configure.ac and changelog: release 4.9

Signed-off-by: Serge Hallyn <serge@hallyn.com>

.github/workflows/main.yml

@@ -0,0 +1,43 @@
+name: CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: debug
+      run: |
+        id
+        which bash
+        whoami
+        env
+        ps -ef
+        pwd
+        cat /proc/self/uid_map
+        cat /proc/self/status
+        systemd-detect-virt
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get -y install automake autopoint xsltproc gettext expect byacc libtool
+    - name: configure
+      run: |
+        ./autogen.sh --without-selinux --disable-man
+        grep ENABLE_ config.status
+    - run: make
+    - run: make install DESTDIR=${HOME}/rootfs
+    - run: sudo make install
+    - run: |
+        cd tests
+        sudo ./run_some
+        cat testsuite.log

.gitignore

@@ -48,3 +48,4 @@ Makefile.in
 /shadow.spec
 /shadow-*.tar.*
 /libmisc/getdate.c
+/libsubid/subid.h

.travis.yml

@@ -1,20 +1,52 @@
+dist: bionic
 sudo: false
 
 language: c
 
 compiler:
-  - gcc
-  - clang
+ - gcc
+ - clang
 
-addons:
-  apt:
-    packages:
-      - autopoint
-      - xsltproc
+arch:
+ - amd64
+ - arm64
+ - ppc64le
+ - s390x
 
+before_install:
+  - sudo apt-get update -qq
+  - sudo apt-get -y install -qq automake autopoint xsltproc libselinux1-dev gettext expect
+  - sudo apt-get -y install -qq byacc libtool
 script:
  - ./autogen.sh --without-selinux --disable-man
  - grep ENABLE_ config.status
  - make
 
+env:
+  global:
+   - secure: "G47VYFrtzqalrVjixTqBG9Qsa8EZRcaqsh1k6fq5JgEyHmMQActpvTUDs9FXf1MEqiY5XX3VDVfBsZgKPHgmHsMzD1bX11xpnpGByB8g7gr8I3u2ZkCREqgi77a5l3LeBh+seWiambe/DYOgvPCNa6pCynLgR9advqtgKhpCruU="
+
+addons:
+  coverity_scan:
+
+    project:
+      name: "shadow-maint/shadow"
+      description: "Upstream shadow utils tree"
+
+    notification_email: christian.brauner@ubuntu.com,serge@hallyn.com
+
+    build_command_prepend: "./autogen.sh --without-selinux --disable-man"
+    build_command: "make -j4"
+    branch_pattern: master
+
+script:
+ - cat /proc/self/uid_map
+ - cat /proc/self/status
+ - systemd-detect-virt
+ - ./autogen.sh --without-selinux --disable-man
+ - grep ENABLE_ config.status
+ - make
+ - sudo make install
+ - (cd tests; sudo ./run_some; cat testsuite.log)
+
 # vim:et:ts=2:sw=2

AUTHORS.md

@@ -0,0 +1,89 @@
+Thanks to at least the following people for sending patches, bug
+reports and various comments. This list may be incomplete, I received
+a lot of mail...
+
+# Maintainers
+Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
+Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
+Serge E. Hallyn <serge@hallyn.com> (2014-now)
+Christian Brauner <christian@brauner.io> (2019-now)
+
+# Authors and contributors
+Adam Rudnicki <adam@v-lo.krakow.pl>
+Alan Curry <pacman@tardis.mars.net>
+Aleksa Sarai <cyphar@cyphar.com>
+Alexander O. Yuriev <alex@bach.cis.temple.edu>
+Algis Rudys <arudys@rice.edu>
+Andreas Jaeger <aj@arthur.rhein-neckar.de>
+Andy Zaugg <andy.zaugg@gmail.com>
+Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it>
+Anton Gluck <gluc@midway.uchicago.edu>
+Arkadiusz Miskiewicz <misiek@pld.org.pl>
+Ben Collins <bcollins@debian.org>
+Brian R. Gaeke <brg@dgate.org>
+Calle Karlsson <ckn@kash.se>
+Chip Rosenthal <chip@unicom.com>
+Chris Evans <lady0110@sable.ox.ac.uk>
+Chris Lamb <chris@chris-lamb.co.uk>
+Cristian Gafton <gafton@sorosis.ro>
+Dan Walsh <dwalsh@redhat.com>
+Darcy Boese <possum@chardonnay.niagara.com>
+Dave Hagewood <admin@arrowweb.com>
+David A. Holland <dholland@hcs.harvard.edu>
+David Frey <David.Frey@lugs.ch>
+Ed Carp <ecarp@netcom.com>
+Ed Neville <ed@s5h.net>
+Eric W. Biederman" <ebiederm@xmission.com>
+Floody <flood@evcom.net>
+Frank Denis <j@4u.net>
+George Kraft IV <gk4@us.ibm.com>
+Greg Mortensen <loki@world.std.com>
+Guido van Rooij
+Guy Maor <maor@debian.org>
+Hrvoje Dogan <hdogan@bjesomar.srce.hr>
+Iker Pedrosa <ipedrosa@redhat.com>
+Jakub Hrozek <jhrozek@redhat.com>
+Janos Farkas <chexum@bankinf.banki.hu>
+Jason Franklin <jason.franklin@quoininc.com>
+Jay Soffian <jay@lw.net>
+Jesse Thilo <Jesse.Thilo@pobox.com>
+Joey Hess <joey@kite.ml.org>
+John Adelsberger <jja@umr.edu>
+Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us>
+Jon Lewis <jlewis@lewis.org>
+Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
+Judd Bourgeois <shagboy@bluesky.net>
+Juergen Heinzl <unicorn@noris.net>
+Juha Virtanen <jiivee@iki.fi>
+Julian Pidancet <julian.pidancet@gmail.com>
+Julianne Frances Haugh <julie78787@gmail.com>
+Leonard N. Zubkoff <lnz@dandelion.com>
+Luca Berra <bluca@www.polimi.it>
+Lukáš Kuklínek <lkukline@redhat.com>
+Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
+Marc Ewing <marc@redhat.com>
+Martin Bene <mb@sime.com>
+Martin Mares <mj@gts.cz>
+Michael Meskes <meskes@topsystem.de>
+Michael Talbot-Wilson <mike@calypso.bns.com.au>
+Michael Vetter <jubalh@iodoru.org>
+Mike Frysinger <vapier@gentoo.org>
+Mike Pakovic <mpakovic@users.southeast.net>
+Nicolas François <nicolas.francois@centraliens.net>
+Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
+Pavel Machek <pavel@bug.ucw.cz>
+Peter Vrabec <pvrabec@redhat.com>
+Phillip Street
+Rafał Maszkowski <rzm@icm.edu.pl>
+Rani Chouha <ranibey@smartec.com>
+Sami Kerola <kerolasa@rocketmail.com>
+Scott Garman <scott.a.garman@intel.com>
+Sebastian Rick Rijkers <srrijkers@gmail.com>
+Seraphim Mellos <mellos@ceid.upatras.gr>
+Shane Watts <shane@nexus.mlckew.edu.au>
+Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
+Thorsten Kukuk <kukuk@suse.de>
+Tim Hockin <thockin@eagle.ais.net>
+Timo Karjalainen <timok@iki.fi>
+Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es>
+Werner Fink <werner@suse.de>

COPYING

@@ -17,7 +17,7 @@ which is held by Julianne Frances Haugh, may be copied, such that the
 copyright holder maintains some semblance of artistic control over the
 development of the package, while giving the users of the package the
 right to use and distribute the Package in a more-or-less customary
-fashion, plus the right to make reasonable modifications. 
+fashion, plus the right to make reasonable modifications.
 
 So there.
 
@@ -28,7 +28,7 @@ Definitions:
 
 A "Package" refers to the collection of files distributed by the
 Copyright Holder, and derivatives of that collection of files created
-through textual modification, or segments thereof. 
+through textual modification, or segments thereof.
 
 "Standard Version" refers to such a Package if it has not been modified,
 or has been modified in accordance with the wishes of the Copyright
@@ -100,12 +100,12 @@ Standard Version.
 d) make other distribution arrangements with the Copyright Holder.
 
 5.  You may charge a reasonable copying fee for any distribution of this
-Package.  You may charge any fee you choose for support of this Package. 
+Package.  You may charge any fee you choose for support of this Package.
 YOU MAY NOT CHARGE A FEE FOR THIS PACKAGE ITSELF.  However, you may
 distribute this Package in aggregate with other (possibly commercial)
 programs as part of a larger (possibly commercial) software distribution
 provided that YOU DO NOT ADVERTISE this package as a product of your
-own. 
+own.
 
 6.  The name of the Copyright Holder may not be used to endorse or
 promote products derived from this software without specific prior

ChangeLog

@@ -1,3 +1,89 @@
+2021-12-19  Serge Hallyn <serge@hallyn.com>
+
+	Note: From this release forward, su from this package should be
+	considered deprecated.  Please replace any users of it with su from
+	util-linux.  Please open an issue if there is a problem with that.
+	We intend to remove it in an upcoming release.
+
+	* libsubid fixes (Xi Ruoyao, Serge Hallyn, Iker Pedrosa, Mike Gilbert,
+	  GalaxyMaster, and Luís Ferreira)
+	* Rename the test program list_subid_ranges to getsubids, write
+	  a manpage, so distros can ship it. (Iker Pedrosa)
+	* Add libeconf dep for new*idmap (Iker Pedrosa)
+	* Allow all group types with usermod -G (Iker Pedrosa)
+	* Avoid useradd generating empty subid range (Iker Pedrosa)
+	* Handle NULL pw_passwd (Jaroslav Jindrak)
+	* Fix default value SHA_get_salt_rounds (Mike Gilbert)
+	* Use https where possible in README (Paul Menzel)
+	* Update content and format of README (Iker Pedrosa)
+	* Translation updates (Balint Reczey, Frans Spiesschaert)
+	* Switch from xml2po to itstool in 'make dist' (Serge Hallyn)
+	* Fix double frees (Michael Vetter)
+	* Add LOG_INIT configurable to useradd (Andy Zaugg)
+	* Add CREATE_MAIL_SPOOL documentation (Andy Zaugg)
+	* Create a security.md
+	* Fix su never being SIGKILLd when trapping TERM (Ruihan li)
+	* Fix wrong SELinux labels in several possible cases (Iker Pedrosa)
+	* Fix missing chmod in chadowtb_move (GalaxyMaster)
+	* Handle malformed hushlogins entries (Tobias Stoeckmann)
+	* Fix groupdel segv when passwd does not exist (François Rigault)
+	* Fix covscan-found newgrp segfault (Iker Pedrosa)
+	* Remove trailing slash on hoedir (Ed Neville)
+	* Fix passwd -l message - it does not change expirey (Ed Neville)
+	* Fix SIGCHLD handling bugs in su and vipw (Tobias Stoeckmann)
+	* Remove special case for "" in usermod (Alejandro Colomar)
+	* Implement usermod -rG to remove a specific group
+	  (Andy Zaugg)
+	* call pam_end() after fork in child path for su and login
+	  (Björn Fischer)
+	* useradd: In absence of /etc/passwd, assume 0 == root
+	  (Ludwig Nussel)
+	* lib: check NULL before freeing data (Iker Pedrosa)
+	* Fix pwck segfault (Iker Pedrosa)
+
+2021-07-22  Serge Hallyn <serge@hallyn.com>
+
+	* Updated translations (Björn Esser, Juergen Hoetzel)
+	* Major salt updates (Björn Esser)
+	* Various coverity and cleanup fixes (Iker Pedrosa)
+	* Consistently use 0 to disable PASS_MIN_DAYS  in man (tzccinct)
+	* Implement NSS support for subids and a libsubid (Serge Hallyn)
+	* setfcap: retain setfcap when mapping uid 0 (Christian Brauner)
+	* login.defs: include HMAC_CRYPTO_ALGO key (Iker Pedrosa)
+	* selinux fixes (Christian Göttsche)
+	* Fix path prefix path handling (Lucas Servén Marín)
+	* Manpage updates (tzccinct, Sevan Janiyan, Iker Pedrosa, Geert Ijewski,
+		谭九鼎, Jamin W. Collins, towerpark, andydna, Frans Spiesschaert)
+	* Treat an empty passwd field as invalid (Haelwenn Monnier)
+	* newxidmap: allow running under alternative gid (Martijn de Gouw)
+	* usermod: check that  shell is executable (Geert Ijewski)
+	* Add yescript support (Rodolphe Bréard)
+	* useradd memleak fixes (whzhe)
+	* useradd: use built-in settings by default (Ludwig Nussel)
+	* getdefs: add foreign (non-shadow-utils) items (Karel Zak)
+	* buffer overflow fixes (Tobias Stoeckmann)
+	* Adding run-parts style for pre and post useradd/del (ed@s5h.net)
+
+2020-01-23  Serge Hallyn <serge@hallyn.com>
+
+	* selinux: inclue stdio (Michael Vetter)
+	* man: don't suggest making groupmems user-writeable (Michael Weiser)
+	* Makefile: bail out on error in for loops (Wolfgang Bumiller)
+	* Adding logging of SSH_ORIGINAL_COMMAND to nologin. (ed@s5h.net)
+	* add new HOME_MODE login.defs option (Duncan Overbruck)
+	* Add tty logging to useradd (ed@s5h.net)
+	* Useradd: make non-executable shell check only a warning (Tomas Mraz)
+	* Update Dutch translation (Frans-Spiesschaert)
+	* user_busy: Do not mistake a regular user process for a namespaced one (Tomas Mraz)
+	* Revert "Honor --sbindir and --bindir for binary installation" Patrick McLean)
+
+2019-12-20  Dave Reisner <dreisner@archlinux.org>
+
+	* Do not auto-enable acct_tools_setuid just because
+	  pam is enabled.  NOTE - any distros which are relying
+	  on this behavior will need to switch to configure
+	  --enable-account-tools-setuid
+
 2019-12-01  Serge Hallyn <serge@hallyn.com>
 
 	* Release 4.8
@@ -242,7 +328,7 @@
 2013-08-15  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* src/usermod.c: Check early if /etc/subuid (/etc/subgid) exists
-	when option -v/-V (-w/-W) are provided. 
+	when option -v/-V (-w/-W) are provided.
 
 2013-08-15  Nicolas François  <nicolas.francois@centraliens.net>
 
@@ -619,8 +705,8 @@
 
 	* configure.in: Prepare for next point release 4.2.
 	* if using the static char* for pw_dir, strdup it so
-	  pw_free() can be used. (Closes: Debian#691459, alioth#313957) 
-	* Kill the child process group, rather than just the 
+	  pw_free() can be used. (Closes: Debian#691459, alioth#313957)
+	* Kill the child process group, rather than just the
 	  immediate child; this is needed now that su no
 	  longer starts a controlling terminal when not running an
 	  interactive shell (closes: Debian#713979)
@@ -847,7 +933,7 @@
 
 	* po/pt.po: Updated to 557t.
 
-2012-01-19  Holger Wansing  <linux@wansing-online.de> 
+2012-01-19  Holger Wansing  <linux@wansing-online.de>
 
 	* po/de.po: Updated to 557t.
 
@@ -1434,8 +1520,8 @@
 	* NEWS, src/chpasswd.c: Create a shadow entry if the password is
 	set to 'x' in passwd and there are no entry in shadow for the
 	user.
-	* NEWS, src/chgpasswd.c: Create a gshadow entry if the password is 
-	set to 'x' in group and there are no entry in gshadow for the 
+	* NEWS, src/chgpasswd.c: Create a gshadow entry if the password is
+	set to 'x' in group and there are no entry in gshadow for the
 	group.
 
 2011-07-28  Nicolas François  <nicolas.francois@centraliens.net>
@@ -1507,7 +1593,7 @@
 2011-07-22  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Fail in case of
-	invalid configuration. 
+	invalid configuration.
 	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Updated
 	comments.
 	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Be more strict
@@ -1744,7 +1830,7 @@
 	  man/login.defs.d/DEFAULT_HOME.xml,
 	  man/login.defs.d/LOGIN_RETRIES.xml,
 	  man/login.defs.d/MD5_CRYPT_ENAB.xml,
-	  man/login.defs.d/PORTTIME_CHECKS_ENAB.xml, 
+	  man/login.defs.d/PORTTIME_CHECKS_ENAB.xml,
 	  man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml:
 	  Fix typos
 	* man/po/de.po: German translation of manpages completed
@@ -1791,7 +1877,7 @@
 
 2011-03-30  YunQiang Su  <wzssyqa@gmail.com>
 
-	* man/po/zh_CN.po: convert Simplified Chinese translation 
+	* man/po/zh_CN.po: convert Simplified Chinese translation
 	  of manpages to gettext
 	* po/zh_CN.po: Simplified Chinese translation completed
 
@@ -1930,7 +2016,7 @@
 	boolean. safe_system last argument is a boolean.
 	* libmisc/system.c: Check return value of dup2.
 	* libmisc/system.c: Do not check *printf/*puts return value.
-	* libmisc/system.c: Do not check execve return value. 
+	* libmisc/system.c: Do not check execve return value.
 	* libmisc/salt.c: Do not check *printf/*puts return value.
 	* libmisc/loginprompt.c: Do not check gethostname return value.
 	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Do not check
@@ -2083,7 +2169,7 @@
 2010-04-04  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* src/useradd.c: spool is a constant string.
-	* src/useradd.c: Set the new copy_tree's paramater 'copy_root' to false 
+	* src/useradd.c: Set the new copy_tree's paramater 'copy_root' to false
 
 2010-04-04  Nicolas François  <nicolas.francois@centraliens.net>
 
@@ -4932,7 +5018,7 @@
 	<sgrubb@redhat.com>
 	* src/groupadd.c: Log to audit with type AUDIT_ADD_GROUP instead
 	of AUDIT_USER_CHAUTHTOK.
-	* src/groupdel.c: Log to audit with type AUDIT_DEL_GROUP instead 
+	* src/groupdel.c: Log to audit with type AUDIT_DEL_GROUP instead
 	of AUDIT_USER_CHAUTHTOK.
 	* src/useradd.c: Log to audit with type AUDIT_ADD_USER /
 	AUDIT_ADD_GROUP / AUDIT_USYS_CONFIG instead of
@@ -5188,7 +5274,7 @@
 	* NEWS, src/gpasswd.c: Use getopt_long instead of getopt. Added
 	support for long options --add (-a), --delete (-d),
 	--remove-password (-r), --restrict (-R), --administrators (-A),
-	and --members (-M) 
+	and --members (-M)
 	* man/gpasswd.1.xml: Document the new long options.
 	* src/gpasswd.c: The sgrp structure is only used if SHADOWGRP is
 	defined.
@@ -7377,7 +7463,7 @@
 	to mimic useradd's behavior choices of UID and GID.
 	* src/newusers.c: Reuse the generic find_new_uid() and
 	find_new_gid() functions. This permits to respect the
-	UID_MIN/UID_MAX and GID_MIN/GID_MAX variables, should 
+	UID_MIN/UID_MAX and GID_MIN/GID_MAX variables, should
 	* src/newusers.c: Check if the user or group exist using the
 	external databases (with the libc getpwnam/getgrnam functions).
 	Refuse to update an user which exist in an external database but
@@ -9174,7 +9260,7 @@
 	Debian's patch 202_it_man_uses_gettext. Thanks to Giuseppe
 	Sacco who contributed the Italian translation.
 	* man/de/de.po: (nearly) complete German translation of man pages
-	Imported from Debian's patch 203_de-man-update. Thanks to 
+	Imported from Debian's patch 203_de-man-update. Thanks to
 	Simon Brandmair
 	* src/usermod.c: Clarify the online help of usermod for "-a"
 	Imported from Debian's patch 402-clarify_usermod_usage

Makefile.am

@@ -2,5 +2,14 @@
 
 EXTRA_DIST = NEWS README TODO shadow.spec.in
 
-SUBDIRS = po man libmisc lib src \
-	contrib doc etc
+SUBDIRS = libmisc lib
+
+if ENABLE_SUBIDS
+SUBDIRS += libsubid
+endif
+
+SUBDIRS += src po contrib doc etc
+
+if ENABLE_REGENERATE_MAN
+SUBDIRS += man
+endif

NEWS

@@ -15,7 +15,7 @@ shadow-4.1.5.1 -> shadow-4.2					UNRELEASED
 
 - su
   * When su receives a signal (SIGTERM, or SIGINT/SIGQUIT in non
-    interactive mode), kill the child process group, rather than just the 
+    interactive mode), kill the child process group, rather than just the
     immediate child.
   * Fix segmentation faults for users without a proper home or shell in
     their passwd entries.
@@ -622,7 +622,7 @@ shadow-4.0.18.2 -> shadow-4.1.0						09-12-2007
 - Add support for uClibc with no l64a().
 - userdel, usermod: Fix infinite loop caused by erroneous group file
   containing two entries with the same name. (The fix strategy differs
-  from 
+  from
   (https://bugzilla.redhat.com/show_bug.cgi?id=240915)
 - userdel: Abort if an error is detected while updating the passwd or group
   databases. The passwd or group files will not be written.
@@ -1001,9 +1001,9 @@ shadow-4.0.12 -> shadow-4.0.13						10-10-2005
 shadow-4.0.11.1 -> shadow-4.0.12					22-08-2005
 
 *** general:
-- newgrp, login: remove using login.defs::CLOSE_SESSIONS variable and always 
+- newgrp, login: remove using login.defs::CLOSE_SESSIONS variable and always
   close PAM session,
-- fixed configure.in: really enable shadow group support by default (pointed by 
+- fixed configure.in: really enable shadow group support by default (pointed by
   Greg Schafer <gschafer@zip.com.au> and Peter Vrabec <pvrabec@redhat.com>),
 - login.defs: removed handle QMAIL_DIR variable,
 - login: allow regular user to login on read-only root file system (not only for root)
@@ -1080,7 +1080,7 @@ shadow-4.0.10 -> shadow-4.0.11						18-07-2005
 - S/Key support is back,
 - usermod: added -a option. This flag can only be used in conjunction with the -G
   option. It cause usermod to append user to the current supplementary group list.
-  (patch by Peter Vrabec <pvrabec@redhat.com>) 
+  (patch by Peter Vrabec <pvrabec@redhat.com>)
 - chage: added missing \n in error messages,
 - useradd, groupadd: change -O option to -K and document it in man page,
 - su, sulogin, login: fixed erroneous warning messages when used with PAM about some
@@ -1130,7 +1130,7 @@ shadow-4.0.9 -> shadow-4.0.10						28-06-2005
   http://bugs.debian.org/53570 http://bugs.debian.org/195048 http://bugs.debian.org/211884
 - login: made login's -f option also able to use the username after -- if none
   was passed as it's optarg
-  http://bugs.debian.org/53702 
+  http://bugs.debian.org/53702
 - login: check for hushed login and pass PAM_SILENT if true,
   http://bugs.debian.org/48002
 - login: fixed username on succesful login (was using the normal username,
@@ -1208,7 +1208,7 @@ shadow-4.0.7 -> shadow-4.0.8						26-04-2005
 -- new: chage.1, chpasswd.8, expiry.1, faillog.5, faillog.8, getspnam.3,
    logoutd.8, porttime.5, pwck.8, shadow.3, shadowconfig.8, su.1,
 - passwd(1): fix #160477 Debian bug: improve -S output description,
-- newgrp(1): fix #251926, #166173, #113191 Debian bugs: explain why editing /etc/group   
+- newgrp(1): fix #251926, #166173, #113191 Debian bugs: explain why editing /etc/group
   (without gshadow) doesn't permit to use newgrp,
 - newgrp(1): newgrp uses /bin/sh (not bash),
 - faillog(8): updated after rewritten faillog command for use getopt_long(),
@@ -1238,7 +1238,7 @@ shadow-4.0.6 -> shadow-4.0.7						26-01-2005
 - chpasswd:
 -- switch chpasswd to use getopt_long() and adds a --md5 option
    (by Ian Gulliver <ian@penguinhosting.net>),
--- rewritten chpasswd(8) man page.  
+-- rewritten chpasswd(8) man page.
 
 shadow-4.0.5 -> shadow-4.0.6						08-11-2004
 
@@ -1309,7 +1309,7 @@ shadow-4.0.4 => shadow-4.0.4.1						14-01-2004
 - bug fixes in automake files for generate correct tar ball on "make dist":
   added missing "EXTRA_DIST = $(man_MANS)" in man/*/Makefile.am.
 
-shadow-4.0.3 => shadow-4.0.4						14-01-2004	
+shadow-4.0.3 => shadow-4.0.4						14-01-2004
 
 *** general:
 - added missing information about -f options in groupadd usage message
@@ -1408,7 +1408,7 @@ shadow-4.0.0 => shadow-4.0.1
 - fixes for handle/print correctly 32bit uid/gid (Thorsten Kukuk <kukuk@suse.de>),
 - implemented functions for better reloading the nscd cache (per NSS map)
   (Thorsten Kukuk <kukuk@suse.de>),
-- fixed warnings "not used but defined" on compile using gcc 3.0.x 
+- fixed warnings "not used but defined" on compile using gcc 3.0.x
   (bulletpr00ph <bullet@users.sourceforge.net>),
 - added ja, ko translations found in SuSE,
 - added symlinks: newgrp -> sg, vipw -> vigr,
@@ -1416,7 +1416,7 @@ shadow-4.0.0 => shadow-4.0.1
 - added sg(1) man page as roff .so link to newgrp(1),
 - installed fix for SEGV when using pwck -s on /etc/passwd file with
   empty lines in it.
-  
+
 shadow-20001016 => shadow-4.0.0						 06-01-2002
 
 - fix bug discovered and fixed by Marcel Ritter
@@ -1466,7 +1466,7 @@ shadow-20000902 => shadow-20001012
   overwrite previously existing groups in adduser,
 - added PAM support for chage (bind to "chage" PAM config file) also
   added PAM support for all other small tools like chpasswd, groupadd,
-  groupdel, groupmod, newusers, useradd, userdel, usermod (bind to common 
+  groupdel, groupmod, newusers, useradd, userdel, usermod (bind to common
   "shadow" PAM config file) - this modifications mainly based on
   modifications prepared by Janek Rękojarski <baggins@pld.org.pl>,
 - many small fixes and improvements in automake (mow "make dist"

README

@@ -1,121 +0,0 @@
-Shadow SITES
-============
-
-Homepage
-	http://github.com/shadow-maint/shadow
-
-Issue tracker
-	http://github.com/shadow-maint/shadow/issues
-
-Releases
-	https://github.com/shadow-maint/shadow/releases
-
-Mailing lists
-	for general discuss: pkg-shadow-devel@lists.alioth.debian.org
-	commit list: pkg-shadow-commits@lists.alioth.debian.org
-
-Mailing lists subscription
-	http://lists.alioth.debian.org/mailman/listinfo/pkg-shadow-devel
-	http://lists.alioth.debian.org/mailman/listinfo/pkg-shadow-commits
-
-Mailing lists archives:
-	http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/
-	http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/
-
-S/Key support:
-	Shadow can be built with S/Key support using the S/Key package from:
-
-	http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libskey/
-	or
-	http://gentoo.osuosl.org/distfiles/skey-1.1.5.tar.bz2
-
-Authors and contributors
-========================
-
-Thanks to at least the following people for sending patches, bug
-reports and various comments.  This list may be incomplete, I received
-a lot of mail...
-
-
-Adam Rudnicki <adam@v-lo.krakow.pl>
-Alan Curry <pacman@tardis.mars.net>
-Aleksa Sarai <cyphar@cyphar.com>
-Alexander O. Yuriev <alex@bach.cis.temple.edu>
-Algis Rudys <arudys@rice.edu>
-Andreas Jaeger <aj@arthur.rhein-neckar.de>
-Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it>
-Anton Gluck <gluc@midway.uchicago.edu>
-Arkadiusz Miskiewicz <misiek@pld.org.pl>
-Ben Collins <bcollins@debian.org>
-Brian R. Gaeke <brg@dgate.org>
-Calle Karlsson <ckn@kash.se>
-Chip Rosenthal <chip@unicom.com>
-Chris Evans <lady0110@sable.ox.ac.uk>
-Chris Lamb <chris@chris-lamb.co.uk>
-Cristian Gafton <gafton@sorosis.ro>
-Dan Walsh <dwalsh@redhat.com>
-Darcy Boese <possum@chardonnay.niagara.com>
-Dave Hagewood <admin@arrowweb.com>
-David A. Holland <dholland@hcs.harvard.edu>
-David Frey <David.Frey@lugs.ch>
-Ed Carp <ecarp@netcom.com>
-Eric W. Biederman" <ebiederm@xmission.com>
-Floody <flood@evcom.net>
-Frank Denis <j@4u.net>
-George Kraft IV <gk4@us.ibm.com>
-Greg Mortensen <loki@world.std.com>
-Guido van Rooij
-Guy Maor <maor@debian.org>
-Hrvoje Dogan <hdogan@bjesomar.srce.hr>
-Jakub Hrozek <jhrozek@redhat.com>
-Janos Farkas <chexum@bankinf.banki.hu>
-Jay Soffian <jay@lw.net>
-Jesse Thilo <Jesse.Thilo@pobox.com>
-Joey Hess <joey@kite.ml.org>
-John Adelsberger <jja@umr.edu>
-Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us>
-Jon Lewis <jlewis@lewis.org>
-Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
-Judd Bourgeois <shagboy@bluesky.net>
-Juergen Heinzl <unicorn@noris.net>
-Juha Virtanen <jiivee@iki.fi>
-Julian Pidancet <julian.pidancet@gmail.com>
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
-Leonard N. Zubkoff <lnz@dandelion.com>
-Luca Berra <bluca@www.polimi.it>
-Lukáš Kuklínek <lkukline@redhat.com>
-Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
-Marc Ewing <marc@redhat.com>
-Martin Bene <mb@sime.com>
-Martin Mares <mj@gts.cz>
-Michael Meskes <meskes@topsystem.de>
-Michael Talbot-Wilson <mike@calypso.bns.com.au>
-Mike Frysinger <vapier@gentoo.org>
-Mike Pakovic <mpakovic@users.southeast.net>
-Nicolas François <nicolas.francois@centraliens.net>
-Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
-Pavel Machek <pavel@bug.ucw.cz>
-Peter Vrabec <pvrabec@redhat.com>
-Phillip Street
-Rafał Maszkowski <rzm@icm.edu.pl>
-Rani Chouha <ranibey@smartec.com>
-Sami Kerola <kerolasa@rocketmail.com>
-Scott Garman <scott.a.garman@intel.com>
-Sebastian Rick Rijkers <srrijkers@gmail.com>
-Seraphim Mellos <mellos@ceid.upatras.gr>
-Shane Watts <shane@nexus.mlckew.edu.au>
-Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
-Thorsten Kukuk <kukuk@suse.de>
-Tim Hockin <thockin@eagle.ais.net>
-Timo Karjalainen <timok@iki.fi>
-Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es>
-Werner Fink <werner@suse.de>
-
-Maintainers
-===========
-
-Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
-Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
-Serge E. Hallyn <serge@hallyn.com> (2014-now)
-Christian Brauner <christian@brauner.io> (2019-now)
-

README

@@ -0,0 +1 @@
+README.md

README.md

@@ -0,0 +1,36 @@
+# shadow-utils
+
+## Introduction
+The shadow-utils package includes the necessary programs for
+converting UNIX password files to the shadow password format, plus
+programs for managing user and group accounts. The pwconv command
+converts passwords to the shadow password format. The pwunconv command
+unconverts shadow passwords and generates a passwd file (a standard
+UNIX password file). The pwck command checks the integrity of password
+and shadow files. The lastlog command prints out the last login times
+for all users. The useradd, userdel, and usermod commands are used for
+managing user accounts. The groupadd, groupdel, and groupmod commands
+are used for managing group accounts.
+
+## Sites
+* [Homepage](https://github.com/shadow-maint/shadow)
+* [Issue tracker](https://github.com/shadow-maint/shadow/issues)
+* [Releases](https://github.com/shadow-maint/shadow/releases)
+
+## Contacts
+There are several ways to contact us:
+* [the general discussion mailing list](
+  https://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-devel)
+* the #shadow IRC channel on libera.chat:
+  * irc://irc.libera.chat/shadow
+
+### Mailing archives
+* [the general discussion mailing list archive](
+  https://alioth-lists.debian.net/pipermail/pkg-shadow-devel/)
+* [the commit mailing list archive](
+  https://alioth-lists-archive.debian.net/pipermail/pkg-shadow-commits/),
+  only used for historical purposes
+
+## Authors and maintainers
+Authors and maintainers are listed in [AUTHORS.md](
+https://github.com/shadow-maint/shadow/blob/master/AUTHORS.md).

SECURITY.md

@@ -0,0 +1,11 @@
+# Security Policy
+
+## Supported Versions
+
+At the moment only the latest release is supported.
+
+## Reporting a Vulnerability
+
+Security vulnerabilities may be reported to
+* Serge Hallyn <serge@hallyn.com> (B175CFA98F192AF2)
+* Christian Brauner <christian@brauner.io> (4880B8C9BD0E5106FC070F4F7B3C391EFEA93624)

TODO

@@ -1,4 +1,4 @@
- * Create a common usage function that'd take the array of     
+ * Create a common usage function that'd take the array of
    long options and an array of descriptions and output that so things would
    be standardized across the utils.
    Usage strings should be normalized and split first.

autogen.sh

@@ -6,7 +6,7 @@ autoreconf -v -f --install || exit 1
 	CFLAGS="-O2 -Wall" \
 	--enable-man \
 	--enable-maintainer-mode \
-	--disable-shared \
+	--enable-shared \
 	--without-libpam \
 	--with-selinux \
 	"$@"

configure.ac

@@ -1,19 +1,29 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_PREREQ([2.64])
-AC_INIT([shadow], [4.8], [pkg-shadow-devel@lists.alioth.debian.org], [],
+AC_PREREQ([2.69])
+m4_define([libsubid_abi_major], 4)
+m4_define([libsubid_abi_minor], 0)
+m4_define([libsubid_abi_micro], 0)
+m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
+AC_INIT([shadow], [4.10], [pkg-shadow-devel@lists.alioth.debian.org], [],
 	[https://github.com/shadow-maint/shadow])
 AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
+AC_CONFIG_MACRO_DIRS([m4])
 AM_SILENT_RULES([yes])
 AC_CONFIG_HEADERS([config.h])
 
+AC_SUBST([LIBSUBID_ABI_MAJOR], [libsubid_abi_major])
+AC_SUBST([LIBSUBID_ABI_MINOR], [libsubid_abi_minor])
+AC_SUBST([LIBSUBID_ABI_MICRO], [libsubid_abi_micro])
+AC_SUBST([LIBSUBID_ABI], [libsubid_abi])
+
 dnl Some hacks...
 test "$prefix" = "NONE" && prefix="/usr"
 test "$prefix" = "/usr" && exec_prefix=""
 
 AC_GNU_SOURCE
 
-AM_DISABLE_SHARED
 AM_ENABLE_STATIC
+AM_ENABLE_SHARED
 
 AM_MAINTAINER_MODE
 
@@ -32,20 +42,21 @@ AC_HEADER_STDC
 AC_HEADER_SYS_WAIT
 AC_HEADER_STDBOOL
 
-AC_CHECK_HEADERS(errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
+AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
 	utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
-	utime.h ulimit.h sys/capability.h sys/resource.h gshadow.h lastlog.h \
-	locale.h rpc/key_prot.h netdb.h acl/libacl.h attr/libattr.h \
-	attr/error_context.h)
+	utime.h ulimit.h sys/capability.h sys/random.h sys/resource.h \
+	gshadow.h lastlog.h locale.h rpc/key_prot.h netdb.h acl/libacl.h \
+	attr/libattr.h attr/error_context.h)
 
 dnl shadow now uses the libc's shadow implementation
 AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])])
 
-AC_CHECK_FUNCS(l64a fchmod fchown fsync futimes getgroups gethostname getspnam \
-	gettimeofday getusershell getutent initgroups lchown lckpwdf lstat \
-	lutimes memcpy memset setgroups sigaction strchr updwtmp updwtmpx innetgr \
-	getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r getaddrinfo \
-	ruserok)
+AC_CHECK_FUNCS(arc4random_buf l64a fchmod fchown fsync futimes getgroups \
+	gethostname getentropy getrandom getspnam gettimeofday getusershell \
+	getutent initgroups lchown lckpwdf lstat lutimes memcpy memset \
+	setgroups sigaction strchr updwtmp updwtmpx innetgr getpwnam_r \
+	getpwuid_r getgrnam_r getgrgid_r getspnam_r getaddrinfo ruserok \
+	dlopen)
 AC_SYS_LARGEFILE
 
 dnl Checks for typedefs, structures, and compiler characteristics.
@@ -226,7 +237,7 @@ AC_ARG_ENABLE(account-tools-setuid,
 	   *) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
 	   ;;
 	 esac],
-	[enable_acct_tools_setuid="maybe"]
+	[enable_acct_tools_setuid="no"]
 )
 
 AC_ARG_ENABLE(utmpx,
@@ -280,6 +291,9 @@ AC_ARG_WITH(sha-crypt,
 AC_ARG_WITH(bcrypt,
 	[AC_HELP_STRING([--with-bcrypt], [allow the bcrypt password encryption algorithm @<:@default=no@:>@])],
 	[with_bcrypt=$withval], [with_bcrypt=no])
+AC_ARG_WITH(yescrypt,
+	[AC_HELP_STRING([--with-yescrypt], [allow the yescrypt password encryption algorithm @<:@default=no@:>@])],
+	[with_yescrypt=$withval], [with_yescrypt=no])
 AC_ARG_WITH(nscd,
 	[AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
 	[with_nscd=$withval], [with_nscd=yes])
@@ -307,11 +321,18 @@ if test "$with_sha_crypt" = "yes"; then
 	AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
 fi
 
+AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
+
 AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes")
 if test "$with_bcrypt" = "yes"; then
 	AC_DEFINE(USE_BCRYPT, 1, [Define to allow the bcrypt password encryption algorithm])
 fi
 
+AM_CONDITIONAL(USE_YESCRYPT, test "x$with_yescrypt" = "xyes")
+if test "$with_yescrypt" = "yes"; then
+	AC_DEFINE(USE_YESCRYPT, 1, [Define to allow the yescrypt password encryption algorithm])
+fi
+
 if test "$with_nscd" = "yes"; then
 	AC_CHECK_FUNC(posix_spawn,
 	              [AC_DEFINE(USE_NSCD, 1, [Define to support flushing of nscd caches])],
@@ -324,7 +345,7 @@ if test "$with_sssd" = "yes"; then
 	              [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
 fi
 
-AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])])
+AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su]))
 AM_CONDITIONAL([WITH_SU], [test "x$with_su" != "xno"])
 
 dnl Check for some functions in libc first, only if not found check for
@@ -392,6 +413,10 @@ AC_SUBST(LIBCRYPT)
 AC_CHECK_LIB(crypt, crypt, [LIBCRYPT=-lcrypt],
 	[AC_MSG_ERROR([crypt() not found])])
 
+AC_SUBST(LIYESCRYPT)
+AC_CHECK_LIB(crypt, crypt, [LIYESCRYPT=-lcrypt],
+	[AC_MSG_ERROR([crypt() not found])])
+
 AC_SUBST(LIBACL)
 if test "$with_acl" != "no"; then
 	AC_CHECK_HEADERS(acl/libacl.h attr/error_context.h, [acl_header="yes"], [acl_header="no"])
@@ -715,6 +740,8 @@ AC_CONFIG_FILES([
 	man/zh_TW/Makefile
 	libmisc/Makefile
 	lib/Makefile
+	libsubid/Makefile
+	libsubid/subid.h
 	src/Makefile
 	contrib/Makefile
 	etc/Makefile
@@ -741,6 +768,7 @@ echo "	shadow group support:		$enable_shadowgrp"
 echo "	S/Key support:			$with_skey"
 echo "	SHA passwords encryption:	$with_sha_crypt"
 echo "	bcrypt passwords encryption:	$with_bcrypt"
+echo "	yescrypt passwords encryption:	$with_yescrypt"
 echo "	nscd support:			$with_nscd"
 echo "	sssd support:			$with_sssd"
 echo "	subordinate IDs support:	$enable_subids"

contrib/adduser-old.c

@@ -4,14 +4,14 @@
 ** --marekm
 **
 ** 02/26/96
-** modified to call shadow utils (useradd,chage,passwd) on shadowed 
+** modified to call shadow utils (useradd,chage,passwd) on shadowed
 ** systems - Cristian Gafton, gafton@sorosis.ro
 **
 ** 6/27/95
 ** shadow-adduser 1.4:
 **
-** now it copies the /etc/skel dir into the person's dir, 
-** makes the mail folders, changed some defaults and made a 'make 
+** now it copies the /etc/skel dir into the person's dir,
+** makes the mail folders, changed some defaults and made a 'make
 ** install' just for the hell of it.
 **
 ** Greg Gallagher
@@ -19,20 +19,20 @@
 **
 ** 1/28/95
 ** shadow-adduser 1.3:
-** 
-** Basically a bug-fix on my additions in 1.2.  Thanks to Terry Stewart 
+**
+** Basically a bug-fix on my additions in 1.2.  Thanks to Terry Stewart
 ** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
 ** It was such a stupid bug that I would have never seen it myself.
 **
 **                                Brandon
 *****
 ** 01/27/95
-** 
+**
 ** shadow-adduser 1.2:
 ** I took the C source from adduser-shadow (credits are below) and made
 ** it a little more worthwhile.  Many small changes... Here's
 ** the ones I can remember:
-** 
+**
 ** Removed support for non-shadowed systems (if you don't have shadow,
 **     use the original adduser, don't get this shadow version!)
 ** Added support for the correct /etc/shadow fields (Min days before
@@ -56,7 +56,7 @@
 **                               Brandon
 **                                  photon@usis.com
 **
-***** 
+*****
 ** adduser 1.0: add a new user account (For systems not using shadow)
 ** With a nice little interface and a will to do all the work for you.
 **
@@ -119,14 +119,14 @@
 
 void main()
 {
-	char foo[32];			
+	char foo[32];
 	char uname[9],person[32],dir[32],shell[32];
 	unsigned int group,min_pass,max_pass,warn_pass,user_die;
 	/* the group and uid of the new user */
 	int bad=0,done=0,correct=0,gets_warning=0;
 	char cmd[255];
 	struct group *grp;
-	
+
 	/* flags, in order:
 	* bad to see if the username is in /etc/passwd, or if strange stuff has
 	* been typed if the user might be put in group 0
@@ -137,24 +137,24 @@ void main()
 	*/
 
 	/* The real program starts HERE! */
-  
+
 	if(geteuid()!=0)
 	{
 		printf("It seems you don't have access to add a new user.  Try\n");
 		printf("logging in as root or su root to gain super-user access.\n");
 		exit(1);
 	}
-  
+
 	/* Sanity checks
 	*/
-	
+
 	if (!(grp=getgrgid(DEFAULT_GROUP))){
 		printf("Error: the default group %d does not exist on this system!\n",
 				DEFAULT_GROUP);
 		printf("adduser must be recompiled.\n");
 		exit(1);
-	}; 
- 
+	};
+
 	while(!correct) {		/* loop until a "good" uname is chosen */
 		while(!done) {
 			printf("\nLogin to add (^C to quit): ");
@@ -178,19 +178,19 @@ void main()
 			} else
 				done=1;
 		}; /* done, we have a valid new user name */
-		
+
 		/* all set, get the rest of the stuff */
 		printf("\nEditing information for new user [%s]\n",uname);
-  
+
 		printf("\nFull Name [%s]: ",uname);
 		gets(person);
 		if (!strlen(person)) {
 			bzero(person,sizeof(person));
 			strcpy(person,uname);
 		};
-      
+
 		do {
-			bad=0; 
+			bad=0;
 			printf("GID [%d]: ",DEFAULT_GROUP);
 			gets(foo);
 			if (!strlen(foo))
@@ -220,7 +220,7 @@ void main()
 
 
 		fflush(stdin);
-      
+
 		printf("\nIf home dir ends with a / then [%s] will be appended to it\n",uname);
 		printf("Home Directory [%s/%s]: ",DEFAULT_HOME,uname);
 		fflush(stdout);
@@ -237,30 +237,30 @@ void main()
 		gets(shell);
 		if (!strlen(shell))
 			sprintf(shell,"%s",DEFAULT_SHELL);
-      
+
 		printf("\nMin. Password Change Days [0]: ");
 		gets(foo);
 		min_pass=atoi(foo);
-            
+
 		printf("Max. Password Change Days [%d]: ",DEFAULT_MAX_PASS);
 		gets(foo);
 		if (strlen(foo) > 1)
 			max_pass = atoi(foo);
 		else
 			max_pass = DEFAULT_MAX_PASS;
-            
+
 		printf("Password Warning Days [%d]: ",DEFAULT_WARN_PASS);
 		gets(foo);
 		warn_pass = atoi(foo);
 		if (warn_pass==0)
 			warn_pass = DEFAULT_WARN_PASS;
-            
+
 		printf("Days after Password Expiry for Account Locking [%d]: ",DEFAULT_USER_DIE);
 		gets(foo);
 		user_die = atoi(foo);
 		if (user_die == 0)
 			user_die = DEFAULT_USER_DIE;
-      
+
 		printf("\nInformation for new user [%s] [%s]:\n",uname,person);
 		printf("Home directory: [%s] Shell: [%s]\n",dir,shell);
 		printf("GID: [%d]\n",group);
@@ -279,7 +279,7 @@ void main()
 	bzero(cmd,sizeof(cmd));
 	sprintf(cmd,"%s -g %d -d %s -s %s -c \"%s\" -m -k /etc/skel %s",
 			USERADD_PATH,group,dir,shell,person,uname);
-	printf("Calling useradd to add new user:\n%s\n",cmd);  
+	printf("Calling useradd to add new user:\n%s\n",cmd);
 	if(system(cmd)){
 		printf("User add failed!\n");
 		exit(errno);

doc/HOWTO

@@ -1311,7 +1311,7 @@
 
   This means that fred's password is valid, it was last changed on
   03/04/96, it can be changed at any time, it expires after 60 days,
-  fred will not be warned, and and the account won't be disabled when
+  fred will not be warned, and the account won't be disabled when
   the password expires.
 
   This simply means that if fred logs in after the password expires, he
@@ -1487,7 +1487,7 @@
 
   If a user logs into a line that is listed in /etc/dialups, and his
   shell is listed in the file /etc/d_passwd he will be allowed access
-  only by suppling the correct password.
+  only by supplying the correct password.
 
   Another useful purpose for using dial-up passwords might be to setup a
   line that only allows a certain type of connect (perhaps a PPP or UUCP

doc/README.limits

@@ -63,4 +63,3 @@ To completely disable limits for a user, a single dash (-) will do.
 Also, please note that all limit settings are set PER LOGIN.  They are
 not global, nor are they permanent.  Perhaps global limits will come, but
 for now this will have to do ;)
-

doc/README.platforms

@@ -3,7 +3,7 @@
 # This is the current (still incomplete) list of platforms this
 # package has been verified to work on.  Additions (preferably
 # in the format as described below) are welcome.  Thanks!
-# 
+#
 # V: last version reported to work
 # H: host type
 # L: Linux libc version

doc/README.skey

@@ -0,0 +1,4 @@
+# S/Key support
+shadow-utils can be built with S/Key support using the S/Key package from:
+* http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libskey/ or
+* https://gentoo.osuosl.org/distfiles/skey-1.1.5.tar.bz2

doc/WISHLIST

@@ -37,4 +37,3 @@ New ideas to add to this list are welcome, too.  --marekm
   per-user configuration, to be executed with run-parts. Some hooks should
   be executed at package install time for existing users, likewise for
   package removal and possibly modification.  (Debian Bug#36019)
-

docs/index.html

@@ -1,4 +1,4 @@
-<HEAD>
+<head>
 <title>shadow - Welcome</title>
 </head>
 <body>

etc/Makefile.am

@@ -4,8 +4,7 @@
 sysconf_DATA = login.defs
 
 defaultdir = $(sysconfdir)/default
-default_DATA = \
-	useradd
+default_DATA =
 
 nonpam_files = \
 	limits \

etc/login.access

@@ -1,20 +1,20 @@
 # $Id$
 #
 # Login access control table.
-# 
+#
 # When someone logs in, the table is scanned for the first entry that
 # matches the (user, host) combination, or, in case of non-networked
 # logins, the first entry that matches the (user, tty) combination.  The
-# permissions field of that table entry determines whether the login will 
+# permissions field of that table entry determines whether the login will
 # be accepted or refused.
-# 
+#
 # Format of the login access control table is three fields separated by a
 # ":" character:
-# 
+#
 # 	permission : users : origins
-# 
+#
 # The first field should be a "+" (access granted) or "-" (access denied)
-# character. 
+# character.
 #
 # The second field should be a list of one or more login names, group
 # names, or ALL (always matches). A pattern of the form user@host is
@@ -37,7 +37,7 @@
 # listed: the program does not look at a user's primary group id value.
 #
 ##############################################################################
-# 
+#
 # Disallow console logins to all but a few accounts.
 #
 #-:ALL EXCEPT wheel shutdown sync:console

etc/login.defs

@@ -195,12 +195,17 @@ KILLCHAR	025
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
 # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-# home directories.
+# home directories if HOME_MODE is not set.
 # 022 is the default value, but 027, or even 077, could be considered
 # for increased privacy. There is no One True Answer here: each sysadmin
 # must make up their mind.
 UMASK		022
 
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+#HOME_MODE	0700
+
 #
 # Password aging controls:
 #
@@ -290,7 +295,7 @@ CHFN_AUTH		yes
 # any combination of letters "frwh" (full name, room number, work
 # phone, home phone).  If not defined, no changes are allowed.
 # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-# 
+#
 CHFN_RESTRICT		rwh
 
 #
@@ -321,7 +326,9 @@ CHFN_RESTRICT		rwh
 # If set to SHA256, SHA256-based algorithm will be used for encrypting password
 # If set to SHA512, SHA512-based algorithm will be used for encrypting password
 # If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
 # If set to DES, DES-based algorithm will be used for encrypting password (default)
+# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
 # Overrides the MD5_CRYPT_ENAB option
 #
 # Note: If you use PAM, it is recommended to use a value consistent with
@@ -337,7 +344,8 @@ CHFN_RESTRICT		rwh
 # However, more CPU resources will be needed to authenticate users if
 # this value is increased.
 #
-# If not specified, the libc will choose the default number of rounds (5000).
+# If not specified, the libc will choose the default number of rounds (5000),
+# which is orders of magnitude too low for modern hardware.
 # The values must be within the 1000-999999999 range.
 # If only one of the MIN or MAX values is set, then this value will be used.
 # If MIN > MAX, the highest value will be used.
@@ -360,6 +368,19 @@ CHFN_RESTRICT		rwh
 #BCRYPT_MIN_ROUNDS 13
 #BCRYPT_MAX_ROUNDS 13
 
+#
+# Only works if ENCRYPT_METHOD is set to YESCRYPT.
+#
+# Define the YESCRYPT cost factor.
+# With a higher cost factor, it is more difficult to brute-force the password.
+# However, more CPU time and more memory will be needed to authenticate users
+# if this value is increased.
+#
+# If not specified, a cost factor of 5 will be used.
+# The value must be within the 1-11 range.
+#
+#YESCRYPT_COST_FACTOR 5
+
 #
 # List of groups to add to the user's supplementary group set
 # when logging in from the console (as determined by the CONSOLE
@@ -377,6 +398,14 @@ CHFN_RESTRICT		rwh
 #
 DEFAULT_HOME	yes
 
+#
+# The pwck(8) utility emits a warning for any system account with a home
+# directory that does not exist.  Some system accounts intentionally do
+# not have a home directory.  Such accounts may have this string as
+# their home directory in /etc/passwd to avoid a spurious warning.
+#
+NONEXISTENT	/nonexistent
+
 #
 # If this file exists and is readable, login environment will be
 # read from it.  Every line should be in the form name=value.
@@ -423,3 +452,27 @@ USERGROUPS_ENAB yes
 # missing.
 #
 #FORCE_SHADOW    yes
+
+#
+# Allow newuidmap and newgidmap when running under an alternative
+# primary group.
+#
+#GRANT_AUX_GROUP_SUBIDS yes
+
+#
+# Prevents an empty password field to be interpreted as "no authentication
+# required".
+# Set to "yes" to prevent for all accounts
+# Set to "superuser" to prevent for UID 0 / root (default)
+# Set to "no" to not prevent for any account (dangerous, historical default)
+PREVENT_NO_AUTH superuser
+
+#
+# Select the HMAC cryptography algorithm.
+# Used in pam_timestamp module to calculate the keyed-hash message
+# authentication code.
+#
+# Note: It is recommended to check hmac(3) to see the possible algorithms
+# that are available in your system.
+#
+#HMAC_CRYPTO_ALGO SHA512

etc/useradd

@@ -1,8 +0,0 @@
-# useradd defaults file
-GROUP=1000
-HOME=/home
-INACTIVE=-1
-EXPIRE=
-SHELL=/bin/bash
-SKEL=/etc/skel
-CREATE_MAIL_SPOOL=yes

lib/Makefile.am

@@ -1,16 +1,17 @@
 
 AUTOMAKE_OPTIONS = 1.0 foreign
 
-DEFS = 
+DEFS =
 
 noinst_LTLIBRARIES = libshadow.la
 
-libshadow_la_LDFLAGS = -version-info 0:0:0
 libshadow_la_CPPFLAGS = $(ECONF_CPPFLAGS)
 if HAVE_VENDORDIR
 libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
 endif
 
+libshadow_la_CPPFLAGS += -I$(top_srcdir)
+
 libshadow_la_SOURCES = \
 	commonio.c \
 	commonio.h \
@@ -32,6 +33,7 @@ libshadow_la_SOURCES = \
 	groupio.h \
 	gshadow.c \
 	lockpw.c \
+	nss.c \
 	nscd.c \
 	nscd.h \
 	sssd.c \
@@ -45,6 +47,8 @@ libshadow_la_SOURCES = \
 	pwio.c \
 	pwio.h \
 	pwmem.c \
+	run_part.h \
+	run_part.c \
 	subordinateio.h \
 	subordinateio.c \
 	selinux.c \

lib/commonio.c

@@ -144,7 +144,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 	fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
 	if (-1 == fd) {
 		if (log) {
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
 			                "%s: %s: %s\n",
 			                Prog, file, strerror (errno));
 		}
@@ -156,8 +156,18 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 	len = (ssize_t) strlen (buf) + 1;
 	if (write (fd, buf, (size_t) len) != len) {
 		if (log) {
-			(void) fprintf (stderr,
-			                "%s: %s: %s\n",
+			(void) fprintf (shadow_logfd,
+			                "%s: %s file write error: %s\n",
+			                Prog, file, strerror (errno));
+		}
+		(void) close (fd);
+		unlink (file);
+		return 0;
+	}
+	if (fdatasync (fd) == -1) {
+		if (log) {
+			(void) fprintf (shadow_logfd,
+			                "%s: %s file sync error: %s\n",
 			                Prog, file, strerror (errno));
 		}
 		(void) close (fd);
@@ -169,7 +179,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 	if (link (file, lock) == 0) {
 		retval = check_link_count (file);
 		if ((0==retval) && log) {
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
 			                "%s: %s: lock file already used\n",
 			                Prog, file);
 		}
@@ -180,7 +190,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 	fd = open (lock, O_RDWR);
 	if (-1 == fd) {
 		if (log) {
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
 			                "%s: %s: %s\n",
 			                Prog, lock, strerror (errno));
 		}
@@ -192,7 +202,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 	close (fd);
 	if (len <= 0) {
 		if (log) {
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
 			                "%s: existing lock file %s without a PID\n",
 			                Prog, lock);
 		}
@@ -203,7 +213,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 	buf[len] = '\0';
 	if (get_pid (buf, &pid) == 0) {
 		if (log) {
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
 			                "%s: existing lock file %s with an invalid PID '%s'\n",
 			                Prog, lock, buf);
 		}
@@ -213,7 +223,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 	}
 	if (kill (pid, 0) == 0) {
 		if (log) {
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
 			                "%s: lock %s already used by PID %lu\n",
 			                Prog, lock, (unsigned long) pid);
 		}
@@ -223,7 +233,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 	}
 	if (unlink (lock) != 0) {
 		if (log) {
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
 			                "%s: cannot get lock %s: %s\n",
 			                Prog, lock, strerror (errno));
 		}
@@ -235,13 +245,13 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 	if (link (file, lock) == 0) {
 		retval = check_link_count (file);
 		if ((0==retval) && log) {
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
 			                "%s: %s: lock file already used\n",
 			                Prog, file);
 		}
 	} else {
 		if (log) {
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
 			                "%s: cannot get lock %s: %s\n",
 			                Prog, lock, strerror (errno));
 		}
@@ -326,8 +336,12 @@ static int create_backup (const char *backup, FILE * fp)
 		/* FIXME: unlink the backup file? */
 		return -1;
 	}
-	if (   (fsync (fileno (bkfp)) != 0)
-	    || (fclose (bkfp) != 0)) {
+	if (fsync (fileno (bkfp)) != 0) {
+		(void) fclose (bkfp);
+		/* FIXME: unlink the backup file? */
+		return -1;
+	}
+	if (fclose (bkfp) != 0) {
 		/* FIXME: unlink the backup file? */
 		return -1;
 	}
@@ -389,11 +403,11 @@ int commonio_lock_nowait (struct commonio_db *db, bool log)
 	file_len = strlen(db->filename) + 11;/* %lu max size */
 	lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
 	file = (char*)malloc(file_len);
-	if(file == NULL) {
+	if (file == NULL) {
 		goto cleanup_ENOMEM;
 	}
 	lock = (char*)malloc(lock_file_len);
-	if(lock == NULL) {
+	if (lock == NULL) {
 		goto cleanup_ENOMEM;
 	}
 	snprintf (file, file_len, "%s.%lu",
@@ -405,9 +419,9 @@ int commonio_lock_nowait (struct commonio_db *db, bool log)
 		err = 1;
 	}
 cleanup_ENOMEM:
-	if(file)
+	if (file)
 		free(file);
-	if(lock)
+	if (lock)
 		free(lock);
 	return err;
 }
@@ -432,7 +446,7 @@ int commonio_lock (struct commonio_db *db)
 		if (0 == lock_count) {
 			if (lckpwdf () == -1) {
 				if (geteuid () != 0) {
-					(void) fprintf (stderr,
+					(void) fprintf (shadow_logfd,
 					                "%s: Permission denied.\n",
 					                Prog);
 				}
@@ -468,7 +482,7 @@ int commonio_lock (struct commonio_db *db)
 		}
 		/* no unnecessary retries on "permission denied" errors */
 		if (geteuid () != 0) {
-			(void) fprintf (stderr, "%s: Permission denied.\n",
+			(void) fprintf (shadow_logfd, "%s: Permission denied.\n",
 			                Prog);
 			return 0;
 		}
@@ -964,7 +978,7 @@ int commonio_close (struct commonio_db *db)
 		snprintf (buf, sizeof buf, "%s-", db->filename);
 
 #ifdef WITH_SELINUX
-		if (set_selinux_file_context (buf) != 0) {
+		if (set_selinux_file_context (db->filename, S_IFREG) != 0) {
 			errors++;
 		}
 #endif
@@ -997,7 +1011,7 @@ int commonio_close (struct commonio_db *db)
 	snprintf (buf, sizeof buf, "%s+", db->filename);
 
 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (buf) != 0) {
+	if (set_selinux_file_context (db->filename, S_IFREG) != 0) {
 		errors++;
 	}
 #endif
@@ -1099,7 +1113,7 @@ int commonio_update (struct commonio_db *db, const void *eptr)
 	p = find_entry_by_name (db, db->ops->getname (eptr));
 	if (NULL != p) {
 		if (next_entry_by_name (db, p->next, db->ops->getname (eptr)) != NULL) {
-			fprintf (stderr, _("Multiple entries named '%s' in %s. Please fix this with pwck or grpck.\n"), db->ops->getname (eptr), db->filename);
+			fprintf (shadow_logfd, _("Multiple entries named '%s' in %s. Please fix this with pwck or grpck.\n"), db->ops->getname (eptr), db->filename);
 			db->ops->free (nentry);
 			return 0;
 		}
@@ -1204,7 +1218,7 @@ int commonio_remove (struct commonio_db *db, const char *name)
 		return 0;
 	}
 	if (next_entry_by_name (db, p->next, name) != NULL) {
-		fprintf (stderr, _("Multiple entries named '%s' in %s. Please fix this with pwck or grpck.\n"), name, db->filename);
+		fprintf (shadow_logfd, _("Multiple entries named '%s' in %s. Please fix this with pwck or grpck.\n"), name, db->filename);
 		return 0;
 	}
 

lib/commonio.h

@@ -34,10 +34,6 @@
 #ifndef COMMONIO_H
 #define COMMONIO_H
 
-#ifdef WITH_SELINUX
-#include <selinux/selinux.h>
-#endif
-
 #include "defines.h" /* bool */
 
 /*
@@ -121,7 +117,7 @@ struct commonio_db {
 	/*@dependent@*/ /*@null@*/FILE *fp;
 
 #ifdef WITH_SELINUX
-	/*@null@*/security_context_t scontext;
+	/*@null@*/char *scontext;
 #endif
 	/*
 	 * Default permissions and owner for newly created data file.

lib/defines.h

@@ -4,6 +4,8 @@
 #ifndef _DEFINES_H_
 #define _DEFINES_H_
 
+#include "config.h"
+
 #if HAVE_STDBOOL_H
 # include <stdbool.h>
 #else
@@ -94,6 +96,14 @@ char *strchr (), *strrchr (), *strtok ();
 # include <unistd.h>
 #endif
 
+/*
+ * crypt(3), crypt_gensalt(3), and their
+ * feature test macros may be defined in here.
+ */
+#if HAVE_CRYPT_H
+# include <crypt.h>
+#endif
+
 #if TIME_WITH_SYS_TIME
 # include <sys/time.h>
 # include <time.h>

lib/encrypt.c

@@ -74,6 +74,9 @@
 			case '6':
 				method = "SHA512";
 				break;
+			case 'y':
+				method = "YESCRYPT";
+				break;
 			default:
 			{
 				static char nummethod[4] = "$x$";
@@ -81,7 +84,7 @@
 				method = &nummethod[0];
 			}
 		}
-		(void) fprintf (stderr,
+		(void) fprintf (shadow_logfd,
 		                _("crypt method not supported by libcrypt? (%s)\n"),
 		                method);
 		exit (EXIT_FAILURE);

lib/faillog.h

@@ -45,8 +45,8 @@
 struct faillog {
 	short fail_cnt;		/* failures since last success */
 	short fail_max;		/* failures before turning account off */
-	char fail_line[12];	/* last failure occured here */
-	time_t fail_time;	/* last failure occured then */
+	char fail_line[12];	/* last failure occurred here */
+	time_t fail_time;	/* last failure occurred then */
 	/*
 	 * If nonzero, the account will be re-enabled if there are no
 	 * failures for fail_locktime seconds since last failure.

lib/getdef.c

@@ -61,6 +61,7 @@ struct itemdef {
 	{"ENV_TZ", NULL},			\
 	{"FAILLOG_ENAB", NULL},			\
 	{"FTMP_FILE", NULL},			\
+	{"HMAC_CRYPTO_ALGO", NULL},		\
 	{"ISSUE_FILE", NULL},			\
 	{"LASTLOG_ENAB", NULL},			\
 	{"LOGIN_STRING", NULL},			\
@@ -77,6 +78,16 @@ struct itemdef {
 	{"SU_WHEEL_ONLY", NULL},		\
 	{"ULIMIT", NULL},
 
+/*
+ * Items used in other tools (util-linux, etc.)
+ */
+#define FOREIGNDEFS				\
+	{"ALWAYS_SET_PATH", NULL},		\
+	{"ENV_ROOTPATH", NULL},			\
+	{"LOGIN_KEEP_USERNAME", NULL},		\
+	{"LOGIN_PLAIN_PROMPT", NULL},		\
+	{"MOTD_FIRSTONLY", NULL},		\
+
 
 #define NUMDEFS	(sizeof(def_table)/sizeof(def_table[0]))
 static struct itemdef def_table[] = {
@@ -93,6 +104,7 @@ static struct itemdef def_table[] = {
 	{"FAKE_SHELL", NULL},
 	{"GID_MAX", NULL},
 	{"GID_MIN", NULL},
+	{"HOME_MODE", NULL},
 	{"HUSHLOGIN_FILE", NULL},
 	{"KILLCHAR", NULL},
 	{"LASTLOG_UID_MAX", NULL},
@@ -104,6 +116,7 @@ static struct itemdef def_table[] = {
 	{"MAIL_FILE", NULL},
 	{"MAX_MEMBERS_PER_GROUP", NULL},
 	{"MD5_CRYPT_ENAB", NULL},
+	{"NONEXISTENT", NULL},
 	{"PASS_MAX_DAYS", NULL},
 	{"PASS_MIN_DAYS", NULL},
 	{"PASS_WARN_AGE", NULL},
@@ -114,6 +127,9 @@ static struct itemdef def_table[] = {
 #ifdef USE_BCRYPT
 	{"BCRYPT_MAX_ROUNDS", NULL},
 	{"BCRYPT_MIN_ROUNDS", NULL},
+#endif
+#ifdef USE_YESCRYPT
+	{"YESCRYPT_COST_FACTOR", NULL},
 #endif
 	{"SUB_GID_COUNT", NULL},
 	{"SUB_GID_MAX", NULL},
@@ -148,6 +164,8 @@ static struct itemdef def_table[] = {
 	{"USE_TCB", NULL},
 #endif
 	{"FORCE_SHADOW", NULL},
+	{"GRANT_AUX_GROUP_SUBIDS", NULL},
+	{"PREVENT_NO_AUTH", NULL},
 	{NULL, NULL}
 };
 
@@ -156,6 +174,7 @@ static struct itemdef knowndef_table[] = {
 #ifdef USE_PAM
 	PAMDEFS
 #endif
+	FOREIGNDEFS
 	{NULL, NULL}
 };
 
@@ -248,7 +267,7 @@ int getdef_num (const char *item, int dflt)
 	if (   (getlong (d->value, &val) == 0)
 	    || (val > INT_MAX)
 	    || (val < INT_MIN)) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("configuration error - cannot parse %s value: '%s'"),
 		         item, d->value);
 		return dflt;
@@ -283,7 +302,7 @@ unsigned int getdef_unum (const char *item, unsigned int dflt)
 	if (   (getlong (d->value, &val) == 0)
 	    || (val < 0)
 	    || (val > INT_MAX)) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("configuration error - cannot parse %s value: '%s'"),
 		         item, d->value);
 		return dflt;
@@ -316,7 +335,7 @@ long getdef_long (const char *item, long dflt)
 	}
 
 	if (getlong (d->value, &val) == 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("configuration error - cannot parse %s value: '%s'"),
 		         item, d->value);
 		return dflt;
@@ -349,7 +368,7 @@ unsigned long getdef_ulong (const char *item, unsigned long dflt)
 
 	if (getulong (d->value, &val) == 0) {
 		/* FIXME: we should have a getulong */
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("configuration error - cannot parse %s value: '%s'"),
 		         item, d->value);
 		return dflt;
@@ -387,7 +406,7 @@ int putdef_str (const char *name, const char *value)
 	cp = strdup (value);
 	if (NULL == cp) {
 		(void) fputs (_("Could not allocate space for config info.\n"),
-		              stderr);
+		              shadow_logfd);
 		SYSLOG ((LOG_ERR, "could not allocate space for config info"));
 		return -1;
 	}
@@ -412,7 +431,6 @@ static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name)
 {
 	struct itemdef *ptr;
 
-
 	/*
 	 * Search into the table.
 	 */
@@ -432,7 +450,7 @@ static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name)
 			goto out;
 		}
 	}
-	fprintf (stderr,
+	fprintf (shadow_logfd,
 	         _("configuration error - unknown item '%s' (notify administrator)\n"),
 	         name);
 	SYSLOG ((LOG_CRIT, "unknown configuration item `%s'", name));

lib/groupmem.c

@@ -87,6 +87,18 @@
 	return gr;
 }
 
+void gr_free_members (struct group *grent)
+{
+	if (NULL != grent->gr_mem) {
+		size_t i;
+		for (i = 0; NULL != grent->gr_mem[i]; i++) {
+			free (grent->gr_mem[i]);
+		}
+		free (grent->gr_mem);
+		grent->gr_mem = NULL;
+	}
+}
+
 void gr_free (/*@out@*/ /*@only@*/struct group *grent)
 {
 	free (grent->gr_name);
@@ -94,13 +106,36 @@ void gr_free (/*@out@*/ /*@only@*/struct group *grent)
 		memzero (grent->gr_passwd, strlen (grent->gr_passwd));
 		free (grent->gr_passwd);
 	}
-	if (NULL != grent->gr_mem) {
-		size_t i;
-		for (i = 0; NULL != grent->gr_mem[i]; i++) {
-			free (grent->gr_mem[i]);
-		}
-		free (grent->gr_mem);
-	}
+	gr_free_members(grent);
 	free (grent);
 }
 
+bool gr_append_member(struct group *grp, char *member)
+{
+	int i;
+
+	if (NULL == grp->gr_mem || grp->gr_mem[0] == NULL) {
+		grp->gr_mem = (char **)malloc(2 * sizeof(char *));
+		if (!grp->gr_mem) {
+			return false;
+		}
+		grp->gr_mem[0] = strdup(member);
+		if (!grp->gr_mem[0]) {
+			return false;
+		}
+		grp->gr_mem[1] = NULL;
+		return true;
+	}
+
+	for (i = 0; grp->gr_mem[i]; i++) ;
+	grp->gr_mem = realloc(grp->gr_mem, (i + 2) * sizeof(char *));
+	if (NULL == grp->gr_mem) {
+		return false;
+	}
+	grp->gr_mem[i] = strdup(member);
+	if (NULL == grp->gr_mem[i]) {
+		return false;
+	}
+	grp->gr_mem[i + 1] = NULL;
+	return true;
+}

lib/nscd.c

@@ -25,13 +25,13 @@ int nscd_flush_cache (const char *service)
 
 	if (run_command (cmd, spawnedArgs, spawnedEnv, &status) != 0) {
 		/* run_command writes its own more detailed message. */
-		(void) fprintf (stderr, _(MSG_NSCD_FLUSH_CACHE_FAILED), Prog);
+		(void) fprintf (shadow_logfd, _(MSG_NSCD_FLUSH_CACHE_FAILED), Prog);
 		return -1;
 	}
 
 	code = WEXITSTATUS (status);
 	if (!WIFEXITED (status)) {
-		(void) fprintf (stderr,
+		(void) fprintf (shadow_logfd,
 		                _("%s: nscd did not terminate normally (signal %d)\n"),
 		                Prog, WTERMSIG (status));
 		return -1;
@@ -43,9 +43,9 @@ int nscd_flush_cache (const char *service)
 		/* nscd is installed, but it isn't active. */
 		return 0;
 	} else if (code != 0) {
-		(void) fprintf (stderr, _("%s: nscd exited with status %d\n"),
+		(void) fprintf (shadow_logfd, _("%s: nscd exited with status %d\n"),
 		                Prog, code);
-		(void) fprintf (stderr, _(MSG_NSCD_FLUSH_CACHE_FAILED), Prog);
+		(void) fprintf (shadow_logfd, _(MSG_NSCD_FLUSH_CACHE_FAILED), Prog);
 		return -1;
 	}
 

lib/nss.c

@@ -0,0 +1,149 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <dlfcn.h>
+#include <stdbool.h>
+#include <string.h>
+#include <strings.h>
+#include <ctype.h>
+#include <stdatomic.h>
+#include "prototypes.h"
+#include "../libsubid/subid.h"
+
+#define NSSWITCH "/etc/nsswitch.conf"
+
+// NSS plugin handling for subids
+// If nsswitch has a line like
+//    subid: sssd
+// then sssd will be consulted for subids.  Unlike normal NSS dbs,
+// only one db is supported at a time.  That's open to debate, but
+// the subids are a pretty limited resource, and local files seem
+// bound to step on any other allocations leading to insecure
+// conditions.
+static atomic_flag nss_init_started;
+static atomic_bool nss_init_completed;
+
+static struct subid_nss_ops *subid_nss;
+
+bool nss_is_initialized() {
+	return atomic_load(&nss_init_completed);
+}
+
+void nss_exit() {
+	if (nss_is_initialized() && subid_nss) {
+		dlclose(subid_nss->handle);
+		free(subid_nss);
+		subid_nss = NULL;
+	}
+}
+
+// nsswitch_path is an argument only to support testing.
+void nss_init(char *nsswitch_path) {
+	FILE *nssfp = NULL;
+	char *line = NULL, *p, *token, *saveptr;
+	size_t len = 0;
+
+	if (atomic_flag_test_and_set(&nss_init_started)) {
+		// Another thread has started nss_init, wait for it to complete
+		while (!atomic_load(&nss_init_completed))
+			usleep(100);
+		return;
+	}
+
+	if (!nsswitch_path)
+		nsswitch_path = NSSWITCH;
+
+	// read nsswitch.conf to check for a line like:
+	//   subid:	files
+	nssfp = fopen(nsswitch_path, "r");
+	if (!nssfp) {
+		fprintf(shadow_logfd, "Failed opening %s: %m", nsswitch_path);
+		atomic_store(&nss_init_completed, true);
+		return;
+	}
+	while ((getline(&line, &len, nssfp)) != -1) {
+		if (line[0] == '\0' || line[0] == '#')
+			continue;
+		if (strlen(line) < 8)
+			continue;
+		if (strncasecmp(line, "subid:", 6) != 0)
+			continue;
+		p = &line[6];
+		while ((*p) && isspace(*p))
+			p++;
+		if (!*p)
+			continue;
+		for (token = strtok_r(p, " \n\t", &saveptr);
+		     token;
+		     token = strtok_r(NULL, " \n\t", &saveptr)) {
+			char libname[65];
+			void *h;
+			if (strcmp(token, "files") == 0) {
+				subid_nss = NULL;
+				goto done;
+			}
+			if (strlen(token) > 50) {
+				fprintf(shadow_logfd, "Subid NSS module name too long (longer than 50 characters): %s\n", token);
+				fprintf(shadow_logfd, "Using files\n");
+				subid_nss = NULL;
+				goto done;
+			}
+			snprintf(libname, 64,  "libsubid_%s.so", token);
+			h = dlopen(libname, RTLD_LAZY);
+			if (!h) {
+				fprintf(shadow_logfd, "Error opening %s: %s\n", libname, dlerror());
+				fprintf(shadow_logfd, "Using files\n");
+				subid_nss = NULL;
+				goto done;
+			}
+			subid_nss = malloc(sizeof(*subid_nss));
+			if (!subid_nss) {
+				dlclose(h);
+				goto done;
+			}
+			subid_nss->has_range = dlsym(h, "shadow_subid_has_range");
+			if (!subid_nss->has_range) {
+				fprintf(shadow_logfd, "%s did not provide @has_range@\n", libname);
+				dlclose(h);
+				free(subid_nss);
+				subid_nss = NULL;
+				goto done;
+			}
+			subid_nss->list_owner_ranges = dlsym(h, "shadow_subid_list_owner_ranges");
+			if (!subid_nss->list_owner_ranges) {
+				fprintf(shadow_logfd, "%s did not provide @list_owner_ranges@\n", libname);
+				dlclose(h);
+				free(subid_nss);
+				subid_nss = NULL;
+				goto done;
+			}
+			subid_nss->find_subid_owners = dlsym(h, "shadow_subid_find_subid_owners");
+			if (!subid_nss->find_subid_owners) {
+				fprintf(shadow_logfd, "%s did not provide @find_subid_owners@\n", libname);
+				dlclose(h);
+				free(subid_nss);
+				subid_nss = NULL;
+				goto done;
+			}
+			subid_nss->handle = h;
+			goto done;
+		}
+		fprintf(shadow_logfd, "No usable subid NSS module found, using files\n");
+		// subid_nss has to be null here, but to ease reviews:
+		free(subid_nss);
+		subid_nss = NULL;
+		goto done;
+	}
+
+done:
+	atomic_store(&nss_init_completed, true);
+	free(line);
+	if (nssfp) {
+		atexit(nss_exit);
+		fclose(nssfp);
+	}
+}
+
+struct subid_nss_ops *get_subid_nss_handle() {
+	nss_init(NULL);
+	return subid_nss;
+}

lib/prototypes.h

@@ -59,7 +59,8 @@
 #include "defines.h"
 #include "commonio.h"
 
-extern /*@observer@*/ const char *Prog;
+extern /*@observer@*/ const char *Prog; /* Program name showed in error messages */
+extern FILE *shadow_logfd;  /* file descripter to which error messages are printed */
 
 /* addgrps.c */
 #if defined (HAVE_SETGROUPS) && ! defined (USE_PAM)
@@ -161,12 +162,10 @@ extern int find_new_uid (bool sys_user,
 
 #ifdef ENABLE_SUBIDS
 /* find_new_sub_gids.c */
-extern int find_new_sub_gids (const char *owner,
-			      gid_t *range_start, unsigned long *range_count);
+extern int find_new_sub_gids (gid_t *range_start, unsigned long *range_count);
 
 /* find_new_sub_uids.c */
-extern int find_new_sub_uids (const char *owner,
-			      uid_t *range_start, unsigned long *range_count);
+extern int find_new_sub_uids (uid_t *range_start, unsigned long *range_count);
 #endif				/* ENABLE_SUBIDS */
 
 
@@ -208,7 +207,9 @@ extern void __gr_set_changed (void);
 
 /* groupmem.c */
 extern /*@null@*/ /*@only@*/struct group *__gr_dup (const struct group *grent);
+extern void gr_free_members (struct group *grent);
 extern void gr_free (/*@out@*/ /*@only@*/struct group *grent);
+extern bool gr_append_member (struct group *grp, char *member);
 
 /* hushed.c */
 extern bool hushed (const char *username);
@@ -262,6 +263,62 @@ extern void motd (void);
 /* myname.c */
 extern /*@null@*//*@only@*/struct passwd *get_my_pwent (void);
 
+/* nss.c */
+#include <libsubid/subid.h>
+extern void nss_init(char *nsswitch_path);
+extern bool nss_is_initialized();
+
+struct subid_nss_ops {
+	/*
+	 * nss_has_range: does a user own a given subid range
+	 *
+	 * @owner: username
+	 * @start: first subid in queried range
+	 * @count: number of subids in queried range
+	 * @idtype: subuid or subgid
+	 * @result: true if @owner has been allocated the subid range.
+	 *
+	 * returns success if the module was able to determine an answer (true or false),
+	 * else an error status.
+	 */
+	enum subid_status (*has_range)(const char *owner, unsigned long start, unsigned long count, enum subid_type idtype, bool *result);
+
+	/*
+	 * nss_list_owner_ranges: list the subid ranges delegated to a user.
+	 *
+	 * @owner - string representing username being queried
+	 * @id_type - subuid or subgid
+	 * @ranges - pointer to an array of struct subid_range, or NULL.  The
+	 *           returned array must be freed by the caller.
+	 * @count - pointer to an integer into which the number of returned ranges
+	 *          is written.
+
+	 * returns success if the module was able to determine an answer,
+	 * else an error status.
+	 */
+	enum subid_status (*list_owner_ranges)(const char *owner, enum subid_type id_type, struct subid_range **ranges, int *count);
+
+	/*
+	 * nss_find_subid_owners: find uids who own a given subuid or subgid.
+	 *
+	 * @id - the delegated id (subuid or subgid) being queried
+	 * @id_type - subuid or subgid
+	 * @uids - pointer to an array of uids which will be allocated by
+	 *         nss_find_subid_owners()
+	 * @count - number of uids found
+	 *
+	 * returns success if the module was able to determine an answer,
+	 * else an error status.
+	 */
+	enum subid_status (*find_subid_owners)(unsigned long id, enum subid_type id_type, uid_t **uids, int *count);
+
+	/* The dlsym handle to close */
+	void *handle;
+};
+
+extern struct subid_nss_ops *get_subid_nss_handle();
+
+
 /* pam_pass_non_interactive.c */
 #ifdef USE_PAM
 extern int do_pam_passwd_non_interactive (const char *pam_service,
@@ -334,7 +391,8 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
 
 /* selinux.c */
 #ifdef WITH_SELINUX
-extern int set_selinux_file_context (const char *dst_name);
+extern int set_selinux_file_context (const char *dst_name, mode_t mode);
+extern void reset_selinux_handle (void);
 extern int reset_selinux_file_context (void);
 extern int check_selinux_permit (const char *perm_name);
 #endif
@@ -448,6 +506,7 @@ extern bool valid (const char *, const struct passwd *);
 extern /*@maynotreturn@*/ /*@only@*//*@out@*//*@notnull@*/char *xmalloc (size_t size)
   /*@ensures MaxSet(result) == (size - 1); @*/;
 extern /*@maynotreturn@*/ /*@only@*//*@notnull@*/char *xstrdup (const char *);
+extern void xfree(void *ap);
 
 /* xgetpwnam.c */
 extern /*@null@*/ /*@only@*/struct passwd *xgetpwnam (const char *);

lib/pwauth.c

@@ -127,7 +127,7 @@ int pw_auth (const char *cipher,
 #ifdef	SKEY
 	/*
 	 * If the user has an S/KEY entry show them the pertinent info
-	 * and then we can try validating the created cyphertext and the SKEY.
+	 * and then we can try validating the created ciphertext and the SKEY.
 	 * If there is no SKEY information we default to not using SKEY.
 	 */
 

lib/pwmem.c

@@ -93,14 +93,16 @@
 
 void pw_free (/*@out@*/ /*@only@*/struct passwd *pwent)
 {
-	free (pwent->pw_name);
-	if (pwent->pw_passwd) {
-		memzero (pwent->pw_passwd, strlen (pwent->pw_passwd));
-		free (pwent->pw_passwd);
+	if (pwent != NULL) {
+		free (pwent->pw_name);
+		if (pwent->pw_passwd) {
+			memzero (pwent->pw_passwd, strlen (pwent->pw_passwd));
+			free (pwent->pw_passwd);
+		}
+		free (pwent->pw_gecos);
+		free (pwent->pw_dir);
+		free (pwent->pw_shell);
+		free (pwent);
 	}
-	free (pwent->pw_gecos);
-	free (pwent->pw_dir);
-	free (pwent->pw_shell);
-	free (pwent);
 }
 

lib/run_part.c

@@ -0,0 +1,102 @@
+#include <dirent.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <lib/prototypes.h>
+
+int run_part (char *script_path, char *name, char *action)
+{
+	int pid;
+	int wait_status;
+	int pid_status;
+	char *args[] = { script_path, NULL };
+
+	pid=fork();
+	if (pid==-1) {
+		perror ("Could not fork");
+		return 1;
+	}
+	if (pid==0) {
+		setenv ("ACTION",action,1);
+		setenv ("SUBJECT",name,1);
+		execv (script_path,args);
+		perror ("execv");
+		exit(1);
+	}
+
+	pid_status = wait (&wait_status);
+	if (pid_status == pid) {
+		return (wait_status);
+	}
+
+	perror ("waitpid");
+	return (1);
+}
+
+int run_parts (char *directory, char *name, char *action)
+{
+	struct dirent **namelist;
+	int scanlist;
+	int n;
+	int execute_result;
+
+	scanlist = scandir (directory, &namelist, 0, alphasort);
+	if (scanlist<0) {
+		return (0);
+	}
+
+	for (n=0; n<scanlist; n++) {
+		int path_length;
+		struct stat sb;
+
+		path_length=strlen(directory) + strlen(namelist[n]->d_name) + 2;
+		char *s = (char*)malloc(path_length);
+		if (!s) {
+			printf ("could not allocate memory\n");
+			for (; n<scanlist; n++) {
+				free (namelist[n]);
+			}
+			free (namelist);
+			return (1);
+		}
+		snprintf (s, path_length, "%s/%s", directory, namelist[n]->d_name);
+
+		execute_result = 0;
+		if (stat (s, &sb) == -1) {
+			perror ("stat");
+			free (s);
+			for (; n<scanlist; n++) {
+				free (namelist[n]);
+			}
+			free (namelist);
+			return (1);
+		}
+
+		if (S_ISREG (sb.st_mode) || S_ISLNK (sb.st_mode)) {
+			execute_result = run_part (s, name, action);
+		}
+
+		free (s);
+
+		if (execute_result!=0) {
+			fprintf (shadow_logfd,
+				"%s: did not exit cleanly.\n",
+			    namelist[n]->d_name);
+			for (; n<scanlist; n++) {
+				free (namelist[n]);
+			}
+			break;
+		}
+
+		free (namelist[n]);
+	}
+	free (namelist);
+
+	return (execute_result);
+}
+

lib/run_part.h

@@ -0,0 +1,2 @@
+int run_part (char *script_path, char *name, char *action);
+int run_parts (char *directory, char *name, char *action);

lib/selinux.c

@@ -31,15 +31,29 @@
 
 #ifdef WITH_SELINUX
 
+#include <stdio.h>
 #include "defines.h"
 
 #include <selinux/selinux.h>
-#include <selinux/context.h>
+#include <selinux/label.h>
 #include "prototypes.h"
 
-
 static bool selinux_checked = false;
 static bool selinux_enabled;
+static /*@null@*/struct selabel_handle *selabel_hnd = NULL;
+
+static void cleanup(void)
+{
+	if (selabel_hnd) {
+		selabel_close(selabel_hnd);
+		selabel_hnd = NULL;
+	}
+}
+
+void reset_selinux_handle (void)
+{
+    cleanup();
+}
 
 /*
  * set_selinux_file_context - Set the security context before any file or
@@ -51,10 +65,8 @@ static bool selinux_enabled;
  *	Callers may have to Reset SELinux to create files with default
  *	contexts with reset_selinux_file_context
  */
-int set_selinux_file_context (const char *dst_name)
+int set_selinux_file_context (const char *dst_name, mode_t mode)
 {
-	/*@null@*/security_context_t scontext = NULL;
-
 	if (!selinux_checked) {
 		selinux_enabled = is_selinux_enabled () > 0;
 		selinux_checked = true;
@@ -62,18 +74,34 @@ int set_selinux_file_context (const char *dst_name)
 
 	if (selinux_enabled) {
 		/* Get the default security context for this file */
-		if (matchpathcon (dst_name, 0, &scontext) < 0) {
-			if (security_getenforce () != 0) {
-				return 1;
+
+		/*@null@*/char *fcontext_raw = NULL;
+		int r;
+
+		if (selabel_hnd == NULL) {
+			selabel_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+			if (selabel_hnd == NULL) {
+				return security_getenforce () != 0;
 			}
+			(void) atexit(cleanup);
 		}
+
+		r = selabel_lookup_raw(selabel_hnd, &fcontext_raw, dst_name, mode);
+		if (r < 0) {
+			/* No context specified for the searched path */
+			if (errno == ENOENT) {
+				return 0;
+			}
+
+			return security_getenforce () != 0;
+		}
+
 		/* Set the security context for the next created file */
-		if (setfscreatecon (scontext) < 0) {
-			if (security_getenforce () != 0) {
-				return 1;
-			}
+		r = setfscreatecon_raw (fcontext_raw);
+		freecon (fcontext_raw);
+		if (r < 0) {
+			return security_getenforce () != 0;
 		}
-		freecon (scontext);
 	}
 	return 0;
 }
@@ -92,8 +120,8 @@ int reset_selinux_file_context (void)
 		selinux_checked = true;
 	}
 	if (selinux_enabled) {
-		if (setfscreatecon (NULL) != 0) {
-			return 1;
+		if (setfscreatecon_raw (NULL) != 0) {
+			return security_getenforce () != 0;
 		}
 	}
 	return 0;
@@ -131,7 +159,7 @@ static int selinux_log_cb (int type, const char *fmt, ...) {
 			    && (errno != EAFNOSUPPORT)) {
 
 			    (void) fputs (_("Cannot open audit interface.\n"),
-			              stderr);
+			              shadow_logfd);
 			    SYSLOG ((LOG_WARN, "Cannot open audit interface."));
 			}
 		}
@@ -174,7 +202,7 @@ skip_syslog:
  */
 int check_selinux_permit (const char *perm_name)
 {
-	char *user_context_str;
+	char *user_context_raw;
 	int r;
 
 	if (0 == is_selinux_enabled ()) {
@@ -183,8 +211,8 @@ int check_selinux_permit (const char *perm_name)
 
 	selinux_set_callback (SELINUX_CB_LOG, (union selinux_callback) selinux_log_cb);
 
-	if (getprevcon (&user_context_str) != 0) {
-		fprintf (stderr,
+	if (getprevcon_raw (&user_context_raw) != 0) {
+		fprintf (shadow_logfd,
 		    _("%s: can not get previous SELinux process context: %s\n"),
 		    Prog, strerror (errno));
 		SYSLOG ((LOG_WARN,
@@ -193,8 +221,8 @@ int check_selinux_permit (const char *perm_name)
 		return (security_getenforce () != 0);
 	}
 
-	r = selinux_check_access (user_context_str, user_context_str, "passwd", perm_name, NULL);
-	freecon (user_context_str);
+	r = selinux_check_access (user_context_raw, user_context_raw, "passwd", perm_name, NULL);
+	freecon (user_context_raw);
 	return r;
 }
 

lib/semanage.c

@@ -69,7 +69,7 @@ static void semanage_error_callback (unused void *varg,
 	switch (semanage_msg_get_level (handle)) {
 	case SEMANAGE_MSG_ERR:
 	case SEMANAGE_MSG_WARN:
-		fprintf (stderr, _("[libsemanage]: %s\n"), message);
+		fprintf (shadow_logfd, _("[libsemanage]: %s\n"), message);
 		break;
 	case SEMANAGE_MSG_INFO:
 		/* nop */
@@ -87,7 +87,7 @@ static semanage_handle_t *semanage_init (void)
 
 	handle = semanage_handle_create ();
 	if (NULL == handle) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("Cannot create SELinux management handle\n"));
 		return NULL;
 	}
@@ -96,26 +96,26 @@ static semanage_handle_t *semanage_init (void)
 
 	ret = semanage_is_managed (handle);
 	if (ret != 1) {
-		fprintf (stderr, _("SELinux policy not managed\n"));
+		fprintf (shadow_logfd, _("SELinux policy not managed\n"));
 		goto fail;
 	}
 
 	ret = semanage_access_check (handle);
 	if (ret < SEMANAGE_CAN_READ) {
-		fprintf (stderr, _("Cannot read SELinux policy store\n"));
+		fprintf (shadow_logfd, _("Cannot read SELinux policy store\n"));
 		goto fail;
 	}
 
 	ret = semanage_connect (handle);
 	if (ret != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("Cannot establish SELinux management connection\n"));
 		goto fail;
 	}
 
 	ret = semanage_begin_transaction (handle);
 	if (ret != 0) {
-		fprintf (stderr, _("Cannot begin SELinux transaction\n"));
+		fprintf (shadow_logfd, _("Cannot begin SELinux transaction\n"));
 		goto fail;
 	}
 
@@ -137,7 +137,7 @@ static int semanage_user_mod (semanage_handle_t *handle,
 
 	semanage_seuser_query (handle, key, &seuser);
 	if (NULL == seuser) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("Could not query seuser for %s\n"), login_name);
 		ret = 1;
 		goto done;
@@ -145,7 +145,7 @@ static int semanage_user_mod (semanage_handle_t *handle,
 
 	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
 	if (ret != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("Could not set serange for %s\n"), login_name);
 		ret = 1;
 		goto done;
@@ -153,7 +153,7 @@ static int semanage_user_mod (semanage_handle_t *handle,
 
 	ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
 	if (ret != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("Could not set sename for %s\n"),
 		         login_name);
 		ret = 1;
@@ -162,7 +162,7 @@ static int semanage_user_mod (semanage_handle_t *handle,
 
 	ret = semanage_seuser_modify_local (handle, key, seuser);
 	if (ret != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("Could not modify login mapping for %s\n"),
 		         login_name);
 		ret = 1;
@@ -186,7 +186,7 @@ static int semanage_user_add (semanage_handle_t *handle,
 
 	ret = semanage_seuser_create (handle, &seuser);
 	if (ret != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("Cannot create SELinux login mapping for %s\n"),
 		         login_name);
 		ret = 1;
@@ -195,14 +195,14 @@ static int semanage_user_add (semanage_handle_t *handle,
 
 	ret = semanage_seuser_set_name (handle, seuser, login_name);
 	if (ret != 0) {
-		fprintf (stderr, _("Could not set name for %s\n"), login_name);
+		fprintf (shadow_logfd, _("Could not set name for %s\n"), login_name);
 		ret = 1;
 		goto done;
 	}
 
 	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
 	if (ret != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("Could not set serange for %s\n"),
 		         login_name);
 		ret = 1;
@@ -211,7 +211,7 @@ static int semanage_user_add (semanage_handle_t *handle,
 
 	ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
 	if (ret != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("Could not set SELinux user for %s\n"),
 		         login_name);
 		ret = 1;
@@ -220,7 +220,7 @@ static int semanage_user_add (semanage_handle_t *handle,
 
 	ret = semanage_seuser_modify_local (handle, key, seuser);
 	if (ret != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("Could not add login mapping for %s\n"),
 		         login_name);
 		ret = 1;
@@ -248,21 +248,21 @@ int set_seuser (const char *login_name, const char *seuser_name)
 
 	handle = semanage_init ();
 	if (NULL == handle) {
-		fprintf (stderr, _("Cannot init SELinux management\n"));
+		fprintf (shadow_logfd, _("Cannot init SELinux management\n"));
 		ret = 1;
 		goto done;
 	}
 
 	ret = semanage_seuser_key_create (handle, login_name, &key);
 	if (ret != 0) {
-		fprintf (stderr, _("Cannot create SELinux user key\n"));
+		fprintf (shadow_logfd, _("Cannot create SELinux user key\n"));
 		ret = 1;
 		goto done;
 	}
 
 	ret = semanage_seuser_exists (handle, key, &seuser_exists);
 	if (ret < 0) {
-		fprintf (stderr, _("Cannot verify the SELinux user\n"));
+		fprintf (shadow_logfd, _("Cannot verify the SELinux user\n"));
 		ret = 1;
 		goto done;
 	}
@@ -270,7 +270,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
 	if (0 != seuser_exists) {
 		ret = semanage_user_mod (handle, key, login_name, seuser_name);
 		if (ret != 0) {
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 			         _("Cannot modify SELinux user mapping\n"));
 			ret = 1;
 			goto done;
@@ -278,7 +278,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
 	} else {
 		ret = semanage_user_add (handle, key, login_name, seuser_name);
 		if (ret != 0) {
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 			         _("Cannot add SELinux user mapping\n"));
 			ret = 1;
 			goto done;
@@ -287,12 +287,13 @@ int set_seuser (const char *login_name, const char *seuser_name)
 
 	ret = semanage_commit (handle);
 	if (ret < 0) {
-		fprintf (stderr, _("Cannot commit SELinux transaction\n"));
+		fprintf (shadow_logfd, _("Cannot commit SELinux transaction\n"));
 		ret = 1;
 		goto done;
 	}
 
 	ret = 0;
+	reset_selinux_handle();
 
 done:
 	semanage_seuser_key_free (key);
@@ -310,28 +311,28 @@ int del_seuser (const char *login_name)
 
 	handle = semanage_init ();
 	if (NULL == handle) {
-		fprintf (stderr, _("Cannot init SELinux management\n"));
+		fprintf (shadow_logfd, _("Cannot init SELinux management\n"));
 		ret = 1;
 		goto done;
 	}
 
 	ret = semanage_seuser_key_create (handle, login_name, &key);
 	if (ret != 0) {
-		fprintf (stderr, _("Cannot create SELinux user key\n"));
+		fprintf (shadow_logfd, _("Cannot create SELinux user key\n"));
 		ret = 1;
 		goto done;
 	}
 
 	ret = semanage_seuser_exists (handle, key, &exists);
 	if (ret < 0) {
-		fprintf (stderr, _("Cannot verify the SELinux user\n"));
+		fprintf (shadow_logfd, _("Cannot verify the SELinux user\n"));
 		ret = 1;
 		goto done;
 	}
 
 	if (0 == exists) {
-		fprintf (stderr,
-		         _("Login mapping for %s is not defined, OK if default mapping was used\n"), 
+		fprintf (shadow_logfd,
+		         _("Login mapping for %s is not defined, OK if default mapping was used\n"),
 		         login_name);
 		ret = 0;  /* probably default mapping */
 		goto done;
@@ -339,14 +340,14 @@ int del_seuser (const char *login_name)
 
 	ret = semanage_seuser_exists_local (handle, key, &exists);
 	if (ret < 0) {
-		fprintf (stderr, _("Cannot verify the SELinux user\n"));
+		fprintf (shadow_logfd, _("Cannot verify the SELinux user\n"));
 		ret = 1;
 		goto done;
 	}
 
 	if (0 == exists) {
-		fprintf (stderr,
-		         _("Login mapping for %s is defined in policy, cannot be deleted\n"), 
+		fprintf (shadow_logfd,
+		         _("Login mapping for %s is defined in policy, cannot be deleted\n"),
 		         login_name);
 		ret = 0; /* Login mapping defined in policy can't be deleted */
 		goto done;
@@ -354,7 +355,7 @@ int del_seuser (const char *login_name)
 
 	ret = semanage_seuser_del_local (handle, key);
 	if (ret != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("Could not delete login mapping for %s"),
 		         login_name);
 		ret = 1;
@@ -363,7 +364,7 @@ int del_seuser (const char *login_name)
 
 	ret = semanage_commit (handle);
 	if (ret < 0) {
-		fprintf (stderr, _("Cannot commit SELinux transaction\n"));
+		fprintf (shadow_logfd, _("Cannot commit SELinux transaction\n"));
 		ret = 1;
 		goto done;
 	}

lib/sgetpwent.c

@@ -91,7 +91,7 @@ struct passwd *sgetpwent (const char *buf)
 	}
 
 	/* something at the end, columns over shot */
-	if( cp != NULL ) {
+	if ( cp != NULL ) {
 		return( NULL );
 	}
 

lib/sgetspent.c

@@ -52,7 +52,6 @@ struct spwd *sgetspent (const char *string)
 	static struct spwd spwd;
 	char *fields[FIELDS];
 	char *cp;
-	char *cpp;
 	int i;
 
 	/*

lib/shadow.c

@@ -130,7 +130,6 @@ static struct spwd *my_sgetspent (const char *string)
 	static struct spwd spwd;
 	char *fields[FIELDS];
 	char *cp;
-	char *cpp;
 	int i;
 
 	/*
@@ -389,7 +388,6 @@ struct spwd *getspent (void)
 #ifdef	USE_NIS
 	int nis_1_user = 0;
 	struct spwd *val;
-	char buf[BUFSIZ];
 #endif
 	if (NULL == shadow) {
 		setspent ();
@@ -484,7 +482,6 @@ struct spwd *getspnam (const char *name)
 	struct spwd *sp;
 
 #ifdef	USE_NIS
-	char buf[BUFSIZ];
 	static char save_name[16];
 	bool nis_disabled = false;
 #endif

lib/shadowmem.c

@@ -79,11 +79,13 @@
 
 void spw_free (/*@out@*/ /*@only@*/struct spwd *spent)
 {
-	free (spent->sp_namp);
-	if (NULL != spent->sp_pwdp) {
-		memzero (spent->sp_pwdp, strlen (spent->sp_pwdp));
-		free (spent->sp_pwdp);
+	if (spent != NULL) {
+		free (spent->sp_namp);
+		if (NULL != spent->sp_pwdp) {
+			memzero (spent->sp_pwdp, strlen (spent->sp_pwdp));
+			free (spent->sp_pwdp);
+		}
+		free (spent);
 	}
-	free (spent);
 }
 

lib/spawn.c

@@ -48,7 +48,7 @@ int run_command (const char *cmd, const char *argv[],
 	}
 
 	(void) fflush (stdout);
-	(void) fflush (stderr);
+	(void) fflush (shadow_logfd);
 
 	pid = fork ();
 	if (0 == pid) {
@@ -57,11 +57,11 @@ int run_command (const char *cmd, const char *argv[],
 		if (ENOENT == errno) {
 			exit (E_CMD_NOTFOUND);
 		}
-		fprintf (stderr, "%s: cannot execute %s: %s\n",
+		fprintf (shadow_logfd, "%s: cannot execute %s: %s\n",
 		         Prog, cmd, strerror (errno));
 		exit (E_CMD_NOEXEC);
 	} else if ((pid_t)-1 == pid) {
-		fprintf (stderr, "%s: cannot execute %s: %s\n",
+		fprintf (shadow_logfd, "%s: cannot execute %s: %s\n",
 		         Prog, cmd, strerror (errno));
 		return -1;
 	}
@@ -74,7 +74,7 @@ int run_command (const char *cmd, const char *argv[],
 	         || ((pid_t)-1 != wpid && wpid != pid));
 
 	if ((pid_t)-1 == wpid) {
-		fprintf (stderr, "%s: waitpid (status: %d): %s\n",
+		fprintf (shadow_logfd, "%s: waitpid (status: %d): %s\n",
 		         Prog, *status, strerror (errno));
 		return -1;
 	}

lib/sssd.c

@@ -11,7 +11,7 @@
 #include "prototypes.h"
 #include "sssd.h"
 
-#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
+#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache."
 
 int sssd_flush_cache (int dbflags)
 {
@@ -46,24 +46,22 @@ int sssd_flush_cache (int dbflags)
 	free(sss_cache_args);
 	if (rv != 0) {
 		/* run_command writes its own more detailed message. */
-		(void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+		SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
 		return -1;
 	}
 
 	code = WEXITSTATUS (status);
 	if (!WIFEXITED (status)) {
-		(void) fprintf (stderr,
-		                _("%s: sss_cache did not terminate normally (signal %d)\n"),
-		                Prog, WTERMSIG (status));
+		SYSLOG ((LOG_WARN, "%s: sss_cache did not terminate normally (signal %d)",
+			Prog, WTERMSIG (status)));
 		return -1;
 	} else if (code == E_CMD_NOTFOUND) {
 		/* sss_cache is not installed, or it is installed but uses an
 		   interpreter that is missing.  Probably the former. */
 		return 0;
 	} else if (code != 0) {
-		(void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
-		                Prog, code);
-		(void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+		SYSLOG ((LOG_WARN, "%s: sss_cache exited with status %d", Prog, code));
+		SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
 		return -1;
 	}
 

lib/subordinateio.c

@@ -11,16 +11,11 @@
 #include <stdio.h>
 #include "commonio.h"
 #include "subordinateio.h"
+#include "../libsubid/subid.h"
 #include <sys/types.h>
 #include <pwd.h>
-
-struct subordinate_range {
-	const char *owner;
-	unsigned long start;
-	unsigned long count;
-};
-
-#define NFIELDS 3
+#include <ctype.h>
+#include <fcntl.h>
 
 /*
  * subordinate_dup: create a duplicate range
@@ -58,7 +53,7 @@ static /*@null@*/ /*@only@*/void *subordinate_dup (const void *ent)
 static void subordinate_free (/*@out@*/ /*@only@*/void *ent)
 {
 	struct subordinate_range *rangeent = ent;
-	
+
 	free ((void *)(rangeent->owner));
 	free (rangeent);
 }
@@ -78,7 +73,7 @@ static void *subordinate_parse (const char *line)
 	static char rangebuf[1024];
 	int i;
 	char *cp;
-	char *fields[NFIELDS];
+	char *fields[SUBID_NFIELDS];
 
 	/*
 	 * Copy the string to a temporary buffer so the substrings can
@@ -93,7 +88,7 @@ static void *subordinate_parse (const char *line)
 	 * field.  The fields are converted into NUL terminated strings.
 	 */
 
-	for (cp = rangebuf, i = 0; (i < NFIELDS) && (NULL != cp); i++) {
+	for (cp = rangebuf, i = 0; (i < SUBID_NFIELDS) && (NULL != cp); i++) {
 		fields[i] = cp;
 		while (('\0' != *cp) && (':' != *cp)) {
 			cp++;
@@ -108,10 +103,10 @@ static void *subordinate_parse (const char *line)
 	}
 
 	/*
-	 * There must be exactly NFIELDS colon separated fields or
+	 * There must be exactly SUBID_NFIELDS colon separated fields or
 	 * the entry is invalid.  Also, fields must be non-blank.
 	 */
-	if (i != NFIELDS || *fields[0] == '\0' || *fields[1] == '\0' || *fields[2] == '\0')
+	if (i != SUBID_NFIELDS || *fields[0] == '\0' || *fields[1] == '\0' || *fields[2] == '\0')
 		return NULL;
 	range.owner = fields[0];
 	if (getulong (fields[1], &range.start) == 0)
@@ -229,7 +224,7 @@ static const struct subordinate_range *find_range(struct commonio_db *db,
         /* Get UID of the username we are looking for */
         pwd = getpwnam(owner);
         if (NULL == pwd) {
-                /* Username not defined in /etc/passwd, or error occured during lookup */
+                /* Username not defined in /etc/passwd, or error occurred during lookup */
                 return NULL;
         }
         owner_uid = pwd->pw_uid;
@@ -301,7 +296,7 @@ static bool have_range(struct commonio_db *db,
 	end = start + count - 1;
 	range = find_range (db, owner, start);
 	while (range) {
-		unsigned long last; 
+		unsigned long last;
 
 		last = range->start + range->count - 1;
 		if (last >= (start + count - 1))
@@ -314,6 +309,35 @@ static bool have_range(struct commonio_db *db,
 	return false;
 }
 
+static bool append_range(struct subid_range **ranges, const struct subordinate_range *new, int n)
+{
+	if (!*ranges) {
+		*ranges = malloc(sizeof(struct subid_range));
+		if (!*ranges)
+			return false;
+	} else {
+		struct subid_range *alloced;
+		alloced = realloc(*ranges, (n + 1) * (sizeof(struct subid_range)));
+		if (!alloced)
+			return false;
+		*ranges = alloced;
+	}
+	(*ranges)[n].start = new->start;
+	(*ranges)[n].count = new->count;
+	return true;
+}
+
+void free_subordinate_ranges(struct subordinate_range **ranges, int count)
+{
+	int i;
+
+	if (!ranges)
+		return;
+	for (i = 0; i < count; i++)
+		subordinate_free(ranges[i]);
+	free(ranges);
+}
+
 /*
  * subordinate_range_cmp: compare uid ranges
  *
@@ -574,23 +598,37 @@ int sub_uid_open (int mode)
 	return commonio_open (&subordinate_uid_db, mode);
 }
 
-bool sub_uid_assigned(const char *owner)
+bool local_sub_uid_assigned(const char *owner)
 {
 	return range_exists (&subordinate_uid_db, owner);
 }
 
 bool have_sub_uids(const char *owner, uid_t start, unsigned long count)
 {
+	struct subid_nss_ops *h;
+	bool found;
+	enum subid_status status;
+	h = get_subid_nss_handle();
+	if (h) {
+		status = h->has_range(owner, start, count, ID_TYPE_UID, &found);
+		if (status == SUBID_STATUS_SUCCESS && found)
+			return true;
+		return false;
+	}
 	return have_range (&subordinate_uid_db, owner, start, count);
 }
 
 int sub_uid_add (const char *owner, uid_t start, unsigned long count)
 {
+	if (get_subid_nss_handle())
+		return -EOPNOTSUPP;
 	return add_range (&subordinate_uid_db, owner, start, count);
 }
 
 int sub_uid_remove (const char *owner, uid_t start, unsigned long count)
 {
+	if (get_subid_nss_handle())
+		return -EOPNOTSUPP;
 	return remove_range (&subordinate_uid_db, owner, start, count);
 }
 
@@ -658,21 +696,35 @@ int sub_gid_open (int mode)
 
 bool have_sub_gids(const char *owner, gid_t start, unsigned long count)
 {
+	struct subid_nss_ops *h;
+	bool found;
+	enum subid_status status;
+	h = get_subid_nss_handle();
+	if (h) {
+		status = h->has_range(owner, start, count, ID_TYPE_GID, &found);
+		if (status == SUBID_STATUS_SUCCESS && found)
+			return true;
+		return false;
+	}
 	return have_range(&subordinate_gid_db, owner, start, count);
 }
 
-bool sub_gid_assigned(const char *owner)
+bool local_sub_gid_assigned(const char *owner)
 {
 	return range_exists (&subordinate_gid_db, owner);
 }
 
 int sub_gid_add (const char *owner, gid_t start, unsigned long count)
 {
+	if (get_subid_nss_handle())
+		return -EOPNOTSUPP;
 	return add_range (&subordinate_gid_db, owner, start, count);
 }
 
 int sub_gid_remove (const char *owner, gid_t start, unsigned long count)
 {
+	if (get_subid_nss_handle())
+		return -EOPNOTSUPP;
 	return remove_range (&subordinate_gid_db, owner, start, count);
 }
 
@@ -692,6 +744,308 @@ gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
 	start = find_free_range (&subordinate_gid_db, min, max, count);
 	return start == ULONG_MAX ? (gid_t) -1 : start;
 }
+
+/*
+ * int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
+ *
+ * @owner: username
+ * @id_type: UID or GUID
+ * @ranges: pointer to array of ranges into which results will be placed.
+ *
+ * Fills in the subuid or subgid ranges which are owned by the specified
+ * user.  Username may be a username or a string representation of a
+ * UID number.  If id_type is UID, then subuids are returned, else
+ * subgids are given.
+
+ * Returns the number of ranges found, or < 0 on error.
+ *
+ * The caller must free the subordinate range list.
+ */
+int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **in_ranges)
+{
+	// TODO - need to handle owner being either uid or username
+	struct subid_range *ranges = NULL;
+	const struct subordinate_range *range;
+	struct commonio_db *db;
+	enum subid_status status;
+	int count = 0;
+	struct subid_nss_ops *h;
+
+	*in_ranges = NULL;
+
+	h = get_subid_nss_handle();
+	if (h) {
+		status = h->list_owner_ranges(owner, id_type, in_ranges, &count);
+		if (status == SUBID_STATUS_SUCCESS)
+			return count;
+		return -1;
+	}
+
+	switch (id_type) {
+	case ID_TYPE_UID:
+		if (!sub_uid_open(O_RDONLY)) {
+			return -1;
+		}
+		db = &subordinate_uid_db;
+		break;
+	case ID_TYPE_GID:
+		if (!sub_gid_open(O_RDONLY)) {
+			return -1;
+		}
+		db = &subordinate_gid_db;
+		break;
+	default:
+		return -1;
+	}
+
+	commonio_rewind(db);
+	while ((range = commonio_next(db)) != NULL) {
+		if (0 == strcmp(range->owner, owner)) {
+			if (!append_range(&ranges, range, count++)) {
+				free(ranges);
+				ranges = NULL;
+				count = -1;
+				goto out;
+			}
+		}
+	}
+
+out:
+	if (id_type == ID_TYPE_UID)
+		sub_uid_close();
+	else
+		sub_gid_close();
+
+	*in_ranges = ranges;
+	return count;
+}
+
+static bool all_digits(const char *str)
+{
+	int i;
+
+	for (i = 0; str[i] != '\0'; i++)
+		if (!isdigit(str[i]))
+			return false;
+	return true;
+}
+
+static int append_uids(uid_t **uids, const char *owner, int n)
+{
+	uid_t owner_uid;
+	uid_t *ret;
+	int i;
+
+	if (all_digits(owner)) {
+		i = sscanf(owner, "%d", &owner_uid);
+		if (i != 1) {
+			// should not happen
+			free(*uids);
+			*uids = NULL;
+			return -1;
+		}
+	} else {
+		struct passwd *pwd = getpwnam(owner);
+		if (NULL == pwd) {
+			/* Username not defined in /etc/passwd, or error occurred during lookup */
+			free(*uids);
+			*uids = NULL;
+			return -1;
+		}
+		owner_uid = pwd->pw_uid;
+	}
+
+	for (i = 0; i < n; i++) {
+		if (owner_uid == (*uids)[i])
+			return n;
+	}
+
+	ret = realloc(*uids, (n + 1) * sizeof(uid_t));
+	if (!ret) {
+		free(*uids);
+		return -1;
+	}
+	ret[n] = owner_uid;
+	*uids = ret;
+	return n+1;
+}
+
+int find_subid_owners(unsigned long id, enum subid_type id_type, uid_t **uids)
+{
+	const struct subordinate_range *range;
+	struct subid_nss_ops *h;
+	enum subid_status status;
+	struct commonio_db *db;
+	int n = 0;
+
+	h = get_subid_nss_handle();
+	if (h) {
+		status = h->find_subid_owners(id, id_type, uids, &n);
+		// Several ways we could handle the error cases here.
+		if (status != SUBID_STATUS_SUCCESS)
+			return -1;
+		return n;
+	}
+
+	switch (id_type) {
+	case ID_TYPE_UID:
+		if (!sub_uid_open(O_RDONLY)) {
+			return -1;
+		}
+		db = &subordinate_uid_db;
+		break;
+	case ID_TYPE_GID:
+		if (!sub_gid_open(O_RDONLY)) {
+			return -1;
+		}
+		db = &subordinate_gid_db;
+		break;
+	default:
+		return -1;
+	}
+
+	*uids = NULL;
+
+	commonio_rewind(db);
+	while ((range = commonio_next(db)) != NULL) {
+		if (id >= range->start && id < range->start + range-> count) {
+			n = append_uids(uids, range->owner, n);
+			if (n < 0)
+				break;
+		}
+	}
+
+	if (id_type == ID_TYPE_UID)
+		sub_uid_close();
+	else
+		sub_gid_close();
+
+	return n;
+}
+
+bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, bool reuse)
+{
+	struct commonio_db *db;
+	const struct subordinate_range *r;
+	bool ret;
+
+	if (get_subid_nss_handle())
+		return false;
+
+	switch (id_type) {
+	case ID_TYPE_UID:
+		if (!sub_uid_lock()) {
+			printf("Failed loging subuids (errno %d)\n", errno);
+			return false;
+		}
+		if (!sub_uid_open(O_CREAT | O_RDWR)) {
+			printf("Failed opening subuids (errno %d)\n", errno);
+			sub_uid_unlock();
+			return false;
+		}
+		db = &subordinate_uid_db;
+		break;
+	case ID_TYPE_GID:
+		if (!sub_gid_lock()) {
+			printf("Failed loging subgids (errno %d)\n", errno);
+			return false;
+		}
+		if (!sub_gid_open(O_CREAT | O_RDWR)) {
+			printf("Failed opening subgids (errno %d)\n", errno);
+			sub_gid_unlock();
+			return false;
+		}
+		db = &subordinate_gid_db;
+		break;
+	default:
+		return false;
+	}
+
+	commonio_rewind(db);
+	if (reuse) {
+		while ((r = commonio_next(db)) != NULL) {
+			// TODO account for username vs uid_t
+			if (0 != strcmp(r->owner, range->owner))
+				continue;
+			if (r->count >= range->count) {
+				range->count = r->count;
+				range->start = r->start;
+				return true;
+			}
+		}
+	}
+
+	range->start = find_free_range(db, range->start, ULONG_MAX, range->count);
+
+	if (range->start == ULONG_MAX) {
+		ret = false;
+		goto out;
+	}
+
+	ret = add_range(db, range->owner, range->start, range->count) == 1;
+
+out:
+	if (id_type == ID_TYPE_UID) {
+		sub_uid_close();
+		sub_uid_unlock();
+	} else {
+		sub_gid_close();
+		sub_gid_unlock();
+	}
+
+	return ret;
+}
+
+bool release_subid_range(struct subordinate_range *range, enum subid_type id_type)
+{
+	struct commonio_db *db;
+	bool ret;
+
+	if (get_subid_nss_handle())
+		return false;
+
+	switch (id_type) {
+	case ID_TYPE_UID:
+		if (!sub_uid_lock()) {
+			printf("Failed loging subuids (errno %d)\n", errno);
+			return false;
+		}
+		if (!sub_uid_open(O_CREAT | O_RDWR)) {
+			printf("Failed opening subuids (errno %d)\n", errno);
+			sub_uid_unlock();
+			return false;
+		}
+		db = &subordinate_uid_db;
+		break;
+	case ID_TYPE_GID:
+		if (!sub_gid_lock()) {
+			printf("Failed loging subgids (errno %d)\n", errno);
+			return false;
+		}
+		if (!sub_gid_open(O_CREAT | O_RDWR)) {
+			printf("Failed opening subgids (errno %d)\n", errno);
+			sub_gid_unlock();
+			return false;
+		}
+		db = &subordinate_gid_db;
+		break;
+	default:
+		return false;
+	}
+
+	ret = remove_range(db, range->owner, range->start, range->count) == 1;
+
+	if (id_type == ID_TYPE_UID) {
+		sub_uid_close();
+		sub_uid_unlock();
+	} else {
+		sub_gid_close();
+		sub_gid_unlock();
+	}
+
+	return ret;
+}
+
 #else				/* !ENABLE_SUBIDS */
 extern int errno;		/* warning: ANSI C forbids an empty source file */
 #endif				/* !ENABLE_SUBIDS */

lib/subordinateio.h

@@ -11,10 +11,12 @@
 
 #include <sys/types.h>
 
+#include "../libsubid/subid.h"
+
 extern int sub_uid_close(void);
 extern bool have_sub_uids(const char *owner, uid_t start, unsigned long count);
 extern bool sub_uid_file_present (void);
-extern bool sub_uid_assigned(const char *owner);
+extern bool local_sub_uid_assigned(const char *owner);
 extern int sub_uid_lock (void);
 extern int sub_uid_setdbname (const char *filename);
 extern /*@observer@*/const char *sub_uid_dbname (void);
@@ -23,11 +25,16 @@ extern int sub_uid_unlock (void);
 extern int sub_uid_add (const char *owner, uid_t start, unsigned long count);
 extern int sub_uid_remove (const char *owner, uid_t start, unsigned long count);
 extern uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count);
+extern int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges);
+extern bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, bool reuse);
+extern bool release_subid_range(struct subordinate_range *range, enum subid_type id_type);
+extern int find_subid_owners(unsigned long id, enum subid_type id_type, uid_t **uids);
+extern void free_subordinate_ranges(struct subordinate_range **ranges, int count);
 
 extern int sub_gid_close(void);
 extern bool have_sub_gids(const char *owner, gid_t start, unsigned long count);
 extern bool sub_gid_file_present (void);
-extern bool sub_gid_assigned(const char *owner);
+extern bool local_sub_gid_assigned(const char *owner);
 extern int sub_gid_lock (void);
 extern int sub_gid_setdbname (const char *filename);
 extern /*@observer@*/const char *sub_gid_dbname (void);

lib/tcbfuncs.c

@@ -72,8 +72,8 @@ shadowtcb_status shadowtcb_gain_priv (void)
  * to exit soon.
  */
 #define OUT_OF_MEMORY do { \
-	fprintf (stderr, _("%s: out of memory\n"), Prog); \
-	(void) fflush (stderr); \
+	fprintf (shadow_logfd, _("%s: out of memory\n"), Prog); \
+	(void) fflush (shadow_logfd); \
 } while (false)
 
 /* Returns user's tcb directory path relative to TCB_DIR. */
@@ -116,7 +116,7 @@ static /*@null@*/ char *shadowtcb_path_rel_existing (const char *name)
 		return NULL;
 	}
 	if (lstat (path, &st) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot stat %s: %s\n"),
 		         Prog, path, strerror (errno));
 		free (path);
@@ -132,7 +132,7 @@ static /*@null@*/ char *shadowtcb_path_rel_existing (const char *name)
 		return rval;
 	}
 	if (!S_ISLNK (st.st_mode)) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: %s is neither a directory, nor a symlink.\n"),
 		         Prog, path);
 		free (path);
@@ -140,7 +140,7 @@ static /*@null@*/ char *shadowtcb_path_rel_existing (const char *name)
 	}
 	ret = readlink (path, link, sizeof (link) - 1);
 	if (-1 == ret) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot read symbolic link %s: %s\n"),
 		         Prog, path, strerror (errno));
 		free (path);
@@ -149,7 +149,7 @@ static /*@null@*/ char *shadowtcb_path_rel_existing (const char *name)
 	free (path);
 	if ((size_t)ret >= sizeof(link) - 1) {
 		link[sizeof(link) - 1] = '\0';
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Suspiciously long symlink: %s\n"),
 		         Prog, link);
 		return NULL;
@@ -207,7 +207,7 @@ static shadowtcb_status mkdir_leading (const char *name, uid_t uid)
 	}
 	ptr = path;
 	if (stat (TCB_DIR, &st) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot stat %s: %s\n"),
 		         Prog, TCB_DIR, strerror (errno));
 		goto out_free_path;
@@ -219,19 +219,19 @@ static shadowtcb_status mkdir_leading (const char *name, uid_t uid)
 			return SHADOWTCB_FAILURE;
 		}
 		if ((mkdir (dir, 0700) != 0) && (errno != EEXIST)) {
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 			         _("%s: Cannot create directory %s: %s\n"),
 			         Prog, dir, strerror (errno));
 			goto out_free_dir;
 		}
 		if (chown (dir, 0, st.st_gid) != 0) {
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 			         _("%s: Cannot change owner of %s: %s\n"),
 			         Prog, dir, strerror (errno));
 			goto out_free_dir;
 		}
 		if (chmod (dir, 0711) != 0) {
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 			         _("%s: Cannot change mode of %s: %s\n"),
 			         Prog, dir, strerror (errno));
 			goto out_free_dir;
@@ -261,7 +261,7 @@ static shadowtcb_status unlink_suffs (const char *user)
 			return SHADOWTCB_FAILURE;
 		}
 		if ((unlink (tmp) != 0) && (errno != ENOENT)) {
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 			         _("%s: unlink: %s: %s\n"),
 			         Prog, tmp, strerror (errno));
 			free (tmp);
@@ -286,7 +286,7 @@ static shadowtcb_status rmdir_leading (char *path)
 		}
 		if (rmdir (dir) != 0) {
 			if (errno != ENOTEMPTY) {
-				fprintf (stderr,
+				fprintf (shadow_logfd,
 				         _("%s: Cannot remove directory %s: %s\n"),
 				         Prog, dir, strerror (errno));
 				ret = SHADOWTCB_FAILURE;
@@ -315,7 +315,7 @@ static shadowtcb_status move_dir (const char *user_newname, uid_t user_newid)
 		goto out_free_nomem;
 	}
 	if (stat (olddir, &oldmode) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot stat %s: %s\n"),
 		         Prog, olddir, strerror (errno));
 		goto out_free;
@@ -342,7 +342,7 @@ static shadowtcb_status move_dir (const char *user_newname, uid_t user_newid)
 		goto out_free;
 	}
 	if (rename (real_old_dir, real_new_dir) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot rename %s to %s: %s\n"),
 		         Prog, real_old_dir, real_new_dir, strerror (errno));
 		goto out_free;
@@ -351,7 +351,7 @@ static shadowtcb_status move_dir (const char *user_newname, uid_t user_newid)
 		goto out_free;
 	}
 	if ((unlink (olddir) != 0) && (errno != ENOENT)) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot remove %s: %s\n"),
 		         Prog, olddir, strerror (errno));
 		goto out_free;
@@ -365,7 +365,7 @@ static shadowtcb_status move_dir (const char *user_newname, uid_t user_newid)
 	}
 	if (   (strcmp (real_new_dir, newdir) != 0)
 	    && (symlink (real_new_dir_rel, newdir) != 0)) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot create symbolic link %s: %s\n"),
 		         Prog, real_new_dir_rel, strerror (errno));
 		goto out_free;
@@ -464,37 +464,37 @@ shadowtcb_status shadowtcb_move (/*@NULL@*/const char *user_newname, uid_t user_
 		return SHADOWTCB_FAILURE;
 	}
 	if (stat (tcbdir, &dirmode) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot stat %s: %s\n"),
 		         Prog, tcbdir, strerror (errno));
 		goto out_free;
 	}
 	if (chown (tcbdir, 0, 0) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot change owners of %s: %s\n"),
 		         Prog, tcbdir, strerror (errno));
 		goto out_free;
 	}
 	if (chmod (tcbdir, 0700) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot change mode of %s: %s\n"),
 		         Prog, tcbdir, strerror (errno));
 		goto out_free;
 	}
 	if (lstat (shadow, &filemode) != 0) {
 		if (errno != ENOENT) {
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 			         _("%s: Cannot lstat %s: %s\n"),
 			         Prog, shadow, strerror (errno));
 			goto out_free;
 		}
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Warning, user %s has no tcb shadow file.\n"),
 		         Prog, user_newname);
 	} else {
 		if (!S_ISREG (filemode.st_mode) ||
 			filemode.st_nlink != 1) {
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 			         _("%s: Emergency: %s's tcb shadow is not a "
 			           "regular file with st_nlink=1.\n"
 			           "The account is left locked.\n"),
@@ -502,13 +502,13 @@ shadowtcb_status shadowtcb_move (/*@NULL@*/const char *user_newname, uid_t user_
 			goto out_free;
 		}
 		if (chown (shadow, user_newid, filemode.st_gid) != 0) {
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 			         _("%s: Cannot change owner of %s: %s\n"),
 			         Prog, shadow, strerror (errno));
 			goto out_free;
 		}
 		if (chmod (shadow, filemode.st_mode & 07777) != 0) {
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 			         _("%s: Cannot change mode of %s: %s\n"),
 			         Prog, shadow, strerror (errno));
 			goto out_free;
@@ -518,11 +518,17 @@ shadowtcb_status shadowtcb_move (/*@NULL@*/const char *user_newname, uid_t user_
 		goto out_free;
 	}
 	if (chown (tcbdir, user_newid, dirmode.st_gid) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot change owner of %s: %s\n"),
 		         Prog, tcbdir, strerror (errno));
 		goto out_free;
 	}
+	if (chmod (tcbdir, dirmode.st_mode & 07777) != 0) {
+		fprintf (shadow_logfd,
+		         _("%s: Cannot change mode of %s: %s\n"),
+		         Prog, tcbdir, strerror (errno));
+		goto out_free;
+	}
 	ret = SHADOWTCB_SUCCESS;
 out_free:
 	free (tcbdir);
@@ -543,7 +549,7 @@ shadowtcb_status shadowtcb_create (const char *name, uid_t uid)
 		return SHADOWTCB_SUCCESS;
 	}
 	if (stat (TCB_DIR, &tcbdir_stat) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot stat %s: %s\n"),
 		         Prog, TCB_DIR, strerror (errno));
 		return SHADOWTCB_FAILURE;
@@ -563,39 +569,39 @@ shadowtcb_status shadowtcb_create (const char *name, uid_t uid)
 		return SHADOWTCB_FAILURE;
 	}
 	if (mkdir (dir, 0700) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: mkdir: %s: %s\n"),
 		         Prog, dir, strerror (errno));
 		goto out_free;
 	}
 	fd = open (shadow, O_RDWR | O_CREAT | O_TRUNC, 0600);
 	if (fd < 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot open %s: %s\n"),
 		         Prog, shadow, strerror (errno));
 		goto out_free;
 	}
 	close (fd);
 	if (chown (shadow, 0, authgid) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot change owner of %s: %s\n"),
 		         Prog, shadow, strerror (errno));
 		goto out_free;
 	}
 	if (chmod (shadow, (mode_t) ((authgid == shadowgid) ? 0600 : 0640)) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot change mode of %s: %s\n"),
 		         Prog, shadow, strerror (errno));
 		goto out_free;
 	}
 	if (chown (dir, 0, authgid) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot change owner of %s: %s\n"),
 		         Prog, dir, strerror (errno));
 		goto out_free;
 	}
 	if (chmod (dir, (mode_t) ((authgid == shadowgid) ? 02700 : 02710)) != 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Cannot change mode of %s: %s\n"),
 		         Prog, dir, strerror (errno));
 		goto out_free;

libmisc/Makefile.am

@@ -1,11 +1,11 @@
 
 EXTRA_DIST = .indent.pro xgetXXbyYY.c
 
-AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS)
+AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS)
 
-noinst_LIBRARIES = libmisc.a
+noinst_LTLIBRARIES = libmisc.la
 
-libmisc_a_SOURCES = \
+libmisc_la_SOURCES = \
 	addgrps.c \
 	age.c \
 	audit_help.c \
@@ -74,6 +74,6 @@ libmisc_a_SOURCES = \
 	yesno.c
 
 if WITH_BTRFS
-libmisc_a_SOURCES += btrfs.c
+libmisc_la_SOURCES += btrfs.c
 endif
 

libmisc/addgrps.c

@@ -57,6 +57,7 @@ int add_groups (const char *list)
 	bool added;
 	char *token;
 	char buf[1024];
+	int ret;
 
 	if (strlen (list) >= sizeof (buf)) {
 		errno = EINVAL;
@@ -93,7 +94,7 @@ int add_groups (const char *list)
 
 		grp = getgrnam (token); /* local, no need for xgetgrnam */
 		if (NULL == grp) {
-			fprintf (stderr, _("Warning: unknown group %s\n"),
+			fprintf (shadow_logfd, _("Warning: unknown group %s\n"),
 				 token);
 			continue;
 		}
@@ -105,7 +106,7 @@ int add_groups (const char *list)
 		}
 
 		if (ngroups >= sysconf (_SC_NGROUPS_MAX)) {
-			fputs (_("Warning: too many groups\n"), stderr);
+			fputs (_("Warning: too many groups\n"), shadow_logfd);
 			break;
 		}
 		tmp = (gid_t *) realloc (grouplist, (size_t)(ngroups + 1) * sizeof (GETGROUPS_T));
@@ -120,9 +121,12 @@ int add_groups (const char *list)
 	}
 
 	if (added) {
-		return setgroups ((size_t)ngroups, grouplist);
+		ret = setgroups ((size_t)ngroups, grouplist);
+		free (grouplist);
+		return ret;
 	}
 
+	free (grouplist);
 	return 0;
 }
 #else				/* HAVE_SETGROUPS && !USE_PAM */

libmisc/audit_help.c

@@ -59,7 +59,7 @@ void audit_help_open (void)
 			return;
 		}
 		(void) fputs (_("Cannot open audit interface - aborting.\n"),
-		              stderr);
+		              shadow_logfd);
 		exit (EXIT_FAILURE);
 	}
 }
@@ -68,7 +68,7 @@ void audit_help_open (void)
  * This function will log a message to the audit system using a predefined
  * message format. Parameter usage is as follows:
  *
- * type - type of message: AUDIT_USER_CHAUTHTOK for changing any account 
+ * type - type of message: AUDIT_USER_CHAUTHTOK for changing any account
  *	  attributes.
  * pgname - program's name
  * op  -  operation. "adding user", "changing finger info", "deleting group"

libmisc/btrfs.c

@@ -7,7 +7,6 @@
 
 static bool path_exists(const char *p)
 {
-	int ret;
 	struct stat sb;
 
 	return stat(p, &sb) == 0;

libmisc/chowntty.c

@@ -62,6 +62,7 @@ void chown_tty (const struct passwd *info)
 	grent = getgr_nam_gid (getdef_str ("TTYGROUP"));
 	if (NULL != grent) {
 		gid = grent->gr_gid;
+		gr_free (grent);
 	} else {
 		gid = info->pw_gid;
 	}
@@ -75,7 +76,7 @@ void chown_tty (const struct passwd *info)
 	    || (fchmod (STDIN_FILENO, (mode_t)getdef_num ("TTYPERM", 0600)) != 0)) {
 		int err = errno;
 
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("Unable to change owner or mode of tty stdin: %s"),
 		         strerror (err));
 		SYSLOG ((LOG_WARN,

libmisc/cleanup_group.c

@@ -203,7 +203,7 @@ void cleanup_report_del_group_gshadow (void *group_name)
 void cleanup_unlock_group (unused void *arg)
 {
 	if (gr_unlock () == 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: failed to unlock %s\n"),
 		         Prog, gr_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
@@ -223,7 +223,7 @@ void cleanup_unlock_group (unused void *arg)
 void cleanup_unlock_gshadow (unused void *arg)
 {
 	if (sgr_unlock () == 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: failed to unlock %s\n"),
 		         Prog, sgr_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));

libmisc/cleanup_user.c

@@ -120,7 +120,7 @@ void cleanup_report_add_user_shadow (void *user_name)
 void cleanup_unlock_passwd (unused void *arg)
 {
 	if (pw_unlock () == 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: failed to unlock %s\n"),
 		         Prog, pw_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
@@ -139,7 +139,7 @@ void cleanup_unlock_passwd (unused void *arg)
 void cleanup_unlock_shadow (unused void *arg)
 {
 	if (spw_unlock () == 0) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: failed to unlock %s\n"),
 		         Prog, spw_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));

libmisc/copydir.c

@@ -117,7 +117,7 @@ static void error_acl (struct error_context *ctx, const char *fmt, ...)
 {
 	va_list ap;
 
-	/* ignore the case when destination does not support ACLs 
+	/* ignore the case when destination does not support ACLs
 	 * or extended attributes */
 	if (ENOTSUP == errno) {
 		errno = 0;
@@ -125,11 +125,11 @@ static void error_acl (struct error_context *ctx, const char *fmt, ...)
 	}
 
 	va_start (ap, fmt);
-	(void) fprintf (stderr, _("%s: "), Prog);
-	if (vfprintf (stderr, fmt, ap) != 0) {
-		(void) fputs (_(": "), stderr);
+	(void) fprintf (shadow_logfd, _("%s: "), Prog);
+	if (vfprintf (shadow_logfd, fmt, ap) != 0) {
+		(void) fputs (_(": "), shadow_logfd);
 	}
-	(void) fprintf (stderr, "%s\n", strerror (errno));
+	(void) fprintf (shadow_logfd, "%s\n", strerror (errno));
 	va_end (ap);
 }
 
@@ -248,7 +248,7 @@ int copy_tree (const char *src_root, const char *dst_root,
 		}
 
 		if (!S_ISDIR (sb.st_mode)) {
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 			         "%s: %s is not a directory",
 			         Prog, src_root);
 			return -1;
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, const char *dst,
 	 */
 
 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (dst) != 0) {
+	if (set_selinux_file_context (dst, S_IFDIR) != 0) {
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src, const char *dst,
 	}
 
 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (dst) != 0) {
+	if (set_selinux_file_context (dst, S_IFLNK) != 0) {
 		free (oldlink);
 		return -1;
 	}
@@ -684,7 +684,7 @@ static int copy_special (const char *src, const char *dst,
 	int err = 0;
 
 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (dst) != 0) {
+	if (set_selinux_file_context (dst, statp->st_mode & S_IFMT) != 0) {
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
@@ -744,7 +744,8 @@ static int copy_file (const char *src, const char *dst,
 		return -1;
 	}
 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (dst) != 0) {
+	if (set_selinux_file_context (dst, S_IFREG) != 0) {
+		(void) close (ifd);
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
@@ -771,12 +772,16 @@ static int copy_file (const char *src, const char *dst,
 	        && (errno != 0))
 #endif				/* WITH_ATTR */
 	   ) {
+		if (ofd >= 0) {
+			(void) close (ofd);
+		}
 		(void) close (ifd);
 		return -1;
 	}
 
 	while ((cnt = read (ifd, buf, sizeof buf)) > 0) {
 		if (write (ofd, buf, (size_t)cnt) != cnt) {
+			(void) close (ofd);
 			(void) close (ifd);
 			return -1;
 		}
@@ -786,6 +791,7 @@ static int copy_file (const char *src, const char *dst,
 
 #ifdef HAVE_FUTIMES
 	if (futimes (ofd, mt) != 0) {
+		(void) close (ofd);
 		return -1;
 	}
 #endif				/* HAVE_FUTIMES */

libmisc/env.c

@@ -171,7 +171,7 @@ void addenv (const char *string, /*@null@*/const char *value)
 			}
 			newenvp = __newenvp;
 		} else {
-			(void) fputs (_("Environment overflow\n"), stderr);
+			(void) fputs (_("Environment overflow\n"), shadow_logfd);
 			newenvc--;
 			free (newenvp[newenvc]);
 		}

libmisc/failure.c

@@ -98,7 +98,7 @@ void failure (uid_t uid, const char *tty, struct faillog *fl)
 		fl->fail_cnt++;
 	}
 
-	strncpy (fl->fail_line, tty, sizeof fl->fail_line);
+	strncpy (fl->fail_line, tty, sizeof (fl->fail_line) - 1);
 	(void) time (&fl->fail_time);
 
 	/*

libmisc/find_new_gid.c

@@ -74,7 +74,7 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
 
 		/* Check that the ranges make sense */
 		if (*max_id < *min_id) {
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
                             _("%s: Invalid configuration: SYS_GID_MIN (%lu), "
                               "GID_MIN (%lu), SYS_GID_MAX (%lu)\n"),
                             Prog, (unsigned long) *min_id,
@@ -97,7 +97,7 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
 
 		/* Check that the ranges make sense */
 		if (*max_id < *min_id) {
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
 					_("%s: Invalid configuration: GID_MIN (%lu), "
 					  "GID_MAX (%lu)\n"),
 					Prog, (unsigned long) *min_id,
@@ -157,7 +157,7 @@ static int check_gid (const gid_t gid,
  * [GID_MIN:GID_MAX] range.
  * This ID should be higher than all the used GID, but if not possible,
  * the lowest unused ID in the range will be returned.
- * 
+ *
  * Return 0 on success, -1 if no unused GIDs are available.
  */
 int find_new_gid (bool sys_group,
@@ -213,7 +213,7 @@ int find_new_gid (bool sys_group,
 			 * more likely to want to stop and address the
 			 * issue.
 			 */
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 				_("%s: Encountered error attempting to use "
 				  "preferred GID: %s\n"),
 				Prog, strerror (result));
@@ -243,7 +243,7 @@ int find_new_gid (bool sys_group,
 	/* Create an array to hold all of the discovered GIDs */
 	used_gids = malloc (sizeof (bool) * (gid_max +1));
 	if (NULL == used_gids) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 			 _("%s: failed to allocate memory: %s\n"),
 			 Prog, strerror (errno));
 		return -1;
@@ -323,7 +323,7 @@ int find_new_gid (bool sys_group,
 				 *
 				 */
 				if (!nospam) {
-					fprintf (stderr,
+					fprintf (shadow_logfd,
 						_("%s: Can't get unique system GID (%s). "
 						  "Suppressing additional messages.\n"),
 						Prog, strerror (result));
@@ -366,7 +366,7 @@ int find_new_gid (bool sys_group,
 					 *
 					 */
 					if (!nospam) {
-						fprintf (stderr,
+						fprintf (shadow_logfd,
 							_("%s: Can't get unique system GID (%s). "
 							  "Suppressing additional messages.\n"),
 							Prog, strerror (result));
@@ -426,7 +426,7 @@ int find_new_gid (bool sys_group,
 				 *
 				 */
 				if (!nospam) {
-					fprintf (stderr,
+					fprintf (shadow_logfd,
 						_("%s: Can't get unique GID (%s). "
 						  "Suppressing additional messages.\n"),
 						Prog, strerror (result));
@@ -469,7 +469,7 @@ int find_new_gid (bool sys_group,
 					 *
 					 */
 					if (!nospam) {
-						fprintf (stderr,
+						fprintf (shadow_logfd,
 							_("%s: Can't get unique GID (%s). "
 							  "Suppressing additional messages.\n"),
 							Prog, strerror (result));
@@ -488,7 +488,7 @@ int find_new_gid (bool sys_group,
 	}
 
 	/* The code reached here and found no available IDs in the range */
-	fprintf (stderr,
+	fprintf (shadow_logfd,
 		_("%s: Can't get unique GID (no more available GIDs)\n"),
 		Prog);
 	SYSLOG ((LOG_WARN, "no more available GIDs on the system"));

libmisc/find_new_sub_gids.c

@@ -43,11 +43,10 @@
  *
  * If successful, find_new_sub_gids provides a range of unused
  * user IDs in the [SUB_GID_MIN:SUB_GID_MAX] range.
- * 
+ *
  * Return 0 on success, -1 if no unused GIDs are available.
  */
-int find_new_sub_gids (const char *owner,
-		       gid_t *range_start, unsigned long *range_count)
+int find_new_sub_gids (gid_t *range_start, unsigned long *range_count)
 {
 	unsigned long min, max;
 	unsigned long count;
@@ -61,7 +60,7 @@ int find_new_sub_gids (const char *owner,
 	count = getdef_ulong ("SUB_GID_COUNT", 65536);
 
 	if (min > max || count >= max || (min + count - 1) > max) {
-		(void) fprintf (stderr,
+		(void) fprintf (shadow_logfd,
 				_("%s: Invalid configuration: SUB_GID_MIN (%lu),"
 				  " SUB_GID_MAX (%lu), SUB_GID_COUNT (%lu)\n"),
 			Prog, min, max, count);
@@ -70,7 +69,7 @@ int find_new_sub_gids (const char *owner,
 
 	start = sub_gid_find_free_range(min, max, count);
 	if (start == (gid_t)-1) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Can't get unique subordinate GID range\n"),
 		         Prog);
 		SYSLOG ((LOG_WARN, "no more available subordinate GIDs on the system"));

libmisc/find_new_sub_uids.c

@@ -43,11 +43,10 @@
  *
  * If successful, find_new_sub_uids provides a range of unused
  * user IDs in the [SUB_UID_MIN:SUB_UID_MAX] range.
- * 
+ *
  * Return 0 on success, -1 if no unused UIDs are available.
  */
-int find_new_sub_uids (const char *owner,
-		       uid_t *range_start, unsigned long *range_count)
+int find_new_sub_uids (uid_t *range_start, unsigned long *range_count)
 {
 	unsigned long min, max;
 	unsigned long count;
@@ -61,7 +60,7 @@ int find_new_sub_uids (const char *owner,
 	count = getdef_ulong ("SUB_UID_COUNT", 65536);
 
 	if (min > max || count >= max || (min + count - 1) > max) {
-		(void) fprintf (stderr,
+		(void) fprintf (shadow_logfd,
 				_("%s: Invalid configuration: SUB_UID_MIN (%lu),"
 				  " SUB_UID_MAX (%lu), SUB_UID_COUNT (%lu)\n"),
 			Prog, min, max, count);
@@ -70,7 +69,7 @@ int find_new_sub_uids (const char *owner,
 
 	start = sub_uid_find_free_range(min, max, count);
 	if (start == (uid_t)-1) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: Can't get unique subordinate UID range\n"),
 		         Prog);
 		SYSLOG ((LOG_WARN, "no more available subordinate UIDs on the system"));

libmisc/find_new_uid.c

@@ -74,7 +74,7 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
 
 		/* Check that the ranges make sense */
 		if (*max_id < *min_id) {
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
                             _("%s: Invalid configuration: SYS_UID_MIN (%lu), "
                               "UID_MIN (%lu), SYS_UID_MAX (%lu)\n"),
                             Prog, (unsigned long) *min_id,
@@ -97,7 +97,7 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
 
 		/* Check that the ranges make sense */
 		if (*max_id < *min_id) {
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
 					_("%s: Invalid configuration: UID_MIN (%lu), "
 					  "UID_MAX (%lu)\n"),
 					Prog, (unsigned long) *min_id,
@@ -157,7 +157,7 @@ static int check_uid(const uid_t uid,
  * [UID_MIN:UID_MAX] range.
  * This ID should be higher than all the used UID, but if not possible,
  * the lowest unused ID in the range will be returned.
- * 
+ *
  * Return 0 on success, -1 if no unused UIDs are available.
  */
 int find_new_uid(bool sys_user,
@@ -213,7 +213,7 @@ int find_new_uid(bool sys_user,
 			 * more likely to want to stop and address the
 			 * issue.
 			 */
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 				_("%s: Encountered error attempting to use "
 				  "preferred UID: %s\n"),
 				Prog, strerror (result));
@@ -243,7 +243,7 @@ int find_new_uid(bool sys_user,
 	/* Create an array to hold all of the discovered UIDs */
 	used_uids = malloc (sizeof (bool) * (uid_max +1));
 	if (NULL == used_uids) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 			 _("%s: failed to allocate memory: %s\n"),
 			 Prog, strerror (errno));
 		return -1;
@@ -323,7 +323,7 @@ int find_new_uid(bool sys_user,
 				 *
 				 */
 				if (!nospam) {
-					fprintf (stderr,
+					fprintf (shadow_logfd,
 						_("%s: Can't get unique system UID (%s). "
 						  "Suppressing additional messages.\n"),
 						Prog, strerror (result));
@@ -366,7 +366,7 @@ int find_new_uid(bool sys_user,
 					 *
 					 */
 					if (!nospam) {
-						fprintf (stderr,
+						fprintf (shadow_logfd,
 							_("%s: Can't get unique system UID (%s). "
 							  "Suppressing additional messages.\n"),
 							Prog, strerror (result));
@@ -426,7 +426,7 @@ int find_new_uid(bool sys_user,
 				 *
 				 */
 				if (!nospam) {
-					fprintf (stderr,
+					fprintf (shadow_logfd,
 						_("%s: Can't get unique UID (%s). "
 						  "Suppressing additional messages.\n"),
 						Prog, strerror (result));
@@ -469,7 +469,7 @@ int find_new_uid(bool sys_user,
 					 *
 					 */
 					if (!nospam) {
-						fprintf (stderr,
+						fprintf (shadow_logfd,
 							_("%s: Can't get unique UID (%s). "
 							  "Suppressing additional messages.\n"),
 							Prog, strerror (result));
@@ -488,7 +488,7 @@ int find_new_uid(bool sys_user,
 	}
 
 	/* The code reached here and found no available IDs in the range */
-	fprintf (stderr,
+	fprintf (shadow_logfd,
 		_("%s: Can't get unique UID (no more available UIDs)\n"),
 		Prog);
 	SYSLOG ((LOG_WARN, "no more available UIDs on the system"));

libmisc/gettime.c

@@ -61,23 +61,23 @@
 	epoch = strtoull (source_date_epoch, &endptr, 10);
 	if ((errno == ERANGE && (epoch == ULLONG_MAX || epoch == 0))
 			|| (errno != 0 && epoch == 0)) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 			 _("Environment variable $SOURCE_DATE_EPOCH: strtoull: %s\n"),
 			 strerror(errno));
 	} else if (endptr == source_date_epoch) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 			 _("Environment variable $SOURCE_DATE_EPOCH: No digits were found: %s\n"),
 			 endptr);
 	} else if (*endptr != '\0') {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 			 _("Environment variable $SOURCE_DATE_EPOCH: Trailing garbage: %s\n"),
 			 endptr);
 	} else if (epoch > ULONG_MAX) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 			 _("Environment variable $SOURCE_DATE_EPOCH: value must be smaller than or equal to %lu but was found to be: %llu\n"),
 			 ULONG_MAX, epoch);
 	} else if (epoch > fallback) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 			 _("Environment variable $SOURCE_DATE_EPOCH: value must be smaller than or equal to the current time (%lu) but was found to be: %llu\n"),
 			 fallback, epoch);
 	} else {

libmisc/hushed.c

@@ -90,7 +90,7 @@ bool hushed (const char *username)
 		return false;
 	}
 	for (found = false; !found && (fgets (buf, (int) sizeof buf, fp) == buf);) {
-		buf[strlen (buf) - 1] = '\0';
+		buf[strcspn (buf, "\n")] = '\0';
 		found = (strcmp (buf, pw->pw_shell) == 0) ||
 		        (strcmp (buf, pw->pw_name) == 0);
 	}

libmisc/idmapping.c

@@ -36,8 +36,8 @@
 #include <stdio.h>
 #include "prototypes.h"
 #include "idmapping.h"
-#include <sys/prctl.h>
 #if HAVE_SYS_CAPABILITY_H
+#include <sys/prctl.h>
 #include <sys/capability.h>
 #endif
 
@@ -47,19 +47,19 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv)
 	int idx, argidx;
 
 	if (ranges < 0 || argc < 0) {
-		fprintf(stderr, "%s: error calculating number of arguments\n", Prog);
+		fprintf(shadow_logfd, "%s: error calculating number of arguments\n", Prog);
 		return NULL;
 	}
 
 	if (ranges != ((argc + 2) / 3)) {
-		fprintf(stderr, "%s: ranges: %u is wrong for argc: %d\n", Prog, ranges, argc);
+		fprintf(shadow_logfd, "%s: ranges: %u is wrong for argc: %d\n", Prog, ranges, argc);
 		return NULL;
 	}
 
 	if ((ranges * 3) > argc) {
-		fprintf(stderr, "ranges: %u argc: %d\n",
+		fprintf(shadow_logfd, "ranges: %u argc: %d\n",
 			ranges, argc);
-		fprintf(stderr,
+		fprintf(shadow_logfd,
 			_( "%s: Not enough arguments to form %u mappings\n"),
 			Prog, ranges);
 		return NULL;
@@ -67,7 +67,7 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv)
 
 	mappings = calloc(ranges, sizeof(*mappings));
 	if (!mappings) {
-		fprintf(stderr, _( "%s: Memory allocation failure\n"),
+		fprintf(shadow_logfd, _( "%s: Memory allocation failure\n"),
 			Prog);
 		exit(EXIT_FAILURE);
 	}
@@ -88,24 +88,24 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv)
 			return NULL;
 		}
 		if (ULONG_MAX - mapping->upper <= mapping->count || ULONG_MAX - mapping->lower <= mapping->count) {
-			fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);
+			fprintf(shadow_logfd, _( "%s: subuid overflow detected.\n"), Prog);
 			exit(EXIT_FAILURE);
 		}
 		if (mapping->upper > UINT_MAX ||
 			mapping->lower > UINT_MAX ||
 			mapping->count > UINT_MAX)  {
-			fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);
+			fprintf(shadow_logfd, _( "%s: subuid overflow detected.\n"), Prog);
 			exit(EXIT_FAILURE);
 		}
 		if (mapping->lower + mapping->count > UINT_MAX ||
 				mapping->upper + mapping->count > UINT_MAX) {
-			fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);
+			fprintf(shadow_logfd, _( "%s: subuid overflow detected.\n"), Prog);
 			exit(EXIT_FAILURE);
 		}
 		if (mapping->lower + mapping->count < mapping->lower ||
 				mapping->upper + mapping->count < mapping->upper) {
 			/* this one really shouldn't be possible given previous checks */
-			fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);
+			fprintf(shadow_logfd, _( "%s: subuid overflow detected.\n"), Prog);
 			exit(EXIT_FAILURE);
 		}
 	}
@@ -123,6 +123,25 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv)
  */
 #define ULONG_DIGITS ((((sizeof(unsigned long) * CHAR_BIT) + 9)/10)*3)
 
+#if HAVE_SYS_CAPABILITY_H
+static inline bool maps_lower_root(int cap, int ranges, struct map_range *mappings)
+{
+	int idx;
+	struct map_range *mapping;
+
+	if (cap != CAP_SETUID)
+		return false;
+
+	mapping = mappings;
+	for (idx = 0; idx < ranges; idx++, mapping++) {
+		if (mapping->lower == 0)
+			return true;
+	}
+
+	return false;
+}
+#endif
+
 /*
  * The ruid refers to the caller's uid and is used to reset the effective uid
  * back to the callers real uid.
@@ -157,19 +176,19 @@ void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings,
 	} else if (strcmp(map_file, "gid_map") == 0) {
 		cap = CAP_SETGID;
 	} else {
-		fprintf(stderr, _("%s: Invalid map file %s specified\n"), Prog, map_file);
+		fprintf(shadow_logfd, _("%s: Invalid map file %s specified\n"), Prog, map_file);
 		exit(EXIT_FAILURE);
 	}
 
 	/* Align setuid- and fscaps-based new{g,u}idmap behavior. */
 	if (geteuid() == 0 && geteuid() != ruid) {
 		if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
-			fprintf(stderr, _("%s: Could not prctl(PR_SET_KEEPCAPS)\n"), Prog);
+			fprintf(shadow_logfd, _("%s: Could not prctl(PR_SET_KEEPCAPS)\n"), Prog);
 			exit(EXIT_FAILURE);
 		}
 
 		if (seteuid(ruid) < 0) {
-			fprintf(stderr, _("%s: Could not seteuid to %d\n"), Prog, ruid);
+			fprintf(shadow_logfd, _("%s: Could not seteuid to %d\n"), Prog, ruid);
 			exit(EXIT_FAILURE);
 		}
 	}
@@ -177,14 +196,20 @@ void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings,
 	/* Lockdown new{g,u}idmap by dropping all unneeded capabilities. */
 	memset(data, 0, sizeof(data));
 	data[0].effective = CAP_TO_MASK(cap);
+	/*
+	 * When uid 0 from the ancestor userns is supposed to be mapped into
+	 * the child userns we need to retain CAP_SETFCAP.
+	 */
+	if (maps_lower_root(cap, ranges, mappings))
+		data[0].effective |= CAP_TO_MASK(CAP_SETFCAP);
 	data[0].permitted = data[0].effective;
 	if (capset(&hdr, data) < 0) {
-		fprintf(stderr, _("%s: Could not set caps\n"), Prog);
+		fprintf(shadow_logfd, _("%s: Could not set caps\n"), Prog);
 		exit(EXIT_FAILURE);
 	}
 #endif
 
-	bufsize = ranges * ((ULONG_DIGITS  + 1) * 3);
+	bufsize = ranges * ((ULONG_DIGITS + 1) * 3);
 	pos = buf = xmalloc(bufsize);
 
 	/* Build the mapping command */
@@ -197,7 +222,7 @@ void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings,
 			mapping->lower,
 			mapping->count);
 		if ((written <= 0) || (written >= (bufsize - (pos - buf)))) {
-			fprintf(stderr, _("%s: snprintf failed!\n"), Prog);
+			fprintf(shadow_logfd, _("%s: snprintf failed!\n"), Prog);
 			exit(EXIT_FAILURE);
 		}
 		pos += written;
@@ -206,14 +231,15 @@ void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings,
 	/* Write the mapping to the mapping file */
 	fd = openat(proc_dir_fd, map_file, O_WRONLY);
 	if (fd < 0) {
-		fprintf(stderr, _("%s: open of %s failed: %s\n"),
+		fprintf(shadow_logfd, _("%s: open of %s failed: %s\n"),
 			Prog, map_file, strerror(errno));
 		exit(EXIT_FAILURE);
 	}
 	if (write(fd, buf, pos - buf) != (pos - buf)) {
-		fprintf(stderr, _("%s: write to %s failed: %s\n"),
+		fprintf(shadow_logfd, _("%s: write to %s failed: %s\n"),
 			Prog, map_file, strerror(errno));
 		exit(EXIT_FAILURE);
 	}
 	close(fd);
+	free(buf);
 }

libmisc/idmapping.h

@@ -40,5 +40,7 @@ extern struct map_range *get_map_ranges(int ranges, int argc, char **argv);
 extern void write_mapping(int proc_dir_fd, int ranges,
 	struct map_range *mappings, const char *map_file, uid_t ruid);
 
+extern void nss_init(char *nsswitch_path);
+
 #endif /* _ID_MAPPING_H_ */
 

libmisc/limits.c

@@ -202,7 +202,7 @@ static int check_logins (const char *name, const char *maxlogins)
 	return 0;
 }
 
-/* Function setup_user_limits - checks/set limits for the curent login
+/* Function setup_user_limits - checks/set limits for the current login
  * Original idea from Joel Katz's lshell. Ported to shadow-login
  * by Cristian Gafton - gafton@sorosis.ro
  *
@@ -404,7 +404,7 @@ static bool user_in_group (const char *uname, const char *gname)
 {
 	struct group *groupdata;
 
-	if (uname == NULL || gname == NULL){ 
+	if (uname == NULL || gname == NULL) {
 		return false;
 	}
 
@@ -548,7 +548,7 @@ void setup_limits (const struct passwd *info)
 #ifdef LIMITS
 		if (info->pw_uid != 0) {
 			if ((setup_user_limits (info->pw_name) & LOGIN_ERROR_LOGIN) != 0) {
-				(void) fputs (_("Too many logins.\n"), stderr);
+				(void) fputs (_("Too many logins.\n"), shadow_logfd);
 				(void) sleep (2); /* XXX: Should be FAIL_DELAY */
 				exit (EXIT_FAILURE);
 			}

libmisc/list.c

@@ -241,6 +241,7 @@ bool is_on_list (char *const *list, const char *member)
 
 	if ('\0' == *members) {
 		*array = (char *) 0;
+		free (members);
 		return array;
 	}
 

libmisc/log.c

@@ -42,7 +42,7 @@
 #include <lastlog.h>
 #include "prototypes.h"
 
-/* 
+/*
  * dolastlog - create lastlog entry
  *
  *	A "last login" entry is created for the user being logged in.  The
@@ -100,9 +100,9 @@ void dolastlog (
 	ll_time = newlog.ll_time;
 	(void) time (&ll_time);
 	newlog.ll_time = ll_time;
-	strncpy (newlog.ll_line, line, sizeof newlog.ll_line);
+	strncpy (newlog.ll_line, line, sizeof (newlog.ll_line) - 1);
 #if HAVE_LL_HOST
-	strncpy (newlog.ll_host, host, sizeof newlog.ll_host);
+	strncpy (newlog.ll_host, host, sizeof (newlog.ll_host) - 1);
 #endif
 	if (   (lseek (fd, offset, SEEK_SET) != offset)
 	    || (write (fd, (const void *) &newlog, sizeof newlog) != (ssize_t) sizeof newlog)

libmisc/loginprompt.c

@@ -103,7 +103,7 @@ void login_prompt (const char *prompt, char *name, int namesize)
 		(void) fflush (stdout);
 	}
 
-	/* 
+	/*
 	 * Read the user's response.  The trailing newline will be
 	 * removed.
 	 */

libmisc/motd.c

@@ -29,7 +29,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
- 
+
 #include <config.h>
 
 #ident "$Id$"

libmisc/myname.c

@@ -62,6 +62,9 @@
 		if ((NULL != pw) && (pw->pw_uid == ruid)) {
 			return pw;
 		}
+		if (NULL != pw) {
+			pw_free (pw);
+		}
 	}
 
 	return xgetpwuid (ruid);

libmisc/obscure.c

@@ -271,6 +271,9 @@ static /*@observer@*//*@null@*/const char *obscure_msg (
 #endif
 #ifdef USE_BCRYPT
 		    || (strcmp (result, "BCRYPT") == 0)
+#endif
+#ifdef USE_YESCRYPT
+		    || (strcmp (result, "YESCRYPT") == 0)
 #endif
 		    ) {
 			return NULL;

libmisc/pam_pass.c

@@ -59,20 +59,20 @@ void do_pam_passwd (const char *user, bool silent, bool change_expired)
 
 	ret = pam_start ("passwd", user, &conv, &pamh);
 	if (ret != PAM_SUCCESS) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 			 _("passwd: pam_start() failed, error %d\n"), ret);
 		exit (10);	/* XXX */
 	}
 
 	ret = pam_chauthtok (pamh, flags);
 	if (ret != PAM_SUCCESS) {
-		fprintf (stderr, _("passwd: %s\n"), pam_strerror (pamh, ret));
-		fputs (_("passwd: password unchanged\n"), stderr);
+		fprintf (shadow_logfd, _("passwd: %s\n"), pam_strerror (pamh, ret));
+		fputs (_("passwd: password unchanged\n"), shadow_logfd);
 		pam_end (pamh, ret);
 		exit (10);	/* XXX */
 	}
 
-	fputs (_("passwd: password updated successfully\n"), stderr);
+	fputs (_("passwd: password updated successfully\n"), shadow_logfd);
 	(void) pam_end (pamh, PAM_SUCCESS);
 }
 #else				/* !USE_PAM */

libmisc/pam_pass_non_interactive.c

@@ -76,7 +76,7 @@ static int ni_conv (int num_msg,
 
 		switch (msg[count]->msg_style) {
 		case PAM_PROMPT_ECHO_ON:
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 			         _("%s: PAM modules requesting echoing are not supported.\n"),
 			         Prog);
 			goto failed_conversation;
@@ -88,7 +88,7 @@ static int ni_conv (int num_msg,
 			break;
 		case PAM_ERROR_MSG:
 			if (   (NULL == msg[count]->msg)
-			    || (fprintf (stderr, "%s\n", msg[count]->msg) <0)) {
+			    || (fprintf (shadow_logfd, "%s\n", msg[count]->msg) <0)) {
 				goto failed_conversation;
 			}
 			responses[count].resp = NULL;
@@ -101,7 +101,7 @@ static int ni_conv (int num_msg,
 			responses[count].resp = NULL;
 			break;
 		default:
-			(void) fprintf (stderr,
+			(void) fprintf (shadow_logfd,
 			                _("%s: conversation type %d not supported.\n"),
 			                Prog, msg[count]->msg_style);
 			goto failed_conversation;
@@ -143,7 +143,7 @@ int do_pam_passwd_non_interactive (const char *pam_service,
 
 	ret = pam_start (pam_service, username, &non_interactive_pam_conv, &pamh);
 	if (ret != PAM_SUCCESS) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: (user %s) pam_start failure %d\n"),
 		         Prog, username, ret);
 		return 1;
@@ -152,7 +152,7 @@ int do_pam_passwd_non_interactive (const char *pam_service,
 	non_interactive_password = password;
 	ret = pam_chauthtok (pamh, 0);
 	if (ret != PAM_SUCCESS) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: (user %s) pam_chauthtok() failed, error:\n"
 		           "%s\n"),
 		         Prog, username, pam_strerror (pamh, ret));

libmisc/prefix_flag.c

@@ -74,25 +74,31 @@ extern const char* process_prefix_flag (const char* short_opt, int argc, char **
 	 * Parse the command line options.
 	 */
 	int i;
-	const char *prefix = NULL;
+	const char *prefix = NULL, *val;
 
 	for (i = 0; i < argc; i++) {
+		val = NULL;
 		if (   (strcmp (argv[i], "--prefix") == 0)
+		    || ((strncmp (argv[i], "--prefix=", 9) == 0)
+			&& (val = argv[i] + 9))
 		    || (strcmp (argv[i], short_opt) == 0)) {
 			if (NULL != prefix) {
-				fprintf (stderr,
+				fprintf (shadow_logfd,
 				         _("%s: multiple --prefix options\n"),
 				         Prog);
 				exit (E_BAD_ARG);
 			}
 
-			if (i + 1 == argc) {
-				fprintf (stderr,
+			if (val) {
+				prefix = val;
+			} else if (i + 1 == argc) {
+				fprintf (shadow_logfd,
 				         _("%s: option '%s' requires an argument\n"),
 				         Prog, argv[i]);
 				exit (E_BAD_ARG);
+			} else {
+				prefix = argv[++ i];
 			}
-			prefix = argv[i + 1];
 		}
 	}
 
@@ -103,6 +109,12 @@ extern const char* process_prefix_flag (const char* short_opt, int argc, char **
 			return ""; /* if prefix is "/" then we ignore the flag option */
 		/* should we prevent symbolic link from being used as a prefix? */
 
+		if ( prefix[0] != '/') {
+			fprintf (shadow_logfd,
+				 _("%s: prefix must be an absolute path\n"),
+				 Prog);
+			exit (E_BAD_ARG);
+		}
 		size_t len;
 		len = strlen(prefix) + strlen(PASSWD_FILE) + 2;
 		passwd_db_file = xmalloc(len);
@@ -164,10 +176,10 @@ extern struct group *prefix_getgrnam(const char *name)
 		struct group * grp = NULL;
 
 		fg = fopen(group_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while(grp = fgetgrent(fg)) {
-			if(!strcmp(name, grp->gr_name))
+		while ((grp = fgetgrent(fg)) != NULL) {
+			if (!strcmp(name, grp->gr_name))
 				break;
 		}
 		fclose(fg);
@@ -184,10 +196,10 @@ extern struct group *prefix_getgrgid(gid_t gid)
 		struct group * grp = NULL;
 
 		fg = fopen(group_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while(grp = fgetgrent(fg)) {
-			if(gid == grp->gr_gid)
+		while ((grp = fgetgrent(fg)) != NULL) {
+			if (gid == grp->gr_gid)
 				break;
 		}
 		fclose(fg);
@@ -204,10 +216,10 @@ extern struct passwd *prefix_getpwuid(uid_t uid)
 		struct passwd *pwd = NULL;
 
 		fg = fopen(passwd_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while(pwd = fgetpwent(fg)) {
-			if(uid == pwd->pw_uid)
+		while ((pwd = fgetpwent(fg)) != NULL) {
+			if (uid == pwd->pw_uid)
 				break;
 		}
 		fclose(fg);
@@ -224,10 +236,10 @@ extern struct passwd *prefix_getpwnam(const char* name)
 		struct passwd *pwd = NULL;
 
 		fg = fopen(passwd_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while(pwd = fgetpwent(fg)) {
-			if(!strcmp(name, pwd->pw_name))
+		while ((pwd = fgetpwent(fg)) != NULL) {
+			if (!strcmp(name, pwd->pw_name))
 				break;
 		}
 		fclose(fg);
@@ -244,10 +256,10 @@ extern struct spwd *prefix_getspnam(const char* name)
 		struct spwd *sp = NULL;
 
 		fg = fopen(spw_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while(sp = fgetspent(fg)) {
-			if(!strcmp(name, sp->sp_namp))
+		while ((sp = fgetspent(fg)) != NULL) {
+			if (!strcmp(name, sp->sp_namp))
 				break;
 		}
 		fclose(fg);
@@ -260,7 +272,7 @@ extern struct spwd *prefix_getspnam(const char* name)
 
 extern void prefix_setpwent()
 {
-	if(!passwd_db_file) {
+	if (!passwd_db_file) {
 		setpwent();
 		return;
 	}
@@ -268,19 +280,22 @@ extern void prefix_setpwent()
 		fclose (fp_pwent);
 
 	fp_pwent = fopen(passwd_db_file, "rt");
-	if(!fp_pwent)
+	if (!fp_pwent)
 		return;
 }
 extern struct passwd* prefix_getpwent()
 {
-	if(!passwd_db_file) {
+	if (!passwd_db_file) {
 		return getpwent();
 	}
+	if (!fp_pwent) {
+		return NULL;
+	}
 	return fgetpwent(fp_pwent);
 }
 extern void prefix_endpwent()
 {
-	if(!passwd_db_file) {
+	if (!passwd_db_file) {
 		endpwent();
 		return;
 	}
@@ -291,7 +306,7 @@ extern void prefix_endpwent()
 
 extern void prefix_setgrent()
 {
-	if(!group_db_file) {
+	if (!group_db_file) {
 		setgrent();
 		return;
 	}
@@ -299,19 +314,19 @@ extern void prefix_setgrent()
 		fclose (fp_grent);
 
 	fp_grent = fopen(group_db_file, "rt");
-	if(!fp_grent)
+	if (!fp_grent)
 		return;
 }
 extern struct group* prefix_getgrent()
 {
-	if(!group_db_file) {
+	if (!group_db_file) {
 		return getgrent();
 	}
 	return fgetgrent(fp_grent);
 }
 extern void prefix_endgrent()
 {
-	if(!group_db_file) {
+	if (!group_db_file) {
 		endgrent();
 		return;
 	}

libmisc/pwdcheck.c

@@ -51,7 +51,7 @@ void passwd_check (const char *user, const char *passwd, unused const char *prog
 	if (pw_auth (passwd, user, PW_LOGIN, (char *) 0) != 0) {
 		SYSLOG ((LOG_WARN, "incorrect password for `%s'", user));
 		(void) sleep (1);
-		fprintf (stderr, _("Incorrect password for %s.\n"), user);
+		fprintf (shadow_logfd, _("Incorrect password for %s.\n"), user);
 		exit (EXIT_FAILURE);
 	}
 }

libmisc/root_flag.c

@@ -56,25 +56,31 @@ extern void process_root_flag (const char* short_opt, int argc, char **argv)
 	 * Parse the command line options.
 	 */
 	int i;
-	const char *newroot = NULL;
+	const char *newroot = NULL, *val;
 
 	for (i = 0; i < argc; i++) {
+		val = NULL;
 		if (   (strcmp (argv[i], "--root") == 0)
+		    || ((strncmp (argv[i], "--root=", 7) == 0)
+			&& (val = argv[i] + 7))
 		    || (strcmp (argv[i], short_opt) == 0)) {
 			if (NULL != newroot) {
-				fprintf (stderr,
+				fprintf (shadow_logfd,
 				         _("%s: multiple --root options\n"),
 				         Prog);
 				exit (E_BAD_ARG);
 			}
 
-			if (i + 1 == argc) {
-				fprintf (stderr,
+			if (val) {
+				newroot = val;
+			} else if (i + 1 == argc) {
+				fprintf (shadow_logfd,
 				         _("%s: option '%s' requires an argument\n"),
 				         Prog, argv[i]);
 				exit (E_BAD_ARG);
+			} else {
+				newroot = argv[++ i];
 			}
-			newroot = argv[i + 1];
 		}
 	}
 
@@ -88,34 +94,34 @@ static void change_root (const char* newroot)
 	/* Drop privileges */
 	if (   (setregid (getgid (), getgid ()) != 0)
 	    || (setreuid (getuid (), getuid ()) != 0)) {
-		fprintf (stderr, _("%s: failed to drop privileges (%s)\n"),
+		fprintf (shadow_logfd, _("%s: failed to drop privileges (%s)\n"),
 		         Prog, strerror (errno));
 		exit (EXIT_FAILURE);
 	}
 
 	if ('/' != newroot[0]) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: invalid chroot path '%s'\n"),
 		         Prog, newroot);
 		exit (E_BAD_ARG);
 	}
 
 	if (access (newroot, F_OK) != 0) {
-		fprintf(stderr,
+		fprintf(shadow_logfd,
 		        _("%s: cannot access chroot directory %s: %s\n"),
 		        Prog, newroot, strerror (errno));
 		exit (E_BAD_ARG);
 	}
 
 	if (chdir (newroot) != 0) {
-		fprintf(stderr,
+		fprintf(shadow_logfd,
 				_("%s: cannot chdir to chroot directory %s: %s\n"),
 				Prog, newroot, strerror (errno));
 		exit (E_BAD_ARG);
 	}
 
 	if (chroot (newroot) != 0) {
-		fprintf(stderr,
+		fprintf(shadow_logfd,
 		        _("%s: unable to chroot to directory %s: %s\n"),
 		        Prog, newroot, strerror (errno));
 		exit (E_BAD_ARG);

libmisc/salt.c

@@ -11,30 +11,100 @@
 
 #ident "$Id$"
 
-#include <sys/time.h>
-#include <stdlib.h>
-#include <stdio.h>
 #include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#if HAVE_SYS_RANDOM_H
+#include <sys/random.h>
+#endif
 #include "prototypes.h"
 #include "defines.h"
 #include "getdef.h"
 
+#if (defined CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY && \
+     CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY)
+#define USE_XCRYPT_GENSALT 1
+#else
+#define USE_XCRYPT_GENSALT 0
+#endif
+
+/* Add the salt prefix. */
+#define MAGNUM(array,ch)	(array)[0]=(array)[2]='$',(array)[1]=(ch),(array)[3]='\0'
+
+#ifdef USE_BCRYPT
+/* Use $2b$ as prefix for compatibility with OpenBSD's bcrypt. */
+#define BCRYPTMAGNUM(array)	(array)[0]=(array)[3]='$',(array)[1]='2',(array)[2]='b',(array)[4]='\0'
+#define BCRYPT_SALT_SIZE 22
+/* Default number of rounds if not explicitly specified.  */
+#define B_ROUNDS_DEFAULT 13
+/* Minimum number of rounds.  */
+#define B_ROUNDS_MIN 4
+/* Maximum number of rounds.  */
+#define B_ROUNDS_MAX 31
+#endif /* USE_BCRYPT */
+
+#ifdef USE_SHA_CRYPT
+/* Fixed salt len for sha{256,512}crypt. */
+#define SHA_CRYPT_SALT_SIZE 16
+/* Default number of rounds if not explicitly specified.  */
+#define SHA_ROUNDS_DEFAULT 5000
+/* Minimum number of rounds.  */
+#define SHA_ROUNDS_MIN 1000
+/* Maximum number of rounds.  */
+#define SHA_ROUNDS_MAX 999999999
+#endif
+
+#ifdef USE_YESCRYPT
+/*
+ * Default number of base64 characters used for the salt.
+ * 24 characters gives a 144 bits (18 bytes) salt. Unlike the more
+ * traditional 128 bits (16 bytes) salt, this 144 bits salt is always
+ * represented by the same number of base64 characters without padding
+ * issue, even with a non-standard base64 encoding scheme.
+ */
+#define YESCRYPT_SALT_SIZE 24
+/* Default cost if not explicitly specified.  */
+#define Y_COST_DEFAULT 5
+/* Minimum cost.  */
+#define Y_COST_MIN 1
+/* Maximum cost.  */
+#define Y_COST_MAX 11
+#endif
+
+/* Fixed salt len for md5crypt. */
+#define MD5_CRYPT_SALT_SIZE 8
+
+/* Generate salt of size salt_size. */
+#define MAX_SALT_SIZE 44
+#define MIN_SALT_SIZE 8
+
+/* Maximum size of the generated salt string. */
+#define GENSALT_SETTING_SIZE 100
+
 /* local function prototypes */
-static void seedRNG (void);
+static long read_random_bytes (void);
+#if !USE_XCRYPT_GENSALT
 static /*@observer@*/const char *gensalt (size_t salt_size);
+#endif /* !USE_XCRYPT_GENSALT */
 #if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT)
 static long shadow_random (long min, long max);
 #endif /* USE_SHA_CRYPT || USE_BCRYPT */
 #ifdef USE_SHA_CRYPT
-static /*@observer@*/const char *SHA_salt_rounds (/*@null@*/int *prefered_rounds);
+static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *prefered_rounds);
+static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long rounds);
 #endif /* USE_SHA_CRYPT */
 #ifdef USE_BCRYPT
-static /*@observer@*/const char *gensalt_bcrypt (void);
-static /*@observer@*/const char *BCRYPT_salt_rounds (/*@null@*/int *prefered_rounds);
+static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *prefered_rounds);
+static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long rounds);
 #endif /* USE_BCRYPT */
+#ifdef USE_YESCRYPT
+static /*@observer@*/const unsigned long YESCRYPT_get_salt_cost (/*@null@*/int *prefered_cost);
+static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, unsigned long cost);
+#endif /* USE_YESCRYPT */
 
-#ifndef HAVE_L64A
-static /*@observer@*/char *l64a(long value)
+#if !USE_XCRYPT_GENSALT && !defined(HAVE_L64A)
+static /*@observer@*/char *l64a (long value)
 {
 	static char buf[8];
 	char *s = buf;
@@ -65,40 +135,58 @@ static /*@observer@*/char *l64a(long value)
 
 	*s = '\0';
 
-	return(buf);
+	return buf;
 }
-#endif /* !HAVE_L64A */
+#endif /* !USE_XCRYPT_GENSALT && !defined(HAVE_L64A) */
 
-static void seedRNG (void)
+/* Read sizeof (long) random bytes from /dev/urandom. */
+static long read_random_bytes (void)
 {
-	struct timeval tv;
-	static int seeded = 0;
+	long randval = 0;
 
-	if (0 == seeded) {
-		(void) gettimeofday (&tv, NULL);
-		srandom (tv.tv_sec ^ tv.tv_usec ^ getpid ());
-		seeded = 1;
+#ifdef HAVE_ARC4RANDOM_BUF
+	/* arc4random_buf, if it exists, can never fail.  */
+	arc4random_buf (&randval, sizeof (randval));
+	goto end;
+
+#elif defined(HAVE_GETENTROPY)
+	/* getentropy may exist but lack kernel support.  */
+	if (getentropy (&randval, sizeof (randval))) {
+		goto fail;
 	}
-}
 
-/*
- * Add the salt prefix.
- */
-#define MAGNUM(array,ch)	(array)[0]=(array)[2]='$',(array)[1]=(ch),(array)[3]='\0'
-#ifdef USE_BCRYPT
-/* 
- * Using the Prefix $2a$ to enable an anti-collision safety measure in musl libc.
- * Negatively affects a subset of passwords containing the '\xff' character,
- * which is not valid UTF-8 (so "unlikely to cause much annoyance").
- */
-#define BCRYPTMAGNUM(array)	(array)[0]=(array)[3]='$',(array)[1]='2',(array)[2]='a',(array)[4]='\0'
-#endif /* USE_BCRYPT */
+	goto end;
+
+#elif defined(HAVE_GETRANDOM)
+	/* Likewise getrandom.  */
+	if ((size_t) getrandom (&randval, sizeof (randval), 0) != sizeof (randval)) {
+		goto fail;
+	}
+
+	goto end;
+
+#else
+	FILE *f = fopen ("/dev/urandom", "r");
+
+	if (fread (&randval, sizeof (randval), 1, f) != 1) {
+		fclose(f);
+		goto fail;
+	}
+
+	fclose(f);
+	goto end;
+#endif
+
+fail:
+	fprintf (shadow_logfd,
+		 _("Unable to obtain random bytes.\n"));
+	exit (1);
+
+end:
+	return randval;
+}
 
 #if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT)
-/* It is not clear what is the maximum value of random().
- * We assume 2^31-1.*/
-#define RANDOM_MAX 0x7FFFFFFF
-
 /*
  * Return a random number between min and max (both included).
  *
@@ -108,8 +196,9 @@ static long shadow_random (long min, long max)
 {
 	double drand;
 	long ret;
-	seedRNG ();
-	drand = (double) (max - min + 1) * random () / RANDOM_MAX;
+
+	drand = (double) (read_random_bytes () & RAND_MAX) / (double) RAND_MAX;
+	drand *= (double) (max - min + 1);
 	/* On systems were this is not random() range is lower, we favor
 	 * higher numbers of salt. */
 	ret = (long) (max + 1 - drand);
@@ -122,171 +211,234 @@ static long shadow_random (long min, long max)
 #endif /* USE_SHA_CRYPT || USE_BCRYPT */
 
 #ifdef USE_SHA_CRYPT
-/* Default number of rounds if not explicitly specified.  */
-#define ROUNDS_DEFAULT 5000
-/* Minimum number of rounds.  */
-#define ROUNDS_MIN 1000
-/* Maximum number of rounds.  */
-#define ROUNDS_MAX 999999999
-/*
- * Return a salt prefix specifying the rounds number for the SHA crypt methods.
- */
-static /*@observer@*/const char *SHA_salt_rounds (/*@null@*/int *prefered_rounds)
+/* Return the the rounds number for the SHA crypt methods. */
+static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *prefered_rounds)
 {
-	static char rounds_prefix[18]; /* Max size: rounds=999999999$ */
-	long rounds;
+	unsigned long rounds;
 
 	if (NULL == prefered_rounds) {
 		long min_rounds = getdef_long ("SHA_CRYPT_MIN_ROUNDS", -1);
 		long max_rounds = getdef_long ("SHA_CRYPT_MAX_ROUNDS", -1);
 
 		if ((-1 == min_rounds) && (-1 == max_rounds)) {
-			return "";
-		}
-
-		if (-1 == min_rounds) {
-			min_rounds = max_rounds;
-		}
-
-		if (-1 == max_rounds) {
-			max_rounds = min_rounds;
-		}
-
-		if (min_rounds > max_rounds) {
-			max_rounds = min_rounds;
-		}
-
-		rounds = shadow_random (min_rounds, max_rounds);
-	} else if (0 == *prefered_rounds) {
-		return "";
-	} else {
-		rounds = *prefered_rounds;
-	}
-
-	/* Sanity checks. The libc should also check this, but this
-	 * protects against a rounds_prefix overflow. */
-	if (rounds < ROUNDS_MIN) {
-		rounds = ROUNDS_MIN;
-	}
-
-	if (rounds > ROUNDS_MAX) {
-		rounds = ROUNDS_MAX;
-	}
-
-	(void) snprintf (rounds_prefix, sizeof rounds_prefix,
-	                 "rounds=%ld$", rounds);
-
-	return rounds_prefix;
-}
-#endif /* USE_SHA_CRYPT */
-
-#ifdef USE_BCRYPT
-/* Default number of rounds if not explicitly specified.  */
-#define B_ROUNDS_DEFAULT 13
-/* Minimum number of rounds.  */
-#define B_ROUNDS_MIN 4
-/* Maximum number of rounds.  */
-#define B_ROUNDS_MAX 31
-/*
- * Return a salt prefix specifying the rounds number for the BCRYPT method.
- */
-static /*@observer@*/const char *BCRYPT_salt_rounds (/*@null@*/int *prefered_rounds)
-{
-	static char rounds_prefix[4]; /* Max size: 31$ */
-	long rounds;
-
-	if (NULL == prefered_rounds) {
-		long min_rounds = getdef_long ("BCRYPT_MIN_ROUNDS", -1);
-		long max_rounds = getdef_long ("BCRYPT_MAX_ROUNDS", -1);
-
-		if (((-1 == min_rounds) && (-1 == max_rounds)) || (0 == *prefered_rounds)) {
-			rounds = B_ROUNDS_DEFAULT;
+			rounds = SHA_ROUNDS_DEFAULT;
 		}
 		else {
 			if (-1 == min_rounds) {
 				min_rounds = max_rounds;
 			}
-	
+
 			if (-1 == max_rounds) {
 				max_rounds = min_rounds;
 			}
-	
+
 			if (min_rounds > max_rounds) {
 				max_rounds = min_rounds;
 			}
-	
-			rounds = shadow_random (min_rounds, max_rounds);
+
+			rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
 		}
+	} else if (0 == *prefered_rounds) {
+		rounds = SHA_ROUNDS_DEFAULT;
 	} else {
-		rounds = *prefered_rounds;
+		rounds = (unsigned long) *prefered_rounds;
 	}
 
-	/* 
-	 * Sanity checks. 
-	 * Use 19 as an upper bound for now,
-	 * because musl doesn't allow rounds >= 20.
+	/* Sanity checks. The libc should also check this, but this
+	 * protects against a rounds_prefix overflow. */
+	if (rounds < SHA_ROUNDS_MIN) {
+		rounds = SHA_ROUNDS_MIN;
+	}
+
+	if (rounds > SHA_ROUNDS_MAX) {
+		rounds = SHA_ROUNDS_MAX;
+	}
+
+	return rounds;
+}
+
+/*
+ * Fill a salt prefix specifying the rounds number for the SHA crypt methods
+ * to a buffer.
+ */
+static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long rounds)
+{
+	const size_t buf_begin = strlen (buf);
+
+	/* Nothing to do here if SHA_ROUNDS_DEFAULT is used. */
+	if (rounds == SHA_ROUNDS_DEFAULT) {
+		return;
+	}
+
+	/*
+	 * Check if the result buffer is long enough.
+	 * We are going to write a maximum of 17 bytes,
+	 * plus one byte for the terminator.
+	 *    rounds=XXXXXXXXX$
+	 *    00000000011111111
+	 *    12345678901234567
 	 */
+	assert (GENSALT_SETTING_SIZE > buf_begin + 17);
+
+	(void) snprintf (buf + buf_begin, 18, "rounds=%lu$", rounds);
+}
+#endif /* USE_SHA_CRYPT */
+
+#ifdef USE_BCRYPT
+/* Return the the rounds number for the BCRYPT method. */
+static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *prefered_rounds)
+{
+	unsigned long rounds;
+
+	if (NULL == prefered_rounds) {
+		long min_rounds = getdef_long ("BCRYPT_MIN_ROUNDS", -1);
+		long max_rounds = getdef_long ("BCRYPT_MAX_ROUNDS", -1);
+
+		if ((-1 == min_rounds) && (-1 == max_rounds)) {
+			rounds = B_ROUNDS_DEFAULT;
+		} else {
+			if (-1 == min_rounds) {
+				min_rounds = max_rounds;
+			}
+
+			if (-1 == max_rounds) {
+				max_rounds = min_rounds;
+			}
+
+			if (min_rounds > max_rounds) {
+				max_rounds = min_rounds;
+			}
+
+			rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
+		}
+	} else if (0 == *prefered_rounds) {
+		rounds = B_ROUNDS_DEFAULT;
+	} else {
+		rounds = (unsigned long) *prefered_rounds;
+	}
+
+	/* Sanity checks. */
 	if (rounds < B_ROUNDS_MIN) {
 		rounds = B_ROUNDS_MIN;
 	}
 
+#if USE_XCRYPT_GENSALT
+	if (rounds > B_ROUNDS_MAX) {
+		rounds = B_ROUNDS_MAX;
+	}
+#else /* USE_XCRYPT_GENSALT */
+	/*
+	 * Use 19 as an upper bound for now,
+	 * because musl doesn't allow rounds >= 20.
+	 */
 	if (rounds > 19) {
 		/* rounds = B_ROUNDS_MAX; */
 		rounds = 19;
 	}
+#endif /* USE_XCRYPT_GENSALT */
 
-	(void) snprintf (rounds_prefix, sizeof rounds_prefix,
-	                 "%2.2ld$", rounds);
-
-	return rounds_prefix;
+	return rounds;
 }
 
-#define BCRYPT_SALT_SIZE 22
 /*
- *  Generate a 22 character salt string for bcrypt.
+ * Fill a salt prefix specifying the rounds number for the BCRYPT method
+ * to a buffer.
  */
-static /*@observer@*/const char *gensalt_bcrypt (void)
+static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long rounds)
 {
-	static char salt[32];
+	const size_t buf_begin = strlen (buf);
 
-	salt[0] = '\0';
+	/*
+	 * Check if the result buffer is long enough.
+	 * We are going to write three bytes,
+	 * plus one byte for the terminator.
+	 *    XX$
+	 *    000
+	 *    123
+	 */
+	assert (GENSALT_SETTING_SIZE > buf_begin + 3);
 
-	seedRNG ();
-	strcat (salt, l64a (random()));
-	do {
-		strcat (salt, l64a (random()));
-	} while (strlen (salt) < BCRYPT_SALT_SIZE);
-
-	salt[BCRYPT_SALT_SIZE] = '\0';
-
-	return salt;
+	(void) snprintf (buf + buf_begin, 4, "%2.2lu$", rounds);
 }
 #endif /* USE_BCRYPT */
 
-/*
- *  Generate salt of size salt_size.
- */
-#define MAX_SALT_SIZE 16
-#define MIN_SALT_SIZE 8
+#ifdef USE_YESCRYPT
+/* Return the the cost number for the YESCRYPT method. */
+static /*@observer@*/const unsigned long YESCRYPT_get_salt_cost (/*@null@*/int *prefered_cost)
+{
+	unsigned long cost;
 
+	if (NULL == prefered_cost) {
+		cost = getdef_num ("YESCRYPT_COST_FACTOR", Y_COST_DEFAULT);
+	} else if (0 == *prefered_cost) {
+		cost = Y_COST_DEFAULT;
+	} else {
+		cost = (unsigned long) *prefered_cost;
+	}
+
+	/* Sanity checks. */
+	if (cost < Y_COST_MIN) {
+		cost = Y_COST_MIN;
+	}
+
+	if (cost > Y_COST_MAX) {
+		cost = Y_COST_MAX;
+	}
+
+	return cost;
+}
+
+/*
+ * Fill a salt prefix specifying the cost for the YESCRYPT method
+ * to a buffer.
+ */
+static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, unsigned long cost)
+{
+	const size_t buf_begin = strlen (buf);
+
+	/*
+	 * Check if the result buffer is long enough.
+	 * We are going to write four bytes,
+	 * plus one byte for the terminator.
+	 *    jXX$
+	 *    0000
+	 *    1234
+	 */
+	assert (GENSALT_SETTING_SIZE > buf_begin + 4);
+
+	buf[buf_begin + 0] = 'j';
+	if (cost < 3) {
+		buf[buf_begin + 1] = 0x36 + cost;
+	} else if (cost < 6) {
+		buf[buf_begin + 1] = 0x34 + cost;
+	} else {
+		buf[buf_begin + 1] = 0x3b + cost;
+	}
+	buf[buf_begin + 2] = cost >= 3 ? 'T' : '5';
+	buf[buf_begin + 3] = '$';
+	buf[buf_begin + 4] = '\0';
+}
+#endif /* USE_YESCRYPT */
+
+#if !USE_XCRYPT_GENSALT
 static /*@observer@*/const char *gensalt (size_t salt_size)
 {
-	static char salt[32];
+	static char salt[MAX_SALT_SIZE + 6];
 
-	salt[0] = '\0';
+	memset (salt, '\0', MAX_SALT_SIZE + 6);
 
 	assert (salt_size >= MIN_SALT_SIZE &&
 	        salt_size <= MAX_SALT_SIZE);
-	seedRNG ();
-	strcat (salt, l64a (random()));
+	strcat (salt, l64a (read_random_bytes ()));
 	do {
-		strcat (salt, l64a (random()));
+		strcat (salt, l64a (read_random_bytes ()));
 	} while (strlen (salt) < salt_size);
 
 	salt[salt_size] = '\0';
 
 	return salt;
 }
+#endif /* !USE_XCRYPT_GENSALT */
 
 /*
  * Generate 8 base64 ASCII characters of random salt.  If MD5_CRYPT_ENAB
@@ -296,26 +448,23 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
  * Other methods can be set with ENCRYPT_METHOD
  *
  * The method can be forced with the meth parameter.
- * If NULL, the method will be defined according to the MD5_CRYPT_ENAB and
- * ENCRYPT_METHOD login.defs variables.
+ * If NULL, the method will be defined according to the ENCRYPT_METHOD
+ * variable, and if not set according to the MD5_CRYPT_ENAB variable,
+ * which can both be set inside the login.defs file.
  *
  * If meth is specified, an additional parameter can be provided.
  *  * For the SHA256 and SHA512 method, this specifies the number of rounds
  *    (if not NULL).
+ *  * For the YESCRYPT method, this specifies the cost factor (if not NULL).
  */
 /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const char *meth, /*@null@*/void *arg)
 {
-	/* Max result size for the SHA methods:
-	 *  +3		$5$
-	 *  +17		rounds=999999999$
-	 *  +16		salt
-	 *  +1		\0
-	 */
-	static char result[40];
-	size_t salt_len = 8;
+	static char result[GENSALT_SETTING_SIZE];
+	size_t salt_len = MAX_SALT_SIZE;
 	const char *method;
+	unsigned long rounds = 0;
 
-	result[0] = '\0';
+	memset (result, '\0', GENSALT_SETTING_SIZE);
 
 	if (NULL != meth)
 		method = meth;
@@ -328,46 +477,80 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
 
 	if (0 == strcmp (method, "MD5")) {
 		MAGNUM(result, '1');
+		salt_len = MD5_CRYPT_SALT_SIZE;
+		rounds = 0;
 #ifdef USE_BCRYPT
 	} else if (0 == strcmp (method, "BCRYPT")) {
 		BCRYPTMAGNUM(result);
-		strcat(result, BCRYPT_salt_rounds((int *)arg));
+		salt_len = BCRYPT_SALT_SIZE;
+		rounds = BCRYPT_get_salt_rounds ((int *) arg);
+		BCRYPT_salt_rounds_to_buf (result, rounds);
 #endif /* USE_BCRYPT */
+#ifdef USE_YESCRYPT
+	} else if (0 == strcmp (method, "YESCRYPT")) {
+		MAGNUM(result, 'y');
+		salt_len = YESCRYPT_SALT_SIZE;
+		rounds = YESCRYPT_get_salt_cost ((int *) arg);
+		YESCRYPT_salt_cost_to_buf (result, rounds);
+#endif /* USE_YESCRYPT */
 #ifdef USE_SHA_CRYPT
 	} else if (0 == strcmp (method, "SHA256")) {
 		MAGNUM(result, '5');
-		strcat(result, SHA_salt_rounds((int *)arg));
-		salt_len = (size_t) shadow_random (8, 16);
+		salt_len = SHA_CRYPT_SALT_SIZE;
+		rounds = SHA_get_salt_rounds ((int *) arg);
+		SHA_salt_rounds_to_buf (result, rounds);
 	} else if (0 == strcmp (method, "SHA512")) {
 		MAGNUM(result, '6');
-		strcat(result, SHA_salt_rounds((int *)arg));
-		salt_len = (size_t) shadow_random (8, 16);
+		salt_len = SHA_CRYPT_SALT_SIZE;
+		rounds = SHA_get_salt_rounds ((int *) arg);
+		SHA_salt_rounds_to_buf (result, rounds);
 #endif /* USE_SHA_CRYPT */
 	} else if (0 != strcmp (method, "DES")) {
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 			 _("Invalid ENCRYPT_METHOD value: '%s'.\n"
 			   "Defaulting to DES.\n"),
 			 method);
-		result[0] = '\0';
+		salt_len = MAX_SALT_SIZE;
+		rounds = 0;
+		memset (result, '\0', GENSALT_SETTING_SIZE);
 	}
 
+#if USE_XCRYPT_GENSALT
 	/*
-	 * Concatenate a pseudo random salt.
+	 * Prepare DES setting for crypt_gensalt(), if result
+	 * has not been filled with anything previously.
 	 */
-	assert (sizeof (result) > strlen (result) + salt_len);
-#ifdef USE_BCRYPT
-	if (0 == strcmp (method, "BCRYPT")) {
-		strncat (result, gensalt_bcrypt (),
-				 sizeof (result) - strlen (result) - 1);
-		return result;
-	} else {
-#endif /* USE_BCRYPT */	
-		strncat (result, gensalt (salt_len),
-			 sizeof (result) - strlen (result) - 1);
-#ifdef USE_BCRYPT
+	if ('\0' == result[0]) {
+		/* Avoid -Wunused-but-set-variable. */
+		salt_len = GENSALT_SETTING_SIZE - 1;
+		rounds = 0;
+		memset (result, '.', salt_len);
+		result[salt_len] = '\0';
 	}
-#endif /* USE_BCRYPT */	
+
+	char *retval = crypt_gensalt (result, rounds, NULL, 0);
+
+	/* Should not happen, but... */
+	if (NULL == retval) {
+		fprintf (shadow_logfd,
+			 _("Unable to generate a salt from setting "
+			   "\"%s\", check your settings in "
+			   "ENCRYPT_METHOD and the corresponding "
+			   "configuration for your selected hash "
+			   "method.\n"), result);
+
+		exit (1);
+	}
+
+	return retval;
+#else /* USE_XCRYPT_GENSALT */
+	/* Check if the result buffer is long enough. */
+	assert (GENSALT_SETTING_SIZE > strlen (result) + salt_len);
+
+	/* Concatenate a pseudo random salt. */
+	strncat (result, gensalt (salt_len),
+		 GENSALT_SETTING_SIZE - strlen (result) - 1);
 
 	return result;
+#endif /* USE_XCRYPT_GENSALT */
 }
-

libmisc/setupenv.c

@@ -219,7 +219,7 @@ void setup_env (struct passwd *info)
 		static char temp_pw_dir[] = "/";
 
 		if (!getdef_bool ("DEFAULT_HOME") || chdir ("/") == -1) {
-			fprintf (stderr, _("Unable to cd to '%s'\n"),
+			fprintf (shadow_logfd, _("Unable to cd to '%s'\n"),
 				 info->pw_dir);
 			SYSLOG ((LOG_WARN,
 				 "unable to cd to `%s' for user `%s'\n",

libmisc/user_busy.c

@@ -39,6 +39,7 @@
 #include <sys/types.h>
 #include <dirent.h>
 #include <fcntl.h>
+#include <unistd.h>
 #include "defines.h"
 #include "prototypes.h"
 #ifdef ENABLE_SUBIDS
@@ -95,7 +96,7 @@ static int user_busy_utmp (const char *name)
 			continue;
 		}
 
-		fprintf (stderr,
+		fprintf (shadow_logfd,
 		         _("%s: user %s is currently logged in\n"),
 		         Prog, name);
 		return 1;
@@ -106,6 +107,31 @@ static int user_busy_utmp (const char *name)
 #endif				/* !__linux__ */
 
 #ifdef __linux__
+#ifdef ENABLE_SUBIDS
+#define in_parentuid_range(uid) ((uid) >= parentuid && (uid) < parentuid + range)
+static int different_namespace (const char *sname)
+{
+	/* 41: /proc/xxxxxxxxxx/task/xxxxxxxxxx/ns/user + \0 */
+	char path[41];
+	char buf[512], buf2[512];
+	ssize_t llen1, llen2;
+
+	snprintf (path, 41, "/proc/%s/ns/user", sname);
+
+	if ((llen1 = readlink (path, buf, sizeof(buf))) == -1)
+		return 0;
+
+	if ((llen2 = readlink ("/proc/self/ns/user", buf2, sizeof(buf2))) == -1)
+		return 0;
+
+	if (llen1 == llen2 && memcmp (buf, buf2, llen1) == 0)
+		return 0; /* same namespace */
+
+	return 1;
+}
+#endif                          /* ENABLE_SUBIDS */
+
+
 static int check_status (const char *name, const char *sname, uid_t uid)
 {
 	/* 40: /proc/xxxxxxxxxx/task/xxxxxxxxxx/status + \0 */
@@ -114,7 +140,6 @@ static int check_status (const char *name, const char *sname, uid_t uid)
 	FILE *sfile;
 
 	snprintf (status, 40, "/proc/%s/status", sname);
-	status[39] = '\0';
 
 	sfile = fopen (status, "r");
 	if (NULL == sfile) {
@@ -123,26 +148,29 @@ static int check_status (const char *name, const char *sname, uid_t uid)
 	while (fgets (line, sizeof (line), sfile) == line) {
 		if (strncmp (line, "Uid:\t", 5) == 0) {
 			unsigned long ruid, euid, suid;
+
 			assert (uid == (unsigned long) uid);
+			(void) fclose (sfile);
 			if (sscanf (line,
 			            "Uid:\t%lu\t%lu\t%lu\n",
 			            &ruid, &euid, &suid) == 3) {
 				if (   (ruid == (unsigned long) uid)
 				    || (euid == (unsigned long) uid)
-				    || (suid == (unsigned long) uid)
-#ifdef ENABLE_SUBIDS
-				    || have_sub_uids(name, ruid, 1)
-				    || have_sub_uids(name, euid, 1)
-				    || have_sub_uids(name, suid, 1)
-#endif				/* ENABLE_SUBIDS */
-				   ) {
-					(void) fclose (sfile);
+				    || (suid == (unsigned long) uid) ) {
 					return 1;
 				}
+#ifdef ENABLE_SUBIDS
+				if (    different_namespace (sname)
+				     && (   have_sub_uids(name, ruid, 1)
+				         || have_sub_uids(name, euid, 1)
+				         || have_sub_uids(name, suid, 1))
+				   ) {
+					return 1;
+				}
+#endif				/* ENABLE_SUBIDS */
 			} else {
 				/* Ignore errors. This is just a best effort. */
 			}
-			(void) fclose (sfile);
 			return 0;
 		}
 	}
@@ -221,7 +249,7 @@ static int user_busy_processes (const char *name, uid_t uid)
 #ifdef ENABLE_SUBIDS
 			sub_uid_close();
 #endif
-			fprintf (stderr,
+			fprintf (shadow_logfd,
 			         _("%s: user %s is currently used by process %d\n"),
 			         Prog, name, pid);
 			return 1;
@@ -241,10 +269,11 @@ static int user_busy_processes (const char *name, uid_t uid)
 				}
 				if (check_status (name, task_path+6, uid) != 0) {
 					(void) closedir (proc);
+					(void) closedir (task_dir);
 #ifdef ENABLE_SUBIDS
 					sub_uid_close();
 #endif
-					fprintf (stderr,
+					fprintf (shadow_logfd,
 					         _("%s: user %s is currently used by process %d\n"),
 					         Prog, name, pid);
 					return 1;

libmisc/utmp.c

@@ -257,25 +257,25 @@ static void updwtmpx (const char *filename, const struct utmpx *utx)
 	utent->ut_type = USER_PROCESS;
 #endif				/* HAVE_STRUCT_UTMP_UT_TYPE */
 	utent->ut_pid = getpid ();
-	strncpy (utent->ut_line, line,      sizeof (utent->ut_line));
+	strncpy (utent->ut_line, line,      sizeof (utent->ut_line) - 1);
 #ifdef HAVE_STRUCT_UTMP_UT_ID
 	if (NULL != ut) {
 		strncpy (utent->ut_id, ut->ut_id, sizeof (utent->ut_id));
 	} else {
 		/* XXX - assumes /dev/tty?? */
-		strncpy (utent->ut_id, line + 3, sizeof (utent->ut_id));
+		strncpy (utent->ut_id, line + 3, sizeof (utent->ut_id) - 1);
 	}
 #endif				/* HAVE_STRUCT_UTMP_UT_ID */
 #ifdef HAVE_STRUCT_UTMP_UT_NAME
 	strncpy (utent->ut_name, name,      sizeof (utent->ut_name));
 #endif				/* HAVE_STRUCT_UTMP_UT_NAME */
 #ifdef HAVE_STRUCT_UTMP_UT_USER
-	strncpy (utent->ut_user, name,      sizeof (utent->ut_user));
+	strncpy (utent->ut_user, name,      sizeof (utent->ut_user) - 1);
 #endif				/* HAVE_STRUCT_UTMP_UT_USER */
 	if (NULL != hostname) {
 		struct addrinfo *info = NULL;
 #ifdef HAVE_STRUCT_UTMP_UT_HOST
-		strncpy (utent->ut_host, hostname, sizeof (utent->ut_host));
+		strncpy (utent->ut_host, hostname, sizeof (utent->ut_host) - 1);
 #endif				/* HAVE_STRUCT_UTMP_UT_HOST */
 #ifdef HAVE_STRUCT_UTMP_UT_SYSLEN
 		utent->ut_syslen = MIN (strlen (hostname),

libmisc/xgetXXbyYY.c

@@ -74,7 +74,7 @@
 
 	result = malloc(sizeof(LOOKUP_TYPE));
 	if (NULL == result) {
-		fprintf (stderr, _("%s: out of memory\n"),
+		fprintf (shadow_logfd, _("%s: out of memory\n"),
 		         "x" STRINGIZE(FUNCTION_NAME));
 		exit (13);
 	}
@@ -84,7 +84,7 @@
 		LOOKUP_TYPE *resbuf = NULL;
 		buffer = (char *)realloc (buffer, length);
 		if (NULL == buffer) {
-			fprintf (stderr, _("%s: out of memory\n"),
+			fprintf (shadow_logfd, _("%s: out of memory\n"),
 			         "x" STRINGIZE(FUNCTION_NAME));
 			exit (13);
 		}
@@ -132,7 +132,7 @@
 	if (result) {
 		result = DUP_FUNCTION(result);
 		if (NULL == result) {
-			fprintf (stderr, _("%s: out of memory\n"),
+			fprintf (shadow_logfd, _("%s: out of memory\n"),
 			         "x" STRINGIZE(FUNCTION_NAME));
 			exit (13);
 		}

libmisc/xmalloc.c

@@ -54,7 +54,7 @@
 
 	ptr = (char *) malloc (size);
 	if (NULL == ptr) {
-		(void) fprintf (stderr,
+		(void) fprintf (shadow_logfd,
 		                _("%s: failed to allocate memory: %s\n"),
 		                Prog, strerror (errno));
 		exit (13);
@@ -66,3 +66,10 @@
 {
 	return strcpy (xmalloc (strlen (str) + 1), str);
 }
+
+void xfree(void *ap)
+{
+	if (ap) {
+		free(ap);
+	}
+}

libsubid/Makefile.am

@@ -0,0 +1,34 @@
+lib_LTLIBRARIES = libsubid.la
+if ENABLE_SHARED
+libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
+	-shared -version-info @LIBSUBID_ABI_MAJOR@
+endif
+libsubid_la_SOURCES = api.c
+libsubid_la_LDFLAGS = -export-symbols-regex '^subid_'
+
+pkginclude_HEADERS = subid.h
+
+MISCLIBS = \
+	$(LIBAUDIT) \
+	$(LIBSELINUX) \
+	$(LIBSEMANAGE) \
+	$(LIBCRACK) \
+	$(LIBCRYPT_NOPAM) \
+	$(LIBSKEY) \
+	$(LIBMD) \
+	$(LIBECONF) \
+	$(LIBCRYPT) \
+	$(LIBACL) \
+	$(LIBATTR) \
+	$(LIBTCB) \
+	$(LIBPAM)
+
+libsubid_la_LIBADD = \
+	$(top_builddir)/lib/libshadow.la \
+	$(top_builddir)/libmisc/libmisc.la \
+	$(MISCLIBS) -ldl
+
+AM_CPPFLAGS = \
+	-I${top_srcdir}/lib \
+	-I${top_srcdir}/libmisc \
+	-DLOCALEDIR=\"$(datadir)/locale\"

libsubid/api.c

@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2020 Serge Hallyn
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the copyright holders or contributors may not be used to
+ *    endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <config.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <pwd.h>
+#include <stdbool.h>
+#include "subordinateio.h"
+#include "idmapping.h"
+#include "subid.h"
+
+static const char *Prog = "(libsubid)";
+static FILE *shadow_logfd;
+
+bool subid_init(const char *progname, FILE * logfd)
+{
+	if (progname) {
+		progname = strdup(progname);
+		if (progname)
+			Prog = progname;
+		else
+			return false;
+	}
+
+	if (logfd) {
+		shadow_logfd = logfd;
+		return true;
+	}
+	shadow_logfd = fopen("/dev/null", "w");
+	if (!shadow_logfd) {
+		shadow_logfd = stderr;
+		return false;
+	}
+	return true;
+}
+
+static
+int get_subid_ranges(const char *owner, enum subid_type id_type, struct subid_range **ranges)
+{
+	return list_owner_ranges(owner, id_type, ranges);
+}
+
+int subid_get_uid_ranges(const char *owner, struct subid_range **ranges)
+{
+	return get_subid_ranges(owner, ID_TYPE_UID, ranges);
+}
+
+int subid_get_gid_ranges(const char *owner, struct subid_range **ranges)
+{
+	return get_subid_ranges(owner, ID_TYPE_GID, ranges);
+}
+
+static
+int get_subid_owner(unsigned long id, enum subid_type id_type, uid_t **owner)
+{
+	return find_subid_owners(id, id_type, owner);
+}
+
+int subid_get_uid_owners(uid_t uid, uid_t **owner)
+{
+	return get_subid_owner((unsigned long)uid, ID_TYPE_UID, owner);
+}
+
+int subid_get_gid_owners(gid_t gid, uid_t **owner)
+{
+	return get_subid_owner((unsigned long)gid, ID_TYPE_GID, owner);
+}
+
+static
+bool grant_subid_range(struct subordinate_range *range, bool reuse,
+		       enum subid_type id_type)
+{
+	return new_subid_range(range, id_type, reuse);
+}
+
+bool subid_grant_uid_range(struct subordinate_range *range, bool reuse)
+{
+	return grant_subid_range(range, reuse, ID_TYPE_UID);
+}
+
+bool subid_grant_gid_range(struct subordinate_range *range, bool reuse)
+{
+	return grant_subid_range(range, reuse, ID_TYPE_GID);
+}
+
+static
+bool ungrant_subid_range(struct subordinate_range *range, enum subid_type id_type)
+{
+	return release_subid_range(range, id_type);
+}
+
+bool subid_ungrant_uid_range(struct subordinate_range *range)
+{
+	return ungrant_subid_range(range, ID_TYPE_UID);
+}
+
+bool subid_ungrant_gid_range(struct subordinate_range *range)
+{
+	return ungrant_subid_range(range, ID_TYPE_GID);
+}

libsubid/subid.h.in

@@ -0,0 +1,155 @@
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdbool.h>
+
+#ifndef SUBID_RANGE_DEFINED
+#define SUBID_RANGE_DEFINED 1
+#define SUBID_ABI_VERSION @LIBSUBID_ABI_MAJOR@.@LIBSUBID_ABI_MINOR@.@LIBSUBID_ABI_MICRO@
+#define SUBID_ABI_MAJOR @LIBSUBID_ABI_MAJOR@
+#define SUBID_ABI_MINOR @LIBSUBID_ABI_MINOR@
+#define SUBID_ABI_MICRO @LIBSUBID_ABI_MICRO@
+
+/* subid_range is just a starting point and size of a range */
+struct subid_range {
+	unsigned long start;
+	unsigned long count;
+};
+
+/* subordinage_range is a subid_range plus an owner, representing
+ * a range in /etc/subuid or /etc/subgid */
+struct subordinate_range {
+	const char *owner;
+	unsigned long start;
+	unsigned long count;
+};
+
+enum subid_type {
+	ID_TYPE_UID = 1,
+	ID_TYPE_GID = 2
+};
+
+enum subid_status {
+	SUBID_STATUS_SUCCESS = 0,
+	SUBID_STATUS_UNKNOWN_USER = 1,
+	SUBID_STATUS_ERROR_CONN = 2,
+	SUBID_STATUS_ERROR = 3,
+};
+
+/*
+ * subid_init: initialize libsubid
+ *
+ * @progname: Name to display as program.  If NULL, then "(libsubid)" will be
+ *            shown in error messages.
+ * @logfd:    Open file pointer to pass error messages to.  If NULL, then
+ *            /dev/null will be opened and messages will be sent there.  The
+ *            default if libsubid_init() is not called is stderr (2).
+ *
+ * This function does not need to be called.  If not called, then the defaults
+ * will be used.
+ *
+ * Returns false if an error occurred.
+ */
+bool subid_init(const char *progname, FILE *logfd);
+
+/*
+ * subid_get_uid_ranges: return a list of UID ranges for a user
+ *
+ * @owner: username being queried
+ * @ranges: a pointer to an array of subid_range structs in which the result
+ *          will be returned.
+ *
+ * The caller must free(ranges) when done.
+ *
+ * returns: number of ranges found, ir < 0 on error.
+ */
+int subid_get_uid_ranges(const char *owner, struct subid_range **ranges);
+
+/*
+ * subid_get_gid_ranges: return a list of GID ranges for a user
+ *
+ * @owner: username being queried
+ * @ranges: a pointer to an array of subid_range structs in which the result
+ *          will be returned.
+ *
+ * The caller must free(ranges) when done.
+ *
+ * returns: number of ranges found, ir < 0 on error.
+ */
+int subid_get_gid_ranges(const char *owner, struct subid_range **ranges);
+
+/*
+ * subid_get_uid_owners: return a list of uids to which the given uid has been
+ *                    delegated.
+ *
+ * @uid: The subuid being queried
+ * @owners: a pointer to an array of uids into which the results are placed.
+ *          The returned array must be freed by the caller.
+ *
+ * Returns the number of uids returned, or < 0 on error.
+ */
+int subid_get_uid_owners(uid_t uid, uid_t **owner);
+
+/*
+ * subid_get_gid_owners: return a list of uids to which the given gid has been
+ *                    delegated.
+ *
+ * @uid: The subgid being queried
+ * @owners: a pointer to an array of uids into which the results are placed.
+ *          The returned array must be freed by the caller.
+ *
+ * Returns the number of uids returned, or < 0 on error.
+ */
+int subid_get_gid_owners(gid_t gid, uid_t **owner);
+
+/*
+ * subid_grant_uid_range: assign a subuid range to a user
+ *
+ * @range: pointer to a struct subordinate_range detailing the UID range
+ *         to allocate.  ->owner must be the username, and ->count must be
+ *         filled in.  ->start is ignored, and will contain the start
+ *         of the newly allocated range, upon success.
+ *
+ * Returns true if the delegation succeeded, false otherwise.  If true,
+ * then the range from (range->start, range->start + range->count) will
+ * be delegated to range->owner.
+ */
+bool subid_grant_uid_range(struct subordinate_range *range, bool reuse);
+
+/*
+ * subid_grant_gid_range: assign a subgid range to a user
+ *
+ * @range: pointer to a struct subordinate_range detailing the GID range
+ *         to allocate.  ->owner must be the username, and ->count must be
+ *         filled in.  ->start is ignored, and will contain the start
+ *         of the newly allocated range, upon success.
+ *
+ * Returns true if the delegation succeeded, false otherwise.  If true,
+ * then the range from (range->start, range->start + range->count) will
+ * be delegated to range->owner.
+ */
+bool subid_grant_gid_range(struct subordinate_range *range, bool reuse);
+
+/*
+ * subid_ungrant_uid_range: remove a subuid allocation.
+ *
+ * @range: pointer to a struct subordinate_range detailing the UID allocation
+ *         to remove.
+ *
+ * Returns true if successful, false if it failed, for instance if the
+ * delegation did not exist.
+ */
+bool subid_ungrant_uid_range(struct subordinate_range *range);
+
+/*
+ * subid_ungrant_gid_range: remove a subgid allocation.
+ *
+ * @range: pointer to a struct subordinate_range detailing the GID allocation
+ *         to remove.
+ *
+ * Returns true if successful, false if it failed, for instance if the
+ * delegation did not exist.
+ */
+bool subid_ungrant_gid_range(struct subordinate_range *range);
+
+#define SUBID_NFIELDS 3
+#endif

man/Makefile.am

@@ -62,6 +62,7 @@ man_MANS += $(man_nopam)
 endif
 
 man_subids = \
+	man1/getsubids.1 \
 	man1/newgidmap.1 \
 	man1/newuidmap.1 \
 	man5/subgid.5 \
@@ -80,6 +81,7 @@ man_XMANS = \
 	expiry.1.xml \
 	faillog.5.xml \
 	faillog.8.xml \
+	getsubids.1.xml \
 	gpasswd.1.xml \
 	groupadd.8.xml \
 	groupdel.8.xml \
@@ -136,6 +138,8 @@ login_defs_v = \
 	FAKE_SHELL.xml \
 	FTMP_FILE.xml \
 	GID_MAX.xml \
+	HMAC_CRYPTO_ALGO.xml \
+	HOME_MODE.xml \
 	HUSHLOGIN_FILE.xml \
 	ISSUE_FILE.xml \
 	KILLCHAR.xml \
@@ -152,6 +156,7 @@ login_defs_v = \
 	MD5_CRYPT_ENAB.xml \
 	MOTD_FILE.xml \
 	NOLOGINS_FILE.xml \
+	NONEXISTENT.xml \
 	OBSCURE_CHECKS_ENAB.xml \
 	PASS_ALWAYS_WARN.xml \
 	PASS_CHANGE_TRIES.xml \

man/chage.1.xml

@@ -102,6 +102,9 @@
 	    Set the number of days since January 1st, 1970 when the password
 	    was last changed. The date may also be expressed in the format
 	    YYYY-MM-DD (or the format more commonly used in your area).
+	    If the <replaceable>LAST_DAY</replaceable> is set to
+	    <emphasis>0</emphasis> the user is forced to change his password
+	    on the next log on.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -118,6 +121,13 @@
 	    contact the system administrator before being able to use the
 	    system again.
 	  </para>
+	  <para>
+	    For example the following can be used to set an account to expire
+	    in 180 days:
+	  </para>
+	  <programlisting>
+	    chage -E $(date -d +180days +%Y-%m-%d)
+	  </programlisting>
 	  <para>
 	    Passing the number <emphasis remap='I'>-1</emphasis> as the
 	    <replaceable>EXPIRE_DATE</replaceable> will remove an account
@@ -239,6 +249,18 @@
       The <command>chage</command> program requires a shadow password file to
       be available.
     </para>
+    <para>
+      The chage program will report only the information from the shadow
+      password file. This implies that configuration from other sources
+      (e.g. LDAP or empty password hash field from the passwd file) that
+      affect the user's login will not be shown in the chage output.
+    </para>
+    <para>
+      The <command>chage</command> program will also not report any
+      inconsistency between the shadow and passwd files (e.g. missing x in
+      the passwd file). The <command>pwck</command> can be used to check
+      for this kind of inconsistencies.
+    </para>
     <para>The <command>chage</command> command is restricted to the root
       user, except for the <option>-l</option> option, which may be used by
       an unprivileged user to determine when their password or account is due

man/cs/man5/gshadow.5

@@ -1,4 +1,4 @@
-.TH "GSHADOW" "5" "11/05/2005" "File Formats and Conversions" "File Formats and Conversions"
+.TH "GSHADOW" "5" "11/05/2005" "File Formats and Configuration Files" "File Formats and Configuration Files"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)

man/cs/man8/groupmems.8

@@ -46,7 +46,7 @@ Vypíše seznam členů skupiny.
 Příkaz
 \fBgroupmems\fR
 by měl mít nastavena práva
-2770
+2710
 a měl by jej vlastnit uživatel
 \fIroot\fR
 a skupina
@@ -58,7 +58,7 @@ spravovat členství ve skupinách.
 .sp
 .nf
 	$ groupadd \-r groups
-	$ chmod 2770 groupmems
+	$ chmod 2710 groupmems
 	$ chown root.groups groupmems
 	$ groupmems \-g groups \-a gk4
 

man/faillog.5.xml

@@ -56,7 +56,7 @@
   <refmeta>
     <refentrytitle>faillog</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc"> File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc"> File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/getsubids.1.xml

@@ -0,0 +1,151 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+   Copyright (c) 2021 Iker Pedrosa
+   All rights reserved.
+
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+   2. Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   3. The name of the copyright holders or contributors may not be used to
+      endorse or promote products derived from this software without
+      specific prior written permission.
+
+   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!-- SHADOW-CONFIG-HERE -->
+]>
+
+<refentry id='getsubids.1'>
+  <refentryinfo>
+    <author>
+      <firstname>Iker</firstname>
+      <surname>Pedrosa</surname>
+      <contrib>Creation, 2021</contrib>
+    </author>
+  </refentryinfo>
+  <refmeta>
+    <refentrytitle>getsubids</refentrytitle>
+    <manvolnum>1</manvolnum>
+    <refmiscinfo class="sectdesc">User Commands</refmiscinfo>
+    <refmiscinfo class="source">shadow-utils</refmiscinfo>
+    <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
+  </refmeta>
+  <refnamediv id='name'>
+    <refname>getsubids</refname>
+    <refpurpose>get the subordinate id ranges for a user</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv id='synopsis'>
+    <cmdsynopsis>
+      <command>getsubids</command>
+      <arg choice='opt'>
+        <replaceable>options</replaceable>
+      </arg>
+      <arg choice='plain'>
+        <replaceable>USER</replaceable>
+      </arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <command>getsubids</command> command lists the subordinate user ID
+      ranges for a given user. The subordinate group IDs can be listed using
+      the <option>-g</option> option.
+    </para>
+  </refsect1>
+
+  <refsect1 id='options'>
+    <title>OPTIONS</title>
+    <para>
+      The options which apply to the <command>getsubids</command> command are:
+    </para>
+    <variablelist remap='IP'>
+      <varlistentry>
+        <term>
+          <option>-g</option>
+        </term>
+        <listitem>
+          <para>
+            List the subordinate group ID ranges.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>-h</option>
+        </term>
+        <listitem>
+          <para>
+            Display help message and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='example'>
+    <title>EXAMPLE</title>
+    <para>
+      For example, to obtain the subordinate UIDs of the testuser:
+    </para>
+    <para>
+<programlisting>
+$ getsubids testuser
+0: testuser 100000 65536
+</programlisting>
+    </para>
+    <para>
+      This command output provides (in order from left to right) the list
+      index, username, UID range start, and number of UIDs in range.
+    </para>
+  </refsect1>
+
+  <refsect1 id='see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>userdel</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
+      <citerefentry>
+        <refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+    </para>
+  </refsect1>
+</refentry>

man/groupadd.8.xml

@@ -229,6 +229,22 @@
 	  </para>
 	</listitem>
       </varlistentry>
+      <varlistentry>
+	<term>
+	  <option>-U</option>, <option>--users</option>
+	</term>
+	<listitem>
+	  <para>
+	    A list of usernames to add as members of the group.
+	  </para>
+	  <para>
+	    The default behavior (if the <option>-g</option>,
+	    <option>-N</option>, and <option>-U</option> options are not
+	    specified) is defined by the <option>USERGROUPS_ENAB</option>
+	    variable in <filename>/etc/login.defs</filename>.
+	  </para>
+	</listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -318,13 +334,13 @@
 	<varlistentry>
 	  <term><replaceable>4</replaceable></term>
 	  <listitem>
-	    <para>GID not unique (when <option>-o</option> not used)</para>
+	    <para>GID is already used (when called without <option>-o</option>)</para>
 	  </listitem>
 	</varlistentry>
 	<varlistentry>
 	  <term><replaceable>9</replaceable></term>
 	  <listitem>
-	    <para>group name not unique</para>
+	    <para>group name is already used</para>
 	  </listitem>
 	</varlistentry>
 	<varlistentry>

man/groupdel.8.xml

@@ -91,6 +91,17 @@
       are:
     </para>
     <variablelist remap='IP'>
+      <varlistentry>
+	<term>
+	  <option>-f</option>, <option>--force</option>
+	</term>
+	<listitem>
+	  <para>
+      This option forces the removal of the group, even if there's some user
+      having the group as the primary one.
+	  </para>
+	</listitem>
+      </varlistentry>
       <varlistentry>
 	<term><option>-h</option>, <option>--help</option></term>
 	<listitem>

man/groupmems.8.xml

@@ -180,7 +180,7 @@
     <title>SETUP</title>
     <para>
       The <command>groupmems</command> executable should be in mode
-      <literal>2770</literal> as user <emphasis>root</emphasis> and in group
+      <literal>2710</literal> as user <emphasis>root</emphasis> and in group
       <emphasis>groups</emphasis>. The system administrator can add users to
       group <emphasis>groups</emphasis> to allow or disallow them using the
       <command>groupmems</command> utility to manage their own group
@@ -189,7 +189,7 @@
 
     <programlisting>
 	$ groupadd -r groups
-	$ chmod 2770 groupmems
+	$ chmod 2710 groupmems
 	$ chown root.groups groupmems
 	$ groupmems -g groups -a gk4
     </programlisting>