change package name so "shadow-utils" won't attempt to update

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>

.cvsignore

@@ -1 +0,0 @@
-shadow-20000902.tar.bz2

.gitignore

@@ -0,0 +1,12 @@
+shadow-4.1.4.2.tar.bz2
+/shadow-4.1.4.3.tar.bz2
+/shadow-4.1.5.tar.bz2
+/shadow-4.1.5.1.tar.bz2
+/shadow-4.1.5.1.tar.bz2.sig
+/shadow-4.2.1.tar.xz
+/shadow-4.2.1.tar.xz.sig
+/shadow-4.3.1.tar.gz
+/shadow-4.5.tar.xz
+/shadow-4.5.tar.xz.asc
+/shadow-4.6.tar.xz
+/shadow-4.6.tar.xz.asc

Makefile

@@ -1,6 +0,0 @@
-# Makefile for source rpm: shadow-utils
-# $Id$
-NAME := shadow-utils
-SPECFILE = $(firstword $(wildcard *.spec))
-
-include ../common/Makefile.common

gpl-2.0.txt

@@ -0,0 +1,339 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.

shadow-4.1.5.1-default-range.patch

@@ -0,0 +1,36 @@
+Index: shadow-4.5/lib/semanage.c
+===================================================================
+--- shadow-4.5.orig/lib/semanage.c
++++ shadow-4.5/lib/semanage.c
+@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
+ 		goto done;
+ 	}
+ 
++#if 0
+ 	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+ 	if (ret != 0) {
+ 		fprintf (stderr,
+@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
+ 		ret = 1;
+ 		goto done;
+ 	}
++#endif
+ 
+ 	ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
+ 	if (ret != 0) {
+@@ -200,6 +202,7 @@ static int semanage_user_add (semanage_h
+ 		goto done;
+ 	}
+ 
++#if 0
+ 	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+ 	if (ret != 0) {
+ 		fprintf (stderr,
+@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
+ 		ret = 1;
+ 		goto done;
+ 	}
++#endif
+ 
+ 	ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
+ 	if (ret != 0) {

shadow-4.1.5.1-info-parent-dir.patch

@@ -0,0 +1,21 @@
+Index: shadow-4.5/man/newusers.8.xml
+===================================================================
+--- shadow-4.5.orig/man/newusers.8.xml
++++ shadow-4.5/man/newusers.8.xml
+@@ -218,7 +218,15 @@
+ 	  <para>
+ 	    If this field does not specify an existing directory, the
+ 	    specified directory is created, with ownership set to the
+-	    user being created or updated and its primary group.
++	    user being created or updated and its primary group. Note 
++            that newusers does not create parent directories of the new 
++            user's home directory. The newusers command will fail to 
++            create the home directory if the parent directories do not 
++            exist, and will send a message to stderr informing the user 
++            of the failure. The newusers command will not halt or return 
++            a failure to the calling shell if it fails to create the home 
++            directory, it will continue to process the batch of new users 
++            specified.
+ 	  </para>
+ 	  <para>
+ 	    If the home directory of an existing user is changed,

shadow-4.1.5.1-logmsg.patch

@@ -0,0 +1,13 @@
+Index: shadow-4.5/src/useradd.c
+===================================================================
+--- shadow-4.5.orig/src/useradd.c
++++ shadow-4.5/src/useradd.c
+@@ -323,7 +323,7 @@ static void fail_exit (int code)
+ 	              user_name, AUDIT_NO_ID,
+ 	              SHADOW_AUDIT_FAILURE);
+ #endif
+-	SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
++	SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
+ 	exit (code);
+ }
+ 

shadow-4.1.5.1-userdel-helpfix.patch

@@ -0,0 +1,16 @@
+Index: shadow-4.5/src/userdel.c
+===================================================================
+--- shadow-4.5.orig/src/userdel.c
++++ shadow-4.5/src/userdel.c
+@@ -143,8 +143,9 @@ static void usage (int status)
+ 	                  "\n"
+ 	                  "Options:\n"),
+ 	                Prog);
+-	(void) fputs (_("  -f, --force                   force removal of files,\n"
+-	                "                                even if not owned by user\n"),
++	(void) fputs (_("  -f, --force                   force some actions that would fail otherwise\n"
++			"                                e.g. removal of user still logged in\n"
++			"                                or files, even if not owned by the user\n"),
+ 	              usageout);
+ 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
+ 	(void) fputs (_("  -r, --remove                  remove home directory and mail spool\n"), usageout);

shadow-4.2.1-date-parsing.patch

@@ -0,0 +1,69 @@
+Index: shadow-4.5/libmisc/getdate.y
+===================================================================
+--- shadow-4.5.orig/libmisc/getdate.y
++++ shadow-4.5/libmisc/getdate.y
+@@ -152,6 +152,7 @@ static int	yyHaveDay;
+ static int	yyHaveRel;
+ static int	yyHaveTime;
+ static int	yyHaveZone;
++static int      yyHaveYear;
+ static int	yyTimezone;
+ static int	yyDay;
+ static int	yyHour;
+@@ -293,18 +294,21 @@ date	: tUNUMBER '/' tUNUMBER {
+ 	      yyDay = $3;
+ 	      yyYear = $5;
+ 	    }
++	    yyHaveYear++;
+ 	}
+ 	| tUNUMBER tSNUMBER tSNUMBER {
+ 	    /* ISO 8601 format.  yyyy-mm-dd.  */
+ 	    yyYear = $1;
+ 	    yyMonth = -$2;
+ 	    yyDay = -$3;
++	    yyHaveYear++;
+ 	}
+ 	| tUNUMBER tMONTH tSNUMBER {
+ 	    /* e.g. 17-JUN-1992.  */
+ 	    yyDay = $1;
+ 	    yyMonth = $2;
+ 	    yyYear = -$3;
++	    yyHaveYear++;
+ 	}
+ 	| tMONTH tUNUMBER {
+ 	    yyMonth = $1;
+@@ -314,6 +318,7 @@ date	: tUNUMBER '/' tUNUMBER {
+ 	    yyMonth = $1;
+ 	    yyDay = $2;
+ 	    yyYear = $4;
++	    yyHaveYear++;
+ 	}
+ 	| tUNUMBER tMONTH {
+ 	    yyMonth = $2;
+@@ -323,6 +328,7 @@ date	: tUNUMBER '/' tUNUMBER {
+ 	    yyMonth = $2;
+ 	    yyDay = $1;
+ 	    yyYear = $3;
++	    yyHaveYear++;
+ 	}
+ 	;
+ 
+@@ -395,7 +401,8 @@ relunit	: tUNUMBER tYEAR_UNIT {
+ 
+ number	: tUNUMBER
+           {
+-	    if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0))
++	    if ((yyHaveTime != 0 || $1 >= 100) && !yyHaveYear
++		&& (yyHaveDate != 0) && (yyHaveRel == 0))
+ 	      yyYear = $1;
+ 	    else
+ 	      {
+@@ -802,7 +809,7 @@ yylex (void)
+ 	  return LookupWord (buff);
+ 	}
+       if (c != '(')
+-	return *yyInput++;
++	return (unsigned char)*yyInput++;
+       Count = 0;
+       do
+ 	{

shadow-4.2.1-no-lock-dos.patch

@@ -0,0 +1,16 @@
+Index: shadow-4.5/lib/commonio.c
+===================================================================
+--- shadow-4.5.orig/lib/commonio.c
++++ shadow-4.5/lib/commonio.c
+@@ -140,7 +140,10 @@ static int do_lock_file (const char *fil
+ 	int retval;
+ 	char buf[32];
+ 
+-	fd = open (file, O_CREAT | O_EXCL | O_WRONLY, 0600);
++	/* We depend here on the fact, that the file name is pid-specific.
++	 * So no O_EXCL here and no DoS.
++	 */
++	fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
+ 	if (-1 == fd) {
+ 		if (log) {
+ 			(void) fprintf (stderr,

shadow-4.2.1-null-tm.patch

@@ -0,0 +1,91 @@
+Index: shadow-4.5/src/faillog.c
+===================================================================
+--- shadow-4.5.orig/src/faillog.c
++++ shadow-4.5/src/faillog.c
+@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
+ 	}
+ 
+ 	tm = localtime (&fl.fail_time);
++	if (tm == NULL) {
++		cp = "(unknown)";
++	} else {
+ #ifdef HAVE_STRFTIME
+-	strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
+-	cp = ptime;
++		strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
++		cp = ptime;
+ #endif
++	}
+ 	printf ("%-9s   %5d    %5d   ",
+ 	        pw->pw_name, fl.fail_cnt, fl.fail_max);
+ 	/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
+Index: shadow-4.5/src/chage.c
+===================================================================
+--- shadow-4.5.orig/src/chage.c
++++ shadow-4.5/src/chage.c
+@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
+ 	struct tm *tp;
+ 
+ 	tp = gmtime (&date);
++	if (tp == NULL) {
++		(void) snprintf (buf, maxsize, "(unknown)");
++		return;
++	}
+ #ifdef HAVE_STRFTIME
+ 	(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
+ #else
+Index: shadow-4.5/src/lastlog.c
+===================================================================
+--- shadow-4.5.orig/src/lastlog.c
++++ shadow-4.5/src/lastlog.c
+@@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
+ 
+ 	ll_time = ll.ll_time;
+ 	tm = localtime (&ll_time);
++	if (tm == NULL) {
++		cp = "(unknown)";
++	} else {
+ #ifdef HAVE_STRFTIME
+-	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+-	cp = ptime;
++		strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
++		cp = ptime;
+ #else
+-	cp = asctime (tm);
+-	cp[24] = '\0';
++		cp = asctime (tm);
++		cp[24] = '\0';
+ #endif
++	}
+ 
+ 	if (ll.ll_time == (time_t) 0) {
+ 		cp = _("**Never logged in**\0");
+Index: shadow-4.5/src/passwd.c
+===================================================================
+--- shadow-4.5.orig/src/passwd.c
++++ shadow-4.5/src/passwd.c
+@@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
+ 	struct tm *tm;
+ 
+ 	tm = gmtime (&t);
++	if (tm == NULL) {
++		return "(unknown)";
++	}
+ #ifdef HAVE_STRFTIME
+ 	(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
+ #else				/* !HAVE_STRFTIME */
+Index: shadow-4.5/src/usermod.c
+===================================================================
+--- shadow-4.5.orig/src/usermod.c
++++ shadow-4.5/src/usermod.c
+@@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
+ 	} else {
+ 		time_t t = (time_t) date;
+ 		tp = gmtime (&t);
++		if (tp == NULL) {
++			strncpy (buf, "unknown", maxsize);
++			return;
++		}
+ #ifdef HAVE_STRFTIME
+ 		strftime (buf, maxsize, "%Y-%m-%d", tp);
+ #else

shadow-4.3.1-manfix.patch

@@ -0,0 +1,266 @@
+Index: shadow-4.5/man/groupmems.8.xml
+===================================================================
+--- shadow-4.5.orig/man/groupmems.8.xml
++++ shadow-4.5/man/groupmems.8.xml
+@@ -179,20 +179,10 @@
+   <refsect1 id='setup'>
+     <title>SETUP</title>
+     <para>
+-      The <command>groupmems</command> executable should be in mode
+-      <literal>2770</literal> as user <emphasis>root</emphasis> and in group
+-      <emphasis>groups</emphasis>. The system administrator can add users to
+-      group <emphasis>groups</emphasis> to allow or disallow them using the
+-      <command>groupmems</command> utility to manage their own group
+-      membership list.
++      In this operating system the <command>groupmems</command> executable
++      is not setuid and regular users cannot use it to manipulate
++      the membership of their own group.
+     </para>
+-
+-    <programlisting>
+-	$ groupadd -r groups
+-	$ chmod 2770 groupmems
+-	$ chown root.groups groupmems
+-	$ groupmems -g groups -a gk4
+-    </programlisting>
+   </refsect1>
+ 
+   <refsect1 id='configuration'>
+Index: shadow-4.5/man/chage.1.xml
+===================================================================
+--- shadow-4.5.orig/man/chage.1.xml
++++ shadow-4.5/man/chage.1.xml
+@@ -102,6 +102,9 @@
+ 	    Set the number of days since January 1st, 1970 when the password
+ 	    was last changed. The date may also be expressed in the format
+ 	    YYYY-MM-DD (or the format more commonly used in your area).
++	    If the <replaceable>LAST_DAY</replaceable> is set to
++	    <emphasis>0</emphasis> the user is forced to change his password
++	    on the next log on.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -119,6 +122,13 @@
+ 	    system again.
+ 	  </para>
+ 	  <para>
++	    For example the following can be used to set an account to expire
++	    in 180 days:
++	  </para>
++	  <programlisting>
++	    chage -E $(date -d +180days +%Y-%m-%d)
++	  </programlisting>
++	  <para>
+ 	    Passing the number <emphasis remap='I'>-1</emphasis> as the
+ 	    <replaceable>EXPIRE_DATE</replaceable> will remove an account
+ 	    expiration date.
+Index: shadow-4.5/man/ja/man5/login.defs.5
+===================================================================
+--- shadow-4.5.orig/man/ja/man5/login.defs.5
++++ shadow-4.5/man/ja/man5/login.defs.5
+@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_
+ shadow パスワード機能のどのプログラムが
+ どのパラメータを使用するかを示したものである。
+ .na
+-.IP chfn 12
+-CHFN_AUTH CHFN_RESTRICT
+-.IP chsh 12
+-CHFN_AUTH
+ .IP groupadd 12
+ GID_MAX GID_MIN
+ .IP newusers 12
+Index: shadow-4.5/man/login.defs.5.xml
+===================================================================
+--- shadow-4.5.orig/man/login.defs.5.xml
++++ shadow-4.5/man/login.defs.5.xml
+@@ -162,6 +162,17 @@
+       long numeric parameters is machine-dependent.
+     </para>
+ 
++    <para>
++      Please note that the parameters in this configuration file control the
++      behavior of the tools from the shadow-utils component. None of these
++      tools uses the PAM mechanism, and the utilities that use PAM (such as the
++      passwd command) should be configured elsewhere. The only values that
++      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
++      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
++      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
++      pam(8) for more information.
++    </para>
++
+     <para>The following configuration items are provided:</para>
+ 
+     <variablelist remap='IP'>
+@@ -252,16 +263,6 @@
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+-	<term>chfn</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CHFN_AUTH</phrase>
+-	    CHFN_RESTRICT
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+ 	<term>chgpasswd</term>
+ 	<listitem>
+ 	  <para>
+@@ -282,14 +283,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry condition="no_pam">
+-	<term>chsh</term>
+-	<listitem>
+-	  <para>
+-	    CHSH_AUTH LOGIN_STRING
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
+       <!-- faillog: no variables -->
+       <varlistentry>
+@@ -350,34 +343,6 @@
+       </varlistentry>
+       <!-- id: no variables -->
+       <!-- lastlog: no variables -->
+-      <varlistentry>
+-	<term>login</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
+-	    ENV_TZ ENVIRON_FILE</phrase>
+-	    ERASECHAR FAIL_DELAY
+-	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
+-	    FAKE_SHELL
+-	    <phrase condition="no_pam">FTMP_FILE</phrase>
+-	    HUSHLOGIN_FILE
+-	    <phrase condition="no_pam">ISSUE_FILE</phrase>
+-	    KILLCHAR
+-	    <phrase condition="no_pam">LASTLOG_ENAB</phrase>
+-	    LOGIN_RETRIES
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
+-	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
+-	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
+-	    QUOTAS_ENAB</phrase>
+-	    TTYGROUP TTYPERM TTYTYPE_FILE
+-	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
+-	    USERGROUPS_ENAB
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- logoutd: no variables -->
+       <varlistentry>
+ 	<term>newgrp / sg</term>
+@@ -405,17 +370,6 @@
+ 	</listitem>
+       </varlistentry>
+       <!-- nologin: no variables -->
+-      <varlistentry condition="no_pam">
+-	<term>passwd</term>
+-	<listitem>
+-	  <para>
+-	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
+-	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
+-	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+-	    SHA_CRYPT_MIN_ROUNDS</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>pwck</term>
+ 	<listitem>
+@@ -442,32 +396,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>su</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
+-	    ENV_PATH ENV_SUPATH
+-	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
+-	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
+-	    SULOG_FILE SU_NAME
+-	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
+-	    SYSLOG_SU_ENAB
+-	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+-	<term>sulogin</term>
+-	<listitem>
+-	  <para>
+-	    ENV_HZ
+-	    <phrase condition="no_pam">ENV_TZ</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>useradd</term>
+ 	<listitem>
+Index: shadow-4.5/man/shadow.5.xml
+===================================================================
+--- shadow-4.5.orig/man/shadow.5.xml
++++ shadow-4.5/man/shadow.5.xml
+@@ -208,8 +208,8 @@
+ 	  </para>
+ 	  <para>
+ 	    After expiration of the password and this expiration period is
+-	    elapsed, no login is possible using the current user's
+-	    password.  The user should contact her administrator.
++	    elapsed, no login is possible for the user.
++	    The user should contact her administrator.
+ 	  </para>
+ 	  <para>
+ 	    An empty field means that there are no enforcement of an
+Index: shadow-4.5/man/useradd.8.xml
+===================================================================
+--- shadow-4.5.orig/man/useradd.8.xml
++++ shadow-4.5/man/useradd.8.xml
+@@ -347,6 +347,11 @@
+ 	    <option>CREATE_HOME</option> is not enabled, no home
+ 	    directories are created.
+ 	  </para>
++	  <para>
++	    The directory where the user's home directory is created must
++	    exist and have proper SELinux context and permissions. Otherwise
++	    the user's home directory cannot be created or accessed.
++	  </para>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+Index: shadow-4.5/man/usermod.8.xml
+===================================================================
+--- shadow-4.5.orig/man/usermod.8.xml
++++ shadow-4.5/man/usermod.8.xml
+@@ -132,7 +132,8 @@
+ 	    If the <option>-m</option>
+ 	    option is given, the contents of the current home directory will
+ 	    be moved to the new home directory, which is created if it does
+-	    not already exist.
++	    not already exist. If the current home directory does not exist
++	    the new home directory will not be created.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -256,7 +257,8 @@
+ 	<listitem>
+ 	  <para>
+ 	    Move the content of the user's home directory to the new
+-	    location.
++	    location. If the current home directory does not exist
++	    the new home directory will not be created.
+ 	  </para>
+ 	  <para>
+ 	    This option is only valid in combination with the

shadow-4.3.1-selinux-perms.patch

@@ -0,0 +1,277 @@
+Index: shadow-4.5/src/chgpasswd.c
+===================================================================
+--- shadow-4.5.orig/src/chgpasswd.c
++++ shadow-4.5/src/chgpasswd.c
+@@ -39,6 +39,13 @@
+ #include <pwd.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#include <selinux/avc.h>
++#endif
++#ifdef WITH_LIBAUDIT
++#include <libaudit.h>
++#endif
+ #ifdef ACCT_TOOLS_SETUID
+ #ifdef USE_PAM
+ #include "pam_defs.h"
+@@ -76,6 +83,9 @@ static bool sgr_locked = false;
+ #endif
+ static bool gr_locked = false;
+ 
++/* The name of the caller */
++static char *myname = NULL;
++
+ /* local function prototypes */
+ static void fail_exit (int code);
+ static /*@noreturn@*/void usage (int status);
+@@ -300,6 +310,63 @@ static void check_perms (void)
+ #endif				/* ACCT_TOOLS_SETUID */
+ }
+ 
++#ifdef WITH_SELINUX
++static int
++log_callback (int type, const char *fmt, ...)
++{
++    int audit_fd;
++    va_list ap;
++
++    va_start(ap, fmt);
++#ifdef WITH_AUDIT
++    audit_fd = audit_open();
++
++    if (audit_fd >= 0) {
++	char *buf;
++
++	if (vasprintf (&buf, fmt, ap) < 0)
++		goto ret;
++	audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
++				   NULL, 0);
++	audit_close(audit_fd);
++	free(buf);
++	goto ret;
++    }
++
++#endif
++    vsyslog (LOG_USER | LOG_INFO, fmt, ap);
++ret:
++    va_end(ap);
++    return 0;
++}
++
++static void
++selinux_check_root (void)
++{
++    int status = -1;
++    security_context_t user_context;
++    union selinux_callback old_callback;
++
++    if (is_selinux_enabled() < 1)
++	return;
++
++    old_callback = selinux_get_callback(SELINUX_CB_LOG);
++    /* setup callbacks */
++    selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
++    if ((status = getprevcon(&user_context)) < 0) {
++	selinux_set_callback(SELINUX_CB_LOG, old_callback);
++	exit(1);
++    }
++
++    status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
++
++    selinux_set_callback(SELINUX_CB_LOG, old_callback);
++    freecon(user_context);
++    if (status != 0 && security_getenforce() != 0)
++	exit(1);
++}
++#endif
++
+ /*
+  * open_files - lock and open the group databases
+  */
+@@ -393,6 +460,7 @@ int main (int argc, char **argv)
+ 
+ 	const struct group *gr;
+ 	struct group newgr;
++	struct passwd *pw = NULL;
+ 	int errors = 0;
+ 	int line = 0;
+ 
+@@ -408,8 +476,33 @@ int main (int argc, char **argv)
+ 
+ 	OPENLOG ("chgpasswd");
+ 
++#ifdef WITH_AUDIT
++	audit_help_open ();
++#endif
++
++	/*
++	 * Determine the name of the user that invoked this command. This
++	 * is really hit or miss because there are so many ways that command
++	 * can be executed and so many ways to trip up the routines that
++	 * report the user name.
++	 */
++	pw = get_my_pwent ();
++	if (NULL == pw) {
++		fprintf (stderr, _("%s: Cannot determine your user name.\n"),
++		         Prog);
++		SYSLOG ((LOG_WARN,
++		         "Cannot determine the user name of the caller (UID %lu)",
++		         (unsigned long) getuid ()));
++		exit (E_NOPERM);
++	}
++	myname = xstrdup (pw->pw_name);
++
+ 	check_perms ();
+ 
++#ifdef WITH_SELINUX
++	selinux_check_root ();
++#endif
++
+ #ifdef SHADOWGRP
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
+@@ -536,6 +629,15 @@ int main (int argc, char **argv)
+ 			newgr.gr_passwd = cp;
+ 		}
+ 
++#ifdef WITH_AUDIT
++		{
++
++			audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
++		              "change-password",
++		              myname, AUDIT_NO_ID, gr->gr_name,
++		              SHADOW_AUDIT_SUCCESS);
++		}
++#endif
+ 		/* 
+ 		 * The updated group file entry is then put back and will
+ 		 * be written to the group file later, after all the
+Index: shadow-4.5/src/chpasswd.c
+===================================================================
+--- shadow-4.5.orig/src/chpasswd.c
++++ shadow-4.5/src/chpasswd.c
+@@ -39,6 +39,13 @@
+ #include <pwd.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#include <selinux/avc.h>
++#endif
++#ifdef WITH_LIBAUDIT
++#include <libaudit.h>
++#endif
+ #ifdef USE_PAM
+ #include "pam_defs.h"
+ #endif				/* USE_PAM */
+@@ -297,6 +304,63 @@ static void check_perms (void)
+ #endif				/* USE_PAM */
+ }
+ 
++#ifdef WITH_SELINUX
++static int
++log_callback (int type, const char *fmt, ...)
++{
++    int audit_fd;
++    va_list ap;
++
++    va_start(ap, fmt);
++#ifdef WITH_AUDIT
++    audit_fd = audit_open();
++
++    if (audit_fd >= 0) {
++	char *buf;
++
++	if (vasprintf (&buf, fmt, ap) < 0)
++		goto ret;
++	audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
++				   NULL, 0);
++	audit_close(audit_fd);
++	free(buf);
++	goto ret;
++    }
++
++#endif
++    vsyslog (LOG_USER | LOG_INFO, fmt, ap);
++ret:
++    va_end(ap);
++    return 0;
++}
++
++static void
++selinux_check_root (void)
++{
++    int status = -1;
++    security_context_t user_context;
++    union selinux_callback old_callback;
++
++    if (is_selinux_enabled() < 1)
++	return;
++
++    old_callback = selinux_get_callback(SELINUX_CB_LOG);
++    /* setup callbacks */
++    selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
++    if ((status = getprevcon(&user_context)) < 0) {
++	selinux_set_callback(SELINUX_CB_LOG, old_callback);
++	exit(1);
++    }
++
++    status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
++
++    selinux_set_callback(SELINUX_CB_LOG, old_callback);
++    freecon(user_context);
++    if (status != 0 && security_getenforce() != 0)
++	exit(1);
++}
++#endif
++
+ /*
+  * open_files - lock and open the password databases
+  */
+@@ -405,8 +469,16 @@ int main (int argc, char **argv)
+ 
+ 	OPENLOG ("chpasswd");
+ 
++#ifdef WITH_AUDIT
++	audit_help_open ();
++#endif
++
+ 	check_perms ();
+ 
++#ifdef WITH_SELINUX
++	selinux_check_root ();
++#endif
++
+ #ifdef USE_PAM
+ 	if (!use_pam)
+ #endif				/* USE_PAM */
+@@ -566,6 +638,11 @@ int main (int argc, char **argv)
+ 			newpw.pw_passwd = cp;
+ 		}
+ 
++#ifdef WITH_AUDIT
++		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++		              "updating-password",
++		              pw->pw_name, (unsigned int) pw->pw_uid, 1);
++#endif
+ 		/* 
+ 		 * The updated password file entry is then put back and will
+ 		 * be written to the password file later, after all the
+Index: shadow-4.5/src/Makefile.am
+===================================================================
+--- shadow-4.5.orig/src/Makefile.am
++++ shadow-4.5/src/Makefile.am
+@@ -87,9 +87,9 @@ chage_LDADD    = $(LDADD) $(LIBPAM_SUID)
+ newuidmap_LDADD    = $(LDADD) $(LIBSELINUX)
+ newgidmap_LDADD    = $(LDADD) $(LIBSELINUX)
+ chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
++chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
+ chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
++chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
+ gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+ groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)

shadow-4.5-crypt_h.patch

@@ -0,0 +1,41 @@
+Index: shadow-4.5/configure.ac
+===================================================================
+--- shadow-4.5.orig/configure.ac
++++ shadow-4.5/configure.ac
+@@ -32,9 +32,9 @@ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+ AC_HEADER_STDBOOL
+ 
+-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
+-	utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
+-	utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
++AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h \
++	utmp.h utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h \
++	paths.h utime.h ulimit.h sys/resource.h gshadow.h lastlog.h \
+ 	locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
+ 	attr/error_context.h)
+ 
+Index: shadow-4.5/lib/defines.h
+===================================================================
+--- shadow-4.5.orig/lib/defines.h
++++ shadow-4.5/lib/defines.h
+@@ -4,6 +4,8 @@
+ #ifndef _DEFINES_H_
+ #define _DEFINES_H_
+ 
++#include "config.h"
++
+ #if HAVE_STDBOOL_H
+ # include <stdbool.h>
+ #else
+@@ -94,6 +96,10 @@ char *strchr (), *strrchr (), *strtok ()
+ # include <unistd.h>
+ #endif
+ 
++#if HAVE_CRYPT_H
++# include <crypt.h>		/* crypt(3) may be defined in here */
++#endif
++
+ #if TIME_WITH_SYS_TIME
+ # include <sys/time.h>
+ # include <time.h>

shadow-4.5-goodname.patch

@@ -0,0 +1,96 @@
+Index: shadow-4.5/libmisc/chkname.c
+===================================================================
+--- shadow-4.5.orig/libmisc/chkname.c
++++ shadow-4.5/libmisc/chkname.c
+@@ -47,27 +47,46 @@
+ #include "chkname.h"
+ 
+ static bool is_valid_name (const char *name)
+-{
++{      
+ 	/*
+-	 * User/group names must match [a-z_][a-z0-9_-]*[$]
+-	 */
+-	if (('\0' == *name) ||
+-	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
++         * User/group names must match gnu e-regex:
++         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
++         *
++         * as a non-POSIX, extension, allow "$" as the last char for
++         * sake of Samba 3.x "add machine script"
++         *
++         * Also do not allow fully numeric names or just "." or "..".
++         */
++	int numeric;
++
++	if ('\0' == *name ||
++	    ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
++			      '\0' == name[1])) ||
++	    !((*name >= 'a' && *name <= 'z') ||
++	      (*name >= 'A' && *name <= 'Z') ||
++	      (*name >= '0' && *name <= '9') ||
++	      *name == '_' ||
++	      *name == '.')) {
+ 		return false;
+ 	}
+ 
++	numeric = isdigit(*name);
++
+ 	while ('\0' != *++name) {
+-		if (!(( ('a' <= *name) && ('z' >= *name) ) ||
+-		      ( ('0' <= *name) && ('9' >= *name) ) ||
+-		      ('_' == *name) ||
+-		      ('-' == *name) ||
+-		      ( ('$' == *name) && ('\0' == *(name + 1)) )
++		if (!((*name >= 'a' && *name <= 'z') ||
++		      (*name >= 'A' && *name <= 'Z') ||
++		      (*name >= '0' && *name <= '9') ||
++		      *name == '_' ||
++		      *name == '.' ||
++		      *name == '-' ||
++		      (*name == '$' && name[1] == '\0')
+ 		     )) {
+ 			return false;
+ 		}
++		numeric &= isdigit(*name);
+ 	}
+ 
+-	return true;
++	return !numeric;
+ }
+ 
+ bool is_valid_user_name (const char *name)
+Index: shadow-4.5/man/groupadd.8.xml
+===================================================================
+--- shadow-4.5.orig/man/groupadd.8.xml
++++ shadow-4.5/man/groupadd.8.xml
+@@ -256,12 +256,6 @@
+    <refsect1 id='caveats'>
+      <title>CAVEATS</title>
+      <para>
+-       Groupnames must start with a lower case letter or an underscore,
+-       followed by lower case letters, digits, underscores, or dashes.
+-       They can end with a dollar sign.
+-       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+-     </para>
+-     <para>
+        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+      </para>
+      <para>
+Index: shadow-4.5/man/useradd.8.xml
+===================================================================
+--- shadow-4.5.orig/man/useradd.8.xml
++++ shadow-4.5/man/useradd.8.xml
+@@ -633,12 +633,6 @@
+     </para>
+ 
+     <para>
+-      Usernames must start with a lower case letter or an underscore,
+-      followed by lower case letters, digits, underscores, or dashes.
+-      They can end with a dollar sign.
+-      In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+-    </para>
+-    <para>
+       Usernames may only be up to 32 characters long.
+     </para>
+   </refsect1>

shadow-4.5-long-entry.patch

@@ -0,0 +1,84 @@
+diff -up shadow-4.5/lib/defines.h.long-entry shadow-4.5/lib/defines.h
+--- shadow-4.5/lib/defines.h.long-entry	2014-09-01 16:36:40.000000000 +0200
++++ shadow-4.5/lib/defines.h	2018-04-20 11:53:07.419308212 +0200
+@@ -382,4 +382,7 @@ extern char *strerror ();
+ # endif
+ #endif
+ 
++/* Maximum length of passwd entry */
++#define PASSWD_ENTRY_MAX_LENGTH 32768
++
+ #endif				/* _DEFINES_H_ */
+diff -up shadow-4.5/lib/pwio.c.long-entry shadow-4.5/lib/pwio.c
+--- shadow-4.5/lib/pwio.c.long-entry	2015-11-17 17:45:15.000000000 +0100
++++ shadow-4.5/lib/pwio.c	2018-04-20 12:10:24.400837235 +0200
+@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
+ 	    || (pw->pw_gid == (gid_t)-1)
+ 	    || (valid_field (pw->pw_gecos, ":\n") == -1)
+ 	    || (valid_field (pw->pw_dir, ":\n") == -1)
+-	    || (valid_field (pw->pw_shell, ":\n") == -1)) {
++	    || (valid_field (pw->pw_shell, ":\n") == -1)
++	    || (strlen (pw->pw_name) + strlen (pw->pw_passwd) +
++	        strlen (pw->pw_gecos) + strlen (pw->pw_dir) +
++	        strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) {
+ 		return -1;
+ 	}
+ 
+diff -up shadow-4.5/lib/sgetpwent.c.long-entry shadow-4.5/lib/sgetpwent.c
+--- shadow-4.5/lib/sgetpwent.c.long-entry	2014-09-01 16:36:40.000000000 +0200
++++ shadow-4.5/lib/sgetpwent.c	2018-04-20 12:16:31.911513808 +0200
+@@ -57,7 +57,7 @@
+ struct passwd *sgetpwent (const char *buf)
+ {
+ 	static struct passwd pwent;
+-	static char pwdbuf[1024];
++	static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH];
+ 	register int i;
+ 	register char *cp;
+ 	char *fields[NFIELDS];
+@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu
+ 	 * the password structure remain valid.
+ 	 */
+ 
+-	if (strlen (buf) >= sizeof pwdbuf)
++	if (strlen (buf) >= sizeof pwdbuf) {
++		fprintf (stderr, "Too long passwd entry encountered, file corruption?\n");
+ 		return 0;	/* fail if too long */
++	}
+ 	strcpy (pwdbuf, buf);
+ 
+ 	/*
+diff -up shadow-4.5/lib/sgetspent.c.long-entry shadow-4.5/lib/sgetspent.c
+--- shadow-4.5/lib/sgetspent.c.long-entry	2014-09-01 16:36:40.000000000 +0200
++++ shadow-4.5/lib/sgetspent.c	2018-04-20 12:16:54.505056257 +0200
+@@ -48,7 +48,7 @@
+  */
+ struct spwd *sgetspent (const char *string)
+ {
+-	static char spwbuf[1024];
++	static char spwbuf[PASSWD_ENTRY_MAX_LENGTH];
+ 	static struct spwd spwd;
+ 	char *fields[FIELDS];
+ 	char *cp;
+@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri
+ 	 */
+ 
+ 	if (strlen (string) >= sizeof spwbuf) {
++		fprintf (stderr, "Too long shadow entry encountered, file corruption?\n");
+ 		return 0;	/* fail if too long */
+ 	}
+ 	strcpy (spwbuf, string);
+diff -up shadow-4.5/lib/shadowio.c.long-entry shadow-4.5/lib/shadowio.c
+--- shadow-4.5/lib/shadowio.c.long-entry	2016-12-07 06:30:41.000000001 +0100
++++ shadow-4.5/lib/shadowio.c	2018-04-20 12:12:03.292171667 +0200
+@@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
+ 
+ 	if (   (NULL == sp)
+ 	    || (valid_field (sp->sp_namp, ":\n") == -1)
+-	    || (valid_field (sp->sp_pwdp, ":\n") == -1)) {
++	    || (valid_field (sp->sp_pwdp, ":\n") == -1)
++	    || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) +
++	        1000 > PASSWD_ENTRY_MAX_LENGTH)) {
+ 		return -1;
+ 	}
+ 

shadow-4.5-usermod-unlock.patch

@@ -0,0 +1,64 @@
+Index: shadow-4.5/src/usermod.c
+===================================================================
+--- shadow-4.5.orig/src/usermod.c
++++ shadow-4.5/src/usermod.c
+@@ -455,14 +455,17 @@ static char *new_pw_passwd (char *pw_pas
+ 		strcat (buf, pw_pass);
+ 		pw_pass = buf;
+ 	} else if (Uflg && pw_pass[0] == '!') {
+-		char *s;
++		char *s = pw_pass;
+ 
+-		if (pw_pass[1] == '\0') {
++		while ('!' == *s)
++			++s;
++
++		if (*s == '\0') {
+ 			fprintf (stderr,
+ 			         _("%s: unlocking the user's password would result in a passwordless account.\n"
+ 			           "You should set a password with usermod -p to unlock this user's password.\n"),
+ 			         Prog);
+-			return pw_pass;
++			return NULL;
+ 		}
+ 
+ #ifdef WITH_AUDIT
+@@ -471,12 +474,15 @@ static char *new_pw_passwd (char *pw_pas
+ 		              user_newname, (unsigned int) user_newid, 1);
+ #endif
+ 		SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
+-		s = pw_pass;
+-		while ('\0' != *s) {
+-			*s = *(s + 1);
+-			s++;
+-		}
++		memmove (pw_pass, s, strlen (s) + 1);
+ 	} else if (pflg) {
++		if (strchr (user_pass, ':') != NULL) {
++			fprintf (stderr,
++			         _("%s: The password field cannot contain a colon character.\n"),
++			         Prog);
++			return NULL;
++
++		}
+ #ifdef WITH_AUDIT
+ 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ 		              "updating-password",
+@@ -525,6 +531,8 @@ static void new_pwent (struct passwd *pw
+ 	if (   (!is_shadow_pwd)
+ 	    || (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {
+ 		pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);
++		if (pwent->pw_passwd == NULL)
++			fail_exit (E_PW_UPDATE);
+ 	}
+ 
+ 	if (uflg) {
+@@ -639,6 +647,8 @@ static void new_spent (struct spwd *spen
+ 	 *  + aging has been requested
+ 	 */
+ 	spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
++	if (spent->sp_pwdp == NULL)
++		fail_exit(E_PW_UPDATE);
+ 
+ 	if (pflg) {
+ 		spent->sp_lstchg = (long) gettime () / SCALE;

shadow-4.6-getenforce.patch

@@ -0,0 +1,21 @@
+diff -up shadow-4.6/lib/selinux.c.getenforce shadow-4.6/lib/selinux.c
+--- shadow-4.6/lib/selinux.c.getenforce	2018-05-28 15:10:15.870315221 +0200
++++ shadow-4.6/lib/selinux.c	2018-05-28 15:10:15.894315731 +0200
+@@ -75,7 +75,7 @@ int set_selinux_file_context (const char
+ 	}
+ 	return 0;
+     error:
+-	if (security_getenforce () != 0) {
++	if (security_getenforce () > 0) {
+ 		return 1;
+ 	}
+ 	return 0;
+@@ -95,7 +95,7 @@ int reset_selinux_file_context (void)
+ 		selinux_checked = true;
+ 	}
+ 	if (selinux_enabled) {
+-		if (setfscreatecon (NULL) != 0) {
++		if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) {
+ 			return 1;
+ 		}
+ 	}

shadow-4.6-move-home.patch

@@ -0,0 +1,15 @@
+diff -up shadow-4.6/src/usermod.c.move-home shadow-4.6/src/usermod.c
+--- shadow-4.6/src/usermod.c.move-home	2018-05-28 14:59:05.594076665 +0200
++++ shadow-4.6/src/usermod.c	2018-05-28 15:00:28.479837392 +0200
+@@ -1845,6 +1845,11 @@ static void move_home (void)
+ 			         Prog, prefix_user_home, prefix_user_newhome);
+ 			fail_exit (E_HOMEDIR);
+ 		}
++	} else {
++		fprintf (stderr,
++		         _("%s: The previous home directory (%s) does "
++		           "not exist or is inaccessible. Move cannot be completed.\n"),
++		         Prog, prefix_user_home);
+ 	}
+ }
+ 

shadow-4.6-orig-context.patch

@@ -0,0 +1,128 @@
+diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c
+--- shadow-4.6/lib/commonio.c.orig-context	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/commonio.c	2018-05-28 14:56:37.287929667 +0200
+@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db *
+ 		snprintf (buf, sizeof buf, "%s-", db->filename);
+ 
+ #ifdef WITH_SELINUX
+-		if (set_selinux_file_context (buf) != 0) {
++		if (set_selinux_file_context (buf, db->filename) != 0) {
+ 			errors++;
+ 		}
+ #endif
+@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db *
+ 	snprintf (buf, sizeof buf, "%s+", db->filename);
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (buf) != 0) {
++	if (set_selinux_file_context (buf, db->filename) != 0) {
+ 		errors++;
+ 	}
+ #endif
+diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c
+--- shadow-4.6/libmisc/copydir.c.orig-context	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/libmisc/copydir.c	2018-05-28 14:56:37.287929667 +0200
+@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
+ 	 */
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
+ 	}
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		free (oldlink);
+ 		return -1;
+ 	}
+@@ -684,7 +684,7 @@ static int copy_special (const char *src
+ 	int err = 0;
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
+ 		return -1;
+ 	}
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h
+--- shadow-4.6/lib/prototypes.h.orig-context	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/prototypes.h	2018-05-28 14:56:37.287929667 +0200
+@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m
+ 
+ /* selinux.c */
+ #ifdef WITH_SELINUX
+-extern int set_selinux_file_context (const char *dst_name);
++extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
+ extern int reset_selinux_file_context (void);
+ #endif
+ 
+diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c
+--- shadow-4.6/lib/selinux.c.orig-context	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/selinux.c	2018-05-28 14:56:37.287929667 +0200
+@@ -50,7 +50,7 @@ static bool selinux_enabled;
+  *	Callers may have to Reset SELinux to create files with default
+  *	contexts with reset_selinux_file_context
+  */
+-int set_selinux_file_context (const char *dst_name)
++int set_selinux_file_context (const char *dst_name, const char *orig_name)
+ {
+ 	/*@null@*/security_context_t scontext = NULL;
+ 
+@@ -62,19 +62,23 @@ int set_selinux_file_context (const char
+ 	if (selinux_enabled) {
+ 		/* Get the default security context for this file */
+ 		if (matchpathcon (dst_name, 0, &scontext) < 0) {
+-			if (security_getenforce () != 0) {
+-				return 1;
+-			}
++			/* We could not get the default, copy the original */
++			if (orig_name == NULL)
++				goto error;
++			if (getfilecon (orig_name, &scontext) < 0)
++				goto error;
+ 		}
+ 		/* Set the security context for the next created file */
+-		if (setfscreatecon (scontext) < 0) {
+-			if (security_getenforce () != 0) {
+-				return 1;
+-			}
+-		}
++		if (setfscreatecon (scontext) < 0)
++			goto error;
+ 		freecon (scontext);
+ 	}
+ 	return 0;
++    error:
++	if (security_getenforce () != 0) {
++		return 1;
++	}
++	return 0;
+ }
+ 
+ /*
+diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c
+--- shadow-4.6/src/useradd.c.orig-context	2018-05-28 14:56:37.288929688 +0200
++++ shadow-4.6/src/useradd.c	2018-05-28 14:58:02.242730903 +0200
+@@ -2020,7 +2020,7 @@ static void create_home (void)
+ {
+ 	if (access (prefix_user_home, F_OK) != 0) {
+ #ifdef WITH_SELINUX
+-		if (set_selinux_file_context (prefix_user_home) != 0) {
++		if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
+ 			fprintf (stderr,
+ 			         _("%s: cannot set SELinux context for home directory %s\n"),
+ 			         Prog, user_home);

shadow-4.6-redhat.patch

@@ -0,0 +1,41 @@
+diff -up shadow-4.6/src/useradd.c.redhat shadow-4.6/src/useradd.c
+--- shadow-4.6/src/useradd.c.redhat	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/src/useradd.c	2018-05-28 13:37:16.695651258 +0200
+@@ -98,7 +98,7 @@ const char *Prog;
+ static gid_t def_group = 100;
+ static const char *def_gname = "other";
+ static const char *def_home = "/home";
+-static const char *def_shell = "";
++static const char *def_shell = "/sbin/nologin";
+ static const char *def_template = SKEL_DIR;
+ static const char *def_create_mail_spool = "no";
+ 
+@@ -108,7 +108,7 @@ static const char *def_expire = "";
+ #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
+ 
+ static const char *user_name = "";
+-static const char *user_pass = "!";
++static const char *user_pass = "!!";
+ static uid_t user_id;
+ static gid_t user_gid;
+ static const char *user_comment = "";
+@@ -1114,9 +1114,9 @@ static void process_flags (int argc, cha
+ 		};
+ 		while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:",
++		                         "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:UZ:",
+ #else				/* !WITH_SELINUX */
+-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U",
++		                         "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:P:s:u:U",
+ #endif				/* !WITH_SELINUX */
+ 		                         long_options, NULL)) != -1) {
+ 			switch (c) {
+@@ -1267,6 +1267,7 @@ static void process_flags (int argc, cha
+ 			case 'M':
+ 				Mflg = true;
+ 				break;
++			case 'n':
+ 			case 'N':
+ 				Nflg = true;
+ 				break;

shadow-4.6-selinux.patch

@@ -0,0 +1,115 @@
+diff -up shadow-4.6/lib/semanage.c.selinux shadow-4.6/lib/semanage.c
+--- shadow-4.6/lib/semanage.c.selinux	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/lib/semanage.c	2018-05-28 13:38:20.551008911 +0200
+@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
+ 
+ 	ret = 0;
+ 
++        /* drop obsolete matchpathcon cache */
++        matchpathcon_fini();
++
+ done:
+ 	semanage_seuser_key_free (key);
+ 	semanage_handle_destroy (handle);
+@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
+ 	}
+ 
+ 	ret = 0;
++
++        /* drop obsolete matchpathcon cache */
++        matchpathcon_fini();
++
+ done:
+ 	semanage_handle_destroy (handle);
+ 	return ret;
+diff -up shadow-4.6/src/useradd.c.selinux shadow-4.6/src/useradd.c
+--- shadow-4.6/src/useradd.c.selinux	2018-05-28 13:43:30.996748997 +0200
++++ shadow-4.6/src/useradd.c	2018-05-28 13:44:04.645486199 +0200
+@@ -2120,6 +2120,7 @@ static void create_mail (void)
+  */
+ int main (int argc, char **argv)
+ {
++	int rv = E_SUCCESS;
+ #ifdef ACCT_TOOLS_SETUID
+ #ifdef USE_PAM
+ 	pam_handle_t *pamh = NULL;
+@@ -2342,27 +2343,11 @@ int main (int argc, char **argv)
+ 
+ 	usr_update ();
+ 
+-	if (mflg) {
+-		create_home ();
+-		if (home_added) {
+-			copy_tree (def_template, prefix_user_home, false, false,
+-			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
+-		} else {
+-			fprintf (stderr,
+-			         _("%s: warning: the home directory already exists.\n"
+-			           "Not copying any file from skel directory into it.\n"),
+-			         Prog);
+-		}
+-
+-	}
+-
+-	/* Do not create mail directory for system accounts */
+-	if (!rflg) {
+-		create_mail ();
+-	}
+-
+ 	close_files ();
+ 
++	nscd_flush_cache ("passwd");
++	nscd_flush_cache ("group");
++
+ 	/*
+ 	 * tallylog_reset needs to be able to lookup
+ 	 * a valid existing user name,
+@@ -2373,8 +2358,9 @@ int main (int argc, char **argv)
+ 	}
+ 
+ #ifdef WITH_SELINUX
+-	if (Zflg) {
+-		if (set_seuser (user_name, user_selinux) != 0) {
++	if (Zflg && *user_selinux) {
++		if (is_selinux_enabled () > 0) {
++		    if (set_seuser (user_name, user_selinux) != 0) {
+ 			fprintf (stderr,
+ 			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ 			         Prog, user_name, user_selinux);
+@@ -2383,14 +2369,31 @@ int main (int argc, char **argv)
+ 			              "adding SELinux user mapping",
+ 			              user_name, (unsigned int) user_id, 0);
+ #endif				/* WITH_AUDIT */
+-			fail_exit (E_SE_UPDATE);
++			rv = E_SE_UPDATE;
++		    }
+ 		}
+ 	}
+-#endif				/* WITH_SELINUX */
++#endif
+ 
+-	nscd_flush_cache ("passwd");
+-	nscd_flush_cache ("group");
++	if (mflg) {
++		create_home ();
++		if (home_added) {
++			copy_tree (def_template, prefix_user_home, false, true,
++			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
++		} else {
++			fprintf (stderr,
++			         _("%s: warning: the home directory already exists.\n"
++			           "Not copying any file from skel directory into it.\n"),
++			         Prog);
++		}
++
++	}
++
++	/* Do not create mail directory for system accounts */
++	if (!rflg) {
++		create_mail ();
++	}
+ 
+-	return E_SUCCESS;
++	return rv;
+ }
+ 

shadow-4.6-usermod-crash.patch

@@ -0,0 +1,42 @@
+diff -up shadow-4.6/libmisc/prefix_flag.c.usermod-crash shadow-4.6/libmisc/prefix_flag.c
+--- shadow-4.6/libmisc/prefix_flag.c.usermod-crash	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/libmisc/prefix_flag.c	2018-05-28 15:14:10.642302440 +0200
+@@ -319,6 +319,7 @@ extern struct group *prefix_getgr_nam_gi
+ {
+ 	long long int gid;
+ 	char *endptr;
++	struct group *g;
+ 
+ 	if (NULL == grname) {
+ 		return NULL;
+@@ -333,7 +334,8 @@ extern struct group *prefix_getgr_nam_gi
+ 	    	&& (gid == (gid_t)gid)) {
+ 			return prefix_getgrgid ((gid_t) gid);
+ 		}
+-		return prefix_getgrnam (grname);
++		g = prefix_getgrnam (grname);
++		return g ? __gr_dup(g) : NULL;
+ 	}
+ 	else
+ 		return getgr_nam_gid(grname);
+diff -up shadow-4.6/src/usermod.c.usermod-crash shadow-4.6/src/usermod.c
+--- shadow-4.6/src/usermod.c.usermod-crash	2018-05-28 15:12:37.920332763 +0200
++++ shadow-4.6/src/usermod.c	2018-05-28 15:15:50.337422470 +0200
+@@ -1276,11 +1276,13 @@ static void process_flags (int argc, cha
+ 		prefix_user_home = xmalloc(len);
+ 		wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home);
+ 		assert (wlen == (int) len -1);
++		if (user_newhome) {
++			len = strlen(prefix) + strlen(user_newhome) + 2;
++			prefix_user_newhome = xmalloc(len);
++			wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
++			assert (wlen == (int) len -1);
++		}
+ 
+-		len = strlen(prefix) + strlen(user_newhome) + 2;
+-		prefix_user_newhome = xmalloc(len);
+-		wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
+-		assert (wlen == (int) len -1);
+ 	}
+ 	else {
+ 		prefix_user_home = user_home;

shadow-bsd.txt

@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 1990 - 1994, Julianne Frances Haugh
+ * Copyright (c) 1996 - 2000, Marek Michałkiewicz
+ * Copyright (c) 2000 - 2006, Tomasz Kłoczko
+ * Copyright (c) 2007 - 2011, Nicolas François
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the copyright holders or contributors may not be used to
+ *    endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+

shadow-utils.login.defs

@@ -0,0 +1,72 @@
+#
+# Please note that the parameters in this configuration file control the
+# behavior of the tools from the shadow-utils component. None of these
+# tools uses the PAM mechanism, and the utilities that use PAM (such as the
+# passwd command) should therefore be configured elsewhere. Refer to
+# /etc/pam.d/system-auth for more information.
+#
+
+# *REQUIRED*
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
+#   QMAIL_DIR is for Qmail
+#
+#QMAIL_DIR	Maildir
+MAIL_DIR	/var/spool/mail
+#MAIL_FILE	.mail
+
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_MIN_LEN	Minimum acceptable password length.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_MIN_LEN	5
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN                  1000
+UID_MAX                 60000
+# System accounts
+SYS_UID_MIN               201
+SYS_UID_MAX               999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN                  1000
+GID_MAX                 60000
+# System accounts
+SYS_GID_MIN               201
+SYS_GID_MAX               999
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# If useradd should create home directories for users by default
+# On RH systems, we do. This option is overridden with the -m flag on
+# useradd command line.
+#
+CREATE_HOME	yes
+
+# The permission mask is initialized to this value. If not specified, 
+# the permission mask will be initialized to 022.
+UMASK           077
+
+# This enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+# Use SHA512 to encrypt password.
+ENCRYPT_METHOD SHA512 
+

shadow-utils.useradd

@@ -0,0 +1,9 @@
+# useradd defaults file
+GROUP=100
+HOME=/home
+INACTIVE=-1
+EXPIRE=
+SHELL=/bin/bash
+SKEL=/etc/skel
+CREATE_MAIL_SPOOL=yes
+

sources

@@ -1 +0,0 @@
-4800ba505509f08c00f2942581b983a8  shadow-20000902.tar.bz2

sources.bak

@@ -0,0 +1,2 @@
+SHA512 (shadow-4.6.tar.xz) = e8eee52c649d9973f724bc2d5aeee71fa2e6a2e41ec3487cd6cf6d47af70c32e0cdf304df29b32eae2b6eb6f9066866b5f2c891add0ec87ba583bea3207b3631
+SHA512 (shadow-4.6.tar.xz.asc) = 8728bff5544db6ea123f758cce5bd5c2d346489570c33092e4e97db35c274d7aba01580018f120e4ad80b8f79cfe296a33bccbe9bf68df51bf9b2004c6bfffed

tests/sanity/Makefile

@@ -0,0 +1,77 @@
+# Copyright (c) 2006 Red Hat, Inc. All rights reserved. This copyrighted material 
+# is made available to anyone wishing to use, modify, copy, or
+# redistribute it subject to the terms and conditions of the GNU General
+# Public License v.2.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# Author: Jakub Hrozek
+
+#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
+# Example Makefile for RHTS                                          #
+# This example is geared towards a test for a specific package       #
+# It does most of the work for you, but may require further coding   #
+#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
+
+# The toplevel namespace within which the test lives.
+TOPLEVEL_NAMESPACE=CoreOS
+
+# The name of the package under test:
+PACKAGE_NAME=shadow-utils
+
+# The path of the test below the package:
+RELATIVE_PATH=sanity
+
+# Version of the Test. Used with make tag.
+export TESTVERSION=1.1
+
+# The combined namespace of the test.
+export TEST=/$(TOPLEVEL_NAMESPACE)/$(PACKAGE_NAME)/$(RELATIVE_PATH)
+
+# A phony target is one that is not really the name of a file.
+# It is just a name for some commands to be executed when you
+# make an explicit request. There are two reasons to use a
+# phony target: to avoid a conflict with a file of the same
+# name, and to improve performance.
+.PHONY: all install download clean
+
+# Executables to be built should be added here, they will be generated on the system under test.
+BUILT_FILES= 
+
+# Data files, .c files, scripts anything needed to either compile the test and/or run it.
+FILES=$(METADATA) Makefile PURPOSE sanity_test.py runtest.sh
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	chmod a+x ./sanity_test.py
+	chmod a+x ./runtest.sh
+
+clean:
+	rm -f *~ *.rpm $(BUILT_FILES)
+
+# Include Common Makefile
+include /usr/share/rhts/lib/rhts-make.include
+
+# Generate the testinfo.desc here:
+$(METADATA): Makefile
+	@touch $(METADATA)
+	@echo "Owner:        Jakub Hrozek <jhrozek@redhat.com>" > $(METADATA)
+	@echo "Name:         $(TEST)" >> $(METADATA)
+	@echo "Path:         $(TEST_DIR)" >> $(METADATA)
+	@echo "TestVersion:  $(TESTVERSION)" >> $(METADATA)
+	@echo "License:      GNU GPL" >> $(METADATA)
+	@echo "Description:  Basic sanity test for shadow-utils" >> $(METADATA)
+	@echo "TestTime:     5m" >> $(METADATA)
+	@echo "RunFor:       $(PACKAGE_NAME)" >> $(METADATA)
+	@echo "Requires:     $(PACKAGE_NAME)" >> $(METADATA)
+	@echo "Requires:     python" >> $(METADATA)
+	rhts-lint $(METADATA)
+

tests/sanity/PURPOSE

@@ -0,0 +1,10 @@
+This is a basic sanity test for the shadow-utils package. It is implemented
+in python on top of the unittesting.py module.
+
+Its purpose is to ensure that the binaries in the shadow-utils package behave
+as expected and its switches/options work correctly.
+
+For the most part, every binary in the shadow-utils package is represented by
+a single class named Test<BinaryName>, i.e. TestUsermod etc. There are some 
+exceptions, like TestUseraddWeirdNameTest though.
+

tests/sanity/runtest.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+rlFileBackup --clean /etc/default/useradd- /etc/default/useradd
+setenforce 0
+python sanity_test.py -v
+setenforce 1
+rlFileRestore
+
+EXIT=$?
+if [[ $EXIT -eq 0 ]]; then
+    RESULT="PASS"
+else
+    RESULT="FAIL"
+fi
+
+
+rlJournalEnd
+
+echo "Result: $RESULT"
+echo "Exit: $EXIT"
+report_result $TEST $RESULT $EXIT

tests/tests.yml

@@ -0,0 +1,13 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    - atomic
+    tests:
+    - sanity
+    required_packages:
+    - shadow-utils     # sanity test needs shadow-utils
+    - python           # sanity test needs python