From 8633999acfd789cb9e61ba40011761a08729d36c Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Thu, 2 Nov 2017 11:50:59 +0100
Subject: [PATCH] fix userdel in chroot (#1316168) add useful chage -E example to chage manpage
---
 shadow-4.3.1-manfix.patch | 14 +++++
 shadow-4.5-userdel-chroot.patch | 108 ++++++++++++++++++++++++++++++++
 shadow-utils.spec | 9 ++-
 3 files changed, 129 insertions(+), 2 deletions(-)
 create mode 100644 shadow-4.5-userdel-chroot.patch
diff --git a/shadow-4.3.1-manfix.patch b/shadow-4.3.1-manfix.patch
index 2aeb0a8..4ca6054 100644
--- a/shadow-4.3.1-manfix.patch
+++ b/shadow-4.3.1-manfix.patch
@@ -38,6 +38,20 @@ diff -up shadow-4.3.1/man/chage.1.xml.manfix shadow-4.3.1/man/chage.1.xml
+@@ -119,6 +122,13 @@
+ system again.
+ 
+ 
++ For example the following can be used to set an account to expire
++ in 180 days:
++ 
++ 
++ chage -E $(date -d +180days +%Y-%m-%d)
++ 
++ 
+ Passing the number -1 as the
+ EXPIRE_DATE will remove an account
+ expiration date.
 diff -up shadow-4.3.1/man/ja/man5/login.defs.5.manfix shadow-4.3.1/man/ja/man5/login.defs.5
 --- shadow-4.3.1/man/ja/man5/login.defs.5.manfix 2016-08-15 06:00:59.000000000 +0200
 +++ shadow-4.3.1/man/ja/man5/login.defs.5 2016-08-22 17:08:48.486332066 +0200
diff --git a/shadow-4.5-userdel-chroot.patch b/shadow-4.5-userdel-chroot.patch
new file mode 100644
index 0000000..e5cf287
--- /dev/null
+++ b/shadow-4.5-userdel-chroot.patch
@@ -0,0 +1,108 @@
+diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c
+--- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-02 10:19:11.886588281 +0100
++++ shadow-4.5/lib/selinux.c 2017-11-02 11:38:32.029906306 +0100
+@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
+ }
+ return 0;
+ error:
+- if (security_getenforce () != 0) {
++ if (security_getenforce () > 0) {
+ return 1;
+ }
+ return 0;
+@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
+ selinux_checked = true;
+ }
+ if (selinux_enabled) {
+- if (setfscreatecon (NULL) != 0) {
++ if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
+ return 1;
+ }
+ }
+diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c
+--- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-02 10:19:11.899588578 +0100
++++ shadow-4.5/src/userdel.c 2017-11-02 11:16:07.437048450 +0100
+@@ -96,6 +96,7 @@ static char *user_home;
+ static bool fflg = false;
+ static bool rflg = false;
+ static bool Zflg = false;
++static bool Rflg = false;
+ 
+ static bool is_shadow_pwd;
+ 
+@@ -958,6 +959,7 @@ int main (int argc, char **argv)
+ rflg = true;
+ break;
+ case 'R': /* no-op, handled in process_root_flag () */
++ Rflg = true;
+ break;
+ #ifdef WITH_SELINUX
+ case 'Z':
+@@ -1031,9 +1033,11 @@ int main (int argc, char **argv)
+ * Start with a quick check to see if the user exists.
+ */
+ user_name = argv[argc - 1];
++ open_files ();
++ 
+ {
+- struct passwd *pwd;
+- pwd = getpwnam (user_name); /* local, no need for xgetpwnam */
++ const struct passwd *pwd;
++ pwd = pw_locate (user_name); /* we care only about local users */
+ if (NULL == pwd) {
+ fprintf (stderr, _("%s: user '%s' does not exist\n"),
+ Prog, user_name);
+@@ -1043,7 +1047,7 @@ int main (int argc, char **argv)
+ user_name, AUDIT_NO_ID,
+ SHADOW_AUDIT_FAILURE);
+ #endif /* WITH_AUDIT */
+- exit (E_NOTFOUND);
++ fail_exit (E_NOTFOUND);
+ }
+ user_id = pwd->pw_uid;
+ user_gid = pwd->pw_gid;
+@@ -1051,7 +1055,7 @@ int main (int argc, char **argv)
+ }
+ #ifdef WITH_TCB
+ if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) {
+- exit (E_NOTFOUND);
++ fail_exit (E_NOTFOUND);
+ }
+ #endif /* WITH_TCB */
+ #ifdef USE_NIS
+@@ -1071,7 +1075,7 @@ int main (int argc, char **argv)
+ _("%s: %s is the NIS master\n"),
+ Prog, nis_master);
+ }
+- exit (E_NOTFOUND);
++ fail_exit (E_NOTFOUND);
+ }
+ #endif /* USE_NIS */
+ /*
+@@ -1079,7 +1083,7 @@ int main (int argc, char **argv)
+ * Note: This is a best effort basis. The user may log in between,
+ a cron job may be started on her behalf, etc.
+ */
+- if (user_busy (user_name, user_id) != 0) {
++ if (!Rflg && user_busy (user_name, user_id) != 0) {
+ if (!fflg) {
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_DEL_USER, Prog,
+@@ -1087,15 +1091,14 @@ int main (int argc, char **argv)
+ user_name, AUDIT_NO_ID,
+ SHADOW_AUDIT_FAILURE);
+ #endif /* WITH_AUDIT */
+- exit (E_USER_BUSY);
++ fail_exit (E_USER_BUSY);
+ }
+ }
+ 
+ /*
+- * Do the hard stuff - open the files, create the user entries,
++ * Do the hard stuff - create the user entries,
+ * create the home directory, then close and update the files.
+ */
+- open_files ();
+ update_user ();
+ update_groups ();
+ 
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 4b030dd..32f70ce 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
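Review bot: In the lib/selinux.c part of this patch, `security_getenforce () > 0` treats the error return (-1, e.g. no selinuxfs visible inside the chroot) the same as permissive mode, so a failed setfscreatecon () in set_selinux_file_context and reset_selinux_file_context now silently returns 0 on any host where the enforcing state cannot be read, not only in a chroot. That fail-open is presumably what the chroot case needs, but a warning on stderr before the `return 0` would keep an unexpectedly unlabeled file visible to the administrator instead of hiding it. In userdel.c, `if (!Rflg && user_busy (user_name, user_id) != 0)` skips the busy check entirely under --root even without -f, which the userdel(8) description of the check and of -f should state. Moving `open_files ()` ahead of the user lookup also means every failure path in main must go through fail_exit () to release the passwd/shadow/group locks; the exits visible here are converted, but any exit () in the lines between these hunks would now leave the lock files behind. main () extends beyond the hunk on both sides.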
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.5
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@@ -29,6 +29,7 @@ Patch24: shadow-4.2.1-no-lock-dos.patch
 Patch28: shadow-4.3.1-selinux-perms.patch
 Patch29: shadow-4.2.1-null-tm.patch
 Patch30: shadow-4.1.5.1-newgrp-grouplist.patch
+Patch31: shadow-4.5-userdel-chroot.patch
 License: BSD and GPLv2+
 Group: System Environment/Base
@@ -78,6 +79,7 @@ are used for managing group accounts.
 %patch28 -p1 -b .selinux-perms
 %patch29 -p1 -b .null-tm
 %patch30 -p1 -b .grouplist
+%patch31 -p1 -b .userdel-chroot
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -116,7 +118,6 @@ install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd
 ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
-#ln -s %{_mandir}/man8/useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
 ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
 for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do
 test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
@@ -234,6 +235,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 %changelog
+* Thu Nov 2 2017 Tomáš Mráz - 2:4.5-6
+- fix userdel in chroot (#1316168)
+- add useful chage -E example to chage manpage
+
 * Fri Sep 15 2017 Tomáš Mráz - 2:4.5-5
 - do not allow "." and ".." user names