105_zn_CN was just applied to upstream repository.

Tag 104_man-sv, 101_ja, and 103_man-de as going to be fixed in 4.0.18.2.
2007-10-27 12:51:13 +00:00
commit 39beb1da3a
230 changed files with 38593 additions and 0 deletions
@@ -0,0 +1,168 @@
+Introduction
+============
+As reported in #276419, su in the login Debian package doesn't permit to
+specify options to the invoked shell and doesn't respect quoted arguments.
+We plan to revert this behavior and follow su's documentation and other
+implementations.
+
+
+Short details
+=============
+Packages passing a command in argument to su must use su's -c option
+and must quote the command if it contains a space.
+For example:
+  su - root -c "ls -l /"
+
+The following commands won't work anymore:
+  su - root -c ls -l /
+  su - root "ls -l /"
+  su - root ls -l /
+
+There will be no problems for backports. -c can be used and arguments
+quoted, with the past and future versions.
+
+Needed adaptations
+==================
+We tried to find the packages that will be affected by this transition.
+We did not audit the full archive, but focused on [1]:
+ * maintainer scripts [2]
+ * packages with an init.d script (based on a sid Contents-i386)
+ * packages with an cron script (based on a sid Contents-i386)
+ * native packages (on sid i386)
+(In general, archives embedded in source packages were not checked)
+
+Package needing changes
+-----------------------
+Micah Anderson <micah@riseup.net>
+        backupninja-0.9.2/handlers/pgsql
+        backupninja-0.9.2/handlers/mysql
+        backupninja-0.9.2/examples/example.rdiff
+Raphael Bossek <bossekr@debian.org>
+        python-4suite-0.99cvs20051115/debian/python-4suite-server.init.d
+Arnaud Kyheng <Arnaud.Kyheng@free.fr>
+        gnunet-0.7.0b/contrib/init_gnunet_ubuntu
+Brian May <bam@debian.org>
+        amavisd-new-2.3.3/debian/amavisd-new.cron.daily
+Peter Palfrader <weasel@debian.org>
+        echolot-2.1.8/debian/echolot.init
+   Fixed in 2.1.8-4
+Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
+        samhain-2.0.10a/init/samhain.start.in
+   Not in Debian
+
+To be checked
+-------------
+Roderick Schertler <roderick@argon.org>
+        debget-1.5/debget
+(It should be OK. According to the code, it works with GNU su)
+
+maybe
+-----
+Stefan Hornburg (Racke) <racke@linuxia.de>
+        courier-0.52.1/courier.lpspec(.in)? (maybe not used on Debian)
+        courier-0.52.1/courier.spec(.in)? (maybe not used on Debian)
+Kenneth J. Pronovici <pronovic@debian.org>
+        cedar-backup2-2.7.2/CedarBackup2/peer.py (depends on executeCommand)
+Arnaud Quette <aquette@debian.org>
+        nut-2.0.2/scripts/HP-UX/nut-drvctl.sh (maybe not used on Debian)
+        nut-2.0.2/scripts/HP-UX/nut-upsd.sh (maybe not used on Debian)
+Taku YASUI <tach@debian.or.jp>
+        murasaki-0.8.11/scripts/printer (su $USER -c $CMD, $CMD may have a space)
+Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>
+        usermin-1.160/cron/config-aix (maybe not used on Debian)
+        usermin-1.160/web-lib-funcs.pl
+        usermin-1.160/shell/index.cgi
+        usermin-1.160/fetchmail/check.pl
+        usermin-1.160/commands/run.cgi
+        usermin-1.160/postgresql/postgresql-lib.pl
+        webmin-1.230/web-lib-funcs.pl
+        webmin-1.230/cron/config-aix
+        webmin-1.230/custom/run.cgi
+
+In comments or documentation
+----------------------------
+Clint Adams <schizo@debian.org>
+        bricolage-1.8.8/bin/bric_ftpd
+Joel Aelwyn <fenton@debian.org>
+        debpool-0.2.2/debian/README.User
+Phil Brooke <pjb@debian.org>
+        yiff-2.14.2/configure
+Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
+        kdenetwork-3.5.0/kopete/protocols/meanwhile/README
+Henrique de Moraes Holschuh <hmh@debian.org>
+        cyrus21-imapd-2.1.18/debian/cyrus21-common.postinst
+Robert Jordens <jordens@debian.org>
+        remstats-1.0.13a/INSTALL
+        remstats-1.0.13a/docs/book.tex (and other formats)
+        remstats-1.0.13a/docs/install-user.pod
+        remstats-1.0.13a/docs/install.pod
+        remstats-1.0.13a/docs/install.txt
+Matthias Klose <doko@debian.org>
+        sqlrelay-0.36.4/doc/gettingstarted/interbase.html
+Guus Sliepen <guus@debian.org>
+        dhis-client-5.3/README
+Craig Small <csmall@debian.org>
+        lprng-3.8.28/DOCS/LPRng-Reference.html
+        lprng-3.8.28/DOCS/LPRng-Reference.sgml
+        lprng-3.8.28/DOCS/LPRng-Reference-Multipart/x9198.htm
+Jonas Smedegaard <dr@jones.dk>
+        pop-before-smtp-1.36/contrib/README.rootless-install
+
+Transition plan
+===============
+Date: 1 month after the announcement
+
+The SU_NO_SHELL_ARGS environment variable will restore the previous
+behavior. The support for this variable should be dropped after Etch.
+
+login will conflict with the package of the first category. When fixed,
+these packages do not need a versionned dependency on login.
+
+
+Recommandation
+==============
+You should follow the following synopsis for your su commands.
+(This will give you more chance to be portable and to work on
+POSIXLY_CORRECT environments)
+
+    su [options] [-] [username [args]]
+
+[args] are arguments passed to the shell
+
+Specifically:
+ * It is preferable to provide -c in [args] rather than in [options].
+ * su - root -p doesn't work if the POSIXLY_CORRECT environment
+   variable is set.
+
+The following packages don't follow these rules:
+Stefan Hornburg (Racke) <racke@linuxia.de>
+        interchange-5.3.2/debian/interchange.cron.daily
+        interchange-5.3.2/scripts/restart.PL
+Michael Biebl <biebl@teco.edu>
+        powersave-0.9.25/scripts/wm_shutdown
+        powersave-0.9.25/scripts/do_screen_saver
+        powersave-0.9.25/scripts/wm_logout
+        powersave-0.9.25/scripts/x_helper_functions
+Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>
+        popularity-contest-1.31/debian/cron.weekly
+        popularity-contest-1.31/FAQ
+Robert Luberda <robert@debian.org>
+        dwww-1.9.26/dwww-format-man
+Andreas Metzler <ametzler@debian.org>
+        findutils-4.2.26/locate/updatedb.sh
+Paul Waite <paul@catalyst.net.nz>
+        axyl-2.1.9/db/postgres/install-db.sh
+Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>
+        usermin-1.160/web-lib-funcs.pl
+        usermin-1.160/commands/run.cgi
+        webmin: ditto
+
+
+
+[1] The rationale is that we consider there is a greater chance to find
+    problems on Debian specific packages/scripts since it would have fail
+    on other OS (on RedHat, Gentoo, Mandriva, SunOS).
+    Probably 10% of the archive was audited.
+
+[2] Thanks to Bill Allombert 
+    http://lists.debian.org/debian-devel/2005/11/msg01215.html
@@ -0,0 +1,4 @@
+PKG=shadow
+SITE=ftp://ftp.pld.org.pl/software/shadow/
+
+include /usr/share/quilt/quilt.debbuild.mk
@@ -0,0 +1,32 @@
+Things that should be done:
+ * the patches directory can be cleaned
+   + It would be nice to have the program and man page correction in the
+     same patch
+ * other queries on debian-devel:
+   + should PAM session be closed as root?
+ * Verify the files left in debian/tmp
+   + e.g. /etc/default/adduser should be installed
+ * Check the build system: rebuilding the package twoce in the same tree
+   doubles the size of the diff.gz file
+
+Other points (not related to the release of a syncronized shadow):
+ * compare the source with the usages and man pages
+   + probably add a sentence to chsh/chfn's manpages about authentication
+     required for ordinary users
+ * do something (a tool) for the variables in login.defs
+   In Debian, some tools are not compiled with the PAM support, so upstream
+   getdef.c won't be OK.
+   It should be nice to see in each man page the set of variables used.
+   The Debian package can now compile (export DEB_BUILD_OPTIONS='nostrip debug')
+   with the debugging informations. This may be used to extract the set of
+   variables used in Debian/for each tools.
+ * verify all the patches around (I've found patches for at least RedHat,
+   OWL, LFS, Mandriva, Gentoo; are they already applied?)
+ * make a testsuite
+   + all options could be tested
+   + by reading the man page and writing some small tests for each
+     functionnality (and testing the limit cases, we can probably find
+     a lot of small/documentation bugs)
+     e.g. test chage with some fields set to 0
+          test chage with a date argument instead of a number of days
+
@@ -0,0 +1,25 @@
+This described the usertags used by the team.
+
+For usertags documentation, see
+http://lists.debian.org/debian-devel-announce/2005/09/msg00002.html
+
+All bugs tagged by team members must be tagged with 
+"user pkg-shadow-devel@lists.alioth.debian.org"
+
+Tags list
+---------
+
+toclose:         This bug has been announced to be closed in case no more news
+                 or information is received from the bug submitter or someone
+                 else until the delay specified in the limits_YYYYMMDD tag
+
+limits-YYYYMMDD: combine it with "toclose". Specifies the date after which
+                 bugs can be closed without other action in case no news 
+                 is received
+
+manpages-replace A bug reported angainst a manpages-xx package to indicate
+                 conflicting man pages. This tag can be used to tune the
+                 Replaces fields.
+
+su-transition:   This bug is related to the su transition (#276419)
+
@@ -0,0 +1,36 @@
+shadow (1:4.0.15-5) unstable; urgency=low
+
+  * commands passed in argument to su must use su's -c option and must quote
+    the command if it contains a space, as in:
+        su - root -c "ls -l /"
+    The following commands won't work anymore:
+        su - root -c ls -l /
+        su - root "ls -l /"
+        su - root ls -l /
+
+ -- Christian Perrier <bubulle@debian.org>  Sat,  8 Apr 2006 20:11:38 +0200
+
+shadow (1:4.0.14-1) unstable; urgency=low
+
+  * passwd does not support the -f, -s, and -g options anymore. You should use
+    the chfn, chsh and gpasswd utilities instead.
+  * login now distributes the nologin utility, which can be used as a shell
+    to politely refuse a login
+
+ -- Christian Perrier <bubulle@debian.org>  Thu,  5 Jan 2006 08:47:44 +0100
+
+shadow (1:4.0.12-1) unstable; urgency=low
+
+  CLOSE_SESSIONS and other variables are not used anymore in
+  /etc/login/defs.
+  As shadow utilities which use this file now warn about unknown
+  entries there, administrators should remove such unknown entries.
+  The supplied login.defs file does not include them anymore.
+
+  dpasswd is no more distributed by upstream. Login do not support
+  dialup password anymore.  Re-introducing this functionality in
+  upstream is not trivial.
+
+
+ -- Christian Perrier <bubulle@debian.org>  Thu, 25 Aug 2005 08:38:47 +0200
+
@@ -0,0 +1,62 @@
+Read this file first for a brief overview of the new versions of login
+and passwd.
+
+
+---Shadow passwords
+
+The command `shadowconfig on' will turn on shadow password support.
+`shadowconfig off' will turn it back off.  If you turn on shadow
+password support, you'll gain the ability to set password ages and
+expirations with chage(1).
+
+NOTE: If you use the nscd package, you may have problems with a
+slight delay in updating the password information. You may notice
+this during upgrades of certain packages that try to add a system
+user and then access the users information immediately afterwards.
+To avoid this, it is suggested that you stop the nscd daemon before
+upgrades, then restart it again.
+
+---General configuration
+
+Most of the configuration for the shadow utilities is in
+/etc/login.defs.  See login.defs(5).  The defaults are quite
+reasonable.
+
+Also see the /etc/pam.d/* files for each program to configure the PAM
+support. PAM documentation is available in several formats in the
+libpam-doc package.
+
+
+---MD5 Encryption
+
+This is enabled now using the /etc/pam.d/* files. Examples are given.
+
+
+---Adding users and groups
+
+Though you may add users and groups with the SysV type commands,
+useradd and groupadd, I recommend you add them with Debian adduser
+version 3+.  adduser gives you more configuration and conforms to the
+Debian UID and GID allocation.
+
+Editing user and group parameters can be done with usermod and
+groupmod.  Removing users and groups can be done with userdel and
+groupdel.
+
+
+--- Group administration
+
+Local group allocation is much easier.  With gpasswd(1) you can
+designate users to administer groups.  They can then securely add or
+remove users from the group.
+
+
+--- What to read next?
+
+Read the manpages, the other files in this directory, and the Shadow
+Password HOWTO (included in the doc-linux package).  A large portion
+of these files deals with getting shadow installed.  You can, of
+course, ignore those parts.
+
+Also, the libpam-doc package will go a long way to allowing you to take
+full advantage of the PAM authentication scheme.
@@ -0,0 +1 @@
+5
@@ -0,0 +1,37 @@
+Source: shadow
+Section: admin
+Priority: required
+Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
+Standards-Version: 3.7.2.0
+Uploaders: Christian Perrier <bubulle@debian.org>, Martin Quinson <mquinson@debian.org>, Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
+Build-Depends: autoconf, automake1.9, libtool, gettext, libpam0g-dev, debhelper (>= 5.0.0), quilt, dpkg-dev (>= 1.13.5), xsltproc, docbook-xsl, docbook-xml, libxml2-utils, cdbs, libselinux1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64], gnome-doc-utils (>= 0.4.3-1)
+XS-X-Vcs-Svn: svn://svn.debian.org/svn/pkg-shadow/trunk
+
+Package: passwd
+Architecture: any
+Depends: ${shlibs:Depends}, ${loginpam}, debianutils (>= 2.15.2)
+Replaces: manpages-de (<< 0.4-9), manpages-fi (<< 0.2-4), manpages-fr (<<1.64.0-1), manpages-hu (<< 20010119-5), manpages-it (<< 0.3.4-3), manpages-ja (<< 0.5.0.0.20050915-1), manpages-ko (<< 20050219-2), manpages-es (<< 1.55-4), manpages-es-extra (<< 0.8a-15), manpages-ru (<< 0.98-3), manpages-tr, manpages-zh
+Section: admin
+Priority: required
+Description: change and administer password and group data
+ This package includes passwd, chsh, chfn, and many other programs to
+ maintain password and group data.
+ .
+ Shadow passwords are supported.  See /usr/share/doc/passwd/README.Debian
+
+Package: login
+Architecture: any
+Pre-Depends: ${shlibs:Depends}, libpam-runtime (>= 0.76-14)
+Depends: libpam-modules (>= 0.72-5)
+Conflicts: gnunet (<< 0.7.0c-2), amavisd-new (<<2.3.3-8), python-4suite (<< 0.99cvs20060405-1), backupninja (<< 0.9.3-5), echolot (<< 2.1.8-4)
+Replaces: manpages-fi (<< 0.2-4), manpages-fr (<<1.64.0-1), manpages-hu (<< 20010119-5), manpages-it (<< 0.3.4-2), manpages-ko (<< 20050219-2), manpages-ja (<< 0.5.0.0.20050915-1), manpages-de (<< 0.4-10), manpages-es-extra (<<0.8a-15), manpages-tr, manpages-zh
+Essential: yes
+Section: admin
+Priority: required
+Description: system login tools
+ These tools are required to be able to login and use your system. The
+ login program invokes your user shell and enables command execution. The
+ newgrp program is used to change your effective group ID (useful for
+ workgroup type situations). The su program allows changing your effective
+ user ID (useful being able to execute commands as another user).
+
@@ -0,0 +1,103 @@
+This is Debian GNU/Linux's prepackaged version of the shadow utilities.
+
+It was downloaded from: <ftp://ftp.pld.org.pl/software/shadow/>. 
+As of May 2007, this site is no longer available.
+
+Copyright:
+
+Parts of this software are copyright 1988 - 1994, Julianne Frances Haugh.
+All rights reserved.
+
+Parts of this software are copyright 1997 - 2001, Marek Michałkiewicz.
+All rights reserved.
+
+Parts of this software are copyright 2001 - 2004, Andrzej Krzysztofowicz
+All rights reserved.
+
+Parts of this software are copyright 2000 - 2007, Tomasz Kłoczko.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of Julianne F. Haugh nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+This source code is currently archived on ftp.uu.net in the
+comp.sources.misc portion of the USENET archives.  You may also contact
+the author, Julianne F. Haugh, at jockgrrl@ix.netcom.com if you have
+any questions regarding this package.
+
+THIS SOFTWARE IS BEING DISTRIBUTED AS-IS.  THE AUTHORS DISCLAIM ALL
+LIABILITY FOR ANY CONSEQUENCES OF USE.  THE USER IS SOLELY RESPONSIBLE
+FOR THE MAINTENANCE OF THIS SOFTWARE PACKAGE.  THE AUTHORS ARE UNDER NO
+OBLIGATION TO PROVIDE MODIFICATIONS OR IMPROVEMENTS.  THE USER IS
+ENCOURAGED TO TAKE ANY AND ALL STEPS NEEDED TO PROTECT AGAINST ACCIDENTAL
+LOSS OF INFORMATION OR MACHINE RESOURCES.
+
+Special thanks are due to Chip Rosenthal for his fine testing efforts;
+to Steve Simmons for his work in porting this code to BSD; and to Bill
+Kennedy for his contributions of LaserJet printer time and energies.
+Also, thanks for Dennis L. Mumaugh for the initial shadow password
+information and to Tony Walton (olapw@olgb1.oliv.co.uk) for the System
+V Release 4 changes.  Effort in porting to SunOS has been contributed
+by Dr. Michael Newberry (miken@cs.adfa.oz.au) and Micheal J. Miller, Jr.
+(mke@kaberd.rain.com).  Effort in porting to AT&T UNIX System V Release
+4 has been provided by Andrew Herbert (andrew@werple.pub.uu.oz.au).
+Special thanks to Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl)
+for taking over the Linux port of this software.
+
+Source files: login_access.c, login_desrpc.c, login_krb.c are derived
+from the logdaemon-5.0 package, which is under the following license:
+
+/************************************************************************
+* Copyright 1995 by Wietse Venema.  All rights reserved. Individual files
+* may be covered by other copyrights (as noted in the file itself.)
+*
+* This material was originally written and compiled by Wietse Venema at
+* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+* 1992, 1993, 1994 and 1995.
+*
+* Redistribution and use in source and binary forms are permitted
+* provided that this entire copyright notice is duplicated in all such
+* copies.  
+*
+* This software is provided "as is" and without any expressed or implied
+* warranties, including, without limitation, the implied warranties of
+* merchantibility and fitness for any particular purpose.
+************************************************************************/
+
+Some parts substantially in src/su.c derived from an ancestor of
+su for GNU.  Run a shell with substitute user and group IDs.
+Copyright (C) 1992-2003 Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   On Debian GNU/Linux systems, the complete text of the GNU General Public
+   License can be found in '/usr/share/common-licenses/GPL'
@@ -0,0 +1 @@
+.so man8/cppw.8
@@ -0,0 +1,27 @@
+.TH CPPW 8 "7 Apr 2005"
+.SH NAME
+cppw, cpgr \- copy with locking the given file to the password or group file
+.SH SYNOPSIS
+\fBcppw\fR [\fB\-h\fR] [\fB\-s\fR] password_file
+.br
+\fBcpgr\fR [\fB\-h\fR] [\fB\-s\fR] group_file
+
+.SH DESCRIPTION
+.BR cppw " and " cpgr
+will copy, with locking, the given file to
+.IR /etc/passwd " and " /etc/group ", respectively."
+With the \fB\-s\fR flag, they will edit the shadow versions of those files,
+.IR /etc/shadow " and " /etc/gshadow ", respectively."
+
+With the \fB\-h\fR flag, the commands display a short help message and exit
+silently.
+.SH "SEE ALSO"
+.BR vipw (8),
+.BR vigr (8),
+.BR group (5),
+.BR passwd (5),
+.BR shadow (5),
+.BR gshadow (5)
+.SH AUTHOR
+\fBcppw\fR and \fBcpgr\fR were written by Stephen Frost, based on
+\fBvipw\fR and \fBvigr\fR written by Guy Maor.
@@ -0,0 +1,315 @@
+#
+# /etc/login.defs - Configuration control definitions for the login package.
+#
+# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
+# If unspecified, some arbitrary (and possibly incorrect) value will
+# be assumed.  All other items are optional - if not specified then
+# the described action or option will be inhibited.
+#
+# Comment lines (lines beginning with "#") and blank lines are ignored.
+#
+# Modified for Linux.  --marekm
+
+# REQUIRED for useradd/userdel/usermod
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
+#   MAIL_DIR takes precedence.
+#
+#   Essentially:
+#      - MAIL_DIR defines the location of users mail spool files
+#        (for mbox use) by appending the username to MAIL_DIR as defined
+#        below.
+#      - MAIL_FILE defines the location of the users mail spool files as the
+#        fully-qualified filename obtained by prepending the user home
+#        directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+#       which is, starting from shadow 4.0.12-1 in Debian, entirely the
+#       job of the pam_mail PAM modules
+#       See default PAM configuration files provided for
+#       login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR        /var/mail
+#MAIL_FILE      .mail
+
+#
+# Enable logging and display of /var/log/faillog login failure info.
+# This option conflicts with the pam_tally PAM module.
+#
+FAILLOG_ENAB		yes
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+# WARNING: Unknown usernames may become world readable. 
+# See #290803 and #298773 for details about how this could become a security
+# concern
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE	/var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, login failures will be logged here in a utmp format
+# last, when invoked as lastb, will read /var/log/btmp, so...
+#
+FTMP_FILE	/var/log/btmp
+
+#
+# If defined, the command name to display when running "su -".  For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su".  If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME		su
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+# In Debian /usr/bin/bsd-write or similar programs are setgid tty
+# However, the default and recommended value for TTYPERM is still 0600
+# to not allow anyone to write to anyone else console or terminal
+
+# Users can still allow other people to write them by issuing 
+# the "mesg y" command.
+
+TTYGROUP	tty
+TTYPERM		0600
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#	UMASK		Default "umask" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# 
+# UMASK usage is discouraged because it catches only some classes of user
+# entries to system, in fact only those made through login(1), while setting
+# umask in shell rc file will catch also logins through su, cron, ssh etc.
+#
+# At the same time, using shell rc to set umask won't catch entries which use
+# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp"
+# user and alike.
+#
+# Therefore the use of pam_umask is recommended (Debian package libpam-umask)
+# as the solution which catches all these cases on PAM-enabled systems.
+# 
+# This avoids the confusion created by having the umask set
+# in two different places -- in login.defs and shell rc files (i.e.
+# /etc/profile).
+#
+# For discussion, see #314539 and #248150 as well as the thread starting at
+# http://lists.debian.org/debian-devel/2005/06/msg01598.html
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR	0177
+KILLCHAR	025
+# 022 is the "historical" value in Debian for UMASK when it was used
+# 027, or even 077, could be considered better for privacy
+# There is no One True Answer here : each sysadmin must make up his/her
+# mind.
+#UMASK		022
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN			 1000
+UID_MAX			60000
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN			  100
+GID_MAX			60000
+
+#
+# Max number of login retries if password is bad. This will most likely be
+# overriden by PAM, since the default pam_unix module has it's own built
+# in of 3 retries. However, this is a safe fallback in case you are using
+# an authentication module that does not enforce PAM_MAXTRIES.
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT		60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# 
+CHFN_RESTRICT		rwh
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME	yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# This enables userdel to remove user groups if no members exist.
+#
+# Other former uses of this variable such as setting the umask when
+# user==primary group are not used in PAM environments, thus in Debian
+#
+USERGROUPS_ENAB yes
+
+#
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
+#
+# FAKE_SHELL /bin/fakeshell
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names.  Root logins will be allowed only
+# upon these devices.
+#
+# This variable is used by login and su.
+#
+#CONSOLE	/etc/consoles
+#CONSOLE	console:tty01:tty02:tty03:tty04
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting).  Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# This variable is used by login and su.
+#
+#CONSOLE_GROUPS		floppy:audio:cdrom
+
+#
+# Only works if compiled with MD5_CRYPT defined:
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm.  Default is "no".
+#
+# This variable is used by chpasswd, gpasswd and newusers.
+#
+#MD5_CRYPT_ENAB	no
+
+################# OBSOLETED BY PAM ##############
+#						#
+# These options are now handled by PAM. Please	#
+# edit the appropriate file in /etc/pam.d/ to	#
+# enable the equivelants of them.
+#
+###############
+
+#MOTD_FILE
+#DIALUPS_CHECK_ENAB
+#LASTLOG_ENAB
+#MAIL_CHECK_ENAB
+#OBSCURE_CHECKS_ENAB
+#PORTTIME_CHECKS_ENAB
+#SU_WHEEL_ONLY
+#CRACKLIB_DICTPATH
+#PASS_CHANGE_TRIES
+#PASS_ALWAYS_WARN
+#ENVIRON_FILE
+#NOLOGINS_FILE
+#ISSUE_FILE
+#PASS_MIN_LEN
+#PASS_MAX_LEN
+#ULIMIT
+#ENV_HZ
+#CHFN_AUTH
+#CHSH_AUTH
+#FAIL_DELAY
+
+################# OBSOLETED #######################
+#						  #
+# These options are no more handled by shadow.    #
+#                                                 #
+# Shadow utilities will display a warning if they #
+# still appear.                                   #
+#                                                 #
+###################################################
+
+# CLOSE_SESSIONS
+# LOGIN_STRING
+# NO_PASSWORD_CONSOLE
+# QMAIL_DIR
+
+
+
@@ -0,0 +1,2 @@
+usr/share/lintian/overrides
+usr/share/linda/overrides
@@ -0,0 +1,25 @@
+usr/share/locale/*/LC_MESSAGES/shadow.mo
+usr/share/man/*/man1/login.1
+usr/share/man/*/man1/newgrp.1
+usr/share/man/*/man1/sg.1
+usr/share/man/*/man1/su.1
+usr/share/man/*/man5/faillog.5
+usr/share/man/*/man5/login.defs.5
+usr/share/man/*/man8/faillog.8
+usr/share/man/*/man8/lastlog.8
+usr/share/man/*/man8/nologin.8
+usr/share/man/man1/login.1
+usr/share/man/man1/newgrp.1
+usr/share/man/man1/sg.1
+usr/share/man/man1/su.1
+usr/share/man/man5/faillog.5
+usr/share/man/man5/login.defs.5
+usr/share/man/man8/faillog.8
+usr/share/man/man8/lastlog.8
+usr/share/man/man8/nologin.8
+usr/sbin/nologin
+usr/bin/faillog
+usr/bin/lastlog
+usr/bin/newgrp
+bin/login
+bin/su
@@ -0,0 +1,4 @@
+Tag: incorrect-file-perms
+Data: (/bin/su|/usr/bin/newgrp)
+Tag: whatis-parse-failed-on-manpage
+Data: /usr/share/man/(ko|ru|tr)/
@@ -0,0 +1 @@
+usr/bin/newgrp usr/bin/sg
@@ -0,0 +1,3 @@
+login: setuid-binary usr/bin/newgrp 4755 root/root
+login: setuid-binary bin/su 4755 root/root
+login: possible-missing-colon-in-closes l667:closes bug 336321
@@ -0,0 +1,77 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+auth       requisite  pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session    optional   pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context.
+# Uncomment the following line to enable SELinux
+# session required pam_selinux.so multiple
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password
@@ -0,0 +1,25 @@
+#!/bin/sh -e
+
+if test "$1" = configure
+then
+	if test -f /etc/init.d/logoutd
+	then 
+		if test "$(md5sum /etc/init.d/logoutd)" = "9080f92783dd53f6f2108e698c06bd53  /etc/init.d/logoutd"
+		then	
+			echo "removing logoutd cruft"
+			rm /etc/init.d/logoutd
+			update-rc.d logoutd remove
+		fi
+	fi
+fi
+rm -f /etc/pam.d/login.pre-upgrade 2>/dev/null
+
+if [ ! -f /var/log/faillog ] ; then
+    touch /var/log/faillog
+    chown root:root /var/log/faillog
+    chmod 644 /var/log/faillog
+fi
+
+#DEBHELPER#
+
+exit 0
@@ -0,0 +1,52 @@
+#! /bin/sh
+
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+remove_md5() {
+    if md5sum $1 2>/dev/null |grep -q $2; then
+	cp $1 $1.pre-upgrade
+	sed -e '/^[^#][ \t]*assword[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
+	    && mv $1.post-upgrade $1
+    fi
+    }
+
+
+case "$1" in
+    install|upgrade)
+        if [ "x$2" != "x" ] ; then
+	    if dpkg --compare-versions $2 lt 1:4.0.3 ; then
+		remove_md5 /etc/pam.d/login 5e61c3334e25625fe1fa4d79cf9123ff
+		fi
+	    fi
+	    
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
@@ -0,0 +1,62 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth       sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth       required   pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth       sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth       required   pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session    optional   pam_mail.so nopen
+
+# Sets up user limits, please uncomment and read /etc/security/limits.conf
+# to enable this functionality.
+# (Replaces the use of /etc/limits in old login)
+# session    required   pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
+
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'chage' service
+#
+
+# This allows root to change password aging being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
@@ -0,0 +1,16 @@
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+
+# This allows root to change user infomation without being
+# prompted for a password
+auth		sufficient	pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
+
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'chpasswd' service
+#
+
+# This allows root to use chpasswd without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
@@ -0,0 +1,20 @@
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+
+# This will not allow a user to change their shell unless
+# their current one is listed in /etc/shells. This keeps
+# accounts with special shells from changing them.
+auth       required   pam_shells.so
+
+# This allows root to change user shell without being
+# prompted for a password
+auth		sufficient	pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
@@ -0,0 +1,3 @@
+usr/share/lintian/overrides
+usr/share/linda/overrides
+etc/default
@@ -0,0 +1 @@
+debian/passwd.expire.cron
@@ -0,0 +1,57 @@
+#!/usr/bin/perl
+#
+# passwd.expire.cron: sample expiry notification script for use as a cronjob
+#
+# Copyright 1999 by Ben Collins <bcollins@debian.org>, complete rights granted
+# for use, distribution, modification, etc.
+#
+# Usage:
+#	edit the listed options, including the actual email, then rename to
+#	/etc/cron.daily/passwd
+#
+#	If your users don't have a valid login shell (ie. they are ftp or mail
+#	users only), they will need some other way to change their password
+#	(telnet will work since login will handle password aging, or a poppasswd
+#	program, if they are mail users).
+
+# <CONFIG> #
+
+# should be same as /etc/adduser.conf
+$LOW_UID=1000;
+$HIGH_UID=29999;
+
+# this let's the MTA handle the domain,
+# set it manually if you want. Make sure
+# you also add the @ like "\@domain.com"
+$MAIL_DOM="";
+
+# </CONFIG> #
+
+# Set the current day reference
+$curdays = int(time() / (60 * 60 * 24));
+
+# Now go through the list
+
+open(SH, "< /etc/shadow");
+while (<SH>) {
+    @shent = split(':', $_);
+    @userent = getpwnam($shent[0]);
+    if ($userent[2] >= $LOW_UID && $userent[2] <= $HIGH_UID) {
+	if ($curdays > $shent[2] + $shent[4] - $shent[5] &&
+		$shent[4] != -1 && $shent[4] != 0 &&
+		$shent[5] != -1 && $shent[5] != 0) {
+	    $daysleft = ($shent[2] + $shent[4]) - $curdays;
+	    if ($daysleft == 1) { $days = "day"; } else {$days = "days"; }
+            if ($daysleft < 0) { next; }
+	    open (MAIL, "| mail -s '[WARNING] account will expire in $daysleft $days' $shent[0]${MAIL_DOM}");
+	    print MAIL <<EOF;
+Your account will expire in $daysleft $days. Please change your password before
+then or your account will expire
+EOF
+	    close (MAIL);
+	    # This makes sure we also get a list of almost expired users
+	    print "$shent[0]'s account will expire in $daysleft days\n";
+	}
+    }
+    @userent = getpwent();
+}
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupadd' service
+#
+
+# This allows root to add groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupdel' service
+#
+
+# This allows root to remove groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupmod' service
+#
+
+# This allows root to modify groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
@@ -0,0 +1,74 @@
+usr/bin/chage
+usr/bin/chfn
+usr/bin/chsh
+usr/bin/expiry
+usr/bin/gpasswd
+usr/bin/passwd
+usr/sbin/chpasswd
+usr/sbin/chgpasswd
+usr/sbin/cppw
+usr/sbin/groupadd
+usr/sbin/groupdel
+usr/sbin/groupmod
+usr/sbin/grpck
+usr/sbin/grpconv
+usr/sbin/grpunconv
+usr/sbin/newusers
+usr/sbin/pwck
+usr/sbin/pwconv
+usr/sbin/pwunconv
+usr/sbin/useradd
+usr/sbin/userdel
+usr/sbin/usermod
+usr/sbin/vipw
+usr/share/man/*/man1/chage.1
+usr/share/man/*/man1/chfn.1
+usr/share/man/*/man1/chsh.1
+usr/share/man/*/man1/expiry.1
+usr/share/man/*/man1/gpasswd.1
+usr/share/man/*/man1/passwd.1
+usr/share/man/*/man5/passwd.5
+usr/share/man/*/man5/shadow.5
+usr/share/man/*/man5/gshadow.5
+usr/share/man/*/man8/chpasswd.8
+usr/share/man/*/man8/groupadd.8
+usr/share/man/*/man8/groupdel.8
+usr/share/man/*/man8/groupmod.8
+usr/share/man/*/man8/grpck.8
+usr/share/man/*/man8/grpconv.8
+usr/share/man/*/man8/grpunconv.8
+usr/share/man/*/man8/newusers.8
+usr/share/man/*/man8/pwck.8
+usr/share/man/*/man8/pwconv.8
+usr/share/man/*/man8/pwunconv.8
+usr/share/man/*/man8/useradd.8
+usr/share/man/*/man8/userdel.8
+usr/share/man/*/man8/usermod.8
+usr/share/man/*/man8/vigr.8
+usr/share/man/*/man8/vipw.8
+usr/share/man/man1/chage.1
+usr/share/man/man1/chfn.1
+usr/share/man/man1/chsh.1
+usr/share/man/man1/expiry.1
+usr/share/man/man1/gpasswd.1
+usr/share/man/man1/passwd.1
+usr/share/man/man5/passwd.5
+usr/share/man/man5/shadow.5
+usr/share/man/man5/gshadow.5
+usr/share/man/man8/chgpasswd.8
+usr/share/man/man8/chpasswd.8
+usr/share/man/man8/groupadd.8
+usr/share/man/man8/groupdel.8
+usr/share/man/man8/groupmod.8
+usr/share/man/man8/grpck.8
+usr/share/man/man8/grpconv.8
+usr/share/man/man8/grpunconv.8
+usr/share/man/man8/newusers.8
+usr/share/man/man8/pwck.8
+usr/share/man/man8/pwconv.8
+usr/share/man/man8/pwunconv.8
+usr/share/man/man8/useradd.8
+usr/share/man/man8/userdel.8
+usr/share/man/man8/usermod.8
+usr/share/man/man8/vigr.8
+usr/share/man/man8/vipw.8
@@ -0,0 +1,4 @@
+Tag: incorrect-file-perms
+Data: /usr/bin/(chage|chfn|chsh|expiry|gpasswd|passwd)
+Tag: whatis-parse-failed-on-manpage
+Data: /usr/share/man/(id|ja|ko|ru|tr|zh_CN|zh_TW)/
@@ -0,0 +1,2 @@
+usr/sbin/vipw usr/sbin/vigr
+usr/sbin/cppw usr/sbin/cpgr
@@ -0,0 +1,20 @@
+passwd: setgid-binary usr/bin/chage 2755 root/shadow
+passwd: setuid-binary usr/bin/chfn 4755 root/root
+passwd: setuid-binary usr/bin/chsh 4755 root/root
+passwd: setgid-binary usr/bin/expiry 2755 root/shadow
+passwd: setuid-binary usr/bin/gpasswd 4755 root/root
+passwd: setuid-binary usr/bin/passwd 4755 root/root
+
+# passwd.config in a no-op (exit 0) when debconf is not installed. 
+# debconf is "important", and passwd is "required". A dependency would be *bad*
+passwd: seen-flag-requires-versioned-depends config
+passwd: missing-debconf-dependency
+
+# passwd.config uses adduser but does not strictly depend on it
+# as it fallbacks to useradd
+passwd: maintainer-script-needs-depends-on-adduser config
+
+# Wrong warning from lintian for untranslatable stuff
+passwd: malformed-prompt-in-templates passwd/root-password-crypted
+passwd: malformed-prompt-in-templates passwd/user-password-crypted
+passwd: malformed-prompt-in-templates passwd/user-uid
@@ -0,0 +1,9 @@
+# The PAM configuration file for the Shadow 'newusers' service
+#
+
+# This allows root to add users with a batch file without being 
+# prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
@@ -0,0 +1,6 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+@include common-password
+
@@ -0,0 +1,42 @@
+#!/bin/sh -e
+
+case "$1" in
+configure)
+    # Fix permissions on various log files from old versions of the debian
+    # installer, some unrelated to passwd but we decided to put the fix
+    # here since there was no better place. This can safely be removed
+    # after etch is released.
+    if dpkg --compare-versions "$2" lt "1:4.0.14-9"; then
+	    for log in /var/log/base-config* \
+		    $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
+		if [ -e "$log" ]; then
+			chmod 600 "$log"
+		fi
+            done
+    fi
+
+    rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null
+	if ! getent group shadow | grep -q '^shadow:[^:]*:42'
+	then
+		groupadd -g 42 shadow || (
+    			cat <<EOF
+Group ID 42 has been allocated for the shadow group.  You have either
+used 42 yourself or created a shadow group with a different ID.
+Please correct this problem and reconfigure with ``dpkg --configure passwd''.
+
+Note that both user and group IDs in the range 0-99 are globally
+allocated by the Debian project and must be the same on every Debian
+system.
+EOF
+    			exit 1
+		)
+	fi
+    ;;
+esac
+
+# Run shadowconfig only on new installs
+[ -z "$2" ] && shadowconfig on
+
+#DEBHELPER#
+
+exit 0
@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+#DEBHELPER#
@@ -0,0 +1,51 @@
+#! /bin/sh
+
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+remove_md5() {
+    if md5sum $1 2>/dev/null |grep -q $2; then
+	cp $1 $1.pre-upgrade
+	sed -e '/^[^#]*[ \t]*password[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
+	    && mv $1.post-upgrade $1
+    fi
+    }
+
+
+case "$1" in
+    install|upgrade)
+        if [ "x$2" != "x" ] ; then
+	    if dpkg --compare-versions $2 lt 1:4.0.3 ; then
+		remove_md5 /etc/pam.d/passwd 23a5d1465bbc1e39ca6e0c32f22a75c9
+	    fi
+	fi
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'useradd' service
+#
+
+# This allows root to add users without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'userdel' service
+#
+
+# This allows root to remove users without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupdel' service
+#
+
+# This allows root to remove groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
@@ -0,0 +1,51 @@
+Goal: Log login failures to the btmp file
+
+Notes:
+ * I'm not sure login should add an entry in the FTMP file when PAM is used.
+   (but nothing in /etc/login.defs indicates that the failure is not logged)
+
+Index: shadow-4.0.18.1/src/login.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/login.c	2006-09-17 12:17:54.336008314 +0200
+++ shadow-4.0.18.1/src/login.c	2006-09-17 12:17:54.972013371 +0200
+@@ -716,6 +716,20 @@
+ #endif				/* WITH_AUDIT */
+ 
+ 			  fprintf(stderr,"\nLogin incorrect\n");
+			  if (getdef_str("FTMP_FILE") != NULL) {
+#if HAVE_UTMPX_H
+			    failent = utxent;
+			    gettimeofday(&(failent.ut_tv), NULL);
+#else
+			    failent = utent;
+			    time(&failent.ut_time);
+#endif
+			    strncpy(failent.ut_user, failent_user, sizeof(failent.ut_user));
+#ifdef USER_PROCESS
+			    failent.ut_type = USER_PROCESS;
+#endif
+			    failtmp(&failent);
+			  }
+ 
+ 			  /* Let's give it another go around */
+ 			  pam_set_item(pamh,PAM_USER,NULL);
+Index: shadow-4.0.18.1/lib/getdef.c
+===================================================================
+--- shadow-4.0.18.1.orig/lib/getdef.c	2006-06-24 15:17:18.000000000 +0200
+++ shadow-4.0.18.1/lib/getdef.c	2006-09-17 12:17:54.992013530 +0200
+@@ -57,6 +57,7 @@
+ 	{"ERASECHAR", NULL},
+ 	{"FAIL_DELAY", NULL},
+ 	{"FAKE_SHELL", NULL},
+	{"FTMP_FILE", NULL},
+ 	{"GID_MAX", NULL},
+ 	{"GID_MIN", NULL},
+ 	{"HUSHLOGIN_FILE", NULL},
+@@ -88,7 +89,6 @@
+ 	{"ENVIRON_FILE", NULL},
+ 	{"ENV_TZ", NULL},
+ 	{"FAILLOG_ENAB", NULL},
+-	{"FTMP_FILE", NULL},
+ 	{"ISSUE_FILE", NULL},
+ 	{"LASTLOG_ENAB", NULL},
+ 	{"LOGIN_STRING", NULL},
@@ -0,0 +1,34 @@
+Goal: ???
+
+Notes:
+ * It still needs more investigation.
+   I don't know what this patch is used for. IMO, the user name is
+   already known before calling pam_get_item(pamh, PAM_USER, ...)
+
+Index: shadow-4.0.18.1/src/su.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/su.c	2006-09-17 12:17:52.483993589 +0200
+++ shadow-4.0.18.1/src/su.c	2006-09-17 12:17:53.099998487 +0200
+@@ -287,6 +287,7 @@
+ 	struct passwd *pw = 0;
+ 	char **envp = environ;
+ 	char *shellstr = 0, *command = 0;
+	char *tmp_name;
+ 
+ #ifdef USE_PAM
+ 	char **envcp;
+@@ -652,6 +653,14 @@
+ 			su_failure (tty);
+ 		}
+ 	}
+	ret = pam_get_item(pamh, PAM_USER, (const void **) &tmp_name);
+	if (ret != PAM_SUCCESS) {
+		SYSLOG((LOG_ERR, "pam_get_item: internal PAM error\n"));
+		fprintf(stderr, "%s: Internal PAM error retrieving username\n", Prog);
+		pam_end(pamh, ret);
+		su_failure(tty);
+	}
+	strncpy(name, tmp_name, sizeof(name) - 1);
+ #else				/* !USE_PAM */
+ 	/*
+ 	 * Set up a signal handler in case the user types QUIT.
@@ -0,0 +1,13 @@
+Index: shadow-4.0.18.1/src/su.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/su.c	2006-09-17 12:17:47.383953038 +0200
+++ shadow-4.0.18.1/src/su.c	2006-09-17 12:17:52.483993589 +0200
+@@ -304,7 +304,7 @@
+ #endif
+ #endif				/* !USE_PAM */
+ 
+-	sanitize_env ();
+	/* sanitize_env (); */
+ 
+ 	setlocale (LC_ALL, "");
+ 	bindtextdomain (PACKAGE, LOCALEDIR);
@@ -0,0 +1,29 @@
+Goal: Fix the traslation of Sorry in German
+
+Fixes: #383045
+
+Status wrt upstream: Forwarded. Waiting for apply to remove from trunk
+                     Not to be removed in etch
+
+Index: shadow-4.0.18.1/po/de.po
+===================================================================
+--- shadow-4.0.18.1.orig/po/de.po	2006-07-26 22:31:43.000000000 +0200
+++ shadow-4.0.18.1/po/de.po	2006-09-17 12:18:19.448207978 +0200
+@@ -1204,7 +1204,7 @@
+ msgstr "Unbekannte GID: %lu\n"
+ 
+ msgid "Sorry.\n"
+-msgstr "Entschuldigung.\n"
+msgstr " \n"
+ 
+ #, c-format
+ msgid "too many groups\n"
+@@ -1471,7 +1471,7 @@
+ msgstr "Bitte geben Sie Ihr EIGENES Kennwort als Authentifizierung ein.\n"
+ 
+ msgid "Sorry."
+-msgstr "Entschuldigung."
+msgstr " "
+ 
+ #, c-format
+ msgid "%s: %s\n"
@@ -0,0 +1,275 @@
+Goal: Fix Swedish manpages's PO file encoding.
+
+Fixes: #403210
+
+Status wrt upstream: Applied in CVS. Will be fixed in 4.0.18.2
+
+Index: shadow-4.0.18.1/man/sv/sv.po
+===================================================================
+--- shadow-4.0.18.1.orig/man/sv/sv.po	2007-02-25 16:36:02.000000000 +0100
+++ shadow-4.0.18.1/man/sv/sv.po	2007-02-25 16:36:19.000000000 +0100
+@@ -2,7 +2,7 @@
+ msgstr ""
+ "Project-Id-Version: man pages for shadow 4.0.18\n"
+ "POT-Creation-Date: 2006-07-24 07:49+0200\n"
+-"PO-Revision-Date: 2006-07-20 15:34+0100\n"
+"PO-Revision-Date: 2007-02-25 16:34+0100\n"
+ "Last-Translator: Daniel Nylander <po@danielnylander.se>\n"
+ "Language-Team: Swedish <debian-l10n-swedish@lists.debian.org>\n"
+ "MIME-Version: 1.0\n"
+@@ -98,7 +98,7 @@
+ "respektive. Med flaggan <option>-s</option>, kommer de att redigera "
+ "skuggversionerna av dessa filer, <filename>/etc/shadow</filename> och "
+ "<filename>/etc/gshadow</filename>, respektive. Programmen kommer att ställa "
+-"in de lämpliga lås som behövs för att förhindra att filerna skadas. NÃ¤r de "
+"in de lämpliga lås som behövs för att förhindra att filerna skadas. När de "
+ "letar efter en redigerare kommer programmen att första försöka med "
+ "miljövariabeln <envar>$VISUAL</envar>, sedan miljövariabeln <envar>$EDITOR</"
+ "envar> och till sist standardredigeraren, <citerefentry><refentrytitle>vi</"
+@@ -819,7 +819,7 @@
+ #: useradd.8.xml:11(refpurpose)
+ msgid "create a new user or update default new user information"
+ msgstr ""
+-"skapa en ny användare eller uppdatera standardinformation för nya anvÃ¤ndare"
+"skapa en ny användare eller uppdatera standardinformation för nya användare"
+ 
+ #: useradd.8.xml:23(arg) useradd.8.xml:27(arg)
+ msgid "-D"
+@@ -1054,7 +1054,7 @@
+ "lower case letters, underscores, dashes, and dollar signs may follow. In "
+ "regular expression terms: [a-z_][a-z0-9_-]*[$]"
+ msgstr ""
+-"Användarnamn måste börja med en gemen bokstav eller ett understreck och fÃ¥r "
+"Användarnamn måste börja med en gemen bokstav eller ett understreck och får "
+ "endast innehålla gemener, understreck, minustecken och på slutet ett dollar-"
+ "tecken. I reguljära uttryckstermer: [a-z_][a-z0-9_-]*[$]"
+ 
+@@ -1242,8 +1242,8 @@
+ "delimited by \",\" or the words <emphasis>ALL EXCEPT</emphasis> followed by "
+ "a list of usernames delimited by \",\""
+ msgstr ""
+-"Där till-id är antingen ordet <emphasis>ALL</emphasis>, en lista med anvÃ"
+-"¤ndarnamn separerade med \",\" eller orden <emphasis>ALL EXCEPT</emphasis> "
+"Där till-id är antingen ordet <emphasis>ALL</emphasis>, en lista med "
+"användarnamn separerade med \",\" eller orden <emphasis>ALL EXCEPT</emphasis> "
+ "följt av en lista med användarnamn separerade med \",\""
+ 
+ #: suauth.5.xml:53(para)
+@@ -1416,8 +1416,8 @@
+ "user logged in directly."
+ msgstr ""
+ "<command>su</command> används för att bli en annan användare under en "
+-"inloggningssession. Om det startas utan <option>användarnamn</option>, vÃ"
+-"¤ljer <command>su</command> superanvändaren. Det valfria argumentet <option>-"
+"inloggningssession. Om det startas utan <option>användarnamn</option>, "
+"väljer <command>su</command> superanvändaren. Det valfria argumentet <option>-"
+ "</option> kan användas för att tillhandahålla en miljö som liknar den som "
+ "användaren skulle förvänta sig om användaren hade loggat in direkt."
+ 
+@@ -1532,8 +1532,8 @@
+ "<filename>/bin/sh</filename> if a shell could not be found by any above "
+ "method."
+ msgstr ""
+-"<filename>/bin/sh</filename> om ett skal inte kunde hittas med någon ovanstÃ"
+-"¥ende metod."
+"<filename>/bin/sh</filename> om ett skal inte kunde hittas med någon "
+"ovanstående metod."
+ 
+ #: su.1.xml:114(para)
+ msgid ""
+@@ -1566,8 +1566,8 @@
+ "If the target user has a restricted shell, this option has no effect (unless "
+ "<command>su</command> is called by root)."
+ msgstr ""
+-"Om målanvändaren har ett begränsat skal har denna flagga ingen effekt (sÃ"
+-"¥vida inte <command>su</command> har startats av root)."
+"Om målanvändaren har ett begränsat skal har denna flagga ingen effekt "
+"(såvida inte <command>su</command> har startats av root)."
+ 
+ #: su.1.xml:169(para)
+ msgid ""
+@@ -1757,7 +1757,7 @@
+ "This file must not be readable by regular users if password security is to "
+ "be maintained."
+ msgstr ""
+-"Denna fil får inte vara läsbar av vanliga användare om lösenordssÃ¤kerheten "
+"Denna fil får inte vara läsbar av vanliga användare om lösenordssäkerheten "
+ "ska upprätthållas."
+ 
+ #: shadow.5.xml:124(para)
+@@ -2321,7 +2321,7 @@
+ "emphasis> och <emphasis>oper</emphasis> på <filename>/dev/console</filename> "
+ "när som helst. Detta illustrerar hur filen <filename>/etc/porttime</"
+ "filename> är en ordnad lista för åtkomsttider. Alla andra användare skulle "
+-"matcha den andra poster, vilken inte tillåter någon Ã¥tkomst oavsett tid."
+"matcha den andra poster, vilken inte tillåter någon åtkomst oavsett tid."
+ 
+ #: porttime.5.xml:62(programlisting)
+ #, no-wrap
+@@ -2373,7 +2373,7 @@
+ "<filename>/etc/passwd</filename> contains one line for each user account, "
+ "with seven fields delimited by colons (<quote>:</quote>). These fields are:"
+ msgstr ""
+-"<filename>/etc/passwd</filename> innehåller en rad för varje anvÃ¤ndarkonto "
+"<filename>/etc/passwd</filename> innehåller en rad för varje användarkonto "
+ "men sju fält separerade med kolontecken (<quote>:</quote>). Dessa fält är:"
+ 
+ #: passwd.5.xml:27(para)
+@@ -2492,9 +2492,9 @@
+ "login shell, or his/her password expiry date and interval."
+ msgstr ""
+ "<command>passwd</command> ändrar lösenord för användarkonton. En vanlig "
+-"användare kan endast ändra lösenordet för sitt egna konto men superanvÃ"
+-"¤ndaren kan ändra lösenord för alla konton. <command>passwd</command> Ã"
+-"¤ndrar även kontoinformation, såsom det fullständiga namnet för anvÃ¤ndaren, "
+"användare kan endast ändra lösenordet för sitt egna konto men "
+"superanvändaren kan ändra lösenord för alla konton. <command>passwd</command> "
+"ändrar även kontoinformation, såsom det fullständiga namnet för användaren, "
+ "användarens inloggningsskal eller hans/hennes utgångsdatum för lösenordet "
+ "och intervall."
+ 
+@@ -2509,8 +2509,8 @@
+ "user has only one chance to enter the correct password. The super user is "
+ "permitted to bypass this step so that forgotten passwords may be changed."
+ msgstr ""
+-"Användaren frågas först efter hans/hennes gamla lösenord, om det finns nÃ"
+-"¥got. Detta lösenord krypteras sedan och jämförs mot det lagrade lösenordet. "
+"Användaren frågas först efter hans/hennes gamla lösenord, om det finns "
+"något. Detta lösenord krypteras sedan och jämförs mot det lagrade lösenordet. "
+ "Användaren har endast en chans att ange det korrekta lösenordet. "
+ "Superanvändaren tillåts kringgå detta steg så att bortglömda lösenord kan "
+ "ändras."
+@@ -2521,8 +2521,8 @@
+ "to see if the user is permitted to change the password at this time. If not, "
+ "<command>passwd</command> refuses to change the password and exits."
+ msgstr ""
+-"Efter att lösenordet har matats in kontrolleras lösenordets Ã"
+-"¥ldringsinformation för att se om användaren tillåts att ändra lösenord för "
+"Efter att lösenordet har matats in kontrolleras lösenordets "
+"åldringsinformation för att se om användaren tillåts att ändra lösenord för "
+ "tillfället. Om inte, nekar <command>passwd</command> att ändra lösenordet "
+ "och avslutas."
+ 
+@@ -2582,7 +2582,7 @@
+ msgstr ""
+ "Säkerhet i ett lösenord beror på styrkan på krypteringsalgoritmen och "
+ "nyckellängden. Krypteringsmetoden för <emphasis>UNIX-system</emphasis> är "
+-"baserad på NBS DES-algoritmen och är mycket säker. Längden på nyckeln Ã¤r "
+"baserad på NBS DES-algoritmen och är mycket säker. Längden på nyckeln är "
+ "beroende på slumpmässigheten för det valda lösenordet."
+ 
+ #: passwd.1.xml:96(para)
+@@ -2607,7 +2607,7 @@
+ "For example, Pass%word."
+ msgstr ""
+ "Ditt lösenord måste vara lätt att komma ihåg så att du inte behöver skriva "
+-"ner det på en papperslapp. Detta kan göras genom att lägga till tvÃ¥ små ord "
+"ner det på en papperslapp. Detta kan göras genom att lägga till två små ord "
+ "tillsammans och separera dem med ett specialtecken eller siffra. Till "
+ "exempel, Pass%word."
+ 
+@@ -2668,7 +2668,7 @@
+ "Delete a user's password (make it empty). This is a quick way to disable a "
+ "password for an account. It will set the named account passwordless."
+ msgstr ""
+-"Ta bort en användares lösenord (gör det blankt). Detta är ett snabbt sÃ¤tt "
+"Ta bort en användares lösenord (gör det blankt). Detta är ett snabbt sätt "
+ "att inaktivera ett lösenord för ett konto. Det kommer att ta bort det "
+ "angivna kontots lösenord."
+ 
+@@ -2701,7 +2701,7 @@
+ msgstr ""
+ "Denna flagga används för att inaktivera ett konto efter att lösenordet har "
+ "varit utgånget i ett antal dagar. Efter att ett användarkonto har haft ett "
+-"utgånget lösenord i <replaceable>INAKTIV</replaceable> dagar får anvÃ¤ndaren "
+"utgånget lösenord i <replaceable>INAKTIV</replaceable> dagar får användaren "
+ "inte längre logga in med detta konto."
+ 
+ #: passwd.1.xml:199(term)
+@@ -2728,7 +2728,7 @@
+ "password to a value which matches no possible encrypted value."
+ msgstr ""
+ "Lås angivet konto. Denna flagga inaktiverar ett konto genom att ändra "
+-"lösenordet till ett värde som inte matchar något möjligt krypterat vÃ¤rde."
+"lösenordet till ett värde som inte matchar något möjligt krypterat värde."
+ 
+ #: passwd.1.xml:222(term) chage.1.xml:109(term)
+ msgid ""
+@@ -2777,7 +2777,7 @@
+ "Första fältet är användarens inloggningsnamn. Det andra fältet indikerar om "
+ "användarkontot är låst (L), saknar lösenord (NP) eller har ett användbart "
+ "lösenord (P). Det tredje fältet anger datumet för senaste "
+-"lösenordsändringen. De nästa fyra fälten är minimal ålder, maximal Ã¥lder, "
+"lösenordsändringen. De nästa fyra fälten är minimal ålder, maximal ålder, "
+ "varningsperiod och inaktivitetsperiod för lösenordet. Dessa åldrar anges i "
+ "dagar."
+ 
+@@ -2791,8 +2791,8 @@
+ "password back to its previous value (to value before using <option>-l</"
+ "option> option)."
+ msgstr ""
+-"Lås upp angivet konto. Denna flagga återaktiverar ett konto genom att Ã¤ndra "
+-"tillbaka lösenordet till dess tidigare värde (till värdet före anvÃ¤ndning "
+"Lås upp angivet konto. Denna flagga återaktiverar ett konto genom att ändra "
+"tillbaka lösenordet till dess tidigare värde (till värdet före användning "
+ "av flaggan <option>-l</option>)."
+ 
+ #: passwd.1.xml:283(term)
+@@ -2811,7 +2811,7 @@
+ "about to expire."
+ msgstr ""
+ "Sätter antalet dagar för varning före ett lösenord behöver ändras. Flaggan "
+-"<replaceable>VARN_DAGAR</replaceable> är antalet dagar före anvÃ¤ndaren "
+"<replaceable>VARN_DAGAR</replaceable> är antalet dagar före användaren "
+ "varnas om att lösenordet är på väg att bli utgånget."
+ 
+ #: passwd.1.xml:296(term)
+@@ -2840,7 +2840,7 @@
+ "Inte alla flaggor kanske stöds. Kontroll av lösenordskomplexiteten kan "
+ "variera mellan olika system. Användare rekommenderas att välja ett lösenord "
+ "som är så komplext som han eller hon känner sig komfortabel med. Användare "
+-"kanske inte kan ändra sina lösenord på ett system om NIS Ã¤r aktiverat och "
+"kanske inte kan ändra sina lösenord på ett system om NIS är aktiverat och "
+ "de inte är inloggade mot NIS-servern."
+ 
+ #: passwd.1.xml:353(para) chage.1.xml:212(para)
+@@ -2900,8 +2900,8 @@
+ "available and exits non-zero. It is intended as a replacement shell field "
+ "for accounts that have been disabled."
+ msgstr ""
+-"<command>nologin</command> visar ett meddelande om att kontot inte är tillgÃ"
+-"¤ngligt och avslutas med icke-noll-status. Det är tänkt som ett ersÃ¤ttande "
+"<command>nologin</command> visar ett meddelande om att kontot inte är "
+"tillgängligt och avslutas med icke-noll-status. Det är tänkt som ett ersättande "
+ "skalfält för konton som har inaktiverats."
+ 
+ #: nologin.8.xml:27(para)
+@@ -4451,7 +4451,7 @@
+ "You may not remove the primary group of any existing user. You must remove "
+ "the user before you remove the group."
+ msgstr ""
+-"Du får inte ta bort den primära gruppen för någon existerande anvÃ¤ndare. Du "
+"Du får inte ta bort den primära gruppen för någon existerande användare. Du "
+ "måste ta bort användaren innan du tar bort gruppen."
+ 
+ #: groupdel.8.xml:80(para)
+@@ -5039,7 +5039,7 @@
+ "Remember to set permissions or umask to prevent readability of unencrypted "
+ "files by other users."
+ msgstr ""
+-"Kom ihåg att ställa in rättigheter eller umask för att förhindra lÃ¤sning av "
+"Kom ihåg att ställa in rättigheter eller umask för att förhindra läsning av "
+ "okrypterade filer för andra användare."
+ 
+ #: chpasswd.8.xml:86(para)
+@@ -5072,8 +5072,8 @@
+ "groups. Each line is of the format:"
+ msgstr ""
+ "<command>chgpasswd</command> läser en lista på gruppnamn och lösenordspar "
+-"från standard in och använder denna information för att uppdatera en uppsÃ"
+-"¤ttning redan existerande grupper. Varje rad är i formatet:"
+"från standard in och använder denna information för att uppdatera en "
+"uppsättning redan existerande grupper. Varje rad är i formatet:"
+ 
+ #: chgpasswd.8.xml:30(para)
+ msgid ""
@@ -0,0 +1,364 @@
+Goal: Complete the Simplified Chinese translation
+
+Fixes: #431287
+
+Status wrt upstream: Will be fixed in 4.0.18.2
+
+Index: shadow-4.0.18.1/po/zh_CN.po
+===================================================================
+--- shadow-4.0.18.1.orig/po/zh_CN.po	2007-07-01 22:51:55.575379963 +0200
+++ shadow-4.0.18.1/po/zh_CN.po	2007-07-01 22:52:28.073791000 +0200
+@@ -1,7 +1,7 @@
+ # Simplified Chinese translation to shadow
+ # This file is distributed under the same license as the shadow package.
+ # Copyright:
+-# Ming Hua <minghua@rice.edu>, 2005.
+# Ming Hua <minghua@ubuntu.com>, 2005,2006,2007.
+ # Carlos Z.F. Liu <carlosliu@users.sourceforge.net>, 2004,2006.
+ #
+ msgid ""
+@@ -9,8 +9,8 @@
+ "Project-Id-Version: shadow 4.0.15\n"
+ "Report-Msgid-Bugs-To: kloczek@pld.org.pl\n"
+ "POT-Creation-Date: 2006-07-26 22:30+0200\n"
+-"PO-Revision-Date: 2006-03-11 00:35+1300\n"
+-"Last-Translator: Carlos Z.F. Liu <carlosliu@users.sourceforge.net>\n"
+"PO-Revision-Date: 2007-07-01 06:36-0500\n"
+"Last-Translator: Ming Hua <minghua@ubuntu.com>\n"
+ "Language-Team: Debian Chinese [GB] <debian-chinese-gb@lists.debian.org>\n"
+ "MIME-Version: 1.0\n"
+ "Content-Type: text/plain; charset=UTF-8\n"
+@@ -139,9 +139,9 @@
+ msgid "Incorrect password for %s.\n"
+ msgstr "%s 的密码不正确。\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "Unable to cd to '%s'\n"
+-msgstr "无法进入“%s”目录\n"
+msgstr "无法 cd 进入“%s”\n"
+ 
+ msgid "No directory, logging in with HOME=/"
+ msgstr "没有目录，将以 HOME=/ 登录"
+@@ -150,11 +150,11 @@
+ msgid "Cannot execute %s"
+ msgstr "无法执行 %s"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "Invalid root directory '%s'\n"
+ msgstr "无效的根目录“%s”\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "Can't change root directory to '%s'\n"
+ msgstr "无法将根目录改变为“%s”\n"
+ 
+@@ -373,11 +373,11 @@
+ msgid "%s: Cannot determine your user name.\n"
+ msgstr "%s：无法确定您的用户名。\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: cannot change user '%s' on NIS client.\n"
+ msgstr "%s：不能在 NIS 客户端上修改用户“%s”。\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: '%s' is the NIS master for this client.\n"
+ msgstr "%s：“%s”是此客户端的 NIS 管理员。\n"
+ 
+@@ -385,23 +385,23 @@
+ msgid "Changing the user information for %s\n"
+ msgstr "正在改变 %s 的用户信息\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: invalid name: '%s'\n"
+ msgstr "%s：无效的名称：“%s”\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: invalid room number: '%s'\n"
+ msgstr "%s：无效的房间号码：“%s”\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: invalid work phone: '%s'\n"
+ msgstr "%s：无效的工作电话：“%s”\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: invalid home phone: '%s'\n"
+ msgstr "%s：无效的家庭电话：“%s”\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: '%s' contains illegal characters\n"
+ msgstr "%s：“%s”包含非法字符\n"
+ 
+@@ -540,6 +540,11 @@
+ "  -s, --shell SHELL\t\t\tnew login shell for the user account\n"
+ "\n"
+ msgstr ""
+"用法：chsh [选项] [LOGIN]\n"
+"\n"
+"选项：\n"
+"  -h, --help\t\t\t\t显示此帮助信息并退出\n"
+"  -s, --shell SHELL\t\t\t该用户帐号的新登录 shell\n"
+ 
+ msgid "Login Shell"
+ msgstr "登录 Shell"
+@@ -779,7 +784,7 @@
+ msgid "%s: unable to open shadow group file\n"
+ msgstr "%s：无法打开影子组文件\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: invalid numeric argument '%s'\n"
+ msgstr "%s：无效的数字参数“%s”\n"
+ 
+@@ -821,19 +826,19 @@
+ 
+ #, c-format
+ msgid "Member already exists\n"
+-msgstr ""
+msgstr "成员已经存在\n"
+ 
+ #, c-format
+ msgid "Member to remove could not be found\n"
+-msgstr ""
+msgstr "没有找到要删除的成员\n"
+ 
+ #, c-format
+ msgid "Usage: groupmems -a username | -d username | -D | -l [-g groupname]\n"
+-msgstr ""
+msgstr "用法：groupmems -a 用户名 | -d 用户名 | -D | -l [-g 组名]\n"
+ 
+ #, c-format
+ msgid "Only root can add members to different groups\n"
+-msgstr ""
+msgstr "只有 root 能向不同的组里添加成员\n"
+ 
+ #, c-format
+ msgid "Group access is required\n"
+@@ -843,21 +848,21 @@
+ msgid "Not primary owner of current group\n"
+ msgstr ""
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "PAM authentication failed for\n"
+-msgstr "%s：PAM 验证失败\n"
+msgstr "PAM 验证失败于\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "Unable to lock group file\n"
+-msgstr "%s：无法锁定组文件\n"
+msgstr "无法锁定组文件\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "Unable to open group file\n"
+-msgstr "%s：无法打开组文件\n"
+msgstr "无法打开组文件\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "Cannot close group file\n"
+-msgstr "%s：无法打开组文件\n"
+msgstr "无法关闭组文件\n"
+ 
+ #, fuzzy, c-format
+ msgid ""
+@@ -920,15 +925,15 @@
+ msgid "invalid group file entry\n"
+ msgstr "无效的组文件条目\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "delete line '%s'? "
+-msgstr "删除“%s”行？"
+msgstr "删除“%s”一行？"
+ 
+ #, c-format
+ msgid "duplicate group entry\n"
+ msgstr "复制组条目\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "invalid group name '%s'\n"
+ msgstr "无效的组名“%s”\n"
+ 
+@@ -936,13 +941,13 @@
+ msgid "group %s: no user %s\n"
+ msgstr "%s 组：无用户 %s\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "delete member '%s'? "
+-msgstr "删除用户成员“%s”吗？"
+msgstr "删除成员“%s”吗？"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "no matching group file entry in %s\n"
+-msgstr "没有找到匹配的组文件条目\n"
+msgstr "在 %s 中没有找到匹配的组文件条目\n"
+ 
+ #, fuzzy, c-format
+ msgid "add group '%s' in %s ?"
+@@ -1378,13 +1383,13 @@
+ msgid "user %s: program %s does not exist\n"
+ msgstr "用户 %s：程序 %s 不存在\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "no matching password file entry in %s\n"
+-msgstr "无匹配的密码文件项\n"
+msgstr "在 %s 中没有匹配的密码文件项\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "add user '%s' in %s? "
+-msgstr "%s 影子组：无用户 %s\n"
+msgstr ""
+ 
+ #, c-format
+ msgid "%s: can't update passwd entry for %s\n"
+@@ -1545,7 +1550,7 @@
+ msgid "%s: rename: %s"
+ msgstr "%s：改名：%s"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: group '%s' is a NIS group.\n"
+ msgstr "%s：“%s”组是一个 NIS 组。\n"
+ 
+@@ -1616,17 +1621,17 @@
+ msgid "%s: invalid base directory '%s'\n"
+ msgstr "%s：无效的主目录“%s”\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: invalid comment '%s'\n"
+-msgstr "%s：无效注释“%s”\n"
+msgstr "%s：无效的注释“%s”\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: invalid home directory '%s'\n"
+-msgstr "%s：无效的主目录“%s”\n"
+msgstr "%s：无效的家目录“%s”\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: invalid date '%s'\n"
+-msgstr "%s：无效日期“%s”\n"
+msgstr "%s：无效的日期“%s”\n"
+ 
+ #, c-format
+ msgid "%s: shadow passwords required for -e\n"
+@@ -1636,17 +1641,17 @@
+ msgid "%s: shadow passwords required for -f\n"
+ msgstr "%s：-f 参数需要有影子密码\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: invalid field '%s'\n"
+-msgstr "%s：无效字段 “%s”\n"
+msgstr "%s：无效的字段“%s”\n"
+ 
+-#, fuzzy, c-format
+#, c-format
+ msgid "%s: invalid shell '%s'\n"
+-msgstr "%s：无效 shell“%s”\n"
+msgstr "%s：无效的 shell“%s”\n"
+ 
+ #, c-format
+ msgid "%s: invalid user name '%s'\n"
+-msgstr "%s：无效用户名“%s”\n"
+msgstr "%s：无效的用户名“%s”\n"
+ 
+ #, c-format
+ msgid "%s: cannot rewrite password file\n"
+@@ -1701,15 +1706,15 @@
+ msgstr "%s：无法创建目录 %s\n"
+ 
+ msgid "Creating mailbox file"
+-msgstr ""
+msgstr "正在创建信箱文件"
+ 
+ #, c-format
+ msgid ""
+ "Group 'mail' not found. Creating the user mailbox file with 0600 mode.\n"
+-msgstr ""
+msgstr "没有找到“mail”组。以 0600 权限模式创建用户的信箱文件。\n"
+ 
+ msgid "Setting mailbox file permissions"
+-msgstr ""
+msgstr "正在设置信箱文件访问权限"
+ 
+ #, c-format
+ msgid "%s: user %s exists\n"
+@@ -1947,3 +1952,59 @@
+ #, c-format
+ msgid "%s: can't restore %s: %s (your changes are in %s)\n"
+ msgstr "%s：无法恢复 %s：%s (您的修改在 %s 中)\n"
+
+#~ msgid "Usage: %s [-s shell] [name]\n"
+#~ msgstr "用法：%s [-s shell] [名称]\n"
+
+#~ msgid "%s: invalid group %s\n"
+#~ msgstr "%s：无效组名 %s\n"
+
+#~ msgid "Usage: groupmod [-g gid [-o]] [-n name] group\n"
+#~ msgstr "用法：groupmod [-g gid [-o]] [-n 名称] 组\n"
+
+#~ msgid ""
+#~ "No group named \"mail\" exists, creating mail spool with mode 0600.\n"
+#~ msgstr "不存在叫做“mail”的组，将以 0600 的文件权限创建邮件 spool。\n"
+
+#~ msgid "Can't create mail spool for user %s.\n"
+#~ msgstr "不能为用户 %s 创建邮件 spool。\n"
+
+#~ msgid "Usage: %s [-r] name\n"
+#~ msgstr "用法：%s [-r] 名称\n"
+
+#~ msgid ""
+#~ "\n"
+#~ "Login incorrect\n"
+#~ msgstr ""
+#~ "\n"
+#~ "登录错误\n"
+
+#, fuzzy
+#~ msgid ""
+#~ "Usage:\n"
+#~ "`vipw' edits /etc/passwd        `vipw -s' edits /etc/shadow\n"
+#~ "`vigr' edits /etc/group         `vigr -s' edits /etc/gshadow\n"
+#~ "`{vipw|vigr} -q' quiet mode\n"
+#~ msgstr ""
+#~ "用法：\n"
+#~ "“vipw” 编辑 /etc/passwd      “vipw -s” 编辑 /etc/shadow\n"
+#~ "“vigr” 编辑 /etc/group       “vigr -s” 编辑 /etc/gshadow\n"
+
+#~ msgid "%s: PAM chauthtok failed\n"
+#~ msgstr "%s：PAM chauthtok 失败\n"
+
+#~ msgid "%s: Cannot execute %s"
+#~ msgstr "%s：无法执行 %s"
+
+#, fuzzy
+#~ msgid "Usage: %s\t[-u uid [-o]] [-g group] [[-G group,...] [-a]] \n"
+#~ msgstr "用法：%s\t[-u uid [-o]] [-g 组] [-G 组,...] \n"
+
+#~ msgid "\t\t[-d home [-m]] [-s shell] [-c comment] [-l new_name]\n"
+#~ msgstr "\t\t[-d 主目录 [-m]] [-s shell] [-c 注释] [-l 新名称]\n"
+
+#~ msgid "[-f inactive] [-e expire] "
+#~ msgstr "[-f 失效日] [-e 过期日] "
+
+#~ msgid "[-p passwd] [-L|-U] name\n"
+#~ msgstr "[-p 密码] [-L|-U] 名称\n"
@@ -0,0 +1,23 @@
+Goal: Fix translation error in su(1)
+
+Fixes: 
+
+Note: Noticed by nekral and bubulle at Debconf7
+
+Status wrt upstream: should be forwarded
+
+Index: shadow-4.0.18.1/man/fr/fr.po
+===================================================================
+--- shadow-4.0.18.1.orig/man/fr/fr.po	2007-06-18 18:17:21.328221144 +0200
+++ shadow-4.0.18.1/man/fr/fr.po	2007-06-18 18:18:36.324402669 +0200
+@@ -1764,8 +1764,8 @@
+ "Si l'utilisateur cible possède un interpréteur de commande restreint (par "
+ "exemple, le champ de l'interpréteur de commande dans <filename>/etc/passwd</"
+ "filename> n'est pas renseigné dans <filename>/etc/shell</filename>), alors, "
+-"l'option <option>--shell</option> de la variable d'environnement <envar>"
+-"$SHELL</envar> ne sera pas prise en compte à moins que <command>su</command> "
+"ni l'option <option>--shell</option> ni la variable d'environnement <envar>"
+"$SHELL</envar> ne seront prises en compte à moins que <command>su</command> "
+ "ne soit appelé par le superutilisateur."
+ 
+ #: su.1.xml:152(term)
@@ -0,0 +1,19 @@
+Goal: fix a typo in passwd.1
+
+Fixes: #383216
+
+Status wrt upstream: Fix in CVS. Patch added only for etch branch
+
+Index: shadow-4.0.18.1/man/passwd.1.xml
+===================================================================
+--- shadow-4.0.18.1.orig/man/passwd.1.xml	2006-09-17 12:25:23.823581651 +0200
+++ shadow-4.0.18.1/man/passwd.1.xml	2006-09-17 12:25:29.707628421 +0200
+@@ -201,7 +201,7 @@
+ 	</term>
+ 	<listitem>
+ 	  <para>
+-	    Indicate change password should be performed only for expired
+	    Indicate password change should be performed only for expired
+ 	    authentication tokens (passwords). The user wishes to keep their
+ 	    non-expired tokens as before.
+ 	  </para>
@@ -0,0 +1,22 @@
+Goal: Mention sg(1) in su(1)
+
+Fixes: #396690
+
+Note: 
+
+Status wrt upstream: Applied in CVS
+
+Index: shadow-4.0.18.1/man/su.1.xml
+===================================================================
+--- shadow-4.0.18.1.orig/man/su.1.xml	2007-06-17 07:30:14.492480422 +0200
+++ shadow-4.0.18.1/man/su.1.xml	2007-06-17 07:31:15.989379347 +0200
+@@ -199,6 +199,9 @@
+ 	<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
+       </citerefentry>,
+       <citerefentry>
+	<refentrytitle>sg</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+ 	<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
+       </citerefentry>
+     </para>
@@ -0,0 +1,88 @@
+Goal: Fix some wording in su(1)
+
+Fixes: 
+
+Note: 
+
+Status wrt upstream: Applied in CVS
+
+Index: shadow-4.0.18.1/man/su.1.xml
+===================================================================
+--- shadow-4.0.18.1.orig/man/su.1.xml	2007-06-17 07:30:14.492480422 +0200
+++ shadow-4.0.18.1/man/su.1.xml	2007-06-17 07:31:15.989379347 +0200
+@@ -1,6 +1,6 @@
+ <?xml version="1.0" encoding="UTF-8"?>
+ <refentry id='su.1'>
+-  <!--  $Id: su.1.xml,v 1.26 2006/07/18 17:02:01 kloczek Exp $ -->
+  <!--  $Id: su.1.xml,v 1.30 2006/11/12 19:20:34 kloczek Exp $ -->
+   <refmeta>
+     <refentrytitle>su</refentrytitle>
+     <manvolnum>1</manvolnum>
+@@ -8,7 +8,7 @@
+   </refmeta>
+   <refnamediv id='name'>
+     <refname>su</refname>
+-    <refpurpose>change user ID or become super-user</refpurpose>
+    <refpurpose>change user ID or become superuser</refpurpose>
+   </refnamediv>
+   <refsynopsisdiv id='synopsis'>
+     <cmdsynopsis>
+@@ -27,10 +27,10 @@
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+     <para>
+-      <command>su</command> is used to become another user during a login
+-      session. Invoked without a <option>username</option>, 
+      The <command>su</command> command is used to become another user during
+      a login session. Invoked without a <option>username</option>, 
+       <command>su</command> defaults to
+-      becoming the super user. The optional argument <option>-</option> may
+      becoming the superuser. The optional argument <option>-</option> may
+       be used to provide an environment similar to what the user would
+       expect had the user logged in directly.
+     </para>
+@@ -58,7 +58,7 @@
+       The current environment is passed to the new shell. The value of
+       <envar>$PATH</envar> is reset to <filename>/bin:/usr/bin</filename>
+       for normal users, or <filename>/sbin:/bin:/usr/sbin:/usr/bin</filename>
+-      for the super user. This may be changed with the
+      for the superuser. This may be changed with the
+       <emphasis>ENV_PATH</emphasis> and <emphasis>ENV_SUPATH</emphasis>
+       definitions in <filename>/etc/login.defs</filename>.
+     </para>
+@@ -78,7 +78,7 @@
+       <varlistentry>
+ 	<term>
+ 	  <option>-c</option>, <option>--command</option>
+-	  <replaceable>SHELL</replaceable>
+	  <replaceable>COMMAND</replaceable>
+ 	</term>
+ 	<listitem>
+ 	  <para>
+@@ -112,10 +112,10 @@
+ 	<listitem>
+ 	  <para>The shell that will be invoked.</para>
+ 	  <para>
+-	    The invoked shell is choosen among (higest priority first):
+	    The invoked shell is chosen from (highest priority first):
+ 	    <itemizedlist>
+ 	      <listitem>
+-		<para>The shell specified with --shell</para>
+		<para>The shell specified with --shell.</para>
+ 	      </listitem>
+ 	      <listitem>
+ 		<para>
+@@ -141,10 +141,10 @@
+ 	  <para>
+ 	    If the target user has a restricted shell (i.e. the shell field of
+ 	    this user's entry in <filename>/etc/passwd</filename> is not
+-	    specified in <filename>/etc/shell</filename>), then the
+	    listed in <filename>/etc/shell</filename>), then the
+ 	    <option>--shell</option> option or the <envar>$SHELL</envar>
+-	    environment variable won't be taken into account unless
+-	    <command>su</command> is called by the root.
+	    environment variable won't be taken into account, unless
+	    <command>su</command> is called by root.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
@@ -0,0 +1,43 @@
+Goal: allow non numerical group identifier to be specified with useradd's
+      and usermod's -g options
+
+Fixes: #381394, #381399, #381404, #381408, #381448
+
+Status wrt upstream: Applied in CVS
+
+Index: shadow-4.0.18.1/src/useradd.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/useradd.c	2006-09-17 12:25:16.499523435 +0200
+++ shadow-4.0.18.1/src/useradd.c	2006-09-17 12:25:28.379617865 +0200
+@@ -206,11 +206,8 @@
+ 	char *errptr;
+ 
+ 	gid = strtol (grname, &errptr, 10);
+-	if (*errptr || errno == ERANGE || gid < 0) {
+-		fprintf (stderr,
+-			 _("%s: invalid numeric argument '%s'\n"), Prog, grname);
+-		exit (E_BAD_ARG);
+-	}
+	if (*grname != '\0' && *errptr == '\0' && errno != ERANGE && gid >= 0)
+		return getgrgid (gid);
+ 	return getgrnam (grname);
+ }
+ 
+Index: shadow-4.0.18.1/src/usermod.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/usermod.c	2006-09-17 12:25:24.475586833 +0200
+++ shadow-4.0.18.1/src/usermod.c	2006-09-17 12:25:28.383617897 +0200
+@@ -167,11 +167,8 @@
+ 	char *errptr;
+ 
+ 	val = strtol (grname, &errptr, 10);
+-	if (*errptr || errno == ERANGE || val < 0) {
+-		fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), Prog,
+-			 grname);
+-		exit (E_BAD_ARG);
+-	}
+	if (*grname != '\0' && *errptr == '\0' && errno != ERANGE && val >= 0)
+		return getgrgid (val);
+ 	return getgrnam (grname);
+ }
+ 
@@ -0,0 +1,242 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 401_cppw_src.dpatch by  Nicolas FRANCOIS <nicolas.francois@centraliens.net>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add cppw / cpgr
+
+@DPATCH@
+Index: shadow-4.0.18.1/src/cppw.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ shadow-4.0.18.1/src/cppw.c	2006-10-21 13:45:56.000000000 +0200
+@@ -0,0 +1,198 @@
+/*
+  cppw, cpgr  copy with locking given file over the password or group file
+  with -s will copy with locking given file over shadow or gshadow file
+ 
+  Copyright (C) 1999 Stephen Frost <sfrost@snowman.net>
+
+  Based on vipw, vigr by:
+  Copyright (C) 1997 Guy Maor <maor@ece.utexas.edu>
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 2 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+  */
+
+#include <config.h>
+#include "defines.h"
+
+#include <errno.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <utime.h>
+#include "prototypes.h"
+#include "pwio.h"
+#include "shadowio.h"
+#include "groupio.h"
+#include "sgroupio.h"
+
+
+static const char *progname, *filename, *filenewname;
+static int filelocked = 0;
+static int (*unlock)();
+
+/* local function prototypes */
+static int create_backup_file (FILE *, const char *, struct stat *);
+static void cppwexit (const char *, int, int);
+static void cppwcopy (const char *, const char *, int (*) (void), int (*) (void));
+int main (int, char **);
+
+static int
+create_backup_file(FILE *fp, const char *backup, struct stat *sb)
+{
+  struct utimbuf ub;
+  FILE *bkfp;
+  int c;
+  mode_t mask;
+
+  mask = umask(077);
+  bkfp = fopen(backup, "w");
+  umask(mask);
+  if (!bkfp) return -1;
+
+  rewind(fp);
+  while ((c = getc(fp)) != EOF) {
+    if (putc(c, bkfp) == EOF) break;
+  }
+
+  if (c != EOF || fflush(bkfp)) {
+    fclose(bkfp);
+    unlink(backup);
+    return -1;
+  }
+  if (fclose(bkfp)) {
+    unlink(backup);
+    return -1;
+  }
+
+  ub.actime = sb->st_atime;
+  ub.modtime = sb->st_mtime;
+  if (utime(backup, &ub) ||
+      chmod(backup, sb->st_mode) ||
+      chown(backup, sb->st_uid, sb->st_gid)) {
+    unlink(backup);
+    return -1;
+  }
+  return 0;
+}
+
+static void
+cppwexit(const char *msg, int syserr, int ret)
+{
+  int err = errno;
+  if (filelocked) (*unlock)();
+  if (msg) fprintf(stderr, "%s: %s", progname, msg);
+  if (syserr) fprintf(stderr, ": %s", strerror(err));
+  fprintf(stderr, "\n%s: %s is unchanged\n", progname, filename);
+  exit(ret);
+}
+
+static void
+cppwcopy(const char *file, const char *in_file, int (*file_lock) (void), int (*file_unlock) (void))
+{
+  struct stat st1;
+  FILE *f;
+  char filenew[1024];
+
+  snprintf(filenew, sizeof filenew, "%s.new", file);
+  unlock = file_unlock;
+  filename = file;
+  filenewname = filenew;
+  
+  if (access(file, F_OK)) cppwexit(file, 1, 1);
+  if (!file_lock()) cppwexit("Couldn't lock file", errno, 5);
+  filelocked = 1;
+
+  /* file to copy has same owners, perm */
+  if (stat(file, &st1)) cppwexit(file, 1, 1);
+  if (!(f = fopen(in_file, "r"))) cppwexit(file, 1, 1);
+  if (create_backup_file(f, filenew, &st1))
+    cppwexit("Couldn't make backup", errno, 1);
+  
+  /* XXX - here we should check filenew for errors; if there are any,
+     fail w/ an appropriate error code and let the user manually fix
+     it. Use pwck or grpck to do the check.  - Stephen (Shamelessly
+     stolen from '--marekm's comment) */
+
+  if (rename(filenew, file) == -1) {
+    fprintf(stderr, "%s: can't copy %s: %s)\n",
+	    progname, filenew, strerror(errno));
+    cppwexit(0,0,1);
+  }
+
+  (*file_unlock)();
+}
+
+
+int
+main(int argc, char **argv)
+{
+  int flag;
+  int cpshadow = 0;
+  char *in_file;
+  char *c;
+  int e = 1;
+  int do_cppw;
+
+  progname = ((c = strrchr(*argv, '/')) ? c+1 : *argv);
+  do_cppw = (strcmp(progname, "cpgr") != 0);
+
+  while ((flag = getopt(argc, argv, "ghps")) != EOF) {
+    switch (flag) {
+    case 'p':
+      do_cppw = 1;
+      break;
+    case 'g':
+      do_cppw = 0;
+      break;
+    case 's':
+      cpshadow = 1;
+      break;
+    case 'h':
+      e = 0;
+    default:
+      printf("Usage:\n\
+`cppw <file>' copys over /etc/passwd   `cppw -s <file>' copys over /etc/shadow\n\
+`cpgr <file>' copys over /etc/group    `cpgr -s <file>' copys over /etc/gshadow\n\
+");
+      exit(e);
+    }
+  }
+
+  if (optind >= argc) {
+    cppwexit ("missing file argument, -h for usage",0,1);
+  }
+
+  in_file = argv[argc - 1];
+
+  if (do_cppw) {
+    if (cpshadow)
+      cppwcopy(SHADOW_FILE, in_file, spw_lock, spw_unlock);
+    else
+      cppwcopy(PASSWD_FILE, in_file, pw_lock, pw_unlock);
+  }
+  else {
+#ifdef SHADOWGRP
+    if (cpshadow)
+      cppwcopy(SGROUP_FILE, in_file, sgr_lock, sgr_unlock);
+    else
+#endif
+      cppwcopy(GROUP_FILE, in_file, gr_lock, gr_unlock);
+  }
+
+  return 0;
+}
+Index: shadow-4.0.18.1/src/Makefile.am
+===================================================================
+--- shadow-4.0.18.1.orig/src/Makefile.am	2006-10-21 13:45:26.000000000 +0200
+++ shadow-4.0.18.1/src/Makefile.am	2006-10-21 13:45:40.000000000 +0200
+@@ -24,6 +24,7 @@
+ sbin_PROGRAMS  = nologin
+ ubin_PROGRAMS  = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
+ usbin_PROGRAMS = \
+	cppw \
+ 	chgpasswd \
+ 	chpasswd \
+ 	groupadd \
+@@ -58,6 +59,7 @@
+ chgpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX)
+ chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX)
+ chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX)
+cppw_LDADD     = $(LDADD) $(LIBSELINUX)
+ gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX)
+ groupadd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
+ groupdel_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
+Index: shadow-4.0.18.1/po/POTFILES.in
+===================================================================
+--- shadow-4.0.18.1.orig/po/POTFILES.in	2006-10-21 13:45:26.000000000 +0200
+++ shadow-4.0.18.1/po/POTFILES.in	2006-10-21 13:45:40.000000000 +0200
+@@ -61,6 +61,7 @@
+ src/chgpasswd.c
+ src/chpasswd.c
+ src/chsh.c
+src/cppw.c
+ src/expiry.c
+ src/faillog.c
+ src/gpasswd.c
@@ -0,0 +1,31 @@
+Goal: Clarify the online help of usermod
+
+Fix: #363033
+
+Author: Christian Perrier <bubulle@debian.org>
+
+Status wrt upstream: forwarded but not applied yet
+
+Index: shadow-4.0.18.1/src/usermod.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/usermod.c	2006-09-17 12:17:58.256039482 +0200
+++ shadow-4.0.18.1/src/usermod.c	2006-09-17 12:18:11.400143989 +0200
+@@ -279,8 +279,6 @@
+ 	fprintf (stderr, _("Usage: usermod [options] LOGIN\n"
+ 			   "\n"
+ 			   "Options:\n"
+-			   "  -a, --append			append the user to the supplemental GROUPS\n"
+-			   "				(use only with -G)\n"
+ 			   "  -c, --comment COMMENT		new value of the GECOS field\n"
+ 			   "  -d, --home HOME_DIR		new home directory for the user account\n"
+ 			   "  -e, --expiredate EXPIRE_DATE	set account expiration date to EXPIRE_DATE\n"
+@@ -288,6 +286,9 @@
+ 			   "				to INACTIVE\n"
+ 			   "  -g, --gid GROUP		force use GROUP as new primary group\n"
+ 			   "  -G, --groups GROUPS		new list of supplementary GROUPS\n"
+			   "  -a, --append		append the user to the supplemental GROUPS\n"
+			   "				mentioned by the -G option without removing\n"
+			   "				him/her from other groups\n"
+ 			   "  -h, --help			display this help message and exit\n"
+ 			   "  -l, --login NEW_LOGIN		new value of the login name\n"
+ 			   "  -L, --lock			lock the user account\n"
@@ -0,0 +1,46 @@
+Goal: Fix FTBFS on Hurd because PATH-MAX is undefined
+
+Fix: #372155
+
+Author: Michael Banck  <mbanck@debian.org>
+
+Status wrt upstream: should be forwarded
+
+Index: shadow-4.0.18.1/lib/commonio.c
+===================================================================
+--- shadow-4.0.18.1/lib/commonio.c.orig	2006-12-07 06:57:01.000000000 +0000
+++ shadow-4.0.18.1/lib/commonio.c	2006-12-07 06:57:40.000000000 +0000
+@@ -46,17 +47,31 @@
+ int lrename (const char *old, const char *new)
+ {
+ 
+#ifdef PATH_MAX
+ 	char resolved_path[PATH_MAX];
+#endif
+	char *r;
+ 	int res;
+ 
+ #if defined(S_ISLNK)
+ 	struct stat sb = { 0 };
+ 	if (lstat (new, &sb) == 0 && S_ISLNK (sb.st_mode)) {
+-		if (realpath (new, resolved_path) == NULL) {
+#ifndef PATH_MAX
+		r = realpath (new, NULL);
+#else
+		r = realpath (new, resolved_path);
+#endif
+		if (r == NULL) {
+#ifndef PATH_MAX
+			free (r);
+#endif
+ 			perror ("realpath in lrename()");
+ 		} else {
+-			new = resolved_path;
+			new = r;
+ 		}
+#ifndef PATH_MAX
+	free (r);
+#endif
+ 	}
+ #endif
+ 	res = rename (old, new);
@@ -0,0 +1,19 @@
+Goal: Fix an error in the passwd.1 French translation
+
+Fixes: #395537
+
+Status wrt upstream: Should be forwarded
+
+Index: shadow-4.0.18.1/man/fr/fr.po
+===================================================================
+--- shadow-4.0.18.1.orig/man/fr/fr.po	2006-10-28 07:23:12.651916379 +0200
+++ shadow-4.0.18.1/man/fr/fr.po	2006-10-28 07:23:41.768138592 +0200
+@@ -3333,7 +3333,7 @@
+ #: passwd.1.xml:377(para)
+ msgid "<filename>passwd</filename> file busy, try again"
+ msgstr ""
+-"fichier <filename>passwdw/filename> en cours d'utilisation, veuillez "
+"fichier <filename>passwd</filename> en cours d'utilisation, veuillez "
+ "réessayer plus tard"
+ 
+ #: passwd.1.xml:341(para)
@@ -0,0 +1,29 @@
+Goal: Avoid terminating the PAM library in the forked child. This is done
+      later in the parent after closing the PAM session.
+
+Note: OR'ing the status with PAM_DATA_SILENT should be sufficient, but it
+is not supported by some modules, and the pam_end is not strictly needed
+anyway.
+
+Fixes: #412061
+
+Status wrt upstream: not reported yet.
+
+Index: shadow-4.0.18.1/src/su.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/su.c	2007-02-25 14:22:54.000000000 +0100
+++ shadow-4.0.18.1/src/su.c	2007-02-25 14:29:01.000000000 +0100
+@@ -197,7 +197,12 @@
+ 
+ 	child = fork ();
+ 	if (child == 0) {	/* child shell */
+-		pam_end (pamh, PAM_SUCCESS);
+		/*
+		 * PAM_DATA_SILENT is not supported by some modules, and
+		 * there is no strong need to clean up the process space's
+		 * memory since we will either call exec or exit.
+		pam_end (pamh, PAM_SUCCESS | PAM_DATA_SILENT);
+		 */
+ 
+ 		if (doshell)
+ 			(void) shell (shellstr, (char *) args[0], envp);
@@ -0,0 +1,21 @@
+Goal: Resume properly after ^Z
+
+Fix: #414542
+
+Author: dean gaudet <dean@arctic.org>
+
+Status wrt upstream: should be forwarded
+
+Index: shadow-4.0.18.1/src/vipw.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/vipw.c	2007-04-15 14:10:37.522147236 +0200
+++ shadow-4.0.18.1/src/vipw.c	2007-04-15 14:11:09.146401712 +0200
+@@ -208,7 +208,7 @@
+ 		pid = waitpid (pid, &status, WUNTRACED);
+ 		if (WIFSTOPPED (status)) {
+ 			kill (getpid (), SIGSTOP);
+-			kill (getpid (), SIGCONT);
+			kill (pid, SIGCONT);
+ 		} else
+ 			break;
+ 	}
@@ -0,0 +1,78 @@
+Goal: Document the creation of primary user groups.
+      Add the -n option to disable this behavior.
+
+Fixes: #416835
+
+Status wrt upstream: not reported yet.
+
+Notes:
+  * The nflg variable already existed, but was never set.
+
+  * This could also be done by just specifying that the -g's argument is
+    optional. As -n is already implemented in RedHat, it may be better
+    for compatibility to keep it.
+
+  * The debian/useradd.default file had to be updated to reflect these
+    changes.
+
+Index: shadow-4.0.18.1/man/useradd.8.xml
+===================================================================
+--- shadow-4.0.18.1.orig/man/useradd.8.xml	2007-04-15 16:16:36.000000000 +0200
+++ shadow-4.0.18.1/man/useradd.8.xml	2007-04-15 16:49:17.000000000 +0200
+@@ -134,8 +134,7 @@
+ 	  <para>
+ 	    The group name or number of the user's initial login group. The
+ 	    group name must exist. A group number must refer to an already
+-	    existing group. The default group number is 1 or whatever is
+-	    specified in <filename>/etc/default/useradd</filename>.
+	    existing group.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -184,6 +183,23 @@
+       </varlistentry>
+       <varlistentry>
+ 	<term>
+	  <option>-n</option>
+	</term>
+	<listitem>
+	  <para>
+	    A group having the same name as the user being added to the
+	    system will be created by default (when <option>-g</option> is
+	    not specified). This option will turn off this behavior. When
+	    this option is used, users by default will be placed in
+	    whatever group is specified in the
+	    <replaceable>GROUP</replaceable> variable of
+	    <filename>/etc/default/useradd</filename>. If no default group
+	    is defined, group 100 (users) will be used.
+	  </para>
+	</listitem>
+      </varlistentry>
+      <varlistentry>
+	<term>
+ 	  <option>-K</option>, <option>--key</option>
+ 	  <replaceable>KEY</replaceable>=<replaceable>VALUE</replaceable>
+ 	</term>
+Index: shadow-4.0.18.1/src/useradd.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/useradd.c	2007-04-15 16:15:22.000000000 +0200
+++ shadow-4.0.18.1/src/useradd.c	2007-04-15 16:16:11.000000000 +0200
+@@ -1036,7 +1036,7 @@
+ 			{NULL, 0, NULL, '\0'}
+ 		};
+ 		while ((c =
+-			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:O:K:mMop:rs:u:",
+			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:O:K:mMnop:rs:u:",
+ 				     long_options, NULL)) != -1) {
+ 			switch (c) {
+ 			case 'b':
+@@ -1177,6 +1177,9 @@
+ 			case 'm':
+ 				mflg++;
+ 				break;
+			case 'n':
+				nflg++;
+				break;
+ 			case 'o':
+ 				oflg++;
+ 				break;
@@ -0,0 +1,24 @@
+Goal: Check the passwd arguments and fail with the usage message if there
+      are more than one non option arguments (i.e. usernames).
+
+Fixes: #410268
+
+Status wrt upstream: not reported yet.
+
+Index: shadow-4.0.18.1/src/passwd.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/passwd.c	2007-04-15 17:49:31.000000000 +0200
+++ shadow-4.0.18.1/src/passwd.c	2007-04-15 17:52:38.000000000 +0200
+@@ -740,6 +740,12 @@
+ 		name = myname;
+ 
+ 	/*
+	 * Make sure that at most one username was specified.
+	 */
+	if (argc > optind+1)
+		usage (E_USAGE);
+
+	/*
+ 	 * The -a flag requires -S, no other flags, no username, and
+ 	 * you must be root.  --marekm
+ 	 */
@@ -0,0 +1,239 @@
+Goal: Build the translated man pages at build time.
+
+Note: Translators must list the manpages which are translated in the
+man_MANS (and man_nopam) variables.
+
+Status wrt upstream: not reported yet.
+
+Index: shadow-4.0.18.1/man/Makefile.am
+===================================================================
+--- shadow-4.0.18.1.orig/man/Makefile.am	2007-05-17 13:50:42.000000000 +0200
+++ shadow-4.0.18.1/man/Makefile.am	2007-05-17 13:50:43.000000000 +0200
+@@ -114,141 +114,20 @@
+ 
+ if ENABLE_REGENERATE_MAN
+ 
+-chage.1: chage.1.xml
+%: %.xml
+ 	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+ 
+-chfn.1: chfn.1.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-chgpasswd.8: chgpasswd.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-chpasswd.8: chpasswd.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-chsh.1: chsh.1.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-expiry.1: expiry.1.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-faillog.5: faillog.5.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-faillog.8: faillog.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-gpasswd.1: gpasswd.1.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-groupadd.8: groupadd.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-groupdel.8: groupdel.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-groupmems.8: groupmems.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-groupmod.8: groupmod.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-groups.1: groups.1.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-grpck.8: grpck.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-gshadow.5: gshadow.5.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-id.1: id.1.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-lastlog.8: lastlog.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-limits.5: limits.5.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+grpconv.8 grpunconv.8 pwunconv.8: pwconv.8
+ 
+-login.1: login.1.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+getspnam.3: shadow.3
+ 
+-login.access.5: login.access.5.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+vigr.8: vipw.8
+ 
+-login.defs.5: login.defs.5.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-logoutd.8: logoutd.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-newgrp.1: newgrp.1.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-newusers.8: newusers.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-nologin.8: nologin.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-passwd.1: passwd.1.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-passwd.5: passwd.5.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-porttime.5: porttime.5.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-pwck.8: pwck.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-grpconv.8 grpunconv.8 pwconv.8 pwunconv.8: pwconv.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-shadow.3 getspnam.3: shadow.3.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-shadow.5: shadow.5.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-sg.1: sg.1.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-su.1: su.1.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-sulogin.8: sulogin.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-suauth.5: suauth.5.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-useradd.8: useradd.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-userdel.8: userdel.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-usermod.8: usermod.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-vigr.8 vipw.8: vipw.8.xml
+-	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+-
+-CLEANFILES = $(man_MANS) $(ALL_TRANSLATED_XMLS)
+CLEANFILES = $(man_MANS)
+ 
+ POFILES = $(foreach lang, $(LINGUAS), $(lang)/$(lang).po)
+-ALL_TRANSLATED_XMLS = $(foreach dir, $(LINGUAS), $(foreach xmlfile, $(man_XMANS), $(dir)/$(xmlfile)))
+-
+-all: $(POFILES) $(ALL_TRANSLATED_XMLS)
+-
+-gen-xmls: $(ALL_TRANSLATED_XMLS)
+ 
+-$(ALL_TRANSLATED_XMLS): $(man_XMANS)
+-	xml2po -l $(strip $(subst /,, $(dir $@))) -p $(strip $(subst /,, $(dir $@)))/$(strip $(subst /,, $(dir $@))).po -o $@ $(notdir $@)
+-	sed -i 's:\(^<refentry .*\)>:\1 lang="$(strip $(subst /,, $(dir $@)))">:' $@
+all: $(POFILES)
+ 
+ $(POFILES): shadow-man-pages.pot
+ 
+Index: shadow-4.0.18.1/man/de/Makefile.am
+===================================================================
+--- shadow-4.0.18.1.orig/man/de/Makefile.am	2006-08-03 12:00:56.000000000 +0200
+++ shadow-4.0.18.1/man/de/Makefile.am	2007-05-17 13:50:43.000000000 +0200
+@@ -13,3 +13,6 @@
+ 	vipw.8
+ 
+ EXTRA_DIST = $(man_MANS)
+
+include ../generate_translations.mak
+
+Index: shadow-4.0.18.1/man/fr/Makefile.am
+===================================================================
+--- shadow-4.0.18.1.orig/man/fr/Makefile.am	2006-08-03 12:25:46.000000000 +0200
+++ shadow-4.0.18.1/man/fr/Makefile.am	2007-05-17 15:43:17.000000000 +0200
+@@ -53,3 +53,6 @@
+ EXTRA_DIST = \
+ 	$(man_MANS) \
+ 	$(man_nopam)
+
+include ../generate_translations.mak
+
+Index: shadow-4.0.18.1/man/generate_translations.mak
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ shadow-4.0.18.1/man/generate_translations.mak	2007-05-17 15:44:34.000000000 +0200
+@@ -0,0 +1,20 @@
+if ENABLE_REGENERATE_MAN
+
+LANG=$(notdir $(CURDIR))
+
+%.xml: ../%.xml $(LANG).po
+	xml2po -l $(LANG) -p $(LANG).po -o $@ ../$@
+	sed -i 's:\(^<refentry .*\)>:\1 lang="$(LANG)">:' $@
+
+%: %.xml
+	$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+
+grpconv.8 grpunconv.8 pwunconv.8: pwconv.8
+
+getspnam.3: shadow.3
+
+vigr.8: vipw.8
+
+CLEANFILES = .xml2po.mo $(man_MANS) $(addsuffix .xml,$(man_MANS))
+
+endif
+Index: shadow-4.0.18.1/man/pl/Makefile.am
+===================================================================
+--- shadow-4.0.18.1.orig/man/pl/Makefile.am	2006-08-03 12:08:58.000000000 +0200
+++ shadow-4.0.18.1/man/pl/Makefile.am	2007-05-17 13:50:43.000000000 +0200
+@@ -53,3 +53,6 @@
+ 	id.1 \
+ 	shadow.3 \
+ 	sulogin.8
+
+include ../generate_translations.mak
+
+Index: shadow-4.0.18.1/man/ru/Makefile.am
+===================================================================
+--- shadow-4.0.18.1.orig/man/ru/Makefile.am	2006-08-03 12:09:45.000000000 +0200
+++ shadow-4.0.18.1/man/ru/Makefile.am	2007-05-17 13:50:43.000000000 +0200
+@@ -58,3 +58,6 @@
+ 	$(man_nopam) \
+ 	id.1 \
+ 	sulogin.8
+
+include ../generate_translations.mak
+
+Index: shadow-4.0.18.1/man/sv/Makefile.am
+===================================================================
+--- shadow-4.0.18.1.orig/man/sv/Makefile.am	2007-05-17 13:50:41.000000000 +0200
+++ shadow-4.0.18.1/man/sv/Makefile.am	2007-05-17 13:50:43.000000000 +0200
+@@ -55,3 +55,6 @@
+ EXTRA_DIST = \
+ 	$(man_MANS) \
+ 	$(man_nopam)
+
+include ../generate_translations.mak
+
@@ -0,0 +1,23 @@
+Goal: Mention sg(1) in newgrp(1)
+
+Fixes: #396690
+
+Note: 
+
+Status wrt upstream: not applied yet. Tomasz applied the same for
+                     su(1) but not for newgrp(1)
+
+Index: shadow-4.0.18.1/man/newgrp.1.xml
+===================================================================
+--- shadow-4.0.18.1.orig/man/newgrp.1.xml	2007-06-17 07:37:04.471806587 +0200
+++ shadow-4.0.18.1/man/newgrp.1.xml	2007-06-17 07:37:32.970369504 +0200
+@@ -93,6 +93,9 @@
+ 	<refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
+       </citerefentry>,
+       <citerefentry>
+	<refentrytitle>sg</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+ 	<refentrytitle>gpasswd</refentrytitle><manvolnum>1</manvolnum>
+       </citerefentry>,
+       <citerefentry>
@@ -0,0 +1,26 @@
+Goal: Document that chpasswd foes not use PAM.
+Fixes: #396726
+
+Status wrt upstream: Not reported yet.
+
+Note: Even when PAM support is activated in chpasswd, this patch is valid. The
+PAM support is only for the authentication of the caller.
+
+Index: shadow-4.0.18.1/man/chpasswd.8.xml
+===================================================================
+--- shadow-4.0.18.1.orig/man/chpasswd.8.xml	2007-06-19 11:43:16.000000000 +0100
+++ shadow-4.0.18.1/man/chpasswd.8.xml	2007-06-19 11:47:10.000000000 +0100
+@@ -79,6 +79,13 @@
+       Remember to set permissions or umask to prevent readability of
+       unencrypted files by other users.
+     </para>
+    <para>
+      <command>chpasswd</command> does not use PAM to update the passwords.
+      Thus, It only updates the passwords from the
+      <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
+      databases, and does not support the various checks provided by PAM
+      modules.
+    </para>
+   </refsect1>
+ 
+   <refsect1 id='see_also'>
@@ -0,0 +1,153 @@
+Goal: Sipport numerical UID and ranges in lastlog -u
+Fixes: #259494
+
+Status wrt upstream: not reported yet.
+
+Note: It also allows to mix -u and -t
+
+Index: shadow-4.0.18.1/man/lastlog.8.xml
+===================================================================
+--- shadow-4.0.18.1.orig/man/lastlog.8.xml	2007-06-19 13:23:42.000000000 +0100
+++ shadow-4.0.18.1/man/lastlog.8.xml	2007-06-19 14:35:26.000000000 +0100
+@@ -71,22 +71,20 @@
+       <varlistentry>
+ 	<term>
+ 	  <option>-u</option>, <option>--user</option>
+-	  <replaceable>LOGIN</replaceable>
+	  <replaceable>LOGIN</replaceable>|<replaceable>RANGE</replaceable>
+ 	</term>
+ 	<listitem>
+ 	  <para>Print the lastlog record for user with specified
+ 	    <emphasis remap='I'>LOGIN</emphasis> only.
+ 	  </para>
+-	</listitem>
+-      </varlistentry>
+-    </variablelist>
+-    <variablelist remap='TP'>
+-      <varlistentry>
+-	<term>
+-	  The <option>-t</option> flag overrides the use of <option>-u</option>.
+-	</term>
+-	<listitem>
+-	  <para></para>
+	  <para>Instead of a login name, <command>lastlog</command> also
+	  accepts a numerical user ID or a <replaceable>RANGE</replaceable> of
+	  users. This <replaceable>RANGE</replaceable> of users can be
+	  specified with a min and max values
+	  (<replaceable>UID_MIN-UID_MAX</replaceable>), a max value
+	  (<replaceable>-UID_MAX</replaceable>) or a min value
+	  (<replaceable>UID_MIN-</replaceable>).
+	  </para>
+ 	</listitem>
+       </varlistentry>
+     </variablelist>
+Index: shadow-4.0.18.1/src/lastlog.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/lastlog.c	2007-06-19 13:23:35.000000000 +0100
+++ shadow-4.0.18.1/src/lastlog.c	2007-06-19 14:22:21.000000000 +0100
+@@ -51,6 +51,8 @@
+  */
+ static FILE *lastlogfile;	/* lastlog file stream */
+ static off_t user;		/* one single user, specified on command line */
+static long umin;		/* one single user, specified on command line */
+static long umax;		/* one single user, specified on command line */
+ static int days;		/* number of days to consider for print command */
+ static time_t seconds;		/* that number of days in seconds */
+ static int inverse_days;	/* number of days to consider for print command */
+@@ -58,6 +60,7 @@
+ 
+ 
+ static int uflg = 0;		/* set if user is a valid user id */
+static int urange = 0;		/* set if user is a valid user id range */
+ static int tflg = 0;		/* print is restricted to most recent days */
+ static int bflg = 0;		/* print excludes most recent days */
+ static struct lastlog lastlog;	/* scratch structure to play with ... */
+@@ -127,26 +130,16 @@
+ {
+ 	off_t offset;
+ 
+-	if (uflg) {
+-		offset = user * sizeof lastlog;
+-
+-		if (fstat (fileno (lastlogfile), &statbuf)) {
+-			perror (LASTLOG_FILE);
+-			return;
+-		}
+-		if (offset >= statbuf.st_size)
+-			return;
+-
+-		fseeko (lastlogfile, offset, SEEK_SET);
+-		if (fread ((char *) &lastlog, sizeof lastlog, 1,
+-			   lastlogfile) == 1)
+-			print_one (pwent);
+-		else
+-			perror (LASTLOG_FILE);
+-	} else {
+	{
+ 		setpwent ();
+ 		while ((pwent = getpwent ())) {
+			if (uflg && user != pwent->pw_uid)
+				continue;
+ 			user = pwent->pw_uid;
+			if (urange &&
+			    ((umin != -1 && user < umin) ||
+			     (umax != -1 && user > umax)))
+				continue;
+ 			offset = user * sizeof lastlog;
+ 
+ 			fseeko (lastlogfile, offset, SEEK_SET);
+@@ -199,15 +192,47 @@
+ 				bflg++;
+ 				break;
+ 			case 'u':
+				/*
+				 * The user can be:
+				 *  - a login name
+				 *  - numerical
+				 *  - a numerical login ID
+				 *  - a range (-x, x-, x-y)
+				 */
+ 				pwent = getpwnam (optarg);
+-				if (!pwent) {
+-					fprintf (stderr,
+-						 _("Unknown User: %s\n"),
+-						 optarg);
+-					exit (1);
+				if (pwent) {
+					uflg = 1;
+					user = pwent->pw_uid;
+				} else {
+					char *endptr = NULL;
+					user = strtol(optarg, &endptr, 10);
+					if (*optarg != '\0' && *endptr == '\0') {
+						if (user < 0) {
+							/* -<userid> */
+							urange = 1;
+							umin = -1;
+							umax = -user;
+						} else {
+							/* <userid> */
+							uflg = 1;
+						}
+					} else if (endptr[0] == '-' && endptr[1] == '\0') {
+						/* <userid>- */
+						urange = 1;
+						umin = user;
+						umax = -1;
+					} else if (*endptr == '-') {
+						/* <userid>-<userid> */
+						urange = 1;
+						umin = user;
+						umax = atol(endptr+1);
+					} else {
+						fprintf (stderr,
+							 _("Unknown user or range: %s\n"),
+							 optarg);
+						exit (1);
+					}
+ 				}
+-				uflg++;
+-				user = pwent->pw_uid;
+ 				break;
+ 			default:
+ 				usage ();
@@ -0,0 +1,53 @@
+Goal: No longer print "sorry" and apologize to users
+Fixes: #384164
+
+Status wrt upstream: not reported yet.
+
+Note: 
+
+Index: shadow-4.0.18.1/src/newgrp.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/newgrp.c	2007-06-21 01:51:59.071588730 +0200
+++ shadow-4.0.18.1/src/newgrp.c	2007-06-21 01:54:18.564486366 +0200
+@@ -403,7 +403,7 @@
+ 			 * there is no password, print out "Sorry" and give up
+ 			 */
+ 			sleep (1);
+-			fputs (_("Sorry.\n"), stderr);
+			fputs (_("No password.\n"), stderr);
+ 			goto failure;
+ 		}
+ 
+@@ -412,7 +412,6 @@
+ 				 "Invalid password for group `%s' from `%s'",
+ 				 group, name));
+ 			sleep (1);
+-			fputs (_("Sorry.\n"), stderr);
+ 			goto failure;
+ 		}
+ 	}
+Index: shadow-4.0.18.1/src/passwd.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/passwd.c	2007-06-21 01:49:56.577825572 +0200
+++ shadow-4.0.18.1/src/passwd.c	2007-06-21 01:50:57.074745336 +0200
+@@ -350,7 +350,7 @@
+ 	if (now < ok) {
+ 		fprintf (stderr,
+ 			 _
+-			 ("Sorry, the password for %s cannot be changed yet.\n"),
+			 ("The password for %s cannot be changed yet.\n"),
+ 			 pw->pw_name);
+ 		SYSLOG ((LOG_WARN, "now < minimum age for `%s'", pw->pw_name));
+ 		closelog ();
+Index: shadow-4.0.18.1/src/su.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/su.c	2007-06-21 01:51:35.072810642 +0200
+++ shadow-4.0.18.1/src/su.c	2007-06-21 01:51:50.572021491 +0200
+@@ -171,7 +171,6 @@
+ 			 oldname[0] ? oldname : "???", name[0] ? name : "???"));
+ 	closelog ();
+ #endif
+-	puts (_("Sorry."));
+ 	exit (1);
+ }
+ 
@@ -0,0 +1,48 @@
+Goal: Remove quite unwise password choice advices in passwd manpage
+Fixes: #386818
+
+Status wrt upstream: Forwarded without patch but ignored up to now
+
+Note: 
+
+Index: shadow-4.0.18.1/man/passwd.1.xml
+===================================================================
+--- shadow-4.0.18.1.orig/man/passwd.1.xml	2007-06-21 02:06:42.026632551 +0200
+++ shadow-4.0.18.1/man/passwd.1.xml	2007-06-21 02:04:59.531851133 +0200
+@@ -104,35 +104,9 @@
+ 
+       <para>
+ 	Your password must be easily remembered so that you will not be forced
+-	to write it on a piece of paper. This can be accomplished by
+-	appending two small words together and separating each with a
+-	special character or digit. For example, Pass%word.
+	to write it on a piece of paper.
+       </para>
+ 
+-      <para>
+-	Other methods of construction involve selecting an easily remembered
+-	phrase from literature and selecting the first or last letter from
+-	each word. An example of this is:
+-      </para>
+-
+-      <itemizedlist mark='bullet'>
+-	<listitem>
+-	  <para>Ask not for whom the bell tolls</para>
+-	</listitem>
+-	<listitem>
+-	  <para>which produces</para>
+-	</listitem>
+-	<listitem>
+-	  <para>An4wtbt</para>
+-	</listitem>
+-      </itemizedlist>
+-
+-      <para>
+-	You may be reasonably sure few crackers will have included this in
+-	their dictionaries. You should, however, select your own methods for
+-	constructing passwords and not rely exclusively on the methods given
+-	here.
+-      </para>
+     </refsect2>
+   </refsect1>
+ 
@@ -0,0 +1,29 @@
+Goal: Re-activate ECHOCTL in login
+
+Fixes: #429758
+
+Status wrt upstream: Not reported yet. 
+
+Note: Was removed by upstream in 4.0.8 with "remove dead code" comment
+
+Index: shadow-4.0.18.1/src/login.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/login.c	2007-06-22 19:14:00.712717643 +0200
+++ shadow-4.0.18.1/src/login.c	2007-06-22 19:17:24.702331390 +0200
+@@ -175,6 +175,16 @@
+ 	termio.c_lflag |= ISIG | ICANON | ECHO | ECHOE;
+ 	termio.c_iflag |= ICRNL;
+ 
+#if defined(ECHOKE) && defined(ECHOCTL)
+	termio.c_lflag |= ECHOKE | ECHOCTL;
+#endif
+#if defined(ECHOPRT) && defined(NOFLSH) && defined(TOSTOP)
+	termio.c_lflag &= ~(ECHOPRT | NOFLSH | TOSTOP);
+#endif
+#ifdef ONLCR
+	termio.c_oflag |= ONLCR;
+#endif
+
+ 	/* leave these values unchanged if not specified in login.defs */
+ 	termio.c_cc[VERASE] = getdef_num ("ERASECHAR", termio.c_cc[VERASE]);
+ 	termio.c_cc[VKILL] = getdef_num ("KILLCHAR", termio.c_cc[VKILL]);
@@ -0,0 +1,28 @@
+Goal: Fix a typo in the newgrp man page.
+
+Fixes: #439090
+
+Staus wrt upstream: not forwarded
+
+Index: shadow-4.0.18.1/man/fr/fr.po
+===================================================================
+--- shadow-4.0.18.1.orig/man/fr/fr.po	2007-08-26 15:19:59.000000000 +0200
+++ shadow-4.0.18.1/man/fr/fr.po	2007-08-26 15:20:15.000000000 +0200
+@@ -16,7 +16,7 @@
+ msgstr ""
+ "Project-Id-Version: shadow-man-pages 4.0.18\n"
+ "POT-Creation-Date: 2006-07-24 07:49+0200\n"
+-"PO-Revision-Date: 2006-07-30 08:23+0200\n"
+"PO-Revision-Date: 2007-08-26 15:20+0200\n"
+ "Last-Translator: Jean-Luc Coulon (f5ibh) <jean-luc.coulon@wanadoo.fr>\n"
+ "Language-Team: Debian French Team <debian-l10n-french@lists.debian.org>\n"
+ "MIME-Version: 1.0\n"
+@@ -3566,7 +3566,7 @@
+ "passwd</filename> si aucun nom de groupe n'est fourni. <command>Newgrp</"
+ "command> essaiera également d'ajouter le groupe à l'ensemble des groupes de "
+ "l'utilisateur. Si l'utilisateur n'est pas superutilisateur, un mot de passe "
+-"sera lui demandé s'il n'utilise pas de mot de passe (dans <filename>/etc/"
+"lui sera demandé s'il n'utilise pas de mot de passe (dans <filename>/etc/"
+ "shadow</filename>, si cet utilisateur a une entrée dans le fichier des mots "
+ "de passe cachés, ou dans <filename>/etc/passwd</filename> sinon), mais que "
+ "le groupe en a un, ou si l'utilisateur n'est pas dans la liste des membres "
@@ -0,0 +1,21 @@
+Goal: Use "warndays as long option for "-w" and not "warning"
+
+Fixes: #445481
+
+Status wrt upstream: Not reported yet. Should be applied
+
+Note: 
+
+Index: shadow-4.0.18.1/src/passwd.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/passwd.c
+++ shadow-4.0.18.1/src/passwd.c
+@@ -655,7 +655,7 @@
+ 			{"repository", required_argument, NULL, 'r'},
+ 			{"status", no_argument, NULL, 'S'},
+ 			{"unlock", no_argument, NULL, 'u'},
+-			{"warning", required_argument, NULL, 'w'},
+			{"warndays", required_argument, NULL, 'w'},
+ 			{"maxdays", required_argument, NULL, 'x'},
+ 			{NULL, 0, NULL, '\0'}
+ 		};
@@ -0,0 +1,202 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 319_time_structures.dpatch by Nicolas FRANCOIS <nicolas.francois@centraliens.net>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: I didn't find a related bug in the BTS.
+## DP: It must be related to the 1:4.0.3-22 changelog:
+## DP:   Don't assume that lastlog.ll_time or utmp.ut_time or utmpx.ut_tv are
+## DP:   made up of time_ts and timevals, because they aren't on x86-64.
+## DP:   Dismaying but true.
+## DP:   -- Karl Ramm <kcr@debian.org>  Sun, 14 Mar 2004
+## DP: 
+## DP: Some parts of this patch have been applied upstream. The other parts
+## DP: should be checked.
+
+@DPATCH@
+Index: shadow-4.0.3/libmisc/log.c
+===================================================================
+--- shadow-4.0.3.orig/libmisc/log.c	1998-04-16 21:57:44.000000000 +0200
+++ shadow-4.0.3/libmisc/log.c	2005-05-12 14:05:29.976542831 +0200
+@@ -88,7 +88,7 @@ dolastlog(struct lastlog *ll, const stru
+ 	if (ll)
+ 		*ll = newlog;
+ 
+-	time(&newlog.ll_time);
+	newlog.ll_time = time(0);
+ 	strncpy(newlog.ll_line, line, sizeof newlog.ll_line);
+ #if HAVE_LL_HOST
+ 	strncpy(newlog.ll_host, host, sizeof newlog.ll_host);
+Index: shadow-4.0.3/libmisc/utmp.c
+===================================================================
+--- shadow-4.0.3.orig/libmisc/utmp.c	2002-03-08 05:30:30.000000000 +0100
+++ shadow-4.0.3/libmisc/utmp.c	2005-05-12 14:05:29.994540142 +0200
+@@ -111,7 +111,7 @@ checkutmp(int picky)
+ 		/* XXX - assumes /dev/tty?? */
+ 		strncpy(utent.ut_id, utent.ut_line + 3, sizeof utent.ut_id);
+ 		strcpy(utent.ut_user, "LOGIN");
+-		time(&utent.ut_time);
+		utent.ut_time = time(0);
+ 	}
+ }
+ 
+@@ -195,7 +195,7 @@ checkutmp(int picky)
+ 		strcpy(utent.ut_user, "LOGIN");
+ 		utent.ut_pid = getpid();
+ 		utent.ut_type = LOGIN_PROCESS;
+-		time(&utent.ut_time);
+		utent.ut_time = time(0);
+ #if HAVE_UTMPX_H
+ 		strncpy(utxent.ut_line, line, sizeof utxent.ut_line);
+ 		if ((utx = getutxline(&utxent)))
+@@ -204,7 +204,15 @@ checkutmp(int picky)
+ 		strcpy(utxent.ut_user, "LOGIN");
+ 		utxent.ut_pid = utent.ut_pid;
+ 		utxent.ut_type = utent.ut_type;
+-		gettimeofday((struct timeval *) &utxent.ut_tv, NULL);
+		/* don't assume that utmpx.ut_tv is a struct timeval */
+		{
+		    struct timeval tv;
+
+		    gettimeofday(&tv, NULL);
+
+		    utxent.ut_tv.tv_sec = tv.tv_sec;
+		    utxent.ut_tv.tv_usec = tv.tv_usec;
+		}
+ 		utent.ut_time = utxent.ut_tv.tv_sec;
+ #endif
+ 	}
+@@ -230,7 +238,7 @@ checkutmp(int picky)
+ 		line += 5;
+ 
+ 	(void) strncpy (utent.ut_line, line, sizeof utent.ut_line);
+-	(void) time (&utent.ut_time);
+	utent.ut_time = time(0);
+ }
+ 
+ #endif	/* !USG */
+@@ -286,7 +294,7 @@ setutmp(const char *name, const char *li
+ {
+ 	utent.ut_type = USER_PROCESS;
+ 	strncpy(utent.ut_user, name, sizeof utent.ut_user);
+-	time(&utent.ut_time);
+	utent.ut_time = time(0);
+ 	/* other fields already filled in by checkutmp above */
+ 	setutent();
+ 	pututline(&utent);
+@@ -375,7 +383,14 @@ setutmp(const char *name, const char *li
+ 
+ 	utline.ut_type = utxline.ut_type = USER_PROCESS;
+ 
+-	gettimeofday(&utxline.ut_tv, NULL);
+	/* don't assume that utmpx.ut_tv is a struct timeval */
+	{
+	    struct timeval tv;
+
+	    gettimeofday(&tv, NULL);
+	    utxline.ut_tv.tv_sec = tv.tv_sec;
+	    utxline.ut_tv.tv_usec = tv.tv_usec;
+	}
+ 	utline.ut_time = utxline.ut_tv.tv_sec;
+ 
+ 	strncpy(utxline.ut_host, host ? host : "", sizeof utxline.ut_host);
+@@ -435,7 +450,7 @@ setutmp(const char *name, const char *li
+ 	 * Put in the current time (common to everyone)
+ 	 */
+ 
+-	(void) time (&utmp.ut_time);
+	utmp.ut_time = time(0);
+ 
+ #ifdef UT_HOST
+ 	/*
+Index: shadow-4.0.3/src/lastlog.c
+===================================================================
+--- shadow-4.0.3.orig/src/lastlog.c	2005-05-12 14:05:24.511359400 +0200
+++ shadow-4.0.3/src/lastlog.c	2005-05-12 14:05:29.994540142 +0200
+@@ -184,7 +184,13 @@ static void print_one (const struct pass
+ #endif
+ 		once++;
+ 	}
+-	tm = localtime (&lastlog.ll_time);
+	/* don't assume lastlog.ll_time is a time_t */
+	{
+	    time_t when;
+
+	    when = lastlog.ll_time;
+	    tm = localtime (&when);
+	}
+ #ifdef HAVE_STRFTIME
+ 	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+ 	cp = ptime;
+@@ -193,7 +199,7 @@ static void print_one (const struct pass
+ 	cp[24] = '\0';
+ #endif
+ 
+-	if (lastlog.ll_time == (time_t) 0)
+	if (lastlog.ll_time == 0)
+ 		cp = _("**Never logged in**\0");
+ 
+ #ifdef HAVE_LL_HOST
+Index: shadow-4.0.3/src/login.c
+===================================================================
+--- shadow-4.0.3.orig/src/login.c	2005-05-12 14:04:27.490878998 +0200
+++ shadow-4.0.3/src/login.c	2005-05-12 14:05:29.995539993 +0200
+@@ -849,10 +849,18 @@ int main (int argc, char **argv)
+ 			  if (getdef_str("FTMP_FILE") != NULL) {
+ #if HAVE_UTMPX_H
+ 			    failent = utxent;
+-			    gettimeofday(&(failent.ut_tv), NULL);
+			    /* don't assume that utmpx.ut_tv is a struct
+			       timeval */
+			    {
+				struct timeval tv;
+
+				gettimeofday(&tv, NULL);
+				failent.ut_tv.tv_sec = tv.tv_sec;
+				failent.ut_tv.tv_usec = tv.tv_usec;
+			    }
+ #else
+ 			    failent = utent;
+-			    time(&failent.ut_time);
+			    failent.ut_time = time(0);
+ #endif
+ 			    strncpy(failent.ut_user, failent_user, sizeof(failent.ut_user));
+ #ifdef USER_PROCESS
+@@ -1093,10 +1101,17 @@ int main (int argc, char **argv)
+ 
+ #if HAVE_UTMPX_H
+ 			failent = utxent;
+-			gettimeofday (&(failent.ut_tv), NULL);
+			/* don't assume that utmpx.ut_tv is a struct timeval */
+			{
+			    struct timeval tv;
+			    
+			    gettimeofday(&tv, NULL);
+			    failent.ut_tv.tv_sec = tv.tv_sec;
+			    failent.ut_tv.tv_usec = tv.tv_usec;
+			}
+ #else
+ 			failent = utent;
+-			time (&failent.ut_time);
+			failent.ut_time = time(0);
+ #endif
+ 			if (pwd) {
+ 				failent_user = pwent.pw_name;
+@@ -1378,15 +1393,16 @@ int main (int argc, char **argv)
+ 		}
+ 		if (getdef_bool ("LASTLOG_ENAB")
+ 		    && lastlog.ll_time != 0) {
+		        time_t when = lastlog.ll_time; /* may not be a time_t */
+ #ifdef HAVE_STRFTIME
+ 			strftime (ptime, sizeof (ptime),
+ 				  "%a %b %e %H:%M:%S %z %Y",
+-				  localtime (&lastlog.ll_time));
+				  localtime (&when));
+ 			printf (_("Last login: %s on %s"),
+ 				ptime, lastlog.ll_line);
+ #else
+ 			printf (_("Last login: %.19s on %s"),
+-				ctime (&lastlog.ll_time),
+				ctime (&when),
+ 				lastlog.ll_line);
+ #endif
+ #ifdef HAVE_LL_HOST		/* SVR4 || __linux__ || SUN4 */
@@ -0,0 +1,53 @@
+Goal: grpck now has an (otherwise undocumented) -p option, so that
+      shadowconfig can clean up the results of the above, so the config
+      script will fail randomly less often.
+Fixes: #103385
+
+Status wrt upstream: It could certainly be submitted to upstream.
+
+Index: shadow-4.0.18.1/src/grpck.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/grpck.c	2006-05-07 19:44:39.000000000 +0200
+++ shadow-4.0.18.1/src/grpck.c	2006-09-17 12:17:53.712003353 +0200
+@@ -139,6 +139,7 @@
+ 	int errors = 0;
+ 	int changed = 0;
+ 	int i;
+	int prune = 0;
+ 	struct commonio_entry *gre, *tgre;
+ 	struct group *grp;
+ 	int sort_mode = 0;
+@@ -163,7 +164,7 @@
+ 	/*
+ 	 * Parse the command line arguments
+ 	 */
+-	while ((arg = getopt (argc, argv, "qrs")) != EOF) {
+	while ((arg = getopt (argc, argv, "qprs")) != EOF) {
+ 		switch (arg) {
+ 		case 'q':
+ 			/* quiet - ignored for now */
+@@ -174,6 +175,9 @@
+ 		case 's':
+ 			sort_mode = 1;
+ 			break;
+		case 'p':
+			prune = 1;
+			break;
+ 		default:
+ 			usage ();
+ 		}
+@@ -296,8 +300,13 @@
+ 			/*
+ 			 * prompt the user to delete the entry or not
+ 			 */
+-			if (!yes_or_no ())
+			if (!prune) {
+			        if (!yes_or_no ())
+				        continue;
+			} else {
+			        puts (_("Yes"));
+ 				continue;
+			}
+ 
+ 			/*
+ 			 * All group file deletions wind up here. This code
@@ -0,0 +1,95 @@
+Goal: Re-enable logging and displaying failures on login when login is
+      compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
+      faillog file if it does not exist on postinst (as on Woody).
+Depends: 008_login_more_LOG_UNKFAIL_ENAB
+Fixes: #192849
+
+Note: It could be removed if pam_tally could report the number of failures
+      preceding a successful login.
+
+Index: shadow-4.0.18.1/src/login.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/login.c	2006-09-17 12:17:54.972013371 +0200
+++ shadow-4.0.18.1/src/login.c	2006-09-17 12:17:55.628018587 +0200
+@@ -130,11 +130,11 @@
+ static void setup_tty (void);
+ static void check_flags (int, char *const *);
+ 
+static struct faillog faillog;
+
+ #ifndef USE_PAM
+ extern int login_access (const char *, const char *);
+ 
+-static struct faillog faillog;
+-
+ static void bad_time_notify (void);
+ static void check_nologin (void);
+ #endif
+@@ -668,6 +668,8 @@
+ 			    SYSLOG ((LOG_NOTICE,
+ 				    "TOO MANY LOGIN TRIES (%d)%s FOR `%s'",
+ 				    failcount, fromhost, failent_user));
+			    if (pwd && getdef_bool("FAILLOG_ENAB"))
+			      failure (pwent.pw_uid, tty, &faillog);
+ 			    fprintf(stderr,
+ 				    _("Maximum number of tries exceeded (%d)\n"),
+ 				    failcount);
+@@ -685,6 +687,13 @@
+ 				   pam_strerror (pamh, retcode)));
+ 			    failed = 1;
+ 			  }
+			  if (pwd && getdef_bool("FAILLOG_ENAB") &&
+			      ! failcheck (pwent.pw_uid, &faillog, failed)) {
+			    SYSLOG((LOG_CRIT,
+			           "exceeded failure limit for `%s' %s",
+			           failent_user, fromhost));
+			    failed = 1;
+			  }
+ 
+ 			  if (!failed)
+ 			    break;
+@@ -716,6 +725,8 @@
+ #endif				/* WITH_AUDIT */
+ 
+ 			  fprintf(stderr,"\nLogin incorrect\n");
+			  if (pwd && getdef_bool("FAILLOG_ENAB"))
+			    failure (pwent.pw_uid, tty, &faillog);
+ 			  if (getdef_str("FTMP_FILE") != NULL) {
+ #if HAVE_UTMPX_H
+ 			    failent = utxent;
+@@ -1075,6 +1086,7 @@
+ 		 */
+ #ifndef USE_PAM
+ 		motd ();	/* print the message of the day */
+#endif
+ 		if (getdef_bool ("FAILLOG_ENAB")
+ 		    && faillog.fail_cnt != 0) {
+ 			failprint (&faillog);
+@@ -1088,6 +1100,7 @@
+ 					 username, (int) faillog.fail_cnt));
+ 			}
+ 		}
+#ifndef USE_PAM
+ 		if (getdef_bool ("LASTLOG_ENAB")
+ 		    && lastlog.ll_time != 0) {
+ 			time_t ll_time = lastlog.ll_time;
+Index: shadow-4.0.18.1/lib/getdef.c
+===================================================================
+--- shadow-4.0.18.1.orig/lib/getdef.c	2006-09-17 12:17:54.992013530 +0200
+++ shadow-4.0.18.1/lib/getdef.c	2006-09-17 12:17:55.628018587 +0200
+@@ -56,6 +56,7 @@
+ 	{"ENV_SUPATH", NULL},
+ 	{"ERASECHAR", NULL},
+ 	{"FAIL_DELAY", NULL},
+	{"FAILLOG_ENAB", NULL},
+ 	{"FAKE_SHELL", NULL},
+ 	{"FTMP_FILE", NULL},
+ 	{"GID_MAX", NULL},
+@@ -88,7 +89,6 @@
+ 	{"ENV_HZ", NULL},
+ 	{"ENVIRON_FILE", NULL},
+ 	{"ENV_TZ", NULL},
+-	{"FAILLOG_ENAB", NULL},
+ 	{"ISSUE_FILE", NULL},
+ 	{"LASTLOG_ENAB", NULL},
+ 	{"LOGIN_STRING", NULL},
@@ -0,0 +1,28 @@
+Goal: don't assume uid 0 == "root", use getpwuid to fetch it
+Fixes: #81924
+
+Status wrt upstream: It was submitted upstream upstream (3 Jun 2005).
+                     Some modification may be needed before its inclusion
+                     upstream (multiple uid 0 accounts).
+http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2005-June/001287.html
+
+Index: shadow-4.0.18.1/src/su.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/su.c	2006-08-01 12:30:02.000000000 +0200
+++ shadow-4.0.18.1/src/su.c	2006-09-17 12:17:47.383953038 +0200
+@@ -427,7 +427,14 @@
+ 			optind++;
+ 	}
+ 	if (!name[0])		/* use default user ID */
+-		(void) strcpy (name, "root");
+	{
+		struct passwd *root_pw = getpwuid(0);
+		if (root_pw == NULL) {
+			SYSLOG((LOG_CRIT, "There is no UID 0 user."));
+			su_failure(tty);
+		}
+		strcpy(name, root_pw->pw_name);
+	}
+ 
+ 	doshell = argc == optind;	/* any arguments remaining? */
+ 	if (command)
@@ -0,0 +1,18 @@
+Goal: fix typo
+Fixes:
+
+Status wrt upstream: Forwarded but not applied yet
+
+Index: shadow-4.0.18.1/man/shadow.5.xml
+===================================================================
+--- shadow-4.0.18.1.orig/man/shadow.5.xml	2006-07-24 07:48:36.000000000 +0200
+++ shadow-4.0.18.1/man/shadow.5.xml	2006-09-17 12:17:56.912028796 +0200
+@@ -50,7 +50,7 @@
+ 
+     <para>
+       The password field must be filled. The encrypted password consists of
+-      13 to 24 characters from the 64 characters alphabet a thru z, A thru
+      13 to 24 characters from the 64 character alphabet a thru z, A thru
+       Z, 0 thru 9, \. and /. Optionally it can start with a "$" character.
+       This means the encrypted password was generated using another (not
+       DES) algorithm. For example if it starts with "$1$" it means the
@@ -0,0 +1,20 @@
+Goal: terminate argument validation in login when it hits a '--'.
+Fixes: #66368
+
+Status wrt upstream: It could certainly be submitted to upstream.
+                     Upstream comment: "Better will be rewrite login
+                     for use getopt_long()."
+
+Index: shadow-4.0.18.1/src/login.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/login.c	2006-07-10 06:11:32.000000000 +0200
+++ shadow-4.0.18.1/src/login.c	2006-09-17 12:17:54.336008314 +0200
+@@ -253,6 +253,8 @@
+ 	for (arg = 1; arg < argc; arg++) {
+ 		if (argv[arg][0] == '-' && strlen (argv[arg]) > 2)
+ 			usage ();
+		if (!strcmp(argv[arg], "--"))
+			break; /* stop checking on a "--" */
+ 	}
+ }
+ 
@@ -0,0 +1,35 @@
+Goal: Be up front on the origin of our su.
+Fixes: #244297
+
+Status wrt upstream: It must be forwarded upstream.
+                     Upstream also uses some bits from the GNU shellutils.
+
+Index: shadow-4.0.18.1/src/su.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/su.c	2006-09-17 12:17:53.099998487 +0200
+++ shadow-4.0.18.1/src/su.c	2006-09-17 12:17:56.308023993 +0200
+@@ -26,6 +26,24 @@
+  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+  * SUCH DAMAGE.
+  */
+/* Some parts substantially derived from an ancestor of: */
+/* su for GNU.  Run a shell with substitute user and group IDs.
+   Copyright (C) 1992-2003 Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software Foundation,
+   Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.  */
+
+ 
+ #include <config.h>
+ 
@@ -0,0 +1,36 @@
+Goal: set PATH according to ENV_SUPATH and ENV_PATH (for login), as for
+      su.
+Fixes: #330803
+
+Status wrt upstream:
+
+Index: shadow-4.0.18.1/libmisc/setupenv.c
+===================================================================
+--- shadow-4.0.18.1.orig/libmisc/setupenv.c	2006-05-13 01:13:10.000000000 +0200
+++ shadow-4.0.18.1/libmisc/setupenv.c	2006-09-17 12:18:01.768067405 +0200
+@@ -186,8 +186,8 @@
+ {
+ #ifndef USE_PAM
+ 	char *envf;
+-	char *cp;
+ #endif
+	char *cp;
+ 
+ 	/*
+ 	 * Change the current working directory to be the home directory
+@@ -242,7 +242,6 @@
+ 	addenv ("USER", info->pw_name);
+ 	addenv ("LOGNAME", info->pw_name);
+ 
+-#ifndef USE_PAM
+ 	/*
+ 	 * Create the PATH environmental variable and export it.
+ 	 */
+@@ -259,6 +258,7 @@
+ 		/* only value specified without "PATH=" */
+ 		addenv ("PATH", cp);
+ 	}
+#ifndef USE_PAM
+ 
+ 	/*
+ 	 * Create the MAIL environmental variable and export it.  login.defs
@@ -0,0 +1,21 @@
+Goal: do not use MAIL_FILE in userdel:
+      When MAIL_FILE is used, the mail spool is in the home directory, so
+      it do not need to be removed (in addition to the user's home
+      directory)
+
+Note: usermod should be checked also. Maybe MAIL_FILE can be removed from
+      login.defs
+
+Index: shadow-4.0.18.1/src/userdel.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/userdel.c	2006-09-17 12:17:58.256039482 +0200
+++ shadow-4.0.18.1/src/userdel.c	2006-09-17 12:18:02.408072494 +0200
+@@ -550,7 +550,7 @@
+ 
+ 	maildir = getdef_str ("MAIL_DIR");
+ #ifdef MAIL_SPOOL_DIR
+-	if (!maildir && !getdef_str ("MAIL_FILE"))
+	if (!maildir)
+ 		maildir = MAIL_SPOOL_DIR;
+ #endif
+ 	if (!maildir)
@@ -0,0 +1,68 @@
+Goal: Warn about possible need to edit shadow files when editing the 
+      master files with vipw
+
+Fixes: #62821
+
+Status wrt upstream: Forwarded but not applied yet
+
+Index: shadow-4.0.18.1/src/vipw.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/vipw.c	2006-06-20 22:00:04.000000000 +0200
+++ shadow-4.0.18.1/src/vipw.c	2006-09-17 12:18:03.644082321 +0200
+@@ -41,6 +41,12 @@
+ #include "pwio.h"
+ #include "sgroupio.h"
+ #include "shadowio.h"
+
+#define MSG_WARN_EDIT_OTHER_FILE _( \
+	"You have modified %s.\n"\
+	"You may need to modify %s for consistency.\n"\
+	"Please use the command `%s' to do so.\n")
+
+ /*
+  * Global variables
+  */
+@@ -285,17 +291,39 @@
+ 	}
+ 
+ 	if (do_vipw) {
+-		if (editshadow)
+		if (editshadow) {
+ 			vipwedit (SHADOW_FILE, spw_lock, spw_unlock);
+-		else
+			printf (MSG_WARN_EDIT_OTHER_FILE,
+			        SHADOW_FILE,
+			        PASSWD_FILE,
+			        "vipw");
+		} else {
+ 			vipwedit (PASSWD_FILE, pw_lock, pw_unlock);
+			if (spw_file_present ())
+				printf (MSG_WARN_EDIT_OTHER_FILE,
+				        PASSWD_FILE,
+				        SHADOW_FILE,
+				        "vipw -s");
+		}
+ 	} else {
+ #ifdef SHADOWGRP
+-		if (editshadow)
+		if (editshadow) {
+ 			vipwedit (SGROUP_FILE, sgr_lock, sgr_unlock);
+-		else
+			printf (MSG_WARN_EDIT_OTHER_FILE,
+			        SGROUP_FILE,
+			        GROUP_FILE,
+			        "vigr");
+		} else {
+ #endif
+ 			vipwedit (GROUP_FILE, gr_lock, gr_unlock);
+#ifdef SHADOWGRP
+			if (sgr_file_present ())
+				printf (MSG_WARN_EDIT_OTHER_FILE,
+				        GROUP_FILE,
+				        SGROUP_FILE,
+				        "vigr -s");
+#endif
+		}
+ 	}
+ 
+ 	nscd_flush_cache ("passwd");
@@ -0,0 +1,102 @@
+Goal: Do not hardcode pam_fail_delay and let pam_unix do its
+      job to set a delay...or not
+
+Fixes: #87648
+
+Status wrt upstream: Forwarded but not applied yet
+
+Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
+
+Index: shadow-4.0.18.1/src/login.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/login.c	2006-09-17 12:17:55.628018587 +0200
+++ shadow-4.0.18.1/src/login.c	2006-09-17 12:18:04.272087315 +0200
+@@ -331,7 +331,6 @@
+ 	char ptime[80];
+ #endif
+ 	int reason = PW_LOGIN;
+-	int delay;
+ 	int retries;
+ 	int failed;
+ 	int flag;
+@@ -351,6 +350,7 @@
+ 	pid_t child;
+ 	char *pam_user;
+ #else
+	int delay;
+ 	struct spwd *spwd = NULL;
+ #endif
+ 	/*
+@@ -573,7 +573,6 @@
+ 			alarm (timeout);
+ 
+ 		environ = newenvp;	/* make new environment active */
+-		delay = getdef_num ("FAIL_DELAY", 1);
+ 		retries = getdef_num ("LOGIN_RETRIES", RETRIES);
+ 
+ #ifdef USE_PAM
+@@ -589,17 +588,12 @@
+ 
+ 		/*
+ 		 * hostname & tty are either set to NULL or their correct values,
+-		 * depending on how much we know. We also set PAM's fail delay to
+-		 * ours.
+		 * depending on how much we know.
+ 		 */
+ 		retcode = pam_set_item (pamh, PAM_RHOST, hostname);
+ 		PAM_FAIL_CHECK;
+ 		retcode = pam_set_item (pamh, PAM_TTY, tty);
+ 		PAM_FAIL_CHECK;
+-#ifdef HAVE_PAM_FAIL_DELAY
+-		retcode = pam_fail_delay (pamh, 1000000 * delay);
+-		PAM_FAIL_CHECK;
+-#endif
+ 		/* if fflg == 1, then the user has already been authenticated */
+ 		if (!fflg || (getuid () != 0)) {
+ 			int failcount = 0;
+@@ -640,8 +634,6 @@
+ 			  failed = 0;
+ 
+ 			  failcount++;
+-			  if (delay > 0)
+-			    retcode = pam_fail_delay(pamh, 1000000*delay);
+ 
+ 			  retcode = pam_authenticate (pamh, 0);
+ 
+@@ -934,13 +926,16 @@
+ 		if (pwent.pw_passwd[0] == '\0')
+ 			pw_auth ("!", username, reason, (char *) 0);
+ 
+#ifndef USE_PAM
+ 		/*
+ 		 * Wait a while (a la SVR4 /usr/bin/login) before attempting
+ 		 * to login the user again. If the earlier alarm occurs
+ 		 * before the sleep() below completes, login will exit.
+ 		 */
+		delay = getdef_num ("FAIL_DELAY", 1);
+ 		if (delay > 0)
+ 			sleep (delay);
+#endif
+ 
+ 		puts (_("Login incorrect"));
+ 
+Index: shadow-4.0.18.1/lib/getdef.c
+===================================================================
+--- shadow-4.0.18.1.orig/lib/getdef.c	2006-09-17 12:17:58.260039514 +0200
+++ shadow-4.0.18.1/lib/getdef.c	2006-09-17 12:18:04.276087346 +0200
+@@ -55,7 +55,6 @@
+ 	{"ENV_PATH", NULL},
+ 	{"ENV_SUPATH", NULL},
+ 	{"ERASECHAR", NULL},
+-	{"FAIL_DELAY", NULL},
+ 	{"FAILLOG_ENAB", NULL},
+ 	{"FAKE_SHELL", NULL},
+ 	{"FTMP_FILE", NULL},
+@@ -92,6 +91,7 @@
+ 	{"ENV_HZ", NULL},
+ 	{"ENVIRON_FILE", NULL},
+ 	{"ENV_TZ", NULL},
+	{"FAIL_DELAY", NULL},
+ 	{"ISSUE_FILE", NULL},
+ 	{"LASTLOG_ENAB", NULL},
+ 	{"LOGIN_STRING", NULL},
@@ -0,0 +1,314 @@
+Goal: Fflush all prompts supposedly presented to a user, because we may
+      conversate with a script (over pipe) instead. See bug #333138.
+
+Status wrt upstream: may appear in 4.0.14
+      
+Index: shadow-4.0.18.1/libmisc/Makefile.am
+===================================================================
+--- shadow-4.0.18.1.orig/libmisc/Makefile.am	2005-09-05 18:21:37.000000000 +0200
+++ shadow-4.0.18.1/libmisc/Makefile.am	2006-09-17 12:18:05.616098001 +0200
+@@ -49,4 +49,5 @@
+ 	ulimit.c \
+ 	utmp.c \
+ 	valid.c \
+-	xmalloc.c
+	xmalloc.c \
+	yesno.c
+Index: shadow-4.0.18.1/libmisc/fields.c
+===================================================================
+--- shadow-4.0.18.1.orig/libmisc/fields.c	2005-08-31 19:24:57.000000000 +0200
+++ shadow-4.0.18.1/libmisc/fields.c	2006-09-17 12:18:05.620098032 +0200
+@@ -71,6 +71,7 @@
+ 		maxsize = sizeof (newf);
+ 
+ 	printf ("\t%s [%s]: ", prompt, buf);
+	fflush (stdout);
+ 	if (fgets (newf, maxsize, stdin) != newf)
+ 		return;
+ 
+Index: shadow-4.0.18.1/libmisc/yesno.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ shadow-4.0.18.1/libmisc/yesno.c	2006-09-17 12:18:05.620098032 +0200
+@@ -0,0 +1,41 @@
+/*
+ * Common code for yes/no prompting
+ *
+ * Used by pwck.c and grpck.c
+ */
+
+#include <config.h>	/* configuration parameters like e.g. ENABLE_NLS */
+
+#ident "$Id$"
+
+#include <stdio.h>	/* printf(), fflush() & fgets() */
+#include "defines.h"	/* _() macro */
+
+/*
+ * yes_or_no - get answer to question from the user
+ */
+int yes_or_no (int read_only)
+{
+	char buf[80];
+
+	/*
+	 * In read-only mode all questions are answered "no".
+	 */
+	if (read_only) {
+		printf (_("No\n"));
+		return 0;
+	}
+
+	/*
+	 * Typically, there's a prompt on stdout, sometimes unflushed.
+	 */
+	fflush (stdout);
+
+	/*
+	 * Get a line and see what the first character is.
+	 */
+	if (fgets (buf, sizeof buf, stdin))
+		return buf[0] == 'y' || buf[0] == 'Y';
+
+	return 0;
+}
+Index: shadow-4.0.18.1/src/grpck.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/grpck.c	2006-09-17 12:17:53.712003353 +0200
+++ shadow-4.0.18.1/src/grpck.c	2006-09-17 12:18:05.620098032 +0200
+@@ -50,6 +50,8 @@
+ extern struct commonio_entry *__sgr_get_head (void);
+ #endif
+ 
+extern int yes_or_no (int);
+
+ /*
+  * Exit codes
+  */
+@@ -74,7 +76,6 @@
+ 
+ /* local function prototypes */
+ static void usage (void);
+-static int yes_or_no (void);
+ static void delete_member (char **, const char *);
+ 
+ /*
+@@ -91,30 +92,6 @@
+ }
+ 
+ /*
+- * yes_or_no - get answer to question from the user
+- */
+-static int yes_or_no (void)
+-{
+-	char buf[80];
+-
+-	/*
+-	 * In read-only mode all questions are answered "no".
+-	 */
+-	if (read_only) {
+-		printf (_("No\n"));
+-		return 0;
+-	}
+-
+-	/*
+-	 * Get a line and see what the first character is.
+-	 */
+-	if (fgets (buf, sizeof buf, stdin))
+-		return buf[0] == 'y' || buf[0] == 'Y';
+-
+-	return 0;
+-}
+-
+-/*
+  * delete_member - delete an entry in a list of members
+  */
+ static void delete_member (char **list, const char *member)
+@@ -301,7 +278,7 @@
+ 			 * prompt the user to delete the entry or not
+ 			 */
+ 			if (!prune) {
+-			        if (!yes_or_no ())
+			        if (!yes_or_no (read_only))
+ 				        continue;
+ 			} else {
+ 			        puts (_("Yes"));
+@@ -361,7 +338,7 @@
+ 			/*
+ 			 * prompt the user to delete the entry or not
+ 			 */
+-			if (yes_or_no ())
+			if (yes_or_no (read_only))
+ 				goto delete_gr;
+ 		}
+ 
+@@ -397,7 +374,7 @@
+ 				grp->gr_name, grp->gr_mem[i]);
+ 			printf (_("delete member '%s'? "), grp->gr_mem[i]);
+ 
+-			if (!yes_or_no ())
+			if (!yes_or_no (read_only))
+ 				continue;
+ 
+ 			SYSLOG ((LOG_INFO, "delete member '%s' group '%s'",
+@@ -422,7 +399,7 @@
+ 				printf (_("add group '%s' in %s ?"),
+ 					grp->gr_name, sgr_file);
+ 				errors++;
+-				if (yes_or_no ()) {
+				if (yes_or_no (read_only)) {
+ 					struct sgrp sg;
+ 					struct group gr;
+ 					static char *empty = NULL;
+@@ -509,7 +486,7 @@
+ 			/*
+ 			 * prompt the user to delete the entry or not
+ 			 */
+-			if (!yes_or_no ())
+			if (!yes_or_no (read_only))
+ 				continue;
+ 
+ 			/*
+@@ -565,7 +542,7 @@
+ 			/*
+ 			 * prompt the user to delete the entry or not
+ 			 */
+-			if (yes_or_no ())
+			if (yes_or_no (read_only))
+ 				goto delete_sg;
+ 		}
+ 
+@@ -578,7 +555,7 @@
+ 				grp_file);
+ 			printf (_("delete line '%s'? "), sge->line);
+ 			errors++;
+-			if (yes_or_no ())
+			if (yes_or_no (read_only))
+ 				goto delete_sg;
+ 		} else {
+ 			/**
+@@ -619,7 +596,7 @@
+ 			printf (_("delete administrative member '%s'? "),
+ 				sgr->sg_adm[i]);
+ 
+-			if (!yes_or_no ())
+			if (!yes_or_no (read_only))
+ 				continue;
+ 
+ 			SYSLOG ((LOG_INFO,
+@@ -646,7 +623,7 @@
+ 				sgr->sg_name, sgr->sg_mem[i]);
+ 			printf (_("delete member '%s'? "), sgr->sg_mem[i]);
+ 
+-			if (!yes_or_no ())
+			if (!yes_or_no (read_only))
+ 				continue;
+ 
+ 			SYSLOG ((LOG_INFO,
+Index: shadow-4.0.18.1/src/pwck.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/pwck.c	2006-05-07 19:44:39.000000000 +0200
+++ shadow-4.0.18.1/src/pwck.c	2006-10-21 16:26:23.000000000 +0200
+@@ -49,6 +49,8 @@
+ extern void __spw_del_entry (const struct commonio_entry *);
+ extern struct commonio_entry *__spw_get_head (void);
+ 
+extern int yes_or_no (int);
+
+ /*
+  * Exit codes
+  */
+@@ -73,7 +75,6 @@
+ 
+ /* local function prototypes */
+ static void usage (void);
+-static int yes_or_no (void);
+ 
+ /*
+  * usage - print syntax message and exit
+@@ -86,31 +87,6 @@
+ }
+ 
+ /*
+- * yes_or_no - get answer to question from the user
+- */
+-static int yes_or_no (void)
+-{
+-	char buf[80];
+-
+-	/*
+-	 * In read-only mode all questions are answered "no".
+-	 */
+-
+-	if (read_only) {
+-		printf (_("No\n"));
+-		return 0;
+-	}
+-
+-	/*
+-	 * Get a line and see what the first character is.
+-	 */
+-	if (fgets (buf, sizeof buf, stdin))
+-		return buf[0] == 'y' || buf[0] == 'Y';
+-
+-	return 0;
+-}
+-
+-/*
+  * pwck - verify password file integrity
+  */
+ int main (int argc, char **argv)
+@@ -261,7 +237,7 @@
+ 			/*
+ 			 * prompt the user to delete the entry or not
+ 			 */
+-			if (!yes_or_no ())
+			if (!yes_or_no (read_only))
+ 				continue;
+ 
+ 			/*
+@@ -316,7 +292,7 @@
+ 			/*
+ 			 * prompt the user to delete the entry or not
+ 			 */
+-			if (yes_or_no ())
+			if (yes_or_no (read_only))
+ 				goto delete_pw;
+ 		}
+ 
+@@ -382,7 +358,7 @@
+ 				printf (_("add user '%s' in %s? "),
+ 					pwd->pw_name, spw_file);
+ 				errors++;
+-				if (yes_or_no ()) {
+				if (yes_or_no (read_only)) {
+ 					struct spwd sp;
+ 					struct passwd pw;
+ 
+@@ -462,7 +438,7 @@
+ 			/*
+ 			 * prompt the user to delete the entry or not
+ 			 */
+-			if (!yes_or_no ())
+			if (!yes_or_no (read_only))
+ 				continue;
+ 
+ 			/*
+@@ -517,7 +493,7 @@
+ 			/*
+ 			 * prompt the user to delete the entry or not
+ 			 */
+-			if (yes_or_no ())
+			if (yes_or_no (read_only))
+ 				goto delete_spw;
+ 		}
+ 
+@@ -538,7 +514,7 @@
+ 			/*
+ 			 * prompt the user to delete the entry or not
+ 			 */
+-			if (yes_or_no ())
+			if (yes_or_no (read_only))
+ 				goto delete_spw;
+ 		}
+ 
@@ -0,0 +1,140 @@
+Goal: Add a "-r" option to useradd
+
+Fixes: #333706
+
+Status wrt upstream: Forwarded but not applied yet. Not sure that upstream
+                     is really ready to apply it. We apply it anyway because 
+                     LSB compliance is important for Debian
+
+Index: shadow-4.0.18.1/src/useradd.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/useradd.c	2006-09-17 12:18:01.140062412 +0200
+++ shadow-4.0.18.1/src/useradd.c	2006-09-17 12:18:05.004093135 +0200
+@@ -127,6 +127,7 @@
+     mflg = 0,			/* create user's home directory if it doesn't exist */
+     nflg = 0,			/* create a group having the same name as the user */
+     oflg = 0,			/* permit non-unique user ID to be specified with -u */
+    rflg = 0,			/* create a system account (LSB compliance) */
+     sflg = 0,			/* shell program for new account */
+     uflg = 0;			/* specify user ID for new account */
+ 
+@@ -638,6 +639,7 @@
+ 			   "				(non-unique) UID\n"
+ 			   "  -p, --password PASSWORD	use encrypted password for the new user\n"
+ 			   "				account\n"
+			   "  -r, --system			create a system account\n"
+ 			   "  -s, --shell SHELL		the login shell for the new user account\n"
+ 			   "  -u, --uid UID			force use the UID for the new user account\n"
+ 			   "\n"));
+@@ -686,11 +688,19 @@
+ 	spent->sp_namp = (char *) user_name;
+ 	spent->sp_pwdp = (char *) user_pass;
+ 	spent->sp_lstchg = time ((time_t *) 0) / SCALE;
+-	spent->sp_min = scale_age (getdef_num ("PASS_MIN_DAYS", -1));
+-	spent->sp_max = scale_age (getdef_num ("PASS_MAX_DAYS", -1));
+-	spent->sp_warn = scale_age (getdef_num ("PASS_WARN_AGE", -1));
+-	spent->sp_inact = scale_age (def_inactive);
+-	spent->sp_expire = scale_age (user_expire);
+	if (!rflg) {
+		spent->sp_min = scale_age (getdef_num ("PASS_MIN_DAYS", -1));
+		spent->sp_max = scale_age (getdef_num ("PASS_MAX_DAYS", -1));
+		spent->sp_warn = scale_age (getdef_num ("PASS_WARN_AGE", -1));
+		spent->sp_inact = scale_age (def_inactive);
+		spent->sp_expire = scale_age (user_expire);
+        } else {
+		spent->sp_min = scale_age(-1);
+		spent->sp_max = scale_age(-1);
+		spent->sp_warn = scale_age(-1);
+		spent->sp_inact = scale_age(-1);
+		spent->sp_expire = scale_age(-1);
+	}
+ 	spent->sp_flag = -1;
+ }
+ 
+@@ -838,8 +848,13 @@
+ 	const struct passwd *pwd;
+ 	uid_t uid_min, uid_max;
+ 
+-	uid_min = getdef_unum ("UID_MIN", 1000);
+-	uid_max = getdef_unum ("UID_MAX", 60000);
+	if (!rflg) {
+		uid_min = getdef_unum ("UID_MIN", 1000);
+		uid_max = getdef_unum ("UID_MAX", 60000);
+	} else {
+		uid_min = 1;
+		uid_max = getdef_unum ("UID_MIN", 1000) - 1;
+	}
+ 
+ 	/*
+ 	 * Start with some UID value if the user didn't provide us with
+@@ -1018,12 +1033,13 @@
+ 			{"create-home", no_argument, NULL, 'm'},
+ 			{"non-unique", no_argument, NULL, 'o'},
+ 			{"password", required_argument, NULL, 'p'},
+			{"system", no_argument, NULL, 'r'},
+ 			{"shell", required_argument, NULL, 's'},
+ 			{"uid", required_argument, NULL, 'u'},
+ 			{NULL, 0, NULL, '\0'}
+ 		};
+ 		while ((c =
+-			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:O:K:mMop:s:u:",
+			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:O:K:mMop:rs:u:",
+ 				     long_options, NULL)) != -1) {
+ 			switch (c) {
+ 			case 'b':
+@@ -1177,6 +1193,9 @@
+ 				}
+ 				user_pass = optarg;
+ 				break;
+			case 'r':
+				rflg++;
+				break;
+ 			case 's':
+ 				if (!VALID (optarg)
+ 				    || (optarg[0]
+@@ -1569,24 +1588,27 @@
+  */
+ static void create_home (void)
+ {
+-	if (access (user_home, F_OK)) {
+-		/* XXX - create missing parent directories.  --marekm */
+-		if (mkdir (user_home, 0)) {
+-			fprintf (stderr,
+-				 _
+-				 ("%s: cannot create directory %s\n"),
+-				 Prog, user_home);
+-			fail_exit (E_HOMEDIR);
+-		}
+-		chown (user_home, user_id, user_gid);
+-		chmod (user_home,
+-		       0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+-		home_added++;
+-#ifdef WITH_AUDIT
+-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+-			      "adding home directory", user_name, user_id, 1);
+-#endif
+-	}
+  if (!rflg) { /* for system accounts defaults are ignored and we
+		    * do not create a home dir -- gafton */
+		if (access (user_home, F_OK)) {
+			/* XXX - create missing parent directories.  --marekm */
+			if (mkdir (user_home, 0)) {
+				fprintf (stderr,
+					 _
+				 	("%s: cannot create directory %s\n"),
+				 	Prog, user_home);
+				fail_exit (E_HOMEDIR);
+			}
+			chown (user_home, user_id, user_gid);
+			chmod (user_home,
+			       0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+			home_added++;
+  #ifdef WITH_AUDIT
+			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+  			      "adding home directory", user_name, user_id, 1);
+  #endif
+		}
+  }
+ }
+ 
+ /*
@@ -0,0 +1,61 @@
+Goal:
+   The getpwnam man page specifies:
+
+       The getpwnam() and getpwuid() functions return a pointer  to  a  passwd
+       structure,  or  NULL  if  the  matching  entry is not found or an error
+       occurs.  If an error occurs, errno is set appropriately.  If one  wants
+       to  check  errno  after  the  call, it should be set to zero before the
+       call.
+
+       The return value may point to static area, and may  be  overwritten  by
+       subsequent calls to getpwent(), getpwnam(), or getpwuid().
+
+   There is no garranty that a PAM module will not use one of these
+   functions.  (This is the case of pam_unix in PAM 0.76)
+   So the structure must be duplicated before being used (there are call
+   to PAM between the call to getpwnam and the usage of the passwd
+   structure).
+
+   In the GNU libc, only a call to the same function (getpwent(),
+   getpwnam(), or getpwuid()) overrides the static area.
+
+   This patch should fix this kind of issues for the GNU libc. However,
+   getpwuid is often called after the call to getpwnam in shaow. I did not
+   checked if there may be an issue for non-GNU libc.
+
+Fixes: #341230
+
+Status wrt upstream: 
+
+Index: shadow-4.0.18.1/src/chfn.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/chfn.c	2006-05-07 19:44:39.000000000 +0200
+++ shadow-4.0.18.1/src/chfn.c	2006-09-17 12:18:06.364103948 +0200
+@@ -334,6 +334,11 @@
+ 		}
+ 		user = xstrdup (pw->pw_name);
+ 	}
+	pw = __pw_dup(pw);
+	if (!pw) {
+		fprintf (stderr, _("%s: out of memory\n"), Prog);
+		exit (E_NOPERM);
+	}
+ 
+ #ifdef	USE_NIS
+ 	/*
+Index: shadow-4.0.18.1/src/chsh.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/chsh.c	2006-07-13 23:26:35.000000000 +0200
+++ shadow-4.0.18.1/src/chsh.c	2006-09-17 12:18:06.368103980 +0200
+@@ -265,6 +265,11 @@
+ 		}
+ 		user = xstrdup (pw->pw_name);
+ 	}
+	pw = __pw_dup(pw);
+	if (!pw) {
+		fprintf (stderr, _("%s: out of memory\n"), Prog);
+		exit (1);
+	}
+ 
+ #ifdef	USE_NIS
+ 	/*
@@ -0,0 +1,62 @@
+Goal: Provide more info when chown_tty() phase of login fails (see #332198).
+
+Related: #332198 (helps to debug)
+
+Status wrt upstream: Not forwarded (dunno if there's any point in this).
+
+This patch increases verbosity of is_my_tty() routine which is called
+from chown_tty() which in turn is part of login sequence. Submitter of
+the bug #332198 sometimes gets telnet session refused, but message in
+syslog is not at all helpful:
+> ... login[453]: unable to determine TTY name, got /dev/pts/1
+and in fact it's misleading, because tty name is detected OK, it's
+is_my_tty() which is failing for a reason yet unknown (I suspect
+corruption of utmp file).
+
+Index: shadow-4.0.18.1/libmisc/chowntty.c
+===================================================================
+--- shadow-4.0.18.1.orig/libmisc/chowntty.c	2005-08-31 19:24:57.000000000 +0200
+++ shadow-4.0.18.1/libmisc/chowntty.c	2006-09-17 12:18:08.256118991 +0200
+@@ -40,6 +40,7 @@
+ #include "defines.h"
+ #include <pwd.h>
+ #include "getdef.h"
+#include <sys/sysmacros.h>
+ /*
+  * is_my_tty -- determine if "tty" is the same as TTY stdin is using
+  */
+@@ -47,12 +48,31 @@
+ {
+ 	struct stat by_name, by_fd;
+ 
+-	if (stat (tty, &by_name) || fstat (0, &by_fd))
+	if (stat (tty, &by_name)) {
+		/* Can use neither strerror() nor "%m" sequence -- first
+		 * is locale-dependent (while SYSLOG isn't) and for second
+		 * the SYSLOG macro isn't errno-transparent.  --xrgtn */
+		int e = errno;
+		SYSLOG ((LOG_WARN, "can't stat(`%s'): errno %i\n", tty, e));
+ 		return 0;
+	}
+ 
+-	if (by_name.st_rdev != by_fd.st_rdev)
+	if (fstat (0, &by_fd)) {
+		int e = errno;
+		SYSLOG ((LOG_WARN, "can't fstat(stdin): errno %i\n", e));
+ 		return 0;
+-	else
+	}
+
+	if (by_name.st_rdev != by_fd.st_rdev) {
+		SYSLOG ((LOG_WARN,
+			 "`%s'.st_rdev(%u,%u) != stdin.st_rdev(%u,%u)\n",
+			 tty,
+			 /* XXX: dev_t is 64bit, gnu_dev_mXXor are used
+			  * which are GNU extn */
+			 major(by_name.st_rdev), minor(by_name.st_rdev),
+			 major(by_fd.st_rdev), minor(by_fd.st_rdev)));
+		return 0;
+	} else
+ 		return 1;
+ }
+ 
@@ -0,0 +1,54 @@
+Goal: Allow SU options to be passed after - or the username
+
+Fixes: #331438 or #346445 in popularity-contest
+
+Note: The man page is clear about su usage:
+su [options] [-] [username [args]]
+but too many package are using this feature
+
+GNU su should also allow that.
+
+The only drawback I can see is (for upstream) that "su -x" (whish should
+start a shell in debug mode) won't work (su -- -x) will have to be used
+instead.
+This was a problem when -c was not an su option, but it is no more the
+case (a -- would have to be added for all the su -c "command"
+invocations).
+
+Index: shadow-4.0.18.1/src/su.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/su.c	2006-09-17 12:18:07.616113902 +0200
+++ shadow-4.0.18.1/src/su.c	2006-09-17 12:18:08.884123984 +0200
+@@ -374,19 +374,9 @@
+ 		};
+ 
+ 		while ((c =
+-			getopt_long (argc, argv, "-c:hlmps:", long_options,
+			getopt_long (argc, argv, "c:hlmps:", long_options,
+ 				     &option_index)) != -1) {
+ 			switch (c) {
+-			case 1:
+-				/* this is not an su option */
+-				/* The next arguments are either '-', the
+-				 * target name, or arguments to be passed
+-				 * to the shell.
+-				 */
+-				/* rewind the (not yet handled) option */
+-				optind--;
+-				goto end_su_options;
+-				break;	/* NOT REACHED */
+ 			case 'c':
+ 				command = optarg;
+ 				break;
+@@ -408,10 +398,9 @@
+ 				shellstr = optarg;
+ 				break;
+ 			default:
+-				usage ();	/* NOT REACHED */
+				usage ();
+ 			}
+ 		}
+-	      end_su_options:
+ 		if (optind < argc && !strcmp (argv[optind], "-")) {
+ 			fakelogin = 1;
+ 			optind++;
@@ -0,0 +1,17 @@
+Goal: shell's name must be -su when a su fakes a login
+
+Status wrt upstream: not reported yet
+
+Index: shadow-4.0.18.1/src/su.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/su.c	2006-09-17 12:18:08.884123984 +0200
+++ shadow-4.0.18.1/src/su.c	2006-09-17 12:18:09.492128818 +0200
+@@ -916,7 +916,7 @@
+ 		 * Use the shell and create an argv
+ 		 * with the rest of the command line included.
+ 		 */
+-		argv[-1] = shellstr;
+		argv[-1] = cp;
+ #ifndef USE_PAM
+ 		(void) execve (shellstr, &argv[-1], environ);
+ 		err = errno;
@@ -0,0 +1,20 @@
+Goal: Be more verbose and indicate that the password was not changed when
+      pam_chauthtok fails (in addition to the PAM error, which may not be
+      comprehensible for the users)
+
+Fixes: #352137
+
+Status wrt upstream: not forwarded yet
+
+Index: shadow-4.0.18.1/libmisc/pam_pass.c
+===================================================================
+--- shadow-4.0.18.1.orig/libmisc/pam_pass.c	2005-10-19 17:21:07.000000000 +0200
+++ shadow-4.0.18.1/libmisc/pam_pass.c	2006-09-17 12:18:12.028148982 +0200
+@@ -38,6 +38,7 @@
+ 	ret = pam_chauthtok (pamh, flags);
+ 	if (ret != PAM_SUCCESS) {
+ 		fprintf (stderr, _("passwd: %s\n"), pam_strerror (pamh, ret));
+		fprintf (stderr, _("passwd: password unchanged\n"));
+ 		pam_end (pamh, ret);
+ 		exit (10);	/* XXX */
+ 	}
@@ -0,0 +1,50 @@
+Goal: detect that SE Linux is not present without failing if
+      --without-selinux or --with-selinux is not specified.
+
+Fix: FTBFS on kfreebsd (and probably The Hurd)
+
+Author: Mike Frysinger <vapier@gentoo.org>
+
+Status wrt upstream: reported by Mike, not applied yet
+
+Index: shadow-4.0.18.1/configure.in
+===================================================================
+--- shadow-4.0.18.1.orig/configure.in	2006-08-03 12:17:21.000000000 +0200
+++ shadow-4.0.18.1/configure.in	2006-09-17 12:18:10.116133780 +0200
+@@ -220,7 +220,7 @@
+ 	[with_libpam=$withval], [with_libpam=yes])
+ AC_ARG_WITH(selinux,
+ 	[AC_HELP_STRING([--with-selinux], [use SELinux support @<:@default=autodetect@:>@])],
+-	[with_selinux=$withval], [with_selinux=yes])
+	[with_selinux=$withval], [with_selinux=maybe])
+ AC_ARG_WITH(skey,
+ 	[AC_HELP_STRING([--with-skey], [use S/Key support @<:@default=no@:>@])],
+ 	[with_skey=$withval], [with_skey=no])
+@@ -282,15 +282,22 @@
+ 		AC_DEFINE(HAVE_LIBCRACK_PW, 1, [Defined if it includes *Pw functions.]))
+ fi
+ 
+-if test "$with_selinux" = "yes"; then
+if test "$with_selinux" != "no"; then
+	have_selinux="yes"
+ 	AC_CHECK_LIB(selinux, is_selinux_enabled,
+ 		[LIBSELINUX="-lselinux"
+		],
+		[have_selinux="no"])
+	if test "x$have_selinux$with_selinux" = "xnoyes" ; then
+		AC_MSG_ERROR([libselinux not found])
+	elif test "x$have_selinux" = "xyes" ; then
+ 		AC_SUBST(LIBSELINUX)
+-		AC_CHECK_HEADERS(selinux/selinux.h, [],
+-			[AC_MSG_ERROR([selinux/selinux.h is missing])])
+		with_selinux="yes"
+		AC_CHECK_HEADERS(selinux/selinux.h, [], [selinux/selinux.h is missing])
+ 		AC_DEFINE(WITH_SELINUX, 1, [Build shadow with SELinux support])
+-		],
+-		[AC_MSG_ERROR([libselinux not found])])
+	else
+		with_selinux="no"
+	fi
+ fi
+ 
+ AC_SUBST(LIBPAM)
@@ -0,0 +1,26 @@
+Goal: SHADOWPWD is now assumed (no more defined).
+
+Fixes: pwck do not detect missing users in /etc/shadow.
+
+Status wrt upstream: Not proposed to upstream yet.
+
+Index: shadow-4.0.18.1/src/pwck.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/pwck.c	2006-10-21 13:33:12.000000000 +0200
+++ shadow-4.0.18.1/src/pwck.c	2006-10-21 13:36:29.000000000 +0200
+@@ -344,7 +344,6 @@
+ 				pwd->pw_name, pwd->pw_shell);
+ 			errors++;
+ 		}
+-#ifdef SHADOWPWD
+ 		/*
+ 		 * Make sure this entry exists in the /etc/gshadow file.
+ 		 */
+@@ -397,7 +396,6 @@
+ 				}
+ 			}
+ 		}
+-#endif
+ 	}
+ 
+ 	if (!is_shadow)
@@ -0,0 +1,45 @@
+Index: shadow-4.0.18.1/man/passwd.1.xml
+===================================================================
+--- shadow-4.0.18.1.orig/man/passwd.1.xml	2007-06-21 02:04:59.531851133 +0200
+++ shadow-4.0.18.1/man/passwd.1.xml	2007-06-21 02:28:19.460572933 +0200
+@@ -188,7 +188,8 @@
+ 	<listitem>
+ 	  <para>
+ 	    Lock the named account. This option disables an account by changing
+-	    the password to a value which matches no possible encrypted value.
+	    the password to a value which matches no possible encrypted value,
+	    and by setting the account expiry field to 1.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -249,7 +250,8 @@
+ 	  <para>
+ 	    Unlock the named account. This option re-enables an account by
+ 	    changing the password back to its previous value (to value before
+-	    using <option>-l</option> option).
+	    using <option>-l</option> option), and by resetting the account
+	    expiry field.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+Index: shadow-4.0.18.1/src/passwd.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/passwd.c	2007-06-21 02:05:36.029992809 +0200
+++ shadow-4.0.18.1/src/passwd.c	2007-06-21 02:28:19.460572933 +0200
+@@ -531,6 +531,16 @@
+ 		nsp->sp_inact = (inact * DAY) / SCALE;
+ 	if (do_update_age)
+ 		nsp->sp_lstchg = time ((time_t *) 0) / SCALE;
+	if (lflg)
+	{
+		/* Set the account expiry field to 1.
+		 * Some PAM implementation consider zero as a non expired
+		 * account.
+		 */
+		nsp->sp_expire = 1;
+	}
+	if (uflg)
+		nsp->sp_expire = -1;
+ 
+ 	/*
+ 	 * Force change on next login, like SunOS 4.x passwd -e or Solaris
@@ -0,0 +1,87 @@
+Goal: Do not break chpasswd/chgpasswd if compiled with
+      SSP (the -fstack-protector option in gcc 4.1) by fixing an
+      overflow in the 'salt' array
+
+Fix: #377825
+
+Author: Colin Watson <cjwatson@debian.org>
+
+Status wrt upstream: reported, not applied yet
+
+Index: shadow-4.0.18.1/libmisc/salt.c
+===================================================================
+--- shadow-4.0.18.1.orig/libmisc/salt.c	2006-09-17 12:17:58.260039514 +0200
+++ shadow-4.0.18.1/libmisc/salt.c	2006-09-17 12:18:13.948164248 +0200
+@@ -25,11 +25,13 @@
+ {
+ 	struct timeval tv;
+ 	static char result[40];
+	int max_salt_len = 8;
+ 
+ 	result[0] = '\0';
+ #ifndef USE_PAM
+ 	if (getdef_bool ("MD5_CRYPT_ENAB")) {
+ 		strcpy (result, "$1$");	/* magic for the new MD5 crypt() */
+		max_salt_len += 3;
+ 	}
+ #endif
+ 
+@@ -40,8 +42,8 @@
+ 	strcat (result, l64a (tv.tv_usec));
+ 	strcat (result, l64a (tv.tv_sec + getpid () + clock ()));
+ 
+-	if (strlen (result) > 3 + 8)	/* magic+salt */
+-		result[11] = '\0';
+	if (strlen (result) > max_salt_len)
+		result[max_salt_len] = '\0';
+ 
+ 	return result;
+ }
+Index: shadow-4.0.18.1/src/chgpasswd.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/chgpasswd.c	2006-09-17 12:17:58.260039514 +0200
+++ shadow-4.0.18.1/src/chgpasswd.c	2006-09-17 12:18:13.952164280 +0200
+@@ -244,10 +244,16 @@
+ 		newpwd = cp;
+ 		if (!eflg) {
+ 			if (md5flg) {
+-				char salt[12] = "$1$";
+				char md5salt[12] = "$1$";
+				char *salt = crypt_make_salt ();
+ 
+-				strcat (salt, crypt_make_salt ());
+-				cp = pw_encrypt (newpwd, salt);
+				if (strncmp (salt, "$1$", 3) == 0) {
+					strncat (md5salt, salt, 11);
+				} else {
+					strcat (md5salt, "$1$");
+					strncat (md5salt, salt, 8);
+				}
+				cp = pw_encrypt (newpwd, md5salt);
+ 			} else
+ 				cp = pw_encrypt (newpwd, crypt_make_salt ());
+ 		}
+Index: shadow-4.0.18.1/src/chpasswd.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/chpasswd.c	2006-09-17 12:17:58.228039259 +0200
+++ shadow-4.0.18.1/src/chpasswd.c	2006-09-17 12:18:13.972164439 +0200
+@@ -240,10 +240,16 @@
+ 		newpwd = cp;
+ 		if (!eflg) {
+ 			if (md5flg) {
+-				char salt[12] = "$1$";
+				char md5salt[12] = "";
+				char *salt = crypt_make_salt ();
+ 
+-				strcat (salt, crypt_make_salt ());
+-				cp = pw_encrypt (newpwd, salt);
+				if (strncmp (salt, "$1$", 3) == 0) {
+					strncat (md5salt, salt, 11);
+				} else {
+					strcat (md5salt, "$1$");
+					strncat (md5salt, salt, 8);
+				}
+				cp = pw_encrypt (newpwd, md5salt);
+ 			} else
+ 				cp = pw_encrypt (newpwd, crypt_make_salt ());
+ 		}
@@ -0,0 +1,60 @@
+Goal: Make login initialize a session to allow ^C and ^Z to work when
+      booting with init=/bin/login
+      Only do this if we are init (getppid() == 1) (see #380522)
+
+Fix: #374547
+
+Author: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+Status wrt upstream: reported, not applied yet
+
+Index: shadow-4.0.18.1/src/login.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/login.c	2006-09-17 12:18:04.272087315 +0200
+++ shadow-4.0.18.1/src/login.c	2006-09-17 12:18:14.632169686 +0200
+@@ -41,6 +41,7 @@
+ #include <signal.h>
+ #include <stdio.h>
+ #include <sys/stat.h>
+#include <sys/ioctl.h>
+ #include "defines.h"
+ #include "faillog.h"
+ #include "failure.h"
+@@ -1046,6 +1047,12 @@
+ 	}
+ 	/* child */
+ #endif
+	/* If we were init, we need to start the session */
+	if (getppid() == 1) {
+		setsid();
+		if (ioctl(0, TIOCSCTTY, 1))
+			fprintf(stderr,_("TIOCSCTTY failed on %s"),tty);
+	}
+ 
+ 	/* We call set_groups() above because this clobbers pam_groups.so */
+ #ifndef USE_PAM
+Index: shadow-4.0.18.1/src/sulogin.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/sulogin.c	2006-05-13 01:13:10.000000000 +0200
+++ shadow-4.0.18.1/src/sulogin.c	2006-09-17 12:18:14.632169686 +0200
+@@ -35,6 +35,7 @@
+ #include <pwd.h>
+ #include <signal.h>
+ #include <stdio.h>
+#include <sys/ioctl.h>
+ #include "defines.h"
+ #include "getdef.h"
+ #include "prototypes.h"
+@@ -142,6 +143,12 @@
+ #endif
+ 		exit (1);	/* must be a terminal */
+ 	}
+	/* If we were init, we need to start the session */
+	if (getppid() == 1) {
+		setsid();
+		if (ioctl(0, TIOCSCTTY, 1))
+			fprintf(stderr,_("TIOCSCTTY failed"));
+	}
+ 	while (*envp)		/* add inherited environment, */
+ 		addenv (*envp++, NULL);	/* some variables change later */
+ 
@@ -0,0 +1,24 @@
+Goal: Do not request a password when a user uses newgrp to switch to her
+      primary group.
+
+Fixes: #396691
+
+Status wrt upstream: not forwarded yet.
+
+Index: shadow-4.0.18.1/src/newgrp.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/newgrp.c	2007-04-15 15:25:01.000000000 +0200
+++ shadow-4.0.18.1/src/newgrp.c	2007-04-15 15:34:01.000000000 +0200
+@@ -357,6 +357,12 @@
+ 		needspasswd = 1;
+ 
+ 	/*
+	 * If it's her primary group, do not request a password.
+	 */
+	if (grp->gr_gid == pwd->pw_gid)
+		needspasswd = 0;
+
+	/*
+ 	 * If she does not have either a shadowed password, or a regular
+ 	 * password, and the group has a password, she needs to give the
+ 	 * group password.
--- a/Show More
+++ b/Show More