ELA 1:4.4-4.1+deb9u2

.gitignore

@@ -18,7 +18,6 @@ Makefile.in
 /aclocal.m4
 /autom4te.cache
 /compile
-/config.cache
 /config.guess
 /config.h
 /config.h.in
@@ -46,5 +45,4 @@ Makefile.in
 /po/stamp-po
 
 /shadow.spec
-/shadow-*.tar.*
 /libmisc/getdate.c

.travis.yml

@@ -1,20 +0,0 @@
-sudo: false
-
-language: c
-
-compiler:
-  - gcc
-  - clang
-
-addons:
-  apt:
-    packages:
-      - autopoint
-      - xsltproc
-
-script:
- - ./autogen.sh --without-selinux --disable-man
- - grep ENABLE_ config.status
- - make
-
-# vim:et:ts=2:sw=2

ChangeLog

@@ -1,84 +1,3 @@
-2016-05-17  Serge Hallyn <serge@hallyn.com>
-
-	* Release 4.5
-
-2016-05-17  Serge Hallyn <serge@hallyn.com>
-
-	* Patch from Tobias Stoeckmann fixing regression in previous CVE fix
-	  preventing SIGTERM to su from being propagated to the job.
-	* Patch from Chris Lamb making sp_lstchg shadow field reproducible.
-	* Merge Russian translation updates from Yuri Kozlov
-	* Fix missing close of subuid file on error
-
-2016-02-23  Serge Hallyn <serge@hallyn.com>
-
-	* Merge patch by Tobias Stoeckmann <tobias@stoeckmann.org> to fix
-	  the equivalent of util-linux CVE-2017-2616.
-
-2016-02-08  Serge Hallyn <serge@hallyn.com>
-
-	* Update Kazakh translations
-	* Consult configuration before calculating subuids
-	* Remove misplaced semicolon
-
-2016-01-29  Serge Hallyn <serge@hallyn.com>
-
-	* Patch from Fedora to improve performance with SSSD, Winbind,
-	  or nss_ldap. (Tomas Mraz)
-	* Make sure knowndef_table is NULL-terminated.  (Bernhard Rosenkränzer)
-
-2016-12-21  Serge Hallyn <serge@hallyn.com>
-
-	* Drop leading underscore from _COMMONIO_H and _SHADOWIO_H
-	* Fix readability in usermod error messages.
-	* Reset user in tallylog
-	* Add audit support to su
-
-2016-12-02  Serge Hallyn <serge@hallyn.com>
-
-	* changes since 4.4
-	  - Use sizeof rather than hardcoding snprintf args
-	  - Fix useradd improper default loading
-	  - Update Vietnamese translations
-	  - Update Polish translations
-	  - Remove non-POSIX chmod option in Makefile
-	  - Fix suidubins assignments
-	  - Fix --add-subuids etc spelling in manpages
-	  - Audit homedir ownership change.
-	  - Print error on selinux file context update failure
-	  - Keep original file perms when creating a backup
-
-	* (henceforth we'll update Changelog with each commit
-	  and proper credit)
-
-2016-12-02  Serge Hallyn <serge@hallyn.com>
-
-	* Changes since 4.2.1:
-	  - Documentation, error report and translations updates
-	  - Replace path_max with 32
-	  - User namespace support fixes/updates including:
-	    - Correct sanity checks in newXidmap
-	    - Fix building without subuid support
-	    - Add /etc/subuid support for UID matching
-	    - Support subuid for nonlocal users
-	    - Default to 65536 subuid allocations
-	    - Respect -r
-	    - Check for range overflows
-	  - Add tests from svn tree
-	  - Use AC_CHECK_SIZEOF for uid_t size checks
-	  - Accomodate missing /etc and login.defs
-	  - Support FORCE_SHADOW
-	  - Be more robust in hostile environment
-	  - Allow removing a primary group
-	  - Clear passwords on __pw_dup errors
-	  - Memory leak fix in commonio_update and get_map_ranges
-	  - Fix resource leak in syslog_sg
-	  - Fix user busy error at userdel
-	  - Support set/clear lastlog record via lastlog command
-	  - Add --no-create-home as longopt for -M
-	  - Fix signal races
-	  - Reduce syslog priority of common usage events
-
 2013-08-25  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* src/vipw.c: After waitpid(), use errno only if waitpid returned

Makefile.am

@@ -2,5 +2,7 @@
 
 EXTRA_DIST = NEWS README TODO shadow.spec.in
 
+AUTOMAKE_OPTIONS = 1.5 dist-bzip2 foreign
+
 SUBDIRS = po man libmisc lib src \
 	contrib doc etc

README

@@ -117,6 +117,5 @@ Maintainers
 ===========
 
 Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
-Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
-Serge E. Hallyn <serge@hallyn.com> (2014-now)
+Nicolas François <nicolas.francois@centraliens.net> (2007-now)
 

configure.ac

@@ -1,9 +1,6 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_PREREQ([2.64])
-AC_INIT([shadow], [4.5], [pkg-shadow-devel@lists.alioth.debian.org], [],
-	[https://github.com/shadow-maint/shadow])
-AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
-AM_SILENT_RULES([yes])
+AC_INIT
+AM_INIT_AUTOMAKE(shadow, 4.4)
 AC_CONFIG_HEADERS([config.h])
 
 dnl Some hacks...

debian/README.source

@@ -1,4 +1,17 @@
-A testsuite is also available. Instruction on how to run this testsuite
-are available in tests/README
+This package uses quilt to patch the upstream source.
+
+You can find some info on how to generate the patched source, add a new
+modification, and remove an existing modification on:
+	/usr/share/doc/quilt/README.source
+
+================================================================================
+
+To package a new upstream release, you can use the Makefile:
+	svn://svn.debian.org/svn/pkg-shadow/debian/trunk/Makefile
+
+================================================================================
+
+A testsuite is also available. Instruction on how to run this testsuite
+are available on:
+	svn://svn.debian.org/svn/pkg-shadow/debian/trunk/tests/README
 
- -- Balint Reczey <rbalint@ubuntu.com>, Sat, 12 Aug 2017 18:46:44 -0400

debian/changelog

@@ -1,42 +1,30 @@
-shadow (1:4.5-1.1+deb10u1) buster-security; urgency=medium
+shadow (1:4.4-4.1+deb9u2) stretch-security; urgency=medium
 
   * Non-maintainer upload by the ELTS Team.
   * CVE-2018-7169: unprivileged user can drop supplementary groups
   * CVE-2023-4641: gpasswd password leak
   * CVE-2023-29383: chfn missing control character check
 
- -- Adrian Bunk <bunk@debian.org>  Sat, 26 Oct 2024 15:24:09 +0300
+ -- Adrian Bunk <bunk@debian.org>  Sat, 26 Oct 2024 18:55:08 +0300
 
-shadow (1:4.5-1.1) unstable; urgency=medium
+shadow (1:4.4-4.1+deb9u1) stretch-security; urgency=high
 
-  * Non-maintainer upload (greetings from DebCamp/DebConf Taiwan).
-  * Stop shipping su and break old util-linux version. (See #833256)
-    - Breaks on old version to force lockstep upgrade, which should
-      really be a depends-new-version (and can be switched around
-      together with util-linux once the transition is finished).
-      Using Breaks/Depends the 'wrong' way around is to make apt
-      unpack things in the 'right' order (avoiding any gaps where
-      /bin/su is not available during the upgrade phase).
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2017-20002: revert adding pts/0 and pts/1 to securetty.
+    Adding pts/* defeats the purpose of securetty. Let containers add it
+    if needed as described in #830255.
+    (cherry-picked from 1:4.5-1)
+    See also #877374 (previous proposed update) and #914957
+    (/etc/securetty will be dropped in bullseye).
+  * CVE-2017-12424: the newusers tool could be made to manipulate internal
+    data structures in ways unintended by the authors. Malformed input may
+    lead to crashes (with a buffer overflow or other memory corruption) or
+    other unspecified behaviors. This crosses a privilege boundary in, for
+    example, certain web-hosting environments in which a Control Panel
+    allows an unprivileged user account to create subaccounts.
+    (Closes: #756630)
 
- -- Andreas Henriksson <andreas@fatal.se>  Fri, 27 Jul 2018 10:07:37 +0200
-
-shadow (1:4.5-1) unstable; urgency=medium
-
-  * New upstream version 4.5
-    - Fix buffer overflow if NULL line is present in db (CVE-2017-12424)
-      (Closes: #756630)
-    - Make the sp_lstchg shadow field reproducible (Closes: #857803)
-    - Fix regression in useradd not loading defaults properly.
-      (Closes: #865762)
-  * Refresh patches
-  * Drop patches manipulating su argument concatenation:
-  * Cut redundant information from Debian-specific README files
-  * Revert adding pts/0 and pts/1 to securetty.
-    Adding pts/* defeats the purpose of securetty. Let containers add it if
-    needed as described in #830255.
-  * Use my @ubuntu.com email address in Maintainer field
-
- -- Balint Reczey <rbalint@ubuntu.com>  Wed, 27 Sep 2017 12:45:23 -0400
+ -- Sylvain Beucler <beuc@debian.org>  Wed, 17 Mar 2021 10:27:01 +0100
 
 shadow (1:4.4-4.1) unstable; urgency=high
 

debian/control

@@ -1,7 +1,7 @@
 Source: shadow
 Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
 Uploaders: Christian Perrier <bubulle@debian.org>,
-           Balint Reczey <rbalint@ubuntu.com>,
+           Balint Reczey <balint@balintreczey.hu>,
            Serge Hallyn <serge@hallyn.com>
 Section: admin
 Priority: required
@@ -48,8 +48,7 @@ Pre-Depends: ${shlibs:Depends},
              libpam-modules (>= 1.1.8-1)
 Breaks: coreutils (<< 8.21~) [hurd-any],
         passwd (<< 1:4.1.5.1-2~) [hurd-any],
-        hurd (<< 20140206~) [hurd-any],
-        util-linux (<< 2.32-0.2~)
+        hurd (<< 20140206~) [hurd-any]
 Conflicts: gnunet (<< 0.7.0c-2),
            amavisd-new (<< 2.3.3-8),
            python-4suite (<< 0.99cvs20060405-1),

debian/login.install

@@ -2,6 +2,7 @@ usr/share/locale/*/LC_MESSAGES/shadow.mo
 usr/share/man/*/man1/login.1
 usr/share/man/*/man1/newgrp.1
 usr/share/man/*/man1/sg.1
+usr/share/man/*/man1/su.1
 usr/share/man/*/man5/faillog.5
 usr/share/man/*/man5/login.defs.5
 usr/share/man/*/man8/faillog.8
@@ -10,6 +11,7 @@ usr/share/man/*/man8/nologin.8
 usr/share/man/man1/login.1
 usr/share/man/man1/newgrp.1
 usr/share/man/man1/sg.1
+usr/share/man/man1/su.1
 usr/share/man/man5/faillog.5
 usr/share/man/man5/login.defs.5
 usr/share/man/man8/faillog.8
@@ -20,3 +22,4 @@ usr/bin/faillog
 usr/bin/lastlog
 usr/bin/newgrp
 bin/login
+bin/su

debian/patches/0001-Typos-fix-in-german-translation-of-man-pages.patch

@@ -0,0 +1,44 @@
+From bdd68116b7c5f3cbb29ea4fe3bb81e338e9544f7 Mon Sep 17 00:00:00 2001
+From: Simon Kainz <simon@familiekainz.at>
+Date: Wed, 18 Jan 2017 17:24:04 +0100
+Subject: [PATCH 1/2] Typos fix in german translation of man pages
+
+Reported to Debian BTS in #734609
+---
+ man/po/de.po | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/man/po/de.po b/man/po/de.po
+index b4d7218..340e15d 100644
+--- a/man/po/de.po
++++ b/man/po/de.po
+@@ -3087,7 +3087,7 @@ msgstr "5"
+ #: limits.5.xml:61(refmiscinfo) gshadow.5.xml:48(refmiscinfo)
+ #: faillog.5.xml:59(refmiscinfo)
+ msgid "File Formats and Conversions"
+-msgstr "Dateiformate und -konvertierung"
++msgstr "Dateiformate und konvertierung"
+ 
+ #: suauth.5.xml:65(refpurpose)
+ msgid "detailed su control file"
+@@ -4370,7 +4370,7 @@ msgstr ""
+ 
+ #: shadow.5.xml:235(para)
+ msgid "An empty field means that the account will never expire."
+-msgstr "Ein leeren Feld bedeutet, dass das Konto nicht verfallen wird."
++msgstr "Ein leeres Feld bedeutet, dass das Konto nicht verfallen wird."
+ 
+ #: shadow.5.xml:238(para)
+ msgid ""
+@@ -6961,7 +6961,7 @@ msgid ""
+ "contents of this file should be a message indicating why logins are "
+ "inhibited."
+ msgstr ""
+-"Falls angegeben, der Name einer Datei, dessen Existenz Anmeldungen außer von "
++"Falls angegeben, der Name einer Datei, deren Existenz Anmeldungen außer von "
+ "Root verhindert. Der Inhalt der Datei sollte die Gründe enthalten, weshalb "
+ "Anmeldungen untersagt sind."
+ 
+-- 
+2.1.4
+

debian/patches/0001-newgidmap-enforce-setgroups-deny-if-self-mapping-a-g.patch

@@ -1,4 +1,4 @@
-From 11fc74ffc7172c587bbd2a6399defbd53eab97c6 Mon Sep 17 00:00:00 2001
+From f46921b828f06435f8ec1f4ce51f8f622c97f326 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Thu, 15 Feb 2018 23:49:40 +1100
 Subject: newgidmap: enforce setgroups=deny if self-mapping a group

debian/patches/0002-Last-bits-of-enabling-subuids.patch

@@ -0,0 +1,29 @@
+From 578d495f91af8dc5dd774d4310ca06f7013712e7 Mon Sep 17 00:00:00 2001
+From: Micah Anderson <micah@riseup.net>
+Date: Wed, 18 Jan 2017 18:06:05 +0100
+Subject: [PATCH 2/2] Last bits of enabling subuids
+
+This patch has been carried by Debian, originally
+submitted to BTS in #739981
+---
+ src/newusers.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/newusers.c b/src/newusers.c
+index 724cbb4..0c0cfe4 100644
+--- a/src/newusers.c
++++ b/src/newusers.c
+@@ -988,8 +988,8 @@ int main (int argc, char **argv)
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
+ #ifdef ENABLE_SUBIDS
+-	is_sub_uid = sub_uid_file_present ();
+-	is_sub_gid = sub_gid_file_present ();
++	is_sub_uid = sub_uid_file_present () && !rflg;
++	is_sub_gid = sub_gid_file_present () && !rflg;
+ #endif				/* ENABLE_SUBIDS */
+ 
+ 	open_files ();
+-- 
+2.1.4
+

debian/patches/0002-gpasswd-1-Fix-password-leak.patch

@@ -1,4 +1,4 @@
-From cbfa2ff40ce629f55ddd67e3490c311dfcaa4462 Mon Sep 17 00:00:00 2001
+From c64784990ca4de6e998f67796faa7bafc15dab00 Mon Sep 17 00:00:00 2001
 From: Alejandro Colomar <alx@kernel.org>
 Date: Sat, 10 Jun 2023 16:20:05 +0200
 Subject: gpasswd(1): Fix password leak

debian/patches/0003-Added-control-character-check.patch

@@ -1,4 +1,4 @@
-From b42c60bc8f026b250810a75bafe865338d734ec3 Mon Sep 17 00:00:00 2001
+From d6f0f7cd86b189cf3bbd49e404864cb599e10244 Mon Sep 17 00:00:00 2001
 From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
 Date: Thu, 23 Mar 2023 23:39:38 +0000
 Subject: Added control character check

debian/patches/0004-Overhaul-valid_field.patch

@@ -1,4 +1,4 @@
-From 261c9cd274f07361c304d3993e325fe29d4bad14 Mon Sep 17 00:00:00 2001
+From aad293ef78b1657978adb2049974805bf20af5bb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
 Date: Fri, 31 Mar 2023 14:46:50 +0200
 Subject: Overhaul valid_field()

debian/patches/0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch

@@ -0,0 +1,98 @@
+From 8a122a90fa2afe39f2b1e56c5d45ea20f486bf0b Mon Sep 17 00:00:00 2001
+From: Lars Bahner <bahner@debian.org>
+Date: Thu, 19 Jan 2017 17:50:24 +0100
+Subject: [PATCH 7/7] Fix some spelling issues in the Norwegian translation
+
+---
+ po/nb.po | 13 +++++++------
+ po/nl.po |  8 ++++----
+ 2 files changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/po/nb.po b/po/nb.po
+index d42a864..7ad1ecb 100644
+--- a/po/nb.po
++++ b/po/nb.po
+@@ -7,12 +7,13 @@
+ # Bjørn Steensrud <bjornst@powertech.no>, 2006.
+ # Bjørn Steensrud <bjornst@skogkatt.homelinux.org>, 2009, 2012.
+ # Hans Fredrik Nordhaug <hans@nordhaug.priv.no>, 2012.
++# Lars Bahner <bahner@debian.org>, 2015
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: shadow 4.0.17\n"
+ "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n"
+ "POT-Creation-Date: 2016-09-18 14:03-0500\n"
+-"PO-Revision-Date: 2012-01-18 17:19+0100\n"
++"PO-Revision-Date: 2015-09-30 18:15+0100\n"
+ "Last-Translator: Bjørn Steensrud <bjornst@skogkatt.homelinux.org>\n"
+ "Language-Team: Norwegian Bokmål <i18n-nb@lister.ping.uio.no>\n"
+ "Language: nb\n"
+@@ -20,7 +21,7 @@ msgstr ""
+ "Content-Type: text/plain; charset=UTF-8\n"
+ "Content-Transfer-Encoding: 8bit\n"
+ "Plural-Forms: nplurals=2; plural=(n != 1);\n"
+-"X-Generator: Lokalize 1.2\n"
++"X-Generator: Poedit 1.7.5\n"
+ 
+ #, c-format
+ msgid ""
+@@ -48,10 +49,9 @@ msgstr "feil med oppsettet - ukjent element «%s» (kontakt administrator)\n"
+ msgid "%s: nscd did not terminate normally (signal %d)\n"
+ msgstr "%s: nscd avsluttet ikke normallt (signal %d)\n"
+ 
+-#, fuzzy, c-format
+-#| msgid "%s: nscd exited with status %d"
++#, c-format
+ msgid "%s: nscd exited with status %d\n"
+-msgstr "%s: nscd avsluttet med status %d"
++msgstr "%s: nscd avsluttet med status %d\n"
+ 
+ msgid "Password: "
+ msgstr "Passord: "
+@@ -415,8 +415,9 @@ msgstr "passwd: %s\n"
+ msgid "passwd: password unchanged\n"
+ msgstr "passwd: passordet er uendret\n"
+ 
++#, fuzzy
+ msgid "passwd: password updated successfully\n"
+-msgstr "passwd: passorder ble oppdatert\n"
++msgstr "passwd: passordet ble oppdatert\n"
+ 
+ #, c-format
+ msgid "Incorrect password for %s.\n"
+diff --git a/po/nl.po b/po/nl.po
+index 923c1d1..6cbabdd 100644
+--- a/po/nl.po
++++ b/po/nl.po
+@@ -745,7 +745,7 @@ msgstr "%s: ongeldige naam: '%s'\n"
+ 
+ #, c-format
+ msgid "%s: room number with non-ASCII characters: '%s'\n"
+-msgstr "%s: kamernummer bevat niet-ASCII tekens: '%s'"
++msgstr "%s: kamernummer bevat niet-ASCII tekens: '%s'\n"
+ 
+ #, c-format
+ msgid "%s: invalid room number: '%s'\n"
+@@ -1571,7 +1571,7 @@ msgstr "Ongeldig wachtwoord.\n"
+ 
+ #, c-format
+ msgid "%s: failure forking: %s\n"
+-msgstr "%s: nieuw proces beginnen is mislukt: %s"
++msgstr "%s: nieuw proces beginnen is mislukt: %s\n"
+ 
+ #, c-format
+ msgid "%s: GID '%lu' does not exist\n"
+@@ -2633,8 +2633,8 @@ msgstr "Kon bestand niet vergrendelen"
+ msgid "Couldn't make backup"
+ msgstr "Kon geen reservekopie maken"
+ 
+-#| msgid "Unable to open group file\n"
+-msgid "failed to open scratch file"
++#| msgid "Unable to open group file"
++msgid "failed to open scratch file\n"
+ msgstr "initieel bestand openen is mislukt\n"
+ 
+ #| msgid "%s: fields too long\n"
+-- 
+2.1.4
+

debian/patches/0008-su-properly-clear-child-PID.patch

@@ -0,0 +1,60 @@
+From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,11 +363,13 @@
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
++			} else {
++				pid_child = 0;
+ 			}
+ 		} while (!stop);
+ 	}
+ 
+-	if (0 != caught) {
++	if (0 != caught && 0 != pid_child) {
+ 		(void) fputs ("\n", stderr);
+ 		(void) fputs (_("Session terminated, terminating shell..."),
+ 		              stderr);
+@@ -377,9 +379,22 @@
+ 		snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
+ 
+ 		(void) signal (SIGALRM, kill_child);
++		(void) signal (SIGCHLD, catch_signals);
+ 		(void) alarm (2);
+ 
+-		(void) wait (&status);
++		sigemptyset (&ourset);
++		if ((sigaddset (&ourset, SIGALRM) != 0)
++		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++			kill_child (0);
++		} else {
++			while (0 == waitpid (pid_child, &status, WNOHANG)) {
++				sigsuspend (&ourset);
++			}
++			pid_child = 0;
++			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++		}
++
+ 		(void) fputs (_(" ...terminated.\n"), stderr);
+ 	}
+ 

debian/patches/301-Reset-pid_child-only-if-waitpid-was-successful.patch

@@ -0,0 +1,29 @@
+From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 14 May 2017 17:58:10 +0200
+Subject: [PATCH] Reset pid_child only if waitpid was successful.
+
+Do not reset the pid_child to 0 if the child process is still
+running. This else-condition can be reached with pid being -1,
+therefore explicitly test this condition.
+
+This is a regression fix for CVE-2017-2616. If su receives a
+signal like SIGTERM, it is not propagated to the child.
+
+Reported-by: Radu Duta <raduduta@gmail.com>
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+---
+ src/su.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,7 +363,7 @@ static void prepare_pam_close_session (v
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
+-			} else {
++			} else if (   (pid_t)-1 != pid) {
+ 				pid_child = 0;
+ 			}
+ 		} while (!stop);

debian/patches/401_cppw_src.dpatch

@@ -5,8 +5,10 @@
 ## DP: Add cppw / cpgr
 
 @DPATCH@
+Index: shadow-4.4/src/cppw.c
+===================================================================
 --- /dev/null
-+++ b/src/cppw.c
++++ shadow-4.4/src/cppw.c
 @@ -0,0 +1,238 @@
 +/*
 +  cppw, cpgr  copy with locking given file over the password or group file
@@ -246,9 +248,11 @@
 +	return 0;
 +}
 +
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -30,6 +30,7 @@
+Index: shadow-4.4/src/Makefile.am
+===================================================================
+--- shadow-4.4.orig/src/Makefile.am
++++ shadow-4.4/src/Makefile.am
+@@ -29,6 +29,7 @@ if ENABLE_SUBIDS
  ubin_PROGRAMS += newgidmap newuidmap
  endif
  usbin_PROGRAMS = \
@@ -256,7 +260,7 @@
  	chgpasswd \
  	chpasswd \
  	groupadd \
-@@ -90,6 +91,7 @@
+@@ -90,6 +91,7 @@ chfn_LDADD     = $(LDADD) $(LIBPAM) $(LI
  chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
  chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
  chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
@@ -264,9 +268,11 @@
  gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
  groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
  groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
---- a/po/POTFILES.in
-+++ b/po/POTFILES.in
-@@ -85,6 +85,7 @@
+Index: shadow-4.4/po/POTFILES.in
+===================================================================
+--- shadow-4.4.orig/po/POTFILES.in
++++ shadow-4.4/po/POTFILES.in
+@@ -85,6 +85,7 @@ src/chfn.c
  src/chgpasswd.c
  src/chpasswd.c
  src/chsh.c

debian/patches/501_commonio_group_shadow

@@ -2,8 +2,10 @@ Goal: save the [g]shadow files with the 'shadow' group and mode 0440
 
 Fixes: #166793
 
---- a/lib/commonio.c
-+++ b/lib/commonio.c
+Index: shadow-4.4/lib/commonio.c
+===================================================================
+--- shadow-4.4.orig/lib/commonio.c
++++ shadow-4.4/lib/commonio.c
 @@ -44,6 +44,7 @@
  #include <errno.h>
  #include <stdio.h>
@@ -12,7 +14,7 @@ Fixes: #166793
  #include "nscd.h"
  #ifdef WITH_TCB
  #include <tcb.h>
-@@ -963,12 +964,23 @@
+@@ -966,12 +967,23 @@ int commonio_close (struct commonio_db *
  			goto fail;
  		}
  	} else {
@@ -36,9 +38,11 @@ Fixes: #166793
  	}
  
  	snprintf (buf, sizeof buf, "%s+", db->filename);
---- a/lib/sgroupio.c
-+++ b/lib/sgroupio.c
-@@ -229,7 +229,7 @@
+Index: shadow-4.4/lib/sgroupio.c
+===================================================================
+--- shadow-4.4.orig/lib/sgroupio.c
++++ shadow-4.4/lib/sgroupio.c
+@@ -228,7 +228,7 @@ static struct commonio_db gshadow_db = {
  #ifdef WITH_SELINUX
  	NULL,			/* scontext */
  #endif
@@ -47,9 +51,11 @@ Fixes: #166793
  	0,                      /* st_uid */
  	0,                      /* st_gid */
  	NULL,			/* head */
---- a/lib/shadowio.c
-+++ b/lib/shadowio.c
-@@ -105,7 +105,7 @@
+Index: shadow-4.4/lib/shadowio.c
+===================================================================
+--- shadow-4.4.orig/lib/shadowio.c
++++ shadow-4.4/lib/shadowio.c
+@@ -104,7 +104,7 @@ static struct commonio_db shadow_db = {
  #ifdef WITH_SELINUX
  	NULL,			/* scontext */
  #endif				/* WITH_SELINUX */

debian/patches/508_nologin_in_usr_sbin

@@ -1,6 +1,8 @@
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -24,7 +24,6 @@
+Index: git/src/Makefile.am
+===================================================================
+--- git.orig/src/Makefile.am
++++ git/src/Makefile.am
+@@ -23,7 +23,6 @@
  # $prefix/bin and $prefix/sbin, no install-data hacks...)
  
  bin_PROGRAMS   = groups login su
@@ -8,7 +10,7 @@
  ubin_PROGRAMS  = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
  if ENABLE_SUBIDS
  ubin_PROGRAMS += newgidmap newuidmap
-@@ -42,6 +41,7 @@
+@@ -41,6 +40,7 @@
  	grpunconv \
  	logoutd \
  	newusers \

debian/patches/523_su_arguments_are_concatenated

@@ -0,0 +1,50 @@
+Goal: Concatenate the non-su arguments and provide them to the shell with
+      the -c option
+Fixes: #317264
+       see also #276419
+
+Status wrt upstream: This is a Debian specific patch.
+
+Note: the fix of the man page is still missing.
+      (to be taken from the trunk)
+
+Index: shadow-4.4/src/su.c
+===================================================================
+--- shadow-4.4.orig/src/su.c
++++ shadow-4.4/src/su.c
+@@ -1155,6 +1155,35 @@ int main (int argc, char **argv)
+ 			argv[0] = "-c";
+ 			argv[1] = command;
+ 		}
++		/* On Debian, the arguments are concatenated and the
++		 * resulting string is always given to the shell with its
++		 * -c option.
++		 */
++		{
++			char **parg;
++			unsigned int cmd_len = 0;
++			char *cmd = NULL;
++			if (strcmp(argv[0], "-c") != 0) {
++				argv--;
++				argv[0] = "-c";
++			}
++			/* Now argv[0] is always -c, and other arguments
++			 * can be concatenated
++			 */
++			cmd_len = 1; /* finale '\0' */
++			for (parg = &argv[1]; *parg; parg++) {
++				cmd_len += strlen (*parg) + 1;
++			}
++			cmd = (char *) xmalloc (sizeof (char) * cmd_len);
++			cmd[0] = '\0';
++			for (parg = &argv[1]; *parg; parg++) {
++				strcat (cmd, " ");
++				strcat (cmd, *parg);
++			}
++			cmd[cmd_len - 1] = '\0';
++			argv[1] = &cmd[1]; /* do not take first space */
++			argv[2] = NULL;
++		}
+ 		/*
+ 		 * Use the shell and create an argv
+ 		 * with the rest of the command line included.

debian/patches/523_su_arguments_are_no_more_concatenated_by_default

@@ -0,0 +1,52 @@
+Goal: Do not concatenate the additional arguments, and support an
+      environment variable to revert to the old Debian's su behavior.
+
+This patch needs the su_arguments_are_concatenated patch.
+
+This patch, and su_arguments_are_concatenated should be dropped after
+Etch.
+
+Status wrt upstream: This patch is Debian specific.
+
+Index: shadow-4.4/src/su.c
+===================================================================
+--- shadow-4.4.orig/src/su.c
++++ shadow-4.4/src/su.c
+@@ -104,6 +104,19 @@ static char caller_name[BUFSIZ];
+ /* If nonzero, change some environment vars to indicate the user su'd to. */
+ static bool change_environment = true;
+ 
++/*
++ * If nonzero, keep the old Debian behavior:
++ *   * concatenate all the arguments and provide them to the -c option of
++ *     the shell
++ *   * If there are some additional arguments, but no -c, add a -c
++ *     argument anyway
++ * Drawbacks:
++ *   * you can't provide options to the shell (other than -c)
++ *   * you can't rely on the argument count
++ * See http://bugs.debian.org/276419
++ */
++static int old_debian_behavior;
++
+ #ifdef USE_PAM
+ static char kill_msg[256];
+ static char wait_msg[256];
+@@ -952,6 +965,8 @@ int main (int argc, char **argv)
+ 	int ret;
+ #endif				/* USE_PAM */
+ 
++	old_debian_behavior = (getenv("SU_NO_SHELL_ARGS") != NULL);
++
+ 	(void) setlocale (LC_ALL, "");
+ 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
+ 	(void) textdomain (PACKAGE);
+@@ -1159,7 +1174,7 @@ int main (int argc, char **argv)
+ 		 * resulting string is always given to the shell with its
+ 		 * -c option.
+ 		 */
+-		{
++		if (old_debian_behavior) {
+ 			char **parg;
+ 			unsigned int cmd_len = 0;
+ 			char *cmd = NULL;

debian/patches/542_useradd-O_option

@@ -5,8 +5,10 @@ Note: useradd.8 needs to be regenerated.
 Status wrt upstream: not included as this is just specific 
                      backward compatibility for Debian
 
---- a/man/useradd.8.xml
-+++ b/man/useradd.8.xml
+Index: shadow-4.4/man/useradd.8.xml
+===================================================================
+--- shadow-4.4.orig/man/useradd.8.xml
++++ shadow-4.4/man/useradd.8.xml
 @@ -329,6 +329,11 @@
  	    databases are reset to avoid reusing the entry from a previously
  	    deleted user.
@@ -19,9 +21,11 @@ Status wrt upstream: not included as this is just specific
  	</listitem>
        </varlistentry>
        <varlistentry>
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -1059,9 +1059,9 @@
+Index: shadow-4.4/src/useradd.c
+===================================================================
+--- shadow-4.4.orig/src/useradd.c
++++ shadow-4.4/src/useradd.c
+@@ -1056,9 +1056,9 @@ static void process_flags (int argc, cha
  		};
  		while ((c = getopt_long (argc, argv,
  #ifdef WITH_SELINUX
@@ -33,7 +37,7 @@ Status wrt upstream: not included as this is just specific
  #endif				/* !WITH_SELINUX */
  		                         long_options, NULL)) != -1) {
  			switch (c) {
-@@ -1184,6 +1184,7 @@
+@@ -1181,6 +1181,7 @@ static void process_flags (int argc, cha
  				kflg = true;
  				break;
  			case 'K':

debian/patches/CVE-2017-12424.patch

@@ -0,0 +1,43 @@
+Origin: https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2021-03-16
+
+From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Fri, 31 Mar 2017 16:25:06 +0200
+Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
+
+If ptr->line == NULL for an entry, the first cycle will exit,
+but the second one will happily write past entries buffer.
+We actually do not want to exit the first cycle prematurely
+on ptr->line == NULL.
+Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
+---
+ lib/commonio.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+Index: shadow-4.4/lib/commonio.c
+===================================================================
+--- shadow-4.4.orig/lib/commonio.c
++++ shadow-4.4/lib/commonio.c
+@@ -755,16 +755,16 @@ commonio_sort (struct commonio_db *db, i
+ 	for (ptr = db->head;
+ 	        (NULL != ptr)
+ #if KEEP_NIS_AT_END
+-	     && (NULL != ptr->line)
+-	     && (   ('+' != ptr->line[0])
+-	         && ('-' != ptr->line[0]))
++	     && ((NULL == ptr->line)
++	         || (('+' != ptr->line[0])
++	             && ('-' != ptr->line[0])))
+ #endif
+ 	     ;
+ 	     ptr = ptr->next) {
+ 		n++;
+ 	}
+ #if KEEP_NIS_AT_END
+-	if ((NULL != ptr) && (NULL != ptr->line)) {
++	if (NULL != ptr) {
+ 		nis = ptr;
+ 	}
+ #endif

debian/patches/README.patches

@@ -8,6 +8,17 @@ Small intro to the system for numbering the patches here...
 
  NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES
 
+-The 1xx series are l10n patches to upstream 4.0.18.1. As upstream has
+ adopted Debian translations, it is very likely that these patches
+ will become useless when we will have synced with upstream
+
+-The 2xx series are patches for manual pages translations to upstream
+ 4.0.18.1.
+
+-The 3xx series are patches which have been temporarily applied to 
+ Debian's shadow while we *know* they have been applied upstream as well
+ These patches should NOT be kept when we will sync with upstream
+
 -The 4xx series are patches which have been applied to Debian's shadow
  and have NOT been accepted and/or applied upstream. These patches MUST be kept
  even after resynced with upstream
@@ -20,3 +31,43 @@ In short, while we are working towards synchronisation with upstream,
 our goal is to make 0xx patches disappear by moving them either to 3xx
 series (things already implemented upstream) or to 4xx series
 (Debian-specific patches).
+
+
+Short HOWTO for quilt
+=====================
+
+The quilt system can be assimilated to a Pile Of Patches management system.
+Patches live in debian/patches, the working directory is "."
+
+The basic commands are (abbreviation accepted):
+quilt push (asks to apply the next patch in the pile)
+quilt pop  (removes the current patch and go up in the pile)
+quilt refresh (take the current changes in tree onto the patch)
+
+When a file is changed by a patch, quilt saves it somewhere under .pc on
+application. This is how it can refresh it afterward (comparing the version
+in .pc and the one you currently have in your working dir).
+
+There are three common pitfalls with quilt:
+ - doing "quilt pop" without doing "quilt refresh". The version of current
+     dir is replaced with the version of the .pc dir. Your changes are lost.
+   Quilt wont let you do so, but you can force it with '-f' if you're fool.
+ - editing a file with is not in the patch yet. Quilt didn't do any previous
+     backup.
+   Use "quilt add" to add files to patches.
+   Set $EDITOR and use "quilt edit" to edit a file, and add it onto the
+     patch if needed.
+ - If you update your working directory, patches may not revert cleanly.
+   It is thus recommended to use "quilt pop -a" before updating with
+   "svn up".
+   If you forget (and run into trouble), you may want to remove the whole
+   shadow-?.?.? directory. If you use the makefile which is in the upper
+   directory (trunk/), shadow-?.?.?/debian/patches is a link to
+   debian/patches, so this dirctory does not contain any valuable info.
+
+The documentation is quite well done, I think. "quilt -h" will list you the
+commands. "quilt <cmd> -h" will give you some hints about it. "man quilt" is
+a reference documentation. /usr/share/doc/quilt/quilt.pdf.gz is a complete
+manual, with tutorial.
+
+

debian/patches/series

@@ -1,3 +1,13 @@
+0001-Typos-fix-in-german-translation-of-man-pages.patch
+0002-Last-bits-of-enabling-subuids.patch
+0003-Dutch-translation-update.patch
+0004-Updated-Czech-translation.patch
+0005-Update-for-German-man-pages.patch
+0006-French-manpage-translation.patch
+0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch
+0008-su-properly-clear-child-PID.patch
+301-Reset-pid_child-only-if-waitpid-was-successful.patch
+
 # These patches are only for the testsuite:
 #900_testsuite_groupmems
 #901_testsuite_gcov
@@ -11,9 +21,15 @@
 506_relaxed_usernames
 542_useradd-O_option
 463_login_delay_obeys_to_PAM
+523_su_arguments_are_concatenated
+523_su_arguments_are_no_more_concatenated_by_default
 508_nologin_in_usr_sbin
 505_useradd_recommend_adduser
 501_commonio_group_shadow
+# does not apply cleanly, please merge at upstream
+1010_vietnamese_translation
+
+CVE-2017-12424.patch
 0001-newgidmap-enforce-setgroups-deny-if-self-mapping-a-g.patch
 0002-gpasswd-1-Fix-password-leak.patch
 0003-Added-control-character-check.patch

debian/rules

@@ -50,6 +50,7 @@ ifneq ($(DEB_HOST_ARCH_OS),linux)
 	sed -i 's/session    optional   pam_keyinit.so/# Linux only # session    optional   pam_keyinit.so/' debian/login.pam
 endif
 	dh_installpam -p login
+	dh_installpam -p login --name=su
 	install -c -m 444 debian/login.defs debian/login/etc/login.defs
 	install -c -m 444 debian/securetty.$(DEB_HOST_ARCH_OS) debian/login/etc/securetty
 	dh_lintian -p login
@@ -80,6 +81,7 @@ binary-predeb/uidmap::
 binary-predeb/login::
 	# No real need for login to be setuid root
 	# chmod u+s debian/login/bin/login
+	chmod u+s debian/login/bin/su
 	chmod u+s debian/login/usr/bin/newgrp
 
 binary-predeb/passwd::

lib/commonio.c

@@ -301,12 +301,15 @@ static int create_backup (const char *backup, FILE * fp)
 	struct utimbuf ub;
 	FILE *bkfp;
 	int c;
+	mode_t mask;
 
 	if (fstat (fileno (fp), &sb) != 0) {
 		return -1;
 	}
 
-	bkfp = fopen_set_perms (backup, "w", &sb);
+	mask = umask (077);
+	bkfp = fopen (backup, "w");
+	(void) umask (mask);
 	if (NULL == bkfp) {
 		return -1;
 	}
@@ -751,16 +754,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))
 	for (ptr = db->head;
 	        (NULL != ptr)
 #if KEEP_NIS_AT_END
-	     && ((NULL == ptr->line)
-	         || (('+' != ptr->line[0])
-	             && ('-' != ptr->line[0])))
+	     && (NULL != ptr->line)
+	     && (   ('+' != ptr->line[0])
+	         && ('-' != ptr->line[0]))
 #endif
 	     ;
 	     ptr = ptr->next) {
 		n++;
 	}
 #if KEEP_NIS_AT_END
-	if (NULL != ptr) {
+	if ((NULL != ptr) && (NULL != ptr->line)) {
 		nis = ptr;
 	}
 #endif

lib/commonio.h

@@ -31,8 +31,8 @@
  */
 
 /* $Id$ */
-#ifndef COMMONIO_H
-#define COMMONIO_H
+#ifndef _COMMONIO_H
+#define _COMMONIO_H
 
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>

lib/getdef.c

@@ -148,7 +148,6 @@ static struct itemdef knowndef_table[] = {
 #ifdef USE_PAM
 	PAMDEFS
 #endif
-	{NULL, NULL}
 };
 
 #ifndef LOGINDEFS

lib/groupio.c

@@ -338,7 +338,8 @@ static /*@null@*/struct commonio_entry *merge_group_entries (
 		errno = ENOMEM;
 		return NULL;
 	}
-	snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line);
+	snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line);
+	new_line[new_line_len] = '\0';
 
 	/* Concatenate the 2 list of members */
 	for (i=0; NULL != gptr1->gr_mem[i]; i++);

lib/prototypes.h

@@ -179,9 +179,6 @@ extern int getrange (char *range,
                      unsigned long *min, bool *has_min,
                      unsigned long *max, bool *has_max);
 
-/* gettime.c */
-extern time_t gettime ();
-
 /* get_uid.c */
 extern int get_uid (const char *uidstr, uid_t *uid);
 

lib/sgroupio.c

@@ -40,7 +40,6 @@
 #include "prototypes.h"
 #include "defines.h"
 #include "commonio.h"
-#include "getdef.h"
 #include "sgroupio.h"
 
 /*@null@*/ /*@only@*/struct sgrp *__sgr_dup (const struct sgrp *sgent)

lib/shadowio.c

@@ -40,7 +40,6 @@
 #include <shadow.h>
 #include <stdio.h>
 #include "commonio.h"
-#include "getdef.h"
 #include "shadowio.h"
 #ifdef WITH_TCB
 #include <tcb.h>

lib/shadowio.h

@@ -31,8 +31,8 @@
  */
 
 /* $Id$ */
-#ifndef SHADOWIO_H
-#define SHADOWIO_H
+#ifndef _SHADOWIO_H
+#define _SHADOWIO_H
 
 #include "defines.h"
 

libmisc/Makefile.am

@@ -1,7 +1,7 @@
 
 EXTRA_DIST = .indent.pro xgetXXbyYY.c
 
-AM_CPPFLAGS = -I$(top_srcdir)/lib
+INCLUDES = -I$(top_srcdir)/lib
 
 noinst_LIBRARIES = libmisc.a
 
@@ -31,7 +31,6 @@ libmisc_a_SOURCES = \
 	getdate.y \
 	getgr_nam_gid.c \
 	getrange.c \
-	gettime.c \
 	hushed.c \
 	idmapping.h \
 	idmapping.c \

libmisc/find_new_gid.c

@@ -1,7 +1,6 @@
 /*
  * Copyright (c) 1991 - 1994, Julianne Frances Haugh
  * Copyright (c) 2008 - 2011, Nicolas François
- * Copyright (c) 2014, Red Hat, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -39,117 +38,6 @@
 #include "groupio.h"
 #include "getdef.h"
 
-/*
- * get_ranges - Get the minimum and maximum ID ranges for the search
- *
- * This function will return the minimum and maximum ranges for IDs
- *
- * 0: The function completed successfully
- * EINVAL: The provided ranges are impossible (such as maximum < minimum)
- *
- * preferred_min: The special-case minimum value for a specifically-
- * requested ID, which may be lower than the standard min_id
- */
-static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
-		       gid_t *preferred_min)
-{
-	gid_t gid_def_max = 0;
-
-	if (sys_group) {
-		/* System groups */
-
-		/* A requested ID is allowed to be below the autoselect range */
-		*preferred_min = (gid_t) 1;
-
-		/* Get the minimum ID range from login.defs or default to 101 */
-		*min_id = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
-
-		/*
-		 * If SYS_GID_MAX is unspecified, we should assume it to be one
-		 * less than the GID_MIN (which is reserved for non-system accounts)
-		 */
-		gid_def_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
-		*max_id = (gid_t) getdef_ulong ("SYS_GID_MAX",
-				(unsigned long) gid_def_max);
-
-		/* Check that the ranges make sense */
-		if (*max_id < *min_id) {
-			(void) fprintf (stderr,
-                            _("%s: Invalid configuration: SYS_GID_MIN (%lu), "
-                              "GID_MIN (%lu), SYS_GID_MAX (%lu)\n"),
-                            Prog, (unsigned long) *min_id,
-                            getdef_ulong ("GID_MIN", 1000UL),
-                            (unsigned long) *max_id);
-			return EINVAL;
-		}
-	} else {
-		/* Non-system groups */
-
-		/* Get the values from login.defs or use reasonable defaults */
-		*min_id = (gid_t) getdef_ulong ("GID_MIN", 1000UL);
-		*max_id = (gid_t) getdef_ulong ("GID_MAX", 60000UL);
-
-		/*
-		 * The preferred minimum should match the standard ID minimum
-		 * for non-system groups.
-		 */
-		*preferred_min = *min_id;
-
-		/* Check that the ranges make sense */
-		if (*max_id < *min_id) {
-			(void) fprintf (stderr,
-					_("%s: Invalid configuration: GID_MIN (%lu), "
-					  "GID_MAX (%lu)\n"),
-					Prog, (unsigned long) *min_id,
-					(unsigned long) *max_id);
-			return EINVAL;
-		}
-	}
-
-	return 0;
-}
-
-/*
- * check_gid - See if the requested GID is available
- *
- * On success, return 0
- * If the ID is in use, return EEXIST
- * If the ID is outside the range, return ERANGE
- * In other cases, return errno from getgrgid()
- */
-static int check_gid (const gid_t gid,
-		      const gid_t gid_min,
-		      const gid_t gid_max,
-		      bool *used_gids)
-{
-	/* First test that the preferred ID is in the range */
-	if (gid < gid_min || gid > gid_max) {
-		return ERANGE;
-	}
-
-	/*
-	 * Check whether we already detected this GID
-	 * using the gr_next() loop
-	 */
-	if (used_gids != NULL && used_gids[gid]) {
-		return EEXIST;
-	}
-	/* Check if the GID exists according to NSS */
-	errno = 0;
-	if (getgrgid (gid) != NULL) {
-		return EEXIST;
-	} else {
-		/* getgrgid() was NULL
-		 * we have to ignore errors as temporary
-		 * failures of remote user identity services
-		 * would completely block user/group creation
-		 */
-	}
-
-	/* If we've made it here, the GID must be available */
-	return 0;
-}
-
 /*
  * find_new_gid - Find a new unused GID.
  *
@@ -161,338 +49,161 @@ static int check_gid (const gid_t gid,
  * Return 0 on success, -1 if no unused GIDs are available.
  */
 int find_new_gid (bool sys_group,
-                 gid_t *gid,
-                 /*@null@*/gid_t const *preferred_gid)
+                  gid_t *gid,
+                  /*@null@*/gid_t const *preferred_gid)
 {
-	bool *used_gids;
 	const struct group *grp;
-	gid_t gid_min, gid_max, preferred_min;
-	gid_t group_id, id;
-	gid_t lowest_found, highest_found;
-	int result;
-	int nospam = 0;
+	gid_t gid_min, gid_max, group_id;
+	bool *used_gids;
 
-	assert(gid != NULL);
+	assert (gid != NULL);
 
-	/*
-	 * First, figure out what ID range is appropriate for
-	 * automatic assignment
-	 */
-	result = get_ranges (sys_group, &gid_min, &gid_max, &preferred_min);
-	if (result == EINVAL) {
-		return -1;
-	}
-
-	/* Check if the preferred GID is available */
-	if (preferred_gid) {
-		result = check_gid (*preferred_gid, preferred_min, gid_max, NULL);
-		if (result == 0) {
-			/*
-			 * Make sure the GID isn't queued for use already
-			 */
-			if (gr_locate_gid (*preferred_gid) == NULL) {
-				*gid = *preferred_gid;
-				return 0;
-			}
-			/*
-			 * gr_locate_gid() found the GID in an as-yet uncommitted
-			 * entry. We'll proceed below and auto-set a GID.
-			 */
-		} else if (result == EEXIST || result == ERANGE) {
-			/*
-			 * Continue on below. At this time, we won't
-			 * treat these two cases differently.
-			 */
-		} else {
-			/*
-			 * An unexpected error occurred. We should report
-			 * this and fail the group creation.
-			 * This differs from the automatic creation
-			 * behavior below, since if a specific GID was
-			 * requested and generated an error, the user is
-			 * more likely to want to stop and address the
-			 * issue.
-			 */
-			fprintf (stderr,
-				_("%s: Encountered error attempting to use "
-				  "preferred GID: %s\n"),
-				Prog, strerror (result));
+	if (!sys_group) {
+		gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL);
+		gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL);
+		if (gid_max < gid_min) {
+			(void) fprintf (stderr,
+			                _("%s: Invalid configuration: GID_MIN (%lu), GID_MAX (%lu)\n"),
+			                Prog, (unsigned long) gid_min, (unsigned long) gid_max);
+			return -1;
+		}
+	} else {
+		gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
+		gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
+		gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max);
+		if (gid_max < gid_min) {
+			(void) fprintf (stderr,
+			                _("%s: Invalid configuration: SYS_GID_MIN (%lu), GID_MIN (%lu), SYS_GID_MAX (%lu)\n"),
+			                Prog, (unsigned long) gid_min, getdef_ulong ("GID_MIN", 1000UL), (unsigned long) gid_max);
 			return -1;
 		}
 	}
-
-	/*
-	 * Search the entire group file,
-	 * looking for the next unused value.
-	 *
-	 * We first check the local database with gr_rewind/gr_next to find
-	 * all local values that are in use.
-	 *
-	 * We then compare the next free value to all databases (local and
-	 * remote) and iterate until we find a free one. If there are free
-	 * values beyond the lowest (system groups) or highest (non-system
-	 * groups), we will prefer those and avoid potentially reclaiming a
-	 * deleted group (which can be a security issue, since it may grant
-	 * access to files belonging to that former group).
-	 *
-	 * If there are no GIDs available at the end of the search, we will
-	 * have no choice but to iterate through the range looking for gaps.
-	 *
-	 */
-
-	/* Create an array to hold all of the discovered GIDs */
 	used_gids = malloc (sizeof (bool) * (gid_max +1));
 	if (NULL == used_gids) {
 		fprintf (stderr,
-			 _("%s: failed to allocate memory: %s\n"),
-			 Prog, strerror (errno));
+		         _("%s: failed to allocate memory: %s\n"),
+		         Prog, strerror (errno));
 		return -1;
 	}
 	memset (used_gids, false, sizeof (bool) * (gid_max + 1));
 
-	/* First look for the lowest and highest value in the local database */
-	(void) gr_rewind ();
-	highest_found = gid_min;
-	lowest_found = gid_max;
-	while ((grp = gr_next ()) != NULL) {
-		/*
-		 * Does this entry have a lower GID than the lowest we've found
-		 * so far?
-		 */
-		if ((grp->gr_gid <= lowest_found) && (grp->gr_gid >= gid_min)) {
-			lowest_found = grp->gr_gid - 1;
-		}
-
-		/*
-		 * Does this entry have a higher GID than the highest we've found
-		 * so far?
-		 */
-		if ((grp->gr_gid >= highest_found) && (grp->gr_gid <= gid_max)) {
-			highest_found = grp->gr_gid + 1;
-		}
-
-		/* create index of used GIDs */
-		if (grp->gr_gid >= gid_min
-			&& grp->gr_gid <= gid_max) {
-
-			used_gids[grp->gr_gid] = true;
-		}
+	if (   (NULL != preferred_gid)
+	    && (*preferred_gid >= gid_min)
+	    && (*preferred_gid <= gid_max)
+	    /* Check if the user exists according to NSS */
+	    && (getgrgid (*preferred_gid) == NULL)
+	    /* Check also the local database in case of uncommitted
+	     * changes */
+	    && (gr_locate_gid (*preferred_gid) == NULL)) {
+		*gid = *preferred_gid;
+		free (used_gids);
+		return 0;
 	}
 
+
+	/*
+	 * Search the entire group file,
+	 * looking for the largest unused value.
+	 *
+	 * We check the list of groups according to NSS (setgrent/getgrent),
+	 * but we also check the local database (gr_rewind/gr_next) in case
+	 * some groups were created but the changes were not committed yet.
+	 */
 	if (sys_group) {
-		/*
-		 * For system groups, we want to start from the
-		 * top of the range and work downwards.
+		gid_t id;
+		/* setgrent / getgrent / endgrent can be very slow with
+		 * LDAP configurations (and many accounts).
+		 * Since there is a limited amount of IDs to be tested
+		 * for system accounts, we just check the existence
+		 * of IDs with getgrgid.
 		 */
-
-		/*
-		 * At the conclusion of the gr_next() search, we will either
-		 * have a presumed-free GID or we will be at GID_MIN - 1.
-		 */
-		if (lowest_found < gid_min) {
-			/*
-			 * In this case, a GID is in use at GID_MIN.
-			 *
-			 * We will reset the search to GID_MAX and proceed down
-			 * through all the GIDs (skipping those we detected with
-			 * used_gids) for a free one. It is a known issue that
-			 * this may result in reusing a previously-deleted GID,
-			 * so administrators should be instructed to use this
-			 * auto-detection with care (and prefer to assign GIDs
-			 * explicitly).
-			 */
-			lowest_found = gid_max;
-		}
-
-		/* Search through all of the IDs in the range */
-		for (id = lowest_found; id >= gid_min; id--) {
-			result = check_gid (id, gid_min, gid_max, used_gids);
-			if (result == 0) {
-				/* This GID is available. Return it. */
-				*gid = id;
-				free (used_gids);
-				return 0;
-			} else if (result == EEXIST) {
-				/* This GID is in use, we'll continue to the next */
-			} else {
-				/*
-				 * An unexpected error occurred.
-				 *
-				 * Only report it the first time to avoid spamming
-				 * the logs
-				 *
-				 */
-				if (!nospam) {
-					fprintf (stderr,
-						_("%s: Can't get unique system GID (%s). "
-						  "Suppressing additional messages.\n"),
-						Prog, strerror (result));
-					SYSLOG ((LOG_ERR,
-						"Error checking available GIDs: %s",
-						strerror (result)));
-					nospam = 1;
-				}
-				/*
-				 * We will continue anyway. Hopefully a later GID
-				 * will work properly.
-				 */
+		group_id = gid_max;
+		for (id = gid_max; id >= gid_min; id--) {
+			if (getgrgid (id) != NULL) {
+				group_id = id - 1;
+				used_gids[id] = true;
 			}
 		}
 
-		/*
-		 * If we get all the way through the loop, try again from GID_MAX,
-		 * unless that was where we previously started. (NOTE: the worst-case
-		 * scenario here is that we will run through (GID_MAX - GID_MIN - 1)
-		 * cycles *again* if we fall into this case with lowest_found as
-		 * GID_MAX - 1, all groups in the range in use and maintained by
-		 * network services such as LDAP.)
-		 */
-		if (lowest_found != gid_max) {
-			for (id = gid_max; id >= gid_min; id--) {
-				result = check_gid (id, gid_min, gid_max, used_gids);
-				if (result == 0) {
-					/* This GID is available. Return it. */
-					*gid = id;
-					free (used_gids);
-					return 0;
-				} else if (result == EEXIST) {
-					/* This GID is in use, we'll continue to the next */
-				} else {
-					/*
-					 * An unexpected error occurred.
-					 *
-					 * Only report it the first time to avoid spamming
-					 * the logs
-					 *
-					 */
-					if (!nospam) {
-						fprintf (stderr,
-							_("%s: Can't get unique system GID (%s). "
-							  "Suppressing additional messages.\n"),
-							Prog, strerror (result));
-						SYSLOG ((LOG_ERR,
-							"Error checking available GIDs: %s",
-							strerror (result)));
-						nospam = 1;
-					}
-					/*
-					 * We will continue anyway. Hopefully a later GID
-					 * will work properly.
-					 */
-				}
+		(void) gr_rewind ();
+		while ((grp = gr_next ()) != NULL) {
+			if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) {
+				group_id = grp->gr_gid - 1;
+			}
+			/* create index of used GIDs */
+			if (grp->gr_gid <= gid_max) {
+				used_gids[grp->gr_gid] = true;
 			}
 		}
-	} else { /* !sys_group */
-		/*
-		 * For non-system groups, we want to start from the
-		 * bottom of the range and work upwards.
-		 */
-
-		/*
-		 * At the conclusion of the gr_next() search, we will either
-		 * have a presumed-free GID or we will be at GID_MAX + 1.
-		 */
-		if (highest_found > gid_max) {
-			/*
-			 * In this case, a GID is in use at GID_MAX.
-			 *
-			 * We will reset the search to GID_MIN and proceed up
-			 * through all the GIDs (skipping those we detected with
-			 * used_gids) for a free one. It is a known issue that
-			 * this may result in reusing a previously-deleted GID,
-			 * so administrators should be instructed to use this
-			 * auto-detection with care (and prefer to assign GIDs
-			 * explicitly).
-			 */
-			highest_found = gid_min;
-		}
-
-		/* Search through all of the IDs in the range */
-		for (id = highest_found; id <= gid_max; id++) {
-			result = check_gid (id, gid_min, gid_max, used_gids);
-			if (result == 0) {
-				/* This GID is available. Return it. */
-				*gid = id;
-				free (used_gids);
-				return 0;
-			} else if (result == EEXIST) {
-				/* This GID is in use, we'll continue to the next */
-			} else {
-				/*
-				 * An unexpected error occurred.
-				 *
-				 * Only report it the first time to avoid spamming
-				 * the logs
-				 *
-				 */
-				if (!nospam) {
-					fprintf (stderr,
-						_("%s: Can't get unique GID (%s). "
-						  "Suppressing additional messages.\n"),
-						Prog, strerror (result));
-					SYSLOG ((LOG_ERR,
-						"Error checking available GIDs: %s",
-						strerror (result)));
-					nospam = 1;
-				}
-				/*
-				 * We will continue anyway. Hopefully a later GID
-				 * will work properly.
-				 */
+	} else {
+		group_id = gid_min;
+		setgrent ();
+		while ((grp = getgrent ()) != NULL) {
+			if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) {
+				group_id = grp->gr_gid + 1;
+			}
+			/* create index of used GIDs */
+			if (grp->gr_gid <= gid_max) {
+				used_gids[grp->gr_gid] = true;
 			}
 		}
+		endgrent ();
 
-		/*
-		 * If we get all the way through the loop, try again from GID_MIN,
-		 * unless that was where we previously started. (NOTE: the worst-case
-		 * scenario here is that we will run through (GID_MAX - GID_MIN - 1)
-		 * cycles *again* if we fall into this case with highest_found as
-		 * GID_MIN + 1, all groups in the range in use and maintained by
-		 * network services such as LDAP.)
-		 */
-		if (highest_found != gid_min) {
-			for (id = gid_min; id <= gid_max; id++) {
-				result = check_gid (id, gid_min, gid_max, used_gids);
-				if (result == 0) {
-					/* This GID is available. Return it. */
-					*gid = id;
-					free (used_gids);
-					return 0;
-				} else if (result == EEXIST) {
-					/* This GID is in use, we'll continue to the next */
-				} else {
-					/*
-					 * An unexpected error occurred.
-					 *
-					 * Only report it the first time to avoid spamming
-					 * the logs
-					 *
-					 */
-					if (!nospam) {
-						fprintf (stderr,
-							_("%s: Can't get unique GID (%s). "
-							  "Suppressing additional messages.\n"),
-							Prog, strerror (result));
-						SYSLOG ((LOG_ERR,
-							"Error checking available GIDs: %s",
-							strerror (result)));
-						nospam = 1;
-					}
-					/*
-					 * We will continue anyway. Hopefully a later GID
-					 * will work properly.
-					 */
-				}
+		(void) gr_rewind ();
+		while ((grp = gr_next ()) != NULL) {
+			if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) {
+				group_id = grp->gr_gid + 1;
+			}
+			/* create index of used GIDs */
+			if (grp->gr_gid <= gid_max) {
+				used_gids[grp->gr_gid] = true;
+			}
+		}
+	}
+
+	/*
+	 * If a group (resp. system group) with GID equal to GID_MAX (resp.
+	 * GID_MIN) exists, the above algorithm will give us GID_MAX+1
+	 * (resp. GID_MIN-1) even if not unique. Search for the first free
+	 * GID starting with GID_MIN (resp. GID_MAX).
+	 */
+	if (sys_group) {
+		if (group_id < gid_min) {
+			for (group_id = gid_max; group_id >= gid_min; group_id--) {
+				if (false == used_gids[group_id]) {
+					break;
+				}
+			}
+			if (group_id < gid_min) {
+				fprintf (stderr,
+				         _("%s: Can't get unique system GID (no more available GIDs)\n"),
+				         Prog);
+				SYSLOG ((LOG_WARN,
+				         "no more available GID on the system"));
+				free (used_gids);
+				return -1;
+			}
+		}
+	} else {
+		if (group_id > gid_max) {
+			for (group_id = gid_min; group_id <= gid_max; group_id++) {
+				if (false == used_gids[group_id]) {
+					break;
+				}
+			}
+			if (group_id > gid_max) {
+				fprintf (stderr,
+				         _("%s: Can't get unique GID (no more available GIDs)\n"),
+				         Prog);
+				SYSLOG ((LOG_WARN, "no more available GID on the system"));
+				free (used_gids);
+				return -1;
 			}
 		}
 	}
 
-	/* The code reached here and found no available IDs in the range */
-	fprintf (stderr,
-		_("%s: Can't get unique GID (no more available GIDs)\n"),
-		Prog);
-	SYSLOG ((LOG_WARN, "no more available GIDs on the system"));
 	free (used_gids);
-	return -1;
+	*gid = group_id;
+	return 0;
 }
 

libmisc/find_new_uid.c

@@ -1,7 +1,6 @@
 /*
  * Copyright (c) 1991 - 1994, Julianne Frances Haugh
  * Copyright (c) 2008 - 2011, Nicolas François
- * Copyright (c) 2014, Red Hat, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -39,117 +38,6 @@
 #include "pwio.h"
 #include "getdef.h"
 
-/*
- * get_ranges - Get the minimum and maximum ID ranges for the search
- *
- * This function will return the minimum and maximum ranges for IDs
- *
- * 0: The function completed successfully
- * EINVAL: The provided ranges are impossible (such as maximum < minimum)
- *
- * preferred_min: The special-case minimum value for a specifically-
- * requested ID, which may be lower than the standard min_id
- */
-static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
-			uid_t *preferred_min)
-{
-	uid_t uid_def_max = 0;
-
-	if (sys_user) {
-		/* System users */
-
-		/* A requested ID is allowed to be below the autoselect range */
-		*preferred_min = (uid_t) 1;
-
-		/* Get the minimum ID range from login.defs or default to 101 */
-		*min_id = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL);
-
-		/*
-		 * If SYS_UID_MAX is unspecified, we should assume it to be one
-		 * less than the UID_MIN (which is reserved for non-system accounts)
-		 */
-		uid_def_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1;
-		*max_id = (uid_t) getdef_ulong ("SYS_UID_MAX",
-				(unsigned long) uid_def_max);
-
-		/* Check that the ranges make sense */
-		if (*max_id < *min_id) {
-			(void) fprintf (stderr,
-                            _("%s: Invalid configuration: SYS_UID_MIN (%lu), "
-                              "UID_MIN (%lu), SYS_UID_MAX (%lu)\n"),
-                            Prog, (unsigned long) *min_id,
-                            getdef_ulong ("UID_MIN", 1000UL),
-                            (unsigned long) *max_id);
-			return EINVAL;
-		}
-	} else {
-		/* Non-system users */
-
-		/* Get the values from login.defs or use reasonable defaults */
-		*min_id = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
-		*max_id = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
-
-		/*
-		 * The preferred minimum should match the standard ID minimum
-		 * for non-system users.
-		 */
-		*preferred_min = *min_id;
-
-		/* Check that the ranges make sense */
-		if (*max_id < *min_id) {
-			(void) fprintf (stderr,
-					_("%s: Invalid configuration: UID_MIN (%lu), "
-					  "UID_MAX (%lu)\n"),
-					Prog, (unsigned long) *min_id,
-					(unsigned long) *max_id);
-			return EINVAL;
-		}
-	}
-
-	return 0;
-}
-
-/*
- * check_uid - See if the requested UID is available
- *
- * On success, return 0
- * If the ID is in use, return EEXIST
- * If the ID is outside the range, return ERANGE
- * In other cases, return errno from getpwuid()
- */
-static int check_uid(const uid_t uid,
-		     const uid_t uid_min,
-		     const uid_t uid_max,
-		     bool *used_uids)
-{
-	/* First test that the preferred ID is in the range */
-	if (uid < uid_min || uid > uid_max) {
-		return ERANGE;
-	}
-
-	/*
-	 * Check whether we already detected this UID
-	 * using the pw_next() loop
-	 */
-	if (used_uids != NULL && used_uids[uid]) {
-		return EEXIST;
-	}
-	/* Check if the UID exists according to NSS */
-	errno = 0;
-	if (getpwuid(uid) != NULL) {
-		return EEXIST;
-	} else {
-		/* getpwuid() was NULL
-		 * we have to ignore errors as temporary
-		 * failures of remote user identity services
-		 * would completely block user/group creation
-		 */
-	}
-
-	/* If we've made it here, the UID must be available */
-	return 0;
-}
-
 /*
  * find_new_uid - Find a new unused UID.
  *
@@ -160,339 +48,162 @@ static int check_uid(const uid_t uid,
  * 
  * Return 0 on success, -1 if no unused UIDs are available.
  */
-int find_new_uid(bool sys_user,
-                 uid_t *uid,
-                 /*@null@*/uid_t const *preferred_uid)
+int find_new_uid (bool sys_user,
+                  uid_t *uid,
+                  /*@null@*/uid_t const *preferred_uid)
 {
-	bool *used_uids;
 	const struct passwd *pwd;
-	uid_t uid_min, uid_max, preferred_min;
-	uid_t user_id, id;
-	uid_t lowest_found, highest_found;
-	int result;
-	int nospam = 0;
+	uid_t uid_min, uid_max, user_id;
+	bool *used_uids;
 
 	assert (uid != NULL);
 
-	/*
-	 * First, figure out what ID range is appropriate for
-	 * automatic assignment
-	 */
-	result = get_ranges (sys_user, &uid_min, &uid_max, &preferred_min);
-	if (result == EINVAL) {
-		return -1;
-	}
-
-	/* Check if the preferred UID is available */
-	if (preferred_uid) {
-		result = check_uid (*preferred_uid, preferred_min, uid_max, NULL);
-		if (result == 0) {
-			/*
-			 * Make sure the UID isn't queued for use already
-			 */
-			if (pw_locate_uid (*preferred_uid) == NULL) {
-				*uid = *preferred_uid;
-				return 0;
-			}
-			/*
-			 * pw_locate_uid() found the UID in an as-yet uncommitted
-			 * entry. We'll proceed below and auto-set an UID.
-			 */
-		} else if (result == EEXIST || result == ERANGE) {
-			/*
-			 * Continue on below. At this time, we won't
-			 * treat these two cases differently.
-			 */
-		} else {
-			/*
-			 * An unexpected error occurred. We should report
-			 * this and fail the user creation.
-			 * This differs from the automatic creation
-			 * behavior below, since if a specific UID was
-			 * requested and generated an error, the user is
-			 * more likely to want to stop and address the
-			 * issue.
-			 */
-			fprintf (stderr,
-				_("%s: Encountered error attempting to use "
-				  "preferred UID: %s\n"),
-				Prog, strerror (result));
+	if (!sys_user) {
+		uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+		uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+		if (uid_max < uid_min) {
+			(void) fprintf (stderr,
+			                _("%s: Invalid configuration: UID_MIN (%lu), UID_MAX (%lu)\n"),
+			                Prog, (unsigned long) uid_min, (unsigned long) uid_max);
+			return -1;
+		}
+	} else {
+		uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL);
+		uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1;
+		uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max);
+		if (uid_max < uid_min) {
+			(void) fprintf (stderr,
+			                _("%s: Invalid configuration: SYS_UID_MIN (%lu), UID_MIN (%lu), SYS_UID_MAX (%lu)\n"),
+			                Prog, (unsigned long) uid_min, getdef_ulong ("UID_MIN", 1000UL), (unsigned long) uid_max);
 			return -1;
 		}
 	}
-
-	/*
-	 * Search the entire passwd file,
-	 * looking for the next unused value.
-	 *
-	 * We first check the local database with pw_rewind/pw_next to find
-	 * all local values that are in use.
-	 *
-	 * We then compare the next free value to all databases (local and
-	 * remote) and iterate until we find a free one. If there are free
-	 * values beyond the lowest (system users) or highest (non-system
-	 * users), we will prefer those and avoid potentially reclaiming a
-	 * deleted user (which can be a security issue, since it may grant
-	 * access to files belonging to that former user).
-	 *
-	 * If there are no UIDs available at the end of the search, we will
-	 * have no choice but to iterate through the range looking for gaps.
-	 *
-	 */
-
-	/* Create an array to hold all of the discovered UIDs */
 	used_uids = malloc (sizeof (bool) * (uid_max +1));
 	if (NULL == used_uids) {
 		fprintf (stderr,
-			 _("%s: failed to allocate memory: %s\n"),
-			 Prog, strerror (errno));
+		         _("%s: failed to allocate memory: %s\n"),
+		         Prog, strerror (errno));
 		return -1;
 	}
 	memset (used_uids, false, sizeof (bool) * (uid_max + 1));
 
-	/* First look for the lowest and highest value in the local database */
-	(void) pw_rewind ();
-	highest_found = uid_min;
-	lowest_found = uid_max;
-	while ((pwd = pw_next ()) != NULL) {
-		/*
-		 * Does this entry have a lower UID than the lowest we've found
-		 * so far?
-		 */
-		if ((pwd->pw_uid <= lowest_found) && (pwd->pw_uid >= uid_min)) {
-			lowest_found = pwd->pw_uid - 1;
-		}
-
-		/*
-		 * Does this entry have a higher UID than the highest we've found
-		 * so far?
-		 */
-		if ((pwd->pw_uid >= highest_found) && (pwd->pw_uid <= uid_max)) {
-			highest_found = pwd->pw_uid + 1;
-		}
-
-		/* create index of used UIDs */
-		if (pwd->pw_uid >= uid_min
-			&& pwd->pw_uid <= uid_max) {
-
-			used_uids[pwd->pw_uid] = true;
-		}
+	if (   (NULL != preferred_uid)
+	    && (*preferred_uid >= uid_min)
+	    && (*preferred_uid <= uid_max)
+	    /* Check if the user exists according to NSS */
+	    && (getpwuid (*preferred_uid) == NULL)
+	    /* Check also the local database in case of uncommitted
+	     * changes */
+	    && (pw_locate_uid (*preferred_uid) == NULL)) {
+		*uid = *preferred_uid;
+		free (used_uids);
+		return 0;
 	}
 
+
+	/*
+	 * Search the entire password file,
+	 * looking for the largest unused value.
+	 *
+	 * We check the list of users according to NSS (setpwent/getpwent),
+	 * but we also check the local database (pw_rewind/pw_next) in case
+	 * some users were created but the changes were not committed yet.
+	 */
 	if (sys_user) {
-		/*
-		 * For system users, we want to start from the
-		 * top of the range and work downwards.
+		uid_t id;
+		/* setpwent / getpwent / endpwent can be very slow with
+		 * LDAP configurations (and many accounts).
+		 * Since there is a limited amount of IDs to be tested
+		 * for system accounts, we just check the existence
+		 * of IDs with getpwuid.
 		 */
-
-		/*
-		 * At the conclusion of the pw_next() search, we will either
-		 * have a presumed-free UID or we will be at UID_MIN - 1.
-		 */
-		if (lowest_found < uid_min) {
-			/*
-			 * In this case, an UID is in use at UID_MIN.
-			 *
-			 * We will reset the search to UID_MAX and proceed down
-			 * through all the UIDs (skipping those we detected with
-			 * used_uids) for a free one. It is a known issue that
-			 * this may result in reusing a previously-deleted UID,
-			 * so administrators should be instructed to use this
-			 * auto-detection with care (and prefer to assign UIDs
-			 * explicitly).
-			 */
-			lowest_found = uid_max;
-		}
-
-		/* Search through all of the IDs in the range */
-		for (id = lowest_found; id >= uid_min; id--) {
-			result = check_uid (id, uid_min, uid_max, used_uids);
-			if (result == 0) {
-				/* This UID is available. Return it. */
-				*uid = id;
-				free (used_uids);
-				return 0;
-			} else if (result == EEXIST) {
-				/* This UID is in use, we'll continue to the next */
-			} else {
-				/*
-				 * An unexpected error occurred.
-				 *
-				 * Only report it the first time to avoid spamming
-				 * the logs
-				 *
-				 */
-				if (!nospam) {
-					fprintf (stderr,
-						_("%s: Can't get unique system UID (%s). "
-						  "Suppressing additional messages.\n"),
-						Prog, strerror (result));
-					SYSLOG ((LOG_ERR,
-						"Error checking available UIDs: %s",
-						strerror (result)));
-					nospam = 1;
-				}
-				/*
-				 * We will continue anyway. Hopefully a later UID
-				 * will work properly.
-				 */
+		user_id = uid_max;
+		for (id = uid_max; id >= uid_min; id--) {
+			if (getpwuid (id) != NULL) {
+				user_id = id - 1;
+				used_uids[id] = true;
 			}
 		}
 
-		/*
-		 * If we get all the way through the loop, try again from UID_MAX,
-		 * unless that was where we previously started. (NOTE: the worst-case
-		 * scenario here is that we will run through (UID_MAX - UID_MIN - 1)
-		 * cycles *again* if we fall into this case with lowest_found as
-		 * UID_MAX - 1, all users in the range in use and maintained by
-		 * network services such as LDAP.)
-		 */
-		if (lowest_found != uid_max) {
-			for (id = uid_max; id >= uid_min; id--) {
-				result = check_uid (id, uid_min, uid_max, used_uids);
-				if (result == 0) {
-					/* This UID is available. Return it. */
-					*uid = id;
-					free (used_uids);
-					return 0;
-				} else if (result == EEXIST) {
-					/* This UID is in use, we'll continue to the next */
-				} else {
-					/*
-					 * An unexpected error occurred.
-					 *
-					 * Only report it the first time to avoid spamming
-					 * the logs
-					 *
-					 */
-					if (!nospam) {
-						fprintf (stderr,
-							_("%s: Can't get unique system UID (%s). "
-							  "Suppressing additional messages.\n"),
-							Prog, strerror (result));
-						SYSLOG((LOG_ERR,
-							"Error checking available UIDs: %s",
-							strerror (result)));
-						nospam = 1;
-					}
-					/*
-					 * We will continue anyway. Hopefully a later UID
-					 * will work properly.
-					 */
-				}
+		(void) pw_rewind ();
+		while ((pwd = pw_next ()) != NULL) {
+			if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) {
+				user_id = pwd->pw_uid - 1;
+			}
+			/* create index of used UIDs */
+			if (pwd->pw_uid <= uid_max) {
+				used_uids[pwd->pw_uid] = true;
 			}
 		}
-	} else { /* !sys_user */
-		/*
-		 * For non-system users, we want to start from the
-		 * bottom of the range and work upwards.
-		 */
-
-		/*
-		 * At the conclusion of the pw_next() search, we will either
-		 * have a presumed-free UID or we will be at UID_MAX + 1.
-		 */
-		if (highest_found > uid_max) {
-			/*
-			 * In this case, a UID is in use at UID_MAX.
-			 *
-			 * We will reset the search to UID_MIN and proceed up
-			 * through all the UIDs (skipping those we detected with
-			 * used_uids) for a free one. It is a known issue that
-			 * this may result in reusing a previously-deleted UID,
-			 * so administrators should be instructed to use this
-			 * auto-detection with care (and prefer to assign UIDs
-			 * explicitly).
-			 */
-			highest_found = uid_min;
-		}
-
-		/* Search through all of the IDs in the range */
-		for (id = highest_found; id <= uid_max; id++) {
-			result = check_uid (id, uid_min, uid_max, used_uids);
-			if (result == 0) {
-				/* This UID is available. Return it. */
-				*uid = id;
-				free (used_uids);
-				return 0;
-			} else if (result == EEXIST) {
-				/* This UID is in use, we'll continue to the next */
-			} else {
-				/*
-				 * An unexpected error occurred.
-				 *
-				 * Only report it the first time to avoid spamming
-				 * the logs
-				 *
-				 */
-				if (!nospam) {
-					fprintf (stderr,
-						_("%s: Can't get unique UID (%s). "
-						  "Suppressing additional messages.\n"),
-						Prog, strerror (result));
-					SYSLOG ((LOG_ERR,
-						"Error checking available UIDs: %s",
-						strerror (result)));
-					nospam = 1;
-				}
-				/*
-				 * We will continue anyway. Hopefully a later UID
-				 * will work properly.
-				 */
+	} else {
+		user_id = uid_min;
+		setpwent ();
+		while ((pwd = getpwent ()) != NULL) {
+			if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) {
+				user_id = pwd->pw_uid + 1;
+			}
+			/* create index of used UIDs */
+			if (pwd->pw_uid <= uid_max) {
+				used_uids[pwd->pw_uid] = true;
 			}
 		}
+		endpwent ();
 
-		/*
-		 * If we get all the way through the loop, try again from UID_MIN,
-		 * unless that was where we previously started. (NOTE: the worst-case
-		 * scenario here is that we will run through (UID_MAX - UID_MIN - 1)
-		 * cycles *again* if we fall into this case with highest_found as
-		 * UID_MIN + 1, all users in the range in use and maintained by
-		 * network services such as LDAP.)
-		 */
-		if (highest_found != uid_min) {
-			for (id = uid_min; id <= uid_max; id++) {
-				result = check_uid (id, uid_min, uid_max, used_uids);
-				if (result == 0) {
-					/* This UID is available. Return it. */
-					*uid = id;
-					free (used_uids);
-					return 0;
-				} else if (result == EEXIST) {
-					/* This UID is in use, we'll continue to the next */
-				} else {
-					/*
-					 * An unexpected error occurred.
-					 *
-					 * Only report it the first time to avoid spamming
-					 * the logs
-					 *
-					 */
-					if (!nospam) {
-						fprintf (stderr,
-							_("%s: Can't get unique UID (%s). "
-							  "Suppressing additional messages.\n"),
-							Prog, strerror (result));
-						SYSLOG ((LOG_ERR,
-							"Error checking available UIDs: %s",
-							strerror (result)));
-						nospam = 1;
-					}
-					/*
-					 * We will continue anyway. Hopefully a later UID
-					 * will work properly.
-					 */
-				}
+		(void) pw_rewind ();
+		while ((pwd = pw_next ()) != NULL) {
+			if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) {
+				user_id = pwd->pw_uid + 1;
+			}
+			/* create index of used UIDs */
+			if (pwd->pw_uid <= uid_max) {
+				used_uids[pwd->pw_uid] = true;
+			}
+		}
+	}
+
+	/*
+	 * If a user (resp. system user) with UID equal to UID_MAX (resp.
+	 * UID_MIN) exists, the above algorithm will give us UID_MAX+1
+	 * (resp. UID_MIN-1) even if not unique. Search for the first free
+	 * UID starting with UID_MIN (resp. UID_MAX).
+	 */
+	if (sys_user) {
+		if (user_id < uid_min) {
+			for (user_id = uid_max; user_id >= uid_min; user_id--) {
+				if (false == used_uids[user_id]) {
+					break;
+				}
+			}
+			if (user_id < uid_min ) {
+				fprintf (stderr,
+				         _("%s: Can't get unique system UID (no more available UIDs)\n"),
+				         Prog);
+				SYSLOG ((LOG_WARN,
+				         "no more available UID on the system"));
+				free (used_uids);
+				return -1;
+			}
+		}
+	} else {
+		if (user_id > uid_max) {
+			for (user_id = uid_min; user_id <= uid_max; user_id++) {
+				if (false == used_uids[user_id]) {
+					break;
+				}
+			}
+			if (user_id > uid_max) {
+				fprintf (stderr,
+				         _("%s: Can't get unique UID (no more available UIDs)\n"),
+				         Prog);
+				SYSLOG ((LOG_WARN, "no more available UID on the system"));
+				free (used_uids);
+				return -1;
 			}
 		}
 	}
 
-	/* The code reached here and found no available IDs in the range */
-	fprintf (stderr,
-		_("%s: Can't get unique UID (no more available UIDs)\n"),
-		Prog);
-	SYSLOG ((LOG_WARN, "no more available UIDs on the system"));
 	free (used_uids);
-	return -1;
+	*uid = user_id;
+	return 0;
 }
 

libmisc/gettime.c

@@ -1,89 +0,0 @@
-/*
- * Copyright (c) 2017, Chris Lamb
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. The name of the copyright holders or contributors may not be used to
- *    endorse or promote products derived from this software without
- *    specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
- * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <config.h>
-
-#ident "$Id$"
-
-#include <errno.h>
-#include <limits.h>
-#include <stdio.h>
-#include "defines.h"
-#include "prototypes.h"
-
-/*
- * gettime() returns the time as the number of seconds since the Epoch
- *
- * Like time(), gettime() returns the time as the number of seconds since the
- * Epoch, 1970-01-01 00:00:00 +0000 (UTC), except that if the SOURCE_DATE_EPOCH
- * environment variable is exported it will use that instead.
- */
-/*@observer@*/time_t gettime ()
-{
-	char *endptr;
-	char *source_date_epoch;
-	time_t fallback;
-	unsigned long long epoch;
-
-	fallback = time (NULL);
-	source_date_epoch = getenv ("SOURCE_DATE_EPOCH");
-
-	if (!source_date_epoch)
-		return fallback;
-
-	errno = 0;
-	epoch = strtoull (source_date_epoch, &endptr, 10);
-	if ((errno == ERANGE && (epoch == ULLONG_MAX || epoch == 0))
-			|| (errno != 0 && epoch == 0)) {
-		fprintf (stderr,
-			 _("Environment variable $SOURCE_DATE_EPOCH: strtoull: %s\n"),
-			 strerror(errno));
-	} else if (endptr == source_date_epoch) {
-		fprintf (stderr,
-			 _("Environment variable $SOURCE_DATE_EPOCH: No digits were found: %s\n"),
-			 endptr);
-	} else if (*endptr != '\0') {
-		fprintf (stderr,
-			 _("Environment variable $SOURCE_DATE_EPOCH: Trailing garbage: %s\n"),
-			 endptr);
-	} else if (epoch > ULONG_MAX) {
-		fprintf (stderr,
-			 _("Environment variable $SOURCE_DATE_EPOCH: value must be smaller than or equal to %lu but was found to be: %llu\n"),
-			 ULONG_MAX, epoch);
-	} else if (epoch > fallback) {
-		fprintf (stderr,
-			 _("Environment variable $SOURCE_DATE_EPOCH: value must be smaller than or equal to the current time (%lu) but was found to be: %llu\n"),
-			 fallback, epoch);
-	} else {
-		/* Valid */
-		return (time_t)epoch;
-	}
-
-	return fallback;
-}

libmisc/user_busy.c

@@ -170,9 +170,6 @@ static int user_busy_processes (const char *name, uid_t uid)
 	proc = opendir ("/proc");
 	if (proc == NULL) {
 		perror ("opendir /proc");
-#ifdef ENABLE_SUBIDS
-		sub_uid_close();
-#endif
 		return 0;
 	}
 	if (stat ("/", &sbroot) != 0) {

man/Makefile.am

@@ -215,4 +215,5 @@ $(man_MANS):
 	@echo "Error: you need to run configure with '--enable-man'"
 	@echo "       in order to regenerate man pages."
 	@echo ""
+	@false
 endif

man/generate_mans.mak

@@ -42,11 +42,12 @@ man1/% man3/% man5/% man8/%: %.xml-config Makefile config.xml
 	            -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/profile-docbook.xsl $<
 
 clean-local:
-	rm -rf man1 man3 man5 man8
+	for d in man1 man3 man5 man8; do [ -d $$d ] && rmdir $$d; done
 
 else
 $(man_MANS):
 	@echo you need to run configure with --enable-man to generate man pages
+	@false
 endif
 
 man8/grpconv.8 man8/grpunconv.8 man8/pwunconv.8: man8/pwconv.8

man/generate_translations.mak

@@ -14,6 +14,7 @@ include ../generate_mans.mak
 else
 $(man_MANS):
 	@echo you need to run configure with --enable-man to generate man pages
+	@false
 endif
 
 CLEANFILES = .xml2po.mo $(EXTRA_DIST) $(addsuffix .xml,$(EXTRA_DIST)) config.xml

man/po/da.po

@@ -1023,7 +1023,7 @@ msgstr ""
 #| "<option>-f</option>, <option>--inactive</option>&nbsp;"
 #| "<replaceable>INACTIVE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
+"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-f</option>, <option>--inactive</option>&nbsp;<replaceable>INAKTIV</"
@@ -1052,7 +1052,7 @@ msgstr ""
 #| "<option>-e</option>, <option>--expiredate</option>&nbsp;"
 #| "<replaceable>EXPIRE_DATE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
+"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-e</option>, <option>--expiredate</option>&nbsp;"
@@ -1065,8 +1065,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subuids</option> and <option>--add-"
-"subuids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-sub-uids</option> and <option>--add-"
+"sub-uids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1076,7 +1076,7 @@ msgstr ""
 #| "<option>-f</option>, <option>--inactive</option>&nbsp;"
 #| "<replaceable>INACTIVE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
+"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-f</option>, <option>--inactive</option>&nbsp;<replaceable>INAKTIV</"
@@ -1099,7 +1099,7 @@ msgstr ""
 #| "<option>-e</option>, <option>--expiredate</option>&nbsp;"
 #| "<replaceable>EXPIRE_DATE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
+"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-e</option>, <option>--expiredate</option>&nbsp;"
@@ -1112,8 +1112,8 @@ msgstr ""
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subgids</option> and <option>--add-"
-"subgids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-sub-gids</option> and <option>--add-"
+"sub-gids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/po/de.po

@@ -1092,7 +1092,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
+"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1129,7 +1129,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
+"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1142,8 +1142,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subuids</option> and <option>--add-"
-"subuids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-sub-uids</option> and <option>--add-"
+"sub-uids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1153,7 +1153,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
+"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1184,7 +1184,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
+"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1201,8 +1201,8 @@ msgstr ""
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subgids</option> and <option>--add-"
-"subgids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-sub-gids</option> and <option>--add-"
+"sub-gids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 
@@ -3087,7 +3087,7 @@ msgstr "5"
 #: limits.5.xml:61(refmiscinfo) gshadow.5.xml:48(refmiscinfo)
 #: faillog.5.xml:59(refmiscinfo)
 msgid "File Formats and Conversions"
-msgstr "Dateiformate und konvertierung"
+msgstr "Dateiformate und -konvertierung"
 
 #: suauth.5.xml:65(refpurpose)
 msgid "detailed su control file"
@@ -4370,7 +4370,7 @@ msgstr ""
 
 #: shadow.5.xml:235(para)
 msgid "An empty field means that the account will never expire."
-msgstr "Ein leeres Feld bedeutet, dass das Konto nicht verfallen wird."
+msgstr "Ein leeren Feld bedeutet, dass das Konto nicht verfallen wird."
 
 #: shadow.5.xml:238(para)
 msgid ""
@@ -6961,7 +6961,7 @@ msgid ""
 "contents of this file should be a message indicating why logins are "
 "inhibited."
 msgstr ""
-"Falls angegeben, der Name einer Datei, deren Existenz Anmeldungen außer von "
+"Falls angegeben, der Name einer Datei, dessen Existenz Anmeldungen außer von "
 "Root verhindert. Der Inhalt der Datei sollte die Gründe enthalten, weshalb "
 "Anmeldungen untersagt sind."
 

man/po/fr.po

@@ -1110,7 +1110,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
+"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1147,7 +1147,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
+"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1160,8 +1160,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subuids</option> and <option>--add-"
-"subuids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-sub-uids</option> and <option>--add-"
+"sub-uids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1171,7 +1171,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
+"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1202,7 +1202,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
+"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1219,8 +1219,8 @@ msgstr ""
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subgids</option> and <option>--add-"
-"subgids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-sub-gids</option> and <option>--add-"
+"sub-gids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/po/it.po

@@ -1151,7 +1151,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
+"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1189,7 +1189,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
+"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1202,8 +1202,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subuids</option> and <option>--add-"
-"subuids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-sub-uids</option> and <option>--add-"
+"sub-uids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1214,7 +1214,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
+"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1247,7 +1247,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
+"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1262,8 +1262,8 @@ msgstr "Rimuove tutti gli utenti SELinux assegnati al login utente."
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subgids</option> and <option>--add-"
-"subgids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-sub-gids</option> and <option>--add-"
+"sub-gids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/po/pl.po

@@ -1088,7 +1088,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
+"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KLUCZ</"
@@ -1117,7 +1117,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
+"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KLUCZ</"
@@ -1130,8 +1130,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subuids</option> and <option>--add-"
-"subuids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-sub-uids</option> and <option>--add-"
+"sub-uids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1141,7 +1141,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
+"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KLUCZ</"
@@ -1164,7 +1164,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
+"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KLUCZ</"
@@ -1177,8 +1177,8 @@ msgstr ""
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subgids</option> and <option>--add-"
-"subgids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-sub-gids</option> and <option>--add-"
+"sub-gids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/po/ru.po

@@ -1133,7 +1133,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
+"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>УЧЁТНАЯ "
@@ -1170,7 +1170,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
+"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>УЧЁТНАЯ "
@@ -1183,8 +1183,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subuids</option> and <option>--add-"
-"subuids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-sub-uids</option> and <option>--add-"
+"sub-uids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1194,7 +1194,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
+"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>УЧЁТНАЯ "
@@ -1225,7 +1225,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
+"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>УЧЁТНАЯ "
@@ -1242,8 +1242,8 @@ msgstr ""
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subgids</option> and <option>--add-"
-"subgids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-sub-gids</option> and <option>--add-"
+"sub-gids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/po/shadow-man-pages.pot

@@ -458,7 +458,7 @@ msgid "Note: if you wish to unlock the account (not only access with a password)
 msgstr ""
 
 #: usermod.8.xml:384(term)
-msgid "<option>-v</option>, <option>--add-subuids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
+msgid "<option>-v</option>, <option>--add-sub-uids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 
 #: usermod.8.xml:388(para)
@@ -474,7 +474,7 @@ msgid "No checks will be performed with regard to <option>SUB_UID_MIN</option>,
 msgstr ""
 
 #: usermod.8.xml:402(term)
-msgid "<option>-V</option>, <option>--del-subuids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
+msgid "<option>-V</option>, <option>--del-sub-uids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 
 #: usermod.8.xml:406(para)
@@ -482,11 +482,11 @@ msgid "Remove a range of subordinate uids from the user's account."
 msgstr ""
 
 #: usermod.8.xml:409(para)
-msgid "This option may be specified multiple times to remove multiple ranges to a users account. When both <option>--del-subuids</option> and <option>--add-subuids</option> are specified, the removal of all subordinate uid ranges happens before any subordinate uid range is added."
+msgid "This option may be specified multiple times to remove multiple ranges to a users account. When both <option>--del-sub-uids</option> and <option>--add-sub-uids</option> are specified, the removal of all subordinate uid ranges happens before any subordinate uid range is added."
 msgstr ""
 
 #: usermod.8.xml:422(term)
-msgid "<option>-w</option>, <option>--add-subgids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
+msgid "<option>-w</option>, <option>--add-sub-gids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 
 #: usermod.8.xml:426(para)
@@ -498,7 +498,7 @@ msgid "No checks will be performed with regard to <option>SUB_GID_MIN</option>,
 msgstr ""
 
 #: usermod.8.xml:440(term)
-msgid "<option>-W</option>, <option>--del-subgids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
+msgid "<option>-W</option>, <option>--del-sub-gids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 
 #: usermod.8.xml:444(para)
@@ -506,7 +506,7 @@ msgid "Remove a range of subordinate gids from the user's account."
 msgstr ""
 
 #: usermod.8.xml:447(para)
-msgid "This option may be specified multiple times to remove multiple ranges to a users account. When both <option>--del-subgids</option> and <option>--add-subgids</option> are specified, the removal of all subordinate gid ranges happens before any subordinate gid range is added."
+msgid "This option may be specified multiple times to remove multiple ranges to a users account. When both <option>--del-sub-gids</option> and <option>--add-sub-gids</option> are specified, the removal of all subordinate gid ranges happens before any subordinate gid range is added."
 msgstr ""
 
 #: usermod.8.xml:460(term) useradd.8.xml:506(term)

man/po/sv.po

@@ -1062,7 +1062,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
+"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>NYCKEL</"
@@ -1091,7 +1091,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
+"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>NYCKEL</"
@@ -1104,8 +1104,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subuids</option> and <option>--add-"
-"subuids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-sub-uids</option> and <option>--add-"
+"sub-uids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1115,7 +1115,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
+"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>NYCKEL</"
@@ -1138,7 +1138,7 @@ msgstr ""
 #| "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>KEY</"
 #| "replaceable>=<replaceable>VALUE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
+"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-K</option>, <option>--key</option>&nbsp;<replaceable>NYCKEL</"
@@ -1151,8 +1151,8 @@ msgstr ""
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subgids</option> and <option>--add-"
-"subgids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-sub-gids</option> and <option>--add-"
+"sub-gids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/po/zh_CN.po

@@ -1043,7 +1043,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-v</option>, <option>--add-subuids</option>&nbsp;"
+"<option>-v</option>, <option>--add-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1080,7 +1080,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-V</option>, <option>--del-subuids</option>&nbsp;"
+"<option>-V</option>, <option>--del-sub-uids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1093,8 +1093,8 @@ msgstr ""
 #: usermod.8.xml:409(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subuids</option> and <option>--add-"
-"subuids</option> are specified, the removal of all subordinate uid ranges "
+"users account. When both <option>--del-sub-uids</option> and <option>--add-"
+"sub-uids</option> are specified, the removal of all subordinate uid ranges "
 "happens before any subordinate uid range is added."
 msgstr ""
 
@@ -1104,7 +1104,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-w</option>, <option>--add-subgids</option>&nbsp;"
+"<option>-w</option>, <option>--add-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1136,7 +1136,7 @@ msgstr ""
 #| "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
 #| "replaceable>|<replaceable>RANGE</replaceable>"
 msgid ""
-"<option>-W</option>, <option>--del-subgids</option>&nbsp;"
+"<option>-W</option>, <option>--del-sub-gids</option>&nbsp;"
 "<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>"
 msgstr ""
 "<option>-u</option>, <option>--user</option>&nbsp;<replaceable>LOGIN</"
@@ -1151,8 +1151,8 @@ msgstr "移除用户登录的所有 SELinux 用户映射。"
 #: usermod.8.xml:447(para)
 msgid ""
 "This option may be specified multiple times to remove multiple ranges to a "
-"users account. When both <option>--del-subgids</option> and <option>--add-"
-"subgids</option> are specified, the removal of all subordinate gid ranges "
+"users account. When both <option>--del-sub-gids</option> and <option>--add-"
+"sub-gids</option> are specified, the removal of all subordinate gid ranges "
 "happens before any subordinate gid range is added."
 msgstr ""
 

man/usermod.8.xml

@@ -382,7 +382,7 @@
       </varlistentry>
       <varlistentry condition="subids">
 	<term>
-	  <option>-v</option>, <option>--add-subuids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
+	  <option>-v</option>, <option>--add-sub-uids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
 	</term>
 	<listitem>
 	  <para>
@@ -400,7 +400,7 @@
       </varlistentry>
       <varlistentry condition="subids">
 	<term>
-	  <option>-V</option>, <option>--del-subuids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
+	  <option>-V</option>, <option>--del-sub-uids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
 	</term>
 	<listitem>
 	  <para>
@@ -408,7 +408,7 @@
 	  </para>
 	  <para>
 	    This option may be specified multiple times to remove multiple ranges to a users account.
-	    When both <option>--del-subuids</option> and <option>--add-subuids</option> are specified,
+	    When both <option>--del-sub-uids</option> and <option>--add-sub-uids</option> are specified,
 	    the removal of all subordinate uid ranges happens before any subordinate uid range is added.
 	  </para>
 	  <para>
@@ -420,7 +420,7 @@
       </varlistentry>
       <varlistentry condition="subids">
 	<term>
-	  <option>-w</option>, <option>--add-subgids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
+	  <option>-w</option>, <option>--add-sub-gids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
 	</term>
 	<listitem>
 	  <para>
@@ -438,7 +438,7 @@
       </varlistentry>
       <varlistentry condition="subids">
 	<term>
-	  <option>-W</option>, <option>--del-subgids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
+	  <option>-W</option>, <option>--del-sub-gids</option>&nbsp;<replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
 	</term>
 	<listitem>
 	  <para>
@@ -446,7 +446,7 @@
 	  </para>
 	  <para>
 	    This option may be specified multiple times to remove multiple ranges to a users account.
-	    When both <option>--del-subgids</option> and <option>--add-subgids</option> are specified,
+	    When both <option>--del-sub-gids</option> and <option>--add-sub-gids</option> are specified,
 	    the removal of all subordinate gid ranges happens before any subordinate gid range is added.
 	  </para>
 	  <para>

po/kk.po

@@ -1,22 +1,21 @@
 # shadowutils to kazakh.
 # Copyright (C) 2009 Free Software Foundation, Inc.
 # This file is distributed under the same license as the PACKAGE package.
-# Baurzhan Muftakhidinov <baurthefirst@gmail.com>, 2009-2017.
+# Baurzhan Muftakhidinov <baurthefirst@gmail.com>, 2009-2012.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: shadowutils\n"
 "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n"
 "POT-Creation-Date: 2016-09-18 14:03-0500\n"
-"PO-Revision-Date: 2017-02-07 17:09+0500\n"
+"PO-Revision-Date: 2012-01-20 21:16+0600\n"
 "Last-Translator: Baurzhan Muftakhidinov <baurthefirst@gmail.com>\n"
 "Language-Team: Kazakh <kk_KZ@googlegroups.com>\n"
 "Language: kk\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Poedit 1.8.11\n"
+"Plural-Forms: nplurals=1; plural=0\n"
 
 #, c-format
 msgid ""
@@ -44,9 +43,10 @@ msgstr "баптау қатесі - белгісіз элемент '%s' (адм
 msgid "%s: nscd did not terminate normally (signal %d)\n"
 msgstr "%s: nscd өз жұмысын дұрыс аяқтаған жоқ (%d сигналымен)\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: nscd exited with status %d"
 msgid "%s: nscd exited with status %d\n"
-msgstr "%s: nscd %d қалып-күймен өз жұмысын аяқтады\n"
+msgstr "%s: nscd %d статуспен жұмысын өз аяқтады"
 
 msgid "Password: "
 msgstr "Пароль: "
@@ -417,9 +417,10 @@ msgstr "%s: '%s' chroot жолы қате\n"
 msgid "%s: cannot access chroot directory %s: %s\n"
 msgstr "%s: %s chroot бумасына қатынау мүмкін емес: %s\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: cannot access chroot directory %s: %s\n"
 msgid "%s: cannot chdir to chroot directory %s: %s\n"
-msgstr "%s: %s chroot бумасына өту (chdir) мүмкін емес: %s\n"
+msgstr "%s: %s chroot бумасына қатынау мүмкін емес: %s\n"
 
 #, c-format
 msgid "%s: unable to chroot to directory %s: %s\n"
@@ -784,10 +785,10 @@ msgstr "%s: жол %d: жол өте ұзын\n"
 msgid "%s: line %d: missing new password\n"
 msgstr "%s: жол %d: жаңа пароль жоқ\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: Failed to write %s: %s\n"
 msgid "%s: failed to crypt password with salt '%s': %s\n"
-msgstr "%s: парольді '%s' тұзымен шифрлеу сәтсіз аяқталды: %s\n"
+msgstr "%s: %s жазу сәтсіз: %s\n"
 
 #, c-format
 msgid "%s: line %d: group '%s' does not exist\n"
@@ -1095,14 +1096,13 @@ msgstr "%s: GID '%lu' бар болып тұр\n"
 msgid "%s: Cannot setup cleanup service.\n"
 msgstr "%s: Тазарту қызметін орнату мүмкін емес.\n"
 
+#, fuzzy
 #| msgid ""
 #| "  -r, --reset                   reset the counters of login failures\n"
 msgid ""
 "  -f, --force                   delete group even if it is the primary group "
 "of a user\n"
-msgstr ""
-"  -f, --force                   топты өшіру, егер ол пайдаланушының "
-"біріншілік тобы болса да\n"
+msgstr "  -r, --reset                   сәтсіз кіру талап санағышын нөлдеу\n"
 
 #, c-format
 msgid "%s: cannot remove entry '%s' from %s\n"
@@ -1330,23 +1330,25 @@ msgstr ""
 "  -b, --before КҮН              мерзімі КҮНнен үлкен ғана lastlog жазбаларын "
 "көрсету\n"
 
+#, fuzzy
 #| msgid ""
 #| "  -a, --all                     display faillog records for all users\n"
 msgid ""
 "  -C, --clear                   clear lastlog record of an user (usable only "
 "with -u)\n"
 msgstr ""
-"  -C, --clear                   пайдаланушының lastlog жазбасын тазарту (тек "
-"-u опциясымен бірге пайдаланылады)\n"
+"  -a, --all                     барлық пайдаланушылар үшін faillog "
+"жазбаларын көрсету\n"
 
+#, fuzzy
 #| msgid ""
 #| "  -a, --all                     display faillog records for all users\n"
 msgid ""
 "  -S, --set                     set lastlog record to current time (usable "
 "only with -u)\n"
 msgstr ""
-"  -S, --set                     lastlog жазбасын ағымдағы уақытқа орнату "
-"(тек -u опциясымен бірге пайдаланылады)\n"
+"  -a, --all                     барлық пайдаланушылар үшін faillog "
+"жазбаларын көрсету\n"
 
 msgid ""
 "  -t, --time DAYS               print only lastlog records more recent than "
@@ -1370,22 +1372,23 @@ msgstr "Пайдаланушы             Порт     Соңғы"
 msgid "**Never logged in**"
 msgstr "**Жүйеге ешқашан кірмеген**"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: Failed to get the entry for UID %lu\n"
 msgid "%s: Failed to update the entry for UID %lu\n"
-msgstr "%s: UID %lu үшін жазбаны жаңарту сәтсіз аяқталды\n"
+msgstr "%s: UID %lu үшін жазбаны алу мүмкін емес\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: failed to reset the lastlog entry of UID %lu: %s\n"
 msgid "%s: Failed to update the lastlog file\n"
-msgstr "%s: lastlog файлын жаңарту сәтсіз аяқталды\n"
+msgstr "%s: %lu UID-і үшін lastlog жазбасын нөлдеу сәтсіз: %s\n"
 
 #, c-format
 msgid "%s: Option -C cannot be used together with option -S\n"
-msgstr "%s: -C опциясын -S опциясымен бірге қолдануға болмайды\n"
+msgstr ""
 
 #, c-format
 msgid "%s: Options -C and -S require option -u to specify the user\n"
 msgstr ""
-"%s: -C және -S опциялары пайдаланушыны көрсету үшін -u опциясын талап етеді\n"
 
 #, c-format
 msgid "Usage: %s [-p] [name]\n"
@@ -1510,10 +1513,10 @@ msgstr "Қолданылуы: newgrp [-] [топ]\n"
 msgid "Usage: sg group [[-c] command]\n"
 msgstr "Қолданылуы: sg топ [[-c] командасы]\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: Failed to write %s: %s\n"
 msgid "%s: failed to crypt password with previous salt: %s\n"
-msgstr "%s: парольді алдыңғы тұзбен шифрлеу сәтсіз аяқталды: %s\n"
+msgstr "%s: %s жазу сәтсіз: %s\n"
 
 msgid "Invalid password.\n"
 msgstr "пароль қате.\n"
@@ -1582,18 +1585,20 @@ msgstr "%s: жол %d: chown %s сәтсіз: %s\n"
 msgid "%s: line %d: can't update entry\n"
 msgstr "%s: жол %d: жазбаны жаңарту мүмкін емес\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to prepare new %s entry\n"
-msgstr "%s: жаңа %s жазбасын дайындау сәтсіз аяқталды\n"
+msgstr "%s: жаңа %s '%s' жазбаны дайындау мүмкін емес\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: can't create user\n"
 msgid "%s: can't find subordinate user range\n"
-msgstr "%s: бағынышты пайдаланушы ауқымын табу мүмкін емес\n"
+msgstr "%s: пайдаланушыны жасау мүмкін емес\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: can't create group\n"
 msgid "%s: can't find subordinate group range\n"
-msgstr "%s: бағынышты топ ауқымын табу мүмкін емес\n"
+msgstr "%s: топты құру мүмкін емес\n"
 
 msgid ""
 "  -a, --all                     report password status on all accounts\n"
@@ -2005,10 +2010,10 @@ msgstr "%s: жаңа defaults файлын ашу мүмкін емес\n"
 msgid "%s: line too long in %s: %s..."
 msgstr "%s: %s ішіндегі жол тым ұзын: %s..."
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: Cannot create symbolic link %s: %s\n"
 msgid "%s: Cannot create backup file (%s): %s\n"
-msgstr "%s: Қор көшірме файлын жасау мүмкін емес (%s): %s\n"
+msgstr "%s: %s символдық сілтемесін жасау мүмкін емес: %s\n"
 
 #, c-format
 msgid "%s: rename: %s: %s\n"
@@ -2171,9 +2176,10 @@ msgstr "%s: %lu UID-і үшін faillog жазбасын нөлдеу сәтсі
 msgid "%s: failed to reset the lastlog entry of UID %lu: %s\n"
 msgstr "%s: %lu UID-і үшін lastlog жазбасын нөлдеу сәтсіз: %s\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to prepare the new %s entry\n"
-msgstr "%s: жаңа %s жазбасын дайындау сәтсіз аяқталды\n"
+msgstr "%s: жаңа %s '%s' жазбаны дайындау мүмкін емес\n"
 
 #, c-format
 msgid "%s: cannot create directory %s\n"
@@ -2217,14 +2223,15 @@ msgstr "%s: %s үшін tcb бумасын жасау мүмкін емес\n"
 msgid "%s: can't create group\n"
 msgstr "%s: топты құру мүмкін емес\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: can't create user\n"
 msgid "%s: can't create subordinate user IDs\n"
-msgstr "%s: бағынышты пайдаланушы ID-ын жасау мүмкін емес\n"
+msgstr "%s: пайдаланушыны жасау мүмкін емес\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: can't create group\n"
 msgid "%s: can't create subordinate group IDs\n"
-msgstr "%s: бағынышты топ ID-ын жасау мүмкін емес\n"
+msgstr "%s: топты құру мүмкін емес\n"
 
 #, c-format
 msgid ""
@@ -2270,9 +2277,10 @@ msgstr ""
 "%s: %s тобын өшіру мүмкін емес, ол басқа пайдаланушы үшін басыңқы топ болып "
 "табылады.\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: cannot remove entry '%s' from %s\n"
 msgid "%s: cannot remove entry %lu from %s\n"
-msgstr "%s: %lu жазбасын %s ішінен өшіру мүмкін емес\n"
+msgstr "%s: '%s' жазбасын %s ішінен өшіру мүмкін емес\n"
 
 #, c-format
 msgid "%s: %s mail spool (%s) not found\n"
@@ -2399,16 +2407,16 @@ msgstr ""
 "  -U, --unlock                  пайдаланушы тіркелгісін оқшаулаудан босату\n"
 
 msgid "  -v, --add-subuids FIRST-LAST  add range of subordinate uids\n"
-msgstr "  -v, --add-subuids БІРІНШІ-СОҢҒЫ  бағынышты uid-тар ауқымын қосу\n"
+msgstr ""
 
 msgid "  -V, --del-subuids FIRST-LAST  remove range of subordinate uids\n"
-msgstr "  -V, --del-subuids БІРІНШІ-СОҢҒЫ  бағынышты uid-тар ауқымын өшіру\n"
+msgstr ""
 
 msgid "  -w, --add-subgids FIRST-LAST  add range of subordinate gids\n"
-msgstr "  -w, --add-subgids БІРІНШІ-СОҢҒЫ  бағынышты gid-тар ауқымын қосу\n"
+msgstr ""
 
 msgid "  -W, --del-subgids FIRST-LAST  remove range of subordinate gids\n"
-msgstr "  -W, --del-subgids БІРІНШІ-СОҢҒЫ  бағынышты gid-тар ауқымын өшіру\n"
+msgstr ""
 
 msgid ""
 "  -Z, --selinux-user SEUSER     new SELinux user mapping for the user "
@@ -2429,14 +2437,15 @@ msgstr ""
 msgid "%s: user '%s' already exists in %s\n"
 msgstr "%s: '%s' пайдаланушысы %s ішінде бар болып тұр\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: invalid date '%s'\n"
 msgid "%s: invalid subordinate uid range '%s'\n"
-msgstr "%s: жарамсыз бағынышты uid ауқымы '%s'\n"
+msgstr "%s: '%s' күні қате\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: invalid date '%s'\n"
 msgid "%s: invalid subordinate gid range '%s'\n"
-msgstr "%s: жарамсыз бағынышты gid ауқымы '%s'\n"
+msgstr "%s: '%s' күні қате\n"
 
 #, c-format
 msgid "%s: no options\n"
@@ -2454,10 +2463,10 @@ msgstr "%s: -e пен -f үшін көлеңкелі парольдер кере
 msgid "%s: UID '%lu' already exists\n"
 msgstr "%s: '%lu' UID-і бар болып тұр\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: %s is not authorized to change the password of %s\n"
 msgid "%s: %s does not exist, you cannot use the flags %s or %s\n"
-msgstr "%s: %s жоқ болып тұр, %s немесе %s жалаушаларын қолдануға болмайды\n"
+msgstr "%s: %s пайдаланушының %s үшін паролді өзгертуге құқығы жоқ\n"
 
 #, c-format
 msgid "%s: directory %s exists\n"
@@ -2503,22 +2512,25 @@ msgstr "mailbox иесін ауыстыру қатемен аяқталды"
 msgid "failed to rename mailbox"
 msgstr "mailbox атын ауыстыру қатемен аяқталды"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to remove uid range %lu-%lu from '%s'\n"
-msgstr "%s: %lu-%lu uid-тар ауқымын '%s' ішінен өшіру сәтсіз аяқталды\n"
+msgstr "%s: жаңа %s '%s' жазбаны дайындау мүмкін емес\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to add uid range %lu-%lu from '%s'\n"
-msgstr "%s: %lu-%lu uid ауқымын '%s' ішіне қосу сәтсіз аяқталды\n"
+msgstr "%s: жаңа %s '%s' жазбаны дайындау мүмкін емес\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to remove gid range %lu-%lu from '%s'\n"
-msgstr "%s: %lu-%lu gid-тар ауқымын '%s' ішінен өшіру сәтсіз аяқталды\n"
+msgstr "%s: жаңа %s '%s' жазбаны дайындау мүмкін емес\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to add gid range %lu-%lu from '%s'\n"
-msgstr "%s: %lu-%lu gid ауқымын '%s' ішіне қосу сәтсіз аяқталды\n"
+msgstr "%s: жаңа %s '%s' жазбаны дайындау мүмкін емес\n"
 
 #, c-format
 msgid ""
@@ -2573,18 +2585,19 @@ msgstr "Файлды оқшаулау мүмкін емес"
 msgid "Couldn't make backup"
 msgstr "Қор көшірмені жасау мүмкін емес"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: PAM: %s\n"
 msgid "%s: %s: %s\n"
-msgstr "%s: %s: %s\n"
+msgstr "%s: PAM: %s\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: nscd exited with status %d"
 msgid "%s: %s returned with status %d\n"
-msgstr "%s: %s %d қалып-күймен өз жұмысын аяқтады\n"
+msgstr "%s: nscd %d статуспен жұмысын өз аяқтады"
 
 #, c-format
 msgid "%s: %s killed by signal %d\n"
-msgstr "%s: %s %d сигналымен тоқтатылды\n"
+msgstr ""
 
 msgid "failed to open scratch file"
 msgstr "scratch файлын ашу сәтсіз"

po/nb.po

@@ -7,13 +7,12 @@
 # Bjørn Steensrud <bjornst@powertech.no>, 2006.
 # Bjørn Steensrud <bjornst@skogkatt.homelinux.org>, 2009, 2012.
 # Hans Fredrik Nordhaug <hans@nordhaug.priv.no>, 2012.
-# Lars Bahner <bahner@debian.org>, 2015
 msgid ""
 msgstr ""
 "Project-Id-Version: shadow 4.0.17\n"
 "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n"
 "POT-Creation-Date: 2016-09-18 14:03-0500\n"
-"PO-Revision-Date: 2015-09-30 18:15+0100\n"
+"PO-Revision-Date: 2012-01-18 17:19+0100\n"
 "Last-Translator: Bjørn Steensrud <bjornst@skogkatt.homelinux.org>\n"
 "Language-Team: Norwegian Bokmål <i18n-nb@lister.ping.uio.no>\n"
 "Language: nb\n"
@@ -21,7 +20,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Poedit 1.7.5\n"
+"X-Generator: Lokalize 1.2\n"
 
 #, c-format
 msgid ""
@@ -49,9 +48,10 @@ msgstr "feil med oppsettet - ukjent element «%s» (kontakt administrator)\n"
 msgid "%s: nscd did not terminate normally (signal %d)\n"
 msgstr "%s: nscd avsluttet ikke normallt (signal %d)\n"
 
-#, c-format
+#, fuzzy, c-format
+#| msgid "%s: nscd exited with status %d"
 msgid "%s: nscd exited with status %d\n"
-msgstr "%s: nscd avsluttet med status %d\n"
+msgstr "%s: nscd avsluttet med status %d"
 
 msgid "Password: "
 msgstr "Passord: "
@@ -415,9 +415,8 @@ msgstr "passwd: %s\n"
 msgid "passwd: password unchanged\n"
 msgstr "passwd: passordet er uendret\n"
 
-#, fuzzy
 msgid "passwd: password updated successfully\n"
-msgstr "passwd: passordet ble oppdatert\n"
+msgstr "passwd: passorder ble oppdatert\n"
 
 #, c-format
 msgid "Incorrect password for %s.\n"

po/ru.po

@@ -5,20 +5,20 @@
 # Eugene Konev <ejka@imfi.kspu.ru>, 2004.
 # alyoshin.s@gmail.com <alyoshin.s@gmail.com>, 2008.
 # Yuri Kozlov <kozlov.y@gmail.com>, 2004, 2005, 2006, 2007, 2008.
-# Yuri Kozlov <yuray@komyakino.ru>, 2009, 2011, 2012, 2017.
+# Yuri Kozlov <yuray@komyakino.ru>, 2009, 2011, 2012.
 msgid ""
 msgstr ""
 "Project-Id-Version: shadow 4.1.5.1-1\n"
 "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n"
 "POT-Creation-Date: 2016-09-18 14:03-0500\n"
-"PO-Revision-Date: 2017-03-05 11:14+0300\n"
+"PO-Revision-Date: 2013-07-29 10:42+0400\n"
 "Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n"
 "Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n"
 "Language: ru\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Generator: Lokalize 2.0\n"
+"X-Generator: Lokalize 1.0\n"
 "Plural-Forms:  nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
 "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
 
@@ -436,10 +436,10 @@ msgstr "%s: некорректное значение пути chroot «%s»\n"
 msgid "%s: cannot access chroot directory %s: %s\n"
 msgstr "%s: нет доступа к каталогу chroot %s: %s\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: cannot access chroot directory %s: %s\n"
 msgid "%s: cannot chdir to chroot directory %s: %s\n"
-msgstr "%s: не удалось выполнить chdir в chroot-каталог %s: %s\n"
+msgstr "%s: нет доступа к каталогу chroot %s: %s\n"
 
 #, c-format
 msgid "%s: unable to chroot to directory %s: %s\n"
@@ -806,10 +806,10 @@ msgstr "%s: строка %d: слишком длинная строка\n"
 msgid "%s: line %d: missing new password\n"
 msgstr "%s: строка %d: отсутствует новый пароль\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: Failed to write %s: %s\n"
 msgid "%s: failed to crypt password with salt '%s': %s\n"
-msgstr "%s: не удалось зашифровать пароль с солью «%s»: %s\n"
+msgstr "%s: не удалось записать %s: %s\n"
 
 #, c-format
 msgid "%s: line %d: group '%s' does not exist\n"
@@ -1098,7 +1098,7 @@ msgstr ""
 "                                новой группы\n"
 
 msgid "  -r, --system                  create a system account\n"
-msgstr "  -r, --system                  создавать системную группу\n"
+msgstr "  -r, --system                  создать системную учётную запись\n"
 
 #, c-format
 msgid "%s: '%s' is not a valid group name\n"
@@ -1124,15 +1124,14 @@ msgstr "%s: GID «%lu» уже существует\n"
 msgid "%s: Cannot setup cleanup service.\n"
 msgstr "%s: не удалось настроить службу очистки.\n"
 
+#, fuzzy
 #| msgid ""
 #| "  -r, --reset                   reset the counters of login failures\n"
 msgid ""
 "  -f, --force                   delete group even if it is the primary group "
 "of a user\n"
 msgstr ""
-"  -f, --force                   удалить группу, даже если она является"
-" первичной\n"
-"                                группой пользователя\n"
+"  -r, --reset                   сбросить счётчик неудачных попыток входа\n"
 
 #, c-format
 msgid "%s: cannot remove entry '%s' from %s\n"
@@ -1358,23 +1357,25 @@ msgstr ""
 "  -b, --before ДНЕЙ             показать записи lastlog за последние ДНЕЙ "
 "дней\n"
 
+#, fuzzy
 #| msgid ""
 #| "  -a, --all                     display faillog records for all users\n"
 msgid ""
 "  -C, --clear                   clear lastlog record of an user (usable only "
 "with -u)\n"
 msgstr ""
-"  -C, --clear                   очистить запись lastlog пользователя\n"
-"                                (только вместе с -u)\n"
+"  -a, --all                     показать записи faillog для всех "
+"пользователей\n"
 
+#, fuzzy
 #| msgid ""
 #| "  -a, --all                     display faillog records for all users\n"
 msgid ""
 "  -S, --set                     set lastlog record to current time (usable "
 "only with -u)\n"
 msgstr ""
-"  -S, --set                     поставить в записи lastlog текущее время\n"
-"                                (только вместе с -u)\n"
+"  -a, --all                     показать записи faillog для всех "
+"пользователей\n"
 
 msgid ""
 "  -t, --time DAYS               print only lastlog records more recent than "
@@ -1398,24 +1399,23 @@ msgstr "Пользователь            Порт     Последний ра
 msgid "**Never logged in**"
 msgstr "**Никогда не входил в систему**"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: Failed to get the entry for UID %lu\n"
 msgid "%s: Failed to update the entry for UID %lu\n"
-msgstr "%s: не удалось обновить запись для UID %lu\n"
+msgstr "%s: не удалось получить запись для UID %lu\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: failed to reset the lastlog entry of UID %lu: %s\n"
 msgid "%s: Failed to update the lastlog file\n"
-msgstr "%s: не удалось обновить файл lastlog\n"
+msgstr "%s: не удалось сбросить запись в lastlog для UID %lu: %s\n"
 
 #, c-format
 msgid "%s: Option -C cannot be used together with option -S\n"
-msgstr "%s: параметр -C нельзя использовать вместе с параметром -S\n"
+msgstr ""
 
 #, c-format
 msgid "%s: Options -C and -S require option -u to specify the user\n"
 msgstr ""
-"%s: для параметров -C и -S требуется указать пользователя в параметре -u\n"
 
 #, c-format
 msgid "Usage: %s [-p] [name]\n"
@@ -1539,10 +1539,10 @@ msgstr "Использование: newgrp [-] [группа]\n"
 msgid "Usage: sg group [[-c] command]\n"
 msgstr "Использование: sg группа [[-c] команда]\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: Failed to write %s: %s\n"
 msgid "%s: failed to crypt password with previous salt: %s\n"
-msgstr "%s: не удалось зашифровать пароль с предыдущей солью: %s\n"
+msgstr "%s: не удалось записать %s: %s\n"
 
 msgid "Invalid password.\n"
 msgstr "Неправильный пароль.\n"
@@ -1612,20 +1612,20 @@ msgstr "%s: строка %d: вызов chown %s завершился неуда
 msgid "%s: line %d: can't update entry\n"
 msgstr "%s: строка %d: не удалось обновить запись\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to prepare new %s entry\n"
-msgstr "%s: не удалось подготовить новую %s запись\n"
+msgstr "%s: не удалось подготовить новую %s запись «%s»\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: can't create user\n"
 msgid "%s: can't find subordinate user range\n"
-msgstr "%s: не удалось найти подчинённый диапазон пользователей\n"
+msgstr "%s: не удалось создать пользователя\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: can't create group\n"
 msgid "%s: can't find subordinate group range\n"
-msgstr "%s: не удалось найти подчинённый диапазон групп\n"
+msgstr "%s: не удалось создать группу\n"
 
 msgid ""
 "  -a, --all                     report password status on all accounts\n"
@@ -2219,10 +2219,10 @@ msgstr "%s: не удалось сбросить запись в faillog для
 msgid "%s: failed to reset the lastlog entry of UID %lu: %s\n"
 msgstr "%s: не удалось сбросить запись в lastlog для UID %lu: %s\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to prepare the new %s entry\n"
-msgstr "%s: не удалось подготовить новую %s запись\n"
+msgstr "%s: не удалось подготовить новую %s запись «%s»\n"
 
 #, c-format
 msgid "%s: cannot create directory %s\n"
@@ -2267,15 +2267,15 @@ msgstr "%s: не удалось создать tcb-каталог для %s\n"
 msgid "%s: can't create group\n"
 msgstr "%s: не удалось создать группу\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: can't create user\n"
 msgid "%s: can't create subordinate user IDs\n"
-msgstr "%s: не удалось создать подчинённые пользовательские ID\n"
+msgstr "%s: не удалось создать пользователя\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: can't create group\n"
 msgid "%s: can't create subordinate group IDs\n"
-msgstr "%s: не удалось создать подчинённые групповые ID\n"
+msgstr "%s: не удалось создать группу\n"
 
 #, c-format
 msgid ""
@@ -2325,10 +2325,10 @@ msgstr ""
 "%s: группа %s является первичной для другого пользователя и не может быть "
 "удалена.\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: cannot remove entry '%s' from %s\n"
 msgid "%s: cannot remove entry %lu from %s\n"
-msgstr "%s: не удалось удалить запись %lu из %s\n"
+msgstr "%s: не удалось удалить запись «%s» из %s\n"
 
 #, c-format
 msgid "%s: %s mail spool (%s) not found\n"
@@ -2452,16 +2452,16 @@ msgid "  -U, --unlock                  unlock the user account\n"
 msgstr "  -U, --unlock                  разблокировать учётную запись\n"
 
 msgid "  -v, --add-subuids FIRST-LAST  add range of subordinate uids\n"
-msgstr "  -v, --add-subuids ПЕРВ-ПОСЛ   добавить диапазон подчинённых uid\n"
+msgstr ""
 
 msgid "  -V, --del-subuids FIRST-LAST  remove range of subordinate uids\n"
-msgstr "  -V, --del-subuids ПЕРВ-ПОСЛ   удалить диапазон подчинённых uid\n"
+msgstr ""
 
 msgid "  -w, --add-subgids FIRST-LAST  add range of subordinate gids\n"
-msgstr "  -w, --add-subgids ПЕРВ-ПОСЛ   добавить диапазон подчинённых gid\n"
+msgstr ""
 
 msgid "  -W, --del-subgids FIRST-LAST  remove range of subordinate gids\n"
-msgstr "  -W, --del-subgids ПЕРВ-ПОСЛ   удалить диапазон подчинённых gid\n"
+msgstr ""
 
 msgid ""
 "  -Z, --selinux-user SEUSER     new SELinux user mapping for the user "
@@ -2483,15 +2483,15 @@ msgstr ""
 msgid "%s: user '%s' already exists in %s\n"
 msgstr "%s: пользователь «%s» уже существует в %s\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: invalid date '%s'\n"
 msgid "%s: invalid subordinate uid range '%s'\n"
-msgstr "%s: некорректный диапазон подчинённых uid «%s»\n"
+msgstr "%s: неверная дата «%s»\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: invalid date '%s'\n"
 msgid "%s: invalid subordinate gid range '%s'\n"
-msgstr "%s: некорректный диапазон подчинённых gid «%s»\n"
+msgstr "%s: неверная дата «%s»\n"
 
 #, c-format
 msgid "%s: no options\n"
@@ -2510,10 +2510,10 @@ msgstr ""
 msgid "%s: UID '%lu' already exists\n"
 msgstr "%s: UID «%lu» уже существует\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: %s is not authorized to change the password of %s\n"
 msgid "%s: %s does not exist, you cannot use the flags %s or %s\n"
-msgstr "%s: %s не существует, нельзя указывать флаги %s или %s\n"
+msgstr "%s: у %s нет прав изменять пароль %s\n"
 
 #, c-format
 msgid "%s: directory %s exists\n"
@@ -2562,25 +2562,25 @@ msgstr "не удалось сменить владельца почтового
 msgid "failed to rename mailbox"
 msgstr "не удалось переименовать почтовый ящик"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to remove uid range %lu-%lu from '%s'\n"
-msgstr "%s: не удалось удалить диапазон uid %lu-%lu из «%s»\n"
+msgstr "%s: не удалось подготовить новую %s запись «%s»\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to add uid range %lu-%lu from '%s'\n"
-msgstr "%s: не удалось добавить диапазон uid %lu-%lu в «%s»\n"
+msgstr "%s: не удалось подготовить новую %s запись «%s»\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to remove gid range %lu-%lu from '%s'\n"
-msgstr "%s: не удалось удалить диапазон gid %lu-%lu из «%s»\n"
+msgstr "%s: не удалось подготовить новую %s запись «%s»\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: failed to prepare the new %s entry '%s'\n"
 msgid "%s: failed to add gid range %lu-%lu from '%s'\n"
-msgstr "%s: не удалось добавить диапазон gid %lu-%lu в «%s»\n"
+msgstr "%s: не удалось подготовить новую %s запись «%s»\n"
 
 #, c-format
 msgid ""
@@ -2638,19 +2638,19 @@ msgstr "Не удалось заблокировать файл"
 msgid "Couldn't make backup"
 msgstr "Не удалось создать резервную копию"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: PAM: %s\n"
 msgid "%s: %s: %s\n"
-msgstr "%s: %s: %s\n"
+msgstr "%s: PAM: %s\n"
 
-#, c-format
+#, fuzzy, c-format
 #| msgid "%s: nscd exited with status %d\n"
 msgid "%s: %s returned with status %d\n"
-msgstr "%s: %s завершился с кодом выхода %d\n"
+msgstr "%s: nscd завершился с кодом выхода %d\n"
 
 #, c-format
 msgid "%s: %s killed by signal %d\n"
-msgstr "%s: %s убит по сигналу %d\n"
+msgstr ""
 
 msgid "failed to open scratch file"
 msgstr "не удалось открыть черновой файл"

po/zh_TW.po

@@ -18,6 +18,7 @@ msgstr ""
 "Plural-Forms: nplurals=1; plural=0;\n"
 "X-Poedit-Language: Chinese\n"
 "X-Poedit-Country: TAIWAN\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
 
 #, c-format
 msgid ""

src/Makefile.am

@@ -7,10 +7,9 @@ usbindir = ${prefix}/sbin
 suidperms = 4755
 sgidperms = 2755
 
-AM_CPPFLAGS = \
+INCLUDES = \
 	-I${top_srcdir}/lib \
-	-I$(top_srcdir)/libmisc \
-	-DLOCALEDIR=\"$(datadir)/locale\"
+	-I$(top_srcdir)/libmisc
 
 # XXX why are login and su in /bin anyway (other than for
 # historical reasons)?
@@ -55,10 +54,10 @@ noinst_PROGRAMS = id sulogin
 suidbins       = su
 suidubins      = chage chfn chsh expiry gpasswd newgrp passwd
 if ACCT_TOOLS_SETUID
-suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
+	suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
 endif
 if ENABLE_SUBIDS
-suidubins += newgidmap newuidmap
+	suidubins += newgidmap newuidmap
 endif
 
 if WITH_TCB
@@ -70,6 +69,7 @@ LDADD          = $(INTLLIBS) \
 		 $(LIBTCB) \
 		 $(top_builddir)/libmisc/libmisc.a \
 		 $(top_builddir)/lib/libshadow.la
+AM_CPPFLAGS    = -DLOCALEDIR=\"$(datadir)/locale\"
 
 if ACCT_TOOLS_SETUID
 LIBPAM_SUID  = $(LIBPAM)
@@ -113,7 +113,7 @@ pwunconv_LDADD = $(LDADD) $(LIBSELINUX)
 su_SOURCES     = \
 	su.c \
 	suauth.c
-su_LDADD       = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+su_LDADD       = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
 sulogin_LDADD  = $(LDADD) $(LIBCRYPT)
 useradd_LDADD  = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBATTR)
 userdel_LDADD  = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE)
@@ -125,14 +125,14 @@ install-am: all-am
 	ln -sf newgrp	$(DESTDIR)$(ubindir)/sg
 	ln -sf vipw	$(DESTDIR)$(usbindir)/vigr
 	for i in $(suidbins); do \
-		chmod $(suidperms) $(DESTDIR)$(bindir)/$$i; \
+		chmod -f $(suidperms) $(DESTDIR)$(bindir)/$$i; \
 	done
 	for i in $(suidubins); do \
-		chmod $(suidperms) $(DESTDIR)$(ubindir)/$$i; \
+		chmod -f $(suidperms) $(DESTDIR)$(ubindir)/$$i; \
 	done
 if WITH_TCB
 	for i in $(shadowsgidubins); do \
 		chown root:shadow $(DESTDIR)$(ubindir)/$$i; \
-		chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
+		chmod -f $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
 	done
 endif

src/chpasswd.c

@@ -552,7 +552,7 @@ int main (int argc, char **argv)
 		if (NULL != sp) {
 			newsp = *sp;
 			newsp.sp_pwdp = cp;
-			newsp.sp_lstchg = (long) gettime () / SCALE;
+			newsp.sp_lstchg = (long) time ((time_t *)NULL) / SCALE;
 			if (0 == newsp.sp_lstchg) {
 				/* Better disable aging than requiring a
 				 * password change */

src/newusers.c

@@ -496,7 +496,7 @@ static int add_passwd (struct passwd *pwd, const char *password)
 			}
 			spent.sp_pwdp = cp;
 		}
-		spent.sp_lstchg = (long) gettime () / SCALE;
+		spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
 		if (0 == spent.sp_lstchg) {
 			/* Better disable aging than requiring a password
 			 * change */
@@ -553,7 +553,7 @@ static int add_passwd (struct passwd *pwd, const char *password)
 	 */
 	spent.sp_pwdp = "!";
 #endif
-	spent.sp_lstchg = (long) gettime () / SCALE;
+	spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
 	if (0 == spent.sp_lstchg) {
 		/* Better disable aging than requiring a password change */
 		spent.sp_lstchg = -1;
@@ -988,8 +988,8 @@ int main (int argc, char **argv)
 	is_shadow_grp = sgr_file_present ();
 #endif
 #ifdef ENABLE_SUBIDS
-	is_sub_uid = sub_uid_file_present () && !rflg;
-	is_sub_gid = sub_gid_file_present () && !rflg;
+	is_sub_uid = sub_uid_file_present ();
+	is_sub_gid = sub_gid_file_present ();
 #endif				/* ENABLE_SUBIDS */
 
 	open_files ();

src/passwd.c

@@ -668,7 +668,7 @@ static void update_shadow (void)
 	}
 #ifndef USE_PAM
 	if (do_update_age) {
-		nsp->sp_lstchg = (long) gettime () / SCALE;
+		nsp->sp_lstchg = (long) time ((time_t *) 0) / SCALE;
 		if (0 == nsp->sp_lstchg) {
 			/* Better disable aging than requiring a password
 			 * change */

src/su.c

@@ -219,22 +219,6 @@ static /*@noreturn@*/void su_failure (const char *tty, bool su_to_root)
 	}
 	closelog ();
 #endif
-
-#ifdef WITH_AUDIT
-	audit_fd = audit_open ();
-	audit_log_acct_message (audit_fd,
-				AUDIT_USER_ROLE_CHANGE,
-				NULL,    /* Prog. name */
-				"su",
-				('\0' != caller_name[0]) ? caller_name : "???",
-				AUDIT_NO_ID,
-				"localhost",
-				NULL,    /* addr */
-				tty,
-				0);      /* result */
-	close (audit_fd);
-#endif				/* WITH_AUDIT */
-
 	exit (1);
 }
 
@@ -379,38 +363,23 @@ static void prepare_pam_close_session (void)
 				/* wake child when resumed */
 				kill (pid, SIGCONT);
 				stop = false;
-			} else if (   (pid_t)-1 != pid) {
-				pid_child = 0;
 			}
 		} while (!stop);
 	}
 
-	if (0 != caught && 0 != pid_child) {
+	if (0 != caught) {
 		(void) fputs ("\n", stderr);
 		(void) fputs (_("Session terminated, terminating shell..."),
 		              stderr);
 		(void) kill (-pid_child, caught);
 
-		snprintf (kill_msg, sizeof kill_msg, _(" ...killed.\n"));
-		snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n"));
+		snprintf (kill_msg, 256, _(" ...killed.\n"));
+		snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
 
 		(void) signal (SIGALRM, kill_child);
-		(void) signal (SIGCHLD, catch_signals);
 		(void) alarm (2);
 
-		sigemptyset (&ourset);
-		if ((sigaddset (&ourset, SIGALRM) != 0)
-		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
-			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
-			kill_child (0);
-		} else {
-			while (0 == waitpid (pid_child, &status, WNOHANG)) {
-				sigsuspend (&ourset);
-			}
-			pid_child = 0;
-			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
-		}
-
+		(void) wait (&status);
 		(void) fputs (_(" ...terminated.\n"), stderr);
 	}
 
@@ -1107,21 +1076,6 @@ int main (int argc, char **argv)
 	}
 #endif				/* !USE_PAM */
 
-#ifdef WITH_AUDIT
-	audit_fd = audit_open ();
-	audit_log_acct_message (audit_fd,
-				AUDIT_USER_ROLE_CHANGE,
-				NULL,    /* Prog. name */
-				"su",
-				('\0' != caller_name[0]) ? caller_name : "???",
-				AUDIT_NO_ID,
-				"localhost",
-				NULL,    /* addr */
-				caller_tty,
-				1);      /* result */
-	close (audit_fd);
-#endif				/* WITH_AUDIT */
-
 	set_environment (pw);
 
 	if (!doshell) {

src/useradd.c

@@ -51,9 +51,7 @@
 #include <string.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#include <sys/wait.h>
 #include <time.h>
-#include <unistd.h>
 #include "chkname.h"
 #include "defines.h"
 #include "faillog.h"
@@ -215,7 +213,6 @@ static void open_files (void);
 static void open_shadow (void);
 static void faillog_reset (uid_t);
 static void lastlog_reset (uid_t);
-static void tallylog_reset (char *);
 static void usr_update (void);
 static void create_home (void);
 static void create_mail (void);
@@ -828,7 +825,7 @@ static void new_spent (struct spwd *spent)
 	memzero (spent, sizeof *spent);
 	spent->sp_namp = (char *) user_name;
 	spent->sp_pwdp = (char *) user_pass;
-	spent->sp_lstchg = (long) gettime () / SCALE;
+	spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE;
 	if (0 == spent->sp_lstchg) {
 		/* Better disable aging than requiring a password change */
 		spent->sp_lstchg = -1;
@@ -1792,52 +1789,6 @@ static void lastlog_reset (uid_t uid)
 	}
 }
 
-static void tallylog_reset (char *user_name)
-{
-	const char pam_tally2[] = "/sbin/pam_tally2";
-	const char *pname;
-	pid_t childpid;
-	int failed;
-	int status;
-
-	if (access(pam_tally2, X_OK) == -1)
-		return;
-
-	failed = 0;
-	switch (childpid = fork())
-	{
-	case -1: /* error */
-		failed = 1;
-		break;
-	case 0: /* child */
-		pname = strrchr(pam_tally2, '/');
-		if (pname == NULL)
-			pname = pam_tally2;
-		else
-			pname++;        /* Skip the '/' */
-		execl(pam_tally2, pname, "--user", user_name, "--reset", "--quiet", NULL);
-		/* If we come here, something has gone terribly wrong */
-		perror(pam_tally2);
-		exit(42);       /* don't continue, we now have 2 processes running! */
-		/* NOTREACHED */
-		break;
-	default: /* parent */
-		if (waitpid(childpid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
-			failed = 1;
-		break;
-	}
-
-	if (failed)
-	{
-		fprintf (stderr,
-		         _("%s: failed to reset the tallylog entry of user \"%s\"\n"),
-		         Prog, user_name);
-		SYSLOG ((LOG_WARN, "failed to reset the tallylog entry of user \"%s\"", user_name));
-	}
-
-	return;
-}
-
 /*
  * usr_update - create the user entries
  *
@@ -1945,9 +1896,6 @@ static void create_home (void)
 	if (access (user_home, F_OK) != 0) {
 #ifdef WITH_SELINUX
 		if (set_selinux_file_context (user_home) != 0) {
-			fprintf (stderr,
-			         _("%s: cannot set SELinux context for home directory %s\n"),
-			         Prog, user_home);
 			fail_exit (E_HOMEDIR);
 		}
 #endif
@@ -1977,9 +1925,6 @@ static void create_home (void)
 #ifdef WITH_SELINUX
 		/* Reset SELinux to create files with default contexts */
 		if (reset_selinux_file_context () != 0) {
-			fprintf (stderr,
-			         _("%s: cannot reset SELinux file creation context\n"),
-			         Prog);
 			fail_exit (E_HOMEDIR);
 		}
 #endif
@@ -2049,8 +1994,8 @@ int main (int argc, char **argv)
 #endif				/* ACCT_TOOLS_SETUID */
 
 #ifdef ENABLE_SUBIDS
-	uid_t uid_min;
-	uid_t uid_max;
+	uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
+	uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
 #endif
 
 	/*
@@ -2082,19 +2027,17 @@ int main (int argc, char **argv)
 	is_shadow_grp = sgr_file_present ();
 #endif
 
-	get_defaults ();
-
 	process_flags (argc, argv);
 
 #ifdef ENABLE_SUBIDS
-	uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
-	uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
 	is_sub_uid = sub_uid_file_present () && !rflg &&
 	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
 	is_sub_gid = sub_gid_file_present () && !rflg &&
 	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
 #endif				/* ENABLE_SUBIDS */
 
+	get_defaults ();
+
 #ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	{
@@ -2282,15 +2225,6 @@ int main (int argc, char **argv)
 
 	close_files ();
 
-	/*
-	 * tallylog_reset needs to be able to lookup
-	 * a valid existing user name,
-	 * so we canot call it before close_files()
-	 */
-	if (!lflg && getpwuid (user_id) != NULL) {
-		tallylog_reset (user_name);
-	}
-
 #ifdef WITH_SELINUX
 	if (Zflg) {
 		if (set_seuser (user_name, user_selinux) != 0) {

src/usermod.c

@@ -641,7 +641,7 @@ static void new_spent (struct spwd *spent)
 	spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
 
 	if (pflg) {
-		spent->sp_lstchg = (long) gettime () / SCALE;
+		spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE;
 		if (0 == spent->sp_lstchg) {
 			/* Better disable aging than requiring a password
 			 * change. */
@@ -1673,7 +1673,7 @@ static void usr_update (void)
 			spent.sp_pwdp   = xstrdup (pwent.pw_passwd);
 			pwent.pw_passwd = xstrdup (SHADOW_PASSWD_STRING);
 
-			spent.sp_lstchg = (long) gettime () / SCALE;
+			spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
 			if (0 == spent.sp_lstchg) {
 				/* Better disable aging than
 				 * requiring a password change */
@@ -1756,14 +1756,6 @@ static void move_home (void)
 			fail_exit (E_HOMEDIR);
 		}
 
-#ifdef WITH_AUDIT
-		if (uflg || gflg) {
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-				      "changing home directory owner",
-				      user_newname, (unsigned int) user_newid, 1);
-		}
-#endif
-
 		if (rename (user_home, user_newhome) == 0) {
 			/* FIXME: rename above may have broken symlinks
 			 *        pointing to the user's home directory
@@ -2156,7 +2148,7 @@ int main (int argc, char **argv)
 			unsigned long count = ptr->range.last - ptr->range.first + 1;
 			if (sub_uid_add(user_name, ptr->range.first, count) == 0) {
 				fprintf (stderr,
-					_("%s: failed to add uid range %lu-%lu to '%s'\n"),
+					_("%s: failed to add uid range %lu-%lu from '%s'\n"),
 					Prog, ptr->range.first, ptr->range.last, 
 					sub_uid_dbname ());
 				fail_exit (E_SUB_UID_UPDATE);
@@ -2182,7 +2174,7 @@ int main (int argc, char **argv)
 			unsigned long count = ptr->range.last - ptr->range.first + 1;
 			if (sub_gid_add(user_name, ptr->range.first, count) == 0) {
 				fprintf (stderr,
-					_("%s: failed to add gid range %lu-%lu to '%s'\n"),
+					_("%s: failed to add gid range %lu-%lu from '%s'\n"),
 					Prog, ptr->range.first, ptr->range.last, 
 					sub_gid_dbname ());
 				fail_exit (E_SUB_GID_UPDATE);
@@ -2260,13 +2252,6 @@ int main (int argc, char **argv)
 			 * ownership.
 			 *
 			 */
-#ifdef WITH_AUDIT
-			if (uflg || gflg) {
-				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-					      "changing home directory owner",
-					      user_newname, (unsigned int) user_newid, 1);
-			}
-#endif
 			if (chown_tree (dflg ? user_newhome : user_home,
 			                user_id,
 			                uflg ? user_newid  : (uid_t)-1,

tests/chroot/chage/01_chage--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/chsh/01_chsh--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/grpck/01_grpck--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/pwck/01_pwck--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/useradd/01_useradd--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/userdel/01_userdel--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/chroot/usermod/01_usermod--root/config_chroot/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #

tests/grouptools/gpasswd/19_gpasswd_change_passwd-root/config/etc/login.defs

@@ -209,7 +209,7 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
-# If set to yes, userdel will remove the user's group if it contains no
+# If set to yes, userdel will remove the user´s group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #