Update changelog for 1:4.13+dfsg1-1+deb12u2 release

Closes: #1122913

AUTHORS.md

@@ -0,0 +1,89 @@
+Thanks to at least the following people for sending patches, bug
+reports and various comments. This list may be incomplete, I received
+a lot of mail...
+
+# Maintainers
+* Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
+* Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
+* Serge E. Hallyn <serge@hallyn.com> (2014-now)
+* Christian Brauner <christian@brauner.io> (2019-now)
+* Iker Pedrosa <ipedrosa@redhat.com> (2022-now)
+
+# Authors and contributors
+* Adam Rudnicki <adam@v-lo.krakow.pl>
+* Alan Curry <pacman@tardis.mars.net>
+* Aleksa Sarai <cyphar@cyphar.com>
+* Alexander O. Yuriev <alex@bach.cis.temple.edu>
+* Algis Rudys <arudys@rice.edu>
+* Andreas Jaeger <aj@arthur.rhein-neckar.de>
+* Andy Zaugg <andy.zaugg@gmail.com>
+* Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it>
+* Anton Gluck <gluc@midway.uchicago.edu>
+* Arkadiusz Miskiewicz <misiek@pld.org.pl>
+* Ben Collins <bcollins@debian.org>
+* Brian R. Gaeke <brg@dgate.org>
+* Calle Karlsson <ckn@kash.se>
+* Chip Rosenthal <chip@unicom.com>
+* Chris Evans <lady0110@sable.ox.ac.uk>
+* Chris Lamb <chris@chris-lamb.co.uk>
+* Cristian Gafton <gafton@sorosis.ro>
+* Dan Walsh <dwalsh@redhat.com>
+* Darcy Boese <possum@chardonnay.niagara.com>
+* Dave Hagewood <admin@arrowweb.com>
+* David A. Holland <dholland@hcs.harvard.edu>
+* David Frey <David.Frey@lugs.ch>
+* Ed Carp <ecarp@netcom.com>
+* Ed Neville <ed@s5h.net>
+* Eric W. Biederman" <ebiederm@xmission.com>
+* Floody <flood@evcom.net>
+* Frank Denis <j@4u.net>
+* George Kraft IV <gk4@us.ibm.com>
+* Greg Mortensen <loki@world.std.com>
+* Guido van Rooij
+* Guy Maor <maor@debian.org>
+* Hrvoje Dogan <hdogan@bjesomar.srce.hr>
+* Jakub Hrozek <jhrozek@redhat.com>
+* Janos Farkas <chexum@bankinf.banki.hu>
+* Jason Franklin <jason.franklin@quoininc.com>
+* Jay Soffian <jay@lw.net>
+* Jesse Thilo <Jesse.Thilo@pobox.com>
+* Joey Hess <joey@kite.ml.org>
+* John Adelsberger <jja@umr.edu>
+* Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us>
+* Jon Lewis <jlewis@lewis.org>
+* Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
+* Judd Bourgeois <shagboy@bluesky.net>
+* Juergen Heinzl <unicorn@noris.net>
+* Juha Virtanen <jiivee@iki.fi>
+* Julian Pidancet <julian.pidancet@gmail.com>
+* Julianne Frances Haugh <julie78787@gmail.com>
+* Leonard N. Zubkoff <lnz@dandelion.com>
+* Luca Berra <bluca@www.polimi.it>
+* Lukáš Kuklínek <lkukline@redhat.com>
+* Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
+* Marc Ewing <marc@redhat.com>
+* Martin Bene <mb@sime.com>
+* Martin Mares <mj@gts.cz>
+* Michael Meskes <meskes@topsystem.de>
+* Michael Talbot-Wilson <mike@calypso.bns.com.au>
+* Michael Vetter <jubalh@iodoru.org>
+* Mike Frysinger <vapier@gentoo.org>
+* Mike Pakovic <mpakovic@users.southeast.net>
+* Nicolas François <nicolas.francois@centraliens.net>
+* Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
+* Pavel Machek <pavel@bug.ucw.cz>
+* Peter Vrabec <pvrabec@redhat.com>
+* Phillip Street
+* Rafał Maszkowski <rzm@icm.edu.pl>
+* Rani Chouha <ranibey@smartec.com>
+* Sami Kerola <kerolasa@rocketmail.com>
+* Scott Garman <scott.a.garman@intel.com>
+* Sebastian Rick Rijkers <srrijkers@gmail.com>
+* Seraphim Mellos <mellos@ceid.upatras.gr>
+* Shane Watts <shane@nexus.mlckew.edu.au>
+* Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
+* Thorsten Kukuk <kukuk@suse.de>
+* Tim Hockin <thockin@eagle.ais.net>
+* Timo Karjalainen <timok@iki.fi>
+* Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es>
+* Werner Fink <werner@suse.de>

ChangeLog

@@ -1,3 +1,101 @@
+2022-11-08  Serge Hallyn <serge@hallyn.com>
+
+	* useradd.8: fix default group ID (Tim Biermann)
+	* Revert drop of subid_init() (Serge Hallyn)
+	* Georgian translation (NorwayFun)
+	* useradd: Avoid taking unneeded space: do not reset non-existent data
+	  in lastlog (David Kalnischkies)
+	* relax username restrictions (Alexander Kanavin)
+	* selinux: check MLS enabled before setting serange (genBTC)
+	* copy_tree: use fchmodat instead of chmod (Samanta Navarro)
+	* copy_tree: don't block on FIFOs (Samanta Navarro)
+	* add shell linter (Jan Macku)
+	* copy_tree: carefully treat permissions (Samanta Navarro)
+	* lib/commonio: make lock failures more detailed (Luca BRUNO)
+	* lib: use strzero and memzero where applicable (Christian Göttsche)
+	* Update Dutch translation (Frans Spiesschaert)
+	* Don't test for NULL before calling free (Alex Colomar)
+	* Use libc MAX() and MIN() (Alejandro Colomar)
+	* chage: Fix regression in print_date (Xiami)
+	* usermod: report error if homedir does not exist (Iker Pedrosa)
+	* libmisc: minimum id check for system accounts (Iker Pedrosa)
+	* fix usermod -rG x y wrongly adding a group (xyz)
+	* man: add missing space in useradd.8.xml (Iker Pedrosa)
+	* lastlog: check for localtime() return value (Iker Pedrosa)
+	* Raise limit for passwd and shadow entry length (Iker Pedrosa)
+	* Remove adduser-old.c (Alejandro Colomar)
+	* useradd: Fix buffer overflow when using a prefix (David Michael)
+	* Don't warn when failed to open /etc/nsswitch.conf (Serge Hallyn)
+
+2022-08-15  Serge Hallyn <serge@hallyn.com>
+
+	* Address CVE-2013-4235 (TOCTTOU when copying directories)
+	  (Christian Göttsche)
+
+2022-08-15  Serge Hallyn <serge@hallyn.com>
+
+	* Fix uk manpages
+
+2022-08-08  Serge Hallyn <serge@hallyn.com>
+
+	* Add absolute path hint to --root (Celeste Liu)
+	* Various cleanups (Christian Göttsche)
+	* Fix Ubuntu release used in CI tests (Jeremy Whiting)
+	* add -F options to useradd (and tests) (Masatake YAMATO)
+	* useradd manpage updates (Masatake YAMATO and Alexander Zhang))
+	* Check for ownerid (not just username) in subid ranges (Iker Pedrosa)
+
+2022-07-04  Serge Hallyn <serge@hallyn.com>
+
+	* Declare file local functions static (Christian Göttsche)
+	* Use strict prototypes (Christian Göttsche)
+	* Do not drop const qualifier for Basename (Christian Göttsche)
+	* Constify various pointers (Christian Göttsche)
+	* Don't return uninitialized memory (Christian Göttsche)
+	* Don't let compiler optimize away memory cleaning (Christian Göttsche)
+	* Remove many obsolete compatibility checks  and defines (Alejandro Colomar)
+	* Modify ID range check in useradd (Iker Pedrosa)
+	* Use "extern "C"" to make libsubid easier to use from C++ (Alois Wohlschlager)
+	* French translation updates (bubu)
+	* Fix s/with-pam/with-libpam/ (serge)
+	* Spanish translation updates (Fernando)
+	* French translation fixes (Balint Reczey)
+	* Default max group name length to 32 (Jami Kettunen)
+	* Fix PAM service files without-selinux (Ali Riza KESKIN)
+	* Improve manpages (Markus Hiereth)
+	  - groupadd, useradd, usermod
+	  - groups and id
+	  - pwck
+	* Add fedora to CI builds (Iker Pedrosa)
+	* Fix condition under which pw_dir check happens (Ed Neville)
+	* logoutd: switch to strncat (Steve Grubb)
+	* AUTHORS: improve markdown output (Iker Pedrosa)
+	* Handle ERANGE errors correctly (Niko)
+	* Check for fopen NULL return (juyin)
+	* Split get_salt() into its own fn juyin)
+	* Get salt before chroot to ensure /dev/urandom. (juyin)
+	* Chpasswd code cleanup (juyin)
+	* Work around git safe.directory enforcement (serge)
+	* Alphabetize order in usermod help (Matheus Marques)
+	* Erase password copy on error branches (Christian Göttsche)
+	* Suggest using --badname if needed (Iker Pedrosa)
+	* Update translation files (Iker Pedrosa)
+	* Correct badnames option to badname (Iker Pedrosa)
+	* configure: replace obsolete autoconf macros (Christian Göttsche)
+	* tests: replace egrep with grep -E (Sam James)
+	* Update Ukrainian translations (Yuri Chornoivan)
+	* Cleanups (Iker Pedrosa)
+	  - Remove redeclared variable
+	  - Remove commented out code and FIXMEs
+	  - Add header guards
+	  - Initialize local variables
+	* CI updates (Iker Pedrosa)
+	  - Create github workflow to install dependencies
+	  - Enable CodeQL
+	  - Update actions version
+	* libmisc: use /dev/urandom as fallback if other methods fail (Xi Ruoyao)
+
+
 2022-01-02  Serge Hallyn <serge@hallyn.com>
 
 	* build: include lib/shadowlog_internal.h in dist tarballs (Sam James)

Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -92,13 +92,14 @@ host_triplet = @host@
 subdir = .
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
-	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
-	$(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
-	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
-	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
-	$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \
-	$(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \
-	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 DIST_COMMON = $(srcdir)/Makefile.am $(top_srcdir)/configure \
@@ -144,8 +145,8 @@ am__recursive_targets = \
   $(am__extra_recursive_targets)
 AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
 	cscope distdir distdir-am dist dist-all distcheck
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \
-	$(LISP)config.h.in
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) \
+	config.h.in
 # Read a list of newline-separated strings from the standard input,
 # and print each of them once, without duplicates.  Input order is
 # *not* preserved.
@@ -162,15 +163,12 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
-CSCOPE = cscope
 DIST_SUBDIRS = libmisc lib libsubid src po contrib doc etc man
 am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
 	$(srcdir)/shadow.spec.in $(top_srcdir)/man/po/Makefile.in \
-	ABOUT-NLS COPYING ChangeLog NEWS README TODO compile \
-	config.guess config.rpath config.sub install-sh ltmain.sh \
-	missing
+	ABOUT-NLS AUTHORS.md COPYING ChangeLog NEWS README TODO \
+	compile config.guess config.rpath config.sub install-sh \
+	ltmain.sh missing
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
@@ -209,6 +207,8 @@ am__relativize = \
 DIST_ARCHIVES = $(distdir).tar.gz $(distdir).tar.xz
 GZIP_ENV = --best
 DIST_TARGETS = dist-xz dist-gzip
+# Exists only to be overridden by the user if desired.
+AM_DISTCHECK_DVI_TARGET = dvi
 distuninstallcheck_listfiles = find . -type f -print
 am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
   | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
@@ -226,6 +226,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -237,8 +239,10 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 ECONF_CPPFLAGS = @ECONF_CPPFLAGS@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
@@ -312,6 +316,7 @@ VENDORDIR = @VENDORDIR@
 VERSION = @VERSION@
 XGETTEXT = @XGETTEXT@
 XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
@@ -545,7 +550,6 @@ cscopelist-am: $(am__tagged_files)
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 	-rm -f cscope.out cscope.in.out cscope.po.out cscope.files
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 
@@ -628,6 +632,10 @@ dist-xz: distdir
 	tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
 	$(am__post_remove_distdir)
 
+dist-zstd: distdir
+	tardir=$(distdir) && $(am__tar) | zstd -c $${ZSTD_CLEVEL-$${ZSTD_OPT--19}} >$(distdir).tar.zst
+	$(am__post_remove_distdir)
+
 dist-tarZ: distdir
 	@echo WARNING: "Support for distribution archives compressed with" \
 		       "legacy program 'compress' is deprecated." >&2
@@ -670,6 +678,8 @@ distcheck: dist
 	  eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\
 	*.zip*) \
 	  unzip $(distdir).zip ;;\
+	*.tar.zst*) \
+	  zstd -dc $(distdir).tar.zst | $(am__untar) ;;\
 	esac
 	chmod -R a-w $(distdir)
 	chmod u+w $(distdir)
@@ -685,7 +695,7 @@ distcheck: dist
 	    $(DISTCHECK_CONFIGURE_FLAGS) \
 	    --srcdir=../.. --prefix="$$dc_install_base" \
 	  && $(MAKE) $(AM_MAKEFLAGS) \
-	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
+	  && $(MAKE) $(AM_MAKEFLAGS) $(AM_DISTCHECK_DVI_TARGET) \
 	  && $(MAKE) $(AM_MAKEFLAGS) check \
 	  && $(MAKE) $(AM_MAKEFLAGS) install \
 	  && $(MAKE) $(AM_MAKEFLAGS) installcheck \
@@ -847,18 +857,18 @@ uninstall-am:
 	am--refresh check check-am clean clean-cscope clean-generic \
 	clean-libtool cscope cscopelist-am ctags ctags-am dist \
 	dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \
-	dist-xz dist-zip distcheck distclean distclean-generic \
-	distclean-hdr distclean-libtool distclean-tags distcleancheck \
-	distdir distuninstallcheck dvi dvi-am html html-am info \
-	info-am install install-am install-data install-data-am \
-	install-dvi install-dvi-am install-exec install-exec-am \
-	install-html install-html-am install-info install-info-am \
-	install-man install-pdf install-pdf-am install-ps \
-	install-ps-am install-strip installcheck installcheck-am \
-	installdirs installdirs-am maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-generic \
-	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
-	uninstall-am
+	dist-xz dist-zip dist-zstd distcheck distclean \
+	distclean-generic distclean-hdr distclean-libtool \
+	distclean-tags distcleancheck distdir distuninstallcheck dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs installdirs-am \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-am uninstall uninstall-am
 
 .PRECIOUS: Makefile
 

acinclude.m4

@@ -6,7 +6,7 @@ AC_DEFUN([JH_PATH_XML_CATALOG],
 [
   # check for the presence of the XML catalog
   AC_ARG_WITH([xml-catalog],
-              AC_HELP_STRING([--with-xml-catalog=CATALOG],
+              AS_HELP_STRING([--with-xml-catalog=CATALOG],
                              [path to xml catalog to use]),,
               [with_xml_catalog=/etc/xml/catalog])
   jh_found_xmlcatalog=true

aclocal.m4

@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.16.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.16.5 -*- Autoconf -*-
 
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2021 Free Software Foundation, Inc.
 
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -14,13 +14,13 @@
 m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.69],,
-[m4_warning([this file was generated for autoconf 2.69.
+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.71],,
+[m4_warning([this file was generated for autoconf 2.71.
 You have another version of autoconf.  It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically 'autoreconf'.])])
 
-# Copyright (C) 2002-2018 Free Software Foundation, Inc.
+# Copyright (C) 2002-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -35,7 +35,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
 [am__api_version='1.16'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version.  Point them to the right macro.
-m4_if([$1], [1.16.1], [],
+m4_if([$1], [1.16.5], [],
       [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
 
@@ -51,14 +51,14 @@ m4_define([_AM_AUTOCONF_VERSION], [])
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.16.1])dnl
+[AM_AUTOMAKE_VERSION([1.16.5])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
 _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
 
 # AM_AUX_DIR_EXPAND                                         -*- Autoconf -*-
 
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -110,7 +110,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd`
 
 # AM_CONDITIONAL                                            -*- Autoconf -*-
 
-# Copyright (C) 1997-2018 Free Software Foundation, Inc.
+# Copyright (C) 1997-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -141,7 +141,7 @@ AC_CONFIG_COMMANDS_PRE(
 Usually this means the macro was only invoked conditionally.]])
 fi])])
 
-# Copyright (C) 1999-2018 Free Software Foundation, Inc.
+# Copyright (C) 1999-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -332,7 +332,7 @@ _AM_SUBST_NOTMAKE([am__nodep])dnl
 
 # Generate code to set up dependency tracking.              -*- Autoconf -*-
 
-# Copyright (C) 1999-2018 Free Software Foundation, Inc.
+# Copyright (C) 1999-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -371,7 +371,9 @@ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS],
   done
   if test $am_rc -ne 0; then
     AC_MSG_FAILURE([Something went wrong bootstrapping makefile fragments
-    for automatic dependency tracking.  Try re-running configure with the
+    for automatic dependency tracking.  If GNU make was not used, consider
+    re-running the configure script with MAKE="gmake" (or whatever is
+    necessary).  You can also try re-running configure with the
     '--disable-dependency-tracking' option to at least be able to build
     the package (albeit without support for automatic dependency tracking).])
   fi
@@ -398,7 +400,7 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
 
 # Do all the work for Automake.                             -*- Autoconf -*-
 
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -426,6 +428,10 @@ m4_defn([AC_PROG_CC])
 # release and drop the old call support.
 AC_DEFUN([AM_INIT_AUTOMAKE],
 [AC_PREREQ([2.65])dnl
+m4_ifdef([_$0_ALREADY_INIT],
+  [m4_fatal([$0 expanded multiple times
+]m4_defn([_$0_ALREADY_INIT]))],
+  [m4_define([_$0_ALREADY_INIT], m4_expansion_stack)])dnl
 dnl Autoconf wants to disallow AM_ names.  We explicitly allow
 dnl the ones we care about.
 m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl
@@ -462,7 +468,7 @@ m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl
 [_AM_SET_OPTIONS([$1])dnl
 dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT.
 m4_if(
-  m4_ifdef([AC_PACKAGE_NAME], [ok]):m4_ifdef([AC_PACKAGE_VERSION], [ok]),
+  m4_ifset([AC_PACKAGE_NAME], [ok]):m4_ifset([AC_PACKAGE_VERSION], [ok]),
   [ok:ok],,
   [m4_fatal([AC_INIT should be called with package and version arguments])])dnl
  AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl
@@ -514,6 +520,20 @@ AC_PROVIDE_IFELSE([AC_PROG_OBJCXX],
 		  [m4_define([AC_PROG_OBJCXX],
 			     m4_defn([AC_PROG_OBJCXX])[_AM_DEPENDENCIES([OBJCXX])])])dnl
 ])
+# Variables for tags utilities; see am/tags.am
+if test -z "$CTAGS"; then
+  CTAGS=ctags
+fi
+AC_SUBST([CTAGS])
+if test -z "$ETAGS"; then
+  ETAGS=etags
+fi
+AC_SUBST([ETAGS])
+if test -z "$CSCOPE"; then
+  CSCOPE=cscope
+fi
+AC_SUBST([CSCOPE])
+
 AC_REQUIRE([AM_SILENT_RULES])dnl
 dnl The testsuite driver may need to know about EXEEXT, so add the
 dnl 'am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen.  This
@@ -595,7 +615,7 @@ for _am_header in $config_headers :; do
 done
 echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
 
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -616,7 +636,7 @@ if test x"${install_sh+set}" != xset; then
 fi
 AC_SUBST([install_sh])])
 
-# Copyright (C) 2003-2018 Free Software Foundation, Inc.
+# Copyright (C) 2003-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -638,7 +658,7 @@ AC_SUBST([am__leading_dot])])
 # Add --enable-maintainer-mode option to configure.         -*- Autoconf -*-
 # From Jim Meyering
 
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -673,7 +693,7 @@ AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles])
 
 # Check to see how 'make' treats includes.	            -*- Autoconf -*-
 
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -716,7 +736,7 @@ AC_SUBST([am__quote])])
 
 # Fake the existence of programs that GNU maintainers use.  -*- Autoconf -*-
 
-# Copyright (C) 1997-2018 Free Software Foundation, Inc.
+# Copyright (C) 1997-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -737,12 +757,7 @@ AC_DEFUN([AM_MISSING_HAS_RUN],
 [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
 AC_REQUIRE_AUX_FILE([missing])dnl
 if test x"${MISSING+set}" != xset; then
-  case $am_aux_dir in
-  *\ * | *\	*)
-    MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;;
-  *)
-    MISSING="\${SHELL} $am_aux_dir/missing" ;;
-  esac
+  MISSING="\${SHELL} '$am_aux_dir/missing'"
 fi
 # Use eval to expand $SHELL
 if eval "$MISSING --is-lightweight"; then
@@ -753,41 +768,9 @@ else
 fi
 ])
 
-# Copyright (C) 2003-2018 Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# AM_PROG_MKDIR_P
-# ---------------
-# Check for 'mkdir -p'.
-AC_DEFUN([AM_PROG_MKDIR_P],
-[AC_PREREQ([2.60])dnl
-AC_REQUIRE([AC_PROG_MKDIR_P])dnl
-dnl FIXME we are no longer going to remove this! adjust warning
-dnl FIXME message accordingly.
-AC_DIAGNOSE([obsolete],
-[$0: this macro is deprecated, and will soon be removed.
-You should use the Autoconf-provided 'AC][_PROG_MKDIR_P' macro instead,
-and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files.])
-dnl Automake 1.8 to 1.9.6 used to define mkdir_p.  We now use MKDIR_P,
-dnl while keeping a definition of mkdir_p for backward compatibility.
-dnl @MKDIR_P@ is magic: AC_OUTPUT adjusts its value for each Makefile.
-dnl However we cannot define mkdir_p as $(MKDIR_P) for the sake of
-dnl Makefile.ins that do not define MKDIR_P, so we do our own
-dnl adjustment using top_builddir (which is defined more often than
-dnl MKDIR_P).
-AC_SUBST([mkdir_p], ["$MKDIR_P"])dnl
-case $mkdir_p in
-  [[\\/$]]* | ?:[[\\/]]*) ;;
-  */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;;
-esac
-])
-
 # Helper functions for option handling.                     -*- Autoconf -*-
 
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -816,7 +799,7 @@ AC_DEFUN([_AM_SET_OPTIONS],
 AC_DEFUN([_AM_IF_OPTION],
 [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
 
-# Copyright (C) 1999-2018 Free Software Foundation, Inc.
+# Copyright (C) 1999-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -863,7 +846,7 @@ AC_LANG_POP([C])])
 # For backward compatibility.
 AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])])
 
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -882,7 +865,7 @@ AC_DEFUN([AM_RUN_LOG],
 
 # Check to make sure that the build environment is sane.    -*- Autoconf -*-
 
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -963,7 +946,7 @@ AC_CONFIG_COMMANDS_PRE(
 rm -f conftest.file
 ])
 
-# Copyright (C) 2009-2018 Free Software Foundation, Inc.
+# Copyright (C) 2009-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1023,7 +1006,7 @@ AC_SUBST([AM_BACKSLASH])dnl
 _AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl
 ])
 
-# Copyright (C) 2001-2018 Free Software Foundation, Inc.
+# Copyright (C) 2001-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1051,7 +1034,7 @@ fi
 INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
 AC_SUBST([INSTALL_STRIP_PROGRAM])])
 
-# Copyright (C) 2006-2018 Free Software Foundation, Inc.
+# Copyright (C) 2006-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1070,7 +1053,7 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
 
 # Check how to create a tarball.                            -*- Autoconf -*-
 
-# Copyright (C) 2004-2018 Free Software Foundation, Inc.
+# Copyright (C) 2004-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -1203,6 +1186,7 @@ AC_SUBST([am__untar])
 
 m4_include([m4/gettext.m4])
 m4_include([m4/iconv.m4])
+m4_include([m4/intlmacosx.m4])
 m4_include([m4/lib-ld.m4])
 m4_include([m4/lib-link.m4])
 m4_include([m4/lib-prefix.m4])

compile

@@ -3,7 +3,7 @@
 
 scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1999-2018 Free Software Foundation, Inc.
+# Copyright (C) 1999-2021 Free Software Foundation, Inc.
 # Written by Tom Tromey <tromey@cygnus.com>.
 #
 # This program is free software; you can redistribute it and/or modify
@@ -53,7 +53,7 @@ func_file_conv ()
 	  MINGW*)
 	    file_conv=mingw
 	    ;;
-	  CYGWIN*)
+	  CYGWIN* | MSYS*)
 	    file_conv=cygwin
 	    ;;
 	  *)
@@ -67,7 +67,7 @@ func_file_conv ()
 	mingw/*)
 	  file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
 	  ;;
-	cygwin/*)
+	cygwin/* | msys/*)
 	  file=`cygpath -m "$file" || echo "$file"`
 	  ;;
 	wine/*)

config.h.in

@@ -39,11 +39,11 @@
 /* Define to 1 if you have the <attr/libattr.h> header file. */
 #undef HAVE_ATTR_LIBATTR_H
 
-/* Define to 1 if you have the MacOS X function CFLocaleCopyCurrent in the
+/* Define to 1 if you have the Mac OS X function CFLocaleCopyCurrent in the
    CoreFoundation framework. */
 #undef HAVE_CFLOCALECOPYCURRENT
 
-/* Define to 1 if you have the MacOS X function CFPreferencesCopyAppValue in
+/* Define to 1 if you have the Mac OS X function CFPreferencesCopyAppValue in
    the CoreFoundation framework. */
 #undef HAVE_CFPREFERENCESCOPYAPPVALUE
 
@@ -70,19 +70,15 @@
    if you don't. */
 #undef HAVE_DECL_PAM_NEW_AUTHTOK_REQD
 
-/* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'.
-   */
-#undef HAVE_DIRENT_H
-
 /* Define to 1 if you have the <dlfcn.h> header file. */
 #undef HAVE_DLFCN_H
 
-/* Define to 1 if you have the `dlopen' function. */
-#undef HAVE_DLOPEN
-
 /* Define to 1 if you have the <errno.h> header file. */
 #undef HAVE_ERRNO_H
 
+/* Define to 1 if you have the `explicit_bzero' function. */
+#undef HAVE_EXPLICIT_BZERO
+
 /* Define to 1 if you have the `fchmod' function. */
 #undef HAVE_FCHMOD
 
@@ -98,9 +94,6 @@
 /* Define to 1 if you have the `futimes' function. */
 #undef HAVE_FUTIMES
 
-/* Define to 1 if you have the `getaddrinfo' function. */
-#undef HAVE_GETADDRINFO
-
 /* Define to 1 if you have the `getentropy' function. */
 #undef HAVE_GETENTROPY
 
@@ -110,9 +103,6 @@
 /* Define to 1 if you have the `getgrnam_r' function. */
 #undef HAVE_GETGRNAM_R
 
-/* Define to 1 if you have the `gethostname' function. */
-#undef HAVE_GETHOSTNAME
-
 /* Define to 1 if you have the `getpwnam_r' function. */
 #undef HAVE_GETPWNAM_R
 
@@ -131,9 +121,6 @@
 /* Define if the GNU gettext() function is already present or preinstalled. */
 #undef HAVE_GETTEXT
 
-/* Define to 1 if you have the `gettimeofday' function. */
-#undef HAVE_GETTIMEOFDAY
-
 /* Define to 1 if you have the `getusershell' function. */
 #undef HAVE_GETUSERSHELL
 
@@ -143,7 +130,7 @@
 /* Define to 1 if you have the <gshadow.h> header file. */
 #undef HAVE_GSHADOW_H
 
-/* Define if you have the iconv() function. */
+/* Define if you have the iconv() function and it works. */
 #undef HAVE_ICONV
 
 /* Define to 1 if you have the `initgroups' function. */
@@ -161,9 +148,6 @@
 /* Define to 1 if you have the <lastlog.h> header file. */
 #undef HAVE_LASTLOG_H
 
-/* Define to 1 if you have the `lchown' function. */
-#undef HAVE_LCHOWN
-
 /* Define to 1 if you have the `lckpwdf' function. */
 #undef HAVE_LCKPWDF
 
@@ -191,21 +175,18 @@
 /* Define to 1 if you have the <locale.h> header file. */
 #undef HAVE_LOCALE_H
 
-/* Define to 1 if you have the `lstat' function. */
-#undef HAVE_LSTAT
-
 /* Define to 1 if you have the `lutimes' function. */
 #undef HAVE_LUTIMES
 
-/* Define to 1 if you have the <memory.h> header file. */
-#undef HAVE_MEMORY_H
+/* Define to 1 if you have the `memset_s' function. */
+#undef HAVE_MEMSET_S
+
+/* Define to 1 if you have the <minix/config.h> header file. */
+#undef HAVE_MINIX_CONFIG_H
 
 /* Define to 1 if you have the `mkdir' function. */
 #undef HAVE_MKDIR
 
-/* Define to 1 if you have the <ndir.h> header file, and it defines `DIR'. */
-#undef HAVE_NDIR_H
-
 /* Define to 1 if you have the <netdb.h> header file. */
 #undef HAVE_NETDB_H
 
@@ -230,9 +211,6 @@
 /* Define to 1 if you have the <rpc/key_prot.h> header file. */
 #undef HAVE_RPC_KEY_PROT_H
 
-/* Define to 1 if you have the `ruserok' function. */
-#undef HAVE_RUSEROK
-
 /* Define to 1 if you have the <security/openpam.h> header file. */
 #undef HAVE_SECURITY_OPENPAM_H
 
@@ -263,9 +241,6 @@
 /* Have working shadow group support in libc */
 #undef HAVE_SHADOWGRP
 
-/* Define to 1 if you have the `sigaction' function. */
-#undef HAVE_SIGACTION
-
 /* Define to 1 if you have the `snprintf' function. */
 #undef HAVE_SNPRINTF
 
@@ -275,15 +250,15 @@
 /* Define to 1 if you have the <stdint.h> header file. */
 #undef HAVE_STDINT_H
 
+/* Define to 1 if you have the <stdio.h> header file. */
+#undef HAVE_STDIO_H
+
 /* Define to 1 if you have the <stdlib.h> header file. */
 #undef HAVE_STDLIB_H
 
 /* Define to 1 if you have the `strcasecmp' function. */
 #undef HAVE_STRCASECMP
 
-/* Define to 1 if you have the `strchr' function. */
-#undef HAVE_STRCHR
-
 /* Define to 1 if you have the `strdup' function. */
 #undef HAVE_STRDUP
 
@@ -311,9 +286,6 @@
 /* Define to 1 if `st_mtimensec' is a member of `struct stat'. */
 #undef HAVE_STRUCT_STAT_ST_MTIMENSEC
 
-/* Define to 1 if `st_rdev' is a member of `struct stat'. */
-#undef HAVE_STRUCT_STAT_ST_RDEV
-
 /* Define to 1 if `ut_addr' is a member of `struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_ADDR
 
@@ -374,17 +346,9 @@
 /* Define to 1 if you have the <sys/capability.h> header file. */
 #undef HAVE_SYS_CAPABILITY_H
 
-/* Define to 1 if you have the <sys/dir.h> header file, and it defines `DIR'.
-   */
-#undef HAVE_SYS_DIR_H
-
 /* Define to 1 if you have the <sys/ioctl.h> header file. */
 #undef HAVE_SYS_IOCTL_H
 
-/* Define to 1 if you have the <sys/ndir.h> header file, and it defines `DIR'.
-   */
-#undef HAVE_SYS_NDIR_H
-
 /* Define to 1 if you have the <sys/random.h> header file. */
 #undef HAVE_SYS_RANDOM_H
 
@@ -403,9 +367,6 @@
 /* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
 
-/* Define to 1 if you have <sys/wait.h> that is POSIX.1 compatible. */
-#undef HAVE_SYS_WAIT_H
-
 /* Define to 1 if you have the <tcb.h> header file. */
 #undef HAVE_TCB_H
 
@@ -439,6 +400,9 @@
 /* Define to 1 if you have the <utmp.h> header file. */
 #undef HAVE_UTMP_H
 
+/* Define to 1 if you have the <wchar.h> header file. */
+#undef HAVE_WCHAR_H
+
 /* Define to 1 if the system has the type `_Bool'. */
 #undef HAVE__BOOL
 
@@ -478,9 +442,6 @@
 /* Path to passwd program. */
 #undef PASSWD_PROGRAM
 
-/* Define as the return type of signal handlers (`int' or `void'). */
-#undef RETSIGTYPE
-
 /* Define if login should support the -r flag for rlogind. */
 #undef RLOGIN
 
@@ -508,18 +469,14 @@
 /* Define to support newer BSD S/Key API */
 #undef SKEY_BSD_STYLE
 
-/* Define to 1 if the `S_IS*' macros in <sys/stat.h> do not work properly. */
-#undef STAT_MACROS_BROKEN
-
-/* Define to 1 if you have the ANSI C header files. */
+/* Define to 1 if all of the C90 standard headers exist (not just the ones
+   required in a freestanding environment). This macro is provided for
+   backward compatibility; new code need not use it. */
 #undef STDC_HEADERS
 
 /* Define to support /etc/suauth su access control. */
 #undef SU_ACCESS
 
-/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
-#undef TIME_WITH_SYS_TIME
-
 /* Define to 1 if your <sys/time.h> declares `struct tm'. */
 #undef TM_IN_SYS_TIME
 
@@ -545,21 +502,87 @@
 #ifndef _ALL_SOURCE
 # undef _ALL_SOURCE
 #endif
+/* Enable general extensions on macOS.  */
+#ifndef _DARWIN_C_SOURCE
+# undef _DARWIN_C_SOURCE
+#endif
+/* Enable general extensions on Solaris.  */
+#ifndef __EXTENSIONS__
+# undef __EXTENSIONS__
+#endif
 /* Enable GNU extensions on systems that have them.  */
 #ifndef _GNU_SOURCE
 # undef _GNU_SOURCE
 #endif
-/* Enable threading extensions on Solaris.  */
+/* Enable X/Open compliant socket functions that do not require linking
+   with -lxnet on HP-UX 11.11.  */
+#ifndef _HPUX_ALT_XOPEN_SOCKET_API
+# undef _HPUX_ALT_XOPEN_SOCKET_API
+#endif
+/* Identify the host operating system as Minix.
+   This macro does not affect the system headers' behavior.
+   A future release of Autoconf may stop defining this macro.  */
+#ifndef _MINIX
+# undef _MINIX
+#endif
+/* Enable general extensions on NetBSD.
+   Enable NetBSD compatibility extensions on Minix.  */
+#ifndef _NETBSD_SOURCE
+# undef _NETBSD_SOURCE
+#endif
+/* Enable OpenBSD compatibility extensions on NetBSD.
+   Oddly enough, this does nothing on OpenBSD.  */
+#ifndef _OPENBSD_SOURCE
+# undef _OPENBSD_SOURCE
+#endif
+/* Define to 1 if needed for POSIX-compatible behavior.  */
+#ifndef _POSIX_SOURCE
+# undef _POSIX_SOURCE
+#endif
+/* Define to 2 if needed for POSIX-compatible behavior.  */
+#ifndef _POSIX_1_SOURCE
+# undef _POSIX_1_SOURCE
+#endif
+/* Enable POSIX-compatible threading on Solaris.  */
 #ifndef _POSIX_PTHREAD_SEMANTICS
 # undef _POSIX_PTHREAD_SEMANTICS
 #endif
+/* Enable extensions specified by ISO/IEC TS 18661-5:2014.  */
+#ifndef __STDC_WANT_IEC_60559_ATTRIBS_EXT__
+# undef __STDC_WANT_IEC_60559_ATTRIBS_EXT__
+#endif
+/* Enable extensions specified by ISO/IEC TS 18661-1:2014.  */
+#ifndef __STDC_WANT_IEC_60559_BFP_EXT__
+# undef __STDC_WANT_IEC_60559_BFP_EXT__
+#endif
+/* Enable extensions specified by ISO/IEC TS 18661-2:2015.  */
+#ifndef __STDC_WANT_IEC_60559_DFP_EXT__
+# undef __STDC_WANT_IEC_60559_DFP_EXT__
+#endif
+/* Enable extensions specified by ISO/IEC TS 18661-4:2015.  */
+#ifndef __STDC_WANT_IEC_60559_FUNCS_EXT__
+# undef __STDC_WANT_IEC_60559_FUNCS_EXT__
+#endif
+/* Enable extensions specified by ISO/IEC TS 18661-3:2015.  */
+#ifndef __STDC_WANT_IEC_60559_TYPES_EXT__
+# undef __STDC_WANT_IEC_60559_TYPES_EXT__
+#endif
+/* Enable extensions specified by ISO/IEC TR 24731-2:2010.  */
+#ifndef __STDC_WANT_LIB_EXT2__
+# undef __STDC_WANT_LIB_EXT2__
+#endif
+/* Enable extensions specified by ISO/IEC 24747:2009.  */
+#ifndef __STDC_WANT_MATH_SPEC_FUNCS__
+# undef __STDC_WANT_MATH_SPEC_FUNCS__
+#endif
 /* Enable extensions on HP NonStop.  */
 #ifndef _TANDEM_SOURCE
 # undef _TANDEM_SOURCE
 #endif
-/* Enable general extensions on Solaris.  */
-#ifndef __EXTENSIONS__
-# undef __EXTENSIONS__
+/* Enable X/Open extensions.  Define to 500 only if necessary
+   to make mbstate_t available.  */
+#ifndef _XOPEN_SOURCE
+# undef _XOPEN_SOURCE
 #endif
 
 
@@ -593,47 +616,20 @@
 /* Build shadow with tcb support (incomplete) */
 #undef WITH_TCB
 
-/* Enable large inode numbers on Mac OS X 10.5.  */
-#ifndef _DARWIN_USE_64_BIT_INODE
-# define _DARWIN_USE_64_BIT_INODE 1
-#endif
-
 /* Number of bits in a file offset, on hosts where this is settable. */
 #undef _FILE_OFFSET_BITS
 
 /* Define for large files, on AIX-style hosts. */
 #undef _LARGE_FILES
 
-/* Define to 1 if on MINIX. */
-#undef _MINIX
-
-/* Define to 2 if the system does not provide POSIX.1 features except with
-   this defined. */
-#undef _POSIX_1_SOURCE
-
-/* Define to 1 if you need to in order for `stat' and other things to work. */
-#undef _POSIX_SOURCE
-
 /* Path for utmp file. */
 #undef _UTMP_FILE
 
 /* Path for wtmp file. */
 #undef _WTMP_FILE
 
-/* Define to empty if `const' does not conform to ANSI C. */
-#undef const
-
 /* Define to `int' if <sys/types.h> doesn't define. */
 #undef gid_t
 
-/* Define to `int' if <sys/types.h> does not define. */
-#undef mode_t
-
-/* Define to `long int' if <sys/types.h> does not define. */
-#undef off_t
-
-/* Define to `int' if <sys/types.h> does not define. */
-#undef pid_t
-
 /* Define to `int' if <sys/types.h> doesn't define. */
 #undef uid_t

config.rpath

@@ -2,7 +2,7 @@
 # Output a system dependent set of variables, describing how to set the
 # run time search path of shared libraries in an executable.
 #
-#   Copyright 1996-2006 Free Software Foundation, Inc.
+#   Copyright 1996-2014 Free Software Foundation, Inc.
 #   Taken from GNU libtool, 2001
 #   Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 #
@@ -25,7 +25,7 @@
 #   known workaround is to choose shorter directory names for the build
 #   directory and/or the installation directory.
 
-# All known linkers require a `.a' archive for static linking (except MSVC,
+# All known linkers require a '.a' archive for static linking (except MSVC,
 # which needs '.lib').
 libext=a
 shrext=.so
@@ -47,7 +47,7 @@ for cc_temp in $CC""; do
 done
 cc_basename=`echo "$cc_temp" | sed -e 's%^.*/%%'`
 
-# Code taken from libtool.m4's AC_LIBTOOL_PROG_COMPILER_PIC.
+# Code taken from libtool.m4's _LT_COMPILER_PIC.
 
 wl=
 if test "$GCC" = yes; then
@@ -57,14 +57,7 @@ else
     aix*)
       wl='-Wl,'
       ;;
-    darwin*)
-      case $cc_basename in
-        xlc*)
-          wl='-Wl,'
-          ;;
-      esac
-      ;;
-    mingw* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2* | cegcc*)
       ;;
     hpux9* | hpux10* | hpux11*)
       wl='-Wl,'
@@ -72,24 +65,37 @@ else
     irix5* | irix6* | nonstopux*)
       wl='-Wl,'
       ;;
-    newsos6)
-      ;;
-    linux*)
+    linux* | k*bsd*-gnu | kopensolaris*-gnu)
       case $cc_basename in
-        icc* | ecc*)
+        ecc*)
           wl='-Wl,'
           ;;
-        pgcc | pgf77 | pgf90)
+        icc* | ifort*)
+          wl='-Wl,'
+          ;;
+        lf95*)
+          wl='-Wl,'
+          ;;
+        nagfor*)
+          wl='-Wl,-Wl,,'
+          ;;
+        pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*)
           wl='-Wl,'
           ;;
         ccc*)
           wl='-Wl,'
           ;;
+        xl* | bgxl* | bgf* | mpixl*)
+          wl='-Wl,'
+          ;;
         como)
           wl='-lopt='
           ;;
         *)
           case `$CC -V 2>&1 | sed 5q` in
+            *Sun\ F* | *Sun*Fortran*)
+              wl=
+              ;;
             *Sun\ C*)
               wl='-Wl,'
               ;;
@@ -97,22 +103,36 @@ else
           ;;
       esac
       ;;
+    newsos6)
+      ;;
+    *nto* | *qnx*)
+      ;;
     osf3* | osf4* | osf5*)
       wl='-Wl,'
       ;;
-    sco3.2v5*)
+    rdos*)
       ;;
     solaris*)
-      wl='-Wl,'
+      case $cc_basename in
+        f77* | f90* | f95* | sunf77* | sunf90* | sunf95*)
+          wl='-Qoption ld '
+          ;;
+        *)
+          wl='-Wl,'
+          ;;
+      esac
       ;;
     sunos4*)
       wl='-Qoption ld '
       ;;
-    sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+    sysv4 | sysv4.2uw2* | sysv4.3*)
       wl='-Wl,'
       ;;
     sysv4*MP*)
       ;;
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      wl='-Wl,'
+      ;;
     unicos*)
       wl='-Wl,'
       ;;
@@ -121,7 +141,7 @@ else
   esac
 fi
 
-# Code taken from libtool.m4's AC_LIBTOOL_PROG_LD_SHLIBS.
+# Code taken from libtool.m4's _LT_LINKER_SHLIBS.
 
 hardcode_libdir_flag_spec=
 hardcode_libdir_separator=
@@ -129,7 +149,7 @@ hardcode_direct=no
 hardcode_minus_L=no
 
 case "$host_os" in
-  cygwin* | mingw* | pw32*)
+  cygwin* | mingw* | pw32* | cegcc*)
     # FIXME: the MSVC++ port hasn't been tested in a loooong time
     # When not using gcc, we currently assume that we are using
     # Microsoft Visual C++.
@@ -155,22 +175,21 @@ if test "$with_gnu_ld" = yes; then
   # option of GNU ld is called -rpath, not --rpath.
   hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
   case "$host_os" in
-    aix3* | aix4* | aix5*)
+    aix[3-9]*)
       # On AIX/PPC, the GNU linker is very broken
       if test "$host_cpu" != ia64; then
         ld_shlibs=no
       fi
       ;;
     amigaos*)
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_minus_L=yes
-      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
-      # that the semantics of dynamic libraries on AmigaOS, at least up
-      # to version 4, is to share data among multiple programs linked
-      # with the same dynamic library.  Since this doesn't match the
-      # behavior of shared libraries on other platforms, we cannot use
-      # them.
-      ld_shlibs=no
+      case "$host_cpu" in
+        powerpc)
+          ;;
+        m68k)
+          hardcode_libdir_flag_spec='-L$libdir'
+          hardcode_minus_L=yes
+          ;;
+      esac
       ;;
     beos*)
       if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
@@ -179,7 +198,7 @@ if test "$with_gnu_ld" = yes; then
         ld_shlibs=no
       fi
       ;;
-    cygwin* | mingw* | pw32*)
+    cygwin* | mingw* | pw32* | cegcc*)
       # hardcode_libdir_flag_spec is actually meaningless, as there is
       # no search path for DLLs.
       hardcode_libdir_flag_spec='-L$libdir'
@@ -189,11 +208,13 @@ if test "$with_gnu_ld" = yes; then
         ld_shlibs=no
       fi
       ;;
-    interix3*)
+    haiku*)
+      ;;
+    interix[3-9]*)
       hardcode_direct=no
       hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
       ;;
-    linux*)
+    gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu)
       if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
         :
       else
@@ -251,7 +272,7 @@ else
         hardcode_direct=unsupported
       fi
       ;;
-    aix4* | aix5*)
+    aix[4-9]*)
       if test "$host_cpu" = ia64; then
         # On IA64, the linker does run time linking by default, so we don't
         # have to do anything special.
@@ -261,7 +282,7 @@ else
         # Test if we are trying to use run time linking or normal
         # AIX style linking. If -brtl is somewhere in LDFLAGS, we
         # need to do runtime linking.
-        case $host_os in aix4.[23]|aix4.[23].*|aix5*)
+        case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
           for ld_flag in $LDFLAGS; do
             if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
               aix_use_runtimelinking=yes
@@ -280,7 +301,7 @@ else
             strings "$collect2name" | grep resolve_lib_name >/dev/null
           then
             # We have reworked collect2
-            hardcode_direct=yes
+            :
           else
             # We have old collect2
             hardcode_direct=unsupported
@@ -316,14 +337,18 @@ else
       fi
       ;;
     amigaos*)
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_minus_L=yes
-      # see comment about different semantics on the GNU ld section
-      ld_shlibs=no
+      case "$host_cpu" in
+        powerpc)
+          ;;
+        m68k)
+          hardcode_libdir_flag_spec='-L$libdir'
+          hardcode_minus_L=yes
+          ;;
+      esac
       ;;
     bsdi[45]*)
       ;;
-    cygwin* | mingw* | pw32*)
+    cygwin* | mingw* | pw32* | cegcc*)
       # When not using gcc, we currently assume that we are using
       # Microsoft Visual C++.
       # hardcode_libdir_flag_spec is actually meaningless, as there is
@@ -333,24 +358,15 @@ else
       ;;
     darwin* | rhapsody*)
       hardcode_direct=no
-      if test "$GCC" = yes ; then
+      if { case $cc_basename in ifort*) true;; *) test "$GCC" = yes;; esac; }; then
         :
       else
-        case $cc_basename in
-          xlc*)
-            ;;
-          *)
-            ld_shlibs=no
-            ;;
-        esac
+        ld_shlibs=no
       fi
       ;;
     dgux*)
       hardcode_libdir_flag_spec='-L$libdir'
       ;;
-    freebsd1*)
-      ld_shlibs=no
-      ;;
     freebsd2.2*)
       hardcode_libdir_flag_spec='-R$libdir'
       hardcode_direct=yes
@@ -359,7 +375,7 @@ else
       hardcode_direct=yes
       hardcode_minus_L=yes
       ;;
-    freebsd* | kfreebsd*-gnu | dragonfly*)
+    freebsd* | dragonfly*)
       hardcode_libdir_flag_spec='-R$libdir'
       hardcode_direct=yes
       ;;
@@ -411,19 +427,25 @@ else
       hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
       hardcode_libdir_separator=:
       ;;
+    *nto* | *qnx*)
+      ;;
     openbsd*)
-      hardcode_direct=yes
-      if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-        hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+      if test -f /usr/libexec/ld.so; then
+        hardcode_direct=yes
+        if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+          hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+        else
+          case "$host_os" in
+            openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
+              hardcode_libdir_flag_spec='-R$libdir'
+              ;;
+            *)
+              hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+              ;;
+          esac
+        fi
       else
-        case "$host_os" in
-          openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
-            hardcode_libdir_flag_spec='-R$libdir'
-            ;;
-          *)
-            hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
-            ;;
-        esac
+        ld_shlibs=no
       fi
       ;;
     os2*)
@@ -471,7 +493,7 @@ else
         ld_shlibs=yes
       fi
       ;;
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*)
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
       ;;
     sysv5* | sco3.2v5* | sco5v6*)
       hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
@@ -487,34 +509,58 @@ else
 fi
 
 # Check dynamic linker characteristics
-# Code taken from libtool.m4's AC_LIBTOOL_SYS_DYNAMIC_LINKER.
+# Code taken from libtool.m4's _LT_SYS_DYNAMIC_LINKER.
+# Unlike libtool.m4, here we don't care about _all_ names of the library, but
+# only about the one the linker finds when passed -lNAME. This is the last
+# element of library_names_spec in libtool.m4, or possibly two of them if the
+# linker has special search rules.
+library_names_spec=      # the last element of library_names_spec in libtool.m4
 libname_spec='lib$name'
 case "$host_os" in
   aix3*)
+    library_names_spec='$libname.a'
     ;;
-  aix4* | aix5*)
+  aix[4-9]*)
+    library_names_spec='$libname$shrext'
     ;;
   amigaos*)
+    case "$host_cpu" in
+      powerpc*)
+        library_names_spec='$libname$shrext' ;;
+      m68k)
+        library_names_spec='$libname.a' ;;
+    esac
     ;;
   beos*)
+    library_names_spec='$libname$shrext'
     ;;
   bsdi[45]*)
+    library_names_spec='$libname$shrext'
     ;;
-  cygwin* | mingw* | pw32*)
+  cygwin* | mingw* | pw32* | cegcc*)
     shrext=.dll
+    library_names_spec='$libname.dll.a $libname.lib'
     ;;
   darwin* | rhapsody*)
     shrext=.dylib
+    library_names_spec='$libname$shrext'
     ;;
   dgux*)
-    ;;
-  freebsd1*)
-    ;;
-  kfreebsd*-gnu)
+    library_names_spec='$libname$shrext'
     ;;
   freebsd* | dragonfly*)
+    case "$host_os" in
+      freebsd[123]*)
+        library_names_spec='$libname$shrext$versuffix' ;;
+      *)
+        library_names_spec='$libname$shrext' ;;
+    esac
     ;;
   gnu*)
+    library_names_spec='$libname$shrext'
+    ;;
+  haiku*)
+    library_names_spec='$libname$shrext'
     ;;
   hpux9* | hpux10* | hpux11*)
     case $host_cpu in
@@ -528,10 +574,13 @@ case "$host_os" in
         shrext=.sl
         ;;
     esac
+    library_names_spec='$libname$shrext'
     ;;
-  interix3*)
+  interix[3-9]*)
+    library_names_spec='$libname$shrext'
     ;;
   irix5* | irix6* | nonstopux*)
+    library_names_spec='$libname$shrext'
     case "$host_os" in
       irix5* | nonstopux*)
         libsuff= shlibsuff=
@@ -548,41 +597,62 @@ case "$host_os" in
     ;;
   linux*oldld* | linux*aout* | linux*coff*)
     ;;
-  linux*)
+  linux* | k*bsd*-gnu | kopensolaris*-gnu)
+    library_names_spec='$libname$shrext'
     ;;
   knetbsd*-gnu)
+    library_names_spec='$libname$shrext'
     ;;
   netbsd*)
+    library_names_spec='$libname$shrext'
     ;;
   newsos6)
+    library_names_spec='$libname$shrext'
     ;;
-  nto-qnx*)
+  *nto* | *qnx*)
+    library_names_spec='$libname$shrext'
     ;;
   openbsd*)
+    library_names_spec='$libname$shrext$versuffix'
     ;;
   os2*)
     libname_spec='$name'
     shrext=.dll
+    library_names_spec='$libname.a'
     ;;
   osf3* | osf4* | osf5*)
+    library_names_spec='$libname$shrext'
+    ;;
+  rdos*)
     ;;
   solaris*)
+    library_names_spec='$libname$shrext'
     ;;
   sunos4*)
+    library_names_spec='$libname$shrext$versuffix'
     ;;
   sysv4 | sysv4.3*)
+    library_names_spec='$libname$shrext'
     ;;
   sysv4*MP*)
+    library_names_spec='$libname$shrext'
     ;;
   sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+    library_names_spec='$libname$shrext'
+    ;;
+  tpf*)
+    library_names_spec='$libname$shrext'
     ;;
   uts4*)
+    library_names_spec='$libname$shrext'
     ;;
 esac
 
 sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
 escaped_wl=`echo "X$wl" | sed -e 's/^X//' -e "$sed_quote_subst"`
 shlibext=`echo "$shrext" | sed -e 's,^\.,,'`
+escaped_libname_spec=`echo "X$libname_spec" | sed -e 's/^X//' -e "$sed_quote_subst"`
+escaped_library_names_spec=`echo "X$library_names_spec" | sed -e 's/^X//' -e "$sed_quote_subst"`
 escaped_hardcode_libdir_flag_spec=`echo "X$hardcode_libdir_flag_spec" | sed -e 's/^X//' -e "$sed_quote_subst"`
 
 LC_ALL=C sed -e 's/^\([a-zA-Z0-9_]*\)=/acl_cv_\1=/' <<EOF
@@ -596,6 +666,12 @@ libext="$libext"
 # Shared library suffix (normally "so").
 shlibext="$shlibext"
 
+# Format of library name prefix.
+libname_spec="$escaped_libname_spec"
+
+# Library names that the linker finds when passed -lNAME.
+library_names_spec="$escaped_library_names_spec"
+
 # Flag to hardcode \$libdir into a binary during linking.
 # This must work even if \$libdir does not exist.
 hardcode_libdir_flag_spec="$escaped_hardcode_libdir_flag_spec"

configure.ac

@@ -4,7 +4,7 @@ m4_define([libsubid_abi_major], 4)
 m4_define([libsubid_abi_minor], 0)
 m4_define([libsubid_abi_micro], 0)
 m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
-AC_INIT([shadow], [4.11.1], [pkg-shadow-devel@lists.alioth.debian.org], [],
+AC_INIT([shadow], [4.13], [pkg-shadow-devel@lists.alioth.debian.org], [],
 	[https://github.com/shadow-maint/shadow])
 AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -20,26 +20,22 @@ dnl Some hacks...
 test "$prefix" = "NONE" && prefix="/usr"
 test "$prefix" = "/usr" && exec_prefix=""
 
-AC_GNU_SOURCE
+AC_USE_SYSTEM_EXTENSIONS
 
-AM_ENABLE_STATIC
-AM_ENABLE_SHARED
+AC_ENABLE_STATIC
+AC_ENABLE_SHARED
 
 AM_MAINTAINER_MODE
 
 dnl Checks for programs.
 AC_PROG_CC
-AC_ISC_POSIX
 AC_PROG_LN_S
 AC_PROG_YACC
-AM_PROG_LIBTOOL
+LT_INIT
 
 dnl Checks for libraries.
 
 dnl Checks for header files.
-AC_HEADER_DIRENT
-AC_HEADER_STDC
-AC_HEADER_SYS_WAIT
 AC_HEADER_STDBOOL
 
 AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
@@ -52,26 +48,18 @@ dnl shadow now uses the libc's shadow implementation
 AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])])
 
 AC_CHECK_FUNCS(arc4random_buf l64a fchmod fchown fsync futimes \
-	gethostname getentropy getrandom getspnam gettimeofday getusershell \
-	getutent initgroups lchown lckpwdf lstat lutimes \
-	setgroups sigaction strchr updwtmp updwtmpx innetgr getpwnam_r \
-	getpwuid_r getgrnam_r getgrgid_r getspnam_r getaddrinfo ruserok \
-	dlopen)
+	getentropy getrandom getspnam getusershell \
+	getutent initgroups lckpwdf lutimes \
+	setgroups updwtmp updwtmpx innetgr getpwnam_r \
+	getpwuid_r getgrnam_r getgrgid_r getspnam_r \
+	memset_s explicit_bzero)
 AC_SYS_LARGEFILE
 
 dnl Checks for typedefs, structures, and compiler characteristics.
-AC_C_CONST
-AC_TYPE_UID_T
-AC_TYPE_OFF_T
-AC_TYPE_PID_T
-AC_TYPE_MODE_T
-AC_HEADER_STAT
-AC_CHECK_MEMBERS([struct stat.st_rdev])
 AC_CHECK_MEMBERS([struct stat.st_atim])
 AC_CHECK_MEMBERS([struct stat.st_atimensec])
 AC_CHECK_MEMBERS([struct stat.st_mtim])
 AC_CHECK_MEMBERS([struct stat.st_mtimensec])
-AC_HEADER_TIME
 AC_STRUCT_TM
 
 AC_CHECK_MEMBERS([struct utmp.ut_type,
@@ -113,7 +101,6 @@ fi
 
 dnl Checks for library functions.
 AC_TYPE_GETGROUPS
-AC_TYPE_SIGNAL
 AC_FUNC_UTIME_NULL
 AC_REPLACE_FUNCS(mkdir putgrent putpwent putspent rename rmdir)
 AC_REPLACE_FUNCS(sgetgrent sgetpwent sgetspent)
@@ -211,7 +198,7 @@ if test "$ac_cv_func_ruserok" = "yes"; then
 fi
 
 AC_ARG_ENABLE(shadowgrp,
-	[AC_HELP_STRING([--enable-shadowgrp], [enable shadow group support @<:@default=yes@:>@])],
+	[AS_HELP_STRING([--enable-shadowgrp], [enable shadow group support @<:@default=yes@:>@])],
 	[case "${enableval}" in
 	 yes) enable_shadowgrp="yes" ;;
 	  no) enable_shadowgrp="no" ;;
@@ -221,15 +208,15 @@ AC_ARG_ENABLE(shadowgrp,
 )
 
 AC_ARG_ENABLE(man,
-	[AC_HELP_STRING([--enable-man],
+	[AS_HELP_STRING([--enable-man],
 		[regenerate roff man pages from Docbook @<:@default=no@:>@])],
 	[enable_man="${enableval}"],
 	[enable_man="no"]
 )
 
 AC_ARG_ENABLE(account-tools-setuid,
-	[AC_HELP_STRING([--enable-account-tools-setuid],
-		[Install the user and group management tools setuid and authenticate the callers. This requires --with-pam.])],
+	[AS_HELP_STRING([--enable-account-tools-setuid],
+		[Install the user and group management tools setuid and authenticate the callers. This requires --with-libpam.])],
 	[case "${enableval}" in
 	 yes) enable_acct_tools_setuid="yes" ;;
 	  no) enable_acct_tools_setuid="no" ;;
@@ -240,7 +227,7 @@ AC_ARG_ENABLE(account-tools-setuid,
 )
 
 AC_ARG_ENABLE(utmpx,
-	[AC_HELP_STRING([--enable-utmpx],
+	[AS_HELP_STRING([--enable-utmpx],
 	                [enable loggin in utmpx / wtmpx @<:@default=no@:>@])],
 	[case "${enableval}" in
 	 yes) enable_utmpx="yes" ;;
@@ -251,65 +238,65 @@ AC_ARG_ENABLE(utmpx,
 )
 
 AC_ARG_ENABLE(subordinate-ids,
-	[AC_HELP_STRING([--enable-subordinate-ids],
+	[AS_HELP_STRING([--enable-subordinate-ids],
 		[support subordinate ids @<:@default=yes@:>@])],
 	[enable_subids="${enableval}"],
 	[enable_subids="maybe"]
 )
 
 AC_ARG_WITH(audit,
-	[AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
+	[AS_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
 	[with_audit=$withval], [with_audit=maybe])
 AC_ARG_WITH(libpam,
-	[AC_HELP_STRING([--with-libpam], [use libpam for PAM support @<:@default=yes if found@:>@])],
+	[AS_HELP_STRING([--with-libpam], [use libpam for PAM support @<:@default=yes if found@:>@])],
 	[with_libpam=$withval], [with_libpam=maybe])
 AC_ARG_WITH(btrfs,
-	[AC_HELP_STRING([--with-btrfs], [add BtrFS support @<:@default=yes if found@:>@])],
+	[AS_HELP_STRING([--with-btrfs], [add BtrFS support @<:@default=yes if found@:>@])],
 	[with_btrfs=$withval], [with_btrfs=maybe])
 AC_ARG_WITH(selinux,
-	[AC_HELP_STRING([--with-selinux], [use SELinux support @<:@default=yes if found@:>@])],
+	[AS_HELP_STRING([--with-selinux], [use SELinux support @<:@default=yes if found@:>@])],
 	[with_selinux=$withval], [with_selinux=maybe])
 AC_ARG_WITH(acl,
-	[AC_HELP_STRING([--with-acl], [use ACL support @<:@default=yes if found@:>@])],
+	[AS_HELP_STRING([--with-acl], [use ACL support @<:@default=yes if found@:>@])],
 	[with_acl=$withval], [with_acl=maybe])
 AC_ARG_WITH(attr,
-	[AC_HELP_STRING([--with-attr], [use Extended Attribute support @<:@default=yes if found@:>@])],
+	[AS_HELP_STRING([--with-attr], [use Extended Attribute support @<:@default=yes if found@:>@])],
 	[with_attr=$withval], [with_attr=maybe])
 AC_ARG_WITH(skey,
-	[AC_HELP_STRING([--with-skey], [use S/Key support @<:@default=no@:>@])],
+	[AS_HELP_STRING([--with-skey], [use S/Key support @<:@default=no@:>@])],
 	[with_skey=$withval], [with_skey=no])
 AC_ARG_WITH(tcb,
-	[AC_HELP_STRING([--with-tcb], [use tcb support (incomplete) @<:@default=yes if found@:>@])],
+	[AS_HELP_STRING([--with-tcb], [use tcb support (incomplete) @<:@default=yes if found@:>@])],
 	[with_tcb=$withval], [with_tcb=maybe])
 AC_ARG_WITH(libcrack,
-	[AC_HELP_STRING([--with-libcrack], [use libcrack @<:@default=no@:>@])],
+	[AS_HELP_STRING([--with-libcrack], [use libcrack @<:@default=no@:>@])],
 	[with_libcrack=$withval], [with_libcrack=no])
 AC_ARG_WITH(sha-crypt,
-	[AC_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
+	[AS_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
 	[with_sha_crypt=$withval], [with_sha_crypt=yes])
 AC_ARG_WITH(bcrypt,
-	[AC_HELP_STRING([--with-bcrypt], [allow the bcrypt password encryption algorithm @<:@default=no@:>@])],
+	[AS_HELP_STRING([--with-bcrypt], [allow the bcrypt password encryption algorithm @<:@default=no@:>@])],
 	[with_bcrypt=$withval], [with_bcrypt=no])
 AC_ARG_WITH(yescrypt,
-	[AC_HELP_STRING([--with-yescrypt], [allow the yescrypt password encryption algorithm @<:@default=no@:>@])],
+	[AS_HELP_STRING([--with-yescrypt], [allow the yescrypt password encryption algorithm @<:@default=no@:>@])],
 	[with_yescrypt=$withval], [with_yescrypt=no])
 AC_ARG_WITH(nscd,
-	[AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
+	[AS_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
 	[with_nscd=$withval], [with_nscd=yes])
 AC_ARG_WITH(sssd,
-	[AC_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])],
+	[AS_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])],
 	[with_sssd=$withval], [with_sssd=yes])
 AC_ARG_WITH(group-name-max-length,
-	[AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])],
+	[AS_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=32@:>@])],
 	[with_group_name_max_length=$withval], [with_group_name_max_length=yes])
 AC_ARG_WITH(su,
-	[AC_HELP_STRING([--with-su], [build and install su program and man page @<:@default=yes@:>@])],
+	[AS_HELP_STRING([--with-su], [build and install su program and man page @<:@default=yes@:>@])],
 	[with_su=$withval], [with_su=yes])
 
 if test "$with_group_name_max_length" = "no" ; then
 	with_group_name_max_length=0
 elif test "$with_group_name_max_length" = "yes" ; then
-	with_group_name_max_length=16
+	with_group_name_max_length=32
 fi
 AC_DEFINE_UNQUOTED(GROUP_NAME_MAX_LENGTH, $with_group_name_max_length, [max group name length])
 AC_SUBST(GROUP_NAME_MAX_LENGTH)
@@ -669,7 +656,7 @@ AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes")
 
 
 AC_ARG_WITH(fcaps,
-	[AC_HELP_STRING([--with-fcaps], [use file capabilities instead of suid binaries for newuidmap/newgidmap @<:@default=no@:>@])],
+	[AS_HELP_STRING([--with-fcaps], [use file capabilities instead of suid binaries for newuidmap/newgidmap @<:@default=no@:>@])],
 	[with_fcaps=$withval], [with_fcaps=no])
 AM_CONDITIONAL(FCAPS, test "x$with_fcaps" = "xyes")
 
@@ -687,12 +674,12 @@ if test "$with_skey" = "yes"; then
 	AC_CHECK_LIB(skey, skeychallenge, [LIBSKEY=-lskey],
 		[AC_MSG_ERROR([liskey missing. You can download S/Key source code from http://rsync1.it.gentoo.org/gentoo/distfiles/skey-1.1.5.tar.bz2])])
 	AC_DEFINE(SKEY, 1, [Define to support S/Key logins.])
-	AC_TRY_COMPILE([
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 		#include <stdio.h>
 		#include <skey.h>
-	],[
+	]], [[
 		skeychallenge((void*)0, (void*)0, (void*)0, 0);
-	],[AC_DEFINE(SKEY_BSD_STYLE, 1, [Define to support newer BSD S/Key API])])
+	]])],[AC_DEFINE(SKEY_BSD_STYLE, 1, [Define to support newer BSD S/Key API])],[])
 fi
 
 if test "$enable_utmpx" = "yes"; then
@@ -706,7 +693,7 @@ fi
 
 AC_DEFINE_UNQUOTED(SHELL, ["$SHELL"], [The default shell.])
 
-AM_GNU_GETTEXT_VERSION(0.16)
+AM_GNU_GETTEXT_VERSION([0.19])
 AM_GNU_GETTEXT([external], [need-ngettext])
 AM_CONDITIONAL(USE_NLS, test "x$USE_NLS" = "xyes")
 
@@ -733,6 +720,7 @@ AC_CONFIG_FILES([
 	man/ru/Makefile
 	man/sv/Makefile
 	man/tr/Makefile
+	man/uk/Makefile
 	man/zh_CN/Makefile
 	man/zh_TW/Makefile
 	libmisc/Makefile

contrib/Makefile.am

@@ -1,6 +1,6 @@
 # This is a dummy Makefile.am to get automake work flawlessly,
 # and also cooperate to make a distribution for `make dist'
 
-EXTRA_DIST = README adduser.c adduser-old.c adduser.sh adduser2.sh \
+EXTRA_DIST = README adduser.c adduser.sh adduser2.sh \
  atudel groupmems.shar pwdauth.c shadow-anonftp.patch \
  udbachk.tgz

contrib/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -93,13 +93,14 @@ host_triplet = @host@
 subdir = contrib
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
-	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
-	$(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
-	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
-	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
-	$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \
-	$(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \
-	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
@@ -142,6 +143,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -153,8 +156,10 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 ECONF_CPPFLAGS = @ECONF_CPPFLAGS@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
@@ -228,6 +233,7 @@ VENDORDIR = @VENDORDIR@
 VERSION = @VERSION@
 XGETTEXT = @XGETTEXT@
 XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
@@ -287,7 +293,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-EXTRA_DIST = README adduser.c adduser-old.c adduser.sh adduser2.sh \
+EXTRA_DIST = README adduser.c adduser.sh adduser2.sh \
  atudel groupmems.shar pwdauth.c shadow-anonftp.patch \
  udbachk.tgz
 
@@ -335,7 +341,6 @@ ctags CTAGS:
 
 cscope cscopelist:
 
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

contrib/adduser-old.c

@@ -1,300 +0,0 @@
-/****
-** 03/17/96
-** hacked a bit more, removed unused code, cleaned up for gcc -Wall.
-** --marekm
-**
-** 02/26/96
-** modified to call shadow utils (useradd,chage,passwd) on shadowed
-** systems - Cristian Gafton, gafton@sorosis.ro
-**
-** 6/27/95
-** shadow-adduser 1.4:
-**
-** now it copies the /etc/skel dir into the person's dir,
-** makes the mail folders, changed some defaults and made a 'make
-** install' just for the hell of it.
-**
-** Greg Gallagher
-** CIN.Net
-**
-** 1/28/95
-** shadow-adduser 1.3:
-**
-** Basically a bug-fix on my additions in 1.2.  Thanks to Terry Stewart
-** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
-** It was such a stupid bug that I would have never seen it myself.
-**
-**                                Brandon
-*****
-** 01/27/95
-**
-** shadow-adduser 1.2:
-** I took the C source from adduser-shadow (credits are below) and made
-** it a little more worthwhile.  Many small changes... Here's
-** the ones I can remember:
-**
-** Removed support for non-shadowed systems (if you don't have shadow,
-**     use the original adduser, don't get this shadow version!)
-** Added support for the correct /etc/shadow fields (Min days before
-**     password change, max days before password change, Warning days,
-**     and how many days from expiry date does the account go invalid)
-**     The previous version just left all of those fields blank.
-**     There is still one field left (expiry date for the account, period)
-**     which I have left blank because I do not use it and didn't want to
-**     spend any more time on this.  I'm sure someone will put it in and
-**     tack another plethora of credits on here. :)
-** Added in the password date field, which should always reflect the last
-**     date the password was changed, for expiry purposes.  "passwd" always
-**     updates this field, so the adduser program should set it up right
-**     initially (or a user could keep thier initial password forever ;)
-**     The number is in days since Jan 1st, 1970.
-**
-**                       Have fun with it, and someone please make
-**                       a real version(this is still just a hack)
-**                       for us all to use (and Email it to me???)
-**
-**                               Brandon
-**                                  photon@usis.com
-**
-*****
-** adduser 1.0: add a new user account (For systems not using shadow)
-** With a nice little interface and a will to do all the work for you.
-**
-** Craig Hagan
-** hagan@opine.cs.umass.edu
-**
-** Modified to really work, look clean, and find unused uid by Chris Cappuccio
-** chris@slinky.cs.umass.edu
-**
-*****
-**
-** 01/19/95
-**
-** FURTHER modifications to enable shadow passwd support (kludged, but
-** no more so than the original)  by Dan Crowson - dcrowson@mo.net
-**
-** Search on DAN for all changes...
-**
-*****
-**
-** cc -O -o adduser adduser.c
-** Use gcc if you have it... (political reasons beyond my control) (chris)
-**
-** I've gotten this program to work with success under Linux (without
-** shadow) and SunOS 4.1.3. I would assume it should work pretty well
-** on any system that uses no shadow. (chris)
-**
-** If you have no crypt() then try
-** cc -DNO_CRYPT -O -o adduser adduser.c xfdes.c
-** I'm not sure how login operates with no crypt()... I guess
-** the same way we're doing it here.
-*/
-
-#include <pwd.h>
-#include <grp.h>
-#include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <time.h>
-#include <sys/types.h>
-#include <sys/timeb.h>
-#include <sys/time.h>
-#include <sys/stat.h>
-
-#define DEFAULT_SHELL	"/bin/bash"  /* because BASH is your friend */
-#define DEFAULT_HOME	"/home"
-#define USERADD_PATH	"/usr/sbin/useradd"
-#define CHAGE_PATH	"/usr/sbin/chage"
-#define PASSWD_PATH	"/usr/bin/passwd"
-#define DEFAULT_GROUP	100
-
-#define DEFAULT_MAX_PASS 60
-#define DEFAULT_WARN_PASS 10
-/* if you use this feature, you will get a lot of complaints from users
-   who rarely use their accounts :)  (something like 3 months would be
-   more reasonable)  --marekm */
-#define DEFAULT_USER_DIE /* 10 */ 0
-
-void main()
-{
-	char foo[32];
-	char uname[9],person[32],dir[32],shell[32];
-	unsigned int group,min_pass,max_pass,warn_pass,user_die;
-	/* the group and uid of the new user */
-	int bad=0,done=0,correct=0,gets_warning=0;
-	char cmd[255];
-	struct group *grp;
-
-	/* flags, in order:
-	* bad to see if the username is in /etc/passwd, or if strange stuff has
-	* been typed if the user might be put in group 0
-	* done allows the program to exit when a user has been added
-	* correct loops until a password is found that isn't in /etc/passwd
-	* gets_warning allows the fflush to be skipped for the first gets
-	* so that output is still legible
-	*/
-
-	/* The real program starts HERE! */
-
-	if(geteuid()!=0)
-	{
-		printf("It seems you don't have access to add a new user.  Try\n");
-		printf("logging in as root or su root to gain super-user access.\n");
-		exit(1);
-	}
-
-	/* Sanity checks
-	*/
-
-	if (!(grp=getgrgid(DEFAULT_GROUP))){
-		printf("Error: the default group %d does not exist on this system!\n",
-				DEFAULT_GROUP);
-		printf("adduser must be recompiled.\n");
-		exit(1);
-	};
-
-	while(!correct) {		/* loop until a "good" uname is chosen */
-		while(!done) {
-			printf("\nLogin to add (^C to quit): ");
-			if(gets_warning)	/* if the warning was already shown */
-				fflush(stdout);	/* fflush stdout, otherwise set the flag */
-			else
-				gets_warning=1;
-
-			gets(uname);
-			if(!strlen(uname)) {
-				printf("Empty input.\n");
-				done=0;
-				continue;
-			};
-
-			/* what I saw here before made me think maybe I was running DOS */
-			/* might this be a solution? (chris) */
-			if (getpwnam(uname) != NULL) {
-				printf("That name is in use, choose another.\n");
-				done=0;
-			} else
-				done=1;
-		}; /* done, we have a valid new user name */
-
-		/* all set, get the rest of the stuff */
-		printf("\nEditing information for new user [%s]\n",uname);
-
-		printf("\nFull Name [%s]: ",uname);
-		gets(person);
-		if (!strlen(person)) {
-			bzero(person,sizeof(person));
-			strcpy(person,uname);
-		};
-
-		do {
-			bad=0;
-			printf("GID [%d]: ",DEFAULT_GROUP);
-			gets(foo);
-			if (!strlen(foo))
-				group=DEFAULT_GROUP;
-			else
-				if (isdigit (*foo)) {
-					group = atoi(foo);
-					if (! (grp = getgrgid (group))) {
-						printf("unknown gid %s\n",foo);
-						group=DEFAULT_GROUP;
-						bad=1;
-					};
-			} else
-				if ((grp = getgrnam (foo)))
-					group = grp->gr_gid;
-				else {
-					printf("unknown group %s\n",foo);
-					group=DEFAULT_GROUP;
-					bad=1;
-				}
-			if (group==0){	/* You're not allowed to make root group users! */
-				printf("Creation of root group users not allowed (must be done by hand)\n");
-				group=DEFAULT_GROUP;
-				bad=1;
-			};
-		} while(bad);
-
-
-		fflush(stdin);
-
-		printf("\nIf home dir ends with a / then [%s] will be appended to it\n",uname);
-		printf("Home Directory [%s/%s]: ",DEFAULT_HOME,uname);
-		fflush(stdout);
-		gets(dir);
-		if (!strlen(dir)) { /* hit return */
-			sprintf(dir,"%s/%s",DEFAULT_HOME,uname);
-			fflush(stdin);
-		} else
-			if (dir[strlen(dir)-1]=='/')
-				sprintf(dir+strlen(dir),"%s",uname);
-
-		printf("\nShell [%s]: ",DEFAULT_SHELL);
-		fflush(stdout);
-		gets(shell);
-		if (!strlen(shell))
-			sprintf(shell,"%s",DEFAULT_SHELL);
-
-		printf("\nMin. Password Change Days [0]: ");
-		gets(foo);
-		min_pass=atoi(foo);
-
-		printf("Max. Password Change Days [%d]: ",DEFAULT_MAX_PASS);
-		gets(foo);
-		if (strlen(foo) > 1)
-			max_pass = atoi(foo);
-		else
-			max_pass = DEFAULT_MAX_PASS;
-
-		printf("Password Warning Days [%d]: ",DEFAULT_WARN_PASS);
-		gets(foo);
-		warn_pass = atoi(foo);
-		if (warn_pass==0)
-			warn_pass = DEFAULT_WARN_PASS;
-
-		printf("Days after Password Expiry for Account Locking [%d]: ",DEFAULT_USER_DIE);
-		gets(foo);
-		user_die = atoi(foo);
-		if (user_die == 0)
-			user_die = DEFAULT_USER_DIE;
-
-		printf("\nInformation for new user [%s] [%s]:\n",uname,person);
-		printf("Home directory: [%s] Shell: [%s]\n",dir,shell);
-		printf("GID: [%d]\n",group);
-		printf("MinPass: [%d] MaxPass: [%d] WarnPass: [%d] UserExpire: [%d]\n",
-				min_pass,max_pass,warn_pass,user_die);
-		printf("\nIs this correct? [y/N]: ");
-		fflush(stdout);
-		gets(foo);
-
-		done=bad=correct=(foo[0]=='y'||foo[0]=='Y');
-
-		if(bad!=1)
-			printf("\nUser [%s] not added\n",uname);
-    }
-
-	bzero(cmd,sizeof(cmd));
-	sprintf(cmd,"%s -g %d -d %s -s %s -c \"%s\" -m -k /etc/skel %s",
-			USERADD_PATH,group,dir,shell,person,uname);
-	printf("Calling useradd to add new user:\n%s\n",cmd);
-	if(system(cmd)){
-		printf("User add failed!\n");
-		exit(errno);
-	};
-	bzero(cmd,sizeof(cmd));
-	sprintf(cmd,"%s -m %d -M %d -W %d -I %d %s", CHAGE_PATH,
-			min_pass,max_pass,warn_pass,user_die,uname);
-	printf("%s\n",cmd);
-	if(system(cmd)){
-		printf("There was an error setting password expire values\n");
-		exit(errno);
-	};
-	bzero(cmd,sizeof(cmd));
-	sprintf(cmd,"%s %s",PASSWD_PATH,uname);
-	system(cmd);
-	printf("\nDone.\n");
-}
-

debian/changelog

@@ -1,3 +1,77 @@
+shadow (1:4.13+dfsg1-1+deb12u2) bookworm; urgency=medium
+
+  * Apply upstream patch to fix groupmod -U "" segfault (Closes: #1122913)
+
+ -- Chris Hofstaedtler <zeha@debian.org>  Sun, 14 Dec 2025 15:00:01 +0100
+
+shadow (1:4.13+dfsg1-1+deb12u1) bookworm; urgency=medium
+
+  [ Balint Reczey ]
+  * Cherry-pick upstream patch to fix gpasswd passwd leak (Closes: #1051062)
+    CVE-2023-4641
+  * Cherry-pick upstream patch to fix chfn vulnerability (Closes: #1034482)
+    CVE-2023-29383
+  * Fix valid_field() that regressed in upstream's chfn fix
+
+  [ Chris Hofstaedtler ]
+  * Update Uploaders: field from unstable
+
+ -- Chris Hofstaedtler <zeha@debian.org>  Mon, 07 Apr 2025 12:38:46 +0200
+
+shadow (1:4.13+dfsg1-1) unstable; urgency=medium
+
+  [ Balint Reczey ]
+  * debian/watch: Make watch file work with new GitHub UI
+  * debian/control: Mark libsubid-dev as Multi-Arch: same
+  * New upstream version 4.13
+    - fix typo in useradd(8) (Closes: #1021380)
+  * Refresh patches
+
+  [ Debian Janitor ]
+  * Remove constraints unnecessary since buster (oldstable)
+    * login: Drop versioned constraint on util-linux in Breaks.
+    Changes-By: deb-scrub-obsolete
+
+ -- Balint Reczey <balint@balintreczey.hu>  Fri, 11 Nov 2022 09:28:15 +0100
+
+shadow (1:4.12.3+dfsg1-3) unstable; urgency=medium
+
+  [ Debian Janitor ]
+  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse.
+
+  [ Balint Reczey ]
+  * Fix tree copying regressions introduced in 4.12.2. (Closes: #1023132)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Sat, 05 Nov 2022 14:47:01 +0100
+
+shadow (1:4.12.3+dfsg1-2) unstable; urgency=medium
+
+  * Cherry-pick upstream patch to fix regression in expiration date handling
+    (Closes: #1021697)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Sat, 22 Oct 2022 20:23:10 +0200
+
+shadow (1:4.12.3+dfsg1-1) unstable; urgency=medium
+
+  [ Balint Reczey ]
+  * New upstream release (Closes: #1004242, #1006848)
+  * Refresh patches
+  * debian/patches: Reorder patches in series to make it look sane
+  * Fix Lintian elevated-privileges tag rename
+
+  [ Johannes Schauer Marin Rodrigues ]
+  * debian/shadowconfig: Support DPKG_ROOT without using chroot()
+    (Closes:  #1007758)
+  * useradd: cherry-pick patch from upstream to avoid creating several GB worth
+    of sparse lastlog and faillog files for users with high uid values
+    (Closes: #1019245)
+
+  [ Debian Janitor ]
+  * Update renamed lintian tag names in lintian overrides.
+  * Update standards version to 4.6.1, no changes needed.
+
+ -- Balint Reczey <balint@balintreczey.hu>  Tue, 04 Oct 2022 22:09:04 +0200
+
 shadow (1:4.11.1+dfsg1-2) unstable; urgency=medium
 
   [ Balint Reczey ]

debian/control

@@ -1,7 +1,8 @@
 Source: shadow
 Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
-Uploaders: Balint Reczey <balint@balintreczey.hu>,
-           Serge Hallyn <serge@hallyn.com>
+Uploaders:
+ Serge Hallyn <serge@hallyn.com>,
+ Chris Hofstaedtler <zeha@debian.org>
 Section: admin
 Priority: required
 Build-Depends: debhelper-compat (= 13),
@@ -18,7 +19,7 @@ Build-Depends: debhelper-compat (= 13),
                itstool,
                bison,
                libaudit-dev [linux-any]
-Standards-Version: 4.5.1
+Standards-Version: 4.6.1
 Vcs-Git: https://salsa.debian.org/debian/shadow.git -b master
 Vcs-Browser: https://salsa.debian.org/debian/shadow
 Homepage: https://github.com/shadow-maint/shadow
@@ -45,8 +46,7 @@ Pre-Depends: ${shlibs:Depends},
              ${misc:Depends},
              libpam-runtime,
              libpam-modules
-Breaks: hurd (<< 20140206~) [hurd-any],
-        util-linux (<< 2.32-0.2~)
+Breaks: hurd (<< 20140206~) [hurd-any]
 Conflicts: python-4suite (<< 0.99cvs20060405-1)
 Replaces: hurd (<< 20140206~) [hurd-any]
 Description: system login tools
@@ -80,6 +80,7 @@ Package: libsubid-dev
 Section: libdevel
 Priority: optional
 Architecture: any
+Multi-Arch: same
 Depends: ${misc:Depends}, libsubid4 (= ${binary:Version})
 Description: subordinate id handling library -- shared library
  The library provides an interface for querying, granding and ungranting

debian/login.lintian-overrides

@@ -1 +1 @@
-login: setuid-binary usr/bin/newgrp 4755 root/root
+login: elevated-privileges 4755 root/root [usr/bin/newgrp]

debian/passwd.lintian-overrides

@@ -1,6 +1,6 @@
-passwd: setgid-binary usr/bin/chage 2755 root/shadow
-passwd: setuid-binary usr/bin/chfn 4755 root/root
-passwd: setuid-binary usr/bin/chsh 4755 root/root
-passwd: setgid-binary usr/bin/expiry 2755 root/shadow
-passwd: setuid-binary usr/bin/gpasswd 4755 root/root
-passwd: setuid-binary usr/bin/passwd 4755 root/root
+passwd: elevated-privileges 2755 root/shadow [usr/bin/chage]
+passwd: elevated-privileges 4755 root/root [usr/bin/chfn]
+passwd: elevated-privileges 4755 root/root [usr/bin/chsh]
+passwd: elevated-privileges 2755 root/shadow [usr/bin/expiry]
+passwd: elevated-privileges 4755 root/root [usr/bin/gpasswd]
+passwd: elevated-privileges 4755 root/root [usr/bin/passwd]

debian/patches/0001-gpasswd-1-Fix-password-leak.patch

@@ -0,0 +1,137 @@
+From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process.  It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> -  ptrace (requires ptrace privileges, mediated by YAMA)
+> -  causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack.  Those copies won't get zeroed
+by explicit_bzero(3).  However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3).  But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible.  Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit.  Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All.  Bug introduced in shadow 19990709.  That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -896,6 +896,7 @@
+ 		strzero (cp);
+ 		cp = getpass (_("Re-enter new password: "));
+ 		if (NULL == cp) {
++			memzero (pass, sizeof pass);
+ 			exit (1);
+ 		}
+ 

debian/patches/0002-Added-control-character-check.patch

@@ -0,0 +1,45 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -21,9 +21,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *       contains a non-printable character.
++ *  + -1 is returned if an illegal or control character is present.
++ *  +  1 is returned if no illegal or control characters are present,
++ *       but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+  */
+ int valid_field (const char *field, const char *illegal)
+@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
+ 	}
+ 
+ 	if (0 == err) {
+-		/* Search if there are some non-printable characters */
++		/* Search if there are non-printable or control characters */
+ 		for (cp = field; '\0' != *cp; cp++) {
+ 			if (!isprint (*cp)) {
+ 				err = 1;
++			}
++			if (!iscntrl (*cp)) {
++				err = -1;
+ 				break;
+ 			}
+ 		}
+-- 
+2.34.1
+

debian/patches/0003-Overhaul-valid_field.patch

@@ -0,0 +1,61 @@
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b582..53929248 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+ 
+ 	/* For each character of field, search if it appears in the list
+ 	 * of illegal characters. */
++	if (illegal && NULL != strpbrk (field, illegal)) {
++		return -1;
++	}
++
++	/* Search if there are non-printable or control characters */
+ 	for (cp = field; '\0' != *cp; cp++) {
+-		if (strchr (illegal, *cp) != NULL) {
++		unsigned char c = *cp;
++		if (!isprint (c)) {
++			err = 1;
++		}
++		if (iscntrl (c)) {
+ 			err = -1;
+ 			break;
+ 		}
+ 	}
+ 
+-	if (0 == err) {
+-		/* Search if there are non-printable or control characters */
+-		for (cp = field; '\0' != *cp; cp++) {
+-			if (!isprint (*cp)) {
+-				err = 1;
+-			}
+-			if (!iscntrl (*cp)) {
+-				err = -1;
+-				break;
+-			}
+-		}
+-	}
+-
+ 	return err;
+ }
+ 
+-- 
+2.34.1
+

debian/patches/008_login_log_failure_in_FTMP

@@ -6,7 +6,7 @@ Notes:
 
 --- a/src/login.c
 +++ b/src/login.c
-@@ -829,6 +829,24 @@
+@@ -827,6 +827,24 @@
  			(void) puts ("");
  			(void) puts (_("Login incorrect"));
  

debian/patches/429_login_FAILLOG_ENAB

@@ -20,7 +20,7 @@ Note: It could be removed if pam_tally could report the number of failures
  static void bad_time_notify (void);
  static void check_nologin (bool login_to_root);
  #else
-@@ -789,6 +789,9 @@
+@@ -787,6 +787,9 @@
  				SYSLOG ((LOG_NOTICE,
  				         "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
  				         failcount, fromhost, failent_user));
@@ -30,7 +30,7 @@ Note: It could be removed if pam_tally could report the number of failures
  				fprintf (stderr,
  				         _("Maximum number of tries exceeded (%u)\n"),
  				         failcount);
-@@ -806,6 +809,14 @@
+@@ -804,6 +807,14 @@
  				         pam_strerror (pamh, retcode)));
  				failed = true;
  			}
@@ -45,7 +45,7 @@ Note: It could be removed if pam_tally could report the number of failures
  
  			if (!failed) {
  				break;
-@@ -829,6 +840,10 @@
+@@ -827,6 +838,10 @@
  			(void) puts ("");
  			(void) puts (_("Login incorrect"));
  
@@ -56,7 +56,7 @@ Note: It could be removed if pam_tally could report the number of failures
  			if (getdef_str("FTMP_FILE") != NULL) {
  #ifdef USE_UTMPX
  				struct utmpx *failent =
-@@ -1299,6 +1314,7 @@
+@@ -1295,6 +1310,7 @@
  		 */
  #ifndef USE_PAM
  		motd ();	/* print the message of the day */
@@ -64,7 +64,7 @@ Note: It could be removed if pam_tally could report the number of failures
  		if (   getdef_bool ("FAILLOG_ENAB")
  		    && (0 != faillog.fail_cnt)) {
  			failprint (&faillog);
-@@ -1311,6 +1327,7 @@
+@@ -1307,6 +1323,7 @@
  				         username, (int) faillog.fail_cnt));
  			}
  		}

debian/patches/463_login_delay_obeys_to_PAM

@@ -9,7 +9,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
 
 --- a/src/login.c
 +++ b/src/login.c
-@@ -514,7 +514,6 @@
+@@ -512,7 +512,6 @@
  #if !defined(USE_PAM)
  	char ptime[80];
  #endif
@@ -17,7 +17,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
  	unsigned int retries;
  	bool subroot = false;
  #ifndef USE_PAM
-@@ -539,6 +538,7 @@
+@@ -537,6 +536,7 @@
  	pid_t child;
  	char *pam_user = NULL;
  #else
@@ -25,7 +25,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
  	struct spwd *spwd = NULL;
  #endif
  	/*
-@@ -703,7 +703,6 @@
+@@ -701,7 +701,6 @@
  	}
  
  	environ = newenvp;	/* make new environment active */
@@ -33,7 +33,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
  	retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
  
  #ifdef USE_PAM
-@@ -719,8 +718,7 @@
+@@ -717,8 +716,7 @@
  
  	/*
  	 * hostname & tty are either set to NULL or their correct values,
@@ -43,7 +43,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
  	 *
  	 * PAM_RHOST and PAM_TTY are used for authentication, only use
  	 * information coming from login or from the caller (e.g. no utmp)
-@@ -729,10 +727,6 @@
+@@ -727,10 +725,6 @@
  	PAM_FAIL_CHECK;
  	retcode = pam_set_item (pamh, PAM_TTY, tty);
  	PAM_FAIL_CHECK;
@@ -54,7 +54,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
  	/* if fflg, then the user has already been authenticated */
  	if (!fflg) {
  		unsigned int failcount = 0;
-@@ -773,12 +767,6 @@
+@@ -771,12 +765,6 @@
  			bool failed = false;
  
  			failcount++;
@@ -67,7 +67,7 @@ Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
  
  			retcode = pam_authenticate (pamh, 0);
  
-@@ -1114,14 +1102,17 @@
+@@ -1110,14 +1098,17 @@
  		free (username);
  		username = NULL;
  

debian/patches/501_commonio_group_shadow

@@ -12,7 +12,7 @@ Fixes: #166793
  #include "nscd.h"
  #include "sssd.h"
  #ifdef WITH_TCB
-@@ -978,12 +979,23 @@
+@@ -970,12 +971,23 @@
  			goto fail;
  		}
  	} else {
@@ -49,7 +49,7 @@ Fixes: #166793
  	NULL,			/* head */
 --- a/lib/shadowio.c
 +++ b/lib/shadowio.c
-@@ -82,7 +82,7 @@
+@@ -84,7 +84,7 @@
  #ifdef WITH_SELINUX
  	NULL,			/* scontext */
  #endif				/* WITH_SELINUX */

debian/patches/502_debian_useradd_defaults

@@ -26,3 +26,16 @@ Forwarded: not-needed
  static const char *def_log_init = "yes";
  
  static long def_inactive = -1;
+diff --git a/man/useradd.8.xml b/man/useradd.8.xml
+index af02a23f..c7f95b47 100644
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -248,7 +248,7 @@
+ 	    command line), useradd will set the primary group of the new
+ 	    user to the value specified by the <option>GROUP</option>
+ 	    variable in <filename>/etc/default/useradd</filename>, or
+-	    1000 by default.
++	    100 by default.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>

debian/patches/506_relaxed_usernames

@@ -17,20 +17,28 @@ Details:
 
 --- a/libmisc/chkname.c
 +++ b/libmisc/chkname.c
-@@ -31,6 +31,7 @@
- 		return true;
+@@ -32,44 +32,26 @@
  	}
  
-+#if 0
  	/*
- 	 * User/group names must match [a-z_][a-z0-9_-]*[$]
- 	 */
-@@ -50,6 +51,26 @@
- 			return false;
- 		}
- 	}
-+#endif
-+	/*
+-         * User/group names must match gnu e-regex:
+-         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
+-         *
+-         * as a non-POSIX, extension, allow "$" as the last char for
+-         * sake of Samba 3.x "add machine script"
+-         *
+-         * Also do not allow fully numeric names or just "." or "..".
+-         */
+-	int numeric;
+-
+-	if ('\0' == *name ||
+-	    ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+-			      '\0' == name[1])) ||
+-	    !((*name >= 'a' && *name <= 'z') ||
+-	      (*name >= 'A' && *name <= 'Z') ||
+-	      (*name >= '0' && *name <= '9') ||
+-	      *name == '_' ||
+-	      *name == '.')) {
 +	 * POSIX indicate that usernames are composed of characters from the
 +	 * portable filename character set [A-Za-z0-9._-], and that the hyphen
 +	 * should not be used as the first character of a portable user name.
@@ -41,28 +49,38 @@ Details:
 +	    || ('-'  == *name)
 +	    || ('~'  == *name)
 +	    || ('+'  == *name)) {
-+		return false;
-+	}
+ 		return false;
+ 	}
+-
+-	numeric = isdigit(*name);
+-
+-	while ('\0' != *++name) {
+-		if (!((*name >= 'a' && *name <= 'z') ||
+-		      (*name >= 'A' && *name <= 'Z') ||
+-		      (*name >= '0' && *name <= '9') ||
+-		      *name == '_' ||
+-		      *name == '.' ||
+-		      *name == '-' ||
+-		      (*name == '$' && name[1] == '\0')
+-		     )) {
 +	do {
 +		if ((':' == *name) || (',' == *name) || isspace(*name)) {
-+			return false;
-+		}
+ 			return false;
+ 		}
+-		numeric &= isdigit(*name);
+-	}
 +		name++;
 +	} while ('\0' != *name);
  
- 	return true;
+-	return !numeric;
++	return true;
  }
+ 
+ bool is_valid_user_name (const char *name)
 --- a/man/useradd.8.xml
 +++ b/man/useradd.8.xml
-@@ -651,12 +651,20 @@
-     </para>
- 
-     <para>
--      Usernames must start with a lower case letter or an underscore,
-+      It is usually recommended to only use usernames that begin with a lower case letter or an underscore,
-       followed by lower case letters, digits, underscores, or dashes.
-       They can end with a dollar sign.
-       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+@@ -708,6 +708,14 @@
+       the <command>ls</command> output.
      </para>
      <para>
 +      On Debian, the only constraints are that usernames must neither start
@@ -78,15 +96,8 @@ Details:
    </refsect1>
 --- a/man/groupadd.8.xml
 +++ b/man/groupadd.8.xml
-@@ -265,12 +265,18 @@
-    <refsect1 id='caveats'>
-      <title>CAVEATS</title>
-      <para>
--       Groupnames must start with a lower case letter or an underscore,
-+       It is usually recommended to only use groupnames that begin with a lower case letter or an underscore,
-        followed by lower case letters, digits, underscores, or dashes.
-        They can end with a dollar sign.
-        In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+@@ -72,6 +72,12 @@
+        also disallowed.
       </para>
       <para>
 +       On Debian, the only constraints are that groupnames must neither start
@@ -97,4 +108,4 @@ Details:
 +     <para>
         Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
       </para>
-      <para>
+   </refsect1>

debian/patches/542_useradd-O_option

@@ -7,9 +7,9 @@ Status wrt upstream: not included as this is just specific
 
 --- a/man/useradd.8.xml
 +++ b/man/useradd.8.xml
-@@ -302,6 +302,11 @@
- 	    <option>-K</option>&nbsp;<replaceable>UID_MIN</replaceable>=<replaceable>100</replaceable>&nbsp;
- 	    <option>-K</option>&nbsp;<replaceable>UID_MAX</replaceable>=<replaceable>499</replaceable>
+@@ -326,6 +326,11 @@
+ 	    =<replaceable>100</replaceable>&nbsp;<option>-K</option>&nbsp;
+ 	    <replaceable>UID_MAX</replaceable>=<replaceable>499</replaceable>
  	  </para>
 +          <para>
 +            For the compatibility with previous Debian's
@@ -21,19 +21,16 @@ Status wrt upstream: not included as this is just specific
  	    doesn't work yet.
 --- a/src/useradd.c
 +++ b/src/useradd.c
-@@ -1219,9 +1219,9 @@
+@@ -1227,7 +1227,7 @@
+ 			{NULL, 0, NULL, '\0'}
  		};
  		while ((c = getopt_long (argc, argv,
+-					 "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U"
++					 "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:P:s:u:U"
  #ifdef WITH_SELINUX
--		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:",
-+		                         "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:P:s:u:UZ:",
- #else				/* !WITH_SELINUX */
--		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U",
-+		                         "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:P:s:u:U",
- #endif				/* !WITH_SELINUX */
- 		                         long_options, NULL)) != -1) {
- 			switch (c) {
-@@ -1350,6 +1350,7 @@
+ 		                         "Z:"
+ #endif				/* WITH_SELINUX */
+@@ -1367,6 +1367,7 @@
  				kflg = true;
  				break;
  			case 'K':

debian/patches/series

@@ -1,16 +1,26 @@
+# Debian #1122913
+upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch
+
+# CVE-2023-4641
+0001-gpasswd-1-Fix-password-leak.patch
+
+# CVE-2023-29383
+0002-Added-control-character-check.patch
+0003-Overhaul-valid_field.patch
+
 # These patches are only for the testsuite:
 #900_testsuite_groupmems
 #901_testsuite_gcov
 
-502_debian_useradd_defaults
-503_shadowconfig.8
 008_login_log_failure_in_FTMP
-429_login_FAILLOG_ENAB
 401_cppw_src.dpatch
 # 402 should be merged in 401, but should be reviewed by SE Linux experts first
 402_cppw_selinux
+429_login_FAILLOG_ENAB
+463_login_delay_obeys_to_PAM
+501_commonio_group_shadow
+502_debian_useradd_defaults
+503_shadowconfig.8
+505_useradd_recommend_adduser
 506_relaxed_usernames
 542_useradd-O_option
-463_login_delay_obeys_to_PAM
-505_useradd_recommend_adduser
-501_commonio_group_shadow

debian/patches/upstream/10429edc14673fbb8c78b25f1872c34e88e5f07f.patch

@@ -0,0 +1,54 @@
+From 10429edc14673fbb8c78b25f1872c34e88e5f07f Mon Sep 17 00:00:00 2001
+From: lixinyun <li.xinyun@h3c.com>
+Date: Wed, 29 May 2024 06:53:02 +0800
+Subject: [PATCH] src/groupmod.c: delete gr_free_members(&grp) to avoid double
+ free
+
+Groupmod -U may cause crashes because of double free. If without -a, the first free of (*ogrp).gr_mem is in gr_free_members(&grp), and then in gr_update without -n or gr_remove with -n.
+Considering the minimal impact of modifications on existing code, delete gr_free_members(&grp) to avoid double free.Although this may seem reckless, the second free in two different positions will definitely be triggered, and the following two test cases can be used to illustrate the situation :
+
+[root@localhost src]# ./useradd u1
+[root@localhost src]# ./useradd u2
+[root@localhost src]# ./useradd u3
+[root@localhost src]# ./groupadd -U u1,u2,u3 g1
+[root@localhost src]# ./groupmod -n g2 -U u1,u2 g1
+Segmentation fault
+
+This case would free (*ogrp).gr_mem in gr_free_members(&grp) due to assignment statements grp = *ogrp, then in if (nflg && (gr_remove (group_name) == 0)), which finally calls gr_free_members(grent) to free (*ogrp).gr_mem again.
+
+[root@localhost src]# ./useradd u1
+[root@localhost src]# ./useradd u2
+[root@localhost src]# ./useradd u3
+[root@localhost src]# ./groupadd -U u1,u2,u3 g1
+[root@localhost src]# ./groupmod -U u1,u2 g1
+Segmentation fault
+
+The other case would free (*ogrp).gr_mem in gr_free_members(&grp) too, then in if (gr_update (&grp) == 0), which finally calls gr_free_members(grent) too to free (*ogrp).gr_mem again.
+
+So the first free is unnecessary, maybe we can drop it.
+
+Fixes: 342c934a3590 ("add -U option to groupadd and groupmod")
+Closes: <https://github.com/shadow-maint/shadow/issues/1013>
+Link: <https://github.com/shadow-maint/shadow/pull/1007>
+Link: <https://github.com/shadow-maint/shadow/pull/271>
+Link: <https://github.com/shadow-maint/shadow/issues/265>
+Cc: "Serge E. Hallyn" <serge@hallyn.com>
+Reviewed-by: Alejandro Colomar <alx@kernel.org>
+Signed-off-by: lixinyun <li.xinyun@h3c.com>
+---
+ src/groupmod.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git i/src/groupmod.c w/src/groupmod.c
+index 006eca1c..7eae4c6f 100644
+--- i/src/groupmod.c
++++ w/src/groupmod.c
+@@ -244,8 +244,6 @@ static void grp_update (void)
+ 
+ 		if (!aflg) {
+ 			// requested to replace the existing groups
+-			if (NULL != grp.gr_mem[0])
+-				gr_free_members(&grp);
+ 			grp.gr_mem = (char **)xmalloc(sizeof(char *));
+ 			grp.gr_mem[0] = (char *)0;
+ 		} else {

debian/shadowconfig

@@ -5,14 +5,35 @@ set -e
 
 shadowon () {
     set -e
-    pwck -q -r
-    grpck -r
-    pwconv
-    grpconv
-    chown root:root /etc/passwd /etc/group
-    chmod 644 /etc/passwd /etc/group
-    chown root:shadow /etc/shadow /etc/gshadow
-    chmod 640 /etc/shadow /etc/gshadow
+
+    if [ -n "$DPKG_ROOT" ] \
+        && cmp "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/usr/share/base-passwd/passwd.master" 2>/dev/null \
+        && cmp "${DPKG_ROOT}/etc/group" "${DPKG_ROOT}/usr/share/base-passwd/group.master" 2>/dev/null; then
+        # If dpkg is run with --force-script-chrootless and if /etc/passwd
+        # and /etc/group are unchanged, we avoid the chroot() call by manually
+        # processing the files. This produces bit-by-bit identical results
+        # compared to the normal case as shown by the CI setup at
+        # https://salsa.debian.org/helmutg/dpkg-root-demo/-/jobs
+        for f in passwd group; do
+            cp -a "${DPKG_ROOT}/etc/$f" "${DPKG_ROOT}/etc/$f-"
+        done
+        chmod 600 "${DPKG_ROOT}/etc/passwd-"
+        sed -i 's/^\([^:]\+\):\*:/\1:x:/' "${DPKG_ROOT}/etc/group" "${DPKG_ROOT}/etc/passwd"
+        [ -n "$SOURCE_DATE_EPOCH" ] && epoch=$SOURCE_DATE_EPOCH || epoch=$(date +%s)
+        sed "s/^\([^:]\+\):.*/\1:*:$((epoch/60/60/24)):0:99999:7:::/" "${DPKG_ROOT}/etc/passwd" > "${DPKG_ROOT}/etc/shadow"
+        sed "s/^\([^:]\+\):.*/\1:*::/" "${DPKG_ROOT}/etc/group" > "${DPKG_ROOT}/etc/gshadow"
+        touch "${DPKG_ROOT}/etc/.pwd.lock"
+        chmod 600 "${DPKG_ROOT}/etc/.pwd.lock"
+    else
+        pwck -q -r
+        grpck -r
+        pwconv
+        grpconv
+    fi
+    chown root:root "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
+    chmod 644 "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
+    chown root:shadow "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
+    chmod 640 "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
 }
 
 shadowoff () {

debian/uidmap.lintian-overrides

@@ -1,2 +1,2 @@
-uidmap: setuid-binary usr/bin/newgidmap 4755 root/root
-uidmap: setuid-binary usr/bin/newuidmap 4755 root/root
+uidmap: elevated-privileges 4755 root/root [usr/bin/newgidmap]
+uidmap: elevated-privileges 4755 root/root [usr/bin/newuidmap]

debian/upstream/metadata

@@ -0,0 +1,4 @@
+---
+Bug-Database: https://github.com/shadow-maint/shadow/issues
+Bug-Submit: https://github.com/shadow-maint/shadow/issues/new
+Repository-Browse: https://github.com/shadow-maint/shadow

debian/watch

@@ -1,4 +1,6 @@
 version=4
-opts="pgpsigurlmangle=s/$/.asc/,dversionmangle=s/\+dfsg\d*$//,repacksuffix=+dfsg1" \
-   https://github.com/shadow-maint/shadow/releases \
-   (?:.*?/)?shadow-(\d[\d.]*)\.tar\.xz debian uupdate
+opts=downloadurlmangle=s/archive\/refs\/tags\/(.*)\.tar\.gz/releases\/download\/$1\/@PACKAGE@-$1\.tar\.xz/,\
+    pgpsigurlmangle=s/$/.asc/,\
+    dversionmangle=s/\+dfsg1//,repacksuffix=+dfsg1 \
+    https://github.com/shadow-maint/@PACKAGE@/tags \
+    /shadow-maint/@PACKAGE@/archive/refs/tags/([^v].*)\.tar\.gz

depcomp

@@ -3,7 +3,7 @@
 
 scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1999-2018 Free Software Foundation, Inc.
+# Copyright (C) 1999-2021 Free Software Foundation, Inc.
 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

doc/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -93,13 +93,14 @@ host_triplet = @host@
 subdir = doc
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
-	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
-	$(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
-	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
-	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
-	$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \
-	$(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \
-	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
@@ -142,6 +143,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -153,8 +156,10 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 ECONF_CPPFLAGS = @ECONF_CPPFLAGS@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
@@ -228,6 +233,7 @@ VENDORDIR = @VENDORDIR@
 VERSION = @VERSION@
 XGETTEXT = @XGETTEXT@
 XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
@@ -334,7 +340,6 @@ ctags CTAGS:
 
 cscope cscopelist:
 
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

etc/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -94,13 +94,14 @@ host_triplet = @host@
 subdir = etc
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
-	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
-	$(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
-	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
-	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
-	$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \
-	$(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \
-	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
@@ -190,8 +191,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 DIST_SUBDIRS = $(SUBDIRS)
 am__DIST_COMMON = $(srcdir)/Makefile.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -233,6 +232,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -244,8 +245,10 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 ECONF_CPPFLAGS = @ECONF_CPPFLAGS@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
@@ -319,6 +322,7 @@ VENDORDIR = @VENDORDIR@
 VERSION = @VERSION@
 XGETTEXT = @XGETTEXT@
 XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
@@ -593,7 +597,6 @@ cscopelist-am: $(am__tagged_files)
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

etc/pam.d/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -96,13 +96,14 @@ host_triplet = @host@
 subdir = etc/pam.d
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
-	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
-	$(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
-	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
-	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
-	$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \
-	$(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \
-	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
@@ -174,6 +175,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -185,8 +188,10 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 ECONF_CPPFLAGS = @ECONF_CPPFLAGS@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
@@ -260,6 +265,7 @@ VENDORDIR = @VENDORDIR@
 VERSION = @VERSION@
 XGETTEXT = @XGETTEXT@
 XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
@@ -400,7 +406,6 @@ ctags CTAGS:
 
 cscope cscopelist:
 
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

etc/pam.d/login

@@ -4,8 +4,8 @@ auth		include		system-auth
 account		required	pam_nologin.so
 account		include		system-auth
 password	include		system-auth
-session		required	pam_selinux.so close
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 session		include		system-auth
 session		required	pam_loginuid.so
 session		optional	pam_console.so
-session		required	pam_selinux.so open
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

etc/pam.d/su

@@ -7,7 +7,7 @@ auth		required	pam_wheel.so use_uid
 auth		include		system-auth
 account		include		system-auth
 password	include		system-auth
-session		required	pam_selinux.so close
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 session		include		system-auth
-session		required	pam_selinux.so open multiple
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
 session		optional	pam_xauth.so

install-sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 # install - install a program, script, or datafile
 
-scriptversion=2018-03-11.20; # UTC
+scriptversion=2020-11-14.01; # UTC
 
 # This originates from X11R5 (mit/util/scripts/install.sh), which was
 # later released in X11R6 (xc/config/util/install.sh) with the
@@ -69,6 +69,11 @@ posix_mkdir=
 # Desired mode of installed file.
 mode=0755
 
+# Create dirs (including intermediate dirs) using mode 755.
+# This is like GNU 'install' as of coreutils 8.32 (2020).
+mkdir_umask=22
+
+backupsuffix=
 chgrpcmd=
 chmodcmd=$chmodprog
 chowncmd=
@@ -99,18 +104,28 @@ Options:
      --version  display version info and exit.
 
   -c            (ignored)
-  -C            install only if different (preserve the last data modification time)
+  -C            install only if different (preserve data modification time)
   -d            create directories instead of installing files.
   -g GROUP      $chgrpprog installed files to GROUP.
   -m MODE       $chmodprog installed files to MODE.
   -o USER       $chownprog installed files to USER.
+  -p            pass -p to $cpprog.
   -s            $stripprog installed files.
+  -S SUFFIX     attempt to back up existing files, with suffix SUFFIX.
   -t DIRECTORY  install into DIRECTORY.
   -T            report an error if DSTFILE is a directory.
 
 Environment variables override the default commands:
   CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
   RMPROG STRIPPROG
+
+By default, rm is invoked with -f; when overridden with RMPROG,
+it's up to you to specify -f if you want it.
+
+If -S is not specified, no backups are attempted.
+
+Email bug reports to bug-automake@gnu.org.
+Automake home page: https://www.gnu.org/software/automake/
 "
 
 while test $# -ne 0; do
@@ -137,8 +152,13 @@ while test $# -ne 0; do
     -o) chowncmd="$chownprog $2"
         shift;;
 
+    -p) cpprog="$cpprog -p";;
+
     -s) stripcmd=$stripprog;;
 
+    -S) backupsuffix="$2"
+        shift;;
+
     -t)
         is_target_a_directory=always
         dst_arg=$2
@@ -255,6 +275,10 @@ do
     dstdir=$dst
     test -d "$dstdir"
     dstdir_status=$?
+    # Don't chown directories that already exist.
+    if test $dstdir_status = 0; then
+      chowncmd=""
+    fi
   else
 
     # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
@@ -301,22 +325,6 @@ do
   if test $dstdir_status != 0; then
     case $posix_mkdir in
       '')
-        # Create intermediate dirs using mode 755 as modified by the umask.
-        # This is like FreeBSD 'install' as of 1997-10-28.
-        umask=`umask`
-        case $stripcmd.$umask in
-          # Optimize common cases.
-          *[2367][2367]) mkdir_umask=$umask;;
-          .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
-
-          *[0-7])
-            mkdir_umask=`expr $umask + 22 \
-              - $umask % 100 % 40 + $umask % 20 \
-              - $umask % 10 % 4 + $umask % 2
-            `;;
-          *) mkdir_umask=$umask,go-w;;
-        esac
-
         # With -d, create the new directory with the user-specified mode.
         # Otherwise, rely on $mkdir_umask.
         if test -n "$dir_arg"; then
@@ -326,52 +334,49 @@ do
         fi
 
         posix_mkdir=false
-        case $umask in
-          *[123567][0-7][0-7])
-            # POSIX mkdir -p sets u+wx bits regardless of umask, which
-            # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
-            ;;
-          *)
-            # Note that $RANDOM variable is not portable (e.g. dash);  Use it
-            # here however when possible just to lower collision chance.
-            tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
+	# The $RANDOM variable is not portable (e.g., dash).  Use it
+	# here however when possible just to lower collision chance.
+	tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
 
-            trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
+	trap '
+	  ret=$?
+	  rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null
+	  exit $ret
+	' 0
 
-            # Because "mkdir -p" follows existing symlinks and we likely work
-            # directly in world-writeable /tmp, make sure that the '$tmpdir'
-            # directory is successfully created first before we actually test
-            # 'mkdir -p' feature.
-            if (umask $mkdir_umask &&
-                $mkdirprog $mkdir_mode "$tmpdir" &&
-                exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
-            then
-              if test -z "$dir_arg" || {
-                   # Check for POSIX incompatibilities with -m.
-                   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
-                   # other-writable bit of parent directory when it shouldn't.
-                   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
-                   test_tmpdir="$tmpdir/a"
-                   ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
-                   case $ls_ld_tmpdir in
-                     d????-?r-*) different_mode=700;;
-                     d????-?--*) different_mode=755;;
-                     *) false;;
-                   esac &&
-                   $mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
-                     ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
-                     test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
-                   }
-                 }
-              then posix_mkdir=:
-              fi
-              rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
-            else
-              # Remove any dirs left behind by ancient mkdir implementations.
-              rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
-            fi
-            trap '' 0;;
-        esac;;
+	# Because "mkdir -p" follows existing symlinks and we likely work
+	# directly in world-writeable /tmp, make sure that the '$tmpdir'
+	# directory is successfully created first before we actually test
+	# 'mkdir -p'.
+	if (umask $mkdir_umask &&
+	    $mkdirprog $mkdir_mode "$tmpdir" &&
+	    exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
+	then
+	  if test -z "$dir_arg" || {
+	       # Check for POSIX incompatibilities with -m.
+	       # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
+	       # other-writable bit of parent directory when it shouldn't.
+	       # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
+	       test_tmpdir="$tmpdir/a"
+	       ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
+	       case $ls_ld_tmpdir in
+		 d????-?r-*) different_mode=700;;
+		 d????-?--*) different_mode=755;;
+		 *) false;;
+	       esac &&
+	       $mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
+		 ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
+		 test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
+	       }
+	     }
+	  then posix_mkdir=:
+	  fi
+	  rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
+	else
+	  # Remove any dirs left behind by ancient mkdir implementations.
+	  rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
+	fi
+	trap '' 0;;
     esac
 
     if
@@ -382,7 +387,7 @@ do
     then :
     else
 
-      # The umask is ridiculous, or mkdir does not conform to POSIX,
+      # mkdir does not conform to POSIX,
       # or it failed possibly due to a race condition.  Create the
       # directory the slow way, step by step, checking for races as we go.
 
@@ -411,7 +416,7 @@ do
           prefixes=
         else
           if $posix_mkdir; then
-            (umask=$mkdir_umask &&
+            (umask $mkdir_umask &&
              $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
             # Don't fail if two instances are running concurrently.
             test -d "$prefix" || exit 1
@@ -451,7 +456,18 @@ do
     trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
 
     # Copy the file name to the temp name.
-    (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
+    (umask $cp_umask &&
+     { test -z "$stripcmd" || {
+	 # Create $dsttmp read-write so that cp doesn't create it read-only,
+	 # which would cause strip to fail.
+	 if test -z "$doit"; then
+	   : >"$dsttmp" # No need to fork-exec 'touch'.
+	 else
+	   $doit touch "$dsttmp"
+	 fi
+       }
+     } &&
+     $doit_exec $cpprog "$src" "$dsttmp") &&
 
     # and set any options; do chmod last to preserve setuid bits.
     #
@@ -477,6 +493,13 @@ do
     then
       rm -f "$dsttmp"
     else
+      # If $backupsuffix is set, and the file being installed
+      # already exists, attempt a backup.  Don't worry if it fails,
+      # e.g., if mv doesn't support -f.
+      if test -n "$backupsuffix" && test -f "$dst"; then
+        $doit $mvcmd -f "$dst" "$dst$backupsuffix" 2>/dev/null
+      fi
+
       # Rename the file to the real destination.
       $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
 
@@ -491,9 +514,9 @@ do
         # file should still install successfully.
         {
           test ! -f "$dst" ||
-          $doit $rmcmd -f "$dst" 2>/dev/null ||
+          $doit $rmcmd "$dst" 2>/dev/null ||
           { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
-            { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
+            { $doit $rmcmd "$rmtmp" 2>/dev/null; :; }
           } ||
           { echo "$0: cannot unlink or rename $dst" >&2
             (exit 1); exit 1

lib/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -93,13 +93,14 @@ host_triplet = @host@
 subdir = lib
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
-	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
-	$(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
-	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
-	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
-	$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \
-	$(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \
-	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
@@ -237,8 +238,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
@@ -254,6 +253,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = 
 DEPDIR = @DEPDIR@
@@ -265,8 +266,10 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 ECONF_CPPFLAGS = @ECONF_CPPFLAGS@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
@@ -340,6 +343,7 @@ VENDORDIR = @VENDORDIR@
 VERSION = @VERSION@
 XGETTEXT = @XGETTEXT@
 XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
@@ -849,7 +853,6 @@ cscopelist-am: $(am__tagged_files)
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

lib/commonio.c

@@ -32,7 +32,7 @@
 
 /* local function prototypes */
 static int lrename (const char *, const char *);
-static int check_link_count (const char *file);
+static int check_link_count (const char *file, bool log);
 static int do_lock_file (const char *file, const char *lock, bool log);
 static /*@null@*/ /*@dependent@*/FILE *fopen_set_perms (
 	const char *name,
@@ -65,7 +65,6 @@ int lrename (const char *old, const char *new)
 	int res;
 	char *r = NULL;
 
-#if defined(S_ISLNK)
 #ifndef __GLIBC__
 	char resolved_path[PATH_MAX];
 #endif				/* !__GLIBC__ */
@@ -82,28 +81,35 @@ int lrename (const char *old, const char *new)
 			new = r;
 		}
 	}
-#endif				/* S_ISLNK */
 
 	res = rename (old, new);
 
 #ifdef __GLIBC__
-	if (NULL != r) {
-		free (r);
-	}
+	free (r);
 #endif				/* __GLIBC__ */
 
 	return res;
 }
 
-static int check_link_count (const char *file)
+static int check_link_count (const char *file, bool log)
 {
 	struct stat sb;
 
 	if (stat (file, &sb) != 0) {
+		if (log) {
+			(void) fprintf (shadow_logfd,
+			                "%s: %s file stat error: %s\n",
+			                shadow_progname, file, strerror (errno));
+		}
 		return 0;
 	}
 
 	if (sb.st_nlink != 2) {
+		if (log) {
+			(void) fprintf (shadow_logfd,
+			                "%s: %s: lock file already used (nlink: %u)\n",
+			                shadow_progname, file, sb.st_nlink);
+		}
 		return 0;
 	}
 
@@ -155,12 +161,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 	close (fd);
 
 	if (link (file, lock) == 0) {
-		retval = check_link_count (file);
-		if ((0==retval) && log) {
-			(void) fprintf (shadow_logfd,
-			                "%s: %s: lock file already used\n",
-			                shadow_progname, file);
-		}
+		retval = check_link_count (file, log);
 		unlink (file);
 		return retval;
 	}
@@ -221,12 +222,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 
 	retval = 0;
 	if (link (file, lock) == 0) {
-		retval = check_link_count (file);
-		if ((0==retval) && log) {
-			(void) fprintf (shadow_logfd,
-			                "%s: %s: lock file already used\n",
-			                shadow_progname, file);
-		}
+		retval = check_link_count (file, log);
 	} else {
 		if (log) {
 			(void) fprintf (shadow_logfd,
@@ -339,9 +335,7 @@ static void free_linked_list (struct commonio_db *db)
 		p = db->head;
 		db->head = p->next;
 
-		if (NULL != p->line) {
-			free (p->line);
-		}
+		free (p->line);
 
 		if (NULL != p->eptr) {
 			db->ops->free (p->eptr);
@@ -397,10 +391,8 @@ int commonio_lock_nowait (struct commonio_db *db, bool log)
 		err = 1;
 	}
 cleanup_ENOMEM:
-	if (file)
-		free(file);
-	if (lock)
-		free(lock);
+	free(file);
+	free(lock);
 	return err;
 }
 
@@ -1202,9 +1194,7 @@ int commonio_remove (struct commonio_db *db, const char *name)
 
 	commonio_del_entry (db, p);
 
-	if (NULL != p->line) {
-		free (p->line);
-	}
+	free (p->line);
 
 	if (NULL != p->eptr) {
 		db->ops->free (p->eptr);

lib/defines.h

@@ -22,8 +22,6 @@ typedef unsigned char _Bool;
 # define __bool_true_false_are_defined 1
 #endif
 
-#define ISDIGIT_LOCALE(c) (IN_CTYPE_DOMAIN (c) && isdigit (c))
-
 /* Take care of NLS matters.  */
 #ifdef S_SPLINT_S
 extern char *setlocale(int categories, const char *locale);
@@ -61,16 +59,8 @@ extern char * textdomain (const char * domainname);
 #endif
 #endif
 
-#if STDC_HEADERS
-# include <stdlib.h>
-# include <string.h>
-#else				/* not STDC_HEADERS */
-# ifndef HAVE_STRCHR
-#  define strchr index
-#  define strrchr rindex
-# endif
-char *strchr (), *strrchr (), *strtok ();
-#endif				/* not STDC_HEADERS */
+#include <stdlib.h>
+#include <string.h>
 
 #if HAVE_ERRNO_H
 # include <errno.h>
@@ -78,15 +68,7 @@ char *strchr (), *strrchr (), *strtok ();
 
 #include <sys/stat.h>
 #include <sys/types.h>
-#if HAVE_SYS_WAIT_H
-# include <sys/wait.h>
-#endif
-#ifndef WEXITSTATUS
-# define WEXITSTATUS(stat_val) ((unsigned)(stat_val) >> 8)
-#endif
-#ifndef WIFEXITED
-# define WIFEXITED(stat_val) (((stat_val) & 255) == 0)
-#endif
+#include <sys/wait.h>
 
 #if HAVE_UNISTD_H
 # include <unistd.h>
@@ -100,35 +82,26 @@ char *strchr (), *strrchr (), *strtok ();
 # include <crypt.h>
 #endif
 
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else				/* not TIME_WITH_SYS_TIME */
-# if HAVE_SYS_TIME_H
-#  include <sys/time.h>
-# else
-#  include <time.h>
-# endif
-#endif				/* not TIME_WITH_SYS_TIME */
+#include <sys/time.h>
+#include <time.h>
+
+#ifdef HAVE_MEMSET_S
+# define memzero(ptr, size) memset_s((ptr), 0, (size))
+#elif defined HAVE_EXPLICIT_BZERO	/* !HAVE_MEMSET_S */
+# define memzero(ptr, size) explicit_bzero((ptr), (size))
+#else					/* !HAVE_MEMSET_S && HAVE_EXPLICIT_BZERO */
+static inline void memzero(void *ptr, size_t size)
+{
+	volatile unsigned char * volatile p = ptr;
+	while (size--) {
+		*p++ = '\0';
+	}
+}
+#endif					/* !HAVE_MEMSET_S && !HAVE_EXPLICIT_BZERO */
 
-#define memzero(ptr, size) memset((void *)(ptr), 0, (size))
 #define strzero(s) memzero(s, strlen(s))	/* warning: evaluates twice */
 
-#ifdef HAVE_DIRENT_H		/* DIR_SYSV */
-# include <dirent.h>
-# define DIRECT dirent
-#else
-# ifdef HAVE_SYS_NDIR_H		/* DIR_XENIX */
-#  include <sys/ndir.h>
-# endif
-# ifdef HAVE_SYS_DIR_H		/* DIR_??? */
-#  include <sys/dir.h>
-# endif
-# ifdef HAVE_NDIR_H		/* DIR_BSD */
-#  include <ndir.h>
-# endif
-# define DIRECT direct
-#endif
+#include <dirent.h>
 
 /*
  * Possible cases:
@@ -232,30 +205,6 @@ char *strchr (), *strrchr (), *strtok ();
 # define SEEK_END 2
 #endif
 
-#ifdef STAT_MACROS_BROKEN
-# define S_ISDIR(x) ((x) & S_IFMT) == S_IFDIR)
-# define S_ISREG(x) ((x) & S_IFMT) == S_IFREG)
-# ifdef S_IFLNK
-#  define S_ISLNK(x) ((x) & S_IFMT) == S_IFLNK)
-# endif
-#endif
-
-#ifndef S_ISLNK
-#define S_ISLNK(x) (0)
-#endif
-
-#if HAVE_LCHOWN
-#define LCHOWN lchown
-#else
-#define LCHOWN chown
-#endif
-
-#if HAVE_LSTAT
-#define LSTAT lstat
-#else
-#define LSTAT stat
-#endif
-
 #if HAVE_TERMIOS_H
 # include <termios.h>
 # define STTY(fd, termio) tcsetattr(fd, TCSANOW, termio)
@@ -355,16 +304,10 @@ extern char *strerror ();
 /* To be used for verified unused parameters */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 # define unused __attribute__((unused))
+# define format_attr(type, index, check) __attribute__((format (type, index, check)))
 #else
 # define unused
-#endif
-
-/* ! Arguments evaluated twice ! */
-#ifndef MIN
-#define MIN(a,b) (((a) < (b)) ? (a) : (b))
-#endif
-#ifndef MAX
-#define MAX(x,y) (((x) > (y)) ? (x) : (y))
+# define format_attr(type, index, check)
 #endif
 
 /* Maximum length of usernames */
@@ -384,6 +327,9 @@ extern char *strerror ();
 # endif
 #endif
 
+/* Maximum length of passwd entry */
+#define PASSWD_ENTRY_MAX_LENGTH 32768
+
 #ifdef HAVE_SECURE_GETENV
 #  define shadow_getenv(name) secure_getenv(name)
 # else

lib/getdef.c

@@ -345,7 +345,6 @@ unsigned long getdef_ulong (const char *item, unsigned long dflt)
 	}
 
 	if (getulong (d->value, &val) == 0) {
-		/* FIXME: we should have a getulong */
 		fprintf (shadow_logfd,
 		         _("configuration error - cannot parse %s value: '%s'"),
 		         item, d->value);
@@ -389,10 +388,7 @@ int putdef_str (const char *name, const char *value)
 		return -1;
 	}
 
-	if (NULL != d->value) {
-		free (d->value);
-	}
-
+	free (d->value);
 	d->value = cp;
 	return 0;
 }

lib/groupio.c

@@ -418,9 +418,7 @@ static int split_groups (unsigned int max_members)
 		/* Shift all the members */
 		/* The number of members in new_gptr will be check later */
 		for (i = 0; NULL != new_gptr->gr_mem[i + max_members]; i++) {
-			if (NULL != new_gptr->gr_mem[i]) {
-				free (new_gptr->gr_mem[i]);
-			}
+			free (new_gptr->gr_mem[i]);
 			new_gptr->gr_mem[i] = new_gptr->gr_mem[i + max_members];
 			new_gptr->gr_mem[i + max_members] = NULL;
 		}

lib/groupmem.c

@@ -80,7 +80,7 @@ void gr_free (/*@out@*/ /*@only@*/struct group *grent)
 {
 	free (grent->gr_name);
 	if (NULL != grent->gr_passwd) {
-		memzero (grent->gr_passwd, strlen (grent->gr_passwd));
+		strzero (grent->gr_passwd);
 		free (grent->gr_passwd);
 	}
 	gr_free_members(grent);

lib/nss.c

@@ -9,6 +9,7 @@
 #include "prototypes.h"
 #include "../libsubid/subid.h"
 #include "shadowlog_internal.h"
+#include "shadowlog.h"
 
 #define NSSWITCH "/etc/nsswitch.conf"
 
@@ -29,7 +30,7 @@ bool nss_is_initialized() {
 	return atomic_load(&nss_init_completed);
 }
 
-void nss_exit() {
+static void nss_exit(void) {
 	if (nss_is_initialized() && subid_nss) {
 		dlclose(subid_nss->handle);
 		free(subid_nss);
@@ -38,10 +39,11 @@ void nss_exit() {
 }
 
 // nsswitch_path is an argument only to support testing.
-void nss_init(char *nsswitch_path) {
+void nss_init(const char *nsswitch_path) {
 	FILE *nssfp = NULL;
 	char *line = NULL, *p, *token, *saveptr;
 	size_t len = 0;
+	FILE *shadow_logfd = log_get_logfd();
 
 	if (atomic_flag_test_and_set(&nss_init_started)) {
 		// Another thread has started nss_init, wait for it to complete
@@ -57,7 +59,6 @@ void nss_init(char *nsswitch_path) {
 	//   subid:	files
 	nssfp = fopen(nsswitch_path, "r");
 	if (!nssfp) {
-		fprintf(shadow_logfd, "Failed opening %s: %m", nsswitch_path);
 		atomic_store(&nss_init_completed, true);
 		return;
 	}

lib/prototypes.h

@@ -159,12 +159,12 @@ extern int getlong (const char *numstr, /*@out@*/long int *result);
 extern int get_pid (const char *pidstr, pid_t *pid);
 
 /* getrange */
-extern int getrange (char *range,
+extern int getrange (const char *range,
                      unsigned long *min, bool *has_min,
                      unsigned long *max, bool *has_max);
 
 /* gettime.c */
-extern time_t gettime ();
+extern time_t gettime (void);
 
 /* get_uid.c */
 extern int get_uid (const char *uidstr, uid_t *uid);
@@ -242,8 +242,8 @@ extern /*@null@*//*@only@*/struct passwd *get_my_pwent (void);
 
 /* nss.c */
 #include <libsubid/subid.h>
-extern void nss_init(char *nsswitch_path);
-extern bool nss_is_initialized();
+extern void nss_init(const char *nsswitch_path);
+extern bool nss_is_initialized(void);
 
 struct subid_nss_ops {
 	/*
@@ -293,7 +293,7 @@ struct subid_nss_ops {
 	void *handle;
 };
 
-extern struct subid_nss_ops *get_subid_nss_handle();
+extern struct subid_nss_ops *get_subid_nss_handle(void);
 
 
 /* pam_pass_non_interactive.c */
@@ -324,12 +324,12 @@ extern struct passwd *prefix_getpwuid(uid_t uid);
 extern struct passwd *prefix_getpwnam(const char* name);
 extern struct spwd *prefix_getspnam(const char* name);
 extern struct group *prefix_getgr_nam_gid(const char *grname);
-extern void prefix_setpwent();
-extern struct passwd* prefix_getpwent();
-extern void prefix_endpwent();
-extern void prefix_setgrent();
-extern struct group* prefix_getgrent();
-extern void prefix_endgrent();
+extern void prefix_setpwent(void);
+extern struct passwd* prefix_getpwent(void);
+extern void prefix_endpwent(void);
+extern void prefix_setgrent(void);
+extern struct group* prefix_getgrent(void);
+extern void prefix_endgrent(void);
 
 /* pwd2spwd.c */
 #ifndef USE_PAM
@@ -480,10 +480,9 @@ extern int setutmpx (struct utmpx *utx);
 extern bool valid (const char *, const struct passwd *);
 
 /* xmalloc.c */
-extern /*@maynotreturn@*/ /*@only@*//*@out@*//*@notnull@*/char *xmalloc (size_t size)
+extern /*@maynotreturn@*/ /*@only@*//*@out@*//*@notnull@*/void *xmalloc (size_t size)
   /*@ensures MaxSet(result) == (size - 1); @*/;
 extern /*@maynotreturn@*/ /*@only@*//*@notnull@*/char *xstrdup (const char *);
-extern void xfree(void *ap);
 
 /* xgetpwnam.c */
 extern /*@null@*/ /*@only@*/struct passwd *xgetpwnam (const char *);

lib/pwauth.h

@@ -11,6 +11,9 @@
  *	$Id$
  */
 
+#ifndef _PWAUTH_H
+#define _PWAUTH_H
+
 #ifndef USE_PAM
 int pw_auth (const char *cipher,
              const char *user,
@@ -41,3 +44,5 @@ int pw_auth (const char *cipher,
 #define	PW_RLOGIN	202
 #define	PW_FTP		203
 #define	PW_REXEC	204
+
+#endif /* _PWAUTH_H */

lib/pwio.c

@@ -56,7 +56,10 @@ static int passwd_put (const void *ent, FILE * file)
 	    || (pw->pw_gid == (gid_t)-1)
 	    || (valid_field (pw->pw_gecos, ":\n") == -1)
 	    || (valid_field (pw->pw_dir, ":\n") == -1)
-	    || (valid_field (pw->pw_shell, ":\n") == -1)) {
+	    || (valid_field (pw->pw_shell, ":\n") == -1)
+	    || (strlen (pw->pw_name) + strlen (pw->pw_passwd) +
+	        strlen (pw->pw_gecos) + strlen (pw->pw_dir) +
+	        strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) {
 		return -1;
 	}
 

lib/pwmem.c

@@ -73,7 +73,7 @@ void pw_free (/*@out@*/ /*@only@*/struct passwd *pwent)
 	if (pwent != NULL) {
 		free (pwent->pw_name);
 		if (pwent->pw_passwd) {
-			memzero (pwent->pw_passwd, strlen (pwent->pw_passwd));
+			strzero (pwent->pw_passwd);
 			free (pwent->pw_passwd);
 		}
 		free (pwent->pw_gecos);

lib/run_part.c

@@ -8,9 +8,10 @@
 #include <sys/wait.h>
 #include <unistd.h>
 #include <lib/prototypes.h>
+#include "run_part.h"
 #include "shadowlog_internal.h"
 
-int run_part (char *script_path, char *name, char *action)
+int run_part (char *script_path, const char *name, const char *action)
 {
 	int pid;
 	int wait_status;
@@ -39,15 +40,15 @@ int run_part (char *script_path, char *name, char *action)
 	return (1);
 }
 
-int run_parts (char *directory, char *name, char *action)
+int run_parts (const char *directory, const char *name, const char *action)
 {
 	struct dirent **namelist;
 	int scanlist;
 	int n;
-	int execute_result;
+	int execute_result = 0;
 
 	scanlist = scandir (directory, &namelist, 0, alphasort);
-	if (scanlist<0) {
+	if (scanlist<=0) {
 		return (0);
 	}
 

lib/run_part.h

@@ -1,2 +1,7 @@
-int run_part (char *script_path, char *name, char *action);
-int run_parts (char *directory, char *name, char *action);
+#ifndef _RUN_PART_H
+#define _RUN_PART_H
+
+int run_part (char *script_path, const char *name, const char *action);
+int run_parts (const char *directory, const char *name, const char *action);
+
+#endif /* _RUN_PART_H */

lib/selinux.c

@@ -109,7 +109,7 @@ int reset_selinux_file_context (void)
 /*
  *  Log callback for libselinux internal error reporting.
  */
-__attribute__((__format__ (printf, 2, 3)))
+format_attr(printf, 2, 3)
 static int selinux_log_cb (int type, const char *fmt, ...) {
 	va_list ap;
 	char *buf;

lib/semanage.c

@@ -27,6 +27,7 @@
 #endif
 
 
+format_attr(printf, 3, 4)
 static void semanage_error_callback (unused void *varg,
                                      semanage_handle_t *handle,
                                      const char *fmt, ...)
@@ -121,12 +122,14 @@ static int semanage_user_mod (semanage_handle_t *handle,
 		goto done;
 	}
 
-	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
-	if (ret != 0) {
-		fprintf (shadow_logfd,
-		         _("Could not set serange for %s\n"), login_name);
-		ret = 1;
-		goto done;
+	if (semanage_mls_enabled(handle)) {
+		ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+		if (ret != 0) {
+			fprintf (shadow_logfd,
+			         _("Could not set serange for %s\n"), login_name);
+			ret = 1;
+			goto done;
+		}
 	}
 
 	ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
@@ -178,13 +181,14 @@ static int semanage_user_add (semanage_handle_t *handle,
 		goto done;
 	}
 
-	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
-	if (ret != 0) {
-		fprintf (shadow_logfd,
-		         _("Could not set serange for %s\n"),
-		         login_name);
-		ret = 1;
-		goto done;
+	if (semanage_mls_enabled(handle)) {
+		ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+		if (ret != 0) {
+			fprintf (shadow_logfd,
+			         _("Could not set serange for %s\n"), login_name);
+			ret = 1;
+			goto done;
+		}
 	}
 
 	ret = semanage_seuser_set_sename (handle, seuser, seuser_name);

lib/sgetgrent.c

@@ -54,8 +54,7 @@ static char **list (char *s)
 				rbuf = malloc (size * sizeof (char *));
 			}
 			if (!rbuf) {
-				if (members)
-					free (members);
+				free (members);
 				members = 0;
 				size = 0;
 				return (char **) 0;
@@ -89,8 +88,7 @@ struct group *sgetgrent (const char *buf)
 	if (strlen (buf) + 1 > size) {
 		/* no need to use realloc() here - just free it and
 		   allocate a larger block */
-		if (grpbuf)
-			free (grpbuf);
+		free (grpbuf);
 		size = strlen (buf) + 1000;	/* at least: strlen(buf) + 1 */
 		grpbuf = malloc (size);
 		if (!grpbuf) {

lib/sgetpwent.c

@@ -16,6 +16,7 @@
 #include <stdio.h>
 #include <pwd.h>
 #include "prototypes.h"
+#include "shadowlog_internal.h"
 
 #define	NFIELDS	7
 
@@ -34,9 +35,9 @@
 struct passwd *sgetpwent (const char *buf)
 {
 	static struct passwd pwent;
-	static char pwdbuf[1024];
-	register int i;
-	register char *cp;
+	static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH];
+	int i;
+	char *cp;
 	char *fields[NFIELDS];
 
 	/*
@@ -44,8 +45,12 @@ struct passwd *sgetpwent (const char *buf)
 	 * the password structure remain valid.
 	 */
 
-	if (strlen (buf) >= sizeof pwdbuf)
+	if (strlen (buf) >= sizeof pwdbuf) {
+		fprintf (shadow_logfd,
+		         "%s: Too long passwd entry encountered, file corruption?\n",
+		         shadow_progname);
 		return 0;	/* fail if too long */
+	}
 	strcpy (pwdbuf, buf);
 
 	/*

lib/sgetspent.c

@@ -16,6 +16,7 @@
 
 #include <sys/types.h>
 #include "prototypes.h"
+#include "shadowlog_internal.h"
 #include "defines.h"
 #include <stdio.h>
 #define	FIELDS	9
@@ -25,7 +26,7 @@
  */
 struct spwd *sgetspent (const char *string)
 {
-	static char spwbuf[1024];
+	static char spwbuf[PASSWD_ENTRY_MAX_LENGTH];
 	static struct spwd spwd;
 	char *fields[FIELDS];
 	char *cp;
@@ -37,6 +38,9 @@ struct spwd *sgetspent (const char *string)
 	 */
 
 	if (strlen (string) >= sizeof spwbuf) {
+		fprintf (shadow_logfd,
+		         "%s: Too long passwd entry encountered, file corruption?\n",
+		         shadow_progname);
 		return 0;	/* fail if too long */
 	}
 	strcpy (spwbuf, string);
@@ -171,8 +175,7 @@ struct spwd *sgetspent (const char *string)
 
 	if (fields[8][0] == '\0') {
 		spwd.sp_flag = SHADOW_SP_FLAG_UNSET;
-	} else if (getlong (fields[8], &spwd.sp_flag) == 0) {
-		/* FIXME: add a getulong function */
+	} else if (getulong (fields[8], &spwd.sp_flag) == 0) {
 		return 0;
 	}
 

lib/sgroupio.c

@@ -128,7 +128,7 @@ void sgr_free (/*@out@*/ /*@only@*/struct sgrp *sgent)
 	size_t i;
 	free (sgent->sg_name);
 	if (NULL != sgent->sg_passwd) {
-		memzero (sgent->sg_passwd, strlen (sgent->sg_passwd));
+		strzero (sgent->sg_passwd);
 		free (sgent->sg_passwd);
 	}
 	for (i = 0; NULL != sgent->sg_adm[i]; i++) {

lib/shadow.c

@@ -305,8 +305,7 @@ static struct spwd *my_sgetspent (const char *string)
 	if (fields[8][0] == '\0') {
 		spwd.sp_flag = SHADOW_SP_FLAG_UNSET;
 	} else {
-		if (getlong (fields[8], &spwd.sp_flag) == 0) {
-			/* FIXME: add a getulong function */
+		if (getulong (fields[8], &spwd.sp_flag) == 0) {
 #ifdef	USE_NIS
 			if (nis_used) {
 				spwd.sp_flag = SHADOW_SP_FLAG_UNSET;

lib/shadowio.c

@@ -56,7 +56,9 @@ static int shadow_put (const void *ent, FILE * file)
 
 	if (   (NULL == sp)
 	    || (valid_field (sp->sp_namp, ":\n") == -1)
-	    || (valid_field (sp->sp_pwdp, ":\n") == -1)) {
+	    || (valid_field (sp->sp_pwdp, ":\n") == -1)
+	    || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) +
+	        1000 > PASSWD_ENTRY_MAX_LENGTH)) {
 		return -1;
 	}
 

lib/shadowlog.h

@@ -36,6 +36,5 @@ extern void log_set_progname(const char *);
 extern const char *log_get_progname(void);
 extern void log_set_logfd(FILE *fd);
 extern FILE *log_get_logfd(void);
-extern void log_dolog(char *, ...);
 
 #endif

lib/shadowlog_internal.h

@@ -1,2 +1,7 @@
+#ifndef _SHADOWLOG_INTERNAL_H
+#define _SHADOWLOG_INTERNAL_H
+
 extern const char *shadow_progname; /* Program name showed in error messages */
 extern FILE *shadow_logfd;  /* file descripter to which error messages are printed */
+
+#endif /* _SHADOWLOG_INTERNAL_H */

lib/shadowmem.c

@@ -59,7 +59,7 @@ void spw_free (/*@out@*/ /*@only@*/struct spwd *spent)
 	if (spent != NULL) {
 		free (spent->sp_namp);
 		if (NULL != spent->sp_pwdp) {
-			memzero (spent->sp_pwdp, strlen (spent->sp_pwdp));
+			strzero (spent->sp_pwdp);
 			free (spent->sp_pwdp);
 		}
 		free (spent);

lib/subordinateio.c

@@ -17,6 +17,8 @@
 #include <ctype.h>
 #include <fcntl.h>
 
+#define ID_SIZE 31
+
 /*
  * subordinate_dup: create a duplicate range
  *
@@ -155,7 +157,7 @@ static struct commonio_ops subordinate_ops = {
  *
  * Returns true if @owner owns any subuid ranges, false otherwise.
  */
-static const bool range_exists(struct commonio_db *db, const char *owner)
+static bool range_exists(struct commonio_db *db, const char *owner)
 {
 	const struct subordinate_range *range;
 	commonio_rewind(db);
@@ -745,6 +747,40 @@ gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
 	return start == ULONG_MAX ? (gid_t) -1 : start;
 }
 
+static bool get_owner_id(const char *owner, enum subid_type id_type, char *id)
+{
+	struct passwd *pw;
+	struct group *gr;
+	int ret = 0;
+
+	switch (id_type) {
+	case ID_TYPE_UID:
+		pw = getpwnam(owner);
+		if (pw == NULL) {
+			return false;
+		}
+		ret = snprintf(id, ID_SIZE, "%u", pw->pw_uid);
+		if (ret < 0 || ret >= ID_SIZE) {
+			return false;
+		}
+		break;
+	case ID_TYPE_GID:
+		gr = getgrnam(owner);
+		if (gr == NULL) {
+			return false;
+		}
+		ret = snprintf(id, ID_SIZE, "%u", gr->gr_gid);
+		if (ret < 0 || ret >= ID_SIZE) {
+			return false;
+		}
+		break;
+	default:
+		return false;
+	}
+
+	return true;
+}
+
 /*
  * int list_owner_ranges(const char *owner, enum subid_type id_type, struct subordinate_range ***ranges)
  *
@@ -770,6 +806,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
 	enum subid_status status;
 	int count = 0;
 	struct subid_nss_ops *h;
+	char id[ID_SIZE];
+	bool have_owner_id;
 
 	*in_ranges = NULL;
 
@@ -798,6 +836,8 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
 		return -1;
 	}
 
+	have_owner_id = get_owner_id(owner, id_type, id);
+
 	commonio_rewind(db);
 	while ((range = commonio_next(db)) != NULL) {
 		if (0 == strcmp(range->owner, owner)) {
@@ -808,6 +848,16 @@ int list_owner_ranges(const char *owner, enum subid_type id_type, struct subid_r
 				goto out;
 			}
 		}
+
+		// Let's also compare with the ID
+		if (have_owner_id == true && 0 == strcmp(range->owner, id)) {
+			if (!append_range(&ranges, range, count++)) {
+				free(ranges);
+				ranges = NULL;
+				count = -1;
+				goto out;
+			}
+		}
 	}
 
 out:

lib/tcbfuncs.c

@@ -380,9 +380,7 @@ shadowtcb_status shadowtcb_set_user (const char* name)
 		return SHADOWTCB_SUCCESS;
 	}
 
-	if (NULL != stored_tcb_user) {
-		free (stored_tcb_user);
-	}
+	free (stored_tcb_user);
 
 	stored_tcb_user = strdup (name);
 	if (NULL == stored_tcb_user) {

libmisc/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -92,13 +92,14 @@ host_triplet = @host@
 subdir = libmisc
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
-	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
-	$(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
-	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
-	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
-	$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \
-	$(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \
-	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
@@ -245,8 +246,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp \
 	$(top_srcdir)/ylwrap getdate.c
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -263,6 +262,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -274,8 +275,10 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 ECONF_CPPFLAGS = @ECONF_CPPFLAGS@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
@@ -349,6 +352,7 @@ VENDORDIR = @VENDORDIR@
 VERSION = @VERSION@
 XGETTEXT = @XGETTEXT@
 XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
@@ -632,7 +636,6 @@ cscopelist-am: $(am__tagged_files)
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

libmisc/btrfs.c

@@ -14,7 +14,7 @@ static bool path_exists(const char *p)
 
 static const char *btrfs_cmd(void)
 {
-	const char *btrfs_paths[] = {"/sbin/btrfs",
+	const char *const btrfs_paths[] = {"/sbin/btrfs",
 		"/bin/btrfs", "/usr/sbin/btrfs", "/usr/bin/btrfs", NULL};
 	const char *p;
 	int i;

libmisc/chkname.c

@@ -32,26 +32,44 @@ static bool is_valid_name (const char *name)
 	}
 
 	/*
-	 * User/group names must match [a-z_][a-z0-9_-]*[$]
-	 */
+         * User/group names must match gnu e-regex:
+         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
+         *
+         * as a non-POSIX, extension, allow "$" as the last char for
+         * sake of Samba 3.x "add machine script"
+         *
+         * Also do not allow fully numeric names or just "." or "..".
+         */
+	int numeric;
 
-	if (('\0' == *name) ||
-	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+	if ('\0' == *name ||
+	    ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+			      '\0' == name[1])) ||
+	    !((*name >= 'a' && *name <= 'z') ||
+	      (*name >= 'A' && *name <= 'Z') ||
+	      (*name >= '0' && *name <= '9') ||
+	      *name == '_' ||
+	      *name == '.')) {
 		return false;
 	}
 
+	numeric = isdigit(*name);
+
 	while ('\0' != *++name) {
-		if (!(( ('a' <= *name) && ('z' >= *name) ) ||
-		      ( ('0' <= *name) && ('9' >= *name) ) ||
-		      ('_' == *name) ||
-		      ('-' == *name) ||
-		      ( ('$' == *name) && ('\0' == *(name + 1)) )
+		if (!((*name >= 'a' && *name <= 'z') ||
+		      (*name >= 'A' && *name <= 'Z') ||
+		      (*name >= '0' && *name <= '9') ||
+		      *name == '_' ||
+		      *name == '.' ||
+		      *name == '-' ||
+		      (*name == '$' && name[1] == '\0')
 		     )) {
 			return false;
 		}
+		numeric &= isdigit(*name);
 	}
 
-	return true;
+	return !numeric;
 }
 
 bool is_valid_user_name (const char *name)

libmisc/chowndir.c

@@ -17,6 +17,112 @@
 #include "defines.h"
 #include <fcntl.h>
 #include <stdio.h>
+#include <unistd.h>
+
+static int chown_tree_at (int at_fd,
+                const char *path,
+                uid_t old_uid,
+                uid_t new_uid,
+                gid_t old_gid,
+                gid_t new_gid)
+{
+	DIR *dir;
+	const struct dirent *ent;
+	struct stat dir_sb;
+	int dir_fd, rc = 0;
+
+	dir_fd = openat (at_fd, path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
+	if (dir_fd < 0) {
+		return -1;
+	}
+
+	dir = fdopendir (dir_fd);
+	if (!dir) {
+		(void) close (dir_fd);
+		return -1;
+	}
+
+	/*
+	 * Open the directory and read each entry.  Every entry is tested
+	 * to see if it is a directory, and if so this routine is called
+	 * recursively.  If not, it is checked to see if an ownership
+	 * shall be changed.
+	 */
+	while ((ent = readdir (dir))) {
+		uid_t tmpuid = (uid_t) -1;
+		gid_t tmpgid = (gid_t) -1;
+		struct stat ent_sb;
+
+		/*
+		 * Skip the "." and ".." entries
+		 */
+		if (   (strcmp (ent->d_name, ".") == 0)
+		    || (strcmp (ent->d_name, "..") == 0)) {
+			continue;
+		}
+
+		rc = fstatat (dirfd(dir), ent->d_name, &ent_sb, AT_SYMLINK_NOFOLLOW);
+		if (rc < 0) {
+			break;
+		}
+
+		if (S_ISDIR (ent_sb.st_mode)) {
+			/*
+			 * Do the entire subdirectory.
+			 */
+			rc = chown_tree_at (dirfd(dir), ent->d_name, old_uid, new_uid, old_gid, new_gid);
+			if (0 != rc) {
+				break;
+			}
+		}
+
+		/*
+		 * By default, the IDs are not changed (-1).
+		 *
+		 * If the file is not owned by the user, the owner is not
+		 * changed.
+		 *
+		 * If the file is not group-owned by the group, the
+		 * group-owner is not changed.
+		 */
+		if (((uid_t) -1 == old_uid) || (ent_sb.st_uid == old_uid)) {
+			tmpuid = new_uid;
+		}
+		if (((gid_t) -1 == old_gid) || (ent_sb.st_gid == old_gid)) {
+			tmpgid = new_gid;
+		}
+		if (((uid_t) -1 != tmpuid) || ((gid_t) -1 != tmpgid)) {
+			rc = fchownat (dirfd(dir), ent->d_name, tmpuid, tmpgid, AT_SYMLINK_NOFOLLOW);
+			if (0 != rc) {
+				break;
+			}
+		}
+	}
+
+	/*
+	 * Now do the root of the tree
+	 */
+	if ((0 == rc) && (fstat (dirfd(dir), &dir_sb) == 0)) {
+		uid_t tmpuid = (uid_t) -1;
+		gid_t tmpgid = (gid_t) -1;
+		if (((uid_t) -1 == old_uid) || (dir_sb.st_uid == old_uid)) {
+			tmpuid = new_uid;
+		}
+		if (((gid_t) -1 == old_gid) || (dir_sb.st_gid == old_gid)) {
+			tmpgid = new_gid;
+		}
+		if (((uid_t) -1 != tmpuid) || ((gid_t) -1 != tmpgid)) {
+			rc = fchown (dirfd(dir), tmpuid, tmpgid);
+		}
+	} else {
+		rc = -1;
+	}
+
+	(void) closedir (dir);
+
+	return rc;
+}
+
 /*
  * chown_tree - change ownership of files in a directory tree
  *
@@ -36,143 +142,5 @@ int chown_tree (const char *root,
                 gid_t old_gid,
                 gid_t new_gid)
 {
-	char *new_name;
-	size_t new_name_len;
-	int rc = 0;
-	struct DIRECT *ent;
-	struct stat sb;
-	DIR *dir;
-
-	new_name = malloc (1024);
-	if (NULL == new_name) {
-		return -1;
-	}
-	new_name_len = 1024;
-
-	/*
-	 * Make certain the directory exists.  This routine is called
-	 * directly by the invoker, or recursively.
-	 */
-
-	if (access (root, F_OK) != 0) {
-		free (new_name);
-		return -1;
-	}
-
-	/*
-	 * Open the directory and read each entry.  Every entry is tested
-	 * to see if it is a directory, and if so this routine is called
-	 * recursively.  If not, it is checked to see if an ownership
-	 * shall be changed.
-	 */
-
-	dir = opendir (root);
-	if (NULL == dir) {
-		free (new_name);
-		return -1;
-	}
-
-	while ((ent = readdir (dir))) {
-		size_t ent_name_len;
-		uid_t tmpuid = (uid_t) -1;
-		gid_t tmpgid = (gid_t) -1;
-
-		/*
-		 * Skip the "." and ".." entries
-		 */
-
-		if (   (strcmp (ent->d_name, ".") == 0)
-		    || (strcmp (ent->d_name, "..") == 0)) {
-			continue;
-		}
-
-		/*
-		 * Make the filename for both the source and the
-		 * destination files.
-		 */
-
-		ent_name_len = strlen (root) + strlen (ent->d_name) + 2;
-		if (ent_name_len > new_name_len) {
-			/*@only@*/char *tmp = realloc (new_name, ent_name_len);
-			if (NULL == tmp) {
-				rc = -1;
-				break;
-			}
-			new_name = tmp;
-			new_name_len = ent_name_len;
-		}
-
-		(void) snprintf (new_name, new_name_len, "%s/%s", root, ent->d_name);
-
-		/* Don't follow symbolic links! */
-		if (LSTAT (new_name, &sb) == -1) {
-			continue;
-		}
-
-		if (S_ISDIR (sb.st_mode) && !S_ISLNK (sb.st_mode)) {
-
-			/*
-			 * Do the entire subdirectory.
-			 */
-
-			rc = chown_tree (new_name, old_uid, new_uid,
-			                 old_gid, new_gid);
-			if (0 != rc) {
-				break;
-			}
-		}
-#ifndef HAVE_LCHOWN
-		/* don't use chown (follows symbolic links!) */
-		if (S_ISLNK (sb.st_mode)) {
-			continue;
-		}
-#endif
-		/*
-		 * By default, the IDs are not changed (-1).
-		 *
-		 * If the file is not owned by the user, the owner is not
-		 * changed.
-		 *
-		 * If the file is not group-owned by the group, the
-		 * group-owner is not changed.
-		 */
-		if (((uid_t) -1 == old_uid) || (sb.st_uid == old_uid)) {
-			tmpuid = new_uid;
-		}
-		if (((gid_t) -1 == old_gid) || (sb.st_gid == old_gid)) {
-			tmpgid = new_gid;
-		}
-		if (((uid_t) -1 != tmpuid) || ((gid_t) -1 != tmpgid)) {
-			rc = LCHOWN (new_name, tmpuid, tmpgid);
-			if (0 != rc) {
-				break;
-			}
-		}
-	}
-
-	free (new_name);
-	(void) closedir (dir);
-
-	/*
-	 * Now do the root of the tree
-	 */
-
-	if ((0 == rc) && (stat (root, &sb) == 0)) {
-		uid_t tmpuid = (uid_t) -1;
-		gid_t tmpgid = (gid_t) -1;
-		if (((uid_t) -1 == old_uid) || (sb.st_uid == old_uid)) {
-			tmpuid = new_uid;
-		}
-		if (((gid_t) -1 == old_gid) || (sb.st_gid == old_gid)) {
-			tmpgid = new_gid;
-		}
-		if (((uid_t) -1 != tmpuid) || ((gid_t) -1 != tmpgid)) {
-			rc = LCHOWN (root, tmpuid, tmpgid);
-		}
-	} else {
-		rc = -1;
-	}
-
-	return rc;
+	return chown_tree_at (AT_FDCWD, root, old_uid, new_uid, old_gid, new_gid);
 }
-

libmisc/console.c

@@ -16,9 +16,6 @@
 
 #ident "$Id$"
 
-/* local function prototypes */
-static bool is_listed (const char *cfgin, const char *tty, bool def);
-
 /*
  * This is now rather generic function which decides if "tty" is listed
  * under "cfgin" in config (directly or indirectly). Fallback to default if

libmisc/copydir.c

@@ -47,42 +47,43 @@ struct link_name {
 };
 static /*@exposed@*/struct link_name *links;
 
-static int copy_entry (const char *src, const char *dst,
+struct path_info {
+	const char *full_path;
+	int dirfd;
+	const char *name;
+};
+
+static int copy_entry (const struct path_info *src, const struct path_info *dst,
                        bool reset_selinux,
                        uid_t old_uid, uid_t new_uid,
                        gid_t old_gid, gid_t new_gid);
-static int copy_dir (const char *src, const char *dst,
+static int copy_dir (const struct path_info *src, const struct path_info *dst,
                      bool reset_selinux,
-                     const struct stat *statp, const struct timeval mt[],
+                     const struct stat *statp, const struct timespec mt[],
                      uid_t old_uid, uid_t new_uid,
                      gid_t old_gid, gid_t new_gid);
-#ifdef	S_IFLNK
 static /*@null@*/char *readlink_malloc (const char *filename);
-static int copy_symlink (const char *src, const char *dst,
+static int copy_symlink (const struct path_info *src, const struct path_info *dst,
                          unused bool reset_selinux,
-                         const struct stat *statp, const struct timeval mt[],
+                         const struct stat *statp, const struct timespec mt[],
                          uid_t old_uid, uid_t new_uid,
                          gid_t old_gid, gid_t new_gid);
-#endif				/* S_IFLNK */
-static int copy_hardlink (const char *dst,
+static int copy_hardlink (const struct path_info *dst,
                           unused bool reset_selinux,
                           struct link_name *lp);
-static int copy_special (const char *src, const char *dst,
+static int copy_special (const struct path_info *src, const struct path_info *dst,
                          bool reset_selinux,
-                         const struct stat *statp, const struct timeval mt[],
+                         const struct stat *statp, const struct timespec mt[],
                          uid_t old_uid, uid_t new_uid,
                          gid_t old_gid, gid_t new_gid);
-static int copy_file (const char *src, const char *dst,
+static int copy_file (const struct path_info *src, const struct path_info *dst,
                       bool reset_selinux,
-                      const struct stat *statp, const struct timeval mt[],
+                      const struct stat *statp, const struct timespec mt[],
                       uid_t old_uid, uid_t new_uid,
                       gid_t old_gid, gid_t new_gid);
-static int chown_if_needed (const char *dst, const struct stat *statp,
+static int chownat_if_needed (const struct path_info *dst, const struct stat *statp,
                             uid_t old_uid, uid_t new_uid,
                             gid_t old_gid, gid_t new_gid);
-static int lchown_if_needed (const char *dst, const struct stat *statp,
-                             uid_t old_uid, uid_t new_uid,
-                             gid_t old_gid, gid_t new_gid);
 static int fchown_if_needed (int fdst, const struct stat *statp,
                              uid_t old_uid, uid_t new_uid,
                              gid_t old_gid, gid_t new_gid);
@@ -91,7 +92,8 @@ static int fchown_if_needed (int fdst, const struct stat *statp,
 /*
  * error_acl - format the error messages for the ACL and EQ libraries.
  */
-static void error_acl (struct error_context *ctx, const char *fmt, ...)
+format_attr(printf, 2, 3)
+static void error_acl (unused struct error_context *ctx, const char *fmt, ...)
 {
 	va_list ap;
 	FILE *shadow_logfd = log_get_logfd();
@@ -113,10 +115,61 @@ static void error_acl (struct error_context *ctx, const char *fmt, ...)
 }
 
 static struct error_context ctx = {
-	error_acl
+	error_acl, NULL, NULL
 };
 #endif				/* WITH_ACL || WITH_ATTR */
 
+#ifdef WITH_ACL
+static int perm_copy_path(const struct path_info *src,
+						  const struct path_info *dst,
+						  struct error_context *errctx)
+{
+	int src_fd, dst_fd, ret;
+
+	src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
+	if (src_fd < 0) {
+		return -1;
+	}
+
+	dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
+	if (dst_fd < 0) {
+		(void) close (src_fd);
+		return -1;
+	}
+
+	ret = perm_copy_fd(src->full_path, src_fd, dst->full_path, dst_fd, errctx);
+	(void) close (src_fd);
+	(void) close (dst_fd);
+	return ret;
+}
+#endif				/* WITH_ACL */
+
+#ifdef WITH_ATTR
+static int attr_copy_path(const struct path_info *src,
+						  const struct path_info *dst,
+						  int (*callback) (const char *, struct error_context *),
+						  struct error_context *errctx)
+{
+	int src_fd, dst_fd, ret;
+
+	src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
+	if (src_fd < 0) {
+		return -1;
+	}
+
+	dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
+	if (dst_fd < 0) {
+		(void) close (src_fd);
+		return -1;
+	}
+
+	ret = attr_copy_fd(src->full_path, src_fd, dst->full_path, dst_fd, callback, errctx);
+	(void) close (src_fd);
+	(void) close (dst_fd);
+	return ret;
+}
+#endif				/* WITH_ATTR */
+
 /*
  * remove_link - delete a link from the linked list
  */
@@ -189,51 +242,36 @@ static /*@exposed@*/ /*@null@*/struct link_name *check_link (const char *name, c
 	return NULL;
 }
 
-/*
- * copy_tree - copy files in a directory tree
- *
- *	copy_tree() walks a directory tree and copies ordinary files
- *	as it goes.
- *
- *	When reset_selinux is enabled, extended attributes (and thus
- *	SELinux attributes) are not copied.
- *
- *	old_uid and new_uid are used to set the ownership of the copied
- *	files. Unless old_uid is set to -1, only the files owned by
- *	old_uid have their ownership changed to new_uid. In addition, if
- *	new_uid is set to -1, no ownership will be changed.
- *
- *	The same logic applies for the group-ownership and
- *	old_gid/new_gid.
- */
-int copy_tree (const char *src_root, const char *dst_root,
+static int copy_tree_impl (const struct path_info *src, const struct path_info *dst,
                bool copy_root, bool reset_selinux,
                uid_t old_uid, uid_t new_uid,
                gid_t old_gid, gid_t new_gid)
 {
-	int err = 0;
+	int dst_fd, src_fd, err = 0;
 	bool set_orig = false;
-	struct DIRECT *ent;
+	const struct dirent *ent;
 	DIR *dir;
 
 	if (copy_root) {
 		struct stat sb;
-		if (access (dst_root, F_OK) == 0) {
+
+		if (   fstatat (dst->dirfd, dst->name, &sb, 0) == 0
+		    || errno != ENOENT) {
 			return -1;
 		}
 
-		if (LSTAT (src_root, &sb) == -1) {
+		if (fstatat (src->dirfd, src->name, &sb, AT_SYMLINK_NOFOLLOW) == -1) {
 			return -1;
 		}
 
 		if (!S_ISDIR (sb.st_mode)) {
 			fprintf (log_get_logfd(),
 			         "%s: %s is not a directory",
-			         log_get_progname(), src_root);
+			         log_get_progname(), src->full_path);
 			return -1;
 		}
 
-		return copy_entry (src_root, dst_root, reset_selinux,
+		return copy_entry (src, dst, reset_selinux,
 		                   old_uid, new_uid, old_gid, new_gid);
 	}
 
@@ -243,8 +281,14 @@ int copy_tree (const char *src_root, const char *dst_root,
 	 * target is created.  It assumes the target directory exists.
 	 */
 
-	if (   (access (src_root, F_OK) != 0)
-	    || (access (dst_root, F_OK) != 0)) {
+	src_fd = openat (src->dirfd, src->name, O_DIRECTORY | O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
+	if (src_fd < 0) {
+		return -1;
+	}
+
+	dst_fd = openat (dst->dirfd, dst->name, O_DIRECTORY | O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
+	if (dst_fd < 0) {
+		(void) close (src_fd);
 		return -1;
 	}
 
@@ -255,14 +299,16 @@ int copy_tree (const char *src_root, const char *dst_root,
 	 * regular files (and directories ...) are copied, and no file
 	 * is made set-ID.
 	 */
-	dir = opendir (src_root);
+	dir = fdopendir (src_fd);
 	if (NULL == dir) {
+		(void) close (src_fd);
+		(void) close (dst_fd);
 		return -1;
 	}
 
 	if (src_orig == NULL) {
-		src_orig = src_root;
-		dst_orig = dst_root;
+		src_orig = src->full_path;
+		dst_orig = dst->full_path;
 		set_orig = true;
 	}
 	while ((0 == err) && (ent = readdir (dir)) != NULL) {
@@ -275,8 +321,8 @@ int copy_tree (const char *src_root, const char *dst_root,
 			char *dst_name;
 			size_t src_len = strlen (ent->d_name) + 2;
 			size_t dst_len = strlen (ent->d_name) + 2;
-			src_len += strlen (src_root);
-			dst_len += strlen (dst_root);
+			src_len += strlen (src->full_path);
+			dst_len += strlen (dst->full_path);
 
 			src_name = (char *) malloc (src_len);
 			dst_name = (char *) malloc (dst_len);
@@ -288,25 +334,32 @@ int copy_tree (const char *src_root, const char *dst_root,
 				 * Build the filename for both the source and
 				 * the destination files.
 				 */
-				(void) snprintf (src_name, src_len, "%s/%s",
-				                 src_root, ent->d_name);
-				(void) snprintf (dst_name, dst_len, "%s/%s",
-				                 dst_root, ent->d_name);
+				struct path_info src_entry, dst_entry;
 
-				err = copy_entry (src_name, dst_name,
+				(void) snprintf (src_name, src_len, "%s/%s",
+				                 src->full_path, ent->d_name);
+				(void) snprintf (dst_name, dst_len, "%s/%s",
+				                 dst->full_path, ent->d_name);
+
+				src_entry.full_path = src_name;
+				src_entry.dirfd = dirfd(dir);
+				src_entry.name = ent->d_name;
+
+				dst_entry.full_path = dst_name;
+				dst_entry.dirfd = dst_fd;
+				dst_entry.name = ent->d_name;
+
+				err = copy_entry (&src_entry, &dst_entry,
 				                  reset_selinux,
 				                  old_uid, new_uid,
 				                  old_gid, new_gid);
 			}
-			if (NULL != src_name) {
-				free (src_name);
-			}
-			if (NULL != dst_name) {
-				free (dst_name);
-			}
+			free (src_name);
+			free (dst_name);
 		}
 	}
 	(void) closedir (dir);
+	(void) close (dst_fd);
 
 	if (set_orig) {
 		src_orig = NULL;
@@ -353,7 +406,7 @@ int copy_tree (const char *src_root, const char *dst_root,
  *	old_gid) will be modified, unless old_uid (resp. old_gid) is set
  *	to -1.
  */
-static int copy_entry (const char *src, const char *dst,
+static int copy_entry (const struct path_info *src, const struct path_info *dst,
                        bool reset_selinux,
                        uid_t old_uid, uid_t new_uid,
                        gid_t old_gid, gid_t new_gid)
@@ -361,32 +414,32 @@ static int copy_entry (const char *src, const char *dst,
 	int err = 0;
 	struct stat sb;
 	struct link_name *lp;
-	struct timeval mt[2];
+	struct timespec mt[2];
 
-	if (LSTAT (src, &sb) == -1) {
+	if (fstatat(src->dirfd, src->name, &sb, AT_SYMLINK_NOFOLLOW) == -1) {
 		/* If we cannot stat the file, do not care. */
 	} else {
 #ifdef HAVE_STRUCT_STAT_ST_ATIM
 		mt[0].tv_sec  = sb.st_atim.tv_sec;
-		mt[0].tv_usec = sb.st_atim.tv_nsec / 1000;
+		mt[0].tv_nsec = sb.st_atim.tv_nsec;
 #else				/* !HAVE_STRUCT_STAT_ST_ATIM */
 		mt[0].tv_sec  = sb.st_atime;
 # ifdef HAVE_STRUCT_STAT_ST_ATIMENSEC
-		mt[0].tv_usec = sb.st_atimensec / 1000;
+		mt[0].tv_nsec = sb.st_atimensec;
 # else				/* !HAVE_STRUCT_STAT_ST_ATIMENSEC */
-		mt[0].tv_usec = 0;
+		mt[0].tv_nsec = 0;
 # endif				/* !HAVE_STRUCT_STAT_ST_ATIMENSEC */
 #endif				/* !HAVE_STRUCT_STAT_ST_ATIM */
 
 #ifdef HAVE_STRUCT_STAT_ST_MTIM
 		mt[1].tv_sec  = sb.st_mtim.tv_sec;
-		mt[1].tv_usec = sb.st_mtim.tv_nsec / 1000;
+		mt[1].tv_nsec = sb.st_mtim.tv_nsec;
 #else				/* !HAVE_STRUCT_STAT_ST_MTIM */
 		mt[1].tv_sec  = sb.st_mtime;
 # ifdef HAVE_STRUCT_STAT_ST_MTIMENSEC
-		mt[1].tv_usec = sb.st_mtimensec / 1000;
+		mt[1].tv_nsec = sb.st_mtimensec;
 # else				/* !HAVE_STRUCT_STAT_ST_MTIMENSEC */
-		mt[1].tv_usec = 0;
+		mt[1].tv_nsec = 0;
 # endif				/* !HAVE_STRUCT_STAT_ST_MTIMENSEC */
 #endif				/* !HAVE_STRUCT_STAT_ST_MTIM */
 
@@ -395,7 +448,6 @@ static int copy_entry (const char *src, const char *dst,
 			                old_uid, new_uid, old_gid, new_gid);
 		}
 
-#ifdef	S_IFLNK
 		/*
 		 * Copy any symbolic links
 		 */
@@ -404,13 +456,12 @@ static int copy_entry (const char *src, const char *dst,
 			err = copy_symlink (src, dst, reset_selinux, &sb, mt,
 			                    old_uid, new_uid, old_gid, new_gid);
 		}
-#endif				/* S_IFLNK */
 
 		/*
 		 * See if this is a previously copied link
 		 */
 
-		else if ((lp = check_link (src, &sb)) != NULL) {
+		else if ((lp = check_link (src->full_path, &sb)) != NULL) {
 			err = copy_hardlink (dst, reset_selinux, lp);
 		}
 
@@ -449,9 +500,9 @@ static int copy_entry (const char *src, const char *dst,
  *
  *	Return 0 on success, -1 on error.
  */
-static int copy_dir (const char *src, const char *dst,
+static int copy_dir (const struct path_info *src, const struct path_info *dst,
                      bool reset_selinux,
-                     const struct stat *statp, const struct timeval mt[],
+                     const struct stat *statp, const struct timespec mt[],
                      uid_t old_uid, uid_t new_uid,
                      gid_t old_gid, gid_t new_gid)
 {
@@ -463,19 +514,18 @@ static int copy_dir (const char *src, const char *dst,
 	 */
 
 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (dst, S_IFDIR) != 0) {
+	if (set_selinux_file_context (dst->full_path, S_IFDIR) != 0) {
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
-	if (   (mkdir (dst, statp->st_mode) != 0)
-	    || (chown_if_needed (dst, statp,
+	if (   (mkdirat (dst->dirfd, dst->name, 0700) != 0)
+	    || (chownat_if_needed (dst, statp,
 	                         old_uid, new_uid, old_gid, new_gid) != 0)
+	    || (fchmodat (dst->dirfd, dst->name, statp->st_mode & 07777, AT_SYMLINK_NOFOLLOW) != 0)
 #ifdef WITH_ACL
-	    || (   (perm_copy_file (src, dst, &ctx) != 0)
+	    || (   (perm_copy_path (src, dst, &ctx) != 0)
 	        && (errno != 0))
-#else				/* !WITH_ACL */
-	    || (chmod (dst, statp->st_mode) != 0)
-#endif				/* !WITH_ACL */
+#endif				/* WITH_ACL */
 #ifdef WITH_ATTR
 	/*
 	 * If the third parameter is NULL, all extended attributes
@@ -485,19 +535,18 @@ static int copy_dir (const char *src, const char *dst,
 	 * additional logic so that no unexpected permissions result.
 	 */
 	    || (   !reset_selinux
-	        && (attr_copy_file (src, dst, NULL, &ctx) != 0)
+	        && (attr_copy_path (src, dst, NULL, &ctx) != 0)
 	        && (errno != 0))
 #endif				/* WITH_ATTR */
-	    || (copy_tree (src, dst, false, reset_selinux,
+	    || (copy_tree_impl (src, dst, false, reset_selinux,
 	                   old_uid, new_uid, old_gid, new_gid) != 0)
-	    || (utimes (dst, mt) != 0)) {
+	    || (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0)) {
 		err = -1;
 	}
 
 	return err;
 }
 
-#ifdef	S_IFLNK
 /*
  * readlink_malloc - wrapper for readlink
  *
@@ -544,9 +593,9 @@ static /*@null@*/char *readlink_malloc (const char *filename)
  *
  *	Return 0 on success, -1 on error.
  */
-static int copy_symlink (const char *src, const char *dst,
+static int copy_symlink (const struct path_info *src, const struct path_info *dst,
                          unused bool reset_selinux,
-                         const struct stat *statp, const struct timeval mt[],
+                         const struct stat *statp, const struct timespec mt[],
                          uid_t old_uid, uid_t new_uid,
                          gid_t old_gid, gid_t new_gid)
 {
@@ -564,7 +613,7 @@ static int copy_symlink (const char *src, const char *dst,
 	 * destination directory name.
 	 */
 
-	oldlink = readlink_malloc (src);
+	oldlink = readlink_malloc (src->full_path);
 	if (NULL == oldlink) {
 		return -1;
 	}
@@ -584,13 +633,13 @@ static int copy_symlink (const char *src, const char *dst,
 	}
 
 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (dst, S_IFLNK) != 0) {
+	if (set_selinux_file_context (dst->full_path, S_IFLNK) != 0) {
 		free (oldlink);
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
-	if (   (symlink (oldlink, dst) != 0)
-	    || (lchown_if_needed (dst, statp,
+	if (   (symlinkat (oldlink, dst->dirfd, dst->name) != 0)
+	    || (chownat_if_needed (dst, statp,
 	                          old_uid, new_uid, old_gid, new_gid) != 0)) {
 		/* FIXME: there are no modes on symlinks, right?
 		 *        ACL could be copied, but this would be much more
@@ -604,18 +653,12 @@ static int copy_symlink (const char *src, const char *dst,
 	}
 	free (oldlink);
 
-#ifdef HAVE_LUTIMES
-	/* 2007-10-18: We don't care about
-	 *  exit status of lutimes because
-	 *  it returns ENOSYS on many system
-	 *  - not implemented
-	 */
-	(void) lutimes (dst, mt);
-#endif				/* HAVE_LUTIMES */
+	if (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0) {
+		return -1;
+	}
 
 	return 0;
 }
-#endif				/* S_IFLNK */
 
 /*
  * copy_hardlink - copy a hardlink
@@ -624,13 +667,13 @@ static int copy_symlink (const char *src, const char *dst,
  *
  *	Return 0 on success, -1 on error.
  */
-static int copy_hardlink (const char *dst,
+static int copy_hardlink (const struct path_info *dst,
                           unused bool reset_selinux,
                           struct link_name *lp)
 {
 	/* FIXME: selinux, ACL, Extended Attributes needed? */
 
-	if (link (lp->ln_name, dst) != 0) {
+	if (linkat (AT_FDCWD, lp->ln_name, dst->dirfd, dst->name, 0) != 0) {
 		return -1;
 	}
 
@@ -654,29 +697,28 @@ static int copy_hardlink (const char *dst,
  *
  *	Return 0 on success, -1 on error.
  */
-static int copy_special (const char *src, const char *dst,
+static int copy_special (const struct path_info *src, const struct path_info *dst,
                          bool reset_selinux,
-                         const struct stat *statp, const struct timeval mt[],
+                         const struct stat *statp, const struct timespec mt[],
                          uid_t old_uid, uid_t new_uid,
                          gid_t old_gid, gid_t new_gid)
 {
 	int err = 0;
 
 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (dst, statp->st_mode & S_IFMT) != 0) {
+	if (set_selinux_file_context (dst->full_path, statp->st_mode & S_IFMT) != 0) {
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
 
-	if (   (mknod (dst, statp->st_mode & ~07777, statp->st_rdev) != 0)
-	    || (chown_if_needed (dst, statp,
+	if (   (mknodat (dst->dirfd, dst->name, statp->st_mode & ~07777U, statp->st_rdev) != 0)
+	    || (chownat_if_needed (dst, statp,
 	                         old_uid, new_uid, old_gid, new_gid) != 0)
+	    || (fchmodat (dst->dirfd, dst->name, statp->st_mode & 07777, AT_SYMLINK_NOFOLLOW) != 0)
 #ifdef WITH_ACL
-	    || (   (perm_copy_file (src, dst, &ctx) != 0)
+	    || (   (perm_copy_path (src, dst, &ctx) != 0)
 	        && (errno != 0))
-#else				/* !WITH_ACL */
-	    || (chmod (dst, statp->st_mode & 07777) != 0)
-#endif				/* !WITH_ACL */
+#endif				/* WITH_ACL */
 #ifdef WITH_ATTR
 	/*
 	 * If the third parameter is NULL, all extended attributes
@@ -686,16 +728,52 @@ static int copy_special (const char *src, const char *dst,
 	 * additional logic so that no unexpected permissions result.
 	 */
 	    || (   !reset_selinux
-	        && (attr_copy_file (src, dst, NULL, &ctx) != 0)
+	        && (attr_copy_path (src, dst, NULL, &ctx) != 0)
 	        && (errno != 0))
 #endif				/* WITH_ATTR */
-	    || (utimes (dst, mt) != 0)) {
+		|| (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0)) {
 		err = -1;
 	}
 
 	return err;
 }
 
+/*
+ * full_write - write entire buffer
+ *
+ * Write up to count bytes from the buffer starting at buf to the
+ * file referred to by the file descriptor fd.
+ * Retry in case of a short write.
+ *
+ * Returns the number of bytes written on success, -1 on error.
+ */
+static ssize_t full_write(int fd, const void *buf, size_t count) {
+	ssize_t written = 0;
+
+	while (count > 0) {
+		ssize_t res;
+
+		res = write(fd, buf, count);
+		if (res < 0) {
+			if (errno == EINTR) {
+				continue;
+			}
+
+			return res;
+		}
+
+		if (res == 0) {
+			break;
+		}
+
+		written += res;
+		buf = (const unsigned char*)buf + res;
+		count -= (size_t)res;
+	}
+
+	return written;
+}
+
 /*
  * copy_file - copy a file
  *
@@ -706,38 +784,35 @@ static int copy_special (const char *src, const char *dst,
  *
  *	Return 0 on success, -1 on error.
  */
-static int copy_file (const char *src, const char *dst,
+static int copy_file (const struct path_info *src, const struct path_info *dst,
                       bool reset_selinux,
-                      const struct stat *statp, const struct timeval mt[],
+                      const struct stat *statp, const struct timespec mt[],
                       uid_t old_uid, uid_t new_uid,
                       gid_t old_gid, gid_t new_gid)
 {
 	int err = 0;
 	int ifd;
 	int ofd;
-	char buf[1024];
-	ssize_t cnt;
 
-	ifd = open (src, O_RDONLY|O_NOFOLLOW);
+	ifd = openat (src->dirfd, src->name, O_RDONLY|O_NOFOLLOW|O_CLOEXEC);
 	if (ifd < 0) {
 		return -1;
 	}
 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (dst, S_IFREG) != 0) {
+	if (set_selinux_file_context (dst->full_path, S_IFREG) != 0) {
 		(void) close (ifd);
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
-	ofd = open (dst, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, statp->st_mode & 07777);
+	ofd = openat (dst->dirfd, dst->name, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0600);
 	if (   (ofd < 0)
 	    || (fchown_if_needed (ofd, statp,
 	                          old_uid, new_uid, old_gid, new_gid) != 0)
-#ifdef WITH_ACL
-	    || (   (perm_copy_fd (src, ifd, dst, ofd, &ctx) != 0)
-	        && (errno != 0))
-#else				/* !WITH_ACL */
 	    || (fchmod (ofd, statp->st_mode & 07777) != 0)
-#endif				/* !WITH_ACL */
+#ifdef WITH_ACL
+	    || (   (perm_copy_fd (src->full_path, ifd, dst->full_path, ofd, &ctx) != 0)
+	        && (errno != 0))
+#endif				/* WITH_ACL */
 #ifdef WITH_ATTR
 	/*
 	 * If the third parameter is NULL, all extended attributes
@@ -747,7 +822,7 @@ static int copy_file (const char *src, const char *dst,
 	 * additional logic so that no unexpected permissions result.
 	 */
 	    || (   !reset_selinux
-	        && (attr_copy_fd (src, ifd, dst, ofd, NULL, &ctx) != 0)
+	        && (attr_copy_fd (src->full_path, ifd, dst->full_path, ofd, NULL, &ctx) != 0)
 	        && (errno != 0))
 #endif				/* WITH_ATTR */
 	   ) {
@@ -758,8 +833,24 @@ static int copy_file (const char *src, const char *dst,
 		return -1;
 	}
 
-	while ((cnt = read (ifd, buf, sizeof buf)) > 0) {
-		if (write (ofd, buf, (size_t)cnt) != cnt) {
+	while (true) {
+		char buf[8192];
+		ssize_t cnt;
+
+		cnt = read (ifd, buf, sizeof buf);
+		if (cnt < 0) {
+			if (errno == EINTR) {
+				continue;
+			}
+			(void) close (ofd);
+			(void) close (ifd);
+			return -1;
+		}
+		if (cnt == 0) {
+			break;
+		}
+
+		if (full_write (ofd, buf, (size_t)cnt) < 0) {
 			(void) close (ofd);
 			(void) close (ifd);
 			return -1;
@@ -767,23 +858,13 @@ static int copy_file (const char *src, const char *dst,
 	}
 
 	(void) close (ifd);
-
-#ifdef HAVE_FUTIMES
-	if (futimes (ofd, mt) != 0) {
-		(void) close (ofd);
-		return -1;
-	}
-#endif				/* HAVE_FUTIMES */
-
 	if (close (ofd) != 0) {
 		return -1;
 	}
 
-#ifndef HAVE_FUTIMES
-	if (utimes(dst, mt) != 0) {
+	if (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0) {
 		return -1;
 	}
-#endif				/* !HAVE_FUTIMES */
 
 	return err;
 }
@@ -818,7 +899,70 @@ static int chown_function ## _if_needed (type_dst dst,                 \
 	return chown_function (dst, tmpuid, tmpgid);                   \
 }
 
-def_chown_if_needed (chown, const char *)
-def_chown_if_needed (lchown, const char *)
 def_chown_if_needed (fchown, int)
 
+static int chownat_if_needed (const struct path_info *dst,
+							  const struct stat *statp,
+                              uid_t old_uid, uid_t new_uid,
+                              gid_t old_gid, gid_t new_gid)
+{
+	uid_t tmpuid = (uid_t) -1;
+	gid_t tmpgid = (gid_t) -1;
+
+	/* Use new_uid if old_uid is set to -1 or if the file was
+	 * owned by the user. */
+	if (((uid_t) -1 == old_uid) || (statp->st_uid == old_uid)) {
+		tmpuid = new_uid;
+	}
+	/* Otherwise, or if new_uid was set to -1, we keep the same
+	 * owner. */
+	if ((uid_t) -1 == tmpuid) {
+		tmpuid = statp->st_uid;
+	}
+
+	if (((gid_t) -1 == old_gid) || (statp->st_gid == old_gid)) {
+		tmpgid = new_gid;
+	}
+	if ((gid_t) -1 == tmpgid) {
+		tmpgid = statp->st_gid;
+	}
+
+	return fchownat (dst->dirfd, dst->name, tmpuid, tmpgid, AT_SYMLINK_NOFOLLOW);
+}
+
+/*
+ * copy_tree - copy files in a directory tree
+ *
+ *	copy_tree() walks a directory tree and copies ordinary files
+ *	as it goes.
+ *
+ *	When reset_selinux is enabled, extended attributes (and thus
+ *	SELinux attributes) are not copied.
+ *
+ *	old_uid and new_uid are used to set the ownership of the copied
+ *	files. Unless old_uid is set to -1, only the files owned by
+ *	old_uid have their ownership changed to new_uid. In addition, if
+ *	new_uid is set to -1, no ownership will be changed.
+ *
+ *	The same logic applies for the group-ownership and
+ *	old_gid/new_gid.
+ */
+int copy_tree (const char *src_root, const char *dst_root,
+               bool copy_root, bool reset_selinux,
+               uid_t old_uid, uid_t new_uid,
+               gid_t old_gid, gid_t new_gid)
+{
+	const struct path_info src = {
+		.full_path = src_root,
+		.dirfd = AT_FDCWD,
+		.name = src_root
+	};
+	const struct path_info dst = {
+		.full_path = dst_root,
+		.dirfd = AT_FDCWD,
+		.name = dst_root
+	};
+
+	return copy_tree_impl(&src, &dst, copy_root, reset_selinux,
+						  old_uid, new_uid, old_gid, new_gid);
+}

libmisc/env.c

@@ -28,7 +28,7 @@ size_t newenvc = 0;
 /*@null@*/char **newenvp = NULL;
 extern char **environ;
 
-static const char *forbid[] = {
+static const char *const forbid[] = {
 	"_RLD_=",
 	"BASH_ENV=",		/* GNU creeping featurism strikes again... */
 	"ENV=",
@@ -47,7 +47,7 @@ static const char *forbid[] = {
 
 /* these are allowed, but with no slashes inside
    (to work around security problems in GNU gettext) */
-static const char *noslash[] = {
+static const char *const noslash[] = {
 	"LANG=",
 	"LANGUAGE=",
 	"LC_",			/* anything with the LC_ prefix */
@@ -185,7 +185,7 @@ void set_env (int argc, char *const *argv)
 			noname++;
 			addenv (variable, *argv);
 		} else {
-			const char **p;
+			const char *const *p;
 
 			for (p = forbid; NULL != *p; p++) {
 				if (strncmp (*argv, *p, strlen (*p)) == 0) {
@@ -218,7 +218,7 @@ void set_env (int argc, char *const *argv)
 void sanitize_env (void)
 {
 	char **envp = environ;
-	const char **bad;
+	const char *const *bad;
 	char **cur;
 	char **move;
 

libmisc/find_new_gid.c

@@ -60,6 +60,13 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
                             (unsigned long) *max_id);
 			return EINVAL;
 		}
+		/*
+		 * Zero is reserved for root and the allocation algorithm does not
+		 * work right with it.
+		 */
+		if (*min_id == 0) {
+			*min_id = (gid_t) 1;
+		}
 	} else {
 		/* Non-system groups */
 
@@ -98,7 +105,7 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
 static int check_gid (const gid_t gid,
 		      const gid_t gid_min,
 		      const gid_t gid_max,
-		      bool *used_gids)
+		      const bool *used_gids)
 {
 	/* First test that the preferred ID is in the range */
 	if (gid < gid_min || gid > gid_max) {

libmisc/find_new_uid.c

@@ -60,6 +60,13 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
                             (unsigned long) *max_id);
 			return EINVAL;
 		}
+		/*
+		 * Zero is reserved for root and the allocation algorithm does not
+		 * work right with it.
+		 */
+		if (*min_id == 0) {
+			*min_id = (uid_t) 1;
+		}
 	} else {
 		/* Non-system users */
 
@@ -98,7 +105,7 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
 static int check_uid(const uid_t uid,
 		     const uid_t uid_min,
 		     const uid_t uid_max,
-		     bool *used_uids)
+		     const bool *used_uids)
 {
 	/* First test that the preferred ID is in the range */
 	if (uid < uid_min || uid > uid_max) {

libmisc/getdate.y

@@ -31,32 +31,9 @@
 #include <ctype.h>
 #include <time.h>
 
-#if defined (STDC_HEADERS) || (!defined (isascii) && !defined (HAVE_ISASCII))
-# define IN_CTYPE_DOMAIN(c) 1
-#else
-# define IN_CTYPE_DOMAIN(c) isascii(c)
-#endif
-
-#define ISSPACE(c) (IN_CTYPE_DOMAIN (c) && isspace (c))
-#define ISALPHA(c) (IN_CTYPE_DOMAIN (c) && isalpha (c))
-#define ISUPPER(c) (IN_CTYPE_DOMAIN (c) && isupper (c))
-#define ISDIGIT_LOCALE(c) (IN_CTYPE_DOMAIN (c) && isdigit (c))
-
-/* ISDIGIT differs from ISDIGIT_LOCALE, as follows:
-   - Its arg may be any int or unsigned int; it need not be an unsigned char.
-   - It's guaranteed to evaluate its argument exactly once.
-   - It's typically faster.
-   Posix 1003.2-1992 section 2.5.2.1 page 50 lines 1556-1558 says that
-   only '0' through '9' are digits.  Prefer ISDIGIT to ISDIGIT_LOCALE unless
-   it's important to use the locale's definition of `digit' even when the
-   host does not conform to Posix.  */
-#define ISDIGIT(c) ((unsigned) (c) - '0' <= 9)
-
 #include "getdate.h"
 
-#if defined (STDC_HEADERS)
-# include <string.h>
-#endif
+#include <string.h>
 
 /* Some old versions of bison generate parsers that use bcopy.
    That loses on systems that don't provide the function, so we have
@@ -651,7 +628,7 @@ static int LookupWord (char *buff)
 
   /* Make it lowercase. */
   for (p = buff; '\0' != *p; p++)
-    if (ISUPPER (*p))
+    if (isupper (*p))
       *p = tolower (*p);
 
   if (strcmp (buff, "am") == 0 || strcmp (buff, "a.m.") == 0)
@@ -732,7 +709,7 @@ static int LookupWord (char *buff)
       }
 
   /* Military timezones. */
-  if (buff[1] == '\0' && ISALPHA (*buff))
+  if (buff[1] == '\0' && isalpha (*buff))
     {
       for (tp = MilitaryTable; tp->name; tp++)
 	if (strcmp (buff, tp->name) == 0)
@@ -771,30 +748,30 @@ yylex (void)
 
   for (;;)
     {
-      while (ISSPACE (*yyInput))
+      while (isspace (*yyInput))
 	yyInput++;
 
-      if (ISDIGIT (c = *yyInput) || c == '-' || c == '+')
+      if (isdigit (c = *yyInput) || c == '-' || c == '+')
 	{
 	  if (c == '-' || c == '+')
 	    {
 	      sign = c == '-' ? -1 : 1;
-	      if (!ISDIGIT (*++yyInput))
+	      if (!isdigit (*++yyInput))
 		/* skip the '-' sign */
 		continue;
 	    }
 	  else
 	    sign = 0;
-	  for (yylval.Number = 0; ISDIGIT (c = *yyInput++);)
+	  for (yylval.Number = 0; isdigit (c = *yyInput++);)
 	    yylval.Number = 10 * yylval.Number + c - '0';
 	  yyInput--;
 	  if (sign < 0)
 	    yylval.Number = -yylval.Number;
 	  return (0 != sign) ? tSNUMBER : tUNUMBER;
 	}
-      if (ISALPHA (c))
+      if (isalpha (c))
 	{
-	  for (p = buff; (c = *yyInput++, ISALPHA (c)) || c == '.';)
+	  for (p = buff; (c = *yyInput++, isalpha (c)) || c == '.';)
 	    if (p < &buff[sizeof buff - 1])
 	      *p++ = c;
 	  *p = '\0';

libmisc/getrange.c

@@ -25,7 +25,7 @@
  * If the range is valid, getrange returns 1.
  * If the range is not valid, getrange returns 0.
  */
-int getrange (char *range,
+int getrange (const char *range,
               unsigned long *min, bool *has_min,
               unsigned long *max, bool *has_max)
 {

libmisc/idmapping.c

@@ -102,10 +102,10 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv)
 #define ULONG_DIGITS ((((sizeof(unsigned long) * CHAR_BIT) + 9)/10)*3)
 
 #if HAVE_SYS_CAPABILITY_H
-static inline bool maps_lower_root(int cap, int ranges, struct map_range *mappings)
+static inline bool maps_lower_root(int cap, int ranges, const struct map_range *mappings)
 {
 	int idx;
-	struct map_range *mapping;
+	const struct map_range *mapping;
 
 	if (cap != CAP_SETUID)
 		return false;
@@ -135,11 +135,11 @@ static inline bool maps_lower_root(int cap, int ranges, struct map_range *mappin
  * when the root user calls the new{g,u}idmap binary for an unprivileged user.
  * If this is wanted: use file capabilities!
  */
-void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings,
+void write_mapping(int proc_dir_fd, int ranges, const struct map_range *mappings,
 	const char *map_file, uid_t ruid)
 {
 	int idx;
-	struct map_range *mapping;
+	const struct map_range *mapping;
 	size_t bufsize;
 	char *buf, *pos;
 	int fd;

libmisc/idmapping.h

@@ -7,6 +7,8 @@
 #ifndef _IDMAPPING_H_
 #define _IDMAPPING_H_
 
+#include <sys/types.h>
+
 struct map_range {
 	unsigned long upper; /* first ID inside the namespace */
 	unsigned long lower; /* first ID outside the namespace */
@@ -15,9 +17,7 @@ struct map_range {
 
 extern struct map_range *get_map_ranges(int ranges, int argc, char **argv);
 extern void write_mapping(int proc_dir_fd, int ranges,
-	struct map_range *mappings, const char *map_file, uid_t ruid);
-
-extern void nss_init(char *nsswitch_path);
+	const struct map_range *mappings, const char *map_file, uid_t ruid);
 
 #endif /* _ID_MAPPING_H_ */
 

libmisc/loginprompt.c

@@ -41,9 +41,9 @@ void login_prompt (const char *prompt, char *name, int namesize)
 	int i;
 	FILE *fp;
 
-	RETSIGTYPE (*sigquit) (int);
+	sighandler_t sigquit;
 #ifdef	SIGTSTP
-	RETSIGTYPE (*sigtstp) (int);
+	sighandler_t sigtstp;
 #endif
 
 	/*

libmisc/motd.c

@@ -28,7 +28,7 @@ void motd (void)
 	char *motdlist;
 	const char *motdfile;
 	char *mb;
-	register int c;
+	int c;
 
 	motdfile = getdef_str ("MOTD_FILE");
 	if (NULL == motdfile) {

libmisc/pam_pass_non_interactive.c

@@ -22,7 +22,7 @@ static int ni_conv (int num_msg,
                     const struct pam_message **msg,
                     struct pam_response **resp,
                     unused void *appdata_ptr);
-static struct pam_conv non_interactive_pam_conv = {
+static const struct pam_conv non_interactive_pam_conv = {
 	ni_conv,
 	NULL
 };

libmisc/prefix_flag.c

@@ -248,7 +248,7 @@ extern struct spwd *prefix_getspnam(const char* name)
 	}
 }
 
-extern void prefix_setpwent()
+extern void prefix_setpwent(void)
 {
 	if (!passwd_db_file) {
 		setpwent();
@@ -261,7 +261,7 @@ extern void prefix_setpwent()
 	if (!fp_pwent)
 		return;
 }
-extern struct passwd* prefix_getpwent()
+extern struct passwd* prefix_getpwent(void)
 {
 	if (!passwd_db_file) {
 		return getpwent();
@@ -271,7 +271,7 @@ extern struct passwd* prefix_getpwent()
 	}
 	return fgetpwent(fp_pwent);
 }
-extern void prefix_endpwent()
+extern void prefix_endpwent(void)
 {
 	if (!passwd_db_file) {
 		endpwent();
@@ -282,7 +282,7 @@ extern void prefix_endpwent()
 	fp_pwent = NULL;
 }
 
-extern void prefix_setgrent()
+extern void prefix_setgrent(void)
 {
 	if (!group_db_file) {
 		setgrent();
@@ -295,14 +295,14 @@ extern void prefix_setgrent()
 	if (!fp_grent)
 		return;
 }
-extern struct group* prefix_getgrent()
+extern struct group* prefix_getgrent(void)
 {
 	if (!group_db_file) {
 		return getgrent();
 	}
 	return fgetgrent(fp_grent);
 }
-extern void prefix_endgrent()
+extern void prefix_endgrent(void)
 {
 	if (!group_db_file) {
 		endgrent();

libmisc/remove_tree.c

@@ -11,6 +11,7 @@
 
 #ident "$Id$"
 
+#include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -21,6 +22,72 @@
 #include "prototypes.h"
 #include "defines.h"
 
+static int remove_tree_at (int at_fd, const char *path, bool remove_root)
+{
+	DIR *dir;
+	const struct dirent *ent;
+	int dir_fd, rc = 0;
+
+	dir_fd = openat (at_fd, path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
+	if (dir_fd < 0) {
+		return -1;
+	}
+
+	dir = fdopendir (dir_fd);
+	if (!dir) {
+		(void) close (dir_fd);
+		return -1;
+	}
+
+	/*
+	 * Open the source directory and delete each entry.
+	 */
+	while ((ent = readdir (dir))) {
+		struct stat ent_sb;
+
+		/*
+		 * Skip the "." and ".." entries
+		 */
+		if (strcmp (ent->d_name, ".") == 0 ||
+		    strcmp (ent->d_name, "..") == 0) {
+			continue;
+		}
+
+		rc = fstatat (dirfd(dir), ent->d_name, &ent_sb, AT_SYMLINK_NOFOLLOW);
+		if (rc < 0) {
+			break;
+		}
+
+		if (S_ISDIR (ent_sb.st_mode)) {
+			/*
+			 * Recursively delete this directory.
+			 */
+			if (remove_tree_at (dirfd(dir), ent->d_name, true) != 0) {
+				rc = -1;
+				break;
+			}
+		} else {
+			/*
+			 * Delete the file.
+			 */
+			if (unlinkat (dirfd(dir), ent->d_name, 0) != 0) {
+				rc = -1;
+				break;
+			}
+		}
+	}
+
+	(void) closedir (dir);
+
+	if (remove_root && (0 == rc)) {
+		if (unlinkat (at_fd, path, AT_REMOVEDIR) != 0) {
+			rc = -1;
+		}
+	}
+
+	return rc;
+}
+
 /*
  * remove_tree - delete a directory tree
  *
@@ -28,83 +95,7 @@
  *	and directories.
  *	At the end, it deletes the root directory itself.
  */
-
 int remove_tree (const char *root, bool remove_root)
 {
-	char *new_name = NULL;
-	int err = 0;
-	struct DIRECT *ent;
-	struct stat sb;
-	DIR *dir;
-
-	/*
-	 * Open the source directory and read each entry.  Every file
-	 * entry in the directory is copied with the UID and GID set
-	 * to the provided values.  As an added security feature only
-	 * regular files (and directories ...) are copied, and no file
-	 * is made set-ID.
-	 */
-	dir = opendir (root);
-	if (NULL == dir) {
-		return -1;
-	}
-
-	while ((ent = readdir (dir))) {
-		size_t new_len = strlen (root) + strlen (ent->d_name) + 2;
-
-		/*
-		 * Skip the "." and ".." entries
-		 */
-
-		if (strcmp (ent->d_name, ".") == 0 ||
-		    strcmp (ent->d_name, "..") == 0) {
-			continue;
-		}
-
-		/*
-		 * Make the filename for the current entry.
-		 */
-
-		free (new_name);
-		new_name = (char *) malloc (new_len);
-		if (NULL == new_name) {
-			err = -1;
-			break;
-		}
-		(void) snprintf (new_name, new_len, "%s/%s", root, ent->d_name);
-		if (LSTAT (new_name, &sb) == -1) {
-			continue;
-		}
-
-		if (S_ISDIR (sb.st_mode)) {
-			/*
-			 * Recursively delete this directory.
-			 */
-			if (remove_tree (new_name, true) != 0) {
-				err = -1;
-				break;
-			}
-		} else {
-			/*
-			 * Delete the file.
-			 */
-			if (unlink (new_name) != 0) {
-				err = -1;
-				break;
-			}
-		}
-	}
-	if (NULL != new_name) {
-		free (new_name);
-	}
-	(void) closedir (dir);
-
-	if (remove_root && (0 == err)) {
-		if (rmdir (root) != 0) {
-			err = -1;
-		}
-	}
-
-	return err;
+	return remove_tree_at (AT_FDCWD, root, remove_root);
 }
-

libmisc/root_flag.c

@@ -79,7 +79,7 @@ static void change_root (const char* newroot)
 
 	if ('/' != newroot[0]) {
 		fprintf (log_get_logfd(),
-		         _("%s: invalid chroot path '%s'\n"),
+		         _("%s: invalid chroot path '%s', only absolute paths are supported.\n"),
 		         log_get_progname(), newroot);
 		exit (E_BAD_ARG);
 	}

libmisc/salt.c

@@ -99,15 +99,15 @@ static /*@observer@*/const char *gensalt (size_t salt_size);
 static long shadow_random (long min, long max);
 #endif /* USE_SHA_CRYPT || USE_BCRYPT */
 #ifdef USE_SHA_CRYPT
-static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *prefered_rounds);
+static /*@observer@*/unsigned long SHA_get_salt_rounds (/*@null@*/const int *prefered_rounds);
 static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long rounds);
 #endif /* USE_SHA_CRYPT */
 #ifdef USE_BCRYPT
-static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *prefered_rounds);
+static /*@observer@*/unsigned long BCRYPT_get_salt_rounds (/*@null@*/const int *prefered_rounds);
 static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long rounds);
 #endif /* USE_BCRYPT */
 #ifdef USE_YESCRYPT
-static /*@observer@*/const unsigned long YESCRYPT_get_salt_cost (/*@null@*/int *prefered_cost);
+static /*@observer@*/unsigned long YESCRYPT_get_salt_cost (/*@null@*/const int *prefered_cost);
 static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, unsigned long cost);
 #endif /* USE_YESCRYPT */
 
@@ -156,26 +156,28 @@ static long read_random_bytes (void)
 	/* arc4random_buf, if it exists, can never fail.  */
 	arc4random_buf (&randval, sizeof (randval));
 	goto end;
+#endif
 
-#elif defined(HAVE_GETENTROPY)
+#ifdef HAVE_GETENTROPY
 	/* getentropy may exist but lack kernel support.  */
-	if (getentropy (&randval, sizeof (randval))) {
-		goto fail;
+	if (getentropy (&randval, sizeof (randval)) == 0) {
+		goto end;
 	}
+#endif
 
-	goto end;
-
-#elif defined(HAVE_GETRANDOM)
+#ifdef HAVE_GETRANDOM
 	/* Likewise getrandom.  */
-	if ((size_t) getrandom (&randval, sizeof (randval), 0) != sizeof (randval)) {
+	if ((size_t) getrandom (&randval, sizeof (randval), 0) == sizeof (randval)) {
+		goto end;
+	}
+#endif
+
+	/* Use /dev/urandom as a last resort.  */
+	FILE *f = fopen ("/dev/urandom", "r");
+	if (NULL == f) {
 		goto fail;
 	}
 
-	goto end;
-
-#else
-	FILE *f = fopen ("/dev/urandom", "r");
-
 	if (fread (&randval, sizeof (randval), 1, f) != 1) {
 		fclose(f);
 		goto fail;
@@ -183,7 +185,6 @@ static long read_random_bytes (void)
 
 	fclose(f);
 	goto end;
-#endif
 
 fail:
 	fprintf (log_get_logfd(),
@@ -220,7 +221,7 @@ static long shadow_random (long min, long max)
 
 #ifdef USE_SHA_CRYPT
 /* Return the the rounds number for the SHA crypt methods. */
-static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *prefered_rounds)
+static /*@observer@*/unsigned long SHA_get_salt_rounds (/*@null@*/const int *prefered_rounds)
 {
 	unsigned long rounds;
 
@@ -294,7 +295,7 @@ static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long round
 
 #ifdef USE_BCRYPT
 /* Return the the rounds number for the BCRYPT method. */
-static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *prefered_rounds)
+static /*@observer@*/unsigned long BCRYPT_get_salt_rounds (/*@null@*/const int *prefered_rounds)
 {
 	unsigned long rounds;
 
@@ -338,9 +339,10 @@ static /*@observer@*/const unsigned long BCRYPT_get_salt_rounds (/*@null@*/int *
 	/*
 	 * Use 19 as an upper bound for now,
 	 * because musl doesn't allow rounds >= 20.
+	 * If musl ever supports > 20 rounds,
+	 * rounds should be set to B_ROUNDS_MAX.
 	 */
 	if (rounds > 19) {
-		/* rounds = B_ROUNDS_MAX; */
 		rounds = 19;
 	}
 #endif /* USE_XCRYPT_GENSALT */
@@ -372,7 +374,7 @@ static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long ro
 
 #ifdef USE_YESCRYPT
 /* Return the the cost number for the YESCRYPT method. */
-static /*@observer@*/const unsigned long YESCRYPT_get_salt_cost (/*@null@*/int *prefered_cost)
+static /*@observer@*/unsigned long YESCRYPT_get_salt_cost (/*@null@*/const int *prefered_cost)
 {
 	unsigned long cost;
 

libmisc/shell.c

@@ -45,7 +45,7 @@ int shell (const char *file, /*@null@*/const char *arg, char *const envp[])
 	 * don't want to tell us what it is themselves.
 	 */
 	if (arg == (char *) 0) {
-		(void) snprintf (arg0, sizeof arg0, "-%s", Basename ((char *) file));
+		(void) snprintf (arg0, sizeof arg0, "-%s", Basename (file));
 		arg0[sizeof arg0 - 1] = '\0';
 		arg = arg0;
 	}

libmisc/strtoday.c

@@ -96,7 +96,7 @@ long strtoday (const char *str)
  * for now we allow just one format, but we can define more later
  * (we try them all until one succeeds).  --marekm
  */
-static char *date_formats[] = {
+static const char *const date_formats[] = {
 	"%Y-%m-%d",
 	(char *) 0
 };
@@ -106,12 +106,12 @@ static char *date_formats[] = {
  * current month, and the cumulative number of days in the preceding
  * months.  they are declared so that january is 1, not 0.
  */
-static short days[13] = { 0,
+static const short days[13] = { 0,
 	31, 28, 31, 30, 31, 30,	/* JAN - JUN */
 	31, 31, 30, 31, 30, 31
 };				/* JUL - DEC */
 
-static short juldays[13] = { 0,
+static const short juldays[13] = { 0,
 	0, 31, 59, 90, 120, 151,	/* JAN - JUN */
 	181, 212, 243, 273, 304, 334
 };				/* JUL - DEC */
@@ -129,7 +129,7 @@ long strtoday (const char *str)
 {
 #ifdef HAVE_STRPTIME
 	struct tm tp;
-	char *const *fmt;
+	const char *const *fmt;
 	char *cp;
 	time_t result;
 

libmisc/utmp.c

@@ -19,6 +19,7 @@
 #endif
 
 #include <assert.h>
+#include <sys/param.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>

libmisc/xgetXXbyYY.c

@@ -66,7 +66,6 @@
 			         "x" STRINGIZE(FUNCTION_NAME));
 			exit (13);
 		}
-		errno = 0;
 		status = REENTRANT_NAME(ARG_NAME, result, buffer,
 		                        length, &resbuf);
 		if ((0 == status) && (resbuf == result)) {
@@ -78,7 +77,7 @@
 			return ret_result;
 		}
 
-		if (ERANGE != errno) {
+		if (ERANGE != status) {
 			free (buffer);
 			free (result);
 			return NULL;

libmisc/xmalloc.c

@@ -26,11 +26,11 @@
 #include "prototypes.h"
 #include "shadowlog.h"
 
-/*@maynotreturn@*/ /*@only@*//*@out@*//*@notnull@*/char *xmalloc (size_t size)
+/*@maynotreturn@*/ /*@only@*//*@out@*//*@notnull@*/void *xmalloc (size_t size)
 {
-	char *ptr;
+	void *ptr;
 
-	ptr = (char *) malloc (size);
+	ptr = malloc (size);
 	if (NULL == ptr) {
 		(void) fprintf (log_get_logfd(),
 		                _("%s: failed to allocate memory: %s\n"),
@@ -44,10 +44,3 @@
 {
 	return strcpy (xmalloc (strlen (str) + 1), str);
 }
-
-void xfree(void *ap)
-{
-	if (ap) {
-		free(ap);
-	}
-}

libsubid/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -92,13 +92,14 @@ host_triplet = @host@
 subdir = libsubid
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
-	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
-	$(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
-	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
-	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
-	$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \
-	$(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \
-	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 DIST_COMMON = $(srcdir)/Makefile.am $(pkginclude_HEADERS) \
@@ -214,8 +215,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/subid.h.in \
 	$(top_srcdir)/depcomp
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -232,6 +231,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -243,8 +244,10 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 ECONF_CPPFLAGS = @ECONF_CPPFLAGS@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
@@ -318,6 +321,7 @@ VENDORDIR = @VENDORDIR@
 VERSION = @VERSION@
 XGETTEXT = @XGETTEXT@
 XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
@@ -593,7 +597,6 @@ cscopelist-am: $(am__tagged_files)
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

libsubid/subid.h

@@ -35,6 +35,10 @@ enum subid_status {
 	SUBID_STATUS_ERROR = 3,
 };
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /*
  * subid_init: initialize libsubid
  *
@@ -151,5 +155,9 @@ bool subid_ungrant_uid_range(struct subordinate_range *range);
  */
 bool subid_ungrant_gid_range(struct subordinate_range *range);
 
+#ifdef __cplusplus
+}
+#endif
+
 #define SUBID_NFIELDS 3
 #endif

libsubid/subid.h.in

@@ -35,6 +35,10 @@ enum subid_status {
 	SUBID_STATUS_ERROR = 3,
 };
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /*
  * subid_init: initialize libsubid
  *
@@ -151,5 +155,9 @@ bool subid_ungrant_uid_range(struct subordinate_range *range);
  */
 bool subid_ungrant_gid_range(struct subordinate_range *range);
 
+#ifdef __cplusplus
+}
+#endif
+
 #define SUBID_NFIELDS 3
 #endif

ltmain.sh

@@ -31,7 +31,7 @@
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION="2.4.6 Debian-2.4.6-14"
+VERSION="2.4.6 Debian-2.4.6-15build2"
 package_revision=2.4.6
 
 
@@ -2141,7 +2141,7 @@ include the following information:
        compiler:       $LTCC
        compiler flags: $LTCFLAGS
        linker:         $LD (gnu? $with_gnu_ld)
-       version:        $progname $scriptversion Debian-2.4.6-14
+       version:        $progname $scriptversion Debian-2.4.6-15build2
        automake:       `($AUTOMAKE --version) 2>/dev/null |$SED 1q`
        autoconf:       `($AUTOCONF --version) 2>/dev/null |$SED 1q`
 

m4/gettext.m4

@@ -1,5 +1,5 @@
-# gettext.m4 serial 58 (gettext-0.16)
-dnl Copyright (C) 1995-2006 Free Software Foundation, Inc.
+# gettext.m4 serial 66 (gettext-0.18.2)
+dnl Copyright (C) 1995-2014 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
 dnl with or without modifications, as long as this notice is preserved.
@@ -15,7 +15,7 @@ dnl They are *not* in the public domain.
 
 dnl Authors:
 dnl   Ulrich Drepper <drepper@cygnus.com>, 1995-2000.
-dnl   Bruno Haible <haible@clisp.cons.org>, 2000-2006.
+dnl   Bruno Haible <haible@clisp.cons.org>, 2000-2006, 2008-2010.
 
 dnl Macro to add for using GNU gettext.
 
@@ -35,7 +35,7 @@ dnl    will be ignored.  If NEEDSYMBOL is specified and is
 dnl    'need-formatstring-macros', then GNU gettext implementations that don't
 dnl    support the ISO C 99 <inttypes.h> formatstring macros will be ignored.
 dnl INTLDIR is used to find the intl libraries.  If empty,
-dnl    the value `$(top_builddir)/intl/' is used.
+dnl    the value '$(top_builddir)/intl/' is used.
 dnl
 dnl The result of the configuration is one of three cases:
 dnl 1) GNU gettext, as included in the intl subdirectory, will be compiled
@@ -60,6 +60,8 @@ AC_DEFUN([AM_GNU_GETTEXT],
   ifelse([$1], [], , [ifelse([$1], [external], , [ifelse([$1], [no-libtool], , [ifelse([$1], [use-libtool], ,
     [errprint([ERROR: invalid first argument to AM_GNU_GETTEXT
 ])])])])])
+  ifelse(ifelse([$1], [], [old])[]ifelse([$1], [no-libtool], [old]), [old],
+    [AC_DIAGNOSE([obsolete], [Use of AM_GNU_GETTEXT without [external] argument is deprecated.])])
   ifelse([$2], [], , [ifelse([$2], [need-ngettext], , [ifelse([$2], [need-formatstring-macros], ,
     [errprint([ERROR: invalid second argument to AM_GNU_GETTEXT
 ])])])])
@@ -95,7 +97,7 @@ AC_DEFUN([AM_GNU_GETTEXT],
     AC_REQUIRE([AM_ICONV_LINKFLAGS_BODY])
   ])
 
-  dnl Sometimes, on MacOS X, libintl requires linking with CoreFoundation.
+  dnl Sometimes, on Mac OS X, libintl requires linking with CoreFoundation.
   gt_INTL_MACOSX
 
   dnl Set USE_NLS.
@@ -123,11 +125,11 @@ AC_DEFUN([AM_GNU_GETTEXT],
     gt_use_preinstalled_gnugettext=no
     ifelse(gt_included_intl, yes, [
       AC_MSG_CHECKING([whether included gettext is requested])
-      AC_ARG_WITH(included-gettext,
+      AC_ARG_WITH([included-gettext],
         [  --with-included-gettext use the GNU gettext library included here],
         nls_cv_force_use_gnu_gettext=$withval,
         nls_cv_force_use_gnu_gettext=no)
-      AC_MSG_RESULT($nls_cv_force_use_gnu_gettext)
+      AC_MSG_RESULT([$nls_cv_force_use_gnu_gettext])
 
       nls_cv_use_gnu_gettext="$nls_cv_force_use_gnu_gettext"
       if test "$nls_cv_force_use_gnu_gettext" != "yes"; then
@@ -137,12 +139,14 @@ AC_DEFUN([AM_GNU_GETTEXT],
         dnl to fall back to GNU NLS library.
 
         if test $gt_api_version -ge 3; then
-          gt_revision_test_code='[[
+          gt_revision_test_code='
 #ifndef __GNU_GETTEXT_SUPPORTED_REVISION
 #define __GNU_GETTEXT_SUPPORTED_REVISION(major) ((major) == 0 ? 0 : -1)
 #endif
+changequote(,)dnl
 typedef int array [2 * (__GNU_GETTEXT_SUPPORTED_REVISION(0) >= 1) - 1];
-]]'
+changequote([,])dnl
+'
         else
           gt_revision_test_code=
         fi
@@ -153,12 +157,18 @@ typedef int array [2 * (__GNU_GETTEXT_SUPPORTED_REVISION(0) >= 1) - 1];
         fi
 
         AC_CACHE_CHECK([for GNU gettext in libc], [$gt_func_gnugettext_libc],
-         [AC_TRY_LINK([#include <libintl.h>
+         [AC_LINK_IFELSE(
+            [AC_LANG_PROGRAM(
+               [[
+#include <libintl.h>
 $gt_revision_test_code
 extern int _nl_msg_cat_cntr;
-extern int *_nl_domain_bindings;],
-            [bindtextdomain ("", "");
-return * gettext ("")$gt_expression_test_code + _nl_msg_cat_cntr + *_nl_domain_bindings],
+extern int *_nl_domain_bindings;
+               ]],
+               [[
+bindtextdomain ("", "");
+return * gettext ("")$gt_expression_test_code + _nl_msg_cat_cntr + *_nl_domain_bindings
+               ]])],
             [eval "$gt_func_gnugettext_libc=yes"],
             [eval "$gt_func_gnugettext_libc=no"])])
 
@@ -179,35 +189,47 @@ return * gettext ("")$gt_expression_test_code + _nl_msg_cat_cntr + *_nl_domain_b
             gt_save_LIBS="$LIBS"
             LIBS="$LIBS $LIBINTL"
             dnl Now see whether libintl exists and does not depend on libiconv.
-            AC_TRY_LINK([#include <libintl.h>
+            AC_LINK_IFELSE(
+              [AC_LANG_PROGRAM(
+                 [[
+#include <libintl.h>
 $gt_revision_test_code
 extern int _nl_msg_cat_cntr;
 extern
 #ifdef __cplusplus
 "C"
 #endif
-const char *_nl_expand_alias (const char *);],
-              [bindtextdomain ("", "");
-return * gettext ("")$gt_expression_test_code + _nl_msg_cat_cntr + *_nl_expand_alias ("")],
+const char *_nl_expand_alias (const char *);
+                 ]],
+                 [[
+bindtextdomain ("", "");
+return * gettext ("")$gt_expression_test_code + _nl_msg_cat_cntr + *_nl_expand_alias ("")
+                 ]])],
               [eval "$gt_func_gnugettext_libintl=yes"],
               [eval "$gt_func_gnugettext_libintl=no"])
             dnl Now see whether libintl exists and depends on libiconv.
             if { eval "gt_val=\$$gt_func_gnugettext_libintl"; test "$gt_val" != yes; } && test -n "$LIBICONV"; then
               LIBS="$LIBS $LIBICONV"
-              AC_TRY_LINK([#include <libintl.h>
+              AC_LINK_IFELSE(
+                [AC_LANG_PROGRAM(
+                   [[
+#include <libintl.h>
 $gt_revision_test_code
 extern int _nl_msg_cat_cntr;
 extern
 #ifdef __cplusplus
 "C"
 #endif
-const char *_nl_expand_alias (const char *);],
-                [bindtextdomain ("", "");
-return * gettext ("")$gt_expression_test_code + _nl_msg_cat_cntr + *_nl_expand_alias ("")],
-               [LIBINTL="$LIBINTL $LIBICONV"
-                LTLIBINTL="$LTLIBINTL $LTLIBICONV"
-                eval "$gt_func_gnugettext_libintl=yes"
-               ])
+const char *_nl_expand_alias (const char *);
+                   ]],
+                   [[
+bindtextdomain ("", "");
+return * gettext ("")$gt_expression_test_code + _nl_msg_cat_cntr + *_nl_expand_alias ("")
+                   ]])],
+                [LIBINTL="$LIBINTL $LIBICONV"
+                 LTLIBINTL="$LTLIBINTL $LTLIBICONV"
+                 eval "$gt_func_gnugettext_libintl=yes"
+                ])
             fi
             CPPFLAGS="$gt_save_CPPFLAGS"
             LIBS="$gt_save_LIBS"])
@@ -265,7 +287,7 @@ return * gettext ("")$gt_expression_test_code + _nl_msg_cat_cntr + *_nl_expand_a
 
     if test "$gt_use_preinstalled_gnugettext" = "yes" \
        || test "$nls_cv_use_gnu_gettext" = "yes"; then
-      AC_DEFINE(ENABLE_NLS, 1,
+      AC_DEFINE([ENABLE_NLS], [1],
         [Define to 1 if translation of program messages to the user's native language
    is requested.])
     else
@@ -299,9 +321,9 @@ return * gettext ("")$gt_expression_test_code + _nl_msg_cat_cntr + *_nl_expand_a
       fi
 
       dnl For backward compatibility. Some packages may be using this.
-      AC_DEFINE(HAVE_GETTEXT, 1,
+      AC_DEFINE([HAVE_GETTEXT], [1],
        [Define if the GNU gettext() function is already present or preinstalled.])
-      AC_DEFINE(HAVE_DCGETTEXT, 1,
+      AC_DEFINE([HAVE_DCGETTEXT], [1],
        [Define if the GNU dcgettext() function is already present or preinstalled.])
     fi
 
@@ -317,9 +339,9 @@ return * gettext ("")$gt_expression_test_code + _nl_msg_cat_cntr + *_nl_expand_a
     fi
 
     dnl Make all variables we use known to autoconf.
-    AC_SUBST(BUILD_INCLUDED_LIBINTL)
-    AC_SUBST(USE_INCLUDED_LIBINTL)
-    AC_SUBST(CATOBJEXT)
+    AC_SUBST([BUILD_INCLUDED_LIBINTL])
+    AC_SUBST([USE_INCLUDED_LIBINTL])
+    AC_SUBST([CATOBJEXT])
 
     dnl For backward compatibility. Some configure.ins may be using this.
     nls_cv_header_intl=
@@ -327,74 +349,36 @@ return * gettext ("")$gt_expression_test_code + _nl_msg_cat_cntr + *_nl_expand_a
 
     dnl For backward compatibility. Some Makefiles may be using this.
     DATADIRNAME=share
-    AC_SUBST(DATADIRNAME)
+    AC_SUBST([DATADIRNAME])
 
     dnl For backward compatibility. Some Makefiles may be using this.
     INSTOBJEXT=.mo
-    AC_SUBST(INSTOBJEXT)
+    AC_SUBST([INSTOBJEXT])
 
     dnl For backward compatibility. Some Makefiles may be using this.
     GENCAT=gencat
-    AC_SUBST(GENCAT)
+    AC_SUBST([GENCAT])
 
     dnl For backward compatibility. Some Makefiles may be using this.
     INTLOBJS=
     if test "$USE_INCLUDED_LIBINTL" = yes; then
       INTLOBJS="\$(GETTOBJS)"
     fi
-    AC_SUBST(INTLOBJS)
+    AC_SUBST([INTLOBJS])
 
     dnl Enable libtool support if the surrounding package wishes it.
     INTL_LIBTOOL_SUFFIX_PREFIX=gt_libtool_suffix_prefix
-    AC_SUBST(INTL_LIBTOOL_SUFFIX_PREFIX)
+    AC_SUBST([INTL_LIBTOOL_SUFFIX_PREFIX])
   ])
 
   dnl For backward compatibility. Some Makefiles may be using this.
   INTLLIBS="$LIBINTL"
-  AC_SUBST(INTLLIBS)
+  AC_SUBST([INTLLIBS])
 
   dnl Make all documented variables known to autoconf.
-  AC_SUBST(LIBINTL)
-  AC_SUBST(LTLIBINTL)
-  AC_SUBST(POSUB)
-])
-
-
-dnl Checks for special options needed on MacOS X.
-dnl Defines INTL_MACOSX_LIBS.
-AC_DEFUN([gt_INTL_MACOSX],
-[
-  dnl Check for API introduced in MacOS X 10.2.
-  AC_CACHE_CHECK([for CFPreferencesCopyAppValue],
-    gt_cv_func_CFPreferencesCopyAppValue,
-    [gt_save_LIBS="$LIBS"
-     LIBS="$LIBS -Wl,-framework -Wl,CoreFoundation"
-     AC_TRY_LINK([#include <CoreFoundation/CFPreferences.h>],
-       [CFPreferencesCopyAppValue(NULL, NULL)],
-       [gt_cv_func_CFPreferencesCopyAppValue=yes],
-       [gt_cv_func_CFPreferencesCopyAppValue=no])
-     LIBS="$gt_save_LIBS"])
-  if test $gt_cv_func_CFPreferencesCopyAppValue = yes; then
-    AC_DEFINE([HAVE_CFPREFERENCESCOPYAPPVALUE], 1,
-      [Define to 1 if you have the MacOS X function CFPreferencesCopyAppValue in the CoreFoundation framework.])
-  fi
-  dnl Check for API introduced in MacOS X 10.3.
-  AC_CACHE_CHECK([for CFLocaleCopyCurrent], gt_cv_func_CFLocaleCopyCurrent,
-    [gt_save_LIBS="$LIBS"
-     LIBS="$LIBS -Wl,-framework -Wl,CoreFoundation"
-     AC_TRY_LINK([#include <CoreFoundation/CFLocale.h>], [CFLocaleCopyCurrent();],
-       [gt_cv_func_CFLocaleCopyCurrent=yes],
-       [gt_cv_func_CFLocaleCopyCurrent=no])
-     LIBS="$gt_save_LIBS"])
-  if test $gt_cv_func_CFLocaleCopyCurrent = yes; then
-    AC_DEFINE([HAVE_CFLOCALECOPYCURRENT], 1,
-      [Define to 1 if you have the MacOS X function CFLocaleCopyCurrent in the CoreFoundation framework.])
-  fi
-  INTL_MACOSX_LIBS=
-  if test $gt_cv_func_CFPreferencesCopyAppValue = yes || test $gt_cv_func_CFLocaleCopyCurrent = yes; then
-    INTL_MACOSX_LIBS="-Wl,-framework -Wl,CoreFoundation"
-  fi
-  AC_SUBST([INTL_MACOSX_LIBS])
+  AC_SUBST([LIBINTL])
+  AC_SUBST([LTLIBINTL])
+  AC_SUBST([POSUB])
 ])