dist-git conversion

#2781)

.gitignore

@@ -1,3 +1,3 @@
 shadow-4.0.17-login.defs
 shadow-4.0.18.1-useradd
-shadow-4.1.0.tar.bz2
+shadow-4.1.1.tar.bz2

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: shadow-utils
-# $Id: Makefile,v 1.3 2005/08/05 11:53:21 pvrabec Exp $
-NAME := shadow-utils
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

shadow-4.0.18.1-findNewUidOnce.patch

@@ -1,113 +0,0 @@
---- shadow-4.0.18.1/src/useradd.c.findNewUidOnce	2007-05-16 13:16:51.000000000 +0200
-+++ shadow-4.0.18.1/src/useradd.c	2007-05-16 14:12:52.000000000 +0200
-@@ -847,8 +847,9 @@
-  * find_new_uid - find the next available UID
-  *
-  *	find_new_uid() locates the next highest unused UID in the password
-- *	file, or checks the given user ID against the existing ones for
-- *	uniqueness.
-+ *	file.
-+ *	It doesn't make sense to use find_new_uid(), if UID is specified 
-+ * 	via "-u" option.
-  */
- static void find_new_uid (void)
- {
-@@ -867,12 +868,7 @@
- 		memset (index, 0, sizeof (char) * uid_max + 1);
-         }
- 
--	/*
--	 * Start with some UID value if the user didn't provide us with
--	 * one already.
--	 */
--	if (!uflg)
--		user_id = uid_min;
-+	user_id = uid_min;
- 
- 	/*
- 	 * Search the entire password file, either looking for this
-@@ -886,42 +882,24 @@
- 	setpwent ();
- 	while ((pwd = getpwent ())) {
- #endif
--		if (strcmp (user_name, pwd->pw_name) == 0) {
--			fprintf (stderr, _("%s: name %s is not unique\n"),
--				 Prog, user_name);
--#ifdef WITH_AUDIT
--			audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user",
--				      user_name, user_id, 0);
--#endif
--			exit (E_NAME_IN_USE);
--		}
--		if (!oflg && uflg && user_id == pwd->pw_uid) {
--			fprintf (stderr, _("%s: UID %u is not unique\n"),
--				 Prog, (unsigned int) user_id);
--#ifdef WITH_AUDIT
--			audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user",
--				      user_name, user_id, 0);
--#endif
--			exit (E_UID_IN_USE);
--		}
--		if (!uflg && !rflg && pwd->pw_uid >= user_id) {
-+		if (!rflg && pwd->pw_uid >= user_id) {
- 			if (pwd->pw_uid > uid_max)
- 				continue;
- 			user_id = pwd->pw_uid + 1;
- 		}
- 		/* create index of occupied system accounts UIDs */
--		if (!uflg && rflg && (pwd->pw_uid <= uid_max)) 
-+		if (rflg && (pwd->pw_uid <= uid_max)) 
- 			index[pwd->pw_uid] = 1;
- 		
- 	}
- 
- 	/* find free system account */
--	if(!uflg && rflg) {
-+	if(rflg) {
- 		for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--);
- 		if ( user_id < uid_min ) {
- 			fprintf (stderr, _("%s: can't get unique UID\n"), Prog);
- 			fail_exit (E_UID_IN_USE);
--		}		
-+		}	
- 	}
- 
- 	/*
-@@ -930,7 +908,7 @@
- 	 * free UID starting with UID_MIN (it's O(n*n) but can be avoided
- 	 * by not having users with UID equal to UID_MAX).  --marekm
- 	 */
--	if (!uflg && user_id == uid_max + 1) {
-+	if (user_id == uid_max + 1) {
- 		for (user_id = uid_min; user_id < uid_max; user_id++) {
- #ifdef NO_GETPWENT
- 			pw_rewind ();
-@@ -1590,9 +1568,6 @@
- 	struct passwd pwent;
- 	struct spwd spent;
- 
--	if (!oflg)
--		find_new_uid ();
--
- 	/*
- 	 * Fill in the password structure with any new fields, making
- 	 * copies of strings.
-@@ -1911,7 +1886,17 @@
- 		/* first, seek for a valid uid to use for this user.
- 		 * We do this because later we can use the uid we found as
- 		 * gid too ... --gafton */
--		find_new_uid ();
-+		if (!uflg)
-+			find_new_uid ();
-+		else {
-+			if (getpwuid (user_id)) {
-+	                        fprintf (stderr, _("%s: UID %u is not unique\n"), Prog, (unsigned int) user_id);
-+#ifdef WITH_AUDIT
-+        	                audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", user_name, user_id, 0);
-+#endif
-+                        	exit (E_UID_IN_USE);
-+			}
-+		}
- 	}
- 
- 	/* do we have to add a group for that user? This is why we need to

shadow-4.0.18.1-mtime.patch

@@ -1,117 +0,0 @@
-diff -up shadow-4.0.18.1/libmisc/copydir.c.utime shadow-4.0.18.1/libmisc/copydir.c
---- shadow-4.0.18.1/libmisc/copydir.c.utime	2007-10-16 11:36:54.000000000 +0200
-+++ shadow-4.0.18.1/libmisc/copydir.c	2007-10-18 11:59:22.000000000 +0200
-@@ -33,6 +33,7 @@
- 
- #include <sys/stat.h>
- #include <sys/types.h>
-+#include <sys/time.h>
- #include <fcntl.h>
- #include <stdio.h>
- #include "prototypes.h"
-@@ -154,6 +155,7 @@ int copy_tree (const char *src_root, con
- 	struct DIRECT *ent;
- 	struct stat sb;
- 	struct link_name *lp;
-+	struct timeval mt[2];
- 	DIR *dir;
- 
- 	/*
-@@ -215,6 +217,18 @@ int copy_tree (const char *src_root, con
- 		if (LSTAT (src_name, &sb) == -1)
- 			continue;
- 
-+#if  defined(_BSD_SOURCE) || defined(_SVID_SOURCE)
-+		mt[0].tv_sec  = sb.st_atim.tv_sec;
-+		mt[0].tv_usec = sb.st_atim.tv_nsec / 1000;
-+		mt[1].tv_sec  = sb.st_mtim.tv_sec;
-+		mt[1].tv_usec = sb.st_mtim.tv_nsec / 1000;
-+#else
-+                mt[0].tv_sec  = sb.st_atime;
-+                mt[0].tv_usec = sb.st_atimensec / 1000;
-+                mt[1].tv_sec  = sb.st_mtime;
-+                mt[1].tv_usec = sb.st_mtimensec / 1000;
-+#endif
-+		
- 		if (S_ISDIR (sb.st_mode)) {
- 
- 			/*
-@@ -230,10 +244,12 @@ int copy_tree (const char *src_root, con
- 				      uid == (uid_t) - 1 ? sb.st_uid : uid,
- 				      gid == (gid_t) - 1 ? sb.st_gid : gid)
- 			    || chmod (dst_name, sb.st_mode)
--			    || copy_tree (src_name, dst_name, uid, gid)) {
-+			    || copy_tree (src_name, dst_name, uid, gid)
-+			    || utimes (dst_name, mt)) {
- 				err++;
- 				break;
- 			}
-+
- 			continue;
- 		}
- #ifdef	S_IFLNK
-@@ -270,13 +286,21 @@ int copy_tree (const char *src_root, con
- #ifdef WITH_SELINUX
- 			selinux_file_context (dst_name);
- #endif
--			if (symlink (oldlink, dst_name) ||
--			    lchown (dst_name,
-+			if (symlink (oldlink, dst_name)
-+			    || lchown (dst_name,
- 				    uid == (uid_t) - 1 ? sb.st_uid : uid,
- 				    gid == (gid_t) - 1 ? sb.st_gid : gid)) {
- 				err++;
- 				break;
- 			}
-+
-+			/* 2007-10-18: We don't care about 
-+			 *  exit status of lutimes because
-+			 *  it returns ENOSYS on many system
-+			 *  - not implemented
-+			 */
-+			lutimes (dst_name, mt);
-+
- 			continue;
- 		}
- #endif
-@@ -314,10 +338,12 @@ int copy_tree (const char *src_root, con
- 			    || chown (dst_name,
- 				      uid == (uid_t) - 1 ? sb.st_uid : uid,
- 				      gid == (gid_t) - 1 ? sb.st_gid : gid)
--			    || chmod (dst_name, sb.st_mode & 07777)) {
-+			    || chmod (dst_name, sb.st_mode & 07777)
-+			    || utimes (dst_name, mt)) {
- 				err++;
- 				break;
- 			}
-+			
- 			continue;
- 		}
- 
-@@ -343,14 +369,25 @@ int copy_tree (const char *src_root, con
- 			err++;
- 			break;
- 		}
-+
- 		while ((cnt = read (ifd, buf, sizeof buf)) > 0) {
- 			if (write (ofd, buf, cnt) != cnt) {
- 				cnt = -1;
- 				break;
- 			}
- 		}
-+
- 		close (ifd);
--		close (ofd);
-+		
-+		if (futimes (ofd, mt) != 0) {
-+		  err++;
-+		  break;
-+		}
-+		
-+		if (close (ofd) != 0) {
-+		  err++;
-+		  break;
-+		}
- 
- 		if (cnt == -1) {
- 			err++;

shadow-4.0.18.1-sysAccount.patch

@@ -1,149 +0,0 @@
---- shadow-4.0.18.1/src/useradd.c.sysAccount	2007-03-12 10:49:14.000000000 +0100
-+++ shadow-4.0.18.1/src/useradd.c	2007-03-12 12:15:57.000000000 +0100
-@@ -854,6 +854,7 @@
- {
- 	const struct passwd *pwd;
- 	uid_t uid_min, uid_max;
-+	char * index;
- 
-         if (!rflg) {
-                 uid_min = getdef_unum ("UID_MIN", 500);
-@@ -862,6 +863,8 @@
-         else {
-                 uid_min = 1;
-                 uid_max = getdef_unum ("UID_MIN", 500) - 1;
-+		index = alloca (sizeof (char) * uid_max +1);
-+		memset (index, 0, sizeof (char) * uid_max + 1);
-         }
- 
- 	/*
-@@ -901,11 +904,24 @@
- #endif
- 			exit (E_UID_IN_USE);
- 		}
--		if (!uflg && pwd->pw_uid >= user_id) {
-+		if (!uflg && !rflg && pwd->pw_uid >= user_id) {
- 			if (pwd->pw_uid > uid_max)
- 				continue;
- 			user_id = pwd->pw_uid + 1;
- 		}
-+		/* create index of occupied system accounts UIDs */
-+		if (!uflg && rflg && (pwd->pw_uid <= uid_max)) 
-+			index[pwd->pw_uid] = 1;
-+		
-+	}
-+
-+	/* find free system account */
-+	if(!uflg && rflg) {
-+		for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--);
-+		if ( user_id < uid_min ) {
-+			fprintf (stderr, _("%s: can't get unique UID\n"), Prog);
-+			fail_exit (E_UID_IN_USE);
-+		}		
- 	}
- 
- 	/*
-@@ -946,6 +962,7 @@
- {
- 	const struct group *grp;
- 	gid_t gid_min, gid_max;
-+	char * index;
- 
-         if (!rflg) {
-                 gid_min = getdef_unum ("GID_MIN", 500);
-@@ -953,7 +970,9 @@
-         } else {
-                 gid_min = 1;
-                 gid_max = getdef_unum ("GID_MIN", 500) - 1;
--        }
-+       		index = alloca (sizeof (char) * gid_max +1);
-+		memset (index, 0, sizeof (char) * gid_max + 1);
-+	}
- 
- 	/*
- 	 * Start with some GID value if the user didn't provide us with
-@@ -978,12 +997,16 @@
- 			user_gid = grp->gr_gid;
- 			return;
- 		}
--		if (grp->gr_gid >= user_gid) {
-+		if (!rflg && grp->gr_gid >= user_gid) {
- 			if (grp->gr_gid > gid_max)
- 				continue;
- 			user_gid = grp->gr_gid + 1;
- 		}
-+		/* create index of occupied system accounts GIDs */
-+		if (rflg && (grp->gr_gid <= gid_max)) 
-+			index[grp->gr_gid] = 1;
- 	}
-+
- #ifndef NO_GETGRENT		/* glibc does have this, so ... */
- 	/* A quick test gets here: if the UID is available
- 	 * as a GID, go ahead and use it */
-@@ -992,6 +1015,18 @@
- 		return;
- 	}
- #endif
-+
-+	/* find free system account */
-+	if(rflg) {
-+		for( user_gid = gid_max; (user_gid >= gid_min) && index[user_gid]; user_gid--);
-+		if ( user_gid < gid_min ) {
-+			fprintf (stderr,
-+				 "%s: can't get unique gid (run out of GIDs)\n",
-+				 Prog);
-+			fail_exit (4);
-+		}
-+	}
-+
- 	if (user_gid == gid_max + 1) {
- 		for (user_gid = gid_min; user_gid < gid_max; user_gid++) {
- #ifdef NO_GETGRENT
---- shadow-4.0.18.1/src/groupadd.c.sysAccount	2007-03-12 10:49:14.000000000 +0100
-+++ shadow-4.0.18.1/src/groupadd.c	2007-03-12 10:49:14.000000000 +0100
-@@ -199,6 +199,7 @@
- {
- 	const struct group *grp;
- 	gid_t gid_min, gid_max;
-+	char * index;
- 
- 	if (!rflg) {
- 		gid_min = getdef_unum ("GID_MIN", 500);
-@@ -206,7 +207,9 @@
-         } else {
-                 gid_min = 1;
-                 gid_max = getdef_unum ("GID_MIN", 500) - 1;
--        }
-+        	index = alloca (sizeof (char) * gid_max +1);
-+		memset (index, 0, sizeof (char) * gid_max + 1);
-+	}
- 
- 	/*
- 	 * Start with some GID value if the user didn't provide us with
-@@ -251,12 +254,25 @@
- 				 Prog, (unsigned int) group_id);
- 			fail_exit (E_GID_IN_USE);
- 		}
--		if (!gflg && grp->gr_gid >= group_id) {
-+		if (!gflg && !rflg && grp->gr_gid >= group_id) {
- 			if (grp->gr_gid > gid_max)
- 				continue;
- 			group_id = grp->gr_gid + 1;
- 		}
-+		/* create index of occupied system accounts UIDs */
-+		if (!gflg && rflg && (grp->gr_gid <= gid_max)) 
-+			index[grp->gr_gid] = 1;
-+	}
-+
-+	/* find free system account */
-+	if(!gflg && rflg) {
-+		for( group_id = gid_max; (group_id >= gid_min) && index[group_id]; group_id--);
-+		if ( group_id < gid_min ) {
-+			fprintf (stderr, _("%s: can't get unique GID\n"), Prog);
-+			fail_exit (E_GID_IN_USE);
-+		}	
- 	}
-+
- 	if (!gflg && group_id == gid_max + 1) {
- 		for (group_id = gid_min; group_id < gid_max; group_id++) {
- #ifdef NO_GETGRENT

shadow-4.0.3-noinst.patch

@@ -1,11 +0,0 @@
---- shadow-4.0.7/lib/Makefile.am.noinst	2005-01-18 01:08:48.000000000 +0100
-+++ shadow-4.0.7/lib/Makefile.am	2005-03-01 16:38:38.018234957 +0100
-@@ -3,7 +3,7 @@
- 
- DEFS = 
- 
--lib_LTLIBRARIES = libshadow.la
-+noinst_LTLIBRARIES = libshadow.la
- 
- libshadow_la_LDFLAGS = -version-info 0:0:0
- libshadow_la_LIBADD = $(INTLLIBS) $(LIBCRYPT) $(LIBSKEY) $(LIBMD) $(LIBSELINUX)

shadow-4.1.0-audit-newgrp.patch

@@ -1,150 +0,0 @@
-diff -urp shadow-4.1.0.orig/src/newgrp.c shadow-4.1.0/src/newgrp.c
---- shadow-4.1.0.orig/src/newgrp.c	2007-11-18 18:15:05.000000000 -0500
-+++ shadow-4.1.0/src/newgrp.c	2008-03-06 10:01:17.000000000 -0500
-@@ -122,6 +123,8 @@ int main (int argc, char **argv)
- #endif
- 
- #ifdef WITH_AUDIT
-+	char audit_buf[80];
-+
- 	audit_help_open ();
- #endif
- 	setlocale (LC_ALL, "");
-@@ -164,7 +167,7 @@ int main (int argc, char **argv)
- 	if (!pwd) {
- 		fprintf (stderr, _("unknown UID: %u\n"), getuid ());
- #ifdef WITH_AUDIT
--		audit_logger (AUDIT_USER_START, Prog, "changing", NULL,
-+		audit_logger (AUDIT_CHGRP_ID, Prog, "changing", NULL,
- 			      getuid (), 0);
- #endif
- 		SYSLOG ((LOG_WARN, "unknown UID %u", getuid ()));
-@@ -272,7 +275,13 @@ int main (int argc, char **argv)
- 	if (ngroups < 0) {
- 		perror ("getgroups");
- #ifdef WITH_AUDIT
--		audit_logger (AUDIT_USER_START, Prog,
-+		if (group) {
-+			snprintf (audit_buf, sizeof(audit_buf),
-+				"changing new_group=%s", group);
-+			audit_logger (AUDIT_CHGRP_ID, Prog,
-+				audit_buf, NULL, getuid (), 0);
-+		} else
-+			audit_logger (AUDIT_CHGRP_ID, Prog,
- 			      "changing", NULL, getuid (), 0);
- #endif
- 		exit (1);
-@@ -394,13 +403,26 @@ int main (int argc, char **argv)
- 
- 		if (grp->gr_passwd[0] == '\0' ||
- 		    strcmp (cpasswd, grp->gr_passwd) != 0) {
-+#ifdef WITH_AUDIT
-+			snprintf (audit_buf, sizeof(audit_buf),
-+				"authentication new_gid=%d",
-+				grp->gr_gid);
-+			audit_logger (AUDIT_GRP_AUTH, Prog,
-+				audit_buf, NULL, getuid (), 0);
-+#endif
- 			SYSLOG ((LOG_INFO,
- 				 "Invalid password for group `%s' from `%s'",
- 				 group, name));
- 			sleep (1);
--			fputs (_("Invalid password."), stderr);
-+			fputs (_("Invalid password.\n"), stderr);
- 			goto failure;
- 		}
-+#ifdef WITH_AUDIT
-+		snprintf (audit_buf, sizeof(audit_buf),
-+			"authentication new_gid=%d", grp->gr_gid);
-+		audit_logger (AUDIT_GRP_AUTH, Prog,
-+			audit_buf, NULL, getuid (), 1);
-+#endif
- 	}
- 
- 	/*
-@@ -458,10 +480,16 @@ int main (int argc, char **argv)
- 		child = fork ();
- 		if (child < 0) {
- 			/* error in fork() */
--			fprintf (stderr, _("%s: failure forking: %s"),
-+			fprintf (stderr, _("%s: failure forking: %s\n"),
- 				 is_newgrp ? "newgrp" : "sg", strerror (errno));
- #ifdef WITH_AUDIT
--			audit_logger (AUDIT_USER_START, Prog, "changing",
-+			if (group) {
-+				snprintf (audit_buf, sizeof(audit_buf),
-+					"changing new_group=%s", group);
-+				audit_logger (AUDIT_CHGRP_ID, Prog,
-+					audit_buf, NULL, getuid (), 0);
-+			} else
-+				audit_logger (AUDIT_CHGRP_ID, Prog, "changing",
- 				      NULL, getuid (), 0);
- #endif
- 			exit (1);
-@@ -531,14 +559,24 @@ int main (int argc, char **argv)
- 	 * to the real UID. For root, this also sets the real GID to the
- 	 * new group id.
- 	 */
--	if (setgid (gid))
-+	if (setgid (gid)) {
- 		perror ("setgid");
-+#ifdef WITH_AUDIT
-+		snprintf (audit_buf, sizeof(audit_buf),
-+			"changing new_gid=%d", gid);
-+		audit_logger (AUDIT_CHGRP_ID, Prog,
-+			audit_buf, NULL, getuid (), 0);
-+#endif
-+		exit (1);
-+	}
- 
- 	if (setuid (getuid ())) {
- 		perror ("setuid");
- #ifdef WITH_AUDIT
--		audit_logger (AUDIT_USER_START, Prog, "changing",
--			      NULL, getuid (), 0);
-+		snprintf (audit_buf, sizeof(audit_buf),
-+			"changing new_gid=%d", gid);
-+		audit_logger (AUDIT_CHGRP_ID, Prog,
-+			audit_buf, NULL, getuid (), 0);
- #endif
- 		exit (1);
- 	}
-@@ -551,8 +589,10 @@ int main (int argc, char **argv)
- 		closelog ();
- 		execl ("/bin/sh", "sh", "-c", command, (char *) 0);
- #ifdef WITH_AUDIT
--		audit_logger (AUDIT_USER_START, Prog, "changing",
--			      NULL, getuid (), 0);
-+		snprintf (audit_buf, sizeof(audit_buf),
-+			"changing new_gid=%d", gid);
-+		audit_logger (AUDIT_CHGRP_ID, Prog,
-+			audit_buf, NULL, getuid (), 0);
- #endif
- 		perror ("/bin/sh");
- 		exit (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
-@@ -618,7 +658,8 @@ int main (int argc, char **argv)
- 	}
- 
- #ifdef WITH_AUDIT
--	audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 1);
-+	snprintf (audit_buf, sizeof(audit_buf), "changing new_gid=%d", gid);
-+	audit_logger (AUDIT_CHGRP_ID, Prog, audit_buf, NULL, getuid (), 1);
- #endif
- 	/*
- 	 * Exec the login shell and go away. We are trying to get back to
-@@ -641,7 +682,14 @@ int main (int argc, char **argv)
- 	 */
- 	closelog ();
- #ifdef WITH_AUDIT
--	audit_logger (AUDIT_USER_START, Prog, "changing", NULL, getuid (), 0);
-+	if (group) {
-+		snprintf (audit_buf, sizeof(audit_buf),
-+			"changing new_group=%s", group);
-+		audit_logger (AUDIT_CHGRP_ID, Prog, 
-+			audit_buf, NULL, getuid (), 0);
-+	} else
-+		audit_logger (AUDIT_CHGRP_ID, Prog,
-+			"changing", NULL, getuid (), 0);
- #endif
- 	exit (1);
- }

shadow-4.1.0-fasterReset.patch

@@ -1,19 +0,0 @@
-diff -up shadow-4.1.0/src/faillog.c.fasterReset shadow-4.1.0/src/faillog.c
---- shadow-4.1.0/src/faillog.c.fasterReset	2008-03-04 14:08:55.000000000 +0100
-+++ shadow-4.1.0/src/faillog.c	2008-03-04 14:11:13.000000000 +0100
-@@ -164,8 +164,13 @@ static void reset (void)
- 
- 	if (uflg)
- 		reset_one (user);
--	else
--		for (uid = 0; reset_one (uid); uid++);
-+	else {
-+		struct passwd *pwent;
-+
-+		setpwent ();
-+		while ( pwent = getpwent () )
-+				reset_one (pwent->pw_uid);
-+	}
- }
- 
- static void print (void)

shadow-4.1.0-lOption.patch

@@ -1,66 +0,0 @@
-diff -up shadow-4.1.0/src/useradd.c.lOption shadow-4.1.0/src/useradd.c
---- shadow-4.1.0/src/useradd.c.lOption	2007-12-12 14:03:22.000000000 +0100
-+++ shadow-4.1.0/src/useradd.c	2007-12-12 14:08:43.000000000 +0100
-@@ -124,6 +124,7 @@ static int
-     Gflg = 0,			/* secondary group set for new account */
-     kflg = 0,			/* specify a directory to fill new user directory */
-     mflg = 0,			/* create user's home directory if it doesn't exist */
-+    lflg = 0,      		/* do not add user to lastlog database file */
-     Mflg = 0,                   /* do NOT create user's home directory no matter what */
-     nflg = 0,                   /* do NOT create a group having the same name as the user */
-     oflg = 0,			/* permit non-unique user ID to be specified with -u */
-@@ -634,8 +635,9 @@ static void usage (void)
- 			   "  -K, --key KEY=VALUE           overrides /etc/login.defs defaults\n"
- 			   "  -m, --create-home             create home directory for the new user\n"
- 			   "                                account\n"
--                           "  -M,                       do not create user's home directory(overrides /etc/login.defs)\n"
--                           "  -r,                       create system account\n"
-+                           "  -l,                           do not add user to lastlog database file\n"
-+                           "  -M,                           do not create user's home directory(overrides /etc/login.defs)\n"
-+                           "  -r,                           create system account\n"
- 			   "  -o, --non-unique              allow create user with duplicate\n"
- 			   "                                (non-unique) UID\n"
- 			   "  -p, --password PASSWORD       use encrypted password for the new user\n"
-@@ -1032,7 +1034,7 @@ static void process_flags (int argc, cha
- 			{NULL, 0, NULL, '\0'}
- 		};
- 		while ((c =
--			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mMnrop:s:u:",
-+			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:",
- 				     long_options, NULL)) != -1) {
- 			switch (c) {
- 			case 'b':
-@@ -1169,6 +1171,9 @@ static void process_flags (int argc, cha
- 			case 'm':
- 				mflg++;
- 				break;
-+			case 'l':
-+	                        lflg++;
-+                        	break;
- 			case 'o':
- 				oflg++;
- 				break;
-@@ -1538,7 +1543,7 @@ static void usr_update (void)
- 	 * are left unchanged).  --marekm
- 	 */
- 	/* local, no need for xgetpwuid */
--	if (!getpwuid (user_id)) {
-+	if (!getpwuid (user_id) && !lflg) {
- 		faillog_reset (user_id);
- 		lastlog_reset (user_id);
- 	}
-diff -up shadow-4.1.0/man/useradd.8.lOption shadow-4.1.0/man/useradd.8
---- shadow-4.1.0/man/useradd.8.lOption	2007-12-12 14:03:22.000000000 +0100
-+++ shadow-4.1.0/man/useradd.8	2007-12-12 14:06:31.000000000 +0100
-@@ -53,6 +53,11 @@ option is not used,
- must exist\.
- .RE
- .PP
-+\fB-l\fR
-+.RS 4
-+Do not add the user to the last login log file. This is an option added by Red Hat.
-+.RE
-+.PP
- \fB\-D\fR
- .RS 4
- See below, the subsection "Changing the default values"\.

shadow-4.1.0-redhat.patch

@@ -1,400 +0,0 @@
-diff -up shadow-4.1.0/src/useradd.c.redhat shadow-4.1.0/src/useradd.c
---- shadow-4.1.0/src/useradd.c.redhat	2007-12-09 23:43:09.000000000 +0100
-+++ shadow-4.1.0/src/useradd.c	2007-12-12 12:19:34.000000000 +0100
-@@ -81,7 +81,7 @@
- static gid_t def_group = 100;
- static const char *def_gname = "other";
- static const char *def_home = "/home";
--static const char *def_shell = "";
-+static const char *def_shell = "/sbin/nologin";
- static const char *def_template = SKEL_DIR;
- static const char *def_create_mail_spool = "no";
- 
-@@ -93,7 +93,7 @@ static char def_file[] = USER_DEFAULTS_F
- #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
- 
- static const char *user_name = "";
--static const char *user_pass = "!";
-+static const char *user_pass = "!!";
- static uid_t user_id;
- static gid_t user_gid;
- static const char *user_comment = "";
-@@ -124,8 +124,10 @@ static int
-     Gflg = 0,			/* secondary group set for new account */
-     kflg = 0,			/* specify a directory to fill new user directory */
-     mflg = 0,			/* create user's home directory if it doesn't exist */
--    nflg = 0,			/* create a group having the same name as the user */
-+    Mflg = 0,                   /* do NOT create user's home directory no matter what */
-+    nflg = 0,                   /* do NOT create a group having the same name as the user */
-     oflg = 0,			/* permit non-unique user ID to be specified with -u */
-+    rflg = 0,                   /* create a system account */
-     sflg = 0,			/* shell program for new account */
-     uflg = 0;			/* specify user ID for new account */
- 
-@@ -632,6 +634,8 @@ static void usage (void)
- 			   "  -K, --key KEY=VALUE           overrides /etc/login.defs defaults\n"
- 			   "  -m, --create-home             create home directory for the new user\n"
- 			   "                                account\n"
-+                           "  -M,                       do not create user's home directory(overrides /etc/login.defs)\n"
-+                           "  -r,                       create system account\n"
- 			   "  -o, --non-unique              allow create user with duplicate\n"
- 			   "                                (non-unique) UID\n"
- 			   "  -p, --password PASSWORD       use encrypted password for the new user\n"
-@@ -684,11 +688,20 @@ static void new_spent (struct spwd *spen
- 	spent->sp_namp = (char *) user_name;
- 	spent->sp_pwdp = (char *) user_pass;
- 	spent->sp_lstchg = time ((time_t *) 0) / SCALE;
--	spent->sp_min = scale_age (getdef_num ("PASS_MIN_DAYS", -1));
--	spent->sp_max = scale_age (getdef_num ("PASS_MAX_DAYS", -1));
--	spent->sp_warn = scale_age (getdef_num ("PASS_WARN_AGE", -1));
--	spent->sp_inact = scale_age (def_inactive);
--	spent->sp_expire = scale_age (user_expire);
-+	if (!rflg) {
-+		spent->sp_min = scale_age (getdef_num ("PASS_MIN_DAYS", -1));
-+		spent->sp_max = scale_age (getdef_num ("PASS_MAX_DAYS", -1));
-+		spent->sp_warn = scale_age (getdef_num ("PASS_WARN_AGE", -1));
-+		spent->sp_inact = scale_age (def_inactive);
-+		spent->sp_expire = scale_age (user_expire);
-+	}
-+	else {
-+		spent->sp_min = scale_age(-1);
-+                spent->sp_max = scale_age(-1);
-+                spent->sp_warn = scale_age(-1);
-+                spent->sp_inact = scale_age(-1);
-+        	spent->sp_expire = scale_age(-1);
-+	}
- 	spent->sp_flag = -1;
- }
- 
-@@ -821,8 +834,14 @@ static void find_new_uid (void)
- 	const struct passwd *pwd;
- 	uid_t uid_min, uid_max;
- 
--	uid_min = getdef_unum ("UID_MIN", 1000);
--	uid_max = getdef_unum ("UID_MAX", 60000);
-+        if (!rflg) {
-+                uid_min = getdef_unum ("UID_MIN", 500);
-+                uid_max = getdef_unum ("UID_MAX", 60000);
-+        }
-+        else {
-+                uid_min = 1;
-+                uid_max = getdef_unum ("UID_MIN", 500) - 1;
-+        }
- 
- 	/*
- 	 * Start with some UID value if the user didn't provide us with
-@@ -852,7 +871,7 @@ static void find_new_uid (void)
- #endif
- 			exit (E_NAME_IN_USE);
- 		}
--		if (uflg && user_id == pwd->pw_uid) {
-+		if (!oflg && uflg && user_id == pwd->pw_uid) {
- 			fprintf (stderr, _("%s: UID %u is not unique\n"),
- 				 Prog, (unsigned int) user_id);
- #ifdef WITH_AUDIT
-@@ -908,8 +927,13 @@ static void find_new_gid ()
- 	const struct group *grp;
- 	gid_t gid_min, gid_max;
- 
--	gid_min = getdef_num ("GID_MIN", 500);
--	gid_max = getdef_num ("GID_MAX", 60000);
-+        if (!rflg) {
-+                gid_min = getdef_unum ("GID_MIN", 500);
-+                gid_max = getdef_unum ("GID_MAX", 60000);
-+        } else {
-+                gid_min = 1;
-+                gid_max = getdef_unum ("GID_MIN", 500) - 1;
-+        }
- 
- 	/*
- 	 * Start with some GID value if the user didn't provide us with
-@@ -1008,7 +1032,7 @@ static void process_flags (int argc, cha
- 			{NULL, 0, NULL, '\0'}
- 		};
- 		while ((c =
--			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mMop:s:u:",
-+			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mMnrop:s:u:",
- 				     long_options, NULL)) != -1) {
- 			switch (c) {
- 			case 'b':
-@@ -1177,6 +1201,15 @@ static void process_flags (int argc, cha
- 				user_id = get_uid (optarg);
- 				uflg++;
- 				break;
-+                        case 'n':
-+                                nflg++;
-+                                break;
-+                        case 'r':
-+                                rflg++;
-+                                break;
-+                        case 'M':
-+                                Mflg++;
-+                                break;
- 			default:
- 				usage ();
- 			}
-@@ -1184,6 +1217,9 @@ static void process_flags (int argc, cha
- 		}
- 	}
- 
-+        if (mflg && Mflg) /* the admin is not decided .. create or not ? */
-+               usage();
-+
- 	/*
- 	 * Certain options are only valid in combination with others.
- 	 * Check it here so that they can be specified in any order.
-@@ -1698,6 +1734,14 @@ int main (int argc, char **argv)
- 	}
- #endif				/* USE_PAM */
- 
-+        if (!rflg) /* for system accounts defaults are ignored and we
-+                    * do not create a home dir -- gafton */
-+        	if (getdef_bool("CREATE_HOME"))
-+               		mflg = 1;
-+
-+        if (Mflg) /* absolutely sure that we do not create home dirs */
-+        	mflg = 0;
-+
- 	/*
- 	 * See if we are messing with the defaults file, or creating
- 	 * a new user.
-@@ -1728,7 +1772,7 @@ int main (int argc, char **argv)
- 	 * to that group, use useradd -g username username.
- 	 * --bero
- 	 */
--	if (!gflg) {
-+	if ( !(nflg || gflg) ) {
- 		if (getgrnam (user_name)) { /* local, no need for xgetgrnam */
- 			fprintf (stderr,
- 				 _
-@@ -1779,27 +1823,22 @@ int main (int argc, char **argv)
- 				 ("%s: warning: the home directory already exists.\n"
- 				  "Not copying any file from skel directory into it.\n"),
- 				 Prog);
--
--	} else if (getdef_str ("CREATE_HOME")) {
--		/*
--		 * RedHat added the CREATE_HOME option in login.defs in their
--		 * version of shadow-utils (which makes -m the default, with
--		 * new -M option to turn it off). Unfortunately, this
--		 * changes the way useradd works (it can be run by scripts
--		 * expecting some standard behaviour), compared to other
--		 * Unices and other Linux distributions, and also adds a lot
--		 * of confusion :-(.
--		 * So we now recognize CREATE_HOME and give a warning here
--		 * (better than "configuration error ... notify administrator"
--		 * errors in every program that reads /etc/login.defs). -MM
--		 */
--		fprintf (stderr,
--			 _
--			 ("%s: warning: CREATE_HOME not supported, please use -m instead.\n"),
--			 Prog);
- 	}
--
--	create_mail ();
-+        /* Warning removed to protect the innocent. */
-+        /*
-+         * The whole idea about breaking some stupid scripts by creating a new
-+         * variable is crap - I could care less about the scripts. Historically
-+         * adduser type programs have always created the home directories and
-+         * I don't like the idea of providing a script when we can fix the
-+         * binary itself. And if the scripts are using the right options to the
-+         * useradd then they will not break. If not, they depend on unspecified
-+         * behavior and they will break, but they were broken anyway to begin
-+         * with --gafton
-+         */
-+
-+	/* Do not create mail directory for system accounts */
-+	if( !rflg )
-+		create_mail ();
- 
- 	close_files ();
- 
-diff -up shadow-4.1.0/src/groupadd.c.redhat shadow-4.1.0/src/groupadd.c
---- shadow-4.1.0/src/groupadd.c.redhat	2007-11-24 23:41:19.000000000 +0100
-+++ shadow-4.1.0/src/groupadd.c	2007-12-12 12:15:00.000000000 +0100
-@@ -74,6 +74,7 @@ static char *Prog;
- static int oflg = 0;		/* permit non-unique group ID to be specified with -g */
- static int gflg = 0;		/* ID value for the new group */
- static int fflg = 0;		/* if group already exists, do nothing and exit(0) */
-+static int rflg = 0;            /* for adding system accounts (Red Hat) */
- 
- /* local function prototypes */
- static void usage (void);
-@@ -100,6 +101,7 @@ static void usage (void)
- 			   "Options:\n"
- 			   "  -f, --force                   force exit with success status if the\n"
- 			   "                                specified group already exists\n"
-+                           "  -r,                           create system account\n"
- 			   "  -g, --gid GID                 use GID for the new group\n"
- 			   "  -h, --help                    display this help message and exit\n"
- 			   "  -K, --key KEY=VALUE           overrides /etc/login.defs defaults\n"
-@@ -198,8 +200,13 @@ static void find_new_gid (void)
- 	const struct group *grp;
- 	gid_t gid_min, gid_max;
- 
--	gid_min = getdef_unum ("GID_MIN", 1000);
--	gid_max = getdef_unum ("GID_MAX", 60000);
-+	if (!rflg) {
-+		gid_min = getdef_unum ("GID_MIN", 500);
-+                gid_max = getdef_unum ("GID_MAX", 60000);
-+        } else {
-+                gid_min = 1;
-+                gid_max = getdef_unum ("GID_MIN", 500) - 1;
-+        }
- 
- 	/*
- 	 * Start with some GID value if the user didn't provide us with
-@@ -430,7 +437,7 @@ int main (int argc, char **argv)
- 		};
- 
- 		while ((c =
--			getopt_long (argc, argv, "fg:hK:o", long_options,
-+			getopt_long (argc, argv, "frg:hK:o", long_options,
- 				     &option_index)) != -1) {
- 			switch (c) {
- 			case 'f':
-@@ -443,6 +450,12 @@ int main (int argc, char **argv)
- 				 */
- 				fflg++;
- 				break;
-+	                case 'r':
-+	                        /*
-+	                         * create a system group
-+	                         */
-+	                        rflg++;
-+	                        break;
- 			case 'g':
- 				gflg++;
- 				group_id = get_gid (optarg);
-diff -up shadow-4.1.0/man/chpasswd.8.redhat shadow-4.1.0/man/chpasswd.8
-diff -up shadow-4.1.0/man/newusers.8.redhat shadow-4.1.0/man/newusers.8
-diff -up shadow-4.1.0/man/useradd.8.redhat shadow-4.1.0/man/useradd.8
---- shadow-4.1.0/man/useradd.8.redhat	2007-12-10 00:07:10.000000000 +0100
-+++ shadow-4.1.0/man/useradd.8	2007-12-12 12:05:54.000000000 +0100
-@@ -25,9 +25,9 @@ When invoked without the
- \fB\-D\fR
- option, the
- \fBuseradd\fR
--command creates a new user account using the values specified on the command line plus the default values from the system\. Depending on command line options, the
-+command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the 
- \fBuseradd\fR
--command will update system files and may also create the new user\'s home directory and copy initial files\.
-+command will update system files and may also create the new user's home directory and copy initial files. The version provided with Red Hat Linux will create a group for each user added to the system by default.
- .SH "OPTIONS"
- .PP
- The options which apply to the
-@@ -84,7 +84,7 @@ The number of days after a password expi
- .PP
- \fB\-g\fR, \fB\-\-gid\fR \fIGROUP\fR
- .RS 4
--The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\. The default group number is 1 or whatever is specified in
-+The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\.
- \fI/etc/default/useradd\fR\.
- .RE
- .PP
-@@ -100,6 +100,13 @@ option\. The default is for the user to 
- Display help message and exit\.
- .RE
- .PP
-+\fB-M\fR
-+.RS 4
-+The user\'s home directory will not be created, even if the system wide settings from 
-+\fI/etc/login.defs\fR 
-+is to create home dirs\.
-+.RE
-+.PP
- \fB\-m\fR, \fB\-\-create\-home\fR
- .RS 4
- The user\'s home directory will be created if it does not exist\. The files contained in
-@@ -119,6 +126,13 @@ option is only valid in conjunction with
- option\. The default is to not create the directory and to not copy any files\.
- .RE
- .PP
-+\fB-n\fR
-+.RS 4
-+A group having the same name as the user being added to the system will be created by default\. This option will turn off this Red Hat Linux specific behavior\. When this option is used, users by default will be placed in whatever group is specified in 
-+\fI/etc/default/useradd\fR\. 
-+If no default group is defined, group 1 will be used.
-+.RE
-+.PP
- \fB\-K\fR, \fB\-\-key\fR \fIKEY\fR=\fIVALUE\fR
- .RS 4
- Overrides /etc/login\.defs defaults (UID_MIN, UID_MAX, UMASK, PASS_MAX_DAYS and others)\.
-@@ -150,6 +164,19 @@ The encrypted password, as returned by
- \fBcrypt\fR(3)\. The default is to disable the account\.
- .RE
- .PP
-+\fB-r\fR
-+.RS 4
-+This flag is used to create a system account\. That is, a user with a UID lower than the value of UID_MIN defined in 
-+\fI/etc/login.defs\fR 
-+and whose password does not expire\. Note that 
-+\fBuseradd\fR 
-+will not create a home directory for such an user, regardless of the default setting in 
-+\fI/etc/login.defs\fR\. 
-+You have to specify 
-+\fB-m\fR 
-+option if you want a home directory for a system account to be created\. This is an option added by Red Hat\.
-+.RE
-+.PP
- \fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR
- .RS 4
- The name of the user\'s login shell\. The default is to leave this field blank, which causes the system to select the default login shell\.
-@@ -206,6 +233,8 @@ The name of a new user\'s login shell\.
- The system administrator is responsible for placing the default user files in the
- \fI/etc/skel/\fR
- directory\.
-+.br
-+This version of useradd was modified by Red Hat to suit Red Hat user/group conventions\.
- .SH "CAVEATS"
- .PP
- You may not add a user to a NIS or LDAP group\. This must be performed on the corresponding server\.
-@@ -315,6 +344,11 @@ Secure user account information\.
- Group account information\.
- .RE
- .PP
-+\fI/etc/gshadow\fR
-+.RS 4
-+Secure group account information\.
-+.RE
-+.PP
- \fI/etc/default/useradd\fR
- .RS 4
- Default values for account creation\.
-diff -up shadow-4.1.0/man/groupadd.8.redhat shadow-4.1.0/man/groupadd.8
---- shadow-4.1.0/man/groupadd.8.redhat	2007-12-10 00:06:00.000000000 +0100
-+++ shadow-4.1.0/man/groupadd.8	2007-12-12 12:11:23.000000000 +0100
-@@ -14,7 +14,7 @@
- groupadd - create a new group
- .SH "SYNOPSIS"
- .HP 9
--\fBgroupadd\fR [\-g\ \fIGID\fR\ [\-o]] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR
-+\fBgroupadd\fR [\-g\ \fIgid\fR\ [\-o]] [\-r] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR
- .SH "DESCRIPTION"
- .PP
- The
-@@ -34,11 +34,22 @@ This option causes the command to simply
- is turned off)\.
- .RE
- .PP
-+\fB-r\fR
-+.RS 4
-+This flag instructs 
-+\fBgroupadd\fR 
-+to add a system account\.  The first available 
-+\fIgid\fR 
-+lower than 499 will be automatically selected unless the 
-+\fB-g\fR 
-+option is also given on the command line\. This is an option added by Red Hat\.
-+.RE
-+.PP
- \fB\-g\fR \fIGID\fR
- .RS 4
- The numerical value of the group\'s ID\. This value must be unique, unless the
- \fB\-o\fR
--option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 999 and greater than every other group\. Values between 0 and 999 are typically reserved for system accounts\.
-+option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 500 and greater than every other group\. Values between 0 and 499 are typically reserved for system accounts\.
- .RE
- .PP
- \fB\-h\fR, \fB\-\-help\fR

shadow-4.1.0-segfault.patch

@@ -1,12 +0,0 @@
-diff -up shadow-4.1.0/src/groupmems.c.segfault shadow-4.1.0/src/groupmems.c
---- shadow-4.1.0/src/groupmems.c.segfault	2008-02-19 12:39:23.000000000 +0100
-+++ shadow-4.1.0/src/groupmems.c	2008-02-19 12:55:06.000000000 +0100
-@@ -106,7 +106,7 @@ static void addtogroup (char *user, char
- 		}
- 	}
- 
--	members = (char **) realloc (members, sizeof (char *) * i);
-+	members = (char **) realloc (members, sizeof (char *) * (i + 2));
- 	members[i] = user;
- 	members[i + 1] = NULL;
- }

shadow-4.1.0-selinux.patch

@@ -1,675 +0,0 @@
-diff -upb shadow-4.1.0/libmisc/system.c.selinux shadow-4.1.0/libmisc/system.c
---- shadow-4.1.0/libmisc/system.c.selinux	2008-03-03 14:18:17.000000000 +0100
-+++ shadow-4.1.0/libmisc/system.c	2008-03-03 14:18:17.000000000 +0100
-@@ -0,0 +1,37 @@
-+#include <config.h>
-+
-+#ident "$Id: shell.c,v 1.13 2006/01/18 19:38:27 kloczek Exp $"
-+
-+#include <stdio.h>
-+#include <sys/wait.h>
-+#include <fcntl.h>
-+#include "prototypes.h"
-+#include "defines.h"
-+
-+int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr)
-+{
-+	int status = -1;
-+	int fd;
-+	pid_t pid;
-+	
-+	pid = fork();
-+	if (pid < 0) 
-+		return -1;
-+
-+	if (pid) {       /* Parent */
-+		waitpid(pid, &status, 0);
-+		return status;
-+	}
-+
-+	fd = open("/dev/null", O_RDWR);
-+	/* Child */
-+	dup2(fd,0);	// Close Stdin
-+	if (ignore_stderr)
-+		dup2(fd,2);	// Close Stderr
-+	
-+	execve(command, (char *const *) argv, (char *const *) env);
-+	fprintf (stderr,
-+		 _("Failed to exec '%s'\n"), argv[0]);
-+	exit (-1);
-+}
-+
-diff -upb shadow-4.1.0/libmisc/Makefile.am.selinux shadow-4.1.0/libmisc/Makefile.am
---- shadow-4.1.0/libmisc/Makefile.am.selinux	2007-11-23 10:15:48.000000000 +0100
-+++ shadow-4.1.0/libmisc/Makefile.am	2008-03-03 14:18:17.000000000 +0100
-@@ -42,6 +42,7 @@ libmisc_a_SOURCES = \
- 	setugid.c \
- 	setupenv.c \
- 	shell.c \
-+	system.c \
- 	strtoday.c \
- 	sub.c \
- 	sulog.c \
-diff -upb shadow-4.1.0/libmisc/copydir.c.selinux shadow-4.1.0/libmisc/copydir.c
---- shadow-4.1.0/libmisc/copydir.c.selinux	2007-11-11 00:45:59.000000000 +0100
-+++ shadow-4.1.0/libmisc/copydir.c	2008-03-03 14:19:01.000000000 +0100
-@@ -54,7 +54,7 @@ struct link_name {
- static struct link_name *links;
- 
- #ifdef WITH_SELINUX
--static int selinux_file_context (const char *dst_name)
-+int selinux_file_context (const char *dst_name)
- {
- 	security_context_t scontext = NULL;
- 
-@@ -199,7 +199,7 @@ int copy_tree (const char *src_root, con
- 		if (strlen (src_root) + strlen (ent->d_name) + 2 >
- 		    sizeof src_name) {
- 			err++;
--			break;
-+			break;
- 		}
- 		snprintf (src_name, sizeof src_name, "%s/%s", src_root,
- 			  ent->d_name);
-@@ -207,7 +207,7 @@ int copy_tree (const char *src_root, con
- 		if (strlen (dst_root) + strlen (ent->d_name) + 2 >
- 		    sizeof dst_name) {
- 			err++;
--			break;
-+			break;
- 		}
- 		snprintf (dst_name, sizeof dst_name, "%s/%s", dst_root,
- 			  ent->d_name);
-@@ -313,7 +313,7 @@ int copy_tree (const char *src_root, con
- 			if (mknod (dst_name, sb.st_mode & ~07777, sb.st_rdev)
- 			    || chown (dst_name,
- 				      uid == (uid_t) - 1 ? sb.st_uid : uid,
--				      gid == (gid_t) - 1 ? sb.st_gid : gid)
-+				      gid == (gid_t) - 1 ? sb.st_gid : gid)
- 			    || chmod (dst_name, sb.st_mode & 07777)) {
- 				err++;
- 				break;
-@@ -363,6 +363,10 @@ int copy_tree (const char *src_root, con
- 		src_orig = 0;
- 		dst_orig = 0;
- 	}
-+#ifdef WITH_SELINUX
-+	/* Reset SELinux to create files with default contexts */
-+	setfscreatecon (NULL);
-+#endif
- 	return err ? -1 : 0;
- }
- 
-diff -upb shadow-4.1.0/man/usermod.8.xml.selinux shadow-4.1.0/man/usermod.8.xml
---- shadow-4.1.0/man/usermod.8.xml.selinux	2007-12-09 00:24:36.000000000 +0100
-+++ shadow-4.1.0/man/usermod.8.xml	2008-03-03 14:18:17.000000000 +0100
-@@ -245,6 +245,19 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
-+       <varlistentry>
-+        <term>
-+         <option>-Z</option>, <option>--selinux-user</option>
-+         <replaceable>SEUSER</replaceable>
-+       </term>
-+       <listitem>
-+         <para>
-+           The SELinux user for the user's login. The default is to leave this
-+           field the blank, which causes the system to select the default
-+           SELinux user.
-+         </para>
-+       </listitem>
-+      </varlistentry>
-     </variablelist>
-   </refsect1>
- 
-diff -upb shadow-4.1.0/man/useradd.8.selinux shadow-4.1.0/man/useradd.8
---- shadow-4.1.0/man/useradd.8.selinux	2008-03-03 14:14:45.000000000 +0100
-+++ shadow-4.1.0/man/useradd.8	2008-03-03 14:18:17.000000000 +0100
-@@ -163,6 +163,11 @@ doesn\'t work yet\.
- Allow the creation of a user account with a duplicate (non\-unique) UID\.
- .RE
- .PP
-+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR
-+.RS 4
-+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\.
-+.RE
-+.PP
- \fB\-p\fR, \fB\-\-password\fR \fIPASSWORD\fR
- .RS 4
- The encrypted password, as returned by
-diff -upb shadow-4.1.0/man/usermod.8.selinux shadow-4.1.0/man/usermod.8
---- shadow-4.1.0/man/usermod.8.selinux	2007-12-10 00:07:16.000000000 +0100
-+++ shadow-4.1.0/man/usermod.8	2008-03-03 14:18:17.000000000 +0100
-@@ -133,6 +133,11 @@ Note: if you wish to unlock the account 
- value from
- \fI/etc/default/useradd\fR)\.
- .RE
-+.PP
-+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR
-+.RS 4
-+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user.
-+.RE
- .SH "CAVEATS"
- .PP
- 
-diff -upb shadow-4.1.0/man/useradd.8.xml.selinux shadow-4.1.0/man/useradd.8.xml
---- shadow-4.1.0/man/useradd.8.xml.selinux	2007-12-09 00:24:36.000000000 +0100
-+++ shadow-4.1.0/man/useradd.8.xml	2008-03-03 14:18:17.000000000 +0100
-@@ -273,6 +273,19 @@
- 	    between 0 and 999 are typically reserved for system accounts.
- 	  </para>
- 	</listitem>
-+      </varlistentry>
-+      <varlistentry>
-+	<term>
-+	  <option>-Z</option>, <option>--selinux-user</option>
-+	  <replaceable>SEUSER</replaceable>
-+	</term>
-+	<listitem>
-+	  <para>
-+	    The SELinux user for the user's login. The default is to leave this
-+	    field blank, which causes the system to select the default SELinux
-+            user.
-+	  </para>
-+	</listitem>
-       </varlistentry>
-     </variablelist>
- 
-@@ -346,7 +359,7 @@
- 	    </para>
- 	  </listitem>
- 	</varlistentry>
--      </variablelist>
-+      </variablelist>
- 
-     </refsect2>
-   </refsect1>
-@@ -399,7 +412,7 @@
- 
-   <refsect1 id='files'>
-     <title>FILES</title>
--    <variablelist>
-+    <variablelist>
-       <varlistentry>
- 	<term><filename>/etc/passwd</filename></term>
- 	<listitem>
-diff -upb shadow-4.1.0/lib/prototypes.h.selinux shadow-4.1.0/lib/prototypes.h
---- shadow-4.1.0/lib/prototypes.h.selinux	2007-11-23 21:10:52.000000000 +0100
-+++ shadow-4.1.0/lib/prototypes.h	2008-03-03 14:18:17.000000000 +0100
-@@ -53,6 +53,9 @@ extern int is_listed (const char *, cons
- /* copydir.c */
- extern int copy_tree (const char *, const char *, uid_t, gid_t);
- extern int remove_tree (const char *);
-+#ifdef WITH_SELINUX
-+extern int selinux_file_context (const char *dst_name);
-+#endif
- 
- /* encrypt.c */
- extern char *pw_encrypt (const char *, const char *);
-@@ -151,6 +154,9 @@ extern void setup_env (struct passwd *);
- /* shell.c */
- extern int shell (const char *, const char *, char *const *);
- 
-+/* system.c */
-+extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr);
-+
- /* strtoday.c */
- extern long strtoday (const char *);
- 
-diff -upb shadow-4.1.0/lib/defines.h.selinux shadow-4.1.0/lib/defines.h
---- shadow-4.1.0/lib/defines.h.selinux	2007-11-24 12:18:35.000000000 +0100
-+++ shadow-4.1.0/lib/defines.h	2008-03-03 14:18:17.000000000 +0100
-@@ -342,4 +342,7 @@ extern char *strerror ();
- #include <libaudit.h>
- #endif
- 
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#endif
- #endif				/* _DEFINES_H_ */
-diff -upb shadow-4.1.0/src/userdel.c.selinux shadow-4.1.0/src/userdel.c
---- shadow-4.1.0/src/userdel.c.selinux	2007-11-24 23:41:19.000000000 +0100
-+++ shadow-4.1.0/src/userdel.c	2008-03-03 14:18:17.000000000 +0100
-@@ -809,6 +809,17 @@ int main (int argc, char **argv)
- #endif
- 	}
- 
-+#ifdef WITH_SELINUX
-+	if (is_selinux_enabled() > 0) { 
-+		const char *argv[5];
-+		argv[0] = "/usr/sbin/semanage";
-+		argv[1] = "login";
-+		argv[2] = "-d";
-+		argv[3] = user_name;
-+		argv[4] = NULL;
-+                safe_system(argv[0], argv, NULL, 1);
-+        }
-+#endif        
- 	/*
- 	 * Cancel any crontabs or at jobs. Have to do this before we remove
- 	 * the entry from /etc/passwd.
-diff -upb shadow-4.1.0/src/usermod.c.selinux shadow-4.1.0/src/usermod.c
---- shadow-4.1.0/src/usermod.c.selinux	2007-11-24 23:41:19.000000000 +0100
-+++ shadow-4.1.0/src/usermod.c	2008-03-03 14:18:17.000000000 +0100
-@@ -90,6 +90,7 @@ static char *user_comment;
- static char *user_home;
- static char *user_newhome;
- static char *user_shell;
-+static const char *user_selinux = "";
- static long user_expire;
- static long user_inactive;
- static long sys_ngroups;
-@@ -139,6 +140,7 @@ static int sgr_locked = 0;
- static int get_groups (char *);
- static void usage (void);
- static void new_pwent (struct passwd *);
-+static void selinux_update_mapping (void);
- 
- static void new_spent (struct spwd *);
- static void fail_exit (int);
-@@ -250,12 +252,12 @@ static int get_groups (char *list)
- #endif
- 
- 		if (ngroups == sys_ngroups) {
--			fprintf (stderr,
-+			fprintf (stderr,
- 				 _
- 				 ("%s: too many groups specified (max %d).\n"),
- 				 Prog, ngroups);
- 			break;
--		}
-+		}
- 
- 		/*
- 		 * Add the group name to the user's list of groups.
-@@ -302,6 +304,9 @@ static void usage (void)
- 			   "  -s, --shell SHELL             new login shell for the user account\n"
- 			   "  -u, --uid UID                 new UID for the user account\n"
- 			   "  -U, --unlock                  unlock the user account\n"
-+#ifdef WITH_SELINUX
-+                           "  -Z, --selinux-user            new selinux user mapping for the user account\n"
-+#endif
- 			   "\n"));
- 	exit (E_USAGE);
- }
-@@ -332,7 +337,7 @@ static char *new_pw_passwd (char *pw_pas
- 				   "You should set a password with usermod -p to unlock this user account.\n"),
- 				 Prog);
- 			return pw_pass;
--		}
-+		}
- 
- #ifdef WITH_AUDIT
- 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "updating password",
-@@ -405,7 +410,7 @@ static void new_pwent (struct passwd *pw
- #else
- 		pwent->pw_gecos = user_comment;
- #endif
--	}
-+	}
- 
- 	if (dflg) {
- #ifdef WITH_AUDIT
-@@ -826,7 +831,7 @@ static void process_flags (int argc, cha
- 		user_comment = xstrdup (pwd->pw_gecos);
- 		user_home = xstrdup (pwd->pw_dir);
- 		user_shell = xstrdup (pwd->pw_shell);
--	}
-+	}
- #ifdef WITH_AUDIT
- 	user_newname = user_name;
- 	user_newid = user_id;
-@@ -888,13 +893,20 @@ static void process_flags (int argc, cha
- 			{"move-home", no_argument, NULL, 'm'},
- 			{"non-unique", no_argument, NULL, 'o'},
- 			{"password", required_argument, NULL, 'p'},
-+#ifdef WITH_SELINUX
-+			{"selinux-user", required_argument, NULL, 'Z'},
-+#endif
- 			{"shell", required_argument, NULL, 's'},
- 			{"uid", required_argument, NULL, 'u'},
- 			{"unlock", no_argument, NULL, 'U'},
- 			{NULL, 0, NULL, '\0'}
- 		};
- 		while ((c =
-+#ifdef WITH_SELINUX
-+			getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:UZ:",
-+#else
- 			getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U",
-+#endif
- 				     long_options, NULL)) != -1) {
- 			switch (c) {
- 			case 'a':
-@@ -966,7 +978,7 @@ static void process_flags (int argc, cha
- 					fprintf (stderr,
- 						 _("%s: unknown group %s\n"),
- 						 Prog, optarg);
--					exit (E_NOTFOUND);
-+					exit (E_NOTFOUND);
- 				}
- 				user_newgid = grp->gr_gid;
- 				gflg++;
-@@ -1028,6 +1040,16 @@ static void process_flags (int argc, cha
- 			case 'U':
- 				Uflg++;
- 				break;
-+#ifdef WITH_SELINUX
-+                        case 'Z':
-+				if (is_selinux_enabled() > 0)
-+					user_selinux = optarg;
-+				else {
-+					fprintf (stderr, _("%s: -Z requires SELinux enabled kernel\n"), Prog);
-+					exit (E_BAD_ARG);
-+				}
-+                                break;
-+#endif
- 			default:
- 				usage ();
- 			}
-@@ -1040,7 +1062,7 @@ static void process_flags (int argc, cha
- 		exit (E_USAGE);
- 	}
- 	if (!is_shadow_pwd && (eflg || fflg)) {
--		fprintf (stderr,
-+		fprintf (stderr,
- 			 _
- 			 ("%s: shadow passwords required for -e and -f\n"),
- 			 Prog);
-@@ -1575,6 +1597,8 @@ int main (int argc, char **argv)
- 	nscd_flush_cache ("passwd");
- 	nscd_flush_cache ("group");
- 
-+	selinux_update_mapping();
-+
- 	if (mflg)
- 		move_home ();
- 
-@@ -1603,3 +1627,62 @@ int main (int argc, char **argv)
- 	exit (E_SUCCESS);
- 	/* NOT REACHED */
- }
-+
-+static void selinux_update_mapping () {
-+#ifdef WITH_SELINUX
-+	const char *argv[7];
-+
-+	if (is_selinux_enabled() <= 0) return;
-+
-+        if (*user_selinux) { 
-+		argv[0] = "/usr/sbin/semanage";
-+		argv[1] = "login";
-+		argv[2] = "-m";
-+		argv[3] = "-s";
-+		argv[4] = user_selinux;
-+		argv[5] = user_name;
-+		argv[6] = NULL;
-+                if (safe_system(argv[0], argv, NULL, 1)) {
-+			argv[2] = "-a";
-+			if (safe_system(argv[0], argv, NULL, 0)) {
-+				fprintf (stderr,
-+					 _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
-+					 Prog, user_name, user_selinux);
-+#ifdef WITH_AUDIT
-+				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-+					      "modifying User mapping ", user_name, user_id, 0);
-+#endif        
-+			}
-+		}
-+        }
-+        
-+	if (dflg || *user_selinux) {
-+		argv[0] = "/usr/sbin/genhomedircon";
-+		argv[1] = NULL;
-+		if(safe_system(argv[0], argv, NULL,0)) {
-+			fprintf (stderr,
-+				 _("%s: warning: unable to relabel the homedir %s for %s.\n"),
-+				 Prog, user_home, user_name);
-+#ifdef WITH_AUDIT
-+			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-+			      "relabeling home directory", user_name, user_id, 0);
-+#endif
-+		}
-+
-+		argv[0] = "/sbin/restorecon";
-+		argv[1] = "-F";
-+		argv[2] = "-R";
-+		argv[3] = user_home;
-+		argv[4] = NULL;
-+                if (safe_system(argv[0], argv, NULL, 0)) {
-+			fprintf (stderr,
-+				 _("%s: warning: unable to relabel the homedir %s for %s.\n"),
-+				 Prog, user_home, user_name);
-+#ifdef WITH_AUDIT
-+			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-+				      "relabeling home directory", user_name, user_id, 0);
-+#endif        
-+		}
-+	}
-+#endif
-+}
-diff -upb shadow-4.1.0/src/useradd.c.selinux shadow-4.1.0/src/useradd.c
---- shadow-4.1.0/src/useradd.c.selinux	2008-03-03 14:14:45.000000000 +0100
-+++ shadow-4.1.0/src/useradd.c	2008-03-03 14:19:01.000000000 +0100
-@@ -100,6 +100,7 @@ static const char *user_comment = "";
- static const char *user_home = "";
- static const char *user_shell = "";
- static const char *create_mail_spool = "";
-+static const char *user_selinux = "";
- 
- static long user_expire = -1;
- static int is_shadow_pwd;
-@@ -170,6 +171,7 @@ static int set_defaults (void);
- static int get_groups (char *);
- static void usage (void);
- static void new_pwent (struct passwd *);
-+static void selinux_update_mapping (void);
- 
- static long scale_age (long);
- static void new_spent (struct spwd *);
-@@ -356,6 +358,7 @@ static void get_defaults (void)
- 			def_create_mail_spool = xstrdup (cp);
- 		}
- 	}
-+	fclose(fp);
- }
- 
- /*
-@@ -586,7 +589,7 @@ static int get_groups (char *list)
- #endif
- 
- 		if (ngroups == sys_ngroups) {
--			fprintf (stderr,
-+			fprintf (stderr,
- 				 _
- 				 ("%s: too many groups specified (max %d).\n"),
- 				 Prog, ngroups);
-@@ -644,6 +647,10 @@ static void usage (void)
- 			   "                                account\n"
- 			   "  -s, --shell SHELL             the login shell for the new user account\n"
- 			   "  -u, --uid UID                 force use the UID for the new user account\n"
-+#ifdef WITH_SELINUX
-+                           "  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping\n"
-+#endif
-+
- 			   "\n"));
- 	exit (E_USAGE);
- }
-@@ -696,7 +703,7 @@ static void new_spent (struct spwd *spen
- 		spent->sp_warn = scale_age (getdef_num ("PASS_WARN_AGE", -1));
- 		spent->sp_inact = scale_age (def_inactive);
- 		spent->sp_expire = scale_age (user_expire);
--	}
-+	}
- 	else {
- 		spent->sp_min = scale_age(-1);
-                 spent->sp_max = scale_age(-1);
-@@ -1030,32 +1037,39 @@ static void process_flags (int argc, cha
- 			{"non-unique", no_argument, NULL, 'o'},
- 			{"password", required_argument, NULL, 'p'},
- 			{"shell", required_argument, NULL, 's'},
-+#ifdef WITH_SELINUX
-+			{"selinux-user", required_argument, NULL, 'Z'},
-+#endif
- 			{"uid", required_argument, NULL, 'u'},
- 			{NULL, 0, NULL, '\0'}
- 		};
- 		while ((c =
-+#ifdef WITH_SELINUX
-+			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:Z:",
-+#else
- 			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:",
-+#endif
- 				     long_options, NULL)) != -1) {
- 			switch (c) {
- 			case 'b':
- 				if (!VALID (optarg)
- 				    || optarg[0] != '/') {
--					fprintf (stderr,
-+					fprintf (stderr,
- 						 _
- 						 ("%s: invalid base directory '%s'\n"),
- 						 Prog, optarg);
--					exit (E_BAD_ARG);
-+					exit (E_BAD_ARG);
- 				}
- 				def_home = optarg;
- 				bflg++;
- 				break;
- 			case 'c':
- 				if (!VALID (optarg)) {
--					fprintf (stderr,
-+					fprintf (stderr,
- 						 _
- 						 ("%s: invalid comment '%s'\n"),
- 						 Prog, optarg);
--					exit (E_BAD_ARG);
-+					exit (E_BAD_ARG);
- 				}
- 				user_comment = optarg;
- 				cflg++;
-@@ -1063,11 +1077,11 @@ static void process_flags (int argc, cha
- 			case 'd':
- 				if (!VALID (optarg)
- 				    || optarg[0] != '/') {
--					fprintf (stderr,
-+					fprintf (stderr,
- 						 _
- 						 ("%s: invalid home directory '%s'\n"),
- 						 Prog, optarg);
--					exit (E_BAD_ARG);
-+					exit (E_BAD_ARG);
- 				}
- 				user_home = optarg;
- 				dflg++;
-@@ -1161,7 +1175,7 @@ static void process_flags (int argc, cha
- 						 _
- 						 ("%s: -K requires KEY=VALUE\n"),
- 						 Prog);
--					exit (E_BAD_ARG);
-+					exit (E_BAD_ARG);
- 				}
- 				/* terminate name, point to value */
- 				*cp++ = '\0';
-@@ -1215,6 +1229,17 @@ static void process_flags (int argc, cha
-                         case 'M':
-                                 Mflg++;
-                                 break;
-+#ifdef WITH_SELINUX
-+                        case 'Z':
-+				if (is_selinux_enabled() > 0)
-+					user_selinux = optarg;
-+				else {
-+					fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog);
-+
-+					exit (E_BAD_ARG);
-+				}
-+                                break;
-+#endif
- 			default:
- 				usage ();
- 			}
-@@ -1238,7 +1263,7 @@ static void process_flags (int argc, cha
- 	 */
- 	if (Dflg) {
- 		if (optind != argc)
--			usage ();
-+			usage ();
- 
- 		if (uflg || oflg || Gflg || dflg || cflg || mflg)
- 			usage ();
-@@ -1253,7 +1278,7 @@ static void process_flags (int argc, cha
- 				 ("%s: invalid user name '%s'\n"),
- 				 Prog, user_name);
- #ifdef WITH_AUDIT
--			audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user",
-+			audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user",
- 				      user_name, -1, 0);
- #endif
- 			exit (E_BAD_ARG);
-@@ -1583,6 +1608,33 @@ static void usr_update (void)
- 		grp_update ();
- }
- 
-+static void selinux_update_mapping () {
-+
-+#ifdef WITH_SELINUX
-+	if (is_selinux_enabled() <= 0) return;
-+
-+        if (*user_selinux) { /* must be done after passwd write() */
-+		const char *argv[7];
-+		argv[0] = "/usr/sbin/semanage";
-+		argv[1] = "login";
-+		argv[2] = "-a";
-+		argv[3] = "-s";
-+		argv[4] = user_selinux;
-+		argv[5] = user_name;
-+		argv[6] = NULL;
-+                if (safe_system(argv[0], argv, NULL, 0)) {
-+			fprintf (stderr,
-+				 _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
-+				 Prog, user_name, user_selinux);
-+#ifdef WITH_AUDIT
-+			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-+				      "adding SELinux user mapping", user_name, user_id, 0);
-+#endif        
-+		}
-+	}
-+#endif
-+
-+}
- /*
-  * create_home - create the user's home directory
-  *
-@@ -1592,7 +1644,11 @@ static void usr_update (void)
-  */
- static void create_home (void)
- {
-+
- 	if (access (user_home, F_OK)) {
-+#ifdef WITH_SELINUX
-+		selinux_file_context (user_home);
-+#endif
- 		/* XXX - create missing parent directories.  --marekm */
- 		if (mkdir (user_home, 0)) {
- 			fprintf (stderr,
-@@ -1614,6 +1670,10 @@ static void create_home (void)
- 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
- 			      "adding home directory", user_name, user_id, 1);
- #endif
-+#ifdef WITH_SELINUX
-+	/* Reset SELinux to create files with default contexts */
-+		setfscreatecon (NULL);
-+#endif
- 	}
- }
- 
-@@ -1847,6 +1907,8 @@ int main (int argc, char **argv)
- 
- 	close_files ();
- 
-+	selinux_update_mapping();
-+
- 	nscd_flush_cache ("passwd");
- 	nscd_flush_cache ("group");
- 

shadow-4.1.1-audit.patch

@@ -0,0 +1,26 @@
+diff -up shadow-4.1.1/src/newgrp.c.audit shadow-4.1.1/src/newgrp.c
+--- shadow-4.1.1/src/newgrp.c.audit	2008-04-03 15:20:25.000000000 +0200
++++ shadow-4.1.1/src/newgrp.c	2008-04-03 15:22:00.000000000 +0200
+@@ -53,6 +53,10 @@ static GETGROUPS_T *grouplist;
+ static char *Prog;
+ static int is_newgrp;
+ 
++#ifdef WITH_AUDIT
++	char audit_buf[80];
++#endif
++
+ /* local function prototypes */
+ static void usage (void);
+ static void check_perms (const struct group *grp,
+@@ -349,10 +353,9 @@ int main (int argc, char **argv)
+ #endif
+ 
+ #ifdef WITH_AUDIT
+-	char audit_buf[80];
+-
+ 	audit_help_open ();
+ #endif
++
+ 	setlocale (LC_ALL, "");
+ 	bindtextdomain (PACKAGE, LOCALEDIR);
+ 	textdomain (PACKAGE);

shadow-4.1.1-redhat.patch

@@ -0,0 +1,272 @@
+diff -up shadow-4.1.1/libmisc/find_new_ids.c.redhat shadow-4.1.1/libmisc/find_new_ids.c
+--- shadow-4.1.1/libmisc/find_new_ids.c.redhat	2008-04-03 12:18:51.000000000 +0200
++++ shadow-4.1.1/libmisc/find_new_ids.c	2008-04-03 13:30:44.000000000 +0200
+@@ -26,11 +26,11 @@ int find_new_uid (int sys_user, uid_t *u
+ 	assert (uid != NULL);
+ 
+ 	if (sys_user == 0) {
+-		uid_min = getdef_unum ("UID_MIN", 1000);
++		uid_min = getdef_unum ("UID_MIN", 500);
+ 		uid_max = getdef_unum ("UID_MAX", 60000);
+ 	} else {
+ 		uid_min = getdef_unum ("SYS_UID_MIN", 1);
+-		uid_max = getdef_unum ("UID_MIN", 1000) - 1;
++		uid_max = getdef_unum ("UID_MIN", 500) - 1;
+ 		uid_max = getdef_unum ("SYS_UID_MAX", uid_max);
+ 	}
+ 
+@@ -108,11 +108,11 @@ int find_new_gid (int sys_group, gid_t *
+ 	assert (gid != NULL);
+ 
+ 	if (sys_group == 0) {
+-		gid_min = getdef_unum ("GID_MIN", 1000);
++		gid_min = getdef_unum ("GID_MIN", 500);
+ 		gid_max = getdef_unum ("GID_MAX", 60000);
+ 	} else {
+ 		gid_min = getdef_unum ("SYS_GID_MIN", 1);
+-		gid_max = getdef_unum ("GID_MIN", 1000) - 1;
++		gid_max = getdef_unum ("GID_MIN", 500) - 1;
+ 		gid_max = getdef_unum ("SYS_GID_MAX", gid_max);
+ 	}
+ 
+diff -up shadow-4.1.1/src/useradd.c.redhat shadow-4.1.1/src/useradd.c
+--- shadow-4.1.1/src/useradd.c.redhat	2008-03-08 23:42:05.000000000 +0100
++++ shadow-4.1.1/src/useradd.c	2008-04-03 14:07:32.000000000 +0200
+@@ -82,7 +82,7 @@
+ static gid_t def_group = 100;
+ static const char *def_gname = "other";
+ static const char *def_home = "/home";
+-static const char *def_shell = "";
++static const char *def_shell = "/sbin/nologin";
+ static const char *def_template = SKEL_DIR;
+ static const char *def_create_mail_spool = "no";
+ 
+@@ -94,7 +94,7 @@ static char def_file[] = USER_DEFAULTS_F
+ #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
+ 
+ static const char *user_name = "";
+-static const char *user_pass = "!";
++static const char *user_pass = "!!";
+ static uid_t user_id;
+ static gid_t user_gid;
+ static const char *user_comment = "";
+@@ -130,6 +130,7 @@ static int
+     kflg = 0,			/* specify a directory to fill new user directory */
+     lflg = 0,			/* do not add user to lastlog database file */
+     mflg = 0,			/* create user's home directory if it doesn't exist */
++    Mflg = 0,                   /* do NOT create user's home directory no matter what */
+     Nflg = 0,			/* do not create a group having the same name as the user, but add the user to def_group (or the group specified with -g) */
+     oflg = 0,			/* permit non-unique user ID to be specified with -u */
+     rflg = 0,			/* create a system account */
+@@ -653,6 +654,7 @@ static void usage (void)
+ 	         "                                faillog databases\n"
+ 	         "  -m, --create-home             create home directory for the new user\n"
+ 	         "                                account\n"
++		 "  -M, 	                  do not create user's home directory(overrides /etc/login.defs)\n"		
+ 	         "  -N, --no-user-group           do not create a group with the same name as\n"
+ 	         "                                the user\n"
+ 	         "  -o, --non-unique              allow create user with duplicate\n"
+@@ -883,7 +885,7 @@ static void process_flags (int argc, cha
+ 			{NULL, 0, NULL, '\0'}
+ 		};
+ 		while ((c =
+-			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U",
++			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U",
+ 				     long_options, NULL)) != -1) {
+ 			switch (c) {
+ 			case 'b':
+@@ -1023,6 +1025,10 @@ static void process_flags (int argc, cha
+ 			case 'm':
+ 				mflg++;
+ 				break;
++                        case 'M':
++                                Mflg++;
++                                break;
++       			case 'n':
+ 			case 'N':
+ 				Nflg++;
+ 				break;
+@@ -1076,6 +1082,9 @@ static void process_flags (int argc, cha
+ 		Uflg = getdef_bool ("USERGROUPS_ENAB");
+ 	}
+ 
++        if (mflg && Mflg) /* the admin is not decided .. create or not ? */
++               usage();
++
+ 	/*
+ 	 * Certain options are only valid in combination with others.
+ 	 * Check it here so that they can be specified in any order.
+@@ -1625,6 +1634,14 @@ int main (int argc, char **argv)
+ 	}
+ #endif				/* USE_PAM */
+ 
++        if (!rflg) /* for system accounts defaults are ignored and we
++                    * do not create a home dir -- gafton */
++        	if (getdef_bool("CREATE_HOME"))
++               		mflg = 1;
++
++        if (Mflg) /* absolutely sure that we do not create home dirs */
++        	mflg = 0;
++
+ 	/*
+ 	 * See if we are messing with the defaults file, or creating
+ 	 * a new user.
+@@ -1724,27 +1741,22 @@ int main (int argc, char **argv)
+ 				 ("%s: warning: the home directory already exists.\n"
+ 				  "Not copying any file from skel directory into it.\n"),
+ 				 Prog);
+-
+-	} else if (getdef_str ("CREATE_HOME")) {
+-		/*
+-		 * RedHat added the CREATE_HOME option in login.defs in their
+-		 * version of shadow-utils (which makes -m the default, with
+-		 * new -M option to turn it off). Unfortunately, this
+-		 * changes the way useradd works (it can be run by scripts
+-		 * expecting some standard behaviour), compared to other
+-		 * Unices and other Linux distributions, and also adds a lot
+-		 * of confusion :-(.
+-		 * So we now recognize CREATE_HOME and give a warning here
+-		 * (better than "configuration error ... notify administrator"
+-		 * errors in every program that reads /etc/login.defs). -MM
+-		 */
+-		fprintf (stderr,
+-			 _
+-			 ("%s: warning: CREATE_HOME not supported, please use -m instead.\n"),
+-			 Prog);
+ 	}
+-
+-	create_mail ();
++        /* Warning removed to protect the innocent. */
++        /*
++         * The whole idea about breaking some stupid scripts by creating a new
++         * variable is crap - I could care less about the scripts. Historically
++         * adduser type programs have always created the home directories and
++         * I don't like the idea of providing a script when we can fix the
++         * binary itself. And if the scripts are using the right options to the
++         * useradd then they will not break. If not, they depend on unspecified
++         * behavior and they will break, but they were broken anyway to begin
++         * with --gafton
++         */
++
++	/* Do not create mail directory for system accounts */
++	if( !rflg )
++		create_mail ();
+ 
+ 	close_files ();
+ 
+diff -up shadow-4.1.1/src/groupadd.c.redhat shadow-4.1.1/src/groupadd.c
+diff -up shadow-4.1.1/man/useradd.8.redhat shadow-4.1.1/man/useradd.8
+--- shadow-4.1.1/man/useradd.8.redhat	2008-04-03 00:43:14.000000000 +0200
++++ shadow-4.1.1/man/useradd.8	2008-04-03 14:20:23.000000000 +0200
+@@ -25,9 +25,9 @@ When invoked without the
+ \fB\-D\fR
+ option, the
+ \fBuseradd\fR
+-command creates a new user account using the values specified on the command line plus the default values from the system\. Depending on command line options, the
++command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the 
+ \fBuseradd\fR
+-command will update system files and may also create the new user\'s home directory and copy initial files\.
++command will update system files and may also create the new user's home directory and copy initial files. The version provided with Red Hat Linux will create a group for each user added to the system by default.
+ .SH "OPTIONS"
+ .PP
+ The options which apply to the
+@@ -84,7 +84,7 @@ The number of days after a password expi
+ .PP
+ \fB\-g\fR, \fB\-\-gid\fR \fIGROUP\fR
+ .RS 4
+-The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\. The default group number is 1 or whatever is specified in
++The group name or number of the user\'s initial login group\. The group name must exist\. A group number must refer to an already existing group\.
+ \fI/etc/default/useradd\fR\.
+ .RE
+ .PP
+@@ -100,6 +100,13 @@ option\. The default is for the user to 
+ Display help message and exit\.
+ .RE
+ .PP
++\fB-M\fR
++.RS 4
++The user\'s home directory will not be created, even if the system wide settings from 
++\fI/etc/login.defs\fR 
++is to create home dirs\.
++.RE
++.PP
+ \fB\-m\fR, \fB\-\-create\-home\fR
+ .RS 4
+ The user\'s home directory will be created if it does not exist\. The files contained in
+@@ -174,6 +181,19 @@ The encrypted password, as returned by
+ \fBcrypt\fR(3)\. The default is to disable the account\.
+ .RE
+ .PP
++\fB-r\fR
++.RS 4
++This flag is used to create a system account\. That is, a user with a UID lower than the value of UID_MIN defined in 
++\fI/etc/login.defs\fR 
++and whose password does not expire\. Note that 
++\fBuseradd\fR 
++will not create a home directory for such an user, regardless of the default setting in 
++\fI/etc/login.defs\fR\. 
++You have to specify 
++\fB-m\fR 
++option if you want a home directory for a system account to be created\. This is an option added by Red Hat\.
++.RE
++.PP
+ \fB\-s\fR, \fB\-\-shell\fR \fISHELL\fR
+ .RS 4
+ The name of the user\'s login shell\. The default is to leave this field blank, which causes the system to select the default login shell\.
+@@ -244,6 +264,8 @@ The name of a new user\'s login shell\.
+ The system administrator is responsible for placing the default user files in the
+ \fI/etc/skel/\fR
+ directory\.
++.br
++This version of useradd was modified by Red Hat to suit Red Hat user/group conventions\.
+ .SH "CAVEATS"
+ .PP
+ You may not add a user to a NIS or LDAP group\. This must be performed on the corresponding server\.
+@@ -381,6 +403,11 @@ Secure user account information\.
+ Group account information\.
+ .RE
+ .PP
++\fI/etc/gshadow\fR
++.RS 4
++Secure group account information\.
++.RE
++.PP
+ \fI/etc/default/useradd\fR
+ .RS 4
+ Default values for account creation\.
+diff -up shadow-4.1.1/man/groupadd.8.redhat shadow-4.1.1/man/groupadd.8
+--- shadow-4.1.1/man/groupadd.8.redhat	2008-04-03 00:42:54.000000000 +0200
++++ shadow-4.1.1/man/groupadd.8	2008-04-03 14:27:04.000000000 +0200
+@@ -14,7 +14,7 @@
+ groupadd \- create a new group
+ .SH "SYNOPSIS"
+ .HP 9
+-\fBgroupadd\fR [\-g\ \fIGID\fR\ [\-o]] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR
++\fBgroupadd\fR [\-g\ \fIgid\fR\ [\-o]] [\-r] [\-f] [\-K\ \fIKEY\fR=\fIVALUE\fR] \fIgroup\fR
+ .SH "DESCRIPTION"
+ .PP
+ The
+@@ -34,11 +34,22 @@ This option causes the command to simply
+ is turned off)\.
+ .RE
+ .PP
++\fB-r\fR
++.RS 4
++This flag instructs
++\fBgroupadd\fR
++to add a system account\.  The first available
++\fIgid\fR
++lower than 499 will be automatically selected unless the
++\fB-g\fR
++option is also given on the command line\. This is an option added by Red Hat\.
++.RE
++.PP
+ \fB\-g\fR, \fB\-\-gid\fR \fIGID\fR
+ .RS 4
+ The numerical value of the group\'s ID\. This value must be unique, unless the
+ \fB\-o\fR
+-option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 999 and greater than every other group\. Values between 0 and 999 are typically reserved for system accounts\.
++option is used\. The value must be non\-negative\. The default is to use the smallest ID value greater than 499 and greater than every other group\. Values between 0 and 500 are typically reserved for system accounts\.
+ .RE
+ .PP
+ \fB\-h\fR, \fB\-\-help\fR

shadow-4.1.1-saltSize.patch

@@ -0,0 +1,17 @@
+diff -up shadow-4.1.1/libmisc/salt.c.saltSize shadow-4.1.1/libmisc/salt.c
+--- shadow-4.1.1/libmisc/salt.c.saltSize	2008-05-20 13:36:06.000000000 +0200
++++ shadow-4.1.1/libmisc/salt.c	2008-05-20 13:39:30.000000000 +0200
+@@ -90,9 +90,10 @@ static void seedRNG (void)
+  */
+ static unsigned int SHA_salt_size (void)
+ {
+-	double rand_rounds = 9 * random ();
+-	rand_rounds /= RAND_MAX;
+-	return 8 + rand_rounds;
++        unsigned int rand_rounds;
++        seedRNG ();
++        rand_rounds = random () % 9;
++        return 8 + rand_rounds;
+ }
+ 
+ /* ! Arguments evaluated twice ! */

shadow-4.1.1-selinux.patch

@@ -0,0 +1,490 @@
+diff -up /dev/null shadow-4.1.1/libmisc/system.c
+--- /dev/null	2008-03-19 11:34:26.687502959 +0100
++++ shadow-4.1.1/libmisc/system.c	2008-04-05 14:55:29.000000000 +0200
+@@ -0,0 +1,37 @@
++#include <config.h>
++
++#ident "$Id: shadow-4.1.1-selinux.patch,v 1.1 2008/04/05 13:17:48 pvrabec Exp $"
++
++#include <stdio.h>
++#include <sys/wait.h>
++#include <fcntl.h>
++#include "prototypes.h"
++#include "defines.h"
++
++int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr)
++{
++	int status = -1;
++	int fd;
++	pid_t pid;
++	
++	pid = fork();
++	if (pid < 0) 
++		return -1;
++
++	if (pid) {       /* Parent */
++		waitpid(pid, &status, 0);
++		return status;
++	}
++
++	fd = open("/dev/null", O_RDWR);
++	/* Child */
++	dup2(fd,0);	// Close Stdin
++	if (ignore_stderr)
++		dup2(fd,2);	// Close Stderr
++	
++	execve(command, (char *const *) argv, (char *const *) env);
++	fprintf (stderr,
++		 _("Failed to exec '%s'\n"), argv[0]);
++	exit (-1);
++}
++
+diff -up shadow-4.1.1/libmisc/copydir.c.selinux shadow-4.1.1/libmisc/copydir.c
+--- shadow-4.1.1/libmisc/copydir.c.selinux	2008-01-06 13:02:04.000000000 +0100
++++ shadow-4.1.1/libmisc/copydir.c	2008-04-05 14:55:29.000000000 +0200
+@@ -82,7 +82,7 @@ static int copy_file (const char *src, c
+  *	symlink, directory, ...
+  *
+  */
+-static int selinux_file_context (const char *dst_name)
++int selinux_file_context (const char *dst_name)
+ {
+ 	security_context_t scontext = NULL;
+ 
+@@ -253,6 +253,12 @@ int copy_tree (const char *src_root, con
+ 		src_orig = 0;
+ 		dst_orig = 0;
+ 	}
++
++#ifdef WITH_SELINUX
++        /* Reset SELinux to create files with default contexts */
++        setfscreatecon (NULL);
++#endif
++
+ 	return err;
+ }
+ 
+diff -up shadow-4.1.1/libmisc/Makefile.am.selinux shadow-4.1.1/libmisc/Makefile.am
+--- shadow-4.1.1/libmisc/Makefile.am.selinux	2008-01-27 15:21:48.000000000 +0100
++++ shadow-4.1.1/libmisc/Makefile.am	2008-04-05 14:55:29.000000000 +0200
+@@ -43,6 +43,7 @@ libmisc_a_SOURCES = \
+ 	setugid.c \
+ 	setupenv.c \
+ 	shell.c \
++	system.c \
+ 	strtoday.c \
+ 	sub.c \
+ 	sulog.c \
+diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c
+--- shadow-4.1.1/src/useradd.c.selinux	2008-04-05 14:55:29.000000000 +0200
++++ shadow-4.1.1/src/useradd.c	2008-04-05 14:55:29.000000000 +0200
+@@ -101,6 +101,7 @@ static const char *user_comment = "";
+ static const char *user_home = "";
+ static const char *user_shell = "";
+ static const char *create_mail_spool = "";
++static const char *user_selinux = "";
+ 
+ static long user_expire = -1;
+ static int is_shadow_pwd;
+@@ -173,6 +174,7 @@ static int set_defaults (void);
+ static int get_groups (char *);
+ static void usage (void);
+ static void new_pwent (struct passwd *);
++static void selinux_update_mapping (void);
+ 
+ static long scale_age (long);
+ static void new_spent (struct spwd *);
+@@ -373,6 +375,7 @@ static void get_defaults (void)
+ 			def_create_mail_spool = xstrdup (cp);
+ 		}
+ 	}
++	fclose(fp);
+ }
+ 
+ /*
+@@ -665,6 +668,9 @@ static void usage (void)
+ 	         "  -s, --shell SHELL             the login shell for the new user account\n"
+ 	         "  -u, --uid UID                 force use the UID for the new user account\n"
+ 	         "  -U, --user-group              create a group with the same name as the user\n"
++#ifdef WITH_SELINUX
++                 "  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping\n"
++#endif
+ 	         "\n"), stderr);
+ 	exit (E_USAGE);
+ }
+@@ -880,12 +886,19 @@ static void process_flags (int argc, cha
+ 			{"password", required_argument, NULL, 'p'},
+ 			{"system", no_argument, NULL, 'r'},
+ 			{"shell", required_argument, NULL, 's'},
++#ifdef WITH_SELINUX
++                        {"selinux-user", required_argument, NULL, 'Z'},
++#endif
+ 			{"uid", required_argument, NULL, 'u'},
+ 			{"user-group", no_argument, NULL, 'U'},
+ 			{NULL, 0, NULL, '\0'}
+ 		};
+ 		while ((c =
++#ifdef WITH_SELINUX
++ 			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:",
++#else
+ 			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U",
++#endif
+ 				     long_options, NULL)) != -1) {
+ 			switch (c) {
+ 			case 'b':
+@@ -1070,6 +1083,17 @@ static void process_flags (int argc, cha
+ 			case 'U':
+ 				Uflg++;
+ 				break;
++#ifdef WITH_SELINUX
++                         case 'Z':
++                                if (is_selinux_enabled() > 0)
++                                        user_selinux = optarg;
++                                else {
++                                        fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog);
++
++                                        exit (E_BAD_ARG);
++                                }
++                                break;
++#endif
+ 			default:
+ 				usage ();
+ 			}
+@@ -1476,6 +1500,33 @@ static void usr_update (void)
+ 		grp_update ();
+ }
+ 
++static void selinux_update_mapping () {
++
++#ifdef WITH_SELINUX
++	if (is_selinux_enabled() <= 0) return;
++
++        if (*user_selinux) { /* must be done after passwd write() */
++		const char *argv[7];
++		argv[0] = "/usr/sbin/semanage";
++		argv[1] = "login";
++		argv[2] = "-a";
++		argv[3] = "-s";
++		argv[4] = user_selinux;
++		argv[5] = user_name;
++		argv[6] = NULL;
++                if (safe_system(argv[0], argv, NULL, 0)) {
++			fprintf (stderr,
++				 _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
++				 Prog, user_name, user_selinux);
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++				      "adding SELinux user mapping", user_name, user_id, 0);
++#endif        
++		}
++	}
++#endif
++
++}
+ /*
+  * create_home - create the user's home directory
+  *
+@@ -1485,7 +1536,11 @@ static void usr_update (void)
+  */
+ static void create_home (void)
+ {
++
+ 	if (access (user_home, F_OK)) {
++#ifdef WITH_SELINUX
++		selinux_file_context (user_home);
++#endif
+ 		/* XXX - create missing parent directories.  --marekm */
+ 		if (mkdir (user_home, 0)) {
+ 			fprintf (stderr,
+@@ -1507,6 +1562,10 @@ static void create_home (void)
+ 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ 			      "adding home directory", user_name, user_id, 1);
+ #endif
++#ifdef WITH_SELINUX
++	/* Reset SELinux to create files with default contexts */
++		setfscreatecon (NULL);
++#endif
+ 	}
+ }
+ 
+@@ -1760,6 +1819,8 @@ int main (int argc, char **argv)
+ 
+ 	close_files ();
+ 
++	selinux_update_mapping();
++
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
+ 
+diff -up shadow-4.1.1/src/usermod.c.selinux shadow-4.1.1/src/usermod.c
+--- shadow-4.1.1/src/usermod.c.selinux	2008-02-24 13:35:13.000000000 +0100
++++ shadow-4.1.1/src/usermod.c	2008-04-05 14:55:29.000000000 +0200
+@@ -91,6 +91,7 @@ static char *user_newcomment;
+ static char *user_home;
+ static char *user_newhome;
+ static char *user_shell;
++static const char *user_selinux = "";
+ static char *user_newshell;
+ static long user_expire;
+ static long user_newexpire;
+@@ -138,6 +139,7 @@ static void date_to_str (char *buf, size
+ static int get_groups (char *);
+ static void usage (void);
+ static void new_pwent (struct passwd *);
++static void selinux_update_mapping (void);
+ 
+ static void new_spent (struct spwd *);
+ static void fail_exit (int);
+@@ -320,6 +322,9 @@ static void usage (void)
+ 	         "  -s, --shell SHELL             new login shell for the user account\n"
+ 	         "  -u, --uid UID                 new UID for the user account\n"
+ 	         "  -U, --unlock                  unlock the user account\n"
++#ifdef WITH_SELINUX
++                 "  -Z, --selinux-user            new selinux user mapping for the user account\n"
++#endif
+ 	         "\n"), stderr);
+ 	exit (E_USAGE);
+ }
+@@ -846,13 +851,20 @@ static void process_flags (int argc, cha
+ 			{"move-home", no_argument, NULL, 'm'},
+ 			{"non-unique", no_argument, NULL, 'o'},
+ 			{"password", required_argument, NULL, 'p'},
++#ifdef WITH_SELINUX
++                        {"selinux-user", required_argument, NULL, 'Z'},
++#endif
+ 			{"shell", required_argument, NULL, 's'},
+ 			{"uid", required_argument, NULL, 'u'},
+ 			{"unlock", no_argument, NULL, 'U'},
+ 			{NULL, 0, NULL, '\0'}
+ 		};
+ 		while ((c =
+-			getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U",
++#ifdef WITH_SELINUX
++                        getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:UZ:",
++#else
++                        getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U",
++#endif
+ 				     long_options, NULL)) != -1) {
+ 			switch (c) {
+ 			case 'a':
+@@ -953,6 +965,16 @@ static void process_flags (int argc, cha
+ 			case 'U':
+ 				Uflg++;
+ 				break;
++#ifdef WITH_SELINUX
++                         case 'Z':
++                                if (is_selinux_enabled() > 0)
++                                        user_selinux = optarg;
++                                else {
++                                        fprintf (stderr, _("%s: -Z requires SELinux enabled kernel\n"), Prog);
++                                        exit (E_BAD_ARG);
++                                }
++                                break;
++#endif
+ 			default:
+ 				usage ();
+ 			}
+@@ -1530,6 +1552,8 @@ int main (int argc, char **argv)
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
+ 
++	selinux_update_mapping();
++
+ 	if (mflg)
+ 		move_home ();
+ 
+@@ -1558,3 +1582,62 @@ int main (int argc, char **argv)
+ 	exit (E_SUCCESS);
+ 	/* NOT REACHED */
+ }
++
++static void selinux_update_mapping () {
++#ifdef WITH_SELINUX
++	const char *argv[7];
++
++	if (is_selinux_enabled() <= 0) return;
++
++        if (*user_selinux) { 
++		argv[0] = "/usr/sbin/semanage";
++		argv[1] = "login";
++		argv[2] = "-m";
++		argv[3] = "-s";
++		argv[4] = user_selinux;
++		argv[5] = user_name;
++		argv[6] = NULL;
++                if (safe_system(argv[0], argv, NULL, 1)) {
++			argv[2] = "-a";
++			if (safe_system(argv[0], argv, NULL, 0)) {
++				fprintf (stderr,
++					 _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
++					 Prog, user_name, user_selinux);
++#ifdef WITH_AUDIT
++				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++					      "modifying User mapping ", user_name, user_id, 0);
++#endif        
++			}
++		}
++        }
++        
++	if (dflg || *user_selinux) {
++		argv[0] = "/usr/sbin/genhomedircon";
++		argv[1] = NULL;
++		if(safe_system(argv[0], argv, NULL,0)) {
++			fprintf (stderr,
++				 _("%s: warning: unable to relabel the homedir %s for %s.\n"),
++				 Prog, user_home, user_name);
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++			      "relabeling home directory", user_name, user_id, 0);
++#endif
++		}
++
++		argv[0] = "/sbin/restorecon";
++		argv[1] = "-F";
++		argv[2] = "-R";
++		argv[3] = user_home;
++		argv[4] = NULL;
++                if (safe_system(argv[0], argv, NULL, 0)) {
++			fprintf (stderr,
++				 _("%s: warning: unable to relabel the homedir %s for %s.\n"),
++				 Prog, user_home, user_name);
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++				      "relabeling home directory", user_name, user_id, 0);
++#endif        
++		}
++	}
++#endif
++}
+diff -up shadow-4.1.1/src/userdel.c.selinux shadow-4.1.1/src/userdel.c
+--- shadow-4.1.1/src/userdel.c.selinux	2008-03-08 21:48:26.000000000 +0100
++++ shadow-4.1.1/src/userdel.c	2008-04-05 14:55:29.000000000 +0200
+@@ -809,6 +809,17 @@ int main (int argc, char **argv)
+ #endif
+ 	}
+ 
++#ifdef WITH_SELINUX
++	if (is_selinux_enabled() > 0) { 
++		const char *argv[5];
++		argv[0] = "/usr/sbin/semanage";
++		argv[1] = "login";
++		argv[2] = "-d";
++		argv[3] = user_name;
++		argv[4] = NULL;
++                safe_system(argv[0], argv, NULL, 1);
++        }
++#endif        
+ 	/*
+ 	 * Cancel any crontabs or at jobs. Have to do this before we remove
+ 	 * the entry from /etc/passwd.
+diff -up shadow-4.1.1/man/useradd.8.selinux shadow-4.1.1/man/useradd.8
+--- shadow-4.1.1/man/useradd.8.selinux	2008-04-05 14:55:29.000000000 +0200
++++ shadow-4.1.1/man/useradd.8	2008-04-05 15:00:03.000000000 +0200
+@@ -219,6 +219,11 @@ options are not specified) is defined by
+ variable in
+ \fIlogin\.defs\fR\.
+ .RE
++.PP
++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR
++.RS 4
++The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\.
++.RE
+ .SS "Changing the default values"
+ .PP
+ When invoked with only the
+diff -up shadow-4.1.1/man/usermod.8.xml.selinux shadow-4.1.1/man/usermod.8.xml
+--- shadow-4.1.1/man/usermod.8.xml.selinux	2007-12-31 17:48:34.000000000 +0100
++++ shadow-4.1.1/man/usermod.8.xml	2008-04-05 14:55:29.000000000 +0200
+@@ -245,6 +245,19 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
++       <varlistentry>
++        <term>
++         <option>-Z</option>, <option>--selinux-user</option>
++         <replaceable>SEUSER</replaceable>
++       </term>
++       <listitem>
++         <para>
++           The SELinux user for the user's login. The default is to leave this
++           field the blank, which causes the system to select the default
++           SELinux user.
++         </para>
++       </listitem>
++      </varlistentry>
+     </variablelist>
+   </refsect1>
+ 
+diff -up shadow-4.1.1/man/usermod.8.selinux shadow-4.1.1/man/usermod.8
+--- shadow-4.1.1/man/usermod.8.selinux	2008-04-03 00:43:16.000000000 +0200
++++ shadow-4.1.1/man/usermod.8	2008-04-05 14:55:29.000000000 +0200
+@@ -133,6 +133,11 @@ Note: if you wish to unlock the account 
+ value from
+ \fI/etc/default/useradd\fR)\.
+ .RE
++.PP
++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR
++.RS 4
++The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user.
++.RE
+ .SH "CAVEATS"
+ .PP
+ 
+diff -up shadow-4.1.1/man/useradd.8.xml.selinux shadow-4.1.1/man/useradd.8.xml
+--- shadow-4.1.1/man/useradd.8.xml.selinux	2008-02-25 22:01:23.000000000 +0100
++++ shadow-4.1.1/man/useradd.8.xml	2008-04-05 14:55:29.000000000 +0200
+@@ -326,6 +326,19 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
++      <varlistentry>
++	<term>
++	  <option>-Z</option>, <option>--selinux-user</option>
++	  <replaceable>SEUSER</replaceable>
++	</term>
++	<listitem>
++	  <para>
++	    The SELinux user for the user's login. The default is to leave this
++	    field blank, which causes the system to select the default SELinux
++            user.
++	  </para>
++	</listitem>
++      </varlistentry>
+     </variablelist>
+ 
+     <refsect2 id='changing_the_default_values'>
+diff -up shadow-4.1.1/lib/defines.h.selinux shadow-4.1.1/lib/defines.h
+--- shadow-4.1.1/lib/defines.h.selinux	2008-02-03 18:52:52.000000000 +0100
++++ shadow-4.1.1/lib/defines.h	2008-04-05 14:55:29.000000000 +0200
+@@ -321,4 +321,7 @@ extern char *strerror ();
+ # define unused
+ #endif
+ 
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#endif
+ #endif				/* _DEFINES_H_ */
+diff -up shadow-4.1.1/lib/prototypes.h.selinux shadow-4.1.1/lib/prototypes.h
+--- shadow-4.1.1/lib/prototypes.h.selinux	2008-03-18 00:01:32.000000000 +0100
++++ shadow-4.1.1/lib/prototypes.h	2008-04-05 15:03:41.000000000 +0200
+@@ -51,6 +51,10 @@ extern int copy_tree (const char *src_ro
+                       long int uid, long int gid);
+ extern int remove_tree (const char *root);
+ 
++#ifdef WITH_SELINUX
++extern int selinux_file_context (const char *dst_name);
++#endif
++
+ /* encrypt.c */
+ extern char *pw_encrypt (const char *, const char *);
+ 
+@@ -194,6 +198,9 @@ extern struct spwd *__spw_dup (const str
+ /* shell.c */
+ extern int shell (const char *, const char *, char *const *);
+ 
++/* system.c */
++extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr);
++
+ /* strtoday.c */
+ extern long strtoday (const char *);
+ 

shadow-4.1.1-sysAccountDownhill.patch

@@ -0,0 +1,94 @@
+diff -up shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill shadow-4.1.1/libmisc/find_new_ids.c
+--- shadow-4.1.1/libmisc/find_new_ids.c.sysAccountDownhill	2008-04-04 21:46:08.000000000 +0200
++++ shadow-4.1.1/libmisc/find_new_ids.c	2008-04-04 21:50:04.000000000 +0200
+@@ -22,6 +22,7 @@ int find_new_uid (int sys_user, uid_t *u
+ {
+ 	const struct passwd *pwd;
+ 	uid_t uid_min, uid_max, user_id;
++	char * index;
+ 
+ 	assert (uid != NULL);
+ 
+@@ -32,6 +33,8 @@ int find_new_uid (int sys_user, uid_t *u
+ 		uid_min = getdef_unum ("SYS_UID_MIN", 1);
+ 		uid_max = getdef_unum ("UID_MIN", 500) - 1;
+ 		uid_max = getdef_unum ("SYS_UID_MAX", uid_max);
++                index = alloca (sizeof (char) * uid_max +1);
++                memset (index, 0, sizeof (char) * uid_max + 1);
+ 	}
+ 
+ 	if (   (NULL != preferred_uid)
+@@ -61,8 +64,24 @@ int find_new_uid (int sys_user, uid_t *u
+ 	pw_rewind ();
+ 	while (   ((pwd = getpwent ()) != NULL)
+ 	       || ((pwd = pw_next ()) != NULL)) {
+-		if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) {
+-			user_id = pwd->pw_uid + 1;
++		if (sys_user == 0) {
++			if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) {
++				user_id = pwd->pw_uid + 1;
++			}
++		}
++		else {
++			/* create index of occupied system accounts UIDs */
++ 	 		if (pwd->pw_uid <= uid_max)
++				index[pwd->pw_uid] = 1;
++		}
++	}
++
++	/* find free system account */
++        if(sys_user) {
++                for( user_id = uid_max; (user_id >= uid_min) && index[user_id]; user_id--);
++                if ( user_id < uid_min ) {
++               		fputs (_("Can't get unique UID (no more available UIDs)\n"), stderr);
++			return -1;
+ 		}
+ 	}
+ 
+@@ -104,6 +123,7 @@ int find_new_gid (int sys_group, gid_t *
+ {
+ 	const struct group *grp;
+ 	gid_t gid_min, gid_max, group_id;
++        char * index;
+ 
+ 	assert (gid != NULL);
+ 
+@@ -114,6 +134,8 @@ int find_new_gid (int sys_group, gid_t *
+ 		gid_min = getdef_unum ("SYS_GID_MIN", 1);
+ 		gid_max = getdef_unum ("GID_MIN", 500) - 1;
+ 		gid_max = getdef_unum ("SYS_GID_MAX", gid_max);
++                index = alloca (sizeof (char) * gid_max +1);
++                memset (index, 0, sizeof (char) * gid_max + 1);
+ 	}
+ 
+ 	if (   (NULL != preferred_gid)
+@@ -142,11 +164,27 @@ int find_new_gid (int sys_group, gid_t *
+ 	gr_rewind ();
+ 	while (   ((grp = getgrent ()) != NULL)
+ 	       || ((grp = gr_next ()) != NULL)) {
+-		if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) {
+-			group_id = grp->gr_gid + 1;
++		if (sys_group == 0) {
++			if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) {
++				group_id = grp->gr_gid + 1;
++			}
++		}
++		else {
++ 	                /* create index of occupied system accounts GIDs */
++			if (grp->gr_gid <= gid_max)
++ 				index[grp->gr_gid] = 1;
+ 		}
+ 	}
+ 
++        /* find free system account */
++        if(sys_group) {
++                for( group_id = gid_max; (group_id >= gid_min) && index[group_id]; group_id--);
++                if ( group_id < gid_min ) {
++       			fputs (_("Can't get unique GID (no more available GIDs)\n"), stderr);
++			return -1;
++       		}
++        }
++
+ 	/*
+ 	 * If a group with GID equal to GID_MAX exists, the above algorithm
+ 	 * will give us GID_MAX+1 even if not unique. Search for the first

shadow-4.1.2-gmSEGV.patch

@@ -0,0 +1,30 @@
+diff -up shadow-4.1.2/src/groupmems.c.gmSEGV shadow-4.1.2/src/groupmems.c
+--- shadow-4.1.2/src/groupmems.c.gmSEGV	2008-04-22 22:05:11.000000000 +0200
++++ shadow-4.1.2/src/groupmems.c	2008-09-02 08:30:52.000000000 +0200
+@@ -95,7 +95,7 @@ static char *whoami (void)
+ 	}
+ }
+ 
+-static void addtogroup (char *user, char **members)
++static char **addtogroup (char *user, char **members)
+ {
+ 	int i;
+ 
+@@ -109,6 +109,8 @@ static void addtogroup (char *user, char
+ 	members = (char **) realloc (members, sizeof (char *) * (i+2));
+ 	members[i] = user;
+ 	members[i + 1] = NULL;
++
++	return members;
+ }
+ 
+ static void rmfromgroup (char *user, char **members)
+@@ -285,7 +287,7 @@ int main (int argc, char **argv) 
+ 	grp = (struct group *) gr_locate (name);
+ 
+ 	if (NULL != adduser) {
+-		addtogroup (adduser, grp->gr_mem);
++		grp->gr_mem = addtogroup (adduser, grp->gr_mem);
+ 		gr_update (grp);
+ 	} else if (NULL != deluser) {
+ 		rmfromgroup (deluser, grp->gr_mem);

shadow-utils.spec

@@ -4,34 +4,30 @@
 
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
-Version: 4.1.0
-Release: 5%{?dist}
+Version: 4.1.1
+Release: 4%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
 Source1: shadow-4.0.17-login.defs
 Source2: shadow-4.0.18.1-useradd
 
-Patch0: shadow-4.1.0-redhat.patch
-Patch1: shadow-4.0.3-noinst.patch
-Patch2: shadow-4.1.0-goodname.patch
-Patch3: shadow-4.1.0-lOption.patch
-Patch4: shadow-4.1.0-selinux.patch
-Patch5: shadow-4.0.18.1-sysAccount.patch
-Patch6: shadow-4.0.18.1-findNewUidOnce.patch
-Patch7: shadow-4.0.18.1-mtime.patch
-Patch8: shadow-4.1.0-audit-newgrp.patch
-Patch9: shadow-4.1.0-segfault.patch
-Patch10: shadow-4.1.0-fasterReset.patch
+Patch0: shadow-4.1.1-redhat.patch
+Patch1: shadow-4.1.1-audit.patch
+Patch3: shadow-4.1.0-goodname.patch
+Patch4: shadow-4.1.1-selinux.patch
+Patch5: shadow-4.1.1-sysAccountDownhill.patch
+Patch6: shadow-4.1.1-saltSize.patch
+Patch7: shadow-4.1.2-gmSEGV.patch
 
 License: BSD
 Group: System Environment/Base
 BuildRequires: autoconf, automake, libtool, gettext-devel
 BuildRequires: libselinux-devel >= 1.25.2-1
-BuildRequires: audit-libs-devel >= 1.0.10
-Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: audit-libs-devel >= 1.6.5
 Requires: libselinux >= 1.25.2-1
-Requires: audit-libs >= 1.0.10
+Requires: audit-libs >= 1.6.5
+Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %description
 The shadow-utils package includes the necessary programs for
@@ -48,16 +44,13 @@ are used for managing group accounts.
 %prep
 %setup -q -n shadow-%{version}
 %patch0 -p1 -b .redhat
-%patch1 -p1 -b .noinst
-%patch2 -p1 -b .goodname
-%patch3 -p1 -b .lOption
+%patch1 -p1 -b .audit
+%patch3 -p1 -b .goodname
 %patch4 -p1 -b .selinux
-%patch5 -p1 -b .sysAccount
-%patch6 -p1 -b .findNewUidOnce
-%patch7 -p1 -b .mtime
-%patch8 -p1 -b .auditNewgrp
-%patch9 -p1 -b .segfault
-%patch10 -p1 -b .fasterReset
+%patch5 -p1 -b .sysAccountDownhill
+%patch6 -p1 -b .saltSize
+%patch7 -p1 -b .gmSEGV
+
 
 rm po/*.gmo
 rm po/stamp-po
@@ -69,16 +62,15 @@ autoconf
 
 %build
 %configure \
-	--disable-desrpc \
 	--enable-shadowgrp \
-	--without-libcrack \
-	--with-libcrypt \
+	--with-audit \
+	--with-sha-crypt \
 %if %{WITH_SELINUX}
 	--with-selinux \
 %endif
+	--without-libcrack \
 	--without-libpam \
-	--disable-shared \
-	--with-libaudit
+	--disable-shared
 make 
 
 %install
@@ -197,6 +189,18 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Thu Sep 02 2008 Peter Vrabec <pvrabec@redhat.com> 2:4.1.1-4
+- fix groupmems issues (#459825)
+
+* Mon Jul 28 2008 Peter Vrabec <pvrabec@redhat.com> 2:4.1.1-3
+- fix configure options (#456748)
+
+* Tue May 20 2008 Peter Vrabec <pvrabec@redhat.com> 2:4.1.1-2
+- fix salt size problem (#447136)
+
+* Mon Apr 07 2008 Peter Vrabec <pvrabec@redhat.com> 2:4.1.1-1
+- upgrade
+
 * Fri Mar 07 2008 Peter Vrabec <pvrabec@redhat.com> 2:4.1.0-5
 - improve newgrp audit patch
 

sources

@@ -1,3 +1,3 @@
 e91727c55dbafc9915250e31535f13bb  shadow-4.0.17-login.defs
 ebdf46b79f9b414353c9ae8aba4d55cc  shadow-4.0.18.1-useradd
-dd6ca3ac424b447962d7a7af923b7bda  shadow-4.1.0.tar.bz2
+b1aa30abb3cce16a37b53e45e1ec70a4  shadow-4.1.1.tar.bz2