useradd: generate /var/spool/mail/$USER with the proper SELinux user identity

Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527

.gitignore

@@ -10,11 +10,3 @@ shadow-4.1.4.2.tar.bz2
 /shadow-4.5.tar.xz.asc
 /shadow-4.6.tar.xz
 /shadow-4.6.tar.xz.asc
-/shadow-4.8.tar.xz
-/shadow-4.8.tar.xz.asc
-/shadow-4.8.1.tar.xz
-/shadow-4.8.1.tar.xz.asc
-/shadow-4.9.tar.xz
-/shadow-4.9.tar.xz.asc
-/shadow-4.11.1.tar.xz
-/shadow-4.11.1.tar.xz.asc

shadow-4.1.5.1-default-range.patch

@@ -1,6 +1,7 @@
-diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
---- shadow-4.9/lib/semanage.c.default-range	2021-07-22 23:55:35.000000000 +0200
-+++ shadow-4.9/lib/semanage.c	2021-08-02 12:43:16.822817392 +0200
+Index: shadow-4.5/lib/semanage.c
+===================================================================
+--- shadow-4.5.orig/lib/semanage.c
++++ shadow-4.5/lib/semanage.c
 @@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
  		goto done;
  	}
@@ -8,7 +9,7 @@ diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
 +#if 0
  	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
  	if (ret != 0) {
- 		fprintf (shadow_logfd,
+ 		fprintf (stderr,
 @@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
  		ret = 1;
  		goto done;
@@ -24,7 +25,7 @@ diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
 +#if 0
  	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
  	if (ret != 0) {
- 		fprintf (shadow_logfd,
+ 		fprintf (stderr,
 @@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
  		ret = 1;
  		goto done;

shadow-4.1.5.1-info-parent-dir.patch

@@ -0,0 +1,21 @@
+Index: shadow-4.5/man/newusers.8.xml
+===================================================================
+--- shadow-4.5.orig/man/newusers.8.xml
++++ shadow-4.5/man/newusers.8.xml
+@@ -218,7 +218,15 @@
+ 	  <para>
+ 	    If this field does not specify an existing directory, the
+ 	    specified directory is created, with ownership set to the
+-	    user being created or updated and its primary group.
++	    user being created or updated and its primary group. Note 
++            that newusers does not create parent directories of the new 
++            user's home directory. The newusers command will fail to 
++            create the home directory if the parent directories do not 
++            exist, and will send a message to stderr informing the user 
++            of the failure. The newusers command will not halt or return 
++            a failure to the calling shell if it fails to create the home 
++            directory, it will continue to process the batch of new users 
++            specified.
+ 	  </para>
+ 	  <para>
+ 	    If the home directory of an existing user is changed,

shadow-4.1.5.1-logmsg.patch

@@ -0,0 +1,13 @@
+Index: shadow-4.5/src/useradd.c
+===================================================================
+--- shadow-4.5.orig/src/useradd.c
++++ shadow-4.5/src/useradd.c
+@@ -323,7 +323,7 @@ static void fail_exit (int code)
+ 	              user_name, AUDIT_NO_ID,
+ 	              SHADOW_AUDIT_FAILURE);
+ #endif
+-	SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
++	SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
+ 	exit (code);
+ }
+ 

shadow-4.1.5.1-userdel-helpfix.patch

@@ -0,0 +1,16 @@
+Index: shadow-4.5/src/userdel.c
+===================================================================
+--- shadow-4.5.orig/src/userdel.c
++++ shadow-4.5/src/userdel.c
+@@ -143,8 +143,9 @@ static void usage (int status)
+ 	                  "\n"
+ 	                  "Options:\n"),
+ 	                Prog);
+-	(void) fputs (_("  -f, --force                   force removal of files,\n"
+-	                "                                even if not owned by user\n"),
++	(void) fputs (_("  -f, --force                   force some actions that would fail otherwise\n"
++			"                                e.g. removal of user still logged in\n"
++			"                                or files, even if not owned by the user\n"),
+ 	              usageout);
+ 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
+ 	(void) fputs (_("  -r, --remove                  remove home directory and mail spool\n"), usageout);

shadow-4.11.1-null-tm.patch

@@ -1,22 +0,0 @@
-diff -up shadow-4.11.1/src/chage.c.null-tm shadow-4.11.1/src/chage.c
-diff -up shadow-4.11.1/src/lastlog.c.null-tm shadow-4.11.1/src/lastlog.c
---- shadow-4.11.1/src/lastlog.c.null-tm	2022-01-03 15:31:56.348555620 +0100
-+++ shadow-4.11.1/src/lastlog.c	2022-01-03 15:38:41.262229024 +0100
-@@ -151,9 +151,12 @@ static void print_one (/*@null@*/const s
- 
- 	ll_time = ll.ll_time;
- 	tm = localtime (&ll_time);
--	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
--	cp = ptime;
--
-+	if (tm == NULL) {
-+		cp = "(unknown)";
-+	} else {
-+		strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
-+		cp = ptime;
-+	}
- 	if (ll.ll_time == (time_t) 0) {
- 		cp = _("**Never logged in**\0");
- 	}
-diff -up shadow-4.11.1/src/passwd.c.null-tm shadow-4.11.1/src/passwd.c
-diff -up shadow-4.11.1/src/usermod.c.null-tm shadow-4.11.1/src/usermod.c

shadow-4.11.1-useradd-modify-check-ID-range-for-system-users.patch

@@ -1,40 +0,0 @@
-From f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa <ipedrosa@redhat.com>
-Date: Tue, 4 Jan 2022 13:06:00 +0100
-Subject: [PATCH] useradd: modify check ID range for system users
-
-useradd warns that a system user ID less than SYS_UID_MIN is outside the
-expected range, even though that ID has been specifically selected with
-the "-u" option.
-
-In my opinion all the user ID's below SYS_UID_MAX are for the system,
-thus I change the condition to take that into account.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004911
-
-Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
----
- src/useradd.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index 34376fa5..4c71c38a 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -2409,11 +2409,9 @@ static void check_uid_range(int rflg, uid_t user_id)
- 	uid_t uid_min ;
- 	uid_t uid_max ;
- 	if (rflg) {
--		uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
- 		uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
--		if (uid_min <= uid_max) {
--			if (user_id < uid_min || user_id >uid_max)
--				fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
-+		if (user_id > uid_max) {
-+			fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
- 		}
- 	}else{
- 		uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
--- 
-2.37.1
-

shadow-4.2.1-no-lock-dos.patch

@@ -0,0 +1,16 @@
+Index: shadow-4.5/lib/commonio.c
+===================================================================
+--- shadow-4.5.orig/lib/commonio.c
++++ shadow-4.5/lib/commonio.c
+@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
+ 	int retval;
+ 	char buf[32];
+ 
+-	fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
++	/* We depend here on the fact, that the file name is pid-specific.
++	 * So no O_EXCL here and no DoS.
++	 */
++	fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
+ 	if (-1 == fd) {
+ 		if (log) {
+ 			(void) fprintf (stderr,

shadow-4.2.1-null-tm.patch

@@ -0,0 +1,91 @@
+Index: shadow-4.5/src/faillog.c
+===================================================================
+--- shadow-4.5.orig/src/faillog.c
++++ shadow-4.5/src/faillog.c
+@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
+ 	}
+ 
+ 	tm = localtime (&fl.fail_time);
++	if (tm == NULL) {
++		cp = "(unknown)";
++	} else {
+ #ifdef HAVE_STRFTIME
+-	strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
+-	cp = ptime;
++		strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
++		cp = ptime;
+ #endif
++	}
+ 	printf ("%-9s   %5d    %5d   ",
+ 	        pw->pw_name, fl.fail_cnt, fl.fail_max);
+ 	/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
+Index: shadow-4.5/src/chage.c
+===================================================================
+--- shadow-4.5.orig/src/chage.c
++++ shadow-4.5/src/chage.c
+@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
+ 	struct tm *tp;
+ 
+ 	tp = gmtime (&date);
++	if (tp == NULL) {
++		(void) snprintf (buf, maxsize, "(unknown)");
++		return;
++	}
+ #ifdef HAVE_STRFTIME
+ 	(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
+ #else
+Index: shadow-4.5/src/lastlog.c
+===================================================================
+--- shadow-4.5.orig/src/lastlog.c
++++ shadow-4.5/src/lastlog.c
+@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
+ 
+ 	ll_time = ll.ll_time;
+ 	tm = localtime (&ll_time);
++	if (tm == NULL) {
++		cp = "(unknown)";
++	} else {
+ #ifdef HAVE_STRFTIME
+-	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+-	cp = ptime;
++		strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
++		cp = ptime;
+ #else
+-	cp = asctime (tm);
+-	cp[24] = '\0';
++		cp = asctime (tm);
++		cp[24] = '\0';
+ #endif
++	}
+ 
+ 	if (ll.ll_time == (time_t) 0) {
+ 		cp = _("**Never logged in**\0");
+Index: shadow-4.5/src/passwd.c
+===================================================================
+--- shadow-4.5.orig/src/passwd.c
++++ shadow-4.5/src/passwd.c
+@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
+ 	struct tm *tm;
+ 
+ 	tm = gmtime (&t);
++	if (tm == NULL) {
++		return "(unknown)";
++	}
+ #ifdef HAVE_STRFTIME
+ 	(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
+ #else				/* !HAVE_STRFTIME */
+Index: shadow-4.5/src/usermod.c
+===================================================================
+--- shadow-4.5.orig/src/usermod.c
++++ shadow-4.5/src/usermod.c
+@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
+ 	} else {
+ 		time_t t = (time_t) date;
+ 		tp = gmtime (&t);
++		if (tp == NULL) {
++			strncpy (buf, "unknown", maxsize);
++			return;
++		}
+ #ifdef HAVE_STRFTIME
+ 		strftime (buf, maxsize, "%Y-%m-%d", tp);
+ #else

shadow-4.3.1-manfix.patch

@@ -0,0 +1,310 @@
+Index: shadow-4.5/man/groupmems.8.xml
+===================================================================
+--- shadow-4.5.orig/man/groupmems.8.xml
++++ shadow-4.5/man/groupmems.8.xml
+@@ -179,20 +179,10 @@
+   <refsect1 id='setup'>
+     <title>SETUP</title>
+     <para>
+-      The <command>groupmems</command> executable should be in mode
+-      <literal>2770</literal> as user <emphasis>root</emphasis> and in group
+-      <emphasis>groups</emphasis>. The system administrator can add users to
+-      group <emphasis>groups</emphasis> to allow or disallow them using the
+-      <command>groupmems</command> utility to manage their own group
+-      membership list.
++      In this operating system the <command>groupmems</command> executable
++      is not setuid and regular users cannot use it to manipulate
++      the membership of their own group.
+     </para>
+-
+-    <programlisting>
+-	$ groupadd -r groups
+-	$ chmod 2770 groupmems
+-	$ chown root.groups groupmems
+-	$ groupmems -g groups -a gk4
+-    </programlisting>
+   </refsect1>
+ 
+   <refsect1 id='configuration'>
+Index: shadow-4.5/man/chage.1.xml
+===================================================================
+--- shadow-4.5.orig/man/chage.1.xml
++++ shadow-4.5/man/chage.1.xml
+@@ -102,6 +102,9 @@
+ 	    Set the number of days since January 1st, 1970 when the password
+ 	    was last changed. The date may also be expressed in the format
+ 	    YYYY-MM-DD (or the format more commonly used in your area).
++	    If the <replaceable>LAST_DAY</replaceable> is set to
++	    <emphasis>0</emphasis> the user is forced to change his password
++	    on the next log on.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -119,6 +122,13 @@
+ 	    system again.
+ 	  </para>
+ 	  <para>
++	    For example the following can be used to set an account to expire
++	    in 180 days:
++	  </para>
++	  <programlisting>
++	    chage -E $(date -d +180days +%Y-%m-%d)
++	  </programlisting>
++	  <para>
+ 	    Passing the number <emphasis remap='I'>-1</emphasis> as the
+ 	    <replaceable>EXPIRE_DATE</replaceable> will remove an account
+ 	    expiration date.
+Index: shadow-4.5/man/ja/man5/login.defs.5
+===================================================================
+--- shadow-4.5.orig/man/ja/man5/login.defs.5
++++ shadow-4.5/man/ja/man5/login.defs.5
+@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_
+ shadow パスワード機能のどのプログラムが
+ どのパラメータを使用するかを示したものである。
+ .na
+-.IP chfn 12
+-CHFN_AUTH CHFN_RESTRICT
+-.IP chsh 12
+-CHFN_AUTH
+ .IP groupadd 12
+ GID_MAX GID_MIN
+ .IP newusers 12
+Index: shadow-4.5/man/login.defs.5.xml
+===================================================================
+--- shadow-4.5.orig/man/login.defs.5.xml
++++ shadow-4.5/man/login.defs.5.xml
+@@ -162,6 +162,17 @@
+       long numeric parameters is machine-dependent.
+     </para>
+ 
++    <para>
++      Please note that the parameters in this configuration file control the
++      behavior of the tools from the shadow-utils component. None of these
++      tools uses the PAM mechanism, and the utilities that use PAM (such as the
++      passwd command) should be configured elsewhere. The only values that
++      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
++      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
++      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
++      pam(8) for more information.
++    </para>
++
+     <para>The following configuration items are provided:</para>
+ 
+     <variablelist remap='IP'>
+@@ -252,16 +263,6 @@
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+-	<term>chfn</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CHFN_AUTH</phrase>
+-	    CHFN_RESTRICT
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+ 	<term>chgpasswd</term>
+ 	<listitem>
+ 	  <para>
+@@ -282,14 +283,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry condition="no_pam">
+-	<term>chsh</term>
+-	<listitem>
+-	  <para>
+-	    CHSH_AUTH LOGIN_STRING
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
+       <!-- faillog: no variables -->
+       <varlistentry>
+@@ -350,34 +343,6 @@
+       </varlistentry>
+       <!-- id: no variables -->
+       <!-- lastlog: no variables -->
+-      <varlistentry>
+-	<term>login</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
+-	    ENV_TZ ENVIRON_FILE</phrase>
+-	    ERASECHAR FAIL_DELAY
+-	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
+-	    FAKE_SHELL
+-	    <phrase condition="no_pam">FTMP_FILE</phrase>
+-	    HUSHLOGIN_FILE
+-	    <phrase condition="no_pam">ISSUE_FILE</phrase>
+-	    KILLCHAR
+-	    <phrase condition="no_pam">LASTLOG_ENAB</phrase>
+-	    LOGIN_RETRIES
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
+-	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
+-	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
+-	    QUOTAS_ENAB</phrase>
+-	    TTYGROUP TTYPERM TTYTYPE_FILE
+-	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
+-	    USERGROUPS_ENAB
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- logoutd: no variables -->
+       <varlistentry>
+ 	<term>newgrp / sg</term>
+@@ -405,17 +370,6 @@
+ 	</listitem>
+       </varlistentry>
+       <!-- nologin: no variables -->
+-      <varlistentry condition="no_pam">
+-	<term>passwd</term>
+-	<listitem>
+-	  <para>
+-	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
+-	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
+-	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+-	    SHA_CRYPT_MIN_ROUNDS</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>pwck</term>
+ 	<listitem>
+@@ -442,32 +396,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>su</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
+-	    ENV_PATH ENV_SUPATH
+-	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
+-	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
+-	    SULOG_FILE SU_NAME
+-	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
+-	    SYSLOG_SU_ENAB
+-	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+-	<term>sulogin</term>
+-	<listitem>
+-	  <para>
+-	    ENV_HZ
+-	    <phrase condition="no_pam">ENV_TZ</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>useradd</term>
+ 	<listitem>
+Index: shadow-4.5/man/shadow.5.xml
+===================================================================
+--- shadow-4.5.orig/man/shadow.5.xml
++++ shadow-4.5/man/shadow.5.xml
+@@ -129,7 +129,7 @@
+ 	<listitem>
+ 	  <para>
+ 	    The date of the last password change, expressed as the number
+-	    of days since Jan 1, 1970.
++	    of days since Jan 1, 1970 00:00 UTC.
+ 	  </para>
+ 	  <para>
+ 	    The value 0 has a special meaning, which is that the user
+@@ -208,8 +208,8 @@
+ 	  </para>
+ 	  <para>
+ 	    After expiration of the password and this expiration period is
+-	    elapsed, no login is possible using the current user's
+-	    password.  The user should contact her administrator.
++	    elapsed, no login is possible for the user.
++	    The user should contact her administrator.
+ 	  </para>
+ 	  <para>
+ 	    An empty field means that there are no enforcement of an
+@@ -224,7 +224,7 @@
+ 	<listitem>
+ 	  <para>
+ 	    The date of expiration of the account, expressed as the number
+-	    of days since Jan 1, 1970.
++	    of days since Jan 1, 1970 00:00 UTC.
+ 	  </para>
+ 	  <para>
+ 	    Note that an account expiration differs from a password
+Index: shadow-4.5/man/useradd.8.xml
+===================================================================
+--- shadow-4.5.orig/man/useradd.8.xml
++++ shadow-4.5/man/useradd.8.xml
+@@ -347,6 +347,11 @@
+ 	    <option>CREATE_HOME</option> is not enabled, no home
+ 	    directories are created.
+ 	  </para>
++	  <para>
++	    The directory where the user's home directory is created must
++	    exist and have proper SELinux context and permissions. Otherwise
++	    the user's home directory cannot be created or accessed.
++	  </para>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+Index: shadow-4.5/man/usermod.8.xml
+===================================================================
+--- shadow-4.5.orig/man/usermod.8.xml
++++ shadow-4.5/man/usermod.8.xml
+@@ -132,7 +132,8 @@
+ 	    If the <option>-m</option>
+ 	    option is given, the contents of the current home directory will
+ 	    be moved to the new home directory, which is created if it does
+-	    not already exist.
++	    not already exist. If the current home directory does not exist
++	    the new home directory will not be created.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -256,7 +257,8 @@
+ 	<listitem>
+ 	  <para>
+ 	    Move the content of the user's home directory to the new
+-	    location.
++	    location. If the current home directory does not exist
++	    the new home directory will not be created.
+ 	  </para>
+ 	  <para>
+ 	    This option is only valid in combination with the
+diff --git a/man/login.defs.d/SUB_GID_COUNT.xml b/man/login.defs.d/SUB_GID_COUNT.xml
+index 01ace007..93fe7421 100644
+--- a/man/login.defs.d/SUB_GID_COUNT.xml
++++ b/man/login.defs.d/SUB_GID_COUNT.xml
+@@ -42,7 +42,7 @@
+     <para>
+       The default values for <option>SUB_GID_MIN</option>,
+       <option>SUB_GID_MAX</option>, <option>SUB_GID_COUNT</option>
+-      are respectively 100000, 600100000 and 10000.
++      are respectively 100000, 600100000 and 65536.
+     </para>
+   </listitem>
+ </varlistentry>
+diff --git a/man/login.defs.d/SUB_UID_COUNT.xml b/man/login.defs.d/SUB_UID_COUNT.xml
+index 5ad812f7..516417b7 100644
+--- a/man/login.defs.d/SUB_UID_COUNT.xml
++++ b/man/login.defs.d/SUB_UID_COUNT.xml
+@@ -42,7 +42,7 @@
+     <para>
+       The default values for <option>SUB_UID_MIN</option>,
+       <option>SUB_UID_MAX</option>, <option>SUB_UID_COUNT</option>
+-      are respectively 100000, 600100000 and 10000.
++      are respectively 100000, 600100000 and 65536.
+     </para>
+   </listitem>
+ </varlistentry>

shadow-4.3.1-selinux-perms.patch

@@ -1,6 +1,7 @@
-diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c
---- shadow-4.8/src/chgpasswd.c.selinux-perms	2019-12-01 18:02:43.000000000 +0100
-+++ shadow-4.8/src/chgpasswd.c	2020-01-13 10:21:44.558107260 +0100
+Index: shadow-4.5/src/chgpasswd.c
+===================================================================
+--- shadow-4.5.orig/src/chgpasswd.c
++++ shadow-4.5/src/chgpasswd.c
 @@ -39,6 +39,13 @@
  #include <pwd.h>
  #include <stdio.h>
@@ -15,7 +16,7 @@ diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c
  #ifdef ACCT_TOOLS_SETUID
  #ifdef USE_PAM
  #include "pam_defs.h"
-@@ -80,6 +87,9 @@ static bool sgr_locked = false;
+@@ -76,6 +83,9 @@ static bool sgr_locked = false;
  #endif
  static bool gr_locked = false;
  
@@ -25,7 +26,7 @@ diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c
  /* local function prototypes */
  static void fail_exit (int code);
  static /*@noreturn@*/void usage (int status);
-@@ -334,6 +344,63 @@ static void check_perms (void)
+@@ -300,6 +310,63 @@ static void check_perms (void)
  #endif				/* ACCT_TOOLS_SETUID */
  }
  
@@ -89,7 +90,7 @@ diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c
  /*
   * open_files - lock and open the group databases
   */
-@@ -427,6 +494,7 @@ int main (int argc, char **argv)
+@@ -393,6 +460,7 @@ int main (int argc, char **argv)
  
  	const struct group *gr;
  	struct group newgr;
@@ -97,17 +98,7 @@ diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c
  	int errors = 0;
  	int line = 0;
  
-@@ -436,12 +504,37 @@ int main (int argc, char **argv)
- 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
- 	(void) textdomain (PACKAGE);
- 
-+#ifdef WITH_SELINUX
-+	selinux_check_root ();
-+#endif
-+
- 	process_root_flag ("-R", argc, argv);
- 
- 	process_flags (argc, argv);
+@@ -408,8 +476,33 @@ int main (int argc, char **argv)
  
  	OPENLOG ("chgpasswd");
  
@@ -134,10 +125,33 @@ diff -up shadow-4.8/src/chgpasswd.c.selinux-perms shadow-4.8/src/chgpasswd.c
 +
  	check_perms ();
  
++#ifdef WITH_SELINUX
++	selinux_check_root ();
++#endif
++
  #ifdef SHADOWGRP
-diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c
---- shadow-4.8/src/chpasswd.c.selinux-perms	2019-12-01 18:02:43.000000000 +0100
-+++ shadow-4.8/src/chpasswd.c	2020-01-13 10:21:44.558107260 +0100
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
+@@ -536,6 +629,15 @@ int main (int argc, char **argv)
+ 			newgr.gr_passwd = cp;
+ 		}
+ 
++#ifdef WITH_AUDIT
++		{
++
++			audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
++		              "change-password",
++		              myname, AUDIT_NO_ID, gr->gr_name,
++		              SHADOW_AUDIT_SUCCESS);
++		}
++#endif
+ 		/* 
+ 		 * The updated group file entry is then put back and will
+ 		 * be written to the group file later, after all the
+Index: shadow-4.5/src/chpasswd.c
+===================================================================
+--- shadow-4.5.orig/src/chpasswd.c
++++ shadow-4.5/src/chpasswd.c
 @@ -39,6 +39,13 @@
  #include <pwd.h>
  #include <stdio.h>
@@ -152,7 +166,7 @@ diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c
  #ifdef USE_PAM
  #include "pam_defs.h"
  #endif				/* USE_PAM */
-@@ -332,6 +339,63 @@ static void check_perms (void)
+@@ -297,6 +304,63 @@ static void check_perms (void)
  #endif				/* USE_PAM */
  }
  
@@ -216,18 +230,7 @@ diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c
  /*
   * open_files - lock and open the password databases
   */
-@@ -428,6 +492,10 @@ int main (int argc, char **argv)
- 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
- 	(void) textdomain (PACKAGE);
- 
-+#ifdef WITH_SELINUX
-+	selinux_check_root ();
-+#endif
-+
- 	process_root_flag ("-R", argc, argv);
- 
- 	process_flags (argc, argv);
-@@ -440,6 +508,10 @@ int main (int argc, char **argv)
+@@ -405,8 +469,16 @@ int main (int argc, char **argv)
  
  	OPENLOG ("chpasswd");
  
@@ -237,4 +240,38 @@ diff -up shadow-4.8/src/chpasswd.c.selinux-perms shadow-4.8/src/chpasswd.c
 +
  	check_perms ();
  
++#ifdef WITH_SELINUX
++	selinux_check_root ();
++#endif
++
  #ifdef USE_PAM
+ 	if (!use_pam)
+ #endif				/* USE_PAM */
+@@ -566,6 +638,11 @@ int main (int argc, char **argv)
+ 			newpw.pw_passwd = cp;
+ 		}
+ 
++#ifdef WITH_AUDIT
++		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++		              "updating-password",
++		              pw->pw_name, (unsigned int) pw->pw_uid, 1);
++#endif
+ 		/* 
+ 		 * The updated password file entry is then put back and will
+ 		 * be written to the password file later, after all the
+Index: shadow-4.5/src/Makefile.am
+===================================================================
+--- shadow-4.5.orig/src/Makefile.am
++++ shadow-4.5/src/Makefile.am
+@@ -87,9 +87,9 @@ chage_LDADD    = $(LDADD) $(LIBPAM_SUID)
+ newuidmap_LDADD    = $(LDADD) $(LIBSELINUX)
+ newgidmap_LDADD    = $(LDADD) $(LIBSELINUX)
+ chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
++chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
+ chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
++chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
+ gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+ groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)

shadow-4.5-crypt_h.patch

@@ -0,0 +1,41 @@
+Index: shadow-4.5/configure.ac
+===================================================================
+--- shadow-4.5.orig/configure.ac
++++ shadow-4.5/configure.ac
+@@ -32,9 +32,9 @@ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+ AC_HEADER_STDBOOL
+ 
+-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
+-	utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
+-	utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
++AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \
++	utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \
++	paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
+ 	locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
+ 	attr/error_context.h)
+ 
+Index: shadow-4.5/lib/defines.h
+===================================================================
+--- shadow-4.5.orig/lib/defines.h
++++ shadow-4.5/lib/defines.h
+@@ -4,6 +4,8 @@
+ #ifndef _DEFINES_H_
+ #define _DEFINES_H_
+ 
++#include "config.h"
++
+ #if HAVE_STDBOOL_H
+ # include <stdbool.h>
+ #else
+@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
+ # include <unistd.h>
+ #endif
+ 
++#if HAVE_CRYPT_H
++# include <crypt.h>		/* crypt(3) may be defined in here */
++#endif
++
+ #if TIME_WITH_SYS_TIME
+ # include <sys/time.h>
+ # include <time.h>

shadow-4.5-goodname.patch

@@ -1,12 +1,18 @@
-diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
---- shadow-4.8/libmisc/chkname.c.goodname	2020-01-13 09:44:41.968507996 +0100
-+++ shadow-4.8/libmisc/chkname.c	2020-01-13 09:46:27.863727732 +0100
-@@ -55,26 +55,44 @@ static bool is_valid_name (const char *n
- 	}
+Index: shadow-4.5/libmisc/chkname.c
+===================================================================
+--- shadow-4.5.orig/libmisc/chkname.c
++++ shadow-4.5/libmisc/chkname.c
+@@ -47,27 +47,46 @@
+ #include "chkname.h"
  
+ static bool is_valid_name (const char *name)
+-{
++{      
  	/*
 -	 * User/group names must match [a-z_][a-z0-9_-]*[$]
 -	 */
+-	if (('\0' == *name) ||
+-	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
 +         * User/group names must match gnu e-regex:
 +         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
 +         *
@@ -16,9 +22,7 @@ diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
 +         * Also do not allow fully numeric names or just "." or "..".
 +         */
 +	int numeric;
- 
--	if (('\0' == *name) ||
--	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
++
 +	if ('\0' == *name ||
 +	    ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
 +			      '\0' == name[1])) ||
@@ -56,10 +60,11 @@ diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
  }
  
  bool is_valid_user_name (const char *name)
-diff -up shadow-4.8/man/groupadd.8.xml.goodname shadow-4.8/man/groupadd.8.xml
---- shadow-4.8/man/groupadd.8.xml.goodname	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/man/groupadd.8.xml	2020-01-13 09:44:41.968507996 +0100
-@@ -273,10 +273,12 @@
+Index: shadow-4.5/man/groupadd.8.xml
+===================================================================
+--- shadow-4.5.orig/man/groupadd.8.xml
++++ shadow-4.5/man/groupadd.8.xml
+@@ -256,10 +256,12 @@
     <refsect1 id='caveats'>
       <title>CAVEATS</title>
       <para>
@@ -76,10 +81,11 @@ diff -up shadow-4.8/man/groupadd.8.xml.goodname shadow-4.8/man/groupadd.8.xml
       </para>
       <para>
         Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
-diff -up shadow-4.8/man/useradd.8.xml.goodname shadow-4.8/man/useradd.8.xml
---- shadow-4.8/man/useradd.8.xml.goodname	2019-10-05 03:23:58.000000000 +0200
-+++ shadow-4.8/man/useradd.8.xml	2020-01-13 09:44:41.968507996 +0100
-@@ -661,10 +661,14 @@
+Index: shadow-4.5/man/useradd.8.xml
+===================================================================
+--- shadow-4.5.orig/man/useradd.8.xml
++++ shadow-4.5/man/useradd.8.xml
+@@ -633,10 +633,14 @@
      </para>
  
      <para>

shadow-4.5-long-entry.patch

@@ -1,19 +1,17 @@
-diff -up shadow-4.8/lib/defines.h.long-entry shadow-4.8/lib/defines.h
---- shadow-4.8/lib/defines.h.long-entry	2020-01-13 10:29:45.288957339 +0100
-+++ shadow-4.8/lib/defines.h	2020-01-13 10:30:47.482902954 +0100
-@@ -388,6 +388,9 @@ extern char *strerror ();
+diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h
+--- shadow-4.5/lib/defines.h.long-entry	2014-09-01 16:36:40.000000000 +0200
++++ shadow-4.5/lib/defines.h	2018-04-20 11:53:07.419308212 +0200
+@@ -382,4 +382,7 @@ extern char *strerror ();
  # endif
  #endif
  
 +/* Maximum length of passwd entry */
 +#define PASSWD_ENTRY_MAX_LENGTH 32768
 +
- #ifdef HAVE_SECURE_GETENV
- #  define shadow_getenv(name) secure_getenv(name)
- # else
-diff -up shadow-4.8/lib/pwio.c.long-entry shadow-4.8/lib/pwio.c
---- shadow-4.8/lib/pwio.c.long-entry	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/lib/pwio.c	2020-01-13 10:29:45.288957339 +0100
+ #endif				/* _DEFINES_H_ */
+diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c
+--- shadow-4.5/lib/pwio.c.long-entry	2015-11-17 17:45:15.000000000 +0100
++++ shadow-4.5/lib/pwio.c	2018-04-20 12:10:24.400837235 +0200
 @@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
  	    || (pw->pw_gid == (gid_t)-1)
  	    || (valid_field (pw->pw_gecos, ":\n") == -1)
@@ -26,9 +24,9 @@ diff -up shadow-4.8/lib/pwio.c.long-entry shadow-4.8/lib/pwio.c
  		return -1;
  	}
  
-diff -up shadow-4.8/lib/sgetpwent.c.long-entry shadow-4.8/lib/sgetpwent.c
---- shadow-4.8/lib/sgetpwent.c.long-entry	2019-10-05 03:23:58.000000000 +0200
-+++ shadow-4.8/lib/sgetpwent.c	2020-01-13 10:29:45.288957339 +0100
+diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c
+--- shadow-4.5/lib/sgetpwent.c.long-entry	2014-09-01 16:36:40.000000000 +0200
++++ shadow-4.5/lib/sgetpwent.c	2018-04-20 12:16:31.911513808 +0200
 @@ -57,7 +57,7 @@
  struct passwd *sgetpwent (const char *buf)
  {
@@ -50,9 +48,9 @@ diff -up shadow-4.8/lib/sgetpwent.c.long-entry shadow-4.8/lib/sgetpwent.c
  	strcpy (pwdbuf, buf);
  
  	/*
-diff -up shadow-4.8/lib/sgetspent.c.long-entry shadow-4.8/lib/sgetspent.c
---- shadow-4.8/lib/sgetspent.c.long-entry	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/lib/sgetspent.c	2020-01-13 10:29:45.289957322 +0100
+diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c
+--- shadow-4.5/lib/sgetspent.c.long-entry	2014-09-01 16:36:40.000000000 +0200
++++ shadow-4.5/lib/sgetspent.c	2018-04-20 12:16:54.505056257 +0200
 @@ -48,7 +48,7 @@
   */
  struct spwd *sgetspent (const char *string)
@@ -70,9 +68,9 @@ diff -up shadow-4.8/lib/sgetspent.c.long-entry shadow-4.8/lib/sgetspent.c
  		return 0;	/* fail if too long */
  	}
  	strcpy (spwbuf, string);
-diff -up shadow-4.8/lib/shadowio.c.long-entry shadow-4.8/lib/shadowio.c
---- shadow-4.8/lib/shadowio.c.long-entry	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8/lib/shadowio.c	2020-01-13 10:29:45.289957322 +0100
+diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c
+--- shadow-4.5/lib/shadowio.c.long-entry	2016-12-07 06:30:41.000000001 +0100
++++ shadow-4.5/lib/shadowio.c	2018-04-20 12:12:03.292171667 +0200
 @@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
  
  	if (   (NULL == sp)

shadow-4.6-chgrp-guard.patch

@@ -0,0 +1,44 @@
+diff -up shadow-4.6/man/usermod.8.xml.chgrp-guard shadow-4.6/man/usermod.8.xml
+--- shadow-4.6/man/usermod.8.xml.chgrp-guard	2018-11-06 09:08:54.170095358 +0100
++++ shadow-4.6/man/usermod.8.xml	2018-12-18 15:24:12.283181180 +0100
+@@ -195,6 +195,12 @@
+ 	    The group ownership of files outside of the user's home directory
+ 	    must be fixed manually.
+ 	  </para>
++	  <para>
++	    The change of the group ownership of files inside of the user's
++	    home directory is also not done if the home dir owner uid is
++	    different from the current or new user id. This is safety measure
++	    for special home directories such as <filename>/</filename>.
++	  </para>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+@@ -372,6 +378,12 @@
+ 	    must be fixed manually.
+ 	  </para>
+ 	  <para>
++	    The change of the user ownership of files inside of the user's
++	    home directory is also not done if the home dir owner uid is
++	    different from the current or new user id. This is safety measure
++	    for special home directories such as <filename>/</filename>.
++	  </para>
++	  <para>
+ 	    No checks will be performed with regard to the
+ 	    <option>UID_MIN</option>, <option>UID_MAX</option>,
+ 	    <option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>
+diff -up shadow-4.6/src/usermod.c.chgrp-guard shadow-4.6/src/usermod.c
+--- shadow-4.6/src/usermod.c.chgrp-guard	2018-12-18 15:24:12.286181249 +0100
++++ shadow-4.6/src/usermod.c	2018-12-18 15:26:51.227841435 +0100
+@@ -2336,7 +2336,10 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	if (!mflg && (uflg || gflg)) {
+-		if (access (dflg ? prefix_user_newhome : prefix_user_home, F_OK) == 0) {
++		struct stat sb;
++
++		if (stat (dflg ? prefix_user_newhome : prefix_user_home, &sb) == 0 &&
++			((uflg && sb.st_uid == user_newid) || sb.st_uid == user_id)) {
+ 			/*
+ 			 * Change the UID on all of the files owned by
+ 			 * `user_id' to `user_newid' in the user's home

shadow-4.6-coverity.patch

@@ -0,0 +1,223 @@
+diff -up shadow-4.6/lib/commonio.c.coverity shadow-4.6/lib/commonio.c
+--- shadow-4.6/lib/commonio.c.coverity	2018-10-10 09:50:59.307738194 +0200
++++ shadow-4.6/lib/commonio.c	2018-10-10 09:55:32.919319048 +0200
+@@ -382,7 +382,7 @@ int commonio_lock_nowait (struct commoni
+ 	char* lock = NULL;
+ 	size_t lock_file_len;
+ 	size_t file_len;
+-	int err;
++	int err = 0;
+ 
+ 	if (db->locked) {
+ 		return 1;
+@@ -391,12 +391,10 @@ int commonio_lock_nowait (struct commoni
+ 	lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
+ 	file = (char*)malloc(file_len);
+ 	if(file == NULL) {
+-		err = ENOMEM;
+ 		goto cleanup_ENOMEM;
+ 	}
+ 	lock = (char*)malloc(lock_file_len);
+ 	if(lock == NULL) {
+-		err = ENOMEM;
+ 		goto cleanup_ENOMEM;
+ 	}
+ 	snprintf (file, file_len, "%s.%lu",
+diff -up shadow-4.6/libmisc/console.c.coverity shadow-4.6/libmisc/console.c
+--- shadow-4.6/libmisc/console.c.coverity	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/libmisc/console.c	2018-10-10 11:56:51.368837533 +0200
+@@ -50,7 +50,7 @@ static bool is_listed (const char *cfgin
+ static bool is_listed (const char *cfgin, const char *tty, bool def)
+ {
+ 	FILE *fp;
+-	char buf[200], *s;
++	char buf[1024], *s;
+ 	const char *cons;
+ 
+ 	/*
+@@ -70,7 +70,8 @@ static bool is_listed (const char *cfgin
+ 
+ 	if (*cons != '/') {
+ 		char *pbuf;
+-		strcpy (buf, cons);
++		strncpy (buf, cons, sizeof (buf));
++		buf[sizeof (buf) - 1] = '\0';
+ 		pbuf = &buf[0];
+ 		while ((s = strtok (pbuf, ":")) != NULL) {
+ 			if (strcmp (s, tty) == 0) {
+diff -up shadow-4.6/lib/spawn.c.coverity shadow-4.6/lib/spawn.c
+--- shadow-4.6/lib/spawn.c.coverity	2018-04-29 18:42:37.000000001 +0200
++++ shadow-4.6/lib/spawn.c	2018-10-10 11:36:49.035784609 +0200
+@@ -69,7 +69,7 @@ int run_command (const char *cmd, const
+ 	do {
+ 		wpid = waitpid (pid, status, 0);
+ 	} while (   ((pid_t)-1 == wpid && errno == EINTR)
+-	         || (wpid != pid));
++	         || ((pid_t)-1 != wpid && wpid != pid));
+ 
+ 	if ((pid_t)-1 == wpid) {
+ 		fprintf (stderr, "%s: waitpid (status: %d): %s\n",
+diff -up shadow-4.6/src/useradd.c.coverity shadow-4.6/src/useradd.c
+--- shadow-4.6/src/useradd.c.coverity	2018-10-10 09:50:59.303738098 +0200
++++ shadow-4.6/src/useradd.c	2018-10-12 13:51:54.480490257 +0200
+@@ -314,7 +314,7 @@ static void fail_exit (int code)
+ static void get_defaults (void)
+ {
+ 	FILE *fp;
+-	char* default_file = USER_DEFAULTS_FILE;
++	char *default_file = USER_DEFAULTS_FILE;
+ 	char buf[1024];
+ 	char *cp;
+ 
+@@ -324,6 +324,8 @@ static void get_defaults (void)
+ 
+ 		len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
+ 		default_file = malloc(len);
++                if (default_file == NULL)
++                       return;
+ 		wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
+ 		assert (wlen == (int) len -1);
+ 	}
+@@ -334,7 +336,7 @@ static void get_defaults (void)
+ 
+ 	fp = fopen (default_file, "r");
+ 	if (NULL == fp) {
+-		return;
++		goto getdef_err;
+ 	}
+ 
+ 	/*
+@@ -445,7 +447,7 @@ static void get_defaults (void)
+ 		}
+ 	}
+ 	(void) fclose (fp);
+-
++     getdef_err:
+ 	if(prefix[0]) {
+ 		free(default_file);
+ 	}
+@@ -480,8 +482,8 @@ static int set_defaults (void)
+ 	FILE *ifp;
+ 	FILE *ofp;
+ 	char buf[1024];
+-	char* new_file = NEW_USER_FILE;
+-	char* default_file = USER_DEFAULTS_FILE;
++	char *new_file = NULL;
++	char *default_file = USER_DEFAULTS_FILE;
+ 	char *cp;
+ 	int ofd;
+ 	int wlen;
+@@ -492,17 +494,30 @@ static int set_defaults (void)
+ 	bool out_shell = false;
+ 	bool out_skel = false;
+ 	bool out_create_mail_spool = false;
++	size_t len;
++	int ret = -1;
+ 
+-	if(prefix[0]) {
+-		size_t len;
+ 
+-		len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
+-		new_file = malloc(len);
+-		wlen = snprintf(new_file, len, "%s/%s", prefix, NEW_USER_FILE);
+-		assert (wlen == (int) len -1);
++	len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
++	new_file = malloc(len);
++        if (new_file == NULL) {
++		fprintf (stderr,
++		         _("%s: cannot create new defaults file: %s\n"),
++		         Prog, strerror(errno));
++		return -1;
++        }
++	wlen = snprintf(new_file, len, "%s%s%s", prefix, prefix[0]?"/":"", NEW_USER_FILE);
++	assert (wlen <= (int) len -1);
+ 
++	if(prefix[0]) {
+ 		len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
+ 		default_file = malloc(len);
++		if (default_file == NULL) {
++			fprintf (stderr,
++			         _("%s: cannot create new defaults file: %s\n"),
++			         Prog, strerror(errno));
++			goto setdef_err;
++		}
+ 		wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
+ 		assert (wlen == (int) len -1);
+ 	}
+@@ -515,7 +530,7 @@ static int set_defaults (void)
+ 		fprintf (stderr,
+ 		         _("%s: cannot create new defaults file\n"),
+ 		         Prog);
+-		return -1;
++		goto setdef_err;
+ 	}
+ 
+ 	ofp = fdopen (ofd, "w");
+@@ -523,7 +538,7 @@ static int set_defaults (void)
+ 		fprintf (stderr,
+ 		         _("%s: cannot open new defaults file\n"),
+ 		         Prog);
+-		return -1;
++		goto setdef_err;
+ 	}
+ 
+ 	/*
+@@ -550,7 +565,7 @@ static int set_defaults (void)
+ 				         _("%s: line too long in %s: %s..."),
+ 				         Prog, default_file, buf);
+ 				(void) fclose (ifp);
+-				return -1;
++				goto setdef_err;
+ 			}
+ 		}
+ 
+@@ -614,7 +629,7 @@ static int set_defaults (void)
+ 	    || (fsync (fileno (ofp)) != 0)
+ 	    || (fclose (ofp) != 0)) {
+ 		unlink (new_file);
+-		return -1;
++		goto setdef_err;
+ 	}
+ 
+ 	/*
+@@ -629,7 +644,7 @@ static int set_defaults (void)
+ 		         _("%s: Cannot create backup file (%s): %s\n"),
+ 		         Prog, buf, strerror (err));
+ 		unlink (new_file);
+-		return -1;
++		goto setdef_err;
+ 	}
+ 
+ 	/*
+@@ -640,11 +655,11 @@ static int set_defaults (void)
+ 		fprintf (stderr,
+ 		         _("%s: rename: %s: %s\n"),
+ 		         Prog, new_file, strerror (err));
+-		return -1;
++		goto setdef_err;
+ 	}
+ #ifdef WITH_AUDIT
+ 	audit_logger (AUDIT_USYS_CONFIG, Prog,
+-	              "changing-useradd-defaults",
++	              "changing useradd defaults",
+ 	              NULL, AUDIT_NO_ID,
+ 	              SHADOW_AUDIT_SUCCESS);
+ #endif
+@@ -654,13 +669,14 @@ static int set_defaults (void)
+ 	         (unsigned int) def_group, def_home, def_shell,
+ 	         def_inactive, def_expire, def_template,
+ 	         def_create_mail_spool));
+-
++	ret = 0;
++    setdef_err:
++	free(new_file);
+ 	if(prefix[0]) {
+-		free(new_file);
+ 		free(default_file);
+ 	}
+ 
+-	return 0;
++	return ret;
+ }
+ 
+ /*

shadow-4.6-getenforce.patch

@@ -0,0 +1,21 @@
+diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
+--- shadow-4.6/lib/selinux.c.getenforce	2018-05-28 15:10:15.870315221 +0200
++++ shadow-4.6/lib/selinux.c	2018-05-28 15:10:15.894315731 +0200
+@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
+ 	}
+ 	return 0;
+     error:
+-	if (security_getenforce () != 0) {
++	if (security_getenforce () > 0) {
+ 		return 1;
+ 	}
+ 	return 0;
+@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
+ 		selinux_checked = true;
+ 	}
+ 	if (selinux_enabled) {
+-		if (setfscreatecon (NULL) != 0) {
++		if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
+ 			return 1;
+ 		}
+ 	}

shadow-4.6-orig-context.patch

@@ -0,0 +1,128 @@
+diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c
+--- shadow-4.6/lib/commonio.c.orig-context	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/commonio.c	2018-05-28 14:56:37.287929667 +0200
+@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db *
+ 		snprintf (buf, sizeof buf, "%s-", db->filename);
+ 
+ #ifdef WITH_SELINUX
+-		if (set_selinux_file_context (buf) != 0) {
++		if (set_selinux_file_context (buf, db->filename) != 0) {
+ 			errors++;
+ 		}
+ #endif
+@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db *
+ 	snprintf (buf, sizeof buf, "%s+", db->filename);
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (buf) != 0) {
++	if (set_selinux_file_context (buf, db->filename) != 0) {
+ 		errors++;
+ 	}
+ #endif
+diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c
+--- shadow-4.6/libmisc/copydir.c.orig-context	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/libmisc/copydir.c	2018-05-28 14:56:37.287929667 +0200
+@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
+ 	 */
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
+ 	}
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		free (oldlink);
+ 		return -1;
+ 	}
+@@ -684,7 +684,7 @@ static int copy_special (const char *src
+ 	int err = 0;
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
+ 		return -1;
+ 	}
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h
+--- shadow-4.6/lib/prototypes.h.orig-context	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/prototypes.h	2018-05-28 14:56:37.287929667 +0200
+@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m
+ 
+ /* selinux.c */
+ #ifdef WITH_SELINUX
+-extern int set_selinux_file_context (const char *dst_name);
++extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
+ extern int reset_selinux_file_context (void);
+ #endif
+ 
+diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c
+--- shadow-4.6/lib/selinux.c.orig-context	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/selinux.c	2018-05-28 14:56:37.287929667 +0200
+@@ -50,7 +50,7 @@ static bool selinux_enabled;
+  *	Callers may have to Reset SELinux to create files with default
+  *	contexts with reset_selinux_file_context
+  */
+-int set_selinux_file_context (const char *dst_name)
++int set_selinux_file_context (const char *dst_name, const char *orig_name)
+ {
+ 	/*@null@*/security_context_t scontext = NULL;
+ 
+@@ -62,19 +62,23 @@ int set_selinux_file_context (const char
+ 	if (selinux_enabled) {
+ 		/* Get the default security context for this file */
+ 		if (matchpathcon (dst_name, 0, &scontext) < 0) {
+-			if (security_getenforce () != 0) {
+-				return 1;
+-			}
++			/* We could not get the default, copy the original */
++			if (orig_name == NULL)
++				goto error;
++			if (getfilecon (orig_name, &scontext) < 0)
++				goto error;
+ 		}
+ 		/* Set the security context for the next created file */
+-		if (setfscreatecon (scontext) < 0) {
+-			if (security_getenforce () != 0) {
+-				return 1;
+-			}
+-		}
++		if (setfscreatecon (scontext) < 0)
++			goto error;
+ 		freecon (scontext);
+ 	}
+ 	return 0;
++    error:
++	if (security_getenforce () != 0) {
++		return 1;
++	}
++	return 0;
+ }
+ 
+ /*
+diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c
+--- shadow-4.6/src/useradd.c.orig-context	2018-05-28 14:56:37.288929688 +0200
++++ shadow-4.6/src/useradd.c	2018-05-28 14:58:02.242730903 +0200
+@@ -2020,7 +2020,7 @@ static void create_home (void)
+ {
+ 	if (access (prefix_user_home, F_OK) != 0) {
+ #ifdef WITH_SELINUX
+-		if (set_selinux_file_context (prefix_user_home) != 0) {
++		if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
+ 			fprintf (stderr,
+ 			         _("%s: cannot set SELinux context for home directory %s\n"),
+ 			         Prog, user_home);

shadow-4.6-redhat.patch

@@ -1,16 +1,16 @@
-diff -up shadow-4.11.1/src/useradd.c.redhat shadow-4.11.1/src/useradd.c
---- shadow-4.11.1/src/useradd.c.redhat	2022-01-03 01:46:53.000000000 +0100
-+++ shadow-4.11.1/src/useradd.c	2022-01-03 14:53:12.988484829 +0100
-@@ -82,7 +82,7 @@ const char *Prog;
- static gid_t def_group = 1000;
+diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
+--- shadow-4.6/src/useradd.c.redhat	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/src/useradd.c	2018-05-28 13:37:16.695651258 +0200
+@@ -98,7 +98,7 @@ const char *Prog;
+ static gid_t def_group = 100;
  static const char *def_gname = "other";
  static const char *def_home = "/home";
--static const char *def_shell = "/bin/bash";
+-static const char *def_shell = "";
 +static const char *def_shell = "/sbin/nologin";
  static const char *def_template = SKEL_DIR;
- static const char *def_create_mail_spool = "yes";
- static const char *def_log_init = "yes";
-@@ -93,7 +93,7 @@ static const char *def_expire = "";
+ static const char *def_create_mail_spool = "no";
+ 
+@@ -108,7 +108,7 @@ static const char *def_expire = "";
  #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
  
  static const char *user_name = "";
@@ -19,7 +19,7 @@ diff -up shadow-4.11.1/src/useradd.c.redhat shadow-4.11.1/src/useradd.c
  static uid_t user_id;
  static gid_t user_gid;
  static const char *user_comment = "";
-@@ -1219,9 +1219,9 @@ static void process_flags (int argc, cha
+@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha
  		};
  		while ((c = getopt_long (argc, argv,
  #ifdef WITH_SELINUX
@@ -31,7 +31,7 @@ diff -up shadow-4.11.1/src/useradd.c.redhat shadow-4.11.1/src/useradd.c
  #endif				/* !WITH_SELINUX */
  		                         long_options, NULL)) != -1) {
  			switch (c) {
-@@ -1378,6 +1378,7 @@ static void process_flags (int argc, cha
+@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha
  			case 'M':
  				Mflg = true;
  				break;

shadow-4.6-selinux.patch

@@ -0,0 +1,115 @@
+diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c
+--- shadow-4.6/lib/semanage.c.selinux	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/semanage.c	2018-05-28 13:38:20.551008911 +0200
+@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
+ 
+ 	ret = 0;
+ 
++        /* drop obsolete matchpathcon cache */
++        matchpathcon_fini();
++
+ done:
+ 	semanage_seuser_key_free (key);
+ 	semanage_handle_destroy (handle);
+@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
+ 	}
+ 
+ 	ret = 0;
++
++        /* drop obsolete matchpathcon cache */
++        matchpathcon_fini();
++
+ done:
+ 	semanage_handle_destroy (handle);
+ 	return ret;
+diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c
+--- shadow-4.6/src/useradd.c.selinux	2018-05-28 13:43:30.996748997 +0200
++++ shadow-4.6/src/useradd.c	2018-05-28 13:44:04.645486199 +0200
+@@ -2120,6 +2120,7 @@ static void create_mail (void)
+  */
+ int main (int argc, char **argv)
+ {
++	int rv = E_SUCCESS;
+ #ifdef ACCT_TOOLS_SETUID
+ #ifdef USE_PAM
+ 	pam_handle_t *pamh = NULL;
+@@ -2342,27 +2343,11 @@ int main (int argc, char **argv)
+ 
+ 	usr_update ();
+ 
+-	if (mflg) {
+-		create_home ();
+-		if (home_added) {
+-			copy_tree (def_template, prefix_user_home, false, false,
+-			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
+-		} else {
+-			fprintf (stderr,
+-			         _("%s: warning: the home directory already exists.\n"
+-			           "Not copying any file from skel directory into it.\n"),
+-			         Prog);
+-		}
+-
+-	}
+-
+-	/* Do not create mail directory for system accounts */
+-	if (!rflg) {
+-		create_mail ();
+-	}
+-
+ 	close_files ();
+ 
++	nscd_flush_cache ("passwd");
++	nscd_flush_cache ("group");
++
+ 	/*
+ 	 * tallylog_reset needs to be able to lookup
+ 	 * a valid existing user name,
+@@ -2373,8 +2358,9 @@ int main (int argc, char **argv)
+ 	}
+ 
+ #ifdef WITH_SELINUX
+-	if (Zflg) {
+-		if (set_seuser (user_name, user_selinux) != 0) {
++	if (Zflg && *user_selinux) {
++		if (is_selinux_enabled () > 0) {
++		    if (set_seuser (user_name, user_selinux) != 0) {
+ 			fprintf (stderr,
+ 			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ 			         Prog, user_name, user_selinux);
+@@ -2383,14 +2369,31 @@ int main (int argc, char **argv)
+ 			              "adding SELinux user mapping",
+ 			              user_name, (unsigned int) user_id, 0);
+ #endif				/* WITH_AUDIT */
+-			fail_exit (E_SE_UPDATE);
++			rv = E_SE_UPDATE;
++		    }
+ 		}
+ 	}
+-#endif				/* WITH_SELINUX */
++#endif
+ 
+-	nscd_flush_cache ("passwd");
+-	nscd_flush_cache ("group");
++	if (mflg) {
++		create_home ();
++		if (home_added) {
++			copy_tree (def_template, prefix_user_home, false, true,
++			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
++		} else {
++			fprintf (stderr,
++			         _("%s: warning: the home directory already exists.\n"
++			           "Not copying any file from skel directory into it.\n"),
++			         Prog);
++		}
++
++	}
++
++	/* Do not create mail directory for system accounts */
++	if (!rflg) {
++		create_mail ();
++	}
+ 
+-	return E_SUCCESS;
++	return rv;
+ }
+ 

shadow-4.6-sssd-flush.patch

@@ -0,0 +1,641 @@
+From 4aaf05d72e9d6daf348cefb8a6ad35d2966cbe9b Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jakub.hrozek@posteo.se>
+Date: Wed, 12 Sep 2018 14:22:11 +0200
+Subject: [PATCH] Flush sssd caches in addition to nscd caches
+
+Some distributions, notably Fedora, have the following order of nsswitch
+modules by default:
+    passwd: sss files
+    group:  sss files
+
+The advantage of serving local users through SSSD is that the nss_sss
+module has a fast mmapped-cache that speeds up NSS lookups compared to
+accessing the disk an opening the files on each NSS request.
+
+Traditionally, this has been done with the help of nscd, but using nscd
+in parallel with sssd is cumbersome, as both SSSD and nscd use their own
+independent caching, so using nscd in setups where sssd is also serving
+users from some remote domain (LDAP, AD, ...) can result in a bit of
+unpredictability.
+
+More details about why Fedora chose to use sss before files can be found
+on e.g.:
+    https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
+or:
+    https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html
+
+Now, even though sssd watches the passwd and group files with the help
+of inotify, there can still be a small window where someone requests a
+user or a group, finds that it doesn't exist, adds the entry and checks
+again. Without some support in shadow-utils that would explicitly drop
+the sssd caches, the inotify watch can fire a little late, so a
+combination of commands like this:
+    getent passwd user || useradd user; getent passwd user
+can result in the second getent passwd not finding the newly added user
+as the racy behaviour might still return the cached negative hit from
+the first getent passwd.
+
+This patch more or less copies the already existing support that
+shadow-utils had for dropping nscd caches, except using the "sss_cache"
+tool that sssd ships.
+---
+ configure.ac    | 10 +++++++
+ lib/Makefile.am |  2 ++
+ lib/commonio.c  |  2 ++
+ lib/sssd.c      | 75 +++++++++++++++++++++++++++++++++++++++++++++++++
+ lib/sssd.h      | 17 +++++++++++
+ src/chfn.c      |  2 ++
+ src/chgpasswd.c |  2 ++
+ src/chpasswd.c  |  2 ++
+ src/chsh.c      |  2 ++
+ src/gpasswd.c   |  2 ++
+ src/groupadd.c  |  2 ++
+ src/groupdel.c  |  2 ++
+ src/groupmod.c  |  2 ++
+ src/grpck.c     |  2 ++
+ src/grpconv.c   |  2 ++
+ src/grpunconv.c |  2 ++
+ src/newusers.c  |  2 ++
+ src/passwd.c    |  2 ++
+ src/pwck.c      |  2 ++
+ src/pwconv.c    |  2 ++
+ src/pwunconv.c  |  2 ++
+ src/useradd.c   |  2 ++
+ src/userdel.c   |  2 ++
+ src/usermod.c   |  2 ++
+ src/vipw.c      |  2 ++
+ 25 files changed, 146 insertions(+)
+ create mode 100644 lib/sssd.c
+ create mode 100644 lib/sssd.h
+
+diff --git a/configure.ac b/configure.ac
+index 41068a5d..10ad70cf 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -280,6 +280,9 @@ AC_ARG_WITH(sha-crypt,
+ AC_ARG_WITH(nscd,
+ 	[AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
+ 	[with_nscd=$withval], [with_nscd=yes])
++AC_ARG_WITH(sssd,
++	[AC_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])],
++	[with_sssd=$withval], [with_sssd=yes])
+ AC_ARG_WITH(group-name-max-length,
+ 	[AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])],
+ 	[with_group_name_max_length=$withval], [with_group_name_max_length=yes])
+@@ -304,6 +307,12 @@ if test "$with_nscd" = "yes"; then
+ 	              [AC_MSG_ERROR([posix_spawn is needed for nscd support])])
+ fi
+ 
++if test "$with_sssd" = "yes"; then
++	AC_CHECK_FUNC(posix_spawn,
++	              [AC_DEFINE(USE_SSSD, 1, [Define to support flushing of sssd caches])],
++	              [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
++fi
++
+ dnl Check for some functions in libc first, only if not found check for
+ dnl other libraries.  This should prevent linking libnsl if not really
+ dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
+@@ -679,5 +688,6 @@ echo "	shadow group support:		$enable_shadowgrp"
+ echo "	S/Key support:			$with_skey"
+ echo "	SHA passwords encryption:	$with_sha_crypt"
+ echo "	nscd support:			$with_nscd"
++echo "	sssd support:			$with_sssd"
+ echo "	subordinate IDs support:	$enable_subids"
+ echo
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index 6db86cd6..fd634542 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -30,6 +30,8 @@ libshadow_la_SOURCES = \
+ 	lockpw.c \
+ 	nscd.c \
+ 	nscd.h \
++	sssd.c \
++	sssd.h \
+ 	pam_defs.h \
+ 	port.c \
+ 	port.h \
+diff --git a/lib/commonio.c b/lib/commonio.c
+index d06b8e7d..96f2d5f7 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -45,6 +45,7 @@
+ #include <stdio.h>
+ #include <signal.h>
+ #include "nscd.h"
++#include "sssd.h"
+ #ifdef WITH_TCB
+ #include <tcb.h>
+ #endif				/* WITH_TCB */
+@@ -485,6 +486,7 @@ static void dec_lock_count (void)
+ 			if (nscd_need_reload) {
+ 				nscd_flush_cache ("passwd");
+ 				nscd_flush_cache ("group");
++				sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 				nscd_need_reload = false;
+ 			}
+ #ifdef HAVE_LCKPWDF
+diff --git a/lib/sssd.c b/lib/sssd.c
+new file mode 100644
+index 00000000..80e49e55
+--- /dev/null
++++ b/lib/sssd.c
+@@ -0,0 +1,75 @@
++/* Author: Peter Vrabec <pvrabec@redhat.com> */
++
++#include <config.h>
++#ifdef USE_SSSD
++
++#include <stdio.h>
++#include <sys/wait.h>
++#include <sys/types.h>
++#include "exitcodes.h"
++#include "defines.h"
++#include "prototypes.h"
++#include "sssd.h"
++
++#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
++
++int sssd_flush_cache (int dbflags)
++{
++	int status, code, rv;
++	const char *cmd = "/usr/sbin/sss_cache";
++	char *sss_cache_args = NULL;
++	const char *spawnedArgs[] = {"sss_cache", NULL, NULL};
++	const char *spawnedEnv[] = {NULL};
++	int i = 0;
++
++	sss_cache_args = malloc(4);
++	if (sss_cache_args == NULL) {
++	    return -1;
++	}
++
++	sss_cache_args[i++] = '-';
++	if (dbflags & SSSD_DB_PASSWD) {
++		sss_cache_args[i++] = 'U';
++	}
++	if (dbflags & SSSD_DB_GROUP) {
++		sss_cache_args[i++] = 'G';
++	}
++	sss_cache_args[i++] = '\0';
++	if (i == 2) {
++		/* Neither passwd nor group, nothing to do */
++		free(sss_cache_args);
++		return 0;
++	}
++	spawnedArgs[1] = sss_cache_args;
++
++	rv = run_command (cmd, spawnedArgs, spawnedEnv, &status);
++	free(sss_cache_args);
++	if (rv != 0) {
++		/* run_command writes its own more detailed message. */
++		(void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
++		return -1;
++	}
++
++	code = WEXITSTATUS (status);
++	if (!WIFEXITED (status)) {
++		(void) fprintf (stderr,
++		                _("%s: sss_cache did not terminate normally (signal %d)\n"),
++		                Prog, WTERMSIG (status));
++		return -1;
++	} else if (code == E_CMD_NOTFOUND) {
++		/* sss_cache is not installed, or it is installed but uses an
++		   interpreter that is missing.  Probably the former. */
++		return 0;
++	} else if (code != 0) {
++		(void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
++		                Prog, code);
++		(void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
++		return -1;
++	}
++
++	return 0;
++}
++#else				/* USE_SSSD */
++extern int errno;		/* warning: ANSI C forbids an empty source file */
++#endif				/* USE_SSSD */
++
+diff --git a/lib/sssd.h b/lib/sssd.h
+new file mode 100644
+index 00000000..00ff2a8a
+--- /dev/null
++++ b/lib/sssd.h
+@@ -0,0 +1,17 @@
++#ifndef _SSSD_H_
++#define _SSSD_H_
++
++#define SSSD_DB_PASSWD	0x001
++#define SSSD_DB_GROUP	0x002
++
++/*
++ * sssd_flush_cache - flush specified service buffer in sssd cache
++ */
++#ifdef	USE_SSSD
++extern int sssd_flush_cache (int dbflags);
++#else
++#define sssd_flush_cache(service) (0)
++#endif
++
++#endif
++
+diff --git a/src/chfn.c b/src/chfn.c
+index 18aa3de7..0725e1c7 100644
+--- a/src/chfn.c
++++ b/src/chfn.c
+@@ -47,6 +47,7 @@
+ #include "defines.h"
+ #include "getdef.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #ifdef USE_PAM
+ #include "pam_defs.h"
+ #endif
+@@ -746,6 +747,7 @@ int main (int argc, char **argv)
+ 	SYSLOG ((LOG_INFO, "changed user '%s' information", user));
+ 
+ 	nscd_flush_cache ("passwd");
++	sssd_flush_cache (SSSD_DB_PASSWD);
+ 
+ 	closelog ();
+ 	exit (E_SUCCESS);
+diff --git a/src/chgpasswd.c b/src/chgpasswd.c
+index 13203a46..e5f2eb7e 100644
+--- a/src/chgpasswd.c
++++ b/src/chgpasswd.c
+@@ -46,6 +46,7 @@
+ #endif				/* ACCT_TOOLS_SETUID */
+ #include "defines.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "groupio.h"
+ #ifdef	SHADOWGRP
+@@ -581,6 +582,7 @@ int main (int argc, char **argv)
+ 	close_files ();
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	return (0);
+ }
+diff --git a/src/chpasswd.c b/src/chpasswd.c
+index 918b27ee..49e79cdb 100644
+--- a/src/chpasswd.c
++++ b/src/chpasswd.c
+@@ -44,6 +44,7 @@
+ #endif				/* USE_PAM */
+ #include "defines.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "getdef.h"
+ #include "prototypes.h"
+ #include "pwio.h"
+@@ -624,6 +625,7 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	nscd_flush_cache ("passwd");
++	sssd_flush_cache (SSSD_DB_PASSWD);
+ 
+ 	return (0);
+ }
+diff --git a/src/chsh.c b/src/chsh.c
+index c89708b9..910e3dd4 100644
+--- a/src/chsh.c
++++ b/src/chsh.c
+@@ -46,6 +46,7 @@
+ #include "defines.h"
+ #include "getdef.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwauth.h"
+ #include "pwio.h"
+@@ -557,6 +558,7 @@ int main (int argc, char **argv)
+ 	SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh));
+ 
+ 	nscd_flush_cache ("passwd");
++	sssd_flush_cache (SSSD_DB_PASSWD);
+ 
+ 	closelog ();
+ 	exit (E_SUCCESS);
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index c4a492b1..4d75af96 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -45,6 +45,7 @@
+ #include "defines.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #ifdef SHADOWGRP
+ #include "sgroupio.h"
+@@ -1201,6 +1202,7 @@ int main (int argc, char **argv)
+ 	close_files ();
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	exit (E_SUCCESS);
+ }
+diff --git a/src/groupadd.c b/src/groupadd.c
+index b57006c5..2dd8eec9 100644
+--- a/src/groupadd.c
++++ b/src/groupadd.c
+@@ -51,6 +51,7 @@
+ #include "getdef.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #ifdef	SHADOWGRP
+ #include "sgroupio.h"
+@@ -625,6 +626,7 @@ int main (int argc, char **argv)
+ 	close_files ();
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	return E_SUCCESS;
+ }
+diff --git a/src/groupdel.c b/src/groupdel.c
+index 70bed010..f941a84a 100644
+--- a/src/groupdel.c
++++ b/src/groupdel.c
+@@ -49,6 +49,7 @@
+ #include "defines.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #ifdef	SHADOWGRP
+ #include "sgroupio.h"
+@@ -492,6 +493,7 @@ int main (int argc, char **argv)
+ 	close_files ();
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	return E_SUCCESS;
+ }
+diff --git a/src/groupmod.c b/src/groupmod.c
+index b293b98f..1dca5fc9 100644
+--- a/src/groupmod.c
++++ b/src/groupmod.c
+@@ -51,6 +51,7 @@
+ #include "groupio.h"
+ #include "pwio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #ifdef	SHADOWGRP
+ #include "sgroupio.h"
+@@ -877,6 +878,7 @@ int main (int argc, char **argv)
+ 	close_files ();
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	return E_SUCCESS;
+ }
+diff --git a/src/grpck.c b/src/grpck.c
+index ea5d3b39..6140b10d 100644
+--- a/src/grpck.c
++++ b/src/grpck.c
+@@ -45,6 +45,7 @@
+ #include "defines.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ 
+ #ifdef SHADOWGRP
+@@ -870,6 +871,7 @@ int main (int argc, char **argv)
+ 	close_files (changed);
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	/*
+ 	 * Tell the user what we did and exit.
+diff --git a/src/grpconv.c b/src/grpconv.c
+index f95f4960..5e5eaaca 100644
+--- a/src/grpconv.c
++++ b/src/grpconv.c
+@@ -48,6 +48,7 @@
+ #include <unistd.h>
+ #include <getopt.h>
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ /*@-exitarg@*/
+ #include "exitcodes.h"
+@@ -273,6 +274,7 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	return 0;
+ }
+diff --git a/src/grpunconv.c b/src/grpunconv.c
+index 253f06f5..e4105c26 100644
+--- a/src/grpunconv.c
++++ b/src/grpunconv.c
+@@ -48,6 +48,7 @@
+ #include <grp.h>
+ #include <getopt.h>
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ /*@-exitarg@*/
+ #include "exitcodes.h"
+@@ -236,6 +237,7 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ 	return 0;
+ }
+diff --git a/src/newusers.c b/src/newusers.c
+index 8e4bef97..7c3bb1c2 100644
+--- a/src/newusers.c
++++ b/src/newusers.c
+@@ -62,6 +62,7 @@
+ #include "getdef.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "pwio.h"
+ #include "sgroupio.h"
+ #include "shadowio.h"
+@@ -1233,6 +1234,7 @@ int main (int argc, char **argv)
+ 
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 
+ #ifdef USE_PAM
+ 	unsigned int i;
+diff --git a/src/passwd.c b/src/passwd.c
+index 3af3e651..5bea2765 100644
+--- a/src/passwd.c
++++ b/src/passwd.c
+@@ -51,6 +51,7 @@
+ #include "defines.h"
+ #include "getdef.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwauth.h"
+ #include "pwio.h"
+@@ -1150,6 +1151,7 @@ int main (int argc, char **argv)
+ 
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 
+ 	SYSLOG ((LOG_INFO, "password for '%s' changed by '%s'", name, myname));
+ 	closelog ();
+diff --git a/src/pwck.c b/src/pwck.c
+index 05df68ec..0ffb711e 100644
+--- a/src/pwck.c
++++ b/src/pwck.c
+@@ -48,6 +48,7 @@
+ #include "shadowio.h"
+ #include "getdef.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #ifdef WITH_TCB
+ #include "tcbfuncs.h"
+ #endif				/* WITH_TCB */
+@@ -877,6 +878,7 @@ int main (int argc, char **argv)
+ 	close_files (changed);
+ 
+ 	nscd_flush_cache ("passwd");
++	sssd_flush_cache (SSSD_DB_PASSWD);
+ 
+ 	/*
+ 	 * Tell the user what we did and exit.
+diff --git a/src/pwconv.c b/src/pwconv.c
+index d6ee31a8..9c69fa13 100644
+--- a/src/pwconv.c
++++ b/src/pwconv.c
+@@ -72,6 +72,7 @@
+ #include "pwio.h"
+ #include "shadowio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ 
+ /*
+  * exit status values
+@@ -328,6 +329,7 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	nscd_flush_cache ("passwd");
++	sssd_flush_cache (SSSD_DB_PASSWD);
+ 
+ 	return E_SUCCESS;
+ }
+diff --git a/src/pwunconv.c b/src/pwunconv.c
+index fabf0237..e11ea494 100644
+--- a/src/pwunconv.c
++++ b/src/pwunconv.c
+@@ -42,6 +42,7 @@
+ #include <getopt.h>
+ #include "defines.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwio.h"
+ #include "shadowio.h"
+@@ -250,6 +251,7 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	nscd_flush_cache ("passwd");
++	sssd_flush_cache (SSSD_DB_PASSWD);
+ 
+ 	return 0;
+ }
+diff --git a/src/useradd.c b/src/useradd.c
+index ca90f076..b0c2224d 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -60,6 +60,7 @@
+ #include "getdef.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwauth.h"
+ #include "pwio.h"
+@@ -2425,6 +2426,7 @@ int main (int argc, char **argv)
+ 
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 
+ 	/*
+ 	 * tallylog_reset needs to be able to lookup
+diff --git a/src/userdel.c b/src/userdel.c
+index c8de1d31..0715e4fe 100644
+--- a/src/userdel.c
++++ b/src/userdel.c
+@@ -53,6 +53,7 @@
+ #include "getdef.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwauth.h"
+ #include "pwio.h"
+@@ -1328,6 +1329,7 @@ int main (int argc, char **argv)
+ 
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 
+ 	return ((0 != errors) ? E_HOMEDIR : E_SUCCESS);
+ }
+diff --git a/src/usermod.c b/src/usermod.c
+index 7355ad31..fd9a98a6 100644
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -57,6 +57,7 @@
+ #include "getdef.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwauth.h"
+ #include "pwio.h"
+@@ -2255,6 +2256,7 @@ int main (int argc, char **argv)
+ 
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 
+ #ifdef WITH_SELINUX
+ 	if (Zflg) {
+diff --git a/src/vipw.c b/src/vipw.c
+index 6d730f65..2cfac6b4 100644
+--- a/src/vipw.c
++++ b/src/vipw.c
+@@ -42,6 +42,7 @@
+ #include "defines.h"
+ #include "groupio.h"
+ #include "nscd.h"
++#include "sssd.h"
+ #include "prototypes.h"
+ #include "pwio.h"
+ #include "sgroupio.h"
+@@ -556,6 +557,7 @@ int main (int argc, char **argv)
+ 
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ 
+ 	return E_SUCCESS;
+ }

shadow-4.6-use-itstool.patch

@@ -0,0 +1,31 @@
+diff -up shadow-4.6/man/generate_translations.mak.use-itstool shadow-4.6/man/generate_translations.mak
+--- shadow-4.6/man/generate_translations.mak.use-itstool	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/generate_translations.mak	2018-07-31 16:42:21.623990969 +0200
+@@ -5,8 +5,19 @@ config.xml: ../config.xml.in
+ 	$(MAKE) -C .. config.xml
+ 	cp ../config.xml $@
+ 
+-%.xml: ../%.xml ../po/$(LANG).po
+-	xml2po --expand-all-entities -l $(LANG) -p ../po/$(LANG).po -o $@ ../$@
++messages.mo: ../po/$(LANG).po
++	msgfmt ../po/$(LANG).po -o messages.mo
++
++login.defs.d:
++	ln -sf ../login.defs.d login.defs.d
++
++%.xml: ../%.xml messages.mo login.defs.d
++	if grep -q SHADOW-CONFIG-HERE $< ; then \
++	    sed -e 's/^<!-- SHADOW-CONFIG-HERE -->/<!ENTITY % config SYSTEM "config.xml">%config;/' $< > $@; \
++	else \
++	    sed -e 's/^\(<!DOCTYPE .*docbookx.dtd"\)>/\1 [<!ENTITY % config SYSTEM "config.xml">%config;]>/' $< > $@; \
++	fi
++	itstool -d -l $(LANG) -m messages.mo -o . $@
+ 	sed -i 's:\(^<refentry .*\)>:\1 lang="$(LANG)">:' $@
+ 
+ include ../generate_mans.mak
+@@ -16,4 +27,4 @@ $(man_MANS):
+ 	@echo you need to run configure with --enable-man to generate man pages
+ endif
+ 
+-CLEANFILES = .xml2po.mo $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml
++CLEANFILES = messages.mo login.defs.d $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml

shadow-4.6-useradd-selinux-mail.patch

@@ -0,0 +1,61 @@
+From 4dc62ebcf37d7568be1d4ca54367215eba8b8a28 Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Wed, 5 Feb 2020 15:04:39 +0100
+Subject: [PATCH] useradd: doesn't generate /var/spool/mail/$USER with the
+ proper SELinux user identity
+
+Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
+---
+ src/useradd.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a679392d..645d4a40 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -190,6 +190,7 @@ static bool home_added = false;
+ #define E_NAME_IN_USE	9	/* username already in use */
+ #define E_GRP_UPDATE	10	/* can't update group file */
+ #define E_HOMEDIR	12	/* can't create home directory */
++#define E_MAILBOXFILE	13	/* can't create mailbox file */
+ #define E_SE_UPDATE	14	/* can't update SELinux user mapping */
+ #ifdef ENABLE_SUBIDS
+ #define E_SUB_UID_UPDATE 16	/* can't update the subordinate uid file */
+@@ -2210,6 +2211,16 @@ static void create_mail (void)
+ 			sprintf (file, "%s/%s/%s", prefix, spool, user_name);
+ 		else
+ 			sprintf (file, "%s/%s", spool, user_name);
++
++#ifdef WITH_SELINUX
++		if (set_selinux_file_context (file, NULL) != 0) {
++			fprintf (stderr,
++			         _("%s: cannot set SELinux context for mailbox file %s\n"),
++			         Prog, file);
++			fail_exit (E_MAILBOXFILE);
++		}
++#endif
++
+ 		fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0);
+ 		if (fd < 0) {
+ 			perror (_("Creating mailbox file"));
+@@ -2234,6 +2245,15 @@ static void create_mail (void)
+ 
+ 		fsync (fd);
+ 		close (fd);
++#ifdef WITH_SELINUX
++		/* Reset SELinux to create files with default contexts */
++		if (reset_selinux_file_context () != 0) {
++			fprintf (stderr,
++			         _("%s: cannot reset SELinux file creation context\n"),
++			         Prog);
++			fail_exit (E_MAILBOXFILE);
++		}
++#endif
+ 	}
+ }
+ 
+-- 
+2.24.1
+

shadow-4.6-usermod-crash.patch

@@ -0,0 +1,42 @@
+diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c
+--- shadow-4.6/libmisc/prefix_flag.c.usermod-crash	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/libmisc/prefix_flag.c	2018-05-28 15:14:10.642302440 +0200
+@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi
+ {
+ 	long long int gid;
+ 	char *endptr;
++	struct group *g;
+ 
+ 	if (NULL == grname) {
+ 		return NULL;
+@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi
+ 	    	&& (gid == (gid_t)gid)) {
+ 			return prefix_getgrgid ((gid_t) gid);
+ 		}
+-		return prefix_getgrnam (grname);
++		g = prefix_getgrnam (grname);
++		return g ? __gr_dup(g) : NULL;
+ 	}
+ 	else
+ 		return getgr_nam_gid(grname);
+diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c
+--- shadow-4.6/src/usermod.c.usermod-crash	2018-05-28 15:12:37.920332763 +0200
++++ shadow-4.6/src/usermod.c	2018-05-28 15:15:50.337422470 +0200
+@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha
+ 		prefix_user_home = xmalloc(len);
+ 		wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home);
+ 		assert (wlen == (int) len -1);
++		if (user_newhome) {
++			len = strlen(prefix) + strlen(user_newhome) + 2;
++			prefix_user_newhome = xmalloc(len);
++			wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
++			assert (wlen == (int) len -1);
++		}
+ 
+-		len = strlen(prefix) + strlen(user_newhome) + 2;
+-		prefix_user_newhome = xmalloc(len);
+-		wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
+-		assert (wlen == (int) len -1);
+ 	}
+ 	else {
+ 		prefix_user_home = user_home;

shadow-4.8-ignore-login-prompt.patch

@@ -1,11 +0,0 @@
-diff -up shadow-4.8/lib/getdef.c.login-prompt shadow-4.8/lib/getdef.c
---- shadow-4.8/lib/getdef.c.login-prompt	2020-01-13 10:38:44.852796681 +0100
-+++ shadow-4.8/lib/getdef.c	2020-01-13 10:39:54.472612511 +0100
-@@ -98,6 +98,7 @@ static struct itemdef def_table[] = {
- 	{"LASTLOG_UID_MAX", NULL},
- 	{"LOGIN_RETRIES", NULL},
- 	{"LOGIN_TIMEOUT", NULL},
-+	{"LOGIN_PLAIN_PROMPT", NULL},
- 	{"LOG_OK_LOGINS", NULL},
- 	{"LOG_UNKFAIL_ENAB", NULL},
- 	{"MAIL_DIR", NULL},

shadow-4.9-manfix.patch

@@ -1,180 +0,0 @@
-diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml
---- shadow-4.8.1/man/groupmems.8.xml.manfix	2020-03-17 15:34:48.750414984 +0100
-+++ shadow-4.8.1/man/groupmems.8.xml	2020-03-17 15:41:13.383588722 +0100
-@@ -179,20 +179,10 @@
-   <refsect1 id='setup'>
-     <title>SETUP</title>
-     <para>
--      The <command>groupmems</command> executable should be in mode
--      <literal>2710</literal> as user <emphasis>root</emphasis> and in group
--      <emphasis>groups</emphasis>. The system administrator can add users to
--      group <emphasis>groups</emphasis> to allow or disallow them using the
--      <command>groupmems</command> utility to manage their own group
--      membership list.
-+      In this operating system the <command>groupmems</command> executable
-+      is not setuid and regular users cannot use it to manipulate
-+      the membership of their own group.
-     </para>
--
--    <programlisting>
--	$ groupadd -r groups
--	$ chmod 2710 groupmems
--	$ chown root.groups groupmems
--	$ groupmems -g groups -a gk4
--    </programlisting>
-   </refsect1>
- 
-   <refsect1 id='configuration'>
-diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5
---- shadow-4.8.1/man/ja/man5/login.defs.5.manfix	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8.1/man/ja/man5/login.defs.5	2020-03-17 15:34:48.750414984 +0100
-@@ -147,10 +147,6 @@ 以下の参照表は、
- shadow パスワード機能のどのプログラムが
- どのパラメータを使用するかを示したものである。
- .na
--.IP chfn 12
--CHFN_AUTH CHFN_RESTRICT
--.IP chsh 12
--CHFN_AUTH
- .IP groupadd 12
- GID_MAX GID_MIN
- .IP newusers 12
-diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml
---- shadow-4.8.1/man/login.defs.5.xml.manfix	2020-01-17 16:47:56.000000000 +0100
-+++ shadow-4.8.1/man/login.defs.5.xml	2020-03-17 15:34:48.750414984 +0100
-@@ -164,6 +164,17 @@
-       long numeric parameters is machine-dependent.
-     </para>
- 
-+    <para>
-+      Please note that the parameters in this configuration file control the
-+      behavior of the tools from the shadow-utils component. None of these
-+      tools uses the PAM mechanism, and the utilities that use PAM (such as the
-+      passwd command) should be configured elsewhere. The only values that
-+      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
-+      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
-+      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
-+      pam(8) for more information.
-+    </para>
-+
-     <para>The following configuration items are provided:</para>
- 
-     <variablelist remap='IP'>
-@@ -256,16 +267,6 @@
- 	</listitem>
-       </varlistentry>
-       <varlistentry>
--	<term>chfn</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CHFN_AUTH</phrase>
--	    CHFN_RESTRICT
--	    <phrase condition="no_pam">LOGIN_STRING</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
--      <varlistentry>
- 	<term>chgpasswd</term>
- 	<listitem>
- 	  <para>
-@@ -286,14 +287,6 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry condition="no_pam">
--	<term>chsh</term>
--	<listitem>
--	  <para>
--	    CHSH_AUTH LOGIN_STRING
--	  </para>
--	</listitem>
--      </varlistentry>
-       <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
-       <!-- faillog: no variables -->
-       <varlistentry>
-@@ -359,34 +352,6 @@
- 	  <para>LASTLOG_UID_MAX</para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry>
--	<term>login</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CONSOLE</phrase>
--	    CONSOLE_GROUPS DEFAULT_HOME
--	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
--	    ENV_TZ ENVIRON_FILE</phrase>
--	    ERASECHAR FAIL_DELAY
--	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
--	    FAKE_SHELL
--	    <phrase condition="no_pam">FTMP_FILE</phrase>
--	    HUSHLOGIN_FILE
--	    <phrase condition="no_pam">ISSUE_FILE</phrase>
--	    KILLCHAR
--	    <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
--	    LOGIN_RETRIES
--	    <phrase condition="no_pam">LOGIN_STRING</phrase>
--	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
--	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
--	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
--	    QUOTAS_ENAB</phrase>
--	    TTYGROUP TTYPERM TTYTYPE_FILE
--	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
--	    USERGROUPS_ENAB
--	  </para>
--	</listitem>
--      </varlistentry>
-       <!-- logoutd: no variables -->
-       <varlistentry>
- 	<term>newgrp / sg</term>
-@@ -415,17 +380,6 @@
- 	</listitem>
-       </varlistentry>
-       <!-- nologin: no variables -->
--      <varlistentry condition="no_pam">
--	<term>passwd</term>
--	<listitem>
--	  <para>
--	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
--	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
--	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
--	    SHA_CRYPT_MIN_ROUNDS</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
-       <varlistentry>
- 	<term>pwck</term>
- 	<listitem>
-@@ -452,32 +406,6 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry>
--	<term>su</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CONSOLE</phrase>
--	    CONSOLE_GROUPS DEFAULT_HOME
--	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
--	    ENV_PATH ENV_SUPATH
--	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
--	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
--	    SULOG_FILE SU_NAME
--	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
--	    SYSLOG_SU_ENAB
--	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
--      <varlistentry>
--	<term>sulogin</term>
--	<listitem>
--	  <para>
--	    ENV_HZ
--	    <phrase condition="no_pam">ENV_TZ</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
-       <varlistentry>
- 	<term>useradd</term>
- 	<listitem>

shadow-4.9-nss-get-shadow-logfd-with-log-get-logfd.patch

@@ -1,48 +0,0 @@
-From e101219ad71de11da3fdd1b3ec2620fd1a97b92c Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa <ipedrosa@redhat.com>
-Date: Mon, 10 Jan 2022 15:30:28 +0100
-Subject: [PATCH] nss: get shadow_logfd with log_get_logfd()
-
-If /etc/nsswitch.conf doesn't exist podman crashes because shadow_logfd
-is NULL. In order to avoid that load the log file descriptor with the
-log_get_logfd() helper function.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2038811
-
-Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
----
- lib/nss.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/lib/nss.c b/lib/nss.c
-index 02742902..06fa48e5 100644
---- a/lib/nss.c
-+++ b/lib/nss.c
-@@ -9,6 +9,7 @@
- #include "prototypes.h"
- #include "../libsubid/subid.h"
- #include "shadowlog_internal.h"
-+#include "shadowlog.h"
- 
- #define NSSWITCH "/etc/nsswitch.conf"
- 
-@@ -42,6 +43,7 @@ void nss_init(const char *nsswitch_path) {
- 	FILE *nssfp = NULL;
- 	char *line = NULL, *p, *token, *saveptr;
- 	size_t len = 0;
-+	FILE *shadow_logfd = log_get_logfd();
- 
- 	if (atomic_flag_test_and_set(&nss_init_started)) {
- 		// Another thread has started nss_init, wait for it to complete
-@@ -57,7 +59,7 @@ void nss_init(const char *nsswitch_path) {
- 	//   subid:	files
- 	nssfp = fopen(nsswitch_path, "r");
- 	if (!nssfp) {
--		fprintf(shadow_logfd, "Failed opening %s: %m", nsswitch_path);
-+		fprintf(shadow_logfd, "Failed opening %s: %m\n", nsswitch_path);
- 		atomic_store(&nss_init_completed, true);
- 		return;
- 	}
--- 
-2.34.1
-

shadow-utils.HOME_MODE.xml

@@ -1,43 +0,0 @@
-<!--
-   Copyright (c) 1991 - 1993, Julianne Frances Haugh
-   Copyright (c) 1991 - 1993, Chip Rosenthal
-   Copyright (c) 2007 - 2009, Nicolas François
-   All rights reserved.
-  
-   Redistribution and use in source and binary forms, with or without
-   modification, are permitted provided that the following conditions
-   are met:
-   1. Redistributions of source code must retain the above copyright
-      notice, this list of conditions and the following disclaimer.
-   2. Redistributions in binary form must reproduce the above copyright
-      notice, this list of conditions and the following disclaimer in the
-      documentation and/or other materials provided with the distribution.
-   3. The name of the copyright holders or contributors may not be used to
-      endorse or promote products derived from this software without
-      specific prior written permission.
-  
-   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
-   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--->
-<varlistentry>
-  <term><option>HOME_MODE</option> (number)</term>
-  <listitem>
-    <para>
-      The mode for new home directories. If not specified,
-      the <option>UMASK</option> is used to create the mode.
-    </para>
-    <para>
-      <command>useradd</command> and <command>newusers</command> use this
-      to set the mode of the home directory they create.
-    </para>
-  </listitem>
-</varlistentry>

shadow-utils.login.defs

@@ -6,121 +6,15 @@
 # /etc/pam.d/system-auth for more information.
 #
 
-#
-# Delay in seconds before being allowed another attempt after a login failure
-# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
-#       pam_unix(8) enforces a 2s delay)
-#
-#FAIL_DELAY		3
-
-# Currently FAILLOG_ENAB is not supported
-
-#
-# Enable display of unknown usernames when login(1) failures are recorded.
-#
-#LOG_UNKFAIL_ENAB	no
-
-# Currently LOG_OK_LOGINS is not supported
-
-# Currently LASTLOG_ENAB is not supported
-
-#
-# Limit the highest user ID number for which the lastlog entries should
-# be updated.
-#
-# No LASTLOG_UID_MAX means that there is no user ID limit for writing
-# lastlog entries.
-#
-#LASTLOG_UID_MAX
-
-# Currently MAIL_CHECK_ENAB is not supported
-
-# Currently OBSCURE_CHECKS_ENAB is not supported
-
-# Currently PORTTIME_CHECKS_ENAB is not supported
-
-# Currently QUOTAS_ENAB is not supported
-
-# Currently SYSLOG_SU_ENAB is not supported
-
-#
-# Enable "syslog" logging of newgrp(1) and sg(1) activity.
-#
-#SYSLOG_SG_ENAB		yes
-
-# Currently CONSOLE is not supported
-
-# Currently SULOG_FILE is not supported
-
-# Currently MOTD_FILE is not supported
-
-# Currently ISSUE_FILE is not supported
-
-# Currently TTYTYPE_FILE is not supported
-
-# Currently FTMP_FILE is not supported
-
-# Currently NOLOGINS_FILE is not supported
-
-# Currently SU_NAME is not supported
-
 # *REQUIRED*
 #   Directory where mailboxes reside, _or_ name of file, relative to the
 #   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
+#   QMAIL_DIR is for Qmail
 #
+#QMAIL_DIR	Maildir
 MAIL_DIR	/var/spool/mail
 #MAIL_FILE	.mail
 
-#
-# If defined, file which inhibits all the usual chatter during the login
-# sequence.  If a full pathname, then hushed mode will be enabled if the
-# user's name or shell are found in the file.  If not a full pathname, then
-# hushed mode will be enabled if the file exists in the user's home directory.
-#
-#HUSHLOGIN_FILE	.hushlogin
-#HUSHLOGIN_FILE	/etc/hushlogins
-
-# Currently ENV_TZ is not supported
-
-# Currently ENV_HZ is not supported
-
-#
-# The default PATH settings, for superuser and normal users.
-#
-# (they are minimal, add the rest in the shell startup files)
-#ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
-#ENV_PATH	PATH=/bin:/usr/bin
-
-#
-# Terminal permissions
-#
-#	TTYGROUP	Login tty will be assigned this group ownership.
-#	TTYPERM		Login tty will be set to this permission.
-#
-# If you have a write(1) program which is "setgid" to a special group
-# which owns the terminals, define TTYGROUP as the number of such group
-# and TTYPERM as 0620.  Otherwise leave TTYGROUP commented out and
-# set TTYPERM to either 622 or 600.
-#
-#TTYGROUP	tty
-#TTYPERM		0600
-
-# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
-
-# Default initial "umask" value used by login(1) on non-PAM enabled systems.
-# Default "umask" value for pam_umask(8) on PAM enabled systems.
-# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-# home directories if HOME_MODE is not set.
-# 022 is the default value, but 027, or even 077, could be considered
-# for increased privacy. There is no One True Answer here: each sysadmin
-# must make up their mind.
-UMASK		022
-
-# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
-# home directories.
-# If HOME_MODE is not set, the value of UMASK is used to create the mode.
-HOME_MODE	0700
-
 # Password aging controls:
 #
 #	PASS_MAX_DAYS	Maximum number of days a password may be used.
@@ -130,132 +24,26 @@ HOME_MODE	0700
 #
 PASS_MAX_DAYS	99999
 PASS_MIN_DAYS	0
+PASS_MIN_LEN	5
 PASS_WARN_AGE	7
 
-# Currently PASS_MIN_LEN is not supported
-
-# Currently SU_WHEEL_ONLY is not supported
-
-# Currently CRACKLIB_DICTPATH is not supported
-
 #
-# Min/max values for automatic uid selection in useradd(8)
+# Min/max values for automatic uid selection in useradd
 #
 UID_MIN                  1000
 UID_MAX                 60000
 # System accounts
 SYS_UID_MIN               201
 SYS_UID_MAX               999
-# Extra per user uids
-SUB_UID_MIN		   100000
-SUB_UID_MAX		600100000
-SUB_UID_COUNT		    65536
 
 #
-# Min/max values for automatic gid selection in groupadd(8)
+# Min/max values for automatic gid selection in groupadd
 #
 GID_MIN                  1000
 GID_MAX                 60000
 # System accounts
 SYS_GID_MIN               201
 SYS_GID_MAX               999
-# Extra per user group ids
-SUB_GID_MIN		   100000
-SUB_GID_MAX		600100000
-SUB_GID_COUNT		    65536
-
-#
-# Max number of login(1) retries if password is bad
-#
-#LOGIN_RETRIES		3
-
-#
-# Max time in seconds for login(1)
-#
-#LOGIN_TIMEOUT		60
-
-# Currently PASS_CHANGE_TRIES is not supported
-
-# Currently PASS_ALWAYS_WARN is not supported
-
-# Currently PASS_MAX_LEN is not supported
-
-# Currently CHFN_AUTH is not supported
-
-#
-# Which fields may be changed by regular users using chfn(1) - use
-# any combination of letters "frwh" (full name, room number, work
-# phone, home phone).  If not defined, no changes are allowed.
-# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-# 
-#CHFN_RESTRICT		rwh
-
-# Currently LOGIN_STRING is not supported
-
-# Currently MD5_CRYPT_ENAB is not supported
-
-#
-# If set to MD5, MD5-based algorithm will be used for encrypting password
-# If set to SHA256, SHA256-based algorithm will be used for encrypting password
-# If set to SHA512, SHA512-based algorithm will be used for encrypting password
-# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
-# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
-# If set to DES, DES-based algorithm will be used for encrypting password (default)
-#
-ENCRYPT_METHOD YESCRYPT
-
-#
-# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
-#
-# Define the number of SHA rounds.
-# With a lot of rounds, it is more difficult to brute-force the password.
-# However, more CPU resources will be needed to authenticate users if
-# this value is increased.
-#
-# If not specified, the libc will choose the default number of rounds (5000).
-# The values must be within the 1000-999999999 range.
-#
-#SHA_CRYPT_MAX_ROUNDS 5000
-
-# Currently SHA_CRYPT_MIN_ROUNDS is not supported
-
-#
-# Only works if ENCRYPT_METHOD is set to BCRYPT.
-#
-# Define the number of BCRYPT rounds.
-# With a lot of rounds, it is more difficult to brute-force the password.
-# However, more CPU resources will be needed to authenticate users if
-# this value is increased.
-#
-# If not specified, 13 rounds will be attempted.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
-#
-#BCRYPT_MIN_ROUNDS 13
-#BCRYPT_MAX_ROUNDS 31
-
-#
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
-#
-# Define the YESCRYPT cost factor.
-# With a higher cost factor, it is more difficult to brute-force the password.
-# However, more CPU time and more memory will be needed to authenticate users
-# if this value is increased.
-#
-# If not specified, a cost factor of 5 will be used.
-# The value must be within the 1-11 range.
-#
-#YESCRYPT_COST_FACTOR 5
-
-# Currently CONSOLE_GROUPS is not supported
-
-#
-# Should login be allowed if we can't cd to the home directory?
-# Default is yes.
-#
-#DEFAULT_HOME	yes
-
-# Currently ENVIRON_FILE is not supported
 
 #
 # If defined, this command is run when removing a user.
@@ -265,41 +53,20 @@ ENCRYPT_METHOD YESCRYPT
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# Enables userdel(8) to remove user groups if no members exist.
-#
-USERGROUPS_ENAB yes
-
-#
-# If set to a non-zero number, the shadow utilities will make sure that
-# groups never have more than this number of users on one line.
-# This permits to support split groups (groups split into multiple lines,
-# with the same group ID, to avoid limitation of the line length in the
-# group file).
-#
-# 0 is the default value and disables this feature.
-#
-#MAX_MEMBERS_PER_GROUP	0
-
-#
-# If useradd(8) should create home directories for users by default (non
-# system users only).
-# This option is overridden with the -M or -m flags on the useradd(8)
-# command-line.
+# If useradd should create home directories for users by default
+# On RH systems, we do. This option is overridden with the -m flag on
+# useradd command line.
 #
 CREATE_HOME	yes
 
-#
-# Force use shadow, even if shadow passwd & shadow group files are
-# missing.
-#
-#FORCE_SHADOW    yes
+# The permission mask is initialized to this value. If not specified, 
+# the permission mask will be initialized to 022.
+UMASK           077
 
+# This enables userdel to remove user groups if no members exist.
 #
-# Select the HMAC cryptography algorithm.
-# Used in pam_timestamp module to calculate the keyed-hash message
-# authentication code.
-#
-# Note: It is recommended to check hmac(3) to see the possible algorithms
-# that are available in your system.
-#
-HMAC_CRYPTO_ALGO SHA512
+USERGROUPS_ENAB yes
+
+# Use SHA512 to encrypt password.
+ENCRYPT_METHOD SHA512
+

shadow-utils.spec

@@ -1,79 +1,57 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
-Version: 4.11.1
-Release: 4%{?dist}
+Version: 4.6
+Release: 9%{?dist}
 Epoch: 2
-License: BSD and GPLv2+
-URL: https://github.com/shadow-maint/shadow
-Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
-Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
+URL: http://pkg-shadow.alioth.debian.org/
+Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
+Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
 Source2: shadow-utils.useradd
 Source3: shadow-utils.login.defs
 Source4: shadow-bsd.txt
 Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
-Source6: shadow-utils.HOME_MODE.xml
+Patch0: shadow-4.6-redhat.patch
+Patch1: shadow-4.5-goodname.patch
+Patch2: shadow-4.1.5.1-info-parent-dir.patch
+Patch6: shadow-4.6-selinux.patch
+Patch10: shadow-4.6-orig-context.patch
+Patch11: shadow-4.1.5.1-logmsg.patch
+Patch14: shadow-4.1.5.1-default-range.patch
+Patch15: shadow-4.3.1-manfix.patch
+Patch17: shadow-4.1.5.1-userdel-helpfix.patch
+Patch19: shadow-4.2.1-date-parsing.patch
+Patch21: shadow-4.6-move-home.patch
+Patch22: shadow-4.6-audit-update.patch
+Patch23: shadow-4.5-usermod-unlock.patch
+Patch24: shadow-4.2.1-no-lock-dos.patch
+Patch28: shadow-4.3.1-selinux-perms.patch
+Patch29: shadow-4.2.1-null-tm.patch
+Patch31: shadow-4.6-getenforce.patch
+Patch32: shadow-4.5-crypt_h.patch
+Patch33: shadow-4.5-long-entry.patch
+Patch34: shadow-4.6-usermod-crash.patch
+Patch35: shadow-4.6-coverity.patch
+Patch36: shadow-4.6-use-itstool.patch
+Patch37: shadow-4.6-sssd-flush.patch
+Patch38: shadow-4.6-sysugid-min-limit.patch
+Patch39: shadow-4.6-chgrp-guard.patch
+# Generate /var/spool/mail/$USER with the proper SELinux user identity - already upstreamed
+Patch40: shadow-4.6-useradd-selinux-mail.patch
 
-### Globals ###
-%global includesubiddir %{_includedir}/shadow
-
-### Patches ###
-# Misc small changes - most probably non-upstreamable
-Patch0: shadow-4.11.1-redhat.patch
-# Be more lenient with acceptable user/group names - non upstreamable
-Patch1: shadow-4.8-goodname.patch
-# SElinux related - upstreamability unknown
-Patch3: shadow-4.9-default-range.patch
-# Misc manual page changes - non-upstreamable
-Patch4: shadow-4.9-manfix.patch
-# Date parsing improvement - could be upstreamed
-Patch5: shadow-4.2.1-date-parsing.patch
-# Additional error message - could be upstreamed
-Patch6: shadow-4.6-move-home.patch
-# Audit message changes - upstreamability unknown
-Patch7: shadow-4.11.1-audit-update.patch
-# Changes related to password unlocking - could be upstreamed
-Patch8: shadow-4.5-usermod-unlock.patch
-# Additional SElinux related changes - upstreamability unknown
-Patch9: shadow-4.8-selinux-perms.patch
-# Handle NULL return from *time funcs - upstreamable
-Patch10: shadow-4.11.1-null-tm.patch
-# Handle /etc/passwd corruption - could be upstreamed
-Patch11: shadow-4.8-long-entry.patch
-# Limit uid/gid allocation to non-zero - could be upstreamed
-Patch12: shadow-4.6-sysugid-min-limit.patch
-# Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
-Patch13: shadow-4.8-ignore-login-prompt.patch
-# https://github.com/shadow-maint/shadow/commit/e101219ad71de11da3fdd1b3ec2620fd1a97b92c
-Patch14: shadow-4.9-nss-get-shadow-logfd-with-log-get-logfd.patch
-# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
-Patch15: shadow-4.11.1-useradd-modify-check-ID-range-for-system-users.patch
-
-### Dependencies ###
-Requires: audit-libs >= 1.6.5
-Requires: libselinux >= 1.25.2-1
-Requires: setup
-
-### Build Dependencies ###
-BuildRequires: audit-libs-devel >= 1.6.5
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: bison
-BuildRequires: docbook-dtds
-BuildRequires: docbook-style-xsl
-BuildRequires: flex
+License: BSD and GPLv2+
 BuildRequires: gcc
-BuildRequires: gettext-devel
-BuildRequires: itstool
-BuildRequires: libacl-devel
-BuildRequires: libattr-devel
 BuildRequires: libselinux-devel >= 1.25.2-1
+BuildRequires: audit-libs-devel >= 1.6.5
 BuildRequires: libsemanage-devel
-BuildRequires: libtool
-BuildRequires: libxslt
-BuildRequires: make
-
-### Provides ###
-Provides: shadow = %{epoch}:%{version}-%{release}
+BuildRequires: libacl-devel, libattr-devel
+BuildRequires: bison, flex, docbook-style-xsl, docbook-dtds
+BuildRequires: autoconf, automake, libtool, gettext-devel
+BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool
+Requires: libselinux >= 1.25.2-1
+Requires: audit-libs >= 1.6.5
+Requires: setup
+Requires(pre): coreutils
+Requires(post): coreutils
 
 %description
 The shadow-utils package includes the necessary programs for
@@ -87,50 +65,39 @@ for all users. The useradd, userdel, and usermod commands are used for
 managing user accounts. The groupadd, groupdel, and groupmod commands
 are used for managing group accounts.
 
-
-### Subpackages ###
-%package subid
-Summary: A library to manage subordinate uid and gid ranges
-License: BSD and GPLv2+
-
-%description subid
-Utility library that provides a way to manage subid ranges.
-
-
-%package subid-devel
-Summary: Development package for shadow-utils-subid
-License: BSD and GPLv2+
-Requires: shadow-utils-subid = %{epoch}:%{version}-%{release}
-
-%description subid-devel
-Development files for shadow-utils-subid.
-
 %prep
 %setup -q -n shadow-%{version}
 %patch0 -p1 -b .redhat
 %patch1 -p1 -b .goodname
-%patch3 -p1 -b .default-range
-%patch4 -p1 -b .manfix
-%patch5 -p1 -b .date-parsing
-%patch6 -p1 -b .move-home
-%patch7 -p1 -b .audit-update
-%patch8 -p1 -b .unlock
-%patch9 -p1 -b .selinux-perms
-%patch10 -p1 -b .null-tm
-%patch11 -p1 -b .long-entry
-%patch12 -p1 -b .sysugid-min-limit
-%patch13 -p1 -b .login-prompt
-%patch14 -p1 -b .nss-get-shadow-logfd-with-log-get-logfd
-%patch15 -p1 -b .useradd-modify-check-ID-range-for-system-users
+%patch2 -p1 -b .info-parent-dir
+%patch6 -p1 -b .selinux
+%patch10 -p1 -b .orig-context
+%patch11 -p1 -b .logmsg
+%patch14 -p1 -b .default-range
+%patch15 -p1 -b .manfix
+%patch17 -p1 -b .userdel
+%patch19 -p1 -b .date-parsing
+%patch21 -p1 -b .move-home
+%patch22 -p1 -b .audit-update
+%patch23 -p1 -b .unlock
+%patch24 -p1 -b .no-lock-dos
+%patch28 -p1 -b .selinux-perms
+%patch29 -p1 -b .null-tm
+%patch31 -p1 -b .getenforce
+%patch32 -p1 -b .crypt_h
+%patch33 -p1 -b .long-entry
+%patch34 -p1 -b .usermod-crash
+%patch35 -p1 -b .coverity
+%patch36 -p1 -b .use-itstool
+%patch37 -p1 -b .sssd-flush
+%patch38 -p1 -b .sysugid-min-limit
+%patch39 -p1 -b .chgrp-guard
+%patch40 -p1 -b .useradd-selinux-mail
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
 
 cp -a %{SOURCE4} %{SOURCE5} .
-cp -a %{SOURCE6} man/login.defs.d/HOME_MODE.xml
-
-# Force regeneration of getdate.c
-rm libmisc/getdate.c
 
 %build
 %ifarch sparc64
@@ -148,75 +115,74 @@ autoreconf
         --enable-man \
         --with-audit \
         --with-sha-crypt \
-        --with-bcrypt \
-        --with-yescrypt \
         --with-selinux \
         --without-libcrack \
         --without-libpam \
-        --enable-shared \
+        --disable-shared \
         --with-group-name-max-length=32
 %make_build
 
 %install
-%make_install gnulocaledir=$RPM_BUILD_ROOT%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
-install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/default
-install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs
-install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd
+rm -rf $RPM_BUILD_ROOT
+%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
+install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default
+install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs
+install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd
 
 
 ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
-ln -s useradd.8 $RPM_BUILD_ROOT%{_mandir}/man8/adduser.8
-for subdir in $RPM_BUILD_ROOT%{_mandir}/{??,??_??,??_??.*}/man* ; do
+ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
+for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do
         test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
 done
 
 # Remove binaries we don't use.
-rm $RPM_BUILD_ROOT%{_bindir}/chfn
-rm $RPM_BUILD_ROOT%{_bindir}/chsh
-rm $RPM_BUILD_ROOT%{_bindir}/expiry
-rm $RPM_BUILD_ROOT%{_bindir}/groups
-rm $RPM_BUILD_ROOT%{_bindir}/login
-rm $RPM_BUILD_ROOT%{_bindir}/passwd
-rm $RPM_BUILD_ROOT%{_bindir}/su
-rm $RPM_BUILD_ROOT%{_bindir}/faillog
-rm $RPM_BUILD_ROOT%{_sysconfdir}/login.access
-rm $RPM_BUILD_ROOT%{_sysconfdir}/limits
-rm $RPM_BUILD_ROOT%{_sbindir}/logoutd
-rm $RPM_BUILD_ROOT%{_sbindir}/nologin
-rm $RPM_BUILD_ROOT%{_mandir}/man1/chfn.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chfn.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/chsh.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chsh.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/expiry.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/expiry.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/groups.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/groups.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/login.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/login.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/passwd.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/passwd.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/su.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/su.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/limits.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/limits.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/login.access.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/login.access.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/passwd.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/passwd.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/porttime.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/porttime.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/suauth.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/suauth.*
-rm $RPM_BUILD_ROOT%{_mandir}/man8/logoutd.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man8/logoutd.*
-rm $RPM_BUILD_ROOT%{_mandir}/man8/nologin.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man8/nologin.*
-rm $RPM_BUILD_ROOT%{_mandir}/man3/getspnam.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man3/getspnam.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/faillog.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/faillog.*
-rm $RPM_BUILD_ROOT%{_mandir}/man8/faillog.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man8/faillog.*
+rm $RPM_BUILD_ROOT/%{_bindir}/chfn
+rm $RPM_BUILD_ROOT/%{_bindir}/chsh
+rm $RPM_BUILD_ROOT/%{_bindir}/expiry
+rm $RPM_BUILD_ROOT/%{_bindir}/groups
+rm $RPM_BUILD_ROOT/%{_bindir}/login
+rm $RPM_BUILD_ROOT/%{_bindir}/passwd
+rm $RPM_BUILD_ROOT/%{_bindir}/su
+rm $RPM_BUILD_ROOT/%{_bindir}/faillog
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits
+rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd
+rm $RPM_BUILD_ROOT/%{_sbindir}/nologin
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chsh.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/expiry.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/expiry.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/groups.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/groups.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/login.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/login.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/su.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/su.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/limits.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/limits.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/login.access.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/login.access.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/porttime.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/porttime.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.*
 
 find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete
 %find_lang shadow
@@ -228,17 +194,9 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
     echo "%%lang($lang) $dir/man*/*" >> shadow.lang
 done
 
-# Move header files to its own folder
-echo $(ls)
-mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
-install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
-
-# Remove .la and .a files created by libsubid
-rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
-rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
-
 %files -f shadow.lang
 %doc NEWS doc/HOWTO README
+%{!?_licensedir:%global license %%doc}
 %license gpl-2.0.txt shadow-bsd.txt
 %attr(0644,root,root)   %config(noreplace) %{_sysconfdir}/login.defs
 %attr(0644,root,root)   %config(noreplace) %{_sysconfdir}/default/useradd
@@ -285,192 +243,11 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
 %{_mandir}/man8/vipw.8*
 %{_mandir}/man8/vigr.8*
 
-%files subid
-%{_libdir}/libsubid.so.*
-%{_bindir}/getsubids
-%{_mandir}/man1/getsubids.1*
-
-%files subid-devel
-%{includesubiddir}/subid.h
-%{_libdir}/libsubid.so
-
 %changelog
-* Mon Aug  1 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-4
-- useradd: modify check ID range for system users. Resolves: #2093692
-
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.11.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Thu Feb 10 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-2
-- Fix explicit subid requirement for subid-devel
-
-* Tue Jan 25 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-1
-- Rebase to version 4.11.1 (#2034038)
-- Fix release sources
-- Add explicit subid requirement for subid-devel
-
-* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.9-10
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Mon Jan 17 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-9
-- nss: get shadow_logfd with log_get_logfd() (#2038811)
-- lib: make shadow_logfd and Prog not extern
-- lib: rename Prog to shadow_progname
-- lib: provide default values for shadow_progname
-- libsubid: use log_set_progname in subid_init
-
-* Fri Nov 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8
-- getsubids: provide system binary and man page (#1980780)
-- pwck: fix segfault when calling fprintf() (#2021339)
-- newgrp: fix segmentation fault (#2019553)
-- groupdel: fix SIGSEGV when passwd does not exist (#1986111)
-
-* Fri Nov 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7
-- useradd: change SELinux labels for home files (#2022658)
-
-* Thu Nov  4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6
-- useradd: revert fix memleak of grp (#2018697)
-
-* Wed Oct 27 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
-- useradd: generate home and mail directories with selinux user attribute
-
-* Thu Sep 23 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
-- login.defs: include HMAC_CRYPTO_ALGO key
-- Clean spec file: organize dependencies and move License location
-
-* Tue Aug 17 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
-- libmisc: fix default value in SHA_get_salt_rounds()
-
-* Mon Aug  9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-2
-- useradd: avoid generating an empty subid range (#1990653)
-
-* Wed Aug  4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-1
-- Rebase to version 4.9
-- usermod: allow all group types with -G option (#1975327)
-- Clean spec file
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-20
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Wed Jul 14 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-19
-- Add patch to fix 'fread returns element count, not element size'
-
-* Wed Jul 14 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-18
-- Fix regression issues detected in rhbz#667593 and rhbz#672510
-
-* Mon Jul 12 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-17
-- Enable bcrypt support, as libxcrypt supports it well
-
-* Sun Jul 04 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-16
-- Add a patch to obtain random bytes using getentropy()
-- Update shadow-4.8-crypt_h.patch with the upstreamed version
-- Add a patch to make use of crypt_gensalt() from libxcrypt
-
-* Tue Jun 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-15
-- useradd: free correct pointer (#1976809)
-
-* Mon Jun 28 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-14
-- Add a patch to fix the used prefix for the bcrypt hash method
-- Add a patch to cleanup the code in libmisc/salt.c
-- Add a patch adding some clarifying comments in libmisc/salt.c
-- Add a patch to obtain random bytes from /dev/urandom
-
-* Mon Jun 28 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-13
-- Covscan fixes
-
-* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-12
-- Backport support for yescrypt hash method
-- Add a patch to fix the parameter type of YESCRYPT_salt_cost()
-
-* Mon Jun 21 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-11
-- libsubid: don't print error messages on stderr by default
-- libsubid: libsubid_init return false if out of memory
-- useradd: fix SUB_UID_COUNT=0
-- libsubid: don't return owner in list_owner_ranges API call
-- libsubid: libsubid_init don't print messages on error
-- libsubid: fix newusers when nss provides subids
-- man: clarify subid delegation
-- libsubid: make shadow_logfd not extern
-
-* Thu May  6 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-10
-- man: mention NSS in new[ug]idmap manpages
-- libsubid: move development header to shadow folder
-
-* Fri Apr 16 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-9
-- libsubid: creation and nsswitch support
-- Creation of subid and subid-devel subpackages
-
-* Mon Mar 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-8
-- man: include lastlog file caveat (#951564)
-- Upstream links to several patches
-- Spec file cleanup by Robert Scheck
-- Add BuildRequires: make by Tom Stellard
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Mon Nov  9 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-6
-- commonio: force lock file sync (#1862056)
-
-* Tue Nov  3 2020 Petr Lautrbach <plautrba@redhat.com> - 2:4.8.1-5
-- Rebuild with libsemanage.so.2
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Thu May 14 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-3
-- check only local groups when adding new supplementary groups to a user (#1727236)
-
-* Tue Mar 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-2
-- useradd: clarify the useradd -d parameter behavior in man page
-
-* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-1
-- updated upstream to 4.8.1
-
-* Tue Mar 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-5
-- synchronized login.defs with upstream file (#1261099 and #1807957)
-
-* Mon Feb 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-4
+* Mon Feb 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-9
 - fix useradd: doesn't generate spool mail with the proper SELinux user identity
   (#1690527)
 
-* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Thu Jan 16 2020 Tomáš Mráz <tmraz@redhat.com> - 2:4.8-2
-- make the invalid shell check into warning
-
-* Mon Jan 13 2020 Tomáš Mráz <tmraz@redhat.com> - 2:4.8-1
-- update to current upstream release 4.8
-
-* Mon Sep  2 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-16
-- fix SELinux related problem in chpasswd/chgpasswd when run with -R
-  (patch by Petr Lautrbach) (#1747215)
-
-* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-15
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Jun  7 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-14
-- minor auditing fixes
-
-* Fri May  3 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-13
-- use lckpwdf() again to disable concurrent edits of databases by
-  other applications
-
-* Tue Apr  2 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-12
-- force regeneration of getdate.c otherwise the date parsing fix
-  is not applied
-
-* Fri Mar 22 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-11
-- clarify chage manual page in regards to shadow and passwd
-  inconsistency (#1686440)
-
-* Thu Mar 21 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-10
-- Ignore LOGIN_PLAIN_PROMPT variable in login.defs
-
-* Thu Mar  7 2019 Tim Landscheidt <tim@tim-landscheidt.de> - 2:4.6-9
-- Remove obsolete requirements for post/pre scriptlets
-
 * Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 

sources

@@ -1,2 +1,2 @@
-SHA512 (shadow-4.11.1.tar.xz) = 12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f
-SHA512 (shadow-4.11.1.tar.xz.asc) = 4594189678cc9bcc8831f62a5d42c605b085be4a3b540429d7c800f4304e2e8fe04358547917eb90c1513646fade7c714611bfdc98af7dec5321a3dc3e65c4fd
+SHA512 (shadow-4.6.tar.xz) = e8eee52c649d9973f724bc2d5aeee71fa2e6a2e41ec3487cd6cf6d47af70c32e0cdf304df29b32eae2b6eb6f9066866b5f2c891add0ec87ba583bea3207b3631
+SHA512 (shadow-4.6.tar.xz.asc) = 8728bff5544db6ea123f758cce5bd5c2d346489570c33092e4e97db35c274d7aba01580018f120e4ad80b8f79cfe296a33bccbe9bf68df51bf9b2004c6bfffed