allow all types of groups when modifying supplementary groups (#1975327)

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

.gitignore

@@ -14,7 +14,3 @@ shadow-4.1.4.2.tar.bz2
 /shadow-4.8.tar.xz.asc
 /shadow-4.8.1.tar.xz
 /shadow-4.8.1.tar.xz.asc
-/shadow-4.9.tar.xz
-/shadow-4.9.tar.xz.asc
-/shadow-4.11.1.tar.xz
-/shadow-4.11.1.tar.xz.asc

shadow-4.1.5.1-default-range.patch

@@ -1,6 +1,7 @@
-diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
---- shadow-4.9/lib/semanage.c.default-range	2021-07-22 23:55:35.000000000 +0200
-+++ shadow-4.9/lib/semanage.c	2021-08-02 12:43:16.822817392 +0200
+Index: shadow-4.5/lib/semanage.c
+===================================================================
+--- shadow-4.5.orig/lib/semanage.c
++++ shadow-4.5/lib/semanage.c
 @@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
  		goto done;
  	}
@@ -8,7 +9,7 @@ diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
 +#if 0
  	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
  	if (ret != 0) {
- 		fprintf (shadow_logfd,
+ 		fprintf (stderr,
 @@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
  		ret = 1;
  		goto done;
@@ -24,7 +25,7 @@ diff -up shadow-4.9/lib/semanage.c.default-range shadow-4.9/lib/semanage.c
 +#if 0
  	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
  	if (ret != 0) {
- 		fprintf (shadow_logfd,
+ 		fprintf (stderr,
 @@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
  		ret = 1;
  		goto done;

shadow-4.1.5.1-info-parent-dir.patch

@@ -0,0 +1,21 @@
+Index: shadow-4.5/man/newusers.8.xml
+===================================================================
+--- shadow-4.5.orig/man/newusers.8.xml
++++ shadow-4.5/man/newusers.8.xml
+@@ -218,7 +218,15 @@
+ 	  <para>
+ 	    If this field does not specify an existing directory, the
+ 	    specified directory is created, with ownership set to the
+-	    user being created or updated and its primary group.
++	    user being created or updated and its primary group. Note 
++            that newusers does not create parent directories of the new 
++            user's home directory. The newusers command will fail to 
++            create the home directory if the parent directories do not 
++            exist, and will send a message to stderr informing the user 
++            of the failure. The newusers command will not halt or return 
++            a failure to the calling shell if it fails to create the home 
++            directory, it will continue to process the batch of new users 
++            specified.
+ 	  </para>
+ 	  <para>
+ 	    If the home directory of an existing user is changed,

shadow-4.1.5.1-logmsg.patch

@@ -0,0 +1,13 @@
+Index: shadow-4.5/src/useradd.c
+===================================================================
+--- shadow-4.5.orig/src/useradd.c
++++ shadow-4.5/src/useradd.c
+@@ -323,7 +323,7 @@ static void fail_exit (int code)
+ 	              user_name, AUDIT_NO_ID,
+ 	              SHADOW_AUDIT_FAILURE);
+ #endif
+-	SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
++	SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
+ 	exit (code);
+ }
+ 

shadow-4.1.5.1-userdel-helpfix.patch

@@ -0,0 +1,16 @@
+Index: shadow-4.5/src/userdel.c
+===================================================================
+--- shadow-4.5.orig/src/userdel.c
++++ shadow-4.5/src/userdel.c
+@@ -143,8 +143,9 @@ static void usage (int status)
+ 	                  "\n"
+ 	                  "Options:\n"),
+ 	                Prog);
+-	(void) fputs (_("  -f, --force                   force removal of files,\n"
+-	                "                                even if not owned by user\n"),
++	(void) fputs (_("  -f, --force                   force some actions that would fail otherwise\n"
++			"                                e.g. removal of user still logged in\n"
++			"                                or files, even if not owned by the user\n"),
+ 	              usageout);
+ 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
+ 	(void) fputs (_("  -r, --remove                  remove home directory and mail spool\n"), usageout);

shadow-4.11.1-null-tm.patch

@@ -1,22 +0,0 @@
-diff -up shadow-4.11.1/src/chage.c.null-tm shadow-4.11.1/src/chage.c
-diff -up shadow-4.11.1/src/lastlog.c.null-tm shadow-4.11.1/src/lastlog.c
---- shadow-4.11.1/src/lastlog.c.null-tm	2022-01-03 15:31:56.348555620 +0100
-+++ shadow-4.11.1/src/lastlog.c	2022-01-03 15:38:41.262229024 +0100
-@@ -151,9 +151,12 @@ static void print_one (/*@null@*/const s
- 
- 	ll_time = ll.ll_time;
- 	tm = localtime (&ll_time);
--	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
--	cp = ptime;
--
-+	if (tm == NULL) {
-+		cp = "(unknown)";
-+	} else {
-+		strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
-+		cp = ptime;
-+	}
- 	if (ll.ll_time == (time_t) 0) {
- 		cp = _("**Never logged in**\0");
- 	}
-diff -up shadow-4.11.1/src/passwd.c.null-tm shadow-4.11.1/src/passwd.c
-diff -up shadow-4.11.1/src/usermod.c.null-tm shadow-4.11.1/src/usermod.c

shadow-4.11.1-useradd-modify-check-ID-range-for-system-users.patch

@@ -1,40 +0,0 @@
-From f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa <ipedrosa@redhat.com>
-Date: Tue, 4 Jan 2022 13:06:00 +0100
-Subject: [PATCH] useradd: modify check ID range for system users
-
-useradd warns that a system user ID less than SYS_UID_MIN is outside the
-expected range, even though that ID has been specifically selected with
-the "-u" option.
-
-In my opinion all the user ID's below SYS_UID_MAX are for the system,
-thus I change the condition to take that into account.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004911
-
-Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
----
- src/useradd.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/useradd.c b/src/useradd.c
-index 34376fa5..4c71c38a 100644
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -2409,11 +2409,9 @@ static void check_uid_range(int rflg, uid_t user_id)
- 	uid_t uid_min ;
- 	uid_t uid_max ;
- 	if (rflg) {
--		uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
- 		uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
--		if (uid_min <= uid_max) {
--			if (user_id < uid_min || user_id >uid_max)
--				fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
-+		if (user_id > uid_max) {
-+			fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
- 		}
- 	}else{
- 		uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
--- 
-2.37.1
-

shadow-4.2.1-null-tm.patch

@@ -0,0 +1,91 @@
+Index: shadow-4.5/src/faillog.c
+===================================================================
+--- shadow-4.5.orig/src/faillog.c
++++ shadow-4.5/src/faillog.c
+@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
+ 	}
+ 
+ 	tm = localtime (&fl.fail_time);
++	if (tm == NULL) {
++		cp = "(unknown)";
++	} else {
+ #ifdef HAVE_STRFTIME
+-	strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
+-	cp = ptime;
++		strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
++		cp = ptime;
+ #endif
++	}
+ 	printf ("%-9s   %5d    %5d   ",
+ 	        pw->pw_name, fl.fail_cnt, fl.fail_max);
+ 	/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
+Index: shadow-4.5/src/chage.c
+===================================================================
+--- shadow-4.5.orig/src/chage.c
++++ shadow-4.5/src/chage.c
+@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
+ 	struct tm *tp;
+ 
+ 	tp = gmtime (&date);
++	if (tp == NULL) {
++		(void) snprintf (buf, maxsize, "(unknown)");
++		return;
++	}
+ #ifdef HAVE_STRFTIME
+ 	(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
+ #else
+Index: shadow-4.5/src/lastlog.c
+===================================================================
+--- shadow-4.5.orig/src/lastlog.c
++++ shadow-4.5/src/lastlog.c
+@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
+ 
+ 	ll_time = ll.ll_time;
+ 	tm = localtime (&ll_time);
++	if (tm == NULL) {
++		cp = "(unknown)";
++	} else {
+ #ifdef HAVE_STRFTIME
+-	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+-	cp = ptime;
++		strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
++		cp = ptime;
+ #else
+-	cp = asctime (tm);
+-	cp[24] = '\0';
++		cp = asctime (tm);
++		cp[24] = '\0';
+ #endif
++	}
+ 
+ 	if (ll.ll_time == (time_t) 0) {
+ 		cp = _("**Never logged in**\0");
+Index: shadow-4.5/src/passwd.c
+===================================================================
+--- shadow-4.5.orig/src/passwd.c
++++ shadow-4.5/src/passwd.c
+@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
+ 	struct tm *tm;
+ 
+ 	tm = gmtime (&t);
++	if (tm == NULL) {
++		return "(unknown)";
++	}
+ #ifdef HAVE_STRFTIME
+ 	(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
+ #else				/* !HAVE_STRFTIME */
+Index: shadow-4.5/src/usermod.c
+===================================================================
+--- shadow-4.5.orig/src/usermod.c
++++ shadow-4.5/src/usermod.c
+@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
+ 	} else {
+ 		time_t t = (time_t) date;
+ 		tp = gmtime (&t);
++		if (tp == NULL) {
++			strncpy (buf, "unknown", maxsize);
++			return;
++		}
+ #ifdef HAVE_STRFTIME
+ 		strftime (buf, maxsize, "%Y-%m-%d", tp);
+ #else

shadow-4.6-getenforce.patch

@@ -0,0 +1,21 @@
+diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
+--- shadow-4.6/lib/selinux.c.getenforce	2018-05-28 15:10:15.870315221 +0200
++++ shadow-4.6/lib/selinux.c	2018-05-28 15:10:15.894315731 +0200
+@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
+ 	}
+ 	return 0;
+     error:
+-	if (security_getenforce () != 0) {
++	if (security_getenforce () > 0) {
+ 		return 1;
+ 	}
+ 	return 0;
+@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
+ 		selinux_checked = true;
+ 	}
+ 	if (selinux_enabled) {
+-		if (setfscreatecon (NULL) != 0) {
++		if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
+ 			return 1;
+ 		}
+ 	}

shadow-4.6-redhat.patch

@@ -1,16 +1,16 @@
-diff -up shadow-4.11.1/src/useradd.c.redhat shadow-4.11.1/src/useradd.c
---- shadow-4.11.1/src/useradd.c.redhat	2022-01-03 01:46:53.000000000 +0100
-+++ shadow-4.11.1/src/useradd.c	2022-01-03 14:53:12.988484829 +0100
-@@ -82,7 +82,7 @@ const char *Prog;
- static gid_t def_group = 1000;
+diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
+--- shadow-4.6/src/useradd.c.redhat	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/src/useradd.c	2018-05-28 13:37:16.695651258 +0200
+@@ -98,7 +98,7 @@ const char *Prog;
+ static gid_t def_group = 100;
  static const char *def_gname = "other";
  static const char *def_home = "/home";
--static const char *def_shell = "/bin/bash";
+-static const char *def_shell = "";
 +static const char *def_shell = "/sbin/nologin";
  static const char *def_template = SKEL_DIR;
- static const char *def_create_mail_spool = "yes";
- static const char *def_log_init = "yes";
-@@ -93,7 +93,7 @@ static const char *def_expire = "";
+ static const char *def_create_mail_spool = "no";
+ 
+@@ -108,7 +108,7 @@ static const char *def_expire = "";
  #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
  
  static const char *user_name = "";
@@ -19,7 +19,7 @@ diff -up shadow-4.11.1/src/useradd.c.redhat shadow-4.11.1/src/useradd.c
  static uid_t user_id;
  static gid_t user_gid;
  static const char *user_comment = "";
-@@ -1219,9 +1219,9 @@ static void process_flags (int argc, cha
+@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha
  		};
  		while ((c = getopt_long (argc, argv,
  #ifdef WITH_SELINUX
@@ -31,7 +31,7 @@ diff -up shadow-4.11.1/src/useradd.c.redhat shadow-4.11.1/src/useradd.c
  #endif				/* !WITH_SELINUX */
  		                         long_options, NULL)) != -1) {
  			switch (c) {
-@@ -1378,6 +1378,7 @@ static void process_flags (int argc, cha
+@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha
  			case 'M':
  				Mflg = true;
  				break;

shadow-4.8-crypt_h.patch

@@ -0,0 +1,35 @@
+diff -up shadow-4.8/configure.ac.crypt_h shadow-4.8/configure.ac
+--- shadow-4.8/configure.ac.crypt_h	2020-01-13 10:26:17.400481712 +0100
++++ shadow-4.8/configure.ac	2020-01-13 10:29:11.563529093 +0100
+@@ -32,7 +32,7 @@ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+ AC_HEADER_STDBOOL
+ 
+-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
++AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
+ 	utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
+ 	utime.h ulimit.h sys/capability.h sys/resource.h gshadow.h lastlog.h \
+ 	locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
+diff -up shadow-4.8/lib/defines.h.crypt_h shadow-4.8/lib/defines.h
+--- shadow-4.8/lib/defines.h.crypt_h	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8/lib/defines.h	2020-01-13 10:26:17.400481712 +0100
+@@ -4,6 +4,8 @@
+ #ifndef _DEFINES_H_
+ #define _DEFINES_H_
+ 
++#include "config.h"
++
+ #if HAVE_STDBOOL_H
+ # include <stdbool.h>
+ #else
+@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
+ # include <unistd.h>
+ #endif
+ 
++#if HAVE_CRYPT_H
++# include <crypt.h>		/* crypt(3) may be defined in here */
++#endif
++
+ #if TIME_WITH_SYS_TIME
+ # include <sys/time.h>
+ # include <time.h>

shadow-4.8-selinux.patch

@@ -0,0 +1,241 @@
+diff -up shadow-4.8/lib/commonio.c.selinux shadow-4.8/lib/commonio.c
+--- shadow-4.8/lib/commonio.c.selinux	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8/lib/commonio.c	2020-01-13 10:08:53.769101131 +0100
+@@ -964,7 +964,7 @@ int commonio_close (struct commonio_db *
+ 		snprintf (buf, sizeof buf, "%s-", db->filename);
+ 
+ #ifdef WITH_SELINUX
+-		if (set_selinux_file_context (buf) != 0) {
++		if (set_selinux_file_context (buf, db->filename) != 0) {
+ 			errors++;
+ 		}
+ #endif
+@@ -997,7 +997,7 @@ int commonio_close (struct commonio_db *
+ 	snprintf (buf, sizeof buf, "%s+", db->filename);
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (buf) != 0) {
++	if (set_selinux_file_context (buf, db->filename) != 0) {
+ 		errors++;
+ 	}
+ #endif
+diff -up shadow-4.8/libmisc/copydir.c.selinux shadow-4.8/libmisc/copydir.c
+--- shadow-4.8/libmisc/copydir.c.selinux	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8/libmisc/copydir.c	2020-01-13 10:08:53.769101131 +0100
+@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
+ 	 */
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
+ 	}
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		free (oldlink);
+ 		return -1;
+ 	}
+@@ -684,7 +684,7 @@ static int copy_special (const char *src
+ 	int err = 0;
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
+ 		return -1;
+ 	}
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+diff -up shadow-4.8/lib/prototypes.h.selinux shadow-4.8/lib/prototypes.h
+--- shadow-4.8/lib/prototypes.h.selinux	2020-01-13 10:08:53.769101131 +0100
++++ shadow-4.8/lib/prototypes.h	2020-01-13 10:11:20.914627399 +0100
+@@ -334,7 +334,7 @@ extern /*@observer@*/const char *crypt_m
+ 
+ /* selinux.c */
+ #ifdef WITH_SELINUX
+-extern int set_selinux_file_context (const char *dst_name);
++extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
+ extern int reset_selinux_file_context (void);
+ extern int check_selinux_permit (const char *perm_name);
+ #endif
+diff -up shadow-4.8/lib/selinux.c.selinux shadow-4.8/lib/selinux.c
+--- shadow-4.8/lib/selinux.c.selinux	2019-11-12 01:18:25.000000000 +0100
++++ shadow-4.8/lib/selinux.c	2020-01-13 10:08:53.769101131 +0100
+@@ -51,7 +51,7 @@ static bool selinux_enabled;
+  *	Callers may have to Reset SELinux to create files with default
+  *	contexts with reset_selinux_file_context
+  */
+-int set_selinux_file_context (const char *dst_name)
++int set_selinux_file_context (const char *dst_name, const char *orig_name)
+ {
+ 	/*@null@*/security_context_t scontext = NULL;
+ 
+@@ -63,19 +63,23 @@ int set_selinux_file_context (const char
+ 	if (selinux_enabled) {
+ 		/* Get the default security context for this file */
+ 		if (matchpathcon (dst_name, 0, &scontext) < 0) {
+-			if (security_getenforce () != 0) {
+-				return 1;
+-			}
++			/* We could not get the default, copy the original */
++			if (orig_name == NULL)
++				goto error;
++			if (getfilecon (orig_name, &scontext) < 0)
++				goto error;
+ 		}
+ 		/* Set the security context for the next created file */
+-		if (setfscreatecon (scontext) < 0) {
+-			if (security_getenforce () != 0) {
+-				return 1;
+-			}
+-		}
++		if (setfscreatecon (scontext) < 0)
++			goto error;
+ 		freecon (scontext);
+ 	}
+ 	return 0;
++    error:
++	if (security_getenforce () != 0) {
++		return 1;
++	}
++	return 0;
+ }
+ 
+ /*
+diff -up shadow-4.8/lib/semanage.c.selinux shadow-4.8/lib/semanage.c
+--- shadow-4.8/lib/semanage.c.selinux	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8/lib/semanage.c	2020-01-13 10:08:53.766101181 +0100
+@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
+ 
+ 	ret = 0;
+ 
++        /* drop obsolete matchpathcon cache */
++        matchpathcon_fini();
++
+ done:
+ 	semanage_seuser_key_free (key);
+ 	semanage_handle_destroy (handle);
+@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
+ 	}
+ 
+ 	ret = 0;
++
++        /* drop obsolete matchpathcon cache */
++        matchpathcon_fini();
++
+ done:
+ 	semanage_handle_destroy (handle);
+ 	return ret;
+diff -up shadow-4.8/src/useradd.c.selinux shadow-4.8/src/useradd.c
+--- shadow-4.8/src/useradd.c.selinux	2020-01-13 10:08:53.762101248 +0100
++++ shadow-4.8/src/useradd.c	2020-01-13 10:08:53.767101164 +0100
+@@ -2078,7 +2078,7 @@ static void create_home (void)
+ 		++bhome;
+ 
+ #ifdef WITH_SELINUX
+-		if (set_selinux_file_context (prefix_user_home) != 0) {
++		if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
+ 			fprintf (stderr,
+ 			         _("%s: cannot set SELinux context for home directory %s\n"),
+ 			         Prog, user_home);
+@@ -2232,6 +2232,7 @@ static void create_mail (void)
+  */
+ int main (int argc, char **argv)
+ {
++	int rv = E_SUCCESS;
+ #ifdef ACCT_TOOLS_SETUID
+ #ifdef USE_PAM
+ 	pam_handle_t *pamh = NULL;
+@@ -2454,27 +2455,12 @@ int main (int argc, char **argv)
+ 
+ 	usr_update ();
+ 
+-	if (mflg) {
+-		create_home ();
+-		if (home_added) {
+-			copy_tree (def_template, prefix_user_home, false, false,
+-			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
+-		} else {
+-			fprintf (stderr,
+-			         _("%s: warning: the home directory %s already exists.\n"
+-			           "%s: Not copying any file from skel directory into it.\n"),
+-			         Prog, user_home, Prog);
+-		}
+-
+-	}
+-
+-	/* Do not create mail directory for system accounts */
+-	if (!rflg) {
+-		create_mail ();
+-	}
+-
+ 	close_files ();
+ 
++	nscd_flush_cache ("passwd");
++	nscd_flush_cache ("group");
++	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
++
+ 	/*
+ 	 * tallylog_reset needs to be able to lookup
+ 	 * a valid existing user name,
+@@ -2485,8 +2471,9 @@ int main (int argc, char **argv)
+ 	}
+ 
+ #ifdef WITH_SELINUX
+-	if (Zflg) {
+-		if (set_seuser (user_name, user_selinux) != 0) {
++	if (Zflg && *user_selinux) {
++		if (is_selinux_enabled () > 0) {
++		    if (set_seuser (user_name, user_selinux) != 0) {
+ 			fprintf (stderr,
+ 			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ 			         Prog, user_name, user_selinux);
+@@ -2495,15 +2482,31 @@ int main (int argc, char **argv)
+ 			              "adding SELinux user mapping",
+ 			              user_name, (unsigned int) user_id, 0);
+ #endif				/* WITH_AUDIT */
+-			fail_exit (E_SE_UPDATE);
++			rv = E_SE_UPDATE;
++		    }
+ 		}
+ 	}
+ #endif				/* WITH_SELINUX */
+ 
+-	nscd_flush_cache ("passwd");
+-	nscd_flush_cache ("group");
+-	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
++	if (mflg) {
++		create_home ();
++		if (home_added) {
++			copy_tree (def_template, prefix_user_home, false, true,
++			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
++		} else {
++			fprintf (stderr,
++			         _("%s: warning: the home directory %s already exists.\n"
++			           "%s: Not copying any file from skel directory into it.\n"),
++			         Prog, user_home, Prog);
++		}
++
++	}
++
++	/* Do not create mail directory for system accounts */
++	if (!rflg) {
++		create_mail ();
++	}
+ 
+-	return E_SUCCESS;
++	return rv;
+ }
+ 

shadow-4.8-useradd-selinux-mail.patch

@@ -0,0 +1,61 @@
+From 4dc62ebcf37d7568be1d4ca54367215eba8b8a28 Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Wed, 5 Feb 2020 15:04:39 +0100
+Subject: [PATCH] useradd: doesn't generate /var/spool/mail/$USER with the
+ proper SELinux user identity
+
+Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
+---
+ src/useradd.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a679392d..645d4a40 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -190,6 +190,7 @@ static bool home_added = false;
+ #define E_NAME_IN_USE	9	/* username already in use */
+ #define E_GRP_UPDATE	10	/* can't update group file */
+ #define E_HOMEDIR	12	/* can't create home directory */
++#define E_MAILBOXFILE	13	/* can't create mailbox file */
+ #define E_SE_UPDATE	14	/* can't update SELinux user mapping */
+ #ifdef ENABLE_SUBIDS
+ #define E_SUB_UID_UPDATE 16	/* can't update the subordinate uid file */
+@@ -2210,6 +2211,16 @@ static void create_mail (void)
+ 			sprintf (file, "%s/%s/%s", prefix, spool, user_name);
+ 		else
+ 			sprintf (file, "%s/%s", spool, user_name);
++
++#ifdef WITH_SELINUX
++		if (set_selinux_file_context (file, NULL) != 0) {
++			fprintf (stderr,
++			         _("%s: cannot set SELinux context for mailbox file %s\n"),
++			         Prog, file);
++			fail_exit (E_MAILBOXFILE);
++		}
++#endif
++
+ 		fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0);
+ 		if (fd < 0) {
+ 			perror (_("Creating mailbox file"));
+@@ -2234,6 +2245,15 @@ static void create_mail (void)
+ 
+ 		fsync (fd);
+ 		close (fd);
++#ifdef WITH_SELINUX
++		/* Reset SELinux to create files with default contexts */
++		if (reset_selinux_file_context () != 0) {
++			fprintf (stderr,
++			         _("%s: cannot reset SELinux file creation context\n"),
++			         Prog);
++			fail_exit (E_MAILBOXFILE);
++		}
++#endif
+ 	}
+ }
+ 
+-- 
+2.24.1
+

shadow-4.8.1-check-local-groups.patch

@@ -0,0 +1,331 @@
+From 8762f465d487a52bf68f9c0b7c3c1eb3caea7bc9 Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Mon, 30 Mar 2020 09:08:23 +0200
+Subject: [PATCH 2/2] useradd: check only local groups with -G option
+
+Check only local groups when adding new supplementary groups to a user
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1727236
+---
+ src/useradd.c | 234 +++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 157 insertions(+), 77 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 645d4a40..90210233 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -211,6 +211,7 @@ static void get_defaults (void);
+ static void show_defaults (void);
+ static int set_defaults (void);
+ static int get_groups (char *);
++static struct group * get_local_group (char * grp_name);
+ static void usage (int status);
+ static void new_pwent (struct passwd *);
+ 
+@@ -220,7 +221,10 @@ static void grp_update (void);
+ 
+ static void process_flags (int argc, char **argv);
+ static void close_files (void);
++static void close_group_files (void);
++static void unlock_group_files (void);
+ static void open_files (void);
++static void open_group_files (void);
+ static void open_shadow (void);
+ static void faillog_reset (uid_t);
+ static void lastlog_reset (uid_t);
+@@ -731,6 +735,11 @@ static int get_groups (char *list)
+ 		return 0;
+ 	}
+ 
++	/*
++	 * Open the group files
++	 */
++	open_group_files ();
++
+ 	/*
+ 	 * So long as there is some data to be converted, strip off
+ 	 * each name and look it up. A mix of numerical and string
+@@ -749,7 +758,7 @@ static int get_groups (char *list)
+ 		 * Names starting with digits are treated as numerical
+ 		 * GID values, otherwise the string is looked up as is.
+ 		 */
+-		grp = prefix_getgr_nam_gid (list);
++		grp = get_local_group (list);
+ 
+ 		/*
+ 		 * There must be a match, either by GID value or by
+@@ -799,6 +808,9 @@ static int get_groups (char *list)
+ 		user_groups[ngroups++] = xstrdup (grp->gr_name);
+ 	} while (NULL != list);
+ 
++	close_group_files ();
++	unlock_group_files ();
++
+ 	user_groups[ngroups] = (char *) 0;
+ 
+ 	/*
+@@ -811,6 +823,44 @@ static int get_groups (char *list)
+ 	return 0;
+ }
+ 
++/*
++ * get_local_group - checks if a given group name exists locally
++ *
++ *	get_local_group() checks if a given group name exists locally.
++ *	If the name exists the group information is returned, otherwise NULL is
++ *	returned.
++ */
++static struct group * get_local_group(char * grp_name)
++{
++	const struct group *grp;
++	struct group *result_grp = NULL;
++	long long int gid;
++	char *endptr;
++
++	gid = strtoll (grp_name, &endptr, 10);
++	if (   ('\0' != *grp_name)
++		&& ('\0' == *endptr)
++		&& (ERANGE != errno)
++		&& (gid == (gid_t)gid)) {
++		grp = gr_locate_gid ((gid_t) gid);
++	}
++	else {
++		grp = gr_locate(grp_name);
++	}
++
++	if (grp != NULL) {
++		result_grp = __gr_dup (grp);
++		if (NULL == result_grp) {
++			fprintf (stderr,
++					_("%s: Out of memory. Cannot find group '%s'.\n"),
++					Prog, grp_name);
++			fail_exit (E_GRP_UPDATE);
++		}
++	}
++
++	return result_grp;
++}
++
+ /*
+  * usage - display usage message and exit
+  */
+@@ -1530,23 +1580,9 @@ static void close_files (void)
+ 		SYSLOG ((LOG_ERR, "failure while writing changes to %s", spw_dbname ()));
+ 		fail_exit (E_PW_UPDATE);
+ 	}
+-	if (do_grp_update) {
+-		if (gr_close () == 0) {
+-			fprintf (stderr,
+-			         _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ());
+-			SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
+-			fail_exit (E_GRP_UPDATE);
+-		}
+-#ifdef	SHADOWGRP
+-		if (is_shadow_grp && (sgr_close () == 0)) {
+-			fprintf (stderr,
+-			         _("%s: failure while writing changes to %s\n"),
+-			         Prog, sgr_dbname ());
+-			SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
+-			fail_exit (E_GRP_UPDATE);
+-		}
+-#endif
+-	}
++
++	close_group_files ();
++
+ #ifdef ENABLE_SUBIDS
+ 	if (is_sub_uid  && (sub_uid_close () == 0)) {
+ 		fprintf (stderr,
+@@ -1587,34 +1623,9 @@ static void close_files (void)
+ 		/* continue */
+ 	}
+ 	pw_locked = false;
+-	if (gr_unlock () == 0) {
+-		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
+-		SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
+-#ifdef WITH_AUDIT
+-		audit_logger (AUDIT_ADD_USER, Prog,
+-		              "unlocking-group-file",
+-		              user_name, AUDIT_NO_ID,
+-		              SHADOW_AUDIT_FAILURE);
+-#endif
+-		/* continue */
+-	}
+-	gr_locked = false;
+-#ifdef	SHADOWGRP
+-	if (is_shadow_grp) {
+-		if (sgr_unlock () == 0) {
+-			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
+-			SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
+-#ifdef WITH_AUDIT
+-			audit_logger (AUDIT_ADD_USER, Prog,
+-			              "unlocking-gshadow-file",
+-			              user_name, AUDIT_NO_ID,
+-			              SHADOW_AUDIT_FAILURE);
+-#endif
+-			/* continue */
+-		}
+-		sgr_locked = false;
+-	}
+-#endif
++
++	unlock_group_files ();
++
+ #ifdef ENABLE_SUBIDS
+ 	if (is_sub_uid) {
+ 		if (sub_uid_unlock () == 0) {
+@@ -1647,6 +1658,71 @@ static void close_files (void)
+ #endif				/* ENABLE_SUBIDS */
+ }
+ 
++/*
++ * close_group_files - close all of the files that were opened
++ *
++ *	close_group_files() closes all of the files that were opened related
++ *  with groups. This causes any modified entries to be written out.
++ */
++static void close_group_files (void)
++{
++	if (do_grp_update) {
++		if (gr_close () == 0) {
++			fprintf (stderr,
++			         _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ());
++			SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
++			fail_exit (E_GRP_UPDATE);
++		}
++#ifdef	SHADOWGRP
++		if (is_shadow_grp && (sgr_close () == 0)) {
++			fprintf (stderr,
++			         _("%s: failure while writing changes to %s\n"),
++			         Prog, sgr_dbname ());
++			SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
++			fail_exit (E_GRP_UPDATE);
++		}
++#endif /* SHADOWGRP */
++	}
++}
++
++/*
++ * unlock_group_files - unlock all of the files that were locked
++ *
++ *	unlock_group_files() unlocks all of the files that were locked related
++ *  with groups. This causes any modified entries to be written out.
++ */
++static void unlock_group_files (void)
++{
++	if (gr_unlock () == 0) {
++		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
++		SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
++#ifdef WITH_AUDIT
++		audit_logger (AUDIT_ADD_USER, Prog,
++		              "unlocking-group-file",
++		              user_name, AUDIT_NO_ID,
++		              SHADOW_AUDIT_FAILURE);
++#endif /* WITH_AUDIT */
++		/* continue */
++	}
++	gr_locked = false;
++#ifdef	SHADOWGRP
++	if (is_shadow_grp) {
++		if (sgr_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_ADD_USER, Prog,
++			              "unlocking-gshadow-file",
++			              user_name, AUDIT_NO_ID,
++			              SHADOW_AUDIT_FAILURE);
++#endif /* WITH_AUDIT */
++			/* continue */
++		}
++		sgr_locked = false;
++	}
++#endif /* SHADOWGRP */
++}
++
+ /*
+  * open_files - lock and open the password files
+  *
+@@ -1668,37 +1744,8 @@ static void open_files (void)
+ 
+ 	/* shadow file will be opened by open_shadow(); */
+ 
+-	/*
+-	 * Lock and open the group file.
+-	 */
+-	if (gr_lock () == 0) {
+-		fprintf (stderr,
+-		         _("%s: cannot lock %s; try again later.\n"),
+-		         Prog, gr_dbname ());
+-		fail_exit (E_GRP_UPDATE);
+-	}
+-	gr_locked = true;
+-	if (gr_open (O_CREAT | O_RDWR) == 0) {
+-		fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
+-		fail_exit (E_GRP_UPDATE);
+-	}
+-#ifdef  SHADOWGRP
+-	if (is_shadow_grp) {
+-		if (sgr_lock () == 0) {
+-			fprintf (stderr,
+-			         _("%s: cannot lock %s; try again later.\n"),
+-			         Prog, sgr_dbname ());
+-			fail_exit (E_GRP_UPDATE);
+-		}
+-		sgr_locked = true;
+-		if (sgr_open (O_CREAT | O_RDWR) == 0) {
+-			fprintf (stderr,
+-			         _("%s: cannot open %s\n"),
+-			         Prog, sgr_dbname ());
+-			fail_exit (E_GRP_UPDATE);
+-		}
+-	}
+-#endif
++	open_group_files ();
++
+ #ifdef ENABLE_SUBIDS
+ 	if (is_sub_uid) {
+ 		if (sub_uid_lock () == 0) {
+@@ -1733,6 +1780,39 @@ static void open_files (void)
+ #endif				/* ENABLE_SUBIDS */
+ }
+ 
++static void open_group_files (void)
++{
++	if (gr_lock () == 0) {
++		fprintf (stderr,
++		         _("%s: cannot lock %s; try again later.\n"),
++		         Prog, gr_dbname ());
++		fail_exit (E_GRP_UPDATE);
++	}
++	gr_locked = true;
++	if (gr_open (O_CREAT | O_RDWR) == 0) {
++		fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
++		fail_exit (E_GRP_UPDATE);
++	}
++
++#ifdef  SHADOWGRP
++	if (is_shadow_grp) {
++		if (sgr_lock () == 0) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sgr_dbname ());
++			fail_exit (E_GRP_UPDATE);
++		}
++		sgr_locked = true;
++		if (sgr_open (O_CREAT | O_RDWR) == 0) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sgr_dbname ());
++			fail_exit (E_GRP_UPDATE);
++		}
++	}
++#endif /* SHADOWGRP */
++}
++
+ static void open_shadow (void)
+ {
+ 	if (!is_shadow_pwd) {
+-- 
+2.25.4
+

shadow-4.8.1-commonio-force-lock-file-sync.patch

@@ -0,0 +1,39 @@
+From fb0f702cbf958a5ee9097c1611212c9880b347ce Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Mon, 2 Nov 2020 17:08:55 +0100
+Subject: [PATCH] commonio: force lock file sync
+
+lib/commonio.c: after writing to the lock file, force a file sync to
+the storage system.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1862056
+---
+ lib/commonio.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index 16fa7e75..c5b3d104 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -157,7 +157,17 @@ static int do_lock_file (const char *file, const char *lock, bool log)
+ 	if (write (fd, buf, (size_t) len) != len) {
+ 		if (log) {
+ 			(void) fprintf (stderr,
+-			                "%s: %s: %s\n",
++			                "%s: %s file write error: %s\n",
++			                Prog, file, strerror (errno));
++		}
++		(void) close (fd);
++		unlink (file);
++		return 0;
++	}
++	if (fdatasync (fd) == -1) {
++		if (log) {
++			(void) fprintf (stderr,
++			                "%s: %s file sync error: %s\n",
+ 			                Prog, file, strerror (errno));
+ 		}
+ 		(void) close (fd);
+-- 
+2.26.2
+

shadow-4.8.1-man-include-lastlog-file-caveat.patch

@@ -0,0 +1,33 @@
+From df6ec1d1693c8c80c323b40d6fc82bb549363db3 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 29 Mar 2021 05:26:28 +0200
+Subject: [PATCH] man: include lastlog file caveat (#313)
+
+man/lastlog.8.xml: add another point to the caveats section regarding
+the handling of the lastlog file by external tools.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=951564
+---
+ man/lastlog.8.xml | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/man/lastlog.8.xml b/man/lastlog.8.xml
+index fc096c8f..7e68282f 100644
+--- a/man/lastlog.8.xml
++++ b/man/lastlog.8.xml
+@@ -233,5 +233,12 @@
+       is no entries for users with UID between 170 and 800 lastlog will appear
+       to hang as it processes entries with UIDs 171-799).
+     </para>
++    <para>
++      Having high UIDs can create problems when handling the <term><filename>
++      /var/log/lastlog</filename></term> with external tools. Although the
++      actual file is sparse and does not use too much space, certain
++      applications are not designed to identify sparse files by default and may
++      require a specific option to handle them.
++    </para>
+   </refsect1>
+ </refentry>
+-- 
+2.30.2
+

shadow-4.8.1-manfix.patch

@@ -0,0 +1,341 @@
+diff -up shadow-4.8.1/man/chage.1.xml.manfix shadow-4.8.1/man/chage.1.xml
+--- shadow-4.8.1/man/chage.1.xml.manfix	2019-10-05 01:28:34.000000000 +0200
++++ shadow-4.8.1/man/chage.1.xml	2020-03-17 15:34:48.750414984 +0100
+@@ -102,6 +102,9 @@
+ 	    Set the number of days since January 1st, 1970 when the password
+ 	    was last changed. The date may also be expressed in the format
+ 	    YYYY-MM-DD (or the format more commonly used in your area).
++	    If the <replaceable>LAST_DAY</replaceable> is set to
++	    <emphasis>0</emphasis> the user is forced to change his password
++	    on the next log on.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -119,6 +122,13 @@
+ 	    system again.
+ 	  </para>
+ 	  <para>
++	    For example the following can be used to set an account to expire
++	    in 180 days:
++	  </para>
++	  <programlisting>
++	    chage -E $(date -d +180days +%Y-%m-%d)
++	  </programlisting>
++	  <para>
+ 	    Passing the number <emphasis remap='I'>-1</emphasis> as the
+ 	    <replaceable>EXPIRE_DATE</replaceable> will remove an account
+ 	    expiration date.
+@@ -239,6 +249,18 @@
+       The <command>chage</command> program requires a shadow password file to
+       be available.
+     </para>
++    <para>
++      The chage program will report only the information from the shadow
++      password file. This implies that configuration from other sources
++     (e.g. LDAP or empty password hash field from the passwd file) that
++     affect the user's login will not be shown in the chage output.
++    </para>
++    <para>
++      The <command>chage</command> program will also not report any
++      inconsistency between the shadow and passwd files (e.g. missing x in
++      the passwd file). The <command>pwck</command> can be used to check
++      for this kind of inconsistencies.
++    </para>
+     <para>The <command>chage</command> command is restricted to the root
+       user, except for the <option>-l</option> option, which may be used by
+       an unprivileged user to determine when their password or account is due
+diff -up shadow-4.8.1/man/groupadd.8.xml.manfix shadow-4.8.1/man/groupadd.8.xml
+--- shadow-4.8.1/man/groupadd.8.xml.manfix	2020-03-17 15:34:48.745414917 +0100
++++ shadow-4.8.1/man/groupadd.8.xml	2020-03-17 15:34:48.750414984 +0100
+@@ -320,13 +320,13 @@
+ 	<varlistentry>
+ 	  <term><replaceable>4</replaceable></term>
+ 	  <listitem>
+-	    <para>GID not unique (when <option>-o</option> not used)</para>
++	    <para>GID is already used (when called without <option>-o</option>)</para>
+ 	  </listitem>
+ 	</varlistentry>
+ 	<varlistentry>
+ 	  <term><replaceable>9</replaceable></term>
+ 	  <listitem>
+-	    <para>group name not unique</para>
++	    <para>group name is already used</para>
+ 	  </listitem>
+ 	</varlistentry>
+ 	<varlistentry>
+diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml
+--- shadow-4.8.1/man/groupmems.8.xml.manfix	2020-03-17 15:34:48.750414984 +0100
++++ shadow-4.8.1/man/groupmems.8.xml	2020-03-17 15:41:13.383588722 +0100
+@@ -179,20 +179,10 @@
+   <refsect1 id='setup'>
+     <title>SETUP</title>
+     <para>
+-      The <command>groupmems</command> executable should be in mode
+-      <literal>2710</literal> as user <emphasis>root</emphasis> and in group
+-      <emphasis>groups</emphasis>. The system administrator can add users to
+-      group <emphasis>groups</emphasis> to allow or disallow them using the
+-      <command>groupmems</command> utility to manage their own group
+-      membership list.
++      In this operating system the <command>groupmems</command> executable
++      is not setuid and regular users cannot use it to manipulate
++      the membership of their own group.
+     </para>
+-
+-    <programlisting>
+-	$ groupadd -r groups
+-	$ chmod 2710 groupmems
+-	$ chown root.groups groupmems
+-	$ groupmems -g groups -a gk4
+-    </programlisting>
+   </refsect1>
+ 
+   <refsect1 id='configuration'>
+diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5
+--- shadow-4.8.1/man/ja/man5/login.defs.5.manfix	2019-07-23 17:26:08.000000000 +0200
++++ shadow-4.8.1/man/ja/man5/login.defs.5	2020-03-17 15:34:48.750414984 +0100
+@@ -147,10 +147,6 @@ 以下の参照表は、
+ shadow パスワード機能のどのプログラムが
+ どのパラメータを使用するかを示したものである。
+ .na
+-.IP chfn 12
+-CHFN_AUTH CHFN_RESTRICT
+-.IP chsh 12
+-CHFN_AUTH
+ .IP groupadd 12
+ GID_MAX GID_MIN
+ .IP newusers 12
+diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml
+--- shadow-4.8.1/man/login.defs.5.xml.manfix	2020-01-17 16:47:56.000000000 +0100
++++ shadow-4.8.1/man/login.defs.5.xml	2020-03-17 15:34:48.750414984 +0100
+@@ -164,6 +164,17 @@
+       long numeric parameters is machine-dependent.
+     </para>
+ 
++    <para>
++      Please note that the parameters in this configuration file control the
++      behavior of the tools from the shadow-utils component. None of these
++      tools uses the PAM mechanism, and the utilities that use PAM (such as the
++      passwd command) should be configured elsewhere. The only values that
++      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
++      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
++      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
++      pam(8) for more information.
++    </para>
++
+     <para>The following configuration items are provided:</para>
+ 
+     <variablelist remap='IP'>
+@@ -256,16 +267,6 @@
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+-	<term>chfn</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CHFN_AUTH</phrase>
+-	    CHFN_RESTRICT
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+ 	<term>chgpasswd</term>
+ 	<listitem>
+ 	  <para>
+@@ -286,14 +287,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry condition="no_pam">
+-	<term>chsh</term>
+-	<listitem>
+-	  <para>
+-	    CHSH_AUTH LOGIN_STRING
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
+       <!-- faillog: no variables -->
+       <varlistentry>
+@@ -359,34 +352,6 @@
+ 	  <para>LASTLOG_UID_MAX</para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>login</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
+-	    ENV_TZ ENVIRON_FILE</phrase>
+-	    ERASECHAR FAIL_DELAY
+-	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
+-	    FAKE_SHELL
+-	    <phrase condition="no_pam">FTMP_FILE</phrase>
+-	    HUSHLOGIN_FILE
+-	    <phrase condition="no_pam">ISSUE_FILE</phrase>
+-	    KILLCHAR
+-	    <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
+-	    LOGIN_RETRIES
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
+-	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
+-	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
+-	    QUOTAS_ENAB</phrase>
+-	    TTYGROUP TTYPERM TTYTYPE_FILE
+-	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
+-	    USERGROUPS_ENAB
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- logoutd: no variables -->
+       <varlistentry>
+ 	<term>newgrp / sg</term>
+@@ -415,17 +380,6 @@
+ 	</listitem>
+       </varlistentry>
+       <!-- nologin: no variables -->
+-      <varlistentry condition="no_pam">
+-	<term>passwd</term>
+-	<listitem>
+-	  <para>
+-	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
+-	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
+-	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+-	    SHA_CRYPT_MIN_ROUNDS</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>pwck</term>
+ 	<listitem>
+@@ -452,32 +406,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>su</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
+-	    ENV_PATH ENV_SUPATH
+-	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
+-	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
+-	    SULOG_FILE SU_NAME
+-	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
+-	    SYSLOG_SU_ENAB
+-	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+-	<term>sulogin</term>
+-	<listitem>
+-	  <para>
+-	    ENV_HZ
+-	    <phrase condition="no_pam">ENV_TZ</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>useradd</term>
+ 	<listitem>
+diff -up shadow-4.8.1/man/shadow.5.xml.manfix shadow-4.8.1/man/shadow.5.xml
+--- shadow-4.8.1/man/shadow.5.xml.manfix	2019-12-01 17:52:32.000000000 +0100
++++ shadow-4.8.1/man/shadow.5.xml	2020-03-17 15:34:48.750414984 +0100
+@@ -129,7 +129,7 @@
+ 	<listitem>
+ 	  <para>
+ 	    The date of the last password change, expressed as the number
+-	    of days since Jan 1, 1970.
++	    of days since Jan 1, 1970 00:00 UTC.
+ 	  </para>
+ 	  <para>
+ 	    The value 0 has a special meaning, which is that the user
+@@ -208,8 +208,8 @@
+ 	  </para>
+ 	  <para>
+ 	    After expiration of the password and this expiration period is
+-	    elapsed, no login is possible using the current user's
+-	    password.  The user should contact her administrator.
++	    elapsed, no login is possible for the user.
++	    The user should contact her administrator.
+ 	  </para>
+ 	  <para>
+ 	    An empty field means that there are no enforcement of an
+@@ -224,7 +224,7 @@
+ 	<listitem>
+ 	  <para>
+ 	    The date of expiration of the account, expressed as the number
+-	    of days since Jan 1, 1970.
++	    of days since Jan 1, 1970 00:00 UTC.
+ 	  </para>
+ 	  <para>
+ 	    Note that an account expiration differs from a password
+diff -up shadow-4.8.1/man/useradd.8.xml.manfix shadow-4.8.1/man/useradd.8.xml
+--- shadow-4.8.1/man/useradd.8.xml.manfix	2020-03-17 15:34:48.745414917 +0100
++++ shadow-4.8.1/man/useradd.8.xml	2020-03-17 15:34:48.751414997 +0100
+@@ -359,6 +359,11 @@
+ 	    <option>CREATE_HOME</option> is not enabled, no home
+ 	    directories are created.
+ 	  </para>
++	  <para>
++	    The directory where the user's home directory is created must
++	    exist and have proper SELinux context and permissions. Otherwise
++	    the user's home directory cannot be created or accessed.
++	  </para>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+diff -up shadow-4.8.1/man/usermod.8.xml.manfix shadow-4.8.1/man/usermod.8.xml
+--- shadow-4.8.1/man/usermod.8.xml.manfix	2019-12-20 06:58:23.000000000 +0100
++++ shadow-4.8.1/man/usermod.8.xml	2020-03-17 15:34:48.751414997 +0100
+@@ -143,7 +143,8 @@
+ 	    If the <option>-m</option>
+ 	    option is given, the contents of the current home directory will
+ 	    be moved to the new home directory, which is created if it does
+-	    not already exist.
++	    not already exist. If the current home directory does not exist
++	    the new home directory will not be created.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -205,6 +206,12 @@
+ 	    The group ownership of files outside of the user's home directory
+ 	    must be fixed manually.
+ 	  </para>
++	  <para>
++	    The change of the group ownership of files inside of the user's
++	    home directory is also not done if the home dir owner uid is
++	    different from the current or new user id. This is safety measure
++	    for special home directories such as <filename>/</filename>.
++	  </para>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+@@ -267,7 +274,8 @@
+ 	<listitem>
+ 	  <para>
+ 	    Move the content of the user's home directory to the new
+-	    location.
++	    location. If the current home directory does not exist
++	    the new home directory will not be created.
+ 	  </para>
+ 	  <para>
+ 	    This option is only valid in combination with the
+@@ -381,6 +389,12 @@
+ 	    must be fixed manually.
+ 	  </para>
+ 	  <para>
++	    The change of the user ownership of files inside of the user's
++	    home directory is also not done if the home dir owner uid is
++	    different from the current or new user id. This is safety measure
++	    for special home directories such as <filename>/</filename>.
++	  </para>
++	  <para>
+ 	    No checks will be performed with regard to the
+ 	    <option>UID_MIN</option>, <option>UID_MAX</option>,
+ 	    <option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>

shadow-4.8.1-useradd-man-clarification.patch

@@ -0,0 +1,35 @@
+From 6543c600d841e4f7779269412d470e50eae25b13 Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Wed, 4 Mar 2020 14:50:04 +0100
+Subject: [PATCH] useradd: clarify the useradd -d parameter behavior in man
+ page
+
+Explanation: clarify the useradd -d parameter as it does create directory HOME_DIR if it doesn't exit.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1677005
+
+Changelog: [serge] minor tweak to the text
+---
+ man/useradd.8.xml | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/man/useradd.8.xml b/man/useradd.8.xml
+index 03612ce8..023c0d69 100644
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -181,8 +181,10 @@
+ 	    login directory. The default is to append the
+ 	    <replaceable>LOGIN</replaceable> name to
+ 	    <replaceable>BASE_DIR</replaceable> and use that as the login
+-	    directory name. The directory <replaceable>HOME_DIR</replaceable>
+-	    does not have to exist but will not be created if it is missing.
++	    directory name.  If the directory
++	    <replaceable>HOME_DIR</replaceable> does not exist, then it
++	    will be created unless the <option>-M</option> option is
++	    specified.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-- 
+2.25.1
+

shadow-4.9-manfix.patch

@@ -1,180 +0,0 @@
-diff -up shadow-4.8.1/man/groupmems.8.xml.manfix shadow-4.8.1/man/groupmems.8.xml
---- shadow-4.8.1/man/groupmems.8.xml.manfix	2020-03-17 15:34:48.750414984 +0100
-+++ shadow-4.8.1/man/groupmems.8.xml	2020-03-17 15:41:13.383588722 +0100
-@@ -179,20 +179,10 @@
-   <refsect1 id='setup'>
-     <title>SETUP</title>
-     <para>
--      The <command>groupmems</command> executable should be in mode
--      <literal>2710</literal> as user <emphasis>root</emphasis> and in group
--      <emphasis>groups</emphasis>. The system administrator can add users to
--      group <emphasis>groups</emphasis> to allow or disallow them using the
--      <command>groupmems</command> utility to manage their own group
--      membership list.
-+      In this operating system the <command>groupmems</command> executable
-+      is not setuid and regular users cannot use it to manipulate
-+      the membership of their own group.
-     </para>
--
--    <programlisting>
--	$ groupadd -r groups
--	$ chmod 2710 groupmems
--	$ chown root.groups groupmems
--	$ groupmems -g groups -a gk4
--    </programlisting>
-   </refsect1>
- 
-   <refsect1 id='configuration'>
-diff -up shadow-4.8.1/man/ja/man5/login.defs.5.manfix shadow-4.8.1/man/ja/man5/login.defs.5
---- shadow-4.8.1/man/ja/man5/login.defs.5.manfix	2019-07-23 17:26:08.000000000 +0200
-+++ shadow-4.8.1/man/ja/man5/login.defs.5	2020-03-17 15:34:48.750414984 +0100
-@@ -147,10 +147,6 @@ 以下の参照表は、
- shadow パスワード機能のどのプログラムが
- どのパラメータを使用するかを示したものである。
- .na
--.IP chfn 12
--CHFN_AUTH CHFN_RESTRICT
--.IP chsh 12
--CHFN_AUTH
- .IP groupadd 12
- GID_MAX GID_MIN
- .IP newusers 12
-diff -up shadow-4.8.1/man/login.defs.5.xml.manfix shadow-4.8.1/man/login.defs.5.xml
---- shadow-4.8.1/man/login.defs.5.xml.manfix	2020-01-17 16:47:56.000000000 +0100
-+++ shadow-4.8.1/man/login.defs.5.xml	2020-03-17 15:34:48.750414984 +0100
-@@ -164,6 +164,17 @@
-       long numeric parameters is machine-dependent.
-     </para>
- 
-+    <para>
-+      Please note that the parameters in this configuration file control the
-+      behavior of the tools from the shadow-utils component. None of these
-+      tools uses the PAM mechanism, and the utilities that use PAM (such as the
-+      passwd command) should be configured elsewhere. The only values that
-+      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
-+      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
-+      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
-+      pam(8) for more information.
-+    </para>
-+
-     <para>The following configuration items are provided:</para>
- 
-     <variablelist remap='IP'>
-@@ -256,16 +267,6 @@
- 	</listitem>
-       </varlistentry>
-       <varlistentry>
--	<term>chfn</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CHFN_AUTH</phrase>
--	    CHFN_RESTRICT
--	    <phrase condition="no_pam">LOGIN_STRING</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
--      <varlistentry>
- 	<term>chgpasswd</term>
- 	<listitem>
- 	  <para>
-@@ -286,14 +287,6 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry condition="no_pam">
--	<term>chsh</term>
--	<listitem>
--	  <para>
--	    CHSH_AUTH LOGIN_STRING
--	  </para>
--	</listitem>
--      </varlistentry>
-       <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
-       <!-- faillog: no variables -->
-       <varlistentry>
-@@ -359,34 +352,6 @@
- 	  <para>LASTLOG_UID_MAX</para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry>
--	<term>login</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CONSOLE</phrase>
--	    CONSOLE_GROUPS DEFAULT_HOME
--	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
--	    ENV_TZ ENVIRON_FILE</phrase>
--	    ERASECHAR FAIL_DELAY
--	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
--	    FAKE_SHELL
--	    <phrase condition="no_pam">FTMP_FILE</phrase>
--	    HUSHLOGIN_FILE
--	    <phrase condition="no_pam">ISSUE_FILE</phrase>
--	    KILLCHAR
--	    <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
--	    LOGIN_RETRIES
--	    <phrase condition="no_pam">LOGIN_STRING</phrase>
--	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
--	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
--	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
--	    QUOTAS_ENAB</phrase>
--	    TTYGROUP TTYPERM TTYTYPE_FILE
--	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
--	    USERGROUPS_ENAB
--	  </para>
--	</listitem>
--      </varlistentry>
-       <!-- logoutd: no variables -->
-       <varlistentry>
- 	<term>newgrp / sg</term>
-@@ -415,17 +380,6 @@
- 	</listitem>
-       </varlistentry>
-       <!-- nologin: no variables -->
--      <varlistentry condition="no_pam">
--	<term>passwd</term>
--	<listitem>
--	  <para>
--	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
--	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
--	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
--	    SHA_CRYPT_MIN_ROUNDS</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
-       <varlistentry>
- 	<term>pwck</term>
- 	<listitem>
-@@ -452,32 +406,6 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry>
--	<term>su</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CONSOLE</phrase>
--	    CONSOLE_GROUPS DEFAULT_HOME
--	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
--	    ENV_PATH ENV_SUPATH
--	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
--	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
--	    SULOG_FILE SU_NAME
--	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
--	    SYSLOG_SU_ENAB
--	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
--      <varlistentry>
--	<term>sulogin</term>
--	<listitem>
--	  <para>
--	    ENV_HZ
--	    <phrase condition="no_pam">ENV_TZ</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
-       <varlistentry>
- 	<term>useradd</term>
- 	<listitem>

shadow-4.9-nss-get-shadow-logfd-with-log-get-logfd.patch

@@ -1,48 +0,0 @@
-From e101219ad71de11da3fdd1b3ec2620fd1a97b92c Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa <ipedrosa@redhat.com>
-Date: Mon, 10 Jan 2022 15:30:28 +0100
-Subject: [PATCH] nss: get shadow_logfd with log_get_logfd()
-
-If /etc/nsswitch.conf doesn't exist podman crashes because shadow_logfd
-is NULL. In order to avoid that load the log file descriptor with the
-log_get_logfd() helper function.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2038811
-
-Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
----
- lib/nss.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/lib/nss.c b/lib/nss.c
-index 02742902..06fa48e5 100644
---- a/lib/nss.c
-+++ b/lib/nss.c
-@@ -9,6 +9,7 @@
- #include "prototypes.h"
- #include "../libsubid/subid.h"
- #include "shadowlog_internal.h"
-+#include "shadowlog.h"
- 
- #define NSSWITCH "/etc/nsswitch.conf"
- 
-@@ -42,6 +43,7 @@ void nss_init(const char *nsswitch_path) {
- 	FILE *nssfp = NULL;
- 	char *line = NULL, *p, *token, *saveptr;
- 	size_t len = 0;
-+	FILE *shadow_logfd = log_get_logfd();
- 
- 	if (atomic_flag_test_and_set(&nss_init_started)) {
- 		// Another thread has started nss_init, wait for it to complete
-@@ -57,7 +59,7 @@ void nss_init(const char *nsswitch_path) {
- 	//   subid:	files
- 	nssfp = fopen(nsswitch_path, "r");
- 	if (!nssfp) {
--		fprintf(shadow_logfd, "Failed opening %s: %m", nsswitch_path);
-+		fprintf(shadow_logfd, "Failed opening %s: %m\n", nsswitch_path);
- 		atomic_store(&nss_init_completed, true);
- 		return;
- 	}
--- 
-2.34.1
-

shadow-utils.login.defs

@@ -198,11 +198,10 @@ SUB_GID_COUNT		    65536
 # If set to MD5, MD5-based algorithm will be used for encrypting password
 # If set to SHA256, SHA256-based algorithm will be used for encrypting password
 # If set to SHA512, SHA512-based algorithm will be used for encrypting password
-# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
-# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to BLOWFISH, BLOWFISH-based algorithm will be used for encrypting password
 # If set to DES, DES-based algorithm will be used for encrypting password (default)
 #
-ENCRYPT_METHOD YESCRYPT
+ENCRYPT_METHOD SHA512
 
 #
 # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
@@ -219,33 +218,7 @@ ENCRYPT_METHOD YESCRYPT
 
 # Currently SHA_CRYPT_MIN_ROUNDS is not supported
 
-#
-# Only works if ENCRYPT_METHOD is set to BCRYPT.
-#
-# Define the number of BCRYPT rounds.
-# With a lot of rounds, it is more difficult to brute-force the password.
-# However, more CPU resources will be needed to authenticate users if
-# this value is increased.
-#
-# If not specified, 13 rounds will be attempted.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
-#
-#BCRYPT_MIN_ROUNDS 13
-#BCRYPT_MAX_ROUNDS 31
-
-#
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
-#
-# Define the YESCRYPT cost factor.
-# With a higher cost factor, it is more difficult to brute-force the password.
-# However, more CPU time and more memory will be needed to authenticate users
-# if this value is increased.
-#
-# If not specified, a cost factor of 5 will be used.
-# The value must be within the 1-11 range.
-#
-#YESCRYPT_COST_FACTOR 5
+# Currently BCRYPT_MIN_ROUNDS and BCRYPT_MAX_ROUNDS are not supported
 
 # Currently CONSOLE_GROUPS is not supported
 
@@ -293,13 +266,3 @@ CREATE_HOME	yes
 # missing.
 #
 #FORCE_SHADOW    yes
-
-#
-# Select the HMAC cryptography algorithm.
-# Used in pam_timestamp module to calculate the keyed-hash message
-# authentication code.
-#
-# Note: It is recommended to check hmac(3) to see the possible algorithms
-# that are available in your system.
-#
-HMAC_CRYPTO_ALGO SHA512

shadow-utils.spec

@@ -1,78 +1,79 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
-Version: 4.11.1
-Release: 4%{?dist}
+Version: 4.8.1
+Release: 7%{?dist}
 Epoch: 2
-License: BSD and GPLv2+
-URL: https://github.com/shadow-maint/shadow
-Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
-Source1: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
+URL: http://pkg-shadow.alioth.debian.org/
+Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
+Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
 Source2: shadow-utils.useradd
 Source3: shadow-utils.login.defs
 Source4: shadow-bsd.txt
 Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
 Source6: shadow-utils.HOME_MODE.xml
-
-### Globals ###
-%global includesubiddir %{_includedir}/shadow
-
-### Patches ###
 # Misc small changes - most probably non-upstreamable
-Patch0: shadow-4.11.1-redhat.patch
+Patch0: shadow-4.6-redhat.patch
 # Be more lenient with acceptable user/group names - non upstreamable
 Patch1: shadow-4.8-goodname.patch
+# https://github.com/shadow-maint/shadow/commit/7384865775b0203b9cf5337a047744f0a4555868
+Patch2: shadow-4.1.5.1-info-parent-dir.patch
+# Misc SElinux related changes - upstreamability unknown
+Patch6: shadow-4.8-selinux.patch
+# https://github.com/shadow-maint/shadow/commit/a8361e741040cd926c9c93aac89820052531b1a3
+Patch11: shadow-4.1.5.1-logmsg.patch
 # SElinux related - upstreamability unknown
-Patch3: shadow-4.9-default-range.patch
-# Misc manual page changes - non-upstreamable
-Patch4: shadow-4.9-manfix.patch
+Patch14: shadow-4.1.5.1-default-range.patch
+# Misc manual page changes
+# https://github.com/shadow-maint/shadow/commit/c0818ab01d1896784245eedec9495e1e6e0260af
+# Changes in man/groupmems.8.xml, man/ja/man5/login.defs.5 and man/login.defs.5.xml not upstreamed
+Patch15: shadow-4.8.1-manfix.patch
+# https://github.com/shadow-maint/shadow/commit/f4cbf38ad7801bab6fae50e9b5a2effc3c48a1ea
+Patch17: shadow-4.1.5.1-userdel-helpfix.patch
 # Date parsing improvement - could be upstreamed
-Patch5: shadow-4.2.1-date-parsing.patch
+Patch19: shadow-4.2.1-date-parsing.patch
 # Additional error message - could be upstreamed
-Patch6: shadow-4.6-move-home.patch
+Patch21: shadow-4.6-move-home.patch
 # Audit message changes - upstreamability unknown
-Patch7: shadow-4.11.1-audit-update.patch
+Patch22: shadow-4.8.1-audit-update.patch
 # Changes related to password unlocking - could be upstreamed
-Patch8: shadow-4.5-usermod-unlock.patch
+Patch23: shadow-4.5-usermod-unlock.patch
 # Additional SElinux related changes - upstreamability unknown
-Patch9: shadow-4.8-selinux-perms.patch
-# Handle NULL return from *time funcs - upstreamable
-Patch10: shadow-4.11.1-null-tm.patch
+Patch28: shadow-4.8-selinux-perms.patch
+# Handle NULL return from *time funcs - could be upstreamed
+Patch29: shadow-4.2.1-null-tm.patch
+# SElinux related - upstreamability unknown
+Patch31: shadow-4.6-getenforce.patch
+# Handle include of crypt.h - could be upstreamed
+Patch32: shadow-4.8-crypt_h.patch
 # Handle /etc/passwd corruption - could be upstreamed
-Patch11: shadow-4.8-long-entry.patch
+Patch33: shadow-4.8-long-entry.patch
 # Limit uid/gid allocation to non-zero - could be upstreamed
-Patch12: shadow-4.6-sysugid-min-limit.patch
+Patch38: shadow-4.6-sysugid-min-limit.patch
 # Ignore LOGIN_PLAIN_PROMPT in login.defs - upstreamability unknown
-Patch13: shadow-4.8-ignore-login-prompt.patch
-# https://github.com/shadow-maint/shadow/commit/e101219ad71de11da3fdd1b3ec2620fd1a97b92c
-Patch14: shadow-4.9-nss-get-shadow-logfd-with-log-get-logfd.patch
-# https://github.com/shadow-maint/shadow/commit/f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92
-Patch15: shadow-4.11.1-useradd-modify-check-ID-range-for-system-users.patch
+Patch40: shadow-4.8-ignore-login-prompt.patch
+# Generate /var/spool/mail/$USER with the proper SELinux user identity - already upstreamed
+Patch42: shadow-4.8-useradd-selinux-mail.patch
+# Clarify useradd man regarding "-d" parameter - already upstreamed
+Patch43: shadow-4.8.1-useradd-man-clarification.patch
+# https://github.com/shadow-maint/shadow/commit/8762f465d487a52bf68f9c0b7c3c1eb3caea7bc9
+Patch44: shadow-4.8.1-check-local-groups.patch
+# https://github.com/shadow-maint/shadow/commit/599cc003daf833bffdc9cbe0d33dc8b3e7ec74c8
+Patch45: shadow-4.8.1-commonio-force-lock-file-sync.patch
+# https://github.com/shadow-maint/shadow/commit/df6ec1d1693c8c80c323b40d6fc82bb549363db3
+Patch46: shadow-4.8.1-man-include-lastlog-file-caveat.patch
 
-### Dependencies ###
-Requires: audit-libs >= 1.6.5
-Requires: libselinux >= 1.25.2-1
-Requires: setup
-
-### Build Dependencies ###
-BuildRequires: audit-libs-devel >= 1.6.5
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: bison
-BuildRequires: docbook-dtds
-BuildRequires: docbook-style-xsl
-BuildRequires: flex
+License: BSD and GPLv2+
 BuildRequires: gcc
-BuildRequires: gettext-devel
-BuildRequires: itstool
-BuildRequires: libacl-devel
-BuildRequires: libattr-devel
 BuildRequires: libselinux-devel >= 1.25.2-1
+BuildRequires: audit-libs-devel >= 1.6.5
 BuildRequires: libsemanage-devel
-BuildRequires: libtool
-BuildRequires: libxslt
-BuildRequires: make
-
-### Provides ###
+BuildRequires: libacl-devel, libattr-devel
+BuildRequires: bison, flex, docbook-style-xsl, docbook-dtds
+BuildRequires: autoconf, automake, libtool, gettext-devel
+BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool
+Requires: libselinux >= 1.25.2-1
+Requires: audit-libs >= 1.6.5
+Requires: setup
 Provides: shadow = %{epoch}:%{version}-%{release}
 
 %description
@@ -87,41 +88,32 @@ for all users. The useradd, userdel, and usermod commands are used for
 managing user accounts. The groupadd, groupdel, and groupmod commands
 are used for managing group accounts.
 
-
-### Subpackages ###
-%package subid
-Summary: A library to manage subordinate uid and gid ranges
-License: BSD and GPLv2+
-
-%description subid
-Utility library that provides a way to manage subid ranges.
-
-
-%package subid-devel
-Summary: Development package for shadow-utils-subid
-License: BSD and GPLv2+
-Requires: shadow-utils-subid = %{epoch}:%{version}-%{release}
-
-%description subid-devel
-Development files for shadow-utils-subid.
-
 %prep
 %setup -q -n shadow-%{version}
 %patch0 -p1 -b .redhat
 %patch1 -p1 -b .goodname
-%patch3 -p1 -b .default-range
-%patch4 -p1 -b .manfix
-%patch5 -p1 -b .date-parsing
-%patch6 -p1 -b .move-home
-%patch7 -p1 -b .audit-update
-%patch8 -p1 -b .unlock
-%patch9 -p1 -b .selinux-perms
-%patch10 -p1 -b .null-tm
-%patch11 -p1 -b .long-entry
-%patch12 -p1 -b .sysugid-min-limit
-%patch13 -p1 -b .login-prompt
-%patch14 -p1 -b .nss-get-shadow-logfd-with-log-get-logfd
-%patch15 -p1 -b .useradd-modify-check-ID-range-for-system-users
+%patch2 -p1 -b .info-parent-dir
+%patch6 -p1 -b .selinux
+%patch11 -p1 -b .logmsg
+%patch14 -p1 -b .default-range
+%patch15 -p1 -b .manfix
+%patch17 -p1 -b .userdel
+%patch19 -p1 -b .date-parsing
+%patch21 -p1 -b .move-home
+%patch22 -p1 -b .audit-update
+%patch23 -p1 -b .unlock
+%patch28 -p1 -b .selinux-perms
+%patch29 -p1 -b .null-tm
+%patch31 -p1 -b .getenforce
+%patch32 -p1 -b .crypt_h
+%patch33 -p1 -b .long-entry
+%patch38 -p1 -b .sysugid-min-limit
+%patch40 -p1 -b .login-prompt
+%patch42 -p1 -b .useradd-selinux-mail
+%patch43 -p1 -b .useradd-man-clarification
+%patch44 -p1 -b .check-local-groups
+%patch45 -p1 -b .commonio-force-lock-file-sync
+%patch46 -p1 -b .man-include-lastlog-file-caveat
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -148,75 +140,74 @@ autoreconf
         --enable-man \
         --with-audit \
         --with-sha-crypt \
-        --with-bcrypt \
-        --with-yescrypt \
         --with-selinux \
         --without-libcrack \
         --without-libpam \
-        --enable-shared \
+        --disable-shared \
         --with-group-name-max-length=32
 %make_build
 
 %install
-%make_install gnulocaledir=$RPM_BUILD_ROOT%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
-install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/default
-install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs
-install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd
+rm -rf $RPM_BUILD_ROOT
+%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
+install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default
+install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs
+install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd
 
 
 ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
-ln -s useradd.8 $RPM_BUILD_ROOT%{_mandir}/man8/adduser.8
-for subdir in $RPM_BUILD_ROOT%{_mandir}/{??,??_??,??_??.*}/man* ; do
+ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
+for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do
         test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
 done
 
 # Remove binaries we don't use.
-rm $RPM_BUILD_ROOT%{_bindir}/chfn
-rm $RPM_BUILD_ROOT%{_bindir}/chsh
-rm $RPM_BUILD_ROOT%{_bindir}/expiry
-rm $RPM_BUILD_ROOT%{_bindir}/groups
-rm $RPM_BUILD_ROOT%{_bindir}/login
-rm $RPM_BUILD_ROOT%{_bindir}/passwd
-rm $RPM_BUILD_ROOT%{_bindir}/su
-rm $RPM_BUILD_ROOT%{_bindir}/faillog
-rm $RPM_BUILD_ROOT%{_sysconfdir}/login.access
-rm $RPM_BUILD_ROOT%{_sysconfdir}/limits
-rm $RPM_BUILD_ROOT%{_sbindir}/logoutd
-rm $RPM_BUILD_ROOT%{_sbindir}/nologin
-rm $RPM_BUILD_ROOT%{_mandir}/man1/chfn.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chfn.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/chsh.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/chsh.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/expiry.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/expiry.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/groups.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/groups.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/login.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/login.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/passwd.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/passwd.*
-rm $RPM_BUILD_ROOT%{_mandir}/man1/su.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man1/su.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/limits.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/limits.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/login.access.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/login.access.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/passwd.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/passwd.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/porttime.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/porttime.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/suauth.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/suauth.*
-rm $RPM_BUILD_ROOT%{_mandir}/man8/logoutd.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man8/logoutd.*
-rm $RPM_BUILD_ROOT%{_mandir}/man8/nologin.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man8/nologin.*
-rm $RPM_BUILD_ROOT%{_mandir}/man3/getspnam.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man3/getspnam.*
-rm $RPM_BUILD_ROOT%{_mandir}/man5/faillog.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man5/faillog.*
-rm $RPM_BUILD_ROOT%{_mandir}/man8/faillog.*
-rm $RPM_BUILD_ROOT%{_mandir}/*/man8/faillog.*
+rm $RPM_BUILD_ROOT/%{_bindir}/chfn
+rm $RPM_BUILD_ROOT/%{_bindir}/chsh
+rm $RPM_BUILD_ROOT/%{_bindir}/expiry
+rm $RPM_BUILD_ROOT/%{_bindir}/groups
+rm $RPM_BUILD_ROOT/%{_bindir}/login
+rm $RPM_BUILD_ROOT/%{_bindir}/passwd
+rm $RPM_BUILD_ROOT/%{_bindir}/su
+rm $RPM_BUILD_ROOT/%{_bindir}/faillog
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits
+rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd
+rm $RPM_BUILD_ROOT/%{_sbindir}/nologin
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chsh.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/expiry.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/expiry.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/groups.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/groups.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/login.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/login.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/su.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/su.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/limits.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/limits.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/login.access.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/login.access.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/porttime.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/porttime.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.*
 
 find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete
 %find_lang shadow
@@ -228,17 +219,9 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
     echo "%%lang($lang) $dir/man*/*" >> shadow.lang
 done
 
-# Move header files to its own folder
-echo $(ls)
-mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
-install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
-
-# Remove .la and .a files created by libsubid
-rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
-rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
-
 %files -f shadow.lang
 %doc NEWS doc/HOWTO README
+%{!?_licensedir:%global license %%doc}
 %license gpl-2.0.txt shadow-bsd.txt
 %attr(0644,root,root)   %config(noreplace) %{_sysconfdir}/login.defs
 %attr(0644,root,root)   %config(noreplace) %{_sysconfdir}/default/useradd
@@ -285,135 +268,17 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.a
 %{_mandir}/man8/vipw.8*
 %{_mandir}/man8/vigr.8*
 
-%files subid
-%{_libdir}/libsubid.so.*
-%{_bindir}/getsubids
-%{_mandir}/man1/getsubids.1*
-
-%files subid-devel
-%{includesubiddir}/subid.h
-%{_libdir}/libsubid.so
-
 %changelog
-* Mon Aug  1 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-4
-- useradd: modify check ID range for system users. Resolves: #2093692
+* Mon Aug 16 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-7
+- allow all types of groups when modifying supplementary groups (#1975327)
 
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.11.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Thu Feb 10 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-2
-- Fix explicit subid requirement for subid-devel
-
-* Tue Jan 25 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.11.1-1
-- Rebase to version 4.11.1 (#2034038)
-- Fix release sources
-- Add explicit subid requirement for subid-devel
-
-* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.9-10
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Mon Jan 17 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-9
-- nss: get shadow_logfd with log_get_logfd() (#2038811)
-- lib: make shadow_logfd and Prog not extern
-- lib: rename Prog to shadow_progname
-- lib: provide default values for shadow_progname
-- libsubid: use log_set_progname in subid_init
-
-* Fri Nov 19 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-8
-- getsubids: provide system binary and man page (#1980780)
-- pwck: fix segfault when calling fprintf() (#2021339)
-- newgrp: fix segmentation fault (#2019553)
-- groupdel: fix SIGSEGV when passwd does not exist (#1986111)
-
-* Fri Nov 12 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-7
-- useradd: change SELinux labels for home files (#2022658)
-
-* Thu Nov  4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-6
-- useradd: revert fix memleak of grp (#2018697)
-
-* Wed Oct 27 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
-- useradd: generate home and mail directories with selinux user attribute
-
-* Thu Sep 23 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
-- login.defs: include HMAC_CRYPTO_ALGO key
-- Clean spec file: organize dependencies and move License location
-
-* Tue Aug 17 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-3
-- libmisc: fix default value in SHA_get_salt_rounds()
-
-* Mon Aug  9 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-2
-- useradd: avoid generating an empty subid range (#1990653)
-
-* Wed Aug  4 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-1
-- Rebase to version 4.9
-- usermod: allow all group types with -G option (#1975327)
-- Clean spec file
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-20
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Wed Jul 14 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-19
-- Add patch to fix 'fread returns element count, not element size'
-
-* Wed Jul 14 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-18
-- Fix regression issues detected in rhbz#667593 and rhbz#672510
-
-* Mon Jul 12 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-17
-- Enable bcrypt support, as libxcrypt supports it well
-
-* Sun Jul 04 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-16
-- Add a patch to obtain random bytes using getentropy()
-- Update shadow-4.8-crypt_h.patch with the upstreamed version
-- Add a patch to make use of crypt_gensalt() from libxcrypt
-
-* Tue Jun 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-15
-- useradd: free correct pointer (#1976809)
-
-* Mon Jun 28 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-14
-- Add a patch to fix the used prefix for the bcrypt hash method
-- Add a patch to cleanup the code in libmisc/salt.c
-- Add a patch adding some clarifying comments in libmisc/salt.c
-- Add a patch to obtain random bytes from /dev/urandom
-
-* Mon Jun 28 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-13
-- Covscan fixes
-
-* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 2:4.8.1-12
-- Backport support for yescrypt hash method
-- Add a patch to fix the parameter type of YESCRYPT_salt_cost()
-
-* Mon Jun 21 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-11
-- libsubid: don't print error messages on stderr by default
-- libsubid: libsubid_init return false if out of memory
-- useradd: fix SUB_UID_COUNT=0
-- libsubid: don't return owner in list_owner_ranges API call
-- libsubid: libsubid_init don't print messages on error
-- libsubid: fix newusers when nss provides subids
-- man: clarify subid delegation
-- libsubid: make shadow_logfd not extern
-
-* Thu May  6 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-10
-- man: mention NSS in new[ug]idmap manpages
-- libsubid: move development header to shadow folder
-
-* Fri Apr 16 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-9
-- libsubid: creation and nsswitch support
-- Creation of subid and subid-devel subpackages
-
-* Mon Mar 29 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-8
+* Mon Apr 26 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-6
 - man: include lastlog file caveat (#951564)
 - Upstream links to several patches
-- Spec file cleanup by Robert Scheck
-- Add BuildRequires: make by Tom Stellard
 
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Mon Nov  9 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-6
+* Mon Nov 16 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8.1-5
 - commonio: force lock file sync (#1862056)
-
-* Tue Nov  3 2020 Petr Lautrbach <plautrba@redhat.com> - 2:4.8.1-5
-- Rebuild with libsemanage.so.2
+- spec: add Provides keyword
 
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8.1-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

sources

@@ -1,2 +1,2 @@
-SHA512 (shadow-4.11.1.tar.xz) = 12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f
-SHA512 (shadow-4.11.1.tar.xz.asc) = 4594189678cc9bcc8831f62a5d42c605b085be4a3b540429d7c800f4304e2e8fe04358547917eb90c1513646fade7c714611bfdc98af7dec5321a3dc3e65c4fd
+SHA512 (shadow-4.8.1.tar.xz) = 780a983483d847ed3c91c82064a0fa902b6f4185225978241bc3bc03fcc3aa143975b46aee43151c6ba43efcfdb1819516b76ba7ad3d1d3c34fcc38ea42e917b
+SHA512 (shadow-4.8.1.tar.xz.asc) = ec7686263c81d3feb8ee4314c3323a9a3ada74aafaaf99f4f0d9af9b1341f8c5ff5477ecf98dd94dbb7d921f532d655b0b6a87d94c71893f35dc9bc54c84dd42