configure.ac: Release 4.14.8

Signed-off-by: Alejandro Colomar <alx@kernel.org>
lib/csrand.c: Fix the lower part of the domain of csrand_uniform()
2024-06-21 10:59:23 +02:00 · 2024-06-21 10:58:22 +02:00 · 2024-03-26 20:46:18 +01:00 · 2024-03-22 00:19:06 +01:00 · 2024-03-22 00:10:24 +01:00 · 2024-03-13 23:19:51 +01:00
60 changed files with 412 additions and 437 deletions
--- a/configure.ac
+++ b/configure.ac
@@ -4,7 +4,7 @@ m4_define([libsubid_abi_major], 4)
 m4_define([libsubid_abi_minor], 0)
 m4_define([libsubid_abi_micro], 0)
 m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
-AC_INIT([shadow], [4.14.2], [pkg-shadow-devel@lists.alioth.debian.org], [],
+AC_INIT([shadow], [4.14.8], [pkg-shadow-devel@lists.alioth.debian.org], [],
 	[https://github.com/shadow-maint/shadow])
 AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -32,6 +32,7 @@ AC_PROG_CC
 AC_PROG_LN_S
 AC_PROG_YACC
 LT_INIT
+LT_LIB_DLLOAD

 dnl Checks for libraries.

@@ -48,7 +49,7 @@ AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])])
 AC_CHECK_FUNCS(arc4random_buf futimes \
 	getentropy getrandom getspnam getusershell \
 	initgroups lckpwdf lutimes mempcpy \
-	setgroups updwtmp updwtmpx innetgr \
+	setgroups updwtmpx innetgr \
 	getspnam_r \
 	rpmatch \
 	memset_explicit explicit_bzero stpecpy stpeprintf)
@@ -56,17 +57,13 @@ AC_SYS_LARGEFILE

 dnl Checks for typedefs, structures, and compiler characteristics.

-AC_CHECK_MEMBERS([struct utmp.ut_type,
-                  struct utmp.ut_id,
-                  struct utmp.ut_name,
-                  struct utmp.ut_user,
-                  struct utmp.ut_host,
-                  struct utmp.ut_syslen,
-                  struct utmp.ut_addr,
-                  struct utmp.ut_addr_v6,
-                  struct utmp.ut_time,
-                  struct utmp.ut_xtime,
-                  struct utmp.ut_tv],,,[[#include <utmp.h>]])
+AC_CHECK_MEMBERS([struct utmpx.ut_name,
+                  struct utmpx.ut_host,
+                  struct utmpx.ut_syslen,
+                  struct utmpx.ut_addr,
+                  struct utmpx.ut_addr_v6,
+                  struct utmpx.ut_time,
+                  struct utmpx.ut_xtime],,,[[#include <utmpx.h>]])

 dnl Checks for library functions.
 AC_TYPE_GETGROUPS
--- a/etc/pam.d/Makefile.am
+++ b/etc/pam.d/Makefile.am
@@ -2,20 +2,20 @@
 # and also cooperate to make a distribution for `make dist'

 pamd_files = \
+	chpasswd \
 	chfn \
 	chsh \
 	groupmems \
 	login \
+	newusers \
 	passwd

 pamd_acct_tools_files = \
 	chage \
 	chgpasswd \
-	chpasswd \
 	groupadd \
 	groupdel \
 	groupmod \
-	newusers \
 	useradd \
 	userdel \
 	usermod
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -20,6 +20,7 @@ endif

 libshadow_la_CPPFLAGS += -I$(top_srcdir)
 libshadow_la_CFLAGS = $(LIBBSD_CFLAGS) $(LIBCRYPT_PAM) $(LIBSYSTEMD)
+libshadow_la_LIBADD = $(LIBADD_DLOPEN)

 libshadow_la_SOURCES = \
 	addgrps.c \
@@ -52,6 +53,7 @@ libshadow_la_SOURCES = \
 	faillog.h \
 	failure.c \
 	failure.h \
+	fd.c \
 	fields.c \
 	find_new_gid.c \
 	find_new_uid.c \
--- a/lib/age.c
+++ b/lib/age.c
@@ -139,7 +139,7 @@ int expire (const struct passwd *pw, /*@null@*/const struct spwd *sp)

 void agecheck (/*@null@*/const struct spwd *sp)
 {
-	long now = time(NULL) / SCALE;
+	long now = time(NULL) / DAY;
 	long remain;

 	if (NULL == sp) {
@@ -164,7 +164,6 @@ void agecheck (/*@null@*/const struct spwd *sp)

 	remain = sp->sp_lstchg + sp->sp_max - now;
 	if (remain <= sp->sp_warn) {
-		remain /= DAY / SCALE;
 		if (remain > 1) {
 			(void) printf (_("Your password will expire in %ld days.\n"),
 			               remain);
--- a/lib/agetpass.c
+++ b/lib/agetpass.c
@@ -9,7 +9,6 @@

 #include <limits.h>
 #include <readpassphrase.h>
-#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>

@@ -23,11 +22,6 @@
 #endif /* WITH_LIBBSD */


-#if !defined(PASS_MAX)
-#define PASS_MAX  BUFSIZ - 1
-#endif
-
-
 /*
 * SYNOPSIS
 *	[[gnu::malloc(erase_pass)]]
--- a/lib/chkname.c
+++ b/lib/chkname.c
@@ -74,12 +74,14 @@ static bool is_valid_name (const char *name)

 bool is_valid_user_name (const char *name)
 {
+	size_t  maxlen;
+
 	/*
 	 * User names length are limited by the kernel
 	 */
-	if (strlen (name) > sysconf(_SC_LOGIN_NAME_MAX)) {
+	maxlen = sysconf(_SC_LOGIN_NAME_MAX);
+	if (strlen(name) >= maxlen)
 		return false;
-	}

 	return is_valid_name (name);
 }
--- a/lib/copydir.c
+++ b/lib/copydir.c
@@ -415,6 +415,7 @@ static int copy_entry (const struct path_info *src, const struct path_info *dst,
 {
 	int err = 0;
 	struct stat sb;
+	struct stat tmp_sb;
 	struct link_name *lp;
 	struct timespec mt[2];

@@ -436,7 +437,7 @@ static int copy_entry (const struct path_info *src, const struct path_info *dst,
 		 * If the destination already exists do nothing.
 		 * This is after the copy_dir above to still iterate into subdirectories.
 		 */
-		if (fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) != -1) {
+		if (fstatat(dst->dirfd, dst->name, &tmp_sb, AT_SYMLINK_NOFOLLOW) != -1) {
 			return 0;
 		}

--- a/lib/csrand.c
+++ b/lib/csrand.c
@@ -22,6 +22,7 @@
 #include "shadowlog.h"


+static uint32_t csrand32(void);
 static uint32_t csrand_uniform32(uint32_t n);
 static unsigned long csrand_uniform_slow(unsigned long n);

@@ -96,6 +97,13 @@ csrand_interval(unsigned long min, unsigned long max)
 }


+static uint32_t
+csrand32(void)
+{
+	return csrand();
+}
+
+
 /*
 * Fast Random Integer Generation in an Interval
 * ACM Transactions on Modeling and Computer Simulation 29 (1), 2019
@@ -108,12 +116,12 @@ csrand_uniform32(uint32_t n)
 	uint64_t  r, mult;

 	if (n == 0)
-		return csrand();
+		return csrand32();

 	bound = -n % n;  // analogous to `2^32 % n`, since `x % y == (x-y) % y`

 	do {
-		r = csrand();
+		r = csrand32();
 		mult = r * n;
 		rem = mult;  // analogous to `mult % 2^32`
 	} while (rem < bound);  // p = (2^32 % n) / 2^32;  W.C.: n=2^31+1, p=0.5
--- a/lib/defines.h
+++ b/lib/defines.h
@@ -25,6 +25,7 @@
    ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2))
 #endif

+#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>

@@ -153,7 +154,6 @@ static inline void memzero(void *ptr, size_t size)
 *
 * DAY - seconds / day
 * WEEK - seconds / week
- * SCALE - seconds / aging unit
 */

 /* Solaris defines this in shadow.h */
@@ -163,12 +163,6 @@ static inline void memzero(void *ptr, size_t size)

 #define WEEK (7*DAY)

-#ifdef ITI_AGING
-#define SCALE 1
-#else
-#define SCALE DAY
-#endif
-
 #define WIDTHOF(x)   (sizeof(x) * CHAR_BIT)
 #define NITEMS(arr)  (sizeof((arr)) / sizeof((arr)[0]))
 #define STRLEN(s)    (NITEMS(s) - 1)
@@ -247,4 +241,14 @@ static inline void memzero(void *ptr, size_t size)
 #  define shadow_getenv(name) getenv(name)
 #endif

+/*
+ * Maximum password length
+ *
+ * Consider that there is also limit in PAM (PAM_MAX_RESP_SIZE)
+ * currently set to 512.
+ */
+#if !defined(PASS_MAX)
+#define PASS_MAX  BUFSIZ - 1
+#endif
+
 #endif				/* _DEFINES_H_ */
--- a/lib/fd.c
+++ b/lib/fd.c
@@ -0,0 +1,41 @@
+// SPDX-FileCopyrightText: 2024, Skyler Ferrante <sjf5462@rit.edu>
+// SPDX-License-Identifier: BSD-3-Clause
+
+/**
+ * To protect against file descriptor omission attacks, we open the std file
+ * descriptors with /dev/null if they are not already open. Code is based on
+ * fix_fds from sudo.c.
+ */
+
+#include <fcntl.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "prototypes.h"
+
+static void check_fd(int fd);
+
+void
+check_fds(void)
+{
+	/**
+	 * Make sure stdin, stdout, stderr are open
+	 * If they are closed, set them to /dev/null
+	 */
+	check_fd(STDIN_FILENO);
+	check_fd(STDOUT_FILENO);
+	check_fd(STDERR_FILENO);
+}
+
+static void
+check_fd(int fd)
+{
+	int  devnull;
+
+	if (fcntl(fd, F_GETFL, 0) != -1)
+		return;
+
+	devnull = open("/dev/null", O_RDWR);
+	if (devnull != fd)
+		abort();
+}
--- a/lib/getdate.y
+++ b/lib/getdate.y
@@ -318,7 +318,7 @@ relunit	: tUNUMBER tYEAR_UNIT {
 	    yyRelYear += $1 * $2;
 	}
 	| tYEAR_UNIT {
-	    yyRelYear++;
+	    yyRelYear += $1;
 	}
 	| tUNUMBER tMONTH_UNIT {
 	    yyRelMonth += $1 * $2;
@@ -327,7 +327,7 @@ relunit	: tUNUMBER tYEAR_UNIT {
 	    yyRelMonth += $1 * $2;
 	}
 	| tMONTH_UNIT {
-	    yyRelMonth++;
+	    yyRelMonth += $1;
 	}
 	| tUNUMBER tDAY_UNIT {
 	    yyRelDay += $1 * $2;
@@ -336,7 +336,7 @@ relunit	: tUNUMBER tYEAR_UNIT {
 	    yyRelDay += $1 * $2;
 	}
 	| tDAY_UNIT {
-	    yyRelDay++;
+	    yyRelDay += $1;
 	}
 	| tUNUMBER tHOUR_UNIT {
 	    yyRelHour += $1 * $2;
@@ -345,7 +345,7 @@ relunit	: tUNUMBER tYEAR_UNIT {
 	    yyRelHour += $1 * $2;
 	}
 	| tHOUR_UNIT {
-	    yyRelHour++;
+	    yyRelHour += $1;
 	}
 	| tUNUMBER tMINUTE_UNIT {
 	    yyRelMinutes += $1 * $2;
@@ -354,7 +354,7 @@ relunit	: tUNUMBER tYEAR_UNIT {
 	    yyRelMinutes += $1 * $2;
 	}
 	| tMINUTE_UNIT {
-	    yyRelMinutes++;
+	    yyRelMinutes += $1;
 	}
 	| tUNUMBER tSEC_UNIT {
 	    yyRelSeconds += $1 * $2;
@@ -363,7 +363,7 @@ relunit	: tUNUMBER tYEAR_UNIT {
 	    yyRelSeconds += $1 * $2;
 	}
 	| tSEC_UNIT {
-	    yyRelSeconds++;
+	    yyRelSeconds += $1;
 	}
 	;

--- a/lib/isexpired.c
+++ b/lib/isexpired.c
@@ -40,7 +40,7 @@ int isexpired (const struct passwd *pw, /*@null@*/const struct spwd *sp)
 {
 	long now;

-	now = time(NULL) / SCALE;
+	now = time(NULL) / DAY;

 	if (NULL == sp) {
 		return 0;
@@ -84,7 +84,7 @@ int isexpired (const struct passwd *pw, /*@null@*/const struct spwd *sp)

 	if (   (-1 == sp->sp_lstchg)
 	    || (-1 == sp->sp_max)
-	    || (sp->sp_max >= ((10000L * DAY) / SCALE))) {
+	    || (sp->sp_max >= 10000)) {
 		return 0;
 	}

--- a/lib/log.c
+++ b/lib/log.c
@@ -24,7 +24,7 @@
 *
 *	A "last login" entry is created for the user being logged in.  The
 *	UID is extracted from the global (struct passwd) entry and the
- *	TTY information is gotten from the (struct utmp).
+ *	TTY information is gotten from the (struct utmpx).
 */
 void dolastlog (
 	struct lastlog *ll,
--- a/lib/logind.c
+++ b/lib/logind.c
@@ -35,7 +35,7 @@ done:
    return ret;
 }

-unsigned long active_sessions_count(const char *name, unsigned long unused)
+unsigned long active_sessions_count(const char *name, unsigned long unused(limit))
 {
    struct passwd *pw;
    unsigned long count = 0;
--- a/lib/prototypes.h
+++ b/lib/prototypes.h
@@ -127,6 +127,9 @@ extern void initenv (void);
 extern void set_env (int, char *const *);
 extern void sanitize_env (void);

+/* fd.c */
+extern void check_fds (void);
+
 /* fields.c */
 extern void change_field (char *, size_t, const char *);
 extern int valid_field (const char *, const char *);
--- a/lib/pwd2spwd.c
+++ b/lib/pwd2spwd.c
@@ -39,8 +39,8 @@ struct spwd *pwd_to_spwd (const struct passwd *pw)
 		 * Defaults used if there is no pw_age information.
 		 */
 		sp.sp_min = 0;
-		sp.sp_max = (10000L * DAY) / SCALE;
-		sp.sp_lstchg = gettime () / SCALE;
+		sp.sp_max = 10000;
+		sp.sp_lstchg = gettime () / DAY;
 		if (0 == sp.sp_lstchg) {
 			/* Better disable aging than requiring a password
 			 * change */
--- a/lib/sgetgrent.c
+++ b/lib/sgetgrent.c
@@ -37,8 +37,8 @@
 static char **list (char *s)
 {
 	static char **members = NULL;
-	static int size = 0;	/* max members + 1 */
-	int i;
+	static size_t size = 0;	/* max members + 1 */
+	size_t i;

 	i = 0;
 	for (;;) {
@@ -47,8 +47,10 @@ static char **list (char *s)
 		if (i >= size) {
 			size = i + 100;	/* at least: i + 1 */
 			members = REALLOCF(members, size, char *);
-			if (!members)
+			if (!members) {
+				size = 0;
 				return NULL;
+			}
 		}
 		if (!s || s[0] == '\0')
 			break;
--- a/lib/strtoday.c
+++ b/lib/strtoday.c
@@ -68,10 +68,9 @@ long strtoday (const char *str)
 		return retdate;
 	}

-	t = get_date (str, NULL);
+	t = get_date(str, NULL);
 	if ((time_t) - 1 == t) {
 		return -2;
 	}
-	/* convert seconds to days since 1970-01-01 */
-	return (t + DAY / 2) / DAY;
+	return t / DAY;
 }
--- a/lib/user_busy.c
+++ b/lib/user_busy.c
@@ -49,13 +49,15 @@ int user_busy (const char *name, uid_t uid)
 #endif				/* !__linux__ */
 }

-#ifndef __linux__
-static int user_busy_utmp (const char *name)
-{
-	struct utmp *utent;

-	setutent ();
-	while ((utent = getutent ()) != NULL)
+#ifndef __linux__
+static int
+user_busy_utmp(const char *name)
+{
+	struct utmpx  *utent;
+
+	setutxent();
+	while ((utent = getutxent()) != NULL)
 	{
 		if (utent->ut_type != USER_PROCESS) {
 			continue;
@@ -77,6 +79,7 @@ static int user_busy_utmp (const char *name)
 }
 #endif				/* !__linux__ */

+
 #ifdef __linux__
 #ifdef ENABLE_SUBIDS
 #define in_parentuid_range(uid) ((uid) >= parentuid && (uid) < parentuid + range)
--- a/lib/utmp.c
+++ b/lib/utmp.c
@@ -13,7 +13,7 @@
 #include "prototypes.h"
 #include "getdef.h"

-#include <utmp.h>
+#include <utmpx.h>
 #include <assert.h>
 #include <sys/param.h>
 #include <sys/types.h>
@@ -27,19 +27,23 @@
 #ident "$Id$"


+#define UTX_LINESIZE  NITEMS((struct utmpx){}.ut_line)
+
+
 /*
 * is_my_tty -- determine if "tty" is the same TTY stdin is using
 */
-static bool is_my_tty (const char tty[UT_LINESIZE])
+static bool
+is_my_tty(const char tty[UTX_LINESIZE])
 {
-	char         full_tty[STRLEN("/dev/") + UT_LINESIZE + 1];
+	char         full_tty[STRLEN("/dev/") + UTX_LINESIZE + 1];
 	/* tmptty shall be bigger than full_tty */
 	static char  tmptty[sizeof(full_tty) + 1];

 	full_tty[0] = '\0';
 	if (tty[0] != '/')
 		strcpy (full_tty, "/dev/");
-	strncat (full_tty, tty, UT_LINESIZE);
+	strncat(full_tty, tty, UTX_LINESIZE);

 	if ('\0' == tmptty[0]) {
 		const char *tname = ttyname (STDIN_FILENO);
@@ -55,13 +59,15 @@ static bool is_my_tty (const char tty[UT_LINESIZE])
 	return strcmp (full_tty, tmptty) == 0;
 }

+
 /*
 * failtmp - update the cumulative failure log
 *
- *	failtmp updates the (struct utmp) formatted failure log which
+ *	failtmp updates the (struct utmpx) formatted failure log which
 *	maintains a record of all login failures.
 */
-static void failtmp (const char *username, const struct utmp *failent)
+static void
+failtmp(const char *username, const struct utmpx *failent)
 {
 	const char *ftmp;
 	int fd;
@@ -106,6 +112,7 @@ static void failtmp (const char *username, const struct utmp *failent)
 	}
 }

+
 /*
 * get_current_utmp - return the most probable utmp entry for the current
 *                    session
@@ -114,56 +121,55 @@ static void failtmp (const char *username, const struct utmp *failent)
 *	The line entered by the *getty / telnetd, etc. should also match
 *	the current terminal.
 *
- *	When an entry is returned by get_current_utmp, and if the utmp
+ *	When an entry is returned by get_current_utmp, and if the utmpx
 *	structure has a ut_id field, this field should be used to update
 *	the entry information.
 *
 *	Return NULL if no entries exist in utmp for the current process.
 */
-static
-/*@null@*/ /*@only@*/struct utmp *get_current_utmp (void)
+static /*@null@*/ /*@only@*/struct utmpx *
+get_current_utmp(void)
 {
-	struct utmp *ut;
-	struct utmp *ret = NULL;
+	struct utmpx  *ut;
+	struct utmpx  *ret = NULL;

-	setutent ();
+	setutxent();

 	/* First, try to find a valid utmp entry for this process.  */
-	while ((ut = getutent ()) != NULL) {
+	while ((ut = getutxent()) != NULL) {
 		if (   (ut->ut_pid == getpid ())
-#ifdef HAVE_STRUCT_UTMP_UT_ID
 		    && ('\0' != ut->ut_id[0])
-#endif
-#ifdef HAVE_STRUCT_UTMP_UT_TYPE
 		    && (   (LOGIN_PROCESS == ut->ut_type)
 		        || (USER_PROCESS  == ut->ut_type))
-#endif
 		    /* A process may have failed to close an entry
 		     * Check if this entry refers to the current tty */
-		    && is_my_tty (ut->ut_line)) {
+		    && is_my_tty(ut->ut_line))
+		{
 			break;
 		}
 	}

 	if (NULL != ut) {
-		ret = XMALLOC(1, struct utmp);
+		ret = XMALLOC(1, struct utmpx);
 		memcpy (ret, ut, sizeof (*ret));
 	}

-	endutent ();
+	endutxent();

 	return ret;
 }

-int get_session_host (char **out)
+
+int
+get_session_host(char **out)
 {
-	char *hostname = NULL;
-	struct utmp *ut = NULL;
-	int ret = 0;
+	int           ret = 0;
+	char          *hostname;
+	struct utmpx  *ut;

 	ut = get_current_utmp();

-#ifdef HAVE_STRUCT_UTMP_UT_HOST
+#if defined(HAVE_STRUCT_UTMPX_UT_HOST)
 	if ((ut != NULL) && (ut->ut_host[0] != '\0')) {
 		hostname = XMALLOC(sizeof(ut->ut_host) + 1, char);
 		strncpy (hostname, ut->ut_host, sizeof (ut->ut_host));
@@ -177,18 +183,19 @@ int get_session_host (char **out)
 #else
 	*out = NULL;
 	ret = -2;
-#endif /* HAVE_STRUCT_UTMP_UT_HOST */
+#endif

 	return ret;
 }

-#ifndef USE_PAM
+
+#if !defined(USE_PAM) && !defined(HAVE_UPDWTMPX)
 /*
- * Some systems already have updwtmp() and possibly updwtmpx().  Others
+ * Some systems already have updwtmpx().  Others
 * don't, so we re-implement these functions if necessary.
 */
-#ifndef HAVE_UPDWTMP
-static void updwtmp (const char *filename, const struct utmp *ut)
+static void
+updwtmpx(const char *filename, const struct utmpx *ut)
 {
 	int fd;

@@ -198,9 +205,7 @@ static void updwtmp (const char *filename, const struct utmp *ut)
 		close (fd);
 	}
 }
-#endif				/* ! HAVE_UPDWTMP */
-
-#endif				/* ! USE_PAM */
+#endif


 /*
@@ -221,15 +226,13 @@ static void updwtmp (const char *filename, const struct utmp *ut)
 *
 *	The returned structure shall be freed by the caller.
 */
-static
-/*@only@*/struct utmp *prepare_utmp (const char *name,
-                                     const char *line,
-                                     const char *host,
-                                     /*@null@*/const struct utmp *ut)
+static /*@only@*/struct utmpx *
+prepare_utmp(const char *name, const char *line, const char *host,
+             /*@null@*/const struct utmpx *ut)
 {
-	struct timeval tv;
-	char *hostname = NULL;
-	struct utmp *utent;
+	char            *hostname = NULL;
+	struct utmpx    *utent;
+	struct timeval  tv;

 	assert (NULL != name);
 	assert (NULL != line);
@@ -240,13 +243,13 @@ static
 	    && ('\0' != host[0])) {
 		hostname = XMALLOC(strlen(host) + 1, char);
 		strcpy (hostname, host);
-#ifdef HAVE_STRUCT_UTMP_UT_HOST
+#if defined(HAVE_STRUCT_UTMPX_UT_HOST)
 	} else if (   (NULL != ut)
 	           && ('\0' != ut->ut_host[0])) {
 		hostname = XMALLOC(sizeof(ut->ut_host) + 1, char);
 		strncpy (hostname, ut->ut_host, sizeof (ut->ut_host));
 		hostname[sizeof (ut->ut_host)] = '\0';
-#endif				/* HAVE_STRUCT_UTMP_UT_HOST */
+#endif
 	}

 	if (strncmp(line, "/dev/", 5) == 0) {
@@ -254,38 +257,32 @@ static
 	}


-	utent = XCALLOC (1, struct utmp);
+	utent = XCALLOC(1, struct utmpx);


-#ifdef HAVE_STRUCT_UTMP_UT_TYPE
 	utent->ut_type = USER_PROCESS;
-#endif				/* HAVE_STRUCT_UTMP_UT_TYPE */
 	utent->ut_pid = getpid ();
 	strncpy (utent->ut_line, line,      sizeof (utent->ut_line) - 1);
-#ifdef HAVE_STRUCT_UTMP_UT_ID
 	if (NULL != ut) {
 		strncpy (utent->ut_id, ut->ut_id, sizeof (utent->ut_id));
 	} else {
 		/* XXX - assumes /dev/tty?? */
 		strncpy (utent->ut_id, line + 3, sizeof (utent->ut_id) - 1);
 	}
-#endif				/* HAVE_STRUCT_UTMP_UT_ID */
-#ifdef HAVE_STRUCT_UTMP_UT_NAME
+#if defined(HAVE_STRUCT_UTMPX_UT_NAME)
 	strncpy (utent->ut_name, name,      sizeof (utent->ut_name));
-#endif				/* HAVE_STRUCT_UTMP_UT_NAME */
-#ifdef HAVE_STRUCT_UTMP_UT_USER
+#endif
 	strncpy (utent->ut_user, name,      sizeof (utent->ut_user) - 1);
-#endif				/* HAVE_STRUCT_UTMP_UT_USER */
 	if (NULL != hostname) {
 		struct addrinfo *info = NULL;
-#ifdef HAVE_STRUCT_UTMP_UT_HOST
+#if defined(HAVE_STRUCT_UTMPX_UT_HOST)
 		strncpy (utent->ut_host, hostname, sizeof (utent->ut_host) - 1);
-#endif				/* HAVE_STRUCT_UTMP_UT_HOST */
-#ifdef HAVE_STRUCT_UTMP_UT_SYSLEN
+#endif
+#if defined(HAVE_STRUCT_UTMPX_UT_SYSLEN)
 		utent->ut_syslen = MIN (strlen (hostname),
 		                        sizeof (utent->ut_host));
-#endif				/* HAVE_STRUCT_UTMP_UT_SYSLEN */
-#if defined(HAVE_STRUCT_UTMP_UT_ADDR) || defined(HAVE_STRUCT_UTMP_UT_ADDR_V6)
+#endif
+#if defined(HAVE_STRUCT_UTMPX_UT_ADDR) || defined(HAVE_STRUCT_UTMPX_UT_ADDR_V6)
 		if (getaddrinfo (hostname, NULL, NULL, &info) == 0) {
 			/* getaddrinfo might not be reliable.
 			 * Just try to log what may be useful.
@@ -293,13 +290,13 @@ static
 			if (info->ai_family == AF_INET) {
 				struct sockaddr_in *sa =
 					(struct sockaddr_in *) info->ai_addr;
-#ifdef HAVE_STRUCT_UTMP_UT_ADDR
+# if defined(HAVE_STRUCT_UTMPX_UT_ADDR)
 				memcpy (&(utent->ut_addr),
 				        &(sa->sin_addr),
 				        MIN (sizeof (utent->ut_addr),
 				             sizeof (sa->sin_addr)));
-#endif				/* HAVE_STRUCT_UTMP_UT_ADDR */
-#ifdef HAVE_STRUCT_UTMP_UT_ADDR_V6
+# endif
+# if defined(HAVE_STRUCT_UTMPX_UT_ADDR_V6)
 				memcpy (utent->ut_addr_v6,
 				        &(sa->sin_addr),
 				        MIN (sizeof (utent->ut_addr_v6),
@@ -311,61 +308,61 @@ static
 				        &(sa->sin6_addr),
 				        MIN (sizeof (utent->ut_addr_v6),
 				             sizeof (sa->sin6_addr)));
-#endif				/* HAVE_STRUCT_UTMP_UT_ADDR_V6 */
+# endif
 			}
 			freeaddrinfo (info);
 		}
-#endif		/* HAVE_STRUCT_UTMP_UT_ADDR || HAVE_STRUCT_UTMP_UT_ADDR_V6 */
+#endif
 		free (hostname);
 	}
 	/* ut_exit is only for DEAD_PROCESS */
 	utent->ut_session = getsid (0);
 	if (gettimeofday (&tv, NULL) == 0) {
-#ifdef HAVE_STRUCT_UTMP_UT_TIME
+#if defined(HAVE_STRUCT_UTMPX_UT_TIME)
 		utent->ut_time = tv.tv_sec;
-#endif				/* HAVE_STRUCT_UTMP_UT_TIME */
-#ifdef HAVE_STRUCT_UTMP_UT_XTIME
+#endif
+#if defined(HAVE_STRUCT_UTMPX_UT_XTIME)
 		utent->ut_xtime = tv.tv_usec;
-#endif				/* HAVE_STRUCT_UTMP_UT_XTIME */
-#ifdef HAVE_STRUCT_UTMP_UT_TV
+#endif
 		utent->ut_tv.tv_sec  = tv.tv_sec;
 		utent->ut_tv.tv_usec = tv.tv_usec;
-#endif				/* HAVE_STRUCT_UTMP_UT_TV */
 	}

 	return utent;
 }

+
 /*
 * setutmp - Update an entry in utmp and log an entry in wtmp
 *
 *	Return 1 on failure and 0 on success.
 */
-static int setutmp (struct utmp *ut)
+static int
+setutmp(struct utmpx *ut)
 {
 	int err = 0;

 	assert (NULL != ut);

-	setutent ();
-	if (pututline (ut) == NULL) {
+	setutxent();
+	if (pututxline(ut) == NULL) {
 		err = 1;
 	}
-	endutent ();
+	endutxent();

-#ifndef USE_PAM
+#if !defined(USE_PAM)
 	/* This is done by pam_lastlog */
-	updwtmp (_WTMP_FILE, ut);
-#endif				/* ! USE_PAM */
+	updwtmpx(_WTMP_FILE, ut);
+#endif

 	return err;
 }

-int update_utmp (const char *user,
-                 const char *tty,
-                 const char *host)
+
+int
+update_utmp(const char *user, const char *tty, const char *host)
 {
-	struct utmp *utent, *ut;
+	struct utmpx  *utent, *ut;

 	utent = get_current_utmp ();
 	ut = prepare_utmp  (user, tty, host, utent);
@@ -380,11 +377,11 @@ int update_utmp (const char *user,
 	return 0;
 }

-void record_failure(const char *failent_user,
-                    const char *tty,
-                    const char *hostname)
+
+void
+record_failure(const char *failent_user, const char *tty, const char *hostname)
 {
-	struct utmp *utent, *failent;
+	struct utmpx  *utent, *failent;

 	if (getdef_str ("FTMP_FILE") != NULL) {
 		utent = get_current_utmp ();
@@ -395,13 +392,15 @@ void record_failure(const char *failent_user,
 	}
 }

-unsigned long active_sessions_count(const char *name, unsigned long limit)
-{
-	struct utmp *ut;
-	unsigned long count = 0;

-	setutent ();
-	while ((ut = getutent ()))
+unsigned long
+active_sessions_count(const char *name, unsigned long limit)
+{
+	struct utmpx   *ut;
+	unsigned long  count = 0;
+
+	setutxent();
+	while ((ut = getutxent()))
 	{
 		if (USER_PROCESS != ut->ut_type) {
 			continue;
@@ -417,7 +416,7 @@ unsigned long active_sessions_count(const char *name, unsigned long limit)
 			break;
 		}
 	}
-	endutent ();
+	endutxent();

 	return count;
 }
--- a/man/po/fr.po
+++ b/man/po/fr.po
@@ -2610,7 +2610,7 @@ msgstr ""

 #: useradd.8.xml:641(para)
 msgid "Usernames may only be up to 32 characters long."
-msgstr "Les noms d'utilisateur sont limités à 16 caractères."
+msgstr "Les noms d'utilisateur sont limités à 32 caractères."

 #: useradd.8.xml:30(term) login.defs.5.xml:30(term)
 msgid "<option>CREATE_HOME</option> (boolean)"
--- a/share/containers/debian.dockerfile
+++ b/share/containers/debian.dockerfile
@@ -9,7 +9,7 @@ RUN export DEBIAN_PRIORITY=critical \
 RUN apt-get update -y \
    && apt-get dist-upgrade -y
 RUN apt-get build-dep shadow -y
-RUN apt-get install libbsd-dev pkgconf -y
+RUN apt-get install libltdl-dev libbsd-dev pkgconf -y

 COPY ./ /usr/local/src/shadow/
 WORKDIR /usr/local/src/shadow/
--- a/src/chage.c
+++ b/src/chage.c
@@ -41,7 +41,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "chage";

 static bool
    dflg = false,		/* set last password change date */
@@ -175,10 +175,10 @@ static int new_fields (void)
 		return 0;
 	}

-	if (-1 == lstchgdate || lstchgdate > LONG_MAX / SCALE) {
+	if (-1 == lstchgdate || lstchgdate > LONG_MAX / DAY) {
 		strcpy (buf, "-1");
 	} else {
-		date_to_str (sizeof(buf), buf, lstchgdate * SCALE);
+		date_to_str (sizeof(buf), buf, lstchgdate * DAY);
 	}

 	change_field (buf, sizeof buf, _("Last Password Change (YYYY-MM-DD)"));
@@ -206,10 +206,10 @@ static int new_fields (void)
 		return 0;
 	}

-	if (-1 == expdate || LONG_MAX / SCALE < expdate) {
+	if (-1 == expdate || LONG_MAX / DAY < expdate) {
 		strcpy (buf, "-1");
 	} else {
-		date_to_str (sizeof(buf), buf, expdate * SCALE);
+		date_to_str (sizeof(buf), buf, expdate * DAY);
 	}

 	change_field (buf, sizeof buf,
@@ -258,12 +258,12 @@ static void list_fields (void)
 	 * was last modified. The date is the number of days since 1/1/1970.
 	 */
 	(void) fputs (_("Last password change\t\t\t\t\t: "), stdout);
-	if (lstchgdate < 0 || lstchgdate > LONG_MAX / SCALE) {
+	if (lstchgdate < 0 || lstchgdate > LONG_MAX / DAY) {
 		(void) puts (_("never"));
 	} else if (lstchgdate == 0) {
 		(void) puts (_("password must be changed"));
 	} else {
-		changed = lstchgdate * SCALE;
+		changed = lstchgdate * DAY;
 		print_date (changed);
 	}

@@ -275,12 +275,12 @@ static void list_fields (void)
 	if (lstchgdate == 0) {
 		(void) puts (_("password must be changed"));
 	} else if (   (lstchgdate < 0)
-	           || (maxdays >= (10000 * (DAY / SCALE)))
+	           || (maxdays >= 10000)
 	           || (maxdays < 0)
-	           || ((LONG_MAX - changed) / SCALE < maxdays)) {
+	           || ((LONG_MAX - changed) / DAY < maxdays)) {
 		(void) puts (_("never"));
 	} else {
-		expires = changed + maxdays * SCALE;
+		expires = changed + maxdays * DAY;
 		print_date (expires);
 	}

@@ -295,13 +295,13 @@ static void list_fields (void)
 		(void) puts (_("password must be changed"));
 	} else if (   (lstchgdate < 0)
 	           || (inactdays < 0)
-	           || (maxdays >= (10000 * (DAY / SCALE)))
+	           || (maxdays >= 10000)
 	           || (maxdays < 0)
 	           || (maxdays > LONG_MAX - inactdays)
-	           || ((LONG_MAX - changed) / SCALE < maxdays + inactdays)) {
+	           || ((LONG_MAX - changed) / DAY < maxdays + inactdays)) {
 		(void) puts (_("never"));
 	} else {
-		expires = changed + (maxdays + inactdays) * SCALE;
+		expires = changed + (maxdays + inactdays) * DAY;
 		print_date (expires);
 	}

@@ -310,10 +310,10 @@ static void list_fields (void)
 	 * password expiring or not.
 	 */
 	(void) fputs (_("Account expires\t\t\t\t\t\t: "), stdout);
-	if (expdate < 0 || LONG_MAX / SCALE < expdate) {
+	if (expdate < 0 || LONG_MAX / DAY < expdate) {
 		(void) puts (_("never"));
 	} else {
-		expires = expdate * SCALE;
+		expires = expdate * DAY;
 		print_date (expires);
 	}

@@ -511,7 +511,7 @@ static void check_perms (void)
 		exit (E_NOPERM);
 	}

-	retval = pam_start ("chage", pampw->pw_name, &conv, &pamh);
+	retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);

 	if (PAM_SUCCESS == retval) {
 		retval = pam_authenticate (pamh, 0);
@@ -762,14 +762,12 @@ int main (int argc, char **argv)
 	gid_t rgid;
 	const struct passwd *pw;

-	/*
-	 * Get the program name so that error messages can use it.
-	 */
-	Prog = Basename (argv[0]);
+	sanitize_env ();
+	check_fds ();
+
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

-	sanitize_env ();
 	(void) setlocale (LC_ALL, "");
 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
 	(void) textdomain (PACKAGE);
@@ -780,7 +778,7 @@ int main (int argc, char **argv)
 #ifdef WITH_AUDIT
 	audit_help_open ();
 #endif
-	OPENLOG ("chage");
+	OPENLOG (Prog);

 	ruid = getuid ();
 	rgid = getgid ();
--- a/src/check_subid_range.c
+++ b/src/check_subid_range.c
@@ -18,14 +18,13 @@
 #include "idmapping.h"
 #include "shadowlog.h"

-const char *Prog;
+static const char Prog[] = "check_subid_range";

 int main(int argc, char **argv)
 {
 	char *owner;
 	unsigned long start, count;
 	bool check_uids;
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

--- a/src/chfn.c
+++ b/src/chfn.c
@@ -36,7 +36,7 @@
 /*
 * Global variables.
 */
-const char *Prog;
+static const char Prog[] = "chfn";
 static char fullnm[BUFSIZ];
 static char roomno[BUFSIZ];
 static char workph[BUFSIZ];
@@ -362,7 +362,7 @@ static void check_perms (const struct passwd *pw)
 	 * check if the change is allowed by SELinux policy.
 	 */
 	if ((pw->pw_uid != getuid ())
-	    && (check_selinux_permit ("chfn") != 0)) {
+	    && (check_selinux_permit (Prog) != 0)) {
 		fprintf (stderr, _("%s: Permission denied.\n"), Prog);
 		closelog ();
 		exit (E_NOPERM);
@@ -377,7 +377,7 @@ static void check_perms (const struct passwd *pw)
 	 * --marekm
 	 */
 	if (!amroot && getdef_bool ("CHFN_AUTH")) {
-		passwd_check (pw->pw_name, pw->pw_passwd, "chfn");
+		passwd_check (pw->pw_name, pw->pw_passwd, Prog);
 	}

 #else				/* !USE_PAM */
@@ -389,7 +389,7 @@ static void check_perms (const struct passwd *pw)
 		exit (E_NOPERM);
 	}

-	retval = pam_start ("chfn", pampw->pw_name, &conv, &pamh);
+	retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);

 	if (PAM_SUCCESS == retval) {
 		retval = pam_authenticate (pamh, 0);
@@ -616,15 +616,12 @@ int main (int argc, char **argv)
 	char new_gecos[BUFSIZ];	/* buffer for new GECOS fields       */
 	char *user;

-	/*
-	 * Get the program name. The program name is used as a
-	 * prefix to most error messages.
-	 */
-	Prog = Basename (argv[0]);
+	sanitize_env ();
+	check_fds ();
+
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

-	sanitize_env ();
 	(void) setlocale (LC_ALL, "");
 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
 	(void) textdomain (PACKAGE);
@@ -637,7 +634,7 @@ int main (int argc, char **argv)
 	 */
 	amroot = (getuid () == 0);

-	OPENLOG ("chfn");
+	OPENLOG (Prog);

 	/* parse the command line options */
 	process_flags (argc, argv);
--- a/src/chgpasswd.c
+++ b/src/chgpasswd.c
@@ -36,7 +36,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "chgpasswd";
 static bool eflg   = false;
 static bool md5flg = false;
 #if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
@@ -303,7 +303,7 @@ static void check_perms (void)
 		exit (1);
 	}

-	retval = pam_start ("chgpasswd", pampw->pw_name, &conv, &pamh);
+	retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);

 	if (PAM_SUCCESS == retval) {
 		retval = pam_authenticate (pamh, 0);
@@ -423,7 +423,6 @@ int main (int argc, char **argv)
 	int errors = 0;
 	int line = 0;

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -441,7 +440,7 @@ int main (int argc, char **argv)

 	process_flags (argc, argv);

-	OPENLOG ("chgpasswd");
+	OPENLOG (Prog);

 	check_perms ();

--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@@ -35,7 +35,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "chpasswd";
 static bool eflg   = false;
 static bool md5flg = false;
 #if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
@@ -302,7 +302,7 @@ static void check_perms (void)
 		exit (1);
 	}

-	retval = pam_start ("chpasswd", pampw->pw_name, &conv, &pamh);
+	retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);

 	if (PAM_SUCCESS == retval) {
 		retval = pam_authenticate (pamh, 0);
@@ -450,7 +450,6 @@ int main (int argc, char **argv)
 	int errors = 0;
 	int line = 0;

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -476,7 +475,7 @@ int main (int argc, char **argv)
 	}
 #endif				/* USE_PAM */

-	OPENLOG ("chpasswd");
+	OPENLOG (Prog);

 	check_perms ();

@@ -546,7 +545,7 @@ int main (int argc, char **argv)

 #ifdef USE_PAM
 		if (use_pam) {
-			if (do_pam_passwd_non_interactive ("chpasswd", name, newpwd) != 0) {
+			if (do_pam_passwd_non_interactive (Prog, name, newpwd) != 0) {
 				fprintf (stderr,
 				         _("%s: (line %d, user %s) password not changed\n"),
 				         Prog, line, name);
@@ -621,7 +620,7 @@ int main (int argc, char **argv)
 		if (NULL != sp) {
 			newsp = *sp;
 			newsp.sp_pwdp = cp;
-			newsp.sp_lstchg = gettime () / SCALE;
+			newsp.sp_lstchg = gettime () / DAY;
 			if (0 == newsp.sp_lstchg) {
 				/* Better disable aging than requiring a
 				 * password change */
--- a/src/chsh.c
+++ b/src/chsh.c
@@ -45,7 +45,7 @@
 /*
 * Global variables
 */
-const char *Prog;		/* Program name */
+static const char Prog[] = "chsh";	/* Program name */
 static bool amroot;		/* Real UID is root */
 static char loginsh[BUFSIZ];	/* Name of new login shell */
 /* command line options */
@@ -320,7 +320,7 @@ static void check_perms (const struct passwd *pw)
 	 * check if the change is allowed by SELinux policy.
 	 */
 	if ((pw->pw_uid != getuid ())
-	    && (check_selinux_permit("chsh") != 0)) {
+	    && (check_selinux_permit(Prog) != 0)) {
 		SYSLOG ((LOG_WARN, "can't change shell for '%s'", pw->pw_name));
 		fprintf (stderr,
 		         _("You may not change the shell for '%s'.\n"),
@@ -337,7 +337,7 @@ static void check_perms (const struct passwd *pw)
 	 * chfn/chsh.  --marekm
 	 */
 	if (!amroot && getdef_bool ("CHSH_AUTH")) {
-		passwd_check (pw->pw_name, pw->pw_passwd, "chsh");
+		passwd_check (pw->pw_name, pw->pw_passwd, Prog);
        }

 #else				/* !USE_PAM */
@@ -349,7 +349,7 @@ static void check_perms (const struct passwd *pw)
 		exit (E_NOPERM);
 	}

-	retval = pam_start ("chsh", pampw->pw_name, &conv, &pamh);
+	retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);

 	if (PAM_SUCCESS == retval) {
 		retval = pam_authenticate (pamh, 0);
@@ -473,12 +473,8 @@ int main (int argc, char **argv)
 	const struct passwd *pw;	/* Password entry from /etc/passwd   */

 	sanitize_env ();
+	check_fds ();

-	/*
-	 * Get the program name. The program name is used as a prefix to
-	 * most error messages.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -493,7 +489,7 @@ int main (int argc, char **argv)
 	 */
 	amroot = (getuid () == 0);

-	OPENLOG ("chsh");
+	OPENLOG (Prog);

 	/* parse the command line options */
 	process_flags (argc, argv);
--- a/src/expiry.c
+++ b/src/expiry.c
@@ -23,7 +23,7 @@
 #include "shadowlog.h"

 /* Global variables */
-const char *Prog;
+static const char Prog[] = "expiry";
 static bool cflg = false;

 /* local function prototypes */
@@ -123,12 +123,12 @@ int main (int argc, char **argv)
 	struct passwd *pwd;
 	struct spwd *spwd;

-	Prog = Basename (argv[0]);
+	sanitize_env ();
+	check_fds ();
+
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

-	sanitize_env ();
-
 	/*
 	 * Start by disabling all of the keyboard signals.
 	 */
@@ -145,7 +145,7 @@ int main (int argc, char **argv)
 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
 	(void) textdomain (PACKAGE);

-	OPENLOG ("expiry");
+	OPENLOG (Prog);

 	process_flags (argc, argv);

--- a/src/faillog.c
+++ b/src/faillog.c
@@ -39,7 +39,7 @@ static void reset (void);
 /*
 * Global variables
 */
-const char *Prog;		/* Program name */
+static const char Prog[] = "faillog";	/* Program name */
 static FILE *fail;		/* failure file stream */
 static time_t seconds;		/* that number of days in seconds */
 static unsigned long umin;	/* if uflg and has_umin, only display users with uid >= umin */
@@ -543,11 +543,6 @@ int main (int argc, char **argv)
 	short fail_max = 0; // initialize to silence compiler warning
 	long days = 0;

-	/*
-	 * Get the program name. The program name is used as a prefix to
-	 * most error messages.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

--- a/src/free_subid_range.c
+++ b/src/free_subid_range.c
@@ -9,7 +9,7 @@

 /* Test program for the subid freeing routine */

-const char *Prog;
+static const char Prog[] = "free_subid_range";

 static void usage(void)
 {
@@ -25,7 +25,6 @@ int main(int argc, char *argv[])
 	struct subordinate_range range;
 	bool group = false;   // get subuids by default

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);
 	while ((c = getopt(argc, argv, "g")) != EOF) {
--- a/src/get_subid_owners.c
+++ b/src/get_subid_owners.c
@@ -6,7 +6,7 @@
 #include "prototypes.h"
 #include "shadowlog.h"

-const char *Prog;
+static const char Prog[] = "get_subid_owners";

 static void usage(void)
 {
@@ -21,7 +21,6 @@ int main(int argc, char *argv[])
 	int i, n;
 	uid_t *uids;

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);
 	if (argc < 2) {
--- a/src/getsubids.c
+++ b/src/getsubids.c
@@ -7,7 +7,7 @@
 #include "prototypes.h"
 #include "shadowlog.h"

-const char *Prog;
+static const char Prog[] = "getsubids";

 static void usage(void)
 {
@@ -23,7 +23,6 @@ int main(int argc, char *argv[])
 	struct subid_range *ranges;
 	const char *owner;

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);
 	if (argc < 2)
--- a/src/gpasswd.c
+++ b/src/gpasswd.c
@@ -37,7 +37,7 @@
 * Global variables
 */
 /* The name of this command, as it is invoked */
-const char *Prog;
+static const char Prog[] = "gpasswd";

 #ifdef SHADOWGRP
 /* Indicate if shadow groups are enabled on the system
@@ -956,6 +956,8 @@ int main (int argc, char **argv)
 #endif

 	sanitize_env ();
+	check_fds ();
+
 	(void) setlocale (LC_ALL, "");
 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
 	(void) textdomain (PACKAGE);
@@ -968,11 +970,10 @@ int main (int argc, char **argv)
 	 * with this command.
 	 */
 	bywho = getuid ();
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

-	OPENLOG ("gpasswd");
+	OPENLOG (Prog);
 	setbuf (stdout, NULL);
 	setbuf (stderr, NULL);

--- a/src/groupadd.c
+++ b/src/groupadd.c
@@ -50,7 +50,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "groupadd";

 static /*@null@*/char *group_name;
 static gid_t group_id;
@@ -542,7 +542,7 @@ static void check_perms (void)
 		exit (1);
 	}

-	retval = pam_start ("groupadd", pampw->pw_name, &conv, &pamh);
+	retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);

 	if (PAM_SUCCESS == retval) {
 		retval = pam_authenticate (pamh, 0);
@@ -571,10 +571,6 @@ static void check_perms (void)
 */
 int main (int argc, char **argv)
 {
-	/*
-	 * Get my name so that I can use it to report errors.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -585,7 +581,7 @@ int main (int argc, char **argv)
 	process_root_flag ("-R", argc, argv);
 	prefix = process_prefix_flag ("-P", argc, argv);

-	OPENLOG ("groupadd");
+	OPENLOG (Prog);
 #ifdef WITH_AUDIT
 	audit_help_open ();
 #endif
@@ -605,7 +601,7 @@ int main (int argc, char **argv)
 	check_perms ();

 	if (run_parts ("/etc/shadow-maint/groupadd-pre.d", group_name,
-			"groupadd")) {
+			Prog)) {
 		exit(1);
 	}

@@ -628,7 +624,7 @@ int main (int argc, char **argv)
 	grp_update ();
 	close_files ();
 	if (run_parts ("/etc/shadow-maint/groupadd-post.d", group_name,
-			"groupadd")) {
+			Prog)) {
 		exit(1);
 	}

--- a/src/groupdel.c
+++ b/src/groupdel.c
@@ -36,7 +36,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "groupdel";

 static char *group_name;
 static gid_t group_id = -1;
@@ -349,10 +349,6 @@ int main (int argc, char **argv)
 #endif				/* USE_PAM */
 #endif				/* ACCT_TOOLS_SETUID */

-	/*
-	 * Get my name so that I can use it to report errors.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -363,7 +359,7 @@ int main (int argc, char **argv)
 	process_root_flag ("-R", argc, argv);
 	prefix = process_prefix_flag ("-P", argc, argv);

-	OPENLOG ("groupdel");
+	OPENLOG (Prog);
 #ifdef WITH_AUDIT
 	audit_help_open ();
 #endif
@@ -389,7 +385,7 @@ int main (int argc, char **argv)
 			exit (1);
 		}

-		retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh);
+		retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);
 	}

 	if (PAM_SUCCESS == retval) {
@@ -463,7 +459,7 @@ int main (int argc, char **argv)
 	}

 	if (run_parts ("/etc/shadow-maint/groupdel-pre.d", group_name,
-			"groupdel")) {
+			Prog)) {
 		exit(1);
 	}

@@ -478,7 +474,7 @@ int main (int argc, char **argv)
 	close_files ();

 	if (run_parts ("/etc/shadow-maint/groupdel-post.d", group_name,
-			"groupdel")) {
+			Prog)) {
 		exit(1);
 	}

--- a/src/groupmems.c
+++ b/src/groupmems.c
@@ -44,7 +44,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "groupmems";

 static char *adduser = NULL;
 static char *deluser = NULL;
@@ -443,7 +443,7 @@ static void check_perms (void)
 			fail_exit (1);
 		}

-		retval = pam_start ("groupmems", pampw->pw_name, &conv, &pamh);
+		retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);

 		if (PAM_SUCCESS == retval) {
 			retval = pam_authenticate (pamh, 0);
@@ -573,10 +573,6 @@ int main (int argc, char **argv)
 	char *name;
 	const struct group *grp;

-	/*
-	 * Get my name so that I can use it to report errors.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -586,7 +582,7 @@ int main (int argc, char **argv)

 	process_root_flag ("-R", argc, argv);

-	OPENLOG ("groupmems");
+	OPENLOG (Prog);

 #ifdef SHADOWGRP
 	is_shadowgrp = sgr_file_present ();
--- a/src/groupmod.c
+++ b/src/groupmod.c
@@ -58,7 +58,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "groupmod";

 #ifdef	SHADOWGRP
 static bool is_shadow_grp;
@@ -750,10 +750,6 @@ int main (int argc, char **argv)
 #endif				/* USE_PAM */
 #endif				/* ACCT_TOOLS_SETUID */

-	/*
-	 * Get my name so that I can use it to report errors.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -764,7 +760,7 @@ int main (int argc, char **argv)
 	process_root_flag ("-R", argc, argv);
 	prefix = process_prefix_flag ("-P", argc, argv);

-	OPENLOG ("groupmod");
+	OPENLOG (Prog);
 #ifdef WITH_AUDIT
 	audit_help_open ();
 #endif
@@ -790,7 +786,7 @@ int main (int argc, char **argv)
 			exit (E_PAM_USERNAME);
 		}

-		retval = pam_start ("groupmod", pampw->pw_name, &conv, &pamh);
+		retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);
 	}

 	if (PAM_SUCCESS == retval) {
--- a/src/groups.c
+++ b/src/groups.c
@@ -23,7 +23,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "groups";

 /* local function prototypes */
 static void print_groups (const char *member);
@@ -97,10 +97,6 @@ int main (int argc, char **argv)
 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
 	(void) textdomain (PACKAGE);

-	/*
-	 * Get the program name so that error messages can use it.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

--- a/src/grpck.c
+++ b/src/grpck.c
@@ -43,7 +43,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "grpck";

 static const char *grp_file = GROUP_FILE;
 static bool use_system_grp_file = true;
@@ -816,10 +816,6 @@ int main (int argc, char **argv)
 	int errors = 0;
 	bool changed = false;

-	/*
-	 * Get my name so that I can use it to report errors.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -829,7 +825,7 @@ int main (int argc, char **argv)

 	process_root_flag ("-R", argc, argv);

-	OPENLOG ("grpck");
+	OPENLOG (Prog);

 	/* Parse the command line arguments */
 	process_flags (argc, argv);
--- a/src/grpconv.c
+++ b/src/grpconv.c
@@ -36,7 +36,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "grpconv";

 static bool gr_locked  = false;
 static bool sgr_locked = false;
@@ -123,7 +123,6 @@ int main (int argc, char **argv)
 	const struct sgrp *sg;
 	struct sgrp sgent;

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -133,7 +132,7 @@ int main (int argc, char **argv)

 	process_root_flag ("-R", argc, argv);

-	OPENLOG ("grpconv");
+	OPENLOG (Prog);

 	process_flags (argc, argv);

--- a/src/grpunconv.c
+++ b/src/grpunconv.c
@@ -36,7 +36,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "grpunconv";

 static bool gr_locked  = false;
 static bool sgr_locked = false;
@@ -122,7 +122,6 @@ int main (int argc, char **argv)
 	struct group grent;
 	const struct sgrp *sg;

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -132,7 +131,7 @@ int main (int argc, char **argv)

 	process_root_flag ("-R", argc, argv);

-	OPENLOG ("grpunconv");
+	OPENLOG (Prog);

 	process_flags (argc, argv);

--- a/src/lastlog.c
+++ b/src/lastlog.c
@@ -39,7 +39,7 @@
 /*
 * Global variables
 */
-const char *Prog;		/* Program name */
+static const char Prog[] = "lastlog";	/* Program name */
 static FILE *lastlogfile;	/* lastlog file stream */
 static unsigned long umin;	/* if uflg and has_umin, only display users with uid >= umin */
 static bool has_umin = false;
@@ -290,7 +290,6 @@ int main (int argc, char **argv)
 	 * Get the program name. The program name is used as a prefix to
 	 * most error messages.
 	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

--- a/src/login.c
+++ b/src/login.c
@@ -64,7 +64,7 @@ static pam_handle_t *pamh = NULL;
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "login";

 static const char *hostname = "";
 static /*@null@*/ /*@only@*/char *username = NULL;
@@ -520,7 +520,6 @@ int main (int argc, char **argv)
 	initenv ();

 	amroot = (getuid () == 0);
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -572,11 +571,13 @@ int main (int argc, char **argv)
 	}
 #ifdef RLOGIN
 	if (rflg) {
-		size_t max_size = sysconf(_SC_LOGIN_NAME_MAX);
+		size_t  max_size = sysconf(_SC_LOGIN_NAME_MAX);
+
 		assert (NULL == username);
-		username = XMALLOC(max_size + 1, char);
-		username[max_size] = '\0';
-		if (do_rlogin (hostname, username, max_size, term, sizeof term)) {
+		username = XMALLOC(max_size, char);
+		username[max_size - 1] = '\0';
+		if (do_rlogin(hostname, username, max_size, term, sizeof(term)))
+		{
 			preauth_flag = true;
 		} else {
 			free (username);
@@ -585,7 +586,7 @@ int main (int argc, char **argv)
 	}
 #endif				/* RLOGIN */

-	OPENLOG ("login");
+	OPENLOG (Prog);

 	setup_tty ();

@@ -671,7 +672,7 @@ int main (int argc, char **argv)
 	retries = getdef_unum ("LOGIN_RETRIES", RETRIES);

 #ifdef USE_PAM
-	retcode = pam_start ("login", username, &conv, &pamh);
+	retcode = pam_start (Prog, username, &conv, &pamh);
 	if (retcode != PAM_SUCCESS) {
 		fprintf (stderr,
 		         _("login: PAM Failure, aborting: %s\n"),
@@ -885,15 +886,16 @@ int main (int argc, char **argv)

 		failed = false;	/* haven't failed authentication yet */
 		if (NULL == username) {	/* need to get a login id */
-			size_t max_size = sysconf(_SC_LOGIN_NAME_MAX);
+			size_t  max_size = sysconf(_SC_LOGIN_NAME_MAX);
+
 			if (subroot) {
 				closelog ();
 				exit (1);
 			}
 			preauth_flag = false;
-			username = XMALLOC(max_size + 1, char);
-			username[max_size] = '\0';
-			login_prompt (username, max_size);
+			username = XMALLOC(max_size, char);
+			username[max_size - 1] = '\0';
+			login_prompt(username, max_size);

 			if ('\0' == username[0]) {
 				/* Prompt for a new login */
--- a/src/logoutd.c
+++ b/src/logoutd.c
@@ -15,14 +15,14 @@
 #include <stdio.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#include <utmp.h>
+#include <utmpx.h>
 #include "defines.h"
 #include "prototypes.h"
 #include "shadowlog.h"
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "logoutd";

 #ifndef DEFAULT_HUP_MESG
 #define DEFAULT_HUP_MESG _("login time exceeded\n\n")
@@ -32,14 +32,17 @@ const char *Prog;
 #define HUP_MESG_FILE "/etc/logoutd.mesg"
 #endif

+
 /* local function prototypes */
-static int check_login (const struct utmp *ut);
+static int check_login (const struct utmpx *ut);
 static void send_mesg_to_tty (int tty_fd);

+
 /*
- * check_login - check if user (struct utmp) allowed to stay logged in
+ * check_login - check if user (struct utmpx) allowed to stay logged in
 */
-static int check_login (const struct utmp *ut)
+static int
+check_login(const struct utmpx *ut)
 {
 	char user[sizeof (ut->ut_user) + 1];
 	time_t now;
@@ -112,16 +115,17 @@ static void send_mesg_to_tty (int tty_fd)
 *	utmp file is periodically scanned and offending users are logged
 *	off from the system.
 */
-int main (int argc, char **argv)
+int
+main(int argc, char **argv)
 {
-	int i;
-	int status;
-	pid_t pid;
+	int    i;
+	int    status;
+	pid_t  pid;

-	struct utmp *ut;
-	char user[sizeof (ut->ut_user) + 1];	/* terminating NUL */
-	char tty_name[sizeof (ut->ut_line) + 6];	/* /dev/ + NUL */
-	int tty_fd;
+	struct utmpx  *ut;
+	char          user[sizeof (ut->ut_user) + 1];	/* terminating NUL */
+	char          tty_name[sizeof (ut->ut_line) + 6];	/* /dev/ + NUL */
+	int           tty_fd;

 	if (1 != argc) {
 		(void) fputs (_("Usage: logoutd\n"), stderr);
@@ -153,11 +157,10 @@ int main (int argc, char **argv)
 	/*
 	 * Start syslogging everything
 	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

-	OPENLOG ("logoutd");
+	OPENLOG (Prog);

 	/*
 	 * Scan the utmp file once per minute looking for users that
@@ -169,14 +172,14 @@ int main (int argc, char **argv)
 		 * Attempt to re-open the utmp file. The file is only
 		 * open while it is being used.
 		 */
-		setutent ();
+		setutxent();

 		/*
 		 * Read all of the entries in the utmp file. The entries
 		 * for login sessions will be checked to see if the user
 		 * is permitted to be signed on at this time.
 		 */
-		while ((ut = getutent ()) != NULL) {
+		while ((ut = getutxent()) != NULL) {
 			if (ut->ut_type != USER_PROCESS) {
 				continue;
 			}
@@ -208,7 +211,7 @@ int main (int argc, char **argv)
 				tty_name[0] = '\0';
 			}

-			strncat (tty_name, ut->ut_line, UT_LINESIZE);
+			strncat(tty_name, ut->ut_line, NITEMS(ut->ut_line));
 #ifndef O_NOCTTY
 #define O_NOCTTY 0
 #endif
@@ -239,7 +242,7 @@ int main (int argc, char **argv)
 			exit (EXIT_SUCCESS);
 		}

-		endutent ();
+		endutxent();

 #ifndef DEBUG
 		sleep (60);
--- a/src/new_subid_range.c
+++ b/src/new_subid_range.c
@@ -9,7 +9,7 @@

 /* Test program for the subid creation routine */

-const char *Prog;
+static const char Prog[] = "new_subid_range";

 static void usage(void)
 {
@@ -28,7 +28,6 @@ int main(int argc, char *argv[])
 	bool group = false;   // get subuids by default
 	bool ok;

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);
 	while ((c = getopt(argc, argv, "gn")) != EOF) {
--- a/src/newgidmap.c
+++ b/src/newgidmap.c
@@ -23,7 +23,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "newgidmap";


 static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
@@ -151,7 +151,6 @@ int main(int argc, char **argv)
 	struct passwd *pw;
 	bool allow_setgroups = false;

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

--- a/src/newgrp.c
+++ b/src/newgrp.c
@@ -28,7 +28,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char *Prog;

 extern char **newenvp;

@@ -390,6 +390,9 @@ int main (int argc, char **argv)
 #ifdef WITH_AUDIT
 	audit_help_open ();
 #endif
+
+	check_fds ();
+
 	(void) setlocale (LC_ALL, "");
 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
 	(void) textdomain (PACKAGE);
--- a/src/newuidmap.c
+++ b/src/newuidmap.c
@@ -23,7 +23,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "newuidmap";

 static bool verify_range(struct passwd *pw, struct map_range *range)
 {
@@ -80,7 +80,6 @@ int main(int argc, char **argv)
 	struct stat st;
 	struct passwd *pw;

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

--- a/src/newusers.c
+++ b/src/newusers.c
@@ -54,7 +54,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "newusers";

 static bool rflg = false;	/* create a system account */
 #ifndef USE_PAM
@@ -527,7 +527,7 @@ static int add_passwd (struct passwd *pwd, const char *password)
 			}
 			spent.sp_pwdp = cp;
 		}
-		spent.sp_lstchg = gettime () / SCALE;
+		spent.sp_lstchg = gettime () / DAY;
 		if (0 == spent.sp_lstchg) {
 			/* Better disable aging than requiring a password
 			 * change */
@@ -584,7 +584,7 @@ static int add_passwd (struct passwd *pwd, const char *password)
 	 */
 	spent.sp_pwdp = "!";
 #endif
-	spent.sp_lstchg = gettime () / SCALE;
+	spent.sp_lstchg = gettime () / DAY;
 	if (0 == spent.sp_lstchg) {
 		/* Better disable aging than requiring a password change */
 		spent.sp_lstchg = -1;
@@ -1056,7 +1056,6 @@ int main (int argc, char **argv)
 	unsigned int nusers = 0;
 #endif				/* USE_PAM */

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

--- a/src/passwd.c
+++ b/src/passwd.c
@@ -45,7 +45,7 @@
 /*
 * Global variables
 */
-const char *Prog;		/* Program name */
+static const char Prog[] = "passwd";	/* Program name */

 static char *name;		/* The name of user whose password is being changed */
 static char *myname;		/* The current user's name */
@@ -192,8 +192,8 @@ static int new_password (const struct passwd *pw)
 	char *cipher;		/* Pointer to cipher text */
 	const char *salt;	/* Pointer to new salt */
 	char *cp;		/* Pointer to agetpass() response */
-	char orig[200];		/* Original password */
-	char pass[200];		/* New password */
+	char orig[PASS_MAX + 1];	/* Original password */
+	char pass[PASS_MAX + 1];	/* New password */
 	int i;			/* Counter for retries */
 	bool warned;
 	int pass_max_len = -1;
@@ -414,9 +414,9 @@ static void check_password (const struct passwd *pw, const struct spwd *sp)
 	 */
 	if (sp->sp_lstchg > 0) {
 		time_t ok;
-		ok = (time_t) sp->sp_lstchg * SCALE;
+		ok = (time_t) sp->sp_lstchg * DAY;
 		if (sp->sp_min > 0) {
-			ok += (time_t) sp->sp_min * SCALE;
+			ok += (time_t) sp->sp_min * DAY;
 		}

 		if (now < ok) {
@@ -451,15 +451,15 @@ static void print_status (const struct passwd *pw)

 	sp = prefix_getspnam (pw->pw_name); /* local, no need for xprefix_getspnam */
 	if (NULL != sp) {
-		date_to_str (sizeof(date), date, sp->sp_lstchg * SCALE),
-		(void) printf ("%s %s %s %lld %lld %lld %lld\n",
+		date_to_str (sizeof(date), date, sp->sp_lstchg * DAY),
+		(void) printf ("%s %s %s %ld %ld %ld %ld\n",
 		               pw->pw_name,
 		               pw_status (sp->sp_pwdp),
 		               date,
-		               ((long long)sp->sp_min * SCALE) / DAY,
-		               ((long long)sp->sp_max * SCALE) / DAY,
-		               ((long long)sp->sp_warn * SCALE) / DAY,
-		               ((long long)sp->sp_inact * SCALE) / DAY);
+		               sp->sp_min,
+		               sp->sp_max,
+		               sp->sp_warn,
+		               sp->sp_inact);
 	} else if (NULL != pw->pw_passwd) {
 		(void) printf ("%s %s\n",
 		               pw->pw_name, pw_status (pw->pw_passwd));
@@ -637,21 +637,21 @@ static void update_shadow (void)
 	}
 	nsp->sp_pwdp = update_crypt_pw (nsp->sp_pwdp);
 	if (xflg) {
-		nsp->sp_max = (age_max * DAY) / SCALE;
+		nsp->sp_max = age_max;
 	}
 	if (nflg) {
-		nsp->sp_min = (age_min * DAY) / SCALE;
+		nsp->sp_min = age_min;
 	}
 	if (wflg) {
-		nsp->sp_warn = (warn * DAY) / SCALE;
+		nsp->sp_warn = warn;
 	}
 	if (iflg) {
-		nsp->sp_inact = (inact * DAY) / SCALE;
+		nsp->sp_inact = inact;
 	}
 	if (!use_pam)
 	{
 		if (do_update_age) {
-			nsp->sp_lstchg = gettime () / SCALE;
+			nsp->sp_lstchg = gettime () / DAY;
 			if (0 == nsp->sp_lstchg) {
 				/* Better disable aging than requiring a password
 				 * change */
@@ -730,12 +730,8 @@ int main (int argc, char **argv)
 	const struct spwd *sp;	/* Shadow file entry for user   */

 	sanitize_env ();
+	check_fds ();

-	/*
-	 * Get the program name. The program name is used as a prefix to
-	 * most error messages.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -757,7 +753,7 @@ int main (int argc, char **argv)
 	 */
 	amroot = (getuid () == 0);

-	OPENLOG ("passwd");
+	OPENLOG (Prog);

 	{
 		/*
@@ -976,7 +972,7 @@ int main (int argc, char **argv)
 #ifdef WITH_SELINUX
 	/* only do this check when getuid()==0 because it's a pre-condition for
 	   changing a password without entering the old one */
-	if (amroot && (check_selinux_permit ("passwd") != 0)) {
+	if (amroot && (check_selinux_permit (Prog) != 0)) {
 		SYSLOG ((LOG_ALERT,
 		         "root is not authorized by SELinux to change the password of %s",
 		         name));
--- a/src/pwck.c
+++ b/src/pwck.c
@@ -47,7 +47,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "pwck";

 static bool use_system_pw_file = true;
 static bool use_system_spw_file = true;
@@ -609,7 +609,7 @@ static void check_pw_file (int *errors, bool *changed)
 					sp.sp_inact  = -1;
 					sp.sp_expire = -1;
 					sp.sp_flag   = SHADOW_SP_FLAG_UNSET;
-					sp.sp_lstchg = gettime () / SCALE;
+					sp.sp_lstchg = gettime () / DAY;
 					if (0 == sp.sp_lstchg) {
 						/* Better disable aging than
 						 * requiring a password change
@@ -816,7 +816,7 @@ static void check_spw_file (int *errors, bool *changed)
 		if (!quiet) {
 			time_t t = time (NULL);
 			if (   (t != 0)
-			    && (spw->sp_lstchg > (long) t / SCALE)) {
+			    && (spw->sp_lstchg > (long) t / DAY)) {
 				printf (_("user %s: last password change in the future\n"),
 			                spw->sp_namp);
 				*errors += 1;
@@ -833,10 +833,6 @@ int main (int argc, char **argv)
 	int errors = 0;
 	bool changed = false;

-	/*
-	 * Get my name so that I can use it to report errors.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -846,7 +842,7 @@ int main (int argc, char **argv)

 	process_root_flag ("-R", argc, argv);

-	OPENLOG ("pwck");
+	OPENLOG (Prog);

 	/* Parse the command line arguments */
 	process_flags (argc, argv);
--- a/src/pwconv.c
+++ b/src/pwconv.c
@@ -66,7 +66,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "pwconv";

 static bool spw_locked = false;
 static bool pw_locked = false;
@@ -153,7 +153,6 @@ int main (int argc, char **argv)
 	const struct spwd *sp;
 	struct spwd spent;

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -163,7 +162,7 @@ int main (int argc, char **argv)

 	process_root_flag ("-R", argc, argv);

-	OPENLOG ("pwconv");
+	OPENLOG (Prog);

 	process_flags (argc, argv);

@@ -247,7 +246,7 @@ int main (int argc, char **argv)
 			spent.sp_flag   = SHADOW_SP_FLAG_UNSET;
 		}
 		spent.sp_pwdp = pw->pw_passwd;
-		spent.sp_lstchg = gettime () / SCALE;
+		spent.sp_lstchg = gettime () / DAY;
 		if (0 == spent.sp_lstchg) {
 			/* Better disable aging than requiring a password
 			 * change */
--- a/src/pwunconv.c
+++ b/src/pwunconv.c
@@ -30,7 +30,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "pwunconv";

 static bool spw_locked = false;
 static bool pw_locked = false;
@@ -114,7 +114,6 @@ int main (int argc, char **argv)
 	struct passwd pwent;
 	const struct spwd *spwd;

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -124,7 +123,7 @@ int main (int argc, char **argv)

 	process_root_flag ("-R", argc, argv);

-	OPENLOG ("pwunconv");
+	OPENLOG (Prog);

 	process_flags (argc, argv);

--- a/src/su.c
+++ b/src/su.c
@@ -61,7 +61,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "su";
 static /*@observer@*/const char *caller_tty = NULL;	/* Name of tty SU is run from */
 static bool caller_is_root = false;
 static uid_t caller_uid;
@@ -730,11 +730,6 @@ static void save_caller_context (char **argv)
 	const char *password = NULL;
 #endif				/* SU_ACCESS */
 #endif				/* !USE_PAM */
-	/*
-	 * Get the program name. The program name is used as a prefix to
-	 * most error messages.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -1004,20 +999,22 @@ int main (int argc, char **argv)
 	int ret;
 #endif				/* USE_PAM */

+	check_fds ();
+
 	(void) setlocale (LC_ALL, "");
 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
 	(void) textdomain (PACKAGE);

 	save_caller_context (argv);

-	OPENLOG ("su");
+	OPENLOG (Prog);

 	process_flags (argc, argv);

 	initenv ();

 #ifdef USE_PAM
-	ret = pam_start ("su", name, &conv, &pamh);
+	ret = pam_start (Prog, name, &conv, &pamh);
 	if (PAM_SUCCESS != ret) {
 		SYSLOG ((LOG_ERR, "pam_start: error %d", ret);
 		fprintf (stderr,
--- a/src/sulogin.c
+++ b/src/sulogin.c
@@ -27,7 +27,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "sulogin";

 static char pass[BUFSIZ];

@@ -63,7 +63,6 @@ static void catch_signals (unused int sig)
 	termio.c_lflag |= (ECHO | ECHOE | ECHOK | ICANON | ISIG);
 	tcsetattr (0, TCSANOW, &termio);

-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);
 	(void) setlocale (LC_ALL, "");
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -82,7 +82,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "useradd";

 /*
 * These defaults are used if there is no defaults file.
@@ -214,7 +214,6 @@ static struct group * get_local_group (char * grp_name);
 static void usage (int status);
 static void new_pwent (struct passwd *);

-static long scale_age (long);
 static void new_spent (struct spwd *);
 static void grp_update (void);

@@ -1008,15 +1007,6 @@ static void new_pwent (struct passwd *pwent)
 	pwent->pw_shell = (char *) user_shell;
 }

-static long scale_age (long x)
-{
-	if (x <= 0) {
-		return x;
-	}
-
-	return x * (DAY / SCALE);
-}
-
 /*
 * new_spent - initialize the values in a shadow password file entry
 *
@@ -1028,17 +1018,17 @@ static void new_spent (struct spwd *spent)
 	memzero (spent, sizeof *spent);
 	spent->sp_namp = (char *) user_name;
 	spent->sp_pwdp = (char *) user_pass;
-	spent->sp_lstchg = gettime () / SCALE;
+	spent->sp_lstchg = gettime () / DAY;
 	if (0 == spent->sp_lstchg) {
 		/* Better disable aging than requiring a password change */
 		spent->sp_lstchg = -1;
 	}
 	if (!rflg) {
-		spent->sp_min = scale_age (getdef_num ("PASS_MIN_DAYS", -1));
-		spent->sp_max = scale_age (getdef_num ("PASS_MAX_DAYS", -1));
-		spent->sp_warn = scale_age (getdef_num ("PASS_WARN_AGE", -1));
-		spent->sp_inact = scale_age (def_inactive);
-		spent->sp_expire = scale_age (user_expire);
+		spent->sp_min = getdef_num ("PASS_MIN_DAYS", -1);
+		spent->sp_max = getdef_num ("PASS_MAX_DAYS", -1);
+		spent->sp_warn = getdef_num ("PASS_WARN_AGE", -1);
+		spent->sp_inact = def_inactive;
+		spent->sp_expire = user_expire;
 	} else {
 		spent->sp_min = -1;
 		spent->sp_max = -1;
@@ -2528,10 +2518,6 @@ int main (int argc, char **argv)
 	unsigned long subuid_count = 0;
 	unsigned long subgid_count = 0;

-	/*
-	 * Get my name so that I can use it to report errors.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -2543,7 +2529,7 @@ int main (int argc, char **argv)

 	prefix = process_prefix_flag("-P", argc, argv);

-	OPENLOG ("useradd");
+	OPENLOG (Prog);
 #ifdef WITH_AUDIT
 	audit_help_open ();
 #endif
@@ -2595,7 +2581,7 @@ int main (int argc, char **argv)
 			fail_exit (1);
 		}

-		retval = pam_start ("useradd", pampw?pampw->pw_name:"root", &conv, &pamh);
+		retval = pam_start (Prog, pampw?pampw->pw_name:"root", &conv, &pamh);
 	}

 	if (PAM_SUCCESS == retval) {
--- a/src/userdel.c
+++ b/src/userdel.c
@@ -70,7 +70,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "userdel";

 static char *user_name;
 static uid_t user_id;
@@ -969,10 +969,6 @@ int main (int argc, char **argv)
 #endif				/* USE_PAM */
 #endif				/* ACCT_TOOLS_SETUID */

-	/*
-	 * Get my name so that I can use it to report errors.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);
 	(void) setlocale (LC_ALL, "");
@@ -982,7 +978,7 @@ int main (int argc, char **argv)
 	process_root_flag ("-R", argc, argv);
 	prefix = process_prefix_flag ("-P", argc, argv);

-	OPENLOG ("userdel");
+	OPENLOG (Prog);
 #ifdef WITH_AUDIT
 	audit_help_open ();
 #endif				/* WITH_AUDIT */
@@ -1066,7 +1062,7 @@ int main (int argc, char **argv)
 			exit (E_PW_UPDATE);
 		}

-		retval = pam_start ("userdel", pampw->pw_name, &conv, &pamh);
+		retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);
 	}

 	if (PAM_SUCCESS == retval) {
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -86,7 +86,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char Prog[] = "usermod";

 static char *user_name;
 static char *user_newname;
@@ -613,7 +613,7 @@ static void new_spent (struct spwd *spent)
 	spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);

 	if (pflg) {
-		spent->sp_lstchg = gettime () / SCALE;
+		spent->sp_lstchg = gettime () / DAY;
 		if (0 == spent->sp_lstchg) {
 			/* Better disable aging than requiring a password
 			 * change. */
@@ -1059,7 +1059,6 @@ static void process_flags (int argc, char **argv)
 						 Prog, optarg);
 					exit (E_BAD_ARG);
 				}
-				user_newexpire *= DAY / SCALE;
 				eflg = true;
 				break;
 			case 'f':
@@ -1745,7 +1744,7 @@ static void usr_update (void)
 			spent.sp_pwdp   = xstrdup (pwent.pw_passwd);
 			pwent.pw_passwd = xstrdup (SHADOW_PASSWD_STRING);

-			spent.sp_lstchg = gettime () / SCALE;
+			spent.sp_lstchg = gettime () / DAY;
 			if (0 == spent.sp_lstchg) {
 				/* Better disable aging than
 				 * requiring a password change */
@@ -2154,10 +2153,6 @@ int main (int argc, char **argv)
 #endif				/* USE_PAM */
 #endif				/* ACCT_TOOLS_SETUID */

-	/*
-	 * Get my name so that I can use it to report errors.
-	 */
-	Prog = Basename (argv[0]);
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -2168,7 +2163,7 @@ int main (int argc, char **argv)
 	process_root_flag ("-R", argc, argv);
 	prefix = process_prefix_flag ("-P", argc, argv);

-	OPENLOG ("usermod");
+	OPENLOG (Prog);
 #ifdef WITH_AUDIT
 	audit_help_open ();
 #endif
@@ -2214,7 +2209,7 @@ int main (int argc, char **argv)
 			exit (1);
 		}

-		retval = pam_start ("usermod", pampw->pw_name, &conv, &pamh);
+		retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);
 	}

 	if (PAM_SUCCESS == retval) {
--- a/src/vipw.c
+++ b/src/vipw.c
@@ -52,7 +52,7 @@
 /*
 * Global variables
 */
-const char *Prog;
+static const char *Prog;

 static const char *filename, *fileeditname;
 static bool filelocked = false;
@@ -469,10 +469,12 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void))

 int main (int argc, char **argv)
 {
-	bool editshadow = false;
-	bool do_vipw;
+	bool  editshadow = false;
+	bool  do_vigr;

-	Prog = Basename (argv[0]);
+	do_vigr = (strcmp(Basename(argv[0]), "vigr") == 0);
+
+	Prog = do_vigr ? "vigr" : "vipw";
 	log_set_progname(Prog);
 	log_set_logfd(stderr);

@@ -482,9 +484,7 @@ int main (int argc, char **argv)

 	process_root_flag ("-R", argc, argv);

-	do_vipw = (strcmp (Prog, "vigr") != 0);
-
-	OPENLOG (do_vipw ? "vipw" : "vigr");
+	OPENLOG(Prog);

 	{
 		/*
@@ -512,13 +512,13 @@ int main (int argc, char **argv)
 		                         long_options, NULL)) != -1) {
 			switch (c) {
 			case 'g':
-				do_vipw = false;
+				do_vigr = true;
 				break;
 			case 'h':
 				usage (E_SUCCESS);
 				break;
 			case 'p':
-				do_vipw = true;
+				do_vigr = false;
 				break;
 			case 'q':
 				quiet = true;
@@ -543,7 +543,27 @@ int main (int argc, char **argv)
 		}
 	}

-	if (do_vipw) {
+	if (do_vigr) {
+#ifdef SHADOWGRP
+		if (editshadow) {
+			vipwedit (sgr_dbname (), sgr_lock, sgr_unlock);
+			printf (MSG_WARN_EDIT_OTHER_FILE,
+			        sgr_dbname (),
+			        gr_dbname (),
+			        "vigr");
+		} else {
+#endif				/* SHADOWGRP */
+			vipwedit (gr_dbname (), gr_lock, gr_unlock);
+#ifdef SHADOWGRP
+			if (sgr_file_present ()) {
+				printf (MSG_WARN_EDIT_OTHER_FILE,
+				        gr_dbname (),
+				        sgr_dbname (),
+				        "vigr -s");
+			}
+		}
+#endif				/* SHADOWGRP */
+	} else {
 		if (editshadow) {
 #ifdef WITH_TCB
 			if (getdef_bool ("USE_TCB") && (NULL != user)) {
@@ -570,26 +590,6 @@ int main (int argc, char **argv)
 				        "vipw -s");
 			}
 		}
-	} else {
-#ifdef SHADOWGRP
-		if (editshadow) {
-			vipwedit (sgr_dbname (), sgr_lock, sgr_unlock);
-			printf (MSG_WARN_EDIT_OTHER_FILE,
-			        sgr_dbname (),
-			        gr_dbname (),
-			        "vigr");
-		} else {
-#endif				/* SHADOWGRP */
-			vipwedit (gr_dbname (), gr_lock, gr_unlock);
-#ifdef SHADOWGRP
-			if (sgr_file_present ()) {
-				printf (MSG_WARN_EDIT_OTHER_FILE,
-				        gr_dbname (),
-				        sgr_dbname (),
-				        "vigr -s");
-			}
-		}
-#endif				/* SHADOWGRP */
 	}

 	nscd_flush_cache ("passwd");