change package name so "shadow-utils" won't attempt to update

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
source file is confusing the lookaside on copr
2018-10-09 10:15:32 -04:00 · 2018-10-02 04:49:10 -04:00 · 2018-10-02 04:35:53 -04:00 · 2018-10-02 04:14:39 -04:00 · 2018-10-02 04:12:27 -04:00 · 2018-07-14 06:02:14 +00:00
41 changed files with 2610 additions and 2076 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,3 +5,8 @@ shadow-4.1.4.2.tar.bz2
 /shadow-4.1.5.1.tar.bz2.sig
 /shadow-4.2.1.tar.xz
 /shadow-4.2.1.tar.xz.sig
 /shadow-4.3.1.tar.gz
 /shadow-4.5.tar.xz
 /shadow-4.5.tar.xz.asc
 /shadow-4.6.tar.xz
 /shadow-4.6.tar.xz.asc
--- a/shadow-4.1.5-2ndskip.patch
+++ b/shadow-4.1.5-2ndskip.patch
@ -1,100 +0,0 @@
 diff -up shadow-4.1.5/src/grpconv.c.2ndskip shadow-4.1.5/src/grpconv.c
 --- shadow-4.1.5/src/grpconv.c.2ndskip	2012-06-18 13:08:34.438910815 +0200
 +++ shadow-4.1.5/src/grpconv.c	2012-06-18 13:12:51.270764552 +0200
@@ -143,6 +143,7 @@ int main (int argc, char **argv)
 	struct group grent;
 	const struct sgrp *sg;
 	struct sgrp sgent;
 +	char *np;
 	Prog = Basename (argv[0]);
@@ -184,20 +185,25 @@ int main (int argc, char **argv)
 	 * Remove /etc/gshadow entries for groups not in /etc/group.
 	 */
 	(void) sgr_rewind ();
 -	while ((sg = sgr_next ()) != NULL) {
 -		if (gr_locate (sg->sg_name) != NULL) {
 -			continue;
 -		}
 -
 -		if (sgr_remove (sg->sg_name) == 0) {
 -			/*
 -			 * This shouldn't happen (the entry exists) but...
 -			 */
 -			fprintf (stderr,
 -			         _("%s: cannot remove entry '%s' from %s\n"),
 -			         Prog, sg->sg_name, sgr_dbname ());
 -			fail_exit (3);
 +	sg = sgr_next ();
 +	np=NULL;
 +	while (sg != NULL) {
 +		np = strdup(sg->sg_name);
 +		sg = sgr_next ();
 +
 +		if(gr_locate (np) == NULL) {
 +			if (sgr_remove (np) == 0) {
 +				/*
 +				 * This shouldn't happen (the entry exists) but...
 +				 */
 +				fprintf (stderr,
 +					 _("%s: cannot remove entry '%s' from %s\n"),
 +					 Prog, np, sgr_dbname ());
 +				free(np);
 +				fail_exit (3);
 +			}
 		}
 +		free(np);
 	}
 	/*
 diff -up shadow-4.1.5/src/pwconv.c.2ndskip shadow-4.1.5/src/pwconv.c
 --- shadow-4.1.5/src/pwconv.c.2ndskip	2012-06-18 11:23:33.938511797 +0200
 +++ shadow-4.1.5/src/pwconv.c	2012-06-18 12:57:18.396426194 +0200
@@ -173,6 +173,7 @@ int main (int argc, char **argv)
 	struct passwd pwent;
 	const struct spwd *sp;
 	struct spwd spent;
 +	char *np;
 	Prog = Basename (argv[0]);
@@ -223,20 +224,25 @@ int main (int argc, char **argv)
 	 * Remove /etc/shadow entries for users not in /etc/passwd.
 	 */
 	(void) spw_rewind ();
 -	while ((sp = spw_next ()) != NULL) {
 -		if (pw_locate (sp->sp_namp) != NULL) {
 -			continue;
 -		}
 -
 -		if (spw_remove (sp->sp_namp) == 0) {
 -			/*
 -			 * This shouldn't happen (the entry exists) but...
 -			 */
 -			fprintf (stderr,
 -			         _("%s: cannot remove entry '%s' from %s\n"),
 -			         Prog, sp->sp_namp, spw_dbname ());
 -			fail_exit (E_FAILURE);
 +	sp = spw_next ();
 +	np = NULL;
 +	while (sp != NULL) {
 +		np = strdup(sp->sp_namp);
 +		sp = spw_next ();
 +
 +		if (pw_locate (np) == NULL) {
 +			if (spw_remove (np) == 0) {
 +				/*
 +				 * This shouldn't happen (the entry exists) but...
 +				 */
 +				fprintf (stderr,
 +					 _("%s: cannot remove entry '%s' from %s\n"),
 +					 Prog, np, spw_dbname ());
 +				free(np);
 +				fail_exit (E_FAILURE);
 +			}
 		}
 +		free(np);
 	}
 	/*
--- a/shadow-4.1.5-grremove.patch
+++ b/shadow-4.1.5-grremove.patch
@ -1,45 +0,0 @@
 diff -up shadow-4.1.5/src/userdel.c.grremove shadow-4.1.5/src/userdel.c
 --- shadow-4.1.5/src/userdel.c.grremove	2012-03-20 12:19:13.260854838 +0100
 +++ shadow-4.1.5/src/userdel.c	2012-03-20 12:38:26.235622957 +0100
@@ -333,22 +333,22 @@ static void remove_usergroup (void)
 		 * We can remove this group, it is not the primary
 		 * group of any remaining user.
 		 */
 -		if (gr_remove (grp->gr_name) == 0) {
 +		if (gr_remove (user_name) == 0) {
 			fprintf (stderr,
 			         _("%s: cannot remove entry '%s' from %s\n"),
 -			         Prog, grp->gr_name, gr_dbname ());
 +			         Prog, user_name, gr_dbname ());
 			fail_exit (E_GRP_UPDATE);
 		}
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_DEL_GROUP, Prog,
 		              "deleting group",
 -		              grp->gr_name, AUDIT_NO_ID,
 +		              user_name, AUDIT_NO_ID,
 		              SHADOW_AUDIT_SUCCESS);
 #endif				/* WITH_AUDIT */
 		SYSLOG ((LOG_INFO,
 		         "removed group '%s' owned by '%s'\n",
 -		         grp->gr_name, user_name));
 +		         user_name, user_name));
 #ifdef	SHADOWGRP
 		if (sgr_locate (user_name) != NULL) {
@@ -361,12 +361,12 @@ static void remove_usergroup (void)
 #ifdef WITH_AUDIT
 			audit_logger (AUDIT_DEL_GROUP, Prog,
 			              "deleting shadow group",
 -			              grp->gr_name, AUDIT_NO_ID,
 +			              user_name, AUDIT_NO_ID,
 			              SHADOW_AUDIT_SUCCESS);
 #endif				/* WITH_AUDIT */
 			SYSLOG ((LOG_INFO,
 			         "removed shadow group '%s' owned by '%s'\n",
 -			         grp->gr_name, user_name));
 +			         user_name, user_name));
 		}
 #endif				/* SHADOWGRP */
--- a/shadow-4.1.5-uflg.patch
+++ b/shadow-4.1.5-uflg.patch
@ -1,23 +0,0 @@
 diff -up shadow-4.1.5/libmisc/find_new_gid.c.uflg shadow-4.1.5/libmisc/find_new_gid.c
 --- shadow-4.1.5/libmisc/find_new_gid.c.uflg	2011-07-30 01:10:27.000000000 +0200
 +++ shadow-4.1.5/libmisc/find_new_gid.c	2012-03-19 12:51:46.090554116 +0100
@@ -68,7 +68,7 @@ int find_new_gid (bool sys_group,
 			return -1;
 		}
 	} else {
 -		gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
 +		gid_min = (gid_t) 1;
 		gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
 		gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max);
 		if (gid_max < gid_min) {
@@ -100,6 +100,10 @@ int find_new_gid (bool sys_group,
 		return 0;
 	}
 +        /* if we did not find free preffered system gid, we start to look for
 +         * one in the range assigned to dynamic system IDs */
 +        if (sys_group)
 +                gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
 	/*
 	 * Search the entire group file,
--- a/shadow-4.1.5.1-audit-owner.patch
+++ b/shadow-4.1.5.1-audit-owner.patch
@ -1,32 +0,0 @@
 diff -up shadow-4.1.5.1/src/usermod.c.audit shadow-4.1.5.1/src/usermod.c
 --- shadow-4.1.5.1/src/usermod.c.audit	2011-11-21 23:02:16.000000000 +0100
 +++ shadow-4.1.5.1/src/usermod.c	2013-06-14 14:54:20.237026550 +0200
@@ -1513,6 +1513,14 @@ static void move_home (void)
 			fail_exit (E_HOMEDIR);
 		}
 +#ifdef WITH_AUDIT
 +		if (uflg || gflg) {
 +			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
 +				      "changing home directory owner",
 +				      user_newname, (unsigned int) user_newid, 1);
 +		}
 +#endif
 +
 		if (rename (user_home, user_newhome) == 0) {
 			/* FIXME: rename above may have broken symlinks
 			 *        pointing to the user's home directory
@@ -1947,6 +1955,13 @@ int main (int argc, char **argv)
 			 * ownership.
 			 *
 			 */
 +#ifdef WITH_AUDIT
 +			if (uflg || gflg) {
 +				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
 +					      "changing home directory owner",
 +					      user_newname, (unsigned int) user_newid, 1);
 +			}
 +#endif
 			if (chown_tree (dflg ? user_newhome : user_home,
 			                user_id,
 			                uflg ? user_newid  : (uid_t)-1,
--- a/shadow-4.1.5.1-backup-mode.patch
+++ b/shadow-4.1.5.1-backup-mode.patch
@ -1,20 +0,0 @@
 diff -up shadow-4.1.5.1/lib/commonio.c.backup-mode shadow-4.1.5.1/lib/commonio.c
 --- shadow-4.1.5.1/lib/commonio.c.backup-mode	2012-05-18 21:44:54.000000000 +0200
 +++ shadow-4.1.5.1/lib/commonio.c	2012-09-19 20:27:16.089444234 +0200
@@ -301,15 +301,12 @@ static int create_backup (const char *ba
 	struct utimbuf ub;
 	FILE *bkfp;
 	int c;
 -	mode_t mask;
 	if (fstat (fileno (fp), &sb) != 0) {
 		return -1;
 	}
 -	mask = umask (077);
 -	bkfp = fopen (backup, "w");
 -	(void) umask (mask);
 +	bkfp = fopen_set_perms (backup, "w", &sb);
 	if (NULL == bkfp) {
 		return -1;
 	}
--- a/shadow-4.1.5.1-default-range.patch
+++ b/shadow-4.1.5.1-default-range.patch
@ -1,6 +1,7 @@
-diff -up shadow-4.1.5.1/lib/semanage.c.default-range shadow-4.1.5.1/lib/semanage.c
+Index: shadow-4.5/lib/semanage.c
--- shadow-4.1.5.1/lib/semanage.c.default-range	2012-01-08 17:35:44.000000000 +0100
+===================================================================
-+++ shadow-4.1.5.1/lib/semanage.c	2013-06-14 15:14:51.970237594 +0200
+--- shadow-4.5.orig/lib/semanage.c
 +++ shadow-4.5/lib/semanage.c
@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
 		goto done;
 	}
--- a/shadow-4.1.5.1-errmsg.patch
+++ b/shadow-4.1.5.1-errmsg.patch
@ -1,23 +0,0 @@
 diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c
 --- shadow-4.1.5.1/src/useradd.c.logmsg	2013-02-20 15:41:44.000000000 +0100
 +++ shadow-4.1.5.1/src/useradd.c	2013-06-14 14:22:59.529661095 +0200
@@ -1760,6 +1760,9 @@ static void create_home (void)
 	if (access (user_home, F_OK) != 0) {
 #ifdef WITH_SELINUX
 		if (set_selinux_file_context (user_home, NULL) != 0) {
 +			fprintf (stderr,
 +			         _("%s: cannot set SELinux context for home directory %s\n"),
 +			         Prog, user_home);
 			fail_exit (E_HOMEDIR);
 		}
 #endif
@@ -1789,6 +1792,9 @@ static void create_home (void)
 #ifdef WITH_SELINUX
 		/* Reset SELinux to create files with default contexts */
 		if (reset_selinux_file_context () != 0) {
 +			fprintf (stderr,
 +			         _("%s: cannot reset SELinux file creation context\n"),
 +			         Prog);
 			fail_exit (E_HOMEDIR);
 		}
 #endif
--- a/shadow-4.1.5.1-id-alloc.patch
+++ b/shadow-4.1.5.1-id-alloc.patch
--- a/shadow-4.1.5.1-info-parent-dir.patch
+++ b/shadow-4.1.5.1-info-parent-dir.patch
@ -1,7 +1,8 @@
-diff -up shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir shadow-4.1.5.1/man/newusers.8.xml
+Index: shadow-4.5/man/newusers.8.xml
--- shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir	2012-05-25 13:45:28.000000000 +0200
+===================================================================
-+++ shadow-4.1.5.1/man/newusers.8.xml	2012-09-19 18:46:35.651613365 +0200
+--- shadow-4.5.orig/man/newusers.8.xml
-@@ -216,7 +216,15 @@
+++ shadow-4.5/man/newusers.8.xml
@@ -218,7 +218,15 @@
 	  <para>
 	    If this field does not specify an existing directory, the
 	    specified directory is created, with ownership set to the
--- a/shadow-4.1.5.1-ingroup.patch
+++ b/shadow-4.1.5.1-ingroup.patch
@ -1,63 +0,0 @@
 diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c
 --- shadow-4.1.5.1/src/newgrp.c.ingroup	2014-08-29 13:31:38.000000000 +0200
 +++ shadow-4.1.5.1/src/newgrp.c	2014-08-29 14:04:57.183849650 +0200
@@ -83,15 +83,29 @@ static void usage (void)
 	}
 }
 +static bool ingroup(const char *name, struct group *gr)
 +{
 +	char **look;
 +	bool notfound = true;
 +
 +	look = gr->gr_mem;
 +	while (*look && notfound)
 +		notfound = strcmp (*look++, name);
 +
 +	return !notfound;
 +}
 +
 /*
 - * find_matching_group - search all groups of a given group id for
 + * find_matching_group - search all groups of a gr's group id for
  *                       membership of a given username
 + *                       but check gr itself first
  */
 -static /*@null@*/struct group *find_matching_group (const char *name, gid_t gid)
 +static /*@null@*/struct group *find_matching_group (const char *name, struct group *gr)
 {
 -	struct group *gr;
 -	char **look;
 -	bool notfound = true;
 +	gid_t gid = gr->gr_gid;
 +
 +	if (ingroup(name, gr))
 +		return gr;
 	setgrent ();
 	while ((gr = getgrent ()) != NULL) {
@@ -103,14 +117,8 @@ static /*@null@*/struct group *find_matc
 		 * A group with matching GID was found.
 		 * Test for membership of 'name'.
 		 */
 -		look = gr->gr_mem;
 -		while ((NULL != *look) && notfound) {
 -			notfound = (strcmp (*look, name) != 0);
 -			look++;
 -		}
 -		if (!notfound) {
 +		if (ingroup(name, gr))
 			break;
 -		}
 	}
 	endgrent ();
 	return gr;
@@ -616,7 +624,7 @@ int main (int argc, char **argv)
 	 * groups of the same GID like the requested group for
 	 * membership of the current user.
 	 */
 -	grp = find_matching_group (name, grp->gr_gid);
 +	grp = find_matching_group (name, grp);
 	if (NULL == grp) {
 		/*
 		 * No matching group found. As we already know that
--- a/shadow-4.1.5.1-logmsg.patch
+++ b/shadow-4.1.5.1-logmsg.patch
@ -1,7 +1,8 @@
-diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c
+Index: shadow-4.5/src/useradd.c
--- shadow-4.1.5.1/src/useradd.c.logmsg	2013-02-20 15:41:44.000000000 +0100
+===================================================================
-+++ shadow-4.1.5.1/src/useradd.c	2013-03-19 18:40:04.908292810 +0100
+--- shadow-4.5.orig/src/useradd.c
-@@ -275,7 +275,7 @@ static void fail_exit (int code)
+++ shadow-4.5/src/useradd.c
@@ -323,7 +323,7 @@ static void fail_exit (int code)
 	              user_name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
--- a/shadow-4.1.5.1-move-home.patch
+++ b/shadow-4.1.5.1-move-home.patch
@ -1,15 +0,0 @@
 diff -up shadow-4.1.5.1/src/usermod.c.move-home shadow-4.1.5.1/src/usermod.c
 --- shadow-4.1.5.1/src/usermod.c.move-home	2014-08-29 13:31:38.000000000 +0200
 +++ shadow-4.1.5.1/src/usermod.c	2014-08-29 14:14:13.860671177 +0200
@@ -1571,6 +1571,11 @@ static void move_home (void)
 			         Prog, user_home, user_newhome);
 			fail_exit (E_HOMEDIR);
 		}
 +	} else {
 +		fprintf (stderr,
 +		         _("%s: The previous home directory (%s) does "
 +		           "not exist or is inaccessible. Move cannot be completed.\n"),
 +		         Prog, user_home);
 	}
 }
--- a/shadow-4.1.5.1-selinux.patch
+++ b/shadow-4.1.5.1-selinux.patch
@ -1,99 +0,0 @@
 diff -up shadow-4.1.5.1/lib/semanage.c.selinux shadow-4.1.5.1/lib/semanage.c
 --- shadow-4.1.5.1/lib/semanage.c.selinux	2012-01-08 17:35:44.000000000 +0100
 +++ shadow-4.1.5.1/lib/semanage.c	2014-09-10 10:11:55.417506128 +0200
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
 	ret = 0;
 +        /* drop obsolete matchpathcon cache */
 +        matchpathcon_fini();
 +
 done:
 	semanage_seuser_key_free (key);
 	semanage_handle_destroy (handle);
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
 	}
 	ret = 0;
 +
 +        /* drop obsolete matchpathcon cache */
 +        matchpathcon_fini();
 +
 done:
 	semanage_handle_destroy (handle);
 	return ret;
 diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c
 --- shadow-4.1.5.1/src/useradd.c.selinux	2014-09-10 10:10:18.791280619 +0200
 +++ shadow-4.1.5.1/src/useradd.c	2014-09-10 10:10:18.798280781 +0200
@@ -1850,6 +1850,7 @@ static void create_mail (void)
  */
 int main (int argc, char **argv)
 {
 +	int rv = E_SUCCESS;
 #ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	pam_handle_t *pamh = NULL;
@@ -2037,10 +2038,33 @@ int main (int argc, char **argv)
 	usr_update ();
 +	close_files ();
 +
 +	nscd_flush_cache ("passwd");
 +	nscd_flush_cache ("group");
 +
 +#ifdef WITH_SELINUX
 +	if (Zflg && *user_selinux) {
 +		if (is_selinux_enabled () > 0) {
 +		    if (set_seuser (user_name, user_selinux) != 0) {
 +			fprintf (stderr,
 +			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
 +			         Prog, user_name, user_selinux);
 +#ifdef WITH_AUDIT
 +			audit_logger (AUDIT_ADD_USER, Prog,
 +			              "adding SELinux user mapping",
 +			              user_name, (unsigned int) user_id, 0);
 +#endif				/* WITH_AUDIT */
 +			rv = E_SE_UPDATE;
 +		    }
 +		}
 +	}
 +#endif
 +
 	if (mflg) {
 		create_home ();
 		if (home_added) {
 -			copy_tree (def_template, user_home, false, false,
 +			copy_tree (def_template, user_home, false, true,
 			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
 		} else {
 			fprintf (stderr,
@@ -2056,27 +2080,6 @@ int main (int argc, char **argv)
 		create_mail ();
 	}
 -	close_files ();
 -
 -#ifdef WITH_SELINUX
 -	if (Zflg) {
 -		if (set_seuser (user_name, user_selinux) != 0) {
 -			fprintf (stderr,
 -			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
 -			         Prog, user_name, user_selinux);
 -#ifdef WITH_AUDIT
 -			audit_logger (AUDIT_ADD_USER, Prog,
 -			              "adding SELinux user mapping",
 -			              user_name, (unsigned int) user_id, 0);
 -#endif				/* WITH_AUDIT */
 -			fail_exit (E_SE_UPDATE);
 -		}
 -	}
 -#endif				/* WITH_SELINUX */
 -
 -	nscd_flush_cache ("passwd");
 -	nscd_flush_cache ("group");
 -
 -	return E_SUCCESS;
 +	return rv;
 }
--- a/shadow-4.1.5.1-userdel-helpfix.patch
+++ b/shadow-4.1.5.1-userdel-helpfix.patch
@ -1,7 +1,8 @@
-diff -up shadow-4.1.5.1/src/userdel.c.userdel shadow-4.1.5.1/src/userdel.c
+Index: shadow-4.5/src/userdel.c
--- shadow-4.1.5.1/src/userdel.c.userdel	2012-05-25 13:51:55.000000000 +0200
+===================================================================
-+++ shadow-4.1.5.1/src/userdel.c	2014-02-12 11:40:30.707686132 +0100
+--- shadow-4.5.orig/src/userdel.c
-@@ -130,8 +130,9 @@ static void usage (int status)
+++ shadow-4.5/src/userdel.c
@@ -143,8 +143,9 @@ static void usage (int status)
 	                  "\n"
 	                  "Options:\n"),
 	                Prog);
--- a/shadow-4.2.1-date-parsing.patch
+++ b/shadow-4.2.1-date-parsing.patch
@ -1,6 +1,7 @@
-diff -up shadow-4.2.1/libmisc/getdate.y.date-parsing shadow-4.2.1/libmisc/getdate.y
+Index: shadow-4.5/libmisc/getdate.y
--- shadow-4.2.1/libmisc/getdate.y.date-parsing	2014-03-01 18:50:05.000000000 +0100
+===================================================================
-+++ shadow-4.2.1/libmisc/getdate.y	2014-11-26 14:58:21.208153924 +0100
+--- shadow-4.5.orig/libmisc/getdate.y
 +++ shadow-4.5/libmisc/getdate.y
@@ -152,6 +152,7 @@ static int	yyHaveDay;
 static int	yyHaveRel;
 static int	yyHaveTime;
--- a/shadow-4.2.1-manfix.patch
+++ b/shadow-4.2.1-manfix.patch
@ -1,78 +0,0 @@
 diff -up shadow-4.2.1/man/chage.1.xml.manfix shadow-4.2.1/man/chage.1.xml
 --- shadow-4.2.1/man/chage.1.xml.manfix	2014-03-01 19:59:51.000000000 +0100
 +++ shadow-4.2.1/man/chage.1.xml	2014-11-26 15:34:51.256978960 +0100
@@ -102,6 +102,9 @@
 	    Set the number of days since January 1st, 1970 when the password
 	    was last changed. The date may also be expressed in the format
 	    YYYY-MM-DD (or the format more commonly used in your area).
 +	    If the <replaceable>LAST_DAY</replaceable> is set to
 +	    <emphasis>0</emphasis> the user is forced to change his password
 +	    on the next log on.
 	  </para>
 	</listitem>
       </varlistentry>
 diff -up shadow-4.2.1/man/login.defs.5.xml.manfix shadow-4.2.1/man/login.defs.5.xml
 --- shadow-4.2.1/man/login.defs.5.xml.manfix	2014-03-13 06:52:55.000000000 +0100
 +++ shadow-4.2.1/man/login.defs.5.xml	2014-11-26 15:34:51.257978963 +0100
@@ -162,6 +162,17 @@
       long numeric parameters is machine-dependent.
     </para>
 +    <para>
 +      Please note that the parameters in this configuration file control the
 +      behavior of the tools from the shadow-utils component. None of these
 +      tools uses the PAM mechanism, and the utilities that use PAM (such as the
 +      passwd command) should be configured elsewhere. The only values that
 +      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
 +      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
 +      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
 +      pam(8) for more information.
 +    </para>
 +
     <para>The following configuration items are provided:</para>
     <variablelist remap='IP'>
 diff -up shadow-4.2.1/man/useradd.8.xml.manfix shadow-4.2.1/man/useradd.8.xml
 --- shadow-4.2.1/man/useradd.8.xml.manfix	2014-11-26 15:34:51.234978891 +0100
 +++ shadow-4.2.1/man/useradd.8.xml	2014-11-26 15:34:51.257978963 +0100
@@ -347,11 +347,16 @@
 	    <option>CREATE_HOME</option> is not enabled, no home
 	    directories are created.
 	  </para>
 +	  <para>
 +	    The directory where the user's home directory is created must
 +	    exist and have proper SELinux context and permissions. Otherwise
 +	    the user's home directory cannot be created or accessed.
 +	  </para>
 	</listitem>
       </varlistentry>
       <varlistentry>
 	<term>
 -	  <option>-M</option>
 +	  <option>-M</option>, <option>--no-create-home</option>
 	</term>
 	<listitem>
 	  <para>
 diff -up shadow-4.2.1/man/usermod.8.xml.manfix shadow-4.2.1/man/usermod.8.xml
 --- shadow-4.2.1/man/usermod.8.xml.manfix	2014-03-01 19:59:51.000000000 +0100
 +++ shadow-4.2.1/man/usermod.8.xml	2014-11-26 15:34:51.257978963 +0100
@@ -132,7 +132,8 @@
 	    If the <option>-m</option>
 	    option is given, the contents of the current home directory will
 	    be moved to the new home directory, which is created if it does
 -	    not already exist.
 +	    not already exist. If the current home directory does not exist
 +	    the new home directory will not be created.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -256,7 +257,8 @@
 	<listitem>
 	  <para>
 	    Move the content of the user's home directory to the new
 -	    location.
 +	    location. If the current home directory does not exist
 +	    the new home directory will not be created.
 	  </para>
 	  <para>
 	    This option is only valid in combination with the
--- a/shadow-4.2.1-merge-group.patch
+++ b/shadow-4.2.1-merge-group.patch
@ -1,13 +0,0 @@
 diff -up shadow-4.2.1/lib/groupio.c.merge-group shadow-4.2.1/lib/groupio.c
 --- shadow-4.2.1/lib/groupio.c.merge-group	2014-11-26 14:33:54.039581662 +0100
 +++ shadow-4.2.1/lib/groupio.c	2014-11-26 14:46:02.841852886 +0100
@@ -335,8 +335,7 @@ static /*@null@*/struct commonio_entry *
 		errno = ENOMEM;
 		return NULL;
 	}
 -	snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line);
 -	new_line[new_line_len] = '\0';
 +	snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line);
 	/* Concatenate the 2 list of members */
 	for (i=0; NULL != gptr1->gr_mem[i]; i++);
--- a/shadow-4.2.1-no-lock-dos.patch
+++ b/shadow-4.2.1-no-lock-dos.patch
@ -0,0 +1,16 @@
 Index: shadow-4.5/lib/commonio.c
 ===================================================================
 --- shadow-4.5.orig/lib/commonio.c
 +++ shadow-4.5/lib/commonio.c
@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
 	int retval;
 	char buf[32];
 -	fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
 +	/* We depend here on the fact, that the file name is pid-specific.
 +	 * So no O_EXCL here and no DoS.
 +	 */
 +	fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
 	if (-1 == fd) {
 		if (log) {
 			(void) fprintf (stderr,
--- a/shadow-4.2.1-null-tm.patch
+++ b/shadow-4.2.1-null-tm.patch
@ -0,0 +1,91 @@
 Index: shadow-4.5/src/faillog.c
 ===================================================================
 --- shadow-4.5.orig/src/faillog.c
 +++ shadow-4.5/src/faillog.c
@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
 	}
 	tm = localtime (&fl.fail_time);
 +	if (tm == NULL) {
 +		cp = "(unknown)";
 +	} else {
 #ifdef HAVE_STRFTIME
 -	strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
 -	cp = ptime;
 +		strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
 +		cp = ptime;
 #endif
 +	}
 	printf ("%-9s   %5d    %5d   ",
 	        pw->pw_name, fl.fail_cnt, fl.fail_max);
 	/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
 Index: shadow-4.5/src/chage.c
 ===================================================================
 --- shadow-4.5.orig/src/chage.c
 +++ shadow-4.5/src/chage.c
@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
 	struct tm *tp;
 	tp = gmtime (&date);
 +	if (tp == NULL) {
 +		(void) snprintf (buf, maxsize, "(unknown)");
 +		return;
 +	}
 #ifdef HAVE_STRFTIME
 	(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
 #else
 Index: shadow-4.5/src/lastlog.c
 ===================================================================
 --- shadow-4.5.orig/src/lastlog.c
 +++ shadow-4.5/src/lastlog.c
@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
 	ll_time = ll.ll_time;
 	tm = localtime (&ll_time);
 +	if (tm == NULL) {
 +		cp = "(unknown)";
 +	} else {
 #ifdef HAVE_STRFTIME
 -	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
 -	cp = ptime;
 +		strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
 +		cp = ptime;
 #else
 -	cp = asctime (tm);
 -	cp[24] = '\0';
 +		cp = asctime (tm);
 +		cp[24] = '\0';
 #endif
 +	}
 	if (ll.ll_time == (time_t) 0) {
 		cp = _("**Never logged in**\0");
 Index: shadow-4.5/src/passwd.c
 ===================================================================
 --- shadow-4.5.orig/src/passwd.c
 +++ shadow-4.5/src/passwd.c
@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
 	struct tm *tm;
 	tm = gmtime (&t);
 +	if (tm == NULL) {
 +		return "(unknown)";
 +	}
 #ifdef HAVE_STRFTIME
 	(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
 #else				/* !HAVE_STRFTIME */
 Index: shadow-4.5/src/usermod.c
 ===================================================================
 --- shadow-4.5.orig/src/usermod.c
 +++ shadow-4.5/src/usermod.c
@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
 	} else {
 		time_t t = (time_t) date;
 		tp = gmtime (&t);
 +		if (tp == NULL) {
 +			strncpy (buf, "unknown", maxsize);
 +			return;
 +		}
 #ifdef HAVE_STRFTIME
 		strftime (buf, maxsize, "%Y-%m-%d", tp);
 #else
--- a/shadow-4.3.1-manfix.patch
+++ b/shadow-4.3.1-manfix.patch
@ -0,0 +1,266 @@
 Index: shadow-4.5/man/groupmems.8.xml
 ===================================================================
 --- shadow-4.5.orig/man/groupmems.8.xml
 +++ shadow-4.5/man/groupmems.8.xml
@@ -179,20 +179,10 @@
   <refsect1 id='setup'>
     <title>SETUP</title>
     <para>
 -      The <command>groupmems</command> executable should be in mode
 -      <literal>2770</literal> as user <emphasis>root</emphasis> and in group
 -      <emphasis>groups</emphasis>. The system administrator can add users to
 -      group <emphasis>groups</emphasis> to allow or disallow them using the
 -      <command>groupmems</command> utility to manage their own group
 -      membership list.
 +      In this operating system the <command>groupmems</command> executable
 +      is not setuid and regular users cannot use it to manipulate
 +      the membership of their own group.
     </para>
 -
 -    <programlisting>
 -	$ groupadd -r groups
 -	$ chmod 2770 groupmems
 -	$ chown root.groups groupmems
 -	$ groupmems -g groups -a gk4
 -    </programlisting>
   </refsect1>
   <refsect1 id='configuration'>
 Index: shadow-4.5/man/chage.1.xml
 ===================================================================
 --- shadow-4.5.orig/man/chage.1.xml
 +++ shadow-4.5/man/chage.1.xml
@@ -102,6 +102,9 @@
 	    Set the number of days since January 1st, 1970 when the password
 	    was last changed. The date may also be expressed in the format
 	    YYYY-MM-DD (or the format more commonly used in your area).
 +	    If the <replaceable>LAST_DAY</replaceable> is set to
 +	    <emphasis>0</emphasis> the user is forced to change his password
 +	    on the next log on.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -119,6 +122,13 @@
 	    system again.
 	  </para>
 	  <para>
 +	    For example the following can be used to set an account to expire
 +	    in 180 days:
 +	  </para>
 +	  <programlisting>
 +	    chage -E $(date -d +180days +%Y-%m-%d)
 +	  </programlisting>
 +	  <para>
 	    Passing the number <emphasis remap='I'>-1</emphasis> as the
 	    <replaceable>EXPIRE_DATE</replaceable> will remove an account
 	    expiration date.
 Index: shadow-4.5/man/ja/man5/login.defs.5
 ===================================================================
 --- shadow-4.5.orig/man/ja/man5/login.defs.5
 +++ shadow-4.5/man/ja/man5/login.defs.5
@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_
 shadow パスワード機能のどのプログラムが
 どのパラメータを使用するかを示したものである。
 .na
 -.IP chfn 12
 -CHFN_AUTH CHFN_RESTRICT
 -.IP chsh 12
 -CHFN_AUTH
 .IP groupadd 12
 GID_MAX GID_MIN
 .IP newusers 12
 Index: shadow-4.5/man/login.defs.5.xml
 ===================================================================
 --- shadow-4.5.orig/man/login.defs.5.xml
 +++ shadow-4.5/man/login.defs.5.xml
@@ -162,6 +162,17 @@
       long numeric parameters is machine-dependent.
     </para>
 +    <para>
 +      Please note that the parameters in this configuration file control the
 +      behavior of the tools from the shadow-utils component. None of these
 +      tools uses the PAM mechanism, and the utilities that use PAM (such as the
 +      passwd command) should be configured elsewhere. The only values that
 +      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
 +      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
 +      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
 +      pam(8) for more information.
 +    </para>
 +
     <para>The following configuration items are provided:</para>
     <variablelist remap='IP'>
@@ -252,16 +263,6 @@
 	</listitem>
       </varlistentry>
       <varlistentry>
 -	<term>chfn</term>
 -	<listitem>
 -	  <para>
 -	    <phrase condition="no_pam">CHFN_AUTH</phrase>
 -	    CHFN_RESTRICT
 -	    <phrase condition="no_pam">LOGIN_STRING</phrase>
 -	  </para>
 -	</listitem>
 -      </varlistentry>
 -      <varlistentry>
 	<term>chgpasswd</term>
 	<listitem>
 	  <para>
@@ -282,14 +283,6 @@
 	  </para>
 	</listitem>
       </varlistentry>
 -      <varlistentry condition="no_pam">
 -	<term>chsh</term>
 -	<listitem>
 -	  <para>
 -	    CHSH_AUTH LOGIN_STRING
 -	  </para>
 -	</listitem>
 -      </varlistentry>
       <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
       <!-- faillog: no variables -->
       <varlistentry>
@@ -350,34 +343,6 @@
       </varlistentry>
       <!-- id: no variables -->
       <!-- lastlog: no variables -->
 -      <varlistentry>
 -	<term>login</term>
 -	<listitem>
 -	  <para>
 -	    <phrase condition="no_pam">CONSOLE</phrase>
 -	    CONSOLE_GROUPS DEFAULT_HOME
 -	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
 -	    ENV_TZ ENVIRON_FILE</phrase>
 -	    ERASECHAR FAIL_DELAY
 -	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
 -	    FAKE_SHELL
 -	    <phrase condition="no_pam">FTMP_FILE</phrase>
 -	    HUSHLOGIN_FILE
 -	    <phrase condition="no_pam">ISSUE_FILE</phrase>
 -	    KILLCHAR
 -	    <phrase condition="no_pam">LASTLOG_ENAB</phrase>
 -	    LOGIN_RETRIES
 -	    <phrase condition="no_pam">LOGIN_STRING</phrase>
 -	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
 -	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
 -	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
 -	    QUOTAS_ENAB</phrase>
 -	    TTYGROUP TTYPERM TTYTYPE_FILE
 -	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
 -	    USERGROUPS_ENAB
 -	  </para>
 -	</listitem>
 -      </varlistentry>
       <!-- logoutd: no variables -->
       <varlistentry>
 	<term>newgrp / sg</term>
@@ -405,17 +370,6 @@
 	</listitem>
       </varlistentry>
       <!-- nologin: no variables -->
 -      <varlistentry condition="no_pam">
 -	<term>passwd</term>
 -	<listitem>
 -	  <para>
 -	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
 -	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
 -	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
 -	    SHA_CRYPT_MIN_ROUNDS</phrase>
 -	  </para>
 -	</listitem>
 -      </varlistentry>
       <varlistentry>
 	<term>pwck</term>
 	<listitem>
@@ -442,32 +396,6 @@
 	  </para>
 	</listitem>
       </varlistentry>
 -      <varlistentry>
 -	<term>su</term>
 -	<listitem>
 -	  <para>
 -	    <phrase condition="no_pam">CONSOLE</phrase>
 -	    CONSOLE_GROUPS DEFAULT_HOME
 -	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
 -	    ENV_PATH ENV_SUPATH
 -	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
 -	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
 -	    SULOG_FILE SU_NAME
 -	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
 -	    SYSLOG_SU_ENAB
 -	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
 -	  </para>
 -	</listitem>
 -      </varlistentry>
 -      <varlistentry>
 -	<term>sulogin</term>
 -	<listitem>
 -	  <para>
 -	    ENV_HZ
 -	    <phrase condition="no_pam">ENV_TZ</phrase>
 -	  </para>
 -	</listitem>
 -      </varlistentry>
       <varlistentry>
 	<term>useradd</term>
 	<listitem>
 Index: shadow-4.5/man/shadow.5.xml
 ===================================================================
 --- shadow-4.5.orig/man/shadow.5.xml
 +++ shadow-4.5/man/shadow.5.xml
@@ -208,8 +208,8 @@
 	  </para>
 	  <para>
 	    After expiration of the password and this expiration period is
 -	    elapsed, no login is possible using the current user's
 -	    password.  The user should contact her administrator.
 +	    elapsed, no login is possible for the user.
 +	    The user should contact her administrator.
 	  </para>
 	  <para>
 	    An empty field means that there are no enforcement of an
 Index: shadow-4.5/man/useradd.8.xml
 ===================================================================
 --- shadow-4.5.orig/man/useradd.8.xml
 +++ shadow-4.5/man/useradd.8.xml
@@ -347,6 +347,11 @@
 	    <option>CREATE_HOME</option> is not enabled, no home
 	    directories are created.
 	  </para>
 +	  <para>
 +	    The directory where the user's home directory is created must
 +	    exist and have proper SELinux context and permissions. Otherwise
 +	    the user's home directory cannot be created or accessed.
 +	  </para>
 	</listitem>
       </varlistentry>
       <varlistentry>
 Index: shadow-4.5/man/usermod.8.xml
 ===================================================================
 --- shadow-4.5.orig/man/usermod.8.xml
 +++ shadow-4.5/man/usermod.8.xml
@@ -132,7 +132,8 @@
 	    If the <option>-m</option>
 	    option is given, the contents of the current home directory will
 	    be moved to the new home directory, which is created if it does
 -	    not already exist.
 +	    not already exist. If the current home directory does not exist
 +	    the new home directory will not be created.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -256,7 +257,8 @@
 	<listitem>
 	  <para>
 	    Move the content of the user's home directory to the new
 -	    location.
 +	    location. If the current home directory does not exist
 +	    the new home directory will not be created.
 	  </para>
 	  <para>
 	    This option is only valid in combination with the
--- a/shadow-4.3.1-selinux-perms.patch
+++ b/shadow-4.3.1-selinux-perms.patch
@ -0,0 +1,277 @@
 Index: shadow-4.5/src/chgpasswd.c
 ===================================================================
 --- shadow-4.5.orig/src/chgpasswd.c
 +++ shadow-4.5/src/chgpasswd.c
@@ -39,6 +39,13 @@
 #include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
 +#ifdef WITH_SELINUX
 +#include <selinux/selinux.h>
 +#include <selinux/avc.h>
 +#endif
 +#ifdef WITH_LIBAUDIT
 +#include <libaudit.h>
 +#endif
 #ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 #include "pam_defs.h"
@@ -76,6 +83,9 @@ static bool sgr_locked = false;
 #endif
 static bool gr_locked = false;
 +/* The name of the caller */
 +static char *myname = NULL;
 +
 /* local function prototypes */
 static void fail_exit (int code);
 static /*@noreturn@*/void usage (int status);
@@ -300,6 +310,63 @@ static void check_perms (void)
 #endif				/* ACCT_TOOLS_SETUID */
 }
 +#ifdef WITH_SELINUX
 +static int
 +log_callback (int type, const char *fmt, ...)
 +{
 +    int audit_fd;
 +    va_list ap;
 +
 +    va_start(ap, fmt);
 +#ifdef WITH_AUDIT
 +    audit_fd = audit_open();
 +
 +    if (audit_fd >= 0) {
 +	char *buf;
 +
 +	if (vasprintf (&buf, fmt, ap) < 0)
 +		goto ret;
 +	audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
 +				   NULL, 0);
 +	audit_close(audit_fd);
 +	free(buf);
 +	goto ret;
 +    }
 +
 +#endif
 +    vsyslog (LOG_USER | LOG_INFO, fmt, ap);
 +ret:
 +    va_end(ap);
 +    return 0;
 +}
 +
 +static void
 +selinux_check_root (void)
 +{
 +    int status = -1;
 +    security_context_t user_context;
 +    union selinux_callback old_callback;
 +
 +    if (is_selinux_enabled() < 1)
 +	return;
 +
 +    old_callback = selinux_get_callback(SELINUX_CB_LOG);
 +    /* setup callbacks */
 +    selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
 +    if ((status = getprevcon(&user_context)) < 0) {
 +	selinux_set_callback(SELINUX_CB_LOG, old_callback);
 +	exit(1);
 +    }
 +
 +    status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
 +
 +    selinux_set_callback(SELINUX_CB_LOG, old_callback);
 +    freecon(user_context);
 +    if (status != 0 && security_getenforce() != 0)
 +	exit(1);
 +}
 +#endif
 +
 /*
  * open_files - lock and open the group databases
  */
@@ -393,6 +460,7 @@ int main (int argc, char **argv)
 	const struct group *gr;
 	struct group newgr;
 +	struct passwd *pw = NULL;
 	int errors = 0;
 	int line = 0;
@@ -408,8 +476,33 @@ int main (int argc, char **argv)
 	OPENLOG ("chgpasswd");
 +#ifdef WITH_AUDIT
 +	audit_help_open ();
 +#endif
 +
 +	/*
 +	 * Determine the name of the user that invoked this command. This
 +	 * is really hit or miss because there are so many ways that command
 +	 * can be executed and so many ways to trip up the routines that
 +	 * report the user name.
 +	 */
 +	pw = get_my_pwent ();
 +	if (NULL == pw) {
 +		fprintf (stderr, _("%s: Cannot determine your user name.\n"),
 +		         Prog);
 +		SYSLOG ((LOG_WARN,
 +		         "Cannot determine the user name of the caller (UID %lu)",
 +		         (unsigned long) getuid ()));
 +		exit (E_NOPERM);
 +	}
 +	myname = xstrdup (pw->pw_name);
 +
 	check_perms ();
 +#ifdef WITH_SELINUX
 +	selinux_check_root ();
 +#endif
 +
 #ifdef SHADOWGRP
 	is_shadow_grp = sgr_file_present ();
 #endif
@@ -536,6 +629,15 @@ int main (int argc, char **argv)
 			newgr.gr_passwd = cp;
 		}
 +#ifdef WITH_AUDIT
 +		{
 +
 +			audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
 +		              "change-password",
 +		              myname, AUDIT_NO_ID, gr->gr_name,
 +		              SHADOW_AUDIT_SUCCESS);
 +		}
 +#endif
 		/* 
 		 * The updated group file entry is then put back and will
 		 * be written to the group file later, after all the
 Index: shadow-4.5/src/chpasswd.c
 ===================================================================
 --- shadow-4.5.orig/src/chpasswd.c
 +++ shadow-4.5/src/chpasswd.c
@@ -39,6 +39,13 @@
 #include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
 +#ifdef WITH_SELINUX
 +#include <selinux/selinux.h>
 +#include <selinux/avc.h>
 +#endif
 +#ifdef WITH_LIBAUDIT
 +#include <libaudit.h>
 +#endif
 #ifdef USE_PAM
 #include "pam_defs.h"
 #endif				/* USE_PAM */
@@ -297,6 +304,63 @@ static void check_perms (void)
 #endif				/* USE_PAM */
 }
 +#ifdef WITH_SELINUX
 +static int
 +log_callback (int type, const char *fmt, ...)
 +{
 +    int audit_fd;
 +    va_list ap;
 +
 +    va_start(ap, fmt);
 +#ifdef WITH_AUDIT
 +    audit_fd = audit_open();
 +
 +    if (audit_fd >= 0) {
 +	char *buf;
 +
 +	if (vasprintf (&buf, fmt, ap) < 0)
 +		goto ret;
 +	audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
 +				   NULL, 0);
 +	audit_close(audit_fd);
 +	free(buf);
 +	goto ret;
 +    }
 +
 +#endif
 +    vsyslog (LOG_USER | LOG_INFO, fmt, ap);
 +ret:
 +    va_end(ap);
 +    return 0;
 +}
 +
 +static void
 +selinux_check_root (void)
 +{
 +    int status = -1;
 +    security_context_t user_context;
 +    union selinux_callback old_callback;
 +
 +    if (is_selinux_enabled() < 1)
 +	return;
 +
 +    old_callback = selinux_get_callback(SELINUX_CB_LOG);
 +    /* setup callbacks */
 +    selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
 +    if ((status = getprevcon(&user_context)) < 0) {
 +	selinux_set_callback(SELINUX_CB_LOG, old_callback);
 +	exit(1);
 +    }
 +
 +    status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
 +
 +    selinux_set_callback(SELINUX_CB_LOG, old_callback);
 +    freecon(user_context);
 +    if (status != 0 && security_getenforce() != 0)
 +	exit(1);
 +}
 +#endif
 +
 /*
  * open_files - lock and open the password databases
  */
@@ -405,8 +469,16 @@ int main (int argc, char **argv)
 	OPENLOG ("chpasswd");
 +#ifdef WITH_AUDIT
 +	audit_help_open ();
 +#endif
 +
 	check_perms ();
 +#ifdef WITH_SELINUX
 +	selinux_check_root ();
 +#endif
 +
 #ifdef USE_PAM
 	if (!use_pam)
 #endif				/* USE_PAM */
@@ -566,6 +638,11 @@ int main (int argc, char **argv)
 			newpw.pw_passwd = cp;
 		}
 +#ifdef WITH_AUDIT
 +		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
 +		              "updating-password",
 +		              pw->pw_name, (unsigned int) pw->pw_uid, 1);
 +#endif
 		/* 
 		 * The updated password file entry is then put back and will
 		 * be written to the password file later, after all the
 Index: shadow-4.5/src/Makefile.am
 ===================================================================
 --- shadow-4.5.orig/src/Makefile.am
 +++ shadow-4.5/src/Makefile.am
@@ -87,9 +87,9 @@ chage_LDADD    = $(LDADD) $(LIBPAM_SUID)
 newuidmap_LDADD    = $(LDADD) $(LIBSELINUX)
 newgidmap_LDADD    = $(LDADD) $(LIBSELINUX)
 chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
 -chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
 +chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
 chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
 -chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
 +chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
 gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
 groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
 groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
--- a/shadow-4.5-crypt_h.patch
+++ b/shadow-4.5-crypt_h.patch
@ -0,0 +1,41 @@
 Index: shadow-4.5/configure.ac
 ===================================================================
 --- shadow-4.5.orig/configure.ac
 +++ shadow-4.5/configure.ac
@@ -32,9 +32,9 @@ AC_HEADER_STDC
 AC_HEADER_SYS_WAIT
 AC_HEADER_STDBOOL
 -AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
 -	utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
 -	utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
 +AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \
 +	utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \
 +	paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
 	locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
 	attr/error_context.h)
 Index: shadow-4.5/lib/defines.h
 ===================================================================
 --- shadow-4.5.orig/lib/defines.h
 +++ shadow-4.5/lib/defines.h
@@ -4,6 +4,8 @@
 #ifndef _DEFINES_H_
 #define _DEFINES_H_
 +#include "config.h"
 +
 #if HAVE_STDBOOL_H
 # include <stdbool.h>
 #else
@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
 # include <unistd.h>
 #endif
 +#if HAVE_CRYPT_H
 +# include <crypt.h>		/* crypt(3) may be defined in here */
 +#endif
 +
 #if TIME_WITH_SYS_TIME
 # include <sys/time.h>
 # include <time.h>
--- a/shadow-4.1.5.1-goodname.patch
+++ b/shadow-4.1.5.1-goodname.patch
@ -1,7 +1,8 @@
-diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c
+Index: shadow-4.5/libmisc/chkname.c
--- shadow-4.1.5.1/libmisc/chkname.c.goodname	2009-07-13 00:24:45.000000000 +0200
+===================================================================
-+++ shadow-4.1.5.1/libmisc/chkname.c	2014-09-09 17:35:17.207303124 +0200
+--- shadow-4.5.orig/libmisc/chkname.c
-@@ -47,27 +47,42 @@
+++ shadow-4.5/libmisc/chkname.c
@@ -47,27 +47,46 @@
 #include "chkname.h"
 static bool is_valid_name (const char *name)
@ -18,16 +19,18 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam
 +         * as a non-POSIX, extension, allow "$" as the last char for
 +         * sake of Samba 3.x "add machine script"
 +         *
-+         * Also do not allow fully numeric names.
+         * Also do not allow fully numeric names or just "." or "..".
 +         */
 +	int numeric;
 +
-+	if ( ('\0' == *name) ||
+	if ('\0' == *name ||
-+             !((*name >= 'a' && *name <= 'z') ||
+	    ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
-+               (*name >= 'A' && *name <= 'Z') ||
+			      '\0' == name[1])) ||
-+               (*name >= '0' && *name <= '9') ||
+	    !((*name >= 'a' && *name <= 'z') ||
-+               (*name == '_') || (*name == '.') 
+	      (*name >= 'A' && *name <= 'Z') ||
-+	      )) {
+	      (*name >= '0' && *name <= '9') ||
 +	      *name == '_' ||
 +	      *name == '.')) {
 		return false;
 	}
@ -39,13 +42,14 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam
 -		      ('_' == *name) ||
 -		      ('-' == *name) ||
 -		      ( ('$' == *name) && ('\0' == *(name + 1)) )
-		     )) {
+		if (!((*name >= 'a' && *name <= 'z') ||
-+                if (!(  (*name >= 'a' && *name <= 'z') ||
+		      (*name >= 'A' && *name <= 'Z') ||
-+                        (*name >= 'A' && *name <= 'Z') ||
+		      (*name >= '0' && *name <= '9') ||
-+                        (*name >= '0' && *name <= '9') ||
+		      *name == '_' ||
-+                        (*name == '_') || (*name == '.') || (*name == '-') ||
+		      *name == '.' ||
-+                        (*name == '$' && *(name + 1) == '\0') 
+		      *name == '-' ||
-+                     )) {
+		      (*name == '$' && name[1] == '\0')
 		     )) {
 			return false;
 		}
 +		numeric &= isdigit(*name);
@ -56,10 +60,11 @@ diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chknam
 }
 bool is_valid_user_name (const char *name)
-diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml
+Index: shadow-4.5/man/groupadd.8.xml
--- shadow-4.1.5.1/man/groupadd.8.xml.goodname	2012-05-25 13:45:27.000000000 +0200
+===================================================================
-+++ shadow-4.1.5.1/man/groupadd.8.xml	2014-09-09 17:28:46.330300342 +0200
+--- shadow-4.5.orig/man/groupadd.8.xml
-@@ -259,12 +259,6 @@
+++ shadow-4.5/man/groupadd.8.xml
@@ -256,12 +256,6 @@
    <refsect1 id='caveats'>
      <title>CAVEATS</title>
      <para>
@ -72,19 +77,11 @@ diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.
        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
      </para>
      <para>
-diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml
+Index: shadow-4.5/man/useradd.8.xml
--- shadow-4.1.5.1/man/useradd.8.xml.goodname	2012-05-25 13:45:29.000000000 +0200
+===================================================================
-+++ shadow-4.1.5.1/man/useradd.8.xml	2014-09-09 17:28:46.330300342 +0200
+--- shadow-4.5.orig/man/useradd.8.xml
-@@ -366,7 +366,7 @@
+++ shadow-4.5/man/useradd.8.xml
- 	</term>
+@@ -633,12 +633,6 @@
 	<listitem>
 	  <para>
 -	    Do no create the user's home directory, even if the system
 +	    Do not create the user's home directory, even if the system
 	    wide setting from <filename>/etc/login.defs</filename>
 	    (<option>CREATE_HOME</option>) is set to
 	    <replaceable>yes</replaceable>.
@@ -654,12 +654,6 @@
     </para>
     <para>
--- a/shadow-4.5-long-entry.patch
+++ b/shadow-4.5-long-entry.patch
@ -0,0 +1,84 @@
 diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h
 --- shadow-4.5/lib/defines.h.long-entry	2014-09-01 16:36:40.000000000 +0200
 +++ shadow-4.5/lib/defines.h	2018-04-20 11:53:07.419308212 +0200
@@ -382,4 +382,7 @@ extern char *strerror ();
 # endif
 #endif
 +/* Maximum length of passwd entry */
 +#define PASSWD_ENTRY_MAX_LENGTH 32768
 +
 #endif				/* _DEFINES_H_ */
 diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c
 --- shadow-4.5/lib/pwio.c.long-entry	2015-11-17 17:45:15.000000000 +0100
 +++ shadow-4.5/lib/pwio.c	2018-04-20 12:10:24.400837235 +0200
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
 	    || (pw->pw_gid == (gid_t)-1)
 	    || (valid_field (pw->pw_gecos, ":\n") == -1)
 	    || (valid_field (pw->pw_dir, ":\n") == -1)
 -	    || (valid_field (pw->pw_shell, ":\n") == -1)) {
 +	    || (valid_field (pw->pw_shell, ":\n") == -1)
 +	    || (strlen (pw->pw_name) + strlen (pw->pw_passwd) +
 +	        strlen (pw->pw_gecos) + strlen (pw->pw_dir) +
 +	        strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) {
 		return -1;
 	}
 diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c
 --- shadow-4.5/lib/sgetpwent.c.long-entry	2014-09-01 16:36:40.000000000 +0200
 +++ shadow-4.5/lib/sgetpwent.c	2018-04-20 12:16:31.911513808 +0200
@@ -57,7 +57,7 @@
 struct passwd *sgetpwent (const char *buf)
 {
 	static struct passwd pwent;
 -	static char pwdbuf[1024];
 +	static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH];
 	register int i;
 	register char *cp;
 	char *fields[NFIELDS];
@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu
 	 * the password structure remain valid.
 	 */
 -	if (strlen (buf) >= sizeof pwdbuf)
 +	if (strlen (buf) >= sizeof pwdbuf) {
 +		fprintf (stderr, "Too long passwd entry encountered, file corruption?\n");
 		return 0;	/* fail if too long */
 +	}
 	strcpy (pwdbuf, buf);
 	/*
 diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c
 --- shadow-4.5/lib/sgetspent.c.long-entry	2014-09-01 16:36:40.000000000 +0200
 +++ shadow-4.5/lib/sgetspent.c	2018-04-20 12:16:54.505056257 +0200
@@ -48,7 +48,7 @@
  */
 struct spwd *sgetspent (const char *string)
 {
 -	static char spwbuf[1024];
 +	static char spwbuf[PASSWD_ENTRY_MAX_LENGTH];
 	static struct spwd spwd;
 	char *fields[FIELDS];
 	char *cp;
@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri
 	 */
 	if (strlen (string) >= sizeof spwbuf) {
 +		fprintf (stderr, "Too long shadow entry encountered, file corruption?\n");
 		return 0;	/* fail if too long */
 	}
 	strcpy (spwbuf, string);
 diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c
 --- shadow-4.5/lib/shadowio.c.long-entry	2016-12-07 06:30:41.000000001 +0100
 +++ shadow-4.5/lib/shadowio.c	2018-04-20 12:12:03.292171667 +0200
@@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
 	if (   (NULL == sp)
 	    || (valid_field (sp->sp_namp, ":\n") == -1)
 -	    || (valid_field (sp->sp_pwdp, ":\n") == -1)) {
 +	    || (valid_field (sp->sp_pwdp, ":\n") == -1)
 +	    || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) +
 +	        1000 > PASSWD_ENTRY_MAX_LENGTH)) {
 		return -1;
 	}
--- a/shadow-4.5-usermod-unlock.patch
+++ b/shadow-4.5-usermod-unlock.patch
@ -0,0 +1,64 @@
 Index: shadow-4.5/src/usermod.c
 ===================================================================
 --- shadow-4.5.orig/src/usermod.c
 +++ shadow-4.5/src/usermod.c
@@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas
 		strcat (buf, pw_pass);
 		pw_pass = buf;
 	} else if (Uflg && pw_pass[0] == '!') {
 -		char *s;
 +		char *s = pw_pass;
 -		if (pw_pass[1] == '\0') {
 +		while ('!' == *s)
 +			++s;
 +
 +		if (*s == '\0') {
 			fprintf (stderr,
 			         _("%s: unlocking the user's password would result in a passwordless account.\n"
 			           "You should set a password with usermod -p to unlock this user's password.\n"),
 			         Prog);
 -			return pw_pass;
 +			return NULL;
 		}
 #ifdef WITH_AUDIT
@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas
 		              user_newname, (unsigned int) user_newid, 1);
 #endif
 		SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
 -		s = pw_pass;
 -		while ('\0' != *s) {
 -			*s = *(s + 1);
 -			s++;
 -		}
 +		memmove (pw_pass, s, strlen (s) + 1);
 	} else if (pflg) {
 +		if (strchr (user_pass, ':') != NULL) {
 +			fprintf (stderr,
 +			         _("%s: The password field cannot contain a colon character.\n"),
 +			         Prog);
 +			return NULL;
 +
 +		}
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
 		              "updating-password",
@@ -525,6 +531,8 @@ static void new_pwent (struct passwd *pw
 	if (   (!is_shadow_pwd)
 	    || (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {
 		pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);
 +		if (pwent->pw_passwd == NULL)
 +			fail_exit (E_PW_UPDATE);
 	}
 	if (uflg) {
@@ -639,6 +647,8 @@ static void new_spent (struct spwd *spen
 	 *  + aging has been requested
 	 */
 	spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
 +	if (spent->sp_pwdp == NULL)
 +		fail_exit(E_PW_UPDATE);
 	if (pflg) {
 		spent->sp_lstchg = (long) gettime () / SCALE;
--- a/shadow-4.2.1-audit-update.patch
+++ b/shadow-4.2.1-audit-update.patch
--- a/shadow-4.6-getenforce.patch
+++ b/shadow-4.6-getenforce.patch
@ -0,0 +1,21 @@
 diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
 --- shadow-4.6/lib/selinux.c.getenforce	2018-05-28 15:10:15.870315221 +0200
 +++ shadow-4.6/lib/selinux.c	2018-05-28 15:10:15.894315731 +0200
@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
 	}
 	return 0;
     error:
 -	if (security_getenforce () != 0) {
 +	if (security_getenforce () > 0) {
 		return 1;
 	}
 	return 0;
@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
 		selinux_checked = true;
 	}
 	if (selinux_enabled) {
 -		if (setfscreatecon (NULL) != 0) {
 +		if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
 			return 1;
 		}
 	}
--- a/shadow-4.6-move-home.patch
+++ b/shadow-4.6-move-home.patch
@ -0,0 +1,15 @@
 diff -up shadow-4.6/src/usermod.c.move-home shadow-4.6/src/usermod.c
 --- shadow-4.6/src/usermod.c.move-home	2018-05-28 14:59:05.594076665 +0200
 +++ shadow-4.6/src/usermod.c	2018-05-28 15:00:28.479837392 +0200
@@ -1845,6 +1845,11 @@ static void move_home (void)
 			         Prog, prefix_user_home, prefix_user_newhome);
 			fail_exit (E_HOMEDIR);
 		}
 +	} else {
 +		fprintf (stderr,
 +		         _("%s: The previous home directory (%s) does "
 +		           "not exist or is inaccessible. Move cannot be completed.\n"),
 +		         Prog, prefix_user_home);
 	}
 }
--- a/shadow-4.1.5.1-orig-context.patch
+++ b/shadow-4.1.5.1-orig-context.patch
@ -1,7 +1,7 @@
-diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio.c
+diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c
--- shadow-4.1.5.1/lib/commonio.c.orig-context	2012-09-19 20:27:16.000000000 +0200
+--- shadow-4.6/lib/commonio.c.orig-context	2018-04-29 18:42:37.000000000 +0200
-+++ shadow-4.1.5.1/lib/commonio.c	2013-02-20 15:20:55.064962324 +0100
+++ shadow-4.6/lib/commonio.c	2018-05-28 14:56:37.287929667 +0200
-@@ -941,7 +941,7 @@ int commonio_close (struct commonio_db *
+@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db *
 		snprintf (buf, sizeof buf, "%s-", db->filename);
 #ifdef WITH_SELINUX
@ -10,7 +10,7 @@ diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio.
 			errors++;
 		}
 #endif
-@@ -975,7 +975,7 @@ int commonio_close (struct commonio_db *
+@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db *
 	snprintf (buf, sizeof buf, "%s+", db->filename);
 #ifdef WITH_SELINUX
@ -19,9 +19,9 @@ diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio.
 		errors++;
 	}
 #endif
-diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/copydir.c
+diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c
--- shadow-4.1.5.1/libmisc/copydir.c.orig-context	2012-02-13 20:16:32.000000000 +0100
+--- shadow-4.6/libmisc/copydir.c.orig-context	2018-04-29 18:42:37.000000000 +0200
-+++ shadow-4.1.5.1/libmisc/copydir.c	2013-02-20 15:19:01.495623232 +0100
+++ shadow-4.6/libmisc/copydir.c	2018-05-28 14:56:37.287929667 +0200
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
 	 */
@ -58,10 +58,10 @@ diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/co
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
-diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototypes.h
+diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h
--- shadow-4.1.5.1/lib/prototypes.h.orig-context	2012-01-08 17:04:29.000000000 +0100
+--- shadow-4.6/lib/prototypes.h.orig-context	2018-04-29 18:42:37.000000000 +0200
-+++ shadow-4.1.5.1/lib/prototypes.h	2013-02-20 15:24:17.251126575 +0100
+++ shadow-4.6/lib/prototypes.h	2018-05-28 14:56:37.287929667 +0200
-@@ -295,7 +295,7 @@ extern /*@observer@*/const char *crypt_m
+@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m
 /* selinux.c */
 #ifdef WITH_SELINUX
@ -70,9 +70,9 @@ diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototy
 extern int reset_selinux_file_context (void);
 #endif
-diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c
+diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c
--- shadow-4.1.5.1/lib/selinux.c.orig-context	2012-01-08 17:35:44.000000000 +0100
+--- shadow-4.6/lib/selinux.c.orig-context	2018-04-29 18:42:37.000000000 +0200
-+++ shadow-4.1.5.1/lib/selinux.c	2013-02-20 15:16:40.383716877 +0100
+++ shadow-4.6/lib/selinux.c	2018-05-28 14:56:37.287929667 +0200
@@ -50,7 +50,7 @@ static bool selinux_enabled;
  *	Callers may have to Reset SELinux to create files with default
  *	contexts with reset_selinux_file_context
@ -114,15 +114,15 @@ diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c
 }
 /*
-diff -up shadow-4.1.5.1/src/useradd.c.orig-context shadow-4.1.5.1/src/useradd.c
+diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c
--- shadow-4.1.5.1/src/useradd.c.orig-context	2012-09-19 20:23:33.000000000 +0200
+--- shadow-4.6/src/useradd.c.orig-context	2018-05-28 14:56:37.288929688 +0200
-+++ shadow-4.1.5.1/src/useradd.c	2013-02-20 15:19:31.221235459 +0100
+++ shadow-4.6/src/useradd.c	2018-05-28 14:58:02.242730903 +0200
-@@ -1759,7 +1759,7 @@ static void create_home (void)
+@@ -2020,7 +2020,7 @@ static void create_home (void)
 {
- 	if (access (user_home, F_OK) != 0) {
+ 	if (access (prefix_user_home, F_OK) != 0) {
 #ifdef WITH_SELINUX
-		if (set_selinux_file_context (user_home) != 0) {
+-		if (set_selinux_file_context (prefix_user_home) != 0) {
-+		if (set_selinux_file_context (user_home, NULL) != 0) {
+		if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
- 			fail_exit (E_HOMEDIR);
+ 			fprintf (stderr,
- 		}
+ 			         _("%s: cannot set SELinux context for home directory %s\n"),
- #endif
+ 			         Prog, user_home);
--- a/shadow-4.1.5-redhat.patch
+++ b/shadow-4.1.5-redhat.patch
@ -1,8 +1,7 @@
-diff -up shadow-4.1.5/man/useradd.8.redhat shadow-4.1.5/man/useradd.8
+diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
-diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c
+--- shadow-4.6/src/useradd.c.redhat	2018-04-29 18:42:37.000000000 +0200
--- shadow-4.1.5/src/useradd.c.redhat	2011-12-09 23:23:15.000000000 +0100
+++ shadow-4.6/src/useradd.c	2018-05-28 13:37:16.695651258 +0200
-+++ shadow-4.1.5/src/useradd.c	2012-03-19 09:50:05.227588669 +0100
+@@ -98,7 +98,7 @@ const char *Prog;
@@ -93,7 +93,7 @@ const char *Prog;
 static gid_t def_group = 100;
 static const char *def_gname = "other";
 static const char *def_home = "/home";
@ -11,7 +10,7 @@ diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c
 static const char *def_template = SKEL_DIR;
 static const char *def_create_mail_spool = "no";
-@@ -103,7 +103,7 @@ static const char *def_expire = "";
+@@ -108,7 +108,7 @@ static const char *def_expire = "";
 #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
 static const char *user_name = "";
@ -20,19 +19,19 @@ diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c
 static uid_t user_id;
 static gid_t user_gid;
 static const char *user_comment = "";
-@@ -1011,9 +1011,9 @@ static void process_flags (int argc, cha
+@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha
 		};
 		while ((c = getopt_long (argc, argv,
 #ifdef WITH_SELINUX
-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
+-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:",
-+		                         "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:UZ:",
+		                         "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:UZ:",
 #else				/* !WITH_SELINUX */
-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
+-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U",
-+		                         "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:U",
+		                         "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:U",
 #endif				/* !WITH_SELINUX */
 		                         long_options, NULL)) != -1) {
 			switch (c) {
-@@ -1164,6 +1164,7 @@ static void process_flags (int argc, cha
+@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha
 			case 'M':
 				Mflg = true;
 				break;
--- a/shadow-4.6-selinux.patch
+++ b/shadow-4.6-selinux.patch
@ -0,0 +1,115 @@
 diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c
 --- shadow-4.6/lib/semanage.c.selinux	2018-04-29 18:42:37.000000000 +0200
 +++ shadow-4.6/lib/semanage.c	2018-05-28 13:38:20.551008911 +0200
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
 	ret = 0;
 +        /* drop obsolete matchpathcon cache */
 +        matchpathcon_fini();
 +
 done:
 	semanage_seuser_key_free (key);
 	semanage_handle_destroy (handle);
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
 	}
 	ret = 0;
 +
 +        /* drop obsolete matchpathcon cache */
 +        matchpathcon_fini();
 +
 done:
 	semanage_handle_destroy (handle);
 	return ret;
 diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c
 --- shadow-4.6/src/useradd.c.selinux	2018-05-28 13:43:30.996748997 +0200
 +++ shadow-4.6/src/useradd.c	2018-05-28 13:44:04.645486199 +0200
@@ -2120,6 +2120,7 @@ static void create_mail (void)
  */
 int main (int argc, char **argv)
 {
 +	int rv = E_SUCCESS;
 #ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	pam_handle_t *pamh = NULL;
@@ -2342,27 +2343,11 @@ int main (int argc, char **argv)
 	usr_update ();
 -	if (mflg) {
 -		create_home ();
 -		if (home_added) {
 -			copy_tree (def_template, prefix_user_home, false, false,
 -			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
 -		} else {
 -			fprintf (stderr,
 -			         _("%s: warning: the home directory already exists.\n"
 -			           "Not copying any file from skel directory into it.\n"),
 -			         Prog);
 -		}
 -
 -	}
 -
 -	/* Do not create mail directory for system accounts */
 -	if (!rflg) {
 -		create_mail ();
 -	}
 -
 	close_files ();
 +	nscd_flush_cache ("passwd");
 +	nscd_flush_cache ("group");
 +
 	/*
 	 * tallylog_reset needs to be able to lookup
 	 * a valid existing user name,
@@ -2373,8 +2358,9 @@ int main (int argc, char **argv)
 	}
 #ifdef WITH_SELINUX
 -	if (Zflg) {
 -		if (set_seuser (user_name, user_selinux) != 0) {
 +	if (Zflg && *user_selinux) {
 +		if (is_selinux_enabled () > 0) {
 +		    if (set_seuser (user_name, user_selinux) != 0) {
 			fprintf (stderr,
 			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
 			         Prog, user_name, user_selinux);
@@ -2383,14 +2369,31 @@ int main (int argc, char **argv)
 			              "adding SELinux user mapping",
 			              user_name, (unsigned int) user_id, 0);
 #endif				/* WITH_AUDIT */
 -			fail_exit (E_SE_UPDATE);
 +			rv = E_SE_UPDATE;
 +		    }
 		}
 	}
 -#endif				/* WITH_SELINUX */
 +#endif
 -	nscd_flush_cache ("passwd");
 -	nscd_flush_cache ("group");
 +	if (mflg) {
 +		create_home ();
 +		if (home_added) {
 +			copy_tree (def_template, prefix_user_home, false, true,
 +			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
 +		} else {
 +			fprintf (stderr,
 +			         _("%s: warning: the home directory already exists.\n"
 +			           "Not copying any file from skel directory into it.\n"),
 +			         Prog);
 +		}
 +
 +	}
 +
 +	/* Do not create mail directory for system accounts */
 +	if (!rflg) {
 +		create_mail ();
 +	}
 -	return E_SUCCESS;
 +	return rv;
 }
--- a/shadow-4.6-usermod-crash.patch
+++ b/shadow-4.6-usermod-crash.patch
@ -0,0 +1,42 @@
 diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c
 --- shadow-4.6/libmisc/prefix_flag.c.usermod-crash	2018-04-29 18:42:37.000000000 +0200
 +++ shadow-4.6/libmisc/prefix_flag.c	2018-05-28 15:14:10.642302440 +0200
@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi
 {
 	long long int gid;
 	char *endptr;
 +	struct group *g;
 	if (NULL == grname) {
 		return NULL;
@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi
 	    	&& (gid == (gid_t)gid)) {
 			return prefix_getgrgid ((gid_t) gid);
 		}
 -		return prefix_getgrnam (grname);
 +		g = prefix_getgrnam (grname);
 +		return g ? __gr_dup(g) : NULL;
 	}
 	else
 		return getgr_nam_gid(grname);
 diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c
 --- shadow-4.6/src/usermod.c.usermod-crash	2018-05-28 15:12:37.920332763 +0200
 +++ shadow-4.6/src/usermod.c	2018-05-28 15:15:50.337422470 +0200
@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha
 		prefix_user_home = xmalloc(len);
 		wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home);
 		assert (wlen == (int) len -1);
 +		if (user_newhome) {
 +			len = strlen(prefix) + strlen(user_newhome) + 2;
 +			prefix_user_newhome = xmalloc(len);
 +			wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
 +			assert (wlen == (int) len -1);
 +		}
 -		len = strlen(prefix) + strlen(user_newhome) + 2;
 -		prefix_user_newhome = xmalloc(len);
 -		wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
 -		assert (wlen == (int) len -1);
 	}
 	else {
 		prefix_user_home = user_home;
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@ -1,49 +1,55 @@
 # they warn against doing this ...
 %define _disable_source_fetch 0
 %define srcname shadow-utils
 Summary: Utilities for managing accounts and shadow password files
-Name: shadow-utils
+Name: %{srcname}46
-Version: 4.2.1
+Version: 4.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
-Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
+Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
-Source3: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz.sig
+Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
 Source1: shadow-utils.login.defs
 Source2: shadow-utils.useradd
 Source3: shadow-utils.login.defs
 Source4: shadow-bsd.txt
 Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
-Patch0: shadow-4.1.5-redhat.patch
+Patch0: shadow-4.6-redhat.patch
-Patch1: shadow-4.1.5.1-goodname.patch
+Patch1: shadow-4.5-goodname.patch
 Patch2: shadow-4.1.5.1-info-parent-dir.patch
-Patch3: shadow-4.1.5-uflg.patch
+Patch6: shadow-4.6-selinux.patch
-Patch6: shadow-4.1.5.1-selinux.patch
+Patch10: shadow-4.6-orig-context.patch
 Patch7: shadow-4.1.5-2ndskip.patch
 Patch8: shadow-4.1.5.1-backup-mode.patch
 Patch9: shadow-4.2.1-merge-group.patch
 Patch10: shadow-4.1.5.1-orig-context.patch
 Patch11: shadow-4.1.5.1-logmsg.patch
 Patch12: shadow-4.1.5.1-errmsg.patch
 Patch13: shadow-4.1.5.1-audit-owner.patch
 Patch14: shadow-4.1.5.1-default-range.patch
-Patch15: shadow-4.2.1-manfix.patch
+Patch15: shadow-4.3.1-manfix.patch
 Patch17: shadow-4.1.5.1-userdel-helpfix.patch
 Patch18: shadow-4.1.5.1-id-alloc.patch
 Patch19: shadow-4.2.1-date-parsing.patch
-Patch20: shadow-4.1.5.1-ingroup.patch
+Patch21: shadow-4.6-move-home.patch
-Patch21: shadow-4.1.5.1-move-home.patch
+Patch22: shadow-4.6-audit-update.patch
-Patch22: shadow-4.2.1-audit-update.patch
+Patch23: shadow-4.5-usermod-unlock.patch
 Patch24: shadow-4.2.1-no-lock-dos.patch
 Patch28: shadow-4.3.1-selinux-perms.patch
 Patch29: shadow-4.2.1-null-tm.patch
 Patch31: shadow-4.6-getenforce.patch
 Patch32: shadow-4.5-crypt_h.patch
 Patch33: shadow-4.5-long-entry.patch
 Patch34: shadow-4.6-usermod-crash.patch
 License: BSD and GPLv2+
 Group: System Environment/Base
 BuildRequires: gcc
 BuildRequires: libselinux-devel >= 1.25.2-1
 BuildRequires: audit-libs-devel >= 1.6.5
 BuildRequires: libsemanage-devel
-BuildRequires: libacl-devel libattr-devel
+BuildRequires: libacl-devel, libattr-devel
-BuildRequires: bison flex gnome-doc-utils
+BuildRequires: bison, flex, gnome-doc-utils, docbook-style-xsl, docbook-dtds
-#BuildRequires: autoconf, automake, libtool, gettext-devel
+BuildRequires: autoconf, automake, libtool, gettext-devel
 Requires: libselinux >= 1.25.2-1
 Requires: audit-libs >= 1.6.5
 Requires: setup
 Requires(pre): coreutils
 Requires(post): coreutils
 Requires: %{name}-newxidmap = %{version}-%{release}
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 %description
@ -58,45 +64,40 @@ for all users. The useradd, userdel, and usermod commands are used for
 managing user accounts. The groupadd, groupdel, and groupmod commands
 are used for managing group accounts.
 %package newxidmap
 Summary: only the newuidmapp and newgidmap from shadow-utils
 %description newxidmap
 %{summary}.
 %prep
 %setup -q -n shadow-%{version}
 %patch0 -p1 -b .redhat
 %patch1 -p1 -b .goodname
 %patch2 -p1 -b .info-parent-dir
 %patch3 -p1 -b .uflg
 %patch6 -p1 -b .selinux
 %patch7 -p1 -b .2ndskip
 %patch8 -p1 -b .backup-mode
 %patch9 -p1 -b .merge-group
 %patch10 -p1 -b .orig-context
 %patch11 -p1 -b .logmsg
 %patch12 -p1 -b .errmsg
 %patch13 -p1 -b .audit-owner
 %patch14 -p1 -b .default-range
 %patch15 -p1 -b .manfix
 %patch17 -p1 -b .userdel
 %patch18 -p1 -b .id-alloc
 %patch19 -p1 -b .date-parsing
 %patch20 -p1 -b .ingroup
 %patch21 -p1 -b .move-home
 %patch22 -p1 -b .audit-update
 %patch23 -p1 -b .unlock
 %patch24 -p1 -b .no-lock-dos
 %patch28 -p1 -b .selinux-perms
 %patch29 -p1 -b .null-tm
 %patch31 -p1 -b .getenforce
 %patch32 -p1 -b .crypt_h
 %patch33 -p1 -b .long-entry
 %patch34 -p1 -b .usermod-crash
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
 cp -a %{SOURCE4} %{SOURCE5} .
 rm libmisc/getdate.c
 #rm po/*.gmo
 #rm po/stamp-po
 #aclocal
 #libtoolize --force
 #automake -a
 #autoconf
 %build
 %ifarch sparc64
 #sparc64 need big PIE
 export CFLAGS="$RPM_OPT_FLAGS -fPIE"
@ -106,6 +107,11 @@ export CFLAGS="$RPM_OPT_FLAGS -fpie"
 export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
 %endif
 rm aclocal.m4
 aclocal
 libtoolize --force
 autoreconf
 %configure \
        --enable-shadowgrp \
        --enable-man \
@ -116,18 +122,17 @@ export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
        --without-libpam \
        --disable-shared \
        --with-group-name-max-length=32
-make
+%make_build
 %install
 rm -rf $RPM_BUILD_ROOT
-make install DESTDIR=$RPM_BUILD_ROOT gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
+%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
 install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default
-install -p -c -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs
+install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs
 install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd
 ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
 #ln -s %{_mandir}/man8/useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
 ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
 for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do
        test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
@ -146,7 +151,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/login.access
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/limits
 rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd
 rm $RPM_BUILD_ROOT/%{_sbindir}/nologin
 rm $RPM_BUILD_ROOT/%{_sbindir}/chgpasswd
 rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.*
 rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.*
 rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.*
@ -175,8 +179,6 @@ rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.*
 rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.*
 rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.*
 rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.*
 rm $RPM_BUILD_ROOT/%{_mandir}/man8/chgpasswd.*
 rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/chgpasswd.*
 rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.*
 rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.*
 rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.*
@ -194,11 +196,7 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
    echo "%%lang($lang) $dir/man*/*" >> shadow.lang
 done
 %clean
 rm -rf $RPM_BUILD_ROOT
 %files -f shadow.lang
 %defattr(-,root,root)
 %doc NEWS doc/HOWTO README
 %{!?_licensedir:%global license %%doc}
 %license gpl-2.0.txt shadow-bsd.txt
@ -209,15 +207,14 @@ rm -rf $RPM_BUILD_ROOT
 %attr(4755,root,root) %{_bindir}/gpasswd
 %{_bindir}/lastlog
 %attr(4755,root,root) %{_bindir}/newgrp
 %attr(4755,root,root) %{_bindir}/newgidmap
 %attr(4755,root,root) %{_bindir}/newuidmap
 %{_sbindir}/adduser
-%attr(0750,root,root)   %{_sbindir}/user*
+%attr(0755,root,root)   %{_sbindir}/user*
-%attr(0750,root,root)   %{_sbindir}/group*
+%attr(0755,root,root)   %{_sbindir}/group*
 %{_sbindir}/grpck
 %{_sbindir}/pwck
 %{_sbindir}/*conv
 %{_sbindir}/chpasswd
 %{_sbindir}/chgpasswd
 %{_sbindir}/newusers
 %{_sbindir}/vipw
 %{_sbindir}/vigr
@ -225,8 +222,6 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/gpasswd.1*
 %{_mandir}/man1/sg.1*
 %{_mandir}/man1/newgrp.1*
 %{_mandir}/man1/newgidmap.1*
 %{_mandir}/man1/newuidmap.1*
 %{_mandir}/man3/shadow.3*
 %{_mandir}/man5/shadow.5*
 %{_mandir}/man5/login.defs.5*
@ -239,13 +234,107 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/pwck.8*
 %{_mandir}/man8/grpck.8*
 %{_mandir}/man8/chpasswd.8*
 %{_mandir}/man8/chgpasswd.8*
 %{_mandir}/man8/newusers.8*
 %{_mandir}/man8/*conv.8*
 %{_mandir}/man8/lastlog.8*
 %{_mandir}/man8/vipw.8*
 %{_mandir}/man8/vigr.8*
 %files newxidmap
 %attr(4755,root,root) %{_bindir}/newgidmap
 %attr(4755,root,root) %{_bindir}/newuidmap
 %{_mandir}/man1/newgidmap.1*
 %{_mandir}/man1/newuidmap.1*
 %changelog
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Mon May 28 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-1
 - update to current upstream release 4.6
 * Fri Apr 20 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.5-10
 - Raise limit for passwd and shadow entry length but also prevent
  writing longer entries (#1422497)
 * Tue Feb 06 2018 Björn Esser <besser82@fedoraproject.org> - 2:4.5-9
 - Add patch to include crypt.h, if present
 - Use %%make_{build,install} macros
 - Refresh other patches for proper alignment
 * Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 2:4.5-8
 - Rebuilt for switch to libxcrypt
 * Mon Nov  6 2017 Tomáš Mráz <tmraz@redhat.com> - 2:4.5-7
 - fix regression caused by the userdel-chroot patch (#1509978)
 * Thu Nov  2 2017 Tomáš Mráz <tmraz@redhat.com> - 2:4.5-6
 - fix userdel in chroot (#1316168)
 - add useful chage -E example to chage manpage
 * Fri Sep 15 2017 Tomáš Mráz <tmraz@redhat.com> - 2:4.5-5
 - do not allow "." and ".." user names
 * Mon Aug 14 2017 Tomáš Mráz <tmraz@redhat.com> - 2:4.5-4
 - allow switching to secondary group without checking the membership
  explicitly (patch from upstream)
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.5-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 * Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.5-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
 * Fri Jul 21 2017 Tomáš Mráz <tmraz@redhat.com> - 2:4.5-1
 - update to current upstream release 4.5
 * Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.3.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 * Thu Aug 25 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.3.1-2
 - fix regression in useradd - not processing defaults properly (#1369979)
 * Tue Aug 23 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.3.1-1
 - new upstream release fixing low impact security issue
 * Tue Jun 14 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-11
 - guard for localtime() and gmtime() failure
 * Mon May 30 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-10
 - chpasswd, chgpasswd: open audit when starting
 * Thu May 26 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-9
 - chgpasswd: do not remove it
 - chpasswd, chgpasswd: add selinux_check_access call (#1336902)
 * Thu Mar 17 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-8
 - userdel: fix userdel -f with /etc/subuid present (#1316168)
 * Tue Feb  9 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-7
 - usermod: properly return error during password manipulation
 * Wed Feb  3 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-6
 - add possibility to clear or set lastlog record for user via lastlog
 * Fri Jan  8 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-5
 - do not use obscure permissions for binaries
 - remove unused commands from login.defs(5) cross-reference
 * Fri Nov  6 2015 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-4
 - document that groupmems is not setuid root
 - document that expiration of the password after inactivity period
  locks the user account completely
 * Thu Aug 27 2015 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-3
 - unlock also passwords locked with passwd -l
 - prevent breaking user entry by entering a password containing colon
 - fix possible DoS when locking the database files for update
 - properly use login.defs from the chroot in useradd
 * Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2:4.2.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 * Wed Nov 26 2014 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-1
 - new upstream release with support for subordinate uids and gids
--- a/2
+++ b/2
@ -1,2 +0,0 @@
 2bfafe7d4962682d31b5eba65dba4fc8  shadow-4.2.1.tar.xz
 6752051fb07fc4be58c3d7b929bf2341  shadow-4.2.1.tar.xz.sig
--- a/sources.bak
+++ b/sources.bak
@ -0,0 +1,2 @@
 SHA512 (shadow-4.6.tar.xz) = e8eee52c649d9973f724bc2d5aeee71fa2e6a2e41ec3487cd6cf6d47af70c32e0cdf304df29b32eae2b6eb6f9066866b5f2c891add0ec87ba583bea3207b3631
 SHA512 (shadow-4.6.tar.xz.asc) = 8728bff5544db6ea123f758cce5bd5c2d346489570c33092e4e97db35c274d7aba01580018f120e4ad80b8f79cfe296a33bccbe9bf68df51bf9b2004c6bfffed
--- a/tests/sanity/Makefile
+++ b/tests/sanity/Makefile
@ -0,0 +1,77 @@
 # Copyright (c) 2006 Red Hat, Inc. All rights reserved. This copyrighted material 
 # is made available to anyone wishing to use, modify, copy, or
 # redistribute it subject to the terms and conditions of the GNU General
 # Public License v.2.
 #
 # This program is distributed in the hope that it will be useful, but WITHOUT ANY
 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE. See the GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 #
 # Author: Jakub Hrozek
 #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
 # Example Makefile for RHTS                                          #
 # This example is geared towards a test for a specific package       #
 # It does most of the work for you, but may require further coding   #
 #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
 # The toplevel namespace within which the test lives.
 TOPLEVEL_NAMESPACE=CoreOS
 # The name of the package under test:
 PACKAGE_NAME=shadow-utils
 # The path of the test below the package:
 RELATIVE_PATH=sanity
 # Version of the Test. Used with make tag.
 export TESTVERSION=1.1
 # The combined namespace of the test.
 export TEST=/$(TOPLEVEL_NAMESPACE)/$(PACKAGE_NAME)/$(RELATIVE_PATH)
 # A phony target is one that is not really the name of a file.
 # It is just a name for some commands to be executed when you
 # make an explicit request. There are two reasons to use a
 # phony target: to avoid a conflict with a file of the same
 # name, and to improve performance.
 .PHONY: all install download clean
 # Executables to be built should be added here, they will be generated on the system under test.
 BUILT_FILES= 
 # Data files, .c files, scripts anything needed to either compile the test and/or run it.
 FILES=$(METADATA) Makefile PURPOSE sanity_test.py runtest.sh
 run: $(FILES) build
 	./runtest.sh
 build: $(BUILT_FILES)
 	chmod a+x ./sanity_test.py
 	chmod a+x ./runtest.sh
 clean:
 	rm -f *~ *.rpm $(BUILT_FILES)
 # Include Common Makefile
 include /usr/share/rhts/lib/rhts-make.include
 # Generate the testinfo.desc here:
 $(METADATA): Makefile
 	@touch $(METADATA)
 	@echo "Owner:        Jakub Hrozek <jhrozek@redhat.com>" > $(METADATA)
 	@echo "Name:         $(TEST)" >> $(METADATA)
 	@echo "Path:         $(TEST_DIR)" >> $(METADATA)
 	@echo "TestVersion:  $(TESTVERSION)" >> $(METADATA)
 	@echo "License:      GNU GPL" >> $(METADATA)
 	@echo "Description:  Basic sanity test for shadow-utils" >> $(METADATA)
 	@echo "TestTime:     5m" >> $(METADATA)
 	@echo "RunFor:       $(PACKAGE_NAME)" >> $(METADATA)
 	@echo "Requires:     $(PACKAGE_NAME)" >> $(METADATA)
 	@echo "Requires:     python" >> $(METADATA)
 	rhts-lint $(METADATA)
--- a/tests/sanity/PURPOSE
+++ b/tests/sanity/PURPOSE
@ -0,0 +1,10 @@
 This is a basic sanity test for the shadow-utils package. It is implemented
 in python on top of the unittesting.py module.
 Its purpose is to ensure that the binaries in the shadow-utils package behave
 as expected and its switches/options work correctly.
 For the most part, every binary in the shadow-utils package is represented by
 a single class named Test<BinaryName>, i.e. TestUsermod etc. There are some 
 exceptions, like TestUseraddWeirdNameTest though.
--- a/tests/sanity/runtest.sh
+++ b/tests/sanity/runtest.sh
@ -0,0 +1,24 @@
 #!/bin/bash
 . /usr/bin/rhts-environment.sh
 . /usr/share/beakerlib/beakerlib.sh || exit 1
 rlJournalStart
 rlFileBackup --clean /etc/default/useradd- /etc/default/useradd
 setenforce 0
 python sanity_test.py -v
 setenforce 1
 rlFileRestore
 EXIT=$?
 if [[ $EXIT -eq 0 ]]; then
    RESULT="PASS"
 else
    RESULT="FAIL"
 fi
 rlJournalEnd
 echo "Result: $RESULT"
 echo "Exit: $EXIT"
 report_result $TEST $RESULT $EXIT
--- a/tests/sanity/sanity_test.py
+++ b/tests/sanity/sanity_test.py
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -0,0 +1,13 @@
 ---
 # This first play always runs on the local staging system
 - hosts: localhost
  roles:
  - role: standard-test-beakerlib
    tags:
    - classic
    - atomic
    tests:
    - sanity
    required_packages:
    - shadow-utils     # sanity test needs shadow-utils
    - python           # sanity test needs python
Author	SHA1	Message	Date
Vincent Batts	3815c0b5ba	change package name so "shadow-utils" won't attempt to update Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>	2018-10-09 10:15:32 -04:00
Vincent Batts	7f73f07a1a	source file is confusing the lookaside on copr Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>	2018-10-02 04:49:10 -04:00
Vincent Batts	3544220035	spec: subpackage of newuidmap and newgidmap and have the main package depend on them for consistent experience. Though this may hae the side effect of yum wanting to use the main shadow as an upgrade to the shadow 4.1 that centos/rhel are using ... Built local rpm with: ```shell rpmbuild \ --define "_sourcedir $(pwd)" \ --define "_specdir $(pwd)" \ --define "_builddir $(pwd)" \ --define "_srcrpmdir $(pwd)" \ --define "_rpmdir $(pwd)" \ --nodeps \ -ba \ shadow-utils.spec ``` Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>	2018-10-02 04:35:53 -04:00
Vincent Batts	6a08374eef	spec: fetch sources from github if needed there is the 'sources' file that fedpkg uses, but for now allow fetching from the source URLs to build. Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>	2018-10-02 04:14:39 -04:00
Vincent Batts	f0fc249a12	initial build steps for the package on centos7 Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>	2018-10-02 04:12:27 -04:00
Fedora Release Engineering	8362f15341	- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>	2018-07-14 06:02:14 +00:00
Jason Tibbitts	0aa8060034	Remove needless use of %defattr	2018-07-10 01:20:51 -05:00
Tomas Mraz	38a12ac864	update to current upstream release 4.6	2018-05-28 15:25:08 +02:00
Tomas Mraz	4cb5077b68	Raise limit for passwd and shadow entry length - also prevent writing longer entries (#1422497)	2018-04-20 16:23:31 +02:00
Tomas Mraz	8d62f944dd	Add gcc buildrequires	2018-03-01 13:11:34 +01:00
Igor Gnatenko	eb66bf0ca5	Remove %clean section None of currently supported distributions need that. Last one was EL5 which is EOL for a while. Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>	2018-02-14 08:49:44 +01:00
Björn Esser	41955fa9ab	Add patch to include crypt.h, if present Use %%make_{build,install} macros Refresh other patches for proper alignment	2018-02-06 11:33:37 +01:00
Björn Esser	2d4f6e1972	Rebuilt for switch to libxcrypt	2018-01-20 23:08:33 +01:00
esakaiev	a6650f241c	Adding tests to the new_tests branch	2018-01-05 20:39:59 +02:00
Tomas Mraz	95d0ea6880	fix regression caused by the userdel-chroot patch (#1509978 )	2017-11-06 15:31:26 +01:00
Tomas Mraz	8633999acf	fix userdel in chroot (#1316168 ) add useful chage -E example to chage manpage	2017-11-02 11:50:59 +01:00
Tomas Mraz	9659143d38	Remove incorrect hunks from the goodname patch.	2017-09-15 18:00:17 +02:00
Tomas Mraz	b90f1c3912	do not allow "." and ".." user names	2017-09-15 17:54:22 +02:00
Tomas Mraz	2c7fd6de84	allow switching to secondary group without checking the membership (patch from upstream)	2017-08-14 11:03:28 +02:00
Fedora Release Engineering	46349c33e5	- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild	2017-08-03 08:23:19 +00:00
Fedora Release Engineering	3a17ec0f47	- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild	2017-07-27 18:30:31 +00:00
Tomas Mraz	ec99eade4e	update to current upstream release 4.5	2017-07-21 14:04:11 +02:00
Fedora Release Engineering	ba9340caf5	- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild	2017-02-11 13:21:56 +00:00
Tomas Mraz	bb62fd7837	fix regression in useradd - not processing defaults properly (#1369979 )	2016-08-25 11:24:38 +02:00
Tomas Mraz	457acab6b4	Add buildrequires for docbook.	2016-08-23 16:51:22 +02:00
Tomas Mraz	86cbf7e19d	Add proper buildrequires for autotools.	2016-08-23 16:30:57 +02:00
Tomas Mraz	6c18d5356b	Update patches for rebase	2016-08-23 16:06:06 +02:00
Tomas Mraz	f8ab516d30	new upstream release fixing low impact security issue	2016-08-23 16:03:52 +02:00
Tomas Mraz	c50e17082d	guard for localtime() and gmtime() failure	2016-06-14 11:34:10 +02:00
Tomas Mraz	abed79ee4e	chpasswd, chgpasswd: open audit when starting	2016-05-30 11:59:54 +02:00
Tomas Mraz	f884cd4c94	chgpasswd: do not remove it - chpasswd, chgpasswd: add selinux_check_access call (#1336902)	2016-05-26 21:05:16 +02:00
Tomas Mraz	a359c84a6e	userdel: fix userdel -f with /etc/subuid present (#1316168 )	2016-03-17 17:40:43 +01:00
Tomas Mraz	1bf254df98	usermod: properly return error during password manipulation	2016-02-09 11:54:02 +01:00
Tomas Mraz	b1dccbc445	add possibility to clear or set lastlog record for user via lastlog	2016-02-03 14:01:19 +01:00
Tomas Mraz	05ccc5cb0b	Correct changelog date.	2016-01-08 10:02:44 +01:00
Tomas Mraz	904910f545	do not use obscure permissions for binaries - remove unused commands from login.defs(5) cross-reference	2016-01-08 10:02:12 +01:00
Tomas Mraz	4e08f5dd0a	Remove obsolete patch.	2015-12-14 17:57:58 +01:00
Tomas Mraz	c2f1a1c502	document that groupmems is not setuid root - document that expiration of the password after inactivity period locks the user account completely	2015-11-06 14:34:35 +01:00
Tomas Mraz	25899fefb0	Multiple fixes. - unlock also passwords locked with passwd -l - prevent breaking user entry by entering a password containing colon - fix possible DoS when locking the database files for update - properly use login.defs from the chroot in useradd	2015-08-27 15:53:13 +02:00
Dennis Gilmore	283bf24723	- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild	2015-06-19 00:44:03 +00:00
		`@ -1,2 +0,0 @@`
			`2bfafe7d4962682d31b5eba65dba4fc8 shadow-4.2.1.tar.xz`
			`6752051fb07fc4be58c3d7b929bf2341 shadow-4.2.1.tar.xz.sig`
		`@ -0,0 +1,2 @@`
							`SHA512 (shadow-4.6.tar.xz) = e8eee52c649d9973f724bc2d5aeee71fa2e6a2e41ec3487cd6cf6d47af70c32e0cdf304df29b32eae2b6eb6f9066866b5f2c891add0ec87ba583bea3207b3631`
							`SHA512 (shadow-4.6.tar.xz.asc) = 8728bff5544db6ea123f758cce5bd5c2d346489570c33092e4e97db35c274d7aba01580018f120e4ad80b8f79cfe296a33bccbe9bf68df51bf9b2004c6bfffed`