New upstream version 4.17.4

2025-03-29 13:24:20 +01:00
475 changed files with 1693 additions and 12093 deletions
--- a/config.h.in
+++ b/config.h.in
@@ -466,8 +466,5 @@
 /* Define for large files, on AIX-style hosts. */
 #undef _LARGE_FILES

-/* Path for utmp file. */
-#undef _UTMP_FILE
-
 /* Path for wtmp file. */
 #undef _WTMP_FILE
--- a/58
+++ b/58
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for shadow 4.17.3.
+# Generated by GNU Autoconf 2.71 for shadow 4.17.4.
 #
 # Report bugs to <pkg-shadow-devel@lists.alioth.debian.org>.
 #
@@ -621,8 +621,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='shadow'
 PACKAGE_TARNAME='shadow'
-PACKAGE_VERSION='4.17.3'
-PACKAGE_STRING='shadow 4.17.3'
+PACKAGE_VERSION='4.17.4'
+PACKAGE_STRING='shadow 4.17.4'
 PACKAGE_BUGREPORT='pkg-shadow-devel@lists.alioth.debian.org'
 PACKAGE_URL='https://github.com/shadow-maint/shadow'

@@ -1488,7 +1488,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures shadow 4.17.3 to adapt to many kinds of systems.
+\`configure' configures shadow 4.17.4 to adapt to many kinds of systems.

 Usage: $0 [OPTION]... [VAR=VALUE]...

@@ -1559,7 +1559,7 @@ fi

 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of shadow 4.17.3:";;
+     short | recursive ) echo "Configuration of shadow 4.17.4:";;
   esac
  cat <<\_ACEOF

@@ -1738,7 +1738,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-shadow configure 4.17.3
+shadow configure 4.17.4
 generated by GNU Autoconf 2.71

 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2338,7 +2338,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.

-It was created by shadow $as_me 4.17.3, which was
+It was created by shadow $as_me 4.17.4, which was
 generated by GNU Autoconf 2.71.  Invocation command line was

  $ $0$ac_configure_args_raw
@@ -3611,7 +3611,7 @@ fi

 # Define the identity of the package.
 PACKAGE='shadow'
- VERSION='4.17.3'
+ VERSION='4.17.4'


 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -15267,28 +15267,6 @@ printf "%s\n" "#define MAIL_SPOOL_FILE \"$shadow_cv_mailfile\"" >>confdefs.h

 fi

-{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking location of utmp" >&5
-printf %s "checking location of utmp... " >&6; }
-if test ${shadow_cv_utmpdir+y}
-then :
-  printf %s "(cached) " >&6
-else $as_nop
-  for shadow_cv_utmpdir in /var/run /var/adm /usr/adm /etc none; do
-	if test -f $shadow_cv_utmpdir/utmp; then
-		break
-	fi
-done
-fi
-{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $shadow_cv_utmpdir" >&5
-printf "%s\n" "$shadow_cv_utmpdir" >&6; }
-if test "$shadow_cv_utmpdir" = "none"; then
-	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: utmp file not found" >&5
-printf "%s\n" "$as_me: WARNING: utmp file not found" >&2;}
-fi
-
-printf "%s\n" "#define _UTMP_FILE \"$shadow_cv_utmpdir/utmp\"" >>confdefs.h
-
-
 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking location of faillog/lastlog/wtmp" >&5
 printf %s "checking location of faillog/lastlog/wtmp... " >&6; }
 if test ${shadow_cv_logdir+y}
@@ -15313,22 +15291,8 @@ printf "%s\n" "#define LASTLOG_FILE \"$shadow_cv_logdir/lastlog\"" >>confdefs.h
 printf "%s\n" "#define FAILLOG_FILE \"$shadow_cv_logdir/faillog\"" >>confdefs.h


-{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking location of the passwd program" >&5
-printf %s "checking location of the passwd program... " >&6; }
-if test ${shadow_cv_passwd_dir+y}
-then :
-  printf %s "(cached) " >&6
-else $as_nop
-  if test -f /usr/bin/passwd; then
-	shadow_cv_passwd_dir=/usr/bin
-else
-	shadow_cv_passwd_dir=/bin
-fi
-fi
-{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $shadow_cv_passwd_dir" >&5
-printf "%s\n" "$shadow_cv_passwd_dir" >&6; }

-printf "%s\n" "#define PASSWD_PROGRAM \"$shadow_cv_passwd_dir/passwd\"" >>confdefs.h
+printf "%s\n" "#define PASSWD_PROGRAM \"$exec_prefix/bin/passwd\"" >>confdefs.h


 # Check whether --enable-shadowgrp was given.
@@ -20597,7 +20561,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by shadow $as_me 4.17.3, which was
+This file was extended by shadow $as_me 4.17.4, which was
 generated by GNU Autoconf 2.71.  Invocation command line was

  CONFIG_FILES    = $CONFIG_FILES
@@ -20666,7 +20630,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-shadow config.status 4.17.3
+shadow config.status 4.17.4
 configured by $0, generated by GNU Autoconf 2.71,
  with options \\"\$ac_cs_config\\"

--- a/configure.ac
+++ b/configure.ac
@@ -4,7 +4,7 @@ m4_define([libsubid_abi_major], 5)
 m4_define([libsubid_abi_minor], 0)
 m4_define([libsubid_abi_micro], 0)
 m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
-AC_INIT([shadow], [4.17.3], [pkg-shadow-devel@lists.alioth.debian.org], [],
+AC_INIT([shadow], [4.17.4], [pkg-shadow-devel@lists.alioth.debian.org], [],
 	[https://github.com/shadow-maint/shadow])
 AM_INIT_AUTOMAKE([1.11 foreign dist-xz subdir-objects tar-pax])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -90,18 +90,6 @@ if test $shadow_cv_mailfile != none; then
 		[Name of user's mail spool file if stored in user's home directory.])
 fi

-AC_CACHE_CHECK([location of utmp], shadow_cv_utmpdir,
-[for shadow_cv_utmpdir in /var/run /var/adm /usr/adm /etc none; do
-	if test -f $shadow_cv_utmpdir/utmp; then
-		break
-	fi
-done])
-if test "$shadow_cv_utmpdir" = "none"; then
-	AC_MSG_WARN(utmp file not found)
-fi
-AC_DEFINE_UNQUOTED(_UTMP_FILE, "$shadow_cv_utmpdir/utmp",
-	[Path for utmp file.])
-
 AC_CACHE_CHECK([location of faillog/lastlog/wtmp], shadow_cv_logdir,
 [for shadow_cv_logdir in /var/log /var/adm /usr/adm /etc; do
 	if test -d $shadow_cv_logdir; then
@@ -115,13 +103,7 @@ AC_DEFINE_UNQUOTED(LASTLOG_FILE, "$shadow_cv_logdir/lastlog",
 AC_DEFINE_UNQUOTED(FAILLOG_FILE, "$shadow_cv_logdir/faillog",
 	[Path for faillog file.])

-AC_CACHE_CHECK([location of the passwd program], shadow_cv_passwd_dir,
-[if test -f /usr/bin/passwd; then
-	shadow_cv_passwd_dir=/usr/bin
-else
-	shadow_cv_passwd_dir=/bin
-fi])
-AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, "$shadow_cv_passwd_dir/passwd",
+AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, "$exec_prefix/bin/passwd",
 	[Path to passwd program.])

 AC_ARG_ENABLE(shadowgrp,
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,78 +0,0 @@
-shadow (1:4.17.0~rc1-1) unstable; urgency=medium
-
-  Username checking now once again follows the upstream rules, for
-  an ecosystem-wide ruleset and security.
-
- -- Chris Hofstaedtler <zeha@debian.org>  Sun, 22 Dec 2024 20:12:35 +0100
-
-shadow (1:4.16.0-5) unstable; urgency=medium
-
-  /var/log/faillog and the programs to read it are no longer part since
-  1:4.15.2-2.
-  The file isn't cleaned up automatically, which should be done manually,
-  unless it is still needed for special reasons.
-
- -- Chris Hofstaedtler <zeha@debian.org>  Sat, 16 Nov 2024 15:48:35 +0100
-
-shadow (1:4.13+dfsg1-2) unstable; urgency=medium
-
-  The previous entry falsely states that PREVENT_NO_AUTH in /etc/login.defs
-  affects authentication.  The historical default of letting all users with
-  empty password field in without authentication is still in effect.
-
- -- Balint Reczey <balint@balintreczey.hu>  Mon, 25 Sep 2023 17:04:09 +0200
-
-shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
-
-  Login now prevents an empty password field to be interpreted as
-  "no authentication required" for UID 0 (root account).
-  The historical default of letting all users with empty password field
-  in without authentication can be restored in /etc/login.defs setting
-  PREVENT_NO_AUTH to "no".
-
- -- Balint Reczey <balint@balintreczey.hu>  Sun, 07 Nov 2021 21:51:46 +0100
-
-shadow (1:4.7-1) unstable; urgency=medium
-
-  * /etc/securetty is no longer shipped by this package and it is no longer
-    honored in login's PAM configuration by default. Please see #731656 for the
-    details.
-
- -- Balint Reczey <rbalint@ubuntu.com>  Thu, 20 Jun 2019 13:46:52 +0200
-
-shadow (1:4.0.15-5) unstable; urgency=low
-
-  * commands passed in argument to su must use su's -c option and must quote
-    the command if it contains a space, as in:
-        su - root -c "ls -l /"
-    The following commands won't work anymore:
-        su - root -c ls -l /
-        su - root "ls -l /"
-        su - root ls -l /
-
- -- Christian Perrier <bubulle@debian.org>  Sat,  8 Apr 2006 20:11:38 +0200
-
-shadow (1:4.0.14-1) unstable; urgency=low
-
-  * passwd does not support the -f, -s, and -g options anymore. You should use
-    the chfn, chsh and gpasswd utilities instead.
-  * login now distributes the nologin utility, which can be used as a shell
-    to politely refuse a login
-
- -- Christian Perrier <bubulle@debian.org>  Thu,  5 Jan 2006 08:47:44 +0100
-
-shadow (1:4.0.12-1) unstable; urgency=low
-
-  CLOSE_SESSIONS and other variables are not used anymore in
-  /etc/login/defs.
-  As shadow utilities which use this file now warn about unknown
-  entries there, administrators should remove such unknown entries.
-  The supplied login.defs file does not include them anymore.
-
-  dpasswd is no more distributed by upstream. Login do not support
-  dialup password anymore.  Re-introducing this functionality in
-  upstream is not trivial.
-
-
- -- Christian Perrier <bubulle@debian.org>  Thu, 25 Aug 2005 08:38:47 +0200
-
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -1,63 +0,0 @@
-Read this file first for a brief overview of the current version
-of passwd.
-
-
---Shadow passwords
-
-The command `shadowconfig on' will turn on shadow password support.
-This is the default. Turning off shadow passwords is not supported
-anymore.
-Together with shadow passwords, you get the ability to set password ages
-and expirations with chage(1).
-
-NOTE: If you use the nscd package, you may have problems with a
-slight delay in updating the password information. You may notice
-this during upgrades of certain packages that try to add a system
-user and then access the users information immediately afterwards.
-To avoid this, it is suggested that you stop the nscd daemon before
-upgrades, then restart it again.
-
---General configuration
-
-Most of the configuration for the shadow utilities is in
-/etc/login.defs.  See login.defs(5).  The defaults are quite
-reasonable.
-
-Also see the /etc/pam.d/* files for each program to configure the PAM
-support. PAM documentation is available in several formats in the
-libpam-doc package.
-
-
---Encryption
-
-This is enabled now using the /etc/pam.d/* files. Examples are given.
-
-
---Adding users and groups
-
-Though you may add users and groups with the SysV type commands,
-useradd and groupadd, I recommend you add them with Debian adduser
-version 3+.  adduser gives you more configuration and conforms to the
-Debian UID and GID allocation.
-
-Editing user and group parameters can be done with usermod and
-groupmod.  Removing users and groups can be done with userdel and
-groupdel.
-
-
--- Group administration
-
-Local group allocation is much easier.  With gpasswd(1) you can
-designate users to administer groups.  They can then securely add or
-remove users from the group.
-
-
--- What to read next?
-
-Read the manpages, the other files in this directory, and the Shadow
-Password HOWTO (included in the doc-linux package).  A large portion
-of these files deals with getting shadow installed.  You can, of
-course, ignore those parts.
-
-Also, the libpam-doc package will go a long way to allowing you to take
-full advantage of the PAM authentication scheme.
--- a/debian/README.source
+++ b/debian/README.source
@@ -1,8 +0,0 @@
-If you update the translation of upsteam files (thank you for that!) please
-submit a pull request upstream instead of filing a bug in the Debian BTS
-to get it reviewed and accepted faster.
-
-A testsuite is also available. Instruction on how to run this testsuite
-are available in tests/README
-
- -- Balint Reczey <balint@balintreczey.hu>, Mon, 31 Jan 2022 14:07:11 +0100
--- a/debian/TODO
+++ b/debian/TODO
@@ -1,19 +0,0 @@
-Things that should be done:
- * Verify the files left in debian/tmp
-   + e.g. /etc/default/adduser should be installed
- * Check the build system: rebuilding the package twoce in the same tree
-   doubles the size of the diff.gz file
-
-Other points (not related to the release of a syncronized shadow):
- * compare the source with the usages and man pages
-   + probably add a sentence to chsh/chfn's manpages about authentication
-     required for ordinary users
- * do something (a tool) for the variables in login.defs
-   In Debian, some tools are not compiled with the PAM support, so upstream
-   getdef.c won't be OK.
-   It should be nice to see in each man page the set of variables used.
-   The Debian package can now compile (export DEB_BUILD_OPTIONS='nostrip debug')
-   with the debugging informations. This may be used to extract the set of
-   variables used in Debian/for each tools.
- * verify all the patches around (I've found patches for at least RedHat,
-   OWL, LFS, Mandriva, Gentoo; are they already applied?)
--- a/debian/bugs-usertags
+++ b/debian/bugs-usertags
@@ -1,25 +0,0 @@
-This described the usertags used by the team.
-
-For usertags documentation, see
-http://lists.debian.org/debian-devel-announce/2005/09/msg00002.html
-
-All bugs tagged by team members must be tagged with 
-"user pkg-shadow-devel@lists.alioth.debian.org"
-
-Tags list
---------
-
-toclose:         This bug has been announced to be closed in case no more news
-                 or information is received from the bug submitter or someone
-                 else until the delay specified in the limits_YYYYMMDD tag
-
-limits-YYYYMMDD: combine it with "toclose". Specifies the date after which
-                 bugs can be closed without other action in case no news 
-                 is received
-
-manpages-replace A bug reported angainst a manpages-xx package to indicate
-                 conflicting man pages. This tag can be used to tune the
-                 Replaces fields.
-
-su-transition:   This bug is related to the su transition (#276419)
-
--- a/debian/changelog
+++ b/debian/changelog
--- a/debian/control
+++ b/debian/control
@@ -1,91 +0,0 @@
-Source: shadow
-Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
-Uploaders:
- Serge Hallyn <serge@hallyn.com>,
- Chris Hofstaedtler <zeha@debian.org>
-Section: admin
-Priority: required
-Build-Depends:
- bison,
- debhelper-compat (= 13),
- dh-package-notes,
- dh-sequence-zz-debputy-rrr (>= 0.1.23~),
- docbook-xml <!nodoc>,
- docbook-xsl <!nodoc>,
- gettext,
- itstool <!nodoc>,
- libacl1-dev,
- libattr1-dev,
- libaudit-dev [linux-any],
- libbsd-dev,
- libcrypt-dev,
- libltdl-dev,
- libpam0g-dev,
- libselinux1-dev [linux-any],
- libsemanage-dev [linux-any],
- libxml2-utils <!nodoc>,
- pkgconf,
- systemd-dev [linux-any],
- xsltproc <!nodoc>
-Standards-Version: 4.7.0
-Vcs-Git: https://salsa.debian.org/debian/shadow.git -b master
-Vcs-Browser: https://salsa.debian.org/debian/shadow
-Homepage: https://github.com/shadow-maint/shadow
-Rules-Requires-Root: no
-
-Package: passwd
-Architecture: any
-Multi-Arch: foreign
-Depends:
- base-passwd (>= 3.6.4),
- libpam-modules,
- login.defs
-Recommends:
- sensible-utils
-Replaces:
- login (<< 1:4.16.0-2~)
-Description: change and administer password and group data
- This package includes passwd, chsh, chfn, and many other programs to
- maintain password and group data.
- .
- Shadow passwords are supported.  See /usr/share/doc/passwd/README.Debian
-
-Package: login.defs
-Architecture: all
-Multi-Arch: foreign
-Replaces:
- login (<< 1:4.16.0-2~)
-Description: system user management configuration
- This package provides the login.defs configuration file,
- used by otherwise unrelated tools managing system users.
-
-Package: uidmap
-Architecture: any
-Multi-Arch: foreign
-Priority: optional
-Description: programs to help use subuids
- These programs help unprivileged users to create uid and gid mappings in
- user namespaces.
-
-Package: libsubid5
-Section: libs
-Priority: optional
-Architecture: any
-Multi-Arch: same
-Description: subordinate id handling library -- shared library
- The library provides an interface for querying, granding and ungranting
- subordinate user and group ids.
-
-Package: libsubid-dev
-Section: libdevel
-Priority: optional
-Architecture: any
-Multi-Arch: same
-Depends:
- libsubid5 (= ${binary:Version})
-Description: subordinate id handling library -- shared library
- The library provides an interface for querying, granding and ungranting
- subordinate user and group ids.
- .
- This package contains the C header files that are
- needed for applications to use the libsubid library.
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,185 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: Shadow
-Source: https://github.com/shadow-maint/shadow
-
-Files: *
-Copyright: 1989-1994, Julianne Frances Haugh
-           2016-2024, Serge Hallyn <serge@hallyn.com>
-License: BSD-3-clause
-
-Files: man/po/da.po
-       man/po/de.po
-       man/tr/man1/su.1
-       po/da.po
-       po/de.po
-       po/es.po
-       po/eu.po
-       po/fi.po
-       po/gl.po
-       po/it.po
-       po/kk.po
-       po/nb.po
-       po/nl.po
-       po/nn.po
-       po/pl.po
-       po/pt_BR.po
-       po/ru.po
-       po/sq.po
-       po/sv.po
-       po/vi.po
-Copyright: 1999-2015, Free Software Foundation, Inc
-License: BSD-3-clause
-
-Files: man/fi/man1/chfn.1
-       man/id/man1/*
-       man/ko/man1/chfn.1
-       man/ko/man1/chsh.1
-       man/tr/man1/chfn.1
-       man/zh_TW/man1/chfn.1
-       man/zh_TW/man1/chsh.1
-Copyright: 1994, salvatore valente <svalente@athena.mit.edu>
-License: GPL-1
-
-Files: man/pt_BR/man8/*
-       man/zh_TW/man8/usermod.8
-Copyright: 1991-1994, Julianne Frances Haugh
-License: BSD-3-clause
-
-Files: man/hu/man1/gpasswd.1
-       man/ja/man1/gpasswd.1
-       man/pt_BR/man1/*
-Copyright: 1996, Rafal Maszkowski <rzm@pdi.net>
-License: BSD-3-clause
-
-Files: man/id/man1/login.1
-       man/ko/man1/login.1
-       man/tr/man1/login.1
-Copyright: 1993, Rickard E. Faith <faith@cs.unc.edu>
-License: BSD-3-clause
-
-Files: man/ja/man5/limits.5
-       man/ja/man8/vipw.8
-Copyright: 2001, Maki KURODA
-License: BSD-3-clause
-
-Files: man/pt_BR/man5/passwd.5
-       man/tr/man5/passwd.5
-Copyright: 1993, Michael Haardt <michael@moria.de>
-License: GPL-2+
-
-Files: man/ja/man1/chage.1
-       man/ja/man5/suauth.5
-Copyright: 1997, Kazuyoshi Furutaka
-License: BSD-3-clause
-
-Files: man/po/fr.po
-       po/fr.po
-Copyright: 2011-2013, Debian French l10n team <debian-l10n-french@lists.debian.org>
-License: BSD-3-clause
-
-Files: man/shadowconfig.8
-Copyright: 2025 Alejandro Colomar <alx@kernel.org>
-License: BSD-3-clause
-
-Files: man/zh_TW/man5/*
-Copyright: 1993, Michael Haardt <michael@moria.de>
-           1993, Scorpio, www.linuxforum.net
-License: GPL-2+
-
-Files: man/hu/man5/*
-Copyright: 1993, Michael Haardt <u31b3hs@pool.informatik.rwth-aachen.de>
-License: GPL-2+
-
-Files: contrib/adduser2.sh
-Copyright: 1996, Petri Mattila, Prihateam Networks <petri@prihateam.fi>
-License: GPL-2+
-
-Files: lib/subordinateio.h
-Copyright: 2012, Eric W. Biederman
-License: BSD-3-clause
-
-Files: man/hu/man1/su.1
-Copyright: 1999, Ragnar Hojland Espinosa <ragnar@macula.net>
-License: BSD-3-clause
-
-Files: man/ja/man8/pwconv.8
-Copyright: 2001, Yuichi SATO
-License: BSD-3-clause
-
-Files: src/login_nopam.c
-Copyright: 1995, Wietse Venema
-License: BSD-3-clause
-
-Files: src/su.c
-Copyright: 1989 - 1994, Julianne Frances Haugh
-           1996 - 2000, Marek Michałkiewicz
-           2000 - 2006, Tomasz Kłoczko
-           2007 - 2013, Nicolas François
-License: GPL-2+
-
-Files: src/vipw.c
-Copyright: 1997, Guy Maor <maor@ece.utexas.edu>
-           1999 - 2000, Marek Michałkiewicz
-           2002 - 2006, Tomasz Kłoczko
-           2007 - 2013, Nicolas François
-License: GPL-2+
-
-Files: man/ko/man5/*
-Copyright: 2000, ASPLINUX <man@asp-linux.co.kr>
-License: GPL-2+
-
-Files: debian/*
-Copyright: 1999-2001, Ben Collins <bcollins@debian.org>
-           2001-2004 Karl Ramm <kcr@debian.org>
-           2004-2014 Christian Perrier <bubulle@debian.org>
-           2006-2012 Nicolas Francois (Nekral) <nicolas.francois@centraliens.net>
-           2017-2022 Balint Reczey <balint@balintreczey.hu>
-License: BSD-3-clause
-
-Files: debian/passwd.expire.cron
-Copyright: 1999, Ben Collins <bcollins@debian.org>
-License: BSD-3-clause
-
-License: BSD-3-clause
- All rights reserved.
- .
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
-    notice, this list of conditions and the following disclaimer in the
-    documentation and/or other materials provided with the distribution.
- 3. Neither the name of the University nor the names of its contributors
-    may be used to endorse or promote products derived from this software
-    without specific prior written permission.
- .
- THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-
-License: GPL-1
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; version 1
- .
- On Debian systems, the complete text of version 1 of the GNU General
- Public License can be found in '/usr/share/common-licenses/GPL-1'.
-
-License: GPL-2+
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; version 2 dated June, 1991, or (at
- your option) any later version.
- .
- On Debian systems, the complete text of version 2 of the GNU General
- Public License can be found in '/usr/share/common-licenses/GPL-2'.
--- a/debian/debputy.manifest
+++ b/debian/debputy.manifest
@@ -1,24 +0,0 @@
-manifest-version: '0.1'
-packages:
-  passwd:
-    transformations:
-    - path-metadata:
-        paths:
-        - usr/bin/chfn
-        - usr/bin/chsh
-        - usr/bin/gpasswd
-        - usr/bin/passwd
-        mode: "u=rwxs,go=rx"
-    - path-metadata:
-        paths:
-        - usr/bin/chage
-        - usr/bin/expiry
-        group: "shadow"
-        mode: "u=rwx,go=rxs"
-  uidmap:
-    transformations:
-    - path-metadata:
-        paths:
-        - usr/bin/newgidmap
-        - usr/bin/newuidmap
-        mode: "u=rwxs,go=rx"
--- a/debian/default/useradd
+++ b/debian/default/useradd
@@ -1,37 +0,0 @@
-# Default values for useradd(8)
-#
-# The SHELL variable specifies the default login shell on your
-# system.
-# Similar to DSHELL in adduser. However, we use "sh" here because
-# useradd is a low level utility and should be as general
-# as possible
-SHELL=/bin/sh
-#
-# The default group for users
-# 100=users on Debian systems
-# Same as USERS_GID in adduser
-# This argument is used when the -n flag is specified.
-# The default behavior (when -n and -g are not specified) is to create a
-# primary user group with the same name as the user being added to the
-# system.
-# GROUP=100
-#
-# The default home directory. Same as DHOME for adduser
-# HOME=/home
-#
-# The number of days after a password expires until the account 
-# is permanently disabled
-# INACTIVE=-1
-#
-# The default expire date
-# EXPIRE=
-#
-# The SKEL variable specifies the directory containing "skeletal" user
-# files; in other words, files such as a sample .profile that will be
-# copied to the new user's home directory when it is created.
-# SKEL=/etc/skel
-#
-# Defines whether the mail spool should be created while
-# creating the account
-# CREATE_MAIL_SPOOL=no
-
--- a/debian/dependencies
+++ b/debian/dependencies
@@ -1,16 +0,0 @@
-Build-Depends:
-==============
- * gettext
-   POT, PO, GMO regenerated?
- * xsltproc
-   used to generate the manpages
- * docbook-xsl
-   needed for /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl
- * docbook-xml
-   manpages/docbook.xsl includes html/docbook.xsl
-   (But it is not strictly needed. The generated manpages are identical.
-   Without it, a warning is generated.)
-   Needed by JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.1.2//EN], [DocBook XML DTD V4.1.2], [], enable_man=no)
- * libxml2-utils
-   needed by the JH_CHECK_XML_CATALOG macros
-
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,2 +0,0 @@
-[pq]
-patch-numbers = False
--- a/debian/gitlab-ci.yml
+++ b/debian/gitlab-ci.yml
@@ -1,7 +0,0 @@
-variables:
-  RELEASE: 'unstable'
-  # workaround for https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/259
-  SALSA_CI_REPROTEST_ARGS: --vary=domain_host.use_sudo=1
-include:
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
--- a/debian/libsubid-dev.install
+++ b/debian/libsubid-dev.install
@@ -1,3 +0,0 @@
-usr/include/*
-usr/lib/*/libsubid.a
-usr/lib/*/libsubid.so
--- a/debian/libsubid5.install
+++ b/debian/libsubid5.install
@@ -1 +0,0 @@
-usr/lib/*/libsubid.so.*
--- a/debian/libsubid5.symbols
+++ b/debian/libsubid5.symbols
@@ -1,11 +0,0 @@
-libsubid.so.5 libsubid5 #MINVER#
- subid_free@Base 1:4.16.0
- subid_get_gid_owners@Base 1:4.16.0
- subid_get_gid_ranges@Base 1:4.16.0
- subid_get_uid_owners@Base 1:4.16.0
- subid_get_uid_ranges@Base 1:4.16.0
- subid_grant_gid_range@Base 1:4.16.0
- subid_grant_uid_range@Base 1:4.16.0
- subid_init@Base 1:4.16.0
- subid_ungrant_gid_range@Base 1:4.16.0
- subid_ungrant_uid_range@Base 1:4.16.0
--- a/debian/login.defs.install
+++ b/debian/login.defs.install
@@ -1 +0,0 @@
-etc/login.defs etc
--- a/debian/login.defs.manpages
+++ b/debian/login.defs.manpages
@@ -1,2 +0,0 @@
-usr/share/man/*/man5/login.defs.5
-usr/share/man/man5/login.defs.5
--- a/debian/login.defs.postinst
+++ b/debian/login.defs.postinst
@@ -1,26 +0,0 @@
-#!/bin/sh
-
-set -e
-
-_adopt_conffile() {
-    conffile=$1
-    pkg=$2
-
-    [ -f ${conffile}.dpkg-bak ] || return 0
-
-    md5sum="$(md5sum ${conffile} | sed -e 's/ .*//')"
-    old_md5sum="$(dpkg-query -W -f='${Conffiles}' $pkg | \
-                        sed -n -e "\' ${conffile} ' { s/ obsolete$//; s/.* //; p }")"
-    # On new installs, if the conffile was preserved on upgrade by
-    # dpkg-maintscript helper, copy it back if the new file has not been
-    # modified yet
-    if [ "$md5sum" = "$old_md5sum" ]; then
-        mv ${conffile}.dpkg-bak ${conffile}
-    fi
-}
-
-if [ "$1" = configure ] && [ -z "$2" ]; then
-    _adopt_conffile /etc/login.defs login.defs
-fi
-
-#DEBHELPER#
--- a/debian/not-installed
+++ b/debian/not-installed
@@ -1,54 +0,0 @@
-bin/groups
-bin/login
-# Workaround debhelper complaining about login.defs, although we install it.
-etc/login.defs
-etc/pam.d/chfn
-etc/pam.d/chage
-etc/pam.d/chpasswd
-etc/pam.d/chsh
-etc/pam.d/groupadd
-etc/pam.d/groupdel
-etc/pam.d/groupmems
-etc/pam.d/groupmod
-etc/pam.d/login
-etc/pam.d/newusers
-etc/pam.d/passwd
-etc/pam.d/useradd
-etc/pam.d/userdel
-etc/pam.d/usermod
-sbin/nologin
-usr/bin/newgrp
-usr/bin/faillog
-usr/bin/sg
-usr/lib/*/libsubid.la
-usr/sbin/groupmems
-usr/sbin/logoutd
-usr/sbin/vigr
-usr/share/man/*/man1/groups.1
-usr/share/man/*/man1/login.1
-usr/share/man/*/man1/logoutd.1
-usr/share/man/*/man1/newgrp.1
-usr/share/man/*/man1/sg.1
-usr/share/man/*/man1/su.1
-usr/share/man/*/man3/getspnam.3
-usr/share/man/*/man3/shadow.3
-usr/share/man/*/man5/faillog.5
-usr/share/man/*/man5/suauth.5
-usr/share/man/*/man8/faillog.8
-usr/share/man/*/man8/groupmems.8
-usr/share/man/*/man8/logoutd.8
-usr/share/man/*/man8/nologin.8
-usr/share/man/man1/groups.1
-usr/share/man/man1/login.1
-usr/share/man/man1/logoutd.1
-usr/share/man/man1/newgrp.1
-usr/share/man/man1/sg.1
-usr/share/man/man1/su.1
-usr/share/man/man3/getspnam.3
-usr/share/man/man3/shadow.3
-usr/share/man/man5/faillog.5
-usr/share/man/man5/suauth.5
-usr/share/man/man8/faillog.8
-usr/share/man/man8/groupmems.8
-usr/share/man/man8/logoutd.8
-usr/share/man/man8/nologin.8
--- a/debian/passwd.chage.pam
+++ b/debian/passwd.chage.pam
@@ -1,8 +0,0 @@
-# The PAM configuration file for the Shadow 'chage' service
-#
-
-# This allows root to change password aging being prompted for a password
-auth		sufficient	pam_rootok.so
-
-# checks for account validity
-account	required	pam_permit.so
--- a/debian/passwd.chfn.pam
+++ b/debian/passwd.chfn.pam
@@ -1,16 +0,0 @@
-#
-# The PAM configuration file for the Shadow `chfn' service
-#
-
-# This allows root to change user infomation without being
-# prompted for a password
-auth		sufficient	pam_rootok.so
-
-# The standard Unix authentication modules, used with
-# NIS (man nsswitch) as well as normal /etc/passwd and
-# /etc/shadow entries.
-@include common-auth
-@include common-account
-@include common-session
-
-
--- a/debian/passwd.chpasswd.pam
+++ b/debian/passwd.chpasswd.pam
@@ -1,5 +0,0 @@
-# The PAM configuration file for the Shadow 'chpasswd' service
-#
-
-@include common-password
-
--- a/debian/passwd.chsh.pam
+++ b/debian/passwd.chsh.pam
@@ -1,20 +0,0 @@
-#
-# The PAM configuration file for the Shadow `chsh' service
-#
-
-# This will not allow a user to change their shell unless
-# their current one is listed in /etc/shells. This keeps
-# accounts with special shells from changing them.
-auth       required   pam_shells.so
-
-# This allows root to change user shell without being
-# prompted for a password
-auth		sufficient	pam_rootok.so
-
-# The standard Unix authentication modules, used with
-# NIS (man nsswitch) as well as normal /etc/passwd and
-# /etc/shadow entries.
-@include common-auth
-@include common-account
-@include common-session
-
--- a/debian/passwd.dirs
+++ b/debian/passwd.dirs
@@ -1,2 +0,0 @@
-etc/default
-usr/share/lintian/overrides
--- a/debian/passwd.examples
+++ b/debian/passwd.examples
@@ -1 +0,0 @@
-debian/passwd.expire.cron
--- a/debian/passwd.expire.cron
+++ b/debian/passwd.expire.cron
@@ -1,57 +0,0 @@
-#!/usr/bin/perl
-#
-# passwd.expire.cron: sample expiry notification script for use as a cronjob
-#
-# Copyright 1999 by Ben Collins <bcollins@debian.org>, complete rights granted
-# for use, distribution, modification, etc.
-#
-# Usage:
-#	edit the listed options, including the actual email, then rename to
-#	/etc/cron.daily/passwd
-#
-#	If your users don't have a valid login shell (ie. they are ftp or mail
-#	users only), they will need some other way to change their password
-#	(telnet will work since login will handle password aging, or a poppasswd
-#	program, if they are mail users).
-
-# <CONFIG> #
-
-# should be same as /etc/adduser.conf
-$LOW_UID=1000;
-$HIGH_UID=29999;
-
-# this let's the MTA handle the domain,
-# set it manually if you want. Make sure
-# you also add the @ like "\@domain.com"
-$MAIL_DOM="";
-
-# </CONFIG> #
-
-# Set the current day reference
-$curdays = int(time() / (60 * 60 * 24));
-
-# Now go through the list
-
-open(SH, "< /etc/shadow");
-while (<SH>) {
-    @shent = split(':', $_);
-    @userent = getpwnam($shent[0]);
-    if ($userent[2] >= $LOW_UID && $userent[2] <= $HIGH_UID) {
-	if ($curdays > $shent[2] + $shent[4] - $shent[5] &&
-		$shent[4] != -1 && $shent[4] != 0 &&
-		$shent[5] != -1 && $shent[5] != 0) {
-	    $daysleft = ($shent[2] + $shent[4]) - $curdays;
-	    if ($daysleft == 1) { $days = "day"; } else {$days = "days"; }
-            if ($daysleft < 0) { next; }
-	    open (MAIL, "| mail -s '[WARNING] account will expire in $daysleft $days' $shent[0]${MAIL_DOM}");
-	    print MAIL <<EOF;
-Your account will expire in $daysleft $days. Please change your password before
-then or your account will expire
-EOF
-	    close (MAIL);
-	    # This makes sure we also get a list of almost expired users
-	    print "$shent[0]'s account will expire in $daysleft days\n";
-	}
-    }
-    @userent = getpwent();
-}
--- a/debian/passwd.groupadd.pam
+++ b/debian/passwd.groupadd.pam
@@ -1,8 +0,0 @@
-# The PAM configuration file for the Shadow 'groupadd' service
-#
-
-# This allows root to add groups without being prompted for a password
-auth		sufficient	pam_rootok.so
-
-# checks for account validity
-account	required	pam_permit.so
--- a/debian/passwd.groupdel.pam
+++ b/debian/passwd.groupdel.pam
@@ -1,8 +0,0 @@
-# The PAM configuration file for the Shadow 'groupdel' service
-#
-
-# This allows root to remove groups without being prompted for a password
-auth		sufficient	pam_rootok.so
-
-# checks for account validity
-account	required	pam_permit.so
--- a/debian/passwd.groupmod.pam
+++ b/debian/passwd.groupmod.pam
@@ -1,8 +0,0 @@
-# The PAM configuration file for the Shadow 'groupmod' service
-#
-
-# This allows root to modify groups without being prompted for a password
-auth		sufficient	pam_rootok.so
-
-# checks for account validity
-account	required	pam_permit.so
--- a/debian/passwd.install
+++ b/debian/passwd.install
@@ -1,25 +0,0 @@
-debian/default/useradd etc/default
-debian/shadowconfig usr/sbin
-usr/bin/chage
-usr/bin/chfn
-usr/bin/chsh
-usr/bin/expiry
-usr/bin/gpasswd
-usr/bin/passwd
-usr/sbin/chgpasswd
-usr/sbin/chpasswd
-usr/sbin/groupadd
-usr/sbin/groupdel
-usr/sbin/groupmod
-usr/sbin/grpck
-usr/sbin/grpconv
-usr/sbin/grpunconv
-usr/sbin/newusers
-usr/sbin/pwck
-usr/sbin/pwconv
-usr/sbin/pwunconv
-usr/sbin/useradd
-usr/sbin/userdel
-usr/sbin/usermod
-usr/sbin/vipw
-usr/share/locale/*/LC_MESSAGES/shadow.mo
--- a/debian/passwd.links
+++ b/debian/passwd.links
@@ -1 +0,0 @@
-usr/sbin/vipw usr/sbin/vigr
--- a/debian/passwd.lintian-overrides
+++ b/debian/passwd.lintian-overrides
@@ -1,6 +0,0 @@
-passwd: elevated-privileges 2755 root/shadow [usr/bin/chage]
-passwd: elevated-privileges 4755 root/root [usr/bin/chfn]
-passwd: elevated-privileges 4755 root/root [usr/bin/chsh]
-passwd: elevated-privileges 2755 root/shadow [usr/bin/expiry]
-passwd: elevated-privileges 4755 root/root [usr/bin/gpasswd]
-passwd: elevated-privileges 4755 root/root [usr/bin/passwd]
--- a/debian/passwd.maintscript
+++ b/debian/passwd.maintscript
@@ -1 +0,0 @@
-rm_conffile /etc/cron.daily/passwd 1:4.7-2~
--- a/debian/passwd.manpages
+++ b/debian/passwd.manpages
@@ -1,57 +0,0 @@
-usr/share/man/*/man1/chage.1
-usr/share/man/*/man1/chfn.1
-usr/share/man/*/man1/chsh.1
-usr/share/man/*/man1/expiry.1
-usr/share/man/*/man1/gpasswd.1
-usr/share/man/*/man1/passwd.1
-usr/share/man/*/man5/gshadow.5
-usr/share/man/*/man5/passwd.5
-usr/share/man/*/man5/shadow.5
-usr/share/man/*/man5/subgid.5
-usr/share/man/*/man5/subuid.5
-usr/share/man/*/man8/chgpasswd.8
-usr/share/man/*/man8/chpasswd.8
-usr/share/man/*/man8/groupadd.8
-usr/share/man/*/man8/groupdel.8
-usr/share/man/*/man8/groupmod.8
-usr/share/man/*/man8/grpck.8
-usr/share/man/*/man8/grpconv.8
-usr/share/man/*/man8/grpunconv.8
-usr/share/man/*/man8/newusers.8
-usr/share/man/*/man8/pwck.8
-usr/share/man/*/man8/pwconv.8
-usr/share/man/*/man8/pwunconv.8
-usr/share/man/*/man8/useradd.8
-usr/share/man/*/man8/userdel.8
-usr/share/man/*/man8/usermod.8
-usr/share/man/*/man8/vigr.8
-usr/share/man/*/man8/vipw.8
-usr/share/man/man1/chage.1
-usr/share/man/man1/chfn.1
-usr/share/man/man1/chsh.1
-usr/share/man/man1/expiry.1
-usr/share/man/man1/gpasswd.1
-usr/share/man/man1/passwd.1
-usr/share/man/man5/gshadow.5
-usr/share/man/man5/passwd.5
-usr/share/man/man5/shadow.5
-usr/share/man/man5/subgid.5
-usr/share/man/man5/subuid.5
-usr/share/man/man8/chgpasswd.8
-usr/share/man/man8/chpasswd.8
-usr/share/man/man8/groupadd.8
-usr/share/man/man8/groupdel.8
-usr/share/man/man8/groupmod.8
-usr/share/man/man8/grpck.8
-usr/share/man/man8/grpconv.8
-usr/share/man/man8/grpunconv.8
-usr/share/man/man8/newusers.8
-usr/share/man/man8/pwck.8
-usr/share/man/man8/pwconv.8
-usr/share/man/man8/pwunconv.8
-usr/share/man/man8/shadowconfig.8
-usr/share/man/man8/useradd.8
-usr/share/man/man8/userdel.8
-usr/share/man/man8/usermod.8
-usr/share/man/man8/vigr.8
-usr/share/man/man8/vipw.8
--- a/debian/passwd.newusers.pam
+++ b/debian/passwd.newusers.pam
@@ -1,5 +0,0 @@
-# The PAM configuration file for the Shadow 'newusers' service
-#
-
-@include common-password
-
--- a/debian/passwd.passwd.pam
+++ b/debian/passwd.passwd.pam
@@ -1,6 +0,0 @@
-#
-# The PAM configuration file for the Shadow `passwd' service
-#
-
-@include common-password
-
--- a/debian/passwd.postinst
+++ b/debian/passwd.postinst
@@ -1,30 +0,0 @@
-#!/bin/sh
-
-set -e
-
-case "$1" in
-configure)
-	if ! getent group shadow | grep -q '^shadow:[^:]*:42'
-	then
-		groupadd -g 42 shadow || (
-    			cat <<EOF
-Group ID 42 has been allocated for the shadow group.  You have either
-used 42 yourself or created a shadow group with a different ID.
-Please correct this problem and reconfigure with ``dpkg --configure passwd''.
-
-Note that both user and group IDs in the range 0-99 are globally
-allocated by the Debian project and must be the same on every Debian
-system.
-EOF
-    			exit 1
-		)
-	fi
-    ;;
-esac
-
-# Run shadowconfig only on new installs
-[ -z "$2" ] && shadowconfig on
-
-#DEBHELPER#
-
-exit 0
--- a/debian/passwd.tmpfiles
+++ b/debian/passwd.tmpfiles
@@ -1,8 +0,0 @@
-# If a password operation is in progress and we lose power, stale lockfiles
-# can be left behind.  Clear them on boot.
-r! /etc/gshadow.lock
-r! /etc/shadow.lock
-r! /etc/passwd.lock
-r! /etc/group.lock
-r! /etc/subuid.lock
-r! /etc/subgid.lock
--- a/debian/passwd.useradd.pam
+++ b/debian/passwd.useradd.pam
@@ -1,8 +0,0 @@
-# The PAM configuration file for the Shadow 'useradd' service
-#
-
-# This allows root to add users without being prompted for a password
-auth		sufficient	pam_rootok.so
-
-# checks for account validity
-account	required	pam_permit.so
--- a/debian/passwd.userdel.pam
+++ b/debian/passwd.userdel.pam
@@ -1,8 +0,0 @@
-# The PAM configuration file for the Shadow 'userdel' service
-#
-
-# This allows root to remove users without being prompted for a password
-auth		sufficient	pam_rootok.so
-
-# checks for account validity
-account	required	pam_permit.so
--- a/debian/passwd.usermod.pam
+++ b/debian/passwd.usermod.pam
@@ -1,8 +0,0 @@
-# The PAM configuration file for the Shadow 'groupdel' service
-#
-
-# This allows root to remove groups without being prompted for a password
-auth		sufficient	pam_rootok.so
-
-# checks for account validity
-account	required	pam_permit.so
--- a/debian/patches/debian/Adapt-login.defs-for-Debian.patch
+++ b/debian/patches/debian/Adapt-login.defs-for-Debian.patch
@@ -1,517 +0,0 @@
-From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
-Date: Sun, 7 Jul 2024 14:06:39 +0200
-Subject: Adapt login.defs for Debian
-
-Remove settings only applicable to shadow's su, which we do not use.
-Remove settings only applicable without PAM support enabled.
-Remove obscure commented-out settings.
-Remove explanation about write(1), which Debian does not ship anymore.
---
- etc/login.defs | 375 ++++++++-------------------------------------------------
- 1 file changed, 47 insertions(+), 328 deletions(-)
-
-diff --git a/etc/login.defs b/etc/login.defs
-index 33622c2..91d3ec4 100644
--- a/etc/login.defs
-+++ b/etc/login.defs
-@@ -1,24 +1,38 @@
- #
- # /etc/login.defs - Configuration control definitions for the shadow package.
- #
-#	$Id$
-#
- 
-#
-# Delay in seconds before being allowed another attempt after a login failure
-# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
-#       pam_unix(8) enforces a 2s delay)
-#
-FAIL_DELAY		3
-
-#
-# Enable logging and display of /var/log/faillog login(1) failure info.
-#
-FAILLOG_ENAB		yes
-+# REQUIRED for useradd/userdel/usermod
-+#   Directory where mailboxes reside, _or_ name of file, relative to the
-+#   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
-+#   MAIL_DIR takes precedence.
-+#
-+#   Essentially:
-+#      - MAIL_DIR defines the location of users mail spool files
-+#        (for mbox use) by appending the username to MAIL_DIR as defined
-+#        below.
-+#      - MAIL_FILE defines the location of the users mail spool files as the
-+#        fully-qualified filename obtained by prepending the user home
-+#        directory before $MAIL_FILE
-+#
-+# NOTE: This is no more used for setting up users MAIL environment variable
-+#       which is, starting from shadow 4.0.12-1 in Debian, entirely the
-+#       job of the pam_mail PAM modules
-+#       See default PAM configuration files provided for
-+#       login, su, etc.
-+#
-+# This is a temporary situation: setting these variables will soon
-+# move to /etc/default/useradd and the variables will then be
-+# no more supported
-+MAIL_DIR        /var/mail
-+#MAIL_FILE      .mail
- 
- #
- # Enable display of unknown usernames when login(1) failures are recorded.
- #
-+# WARNING: Unknown usernames may become world readable.
-+# See #290803 and #298773 for details about how this could become a security
-+# concern
- LOG_UNKFAIL_ENAB	no
- 
- #
-@@ -26,110 +40,12 @@ LOG_UNKFAIL_ENAB	no
- #
- LOG_OK_LOGINS		no
- 
-#
-# Enable logging and display of /var/log/lastlog login(1) time info.
-#
-LASTLOG_ENAB		yes
-
-#
-# Limit the highest user ID number for which the lastlog entries should
-# be updated.
-#
-# No LASTLOG_UID_MAX means that there is no user ID limit for writing
-# lastlog entries.
-#
-#LASTLOG_UID_MAX
-
-#
-# Enable checking and display of mailbox status upon login.
-#
-# Disable if the shell startup files already check for mail
-# ("mailx -e" or equivalent).
-#
-MAIL_CHECK_ENAB		yes
-
-#
-# Enable additional checks upon password changes.
-#
-OBSCURE_CHECKS_ENAB	yes
-
-#
-# Enable checking of time restrictions specified in /etc/porttime.
-#
-PORTTIME_CHECKS_ENAB	yes
-
-#
-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
-#
-QUOTAS_ENAB		yes
-
-#
-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
-#
-SYSLOG_SU_ENAB		yes
-SYSLOG_SG_ENAB		yes
-
-#
-# If defined, either full pathname of a file containing device names or
-# a ":" delimited list of device names.  Root logins will be allowed only
-# from these devices.
-#
-CONSOLE		/etc/securetty
-#CONSOLE	console:tty01:tty02:tty03:tty04
-
-#
-# If defined, all su(1) activity is logged to this file.
-#
-#SULOG_FILE	/var/log/sulog
-
-#
-# If defined, ":" delimited list of "message of the day" files to
-# be displayed upon login.
-#
-MOTD_FILE	/etc/motd
-#MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
-
-#
-# If defined, this file will be output before each login(1) prompt.
-#
-#ISSUE_FILE	/etc/issue
-
- #
- # If defined, file which maps tty line to TERM environment parameter.
- # Each line of the file is in a format similar to "vt100  tty01".
- #
- #TTYTYPE_FILE	/etc/ttytype
- 
-#
-# If defined, login(1) failures will be logged here in a utmp format.
-# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
-#
-FTMP_FILE	/var/log/btmp
-
-#
-# If defined, name of file whose presence will inhibit non-root
-# logins.  The content of this file should be a message indicating
-# why logins are inhibited.
-#
-NOLOGINS_FILE	/etc/nologin
-
-#
-# If defined, the command name to display when running "su -".  For
-# example, if this is defined as "su" then ps(1) will display the
-# command as "-su".  If not defined, then ps(1) will display the
-# name of the shell actually being run, e.g. something like "-sh".
-#
-SU_NAME		su
-
-#
-# *REQUIRED*
-#   Directory where mailboxes reside, _or_ name of file, relative to the
-#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
-#
-MAIL_DIR	/var/spool/mail
-#MAIL_FILE	.mail
-
- #
- # If defined, file which inhibits all the usual chatter during the login
- # sequence.  If a full pathname, then hushed mode will be enabled if the
-@@ -139,40 +55,21 @@ MAIL_DIR	/var/spool/mail
- HUSHLOGIN_FILE	.hushlogin
- #HUSHLOGIN_FILE	/etc/hushlogins
- 
-#
-# If defined, either a TZ environment parameter spec or the
-# fully-rooted pathname of a file containing such a spec.
-#
-#ENV_TZ		TZ=CST6CDT
-#ENV_TZ		/etc/tzname
-
-#
-# If defined, an HZ environment parameter spec.
-#
-# for Linux/x86
-ENV_HZ		HZ=100
-# For Linux/Alpha...
-#ENV_HZ		HZ=1024
-
- #
- # *REQUIRED*  The default PATH settings, for superuser and normal users.
- #
- # (they are minimal, add the rest in the shell startup files)
-ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH	PATH=/bin:/usr/bin
-+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
- 
- #
-# Terminal permissions
-+# Terminal permissions for terminals after login(1).
-+# These settings are ignored for remote and other logins.
- #
- #	TTYGROUP	Login tty will be assigned this group ownership.
- #	TTYPERM		Login tty will be set to this permission.
- #
-# If you have a write(1) program which is "setgid" to a special group
-# which owns the terminals, define TTYGROUP as the number of such group
-# and TTYPERM as 0620.  Otherwise leave TTYGROUP commented out and
-# set TTYPERM to either 622 or 600.
-#
-TTYGROUP	tty
-+#TTYGROUP	tty
- TTYPERM		0600
- 
- #
-@@ -180,61 +77,35 @@ TTYPERM		0600
- #
- #	ERASECHAR	Terminal ERASE character ('\010' = backspace).
- #	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
-#	ULIMIT		Default "ulimit" value.
- #
- # The ERASECHAR and KILLCHAR are used only on System V machines.
-# The ULIMIT is used only if the system supports it.
-# (now it works with setrlimit too; ulimit is in 512-byte units)
-#
-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
- #
- ERASECHAR	0177
- KILLCHAR	025
-#ULIMIT		2097152
-
-# Default initial "umask" value used by login(1) on non-PAM enabled systems.
-# Default "umask" value for pam_umask(8) on PAM enabled systems.
-# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-# home directories if HOME_MODE is not set.
-# 022 is the default value, but 027, or even 077, could be considered
-# for increased privacy. There is no One True Answer here: each sysadmin
-# must make up their mind.
-UMASK		022
- 
- # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
- # home directories.
-# If HOME_MODE is not set, the value of UMASK is used to create the mode.
-#HOME_MODE	0700
-+HOME_MODE	0700
- 
- #
- # Password aging controls:
- #
- #	PASS_MAX_DAYS	Maximum number of days a password may be used.
- #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
-#	PASS_MIN_LEN	Minimum acceptable password length.
- #	PASS_WARN_AGE	Number of days warning given before a password expires.
- #
- PASS_MAX_DAYS	99999
- PASS_MIN_DAYS	0
-PASS_MIN_LEN	5
- PASS_WARN_AGE	7
- 
-#
-# If "yes", the user must be listed as a member of the first gid 0 group
-# in /etc/group (called "root" on most Linux systems) to be able to "su"
-# to uid 0 accounts.  If the group doesn't exist or is empty, no one
-# will be able to "su" to uid 0.
-#
-SU_WHEEL_ONLY	no
-
- #
- # Min/max values for automatic uid selection in useradd(8)
- #
- UID_MIN			 1000
- UID_MAX			60000
- # System accounts
-SYS_UID_MIN		  101
-SYS_UID_MAX		  999
-+#SYS_UID_MIN		  101
-+#SYS_UID_MAX		  999
- # Extra per user uids
- SUB_UID_MIN		   100000
- SUB_UID_MAX		600100000
-@@ -246,8 +117,8 @@ SUB_UID_COUNT		    65536
- GID_MIN			 1000
- GID_MAX			60000
- # System accounts
-SYS_GID_MIN		  101
-SYS_GID_MAX		  999
-+#SYS_GID_MIN		  101
-+#SYS_GID_MAX		  999
- # Extra per user group ids
- SUB_GID_MIN		   100000
- SUB_GID_MAX		600100000
-@@ -255,6 +126,9 @@ SUB_GID_COUNT		    65536
- 
- #
- # Max number of login(1) retries if password is bad
-+# This will most likely be overriden by PAM, since the default pam_unix module
-+# has it's own built in of 3 retries. However, this is a safe fallback in case
-+# you are using an authentication module that does not enforce PAM_MAXTRIES.
- #
- LOGIN_RETRIES		5
- 
-@@ -263,28 +137,6 @@ LOGIN_RETRIES		5
- #
- LOGIN_TIMEOUT		60
- 
-#
-# Maximum number of attempts to change password if rejected (too easy)
-#
-PASS_CHANGE_TRIES	5
-
-#
-# Warn about weak passwords (but still allow them) if you are root.
-#
-PASS_ALWAYS_WARN	yes
-
-#
-# Number of significant characters in the password for crypt().
-# Default is 8, don't change unless your crypt() is better.
-# Ignored if MD5_CRYPT_ENAB set to "yes".
-#
-#PASS_MAX_LEN		8
-
-#
-# Require password before chfn(1)/chsh(1) can make any changes.
-#
-CHFN_AUTH		yes
-
- #
- # Which fields may be changed by regular users using chfn(1) - use
- # any combination of letters "frwh" (full name, room number, work
-@@ -294,29 +146,6 @@ CHFN_AUTH		yes
- CHFN_RESTRICT		rwh
- 
- #
-# Password prompt (%s will be replaced by user name).
-#
-# XXX - it doesn't work correctly yet, for now leave it commented out
-# to use the default which is just "Password: ".
-#LOGIN_STRING		"%s's Password: "
-
-#
-# Only works if compiled with MD5_CRYPT defined:
-# If set to "yes", new passwords will be encrypted using the MD5-based
-# algorithm compatible with the one used by recent releases of FreeBSD.
-# It supports passwords of unlimited length and longer salt strings.
-# Set to "no" if you need to copy encrypted passwords to other systems
-# which don't understand the new algorithm.  Default is "no".
-#
-# Note: If you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
-#
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
-#
-#MD5_CRYPT_ENAB	no
-
-#
-# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
- # If set to MD5, MD5-based algorithm will be used for encrypting password
- # If set to SHA256, SHA256-based algorithm will be used for encrypting password
- # If set to SHA512, SHA512-based algorithm will be used for encrypting password
-@@ -326,66 +155,10 @@ CHFN_RESTRICT		rwh
- # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
- # Overrides the MD5_CRYPT_ENAB option
- #
-# Note: If you use PAM, it is recommended to use a value consistent with
-+# Note: It is recommended to use a value consistent with
- # the PAM modules configuration.
- #
-#ENCRYPT_METHOD DES
-
-#
-# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
-#
-# Define the number of SHA rounds.
-# With a lot of rounds, it is more difficult to brute-force the password.
-# However, more CPU resources will be needed to authenticate users if
-# this value is increased.
-#
-# If not specified, the libc will choose the default number of rounds (5000),
-# which is orders of magnitude too low for modern hardware.
-# The values must be within the 1000-999999999 range.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
-#
-#SHA_CRYPT_MIN_ROUNDS 5000
-#SHA_CRYPT_MAX_ROUNDS 5000
-
-#
-# Only works if ENCRYPT_METHOD is set to BCRYPT.
-#
-# Define the number of BCRYPT rounds.
-# With a lot of rounds, it is more difficult to brute-force the password.
-# However, more CPU resources will be needed to authenticate users if
-# this value is increased.
-#
-# If not specified, 13 rounds will be attempted.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
-#
-#BCRYPT_MIN_ROUNDS 13
-#BCRYPT_MAX_ROUNDS 13
-
-#
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
-#
-# Define the YESCRYPT cost factor.
-# With a higher cost factor, it is more difficult to brute-force the password.
-# However, more CPU time and more memory will be needed to authenticate users
-# if this value is increased.
-#
-# If not specified, a cost factor of 5 will be used.
-# The value must be within the 1-11 range.
-#
-#YESCRYPT_COST_FACTOR 5
-
-#
-# List of groups to add to the user's supplementary group set
-# when logging in from the console (as determined by the CONSOLE
-# setting).  Default is none.
-#
-# Use with caution - it is possible for users to gain permanent
-# access to these groups, even when not logged in from the console.
-# How to do it is left as an exercise for the reader...
-#
-#CONSOLE_GROUPS		floppy:audio:cdrom
-+ENCRYPT_METHOD YESCRYPT
- 
- #
- # Should login be allowed if we can't cd to the home directory?
-@@ -401,12 +174,6 @@ DEFAULT_HOME	yes
- #
- NONEXISTENT	/nonexistent
- 
-#
-# If this file exists and is readable, login environment will be
-# read from it.  Every line should be in the form name=value.
-#
-ENVIRON_FILE	/etc/environment
-
- #
- # If defined, this command is run when removing a user.
- # It should remove any at/cron/print jobs etc. owned by
-@@ -415,59 +182,11 @@ ENVIRON_FILE	/etc/environment
- #USERDEL_CMD	/usr/sbin/userdel_local
- 
- #
-# Enable setting of the umask group bits to be the same as owner bits
-# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
-# the same as gid, and username is the same as the primary group name.
-+# If set to yes, userdel(8) will remove the user's group if it contains no more
-+# members, and useradd(8) will create by default a group with the name of the
-+# user.
- #
-# This also enables userdel(8) to remove user groups if no members exist.
-+# Other former uses of this variable are not used in PAM environments, such as
-+# Debian.
- #
- USERGROUPS_ENAB yes
-
-#
-# If set to a non-zero number, the shadow utilities will make sure that
-# groups never have more than this number of users on one line.
-# This permits to support split groups (groups split into multiple lines,
-# with the same group ID, to avoid limitation of the line length in the
-# group file).
-#
-# 0 is the default value and disables this feature.
-#
-#MAX_MEMBERS_PER_GROUP	0
-
-#
-# If useradd(8) should create home directories for users by default (non
-# system users only).
-# This option is overridden with the -M or -m flags on the useradd(8)
-# command-line.
-#
-#CREATE_HOME     yes
-
-#
-# Force use shadow, even if shadow passwd & shadow group files are
-# missing.
-#
-#FORCE_SHADOW    yes
-
-#
-# Allow newuidmap and newgidmap when running under an alternative
-# primary group.
-#
-#GRANT_AUX_GROUP_SUBIDS yes
-
-#
-# Prevents an empty password field to be interpreted as "no authentication
-# required".
-# Set to "yes" to prevent for all accounts
-# Set to "superuser" to prevent for UID 0 / root (default)
-# Set to "no" to not prevent for any account (dangerous, historical default)
-PREVENT_NO_AUTH superuser
-
-#
-# Select the HMAC cryptography algorithm.
-# Used in pam_timestamp module to calculate the keyed-hash message
-# authentication code.
-#
-# Note: It is recommended to check hmac(3) to see the possible algorithms
-# that are available in your system.
-#
-#HMAC_CRYPTO_ALGO SHA512
--- a/debian/patches/debian/Define-LOGIN_NAME_MAX-on-HURD.patch
+++ b/debian/patches/debian/Define-LOGIN_NAME_MAX-on-HURD.patch
@@ -1,25 +0,0 @@
-From: Chris Hofstaedtler <zeha@debian.org>
-Date: Tue, 6 Aug 2024 00:16:59 +0200
-Subject: Define LOGIN_NAME_MAX on HURD
-
---
- lib/chkname.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/lib/chkname.c b/lib/chkname.c
-index 57d6d96..6af55a9 100644
--- a/lib/chkname.c
-+++ b/lib/chkname.c
-@@ -29,6 +29,12 @@
- #include <stddef.h>
- #include <unistd.h>
- 
-+#ifdef __GNU__
-+#ifndef LOGIN_NAME_MAX
-+#define LOGIN_NAME_MAX 256
-+#endif
-+#endif
-+
- #include "defines.h"
- #include "chkname.h"
- #include "string/ctype/strisascii/strisdigit.h"
--- a/debian/patches/debian/Document-the-shadowconfig-utility.patch
+++ b/debian/patches/debian/Document-the-shadowconfig-utility.patch
@@ -1,65 +0,0 @@
-From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
-Date: Sat, 22 Jun 2024 17:39:41 +0200
-Subject: Document the shadowconfig utility
-
-Status wrt upstream: The shadowconfig utility is Debian-specific.
-The man page is Debian-specific, but it used to be distributed by
-upstream.
---
- man/Makefile.am         |  1 +
- man/man8/shadowconfig.8 | 34 ++++++++++++++++++++++++++++++++++
- 2 files changed, 35 insertions(+)
- create mode 100644 man/man8/shadowconfig.8
-
-diff --git a/man/Makefile.am b/man/Makefile.am
-index f34ed7a..2523e84 100644
--- a/man/Makefile.am
-+++ b/man/Makefile.am
-@@ -36,6 +36,7 @@ man_MANS = \
- 	man8/pwck.8 \
- 	man8/pwconv.8 \
- 	man8/pwunconv.8 \
-+	man8/shadowconfig.8 \
- 	man1/sg.1 \
- 	man3/shadow.3 \
- 	man5/shadow.5 \
-diff --git a/man/man8/shadowconfig.8 b/man/man8/shadowconfig.8
-new file mode 100644
-index 0000000..a463a92
--- /dev/null
-+++ b/man/man8/shadowconfig.8
-@@ -0,0 +1,34 @@
-+.TH shadowconfig 8 2025-02-17 "Debian shadow-utils"
-+.SH Name
-+shadowconfig \- turn shadow passwords on
-+.
-+.
-+.SH Synopsis
-+.SY shadowconfig on
-+.YS
-+.
-+.
-+.SH Description
-+.I shadowconfig\ on
-+will turn shadow passwords on.
-+.
-+.
-+.SH Errors
-+.B shadowconfig
-+will print an error message and exit with a nonzero code
-+if it finds anything awry.
-+If that happens,
-+you should correct the error and run it again.
-+Turning shadow passwords on when they are already on
-+is harmless.
-+.
-+.
-+.SH Caveats
-+Turning shadow passwords off using shadowconfig
-+is not supported anymore.
-+.
-+.
-+.SH See also
-+Read
-+.I /usr/share/doc/passwd/README.Debian
-+for a brief introduction to shadow passwords and related features.
--- a/debian/patches/debian/Keep-using-Debian-adduser-defaults.patch
+++ b/debian/patches/debian/Keep-using-Debian-adduser-defaults.patch
@@ -1,52 +0,0 @@
-From: Balint Reczey <balint@balintreczey.hu>
-Date: Sat, 22 Jun 2024 17:39:41 +0200
-Subject: Keep using Debian's adduser defaults
-
-Bug: https://github.com/shadow-maint/shadow/issues/501
-Bug-Debian: https://bugs.debian.org/1004710
-Forwarded: not-needed
-
-Upstream's bbf4b79bc49fd1826eb41f6629669ef0b647267b commit
-in 4.9 merged those values from upstream's default configuration file
-which is not shipped in Debian.
-This patch keeps the program's compiled in defaults in sync with the
-configuration files shipped in Debian (debian/default/useradd).
---
- man/useradd.8.xml | 2 +-
- src/useradd.c     | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/man/useradd.8.xml b/man/useradd.8.xml
-index eda1fef..38f2c68 100644
--- a/man/useradd.8.xml
-+++ b/man/useradd.8.xml
-@@ -248,7 +248,7 @@
- 	    command line), useradd will set the primary group of the new
- 	    user to the value specified by the <option>GROUP</option>
- 	    variable in <filename>/etc/default/useradd</filename>, or
-	    1000 by default.
-+	    100 by default.
- 	  </para>
- 	</listitem>
-       </varlistentry>
-diff --git a/src/useradd.c b/src/useradd.c
-index ee52aaf..5e4eb2c 100644
--- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -97,14 +97,14 @@ static const char Prog[] = "useradd";
- /*
-  * These defaults are used if there is no defaults file.
-  */
-static gid_t def_group = 1000;
-+static gid_t def_group = 100;
- static const char *def_groups = "";
- static const char *def_gname = "other";
- static const char *def_home = "/home";
- static const char *def_shell = "/bin/bash";
- static const char *def_template = SKEL_DIR;
- static const char *def_usrtemplate = USRSKELDIR;
-static const char *def_create_mail_spool = "yes";
-+static const char *def_create_mail_spool = "no";
- static const char *def_log_init = "yes";
- 
- static long def_inactive = -1;
--- a/debian/patches/debian/Recommend-using-adduser-and-deluser.patch
+++ b/debian/patches/debian/Recommend-using-adduser-and-deluser.patch
@@ -1,46 +0,0 @@
-From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
-Date: Sat, 22 Jun 2024 17:39:41 +0200
-Subject: Recommend using adduser and deluser
-
-Fixes: #406046
-
-Status wrt upstream: Debian specific patch.
---
- man/useradd.8.xml | 6 ++++++
- man/userdel.8.xml | 6 ++++++
- 2 files changed, 12 insertions(+)
-
-diff --git a/man/useradd.8.xml b/man/useradd.8.xml
-index 38f2c68..9009d83 100644
--- a/man/useradd.8.xml
-+++ b/man/useradd.8.xml
-@@ -82,6 +82,12 @@
- 
-   <refsect1 id='description'>
-     <title>DESCRIPTION</title>
-+      <para>
-+	<command>useradd</command> is a low level utility for adding
-+	users.  On Debian, administrators should usually use
-+	<citerefentry><refentrytitle>adduser</refentrytitle>
-+	<manvolnum>8</manvolnum></citerefentry> instead.
-+      </para>
-       <para>
- 	When invoked without the <option>-D</option> option, the
- 	<command>useradd</command> command creates a new user account using
-diff --git a/man/userdel.8.xml b/man/userdel.8.xml
-index 32851f1..4373cd8 100644
--- a/man/userdel.8.xml
-+++ b/man/userdel.8.xml
-@@ -58,6 +58,12 @@
- 
-   <refsect1 id='description'>
-     <title>DESCRIPTION</title>
-+    <para>
-+      <command>userdel</command> is a low level utility for removing
-+      users.  On Debian, administrators should usually use
-+      <citerefentry><refentrytitle>deluser</refentrytitle>
-+      <manvolnum>8</manvolnum></citerefentry> instead.
-+    </para>
-     <para>
-       The <command>userdel</command> command modifies the system account
-       files, deleting all entries that refer to the user name <emphasis
--- a/debian/patches/debian/Set-group-and-mode-for-g-shadow-files.patch
+++ b/debian/patches/debian/Set-group-and-mode-for-g-shadow-files.patch
@@ -1,75 +0,0 @@
-From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
-Date: Sat, 22 Jun 2024 17:39:41 +0200
-Subject: Set group and mode for [g]shadow files
-
-Set group 'shadow' and mode 0400.
-
-Fixes: #166793
---
- lib/commonio.c | 12 ++++++++++++
- lib/sgroupio.c |  2 +-
- lib/shadowio.c |  2 +-
- 3 files changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/lib/commonio.c b/lib/commonio.c
-index b7c9a2d..309efa0 100644
--- a/lib/commonio.c
-+++ b/lib/commonio.c
-@@ -21,6 +21,7 @@
- #include <sys/stat.h>
- #include <stdlib.h>
- #include <utime.h>
-+#include <grp.h>
- 
- #include "alloc/malloc.h"
- #include "alloc/reallocf.h"
-@@ -953,12 +954,23 @@ int commonio_close (struct commonio_db *db)
- 		if (errors)
- 			goto fail;
- 	} else {
-+		struct group *grp;
- 		/*
- 		 * Default permissions for new [g]shadow files.
- 		 */
- 		sb.st_mode = db->st_mode;
- 		sb.st_uid = db->st_uid;
- 		sb.st_gid = db->st_gid;
-+
-+		/*
-+		 * Try to retrieve the shadow's GID, and fall back to GID 0.
-+		 */
-+		if (sb.st_gid == 0) {
-+			if ((grp = getgrnam("shadow")) != NULL)
-+				sb.st_gid = grp->gr_gid;
-+			else
-+				sb.st_gid = 0;
-+		}
- 	}
- 
- 	if (SNPRINTF(buf, "%s+", db->filename) == -1)
-diff --git a/lib/sgroupio.c b/lib/sgroupio.c
-index 9805761..e3c0458 100644
--- a/lib/sgroupio.c
-+++ b/lib/sgroupio.c
-@@ -210,7 +210,7 @@ static struct commonio_db gshadow_db = {
- #ifdef WITH_SELINUX
- 	NULL,			/* scontext */
- #endif
-	0400,                   /* st_mode */
-+	0440,                   /* st_mode */
- 	0,                      /* st_uid */
- 	0,                      /* st_gid */
- 	NULL,			/* head */
-diff --git a/lib/shadowio.c b/lib/shadowio.c
-index d2c3b47..53dac0b 100644
--- a/lib/shadowio.c
-+++ b/lib/shadowio.c
-@@ -85,7 +85,7 @@ static struct commonio_db shadow_db = {
- #ifdef WITH_SELINUX
- 	NULL,			/* scontext */
- #endif				/* WITH_SELINUX */
-	0400,                   /* st_mode */
-+	0440,                   /* st_mode */
- 	0,                      /* st_uid */
- 	0,                      /* st_gid */
- 	NULL,			/* head */
--- a/debian/patches/debian/Stop-building-programs-we-do-not-install.patch
+++ b/debian/patches/debian/Stop-building-programs-we-do-not-install.patch
@@ -1,561 +0,0 @@
-From: Chris Hofstaedtler <zeha@debian.org>
-Date: Tue, 6 Aug 2024 00:27:13 +0200
-Subject: Stop building programs we do not install
-
---
- man/Makefile.am       | 15 ---------------
- man/cs/Makefile.am    |  9 ---------
- man/da/Makefile.am    |  3 ---
- man/de/Makefile.am    | 10 ----------
- man/fr/Makefile.am    | 10 ----------
- man/hu/Makefile.am    |  3 ---
- man/id/Makefile.am    |  1 -
- man/it/Makefile.am    | 10 ----------
- man/ja/Makefile.am    |  8 --------
- man/ko/Makefile.am    |  2 --
- man/pl/Makefile.am    |  6 ------
- man/ru/Makefile.am    |  9 ---------
- man/sv/Makefile.am    |  8 --------
- man/tr/Makefile.am    |  2 --
- man/uk/Makefile.am    |  9 ---------
- man/zh_CN/Makefile.am | 10 ----------
- man/zh_TW/Makefile.am |  2 --
- src/Makefile.am       |  7 +++----
- 18 files changed, 3 insertions(+), 121 deletions(-)
-
-diff --git a/man/Makefile.am b/man/Makefile.am
-index 2523e84..05a0c86 100644
--- a/man/Makefile.am
-+++ b/man/Makefile.am
-@@ -13,8 +13,6 @@ man_MANS = \
- 	man8/chpasswd.8 \
- 	man1/chsh.1 \
- 	man1/expiry.1 \
-	man5/faillog.5 \
-	man8/faillog.8 \
- 	man3/getspnam.3 \
- 	man1/gpasswd.1 \
- 	man8/groupadd.8 \
-@@ -25,19 +23,14 @@ man_MANS = \
- 	man8/grpconv.8 \
- 	man8/grpunconv.8 \
- 	man5/gshadow.5 \
-	man1/login.1 \
- 	man5/login.defs.5 \
-	man8/logoutd.8 \
-	man1/newgrp.1 \
- 	man8/newusers.8 \
-	man8/nologin.8 \
- 	man1/passwd.1 \
- 	man5/passwd.5 \
- 	man8/pwck.8 \
- 	man8/pwconv.8 \
- 	man8/pwunconv.8 \
- 	man8/shadowconfig.8 \
-	man1/sg.1 \
- 	man3/shadow.3 \
- 	man5/shadow.5 \
- 	man8/useradd.8 \
-@@ -82,8 +75,6 @@ man_XMANS = \
- 	chpasswd.8.xml \
- 	chsh.1.xml \
- 	expiry.1.xml \
-	faillog.5.xml \
-	faillog.8.xml \
- 	getsubids.1.xml \
- 	gpasswd.1.xml \
- 	groupadd.8.xml \
-@@ -96,12 +87,9 @@ man_XMANS = \
- 	login.1.xml \
- 	login.access.5.xml \
- 	login.defs.5.xml \
-	logoutd.8.xml \
- 	newgidmap.1.xml \
-	newgrp.1.xml \
- 	newuidmap.1.xml \
- 	newusers.8.xml \
-	nologin.8.xml \
- 	passwd.1.xml \
- 	passwd.5.xml \
- 	porttime.5.xml \
-@@ -109,9 +97,6 @@ man_XMANS = \
- 	pwconv.8.xml \
- 	shadow.3.xml \
- 	shadow.5.xml \
-	sg.1.xml \
-	su.1.xml \
-	suauth.5.xml \
- 	subgid.5.xml \
- 	subuid.5.xml \
- 	useradd.8.xml \
-diff --git a/man/cs/Makefile.am b/man/cs/Makefile.am
-index 45aec38..e1f9f87 100644
--- a/man/cs/Makefile.am
-+++ b/man/cs/Makefile.am
-@@ -3,25 +3,16 @@ mandir = @mandir@/cs
- 
- man_MANS = \
- 	man1/expiry.1 \
-	man5/faillog.5 \
-	man8/faillog.8 \
- 	man1/gpasswd.1 \
- 	man8/groupadd.8 \
- 	man8/groupdel.8 \
- 	man8/groupmod.8 \
- 	man8/grpck.8 \
- 	man5/gshadow.5 \
-	man8/nologin.8 \
- 	man5/passwd.5 \
- 	man5/shadow.5 \
-	man1/su.1 \
- 	man8/vipw.8
- 
- if ENABLE_LASTLOG
- man_MANS += man8/lastlog.8
- endif
-
-EXTRA_DIST = $(man_MANS) \
-	man8/groupmems.8 \
-	man8/logoutd.8
-
-diff --git a/man/da/Makefile.am b/man/da/Makefile.am
-index c61b787..12234cb 100644
--- a/man/da/Makefile.am
-+++ b/man/da/Makefile.am
-@@ -6,10 +6,7 @@ man_MANS = \
- 	man1/chfn.1 \
- 	man8/groupdel.8 \
- 	man5/gshadow.5 \
-	man8/logoutd.8 \
- 	man1/newgrp.1 \
-	man8/nologin.8 \
-	man1/sg.1 \
- 	man8/vigr.8 \
- 	man8/vipw.8
- 
-diff --git a/man/de/Makefile.am b/man/de/Makefile.am
-index d3a6d6c..59602aa 100644
--- a/man/de/Makefile.am
-+++ b/man/de/Makefile.am
-@@ -8,34 +8,24 @@ man_MANS = \
- 	man8/chpasswd.8 \
- 	man1/chsh.1 \
- 	man1/expiry.1 \
-	man5/faillog.5 \
-	man8/faillog.8 \
- 	man3/getspnam.3 \
- 	man1/gpasswd.1 \
- 	man8/groupadd.8 \
- 	man8/groupdel.8 \
-	man8/groupmems.8 \
- 	man8/groupmod.8 \
- 	man8/grpck.8 \
- 	man8/grpconv.8 \
- 	man8/grpunconv.8 \
- 	man5/gshadow.5 \
-	man1/login.1 \
- 	man5/login.defs.5 \
-	man8/logoutd.8 \
-	man1/newgrp.1 \
- 	man8/newusers.8 \
-	man8/nologin.8 \
- 	man1/passwd.1 \
- 	man5/passwd.5 \
- 	man8/pwck.8 \
- 	man8/pwconv.8 \
- 	man8/pwunconv.8 \
-	man1/sg.1 \
- 	man3/shadow.3 \
- 	man5/shadow.5 \
-	man1/su.1 \
-	man5/suauth.5 \
- 	man8/useradd.8 \
- 	man8/userdel.8 \
- 	man8/usermod.8 \
-diff --git a/man/fr/Makefile.am b/man/fr/Makefile.am
-index 2365e23..6cbaadc 100644
--- a/man/fr/Makefile.am
-+++ b/man/fr/Makefile.am
-@@ -8,34 +8,24 @@ man_MANS = \
- 	man8/chpasswd.8 \
- 	man1/chsh.1 \
- 	man1/expiry.1 \
-	man5/faillog.5 \
-	man8/faillog.8 \
- 	man3/getspnam.3 \
- 	man1/gpasswd.1 \
- 	man8/groupadd.8 \
- 	man8/groupdel.8 \
-	man8/groupmems.8 \
- 	man8/groupmod.8 \
- 	man8/grpck.8 \
- 	man8/grpconv.8 \
- 	man8/grpunconv.8 \
- 	man5/gshadow.5 \
-	man1/login.1 \
- 	man5/login.defs.5 \
-	man8/logoutd.8 \
-	man1/newgrp.1 \
- 	man8/newusers.8 \
-	man8/nologin.8 \
- 	man1/passwd.1 \
- 	man5/passwd.5 \
- 	man8/pwck.8 \
- 	man8/pwconv.8 \
- 	man8/pwunconv.8 \
-	man1/sg.1 \
- 	man3/shadow.3 \
- 	man5/shadow.5 \
-	man1/su.1 \
-	man5/suauth.5 \
- 	man8/useradd.8 \
- 	man8/userdel.8 \
- 	man8/usermod.8 \
-diff --git a/man/hu/Makefile.am b/man/hu/Makefile.am
-index 6bf68e8..2930da3 100644
--- a/man/hu/Makefile.am
-+++ b/man/hu/Makefile.am
-@@ -4,11 +4,8 @@ mandir = @mandir@/hu
- man_MANS = \
- 	man1/chsh.1 \
- 	man1/gpasswd.1 \
-	man1/login.1 \
-	man1/newgrp.1 \
- 	man1/passwd.1 \
- 	man5/passwd.5 \
-	man1/sg.1 \
- 	man1/su.1
- 
- if ENABLE_LASTLOG
-diff --git a/man/id/Makefile.am b/man/id/Makefile.am
-index 21f3dbe..566fa8b 100644
--- a/man/id/Makefile.am
-+++ b/man/id/Makefile.am
-@@ -3,7 +3,6 @@ mandir = @mandir@/id
- 
- man_MANS = \
- 	man1/chsh.1 \
-	man1/login.1 \
- 	man8/useradd.8
- 
- EXTRA_DIST = $(man_MANS)
-diff --git a/man/it/Makefile.am b/man/it/Makefile.am
-index 736576c..3312232 100644
--- a/man/it/Makefile.am
-+++ b/man/it/Makefile.am
-@@ -8,34 +8,24 @@ man_MANS = \
- 	man8/chpasswd.8 \
- 	man1/chsh.1 \
- 	man1/expiry.1 \
-	man5/faillog.5 \
-	man8/faillog.8 \
- 	man3/getspnam.3 \
- 	man1/gpasswd.1 \
- 	man8/groupadd.8 \
- 	man8/groupdel.8 \
-	man8/groupmems.8 \
- 	man8/groupmod.8 \
- 	man8/grpck.8 \
- 	man8/grpconv.8 \
- 	man8/grpunconv.8 \
- 	man5/gshadow.5 \
-	man1/login.1 \
- 	man5/login.defs.5 \
-	man8/logoutd.8 \
-	man1/newgrp.1 \
- 	man8/newusers.8 \
-	man8/nologin.8 \
- 	man1/passwd.1 \
- 	man5/passwd.5 \
- 	man8/pwck.8 \
- 	man8/pwconv.8 \
- 	man8/pwunconv.8 \
-	man1/sg.1 \
- 	man3/shadow.3 \
- 	man5/shadow.5 \
-	man1/su.1 \
-	man5/suauth.5 \
- 	man8/useradd.8 \
- 	man8/userdel.8 \
- 	man8/usermod.8 \
-diff --git a/man/ja/Makefile.am b/man/ja/Makefile.am
-index b759726..1e22da2 100644
--- a/man/ja/Makefile.am
-+++ b/man/ja/Makefile.am
-@@ -7,8 +7,6 @@ man_MANS = \
- 	man8/chpasswd.8 \
- 	man1/chsh.1 \
- 	man1/expiry.1 \
-	man5/faillog.5 \
-	man8/faillog.8 \
- 	man1/gpasswd.1 \
- 	man8/groupadd.8 \
- 	man8/groupdel.8 \
-@@ -16,20 +14,14 @@ man_MANS = \
- 	man8/grpck.8 \
- 	man8/grpconv.8 \
- 	man8/grpunconv.8 \
-	man1/login.1 \
- 	man5/login.defs.5 \
-	man8/logoutd.8 \
-	man1/newgrp.1 \
- 	man8/newusers.8 \
- 	man1/passwd.1 \
- 	man5/passwd.5 \
- 	man8/pwck.8 \
- 	man8/pwconv.8 \
- 	man8/pwunconv.8 \
-	man1/sg.1 \
- 	man5/shadow.5 \
-	man1/su.1 \
-	man5/suauth.5 \
- 	man8/useradd.8 \
- 	man8/userdel.8 \
- 	man8/usermod.8 \
-diff --git a/man/ko/Makefile.am b/man/ko/Makefile.am
-index 4f73651..0f17a17 100644
--- a/man/ko/Makefile.am
-+++ b/man/ko/Makefile.am
-@@ -4,9 +4,7 @@ mandir = @mandir@/ko
- man_MANS = \
- 	man1/chfn.1 \
- 	man1/chsh.1 \
-	man1/login.1 \
- 	man5/passwd.5 \
-	man1/su.1 \
- 	man8/vigr.8 \
- 	man8/vipw.8
- # newgrp.1 must be updated
-diff --git a/man/pl/Makefile.am b/man/pl/Makefile.am
-index 2a015f3..02f4533 100644
--- a/man/pl/Makefile.am
-+++ b/man/pl/Makefile.am
-@@ -6,17 +6,11 @@ man_MANS = \
- 	man1/chage.1 \
- 	man1/chsh.1 \
- 	man1/expiry.1 \
-	man5/faillog.5 \
-	man8/faillog.8 \
- 	man3/getspnam.3 \
- 	man8/groupadd.8 \
- 	man8/groupdel.8 \
-	man8/groupmems.8 \
- 	man8/groupmod.8 \
- 	man8/grpck.8 \
-	man8/logoutd.8 \
-	man1/newgrp.1 \
-	man1/sg.1 \
- 	man3/shadow.3 \
- 	man8/userdel.8 \
- 	man8/usermod.8 \
-diff --git a/man/ru/Makefile.am b/man/ru/Makefile.am
-index 845a603..9afcb22 100644
--- a/man/ru/Makefile.am
-+++ b/man/ru/Makefile.am
-@@ -8,22 +8,16 @@ man_MANS = \
- 	man8/chpasswd.8 \
- 	man1/chsh.1 \
- 	man1/expiry.1 \
-	man5/faillog.5 \
-	man8/faillog.8 \
- 	man3/getspnam.3 \
- 	man1/gpasswd.1 \
- 	man8/groupadd.8 \
- 	man8/groupdel.8 \
-	man8/groupmems.8 \
- 	man8/groupmod.8 \
- 	man8/grpck.8 \
- 	man8/grpconv.8 \
- 	man8/grpunconv.8 \
- 	man5/gshadow.5 \
-	man1/login.1 \
- 	man5/login.defs.5 \
-	man8/logoutd.8 \
-	man1/newgrp.1 \
- 	man8/newusers.8 \
- 	man8/nologin.8 \
- 	man1/passwd.1 \
-@@ -31,11 +25,8 @@ man_MANS = \
- 	man8/pwck.8 \
- 	man8/pwconv.8 \
- 	man8/pwunconv.8 \
-	man1/sg.1 \
- 	man3/shadow.3 \
- 	man5/shadow.5 \
-	man1/su.1 \
-	man5/suauth.5 \
- 	man8/useradd.8 \
- 	man8/userdel.8 \
- 	man8/usermod.8 \
-diff --git a/man/sv/Makefile.am b/man/sv/Makefile.am
-index 1918af7..d572c36 100644
--- a/man/sv/Makefile.am
-+++ b/man/sv/Makefile.am
-@@ -5,24 +5,16 @@ man_MANS = \
- 	man1/chage.1 \
- 	man1/chsh.1 \
- 	man1/expiry.1 \
-	man5/faillog.5 \
-	man8/faillog.8 \
- 	man3/getspnam.3 \
- 	man8/groupadd.8 \
- 	man8/groupdel.8 \
-	man8/groupmems.8 \
- 	man8/groupmod.8 \
- 	man8/grpck.8 \
- 	man5/gshadow.5 \
-	man8/logoutd.8 \
-	man1/newgrp.1 \
-	man8/nologin.8 \
- 	man1/passwd.1 \
- 	man5/passwd.5 \
- 	man8/pwck.8 \
-	man1/sg.1 \
- 	man3/shadow.3 \
-	man5/suauth.5 \
- 	man8/userdel.8 \
- 	man8/vigr.8 \
- 	man8/vipw.8
-diff --git a/man/tr/Makefile.am b/man/tr/Makefile.am
-index 8d8b916..8b2aa2d 100644
--- a/man/tr/Makefile.am
-+++ b/man/tr/Makefile.am
-@@ -6,11 +6,9 @@ man_MANS = \
- 	man8/groupadd.8 \
- 	man8/groupdel.8 \
- 	man8/groupmod.8 \
-	man1/login.1 \
- 	man1/passwd.1 \
- 	man5/passwd.5 \
- 	man5/shadow.5 \
-	man1/su.1 \
- 	man8/useradd.8 \
- 	man8/userdel.8 \
- 	man8/usermod.8
-diff --git a/man/uk/Makefile.am b/man/uk/Makefile.am
-index a0f106d..f069eea 100644
--- a/man/uk/Makefile.am
-+++ b/man/uk/Makefile.am
-@@ -8,34 +8,25 @@ man_MANS = \
- 	man8/chpasswd.8 \
- 	man1/chsh.1 \
- 	man1/expiry.1 \
-	man5/faillog.5 \
-	man8/faillog.8 \
- 	man3/getspnam.3 \
- 	man1/gpasswd.1 \
- 	man8/groupadd.8 \
- 	man8/groupdel.8 \
-	man8/groupmems.8 \
- 	man8/groupmod.8 \
- 	man8/grpck.8 \
- 	man8/grpconv.8 \
- 	man8/grpunconv.8 \
- 	man5/gshadow.5 \
-	man1/login.1 \
- 	man5/login.defs.5 \
-	man8/logoutd.8 \
- 	man1/newgrp.1 \
- 	man8/newusers.8 \
-	man8/nologin.8 \
- 	man1/passwd.1 \
- 	man5/passwd.5 \
- 	man8/pwck.8 \
- 	man8/pwconv.8 \
- 	man8/pwunconv.8 \
-	man1/sg.1 \
- 	man3/shadow.3 \
- 	man5/shadow.5 \
-	man1/su.1 \
-	man5/suauth.5 \
- 	man8/useradd.8 \
- 	man8/userdel.8 \
- 	man8/usermod.8 \
-diff --git a/man/zh_CN/Makefile.am b/man/zh_CN/Makefile.am
-index 59d1072..9402a9e 100644
--- a/man/zh_CN/Makefile.am
-+++ b/man/zh_CN/Makefile.am
-@@ -8,34 +8,24 @@ man_MANS = \
- 	man8/chpasswd.8 \
- 	man1/chsh.1 \
- 	man1/expiry.1 \
-	man5/faillog.5 \
-	man8/faillog.8 \
- 	man3/getspnam.3 \
- 	man1/gpasswd.1 \
- 	man8/groupadd.8 \
- 	man8/groupdel.8 \
-	man8/groupmems.8 \
- 	man8/groupmod.8 \
- 	man8/grpck.8 \
- 	man8/grpconv.8 \
- 	man8/grpunconv.8 \
- 	man5/gshadow.5 \
-	man1/login.1 \
- 	man5/login.defs.5 \
-	man8/logoutd.8 \
-	man1/newgrp.1 \
- 	man8/newusers.8 \
-	man8/nologin.8 \
- 	man1/passwd.1 \
- 	man5/passwd.5 \
- 	man8/pwck.8 \
- 	man8/pwconv.8 \
- 	man8/pwunconv.8 \
-	man1/sg.1 \
- 	man3/shadow.3 \
- 	man5/shadow.5 \
-	man1/su.1 \
-	man5/suauth.5 \
- 	man8/useradd.8 \
- 	man8/userdel.8 \
- 	man8/usermod.8 \
-diff --git a/man/zh_TW/Makefile.am b/man/zh_TW/Makefile.am
-index c36ed2c..6fb6a15 100644
--- a/man/zh_TW/Makefile.am
-+++ b/man/zh_TW/Makefile.am
-@@ -5,12 +5,10 @@ man_MANS = \
- 	man1/chfn.1 \
- 	man1/chsh.1 \
- 	man8/chpasswd.8 \
-	man1/newgrp.1 \
- 	man8/groupadd.8 \
- 	man8/groupdel.8 \
- 	man8/groupmod.8 \
- 	man5/passwd.5 \
-	man1/su.1 \
- 	man8/useradd.8 \
- 	man8/userdel.8 \
- 	man8/usermod.8
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 6981815..5ca78ed 100644
--- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -26,8 +26,8 @@ AM_CFLAGS = $(LIBBSD_CFLAGS)
- # and installation would be much simpler (just two directories,
- # $prefix/bin and $prefix/sbin, no install-data hacks...)
- 
-bin_PROGRAMS   = login
-sbin_PROGRAMS  = nologin
-+bin_PROGRAMS   =
-+sbin_PROGRAMS  =
- ubin_PROGRAMS  = faillog chage chfn chsh expiry gpasswd newgrp passwd
- if ENABLE_SUBIDS
- ubin_PROGRAMS += newgidmap newuidmap
-@@ -48,7 +48,6 @@ usbin_PROGRAMS = \
- 	grpck \
- 	grpconv \
- 	grpunconv \
-	logoutd \
- 	newusers \
- 	pwck \
- 	pwconv \
-@@ -59,7 +58,7 @@ usbin_PROGRAMS = \
- 	vipw
- 
- # sulogin from sysvinit
-noinst_PROGRAMS = sulogin
-+noinst_PROGRAMS =
- 
- suidusbins     =
- suidbins       =
--- a/debian/patches/debian/Warn-when-badname-and-variants-are-given.patch
+++ b/debian/patches/debian/Warn-when-badname-and-variants-are-given.patch
@@ -1,104 +0,0 @@
-From: Chris Hofstaedtler <zeha@debian.org>
-Date: Mon, 17 Feb 2025 18:17:15 +0100
-Subject: Warn when --badname (and variants) are given
-
-Upstream PR 1158 will remove them, probably in the forky timeframe.
---
- src/newusers.c | 5 ++++-
- src/pwck.c     | 5 ++++-
- src/useradd.c  | 5 ++++-
- src/usermod.c  | 5 ++++-
- 4 files changed, 16 insertions(+), 4 deletions(-)
-
-diff --git a/src/newusers.c b/src/newusers.c
-index e3685ef..16abd81 100644
--- a/src/newusers.c
-+++ b/src/newusers.c
-@@ -127,7 +127,7 @@ static void usage (int status)
- 	                  "\n"
- 	                  "Options:\n"),
- 	                Prog);
-	(void) fputs (_("  -b, --badname                 allow bad names\n"), usageout);
-+	(void) fputs (_("  -b, --badname                 allow bad names (DEPRECATED)\n"), usageout);
- #ifndef USE_PAM
- 	(void) fprintf (usageout,
- 	                _("  -c, --crypt-method METHOD     the crypt method (one of %s)\n"),
-@@ -660,6 +660,9 @@ static void process_flags (int argc, char **argv)
- 		switch (c) {
- 		case 'b':
- 			allow_bad_names = true;
-+			fprintf (stderr,
-+					 _("%s: WARNING: -b and --badname are deprecated and will be removed\n"),
-+					 Prog);
- 			break;
- #ifndef USE_PAM
- 		case 'c':
-diff --git a/src/pwck.c b/src/pwck.c
-index b485a5a..e20be0f 100644
--- a/src/pwck.c
-+++ b/src/pwck.c
-@@ -133,7 +133,7 @@ usage (int status)
- 		                  "Options:\n"),
- 		                Prog);
- 	}
-	(void) fputs (_("  -b, --badname                 allow bad names\n"), usageout);
-+	(void) fputs (_("  -b, --badname                 allow bad names (DEPRECATED)\n"), usageout);
- 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
- 	(void) fputs (_("  -q, --quiet                   report errors only\n"), usageout);
- 	(void) fputs (_("  -r, --read-only               display errors and warnings\n"
-@@ -175,6 +175,9 @@ static void process_flags (int argc, char **argv)
- 		switch (c) {
- 		case 'b':
- 			allow_bad_names = true;
-+			fprintf (stderr,
-+					 _("%s: WARNING: --badname is deprecated and will be removed\n"),
-+					 Prog);
- 			break;
- 		case 'h':
- 			usage (E_SUCCESS);
-diff --git a/src/useradd.c b/src/useradd.c
-index 5e4eb2c..be9ec2e 100644
--- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -895,7 +895,7 @@ static void usage (int status)
- 	                  "\n"
- 	                  "Options:\n"),
- 	                Prog, Prog, Prog);
-	(void) fputs (_("      --badname                 do not check for bad names\n"), usageout);
-+	(void) fputs (_("      --badname                 do not check for bad names (DEPRECATED)\n"), usageout);
- 	(void) fputs (_("  -b, --base-dir BASE_DIR       base directory for the home directory of the\n"
- 	                "                                new account\n"), usageout);
- #ifdef WITH_BTRFS
-@@ -1241,6 +1241,9 @@ static void process_flags (int argc, char **argv)
- 				break;
- 			case 201:
- 				allow_bad_names = true;
-+				fprintf (stderr,
-+					     _("%s: WARNING: --badname is deprecated and will be removed\n"),
-+					     Prog);
- 				break;
- 			case 'c':
- 				if (!VALID (optarg)) {
-diff --git a/src/usermod.c b/src/usermod.c
-index 7ea1a72..3e9e046 100644
--- a/src/usermod.c
-+++ b/src/usermod.c
-@@ -383,7 +383,7 @@ usage (int status)
- 	(void) fputs (_("  -a, --append                  append the user to the supplemental GROUPS\n"
- 	                "                                mentioned by the -G option without removing\n"
- 	                "                                the user from other groups\n"), usageout);
-	(void) fputs (_("  -b, --badname                 allow bad names\n"), usageout);
-+	(void) fputs (_("  -b, --badname                 allow bad names (DEPRECATED)\n"), usageout);
- 	(void) fputs (_("  -c, --comment COMMENT         new value of the GECOS field\n"), usageout);
- 	(void) fputs (_("  -d, --home HOME_DIR           new home directory for the user account\n"), usageout);
- 	(void) fputs (_("  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE\n"), usageout);
-@@ -1043,6 +1043,9 @@ process_flags(int argc, char **argv)
- 				break;
- 			case 'b':
- 				allow_bad_names = true;
-+				fprintf (stderr,
-+					     _("%s: WARNING: -b, --badname and --badnames are deprecated and will be removed\n"),
-+					     Prog);
- 				break;
- 			case 'c':
- 				if (!VALID (optarg)) {
--- a/debian/patches/debian/configure.ac-align-exec_prefix-with-prefix.patch
+++ b/debian/patches/debian/configure.ac-align-exec_prefix-with-prefix.patch
@@ -1,23 +0,0 @@
-From: Chris Hofstaedtler <zeha@debian.org>
-Date: Mon, 24 Feb 2025 23:24:41 +0100
-Subject: configure.ac: align exec_prefix with prefix
-
-Hopefully upstream will fix this one day.
-Reported as https://github.com/shadow-maint/shadow/issues/1229
---
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 36c57d8..8a9c05a 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -18,7 +18,7 @@ AC_SUBST([LIBSUBID_ABI], [libsubid_abi])
- 
- dnl Some hacks...
- test "$prefix" = "NONE" && prefix="/usr"
-test "$prefix" = "/usr" && exec_prefix=""
-+test "$prefix" = "/usr" && exec_prefix="/usr"
- 
- AC_USE_SYSTEM_EXTENSIONS
- 
--- a/debian/patches/debian/configure.ac-be-deterministic-about-passwd-location.patch
+++ b/debian/patches/debian/configure.ac-be-deterministic-about-passwd-location.patch
@@ -1,30 +0,0 @@
-From: Chris Hofstaedtler <zeha@debian.org>
-Date: Mon, 24 Feb 2025 12:01:18 +0100
-Subject: configure.ac: be deterministic about passwd location
-
-Improve reproducibility, without Build-Depend:ing on ourselves.
-
-Forwarded: https://github.com/shadow-maint/shadow/issues/1224
---
- configure.ac | 8 +-------
- 1 file changed, 1 insertion(+), 7 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 8a9c05a..b7cc59c 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -115,13 +115,7 @@ AC_DEFINE_UNQUOTED(LASTLOG_FILE, "$shadow_cv_logdir/lastlog",
- AC_DEFINE_UNQUOTED(FAILLOG_FILE, "$shadow_cv_logdir/faillog",
- 	[Path for faillog file.])
- 
-AC_CACHE_CHECK([location of the passwd program], shadow_cv_passwd_dir,
-[if test -f /usr/bin/passwd; then
-	shadow_cv_passwd_dir=/usr/bin
-else
-	shadow_cv_passwd_dir=/bin
-fi])
-AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, "$shadow_cv_passwd_dir/passwd",
-+AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, "$exec_prefix/bin/passwd",
- 	[Path to passwd program.])
- 
- AC_ARG_ENABLE(shadowgrp,
--- a/debian/patches/debian/tests-disable-su.patch
+++ b/debian/patches/debian/tests-disable-su.patch
@@ -1,89 +0,0 @@
-From: Serge Hallyn <serge@hallyn.com>
-Date: Thu, 27 Jun 2024 01:23:05 +0200
-Subject: upstream testsuite: disable su tests
-
-Debian uses su from util-linux, pointless/impossible to test shadow's su
-here.
---
- tests/run_some | 68 ----------------------------------------------------------
- 1 file changed, 68 deletions(-)
-
-diff --git a/tests/run_some b/tests/run_some
-index c58f59b..46317eb 100755
--- a/tests/run_some
-+++ b/tests/run_some
-@@ -79,74 +79,6 @@ echo "-: test failed"
- find "${build_path}" -name "*.gcda" -delete
- # ignore the result of the first test.  ~magic~
- run_test ./su/01/su_user.test ignore_failure
-run_test ./su/01/su_user.test
-run_test ./su/01/su_root.test
-find "${build_path}" -name "*.gcda" -exec chmod a+rw {} \;
-run_test ./su/02/env_FOO-options_--login
-run_test ./su/02/env_FOO-options_--login_bash
-run_test ./su/02/env_FOO-options_--preserve-environment
-run_test ./su/02/env_FOO-options_--preserve-environment_bash
-run_test ./su/02/env_FOO-options_-
-run_test ./su/02/env_FOO-options_-_bash
-run_test ./su/02/env_FOO-options_-l-m
-run_test ./su/02/env_FOO-options_-l-m_bash
-run_test ./su/02/env_FOO-options_-l
-run_test ./su/02/env_FOO-options_-l_bash
-run_test ./su/02/env_FOO-options_-m_bash
-run_test ./su/02/env_FOO-options_-m
-run_test ./su/02/env_FOO-options_-p
-run_test ./su/02/env_FOO-options_-p_bash
-run_test ./su/02/env_FOO-options__bash
-run_test ./su/02/env_FOO-options_
-run_test ./su/02/env_FOO-options_-p-
-run_test ./su/02/env_FOO-options_-p-_bash
-run_test ./su/02/env_special-options_-l-p
-run_test ./su/02/env_special-options_-l
-run_test ./su/02/env_special-options_-l-p_bash
-run_test ./su/02/env_special-options_-l_bash
-run_test ./su/02/env_special-options_-p
-run_test ./su/02/env_special-options_-p_bash
-run_test ./su/02/env_special-options_
-run_test ./su/02/env_special-options__bash
-run_test ./su/02/env_special_root-options_-l-p
-run_test ./su/02/env_special_root-options_-l-p_bash
-run_test ./su/02/env_special_root-options_-l
-run_test ./su/02/env_special_root-options_-l_bash
-run_test ./su/02/env_special_root-options_-p
-run_test ./su/02/env_special_root-options_-p_bash
-run_test ./su/02/env_special_root-options_
-run_test ./su/02/env_special_root-options__bash
-run_test ./su/03/su_run_command01.test
-run_test ./su/03/su_run_command02.test
-run_test ./su/03/su_run_command03.test
-run_test ./su/03/su_run_command04.test
-run_test ./su/03/su_run_command05.test
-run_test ./su/03/su_run_command06.test
-run_test ./su/03/su_run_command07.test
-run_test ./su/03/su_run_command08.test
-run_test ./su/03/su_run_command09.test
-run_test ./su/03/su_run_command10.test
-run_test ./su/03/su_run_command11.test
-run_test ./su/03/su_run_command12.test
-run_test ./su/03/su_run_command13.test
-run_test ./su/03/su_run_command14.test
-run_test ./su/03/su_run_command15.test
-run_test ./su/03/su_run_command16.test
-run_test ./su/03/su_run_command17.test
-run_test ./su/04/su_wrong_user.test
-run_test ./su/04/su_user_wrong_passwd.test
-run_test ./su/04/su_user_wrong_passwd_syslog.test
-run_test ./su/05/su_user_wrong_passwd_syslog.test
-run_test ./su/06/su_user_syslog.test
-run_test ./su/07/su_user_syslog.test
-run_test ./su/08/env_special-options_
-run_test ./su/08/env_special_root-options_
-run_test ./su/09/env_special-options_
-run_test ./su/09/env_special_root-options_
-run_test ./su/10_su_sulog_success/su.test
-run_test ./su/11_su_sulog_failure/su.test
-run_test ./su/12_su_child_failure/su.test
-run_test ./su/13_su_child_success/su.test
- run_test ./libsubid/01_list_ranges/list_ranges.test
- run_test ./libsubid/02_get_subid_owners/get_subid_owners.test
- run_test ./libsubid/03_add_remove/add_remove_subids.test
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,17 +0,0 @@
-debian/Set-group-and-mode-for-g-shadow-files.patch
-debian/Keep-using-Debian-adduser-defaults.patch
-debian/Document-the-shadowconfig-utility.patch
-debian/Recommend-using-adduser-and-deluser.patch
-debian/tests-disable-su.patch
-debian/Adapt-login.defs-for-Debian.patch
-debian/Define-LOGIN_NAME_MAX-on-HURD.patch
-debian/Stop-building-programs-we-do-not-install.patch
-debian/Warn-when-badname-and-variants-are-given.patch
-debian/configure.ac-align-exec_prefix-with-prefix.patch
-debian/configure.ac-be-deterministic-about-passwd-location.patch
-upstream/Revert-lib-src-Use-local-time-for-human-readable-dates.patch
-upstream/src-chfn.c-Partially-revert-lib-src-Use-strsep-3-instead-.patch
-upstream/src-chfn.c-Use-stpsep-instead-of-its-pattern.patch
-upstream/src-chfn.c-Add-local-variable-to-refer-to-the-separated-f.patch
-upstream/src-chfn.c-copy_field-Rename-local-variable.patch
-upstream/lib-getdate.y-Ignore-time-zone-information-and-use-UTC.patch
--- a/debian/patches/upstream/Revert-lib-src-Use-local-time-for-human-readable-dates.patch
+++ b/debian/patches/upstream/Revert-lib-src-Use-local-time-for-human-readable-dates.patch
@@ -1,70 +0,0 @@
-From: Alejandro Colomar <alx@kernel.org>
-Date: Fri, 14 Feb 2025 21:25:01 +0100
-Subject: Revert "lib/, src/: Use local time for human-readable dates"
-
-This reverts commit 3f5b4b56268269fefed55aa106f382037297d663.
-
-The dates are stored as UTC, and are stored as a number of days since
-Epoch.  We don't have enough precision to translate it into local time.
-Using local time has caused endless issues in users.
-
-This patch is not enough for fixing this issue completely, since
-printing a date without time-zone information means that the date is a
-local date, but what we're printing is a UTC date.  A future patch
-should add time-zone information to the date.
-
-For now, let's revert this change that has caused so many issues.
-
-Fixes: 3f5b4b562682 (2024-08-01; "lib/, src/: Use local time for human-readable dates")
-Link: <https://github.com/ansible/ansible/blob/devel/test/integration/targets/user/tasks/test_expires.yml#L2-L20>
-Link: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095430>
-Link: <https://lists.iana.org/hyperkitty/list/tz@iana.org/message/ENE5IFV3GAH6WK22UJ6YU57D6TQINSP5/>
-Link: <https://github.com/shadow-maint/shadow/issues/1202>
-Link: <https://github.com/shadow-maint/shadow/issues/1057>
-Link: <https://github.com/shadow-maint/shadow/issues/939>
-Link: <https://github.com/shadow-maint/shadow/pull/1058>
-Link: <https://github.com/shadow-maint/shadow/pull/1059#issuecomment-2309888519>
-Link: <https://github.com/shadow-maint/shadow/pull/952>
-Link: <https://github.com/shadow-maint/shadow/pull/942>
-Reported-by: Chris Hofstaedtler <zeha@debian.org>
-Reported-by: Gus Kenion <https://github.com/kenion>
-Reported-by: Alejandro Colomar <alx@kernel.org>
-Reported-by: Michael Vetter <jubalh@iodoru.org>
-Reported-by: Lee Garrett <lgarrett@rocketjump.eu>
-Cc: Paul Eggert <eggert@cs.ucla.edu>
-Cc: Tim Parenti <tim@timtimeonline.com>
-Cc: Iker Pedrosa <ipedrosa@redhat.com>
-Cc: "Serge E. Hallyn" <serge@hallyn.com>
-Cc: Brian Inglis <Brian.Inglis@SystematicSW.ab.ca>
-Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
- lib/time/day_to_str.h | 2 +-
- src/chage.c           | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/time/day_to_str.h b/lib/time/day_to_str.h
-index b70e989..fe3308d 100644
--- a/lib/time/day_to_str.h
-+++ b/lib/time/day_to_str.h
-@@ -38,7 +38,7 @@ day_to_str(size_t size, char buf[size], long day)
- 		return;
- 	}
- 
-	if (localtime_r(&date, &tm) == NULL) {
-+	if (gmtime_r(&date, &tm) == NULL) {
- 		strtcpy(buf, "future", size);
- 		return;
- 	}
-diff --git a/src/chage.c b/src/chage.c
-index aed8e5b..e2902a7 100644
--- a/src/chage.c
-+++ b/src/chage.c
-@@ -238,7 +238,7 @@ print_day_as_date(long day)
- 		return;
- 	}
- 
-	if (localtime_r(&date, &tm) == NULL) {
-+	if (gmtime_r(&date, &tm) == NULL) {
- 		puts(_("future"));
- 		return;
- 	}
--- a/debian/patches/upstream/lib-getdate.y-Ignore-time-zone-information-and-use-UTC.patch
+++ b/debian/patches/upstream/lib-getdate.y-Ignore-time-zone-information-and-use-UTC.patch
@@ -1,375 +0,0 @@
-From: Alejandro Colomar <alx@kernel.org>
-Date: Tue, 18 Feb 2025 00:41:56 +0100
-Subject: lib/getdate.y: Ignore time-zone information and use UTC
-
-There is exactly one caller of this function, and it wants a date, not a
-time.  It is useless to be able to parse local dates, because we
-ultimately store a UTC date.  To avoid confusion, unconditionally use
-UTC.  Since this code had important bugs regarding offset, we can safely
-assume that no existing users rely on being able to use their local
-date (this never worked correctly).
-
-Also, the code parsing time zones was quite bad.
-
-Link: <https://github.com/shadow-maint/shadow/issues/1202>
-Link: <https://github.com/shadow-maint/shadow/issues/1209>
-Reported-by: Chris Hofstaedtler <zeha@debian.org>
-Reported-by: Tim Parenti <tim@timtimeonline.com>
-Reported-by: Lee Garrett <lgarrett@rocketjump.eu>
-Cc: Gus Kenion <https://github.com/kenion>
-Cc: Michael Vetter <jubalh@iodoru.org>
-Cc: Paul Eggert <eggert@cs.ucla.edu>
-Cc: Iker Pedrosa <ipedrosa@redhat.com>
-Cc: "Serge E. Hallyn" <serge@hallyn.com>
-Cc: Brian Inglis <Brian.Inglis@SystematicSW.ab.ca>
-Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
- lib/getdate.y | 225 +++-------------------------------------------------------
- 1 file changed, 10 insertions(+), 215 deletions(-)
-
-diff --git a/lib/getdate.y b/lib/getdate.y
-index 20b1f5f..5b1d88d 100644
--- a/lib/getdate.y
-+++ b/lib/getdate.y
-@@ -92,8 +92,6 @@
- static int yylex (void);
- static int yyerror (const char *s);
- 
-#define EPOCH		1970
-#define HOUR(x)		((x) * 60)
- 
- #define MAX_BUFF_LEN    128   /* size of buffer to read the date into */
- 
-@@ -128,8 +126,6 @@ static int	yyHaveDate;
- static int	yyHaveDay;
- static int	yyHaveRel;
- static int	yyHaveTime;
-static int	yyHaveZone;
-static int	yyTimezone;
- static int	yyDay;
- static int	yyHour;
- static int	yyMinutes;
-@@ -151,13 +147,13 @@ static int	yyRelYear;
-     enum _MERIDIAN	Meridian;
- }
- 
-%token	tAGO tDAY tDAY_UNIT tDAYZONE tDST tHOUR_UNIT tID
-+%token	tAGO tDAY tDAY_UNIT tHOUR_UNIT tID
- %token	tMERIDIAN tMINUTE_UNIT tMONTH tMONTH_UNIT
-%token	tSEC_UNIT tSNUMBER tUNUMBER tYEAR_UNIT tZONE
-+%token	tSEC_UNIT tSNUMBER tUNUMBER tYEAR_UNIT
- 
-%type	<Number>	tDAY tDAY_UNIT tDAYZONE tHOUR_UNIT tMINUTE_UNIT
-+%type	<Number>	tDAY tDAY_UNIT tHOUR_UNIT tMINUTE_UNIT
- %type	<Number>	tMONTH tMONTH_UNIT
-%type	<Number>	tSEC_UNIT tSNUMBER tUNUMBER tYEAR_UNIT tZONE
-+%type	<Number>	tSEC_UNIT tSNUMBER tUNUMBER tYEAR_UNIT
- %type	<Meridian>	tMERIDIAN o_merid
- 
- %%
-@@ -169,9 +165,6 @@ spec	: /* NULL */
- item	: time {
- 	    yyHaveTime++;
- 	}
-	| zone {
-	    yyHaveZone++;
-	}
- 	| date {
- 	    yyHaveDate++;
- 	}
-@@ -200,10 +193,6 @@ time	: tUNUMBER tMERIDIAN {
- 	    yyHour = $1;
- 	    yyMinutes = $3;
- 	    yyMeridian = MER24;
-	    yyHaveZone++;
-	    yyTimezone = ($4 < 0
-			  ? -$4 % 100 + (-$4 / 100) * 60
-			  : - ($4 % 100 + ($4 / 100) * 60));
- 	}
- 	| tUNUMBER ':' tUNUMBER ':' tUNUMBER o_merid {
- 	    yyHour = $1;
-@@ -216,22 +205,6 @@ time	: tUNUMBER tMERIDIAN {
- 	    yyMinutes = $3;
- 	    yySeconds = $5;
- 	    yyMeridian = MER24;
-	    yyHaveZone++;
-	    yyTimezone = ($6 < 0
-			  ? -$6 % 100 + (-$6 / 100) * 60
-			  : - ($6 % 100 + ($6 / 100) * 60));
-	}
-	;
-
-zone	: tZONE {
-	    yyTimezone = $1;
-	}
-	| tDAYZONE {
-	    yyTimezone = $1 - 60;
-	}
-	|
-	  tZONE tDST {
-	    yyTimezone = $1 - 60;
- 	}
- 	;
- 
-@@ -484,91 +457,6 @@ static TABLE const OtherTable[] = {
-     { NULL, 0, 0 }
- };
- 
-/* The timezone table. */
-static TABLE const TimezoneTable[] = {
-    { "gmt",	tZONE,     HOUR ( 0) },	/* Greenwich Mean */
-    { "ut",	tZONE,     HOUR ( 0) },	/* Universal (Coordinated) */
-    { "utc",	tZONE,     HOUR ( 0) },
-    { "wet",	tZONE,     HOUR ( 0) },	/* Western European */
-    { "bst",	tDAYZONE,  HOUR ( 0) },	/* British Summer */
-    { "wat",	tZONE,     HOUR ( 1) },	/* West Africa */
-    { "at",	tZONE,     HOUR ( 2) },	/* Azores */
-    { "ast",	tZONE,     HOUR ( 4) },	/* Atlantic Standard */
-    { "adt",	tDAYZONE,  HOUR ( 4) },	/* Atlantic Daylight */
-    { "est",	tZONE,     HOUR ( 5) },	/* Eastern Standard */
-    { "edt",	tDAYZONE,  HOUR ( 5) },	/* Eastern Daylight */
-    { "cst",	tZONE,     HOUR ( 6) },	/* Central Standard */
-    { "cdt",	tDAYZONE,  HOUR ( 6) },	/* Central Daylight */
-    { "mst",	tZONE,     HOUR ( 7) },	/* Mountain Standard */
-    { "mdt",	tDAYZONE,  HOUR ( 7) },	/* Mountain Daylight */
-    { "pst",	tZONE,     HOUR ( 8) },	/* Pacific Standard */
-    { "pdt",	tDAYZONE,  HOUR ( 8) },	/* Pacific Daylight */
-    { "yst",	tZONE,     HOUR ( 9) },	/* Yukon Standard */
-    { "ydt",	tDAYZONE,  HOUR ( 9) },	/* Yukon Daylight */
-    { "hst",	tZONE,     HOUR (10) },	/* Hawaii Standard */
-    { "hdt",	tDAYZONE,  HOUR (10) },	/* Hawaii Daylight */
-    { "cat",	tZONE,     HOUR (10) },	/* Central Alaska */
-    { "ahst",	tZONE,     HOUR (10) },	/* Alaska-Hawaii Standard */
-    { "nt",	tZONE,     HOUR (11) },	/* Nome */
-    { "idlw",	tZONE,     HOUR (12) },	/* International Date Line West */
-    { "cet",	tZONE,     -HOUR (1) },	/* Central European */
-    { "met",	tZONE,     -HOUR (1) },	/* Middle European */
-    { "mewt",	tZONE,     -HOUR (1) },	/* Middle European Winter */
-    { "mest",	tDAYZONE,  -HOUR (1) },	/* Middle European Summer */
-    { "mesz",	tDAYZONE,  -HOUR (1) },	/* Middle European Summer */
-    { "swt",	tZONE,     -HOUR (1) },	/* Swedish Winter */
-    { "sst",	tDAYZONE,  -HOUR (1) },	/* Swedish Summer */
-    { "fwt",	tZONE,     -HOUR (1) },	/* French Winter */
-    { "fst",	tDAYZONE,  -HOUR (1) },	/* French Summer */
-    { "eet",	tZONE,     -HOUR (2) },	/* Eastern Europe, USSR Zone 1 */
-    { "bt",	tZONE,     -HOUR (3) },	/* Baghdad, USSR Zone 2 */
-    { "zp4",	tZONE,     -HOUR (4) },	/* USSR Zone 3 */
-    { "zp5",	tZONE,     -HOUR (5) },	/* USSR Zone 4 */
-    { "zp6",	tZONE,     -HOUR (6) },	/* USSR Zone 5 */
-    { "wast",	tZONE,     -HOUR (7) },	/* West Australian Standard */
-    { "wadt",	tDAYZONE,  -HOUR (7) },	/* West Australian Daylight */
-    { "cct",	tZONE,     -HOUR (8) },	/* China Coast, USSR Zone 7 */
-    { "jst",	tZONE,     -HOUR (9) },	/* Japan Standard, USSR Zone 8 */
-    { "east",	tZONE,     -HOUR (10) },	/* Eastern Australian Standard */
-    { "eadt",	tDAYZONE,  -HOUR (10) },	/* Eastern Australian Daylight */
-    { "gst",	tZONE,     -HOUR (10) },	/* Guam Standard, USSR Zone 9 */
-    { "nzt",	tZONE,     -HOUR (12) },	/* New Zealand */
-    { "nzst",	tZONE,     -HOUR (12) },	/* New Zealand Standard */
-    { "nzdt",	tDAYZONE,  -HOUR (12) },	/* New Zealand Daylight */
-    { "idle",	tZONE,     -HOUR (12) },	/* International Date Line East */
-    { NULL, 0, 0 }
-};
-
-/* Military timezone table. */
-static TABLE const MilitaryTable[] = {
-    { "a",	tZONE,	HOUR (  1) },
-    { "b",	tZONE,	HOUR (  2) },
-    { "c",	tZONE,	HOUR (  3) },
-    { "d",	tZONE,	HOUR (  4) },
-    { "e",	tZONE,	HOUR (  5) },
-    { "f",	tZONE,	HOUR (  6) },
-    { "g",	tZONE,	HOUR (  7) },
-    { "h",	tZONE,	HOUR (  8) },
-    { "i",	tZONE,	HOUR (  9) },
-    { "k",	tZONE,	HOUR ( 10) },
-    { "l",	tZONE,	HOUR ( 11) },
-    { "m",	tZONE,	HOUR ( 12) },
-    { "n",	tZONE,	HOUR (- 1) },
-    { "o",	tZONE,	HOUR (- 2) },
-    { "p",	tZONE,	HOUR (- 3) },
-    { "q",	tZONE,	HOUR (- 4) },
-    { "r",	tZONE,	HOUR (- 5) },
-    { "s",	tZONE,	HOUR (- 6) },
-    { "t",	tZONE,	HOUR (- 7) },
-    { "u",	tZONE,	HOUR (- 8) },
-    { "v",	tZONE,	HOUR (- 9) },
-    { "w",	tZONE,	HOUR (-10) },
-    { "x",	tZONE,	HOUR (-11) },
-    { "y",	tZONE,	HOUR (-12) },
-    { "z",	tZONE,	HOUR (  0) },
-    { NULL, 0, 0 }
-};
-
- 
- 
- 
-@@ -621,7 +509,6 @@ static int ToYear (int Year)
- static int LookupWord (char *buff)
- {
-   register char *p;
-  register char *q;
-   register const TABLE *tp;
-   int i;
-   bool abbrev;
-@@ -670,16 +557,6 @@ static int LookupWord (char *buff)
- 	}
-     }
- 
-  for (tp = TimezoneTable; tp->name; tp++)
-    if (streq(buff, tp->name))
-      {
-	yylval.Number = tp->value;
-	return tp->type;
-      }
-
-  if (streq(buff, "dst"))
-    return tDST;
-
-   for (tp = UnitsTable; tp->name; tp++)
-     if (streq(buff, tp->name))
-       {
-@@ -708,32 +585,6 @@ static int LookupWord (char *buff)
- 	return tp->type;
-       }
- 
-  /* Military timezones. */
-  if (buff[1] == '\0' && isalpha (*buff))
-    {
-      for (tp = MilitaryTable; tp->name; tp++)
-	if (streq(buff, tp->name))
-	  {
-	    yylval.Number = tp->value;
-	    return tp->type;
-	  }
-    }
-
-  /* Drop out any periods and try the timezone table again. */
-  for (i = 0, p = q = buff; !streq(q, ""); q++)
-    if (*q != '.')
-      *p++ = *q;
-    else
-      i++;
-  stpcpy(p, "");
-  if (0 != i)
-    for (tp = TimezoneTable; NULL != tp->name; tp++)
-      if (streq(buff, tp->name))
-	{
-	  yylval.Number = tp->value;
-	  return tp->type;
-	}
-
-   return tID;
- }
- 
-@@ -796,34 +647,14 @@ yylex (void)
- 
- #define TM_YEAR_ORIGIN 1900
- 
-/* Yield A - B, measured in seconds.  */
-static long difftm (struct tm *a, struct tm *b)
-{
-  int ay = a->tm_year + (TM_YEAR_ORIGIN - 1);
-  int by = b->tm_year + (TM_YEAR_ORIGIN - 1);
-  long days = (
-  /* difference in day of year */
-		a->tm_yday - b->tm_yday
-  /* + intervening leap days */
-		+ ((ay >> 2) - (by >> 2))
-		- (ay / 100 - by / 100)
-		+ ((ay / 100 >> 2) - (by / 100 >> 2))
-  /* + difference in years * 365 */
-		+ (long) (ay - by) * 365
-  );
-  return (60 * (60 * (24 * days + (a->tm_hour - b->tm_hour))
-		+ (a->tm_min - b->tm_min))
-	  + (a->tm_sec - b->tm_sec));
-}
-
- time_t get_date (const char *p, const time_t *now)
- {
-  struct tm tm, tm0, *tmp;
-+  struct tm  tm, *tmp;
-   time_t Start;
- 
-   yyInput = p;
-   Start = now ? *now : time(NULL);
-  tmp = localtime (&Start);
-+  tmp = gmtime(&Start);
-   yyYear = tmp->tm_year + TM_YEAR_ORIGIN;
-   yyMonth = tmp->tm_mon + 1;
-   yyDay = tmp->tm_mday;
-@@ -841,10 +672,9 @@ time_t get_date (const char *p, const time_t *now)
-   yyHaveDay = 0;
-   yyHaveRel = 0;
-   yyHaveTime = 0;
-  yyHaveZone = 0;
- 
-   if (yyparse ()
-      || yyHaveTime > 1 || yyHaveZone > 1 || yyHaveDate > 1 || yyHaveDay > 1)
-+      || yyHaveTime > 1 || yyHaveDate > 1 || yyHaveDay > 1)
-     return -1;
- 
-   tm.tm_year = ToYear (yyYear) - TM_YEAR_ORIGIN + yyRelYear;
-@@ -866,39 +696,12 @@ time_t get_date (const char *p, const time_t *now)
-   tm.tm_hour += yyRelHour;
-   tm.tm_min += yyRelMinutes;
-   tm.tm_sec += yyRelSeconds;
-  tm.tm_isdst = -1;
-  tm0 = tm;
-+  tm.tm_isdst = 0;
- 
-  Start = mktime (&tm);
-+  Start = timegm(&tm);
- 
-   if (Start == (time_t) -1)
-     {
-
-      /* Guard against falsely reporting errors near the time_t boundaries
-         when parsing times in other time zones.  For example, if the min
-         time_t value is 1970-01-01 00:00:00 UTC and we are 8 hours ahead
-         of UTC, then the min localtime value is 1970-01-01 08:00:00; if
-         we apply mktime to 1970-01-01 00:00:00 we will get an error, so
-         we apply mktime to 1970-01-02 08:00:00 instead and adjust the time
-         zone by 24 hours to compensate.  This algorithm assumes that
-         there is no DST transition within a day of the time_t boundaries.  */
-      if (yyHaveZone)
-	{
-	  tm = tm0;
-	  if (tm.tm_year <= EPOCH - TM_YEAR_ORIGIN)
-	    {
-	      tm.tm_mday++;
-	      yyTimezone -= 24 * 60;
-	    }
-	  else
-	    {
-	      tm.tm_mday--;
-	      yyTimezone += 24 * 60;
-	    }
-	  Start = mktime (&tm);
-	}
-
-      if (Start == (time_t) -1)
- 	return Start;
-     }
- 
-@@ -906,19 +709,11 @@ time_t get_date (const char *p, const time_t *now)
-     {
-       tm.tm_mday += ((yyDayNumber - tm.tm_wday + 7) % 7
- 		     + 7 * (yyDayOrdinal - (0 < yyDayOrdinal)));
-      Start = mktime (&tm);
-+      Start = timegm(&tm);
-       if (Start == (time_t) -1)
- 	return Start;
-     }
- 
-  if (yyHaveZone)
-    {
-      long delta = yyTimezone * 60L + difftm (&tm, gmtime (&Start));
-      if ((Start + delta < Start) != (delta < 0))
-	return -1;		/* time_t overflow */
-      Start += delta;
-    }
-
-   return Start;
- }
- 
--- a/debian/patches/upstream/src-chfn.c-Add-local-variable-to-refer-to-the-separated-f.patch
+++ b/debian/patches/upstream/src-chfn.c-Add-local-variable-to-refer-to-the-separated-f.patch
@@ -1,37 +0,0 @@
-From: Alejandro Colomar <alx@kernel.org>
-Date: Mon, 17 Feb 2025 13:44:55 +0100
-Subject: src/chfn.c: Add local variable to refer to the separated field
-
-Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
- src/chfn.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/chfn.c b/src/chfn.c
-index 1799d6b..3fc94dc 100644
--- a/src/chfn.c
-+++ b/src/chfn.c
-@@ -220,18 +220,20 @@ static char *copy_field (char *in, char *out, char *extra)
- 	char *cp = NULL;
- 
- 	while (NULL != in) {
-+		const char  *f;
-+
-+		f = in;
- 		cp = stpsep(in, ",");
- 
-		if (strchr (in, '=') == NULL) {
-+		if (strchr(f, '=') == NULL)
- 			break;
-		}
- 
- 		if (NULL != extra) {
- 			if (!streq(extra, "")) {
- 				strcat (extra, ",");
- 			}
- 
-			strcat (extra, in);
-+			strcat(extra, f);
- 		}
- 		in = cp;
- 	}
--- a/debian/patches/upstream/src-chfn.c-Partially-revert-lib-src-Use-strsep-3-instead-.patch
+++ b/debian/patches/upstream/src-chfn.c-Partially-revert-lib-src-Use-strsep-3-instead-.patch
@@ -1,67 +0,0 @@
-From: Alejandro Colomar <alx@kernel.org>
-Date: Mon, 17 Feb 2025 13:23:37 +0100
-Subject: src/chfn.c: Partially revert "lib/,
- src/: Use strsep(3) instead of its pattern"
-
-This partially reverts commit 16cb664865541162c504a6f5ef5ca4b38b5e0c9a.
-
-I'll try to reintroduce this change more carefully.
-For now, let's revert to a known-good state.
-
-The problem was due to accidentally ignoring the effects of the 'break'
-on the 'cp' variable.
-
-Fixes: 16cb66486554 (2024-07-01; "lib/, src/: Use strsep(3) instead of its pattern")
-Closes: <https://github.com/shadow-maint/shadow/issues/1210>
-Link: <https://github.com/shadow-maint/shadow/pull/1213>
-Link: <https://github.com/shadow-maint/shadow/pull/1212>
-Reported-by: Chris Hofstaedtler <zeha@debian.org>
-Suggested-by: Chris Hofstaedtler <zeha@debian.org>
-Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
- src/chfn.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/src/chfn.c b/src/chfn.c
-index 4c96fba..f06cb44 100644
--- a/src/chfn.c
-+++ b/src/chfn.c
-@@ -216,27 +216,32 @@ static void new_fields (void)
-  */
- static char *copy_field (char *in, char *out, char *extra)
- {
-	while (NULL != in) {
-		char  *f;
-+	char *cp = NULL;
- 
-		f = strsep(&in, ",");
-+	while (NULL != in) {
-+		cp = strchr (in, ',');
-+		if (NULL != cp) {
-+			*cp++ = '\0';
-+		}
- 
-		if (strchr(f, '=') == NULL)
-+		if (strchr (in, '=') == NULL) {
- 			break;
-+		}
- 
- 		if (NULL != extra) {
- 			if (!streq(extra, "")) {
- 				strcat (extra, ",");
- 			}
- 
-			strcat(extra, f);
-+			strcat (extra, in);
- 		}
-+		in = cp;
- 	}
- 	if ((NULL != in) && (NULL != out)) {
- 		strcpy (out, in);
- 	}
- 
-	return in;
-+	return cp;
- }
- 
- /*
--- a/debian/patches/upstream/src-chfn.c-Use-stpsep-instead-of-its-pattern.patch
+++ b/debian/patches/upstream/src-chfn.c-Use-stpsep-instead-of-its-pattern.patch
@@ -1,33 +0,0 @@
-From: Alejandro Colomar <alx@kernel.org>
-Date: Mon, 17 Feb 2025 13:40:02 +0100
-Subject: src/chfn.c: Use stpsep() instead of its pattern
-
-Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
- src/chfn.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/chfn.c b/src/chfn.c
-index f06cb44..1799d6b 100644
--- a/src/chfn.c
-+++ b/src/chfn.c
-@@ -36,6 +36,7 @@
- #include "string/strcmp/streq.h"
- #include "string/strcpy/strtcpy.h"
- #include "string/strdup/xstrdup.h"
-+#include "string/strtok/stpsep.h"
- 
- 
- /*
-@@ -219,10 +220,7 @@ static char *copy_field (char *in, char *out, char *extra)
- 	char *cp = NULL;
- 
- 	while (NULL != in) {
-		cp = strchr (in, ',');
-		if (NULL != cp) {
-			*cp++ = '\0';
-		}
-+		cp = stpsep(in, ",");
- 
- 		if (strchr (in, '=') == NULL) {
- 			break;
--- a/debian/patches/upstream/src-chfn.c-copy_field-Rename-local-variable.patch
+++ b/debian/patches/upstream/src-chfn.c-copy_field-Rename-local-variable.patch
@@ -1,47 +0,0 @@
-From: Alejandro Colomar <alx@kernel.org>
-Date: Mon, 17 Feb 2025 15:33:46 +0100
-Subject: src/chfn.c: copy_field(): Rename local variable
-
-This makes it more obvious what that pointer is.
-
-Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
- src/chfn.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/chfn.c b/src/chfn.c
-index 3fc94dc..d62bb8a 100644
--- a/src/chfn.c
-+++ b/src/chfn.c
-@@ -217,13 +217,13 @@ static void new_fields (void)
-  */
- static char *copy_field (char *in, char *out, char *extra)
- {
-	char *cp = NULL;
-+	char *next = NULL;
- 
- 	while (NULL != in) {
- 		const char  *f;
- 
- 		f = in;
-		cp = stpsep(in, ",");
-+		next = stpsep(in, ",");
- 
- 		if (strchr(f, '=') == NULL)
- 			break;
-@@ -235,13 +235,13 @@ static char *copy_field (char *in, char *out, char *extra)
- 
- 			strcat(extra, f);
- 		}
-		in = cp;
-+		in = next;
- 	}
- 	if ((NULL != in) && (NULL != out)) {
- 		strcpy (out, in);
- 	}
- 
-	return cp;
-+	return next;
- }
- 
- /*
--- a/debian/rules
+++ b/debian/rules
@@ -1,62 +0,0 @@
-#!/usr/bin/make -f
-# -*- mode: makefile; coding: utf-8 -*-
-
-# Enable PIE, BINDNOW, and possible future flags.
-export DEB_BUILD_MAINT_OPTIONS = hardening=+all
-DPKG_EXPORT_BUILDFLAGS = 1
-include /usr/share/dpkg/architecture.mk
-include /usr/share/dpkg/buildflags.mk
-include /usr/share/debhelper/dh_package_notes/package-notes.mk
-
-# Adds extra options when calling the configure script:
-DEB_CONFIGURE_EXTRA_FLAGS := \
-	--bindir=/usr/bin \
-	--sbindir=/usr/sbin \
-	--mandir=/usr/share/man \
-	--with-libpam \
-	--with-yescrypt \
-	--enable-shadowgrp \
-	--enable-subordinate-ids \
-	--enable-lastlog=no \
-	--enable-man \
-	--disable-account-tools-setuid \
-	--with-group-name-max-length=32 \
-	--with-acl \
-	--with-attr \
-	--without-su \
-	--without-tcb \
-
-
-ifeq ($(DEB_HOST_ARCH_OS),linux)
-DEB_CONFIGURE_EXTRA_FLAGS += --with-audit
-DEB_CONFIGURE_EXTRA_FLAGS += --with-btrfs
-endif
-
-ifneq ($(filter nodoc,$(DEB_BUILD_PROFILES)),)
-DEB_CONFIGURE_EXTRA_FLAGS += --disable-man
-endif
-
-DEB_CONFIGURE_EXTRA_FLAGS += SHELL=/bin/sh
-
-# Set the default editor for vipw/vigr
-CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\""
-
-%:
-	dh $@
-
-execute_after_dh_auto_clean:
-	# rebuild lib/getdate.c
-	rm -f lib/getdate.c
-
-override_dh_auto_configure:
-	dh_auto_configure -- $(DEB_CONFIGURE_EXTRA_FLAGS)
-
-override_dh_installpam:
-	# Distribute the pam.d files; unless for the commands with disabled PAM
-	# support
-	dh_installpam -p passwd --name=passwd
-	dh_installpam -p passwd --name=chfn
-	dh_installpam -p passwd --name=chsh
-	dh_installpam -p passwd --name=chpasswd
-	dh_installpam -p passwd --name=newusers
-
--- a/debian/salsa-ci.yml
+++ b/debian/salsa-ci.yml
@@ -1,40 +0,0 @@
---
-include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
-extract-source:
-  extends: .provisioning-extract-source
-
-variables:
-  RELEASE: 'unstable'
-
-build:
-  extends: .build-package
-
-test-build-any:
-  extends: .test-build-package-any
-
-test-build-all:
-  extends: .test-build-package-all
-
-lintian:
-  extends: .test-lintian
-
-autopkgtest:
-  extends: .test-autopkgtest
-
-blhc:
-  extends: .test-blhc
-
-reprotest:
-  extends: .test-reprotest
-
-variables:
-  SALSA_CI_ENABLE_BUILD_PACKAGE_PROFILES: 1
-
-test-build-profiles:
-  extends: .test-build-package-profiles
-  parallel:
-    matrix:
-      - BUILD_PROFILES: nocheck
-      - BUILD_PROFILES: nodoc
-
--- a/debian/shadowconfig
+++ b/debian/shadowconfig
@@ -1,56 +0,0 @@
-#!/bin/sh
-# turn shadow passwords on on a Debian system
-
-set -e
-
-shadowon () {
-    set -e
-
-    if [ -n "$DPKG_ROOT" ] \
-        && cmp "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/usr/share/base-passwd/passwd.master" 2>/dev/null \
-        && cmp "${DPKG_ROOT}/etc/group" "${DPKG_ROOT}/usr/share/base-passwd/group.master" 2>/dev/null; then
-        # If dpkg is run with --force-script-chrootless and if /etc/passwd
-        # and /etc/group are unchanged, we avoid the chroot() call by manually
-        # processing the files. This produces bit-by-bit identical results
-        # compared to the normal case as shown by the CI setup at
-        # https://salsa.debian.org/helmutg/dpkg-root-demo/-/jobs
-        for f in passwd group; do
-            cp -a "${DPKG_ROOT}/etc/$f" "${DPKG_ROOT}/etc/$f-"
-        done
-        chmod 600 "${DPKG_ROOT}/etc/passwd-"
-        sed -i 's/^\([^:]\+\):\*:/\1:x:/' "${DPKG_ROOT}/etc/group" "${DPKG_ROOT}/etc/passwd"
-        [ -n "$SOURCE_DATE_EPOCH" ] && epoch=$SOURCE_DATE_EPOCH || epoch=$(date +%s)
-        sed "s/^\([^:]\+\):.*/\1:*:$((epoch/60/60/24)):0:99999:7:::/" "${DPKG_ROOT}/etc/passwd" > "${DPKG_ROOT}/etc/shadow"
-        sed "s/^\([^:]\+\):.*/\1:*::/" "${DPKG_ROOT}/etc/group" > "${DPKG_ROOT}/etc/gshadow"
-        touch "${DPKG_ROOT}/etc/.pwd.lock"
-        chmod 600 "${DPKG_ROOT}/etc/.pwd.lock"
-    else
-        pwck -q -r
-        grpck -r
-        pwconv
-        grpconv
-    fi
-    chown root:root "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
-    chmod 644 "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
-    chown root:shadow "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
-    chmod 640 "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
-}
-
-
-case "$1" in
-    "on")
-	if shadowon ; then
-	    echo Shadow passwords are now on.
-	else
-	    echo Please correct the error and rerun \`$0 on\'
-	    exit 1
-	fi
-	;;
-    "off")
-	echo E: Turning shadow passwords off is no longer supported.
-	exit 1
-	;;
-     *)
-	echo Usage: $0 on
-	;;
-esac
--- a/debian/shlibs.local
+++ b/debian/shlibs.local
@@ -1 +0,0 @@
-deb: libsubid 5 libsubid5 (= ${binary:Version})
--- a/debian/source/format
+++ b/debian/source/format
@@ -1 +0,0 @@
-3.0 (quilt)
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,6 +0,0 @@
-# debputy does not need misc:Depends
-debhelper-but-no-misc-depends libsubid-dev
-debhelper-but-no-misc-depends libsubid5
-debhelper-but-no-misc-depends login.defs
-debhelper-but-no-misc-depends passwd
-debhelper-but-no-misc-depends uidmap
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,10 +0,0 @@
-Tests: smoke
-Restrictions: needs-root, superficial
-
-Tests: upstream
-Depends:
- expect,
- procps,
- @,
- @builddeps@
-Restrictions: needs-root, build-needed, breaks-testbed, allow-stderr, isolation-machine
--- a/debian/tests/smoke
+++ b/debian/tests/smoke
@@ -1,24 +0,0 @@
-#!/bin/sh
-
-set -e
-
-echo "Adding a user works"
-useradd shadow-test-user
-grep '^shadow-test-user:x:' /etc/passwd
-grep '^shadow-test-user:!:' /etc/shadow
-
-# Regression test for #1096187. adduser uses this sequence.
-echo "Changing a users name and work phone number works"
-chfn "-f" "foo" "-r" "" shadow-test-user
-chfn -w "" shadow-test-user
-
-# Regression test for #1095430
-TZ=Asia/Tokyo usermod --expiredate 1970-01-02 shadow-test-user
-TZ=Asia/Tokyo LC_ALL=C chage -l shadow-test-user | grep 'Account expires'
-# We expect 1970-01-02, as passed.
-TZ=Asia/Tokyo LC_ALL=C chage -l shadow-test-user | grep -P '^Account expires.*Jan 02, 1970'
-
-echo "Removing a user works"
-userdel shadow-test-user
-! grep 'shadow-test-user' /etc/passwd
-! grep 'shadow-test-user' /etc/shadow
--- a/debian/tests/upstream
+++ b/debian/tests/upstream
@@ -1,15 +0,0 @@
-#!/bin/sh
-useradd ubuntu
-
-export BUILD_BASE_DIR=$(pwd)
-
-cd tests
-
-cleanup() {
-  cp testsuite.log $AUTOPKGTEST_ARTIFACTS/
-  cat testsuite.log
-}
-
-trap cleanup TERM EXIT
-
-./run_some 2>&1
--- a/debian/uidmap.install
+++ b/debian/uidmap.install
@@ -1,3 +0,0 @@
-usr/bin/getsubids
-usr/bin/newgidmap
-usr/bin/newuidmap
--- a/debian/uidmap.lintian-overrides
+++ b/debian/uidmap.lintian-overrides
@@ -1,2 +0,0 @@
-uidmap: elevated-privileges 4755 root/root [usr/bin/newgidmap]
-uidmap: elevated-privileges 4755 root/root [usr/bin/newuidmap]
--- a/debian/uidmap.manpages
+++ b/debian/uidmap.manpages
@@ -1,5 +0,0 @@
-usr/share/man/*/man1/newgidmap.1
-usr/share/man/*/man1/newuidmap.1
-usr/share/man/man1/getsubids.1
-usr/share/man/man1/newgidmap.1
-usr/share/man/man1/newuidmap.1
--- a/debian/upstream/metadata
+++ b/debian/upstream/metadata
@@ -1,4 +0,0 @@
---
-Bug-Database: https://github.com/shadow-maint/shadow/issues
-Bug-Submit: https://github.com/shadow-maint/shadow/issues/new
-Repository-Browse: https://github.com/shadow-maint/shadow
--- a/debian/upstream/signing-key.asc
+++ b/debian/upstream/signing-key.asc
--- a/debian/watch
+++ b/debian/watch
@@ -1,7 +0,0 @@
-version=4
-opts=downloadurlmangle=s/archive\/refs\/tags\/(.*)\.tar\.gz/releases\/download\/$1\/@PACKAGE@-$1\.tar\.xz/,\
-    pgpsigurlmangle=s/$/.asc/,\
-    versionmangle=s/-(alpha|beta|rc)/~$1/,\
-    dversionmangle=s/\+dfsg1//,repacksuffix=+dfsg1 \
-    https://github.com/shadow-maint/@PACKAGE@/tags \
-    /shadow-maint/@PACKAGE@/archive/refs/tags/([^v].*)\.tar\.gz
--- a/lib/audit_help.c
+++ b/lib/audit_help.c
@@ -25,6 +25,8 @@
 #include "attr.h"
 #include "prototypes.h"
 #include "shadowlog.h"
+#include "string/sprintf/snprintf.h"
+
 int audit_fd;

 void audit_help_open (void)
@@ -46,10 +48,14 @@ void audit_help_open (void)

 /*
 * This function will log a message to the audit system using a predefined
- * message format. Parameter usage is as follows:
+ * message format. For additional information on the user account lifecycle
+ * events check
+ * <https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-Lifecycle-Events>
 *
- * type - type of message: AUDIT_USER_CHAUTHTOK for changing any account
- *	  attributes.
+ * Parameter usage is as follows:
+ *
+ * type - type of message. A list of possible values is available in
+ *        "audit-records.h" file.
 * pgname - program's name
 * op  -  operation. "adding user", "changing finger info", "deleting group"
 * name - user's account or group name. If not available use NULL.
@@ -68,6 +74,47 @@ void audit_logger (int type, MAYBE_UNUSED const char *pgname, const char *op,
 	}
 }

+/*
+ * This function will log a message to the audit system using a predefined
+ * message format. For additional information on the group account lifecycle
+ * events check
+ * <https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-Lifecycle-Events>
+ *
+ * Parameter usage is as follows:
+ *
+ * type - type of message. A list of possible values is available in
+ *        "audit-records.h" file.
+ * op  -  operation. "adding-user", "modify-group", "deleting-user-from-group"
+ * name - user's account or group name. If not available use NULL.
+ * id  -  uid or gid that the operation is being performed on. This is used
+ *	  only when user is NULL.
+ * grp_type - type of group: "grp" or "new_group"
+ * grp - group name associated with event
+ */
+void
+audit_logger_with_group(int type, const char *op, const char *name,
+    id_t id, const char *grp_type, const char *grp,
+    shadow_audit_result result)
+{
+	int len;
+	char enc_group[GROUP_NAME_MAX_LENGTH * 2 + 1];
+	char buf[NITEMS(enc_group) + 100];
+
+	if (audit_fd < 0)
+		return;
+
+	len = strnlen(grp, sizeof(enc_group)/2);
+	if (audit_value_needs_encoding(grp, len)) {
+		SNPRINTF(buf, "%s %s=%s", op, grp_type,
+			audit_encode_value(enc_group, grp, len));
+	} else {
+		SNPRINTF(buf, "%s %s=\"%s\"", op, grp_type, grp);
+	}
+
+	audit_log_acct_message(audit_fd, type, NULL, buf, name, id,
+		               NULL, NULL, NULL, result);
+}
+
 void audit_logger_message (const char *message, shadow_audit_result result)
 {
 	if (audit_fd < 0) {
--- a/lib/cleanup_group.c
+++ b/lib/cleanup_group.c
@@ -62,7 +62,7 @@ void cleanup_report_mod_group (void *cleanup_info)
 	         gr_dbname (),
 	         info->action));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_USER_ACCT, log_get_progname(),
+	audit_logger (AUDIT_GRP_MGMT, log_get_progname(),
 	              info->audit_msg,
 	              info->name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
@@ -80,7 +80,7 @@ void cleanup_report_mod_gshadow (void *cleanup_info)
 	         sgr_dbname (),
 	         info->action));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_USER_ACCT, log_get_progname(),
+	audit_logger (AUDIT_GRP_MGMT, log_get_progname(),
 	              info->audit_msg,
 	              info->name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
@@ -101,7 +101,7 @@ void cleanup_report_add_group_group (void *group_name)
 	SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, gr_dbname ()));
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
-	              "adding group to /etc/group",
+	              "adding-group",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -120,8 +120,8 @@ void cleanup_report_add_group_gshadow (void *group_name)

 	SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, sgr_dbname ()));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
-	              "adding group to /etc/gshadow",
+	audit_logger (AUDIT_GRP_MGMT, log_get_progname(),
+	              "adding-shadow-group",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -143,8 +143,8 @@ void cleanup_report_del_group_group (void *group_name)
 	         "failed to remove group %s from %s",
 	         name, gr_dbname ()));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
-	              "removing group from /etc/group",
+	audit_logger (AUDIT_DEL_GROUP, log_get_progname(),
+	              "removing-group",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -166,8 +166,8 @@ void cleanup_report_del_group_gshadow (void *group_name)
 	         "failed to remove group %s from %s",
 	         name, sgr_dbname ()));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
-	              "removing group from /etc/gshadow",
+	audit_logger (AUDIT_GRP_MGMT, log_get_progname(),
+	              "removing-shadow-group",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -187,7 +187,7 @@ void cleanup_unlock_group (MAYBE_UNUSED void *arg)
 		         log_get_progname(), gr_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
 #ifdef WITH_AUDIT
-		audit_logger_message ("unlocking group file",
+		audit_logger_message ("unlocking-group",
 		                      SHADOW_AUDIT_FAILURE);
 #endif
 	}
@@ -207,7 +207,7 @@ void cleanup_unlock_gshadow (MAYBE_UNUSED void *arg)
 		         log_get_progname(), sgr_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
 #ifdef WITH_AUDIT
-		audit_logger_message ("unlocking gshadow file",
+		audit_logger_message ("unlocking-gshadow",
 		                      SHADOW_AUDIT_FAILURE);
 #endif
 	}
--- a/lib/cleanup_user.c
+++ b/lib/cleanup_user.c
@@ -44,7 +44,7 @@ void cleanup_report_mod_passwd (void *cleanup_info)
 	         pw_dbname (),
 	         info->action));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_USER_ACCT, log_get_progname(),
+	audit_logger (AUDIT_USER_MGMT, log_get_progname(),
 	              info->audit_msg,
 	              info->name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
@@ -65,7 +65,7 @@ void cleanup_report_add_user_passwd (void *user_name)
 	SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, pw_dbname ()));
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_ADD_USER, log_get_progname(),
-	              "adding user to /etc/passwd",
+	              "adding-user",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -84,8 +84,8 @@ void cleanup_report_add_user_shadow (void *user_name)

 	SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, spw_dbname ()));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_USER, log_get_progname(),
-	              "adding user to /etc/shadow",
+	audit_logger (AUDIT_USER_MGMT, log_get_progname(),
+	              "adding-shadow-user",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -104,7 +104,7 @@ void cleanup_unlock_passwd (MAYBE_UNUSED void *arg)
 		         log_get_progname(), pw_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
 #ifdef WITH_AUDIT
-		audit_logger_message ("unlocking passwd file",
+		audit_logger_message ("unlocking-passwd",
 		                      SHADOW_AUDIT_FAILURE);
 #endif
 	}
@@ -123,7 +123,7 @@ void cleanup_unlock_shadow (MAYBE_UNUSED void *arg)
 		         log_get_progname(), spw_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
 #ifdef WITH_AUDIT
-		audit_logger_message ("unlocking shadow file",
+		audit_logger_message ("unlocking-shadow",
 		                      SHADOW_AUDIT_FAILURE);
 #endif
 	}
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -74,17 +74,10 @@ int lrename (const char *old, const char *new)
 {
 	int res;
 	char *r = NULL;
-
-#ifndef __GLIBC__
-	char resolved_path[PATH_MAX];
-#endif				/* !__GLIBC__ */
 	struct stat sb;
+
 	if (lstat (new, &sb) == 0 && S_ISLNK (sb.st_mode)) {
-#ifdef __GLIBC__ /* now a POSIX.1-2008 feature */
 		r = realpath (new, NULL);
-#else				/* !__GLIBC__ */
-		r = realpath (new, resolved_path);
-#endif				/* !__GLIBC__ */
 		if (NULL == r) {
 			perror ("realpath in lrename()");
 		} else {
@@ -94,9 +87,7 @@ int lrename (const char *old, const char *new)

 	res = rename (old, new);

-#ifdef __GLIBC__
 	free (r);
-#endif				/* __GLIBC__ */

 	return res;
 }
--- a/lib/fs/readlink/readlinknul.c
+++ b/lib/fs/readlink/readlinknul.c
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024, Alejandro Colomar <alx@kernel.org>
+// SPDX-FileCopyrightText: 2024-2025, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause


@@ -6,9 +6,8 @@

 #include "fs/readlink/readlinknul.h"

-#include <stddef.h>
 #include <sys/types.h>


 extern inline ssize_t readlinknul(const char *restrict link, char *restrict buf,
-    size_t size);
+    ssize_t size);
--- a/lib/fs/readlink/readlinknul.h
+++ b/lib/fs/readlink/readlinknul.h
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024, Alejandro Colomar <alx@kernel.org>
+// SPDX-FileCopyrightText: 2024-2025, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause


@@ -9,7 +9,6 @@
 #include <config.h>

 #include <errno.h>
-#include <stddef.h>
 #include <string.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -23,30 +22,28 @@

 ATTR_STRING(1)
 inline ssize_t readlinknul(const char *restrict link, char *restrict buf,
-    size_t size);
+    ssize_t size);


 // Similar to readlink(2), but terminate the string.
 inline ssize_t
-readlinknul(const char *restrict link, char *restrict buf, size_t size)
+readlinknul(const char *restrict link, char *restrict buf, ssize_t size)
 {
-	size_t   ulen;
-	ssize_t  slen;
+	ssize_t  len;

-	slen = readlink(link, buf, size);
-	if (slen == -1)
+	len = readlink(link, buf, size);
+	if (len == -1)
 		return -1;

-	ulen = slen;
-	if (ulen == size) {
+	if (len == size) {
 		stpcpy(&buf[size-1], "");
 		errno = E2BIG;
 		return -1;
 	}

-	stpcpy(&buf[ulen], "");
+	stpcpy(&buf[len], "");

-	return slen;
+	return len;
 }


--- a/lib/getdate.c
+++ b/lib/getdate.c
--- a/lib/getdate.y
+++ b/lib/getdate.y
@@ -92,8 +92,6 @@
 static int yylex (void);
 static int yyerror (const char *s);

-#define EPOCH		1970
-#define HOUR(x)		((x) * 60)

 #define MAX_BUFF_LEN    128   /* size of buffer to read the date into */

@@ -128,8 +126,6 @@ static int	yyHaveDate;
 static int	yyHaveDay;
 static int	yyHaveRel;
 static int	yyHaveTime;
-static int	yyHaveZone;
-static int	yyTimezone;
 static int	yyDay;
 static int	yyHour;
 static int	yyMinutes;
@@ -151,13 +147,13 @@ static int	yyRelYear;
    enum _MERIDIAN	Meridian;
 }

-%token	tAGO tDAY tDAY_UNIT tDAYZONE tDST tHOUR_UNIT tID
+%token	tAGO tDAY tDAY_UNIT tHOUR_UNIT tID
 %token	tMERIDIAN tMINUTE_UNIT tMONTH tMONTH_UNIT
-%token	tSEC_UNIT tSNUMBER tUNUMBER tYEAR_UNIT tZONE
+%token	tSEC_UNIT tSNUMBER tUNUMBER tYEAR_UNIT

-%type	<Number>	tDAY tDAY_UNIT tDAYZONE tHOUR_UNIT tMINUTE_UNIT
+%type	<Number>	tDAY tDAY_UNIT tHOUR_UNIT tMINUTE_UNIT
 %type	<Number>	tMONTH tMONTH_UNIT
-%type	<Number>	tSEC_UNIT tSNUMBER tUNUMBER tYEAR_UNIT tZONE
+%type	<Number>	tSEC_UNIT tSNUMBER tUNUMBER tYEAR_UNIT
 %type	<Meridian>	tMERIDIAN o_merid

 %%
@@ -169,9 +165,6 @@ spec	: /* NULL */
 item	: time {
 	    yyHaveTime++;
 	}
-	| zone {
-	    yyHaveZone++;
-	}
 	| date {
 	    yyHaveDate++;
 	}
@@ -196,14 +189,10 @@ time	: tUNUMBER tMERIDIAN {
 	    yySeconds = 0;
 	    yyMeridian = $4;
 	}
-	| tUNUMBER ':' tUNUMBER tSNUMBER {
+	| tUNUMBER ':' tUNUMBER {
 	    yyHour = $1;
 	    yyMinutes = $3;
 	    yyMeridian = MER24;
-	    yyHaveZone++;
-	    yyTimezone = ($4 < 0
-			  ? -$4 % 100 + (-$4 / 100) * 60
-			  : - ($4 % 100 + ($4 / 100) * 60));
 	}
 	| tUNUMBER ':' tUNUMBER ':' tUNUMBER o_merid {
 	    yyHour = $1;
@@ -211,27 +200,11 @@ time	: tUNUMBER tMERIDIAN {
 	    yySeconds = $5;
 	    yyMeridian = $6;
 	}
-	| tUNUMBER ':' tUNUMBER ':' tUNUMBER tSNUMBER {
+	| tUNUMBER ':' tUNUMBER ':' tUNUMBER {
 	    yyHour = $1;
 	    yyMinutes = $3;
 	    yySeconds = $5;
 	    yyMeridian = MER24;
-	    yyHaveZone++;
-	    yyTimezone = ($6 < 0
-			  ? -$6 % 100 + (-$6 / 100) * 60
-			  : - ($6 % 100 + ($6 / 100) * 60));
-	}
-	;
-
-zone	: tZONE {
-	    yyTimezone = $1;
-	}
-	| tDAYZONE {
-	    yyTimezone = $1 - 60;
-	}
-	|
-	  tZONE tDST {
-	    yyTimezone = $1 - 60;
 	}
 	;

@@ -484,91 +457,6 @@ static TABLE const OtherTable[] = {
    { NULL, 0, 0 }
 };

-/* The timezone table. */
-static TABLE const TimezoneTable[] = {
-    { "gmt",	tZONE,     HOUR ( 0) },	/* Greenwich Mean */
-    { "ut",	tZONE,     HOUR ( 0) },	/* Universal (Coordinated) */
-    { "utc",	tZONE,     HOUR ( 0) },
-    { "wet",	tZONE,     HOUR ( 0) },	/* Western European */
-    { "bst",	tDAYZONE,  HOUR ( 0) },	/* British Summer */
-    { "wat",	tZONE,     HOUR ( 1) },	/* West Africa */
-    { "at",	tZONE,     HOUR ( 2) },	/* Azores */
-    { "ast",	tZONE,     HOUR ( 4) },	/* Atlantic Standard */
-    { "adt",	tDAYZONE,  HOUR ( 4) },	/* Atlantic Daylight */
-    { "est",	tZONE,     HOUR ( 5) },	/* Eastern Standard */
-    { "edt",	tDAYZONE,  HOUR ( 5) },	/* Eastern Daylight */
-    { "cst",	tZONE,     HOUR ( 6) },	/* Central Standard */
-    { "cdt",	tDAYZONE,  HOUR ( 6) },	/* Central Daylight */
-    { "mst",	tZONE,     HOUR ( 7) },	/* Mountain Standard */
-    { "mdt",	tDAYZONE,  HOUR ( 7) },	/* Mountain Daylight */
-    { "pst",	tZONE,     HOUR ( 8) },	/* Pacific Standard */
-    { "pdt",	tDAYZONE,  HOUR ( 8) },	/* Pacific Daylight */
-    { "yst",	tZONE,     HOUR ( 9) },	/* Yukon Standard */
-    { "ydt",	tDAYZONE,  HOUR ( 9) },	/* Yukon Daylight */
-    { "hst",	tZONE,     HOUR (10) },	/* Hawaii Standard */
-    { "hdt",	tDAYZONE,  HOUR (10) },	/* Hawaii Daylight */
-    { "cat",	tZONE,     HOUR (10) },	/* Central Alaska */
-    { "ahst",	tZONE,     HOUR (10) },	/* Alaska-Hawaii Standard */
-    { "nt",	tZONE,     HOUR (11) },	/* Nome */
-    { "idlw",	tZONE,     HOUR (12) },	/* International Date Line West */
-    { "cet",	tZONE,     -HOUR (1) },	/* Central European */
-    { "met",	tZONE,     -HOUR (1) },	/* Middle European */
-    { "mewt",	tZONE,     -HOUR (1) },	/* Middle European Winter */
-    { "mest",	tDAYZONE,  -HOUR (1) },	/* Middle European Summer */
-    { "mesz",	tDAYZONE,  -HOUR (1) },	/* Middle European Summer */
-    { "swt",	tZONE,     -HOUR (1) },	/* Swedish Winter */
-    { "sst",	tDAYZONE,  -HOUR (1) },	/* Swedish Summer */
-    { "fwt",	tZONE,     -HOUR (1) },	/* French Winter */
-    { "fst",	tDAYZONE,  -HOUR (1) },	/* French Summer */
-    { "eet",	tZONE,     -HOUR (2) },	/* Eastern Europe, USSR Zone 1 */
-    { "bt",	tZONE,     -HOUR (3) },	/* Baghdad, USSR Zone 2 */
-    { "zp4",	tZONE,     -HOUR (4) },	/* USSR Zone 3 */
-    { "zp5",	tZONE,     -HOUR (5) },	/* USSR Zone 4 */
-    { "zp6",	tZONE,     -HOUR (6) },	/* USSR Zone 5 */
-    { "wast",	tZONE,     -HOUR (7) },	/* West Australian Standard */
-    { "wadt",	tDAYZONE,  -HOUR (7) },	/* West Australian Daylight */
-    { "cct",	tZONE,     -HOUR (8) },	/* China Coast, USSR Zone 7 */
-    { "jst",	tZONE,     -HOUR (9) },	/* Japan Standard, USSR Zone 8 */
-    { "east",	tZONE,     -HOUR (10) },	/* Eastern Australian Standard */
-    { "eadt",	tDAYZONE,  -HOUR (10) },	/* Eastern Australian Daylight */
-    { "gst",	tZONE,     -HOUR (10) },	/* Guam Standard, USSR Zone 9 */
-    { "nzt",	tZONE,     -HOUR (12) },	/* New Zealand */
-    { "nzst",	tZONE,     -HOUR (12) },	/* New Zealand Standard */
-    { "nzdt",	tDAYZONE,  -HOUR (12) },	/* New Zealand Daylight */
-    { "idle",	tZONE,     -HOUR (12) },	/* International Date Line East */
-    { NULL, 0, 0 }
-};
-
-/* Military timezone table. */
-static TABLE const MilitaryTable[] = {
-    { "a",	tZONE,	HOUR (  1) },
-    { "b",	tZONE,	HOUR (  2) },
-    { "c",	tZONE,	HOUR (  3) },
-    { "d",	tZONE,	HOUR (  4) },
-    { "e",	tZONE,	HOUR (  5) },
-    { "f",	tZONE,	HOUR (  6) },
-    { "g",	tZONE,	HOUR (  7) },
-    { "h",	tZONE,	HOUR (  8) },
-    { "i",	tZONE,	HOUR (  9) },
-    { "k",	tZONE,	HOUR ( 10) },
-    { "l",	tZONE,	HOUR ( 11) },
-    { "m",	tZONE,	HOUR ( 12) },
-    { "n",	tZONE,	HOUR (- 1) },
-    { "o",	tZONE,	HOUR (- 2) },
-    { "p",	tZONE,	HOUR (- 3) },
-    { "q",	tZONE,	HOUR (- 4) },
-    { "r",	tZONE,	HOUR (- 5) },
-    { "s",	tZONE,	HOUR (- 6) },
-    { "t",	tZONE,	HOUR (- 7) },
-    { "u",	tZONE,	HOUR (- 8) },
-    { "v",	tZONE,	HOUR (- 9) },
-    { "w",	tZONE,	HOUR (-10) },
-    { "x",	tZONE,	HOUR (-11) },
-    { "y",	tZONE,	HOUR (-12) },
-    { "z",	tZONE,	HOUR (  0) },
-    { NULL, 0, 0 }
-};
-



@@ -621,7 +509,6 @@ static int ToYear (int Year)
 static int LookupWord (char *buff)
 {
  register char *p;
-  register char *q;
  register const TABLE *tp;
  int i;
  bool abbrev;
@@ -670,16 +557,6 @@ static int LookupWord (char *buff)
 	}
    }

-  for (tp = TimezoneTable; tp->name; tp++)
-    if (streq(buff, tp->name))
-      {
-	yylval.Number = tp->value;
-	return tp->type;
-      }
-
-  if (streq(buff, "dst"))
-    return tDST;
-
  for (tp = UnitsTable; tp->name; tp++)
    if (streq(buff, tp->name))
      {
@@ -708,32 +585,6 @@ static int LookupWord (char *buff)
 	return tp->type;
      }

-  /* Military timezones. */
-  if (buff[1] == '\0' && isalpha (*buff))
-    {
-      for (tp = MilitaryTable; tp->name; tp++)
-	if (streq(buff, tp->name))
-	  {
-	    yylval.Number = tp->value;
-	    return tp->type;
-	  }
-    }
-
-  /* Drop out any periods and try the timezone table again. */
-  for (i = 0, p = q = buff; !streq(q, ""); q++)
-    if (*q != '.')
-      *p++ = *q;
-    else
-      i++;
-  stpcpy(p, "");
-  if (0 != i)
-    for (tp = TimezoneTable; NULL != tp->name; tp++)
-      if (streq(buff, tp->name))
-	{
-	  yylval.Number = tp->value;
-	  return tp->type;
-	}
-
  return tID;
 }

@@ -796,34 +647,14 @@ yylex (void)

 #define TM_YEAR_ORIGIN 1900

-/* Yield A - B, measured in seconds.  */
-static long difftm (struct tm *a, struct tm *b)
-{
-  int ay = a->tm_year + (TM_YEAR_ORIGIN - 1);
-  int by = b->tm_year + (TM_YEAR_ORIGIN - 1);
-  long days = (
-  /* difference in day of year */
-		a->tm_yday - b->tm_yday
-  /* + intervening leap days */
-		+ ((ay >> 2) - (by >> 2))
-		- (ay / 100 - by / 100)
-		+ ((ay / 100 >> 2) - (by / 100 >> 2))
-  /* + difference in years * 365 */
-		+ (long) (ay - by) * 365
-  );
-  return (60 * (60 * (24 * days + (a->tm_hour - b->tm_hour))
-		+ (a->tm_min - b->tm_min))
-	  + (a->tm_sec - b->tm_sec));
-}
-
 time_t get_date (const char *p, const time_t *now)
 {
-  struct tm tm, tm0, *tmp;
+  struct tm  tm, *tmp;
  time_t Start;

  yyInput = p;
  Start = now ? *now : time(NULL);
-  tmp = localtime (&Start);
+  tmp = gmtime(&Start);
  yyYear = tmp->tm_year + TM_YEAR_ORIGIN;
  yyMonth = tmp->tm_mon + 1;
  yyDay = tmp->tm_mday;
@@ -841,10 +672,9 @@ time_t get_date (const char *p, const time_t *now)
  yyHaveDay = 0;
  yyHaveRel = 0;
  yyHaveTime = 0;
-  yyHaveZone = 0;

  if (yyparse ()
-      || yyHaveTime > 1 || yyHaveZone > 1 || yyHaveDate > 1 || yyHaveDay > 1)
+      || yyHaveTime > 1 || yyHaveDate > 1 || yyHaveDay > 1)
    return -1;

  tm.tm_year = ToYear (yyYear) - TM_YEAR_ORIGIN + yyRelYear;
@@ -866,39 +696,12 @@ time_t get_date (const char *p, const time_t *now)
  tm.tm_hour += yyRelHour;
  tm.tm_min += yyRelMinutes;
  tm.tm_sec += yyRelSeconds;
-  tm.tm_isdst = -1;
-  tm0 = tm;
+  tm.tm_isdst = 0;

-  Start = mktime (&tm);
+  Start = timegm(&tm);

  if (Start == (time_t) -1)
    {
-
-      /* Guard against falsely reporting errors near the time_t boundaries
-         when parsing times in other time zones.  For example, if the min
-         time_t value is 1970-01-01 00:00:00 UTC and we are 8 hours ahead
-         of UTC, then the min localtime value is 1970-01-01 08:00:00; if
-         we apply mktime to 1970-01-01 00:00:00 we will get an error, so
-         we apply mktime to 1970-01-02 08:00:00 instead and adjust the time
-         zone by 24 hours to compensate.  This algorithm assumes that
-         there is no DST transition within a day of the time_t boundaries.  */
-      if (yyHaveZone)
-	{
-	  tm = tm0;
-	  if (tm.tm_year <= EPOCH - TM_YEAR_ORIGIN)
-	    {
-	      tm.tm_mday++;
-	      yyTimezone -= 24 * 60;
-	    }
-	  else
-	    {
-	      tm.tm_mday--;
-	      yyTimezone += 24 * 60;
-	    }
-	  Start = mktime (&tm);
-	}
-
-      if (Start == (time_t) -1)
 	return Start;
    }

@@ -906,19 +709,11 @@ time_t get_date (const char *p, const time_t *now)
    {
      tm.tm_mday += ((yyDayNumber - tm.tm_wday + 7) % 7
 		     + 7 * (yyDayOrdinal - (0 < yyDayOrdinal)));
-      Start = mktime (&tm);
+      Start = timegm(&tm);
      if (Start == (time_t) -1)
 	return Start;
    }

-  if (yyHaveZone)
-    {
-      long delta = yyTimezone * 60L + difftm (&tm, gmtime (&Start));
-      if ((Start + delta < Start) != (delta < 0))
-	return -1;		/* time_t overflow */
-      Start += delta;
-    }
-
  return Start;
 }

--- a/lib/prototypes.h
+++ b/lib/prototypes.h
@@ -189,6 +189,9 @@ extern void audit_logger (int type, const char *pgname, const char *op,
                          const char *name, unsigned int id,
                          shadow_audit_result result);
 void audit_logger_message (const char *message, shadow_audit_result result);
+void audit_logger_with_group(int type, const char *op, const char *name,
+    id_t id, const char *grp_type, const char *grp,
+    shadow_audit_result result);
 #endif

 /* limits.c */
--- a/lib/sizeof.h
+++ b/lib/sizeof.h
@@ -11,10 +11,12 @@
 #include <config.h>

 #include <limits.h>
+#include <sys/types.h>

 #include "must_be.h"


+#define ssizeof(x)           ((ssize_t) sizeof(x))
 #define memberof(T, member)  ((T){}.member)
 #define WIDTHOF(x)           (sizeof(x) * CHAR_BIT)
 #define SIZEOF_ARRAY(a)      (sizeof(a) + must_be_array(a))
--- a/lib/time/day_to_str.h
+++ b/lib/time/day_to_str.h
@@ -38,7 +38,7 @@ day_to_str(size_t size, char buf[size], long day)
 		return;
 	}

-	if (localtime_r(&date, &tm) == NULL) {
+	if (gmtime_r(&date, &tm) == NULL) {
 		strtcpy(buf, "future", size);
 		return;
 	}
--- a/man/config.xml
+++ b/man/config.xml
@@ -1,2 +1,2 @@
 <!ENTITY GROUP_NAME_MAX_LENGTH '32'>
-<!ENTITY SHADOW_UTILS_VERSION '4.17.3'>
+<!ENTITY SHADOW_UTILS_VERSION '4.17.4'>
--- a/man/da/man1/chfn.1
+++ b/man/da/man1/chfn.1
@@ -2,12 +2,12 @@
 .\"     Title: chfn
 .\"    Author: Julianne Frances Haugh
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 24/02/2025
+.\"      Date: 19/03/2025
 .\"    Manual: User Commands
-.\"    Source: shadow-utils 4.17.3
+.\"    Source: shadow-utils 4.17.4
 .\"  Language: Danish
 .\"
-.TH "CHFN" "1" "24/02/2025" "shadow\-utils 4\&.17\&.3" "User Commands"
+.TH "CHFN" "1" "19/03/2025" "shadow\-utils 4\&.17\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
--- a/man/da/man1/newgrp.1
+++ b/man/da/man1/newgrp.1
@@ -2,12 +2,12 @@
 .\"     Title: newgrp
 .\"    Author: Julianne Frances Haugh
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 24/02/2025
+.\"      Date: 19/03/2025
 .\"    Manual: User Commands
-.\"    Source: shadow-utils 4.17.3
+.\"    Source: shadow-utils 4.17.4
 .\"  Language: Danish
 .\"
-.TH "NEWGRP" "1" "24/02/2025" "shadow\-utils 4\&.17\&.3" "User Commands"
+.TH "NEWGRP" "1" "19/03/2025" "shadow\-utils 4\&.17\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
--- a/man/da/man1/sg.1
+++ b/man/da/man1/sg.1
@@ -2,12 +2,12 @@
 .\"     Title: sg
 .\"    Author: Julianne Frances Haugh
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 24/02/2025
+.\"      Date: 19/03/2025
 .\"    Manual: User Commands
-.\"    Source: shadow-utils 4.17.3
+.\"    Source: shadow-utils 4.17.4
 .\"  Language: Danish
 .\"
-.TH "SG" "1" "24/02/2025" "shadow\-utils 4\&.17\&.3" "User Commands"
+.TH "SG" "1" "19/03/2025" "shadow\-utils 4\&.17\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
--- a/man/da/man5/gshadow.5
+++ b/man/da/man5/gshadow.5
@@ -2,12 +2,12 @@
 .\"     Title: gshadow
 .\"    Author: Nicolas Fran\(,cois <nicolas.francois@centraliens.net>
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 24/02/2025
+.\"      Date: 19/03/2025
 .\"    Manual: File Formats and Configuration Files
-.\"    Source: shadow-utils 4.17.3
+.\"    Source: shadow-utils 4.17.4
 .\"  Language: Danish
 .\"
-.TH "GSHADOW" "5" "24/02/2025" "shadow\-utils 4\&.17\&.3" "File Formats and Configuration"
+.TH "GSHADOW" "5" "19/03/2025" "shadow\-utils 4\&.17\&.4" "File Formats and Configuration"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
--- a/man/da/man8/groupdel.8
+++ b/man/da/man8/groupdel.8
@@ -2,12 +2,12 @@
 .\"     Title: groupdel
 .\"    Author: Julianne Frances Haugh
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 24/02/2025
+.\"      Date: 19/03/2025
 .\"    Manual: System Management Commands
-.\"    Source: shadow-utils 4.17.3
+.\"    Source: shadow-utils 4.17.4
 .\"  Language: Danish
 .\"
-.TH "GROUPDEL" "8" "24/02/2025" "shadow\-utils 4\&.17\&.3" "System Management Commands"
+.TH "GROUPDEL" "8" "19/03/2025" "shadow\-utils 4\&.17\&.4" "System Management Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
--- a/man/da/man8/logoutd.8
+++ b/man/da/man8/logoutd.8
@@ -2,12 +2,12 @@
 .\"     Title: logoutd
 .\"    Author: Julianne Frances Haugh
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 24/02/2025
+.\"      Date: 19/03/2025
 .\"    Manual: System Management Commands
-.\"    Source: shadow-utils 4.17.3
+.\"    Source: shadow-utils 4.17.4
 .\"  Language: Danish
 .\"
-.TH "LOGOUTD" "8" "24/02/2025" "shadow\-utils 4\&.17\&.3" "System Management Commands"
+.TH "LOGOUTD" "8" "19/03/2025" "shadow\-utils 4\&.17\&.4" "System Management Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
--- a/man/da/man8/nologin.8
+++ b/man/da/man8/nologin.8
@@ -2,12 +2,12 @@
 .\"     Title: nologin
 .\"    Author: Nicolas Fran\(,cois <nicolas.francois@centraliens.net>
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 24/02/2025
+.\"      Date: 19/03/2025
 .\"    Manual: System Management Commands
-.\"    Source: shadow-utils 4.17.3
+.\"    Source: shadow-utils 4.17.4
 .\"  Language: Danish
 .\"
-.TH "NOLOGIN" "8" "24/02/2025" "shadow\-utils 4\&.17\&.3" "System Management Commands"
+.TH "NOLOGIN" "8" "19/03/2025" "shadow\-utils 4\&.17\&.4" "System Management Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
--- a/man/da/man8/vipw.8
+++ b/man/da/man8/vipw.8
@@ -2,12 +2,12 @@
 .\"     Title: vipw
 .\"    Author: Marek Micha\(/lkiewicz
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 24/02/2025
+.\"      Date: 19/03/2025
 .\"    Manual: System Management Commands
-.\"    Source: shadow-utils 4.17.3
+.\"    Source: shadow-utils 4.17.4
 .\"  Language: Danish
 .\"
-.TH "VIPW" "8" "24/02/2025" "shadow\-utils 4\&.17\&.3" "System Management Commands"
+.TH "VIPW" "8" "19/03/2025" "shadow\-utils 4\&.17\&.4" "System Management Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
--- a/man/de/man1/chage.1
+++ b/man/de/man1/chage.1
@@ -2,12 +2,12 @@
 .\"     Title: chage
 .\"    Author: Julianne Frances Haugh
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 24.02.2025
+.\"      Date: 19.03.2025
 .\"    Manual: User Commands
-.\"    Source: shadow-utils 4.17.3
+.\"    Source: shadow-utils 4.17.4
 .\"  Language: German
 .\"
-.TH "CHAGE" "1" "24.02.2025" "shadow\-utils 4\&.17\&.3" "User Commands"
+.TH "CHAGE" "1" "19.03.2025" "shadow\-utils 4\&.17\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
--- a/man/de/man1/chfn.1
+++ b/man/de/man1/chfn.1
@@ -2,12 +2,12 @@
 .\"     Title: chfn
 .\"    Author: Julianne Frances Haugh
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 24.02.2025
+.\"      Date: 19.03.2025
 .\"    Manual: User Commands
-.\"    Source: shadow-utils 4.17.3
+.\"    Source: shadow-utils 4.17.4
 .\"  Language: German
 .\"
-.TH "CHFN" "1" "24.02.2025" "shadow\-utils 4\&.17\&.3" "User Commands"
+.TH "CHFN" "1" "19.03.2025" "shadow\-utils 4\&.17\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`rm_conffile /etc/cron.daily/passwd 1:4.7-2~`
				`@@ -1 +0,0 @@`
				`deb: libsubid 5 libsubid5 (= ${binary:Version})`