ELA 1:4.5-1.1+deb10u1

Breaks on old version to force lockstep upgrade, which should
really be a depends-new-version (and can be switched around
together with util-linux once the transition is finished).
Using Breaks/Depends the 'wrong' way around is to make apt
unpack things in the 'right' order (avoiding any gaps where
/bin/su is not available during the upgrade phase).

.gitignore

@@ -7,6 +7,7 @@ lib*.a
 .deps
 .libs
 
+*.patch
 *.rej
 *.orig
 
@@ -17,6 +18,7 @@ Makefile.in
 /aclocal.m4
 /autom4te.cache
 /compile
+/config.cache
 /config.guess
 /config.h
 /config.h.in
@@ -44,4 +46,5 @@ Makefile.in
 /po/stamp-po
 
 /shadow.spec
+/shadow-*.tar.*
 /libmisc/getdate.c

.travis.yml

@@ -0,0 +1,20 @@
+sudo: false
+
+language: c
+
+compiler:
+  - gcc
+  - clang
+
+addons:
+  apt:
+    packages:
+      - autopoint
+      - xsltproc
+
+script:
+ - ./autogen.sh --without-selinux --disable-man
+ - grep ENABLE_ config.status
+ - make
+
+# vim:et:ts=2:sw=2

ChangeLog

@@ -1,3 +1,84 @@
+2016-05-17  Serge Hallyn <serge@hallyn.com>
+
+	* Release 4.5
+
+2016-05-17  Serge Hallyn <serge@hallyn.com>
+
+	* Patch from Tobias Stoeckmann fixing regression in previous CVE fix
+	  preventing SIGTERM to su from being propagated to the job.
+	* Patch from Chris Lamb making sp_lstchg shadow field reproducible.
+	* Merge Russian translation updates from Yuri Kozlov
+	* Fix missing close of subuid file on error
+
+2016-02-23  Serge Hallyn <serge@hallyn.com>
+
+	* Merge patch by Tobias Stoeckmann <tobias@stoeckmann.org> to fix
+	  the equivalent of util-linux CVE-2017-2616.
+
+2016-02-08  Serge Hallyn <serge@hallyn.com>
+
+	* Update Kazakh translations
+	* Consult configuration before calculating subuids
+	* Remove misplaced semicolon
+
+2016-01-29  Serge Hallyn <serge@hallyn.com>
+
+	* Patch from Fedora to improve performance with SSSD, Winbind,
+	  or nss_ldap. (Tomas Mraz)
+	* Make sure knowndef_table is NULL-terminated.  (Bernhard Rosenkränzer)
+
+2016-12-21  Serge Hallyn <serge@hallyn.com>
+
+	* Drop leading underscore from _COMMONIO_H and _SHADOWIO_H
+	* Fix readability in usermod error messages.
+	* Reset user in tallylog
+	* Add audit support to su
+
+2016-12-02  Serge Hallyn <serge@hallyn.com>
+
+	* changes since 4.4
+	  - Use sizeof rather than hardcoding snprintf args
+	  - Fix useradd improper default loading
+	  - Update Vietnamese translations
+	  - Update Polish translations
+	  - Remove non-POSIX chmod option in Makefile
+	  - Fix suidubins assignments
+	  - Fix --add-subuids etc spelling in manpages
+	  - Audit homedir ownership change.
+	  - Print error on selinux file context update failure
+	  - Keep original file perms when creating a backup
+
+	* (henceforth we'll update Changelog with each commit
+	  and proper credit)
+
+2016-12-02  Serge Hallyn <serge@hallyn.com>
+
+	* Changes since 4.2.1:
+	  - Documentation, error report and translations updates
+	  - Replace path_max with 32
+	  - User namespace support fixes/updates including:
+	    - Correct sanity checks in newXidmap
+	    - Fix building without subuid support
+	    - Add /etc/subuid support for UID matching
+	    - Support subuid for nonlocal users
+	    - Default to 65536 subuid allocations
+	    - Respect -r
+	    - Check for range overflows
+	  - Add tests from svn tree
+	  - Use AC_CHECK_SIZEOF for uid_t size checks
+	  - Accomodate missing /etc and login.defs
+	  - Support FORCE_SHADOW
+	  - Be more robust in hostile environment
+	  - Allow removing a primary group
+	  - Clear passwords on __pw_dup errors
+	  - Memory leak fix in commonio_update and get_map_ranges
+	  - Fix resource leak in syslog_sg
+	  - Fix user busy error at userdel
+	  - Support set/clear lastlog record via lastlog command
+	  - Add --no-create-home as longopt for -M
+	  - Fix signal races
+	  - Reduce syslog priority of common usage events
+
 2013-08-25  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* src/vipw.c: After waitpid(), use errno only if waitpid returned

Makefile.am

@@ -2,7 +2,5 @@
 
 EXTRA_DIST = NEWS README TODO shadow.spec.in
 
-AUTOMAKE_OPTIONS = 1.5 dist-bzip2 foreign
-
 SUBDIRS = po man libmisc lib src \
 	contrib doc etc

README

@@ -117,5 +117,6 @@ Maintainers
 ===========
 
 Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
-Nicolas François <nicolas.francois@centraliens.net> (2007-now)
+Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
+Serge E. Hallyn <serge@hallyn.com> (2014-now)
 

configure.ac

@@ -1,6 +1,9 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_INIT
-AM_INIT_AUTOMAKE(shadow, 4.4)
+AC_PREREQ([2.64])
+AC_INIT([shadow], [4.5], [pkg-shadow-devel@lists.alioth.debian.org], [],
+	[https://github.com/shadow-maint/shadow])
+AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
+AM_SILENT_RULES([yes])
 AC_CONFIG_HEADERS([config.h])
 
 dnl Some hacks...

debian/README.source

@@ -1,17 +1,4 @@
-This package uses quilt to patch the upstream source.
-
-You can find some info on how to generate the patched source, add a new
-modification, and remove an existing modification on:
-	/usr/share/doc/quilt/README.source
-
-================================================================================
-
-To package a new upstream release, you can use the Makefile:
-	svn://svn.debian.org/svn/pkg-shadow/debian/trunk/Makefile
-
-================================================================================
-
 A testsuite is also available. Instruction on how to run this testsuite
-are available on:
-	svn://svn.debian.org/svn/pkg-shadow/debian/trunk/tests/README
+are available in tests/README
 
+ -- Balint Reczey <rbalint@ubuntu.com>, Sat, 12 Aug 2017 18:46:44 -0400

debian/changelog

@@ -1,3 +1,70 @@
+shadow (1:4.5-1.1+deb10u1) buster-security; urgency=medium
+
+  * Non-maintainer upload by the ELTS Team.
+  * CVE-2018-7169: unprivileged user can drop supplementary groups
+  * CVE-2023-4641: gpasswd password leak
+  * CVE-2023-29383: chfn missing control character check
+
+ -- Adrian Bunk <bunk@debian.org>  Sat, 26 Oct 2024 15:24:09 +0300
+
+shadow (1:4.5-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload (greetings from DebCamp/DebConf Taiwan).
+  * Stop shipping su and break old util-linux version. (See #833256)
+    - Breaks on old version to force lockstep upgrade, which should
+      really be a depends-new-version (and can be switched around
+      together with util-linux once the transition is finished).
+      Using Breaks/Depends the 'wrong' way around is to make apt
+      unpack things in the 'right' order (avoiding any gaps where
+      /bin/su is not available during the upgrade phase).
+
+ -- Andreas Henriksson <andreas@fatal.se>  Fri, 27 Jul 2018 10:07:37 +0200
+
+shadow (1:4.5-1) unstable; urgency=medium
+
+  * New upstream version 4.5
+    - Fix buffer overflow if NULL line is present in db (CVE-2017-12424)
+      (Closes: #756630)
+    - Make the sp_lstchg shadow field reproducible (Closes: #857803)
+    - Fix regression in useradd not loading defaults properly.
+      (Closes: #865762)
+  * Refresh patches
+  * Drop patches manipulating su argument concatenation:
+  * Cut redundant information from Debian-specific README files
+  * Revert adding pts/0 and pts/1 to securetty.
+    Adding pts/* defeats the purpose of securetty. Let containers add it if
+    needed as described in #830255.
+  * Use my @ubuntu.com email address in Maintainer field
+
+ -- Balint Reczey <rbalint@ubuntu.com>  Wed, 27 Sep 2017 12:45:23 -0400
+
+shadow (1:4.4-4.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Reset pid_child only if waitpid was successful.
+    This is a regression fix for CVE-2017-2616. If su receives a signal like
+    SIGTERM, it is not propagated to the child. (Closes: #862806)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 17 May 2017 13:59:59 +0200
+
+shadow (1:4.4-4) unstable; urgency=high
+
+  * su: properly clear child PID (CVE-2017-2616) (Closes: #855943)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Fri, 24 Feb 2017 01:33:25 +0100
+
+shadow (1:4.4-3) unstable; urgency=medium
+
+  [ Balint Reczey ]
+  * Clean up stale locks on boot (Closes: #478771)
+  * Sync motd handling with sshd.
+    Using patch from Ubuntu (Closes: #757148)
+
+  [ Stéphane Graber ]
+  * Add missing /etc/{subgid|subuid} in postinst
+
+ -- Balint Reczey <balint@balintreczey.hu>  Wed, 25 Jan 2017 16:43:09 +0100
+
 shadow (1:4.4-2) unstable; urgency=medium
 
   [ Balint Reczey ]

debian/control

@@ -1,7 +1,7 @@
 Source: shadow
 Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
 Uploaders: Christian Perrier <bubulle@debian.org>,
-           Balint Reczey <balint@balintreczey.hu>,
+           Balint Reczey <rbalint@ubuntu.com>,
            Serge Hallyn <serge@hallyn.com>
 Section: admin
 Priority: required
@@ -48,7 +48,8 @@ Pre-Depends: ${shlibs:Depends},
              libpam-modules (>= 1.1.8-1)
 Breaks: coreutils (<< 8.21~) [hurd-any],
         passwd (<< 1:4.1.5.1-2~) [hurd-any],
-        hurd (<< 20140206~) [hurd-any]
+        hurd (<< 20140206~) [hurd-any],
+        util-linux (<< 2.32-0.2~)
 Conflicts: gnunet (<< 0.7.0c-2),
            amavisd-new (<< 2.3.3-8),
            python-4suite (<< 0.99cvs20060405-1),

debian/login.install

@@ -2,7 +2,6 @@ usr/share/locale/*/LC_MESSAGES/shadow.mo
 usr/share/man/*/man1/login.1
 usr/share/man/*/man1/newgrp.1
 usr/share/man/*/man1/sg.1
-usr/share/man/*/man1/su.1
 usr/share/man/*/man5/faillog.5
 usr/share/man/*/man5/login.defs.5
 usr/share/man/*/man8/faillog.8
@@ -11,7 +10,6 @@ usr/share/man/*/man8/nologin.8
 usr/share/man/man1/login.1
 usr/share/man/man1/newgrp.1
 usr/share/man/man1/sg.1
-usr/share/man/man1/su.1
 usr/share/man/man5/faillog.5
 usr/share/man/man5/login.defs.5
 usr/share/man/man8/faillog.8
@@ -22,4 +20,3 @@ usr/bin/faillog
 usr/bin/lastlog
 usr/bin/newgrp
 bin/login
-bin/su

debian/login.pam

@@ -92,8 +92,10 @@ session    optional   pam_lastlog.so
 
 # Prints the message of the day upon successful login.
 # (Replaces the `MOTD_FILE' option in login.defs)
-session    optional   pam_exec.so type=open_session stdout /bin/uname -snrvm
-session    optional   pam_motd.so
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
 
 # Prints the status of the user's mailbox upon successful login
 # (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 

debian/login.postinst

@@ -16,14 +16,26 @@ then
 fi
 rm -f /etc/pam.d/login.pre-upgrade 2>/dev/null
 
-if [ "$1" = "configure" ] && [ "$2" = "" ]
-then
+if [ "$1" = "configure" ]; then
 	# Install faillog during initial installs only
-	if [ ! -f /var/log/faillog ] ; then
+	if [ "$2" = "" ] && [ ! -f /var/log/faillog ] ; then
 		touch /var/log/faillog
 		chown root:root /var/log/faillog
 		chmod 644 /var/log/faillog
 	fi
+
+	# Create subuid/subgid if missing
+	if [ ! -e /etc/subuid ]; then
+		touch /etc/subuid
+		chown root:root /etc/subuid
+		chmod 644 /etc/subuid
+	fi
+
+	if [ ! -e /etc/subgid ]; then
+		touch /etc/subgid
+		chown root:root /etc/subgid
+		chmod 644 /etc/subgid
+	fi
 fi
 
         # Create subuid/subgid if missing

debian/passwd.tmpfile

@@ -0,0 +1,8 @@
+# If a password operation is in progress and we lose power, stale lockfiles
+# can be left behind.  Clear them on boot.
+r! /etc/gshadow.lock
+r! /etc/shadow.lock
+r! /etc/passwd.lock
+r! /etc/group.lock
+r! /etc/subuid.lock
+r! /etc/subgid.lock

debian/patches/0001-Typos-fix-in-german-translation-of-man-pages.patch

@@ -1,44 +0,0 @@
-From bdd68116b7c5f3cbb29ea4fe3bb81e338e9544f7 Mon Sep 17 00:00:00 2001
-From: Simon Kainz <simon@familiekainz.at>
-Date: Wed, 18 Jan 2017 17:24:04 +0100
-Subject: [PATCH 1/2] Typos fix in german translation of man pages
-
-Reported to Debian BTS in #734609
----
- man/po/de.po | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/man/po/de.po b/man/po/de.po
-index b4d7218..340e15d 100644
---- a/man/po/de.po
-+++ b/man/po/de.po
-@@ -3087,7 +3087,7 @@ msgstr "5"
- #: limits.5.xml:61(refmiscinfo) gshadow.5.xml:48(refmiscinfo)
- #: faillog.5.xml:59(refmiscinfo)
- msgid "File Formats and Conversions"
--msgstr "Dateiformate und -konvertierung"
-+msgstr "Dateiformate und konvertierung"
- 
- #: suauth.5.xml:65(refpurpose)
- msgid "detailed su control file"
-@@ -4370,7 +4370,7 @@ msgstr ""
- 
- #: shadow.5.xml:235(para)
- msgid "An empty field means that the account will never expire."
--msgstr "Ein leeren Feld bedeutet, dass das Konto nicht verfallen wird."
-+msgstr "Ein leeres Feld bedeutet, dass das Konto nicht verfallen wird."
- 
- #: shadow.5.xml:238(para)
- msgid ""
-@@ -6961,7 +6961,7 @@ msgid ""
- "contents of this file should be a message indicating why logins are "
- "inhibited."
- msgstr ""
--"Falls angegeben, der Name einer Datei, dessen Existenz Anmeldungen außer von "
-+"Falls angegeben, der Name einer Datei, deren Existenz Anmeldungen außer von "
- "Root verhindert. Der Inhalt der Datei sollte die Gründe enthalten, weshalb "
- "Anmeldungen untersagt sind."
- 
--- 
-2.1.4
-

debian/patches/0001-newgidmap-enforce-setgroups-deny-if-self-mapping-a-g.patch

@@ -0,0 +1,183 @@
+From 11fc74ffc7172c587bbd2a6399defbd53eab97c6 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Thu, 15 Feb 2018 23:49:40 +1100
+Subject: newgidmap: enforce setgroups=deny if self-mapping a group
+
+This is necessary to match the kernel-side policy of "self-mapping in a
+user namespace is fine, but you cannot drop groups" -- a policy that was
+created in order to stop user namespaces from allowing trivial privilege
+escalation by dropping supplementary groups that were "blacklisted" from
+certain paths.
+
+This is the simplest fix for the underlying issue, and effectively makes
+it so that unless a user has a valid mapping set in /etc/subgid (which
+only administrators can modify) -- and they are currently trying to use
+that mapping -- then /proc/$pid/setgroups will be set to deny. This
+workaround is only partial, because ideally it should be possible to set
+an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
+administrators to further restrict newgidmap(1).
+
+We also don't write anything in the "allow" case because "allow" is the
+default, and users may have already written "deny" even if they
+technically are allowed to use setgroups. And we don't write anything if
+the setgroups policy is already "deny".
+
+Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
+Fixes: CVE-2018-7169
+Reported-by: Craig Furman <craig.furman89@gmail.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ src/newgidmap.c | 89 ++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 80 insertions(+), 9 deletions(-)
+
+diff --git a/src/newgidmap.c b/src/newgidmap.c
+index b1e33513..59a2e75c 100644
+--- a/src/newgidmap.c
++++ b/src/newgidmap.c
+@@ -46,32 +46,37 @@
+  */
+ const char *Prog;
+ 
+-static bool verify_range(struct passwd *pw, struct map_range *range)
++
++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
+ {
+ 	/* An empty range is invalid */
+ 	if (range->count == 0)
+ 		return false;
+ 
+-	/* Test /etc/subgid */
+-	if (have_sub_gids(pw->pw_name, range->lower, range->count))
++	/* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
++	if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
++		*allow_setgroups = true;
+ 		return true;
++	}
+ 
+-	/* Allow a process to map its own gid */
+-	if ((range->count == 1) && (pw->pw_gid == range->lower))
++	/* Allow a process to map its own gid. */
++	if ((range->count == 1) && (pw->pw_gid == range->lower)) {
++		/* noop -- if setgroups is enabled already we won't disable it. */
+ 		return true;
++	}
+ 
+ 	return false;
+ }
+ 
+ static void verify_ranges(struct passwd *pw, int ranges,
+-	struct map_range *mappings)
++	struct map_range *mappings, bool *allow_setgroups)
+ {
+ 	struct map_range *mapping;
+ 	int idx;
+ 
+ 	mapping = mappings;
+ 	for (idx = 0; idx < ranges; idx++, mapping++) {
+-		if (!verify_range(pw, mapping)) {
++		if (!verify_range(pw, mapping, allow_setgroups)) {
+ 			fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
+ 				Prog,
+ 				mapping->upper,
+@@ -89,6 +94,70 @@ static void usage(void)
+ 	exit(EXIT_FAILURE);
+ }
+ 
++void write_setgroups(int proc_dir_fd, bool allow_setgroups)
++{
++	int setgroups_fd;
++	char *policy, policy_buffer[4096];
++
++	/*
++	 * Default is "deny", and any "allow" will out-rank a "deny". We don't
++	 * forcefully write an "allow" here because the process we are writing
++	 * mappings for may have already set themselves to "deny" (and "allow"
++	 * is the default anyway). So allow_setgroups == true is a noop.
++	 */
++	policy = "deny\n";
++	if (allow_setgroups)
++		return;
++
++	setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
++	if (setgroups_fd < 0) {
++		/*
++		 * If it's an ENOENT then we are on too old a kernel for the setgroups
++		 * code to exist. Emit a warning and bail on this.
++		 */
++		if (ENOENT == errno) {
++			fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
++			goto out;
++		}
++		fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++	/*
++	 * Check whether the policy is already what we want. /proc/self/setgroups
++	 * is write-once, so attempting to write after it's already written to will
++	 * fail.
++	 */
++	if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
++		fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (!strncmp(policy_buffer, policy, strlen(policy)))
++		goto out;
++
++	/* Write the policy. */
++	if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
++		fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (dprintf(setgroups_fd, "%s", policy) < 0) {
++		fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
++			Prog,
++			policy,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++out:
++	close(setgroups_fd);
++}
++
+ /*
+  * newgidmap - Set the gid_map for the specified process
+  */
+@@ -103,6 +172,7 @@ int main(int argc, char **argv)
+ 	struct stat st;
+ 	struct passwd *pw;
+ 	int written;
++	bool allow_setgroups = false;
+ 
+ 	Prog = Basename (argv[0]);
+ 
+@@ -145,7 +215,7 @@ int main(int argc, char **argv)
+ 				(unsigned long) getuid ()));
+ 		return EXIT_FAILURE;
+ 	}
+-	
++
+ 	/* Get the effective uid and effective gid of the target process */
+ 	if (fstat(proc_dir_fd, &st) < 0) {
+ 		fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
+@@ -177,8 +247,9 @@ int main(int argc, char **argv)
+ 	if (!mappings)
+ 		usage();
+ 
+-	verify_ranges(pw, ranges, mappings);
++	verify_ranges(pw, ranges, mappings, &allow_setgroups);
+ 
++	write_setgroups(proc_dir_fd, allow_setgroups);
+ 	write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
+ 	sub_gid_close();
+ 
+-- 
+2.30.2
+

debian/patches/0002-Last-bits-of-enabling-subuids.patch

@@ -1,29 +0,0 @@
-From 578d495f91af8dc5dd774d4310ca06f7013712e7 Mon Sep 17 00:00:00 2001
-From: Micah Anderson <micah@riseup.net>
-Date: Wed, 18 Jan 2017 18:06:05 +0100
-Subject: [PATCH 2/2] Last bits of enabling subuids
-
-This patch has been carried by Debian, originally
-submitted to BTS in #739981
----
- src/newusers.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/newusers.c b/src/newusers.c
-index 724cbb4..0c0cfe4 100644
---- a/src/newusers.c
-+++ b/src/newusers.c
-@@ -988,8 +988,8 @@ int main (int argc, char **argv)
- 	is_shadow_grp = sgr_file_present ();
- #endif
- #ifdef ENABLE_SUBIDS
--	is_sub_uid = sub_uid_file_present ();
--	is_sub_gid = sub_gid_file_present ();
-+	is_sub_uid = sub_uid_file_present () && !rflg;
-+	is_sub_gid = sub_gid_file_present () && !rflg;
- #endif				/* ENABLE_SUBIDS */
- 
- 	open_files ();
--- 
-2.1.4
-

debian/patches/0002-gpasswd-1-Fix-password-leak.patch

@@ -0,0 +1,142 @@
+From cbfa2ff40ce629f55ddd67e3490c311dfcaa4462 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process.  It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> -  ptrace (requires ptrace privileges, mediated by YAMA)
+> -  causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack.  Those copies won't get zeroed
+by explicit_bzero(3).  However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3).  But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible.  Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit.  Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All.  Bug introduced in shadow 19990709.  That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index c4a492b1..cbbd8068 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -917,6 +917,7 @@ static void change_passwd (struct group *gr)
+ 		strzero (cp);
+ 		cp = getpass (_("Re-enter new password: "));
+ 		if (NULL == cp) {
++			memzero (pass, sizeof pass);
+ 			exit (1);
+ 		}
+ 
+-- 
+2.30.2
+

debian/patches/0003-Added-control-character-check.patch

@@ -0,0 +1,45 @@
+From b42c60bc8f026b250810a75bafe865338d734ec3 Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 649fae17..b8f13ba7 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -44,9 +44,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *       contains a non-printable character.
++ *  + -1 is returned if an illegal or control character is present.
++ *  +  1 is returned if no illegal or control characters are present,
++ *       but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+  */
+ int valid_field (const char *field, const char *illegal)
+@@ -68,10 +68,13 @@ int valid_field (const char *field, const char *illegal)
+ 	}
+ 
+ 	if (0 == err) {
+-		/* Search if there are some non-printable characters */
++		/* Search if there are non-printable or control characters */
+ 		for (cp = field; '\0' != *cp; cp++) {
+ 			if (!isprint (*cp)) {
+ 				err = 1;
++			}
++			if (!iscntrl (*cp)) {
++				err = -1;
+ 				break;
+ 			}
+ 		}
+-- 
+2.30.2
+

debian/patches/0004-Overhaul-valid_field.patch

@@ -0,0 +1,61 @@
+From 261c9cd274f07361c304d3993e325fe29d4bad14 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index b8f13ba7..191257e8 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -60,26 +60,22 @@ int valid_field (const char *field, const char *illegal)
+ 
+ 	/* For each character of field, search if it appears in the list
+ 	 * of illegal characters. */
++	if (illegal && NULL != strpbrk (field, illegal)) {
++		return -1;
++	}
++
++	/* Search if there are non-printable or control characters */
+ 	for (cp = field; '\0' != *cp; cp++) {
+-		if (strchr (illegal, *cp) != NULL) {
++		unsigned char c = *cp;
++		if (!isprint (c)) {
++			err = 1;
++		}
++		if (iscntrl (c)) {
+ 			err = -1;
+ 			break;
+ 		}
+ 	}
+ 
+-	if (0 == err) {
+-		/* Search if there are non-printable or control characters */
+-		for (cp = field; '\0' != *cp; cp++) {
+-			if (!isprint (*cp)) {
+-				err = 1;
+-			}
+-			if (!iscntrl (*cp)) {
+-				err = -1;
+-				break;
+-			}
+-		}
+-	}
+-
+ 	return err;
+ }
+ 
+-- 
+2.30.2
+

debian/patches/0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch

@@ -1,98 +0,0 @@
-From 8a122a90fa2afe39f2b1e56c5d45ea20f486bf0b Mon Sep 17 00:00:00 2001
-From: Lars Bahner <bahner@debian.org>
-Date: Thu, 19 Jan 2017 17:50:24 +0100
-Subject: [PATCH 7/7] Fix some spelling issues in the Norwegian translation
-
----
- po/nb.po | 13 +++++++------
- po/nl.po |  8 ++++----
- 2 files changed, 11 insertions(+), 10 deletions(-)
-
-diff --git a/po/nb.po b/po/nb.po
-index d42a864..7ad1ecb 100644
---- a/po/nb.po
-+++ b/po/nb.po
-@@ -7,12 +7,13 @@
- # Bjørn Steensrud <bjornst@powertech.no>, 2006.
- # Bjørn Steensrud <bjornst@skogkatt.homelinux.org>, 2009, 2012.
- # Hans Fredrik Nordhaug <hans@nordhaug.priv.no>, 2012.
-+# Lars Bahner <bahner@debian.org>, 2015
- msgid ""
- msgstr ""
- "Project-Id-Version: shadow 4.0.17\n"
- "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n"
- "POT-Creation-Date: 2016-09-18 14:03-0500\n"
--"PO-Revision-Date: 2012-01-18 17:19+0100\n"
-+"PO-Revision-Date: 2015-09-30 18:15+0100\n"
- "Last-Translator: Bjørn Steensrud <bjornst@skogkatt.homelinux.org>\n"
- "Language-Team: Norwegian Bokmål <i18n-nb@lister.ping.uio.no>\n"
- "Language: nb\n"
-@@ -20,7 +21,7 @@ msgstr ""
- "Content-Type: text/plain; charset=UTF-8\n"
- "Content-Transfer-Encoding: 8bit\n"
- "Plural-Forms: nplurals=2; plural=(n != 1);\n"
--"X-Generator: Lokalize 1.2\n"
-+"X-Generator: Poedit 1.7.5\n"
- 
- #, c-format
- msgid ""
-@@ -48,10 +49,9 @@ msgstr "feil med oppsettet - ukjent element «%s» (kontakt administrator)\n"
- msgid "%s: nscd did not terminate normally (signal %d)\n"
- msgstr "%s: nscd avsluttet ikke normallt (signal %d)\n"
- 
--#, fuzzy, c-format
--#| msgid "%s: nscd exited with status %d"
-+#, c-format
- msgid "%s: nscd exited with status %d\n"
--msgstr "%s: nscd avsluttet med status %d"
-+msgstr "%s: nscd avsluttet med status %d\n"
- 
- msgid "Password: "
- msgstr "Passord: "
-@@ -415,8 +415,9 @@ msgstr "passwd: %s\n"
- msgid "passwd: password unchanged\n"
- msgstr "passwd: passordet er uendret\n"
- 
-+#, fuzzy
- msgid "passwd: password updated successfully\n"
--msgstr "passwd: passorder ble oppdatert\n"
-+msgstr "passwd: passordet ble oppdatert\n"
- 
- #, c-format
- msgid "Incorrect password for %s.\n"
-diff --git a/po/nl.po b/po/nl.po
-index 923c1d1..6cbabdd 100644
---- a/po/nl.po
-+++ b/po/nl.po
-@@ -745,7 +745,7 @@ msgstr "%s: ongeldige naam: '%s'\n"
- 
- #, c-format
- msgid "%s: room number with non-ASCII characters: '%s'\n"
--msgstr "%s: kamernummer bevat niet-ASCII tekens: '%s'"
-+msgstr "%s: kamernummer bevat niet-ASCII tekens: '%s'\n"
- 
- #, c-format
- msgid "%s: invalid room number: '%s'\n"
-@@ -1571,7 +1571,7 @@ msgstr "Ongeldig wachtwoord.\n"
- 
- #, c-format
- msgid "%s: failure forking: %s\n"
--msgstr "%s: nieuw proces beginnen is mislukt: %s"
-+msgstr "%s: nieuw proces beginnen is mislukt: %s\n"
- 
- #, c-format
- msgid "%s: GID '%lu' does not exist\n"
-@@ -2633,8 +2633,8 @@ msgstr "Kon bestand niet vergrendelen"
- msgid "Couldn't make backup"
- msgstr "Kon geen reservekopie maken"
- 
--#| msgid "Unable to open group file\n"
--msgid "failed to open scratch file"
-+#| msgid "Unable to open group file"
-+msgid "failed to open scratch file\n"
- msgstr "initieel bestand openen is mislukt\n"
- 
- #| msgid "%s: fields too long\n"
--- 
-2.1.4
-

debian/patches/401_cppw_src.dpatch

@@ -5,10 +5,8 @@
 ## DP: Add cppw / cpgr
 
 @DPATCH@
-Index: shadow-4.4/src/cppw.c
-===================================================================
 --- /dev/null
-+++ shadow-4.4/src/cppw.c
++++ b/src/cppw.c
 @@ -0,0 +1,238 @@
 +/*
 +  cppw, cpgr  copy with locking given file over the password or group file
@@ -248,11 +246,9 @@ Index: shadow-4.4/src/cppw.c
 +	return 0;
 +}
 +
-Index: shadow-4.4/src/Makefile.am
-===================================================================
---- shadow-4.4.orig/src/Makefile.am
-+++ shadow-4.4/src/Makefile.am
-@@ -29,6 +29,7 @@ if ENABLE_SUBIDS
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -30,6 +30,7 @@
  ubin_PROGRAMS += newgidmap newuidmap
  endif
  usbin_PROGRAMS = \
@@ -260,7 +256,7 @@ Index: shadow-4.4/src/Makefile.am
  	chgpasswd \
  	chpasswd \
  	groupadd \
-@@ -90,6 +91,7 @@ chfn_LDADD     = $(LDADD) $(LIBPAM) $(LI
+@@ -90,6 +91,7 @@
  chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
  chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
  chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
@@ -268,11 +264,9 @@ Index: shadow-4.4/src/Makefile.am
  gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
  groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
  groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
-Index: shadow-4.4/po/POTFILES.in
-===================================================================
---- shadow-4.4.orig/po/POTFILES.in
-+++ shadow-4.4/po/POTFILES.in
-@@ -85,6 +85,7 @@ src/chfn.c
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -85,6 +85,7 @@
  src/chgpasswd.c
  src/chpasswd.c
  src/chsh.c

debian/patches/501_commonio_group_shadow

@@ -2,10 +2,8 @@ Goal: save the [g]shadow files with the 'shadow' group and mode 0440
 
 Fixes: #166793
 
-Index: shadow-4.4/lib/commonio.c
-===================================================================
---- shadow-4.4.orig/lib/commonio.c
-+++ shadow-4.4/lib/commonio.c
+--- a/lib/commonio.c
++++ b/lib/commonio.c
 @@ -44,6 +44,7 @@
  #include <errno.h>
  #include <stdio.h>
@@ -14,7 +12,7 @@ Index: shadow-4.4/lib/commonio.c
  #include "nscd.h"
  #ifdef WITH_TCB
  #include <tcb.h>
-@@ -966,12 +967,23 @@ int commonio_close (struct commonio_db *
+@@ -963,12 +964,23 @@
  			goto fail;
  		}
  	} else {
@@ -38,11 +36,9 @@ Index: shadow-4.4/lib/commonio.c
  	}
  
  	snprintf (buf, sizeof buf, "%s+", db->filename);
-Index: shadow-4.4/lib/sgroupio.c
-===================================================================
---- shadow-4.4.orig/lib/sgroupio.c
-+++ shadow-4.4/lib/sgroupio.c
-@@ -228,7 +228,7 @@ static struct commonio_db gshadow_db = {
+--- a/lib/sgroupio.c
++++ b/lib/sgroupio.c
+@@ -229,7 +229,7 @@
  #ifdef WITH_SELINUX
  	NULL,			/* scontext */
  #endif
@@ -51,11 +47,9 @@ Index: shadow-4.4/lib/sgroupio.c
  	0,                      /* st_uid */
  	0,                      /* st_gid */
  	NULL,			/* head */
-Index: shadow-4.4/lib/shadowio.c
-===================================================================
---- shadow-4.4.orig/lib/shadowio.c
-+++ shadow-4.4/lib/shadowio.c
-@@ -104,7 +104,7 @@ static struct commonio_db shadow_db = {
+--- a/lib/shadowio.c
++++ b/lib/shadowio.c
+@@ -105,7 +105,7 @@
  #ifdef WITH_SELINUX
  	NULL,			/* scontext */
  #endif				/* WITH_SELINUX */

debian/patches/508_nologin_in_usr_sbin

@@ -1,8 +1,6 @@
-Index: git/src/Makefile.am
-===================================================================
---- git.orig/src/Makefile.am
-+++ git/src/Makefile.am
-@@ -23,7 +23,6 @@
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -24,7 +24,6 @@
  # $prefix/bin and $prefix/sbin, no install-data hacks...)
  
  bin_PROGRAMS   = groups login su
@@ -10,7 +8,7 @@ Index: git/src/Makefile.am
  ubin_PROGRAMS  = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
  if ENABLE_SUBIDS
  ubin_PROGRAMS += newgidmap newuidmap
-@@ -41,6 +40,7 @@
+@@ -42,6 +41,7 @@
  	grpunconv \
  	logoutd \
  	newusers \

debian/patches/523_su_arguments_are_concatenated

@@ -1,50 +0,0 @@
-Goal: Concatenate the non-su arguments and provide them to the shell with
-      the -c option
-Fixes: #317264
-       see also #276419
-
-Status wrt upstream: This is a Debian specific patch.
-
-Note: the fix of the man page is still missing.
-      (to be taken from the trunk)
-
-Index: shadow-4.4/src/su.c
-===================================================================
---- shadow-4.4.orig/src/su.c
-+++ shadow-4.4/src/su.c
-@@ -1155,6 +1155,35 @@ int main (int argc, char **argv)
- 			argv[0] = "-c";
- 			argv[1] = command;
- 		}
-+		/* On Debian, the arguments are concatenated and the
-+		 * resulting string is always given to the shell with its
-+		 * -c option.
-+		 */
-+		{
-+			char **parg;
-+			unsigned int cmd_len = 0;
-+			char *cmd = NULL;
-+			if (strcmp(argv[0], "-c") != 0) {
-+				argv--;
-+				argv[0] = "-c";
-+			}
-+			/* Now argv[0] is always -c, and other arguments
-+			 * can be concatenated
-+			 */
-+			cmd_len = 1; /* finale '\0' */
-+			for (parg = &argv[1]; *parg; parg++) {
-+				cmd_len += strlen (*parg) + 1;
-+			}
-+			cmd = (char *) xmalloc (sizeof (char) * cmd_len);
-+			cmd[0] = '\0';
-+			for (parg = &argv[1]; *parg; parg++) {
-+				strcat (cmd, " ");
-+				strcat (cmd, *parg);
-+			}
-+			cmd[cmd_len - 1] = '\0';
-+			argv[1] = &cmd[1]; /* do not take first space */
-+			argv[2] = NULL;
-+		}
- 		/*
- 		 * Use the shell and create an argv
- 		 * with the rest of the command line included.

debian/patches/523_su_arguments_are_no_more_concatenated_by_default

@@ -1,52 +0,0 @@
-Goal: Do not concatenate the additional arguments, and support an
-      environment variable to revert to the old Debian's su behavior.
-
-This patch needs the su_arguments_are_concatenated patch.
-
-This patch, and su_arguments_are_concatenated should be dropped after
-Etch.
-
-Status wrt upstream: This patch is Debian specific.
-
-Index: shadow-4.4/src/su.c
-===================================================================
---- shadow-4.4.orig/src/su.c
-+++ shadow-4.4/src/su.c
-@@ -104,6 +104,19 @@ static char caller_name[BUFSIZ];
- /* If nonzero, change some environment vars to indicate the user su'd to. */
- static bool change_environment = true;
- 
-+/*
-+ * If nonzero, keep the old Debian behavior:
-+ *   * concatenate all the arguments and provide them to the -c option of
-+ *     the shell
-+ *   * If there are some additional arguments, but no -c, add a -c
-+ *     argument anyway
-+ * Drawbacks:
-+ *   * you can't provide options to the shell (other than -c)
-+ *   * you can't rely on the argument count
-+ * See http://bugs.debian.org/276419
-+ */
-+static int old_debian_behavior;
-+
- #ifdef USE_PAM
- static char kill_msg[256];
- static char wait_msg[256];
-@@ -952,6 +965,8 @@ int main (int argc, char **argv)
- 	int ret;
- #endif				/* USE_PAM */
- 
-+	old_debian_behavior = (getenv("SU_NO_SHELL_ARGS") != NULL);
-+
- 	(void) setlocale (LC_ALL, "");
- 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
- 	(void) textdomain (PACKAGE);
-@@ -1159,7 +1174,7 @@ int main (int argc, char **argv)
- 		 * resulting string is always given to the shell with its
- 		 * -c option.
- 		 */
--		{
-+		if (old_debian_behavior) {
- 			char **parg;
- 			unsigned int cmd_len = 0;
- 			char *cmd = NULL;

debian/patches/542_useradd-O_option

@@ -5,10 +5,8 @@ Note: useradd.8 needs to be regenerated.
 Status wrt upstream: not included as this is just specific 
                      backward compatibility for Debian
 
-Index: shadow-4.4/man/useradd.8.xml
-===================================================================
---- shadow-4.4.orig/man/useradd.8.xml
-+++ shadow-4.4/man/useradd.8.xml
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
 @@ -329,6 +329,11 @@
  	    databases are reset to avoid reusing the entry from a previously
  	    deleted user.
@@ -21,11 +19,9 @@ Index: shadow-4.4/man/useradd.8.xml
  	</listitem>
        </varlistentry>
        <varlistentry>
-Index: shadow-4.4/src/useradd.c
-===================================================================
---- shadow-4.4.orig/src/useradd.c
-+++ shadow-4.4/src/useradd.c
-@@ -1056,9 +1056,9 @@ static void process_flags (int argc, cha
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -1059,9 +1059,9 @@
  		};
  		while ((c = getopt_long (argc, argv,
  #ifdef WITH_SELINUX
@@ -37,7 +33,7 @@ Index: shadow-4.4/src/useradd.c
  #endif				/* !WITH_SELINUX */
  		                         long_options, NULL)) != -1) {
  			switch (c) {
-@@ -1181,6 +1181,7 @@ static void process_flags (int argc, cha
+@@ -1184,6 +1184,7 @@
  				kflg = true;
  				break;
  			case 'K':

debian/patches/README.patches

@@ -8,17 +8,6 @@ Small intro to the system for numbering the patches here...
 
  NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES
 
--The 1xx series are l10n patches to upstream 4.0.18.1. As upstream has
- adopted Debian translations, it is very likely that these patches
- will become useless when we will have synced with upstream
-
--The 2xx series are patches for manual pages translations to upstream
- 4.0.18.1.
-
--The 3xx series are patches which have been temporarily applied to 
- Debian's shadow while we *know* they have been applied upstream as well
- These patches should NOT be kept when we will sync with upstream
-
 -The 4xx series are patches which have been applied to Debian's shadow
  and have NOT been accepted and/or applied upstream. These patches MUST be kept
  even after resynced with upstream
@@ -31,43 +20,3 @@ In short, while we are working towards synchronisation with upstream,
 our goal is to make 0xx patches disappear by moving them either to 3xx
 series (things already implemented upstream) or to 4xx series
 (Debian-specific patches).
-
-
-Short HOWTO for quilt
-=====================
-
-The quilt system can be assimilated to a Pile Of Patches management system.
-Patches live in debian/patches, the working directory is "."
-
-The basic commands are (abbreviation accepted):
-quilt push (asks to apply the next patch in the pile)
-quilt pop  (removes the current patch and go up in the pile)
-quilt refresh (take the current changes in tree onto the patch)
-
-When a file is changed by a patch, quilt saves it somewhere under .pc on
-application. This is how it can refresh it afterward (comparing the version
-in .pc and the one you currently have in your working dir).
-
-There are three common pitfalls with quilt:
- - doing "quilt pop" without doing "quilt refresh". The version of current
-     dir is replaced with the version of the .pc dir. Your changes are lost.
-   Quilt wont let you do so, but you can force it with '-f' if you're fool.
- - editing a file with is not in the patch yet. Quilt didn't do any previous
-     backup.
-   Use "quilt add" to add files to patches.
-   Set $EDITOR and use "quilt edit" to edit a file, and add it onto the
-     patch if needed.
- - If you update your working directory, patches may not revert cleanly.
-   It is thus recommended to use "quilt pop -a" before updating with
-   "svn up".
-   If you forget (and run into trouble), you may want to remove the whole
-   shadow-?.?.? directory. If you use the makefile which is in the upper
-   directory (trunk/), shadow-?.?.?/debian/patches is a link to
-   debian/patches, so this dirctory does not contain any valuable info.
-
-The documentation is quite well done, I think. "quilt -h" will list you the
-commands. "quilt <cmd> -h" will give you some hints about it. "man quilt" is
-a reference documentation. /usr/share/doc/quilt/quilt.pdf.gz is a complete
-manual, with tutorial.
-
-

debian/patches/series

@@ -1,10 +1,3 @@
-0001-Typos-fix-in-german-translation-of-man-pages.patch
-0002-Last-bits-of-enabling-subuids.patch
-0003-Dutch-translation-update.patch
-0004-Updated-Czech-translation.patch
-0005-Update-for-German-man-pages.patch
-0006-French-manpage-translation.patch
-0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch
 # These patches are only for the testsuite:
 #900_testsuite_groupmems
 #901_testsuite_gcov
@@ -18,10 +11,10 @@
 506_relaxed_usernames
 542_useradd-O_option
 463_login_delay_obeys_to_PAM
-523_su_arguments_are_concatenated
-523_su_arguments_are_no_more_concatenated_by_default
 508_nologin_in_usr_sbin
 505_useradd_recommend_adduser
 501_commonio_group_shadow
-# does not apply cleanly, please merge at upstream
-1010_vietnamese_translation
+0001-newgidmap-enforce-setgroups-deny-if-self-mapping-a-g.patch
+0002-gpasswd-1-Fix-password-leak.patch
+0003-Added-control-character-check.patch
+0004-Overhaul-valid_field.patch

debian/rules

@@ -50,7 +50,6 @@ ifneq ($(DEB_HOST_ARCH_OS),linux)
 	sed -i 's/session    optional   pam_keyinit.so/# Linux only # session    optional   pam_keyinit.so/' debian/login.pam
 endif
 	dh_installpam -p login
-	dh_installpam -p login --name=su
 	install -c -m 444 debian/login.defs debian/login/etc/login.defs
 	install -c -m 444 debian/securetty.$(DEB_HOST_ARCH_OS) debian/login/etc/securetty
 	dh_lintian -p login
@@ -81,7 +80,6 @@ binary-predeb/uidmap::
 binary-predeb/login::
 	# No real need for login to be setuid root
 	# chmod u+s debian/login/bin/login
-	chmod u+s debian/login/bin/su
 	chmod u+s debian/login/usr/bin/newgrp
 
 binary-predeb/passwd::

debian/securetty.linux

@@ -164,11 +164,6 @@ ttyM0
 ttyM1
 #...
 
-# Unix98 PTY slaves
-pts/0
-pts/1
-#...
-
 # Technology Concepts serial card
 ttyT0
 ttyT1

lib/commonio.c

@@ -301,15 +301,12 @@ static int create_backup (const char *backup, FILE * fp)
 	struct utimbuf ub;
 	FILE *bkfp;
 	int c;
-	mode_t mask;
 
 	if (fstat (fileno (fp), &sb) != 0) {
 		return -1;
 	}
 
-	mask = umask (077);
-	bkfp = fopen (backup, "w");
-	(void) umask (mask);
+	bkfp = fopen_set_perms (backup, "w", &sb);
 	if (NULL == bkfp) {
 		return -1;
 	}
@@ -754,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))
 	for (ptr = db->head;
 	        (NULL != ptr)
 #if KEEP_NIS_AT_END
-	     && (NULL != ptr->line)
-	     && (   ('+' != ptr->line[0])
-	         && ('-' != ptr->line[0]))
+	     && ((NULL == ptr->line)
+	         || (('+' != ptr->line[0])
+	             && ('-' != ptr->line[0])))
 #endif
 	     ;
 	     ptr = ptr->next) {
 		n++;
 	}
 #if KEEP_NIS_AT_END
-	if ((NULL != ptr) && (NULL != ptr->line)) {
+	if (NULL != ptr) {
 		nis = ptr;
 	}
 #endif

lib/commonio.h

@@ -31,8 +31,8 @@
  */
 
 /* $Id$ */
-#ifndef _COMMONIO_H
-#define _COMMONIO_H
+#ifndef COMMONIO_H
+#define COMMONIO_H
 
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>

lib/getdef.c

@@ -148,6 +148,7 @@ static struct itemdef knowndef_table[] = {
 #ifdef USE_PAM
 	PAMDEFS
 #endif
+	{NULL, NULL}
 };
 
 #ifndef LOGINDEFS

lib/groupio.c

@@ -338,8 +338,7 @@ static /*@null@*/struct commonio_entry *merge_group_entries (
 		errno = ENOMEM;
 		return NULL;
 	}
-	snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line);
-	new_line[new_line_len] = '\0';
+	snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line);
 
 	/* Concatenate the 2 list of members */
 	for (i=0; NULL != gptr1->gr_mem[i]; i++);

lib/prototypes.h

@@ -179,6 +179,9 @@ extern int getrange (char *range,
                      unsigned long *min, bool *has_min,
                      unsigned long *max, bool *has_max);
 
+/* gettime.c */
+extern time_t gettime ();
+
 /* get_uid.c */
 extern int get_uid (const char *uidstr, uid_t *uid);
 

lib/sgroupio.c

@@ -40,6 +40,7 @@
 #include "prototypes.h"
 #include "defines.h"
 #include "commonio.h"
+#include "getdef.h"
 #include "sgroupio.h"
 
 /*@null@*/ /*@only@*/struct sgrp *__sgr_dup (const struct sgrp *sgent)

lib/shadowio.c

@@ -40,6 +40,7 @@
 #include <shadow.h>
 #include <stdio.h>
 #include "commonio.h"
+#include "getdef.h"
 #include "shadowio.h"
 #ifdef WITH_TCB
 #include <tcb.h>

lib/shadowio.h

@@ -31,8 +31,8 @@
  */
 
 /* $Id$ */
-#ifndef _SHADOWIO_H
-#define _SHADOWIO_H
+#ifndef SHADOWIO_H
+#define SHADOWIO_H
 
 #include "defines.h"
 

libmisc/Makefile.am

@@ -1,7 +1,7 @@
 
 EXTRA_DIST = .indent.pro xgetXXbyYY.c
 
-INCLUDES = -I$(top_srcdir)/lib
+AM_CPPFLAGS = -I$(top_srcdir)/lib
 
 noinst_LIBRARIES = libmisc.a
 
@@ -31,6 +31,7 @@ libmisc_a_SOURCES = \
 	getdate.y \
 	getgr_nam_gid.c \
 	getrange.c \
+	gettime.c \
 	hushed.c \
 	idmapping.h \
 	idmapping.c \

libmisc/find_new_gid.c

@@ -1,6 +1,7 @@
 /*
  * Copyright (c) 1991 - 1994, Julianne Frances Haugh
  * Copyright (c) 2008 - 2011, Nicolas François
+ * Copyright (c) 2014, Red Hat, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -38,6 +39,117 @@
 #include "groupio.h"
 #include "getdef.h"
 
+/*
+ * get_ranges - Get the minimum and maximum ID ranges for the search
+ *
+ * This function will return the minimum and maximum ranges for IDs
+ *
+ * 0: The function completed successfully
+ * EINVAL: The provided ranges are impossible (such as maximum < minimum)
+ *
+ * preferred_min: The special-case minimum value for a specifically-
+ * requested ID, which may be lower than the standard min_id
+ */
+static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
+		       gid_t *preferred_min)
+{
+	gid_t gid_def_max = 0;
+
+	if (sys_group) {
+		/* System groups */
+
+		/* A requested ID is allowed to be below the autoselect range */
+		*preferred_min = (gid_t) 1;
+
+		/* Get the minimum ID range from login.defs or default to 101 */
+		*min_id = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
+
+		/*
+		 * If SYS_GID_MAX is unspecified, we should assume it to be one
+		 * less than the GID_MIN (which is reserved for non-system accounts)
+		 */
+		gid_def_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
+		*max_id = (gid_t) getdef_ulong ("SYS_GID_MAX",
+				(unsigned long) gid_def_max);
+
+		/* Check that the ranges make sense */
+		if (*max_id < *min_id) {
+			(void) fprintf (stderr,
+                            _("%s: Invalid configuration: SYS_GID_MIN (%lu), "
+                              "GID_MIN (%lu), SYS_GID_MAX (%lu)\n"),
+                            Prog, (unsigned long) *min_id,
+                            getdef_ulong ("GID_MIN", 1000UL),
+                            (unsigned long) *max_id);
+			return EINVAL;
+		}
+	} else {
+		/* Non-system groups */
+
+		/* Get the values from login.defs or use reasonable defaults */
+		*min_id = (gid_t) getdef_ulong ("GID_MIN", 1000UL);
+		*max_id = (gid_t) getdef_ulong ("GID_MAX", 60000UL);
+
+		/*
+		 * The preferred minimum should match the standard ID minimum
+		 * for non-system groups.
+		 */
+		*preferred_min = *min_id;
+
+		/* Check that the ranges make sense */
+		if (*max_id < *min_id) {
+			(void) fprintf (stderr,
+					_("%s: Invalid configuration: GID_MIN (%lu), "
+					  "GID_MAX (%lu)\n"),
+					Prog, (unsigned long) *min_id,
+					(unsigned long) *max_id);
+			return EINVAL;
+		}
+	}
+
+	return 0;
+}
+
+/*
+ * check_gid - See if the requested GID is available
+ *
+ * On success, return 0
+ * If the ID is in use, return EEXIST
+ * If the ID is outside the range, return ERANGE
+ * In other cases, return errno from getgrgid()
+ */
+static int check_gid (const gid_t gid,
+		      const gid_t gid_min,
+		      const gid_t gid_max,
+		      bool *used_gids)
+{
+	/* First test that the preferred ID is in the range */
+	if (gid < gid_min || gid > gid_max) {
+		return ERANGE;
+	}
+
+	/*
+	 * Check whether we already detected this GID
+	 * using the gr_next() loop
+	 */
+	if (used_gids != NULL && used_gids[gid]) {
+		return EEXIST;
+	}
+	/* Check if the GID exists according to NSS */
+	errno = 0;
+	if (getgrgid (gid) != NULL) {
+		return EEXIST;
+	} else {
+		/* getgrgid() was NULL
+		 * we have to ignore errors as temporary
+		 * failures of remote user identity services
+		 * would completely block user/group creation
+		 */
+	}
+
+	/* If we've made it here, the GID must be available */
+	return 0;
+}
+
 /*
  * find_new_gid - Find a new unused GID.
  *
@@ -49,161 +161,338 @@
  * Return 0 on success, -1 if no unused GIDs are available.
  */
 int find_new_gid (bool sys_group,
-                  gid_t *gid,
-                  /*@null@*/gid_t const *preferred_gid)
+                 gid_t *gid,
+                 /*@null@*/gid_t const *preferred_gid)
 {
-	const struct group *grp;
-	gid_t gid_min, gid_max, group_id;
 	bool *used_gids;
+	const struct group *grp;
+	gid_t gid_min, gid_max, preferred_min;
+	gid_t group_id, id;
+	gid_t lowest_found, highest_found;
+	int result;
+	int nospam = 0;
 
-	assert (gid != NULL);
+	assert(gid != NULL);
 
-	if (!sys_group) {
-		gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL);
-		gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL);
-		if (gid_max < gid_min) {
-			(void) fprintf (stderr,
-			                _("%s: Invalid configuration: GID_MIN (%lu), GID_MAX (%lu)\n"),
-			                Prog, (unsigned long) gid_min, (unsigned long) gid_max);
-			return -1;
-		}
-	} else {
-		gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
-		gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
-		gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max);
-		if (gid_max < gid_min) {
-			(void) fprintf (stderr,
-			                _("%s: Invalid configuration: SYS_GID_MIN (%lu), GID_MIN (%lu), SYS_GID_MAX (%lu)\n"),
-			                Prog, (unsigned long) gid_min, getdef_ulong ("GID_MIN", 1000UL), (unsigned long) gid_max);
+	/*
+	 * First, figure out what ID range is appropriate for
+	 * automatic assignment
+	 */
+	result = get_ranges (sys_group, &gid_min, &gid_max, &preferred_min);
+	if (result == EINVAL) {
+		return -1;
+	}
+
+	/* Check if the preferred GID is available */
+	if (preferred_gid) {
+		result = check_gid (*preferred_gid, preferred_min, gid_max, NULL);
+		if (result == 0) {
+			/*
+			 * Make sure the GID isn't queued for use already
+			 */
+			if (gr_locate_gid (*preferred_gid) == NULL) {
+				*gid = *preferred_gid;
+				return 0;
+			}
+			/*
+			 * gr_locate_gid() found the GID in an as-yet uncommitted
+			 * entry. We'll proceed below and auto-set a GID.
+			 */
+		} else if (result == EEXIST || result == ERANGE) {
+			/*
+			 * Continue on below. At this time, we won't
+			 * treat these two cases differently.
+			 */
+		} else {
+			/*
+			 * An unexpected error occurred. We should report
+			 * this and fail the group creation.
+			 * This differs from the automatic creation
+			 * behavior below, since if a specific GID was
+			 * requested and generated an error, the user is
+			 * more likely to want to stop and address the
+			 * issue.
+			 */
+			fprintf (stderr,
+				_("%s: Encountered error attempting to use "
+				  "preferred GID: %s\n"),
+				Prog, strerror (result));
 			return -1;
 		}
 	}
+
+	/*
+	 * Search the entire group file,
+	 * looking for the next unused value.
+	 *
+	 * We first check the local database with gr_rewind/gr_next to find
+	 * all local values that are in use.
+	 *
+	 * We then compare the next free value to all databases (local and
+	 * remote) and iterate until we find a free one. If there are free
+	 * values beyond the lowest (system groups) or highest (non-system
+	 * groups), we will prefer those and avoid potentially reclaiming a
+	 * deleted group (which can be a security issue, since it may grant
+	 * access to files belonging to that former group).
+	 *
+	 * If there are no GIDs available at the end of the search, we will
+	 * have no choice but to iterate through the range looking for gaps.
+	 *
+	 */
+
+	/* Create an array to hold all of the discovered GIDs */
 	used_gids = malloc (sizeof (bool) * (gid_max +1));
 	if (NULL == used_gids) {
 		fprintf (stderr,
-		         _("%s: failed to allocate memory: %s\n"),
-		         Prog, strerror (errno));
+			 _("%s: failed to allocate memory: %s\n"),
+			 Prog, strerror (errno));
 		return -1;
 	}
 	memset (used_gids, false, sizeof (bool) * (gid_max + 1));
 
-	if (   (NULL != preferred_gid)
-	    && (*preferred_gid >= gid_min)
-	    && (*preferred_gid <= gid_max)
-	    /* Check if the user exists according to NSS */
-	    && (getgrgid (*preferred_gid) == NULL)
-	    /* Check also the local database in case of uncommitted
-	     * changes */
-	    && (gr_locate_gid (*preferred_gid) == NULL)) {
-		*gid = *preferred_gid;
-		free (used_gids);
-		return 0;
-	}
-
-
-	/*
-	 * Search the entire group file,
-	 * looking for the largest unused value.
-	 *
-	 * We check the list of groups according to NSS (setgrent/getgrent),
-	 * but we also check the local database (gr_rewind/gr_next) in case
-	 * some groups were created but the changes were not committed yet.
-	 */
-	if (sys_group) {
-		gid_t id;
-		/* setgrent / getgrent / endgrent can be very slow with
-		 * LDAP configurations (and many accounts).
-		 * Since there is a limited amount of IDs to be tested
-		 * for system accounts, we just check the existence
-		 * of IDs with getgrgid.
+	/* First look for the lowest and highest value in the local database */
+	(void) gr_rewind ();
+	highest_found = gid_min;
+	lowest_found = gid_max;
+	while ((grp = gr_next ()) != NULL) {
+		/*
+		 * Does this entry have a lower GID than the lowest we've found
+		 * so far?
 		 */
-		group_id = gid_max;
-		for (id = gid_max; id >= gid_min; id--) {
-			if (getgrgid (id) != NULL) {
-				group_id = id - 1;
-				used_gids[id] = true;
-			}
+		if ((grp->gr_gid <= lowest_found) && (grp->gr_gid >= gid_min)) {
+			lowest_found = grp->gr_gid - 1;
 		}
 
-		(void) gr_rewind ();
-		while ((grp = gr_next ()) != NULL) {
-			if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) {
-				group_id = grp->gr_gid - 1;
-			}
-			/* create index of used GIDs */
-			if (grp->gr_gid <= gid_max) {
-				used_gids[grp->gr_gid] = true;
-			}
+		/*
+		 * Does this entry have a higher GID than the highest we've found
+		 * so far?
+		 */
+		if ((grp->gr_gid >= highest_found) && (grp->gr_gid <= gid_max)) {
+			highest_found = grp->gr_gid + 1;
 		}
-	} else {
-		group_id = gid_min;
-		setgrent ();
-		while ((grp = getgrent ()) != NULL) {
-			if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) {
-				group_id = grp->gr_gid + 1;
-			}
-			/* create index of used GIDs */
-			if (grp->gr_gid <= gid_max) {
-				used_gids[grp->gr_gid] = true;
-			}
-		}
-		endgrent ();
 
-		(void) gr_rewind ();
-		while ((grp = gr_next ()) != NULL) {
-			if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) {
-				group_id = grp->gr_gid + 1;
-			}
-			/* create index of used GIDs */
-			if (grp->gr_gid <= gid_max) {
-				used_gids[grp->gr_gid] = true;
-			}
+		/* create index of used GIDs */
+		if (grp->gr_gid >= gid_min
+			&& grp->gr_gid <= gid_max) {
+
+			used_gids[grp->gr_gid] = true;
 		}
 	}
 
-	/*
-	 * If a group (resp. system group) with GID equal to GID_MAX (resp.
-	 * GID_MIN) exists, the above algorithm will give us GID_MAX+1
-	 * (resp. GID_MIN-1) even if not unique. Search for the first free
-	 * GID starting with GID_MIN (resp. GID_MAX).
-	 */
 	if (sys_group) {
-		if (group_id < gid_min) {
-			for (group_id = gid_max; group_id >= gid_min; group_id--) {
-				if (false == used_gids[group_id]) {
-					break;
-				}
-			}
-			if (group_id < gid_min) {
-				fprintf (stderr,
-				         _("%s: Can't get unique system GID (no more available GIDs)\n"),
-				         Prog);
-				SYSLOG ((LOG_WARN,
-				         "no more available GID on the system"));
+		/*
+		 * For system groups, we want to start from the
+		 * top of the range and work downwards.
+		 */
+
+		/*
+		 * At the conclusion of the gr_next() search, we will either
+		 * have a presumed-free GID or we will be at GID_MIN - 1.
+		 */
+		if (lowest_found < gid_min) {
+			/*
+			 * In this case, a GID is in use at GID_MIN.
+			 *
+			 * We will reset the search to GID_MAX and proceed down
+			 * through all the GIDs (skipping those we detected with
+			 * used_gids) for a free one. It is a known issue that
+			 * this may result in reusing a previously-deleted GID,
+			 * so administrators should be instructed to use this
+			 * auto-detection with care (and prefer to assign GIDs
+			 * explicitly).
+			 */
+			lowest_found = gid_max;
+		}
+
+		/* Search through all of the IDs in the range */
+		for (id = lowest_found; id >= gid_min; id--) {
+			result = check_gid (id, gid_min, gid_max, used_gids);
+			if (result == 0) {
+				/* This GID is available. Return it. */
+				*gid = id;
 				free (used_gids);
-				return -1;
+				return 0;
+			} else if (result == EEXIST) {
+				/* This GID is in use, we'll continue to the next */
+			} else {
+				/*
+				 * An unexpected error occurred.
+				 *
+				 * Only report it the first time to avoid spamming
+				 * the logs
+				 *
+				 */
+				if (!nospam) {
+					fprintf (stderr,
+						_("%s: Can't get unique system GID (%s). "
+						  "Suppressing additional messages.\n"),
+						Prog, strerror (result));
+					SYSLOG ((LOG_ERR,
+						"Error checking available GIDs: %s",
+						strerror (result)));
+					nospam = 1;
+				}
+				/*
+				 * We will continue anyway. Hopefully a later GID
+				 * will work properly.
+				 */
 			}
 		}
-	} else {
-		if (group_id > gid_max) {
-			for (group_id = gid_min; group_id <= gid_max; group_id++) {
-				if (false == used_gids[group_id]) {
-					break;
+
+		/*
+		 * If we get all the way through the loop, try again from GID_MAX,
+		 * unless that was where we previously started. (NOTE: the worst-case
+		 * scenario here is that we will run through (GID_MAX - GID_MIN - 1)
+		 * cycles *again* if we fall into this case with lowest_found as
+		 * GID_MAX - 1, all groups in the range in use and maintained by
+		 * network services such as LDAP.)
+		 */
+		if (lowest_found != gid_max) {
+			for (id = gid_max; id >= gid_min; id--) {
+				result = check_gid (id, gid_min, gid_max, used_gids);
+				if (result == 0) {
+					/* This GID is available. Return it. */
+					*gid = id;
+					free (used_gids);
+					return 0;
+				} else if (result == EEXIST) {
+					/* This GID is in use, we'll continue to the next */
+				} else {
+					/*
+					 * An unexpected error occurred.
+					 *
+					 * Only report it the first time to avoid spamming
+					 * the logs
+					 *
+					 */
+					if (!nospam) {
+						fprintf (stderr,
+							_("%s: Can't get unique system GID (%s). "
+							  "Suppressing additional messages.\n"),
+							Prog, strerror (result));
+						SYSLOG ((LOG_ERR,
+							"Error checking available GIDs: %s",
+							strerror (result)));
+						nospam = 1;
+					}
+					/*
+					 * We will continue anyway. Hopefully a later GID
+					 * will work properly.
+					 */
 				}
 			}
-			if (group_id > gid_max) {
-				fprintf (stderr,
-				         _("%s: Can't get unique GID (no more available GIDs)\n"),
-				         Prog);
-				SYSLOG ((LOG_WARN, "no more available GID on the system"));
+		}
+	} else { /* !sys_group */
+		/*
+		 * For non-system groups, we want to start from the
+		 * bottom of the range and work upwards.
+		 */
+
+		/*
+		 * At the conclusion of the gr_next() search, we will either
+		 * have a presumed-free GID or we will be at GID_MAX + 1.
+		 */
+		if (highest_found > gid_max) {
+			/*
+			 * In this case, a GID is in use at GID_MAX.
+			 *
+			 * We will reset the search to GID_MIN and proceed up
+			 * through all the GIDs (skipping those we detected with
+			 * used_gids) for a free one. It is a known issue that
+			 * this may result in reusing a previously-deleted GID,
+			 * so administrators should be instructed to use this
+			 * auto-detection with care (and prefer to assign GIDs
+			 * explicitly).
+			 */
+			highest_found = gid_min;
+		}
+
+		/* Search through all of the IDs in the range */
+		for (id = highest_found; id <= gid_max; id++) {
+			result = check_gid (id, gid_min, gid_max, used_gids);
+			if (result == 0) {
+				/* This GID is available. Return it. */
+				*gid = id;
 				free (used_gids);
-				return -1;
+				return 0;
+			} else if (result == EEXIST) {
+				/* This GID is in use, we'll continue to the next */
+			} else {
+				/*
+				 * An unexpected error occurred.
+				 *
+				 * Only report it the first time to avoid spamming
+				 * the logs
+				 *
+				 */
+				if (!nospam) {
+					fprintf (stderr,
+						_("%s: Can't get unique GID (%s). "
+						  "Suppressing additional messages.\n"),
+						Prog, strerror (result));
+					SYSLOG ((LOG_ERR,
+						"Error checking available GIDs: %s",
+						strerror (result)));
+					nospam = 1;
+				}
+				/*
+				 * We will continue anyway. Hopefully a later GID
+				 * will work properly.
+				 */
+			}
+		}
+
+		/*
+		 * If we get all the way through the loop, try again from GID_MIN,
+		 * unless that was where we previously started. (NOTE: the worst-case
+		 * scenario here is that we will run through (GID_MAX - GID_MIN - 1)
+		 * cycles *again* if we fall into this case with highest_found as
+		 * GID_MIN + 1, all groups in the range in use and maintained by
+		 * network services such as LDAP.)
+		 */
+		if (highest_found != gid_min) {
+			for (id = gid_min; id <= gid_max; id++) {
+				result = check_gid (id, gid_min, gid_max, used_gids);
+				if (result == 0) {
+					/* This GID is available. Return it. */
+					*gid = id;
+					free (used_gids);
+					return 0;
+				} else if (result == EEXIST) {
+					/* This GID is in use, we'll continue to the next */
+				} else {
+					/*
+					 * An unexpected error occurred.
+					 *
+					 * Only report it the first time to avoid spamming
+					 * the logs
+					 *
+					 */
+					if (!nospam) {
+						fprintf (stderr,
+							_("%s: Can't get unique GID (%s). "
+							  "Suppressing additional messages.\n"),
+							Prog, strerror (result));
+						SYSLOG ((LOG_ERR,
+							"Error checking available GIDs: %s",
+							strerror (result)));
+						nospam = 1;
+					}
+					/*
+					 * We will continue anyway. Hopefully a later GID
+					 * will work properly.
+					 */
+				}
 			}
 		}
 	}
 
+	/* The code reached here and found no available IDs in the range */
+	fprintf (stderr,
+		_("%s: Can't get unique GID (no more available GIDs)\n"),
+		Prog);
+	SYSLOG ((LOG_WARN, "no more available GIDs on the system"));
 	free (used_gids);
-	*gid = group_id;
-	return 0;
+	return -1;
 }
 

libmisc/find_new_uid.c

@@ -1,6 +1,7 @@
 /*
  * Copyright (c) 1991 - 1994, Julianne Frances Haugh
  * Copyright (c) 2008 - 2011, Nicolas François
+ * Copyright (c) 2014, Red Hat, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -38,6 +39,117 @@
 #include "pwio.h"
 #include "getdef.h"
 
+/*
+ * get_ranges - Get the minimum and maximum ID ranges for the search
+ *
+ * This function will return the minimum and maximum ranges for IDs
+ *
+ * 0: The function completed successfully
+ * EINVAL: The provided ranges are impossible (such as maximum < minimum)
+ *
+ * preferred_min: The special-case minimum value for a specifically-
+ * requested ID, which may be lower than the standard min_id
+ */
+static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
+			uid_t *preferred_min)
+{
+	uid_t uid_def_max = 0;
+
+	if (sys_user) {
+		/* System users */
+
+		/* A requested ID is allowed to be below the autoselect range */
+		*preferred_min = (uid_t) 1;
+
+		/* Get the minimum ID range from login.defs or default to 101 */
+		*min_id = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL);
+
+		/*
+		 * If SYS_UID_MAX is unspecified, we should assume it to be one
+		 * less than the UID_MIN (which is reserved for non-system accounts)
+		 */
+		uid_def_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1;
+		*max_id = (uid_t) getdef_ulong ("SYS_UID_MAX",
+				(unsigned long) uid_def_max);
+
+		/* Check that the ranges make sense */
+		if (*max_id < *min_id) {
+			(void) fprintf (stderr,
+                            _("%s: Invalid configuration: SYS_UID_MIN (%lu), "
+                              "UID_MIN (%lu), SYS_UID_MAX (%lu)\n"),
+                            Prog, (unsigned long) *min_id,
+                            getdef_ulong ("UID_MIN", 1000UL),
+                            (unsigned long) *max_id);
+			return EINVAL;
+		}
+	} else {
+		/* Non-system users */
+
+		/* Get the values from login.defs or use reasonable defaults */
+		*min_id = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+		*max_id = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+
+		/*
+		 * The preferred minimum should match the standard ID minimum
+		 * for non-system users.
+		 */
+		*preferred_min = *min_id;
+
+		/* Check that the ranges make sense */
+		if (*max_id < *min_id) {
+			(void) fprintf (stderr,
+					_("%s: Invalid configuration: UID_MIN (%lu), "
+					  "UID_MAX (%lu)\n"),
+					Prog, (unsigned long) *min_id,
+					(unsigned long) *max_id);
+			return EINVAL;
+		}
+	}
+
+	return 0;
+}
+
+/*
+ * check_uid - See if the requested UID is available
+ *
+ * On success, return 0
+ * If the ID is in use, return EEXIST
+ * If the ID is outside the range, return ERANGE
+ * In other cases, return errno from getpwuid()
+ */
+static int check_uid(const uid_t uid,
+		     const uid_t uid_min,
+		     const uid_t uid_max,
+		     bool *used_uids)
+{
+	/* First test that the preferred ID is in the range */
+	if (uid < uid_min || uid > uid_max) {
+		return ERANGE;
+	}
+
+	/*
+	 * Check whether we already detected this UID
+	 * using the pw_next() loop
+	 */
+	if (used_uids != NULL && used_uids[uid]) {
+		return EEXIST;
+	}
+	/* Check if the UID exists according to NSS */
+	errno = 0;
+	if (getpwuid(uid) != NULL) {
+		return EEXIST;
+	} else {
+		/* getpwuid() was NULL
+		 * we have to ignore errors as temporary
+		 * failures of remote user identity services
+		 * would completely block user/group creation
+		 */
+	}
+
+	/* If we've made it here, the UID must be available */
+	return 0;
+}
+
 /*
  * find_new_uid - Find a new unused UID.
  *
@@ -48,162 +160,339 @@
  * 
  * Return 0 on success, -1 if no unused UIDs are available.
  */
-int find_new_uid (bool sys_user,
-                  uid_t *uid,
-                  /*@null@*/uid_t const *preferred_uid)
+int find_new_uid(bool sys_user,
+                 uid_t *uid,
+                 /*@null@*/uid_t const *preferred_uid)
 {
-	const struct passwd *pwd;
-	uid_t uid_min, uid_max, user_id;
 	bool *used_uids;
+	const struct passwd *pwd;
+	uid_t uid_min, uid_max, preferred_min;
+	uid_t user_id, id;
+	uid_t lowest_found, highest_found;
+	int result;
+	int nospam = 0;
 
 	assert (uid != NULL);
 
-	if (!sys_user) {
-		uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
-		uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
-		if (uid_max < uid_min) {
-			(void) fprintf (stderr,
-			                _("%s: Invalid configuration: UID_MIN (%lu), UID_MAX (%lu)\n"),
-			                Prog, (unsigned long) uid_min, (unsigned long) uid_max);
-			return -1;
-		}
-	} else {
-		uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL);
-		uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1;
-		uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max);
-		if (uid_max < uid_min) {
-			(void) fprintf (stderr,
-			                _("%s: Invalid configuration: SYS_UID_MIN (%lu), UID_MIN (%lu), SYS_UID_MAX (%lu)\n"),
-			                Prog, (unsigned long) uid_min, getdef_ulong ("UID_MIN", 1000UL), (unsigned long) uid_max);
+	/*
+	 * First, figure out what ID range is appropriate for
+	 * automatic assignment
+	 */
+	result = get_ranges (sys_user, &uid_min, &uid_max, &preferred_min);
+	if (result == EINVAL) {
+		return -1;
+	}
+
+	/* Check if the preferred UID is available */
+	if (preferred_uid) {
+		result = check_uid (*preferred_uid, preferred_min, uid_max, NULL);
+		if (result == 0) {
+			/*
+			 * Make sure the UID isn't queued for use already
+			 */
+			if (pw_locate_uid (*preferred_uid) == NULL) {
+				*uid = *preferred_uid;
+				return 0;
+			}
+			/*
+			 * pw_locate_uid() found the UID in an as-yet uncommitted
+			 * entry. We'll proceed below and auto-set an UID.
+			 */
+		} else if (result == EEXIST || result == ERANGE) {
+			/*
+			 * Continue on below. At this time, we won't
+			 * treat these two cases differently.
+			 */
+		} else {
+			/*
+			 * An unexpected error occurred. We should report
+			 * this and fail the user creation.
+			 * This differs from the automatic creation
+			 * behavior below, since if a specific UID was
+			 * requested and generated an error, the user is
+			 * more likely to want to stop and address the
+			 * issue.
+			 */
+			fprintf (stderr,
+				_("%s: Encountered error attempting to use "
+				  "preferred UID: %s\n"),
+				Prog, strerror (result));
 			return -1;
 		}
 	}
+
+	/*
+	 * Search the entire passwd file,
+	 * looking for the next unused value.
+	 *
+	 * We first check the local database with pw_rewind/pw_next to find
+	 * all local values that are in use.
+	 *
+	 * We then compare the next free value to all databases (local and
+	 * remote) and iterate until we find a free one. If there are free
+	 * values beyond the lowest (system users) or highest (non-system
+	 * users), we will prefer those and avoid potentially reclaiming a
+	 * deleted user (which can be a security issue, since it may grant
+	 * access to files belonging to that former user).
+	 *
+	 * If there are no UIDs available at the end of the search, we will
+	 * have no choice but to iterate through the range looking for gaps.
+	 *
+	 */
+
+	/* Create an array to hold all of the discovered UIDs */
 	used_uids = malloc (sizeof (bool) * (uid_max +1));
 	if (NULL == used_uids) {
 		fprintf (stderr,
-		         _("%s: failed to allocate memory: %s\n"),
-		         Prog, strerror (errno));
+			 _("%s: failed to allocate memory: %s\n"),
+			 Prog, strerror (errno));
 		return -1;
 	}
 	memset (used_uids, false, sizeof (bool) * (uid_max + 1));
 
-	if (   (NULL != preferred_uid)
-	    && (*preferred_uid >= uid_min)
-	    && (*preferred_uid <= uid_max)
-	    /* Check if the user exists according to NSS */
-	    && (getpwuid (*preferred_uid) == NULL)
-	    /* Check also the local database in case of uncommitted
-	     * changes */
-	    && (pw_locate_uid (*preferred_uid) == NULL)) {
-		*uid = *preferred_uid;
-		free (used_uids);
-		return 0;
-	}
-
-
-	/*
-	 * Search the entire password file,
-	 * looking for the largest unused value.
-	 *
-	 * We check the list of users according to NSS (setpwent/getpwent),
-	 * but we also check the local database (pw_rewind/pw_next) in case
-	 * some users were created but the changes were not committed yet.
-	 */
-	if (sys_user) {
-		uid_t id;
-		/* setpwent / getpwent / endpwent can be very slow with
-		 * LDAP configurations (and many accounts).
-		 * Since there is a limited amount of IDs to be tested
-		 * for system accounts, we just check the existence
-		 * of IDs with getpwuid.
+	/* First look for the lowest and highest value in the local database */
+	(void) pw_rewind ();
+	highest_found = uid_min;
+	lowest_found = uid_max;
+	while ((pwd = pw_next ()) != NULL) {
+		/*
+		 * Does this entry have a lower UID than the lowest we've found
+		 * so far?
 		 */
-		user_id = uid_max;
-		for (id = uid_max; id >= uid_min; id--) {
-			if (getpwuid (id) != NULL) {
-				user_id = id - 1;
-				used_uids[id] = true;
-			}
+		if ((pwd->pw_uid <= lowest_found) && (pwd->pw_uid >= uid_min)) {
+			lowest_found = pwd->pw_uid - 1;
 		}
 
-		(void) pw_rewind ();
-		while ((pwd = pw_next ()) != NULL) {
-			if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) {
-				user_id = pwd->pw_uid - 1;
-			}
-			/* create index of used UIDs */
-			if (pwd->pw_uid <= uid_max) {
-				used_uids[pwd->pw_uid] = true;
-			}
+		/*
+		 * Does this entry have a higher UID than the highest we've found
+		 * so far?
+		 */
+		if ((pwd->pw_uid >= highest_found) && (pwd->pw_uid <= uid_max)) {
+			highest_found = pwd->pw_uid + 1;
 		}
-	} else {
-		user_id = uid_min;
-		setpwent ();
-		while ((pwd = getpwent ()) != NULL) {
-			if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) {
-				user_id = pwd->pw_uid + 1;
-			}
-			/* create index of used UIDs */
-			if (pwd->pw_uid <= uid_max) {
-				used_uids[pwd->pw_uid] = true;
-			}
-		}
-		endpwent ();
 
-		(void) pw_rewind ();
-		while ((pwd = pw_next ()) != NULL) {
-			if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) {
-				user_id = pwd->pw_uid + 1;
-			}
-			/* create index of used UIDs */
-			if (pwd->pw_uid <= uid_max) {
-				used_uids[pwd->pw_uid] = true;
-			}
+		/* create index of used UIDs */
+		if (pwd->pw_uid >= uid_min
+			&& pwd->pw_uid <= uid_max) {
+
+			used_uids[pwd->pw_uid] = true;
 		}
 	}
 
-	/*
-	 * If a user (resp. system user) with UID equal to UID_MAX (resp.
-	 * UID_MIN) exists, the above algorithm will give us UID_MAX+1
-	 * (resp. UID_MIN-1) even if not unique. Search for the first free
-	 * UID starting with UID_MIN (resp. UID_MAX).
-	 */
 	if (sys_user) {
-		if (user_id < uid_min) {
-			for (user_id = uid_max; user_id >= uid_min; user_id--) {
-				if (false == used_uids[user_id]) {
-					break;
-				}
-			}
-			if (user_id < uid_min ) {
-				fprintf (stderr,
-				         _("%s: Can't get unique system UID (no more available UIDs)\n"),
-				         Prog);
-				SYSLOG ((LOG_WARN,
-				         "no more available UID on the system"));
+		/*
+		 * For system users, we want to start from the
+		 * top of the range and work downwards.
+		 */
+
+		/*
+		 * At the conclusion of the pw_next() search, we will either
+		 * have a presumed-free UID or we will be at UID_MIN - 1.
+		 */
+		if (lowest_found < uid_min) {
+			/*
+			 * In this case, an UID is in use at UID_MIN.
+			 *
+			 * We will reset the search to UID_MAX and proceed down
+			 * through all the UIDs (skipping those we detected with
+			 * used_uids) for a free one. It is a known issue that
+			 * this may result in reusing a previously-deleted UID,
+			 * so administrators should be instructed to use this
+			 * auto-detection with care (and prefer to assign UIDs
+			 * explicitly).
+			 */
+			lowest_found = uid_max;
+		}
+
+		/* Search through all of the IDs in the range */
+		for (id = lowest_found; id >= uid_min; id--) {
+			result = check_uid (id, uid_min, uid_max, used_uids);
+			if (result == 0) {
+				/* This UID is available. Return it. */
+				*uid = id;
 				free (used_uids);
-				return -1;
+				return 0;
+			} else if (result == EEXIST) {
+				/* This UID is in use, we'll continue to the next */
+			} else {
+				/*
+				 * An unexpected error occurred.
+				 *
+				 * Only report it the first time to avoid spamming
+				 * the logs
+				 *
+				 */
+				if (!nospam) {
+					fprintf (stderr,
+						_("%s: Can't get unique system UID (%s). "
+						  "Suppressing additional messages.\n"),
+						Prog, strerror (result));
+					SYSLOG ((LOG_ERR,
+						"Error checking available UIDs: %s",
+						strerror (result)));
+					nospam = 1;
+				}
+				/*
+				 * We will continue anyway. Hopefully a later UID
+				 * will work properly.
+				 */
 			}
 		}
-	} else {
-		if (user_id > uid_max) {
-			for (user_id = uid_min; user_id <= uid_max; user_id++) {
-				if (false == used_uids[user_id]) {
-					break;
+
+		/*
+		 * If we get all the way through the loop, try again from UID_MAX,
+		 * unless that was where we previously started. (NOTE: the worst-case
+		 * scenario here is that we will run through (UID_MAX - UID_MIN - 1)
+		 * cycles *again* if we fall into this case with lowest_found as
+		 * UID_MAX - 1, all users in the range in use and maintained by
+		 * network services such as LDAP.)
+		 */
+		if (lowest_found != uid_max) {
+			for (id = uid_max; id >= uid_min; id--) {
+				result = check_uid (id, uid_min, uid_max, used_uids);
+				if (result == 0) {
+					/* This UID is available. Return it. */
+					*uid = id;
+					free (used_uids);
+					return 0;
+				} else if (result == EEXIST) {
+					/* This UID is in use, we'll continue to the next */
+				} else {
+					/*
+					 * An unexpected error occurred.
+					 *
+					 * Only report it the first time to avoid spamming
+					 * the logs
+					 *
+					 */
+					if (!nospam) {
+						fprintf (stderr,
+							_("%s: Can't get unique system UID (%s). "
+							  "Suppressing additional messages.\n"),
+							Prog, strerror (result));
+						SYSLOG((LOG_ERR,
+							"Error checking available UIDs: %s",
+							strerror (result)));
+						nospam = 1;
+					}
+					/*
+					 * We will continue anyway. Hopefully a later UID
+					 * will work properly.
+					 */
 				}
 			}
-			if (user_id > uid_max) {
-				fprintf (stderr,
-				         _("%s: Can't get unique UID (no more available UIDs)\n"),
-				         Prog);
-				SYSLOG ((LOG_WARN, "no more available UID on the system"));
+		}
+	} else { /* !sys_user */
+		/*
+		 * For non-system users, we want to start from the
+		 * bottom of the range and work upwards.
+		 */
+
+		/*
+		 * At the conclusion of the pw_next() search, we will either
+		 * have a presumed-free UID or we will be at UID_MAX + 1.
+		 */
+		if (highest_found > uid_max) {
+			/*
+			 * In this case, a UID is in use at UID_MAX.
+			 *
+			 * We will reset the search to UID_MIN and proceed up
+			 * through all the UIDs (skipping those we detected with
+			 * used_uids) for a free one. It is a known issue that
+			 * this may result in reusing a previously-deleted UID,
+			 * so administrators should be instructed to use this
+			 * auto-detection with care (and prefer to assign UIDs
+			 * explicitly).
+			 */
+			highest_found = uid_min;
+		}
+
+		/* Search through all of the IDs in the range */
+		for (id = highest_found; id <= uid_max; id++) {
+			result = check_uid (id, uid_min, uid_max, used_uids);
+			if (result == 0) {
+				/* This UID is available. Return it. */
+				*uid = id;
 				free (used_uids);
-				return -1;
+				return 0;
+			} else if (result == EEXIST) {
+				/* This UID is in use, we'll continue to the next */
+			} else {
+				/*
+				 * An unexpected error occurred.
+				 *
+				 * Only report it the first time to avoid spamming
+				 * the logs
+				 *
+				 */
+				if (!nospam) {
+					fprintf (stderr,
+						_("%s: Can't get unique UID (%s). "
+						  "Suppressing additional messages.\n"),
+						Prog, strerror (result));
+					SYSLOG ((LOG_ERR,
+						"Error checking available UIDs: %s",
+						strerror (result)));
+					nospam = 1;
+				}
+				/*
+				 * We will continue anyway. Hopefully a later UID
+				 * will work properly.
+				 */
+			}
+		}
+
+		/*
+		 * If we get all the way through the loop, try again from UID_MIN,
+		 * unless that was where we previously started. (NOTE: the worst-case
+		 * scenario here is that we will run through (UID_MAX - UID_MIN - 1)
+		 * cycles *again* if we fall into this case with highest_found as
+		 * UID_MIN + 1, all users in the range in use and maintained by
+		 * network services such as LDAP.)
+		 */
+		if (highest_found != uid_min) {
+			for (id = uid_min; id <= uid_max; id++) {
+				result = check_uid (id, uid_min, uid_max, used_uids);
+				if (result == 0) {
+					/* This UID is available. Return it. */
+					*uid = id;
+					free (used_uids);
+					return 0;
+				} else if (result == EEXIST) {
+					/* This UID is in use, we'll continue to the next */
+				} else {
+					/*
+					 * An unexpected error occurred.
+					 *
+					 * Only report it the first time to avoid spamming
+					 * the logs
+					 *
+					 */
+					if (!nospam) {
+						fprintf (stderr,
+							_("%s: Can't get unique UID (%s). "
+							  "Suppressing additional messages.\n"),
+							Prog, strerror (result));
+						SYSLOG ((LOG_ERR,
+							"Error checking available UIDs: %s",
+							strerror (result)));
+						nospam = 1;
+					}
+					/*
+					 * We will continue anyway. Hopefully a later UID
+					 * will work properly.
+					 */
+				}
 			}
 		}
 	}
 
+	/* The code reached here and found no available IDs in the range */
+	fprintf (stderr,
+		_("%s: Can't get unique UID (no more available UIDs)\n"),
+		Prog);
+	SYSLOG ((LOG_WARN, "no more available UIDs on the system"));
 	free (used_uids);
-	*uid = user_id;
-	return 0;
+	return -1;
 }
 

libmisc/gettime.c

@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2017, Chris Lamb
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the copyright holders or contributors may not be used to
+ *    endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+#ident "$Id$"
+
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include "defines.h"
+#include "prototypes.h"
+
+/*
+ * gettime() returns the time as the number of seconds since the Epoch
+ *
+ * Like time(), gettime() returns the time as the number of seconds since the
+ * Epoch, 1970-01-01 00:00:00 +0000 (UTC), except that if the SOURCE_DATE_EPOCH
+ * environment variable is exported it will use that instead.
+ */
+/*@observer@*/time_t gettime ()
+{
+	char *endptr;
+	char *source_date_epoch;
+	time_t fallback;
+	unsigned long long epoch;
+
+	fallback = time (NULL);
+	source_date_epoch = getenv ("SOURCE_DATE_EPOCH");
+
+	if (!source_date_epoch)
+		return fallback;
+
+	errno = 0;
+	epoch = strtoull (source_date_epoch, &endptr, 10);
+	if ((errno == ERANGE && (epoch == ULLONG_MAX || epoch == 0))
+			|| (errno != 0 && epoch == 0)) {
+		fprintf (stderr,
+			 _("Environment variable $SOURCE_DATE_EPOCH: strtoull: %s\n"),
+			 strerror(errno));
+	} else if (endptr == source_date_epoch) {
+		fprintf (stderr,
+			 _("Environment variable $SOURCE_DATE_EPOCH: No digits were found: %s\n"),
+			 endptr);
+	} else if (*endptr != '\0') {
+		fprintf (stderr,
+			 _("Environment variable $SOURCE_DATE_EPOCH: Trailing garbage: %s\n"),
+			 endptr);
+	} else if (epoch > ULONG_MAX) {
+		fprintf (stderr,
+			 _("Environment variable $SOURCE_DATE_EPOCH: value must be smaller than or equal to %lu but was found to be: %llu\n"),
+			 ULONG_MAX, epoch);
+	} else if (epoch > fallback) {
+		fprintf (stderr,
+			 _("Environment variable $SOURCE_DATE_EPOCH: value must be smaller than or equal to the current time (%lu) but was found to be: %llu\n"),
+			 fallback, epoch);
+	} else {
+		/* Valid */
+		return (time_t)epoch;
+	}
+
+	return fallback;
+}

libmisc/user_busy.c

@@ -170,6 +170,9 @@ static int user_busy_processes (const char *name, uid_t uid)
 	proc = opendir ("/proc");
 	if (proc == NULL) {
 		perror ("opendir /proc");
+#ifdef ENABLE_SUBIDS
+		sub_uid_close();
+#endif
 		return 0;
 	}
 	if (stat ("/", &sbroot) != 0) {

man/Makefile.am

@@ -215,5 +215,4 @@ $(man_MANS):
 	@echo "Error: you need to run configure with '--enable-man'"
 	@echo "       in order to regenerate man pages."
 	@echo ""
-	@false
 endif

man/generate_mans.mak

@@ -42,12 +42,11 @@ man1/% man3/% man5/% man8/%: %.xml-config Makefile config.xml
 	            -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/profile-docbook.xsl $<
 
 clean-local:
-	for d in man1 man3 man5 man8; do [ -d $$d ] && rmdir $$d; done
+	rm -rf man1 man3 man5 man8
 
 else
 $(man_MANS):
 	@echo you need to run configure with --enable-man to generate man pages
-	@false
 endif
 
 man8/grpconv.8 man8/grpunconv.8 man8/pwunconv.8: man8/pwconv.8

man/generate_translations.mak

@@ -14,7 +14,6 @@ include ../generate_mans.mak
 else
 $(man_MANS):
 	@echo you need to run configure with --enable-man to generate man pages
-	@false
 endif
 
 CLEANFILES = .xml2po.mo $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml

man/po/da.po

@@ -1023,7 +1023,7 @@ msgstr ""
 #| "<option>-f</option>, <option>--inactive</option>&nbsp;"
 #| "<replaceable>INACTIVE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
+"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-f</option>, <option>--inactive</option>&nbsp;<replaceable>INAKTIV</"
@@ -1052,7 +1052,7 @@ msgstr ""
 #| "<option>-e</option>, <option>--expiredate</option>&nbsp;"
 #| "<replaceable>EXPIRE_DATE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
+"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-e</option>, <option>--expiredate</option>&nbsp;"
@@ -1065,8 +1065,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-uids</option> and <option>--add-"
-"sub-uids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-subuids</option> and <option>--add-"
+"subuids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1076,7 +1076,7 @@ msgstr ""
 #| "<option>-f</option>, <option>--inactive</option>&nbsp;"
 #| "<replaceable>INACTIVE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
+"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-f</option>, <option>--inactive</option>&nbsp;<replaceable>INAKTIV</"
@@ -1099,7 +1099,7 @@ msgstr ""
 #| "<option>-e</option>, <option>--expiredate</option>&nbsp;"
 #| "<replaceable>EXPIRE_DATE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
+"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-e</option>, <option>--expiredate</option>&nbsp;"
@@ -1112,8 +1112,8 @@ msgstr ""
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-gids</option> and <option>--add-"
-"sub-gids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-subgids</option> and <option>--add-"
+"subgids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/po/de.po

@@ -1092,7 +1092,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
+"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1129,7 +1129,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
+"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1142,8 +1142,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-uids</option> and <option>--add-"
-"sub-uids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-subuids</option> and <option>--add-"
+"subuids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1153,7 +1153,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
+"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1184,7 +1184,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
+"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1201,8 +1201,8 @@ msgstr ""
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-gids</option> and <option>--add-"
-"sub-gids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-subgids</option> and <option>--add-"
+"subgids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 
@@ -3087,7 +3087,7 @@ msgstr "5"
 #: limits.5.xml:61(refmiscinfo) gshadow.5.xml:48(refmiscinfo)
 #: faillog.5.xml:59(refmiscinfo)
 msgid "File Formats and Conversions"
-msgstr "Dateiformate und -konvertierung"
+msgstr "Dateiformate und konvertierung"
 
 #: suauth.5.xml:65(refpurpose)
 msgid "detailed su control file"
@@ -4370,7 +4370,7 @@ msgstr ""
 
 #: shadow.5.xml:235(para)
 msgid "An empty field means that the account will never expire."
-msgstr "Ein leeren Feld bedeutet, dass das Konto nicht verfallen wird."
+msgstr "Ein leeres Feld bedeutet, dass das Konto nicht verfallen wird."
 
 #: shadow.5.xml:238(para)
 msgid ""
@@ -6961,7 +6961,7 @@ msgid ""
 "contents of this file should be a message indicating why logins are "
 "inhibited."
 msgstr ""
-"Falls angegeben, der Name einer Datei, dessen Existenz Anmeldungen außer von "
+"Falls angegeben, der Name einer Datei, deren Existenz Anmeldungen außer von "
 "Root verhindert. Der Inhalt der Datei sollte die Gründe enthalten, weshalb "
 "Anmeldungen untersagt sind."
 

man/po/fr.po

@@ -1110,7 +1110,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
+"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1147,7 +1147,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
+"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1160,8 +1160,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-uids</option> and <option>--add-"
-"sub-uids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-subuids</option> and <option>--add-"
+"subuids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1171,7 +1171,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
+"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1202,7 +1202,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
+"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1219,8 +1219,8 @@ msgstr ""
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-gids</option> and <option>--add-"
-"sub-gids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-subgids</option> and <option>--add-"
+"subgids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/po/it.po

@@ -1151,7 +1151,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
+"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1189,7 +1189,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
+"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1202,8 +1202,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-uids</option> and <option>--add-"
-"sub-uids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-subuids</option> and <option>--add-"
+"subuids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1214,7 +1214,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
+"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1247,7 +1247,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
+"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1262,8 +1262,8 @@ msgstr "Rimuove tutti gli utenti SELinux assegnati al login utente."
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-gids</option> and <option>--add-"
-"sub-gids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-subgids</option> and <option>--add-"
+"subgids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/po/pl.po

@@ -1088,7 +1088,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
+"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KLUCZ</"
@@ -1117,7 +1117,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
+"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KLUCZ</"
@@ -1130,8 +1130,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-uids</option> and <option>--add-"
-"sub-uids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-subuids</option> and <option>--add-"
+"subuids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1141,7 +1141,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
+"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KLUCZ</"
@@ -1164,7 +1164,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
+"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KLUCZ</"
@@ -1177,8 +1177,8 @@ msgstr ""
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-gids</option> and <option>--add-"
-"sub-gids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-subgids</option> and <option>--add-"
+"subgids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/po/ru.po

@@ -1133,7 +1133,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
+"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>УЧЁТНАЯ "
@@ -1170,7 +1170,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
+"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>УЧЁТНАЯ "
@@ -1183,8 +1183,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-uids</option> and <option>--add-"
-"sub-uids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-subuids</option> and <option>--add-"
+"subuids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1194,7 +1194,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
+"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>УЧЁТНАЯ "
@@ -1225,7 +1225,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
+"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>УЧЁТНАЯ "
@@ -1242,8 +1242,8 @@ msgstr ""
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-gids</option> and <option>--add-"
-"sub-gids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-subgids</option> and <option>--add-"
+"subgids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/po/shadow-man-pages.pot

@@ -458,7 +458,7 @@ msgid "Note: if you wish to unlock the account (not only access with a password)
 msgstr ""
 
 #: usermod.8.xml:384(term)
-msgid "<option>-v</option>, <option>--add-sub-uids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
+msgid "<option>-v</option>, <option>--add-subuids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 
 #: usermod.8.xml:388(para)
@@ -474,7 +474,7 @@ msgid "No checks will be performed with regard to <option>SUB_UID_MIN</option>,
 msgstr ""
 
 #: usermod.8.xml:402(term)
-msgid "<option>-V</option>, <option>--del-sub-uids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
+msgid "<option>-V</option>, <option>--del-subuids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 
 #: usermod.8.xml:406(para)
@@ -482,11 +482,11 @@ msgid "Remove a range of subordinate uids from the user's account."
 msgstr ""
 
 #: usermod.8.xml:409(para)
-msgid "This option may be specified multiple times to remove multiple ranges to a users account. When both <option>--del-sub-uids</option> and <option>--add-sub-uids</option> are specified, the removal of all subordinate uid ranges happens before any subordinate uid range is added."
+msgid "This option may be specified multiple times to remove multiple ranges to a users account. When both <option>--del-subuids</option> and <option>--add-subuids</option> are specified, the removal of all subordinate uid ranges happens before any subordinate uid range is added."
 msgstr ""
 
 #: usermod.8.xml:422(term)
-msgid "<option>-w</option>, <option>--add-sub-gids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
+msgid "<option>-w</option>, <option>--add-subgids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 
 #: usermod.8.xml:426(para)
@@ -498,7 +498,7 @@ msgid "No checks will be performed with regard to <option>SUB_GID_MIN</option>,
 msgstr ""
 
 #: usermod.8.xml:440(term)
-msgid "<option>-W</option>, <option>--del-sub-gids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
+msgid "<option>-W</option>, <option>--del-subgids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 
 #: usermod.8.xml:444(para)
@@ -506,7 +506,7 @@ msgid "Remove a range of subordinate gids from the user's account."
 msgstr ""
 
 #: usermod.8.xml:447(para)
-msgid "This option may be specified multiple times to remove multiple ranges to a users account. When both <option>--del-sub-gids</option> and <option>--add-sub-gids</option> are specified, the removal of all subordinate gid ranges happens before any subordinate gid range is added."
+msgid "This option may be specified multiple times to remove multiple ranges to a users account. When both <option>--del-subgids</option> and <option>--add-subgids</option> are specified, the removal of all subordinate gid ranges happens before any subordinate gid range is added."
 msgstr ""
 
 #: usermod.8.xml:460(term) useradd.8.xml:506(term)

man/po/sv.po

@@ -1062,7 +1062,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
+"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>NYCKEL</"
@@ -1091,7 +1091,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
+"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>NYCKEL</"
@@ -1104,8 +1104,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-uids</option> and <option>--add-"
-"sub-uids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-subuids</option> and <option>--add-"
+"subuids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1115,7 +1115,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
+"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>NYCKEL</"
@@ -1138,7 +1138,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
+"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>NYCKEL</"
@@ -1151,8 +1151,8 @@ msgstr ""
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-gids</option> and <option>--add-"
-"sub-gids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-subgids</option> and <option>--add-"
+"subgids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/po/zh_CN.po

@@ -1043,7 +1043,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
+"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1080,7 +1080,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
+"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1093,8 +1093,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-uids</option> and <option>--add-"
-"sub-uids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-subuids</option> and <option>--add-"
+"subuids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1104,7 +1104,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
+"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1136,7 +1136,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
+"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1151,8 +1151,8 @@ msgstr "移除用户登录的所有 SELinux 用户映射。"
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-sub-gids</option> and <option>--add-"
-"sub-gids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-subgids</option> and <option>--add-"
+"subgids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/usermod.8.xml

@@ -382,7 +382,7 @@
       </varlistentry>
       <varlistentry condition="subids">
 	<term>
-	  <option>-v</option>, <option>--add-sub-uids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
+	  <option>-v</option>, <option>--add-subuids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
 	</term>
 	<listitem>
 	  <para>
@@ -400,7 +400,7 @@
       </varlistentry>
       <varlistentry condition="subids">
 	<term>
-	  <option>-V</option>, <option>--del-sub-uids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
+	  <option>-V</option>, <option>--del-subuids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
 	</term>
 	<listitem>
 	  <para>
@@ -408,7 +408,7 @@
 	  </para>
 	  <para>
 	    This option may be specified multiple times to remove multiple ranges to a users account.
-	    When both <option>--del-sub-uids</option> and <option>--add-sub-uids</option> are specified,
+	    When both <option>--del-subuids</option> and <option>--add-subuids</option> are specified,
 	    the removal of all subordinate uid ranges happens before any subordinate uid range is added.
 	  </para>
 	  <para>
@@ -420,7 +420,7 @@
       </varlistentry>
       <varlistentry condition="subids">
 	<term>
-	  <option>-w</option>, <option>--add-sub-gids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
+	  <option>-w</option>, <option>--add-subgids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
 	</term>
 	<listitem>
 	  <para>
@@ -438,7 +438,7 @@
       </varlistentry>
       <varlistentry condition="subids">
 	<term>
-	  <option>-W</option>, <option>--del-sub-gids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
+	  <option>-W</option>, <option>--del-subgids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
 	</term>
 	<listitem>
 	  <para>
@@ -446,7 +446,7 @@
 	  </para>
 	  <para>
 	    This option may be specified multiple times to remove multiple ranges to a users account.
-	    When both <option>--del-sub-gids</option> and <option>--add-sub-gids</option> are specified,
+	    When both <option>--del-subgids</option> and <option>--add-subgids</option> are specified,
 	    the removal of all subordinate gid ranges happens before any subordinate gid range is added.
 	  </para>
 	  <para>

po/kk.po

@@ -1,21 +1,22 @@
 # shadowutils to kazakh.
 # Copyright (C) 2009 Free Software Foundation, Inc.
 # This file is distributed under the same license as the PACKAGE package.
-# Baurzhan Muftakhidinov <baurthefirst@gmail.com>, 2009-2012.
+# Baurzhan Muftakhidinov <baurthefirst@gmail.com>, 2009-2017.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: shadowutils\n"
 "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n"
 "POT-Creation-Date: 2016-09-18 14:03-0500\n"
-"PO-Revision-Date: 2012-01-20 21:16+0600\n"
+"PO-Revision-Date: 2017-02-07 17:09+0500\n"
 "Last-Translator: Baurzhan Muftakhidinov <baurthefirst@gmail.com>\n"
 "Language-Team: Kazakh <kk_KZ@googlegroups.com>\n"
 "Language: kk\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=1; plural=0\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+"X-Generator: Poedit 1.8.11\n"
 
 #, c-format
 msgid ""
@@ -43,10 +44,9 @@ msgstr "баптау қатесі - белгісіз элемент '%s' (адм
 msgid "%s: nscd did not terminate normally (signal %d)\n"
 msgstr "%s: nscd өз жұмысын дұрыс аяқтаған жоқ (%d сигналымен)\n"
 
-#, fuzzy, c-format
-#| msgid "%s: nscd exited with status %d"
+#, c-format
 msgid "%s: nscd exited with status %d\n"
-msgstr "%s: nscd %d статуспен жұмысын өз аяқтады"
+msgstr "%s: nscd %d қалып-күймен өз жұмысын аяқтады\n"
 
 msgid "Password: "
 msgstr "Пароль: "
@@ -417,10 +417,9 @@ msgstr "%s: '%s' chroot жолы қате\n"
 msgid "%s: cannot access chroot directory %s: %s\n"
 msgstr "%s: %s chroot бумасына қатынау мүмкін емес: %s\n"
 
-#, fuzzy, c-format
-#| msgid "%s: cannot access chroot directory %s: %s\n"
+#, c-format
 msgid "%s: cannot chdir to chroot directory %s: %s\n"
-msgstr "%s: %s chroot бумасына қатынау мүмкін емес: %s\n"
+msgstr "%s: %s chroot бумасына өту (chdir) мүмкін емес: %s\n"
 
 #, c-format
 msgid "%s: unable to chroot to directory %s: %s\n"
@@ -785,10 +784,10 @@ msgstr "%s: жол %d: жол өте ұзын\n"
 msgid "%s: line %d: missing new password\n"
 msgstr "%s: жол %d: жаңа пароль жоқ\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: Failed to write %s: %s\n"
 msgid "%s: failed to crypt password with salt '%s': %s\n"
-msgstr "%s: %s жазу сәтсіз: %s\n"
+msgstr "%s: парольді '%s' тұзымен шифрлеу сәтсіз аяқталды: %s\n"
 
 #, c-format
 msgid "%s: line %d: group '%s' does not exist\n"
@@ -1096,13 +1095,14 @@ msgstr "%s: GID '%lu' бар болып тұр\n"
 msgid "%s: Cannot setup cleanup service.\n"
 msgstr "%s: Тазарту қызметін орнату мүмкін емес.\n"
 
-#, fuzzy
 #| msgid ""
 #| "  -r, --reset                   reset the counters of login failures\n"
 msgid ""
 "  -f, --force                   delete group even if it is the primary group "
 "of a user\n"
-msgstr "  -r, --reset                   сәтсіз кіру талап санағышын нөлдеу\n"
+msgstr ""
+"  -f, --force                   топты өшіру, егер ол пайдаланушының "
+"біріншілік тобы болса да\n"
 
 #, c-format
 msgid "%s: cannot remove entry '%s' from %s\n"
@@ -1330,25 +1330,23 @@ msgstr ""
 "  -b, --before КҮН              мерзімі КҮНнен үлкен ғана lastlog жазбаларын "
 "көрсету\n"
 
-#, fuzzy
 #| msgid ""
 #| "  -a, --all                     display faillog records for all users\n"
 msgid ""
 "  -C, --clear                   clear lastlog record of an user (usable only "
 "with -u)\n"
 msgstr ""
-"  -a, --all                     барлық пайдаланушылар үшін faillog "
-"жазбаларын көрсету\n"
+"  -C, --clear                   пайдаланушының lastlog жазбасын тазарту (тек "
+"-u опциясымен бірге пайдаланылады)\n"
 
-#, fuzzy
 #| msgid ""
 #| "  -a, --all                     display faillog records for all users\n"
 msgid ""
 "  -S, --set                     set lastlog record to current time (usable "
 "only with -u)\n"
 msgstr ""
-"  -a, --all                     барлық пайдаланушылар үшін faillog "
-"жазбаларын көрсету\n"
+"  -S, --set                     lastlog жазбасын ағымдағы уақытқа орнату "
+"(тек -u опциясымен бірге пайдаланылады)\n"
 
 msgid ""
 "  -t, --time DAYS               print only lastlog records more recent than "
@@ -1372,23 +1370,22 @@ msgstr "Пайдаланушы             Порт     Соңғы"
 msgid "**Never logged in**"
 msgstr "**Жүйеге ешқашан кірмеген**"
 
-#, fuzzy, c-format
-#| msgid "%s: Failed to get the entry for UID %lu\n"
+#, c-format
 msgid "%s: Failed to update the entry for UID %lu\n"
-msgstr "%s: UID %lu үшін жазбаны алу мүмкін емес\n"
+msgstr "%s: UID %lu үшін жазбаны жаңарту сәтсіз аяқталды\n"
 
-#, fuzzy, c-format
-#| msgid "%s: failed to reset the lastlog entry of UID %lu: %s\n"
+#, c-format
 msgid "%s: Failed to update the lastlog file\n"
-msgstr "%s: %lu UID-і үшін lastlog жазбасын нөлдеу сәтсіз: %s\n"
+msgstr "%s: lastlog файлын жаңарту сәтсіз аяқталды\n"
 
 #, c-format
 msgid "%s: Option -C cannot be used together with option -S\n"
-msgstr ""
+msgstr "%s: -C опциясын -S опциясымен бірге қолдануға болмайды\n"
 
 #, c-format
 msgid "%s: Options -C and -S require option -u to specify the user\n"
 msgstr ""
+"%s: -C және -S опциялары пайдаланушыны көрсету үшін -u опциясын талап етеді\n"
 
 #, c-format
 msgid "Usage: %s [-p] [name]\n"
@@ -1513,10 +1510,10 @@ msgstr "Қолданылуы: newgrp [-] [топ]\n"
 msgid "Usage: sg group [[-c] command]\n"
 msgstr "Қолданылуы: sg топ [[-c] командасы]\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: Failed to write %s: %s\n"
 msgid "%s: failed to crypt password with previous salt: %s\n"
-msgstr "%s: %s жазу сәтсіз: %s\n"
+msgstr "%s: парольді алдыңғы тұзбен шифрлеу сәтсіз аяқталды: %s\n"
 
 msgid "Invalid password.\n"
 msgstr "пароль қате.\n"
@@ -1585,20 +1582,18 @@ msgstr "%s: жол %d: chown %s сәтсіз: %s\n"
 msgid "%s: line %d: can't update entry\n"
 msgstr "%s: жол %d: жазбаны жаңарту мүмкін емес\n"
 
-#, fuzzy, c-format
-#| msgid "%s: failed to prepare the new %s entry '%s'\n"
+#, c-format
 msgid "%s: failed to prepare new %s entry\n"
-msgstr "%s: жаңа %s '%s' жазбаны дайындау мүмкін емес\n"
+msgstr "%s: жаңа %s жазбасын дайындау сәтсіз аяқталды\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: can't create user\n"
 msgid "%s: can't find subordinate user range\n"
-msgstr "%s: пайдаланушыны жасау мүмкін емес\n"
+msgstr "%s: бағынышты пайдаланушы ауқымын табу мүмкін емес\n"
 
-#, fuzzy, c-format
-#| msgid "%s: can't create group\n"
+#, c-format
 msgid "%s: can't find subordinate group range\n"
-msgstr "%s: топты құру мүмкін емес\n"
+msgstr "%s: бағынышты топ ауқымын табу мүмкін емес\n"
 
 msgid ""
 "  -a, --all                     report password status on all accounts\n"
@@ -2010,10 +2005,10 @@ msgstr "%s: жаңа defaults файлын ашу мүмкін емес\n"
 msgid "%s: line too long in %s: %s..."
 msgstr "%s: %s ішіндегі жол тым ұзын: %s..."
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: Cannot create symbolic link %s: %s\n"
 msgid "%s: Cannot create backup file (%s): %s\n"
-msgstr "%s: %s символдық сілтемесін жасау мүмкін емес: %s\n"
+msgstr "%s: Қор көшірме файлын жасау мүмкін емес (%s): %s\n"
 
 #, c-format
 msgid "%s: rename: %s: %s\n"
@@ -2176,10 +2171,9 @@ msgstr "%s: %lu UID-і үшін faillog жазбасын нөлдеу сәтсі
 msgid "%s: failed to reset the lastlog entry of UID %lu: %s\n"
 msgstr "%s: %lu UID-і үшін lastlog жазбасын нөлдеу сәтсіз: %s\n"
 
-#, fuzzy, c-format
-#| msgid "%s: failed to prepare the new %s entry '%s'\n"
+#, c-format
 msgid "%s: failed to prepare the new %s entry\n"
-msgstr "%s: жаңа %s '%s' жазбаны дайындау мүмкін емес\n"
+msgstr "%s: жаңа %s жазбасын дайындау сәтсіз аяқталды\n"
 
 #, c-format
 msgid "%s: cannot create directory %s\n"
@@ -2223,15 +2217,14 @@ msgstr "%s: %s үшін tcb бумасын жасау мүмкін емес\n"
 msgid "%s: can't create group\n"
 msgstr "%s: топты құру мүмкін емес\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: can't create user\n"
 msgid "%s: can't create subordinate user IDs\n"
-msgstr "%s: пайдаланушыны жасау мүмкін емес\n"
+msgstr "%s: бағынышты пайдаланушы ID-ын жасау мүмкін емес\n"
 
-#, fuzzy, c-format
-#| msgid "%s: can't create group\n"
+#, c-format
 msgid "%s: can't create subordinate group IDs\n"
-msgstr "%s: топты құру мүмкін емес\n"
+msgstr "%s: бағынышты топ ID-ын жасау мүмкін емес\n"
 
 #, c-format
 msgid ""
@@ -2277,10 +2270,9 @@ msgstr ""
 "%s: %s тобын өшіру мүмкін емес, ол басқа пайдаланушы үшін басыңқы топ болып "
 "табылады.\n"
 
-#, fuzzy, c-format
-#| msgid "%s: cannot remove entry '%s' from %s\n"
+#, c-format
 msgid "%s: cannot remove entry %lu from %s\n"
-msgstr "%s: '%s' жазбасын %s ішінен өшіру мүмкін емес\n"
+msgstr "%s: %lu жазбасын %s ішінен өшіру мүмкін емес\n"
 
 #, c-format
 msgid "%s: %s mail spool (%s) not found\n"
@@ -2407,16 +2399,16 @@ msgstr ""
 "  -U, --unlock                  пайдаланушы тіркелгісін оқшаулаудан босату\n"
 
 msgid "  -v, --add-subuids FIRST-LAST  add range of subordinate uids\n"
-msgstr ""
+msgstr "  -v, --add-subuids БІРІНШІ-СОҢҒЫ  бағынышты uid-тар ауқымын қосу\n"
 
 msgid "  -V, --del-subuids FIRST-LAST  remove range of subordinate uids\n"
-msgstr ""
+msgstr "  -V, --del-subuids БІРІНШІ-СОҢҒЫ  бағынышты uid-тар ауқымын өшіру\n"
 
 msgid "  -w, --add-subgids FIRST-LAST  add range of subordinate gids\n"
-msgstr ""
+msgstr "  -w, --add-subgids БІРІНШІ-СОҢҒЫ  бағынышты gid-тар ауқымын қосу\n"
 
 msgid "  -W, --del-subgids FIRST-LAST  remove range of subordinate gids\n"
-msgstr ""
+msgstr "  -W, --del-subgids БІРІНШІ-СОҢҒЫ  бағынышты gid-тар ауқымын өшіру\n"
 
 msgid ""
 "  -Z, --selinux-user SEUSER     new SELinux user mapping for the user "
@@ -2437,15 +2429,14 @@ msgstr ""
 msgid "%s: user '%s' already exists in %s\n"
 msgstr "%s: '%s' пайдаланушысы %s ішінде бар болып тұр\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: invalid date '%s'\n"
 msgid "%s: invalid subordinate uid range '%s'\n"
-msgstr "%s: '%s' күні қате\n"
+msgstr "%s: жарамсыз бағынышты uid ауқымы '%s'\n"
 
-#, fuzzy, c-format
-#| msgid "%s: invalid date '%s'\n"
+#, c-format
 msgid "%s: invalid subordinate gid range '%s'\n"
-msgstr "%s: '%s' күні қате\n"
+msgstr "%s: жарамсыз бағынышты gid ауқымы '%s'\n"
 
 #, c-format
 msgid "%s: no options\n"
@@ -2463,10 +2454,10 @@ msgstr "%s: -e пен -f үшін көлеңкелі парольдер кере
 msgid "%s: UID '%lu' already exists\n"
 msgstr "%s: '%lu' UID-і бар болып тұр\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: %s is not authorized to change the password of %s\n"
 msgid "%s: %s does not exist, you cannot use the flags %s or %s\n"
-msgstr "%s: %s пайдаланушының %s үшін паролді өзгертуге құқығы жоқ\n"
+msgstr "%s: %s жоқ болып тұр, %s немесе %s жалаушаларын қолдануға болмайды\n"
 
 #, c-format
 msgid "%s: directory %s exists\n"
@@ -2512,25 +2503,22 @@ msgstr "mailbox иесін ауыстыру қатемен аяқталды"
 msgid "failed to rename mailbox"
 msgstr "mailbox атын ауыстыру қатемен аяқталды"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to remove uid range %lu-%lu from '%s'\n"
-msgstr "%s: жаңа %s '%s' жазбаны дайындау мүмкін емес\n"
+msgstr "%s: %lu-%lu uid-тар ауқымын '%s' ішінен өшіру сәтсіз аяқталды\n"
 
-#, fuzzy, c-format
-#| msgid "%s: failed to prepare the new %s entry '%s'\n"
+#, c-format
 msgid "%s: failed to add uid range %lu-%lu from '%s'\n"
-msgstr "%s: жаңа %s '%s' жазбаны дайындау мүмкін емес\n"
+msgstr "%s: %lu-%lu uid ауқымын '%s' ішіне қосу сәтсіз аяқталды\n"
 
-#, fuzzy, c-format
-#| msgid "%s: failed to prepare the new %s entry '%s'\n"
+#, c-format
 msgid "%s: failed to remove gid range %lu-%lu from '%s'\n"
-msgstr "%s: жаңа %s '%s' жазбаны дайындау мүмкін емес\n"
+msgstr "%s: %lu-%lu gid-тар ауқымын '%s' ішінен өшіру сәтсіз аяқталды\n"
 
-#, fuzzy, c-format
-#| msgid "%s: failed to prepare the new %s entry '%s'\n"
+#, c-format
 msgid "%s: failed to add gid range %lu-%lu from '%s'\n"
-msgstr "%s: жаңа %s '%s' жазбаны дайындау мүмкін емес\n"
+msgstr "%s: %lu-%lu gid ауқымын '%s' ішіне қосу сәтсіз аяқталды\n"
 
 #, c-format
 msgid ""
@@ -2585,19 +2573,18 @@ msgstr "Файлды оқшаулау мүмкін емес"
 msgid "Couldn't make backup"
 msgstr "Қор көшірмені жасау мүмкін емес"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: PAM: %s\n"
 msgid "%s: %s: %s\n"
-msgstr "%s: PAM: %s\n"
+msgstr "%s: %s: %s\n"
 
-#, fuzzy, c-format
-#| msgid "%s: nscd exited with status %d"
+#, c-format
 msgid "%s: %s returned with status %d\n"
-msgstr "%s: nscd %d статуспен жұмысын өз аяқтады"
+msgstr "%s: %s %d қалып-күймен өз жұмысын аяқтады\n"
 
 #, c-format
 msgid "%s: %s killed by signal %d\n"
-msgstr ""
+msgstr "%s: %s %d сигналымен тоқтатылды\n"
 
 msgid "failed to open scratch file"
 msgstr "scratch файлын ашу сәтсіз"

po/nb.po

@@ -7,12 +7,13 @@
 # Bjørn Steensrud <bjornst@powertech.no>, 2006.
 # Bjørn Steensrud <bjornst@skogkatt.homelinux.org>, 2009, 2012.
 # Hans Fredrik Nordhaug <hans@nordhaug.priv.no>, 2012.
+# Lars Bahner <bahner@debian.org>, 2015
 msgid ""
 msgstr ""
 "Project-Id-Version: shadow 4.0.17\n"
 "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n"
 "POT-Creation-Date: 2016-09-18 14:03-0500\n"
-"PO-Revision-Date: 2012-01-18 17:19+0100\n"
+"PO-Revision-Date: 2015-09-30 18:15+0100\n"
 "Last-Translator: Bjørn Steensrud <bjornst@skogkatt.homelinux.org>\n"
 "Language-Team: Norwegian Bokmål <i18n-nb@lister.ping.uio.no>\n"
 "Language: nb\n"
@@ -20,7 +21,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Lokalize 1.2\n"
+"X-Generator: Poedit 1.7.5\n"
 
 #, c-format
 msgid ""
@@ -48,10 +49,9 @@ msgstr "feil med oppsettet - ukjent element «%s» (kontakt administrator)\n"
 msgid "%s: nscd did not terminate normally (signal %d)\n"
 msgstr "%s: nscd avsluttet ikke normallt (signal %d)\n"
 
-#, fuzzy, c-format
-#| msgid "%s: nscd exited with status %d"
+#, c-format
 msgid "%s: nscd exited with status %d\n"
-msgstr "%s: nscd avsluttet med status %d"
+msgstr "%s: nscd avsluttet med status %d\n"
 
 msgid "Password: "
 msgstr "Passord: "
@@ -415,8 +415,9 @@ msgstr "passwd: %s\n"
 msgid "passwd: password unchanged\n"
 msgstr "passwd: passordet er uendret\n"
 
+#, fuzzy
 msgid "passwd: password updated successfully\n"
-msgstr "passwd: passorder ble oppdatert\n"
+msgstr "passwd: passordet ble oppdatert\n"
 
 #, c-format
 msgid "Incorrect password for %s.\n"

po/ru.po

@@ -5,20 +5,20 @@
 # Eugene Konev <ejka@imfi.kspu.ru>, 2004.
 # alyoshin.s@gmail.com <alyoshin.s@gmail.com>, 2008.
 # Yuri Kozlov <kozlov.y@gmail.com>, 2004, 2005, 2006, 2007, 2008.
-# Yuri Kozlov <yuray@komyakino.ru>, 2009, 2011, 2012.
+# Yuri Kozlov <yuray@komyakino.ru>, 2009, 2011, 2012, 2017.
 msgid ""
 msgstr ""
 "Project-Id-Version: shadow 4.1.5.1-1\n"
 "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n"
 "POT-Creation-Date: 2016-09-18 14:03-0500\n"
-"PO-Revision-Date: 2013-07-29 10:42+0400\n"
+"PO-Revision-Date: 2017-03-05 11:14+0300\n"
 "Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n"
 "Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n"
 "Language: ru\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Generator: Lokalize 1.0\n"
+"X-Generator: Lokalize 2.0\n"
 "Plural-Forms:  nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
 "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
 
@@ -436,10 +436,10 @@ msgstr "%s: некорректное значение пути chroot «%s»\n"
 msgid "%s: cannot access chroot directory %s: %s\n"
 msgstr "%s: нет доступа к каталогу chroot %s: %s\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: cannot access chroot directory %s: %s\n"
 msgid "%s: cannot chdir to chroot directory %s: %s\n"
-msgstr "%s: нет доступа к каталогу chroot %s: %s\n"
+msgstr "%s: не удалось выполнить chdir в chroot-каталог %s: %s\n"
 
 #, c-format
 msgid "%s: unable to chroot to directory %s: %s\n"
@@ -806,10 +806,10 @@ msgstr "%s: строка %d: слишком длинная строка\n"
 msgid "%s: line %d: missing new password\n"
 msgstr "%s: строка %d: отсутствует новый пароль\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: Failed to write %s: %s\n"
 msgid "%s: failed to crypt password with salt '%s': %s\n"
-msgstr "%s: не удалось записать %s: %s\n"
+msgstr "%s: не удалось зашифровать пароль с солью «%s»: %s\n"
 
 #, c-format
 msgid "%s: line %d: group '%s' does not exist\n"
@@ -1098,7 +1098,7 @@ msgstr ""
 "                                новой группы\n"
 
 msgid "  -r, --system                  create a system account\n"
-msgstr "  -r, --system                  создать системную учётную запись\n"
+msgstr "  -r, --system                  создавать системную группу\n"
 
 #, c-format
 msgid "%s: '%s' is not a valid group name\n"
@@ -1124,14 +1124,15 @@ msgstr "%s: GID «%lu» уже существует\n"
 msgid "%s: Cannot setup cleanup service.\n"
 msgstr "%s: не удалось настроить службу очистки.\n"
 
-#, fuzzy
 #| msgid ""
 #| "  -r, --reset                   reset the counters of login failures\n"
 msgid ""
 "  -f, --force                   delete group even if it is the primary group "
 "of a user\n"
 msgstr ""
-"  -r, --reset                   сбросить счётчик неудачных попыток входа\n"
+"  -f, --force                   удалить группу, даже если она является"
+" первичной\n"
+"                                группой пользователя\n"
 
 #, c-format
 msgid "%s: cannot remove entry '%s' from %s\n"
@@ -1357,25 +1358,23 @@ msgstr ""
 "  -b, --before ДНЕЙ             показать записи lastlog за последние ДНЕЙ "
 "дней\n"
 
-#, fuzzy
 #| msgid ""
 #| "  -a, --all                     display faillog records for all users\n"
 msgid ""
 "  -C, --clear                   clear lastlog record of an user (usable only "
 "with -u)\n"
 msgstr ""
-"  -a, --all                     показать записи faillog для всех "
-"пользователей\n"
+"  -C, --clear                   очистить запись lastlog пользователя\n"
+"                                (только вместе с -u)\n"
 
-#, fuzzy
 #| msgid ""
 #| "  -a, --all                     display faillog records for all users\n"
 msgid ""
 "  -S, --set                     set lastlog record to current time (usable "
 "only with -u)\n"
 msgstr ""
-"  -a, --all                     показать записи faillog для всех "
-"пользователей\n"
+"  -S, --set                     поставить в записи lastlog текущее время\n"
+"                                (только вместе с -u)\n"
 
 msgid ""
 "  -t, --time DAYS               print only lastlog records more recent than "
@@ -1399,23 +1398,24 @@ msgstr "Пользователь            Порт     Последний ра
 msgid "**Never logged in**"
 msgstr "**Никогда не входил в систему**"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: Failed to get the entry for UID %lu\n"
 msgid "%s: Failed to update the entry for UID %lu\n"
-msgstr "%s: не удалось получить запись для UID %lu\n"
+msgstr "%s: не удалось обновить запись для UID %lu\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: failed to reset the lastlog entry of UID %lu: %s\n"
 msgid "%s: Failed to update the lastlog file\n"
-msgstr "%s: не удалось сбросить запись в lastlog для UID %lu: %s\n"
+msgstr "%s: не удалось обновить файл lastlog\n"
 
 #, c-format
 msgid "%s: Option -C cannot be used together with option -S\n"
-msgstr ""
+msgstr "%s: параметр -C нельзя использовать вместе с параметром -S\n"
 
 #, c-format
 msgid "%s: Options -C and -S require option -u to specify the user\n"
 msgstr ""
+"%s: для параметров -C и -S требуется указать пользователя в параметре -u\n"
 
 #, c-format
 msgid "Usage: %s [-p] [name]\n"
@@ -1539,10 +1539,10 @@ msgstr "Использование: newgrp [-] [группа]\n"
 msgid "Usage: sg group [[-c] command]\n"
 msgstr "Использование: sg группа [[-c] команда]\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: Failed to write %s: %s\n"
 msgid "%s: failed to crypt password with previous salt: %s\n"
-msgstr "%s: не удалось записать %s: %s\n"
+msgstr "%s: не удалось зашифровать пароль с предыдущей солью: %s\n"
 
 msgid "Invalid password.\n"
 msgstr "Неправильный пароль.\n"
@@ -1612,20 +1612,20 @@ msgstr "%s: строка %d: вызов chown %s завершился неуда
 msgid "%s: line %d: can't update entry\n"
 msgstr "%s: строка %d: не удалось обновить запись\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to prepare new %s entry\n"
-msgstr "%s: не удалось подготовить новую %s запись «%s»\n"
+msgstr "%s: не удалось подготовить новую %s запись\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: can't create user\n"
 msgid "%s: can't find subordinate user range\n"
-msgstr "%s: не удалось создать пользователя\n"
+msgstr "%s: не удалось найти подчинённый диапазон пользователей\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: can't create group\n"
 msgid "%s: can't find subordinate group range\n"
-msgstr "%s: не удалось создать группу\n"
+msgstr "%s: не удалось найти подчинённый диапазон групп\n"
 
 msgid ""
 "  -a, --all                     report password status on all accounts\n"
@@ -2219,10 +2219,10 @@ msgstr "%s: не удалось сбросить запись в faillog для
 msgid "%s: failed to reset the lastlog entry of UID %lu: %s\n"
 msgstr "%s: не удалось сбросить запись в lastlog для UID %lu: %s\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to prepare the new %s entry\n"
-msgstr "%s: не удалось подготовить новую %s запись «%s»\n"
+msgstr "%s: не удалось подготовить новую %s запись\n"
 
 #, c-format
 msgid "%s: cannot create directory %s\n"
@@ -2267,15 +2267,15 @@ msgstr "%s: не удалось создать tcb-каталог для %s\n"
 msgid "%s: can't create group\n"
 msgstr "%s: не удалось создать группу\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: can't create user\n"
 msgid "%s: can't create subordinate user IDs\n"
-msgstr "%s: не удалось создать пользователя\n"
+msgstr "%s: не удалось создать подчинённые пользовательские ID\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: can't create group\n"
 msgid "%s: can't create subordinate group IDs\n"
-msgstr "%s: не удалось создать группу\n"
+msgstr "%s: не удалось создать подчинённые групповые ID\n"
 
 #, c-format
 msgid ""
@@ -2325,10 +2325,10 @@ msgstr ""
 "%s: группа %s является первичной для другого пользователя и не может быть "
 "удалена.\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: cannot remove entry '%s' from %s\n"
 msgid "%s: cannot remove entry %lu from %s\n"
-msgstr "%s: не удалось удалить запись «%s» из %s\n"
+msgstr "%s: не удалось удалить запись %lu из %s\n"
 
 #, c-format
 msgid "%s: %s mail spool (%s) not found\n"
@@ -2452,16 +2452,16 @@ msgid "  -U, --unlock                  unlock the user account\n"
 msgstr "  -U, --unlock                  разблокировать учётную запись\n"
 
 msgid "  -v, --add-subuids FIRST-LAST  add range of subordinate uids\n"
-msgstr ""
+msgstr "  -v, --add-subuids ПЕРВ-ПОСЛ   добавить диапазон подчинённых uid\n"
 
 msgid "  -V, --del-subuids FIRST-LAST  remove range of subordinate uids\n"
-msgstr ""
+msgstr "  -V, --del-subuids ПЕРВ-ПОСЛ   удалить диапазон подчинённых uid\n"
 
 msgid "  -w, --add-subgids FIRST-LAST  add range of subordinate gids\n"
-msgstr ""
+msgstr "  -w, --add-subgids ПЕРВ-ПОСЛ   добавить диапазон подчинённых gid\n"
 
 msgid "  -W, --del-subgids FIRST-LAST  remove range of subordinate gids\n"
-msgstr ""
+msgstr "  -W, --del-subgids ПЕРВ-ПОСЛ   удалить диапазон подчинённых gid\n"
 
 msgid ""
 "  -Z, --selinux-user SEUSER     new SELinux user mapping for the user "
@@ -2483,15 +2483,15 @@ msgstr ""
 msgid "%s: user '%s' already exists in %s\n"
 msgstr "%s: пользователь «%s» уже существует в %s\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: invalid date '%s'\n"
 msgid "%s: invalid subordinate uid range '%s'\n"
-msgstr "%s: неверная дата «%s»\n"
+msgstr "%s: некорректный диапазон подчинённых uid «%s»\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: invalid date '%s'\n"
 msgid "%s: invalid subordinate gid range '%s'\n"
-msgstr "%s: неверная дата «%s»\n"
+msgstr "%s: некорректный диапазон подчинённых gid «%s»\n"
 
 #, c-format
 msgid "%s: no options\n"
@@ -2510,10 +2510,10 @@ msgstr ""
 msgid "%s: UID '%lu' already exists\n"
 msgstr "%s: UID «%lu» уже существует\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: %s is not authorized to change the password of %s\n"
 msgid "%s: %s does not exist, you cannot use the flags %s or %s\n"
-msgstr "%s: у %s нет прав изменять пароль %s\n"
+msgstr "%s: %s не существует, нельзя указывать флаги %s или %s\n"
 
 #, c-format
 msgid "%s: directory %s exists\n"
@@ -2562,25 +2562,25 @@ msgstr "не удалось сменить владельца почтового
 msgid "failed to rename mailbox"
 msgstr "не удалось переименовать почтовый ящик"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to remove uid range %lu-%lu from '%s'\n"
-msgstr "%s: не удалось подготовить новую %s запись «%s»\n"
+msgstr "%s: не удалось удалить диапазон uid %lu-%lu из «%s»\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to add uid range %lu-%lu from '%s'\n"
-msgstr "%s: не удалось подготовить новую %s запись «%s»\n"
+msgstr "%s: не удалось добавить диапазон uid %lu-%lu в «%s»\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to remove gid range %lu-%lu from '%s'\n"
-msgstr "%s: не удалось подготовить новую %s запись «%s»\n"
+msgstr "%s: не удалось удалить диапазон gid %lu-%lu из «%s»\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to add gid range %lu-%lu from '%s'\n"
-msgstr "%s: не удалось подготовить новую %s запись «%s»\n"
+msgstr "%s: не удалось добавить диапазон gid %lu-%lu в «%s»\n"
 
 #, c-format
 msgid ""
@@ -2638,19 +2638,19 @@ msgstr "Не удалось заблокировать файл"
 msgid "Couldn't make backup"
 msgstr "Не удалось создать резервную копию"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: PAM: %s\n"
 msgid "%s: %s: %s\n"
-msgstr "%s: PAM: %s\n"
+msgstr "%s: %s: %s\n"
 
-#, fuzzy, c-format
+#, c-format
 #| msgid "%s: nscd exited with status %d\n"
 msgid "%s: %s returned with status %d\n"
-msgstr "%s: nscd завершился с кодом выхода %d\n"
+msgstr "%s: %s завершился с кодом выхода %d\n"
 
 #, c-format
 msgid "%s: %s killed by signal %d\n"
-msgstr ""
+msgstr "%s: %s убит по сигналу %d\n"
 
 msgid "failed to open scratch file"
 msgstr "не удалось открыть черновой файл"

po/zh_TW.po

@@ -18,7 +18,6 @@ msgstr ""
 "Plural-Forms: nplurals=1; plural=0;\n"
 "X-Poedit-Language: Chinese\n"
 "X-Poedit-Country: TAIWAN\n"
-"Plural-Forms: nplurals=1; plural=0;\n"
 
 #, c-format
 msgid ""

src/Makefile.am

@@ -7,9 +7,10 @@ usbindir = ${prefix}/sbin
 suidperms = 4755
 sgidperms = 2755
 
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I${top_srcdir}/lib \
-	-I$(top_srcdir)/libmisc
+	-I$(top_srcdir)/libmisc \
+	-DLOCALEDIR=\"$(datadir)/locale\"
 
 # XXX why are login and su in /bin anyway (other than for
 # historical reasons)?
@@ -54,10 +55,10 @@ noinst_PROGRAMS = id sulogin
 suidbins       = su
 suidubins      = chage chfn chsh expiry gpasswd newgrp passwd
 if ACCT_TOOLS_SETUID
-	suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
+suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
 endif
 if ENABLE_SUBIDS
-	suidubins += newgidmap newuidmap
+suidubins += newgidmap newuidmap
 endif
 
 if WITH_TCB
@@ -69,7 +70,6 @@ LDADD          = $(INTLLIBS) \
 		 $(LIBTCB) \
 		 $(top_builddir)/libmisc/libmisc.a \
 		 $(top_builddir)/lib/libshadow.la
-AM_CPPFLAGS    = -DLOCALEDIR=\"$(datadir)/locale\"
 
 if ACCT_TOOLS_SETUID
 LIBPAM_SUID  = $(LIBPAM)
@@ -113,7 +113,7 @@ pwunconv_LDADD = $(LDADD) $(LIBSELINUX)
 su_SOURCES     = \
 	su.c \
 	suauth.c
-su_LDADD       = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+su_LDADD       = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
 sulogin_LDADD  = $(LDADD) $(LIBCRYPT)
 useradd_LDADD  = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR)
 userdel_LDADD  = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE)
@@ -125,14 +125,14 @@ install-am: all-am
 	ln -sf newgrp	$(DESTDIR)$(ubindir)/sg
 	ln -sf vipw	$(DESTDIR)$(usbindir)/vigr
 	for i in $(suidbins); do \
-		chmod -f $(suidperms) $(DESTDIR)$(bindir)/$$i; \
+		chmod $(suidperms) $(DESTDIR)$(bindir)/$$i; \
 	done
 	for i in $(suidubins); do \
-		chmod -f $(suidperms) $(DESTDIR)$(ubindir)/$$i; \
+		chmod $(suidperms) $(DESTDIR)$(ubindir)/$$i; \
 	done
 if WITH_TCB
 	for i in $(shadowsgidubins); do \
 		chown root:shadow $(DESTDIR)$(ubindir)/$$i; \
-		chmod -f $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
+		chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
 	done
 endif

src/chpasswd.c

@@ -552,7 +552,7 @@ int main (int argc, char **argv)
 		if (NULL != sp) {
 			newsp = *sp;
 			newsp.sp_pwdp = cp;
-			newsp.sp_lstchg = (long) time ((time_t *)NULL) / SCALE;
+			newsp.sp_lstchg = (long) gettime () / SCALE;
 			if (0 == newsp.sp_lstchg) {
 				/* Better disable aging than requiring a
 				 * password change */

src/newusers.c

@@ -496,7 +496,7 @@ static int add_passwd (struct passwd *pwd, const char *password)
 			}
 			spent.sp_pwdp = cp;
 		}
-		spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
+		spent.sp_lstchg = (long) gettime () / SCALE;
 		if (0 == spent.sp_lstchg) {
 			/* Better disable aging than requiring a password
 			 * change */
@@ -553,7 +553,7 @@ static int add_passwd (struct passwd *pwd, const char *password)
 	 */
 	spent.sp_pwdp = "!";
 #endif
-	spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
+	spent.sp_lstchg = (long) gettime () / SCALE;
 	if (0 == spent.sp_lstchg) {
 		/* Better disable aging than requiring a password change */
 		spent.sp_lstchg = -1;
@@ -988,8 +988,8 @@ int main (int argc, char **argv)
 	is_shadow_grp = sgr_file_present ();
 #endif
 #ifdef ENABLE_SUBIDS
-	is_sub_uid = sub_uid_file_present ();
-	is_sub_gid = sub_gid_file_present ();
+	is_sub_uid = sub_uid_file_present () && !rflg;
+	is_sub_gid = sub_gid_file_present () && !rflg;
 #endif				/* ENABLE_SUBIDS */
 
 	open_files ();

src/passwd.c

@@ -668,7 +668,7 @@ static void update_shadow (void)
 	}
 #ifndef USE_PAM
 	if (do_update_age) {
-		nsp->sp_lstchg = (long) time ((time_t *) 0) / SCALE;
+		nsp->sp_lstchg = (long) gettime () / SCALE;
 		if (0 == nsp->sp_lstchg) {
 			/* Better disable aging than requiring a password
 			 * change */

src/su.c

@@ -219,6 +219,22 @@ static /*@noreturn@*/void su_failure (const char *tty, bool su_to_root)
 	}
 	closelog ();
 #endif
+
+#ifdef WITH_AUDIT
+	audit_fd = audit_open ();
+	audit_log_acct_message (audit_fd,
+				AUDIT_USER_ROLE_CHANGE,
+				NULL,    /* Prog. name */
+				"su",
+				('\0' != caller_name[0]) ? caller_name : "???",
+				AUDIT_NO_ID,
+				"localhost",
+				NULL,    /* addr */
+				tty,
+				0);      /* result */
+	close (audit_fd);
+#endif				/* WITH_AUDIT */
+
 	exit (1);
 }
 
@@ -363,23 +379,38 @@ static void prepare_pam_close_session (void)
 				/* wake child when resumed */
 				kill (pid, SIGCONT);
 				stop = false;
+			} else if (   (pid_t)-1 != pid) {
+				pid_child = 0;
 			}
 		} while (!stop);
 	}
 
-	if (0 != caught) {
+	if (0 != caught && 0 != pid_child) {
 		(void) fputs ("\n", stderr);
 		(void) fputs (_("Session terminated, terminating shell..."),
 		              stderr);
 		(void) kill (-pid_child, caught);
 
-		snprintf (kill_msg, 256, _(" ...killed.\n"));
-		snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
+		snprintf (kill_msg, sizeof kill_msg, _(" ...killed.\n"));
+		snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n"));
 
 		(void) signal (SIGALRM, kill_child);
+		(void) signal (SIGCHLD, catch_signals);
 		(void) alarm (2);
 
-		(void) wait (&status);
+		sigemptyset (&ourset);
+		if ((sigaddset (&ourset, SIGALRM) != 0)
+		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
+			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
+			kill_child (0);
+		} else {
+			while (0 == waitpid (pid_child, &status, WNOHANG)) {
+				sigsuspend (&ourset);
+			}
+			pid_child = 0;
+			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
+		}
+
 		(void) fputs (_(" ...terminated.\n"), stderr);
 	}
 
@@ -1076,6 +1107,21 @@ int main (int argc, char **argv)
 	}
 #endif				/* !USE_PAM */
 
+#ifdef WITH_AUDIT
+	audit_fd = audit_open ();
+	audit_log_acct_message (audit_fd,
+				AUDIT_USER_ROLE_CHANGE,
+				NULL,    /* Prog. name */
+				"su",
+				('\0' != caller_name[0]) ? caller_name : "???",
+				AUDIT_NO_ID,
+				"localhost",
+				NULL,    /* addr */
+				caller_tty,
+				1);      /* result */
+	close (audit_fd);
+#endif				/* WITH_AUDIT */
+
 	set_environment (pw);
 
 	if (!doshell) {

src/useradd.c

@@ -51,7 +51,9 @@
 #include <string.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+#include <sys/wait.h>
 #include <time.h>
+#include <unistd.h>
 #include "chkname.h"
 #include "defines.h"
 #include "faillog.h"
@@ -213,6 +215,7 @@ static void open_files (void);
 static void open_shadow (void);
 static void faillog_reset (uid_t);
 static void lastlog_reset (uid_t);
+static void tallylog_reset (char *);
 static void usr_update (void);
 static void create_home (void);
 static void create_mail (void);
@@ -825,7 +828,7 @@ static void new_spent (struct spwd *spent)
 	memzero (spent, sizeof *spent);
 	spent->sp_namp = (char *) user_name;
 	spent->sp_pwdp = (char *) user_pass;
-	spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE;
+	spent->sp_lstchg = (long) gettime () / SCALE;
 	if (0 == spent->sp_lstchg) {
 		/* Better disable aging than requiring a password change */
 		spent->sp_lstchg = -1;
@@ -1789,6 +1792,52 @@ static void lastlog_reset (uid_t uid)
 	}
 }
 
+static void tallylog_reset (char *user_name)
+{
+	const char pam_tally2[] = "/sbin/pam_tally2";
+	const char *pname;
+	pid_t childpid;
+	int failed;
+	int status;
+
+	if (access(pam_tally2, X_OK) == -1)
+		return;
+
+	failed = 0;
+	switch (childpid = fork())
+	{
+	case -1: /* error */
+		failed = 1;
+		break;
+	case 0: /* child */
+		pname = strrchr(pam_tally2, '/');
+		if (pname == NULL)
+			pname = pam_tally2;
+		else
+			pname++;        /* Skip the '/' */
+		execl(pam_tally2, pname, "--user", user_name, "--reset", "--quiet", NULL);
+		/* If we come here, something has gone terribly wrong */
+		perror(pam_tally2);
+		exit(42);       /* don't continue, we now have 2 processes running! */
+		/* NOTREACHED */
+		break;
+	default: /* parent */
+		if (waitpid(childpid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
+			failed = 1;
+		break;
+	}
+
+	if (failed)
+	{
+		fprintf (stderr,
+		         _("%s: failed to reset the tallylog entry of user \"%s\"\n"),
+		         Prog, user_name);
+		SYSLOG ((LOG_WARN, "failed to reset the tallylog entry of user \"%s\"", user_name));
+	}
+
+	return;
+}
+
 /*
  * usr_update - create the user entries
  *
@@ -1896,6 +1945,9 @@ static void create_home (void)
 	if (access (user_home, F_OK) != 0) {
 #ifdef WITH_SELINUX
 		if (set_selinux_file_context (user_home) != 0) {
+			fprintf (stderr,
+			         _("%s: cannot set SELinux context for home directory %s\n"),
+			         Prog, user_home);
 			fail_exit (E_HOMEDIR);
 		}
 #endif
@@ -1925,6 +1977,9 @@ static void create_home (void)
 #ifdef WITH_SELINUX
 		/* Reset SELinux to create files with default contexts */
 		if (reset_selinux_file_context () != 0) {
+			fprintf (stderr,
+			         _("%s: cannot reset SELinux file creation context\n"),
+			         Prog);
 			fail_exit (E_HOMEDIR);
 		}
 #endif
@@ -1994,8 +2049,8 @@ int main (int argc, char **argv)
 #endif				/* ACCT_TOOLS_SETUID */
 
 #ifdef ENABLE_SUBIDS
-	uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
-	uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+	uid_t uid_min;
+	uid_t uid_max;
 #endif
 
 	/*
@@ -2027,17 +2082,19 @@ int main (int argc, char **argv)
 	is_shadow_grp = sgr_file_present ();
 #endif
 
+	get_defaults ();
+
 	process_flags (argc, argv);
 
 #ifdef ENABLE_SUBIDS
+	uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+	uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
 	is_sub_uid = sub_uid_file_present () && !rflg &&
 	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
 	is_sub_gid = sub_gid_file_present () && !rflg &&
 	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
 #endif				/* ENABLE_SUBIDS */
 
-	get_defaults ();
-
 #ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	{
@@ -2225,6 +2282,15 @@ int main (int argc, char **argv)
 
 	close_files ();
 
+	/*
+	 * tallylog_reset needs to be able to lookup
+	 * a valid existing user name,
+	 * so we canot call it before close_files()
+	 */
+	if (!lflg && getpwuid (user_id) != NULL) {
+		tallylog_reset (user_name);
+	}
+
 #ifdef WITH_SELINUX
 	if (Zflg) {
 		if (set_seuser (user_name, user_selinux) != 0) {

src/usermod.c

@@ -641,7 +641,7 @@ static void new_spent (struct spwd *spent)
 	spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
 
 	if (pflg) {
-		spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE;
+		spent->sp_lstchg = (long) gettime () / SCALE;
 		if (0 == spent->sp_lstchg) {
 			/* Better disable aging than requiring a password
 			 * change. */
@@ -1673,7 +1673,7 @@ static void usr_update (void)
 			spent.sp_pwdp   = xstrdup (pwent.pw_passwd);
 			pwent.pw_passwd = xstrdup (SHADOW_PASSWD_STRING);
 
-			spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
+			spent.sp_lstchg = (long) gettime () / SCALE;
 			if (0 == spent.sp_lstchg) {
 				/* Better disable aging than
 				 * requiring a password change */
@@ -1756,6 +1756,14 @@ static void move_home (void)
 			fail_exit (E_HOMEDIR);
 		}
 
+#ifdef WITH_AUDIT
+		if (uflg || gflg) {
+			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+				      "changing home directory owner",
+				      user_newname, (unsigned int) user_newid, 1);
+		}
+#endif
+
 		if (rename (user_home, user_newhome) == 0) {
 			/* FIXME: rename above may have broken symlinks
 			 *        pointing to the user's home directory
@@ -2148,7 +2156,7 @@ int main (int argc, char **argv)
 			unsigned long count = ptr->range.last - ptr->range.first + 1;
 			if (sub_uid_add(user_name, ptr->range.first, count) == 0) {
 				fprintf (stderr,
-					_("%s: failed to add uid range %lu-%lu from '%s'\n"),
+					_("%s: failed to add uid range %lu-%lu to '%s'\n"),
 					Prog, ptr->range.first, ptr->range.last, 
 					sub_uid_dbname ());
 				fail_exit (E_SUB_UID_UPDATE);
@@ -2174,7 +2182,7 @@ int main (int argc, char **argv)
 			unsigned long count = ptr->range.last - ptr->range.first + 1;
 			if (sub_gid_add(user_name, ptr->range.first, count) == 0) {
 				fprintf (stderr,
-					_("%s: failed to add gid range %lu-%lu from '%s'\n"),
+					_("%s: failed to add gid range %lu-%lu to '%s'\n"),
 					Prog, ptr->range.first, ptr->range.last, 
 					sub_gid_dbname ());
 				fail_exit (E_SUB_GID_UPDATE);
@@ -2252,6 +2260,13 @@ int main (int argc, char **argv)
 			 * ownership.
 			 *
 			 */
+#ifdef WITH_AUDIT
+			if (uflg || gflg) {
+				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+					      "changing home directory owner",
+					      user_newname, (unsigned int) user_newid, 1);
+			}
+#endif
 			if (chown_tree (dflg ? user_newhome : user_home,
 			                user_id,
 			                uflg ? user_newid  : (uid_t)-1,

tests/chroot/chage/01_chage--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/chsh/01_chsh--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/grpck/01_grpck--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/pwck/01_pwck--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/useradd/01_useradd--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/userdel/01_userdel--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/usermod/01_usermod--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user´s group if it contains no
+# If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #