spwd);
+ 	}
+-	spw_free (spwd);
+ 
+ 	if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) {
+ 		needspasswd = true;
+-- 
+2.31.1
+

shadow-4.9-nss-get-shadow-logfd-with-log-get-logfd.patch

@@ -0,0 +1,48 @@
+From e101219ad71de11da3fdd1b3ec2620fd1a97b92c Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 10 Jan 2022 15:30:28 +0100
+Subject: [PATCH] nss: get shadow_logfd with log_get_logfd()
+
+If /etc/nsswitch.conf doesn't exist podman crashes because shadow_logfd
+is NULL. In order to avoid that load the log file descriptor with the
+log_get_logfd() helper function.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2038811
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ lib/nss.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 02742902..06fa48e5 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -9,6 +9,7 @@
+ #include "prototypes.h"
+ #include "../libsubid/subid.h"
+ #include "shadowlog_internal.h"
++#include "shadowlog.h"
+ 
+ #define NSSWITCH "/etc/nsswitch.conf"
+ 
+@@ -42,6 +43,7 @@ void nss_init(const char *nsswitch_path) {
+ 	FILE *nssfp = NULL;
+ 	char *line = NULL, *p, *token, *saveptr;
+ 	size_t len = 0;
++	FILE *shadow_logfd = log_get_logfd();
+ 
+ 	if (atomic_flag_test_and_set(&nss_init_started)) {
+ 		// Another thread has started nss_init, wait for it to complete
+@@ -57,7 +59,7 @@ void nss_init(const char *nsswitch_path) {
+ 	//   subid:	files
+ 	nssfp = fopen(nsswitch_path, "r");
+ 	if (!nssfp) {
+-		fprintf(shadow_logfd, "Failed opening %s: %m", nsswitch_path);
++		fprintf(shadow_logfd, "Failed opening %s: %m\n", nsswitch_path);
+ 		atomic_store(&nss_init_completed, true);
+ 		return;
+ 	}
+-- 
+2.34.1
+

shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch

@@ -0,0 +1,30 @@
+From d8e54618feea201987c1f3cb402ed50d1d8b604f Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 15 Nov 2021 12:40:15 +0100
+Subject: [PATCH] pwck: fix segfault when calling fprintf()
+
+As shadow_logfd variable is not set at the beginning of the program if
+something fails and fprintf() is called a segmentation fault happens.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2021339
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ src/pwck.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pwck.c b/src/pwck.c
+index 4248944a..4ce86af2 100644
+--- a/src/pwck.c
++++ b/src/pwck.c
+@@ -857,6 +857,7 @@ int main (int argc, char **argv)
+ 	 * Get my name so that I can use it to report errors.
+ 	 */
+ 	Prog = Basename (argv[0]);
++	shadow_logfd = stderr;
+ 
+ 	(void) setlocale (LC_ALL, "");
+ 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
+-- 
+2.31.1
+

shadow-4.9-rename-prog-to-shadow-progname.patch

@@ -0,0 +1,507 @@
+diff -up shadow-4.9/lib/commonio.c.debug2 shadow-4.9/lib/commonio.c
+--- shadow-4.9/lib/commonio.c.debug2	2022-01-10 10:57:47.535238522 +0100
++++ shadow-4.9/lib/commonio.c	2022-01-10 10:57:47.544238586 +0100
+@@ -147,7 +147,7 @@ static int do_lock_file (const char *fil
+ 		if (log) {
+ 			(void) fprintf (shadow_logfd,
+ 			                "%s: %s: %s\n",
+-			                Prog, file, strerror (errno));
++			                shadow_progname, file, strerror (errno));
+ 		}
+ 		return 0;
+ 	}
+@@ -159,7 +159,7 @@ static int do_lock_file (const char *fil
+ 		if (log) {
+ 			(void) fprintf (shadow_logfd,
+ 			                "%s: %s file write error: %s\n",
+-			                Prog, file, strerror (errno));
++			                shadow_progname, file, strerror (errno));
+ 		}
+ 		(void) close (fd);
+ 		unlink (file);
+@@ -169,7 +169,7 @@ static int do_lock_file (const char *fil
+ 		if (log) {
+ 			(void) fprintf (shadow_logfd,
+ 			                "%s: %s file sync error: %s\n",
+-			                Prog, file, strerror (errno));
++			                shadow_progname, file, strerror (errno));
+ 		}
+ 		(void) close (fd);
+ 		unlink (file);
+@@ -182,7 +182,7 @@ static int do_lock_file (const char *fil
+ 		if ((0==retval) && log) {
+ 			(void) fprintf (shadow_logfd,
+ 			                "%s: %s: lock file already used\n",
+-			                Prog, file);
++			                shadow_progname, file);
+ 		}
+ 		unlink (file);
+ 		return retval;
+@@ -193,7 +193,7 @@ static int do_lock_file (const char *fil
+ 		if (log) {
+ 			(void) fprintf (shadow_logfd,
+ 			                "%s: %s: %s\n",
+-			                Prog, lock, strerror (errno));
++			                shadow_progname, lock, strerror (errno));
+ 		}
+ 		unlink (file);
+ 		errno = EINVAL;
+@@ -205,7 +205,7 @@ static int do_lock_file (const char *fil
+ 		if (log) {
+ 			(void) fprintf (shadow_logfd,
+ 			                "%s: existing lock file %s without a PID\n",
+-			                Prog, lock);
++			                shadow_progname, lock);
+ 		}
+ 		unlink (file);
+ 		errno = EINVAL;
+@@ -216,7 +216,7 @@ static int do_lock_file (const char *fil
+ 		if (log) {
+ 			(void) fprintf (shadow_logfd,
+ 			                "%s: existing lock file %s with an invalid PID '%s'\n",
+-			                Prog, lock, buf);
++			                shadow_progname, lock, buf);
+ 		}
+ 		unlink (file);
+ 		errno = EINVAL;
+@@ -226,7 +226,7 @@ static int do_lock_file (const char *fil
+ 		if (log) {
+ 			(void) fprintf (shadow_logfd,
+ 			                "%s: lock %s already used by PID %lu\n",
+-			                Prog, lock, (unsigned long) pid);
++			                shadow_progname, lock, (unsigned long) pid);
+ 		}
+ 		unlink (file);
+ 		errno = EEXIST;
+@@ -236,7 +236,7 @@ static int do_lock_file (const char *fil
+ 		if (log) {
+ 			(void) fprintf (shadow_logfd,
+ 			                "%s: cannot get lock %s: %s\n",
+-			                Prog, lock, strerror (errno));
++			                shadow_progname, lock, strerror (errno));
+ 		}
+ 		unlink (file);
+ 		return 0;
+@@ -248,13 +248,13 @@ static int do_lock_file (const char *fil
+ 		if ((0==retval) && log) {
+ 			(void) fprintf (shadow_logfd,
+ 			                "%s: %s: lock file already used\n",
+-			                Prog, file);
++			                shadow_progname, file);
+ 		}
+ 	} else {
+ 		if (log) {
+ 			(void) fprintf (shadow_logfd,
+ 			                "%s: cannot get lock %s: %s\n",
+-			                Prog, lock, strerror (errno));
++			                shadow_progname, lock, strerror (errno));
+ 		}
+ 	}
+ 
+@@ -449,7 +449,7 @@ int commonio_lock (struct commonio_db *d
+ 				if (geteuid () != 0) {
+ 					(void) fprintf (shadow_logfd,
+ 					                "%s: Permission denied.\n",
+-					                Prog);
++					                shadow_progname);
+ 				}
+ 				return 0;	/* failure */
+ 			}
+@@ -484,7 +484,7 @@ int commonio_lock (struct commonio_db *d
+ 		/* no unnecessary retries on "permission denied" errors */
+ 		if (geteuid () != 0) {
+ 			(void) fprintf (shadow_logfd, "%s: Permission denied.\n",
+-			                Prog);
++			                shadow_progname);
+ 			return 0;
+ 		}
+ 	}
+diff -up shadow-4.9/lib/nscd.c.debug2 shadow-4.9/lib/nscd.c
+--- shadow-4.9/lib/nscd.c.debug2	2022-01-10 10:57:47.537238536 +0100
++++ shadow-4.9/lib/nscd.c	2022-01-10 10:57:47.544238586 +0100
+@@ -26,7 +26,7 @@ int nscd_flush_cache (const char *servic
+ 
+ 	if (run_command (cmd, spawnedArgs, spawnedEnv, &status) != 0) {
+ 		/* run_command writes its own more detailed message. */
+-		(void) fprintf (shadow_logfd, _(MSG_NSCD_FLUSH_CACHE_FAILED), Prog);
++		(void) fprintf (shadow_logfd, _(MSG_NSCD_FLUSH_CACHE_FAILED), shadow_progname);
+ 		return -1;
+ 	}
+ 
+@@ -34,7 +34,7 @@ int nscd_flush_cache (const char *servic
+ 	if (!WIFEXITED (status)) {
+ 		(void) fprintf (shadow_logfd,
+ 		                _("%s: nscd did not terminate normally (signal %d)\n"),
+-		                Prog, WTERMSIG (status));
++		                shadow_progname, WTERMSIG (status));
+ 		return -1;
+ 	} else if (code == E_CMD_NOTFOUND) {
+ 		/* nscd is not installed, or it is installed but uses an
+@@ -45,8 +45,8 @@ int nscd_flush_cache (const char *servic
+ 		return 0;
+ 	} else if (code != 0) {
+ 		(void) fprintf (shadow_logfd, _("%s: nscd exited with status %d\n"),
+-		                Prog, code);
+-		(void) fprintf (shadow_logfd, _(MSG_NSCD_FLUSH_CACHE_FAILED), Prog);
++		                shadow_progname, code);
++		(void) fprintf (shadow_logfd, _(MSG_NSCD_FLUSH_CACHE_FAILED), shadow_progname);
+ 		return -1;
+ 	}
+ 
+diff -up shadow-4.9/lib/selinux.c.debug2 shadow-4.9/lib/selinux.c
+--- shadow-4.9/lib/selinux.c.debug2	2022-01-10 10:57:47.538238543 +0100
++++ shadow-4.9/lib/selinux.c	2022-01-10 10:57:47.544238586 +0100
+@@ -216,7 +216,7 @@ int check_selinux_permit (const char *pe
+ 	if (getprevcon_raw (&user_context_raw) != 0) {
+ 		fprintf (shadow_logfd,
+ 		    _("%s: can not get previous SELinux process context: %s\n"),
+-		    Prog, strerror (errno));
++		    shadow_progname, strerror (errno));
+ 		SYSLOG ((LOG_WARN,
+ 		    "can not get previous SELinux process context: %s",
+ 		    strerror (errno)));
+diff -up shadow-4.9/lib/shadowlog.c.debug2 shadow-4.9/lib/shadowlog.c
+--- shadow-4.9/lib/shadowlog.c.debug2	2022-01-10 10:57:47.538238543 +0100
++++ shadow-4.9/lib/shadowlog.c	2022-01-10 10:57:47.544238586 +0100
+@@ -2,14 +2,17 @@
+ 
+ #include "lib/shadowlog_internal.h"
+ 
++const char *shadow_progname;
++FILE *shadow_logfd;
++
+ void log_set_progname(const char *progname)
+ {
+-	Prog = progname;
++	shadow_progname = progname;
+ }
+ 
+ const char *log_get_progname(void)
+ {
+-	return Prog;
++	return shadow_progname;
+ }
+ 
+ void log_set_logfd(FILE *fd)
+diff -up shadow-4.9/lib/shadowlog_internal.h.debug2 shadow-4.9/lib/shadowlog_internal.h
+--- shadow-4.9/lib/shadowlog_internal.h.debug2	2022-01-10 10:57:47.538238543 +0100
++++ shadow-4.9/lib/shadowlog_internal.h	2022-01-10 10:57:47.544238586 +0100
+@@ -1,2 +1,2 @@
+-const char *Prog; /* Program name showed in error messages */
+-FILE *shadow_logfd;  /* file descripter to which error messages are printed */
++extern const char *shadow_progname; /* Program name showed in error messages */
++extern FILE *shadow_logfd;  /* file descripter to which error messages are printed */
+diff -up shadow-4.9/lib/spawn.c.debug2 shadow-4.9/lib/spawn.c
+--- shadow-4.9/lib/spawn.c.debug2	2022-01-10 10:57:47.538238543 +0100
++++ shadow-4.9/lib/spawn.c	2022-01-10 10:57:47.544238586 +0100
+@@ -60,11 +60,11 @@ int run_command (const char *cmd, const
+ 			exit (E_CMD_NOTFOUND);
+ 		}
+ 		fprintf (shadow_logfd, "%s: cannot execute %s: %s\n",
+-		         Prog, cmd, strerror (errno));
++		         shadow_progname, cmd, strerror (errno));
+ 		exit (E_CMD_NOEXEC);
+ 	} else if ((pid_t)-1 == pid) {
+ 		fprintf (shadow_logfd, "%s: cannot execute %s: %s\n",
+-		         Prog, cmd, strerror (errno));
++		         shadow_progname, cmd, strerror (errno));
+ 		return -1;
+ 	}
+ 
+@@ -77,7 +77,7 @@ int run_command (const char *cmd, const
+ 
+ 	if ((pid_t)-1 == wpid) {
+ 		fprintf (shadow_logfd, "%s: waitpid (status: %d): %s\n",
+-		         Prog, *status, strerror (errno));
++		         shadow_progname, *status, strerror (errno));
+ 		return -1;
+ 	}
+ 
+diff -up shadow-4.9/lib/sssd.c.debug2 shadow-4.9/lib/sssd.c
+--- shadow-4.9/lib/sssd.c.debug2	2022-01-10 10:57:47.538238543 +0100
++++ shadow-4.9/lib/sssd.c	2022-01-10 10:57:47.544238586 +0100
+@@ -48,22 +48,22 @@ int sssd_flush_cache (int dbflags)
+ 	free(sss_cache_args);
+ 	if (rv != 0) {
+ 		/* run_command writes its own more detailed message. */
+-		SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
++		SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, shadow_progname));
+ 		return -1;
+ 	}
+ 
+ 	code = WEXITSTATUS (status);
+ 	if (!WIFEXITED (status)) {
+ 		SYSLOG ((LOG_WARN, "%s: sss_cache did not terminate normally (signal %d)",
+-			Prog, WTERMSIG (status)));
++			shadow_progname, WTERMSIG (status)));
+ 		return -1;
+ 	} else if (code == E_CMD_NOTFOUND) {
+ 		/* sss_cache is not installed, or it is installed but uses an
+ 		   interpreter that is missing.  Probably the former. */
+ 		return 0;
+ 	} else if (code != 0) {
+-		SYSLOG ((LOG_WARN, "%s: sss_cache exited with status %d", Prog, code));
+-		SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
++		SYSLOG ((LOG_WARN, "%s: sss_cache exited with status %d", shadow_progname, code));
++		SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, shadow_progname));
+ 		return -1;
+ 	}
+ 
+diff -up shadow-4.9/lib/tcbfuncs.c.debug2 shadow-4.9/lib/tcbfuncs.c
+--- shadow-4.9/lib/tcbfuncs.c.debug2	2022-01-10 10:57:47.538238543 +0100
++++ shadow-4.9/lib/tcbfuncs.c	2022-01-10 10:59:01.228764507 +0100
+@@ -74,7 +74,7 @@ shadowtcb_status shadowtcb_gain_priv (vo
+  * to exit soon.
+  */
+ #define OUT_OF_MEMORY do { \
+-	fprintf (shadow_logfd, _("%s: out of memory\n"), Prog); \
++	fprintf (shadow_logfd, _("%s: out of memory\n"), shadow_progname); \
+ 	(void) fflush (shadow_logfd); \
+ } while (false)
+ 
+@@ -120,7 +120,7 @@ static /*@null@*/ char *shadowtcb_path_r
+ 	if (lstat (path, &st) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot stat %s: %s\n"),
+-		         Prog, path, strerror (errno));
++		         shadow_progname, path, strerror (errno));
+ 		free (path);
+ 		return NULL;
+ 	}
+@@ -136,7 +136,7 @@ static /*@null@*/ char *shadowtcb_path_r
+ 	if (!S_ISLNK (st.st_mode)) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: %s is neither a directory, nor a symlink.\n"),
+-		         Prog, path);
++		         shadow_progname, path);
+ 		free (path);
+ 		return NULL;
+ 	}
+@@ -144,7 +144,7 @@ static /*@null@*/ char *shadowtcb_path_r
+ 	if (-1 == ret) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot read symbolic link %s: %s\n"),
+-		         Prog, path, strerror (errno));
++		         shadow_progname, path, strerror (errno));
+ 		free (path);
+ 		return NULL;
+ 	}
+@@ -153,7 +153,7 @@ static /*@null@*/ char *shadowtcb_path_r
+ 		link[sizeof(link) - 1] = '\0';
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Suspiciously long symlink: %s\n"),
+-		         Prog, link);
++		         shadow_progname, link);
+ 		return NULL;
+ 	}
+ 	link[(size_t)ret] = '\0';
+@@ -211,7 +211,7 @@ static shadowtcb_status mkdir_leading (c
+ 	if (stat (TCB_DIR, &st) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot stat %s: %s\n"),
+-		         Prog, TCB_DIR, strerror (errno));
++		         shadow_progname, TCB_DIR, strerror (errno));
+ 		goto out_free_path;
+ 	}
+ 	while ((ind = strchr (ptr, '/'))) {
+@@ -223,19 +223,19 @@ static shadowtcb_status mkdir_leading (c
+ 		if ((mkdir (dir, 0700) != 0) && (errno != EEXIST)) {
+ 			fprintf (shadow_logfd,
+ 			         _("%s: Cannot create directory %s: %s\n"),
+-			         Prog, dir, strerror (errno));
++			         shadow_progname, dir, strerror (errno));
+ 			goto out_free_dir;
+ 		}
+ 		if (chown (dir, 0, st.st_gid) != 0) {
+ 			fprintf (shadow_logfd,
+ 			         _("%s: Cannot change owner of %s: %s\n"),
+-			         Prog, dir, strerror (errno));
++			         shadow_progname, dir, strerror (errno));
+ 			goto out_free_dir;
+ 		}
+ 		if (chmod (dir, 0711) != 0) {
+ 			fprintf (shadow_logfd,
+ 			         _("%s: Cannot change mode of %s: %s\n"),
+-			         Prog, dir, strerror (errno));
++			         shadow_progname, dir, strerror (errno));
+ 			goto out_free_dir;
+ 		}
+ 		free (dir);
+@@ -265,7 +265,7 @@ static shadowtcb_status unlink_suffs (co
+ 		if ((unlink (tmp) != 0) && (errno != ENOENT)) {
+ 			fprintf (shadow_logfd,
+ 			         _("%s: unlink: %s: %s\n"),
+-			         Prog, tmp, strerror (errno));
++			         shadow_progname, tmp, strerror (errno));
+ 			free (tmp);
+ 			return SHADOWTCB_FAILURE;
+ 		}
+@@ -290,7 +290,7 @@ static shadowtcb_status rmdir_leading (c
+ 			if (errno != ENOTEMPTY) {
+ 				fprintf (shadow_logfd,
+ 				         _("%s: Cannot remove directory %s: %s\n"),
+-				         Prog, dir, strerror (errno));
++				         shadow_progname, dir, strerror (errno));
+ 				ret = SHADOWTCB_FAILURE;
+ 			}
+ 			free (dir);
+@@ -319,7 +319,7 @@ static shadowtcb_status move_dir (const
+ 	if (stat (olddir, &oldmode) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot stat %s: %s\n"),
+-		         Prog, olddir, strerror (errno));
++		         shadow_progname, olddir, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	old_uid = oldmode.st_uid;
+@@ -346,7 +346,7 @@ static shadowtcb_status move_dir (const
+ 	if (rename (real_old_dir, real_new_dir) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot rename %s to %s: %s\n"),
+-		         Prog, real_old_dir, real_new_dir, strerror (errno));
++		         shadow_progname, real_old_dir, real_new_dir, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	if (rmdir_leading (real_old_dir_rel) == SHADOWTCB_FAILURE) {
+@@ -355,7 +355,7 @@ static shadowtcb_status move_dir (const
+ 	if ((unlink (olddir) != 0) && (errno != ENOENT)) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot remove %s: %s\n"),
+-		         Prog, olddir, strerror (errno));
++		         shadow_progname, olddir, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	if (asprintf (&newdir, TCB_DIR "/%s", user_newname) == -1) {
+@@ -369,7 +369,7 @@ static shadowtcb_status move_dir (const
+ 	    && (symlink (real_new_dir_rel, newdir) != 0)) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot create symbolic link %s: %s\n"),
+-		         Prog, real_new_dir_rel, strerror (errno));
++		         shadow_progname, real_new_dir_rel, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	ret = SHADOWTCB_SUCCESS;
+@@ -468,31 +468,31 @@ shadowtcb_status shadowtcb_move (/*@NULL
+ 	if (stat (tcbdir, &dirmode) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot stat %s: %s\n"),
+-		         Prog, tcbdir, strerror (errno));
++		         shadow_progname, tcbdir, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	if (chown (tcbdir, 0, 0) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot change owners of %s: %s\n"),
+-		         Prog, tcbdir, strerror (errno));
++		         shadow_progname, tcbdir, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	if (chmod (tcbdir, 0700) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot change mode of %s: %s\n"),
+-		         Prog, tcbdir, strerror (errno));
++		         shadow_progname, tcbdir, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	if (lstat (shadow, &filemode) != 0) {
+ 		if (errno != ENOENT) {
+ 			fprintf (shadow_logfd,
+ 			         _("%s: Cannot lstat %s: %s\n"),
+-			         Prog, shadow, strerror (errno));
++			         shadow_progname, shadow, strerror (errno));
+ 			goto out_free;
+ 		}
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Warning, user %s has no tcb shadow file.\n"),
+-		         Prog, user_newname);
++		         shadow_progname, user_newname);
+ 	} else {
+ 		if (!S_ISREG (filemode.st_mode) ||
+ 			filemode.st_nlink != 1) {
+@@ -500,19 +500,19 @@ shadowtcb_status shadowtcb_move (/*@NULL
+ 			         _("%s: Emergency: %s's tcb shadow is not a "
+ 			           "regular file with st_nlink=1.\n"
+ 			           "The account is left locked.\n"),
+-			         Prog, user_newname);
++			         shadow_progname, user_newname);
+ 			goto out_free;
+ 		}
+ 		if (chown (shadow, user_newid, filemode.st_gid) != 0) {
+ 			fprintf (shadow_logfd,
+ 			         _("%s: Cannot change owner of %s: %s\n"),
+-			         Prog, shadow, strerror (errno));
++			         shadow_progname, shadow, strerror (errno));
+ 			goto out_free;
+ 		}
+ 		if (chmod (shadow, filemode.st_mode & 07777) != 0) {
+ 			fprintf (shadow_logfd,
+ 			         _("%s: Cannot change mode of %s: %s\n"),
+-			         Prog, shadow, strerror (errno));
++			         shadow_progname, shadow, strerror (errno));
+ 			goto out_free;
+ 		}
+ 	}
+@@ -522,7 +522,7 @@ shadowtcb_status shadowtcb_move (/*@NULL
+ 	if (chown (tcbdir, user_newid, dirmode.st_gid) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot change owner of %s: %s\n"),
+-		         Prog, tcbdir, strerror (errno));
++		         shadow_progname, tcbdir, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	ret = SHADOWTCB_SUCCESS;
+@@ -547,7 +547,7 @@ shadowtcb_status shadowtcb_create (const
+ 	if (stat (TCB_DIR, &tcbdir_stat) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot stat %s: %s\n"),
+-		         Prog, TCB_DIR, strerror (errno));
++		         shadow_progname, TCB_DIR, strerror (errno));
+ 		return SHADOWTCB_FAILURE;
+ 	}
+ 	shadowgid = tcbdir_stat.st_gid;
+@@ -567,39 +567,39 @@ shadowtcb_status shadowtcb_create (const
+ 	if (mkdir (dir, 0700) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: mkdir: %s: %s\n"),
+-		         Prog, dir, strerror (errno));
++		         shadow_progname, dir, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	fd = open (shadow, O_RDWR | O_CREAT | O_TRUNC, 0600);
+ 	if (fd < 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot open %s: %s\n"),
+-		         Prog, shadow, strerror (errno));
++		         shadow_progname, shadow, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	close (fd);
+ 	if (chown (shadow, 0, authgid) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot change owner of %s: %s\n"),
+-		         Prog, shadow, strerror (errno));
++		         shadow_progname, shadow, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	if (chmod (shadow, (mode_t) ((authgid == shadowgid) ? 0600 : 0640)) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot change mode of %s: %s\n"),
+-		         Prog, shadow, strerror (errno));
++		         shadow_progname, shadow, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	if (chown (dir, 0, authgid) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot change owner of %s: %s\n"),
+-		         Prog, dir, strerror (errno));
++		         shadow_progname, dir, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	if (chmod (dir, (mode_t) ((authgid == shadowgid) ? 02700 : 02710)) != 0) {
+ 		fprintf (shadow_logfd,
+ 		         _("%s: Cannot change mode of %s: %s\n"),
+-		         Prog, dir, strerror (errno));
++		         shadow_progname, dir, strerror (errno));
+ 		goto out_free;
+ 	}
+ 	if (   (shadowtcb_set_user (name) == SHADOWTCB_FAILURE)

shadow-4.9-revert-useradd-fix-memleak.patch

@@ -0,0 +1,30 @@
+From 4624e9fca1b02b64e25e8b2280a0186182ab73ba Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Sat, 14 Aug 2021 19:37:24 -0500
+Subject: [PATCH] Revert "useradd.c:fix memleaks of grp"
+
+In some cases, the value which was being freed is not actually
+safe to free.
+
+Closes #394
+
+This reverts commit c44b71cec25d60efc51aec9de3abce1f6efbfcf5.
+---
+ src/useradd.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index f90127cd..0d3f390d 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -413,7 +413,6 @@ static void get_defaults (void)
+ 			} else {
+ 				def_group = grp->gr_gid;
+ 				def_gname = xstrdup (grp->gr_name);
+-				gr_free(grp);
+ 			}
+ 		}
+ 
+-- 
+2.31.1
+

shadow-4.9-semanage-close-the-selabel-handle.patch

@@ -0,0 +1,61 @@
+From 234af5cf67fc1a3ba99fc246ba65869a3c416545 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Fri, 8 Oct 2021 13:13:13 +0200
+Subject: [PATCH] semanage: close the selabel handle
+
+Close the selabel handle to update the file_context. This means that the
+file_context will be remmaped and used by selabel_lookup() to return
+the appropriate context to label the home folder.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ lib/prototypes.h | 1 +
+ lib/selinux.c    | 5 +++++
+ lib/semanage.c   | 1 +
+ 3 files changed, 7 insertions(+)
+
+diff --git a/lib/prototypes.h b/lib/prototypes.h
+index 1d1586d4..b697e0ec 100644
+--- a/lib/prototypes.h
++++ b/lib/prototypes.h
+@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
+ /* selinux.c */
+ #ifdef WITH_SELINUX
+ extern int set_selinux_file_context (const char *dst_name, mode_t mode);
++extern void reset_selinux_handle (void);
+ extern int reset_selinux_file_context (void);
+ extern int check_selinux_permit (const char *perm_name);
+ #endif
+diff --git a/lib/selinux.c b/lib/selinux.c
+index c83545f9..b075d4c0 100644
+--- a/lib/selinux.c
++++ b/lib/selinux.c
+@@ -50,6 +50,11 @@ static void cleanup(void)
+ 	}
+ }
+ 
++void reset_selinux_handle (void)
++{
++    cleanup();
++}
++
+ /*
+  * set_selinux_file_context - Set the security context before any file or
+  *                            directory creation.
+diff --git a/lib/semanage.c b/lib/semanage.c
+index 0d30456a..a5bf9218 100644
+--- a/lib/semanage.c
++++ b/lib/semanage.c
+@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
+ 	}
+ 
+ 	ret = 0;
++	reset_selinux_handle();
+ 
+ done:
+ 	semanage_seuser_key_free (key);
+-- 
+2.31.1
+

shadow-4.9-shadow-progname-default-init.patch

@@ -0,0 +1,39 @@
+diff -up shadow-4.9/lib/shadowlog.c.debug3 shadow-4.9/lib/shadowlog.c
+--- shadow-4.9/lib/shadowlog.c.debug3	2022-01-10 11:16:31.636261531 +0100
++++ shadow-4.9/lib/shadowlog.c	2022-01-10 11:16:31.637261538 +0100
+@@ -2,8 +2,8 @@
+ 
+ #include "lib/shadowlog_internal.h"
+ 
+-const char *shadow_progname;
+-FILE *shadow_logfd;
++const char *shadow_progname = "libshadow";
++FILE *shadow_logfd = NULL;
+ 
+ void log_set_progname(const char *progname)
+ {
+diff -up shadow-4.9/libsubid/api.c.debug3 shadow-4.9/libsubid/api.c
+--- shadow-4.9/libsubid/api.c.debug3	2022-01-10 11:16:31.637261538 +0100
++++ shadow-4.9/libsubid/api.c	2022-01-10 11:17:15.431574120 +0100
+@@ -40,17 +40,16 @@
+ #include "subid.h"
+ #include "shadowlog.h"
+ 
+-const char *Prog = "(libsubid)";
+-
+ bool libsubid_init(const char *progname, FILE * logfd)
+ {
+ 	FILE *shadow_logfd;
+ 	if (progname) {
+ 		progname = strdup(progname);
+-		if (progname)
+-			Prog = progname;
+-		else
++		if (!progname)
+ 			return false;
++		log_set_progname(progname);
++	} else {
++		log_set_progname("(libsubid)");
+ 	}
+ 
+ 	if (logfd) {

shadow-4.9-useradd-copy-tree-argument.patch

@@ -0,0 +1,13 @@
+diff --git a/src/useradd.c b/src/useradd.c
+index b463a170..f7c97958 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2704,7 +2704,7 @@ int main (int argc, char **argv)
+ 	if (mflg) {
+ 		create_home ();
+ 		if (home_added) {
+-			copy_tree (def_template, prefix_user_home, false, false,
++			copy_tree (def_template, prefix_user_home, false, true,
+ 			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ 		} else {
+ 			fprintf (stderr,

shadow-utils.login.defs

@@ -293,13 +293,3 @@ CREATE_HOME	yes
 # missing.
 #
 #FORCE_SHADOW    yes
-
-#
-# Select the HMAC cryptography algorithm.
-# Used in pam_timestamp module to calculate the keyed-hash message
-# authentication code.
-#
-# Note: It is recommended to check hmac(3) to see the possible algorithms
-# that are available in your system.
-#
-HMAC_CRYPTO_ALGO SHA512

shadow-utils.spec

@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.9
-Release: 4%{?dist}
+Release: 9%{?dist}
 Epoch: 2
 License: BSD and GPLv2+
 URL: https://github.com/shadow-maint/shadow
@@ -21,7 +21,7 @@ Source6: shadow-utils.HOME_MODE.xml
 Patch0: shadow-4.9-redhat.patch
 # Be more lenient with acceptable user/group names - non upstreamable
 Patch1: shadow-4.8-goodname.patch
-# Move create home to the end of main - upstreamability unknown
+# https://github.com/shadow-maint/shadow/commit/09c752f00f9dfc610f66d68be38c9e5be8ca7f15
 Patch2: shadow-4.9-move-create-home.patch
 # SElinux related - upstreamability unknown
 Patch3: shadow-4.9-default-range.patch
@@ -53,6 +53,29 @@ Patch15: shadow-4.9-usermod-allow-all-group-types.patch
 Patch16: shadow-4.9-useradd-avoid-generating-empty-subid-range.patch
 # https://github.com/shadow-maint/shadow/commit/234e8fa7b134d1ebabfdad980a3ae5b63c046c62
 Patch17: shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
+# https://github.com/shadow-maint/shadow/commit/234af5cf67fc1a3ba99fc246ba65869a3c416545
+Patch18: shadow-4.9-semanage-close-the-selabel-handle.patch
+# https://github.com/shadow-maint/shadow/commit/4624e9fca1b02b64e25e8b2280a0186182ab73ba
+Patch19: shadow-4.9-revert-useradd-fix-memleak.patch
+# https://github.com/shadow-maint/shadow/commit/06eb4e4d76ac7f1ac86e68a89b2dc9be7c7323a2
+Patch20: shadow-4.9-useradd-copy-tree-argument.patch
+# https://github.com/shadow-maint/shadow/commit/d8e54618feea201987c1f3cb402ed50d1d8b604f
+Patch21: shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch
+# https://github.com/shadow-maint/shadow/commit/497e90751bc0d95cc998b0f06305040563903948
+Patch22: shadow-4.9-newgrp-fix-segmentation-fault.patch
+# https://github.com/shadow-maint/shadow/commit/3b6ccf642c6bb2b7db087f09ee563ae9318af734
+Patch23: shadow-4.9-getsubids.patch
+# https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83
+Patch24: shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
+# https://github.com/shadow-maint/shadow/commit/79157cbad87f42cdc2068d72e798488572c68bb2
+Patch25: shadow-4.9-make-shadow-logfd-and-prog-not-extern.patch
+# https://github.com/shadow-maint/shadow/commit/0e6fe5e728a45baff3977d73e81a27adb6ae30c6
+Patch26: shadow-4.9-rename-prog-to-shadow-progname.patch
+# https://github.com/shadow-maint/shadow/commit/2b0bdef6f9a18382e92b0fb6d893c4339123ffac
+# https://github.com/shadow-maint/shadow/commit/9750fd681919ed558a9b044248a284d567cddf1a
+Patch27: shadow-4.9-shadow-progname-default-init.patch
+# https://github.com/shadow-maint/shadow/commit/e101219ad71de11da3fdd1b3ec2620fd1a97b92c
+Patch28: shadow-4.9-nss-get-shadow-logfd-with-log-get-logfd.patch
 
 ### Dependencies ###
 Requires: audit-libs >= 1.6.5
@@ -130,6 +153,17 @@ Development files for shadow-utils-subid.
 %patch15 -p1 -b .usermod-allow-all-group-types
 %patch16 -p1 -b .useradd-avoid-generating-empty-subid-range
 %patch17 -p1 -b .libmisc-fix-default-value-in-SHA_get_salt_rounds
+%patch18 -p1 -b .semanage-close-the-selabel-handle
+%patch19 -p1 -b .revert-useradd-fix-memleak
+%patch20 -p1 -b .useradd-copy-tree-argument
+%patch21 -p1 -b .pwck-fix-segfault-when-calling-fprintf
+%patch22 -p1 -b .newgrp-fix-segmentation-fault
+%patch23 -p1 -b .getsubids
+%patch24 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
+%patch25 -p1 -b .make-shadow-logfd-and-prog-not-extern
+%patch26 -p1 -b .rename-prog-to-shadow-progname
+%patch27 -p1 -b .shadow-progname-default-init
+%patch28 -p1 -b .nss-get-shadow-logfd-with-log-get-logfd
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -294,14 +328,35 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 
 %files subid
 %{_libdir}/libsubid.so.*
+%{_bindir}/getsubids
+%{_mandir}/man1/getsubids.1*
 
 %files subid-devel
 %{includesubiddir}/subid.h
 %{_libdir}/libsubid.so
 
 %changelog
-* Thu Sep 23 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
-- login.defs: include HMAC_CRYPTO_ALGO key
+* Mon Jan 17 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-9
+- nss: get shadow_logfd with log_get_logfd() (#2038811)
+- lib: make shadow_logfd and Prog not extern
+- lib: rename Prog to shadow_progname
+- lib: provide default values for shadow_progname
+- libsubid: use log_set_progname in subid_init
+
+* Fri Nov 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8
+- getsubids: provide system binary and man page (#1980780)
+- pwck: fix segfault when calling fprintf() (#2021339)
+- newgrp: fix segmentation fault (#2019553)
+- groupdel: fix SIGSEGV when passwd does not exist (#1986111)
+
+* Fri Nov 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7
+- useradd: change SELinux labels for home files (#2022658)
+
+* Tue Nov  9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6
+- useradd: revert fix memleak of grp (#2018697)
+
+* Tue Nov  2 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
+- useradd: generate home and mail directories with selinux user attribute
 - Clean spec file: organize dependencies and move License location
 
 * Tue Aug 17 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3