New upstream version 4.19.3

New upstream version 4.19.2
New upstream version 4.19.0
2026-02-02 07:32:15 +01:00 · 2026-01-25 14:17:08 +01:00 · 2026-01-06 00:37:15 +01:00 · 2025-08-26 22:55:14 +02:00 · 2025-03-29 13:24:20 +01:00 · 2025-02-24 22:57:12 +01:00
11014 changed files with 488940 additions and 68200 deletions
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -3,11 +3,20 @@ reports and various comments. This list may be incomplete, I received
 a lot of mail...
 # Maintainers
 * Marek Michałkiewicz <marekm72@gmail.com> (1995-2000)
 * Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
 * Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
 * Serge E. Hallyn <serge@hallyn.com> (2014-now)
 * Christian Brauner <christian@brauner.io> (2019-now)
 * Iker Pedrosa <ipedrosa@redhat.com> (2022-now)
 * Alejandro Colomar <alx@kernel.org> (2023-now) (4.14 stable)
 To verify signatures on releases, use the following keys under keys/ :
 * Serge Hallyn: keys/66D0387DB85D320F8408166DB175CFA98F192AF2.asc
 * Christian Brauner: keys/4880B8C9BD0E5106FC070F4F7B3C391EFEA93624.asc
 * Iker Pedrosa: keys/4E80EF49C7987B6DE2F81F5005079C6C3A653E57.asc
 * Alejandro Colomar: keys/A9348594CE31283A826FBDD8D57633D441E25BB5.asc
 # Authors and contributors
 * Adam Rudnicki <adam@v-lo.krakow.pl>
--- a/14
+++ b/14
@@ -9558,7 +9558,7 @@
 	* NEWS: release date corrected.
 	* NEWS, src/su.c:
-	fixed set enviroment too early when using PAM, so move it to !USE_PAM
+	fixed set environment too early when using PAM, so move it to !USE_PAM
 	(patch submitted by Mike Frysinger <vapier@gentoo.org>).
 2006-07-30  Tomasz Kłoczko  <kloczek@pld.org.pl>
@@ -10245,7 +10245,7 @@
 	* NEWS: cleanups.
 	* autogen.sh:
-	by default in development enviroment use CFLAGS="-O2 -Wall".
+	by default in development environment use CFLAGS="-O2 -Wall".
 	* src/chgpasswd.c (main): remove two unused variables (newgr and now).
@@ -11654,7 +11654,7 @@
 	in OPTIONS section). Describe -a and -k options.
 	* NEWS, src/su.c:
-	fixed twice copy enviroment which causes auth problems (bug was introduced in 4.0.12;
+	fixed twice copy environment which causes auth problems (bug was introduced in 4.0.12;
 	fix by Nicolas François <nicolas.francois@centraliens.net>).
 	* src/passwd.c, po/ja.po, po/ko.po, po/nb.po, po/nl.po, po/nn.po, po/pl.po, po/pt.po, po/pt_BR.po, po/ro.po, po/ru.po, po/sk.po, po/sq.po, po/sv.po, po/tl.po, po/tr.po, po/uk.po, po/vi.po, po/zh_CN.po, po/zh_TW.po, po/bs.po, po/ca.po, po/cs.po, po/da.po, po/de.po, po/el.po, po/es.po, po/eu.po, po/fi.po, po/fr.po, po/he.po, po/id.po, po/it.po:
@@ -12584,7 +12584,7 @@
 	http://bugs.debian.org/48002
 	* src/login.c, NEWS:
-	fixed loggin of username on succesful login (was using the normal username,
+	fixed loggin of username on successful login (was using the normal username,
 	when it should have used pam_user) http://bugs.debian.org/47819
 2005-06-02  Tomasz Kłoczko  <kloczek@pld.org.pl>
@@ -13029,7 +13029,7 @@
 	* man/pl/usermod.8: finish sync with english version.
 	* man/hu/login.1, man/pl/login.1, NEWS, man/Attic/login.1, man/de/login.1:
-	removed fragment about abilities pass enviroment variables in login prompt.
+	removed fragment about abilities pass environment variables in login prompt.
 	* man/Attic/gpasswd.1, man/Attic/newgrp.1:
 	fixes by Nicolas Nicolas François <nicolas.francois@centraliens.net> (not all
@@ -13508,7 +13508,7 @@
 	removed not used translations.
 	* NEWS, src/su.c:
-	fix adding of pam_env env variables to enviroment (Martin Schlemmer <azarah@nosferatu.za.org>).
+	fix adding of pam_env env variables to environment (Martin Schlemmer <azarah@nosferatu.za.org>).
 	* NEWS, configure.in:
 	fixed filling MAIL_SPOOL_DIR and MAIL_SPOOL_FILE variables which was allways
@@ -13605,7 +13605,7 @@
 	* NEWS, src/su.c:
 	add pam_open_session() support. If builded without PAM support
-	propagate $DISPLAY and $XAUTHORITY enviroment variables.
+	propagate $DISPLAY and $XAUTHORITY environment variables.
 	Based on http://www.gentoo.org/cgi-bin/viewcvs.cgi/sys-apps/shadow/files/shadow-4.0.4.1-su-pam_open_session.patch?rev=1.1
 2004-10-23  Tomasz Kłoczko  <kloczek@pld.org.pl>
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,15 +1,28 @@
 ## Process this file with automake to produce Makefile.in
 ACLOCAL_AMFLAGS = -I m4
-EXTRA_DIST = NEWS README TODO shadow.spec.in
+SUBDIRS = lib
 SUBDIRS = libmisc lib
 if ENABLE_SUBIDS
 SUBDIRS += libsubid
 endif
-SUBDIRS += src po contrib doc etc
+SUBDIRS += src po doc etc tests/unit
 if ENABLE_REGENERATE_MAN
 SUBDIRS += man
 endif
 CLEANFILES = man/8.out man/po/remove-potcdate.* man/*/login.defs.d man/*/*.mo
 EXTRA_DIST = NEWS README tests/
 dist-hook:
 	chmod -R u+w $(distdir)/tests
 	chmod u+w $(distdir)
 	mv $(distdir)/tests/unit $(distdir)/realunittest
 	mv $(distdir)/tests/tests $(distdir)/realtests
 	rm -rf $(distdir)/tests
 	mv $(distdir)/realtests $(distdir)/tests
 	rm -rf $(distdir)/tests/unit $(distdir)/tests/Makefile*
 	mv $(distdir)/realunittest $(distdir)/tests/unit
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.5 from Makefile.am.
+# Makefile.in generated by automake 1.18.1 from Makefile.am.
 # @configure_input@
-# Copyright (C) 1994-2021 Free Software Foundation, Inc.
+# Copyright (C) 1994-2025 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -69,6 +69,8 @@ am__make_running_with_option = \
  test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
 am__rm_f = rm -f $(am__rm_f_notfound)
 am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -108,7 +110,7 @@ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
 configure.lineno config.status.lineno
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = config.h
-CONFIG_CLEAN_FILES = man/po/Makefile shadow.spec
+CONFIG_CLEAN_FILES = man/po/Makefile
 CONFIG_CLEAN_VPATH_FILES =
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -163,19 +165,26 @@ am__define_uniq_tagged_files = \
  unique=`for i in $$list; do \
    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
  done | $(am__uniquify_input)`
-DIST_SUBDIRS = libmisc lib libsubid src po contrib doc etc man
+DIST_SUBDIRS = lib libsubid src po doc etc tests/unit man
 am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
-	$(srcdir)/shadow.spec.in $(top_srcdir)/man/po/Makefile.in \
+	$(top_srcdir)/build-aux/compile \
-	ABOUT-NLS AUTHORS.md COPYING ChangeLog NEWS README TODO \
+	$(top_srcdir)/build-aux/config.guess \
-	compile config.guess config.rpath config.sub install-sh \
+	$(top_srcdir)/build-aux/config.rpath \
-	ltmain.sh missing
+	$(top_srcdir)/build-aux/config.sub \
 	$(top_srcdir)/build-aux/install-sh \
 	$(top_srcdir)/build-aux/ltmain.sh \
 	$(top_srcdir)/build-aux/missing \
 	$(top_srcdir)/man/po/Makefile.in ABOUT-NLS AUTHORS.md COPYING \
 	ChangeLog NEWS README build-aux/compile build-aux/config.guess \
 	build-aux/config.rpath build-aux/config.sub \
 	build-aux/install-sh build-aux/ltmain.sh build-aux/missing
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
 am__remove_distdir = \
  if test -d "$(distdir)"; then \
-    find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
+    find "$(distdir)" -type d ! -perm -700 -exec chmod u+rwx {} ';' \
-      && rm -rf "$(distdir)" \
+      ; rm -rf "$(distdir)" \
      || { sleep 5 && rm -rf "$(distdir)"; }; \
  else :; fi
 am__post_remove_distdir = $(am__remove_distdir)
@@ -205,17 +214,20 @@ am__relativize = \
  done; \
  reldir="$$dir2"
 DIST_ARCHIVES = $(distdir).tar.gz $(distdir).tar.xz
-GZIP_ENV = --best
+GZIP_ENV = -9
 DIST_TARGETS = dist-xz dist-gzip
 # Exists only to be overridden by the user if desired.
 AM_DISTCHECK_DVI_TARGET = dvi
 distuninstallcheck_listfiles = find . -type f -print
 am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
  | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
-distcleancheck_listfiles = find . -type f -print
+distcleancheck_listfiles = \
  find . \( -type f -a \! \
            \( -name .nfs* -o -name .smb* -o -name .__afs* \) \) -print
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
 AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AM_DISTCHECK_CONFIGURE_FLAGS = @AM_DISTCHECK_CONFIGURE_FLAGS@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -224,6 +236,8 @@ AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
 CMOCKA_LIBS = @CMOCKA_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CSCOPE = @CSCOPE@
@@ -242,6 +256,7 @@ EGREP = @EGREP@
 ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 FILECMD = @FILECMD@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
@@ -257,9 +272,15 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LIBACL = @LIBACL@
 LIBADD_DL = @LIBADD_DL@
 LIBADD_DLD_LINK = @LIBADD_DLD_LINK@
 LIBADD_DLOPEN = @LIBADD_DLOPEN@
 LIBADD_SHL_LOAD = @LIBADD_SHL_LOAD@
 LIBATTR = @LIBATTR@
 LIBAUDIT = @LIBAUDIT@
-LIBCRACK = @LIBCRACK@
+LIBBSD = @LIBBSD@
 LIBBSD_CFLAGS = @LIBBSD_CFLAGS@
 LIBBSD_LIBS = @LIBBSD_LIBS@
 LIBCRYPT = @LIBCRYPT@
 LIBECONF = @LIBECONF@
 LIBICONV = @LIBICONV@
@@ -275,14 +296,16 @@ LIBSUBID_ABI = @LIBSUBID_ABI@
 LIBSUBID_ABI_MAJOR = @LIBSUBID_ABI_MAJOR@
 LIBSUBID_ABI_MICRO = @LIBSUBID_ABI_MICRO@
 LIBSUBID_ABI_MINOR = @LIBSUBID_ABI_MINOR@
 LIBSYSTEMD = @LIBSYSTEMD@
 LIBTCB = @LIBTCB@
 LIBTOOL = @LIBTOOL@
 LIPO = @LIPO@
 LIYESCRYPT = @LIYESCRYPT@
 LN_S = @LN_S@
 LTLIBICONV = @LTLIBICONV@
 LTLIBINTL = @LTLIBINTL@
 LTLIBOBJS = @LTLIBOBJS@
 LT_DLLOADERS = @LT_DLLOADERS@
 LT_DLPREOPEN = @LT_DLPREOPEN@
 LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
 MAINT = @MAINT@
 MAKEINFO = @MAKEINFO@
@@ -305,6 +328,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 POSUB = @POSUB@
 RANLIB = @RANLIB@
 SED = @SED@
@@ -320,8 +346,6 @@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
@@ -332,8 +356,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
 am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -376,9 +402,11 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-EXTRA_DIST = NEWS README TODO shadow.spec.in
+ACLOCAL_AMFLAGS = -I m4
-SUBDIRS = libmisc lib $(am__append_1) src po contrib doc etc \
+SUBDIRS = lib $(am__append_1) src po doc etc tests/unit \
 	$(am__append_2)
 CLEANFILES = man/8.out man/po/remove-potcdate.* man/*/login.defs.d man/*/*.mo
 EXTRA_DIST = NEWS README tests/
 all: config.h
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
@@ -422,19 +450,17 @@ config.h: stamp-h1
 	@test -f $@ || $(MAKE) $(AM_MAKEFLAGS) stamp-h1
 stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
-	@rm -f stamp-h1
+	$(AM_V_at)rm -f stamp-h1
-	cd $(top_builddir) && $(SHELL) ./config.status config.h
+	$(AM_V_GEN)cd $(top_builddir) && $(SHELL) ./config.status config.h
 $(srcdir)/config.h.in: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) 
-	($(am__cd) $(top_srcdir) && $(AUTOHEADER))
+	$(AM_V_GEN)($(am__cd) $(top_srcdir) && $(AUTOHEADER))
-	rm -f stamp-h1
+	$(AM_V_at)rm -f stamp-h1
-	touch $@
+	$(AM_V_at)touch $@
 distclean-hdr:
 	-rm -f config.h stamp-h1
 man/po/Makefile: $(top_builddir)/config.status $(top_srcdir)/man/po/Makefile.in
 	cd $(top_builddir) && $(SHELL) ./config.status $@
 shadow.spec: $(top_builddir)/config.status $(srcdir)/shadow.spec.in
 	cd $(top_builddir) && $(SHELL) ./config.status $@
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -550,12 +576,13 @@ cscopelist-am: $(am__tagged_files)
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 	-rm -f cscope.out cscope.in.out cscope.po.out cscope.files
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 distdir-am: $(DISTFILES)
 	$(am__remove_distdir)
-	test -d "$(distdir)" || mkdir "$(distdir)"
+	$(AM_V_at)$(MKDIR_P) "$(distdir)"
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -610,6 +637,9 @@ distdir-am: $(DISTFILES)
 	      || exit 1; \
 	  fi; \
 	done
 	$(MAKE) $(AM_MAKEFLAGS) \
 	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
 	  dist-hook
 	-test -n "$(am__skip_mode_fix)" \
 	|| find "$(distdir)" -type d ! -perm -755 \
 		-exec chmod u+rwx,go+rx {} \; -o \
@@ -625,6 +655,10 @@ dist-bzip2: distdir
 	tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
 	$(am__post_remove_distdir)
 dist-bzip3: distdir
 	tardir=$(distdir) && $(am__tar) | bzip3 -c >$(distdir).tar.bz3
 	$(am__post_remove_distdir)
 dist-lzip: distdir
 	tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
 	$(am__post_remove_distdir)
@@ -665,9 +699,11 @@ dist dist-all:
 distcheck: dist
 	case '$(DIST_ARCHIVES)' in \
 	*.tar.gz*) \
-	  eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).tar.gz | $(am__untar) ;;\
+	  eval GZIP= gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
 	*.tar.bz2*) \
 	  bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
 	*.tar.bz3*) \
 	  bzip3 -dc $(distdir).tar.bz3 | $(am__untar) ;;\
 	*.tar.lz*) \
 	  lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
 	*.tar.xz*) \
@@ -675,7 +711,7 @@ distcheck: dist
 	*.tar.Z*) \
 	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
 	*.shar.gz*) \
-	  eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\
+	  eval GZIP= gzip -dc $(distdir).shar.gz | unshar ;;\
 	*.zip*) \
 	  unzip $(distdir).zip ;;\
 	*.tar.zst*) \
@@ -773,10 +809,11 @@ install-strip:
 mostlyclean-generic:
 clean-generic:
 	-$(am__rm_f) $(CLEANFILES)
 distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -856,9 +893,9 @@ uninstall-am:
 .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
 	am--refresh check check-am clean clean-cscope clean-generic \
 	clean-libtool cscope cscopelist-am ctags ctags-am dist \
-	dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \
+	dist-all dist-bzip2 dist-bzip3 dist-gzip dist-hook dist-lzip \
-	dist-xz dist-zip dist-zstd distcheck distclean \
+	dist-shar dist-tarZ dist-xz dist-zip dist-zstd distcheck \
-	distclean-generic distclean-hdr distclean-libtool \
+	distclean distclean-generic distclean-hdr distclean-libtool \
 	distclean-tags distcleancheck distdir distuninstallcheck dvi \
 	dvi-am html html-am info info-am install install-am \
 	install-data install-data-am install-dvi install-dvi-am \
@@ -873,6 +910,23 @@ uninstall-am:
 .PRECIOUS: Makefile
 dist-hook:
 	chmod -R u+w $(distdir)/tests
 	chmod u+w $(distdir)
 	mv $(distdir)/tests/unit $(distdir)/realunittest
 	mv $(distdir)/tests/tests $(distdir)/realtests
 	rm -rf $(distdir)/tests
 	mv $(distdir)/realtests $(distdir)/tests
 	rm -rf $(distdir)/tests/unit $(distdir)/tests/Makefile*
 	mv $(distdir)/realunittest $(distdir)/tests/unit
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
 # Tell GNU make to disable its built-in pattern rules.
 %:: %,v
 %:: RCS/%,v
 %:: RCS/%
 %:: s.%
 %:: SCCS/s.%
--- a/14
+++ b/14
@@ -696,7 +696,7 @@ shadow-4.0.18 -> shadow-4.0.18.1					03-08-2006
 shadow-4.0.17 -> shadow-4.0.18						01-08-2006
 *** general:
- su: fixed set enviroment too early when using PAM, so move it to !USE_PAM
+- su: fixed set environment too early when using PAM, so move it to !USE_PAM
  (patch submitted by Mike Frysinger <vapier@gentoo.org>),
 - groupadd, groupmod, useradd, usermod: fixed UID/GID overflow (fixed
  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198920)
@@ -855,7 +855,7 @@ shadow-4.0.14 -> shadow-4.0.15						13-03-2006
 - su: move exit() outside libmisc/shell.c::shell() for handle shell() errors
  on higher level (now is better visable where some programs exit with 126
  and 127 exit codes); added new shell() parameter (char *const envp[])
-  which allow fix preserving enviroment in su on using -p, (patch by
+  which allow fix preserving environment in su on using -p, (patch by
  Alexander Gattin <xrgtn@yandex.ru>),
 - su: added handle -c,--command option for GNU su compliance (merge
  437_su_-c_option Debian patch),
@@ -966,7 +966,7 @@ shadow-4.0.12 -> shadow-4.0.13						10-10-2005
  to example described in ident(1) man page (modern compilers like latest GCC
  removes not used functions by global optimization).
  So "ident /usr/bin/passwd" will show again some useable informations
- su: fixed twice copy enviroment which causes auth problems
+- su: fixed twice copy environment which causes auth problems
  (bug was introduced in 4.0.12; fix by Nicolas François <nicolas.francois@centraliens.net>),
 - chage: differentiate the different failure causes by the exit value
  This will permit to adduser Debian script to detect if chage failed because the
@@ -1133,7 +1133,7 @@ shadow-4.0.9 -> shadow-4.0.10						28-06-2005
  http://bugs.debian.org/53702
 - login: check for hushed login and pass PAM_SILENT if true,
  http://bugs.debian.org/48002
- login: fixed username on succesful login (was using the normal username,
+- login: fixed username on successful login (was using the normal username,
  when it should have used pam_user) http://bugs.debian.org/47819
 - remove using SHADOWPWD #define so now shadow is always built with shadow
  password support,
@@ -1212,7 +1212,7 @@ shadow-4.0.7 -> shadow-4.0.8						26-04-2005
  (without gshadow) doesn't permit to use newgrp,
 - newgrp(1): newgrp uses /bin/sh (not bash),
 - faillog(8): updated after rewritten faillog command for use getopt_long(),
- login(1): removed fragment about abilities pass enviroment variables in login prompt,
+- login(1): removed fragment about abilities pass environment variables in login prompt,
 - gshadow(5): new file (by Nicolas Nicolas François <nicolas.francois@centraliens.net>),
 - usermod(8): fixed #302388 Debian bug: added separated -o option description,
@@ -1242,7 +1242,7 @@ shadow-4.0.6 -> shadow-4.0.7						26-01-2005
 shadow-4.0.5 -> shadow-4.0.6						08-11-2004
- su: fixed adding of pam_env env variables to enviroment
+- su: fixed adding of pam_env env variables to environment
  (Martin Schlemmer <azarah@nosferatu.za.org>),
 - autoconf: fixed filling MAIL_SPOOL_DIR and MAIL_SPOOL_FILE variables
  which was always empty (Gregorio Guidi <g.guidi@sns.it>),
@@ -1275,7 +1275,7 @@ shadow-4.0.4.1 -> shadow-4.0.5						27-10-2004
  including symlinks placed into /etc/skel/public_html for example.
  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=66819
 - su: add pam_open_session() support. If built without PAM support
-  propagate $DISPLAY and $XAUTHORITY enviroment variables.
+  propagate $DISPLAY and $XAUTHORITY environment variables.
  Based on http://www.gentoo.org/cgi-bin/viewcvs.cgi/sys-apps/shadow/files/shadow-4.0.4.1-su-pam_open_session.patch?rev=1.1
 - applied 036_pam_access_with_preauth.patch Debian patch submited by Bjorn
  Torkelsson <Bjorn.Torkelsson@hpc2n.umu.se>: add support for PAM account
--- a/11
+++ b/11
@@ -17,6 +17,12 @@ are used for managing group accounts.
 * [Issue tracker](https://github.com/shadow-maint/shadow/issues)
 * [Releases](https://github.com/shadow-maint/shadow/releases)
 ## Code
 The main development branch is at [https://github.com/shadow-maint/shadow.git](https://github.com/shadow-maint/shadow)
 See [STABLE.md](https://github.com/shadow-maint/shadow/blob/master/STABLE.md) for a list of supported stable branches.
 ## Contacts
 There are several ways to contact us:
 * [the general discussion mailing list](
@@ -31,6 +37,11 @@ There are several ways to contact us:
  https://alioth-lists-archive.debian.net/pipermail/pkg-shadow-commits/),
  only used for historical purposes
 ## Contributions
 Contributions are welcome. Follow the
 [guidelines](doc/contributions/introduction.md) before posting any patches.
 ## Authors and maintainers
 Authors and maintainers are listed in [AUTHORS.md](
 https://github.com/shadow-maint/shadow/blob/master/AUTHORS.md).
--- a/127
+++ b/127
@@ -1,127 +0,0 @@
 * Create a common usage function that'd take the array of
   long options and an array of descriptions and output that so things would
   be standardized across the utils.
   Usage strings should be normalized and split first.
   Investigate optparse.
 /etc/default/useradd
 * GROUP=1000 should accept a group name.
 Check when RLOGIN is enabled if ruserok() exists
 Move selinux_file_context out of libmisc/copydir.c
 Review hardcoded root account?
 review all call to strto
 libmisc/cleanup_user.c
 	cleanup needed (cleanup_report_add_user* not used)
 libxcrypt support
 * http://wiki.linuxfromscratch.org/patches/browser/trunk/shadow/shadow-4.0.18.1-owl_blowfish-1.patch
 implement getlong, getulong.
 	avoid atoi, atol, atoul, strtol, strtoul, ...
 manpages: comment the RLOGIN parts
 Replace build_list (in lib/gshadow.c) and list (in lib/sgetgrent.c) by
 comma_to_list()
 Revert the modified files if all files could not be changed.
  * or warn and indicate which files were modified and which were not.
  * check the order the files are modified.
 report nscd_flush_cache failures?
 call nscd from the programs or from lib (commonio?)
 PAM: check if a non-interactive conversation function could be used to set
 the password in chpasswd and newusers
 WITH_SELINUX
  - review all tools to check that the strategies are consistent
 chage, chfn, chsh: same change needed as in passwd.
  - probably need moving check_selinux_access to a separate file.
 testsuite
 - newgrp
   - test with unknown user's GID
 newusers
 - add logging to SYSLOG & AUDIT
 - use CREATE_HOME
 - Add a -Z option (see useradd / usermod)
 Document when/where option appeared, document whether an option is standard
 or not.
 Check all the expiry semantics
 ALL:
 - move base passwd/shadow/group/gshadow operation to module for allow write
  different backend modules for db, NIS, LDAP and others. Default backend it
  will be goot if will be chosen depending on /etc/nsswitch.conf and allow
  override this by -r <repository> options (where the <repository> can be
  file, db, nis nisplus, ldap .. like on /etc/nsswitch.conf in service column).
  passwd have old piece of code with handling -r option and it will be good
  finish this and propagate on other shadow tools for allow operate on other
  user databases by well known tools.
 - Protect against signals. Register do_cleanups in a signal handler.
 - login.defs
  - generate depending on configuration
 - useradd:
  - add handle create user mail spool in maildir format.
  - Add support for -k in -D mode
  - Add support for -K in -D mode
  - Add option to create or not the mail spool (and set the default in -D
    mode)
  - Change -l to reset the entry if an entry was already there
  - set the mask in mkdir?
 - userdel:
  - add backup option for the removal of user resources,
  - user_busy: check that the user is not running any processes.
  - missing "deleting group" FAILED
  - home dir removed, but userdel may fail and may leave the user
    => warning needed
 - usermod
  - add an option equivalent to useradd's -l (only when uid is changed)
  - the mode of new home directories should be set according to the
    original mode. Does copy_tree does this?
  - user renamed, order is not kept in /etc/group (see
    47_usermod-l_no_shadow_file). This is a problem when the first user is
    considered as the admin.
  - see mail "user ID change" on  April, 15
    + fix call to chown (combination of -m and -u/-g)
    + add tests
 - passwd:
  - check combination of options (e.g. -u/-l)
  - when -u refuse to unlock because it would create an empty password, it
    should not display "Password changed."
    exit instead?
 - newgrp: check the USE_PAM section.
 - pwck
  - Add check to move passwd passwords to shadow if there is a shadow
    entry (with a password).
  - Add check to move passwd passwords to shadow if there is a shadow
    file.
  - Support an alternative /etc/tcb directory as second parameter.
  - add options -g / -G to specify alternative group / gshadow files
 - su
  - add a login.defs configuration parameter to add variables to keep in
    the environment with "su -l" (TERM/TERMCOLOR/...)
 - vipw
  - set ACLs and XATTRs on the temporary file (and backups?)
  - vipw + selinux -> use lib/selinux.c
--- a/aclocal.m4
+++ b/aclocal.m4
--- a/build-aux/compile
+++ b/build-aux/compile
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Wrapper for compilers which do not understand '-c -o'.
-scriptversion=2018-03-07.03; # UTC
+scriptversion=2025-06-18.21; # UTC
-# Copyright (C) 1999-2021 Free Software Foundation, Inc.
+# Copyright (C) 1999-2025 Free Software Foundation, Inc.
 # Written by Tom Tromey <tromey@cygnus.com>.
 #
 # This program is free software; you can redistribute it and/or modify
@@ -37,11 +37,11 @@ IFS=" ""	$nl"
 file_conv=
-# func_file_conv build_file lazy
+# func_file_conv build_file unneeded_conversions
 # Convert a $build file to $host form and store it in $file
 # Currently only supports Windows hosts. If the determined conversion
-# type is listed in (the comma separated) LAZY, no conversion will
+# type is listed in (the comma separated) UNNEEDED_CONVERSIONS, no
-# take place.
+# conversion will take place.
 func_file_conv ()
 {
  file=$1
@@ -51,9 +51,20 @@ func_file_conv ()
 	# lazily determine how to convert abs files
 	case `uname -s` in
 	  MINGW*)
-	    file_conv=mingw
+	    if test -n "$MSYSTEM" && (cygpath --version) >/dev/null 2>&1; then
 	      # MSYS2 environment.
 	      file_conv=cygwin
 	    else
 	      # Original MinGW environment.
 	      file_conv=mingw
 	    fi
 	    ;;
-	  CYGWIN* | MSYS*)
+	  MSYS*)
 	    # Old MSYS environment, or MSYS2 with 32-bit MSYS2 shell.
 	    file_conv=cygwin
 	    ;;
 	  CYGWIN*)
 	    # Cygwin environment.
 	    file_conv=cygwin
 	    ;;
 	  *)
@@ -63,12 +74,14 @@ func_file_conv ()
      fi
      case $file_conv/,$2, in
 	*,$file_conv,*)
 	  # This is the optimization mentioned above:
 	  # If UNNEEDED_CONVERSIONS contains $file_conv, don't convert.
 	  ;;
 	mingw/*)
 	  file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
 	  ;;
-	cygwin/* | msys/*)
+	cygwin/*)
-	  file=`cygpath -m "$file" || echo "$file"`
+	  file=`cygpath -w "$file" || echo "$file"`
 	  ;;
 	wine/*)
 	  file=`winepath -w "$file" || echo "$file"`
@@ -143,7 +156,7 @@ func_cl_wrapper ()
 	  # configure might choose to run compile as 'compile cc -o foo foo.c'.
 	  eat=1
 	  case $2 in
-	    *.o | *.[oO][bB][jJ])
+	    *.o | *.lo | *.[oO][bB][jJ])
 	      func_file_conv "$2"
 	      set x "$@" -Fo"$file"
 	      shift
@@ -248,14 +261,17 @@ If you are trying to build a whole package this is not the
 right script to run: please start by reading the file 'INSTALL'.
 Report bugs to <bug-automake@gnu.org>.
 GNU Automake home page: <https://www.gnu.org/software/automake/>.
 General help using GNU software: <https://www.gnu.org/gethelp/>.
 EOF
    exit $?
    ;;
  -v | --v*)
-    echo "compile $scriptversion"
+    echo "compile (GNU Automake) $scriptversion"
    exit $?
    ;;
  cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \
  clang-cl | *[/\\]clang-cl | clang-cl.exe | *[/\\]clang-cl.exe | \
  icl | *[/\\]icl | icl.exe | *[/\\]icl.exe )
    func_cl_wrapper "$@"      # Doesn't return...
    ;;
@@ -340,9 +356,9 @@ exit $ret
 # Local Variables:
 # mode: shell-script
 # sh-indentation: 2
-# eval: (add-hook 'before-save-hook 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp nil t)
 # time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-format: "%Y-%02m-%02d.%02H"
 # time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
--- a/build-aux/config.guess
+++ b/build-aux/config.guess
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
-#   Copyright 1992-2022 Free Software Foundation, Inc.
+#   Copyright 1992-2024 Free Software Foundation, Inc.
 # shellcheck disable=SC2006,SC2268 # see below for rationale
-timestamp='2022-01-09'
+timestamp='2024-07-27'
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -47,7 +47,7 @@ me=`echo "$0" | sed -e 's,.*/,,'`
 usage="\
 Usage: $0 [OPTION]
-Output the configuration name of the system \`$me' is run on.
+Output the configuration name of the system '$me' is run on.
 Options:
  -h, --help         print this help, then exit
@@ -60,13 +60,13 @@ version="\
 GNU config.guess ($timestamp)
 Originally written by Per Bothner.
-Copyright 1992-2022 Free Software Foundation, Inc.
+Copyright 1992-2024 Free Software Foundation, Inc.
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
 help="
-Try \`$me --help' for more information."
+Try '$me --help' for more information."
 # Parse command line
 while test $# -gt 0 ; do
@@ -102,8 +102,8 @@ GUESS=
 # temporary files to be created and, as you can see below, it is a
 # headache to deal with in a portable fashion.
-# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
+# Historically, 'CC_FOR_BUILD' used to be named 'HOST_CC'. We still
-# use `HOST_CC' if defined, but it is deprecated.
+# use 'HOST_CC' if defined, but it is deprecated.
 # Portable tmp directory creation inspired by the Autoconf team.
@@ -123,7 +123,7 @@ set_cc_for_build() {
    dummy=$tmp/dummy
    case ${CC_FOR_BUILD-},${HOST_CC-},${CC-} in
 	,,)    echo "int x;" > "$dummy.c"
-	       for driver in cc gcc c89 c99 ; do
+	       for driver in cc gcc c17 c99 c89 ; do
 		   if ($driver -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then
 		       CC_FOR_BUILD=$driver
 		       break
@@ -155,6 +155,9 @@ Linux|GNU|GNU/*)
 	set_cc_for_build
 	cat <<-EOF > "$dummy.c"
 	#if defined(__ANDROID__)
 	LIBC=android
 	#else
 	#include <features.h>
 	#if defined(__UCLIBC__)
 	LIBC=uclibc
@@ -162,6 +165,8 @@ Linux|GNU|GNU/*)
 	LIBC=dietlibc
 	#elif defined(__GLIBC__)
 	LIBC=gnu
 	#elif defined(__LLVM_LIBC__)
 	LIBC=llvm
 	#else
 	#include <stdarg.h>
 	/* First heuristic to detect musl libc.  */
@@ -169,6 +174,7 @@ Linux|GNU|GNU/*)
 	LIBC=musl
 	#endif
 	#endif
 	#endif
 	EOF
 	cc_set_libc=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
 	eval "$cc_set_libc"
@@ -459,7 +465,7 @@ case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in
 		UNAME_RELEASE=`uname -v`
 		;;
 	esac
-	# Japanese Language versions have a version number like `4.1.3-JL'.
+	# Japanese Language versions have a version number like '4.1.3-JL'.
 	SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/-/_/'`
 	GUESS=sparc-sun-sunos$SUN_REL
 	;;
@@ -628,7 +634,8 @@ EOF
 		sed 's/^		//' << EOF > "$dummy.c"
 		#include <sys/systemcfg.h>
-		main()
+		int
 		main ()
 			{
 			if (!__power_pc())
 				exit(1);
@@ -712,7 +719,8 @@ EOF
 		#include <stdlib.h>
 		#include <unistd.h>
-		int main ()
+		int
 		main ()
 		{
 		#if defined(_SC_KERNEL_BITS)
 		    long bits = sysconf(_SC_KERNEL_BITS);
@@ -904,7 +912,7 @@ EOF
 	fi
 	;;
    *:FreeBSD:*:*)
-	UNAME_PROCESSOR=`/usr/bin/uname -p`
+	UNAME_PROCESSOR=`uname -p`
 	case $UNAME_PROCESSOR in
 	    amd64)
 		UNAME_PROCESSOR=x86_64 ;;
@@ -966,11 +974,37 @@ EOF
 	GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'`
 	GUESS=$UNAME_MACHINE-unknown-$GNU_SYS$GNU_REL-$LIBC
 	;;
    x86_64:[Mm]anagarm:*:*|i?86:[Mm]anagarm:*:*)
 	GUESS="$UNAME_MACHINE-pc-managarm-mlibc"
 	;;
    *:[Mm]anagarm:*:*)
 	GUESS="$UNAME_MACHINE-unknown-managarm-mlibc"
 	;;
    *:Minix:*:*)
 	GUESS=$UNAME_MACHINE-unknown-minix
 	;;
    aarch64:Linux:*:*)
-	GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
+	set_cc_for_build
 	CPU=$UNAME_MACHINE
 	LIBCABI=$LIBC
 	if test "$CC_FOR_BUILD" != no_compiler_found; then
 	    ABI=64
 	    sed 's/^	    //' << EOF > "$dummy.c"
 	    #ifdef __ARM_EABI__
 	    #ifdef __ARM_PCS_VFP
 	    ABI=eabihf
 	    #else
 	    ABI=eabi
 	    #endif
 	    #endif
 EOF
 	    cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'`
 	    eval "$cc_set_abi"
 	    case $ABI in
 		eabi | eabihf) CPU=armv8l; LIBCABI=$LIBC$ABI ;;
 	    esac
 	fi
 	GUESS=$CPU-unknown-linux-$LIBCABI
 	;;
    aarch64_be:Linux:*:*)
 	UNAME_MACHINE=aarch64_be
@@ -1036,7 +1070,16 @@ EOF
    k1om:Linux:*:*)
 	GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
 	;;
-    loongarch32:Linux:*:* | loongarch64:Linux:*:* | loongarchx32:Linux:*:*)
+    kvx:Linux:*:*)
 	GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
 	;;
    kvx:cos:*:*)
 	GUESS=$UNAME_MACHINE-unknown-cos
 	;;
    kvx:mbr:*:*)
 	GUESS=$UNAME_MACHINE-unknown-mbr
 	;;
    loongarch32:Linux:*:* | loongarch64:Linux:*:*)
 	GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
 	;;
    m32r*:Linux:*:*)
@@ -1151,16 +1194,27 @@ EOF
 	;;
    x86_64:Linux:*:*)
 	set_cc_for_build
 	CPU=$UNAME_MACHINE
 	LIBCABI=$LIBC
 	if test "$CC_FOR_BUILD" != no_compiler_found; then
-	    if (echo '#ifdef __ILP32__'; echo IS_X32; echo '#endif') | \
+	    ABI=64
-		(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
+	    sed 's/^	    //' << EOF > "$dummy.c"
-		grep IS_X32 >/dev/null
+	    #ifdef __i386__
-	    then
+	    ABI=x86
-		LIBCABI=${LIBC}x32
+	    #else
-	    fi
+	    #ifdef __ILP32__
 	    ABI=x32
 	    #endif
 	    #endif
 EOF
 	    cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'`
 	    eval "$cc_set_abi"
 	    case $ABI in
 		x86) CPU=i686 ;;
 		x32) LIBCABI=${LIBC}x32 ;;
 	    esac
 	fi
-	GUESS=$UNAME_MACHINE-pc-linux-$LIBCABI
+	GUESS=$CPU-pc-linux-$LIBCABI
 	;;
    xtensa*:Linux:*:*)
 	GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
@@ -1180,7 +1234,7 @@ EOF
 	GUESS=$UNAME_MACHINE-pc-sysv4.2uw$UNAME_VERSION
 	;;
    i*86:OS/2:*:*)
-	# If we were able to find `uname', then EMX Unix compatibility
+	# If we were able to find 'uname', then EMX Unix compatibility
 	# is probably installed.
 	GUESS=$UNAME_MACHINE-pc-os2-emx
 	;;
@@ -1321,7 +1375,7 @@ EOF
 		GUESS=ns32k-sni-sysv
 	fi
 	;;
-    PENTIUM:*:4.0*:*)	# Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+    PENTIUM:*:4.0*:*)	# Unisys 'ClearPath HMP IX 4000' SVR4/MP effort
 			# says <Richard.M.Bartel@ccMail.Census.GOV>
 	GUESS=i586-unisys-sysv4
 	;;
@@ -1367,8 +1421,11 @@ EOF
    BePC:Haiku:*:*)	# Haiku running on Intel PC compatible.
 	GUESS=i586-pc-haiku
 	;;
-    x86_64:Haiku:*:*)
+    ppc:Haiku:*:*)	# Haiku running on Apple PowerPC
-	GUESS=x86_64-unknown-haiku
+	GUESS=powerpc-apple-haiku
 	;;
    *:Haiku:*:*)	# Haiku modern gcc (not bound by BeOS compat)
 	GUESS=$UNAME_MACHINE-unknown-haiku
 	;;
    SX-4:SUPER-UX:*:*)
 	GUESS=sx4-nec-superux$UNAME_RELEASE
@@ -1540,6 +1597,9 @@ EOF
    *:Unleashed:*:*)
 	GUESS=$UNAME_MACHINE-unknown-unleashed$UNAME_RELEASE
 	;;
    *:Ironclad:*:*)
 	GUESS=$UNAME_MACHINE-unknown-ironclad
 	;;
 esac
 # Do we have a guess based on uname results?
@@ -1563,6 +1623,7 @@ cat > "$dummy.c" <<EOF
 #endif
 #endif
 #endif
 int
 main ()
 {
 #if defined (sony)
--- a/build-aux/config.rpath
+++ b/build-aux/config.rpath
--- a/build-aux/config.sub
+++ b/build-aux/config.sub
--- a/build-aux/depcomp
+++ b/build-aux/depcomp
@@ -1,9 +1,9 @@
 #! /bin/sh
 # depcomp - compile a program generating dependencies as side-effects
-scriptversion=2018-03-07.03; # UTC
+scriptversion=2025-06-18.21; # UTC
-# Copyright (C) 1999-2021 Free Software Foundation, Inc.
+# Copyright (C) 1999-2025 Free Software Foundation, Inc.
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -47,11 +47,13 @@ Environment variables:
  libtool     Whether libtool is used (yes/no).
 Report bugs to <bug-automake@gnu.org>.
 GNU Automake home page: <https://www.gnu.org/software/automake/>.
 General help using GNU software: <https://www.gnu.org/gethelp/>.
 EOF
    exit $?
    ;;
  -v | --v*)
-    echo "depcomp $scriptversion"
+    echo "depcomp (GNU Automake) $scriptversion"
    exit $?
    ;;
 esac
@@ -113,7 +115,6 @@ nl='
 # These definitions help.
 upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
 lower=abcdefghijklmnopqrstuvwxyz
 digits=0123456789
 alpha=${upper}${lower}
 if test -z "$depmode" || test -z "$source" || test -z "$object"; then
@@ -128,7 +129,7 @@ tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
 rm -f "$tmpdepfile"
-# Avoid interferences from the environment.
+# Avoid interference from the environment.
 gccflag= dashmflag=
 # Some modes work just like other modes, but use different flags.  We
@@ -198,8 +199,8 @@ gcc3)
  ;;
 gcc)
-## Note that this doesn't just cater to obsosete pre-3.x GCC compilers.
+## Note that this doesn't just cater to obsolete pre-3.x GCC compilers.
-## but also to in-use compilers like IMB xlc/xlC and the HP C compiler.
+## but also to in-use compilers like IBM xlc/xlC and the HP C compiler.
 ## (see the conditional assignment to $gccflag above).
 ## There are various ways to get dependency output from gcc.  Here's
 ## why we pick this rather obscure method:
@@ -783,9 +784,9 @@ exit 0
 # Local Variables:
 # mode: shell-script
 # sh-indentation: 2
-# eval: (add-hook 'before-save-hook 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp nil t)
 # time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-format: "%Y-%02m-%02d.%02H"
 # time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
--- a/build-aux/install-sh
+++ b/build-aux/install-sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # install - install a program, script, or datafile
-scriptversion=2020-11-14.01; # UTC
+scriptversion=2025-06-18.21; # UTC
 # This originates from X11R5 (mit/util/scripts/install.sh), which was
 # later released in X11R6 (xc/config/util/install.sh) with the
@@ -124,9 +124,9 @@ it's up to you to specify -f if you want it.
 If -S is not specified, no backups are attempted.
-Email bug reports to bug-automake@gnu.org.
+Report bugs to <bug-automake@gnu.org>.
-Automake home page: https://www.gnu.org/software/automake/
+GNU Automake home page: <https://www.gnu.org/software/automake/>.
-"
+General help using GNU software: <https://www.gnu.org/gethelp/>."
 while test $# -ne 0; do
  case $1 in
@@ -170,7 +170,7 @@ while test $# -ne 0; do
    -T) is_target_a_directory=never;;
-    --version) echo "$0 $scriptversion"; exit $?;;
+    --version) echo "$0 (GNU Automake) $scriptversion"; exit $?;;
    --) shift
        break;;
@@ -345,7 +345,7 @@ do
 	' 0
 	# Because "mkdir -p" follows existing symlinks and we likely work
-	# directly in world-writeable /tmp, make sure that the '$tmpdir'
+	# directly in world-writable /tmp, make sure that the '$tmpdir'
 	# directory is successfully created first before we actually test
 	# 'mkdir -p'.
 	if (umask $mkdir_umask &&
@@ -353,7 +353,7 @@ do
 	    exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
 	then
 	  if test -z "$dir_arg" || {
-	       # Check for POSIX incompatibilities with -m.
+	       # Check for POSIX incompatibility with -m.
 	       # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
 	       # other-writable bit of parent directory when it shouldn't.
 	       # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
@@ -533,9 +533,9 @@ do
 done
 # Local variables:
-# eval: (add-hook 'before-save-hook 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp nil t)
 # time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-format: "%Y-%02m-%02d.%02H"
 # time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
--- a/build-aux/ltmain.sh
+++ b/build-aux/ltmain.sh
--- a/build-aux/missing
+++ b/build-aux/missing
@@ -1,9 +1,11 @@
 #! /bin/sh
-# Common wrapper for a few potentially missing GNU programs.
+# Common wrapper for a few potentially missing GNU and other programs.
-scriptversion=2018-03-07.03; # UTC
+scriptversion=2025-06-18.21; # UTC
-# Copyright (C) 1996-2021 Free Software Foundation, Inc.
+# shellcheck disable=SC2006,SC2268 # we must support pre-POSIX shells
 # Copyright (C) 1996-2025 Free Software Foundation, Inc.
 # Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
 # This program is free software; you can redistribute it and/or modify
@@ -54,18 +56,20 @@ Options:
  -v, --version   output version information and exit
 Supported PROGRAM values:
-  aclocal   autoconf  autoheader   autom4te  automake  makeinfo
+aclocal autoconf autogen  autoheader autom4te automake autoreconf
-  bison     yacc      flex         lex       help2man
+bison   flex     help2man lex        makeinfo perl     yacc
 Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
 'g' are ignored when checking the name.
-Send bug reports to <bug-automake@gnu.org>."
+Report bugs to <bug-automake@gnu.org>.
 GNU Automake home page: <https://www.gnu.org/software/automake/>.
 General help using GNU software: <https://www.gnu.org/gethelp/>."
    exit $?
    ;;
  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
-    echo "missing $scriptversion (GNU Automake)"
+    echo "missing (GNU Automake) $scriptversion"
    exit $?
    ;;
@@ -108,7 +112,7 @@ gnu_software_URL=https://www.gnu.org/software
 program_details ()
 {
  case $1 in
-    aclocal|automake)
+    aclocal|automake|autoreconf)
      echo "The '$1' program is part of the GNU Automake package:"
      echo "<$gnu_software_URL/automake>"
      echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:"
@@ -123,6 +127,9 @@ program_details ()
      echo "<$gnu_software_URL/m4/>"
      echo "<$perl_URL>"
      ;;
    *)
      :
      ;;
  esac
 }
@@ -137,48 +144,55 @@ give_advice ()
  printf '%s\n' "'$1' is $msg."
  configure_deps="'configure.ac' or m4 files included by 'configure.ac'"
  autoheader_deps="'acconfig.h'"
  automake_deps="'Makefile.am'"
  aclocal_deps="'acinclude.m4'"
  case $normalized_program in
    aclocal*)
      echo "You should only need it if you modified $aclocal_deps or"
      echo "$configure_deps."
      ;;
    autoconf*)
-      echo "You should only need it if you modified 'configure.ac',"
+      echo "You should only need it if you modified $configure_deps."
-      echo "or m4 files included by it."
+      ;;
-      program_details 'autoconf'
+    autogen*)
      echo "You should only need it if you modified a '.def' or '.tpl' file."
      echo "You may want to install the GNU AutoGen package:"
      echo "<$gnu_software_URL/autogen/>"
      ;;
    autoheader*)
-      echo "You should only need it if you modified 'acconfig.h' or"
+      echo "You should only need it if you modified $autoheader_deps or"
      echo "$configure_deps."
      program_details 'autoheader'
      ;;
    automake*)
-      echo "You should only need it if you modified 'Makefile.am' or"
+      echo "You should only need it if you modified $automake_deps or"
      echo "$configure_deps."
      program_details 'automake'
      ;;
-    aclocal*)
+    autom4te*)
      echo "You should only need it if you modified 'acinclude.m4' or"
      echo "$configure_deps."
      program_details 'aclocal'
      ;;
   autom4te*)
      echo "You might have modified some maintainer files that require"
      echo "the 'autom4te' program to be rebuilt."
-      program_details 'autom4te'
+      ;;
    autoreconf*)
      echo "You should only need it if you modified $aclocal_deps or"
      echo "$automake_deps or $autoheader_deps or $automake_deps or"
      echo "$configure_deps."
      ;;
    bison*|yacc*)
      echo "You should only need it if you modified a '.y' file."
      echo "You may want to install the GNU Bison package:"
      echo "<$gnu_software_URL/bison/>"
      ;;
    lex*|flex*)
      echo "You should only need it if you modified a '.l' file."
      echo "You may want to install the Fast Lexical Analyzer package:"
      echo "<$flex_URL>"
      ;;
    help2man*)
      echo "You should only need it if you modified a dependency" \
           "of a man page."
      echo "You may want to install the GNU Help2man package:"
      echo "<$gnu_software_URL/help2man/>"
    ;;
    lex*|flex*)
      echo "You should only need it if you modified a '.l' file."
      echo "You may want to install the Fast Lexical Analyzer package:"
      echo "<$flex_URL>"
      ;;
    makeinfo*)
      echo "You should only need it if you modified a '.texi' file, or"
      echo "any other file indirectly affecting the aspect of the manual."
@@ -189,6 +203,12 @@ give_advice ()
      echo "want to install GNU make:"
      echo "<$gnu_software_URL/make/>"
      ;;
    perl*)
      echo "You should only need it to run GNU Autoconf, GNU Automake, "
      echo "  assorted other tools, or if you modified a Perl source file."
      echo "You may want to install the Perl 5 language interpreter:"
      echo "<$perl_URL>"
      ;;
    *)
      echo "You might have modified some files without having the proper"
      echo "tools for further handling them.  Check the 'README' file, it"
@@ -197,6 +217,7 @@ give_advice ()
      echo "case some other package contains this missing '$1' program."
      ;;
  esac
  program_details "$normalized_program"
 }
 give_advice "$1" | sed -e '1s/^/WARNING: /' \
@@ -207,9 +228,9 @@ give_advice "$1" | sed -e '1s/^/WARNING: /' \
 exit $st
 # Local variables:
-# eval: (add-hook 'before-save-hook 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp nil t)
 # time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-format: "%Y-%02m-%02d.%02H"
 # time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
--- a/build-aux/test-driver
+++ b/build-aux/test-driver
@@ -0,0 +1,160 @@
 #! /bin/sh
 # test-driver - basic testsuite driver script.
 scriptversion=2025-06-18.21; # UTC
 # Copyright (C) 2011-2025 Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2, or (at your option)
 # any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
 # configuration script generated by Autoconf, you may include it under
 # the same distribution terms that you use for the rest of that program.
 # This file is maintained in Automake, please report
 # bugs to <bug-automake@gnu.org> or send patches to
 # <automake-patches@gnu.org>.
 # Make unconditional expansion of undefined variables an error.  This
 # helps a lot in preventing typo-related bugs.
 set -u
 usage_error ()
 {
  echo "$0: $*" >&2
  print_usage >&2
  exit 2
 }
 print_usage ()
 {
  cat <<END
 Usage:
  test-driver --test-name NAME --log-file PATH --trs-file PATH
              [--expect-failure {yes|no}] [--color-tests {yes|no}]
              [--collect-skipped-logs {yes|no}]
              [--enable-hard-errors {yes|no}] [--]
              TEST-SCRIPT [TEST-SCRIPT-ARGUMENTS]
 The '--test-name', '--log-file' and '--trs-file' options are mandatory.
 See the GNU Automake documentation for information.
 Report bugs to <bug-automake@gnu.org>.
 GNU Automake home page: <https://www.gnu.org/software/automake/>.
 General help using GNU software: <https://www.gnu.org/gethelp/>.
 END
 }
 test_name= # Used for reporting.
 log_file=  # Where to save the output of the test script.
 trs_file=  # Where to save the metadata of the test run.
 expect_failure=no
 color_tests=no
 collect_skipped_logs=yes
 enable_hard_errors=yes
 while test $# -gt 0; do
  case $1 in
  --help) print_usage; exit $?;;
  --version) echo "test-driver (GNU Automake) $scriptversion"; exit $?;;
  --test-name) test_name=$2; shift;;
  --log-file) log_file=$2; shift;;
  --trs-file) trs_file=$2; shift;;
  --color-tests) color_tests=$2; shift;;
  --collect-skipped-logs) collect_skipped_logs=$2; shift;;
  --expect-failure) expect_failure=$2; shift;;
  --enable-hard-errors) enable_hard_errors=$2; shift;;
  --) shift; break;;
  -*) usage_error "invalid option: '$1'";;
   *) break;;
  esac
  shift
 done
 missing_opts=
 test x"$test_name" = x && missing_opts="$missing_opts --test-name"
 test x"$log_file"  = x && missing_opts="$missing_opts --log-file"
 test x"$trs_file"  = x && missing_opts="$missing_opts --trs-file"
 if test x"$missing_opts" != x; then
  usage_error "the following mandatory options are missing:$missing_opts"
 fi
 if test $# -eq 0; then
  usage_error "missing argument"
 fi
 if test $color_tests = yes; then
  # Keep this in sync with 'lib/am/check.am:$(am__tty_colors)'.
  red='[0;31m' # Red.
  grn='[0;32m' # Green.
  lgn='[1;32m' # Light green.
  blu='[1;34m' # Blue.
  mgn='[0;35m' # Magenta.
  std='[m'     # No color.
 else
  red= grn= lgn= blu= mgn= std=
 fi
 do_exit='rm -f $log_file $trs_file; (exit $st); exit $st'
 trap "st=129; $do_exit" 1
 trap "st=130; $do_exit" 2
 trap "st=141; $do_exit" 13
 trap "st=143; $do_exit" 15
 # Test script is run here. We create the file first, then append to it,
 # to ameliorate tests themselves also writing to the log file. Our tests
 # don't, but others can (automake bug#35762).
 : >"$log_file"
 "$@" >>"$log_file" 2>&1
 estatus=$?
 if test $enable_hard_errors = no && test $estatus -eq 99; then
  tweaked_estatus=1
 else
  tweaked_estatus=$estatus
 fi
 case $tweaked_estatus:$expect_failure in
  0:yes) col=$red res=XPASS recheck=yes gcopy=yes;;
  0:*)   col=$grn res=PASS  recheck=no  gcopy=no;;
  77:*)  col=$blu res=SKIP  recheck=no  gcopy=$collect_skipped_logs;;
  99:*)  col=$mgn res=ERROR recheck=yes gcopy=yes;;
  *:yes) col=$lgn res=XFAIL recheck=no  gcopy=yes;;
  *:*)   col=$red res=FAIL  recheck=yes gcopy=yes;;
 esac
 # Report the test outcome and exit status in the logs, so that one can
 # know whether the test passed or failed simply by looking at the '.log'
 # file, without the need of also peaking into the corresponding '.trs'
 # file (automake bug#11814).
 echo "$res $test_name (exit status: $estatus)" >>"$log_file"
 # Report outcome to console.
 echo "${col}${res}${std}: $test_name"
 # Register the test result, and other relevant metadata.
 echo ":test-result: $res" > $trs_file
 echo ":global-test-result: $res" >> $trs_file
 echo ":recheck: $recheck" >> $trs_file
 echo ":copy-in-global-log: $gcopy" >> $trs_file
 # Local Variables:
 # mode: shell-script
 # sh-indentation: 2
 # eval: (add-hook 'before-save-hook 'time-stamp nil t)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%Y-%02m-%02d.%02H"
 # time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
--- a/config.h.in
+++ b/config.h.in
@@ -4,6 +4,12 @@
   authenticate the callers */
 #undef ACCT_TOOLS_SETUID
 /* Define to support lastlog. */
 #undef ENABLE_LASTLOG
 /* Define to manage session support with logind. */
 #undef ENABLE_LOGIND
 /* Define to 1 if translation of program messages to the user's native
   language is requested. */
 #undef ENABLE_NLS
@@ -14,10 +20,6 @@
 /* Path for faillog file. */
 #undef FAILLOG_FILE
 /* Define to the type of elements in the array set by `getgroups'. Usually
   this is either `int' or `gid_t'. */
 #undef GETGROUPS_T
 /* max group name length */
 #undef GROUP_NAME_MAX_LENGTH
@@ -30,7 +32,7 @@
 /* Define to 1 if you have the <acl/libacl.h> header file. */
 #undef HAVE_ACL_LIBACL_H
-/* Define to 1 if you have the `arc4random_buf' function. */
+/* Define to 1 if you have the 'arc4random_buf' function. */
 #undef HAVE_ARC4RANDOM_BUF
 /* Define to 1 if you have the <attr/error_context.h> header file. */
@@ -47,121 +49,77 @@
   the CoreFoundation framework. */
 #undef HAVE_CFPREFERENCESCOPYAPPVALUE
 /* Define to 1 if you have the <crypt.h> header file. */
 #undef HAVE_CRYPT_H
 /* Define if the GNU dcgettext() function is already present or preinstalled.
   */
 #undef HAVE_DCGETTEXT
-/* Define to 1 if you have the declaration of `PAM_DATA_SILENT', and to 0 if
+/* Define to 1 if you have the declaration of 'cygwin_conv_path', and to 0 if
   you don't. */
 #undef HAVE_DECL_CYGWIN_CONV_PATH
 /* Define to 1 if you have the declaration of 'PAM_DATA_SILENT', and to 0 if
   you don't. */
 #undef HAVE_DECL_PAM_DATA_SILENT
-/* Define to 1 if you have the declaration of `PAM_DELETE_CRED', and to 0 if
+/* Define to 1 if you have the declaration of 'PAM_DELETE_CRED', and to 0 if
   you don't. */
 #undef HAVE_DECL_PAM_DELETE_CRED
-/* Define to 1 if you have the declaration of `PAM_ESTABLISH_CRED', and to 0
+/* Define to 1 if you have the declaration of 'PAM_ESTABLISH_CRED', and to 0
   if you don't. */
 #undef HAVE_DECL_PAM_ESTABLISH_CRED
-/* Define to 1 if you have the declaration of `PAM_NEW_AUTHTOK_REQD', and to 0
+/* Define to 1 if you have the declaration of 'PAM_NEW_AUTHTOK_REQD', and to 0
   if you don't. */
 #undef HAVE_DECL_PAM_NEW_AUTHTOK_REQD
 /* Define if you have the GNU dld library. */
 #undef HAVE_DLD
 /* Define to 1 if you have the 'dlerror' function. */
 #undef HAVE_DLERROR
 /* Define to 1 if you have the <dlfcn.h> header file. */
 #undef HAVE_DLFCN_H
-/* Define to 1 if you have the <errno.h> header file. */
+/* Define if you have the _dyld_func_lookup function. */
-#undef HAVE_ERRNO_H
+#undef HAVE_DYLD
-/* Define to 1 if you have the `explicit_bzero' function. */
+/* Define to 1 if you have the 'explicit_bzero' function. */
 #undef HAVE_EXPLICIT_BZERO
-/* Define to 1 if you have the `fchmod' function. */
+/* Defined to 1 if you have the declaration of 'fgetpwent_r' */
-#undef HAVE_FCHMOD
+#undef HAVE_FGETPWENT_R
-/* Define to 1 if you have the `fchown' function. */
+/* Define to 1 if you have the 'getentropy' function. */
 #undef HAVE_FCHOWN
 /* Define to 1 if you have the <fcntl.h> header file. */
 #undef HAVE_FCNTL_H
 /* Define to 1 if you have the `fsync' function. */
 #undef HAVE_FSYNC
 /* Define to 1 if you have the `futimes' function. */
 #undef HAVE_FUTIMES
 /* Define to 1 if you have the `getentropy' function. */
 #undef HAVE_GETENTROPY
-/* Define to 1 if you have the `getgrgid_r' function. */
+/* Define to 1 if you have the 'getrandom' function. */
 #undef HAVE_GETGRGID_R
 /* Define to 1 if you have the `getgrnam_r' function. */
 #undef HAVE_GETGRNAM_R
 /* Define to 1 if you have the `getpwnam_r' function. */
 #undef HAVE_GETPWNAM_R
 /* Define to 1 if you have the `getpwuid_r' function. */
 #undef HAVE_GETPWUID_R
 /* Define to 1 if you have the `getrandom' function. */
 #undef HAVE_GETRANDOM
-/* Define to 1 if you have the `getspnam' function. */
+/* Define to 1 if you have the 'getspnam_r' function. */
 #undef HAVE_GETSPNAM
 /* Define to 1 if you have the `getspnam_r' function. */
 #undef HAVE_GETSPNAM_R
 /* Define if the GNU gettext() function is already present or preinstalled. */
 #undef HAVE_GETTEXT
 /* Define to 1 if you have the `getusershell' function. */
 #undef HAVE_GETUSERSHELL
 /* Define to 1 if you have the `getutent' function. */
 #undef HAVE_GETUTENT
 /* Define to 1 if you have the <gshadow.h> header file. */
 #undef HAVE_GSHADOW_H
 /* Define if you have the iconv() function and it works. */
 #undef HAVE_ICONV
-/* Define to 1 if you have the `initgroups' function. */
+/* Define to 1 if you have the 'innetgr' function. */
 #undef HAVE_INITGROUPS
 /* Define to 1 if you have the `innetgr' function. */
 #undef HAVE_INNETGR
 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
-/* Define to 1 if you have the `l64a' function. */
+/* Define to 1 if you have the 'lckpwdf' function. */
 #undef HAVE_L64A
 /* Define to 1 if you have the <lastlog.h> header file. */
 #undef HAVE_LASTLOG_H
 /* Define to 1 if you have the `lckpwdf' function. */
 #undef HAVE_LCKPWDF
-/* Defined if you have libcrack. */
+/* Define if you have the libdl library or equivalent. */
-#undef HAVE_LIBCRACK
+#undef HAVE_LIBDL
-/* Defined if you have the ts&szs cracklib. */
+/* Define if libdlloader will be built on this platform */
-#undef HAVE_LIBCRACK_HIST
+#undef HAVE_LIBDLLOADER
 /* Defined if it includes *Pw functions. */
 #undef HAVE_LIBCRACK_PW
 /* Define to 1 if you have the <limits.h> header file. */
 #undef HAVE_LIMITS_H
 /* Define to 1 if you have the <linux/btrfs_tree.h> header file. */
 #undef HAVE_LINUX_BTRFS_TREE_H
@@ -172,44 +130,29 @@
 /* Define if struct lastlog has ll_host */
 #undef HAVE_LL_HOST
-/* Define to 1 if you have the <locale.h> header file. */
+/* Define to 1 if you have the 'lutimes' function. */
 #undef HAVE_LOCALE_H
 /* Define to 1 if you have the `lutimes' function. */
 #undef HAVE_LUTIMES
-/* Define to 1 if you have the `memset_s' function. */
+/* Define to 1 if you have the 'memset_explicit' function. */
-#undef HAVE_MEMSET_S
+#undef HAVE_MEMSET_EXPLICIT
 /* Define to 1 if you have the <minix/config.h> header file. */
 #undef HAVE_MINIX_CONFIG_H
-/* Define to 1 if you have the `mkdir' function. */
+/* Define to 1 if you have the 'putgrent' function. */
 #undef HAVE_MKDIR
 /* Define to 1 if you have the <netdb.h> header file. */
 #undef HAVE_NETDB_H
 /* Define to 1 if you have the <paths.h> header file. */
 #undef HAVE_PATHS_H
 /* Define to 1 if you have the `putgrent' function. */
 #undef HAVE_PUTGRENT
-/* Define to 1 if you have the `putpwent' function. */
+/* Define to 1 if you have the 'putpwent' function. */
 #undef HAVE_PUTPWENT
-/* Define to 1 if you have the `putspent' function. */
+/* Define to 1 if you have the 'putspent' function. */
 #undef HAVE_PUTSPENT
-/* Define to 1 if you have the `rename' function. */
+/* Define to 1 if you have the <readpassphrase.h> header file. */
-#undef HAVE_RENAME
+#undef HAVE_READPASSPHRASE_H
-/* Define to 1 if you have the `rmdir' function. */
+/* Define to 1 if you have the 'rpmatch' function. */
-#undef HAVE_RMDIR
+#undef HAVE_RPMATCH
 /* Define to 1 if you have the <rpc/key_prot.h> header file. */
 #undef HAVE_RPC_KEY_PROT_H
 /* Define to 1 if you have the <security/openpam.h> header file. */
 #undef HAVE_SECURITY_OPENPAM_H
@@ -223,29 +166,17 @@
 /* Define to 1 if you have the <semanage/semanage.h> header file. */
 #undef HAVE_SEMANAGE_SEMANAGE_H
-/* Define to 1 if you have the `setgroups' function. */
+/* Define to 1 if you have the 'sgetgrent' function. */
 #undef HAVE_SETGROUPS
 /* Define to 1 if you have the `sgetgrent' function. */
 #undef HAVE_SGETGRENT
-/* Define to 1 if you have the `sgetpwent' function. */
+/* Define to 1 if you have the 'sgetpwent' function. */
 #undef HAVE_SGETPWENT
-/* Define to 1 if you have the `sgetspent' function. */
+/* Define to 1 if you have the 'sgetspent' function. */
 #undef HAVE_SGETSPENT
-/* Define to 1 if you have the <sgtty.h> header file. */
+/* Define if you have the shl_load function. */
-#undef HAVE_SGTTY_H
+#undef HAVE_SHL_LOAD
 /* Have working shadow group support in libc */
 #undef HAVE_SHADOWGRP
 /* Define to 1 if you have the `snprintf' function. */
 #undef HAVE_SNPRINTF
 /* Define to 1 if stdbool.h conforms to C99. */
 #undef HAVE_STDBOOL_H
 /* Define to 1 if you have the <stdint.h> header file. */
 #undef HAVE_STDINT_H
@@ -256,14 +187,11 @@
 /* Define to 1 if you have the <stdlib.h> header file. */
 #undef HAVE_STDLIB_H
-/* Define to 1 if you have the `strcasecmp' function. */
+/* Define to 1 if you have the 'stpecpy' function. */
-#undef HAVE_STRCASECMP
+#undef HAVE_STPECPY
-/* Define to 1 if you have the `strdup' function. */
+/* Define to 1 if you have the 'stpeprintf' function. */
-#undef HAVE_STRDUP
+#undef HAVE_STPEPRINTF
 /* Define to 1 if you have the `strerror' function. */
 #undef HAVE_STRERROR
 /* Define to 1 if you have the <strings.h> header file. */
 #undef HAVE_STRINGS_H
@@ -271,144 +199,57 @@
 /* Define to 1 if you have the <string.h> header file. */
 #undef HAVE_STRING_H
-/* Define to 1 if you have the `strstr' function. */
+/* Define to 1 if 'ut_addr' is a member of 'struct utmpx'. */
 #undef HAVE_STRSTR
 /* Define to 1 if `st_atim' is a member of `struct stat'. */
 #undef HAVE_STRUCT_STAT_ST_ATIM
 /* Define to 1 if `st_atimensec' is a member of `struct stat'. */
 #undef HAVE_STRUCT_STAT_ST_ATIMENSEC
 /* Define to 1 if `st_mtim' is a member of `struct stat'. */
 #undef HAVE_STRUCT_STAT_ST_MTIM
 /* Define to 1 if `st_mtimensec' is a member of `struct stat'. */
 #undef HAVE_STRUCT_STAT_ST_MTIMENSEC
 /* Define to 1 if `ut_addr' is a member of `struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_ADDR
-/* Define to 1 if `ut_addr_v6' is a member of `struct utmpx'. */
+/* Define to 1 if 'ut_addr_v6' is a member of 'struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_ADDR_V6
-/* Define to 1 if `ut_host' is a member of `struct utmpx'. */
+/* Define to 1 if 'ut_host' is a member of 'struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_HOST
-/* Define to 1 if `ut_name' is a member of `struct utmpx'. */
+/* Define to 1 if 'ut_name' is a member of 'struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_NAME
-/* Define to 1 if `ut_syslen' is a member of `struct utmpx'. */
+/* Define to 1 if 'ut_syslen' is a member of 'struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_SYSLEN
-/* Define to 1 if `ut_time' is a member of `struct utmpx'. */
+/* Define to 1 if 'ut_time' is a member of 'struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_TIME
-/* Define to 1 if `ut_xtime' is a member of `struct utmpx'. */
+/* Define to 1 if 'ut_xtime' is a member of 'struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_XTIME
 /* Define to 1 if `ut_addr' is a member of `struct utmp'. */
 #undef HAVE_STRUCT_UTMP_UT_ADDR
 /* Define to 1 if `ut_addr_v6' is a member of `struct utmp'. */
 #undef HAVE_STRUCT_UTMP_UT_ADDR_V6
 /* Define to 1 if `ut_host' is a member of `struct utmp'. */
 #undef HAVE_STRUCT_UTMP_UT_HOST
 /* Define to 1 if `ut_id' is a member of `struct utmp'. */
 #undef HAVE_STRUCT_UTMP_UT_ID
 /* Define to 1 if `ut_name' is a member of `struct utmp'. */
 #undef HAVE_STRUCT_UTMP_UT_NAME
 /* Define to 1 if `ut_syslen' is a member of `struct utmp'. */
 #undef HAVE_STRUCT_UTMP_UT_SYSLEN
 /* Define to 1 if `ut_time' is a member of `struct utmp'. */
 #undef HAVE_STRUCT_UTMP_UT_TIME
 /* Define to 1 if `ut_tv' is a member of `struct utmp'. */
 #undef HAVE_STRUCT_UTMP_UT_TV
 /* Define to 1 if `ut_type' is a member of `struct utmp'. */
 #undef HAVE_STRUCT_UTMP_UT_TYPE
 /* Define to 1 if `ut_user' is a member of `struct utmp'. */
 #undef HAVE_STRUCT_UTMP_UT_USER
 /* Define to 1 if `ut_xtime' is a member of `struct utmp'. */
 #undef HAVE_STRUCT_UTMP_UT_XTIME
 /* Define to 1 if you have the <syslog.h> header file. */
 #undef HAVE_SYSLOG_H
 /* Define to 1 if you have the <sys/capability.h> header file. */
 #undef HAVE_SYS_CAPABILITY_H
 /* Define to 1 if you have the <sys/ioctl.h> header file. */
 #undef HAVE_SYS_IOCTL_H
 /* Define to 1 if you have the <sys/random.h> header file. */
 #undef HAVE_SYS_RANDOM_H
 /* Define to 1 if you have the <sys/resource.h> header file. */
 #undef HAVE_SYS_RESOURCE_H
 /* Define to 1 if you have the <sys/statfs.h> header file. */
 #undef HAVE_SYS_STATFS_H
 /* Define to 1 if you have the <sys/stat.h> header file. */
 #undef HAVE_SYS_STAT_H
 /* Define to 1 if you have the <sys/time.h> header file. */
 #undef HAVE_SYS_TIME_H
 /* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
 /* Define to 1 if you have the <tcb.h> header file. */
 #undef HAVE_TCB_H
 /* Define to 1 if you have the <termios.h> header file. */
 #undef HAVE_TERMIOS_H
 /* Define to 1 if you have the <termio.h> header file. */
 #undef HAVE_TERMIO_H
 /* Define to 1 if you have the <ulimit.h> header file. */
 #undef HAVE_ULIMIT_H
 /* Define to 1 if you have the <unistd.h> header file. */
 #undef HAVE_UNISTD_H
-/* Define to 1 if you have the `updwtmp' function. */
+/* Define to 1 if you have the 'updwtmpx' function. */
 #undef HAVE_UPDWTMP
 /* Define to 1 if you have the `updwtmpx' function. */
 #undef HAVE_UPDWTMPX
 /* Define to 1 if you have the <utime.h> header file. */
 #undef HAVE_UTIME_H
-/* Define to 1 if `utime(file, NULL)' sets file's timestamp to the present. */
+/* Define to 1 if 'utime(file, NULL)' sets file's timestamp to the present. */
 #undef HAVE_UTIME_NULL
-/* Define to 1 if you have the <utmpx.h> header file. */
+/* Define to support vendor settings. */
-#undef HAVE_UTMPX_H
+#undef HAVE_VENDORDIR
 /* Define to 1 if you have the <utmp.h> header file. */
 #undef HAVE_UTMP_H
 /* Define to 1 if you have the <wchar.h> header file. */
 #undef HAVE_WCHAR_H
 /* Define to 1 if the system has the type `_Bool'. */
 #undef HAVE__BOOL
 /* Path for lastlog file. */
 #undef LASTLOG_FILE
 /* Define to the sub-directory where libtool stores uninstalled libraries. */
 #undef LT_OBJDIR
@@ -442,12 +283,6 @@
 /* Path to passwd program. */
 #undef PASSWD_PROGRAM
 /* Define if login should support the -r flag for rlogind. */
 #undef RLOGIN
 /* Define to the ruserok() "success" return value (0 or 1). */
 #undef RUSEROK
 /* Define to support the shadow group file. */
 #undef SHADOWGRP
@@ -457,10 +292,10 @@
 /* The default shell. */
 #undef SHELL
-/* The size of `gid_t', as computed by sizeof. */
+/* The size of 'gid_t', as computed by sizeof. */
 #undef SIZEOF_GID_T
-/* The size of `uid_t', as computed by sizeof. */
+/* The size of 'uid_t', as computed by sizeof. */
 #undef SIZEOF_UID_T
 /* Define to support S/Key logins. */
@@ -469,7 +304,7 @@
 /* Define to support newer BSD S/Key API */
 #undef SKEY_BSD_STYLE
-/* Define to 1 if all of the C90 standard headers exist (not just the ones
+/* Define to 1 if all of the C89 standard headers exist (not just the ones
   required in a freestanding environment). This macro is provided for
   backward compatibility; new code need not use it. */
 #undef STDC_HEADERS
@@ -477,9 +312,6 @@
 /* Define to support /etc/suauth su access control. */
 #undef SU_ACCESS
 /* Define to 1 if your <sys/time.h> declares `struct tm'. */
 #undef TM_IN_SYS_TIME
 /* Define to allow the bcrypt password encryption algorithm */
 #undef USE_BCRYPT
@@ -495,10 +327,7 @@
 /* Define to support flushing of sssd caches */
 #undef USE_SSSD
-/* Define to use syslog(). */
+/* Enable extensions on AIX, Interix, z/OS.  */
 #undef USE_SYSLOG
 /* Enable extensions on AIX 3, Interix.  */
 #ifndef _ALL_SOURCE
 # undef _ALL_SOURCE
 #endif
@@ -559,11 +388,15 @@
 #ifndef __STDC_WANT_IEC_60559_DFP_EXT__
 # undef __STDC_WANT_IEC_60559_DFP_EXT__
 #endif
 /* Enable extensions specified by C23 Annex F.  */
 #ifndef __STDC_WANT_IEC_60559_EXT__
 # undef __STDC_WANT_IEC_60559_EXT__
 #endif
 /* Enable extensions specified by ISO/IEC TS 18661-4:2015.  */
 #ifndef __STDC_WANT_IEC_60559_FUNCS_EXT__
 # undef __STDC_WANT_IEC_60559_FUNCS_EXT__
 #endif
-/* Enable extensions specified by ISO/IEC TS 18661-3:2015.  */
+/* Enable extensions specified by C23 Annex H and ISO/IEC TS 18661-3:2015.  */
 #ifndef __STDC_WANT_IEC_60559_TYPES_EXT__
 # undef __STDC_WANT_IEC_60559_TYPES_EXT__
 #endif
@@ -586,12 +419,12 @@
 #endif
 /* Define if utmpx should be used */
 #undef USE_UTMPX
 /* Define to allow the yescrypt password encryption algorithm */
 #undef USE_YESCRYPT
 /* Directory for distribution provided configuration files */
 #undef VENDORDIR
 /* Version number of package */
 #undef VERSION
@@ -607,6 +440,9 @@
 /* Build shadow with BtrFS support */
 #undef WITH_BTRFS
 /* Build shadow without libbsd support */
 #undef WITH_LIBBSD
 /* Build shadow with SELinux support */
 #undef WITH_SELINUX
@@ -619,17 +455,11 @@
 /* Number of bits in a file offset, on hosts where this is settable. */
 #undef _FILE_OFFSET_BITS
-/* Define for large files, on AIX-style hosts. */
+/* Define to 1 on platforms where this makes off_t a 64-bit type. */
 #undef _LARGE_FILES
-/* Path for utmp file. */
+/* Number of bits in time_t, on hosts where this is settable. */
-#undef _UTMP_FILE
+#undef _TIME_BITS
-/* Path for wtmp file. */
+/* Define to 1 on platforms where this makes time_t a 64-bit type. */
-#undef _WTMP_FILE
+#undef __MINGW_USE_VC2005_COMPAT
 /* Define to `int' if <sys/types.h> doesn't define. */
 #undef gid_t
 /* Define to `int' if <sys/types.h> doesn't define. */
 #undef uid_t
--- a/config.sub
+++ b/config.sub
--- a/7804
+++ b/7804
--- a/configure.ac
+++ b/configure.ac
--- a/contrib/Makefile.am
+++ b/contrib/Makefile.am
@@ -1,6 +0,0 @@
 # This is a dummy Makefile.am to get automake work flawlessly,
 # and also cooperate to make a distribution for `make dist'
 EXTRA_DIST = README adduser.c adduser.sh adduser2.sh \
 atudel groupmems.shar pwdauth.c shadow-anonftp.patch \
 udbachk.tgz
--- a/contrib/Makefile.in
+++ b/contrib/Makefile.in
@@ -1,496 +0,0 @@
 # Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994-2021 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY, to the extent permitted by law; without
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
@SET_MAKE@
 # This is a dummy Makefile.am to get automake work flawlessly,
 # and also cooperate to make a distribution for `make dist'
 VPATH = @srcdir@
 am__is_gnu_make = { \
  if test -z '$(MAKELEVEL)'; then \
    false; \
  elif test -n '$(MAKE_HOST)'; then \
    true; \
  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
    true; \
  else \
    false; \
  fi; \
 }
 am__make_running_with_option = \
  case $${target_option-} in \
      ?) ;; \
      *) echo "am__make_running_with_option: internal error: invalid" \
              "target option '$${target_option-}' specified" >&2; \
         exit 1;; \
  esac; \
  has_opt=no; \
  sane_makeflags=$$MAKEFLAGS; \
  if $(am__is_gnu_make); then \
    sane_makeflags=$$MFLAGS; \
  else \
    case $$MAKEFLAGS in \
      *\\[\ \	]*) \
        bs=\\; \
        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
    esac; \
  fi; \
  skip_next=no; \
  strip_trailopt () \
  { \
    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
  }; \
  for flg in $$sane_makeflags; do \
    test $$skip_next = yes && { skip_next=no; continue; }; \
    case $$flg in \
      *=*|--*) continue;; \
        -*I) strip_trailopt 'I'; skip_next=yes;; \
      -*I?*) strip_trailopt 'I';; \
        -*O) strip_trailopt 'O'; skip_next=yes;; \
      -*O?*) strip_trailopt 'O';; \
        -*l) strip_trailopt 'l'; skip_next=yes;; \
      -*l?*) strip_trailopt 'l';; \
      -[dEDm]) skip_next=yes;; \
      -[JT]) skip_next=yes;; \
    esac; \
    case $$flg in \
      *$$target_option*) has_opt=yes; break;; \
    esac; \
  done; \
  test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
 INSTALL_HEADER = $(INSTALL_DATA)
 transform = $(program_transform_name)
 NORMAL_INSTALL = :
 PRE_INSTALL = :
 POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 subdir = contrib
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
 	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
 	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
 	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
 	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
 	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
 	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
 	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
 	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
 am__v_P_0 = false
 am__v_P_1 = :
 AM_V_GEN = $(am__v_GEN_@AM_V@)
 am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
 am__v_GEN_0 = @echo "  GEN     " $@;
 am__v_GEN_1 = 
 AM_V_at = $(am__v_at_@AM_V@)
 am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
 am__v_at_0 = @
 am__v_at_1 = 
 SOURCES =
 DIST_SOURCES =
 am__can_run_installinfo = \
  case $$AM_UPDATE_INFO_DIR in \
    n|no|NO) false;; \
    *) (install-info --version) >/dev/null 2>&1;; \
  esac
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
 am__DIST_COMMON = $(srcdir)/Makefile.in README
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
 AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CSCOPE = @CSCOPE@
 CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 ECONF_CPPFLAGS = @ECONF_CPPFLAGS@
 EGREP = @EGREP@
 ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
 GROUP_NAME_MAX_LENGTH = @GROUP_NAME_MAX_LENGTH@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 INTLLIBS = @INTLLIBS@
 INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LIBACL = @LIBACL@
 LIBATTR = @LIBATTR@
 LIBAUDIT = @LIBAUDIT@
 LIBCRACK = @LIBCRACK@
 LIBCRYPT = @LIBCRYPT@
 LIBECONF = @LIBECONF@
 LIBICONV = @LIBICONV@
 LIBINTL = @LIBINTL@
 LIBMD = @LIBMD@
 LIBOBJS = @LIBOBJS@
 LIBPAM = @LIBPAM@
 LIBS = @LIBS@
 LIBSELINUX = @LIBSELINUX@
 LIBSEMANAGE = @LIBSEMANAGE@
 LIBSKEY = @LIBSKEY@
 LIBSUBID_ABI = @LIBSUBID_ABI@
 LIBSUBID_ABI_MAJOR = @LIBSUBID_ABI_MAJOR@
 LIBSUBID_ABI_MICRO = @LIBSUBID_ABI_MICRO@
 LIBSUBID_ABI_MINOR = @LIBSUBID_ABI_MINOR@
 LIBTCB = @LIBTCB@
 LIBTOOL = @LIBTOOL@
 LIPO = @LIPO@
 LIYESCRYPT = @LIYESCRYPT@
 LN_S = @LN_S@
 LTLIBICONV = @LTLIBICONV@
 LTLIBINTL = @LTLIBINTL@
 LTLIBOBJS = @LTLIBOBJS@
 LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
 MAINT = @MAINT@
 MAKEINFO = @MAKEINFO@
 MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MSGFMT = @MSGFMT@
 MSGFMT_015 = @MSGFMT_015@
 MSGMERGE = @MSGMERGE@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 POSUB = @POSUB@
 RANLIB = @RANLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 USE_NLS = @USE_NLS@
 VENDORDIR = @VENDORDIR@
 VERSION = @VERSION@
 XGETTEXT = @XGETTEXT@
 XGETTEXT_015 = @XGETTEXT_015@
 XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 capcmd = @capcmd@
 datadir = @datadir@
 datarootdir = @datarootdir@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
 htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
 runstatedir = @runstatedir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 EXTRA_DIST = README adduser.c adduser.sh adduser2.sh \
 atudel groupmems.shar pwdauth.c shadow-anonftp.patch \
 udbachk.tgz
 all: all-am
 .SUFFIXES:
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
 	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
 	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
 	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign contrib/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
 	  $(AUTOMAKE) --foreign contrib/Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
 	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
 	  *) \
 	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
 	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
 	esac;
 $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
 mostlyclean-libtool:
 	-rm -f *.lo
 clean-libtool:
 	-rm -rf .libs _libs
 tags TAGS:
 ctags CTAGS:
 cscope cscopelist:
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 distdir-am: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
 	  dist_files=`for file in $$list; do echo $$file; done | \
 	  sed -e "s|^$$srcdirstrip/||;t" \
 	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
 	case $$dist_files in \
 	  */*) $(MKDIR_P) `echo "$$dist_files" | \
 			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
 			   sort -u` ;; \
 	esac; \
 	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d "$(distdir)/$$file"; then \
 	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
 	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
 	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
 	    test -f "$(distdir)/$$file" \
 	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
 check-am: all-am
 check: check-am
 all-am: Makefile
 installdirs:
 install: install-am
 install-exec: install-exec-am
 install-data: install-data-am
 uninstall: uninstall-am
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 installcheck: installcheck-am
 install-strip:
 	if test -z '$(STRIP)'; then \
 	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
 	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
 	      install; \
 	else \
 	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
 	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
 	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
 	fi
 mostlyclean-generic:
 clean-generic:
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 clean-am: clean-generic clean-libtool mostlyclean-am
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-generic
 dvi: dvi-am
 dvi-am:
 html: html-am
 html-am:
 info: info-am
 info-am:
 install-data-am:
 install-dvi: install-dvi-am
 install-dvi-am:
 install-exec-am:
 install-html: install-html-am
 install-html-am:
 install-info: install-info-am
 install-info-am:
 install-man:
 install-pdf: install-pdf-am
 install-pdf-am:
 install-ps: install-ps-am
 install-ps-am:
 installcheck-am:
 maintainer-clean: maintainer-clean-am
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 mostlyclean: mostlyclean-am
 mostlyclean-am: mostlyclean-generic mostlyclean-libtool
 pdf: pdf-am
 pdf-am:
 ps: ps-am
 ps-am:
 uninstall-am:
 .MAKE: install-am install-strip
 .PHONY: all all-am check check-am clean clean-generic clean-libtool \
 	cscopelist-am ctags-am distclean distclean-generic \
 	distclean-libtool distdir dvi dvi-am html html-am info info-am \
 	install install-am install-data install-data-am install-dvi \
 	install-dvi-am install-exec install-exec-am install-html \
 	install-html-am install-info install-info-am install-man \
 	install-pdf install-pdf-am install-ps install-ps-am \
 	install-strip installcheck installcheck-am installdirs \
 	maintainer-clean maintainer-clean-generic mostlyclean \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags-am uninstall uninstall-am
 .PRECIOUS: Makefile
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
--- a/contrib/README
+++ b/contrib/README
@@ -1,10 +0,0 @@
 People keep sending various adduser programs and scripts...  They are
 all in this directory.  I haven't tested them, use at your own risk.
 Anyway, the best one I've seen so far is adduser-3.x from Debian.
 atudel is a perl script to remove at jobs owned by the specified user
 (atrm in at-2.9 for Linux can't do that).
 udbachk.tgz is a passwd/group/shadow file integrity checker.
 --marekm
--- a/contrib/adduser.c
+++ b/contrib/adduser.c
@@ -1,502 +0,0 @@
 /****
 ** 04/21/96
 ** hacked even more, replaced gets() with something slightly harder to buffer
 ** overflow. Added support for setting a default quota on new account, with
 ** edquota -p. Other cleanups for security, I let some users run adduser suid
 ** root to add new accounts. (overflow checks, clobber environment, valid 
 ** shell checks, restrictions on gid + home dir settings).
 ** Added max. username length. Used syslog() a bit for important events. 
 ** Support to immediately expire account with passwd -e.
 ** Called it version 2.0! Because I felt like it!
 ** -- Chris, chris@ferret.lmh.ox.ac.uk
 ** 03/17/96
 ** hacked a bit more, removed unused code, cleaned up for gcc -Wall.
 ** --marekm
 **
 ** 02/26/96
 ** modified to call shadow utils (useradd,chage,passwd) on shadowed 
 ** systems - Cristian Gafton, gafton@sorosis.ro
 **
 ** 6/27/95
 ** shadow-adduser 1.4:
 **
 ** now it copies the /etc/skel dir into the person's dir, 
 ** makes the mail folders, changed some defaults and made a 'make 
 ** install' just for the hell of it.
 **
 ** Greg Gallagher
 ** CIN.Net
 **
 ** 1/28/95
 ** shadow-adduser 1.3:
 ** 
 ** Basically a bug-fix on my additions in 1.2.  Thanks to Terry Stewart 
 ** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
 ** It was such a stupid bug that I would have never seen it myself.
 **
 **                                Brandon
 *****
 ** 01/27/95
 ** 
 ** shadow-adduser 1.2:
 ** I took the C source from adduser-shadow (credits are below) and made
 ** it a little more worthwhile.  Many small changes... Here's
 ** the ones I can remember:
 ** 
 ** Removed support for non-shadowed systems (if you don't have shadow,
 **     use the original adduser, don't get this shadow version!)
 ** Added support for the correct /etc/shadow fields (Min days before
 **     password change, max days before password change, Warning days,
 **     and how many days from expiry date does the account go invalid)
 **     The previous version just left all of those fields blank.
 **     There is still one field left (expiry date for the account, period)
 **     which I have left blank because I do not use it and didn't want to
 **     spend any more time on this.  I'm sure someone will put it in and
 **     tack another plethora of credits on here. :)
 ** Added in the password date field, which should always reflect the last
 **     date the password was changed, for expiry purposes.  "passwd" always
 **     updates this field, so the adduser program should set it up right
 **     initially (or a user could keep thier initial password forever ;)
 **     The number is in days since Jan 1st, 1970.
 **
 **                       Have fun with it, and someone please make
 **                       a real version(this is still just a hack)
 **                       for us all to use (and Email it to me???)
 **
 **                               Brandon
 **                                  photon@usis.com
 **
 ***** 
 ** adduser 1.0: add a new user account (For systems not using shadow)
 ** With a nice little interface and a will to do all the work for you.
 **
 ** Craig Hagan
 ** hagan@opine.cs.umass.edu
 **
 ** Modified to really work, look clean, and find unused uid by Chris Cappuccio
 ** chris@slinky.cs.umass.edu
 **
 *****
 **
 ** 01/19/95
 **
 ** FURTHER modifications to enable shadow passwd support (kludged, but
 ** no more so than the original)  by Dan Crowson - dcrowson@mo.net
 **
 ** Search on DAN for all changes...
 **
 *****
 **
 ** cc -O -o adduser adduser.c
 ** Use gcc if you have it... (political reasons beyond my control) (chris)
 **
 ** I've gotten this program to work with success under Linux (without
 ** shadow) and SunOS 4.1.3. I would assume it should work pretty well
 ** on any system that uses no shadow. (chris)
 **
 ** If you have no crypt() then try
 ** cc -DNO_CRYPT -O -o adduser adduser.c xfdes.c
 ** I'm not sure how login operates with no crypt()... I guess
 ** the same way we're doing it here.
 */
 #include <unistd.h>
 #include <stdlib.h>
 #include <pwd.h>
 #include <grp.h>
 #include <ctype.h>
 #include <stdio.h>
 #include <string.h>
 #include <time.h>
 #include <sys/types.h>
 #include <sys/timeb.h>
 #include <sys/time.h>
 #include <sys/stat.h>
 #include <syslog.h>
 #define IMMEDIATE_CHANGE	/* Expire newly created password, must be changed
 				 * immediately upon next login */
 #define HAVE_QUOTAS		/* Obvious */
 #define EXPIRE_VALS_SET		/* If defined, 'normal' users can't change 
 				 * password expiry values (if running suid root) */
 #define HAVE_GETUSERSHELL	/* FIXME: Isn't this defined in config.h too? */
 #define LOGGING			/* If we want to log various things to syslog */
 #define MAX_USRNAME  8		/* Longer usernames seem to work on my system....
 				 * But they're probably a poor idea */
 #define DEFAULT_SHELL	"/bin/bash"	/* because BASH is your friend */
 #define DEFAULT_HOME	"/home"
 #define USERADD_PATH	"/usr/sbin/useradd"
 #define CHAGE_PATH	"/usr/bin/chage"
 #define PASSWD_PATH	"/usr/bin/passwd"
 #define EDQUOTA_PATH	"/usr/sbin/edquota"
 #define QUOTA_DEFAULT	"defuser"
 #define DEFAULT_GROUP	100
 #define DEFAULT_MIN_PASS 0
 #define DEFAULT_MAX_PASS 100
 #define DEFAULT_WARN_PASS 14
 #define DEFAULT_USER_DIE 366
 void safeget (char *, int);
 void 
 main (void)
 {
  char foo[32];
  char usrname[32], person[32], dir[32], shell[32];
  unsigned int group, min_pass, max_pass, warn_pass, user_die;
  /* the group and uid of the new user */
  int bad = 0, done = 0, correct = 0, olduid;
  char cmd[255];
  struct group *grp;
  /* flags, in order:
   * bad to see if the username is in /etc/passwd, or if strange stuff has
   * been typed if the user might be put in group 0
   * done allows the program to exit when a user has been added
   * correct loops until a username is found that isn't in /etc/passwd
   */
  /* The real program starts HERE! */
  if (geteuid () != 0)
    {
      printf ("It seems you don't have access to add a new user.  Try\n");
      printf ("logging in as root or su root to gain superuser access.\n");
      exit (1);
    }
  /* Sanity checks
   */
 #ifdef LOGGING
  openlog ("adduser", LOG_PID | LOG_CONS | LOG_NOWAIT, LOG_AUTH);
  syslog (LOG_INFO, "invoked by user %s\n", getpwuid (getuid ())->pw_name);
 #endif
  if (!(grp = getgrgid (DEFAULT_GROUP)))
    {
      printf ("Error: the default group %d does not exist on this system!\n",
 	      DEFAULT_GROUP);
      printf ("adduser must be recompiled.\n");
 #ifdef LOGGING
      syslog (LOG_ERR, "warning: failed. no such default group\n");
      closelog ();
 #endif
      exit (1);
    };
  while (!correct)
    {				/* loop until a "good" usrname is chosen */
      while (!done)
 	{
 	  printf ("\nLogin to add (^C to quit): ");
 	  fflush (stdout);
 	  safeget (usrname, sizeof (usrname));
 	  if (!strlen (usrname))
 	    {
 	      printf ("Empty input.\n");
 	      done = 0;
 	      continue;
 	    };
 	  /* what I saw here before made me think maybe I was running DOS */
 	  /* might this be a solution? (chris) */
 	  if (strlen (usrname) > MAX_USRNAME)
 	    {
 	      printf ("That name is longer than the maximum of %d characters. Choose another.\n", MAX_USRNAME);
 	      done = 0;
 	    }
 	  else if (getpwnam (usrname) != NULL)
 	    {
 	      printf ("That name is in use, choose another.\n");
 	      done = 0;
 	    }
 	  else if (strchr (usrname, ' ') != NULL)
 	    {
 	      printf ("No spaces in username!!\n");
 	      done = 0;
 	    }
 	  else
 	    done = 1;
 	};			/* done, we have a valid new user name */
      /* all set, get the rest of the stuff */
      printf ("\nEditing information for new user [%s]\n", usrname);
      printf ("\nFull Name [%s]: ", usrname);
      fflush (stdout);
      safeget (person, sizeof (person));
      if (!strlen (person))
 	{
 	  bzero (person, sizeof (person));
 	  strcpy (person, usrname);
 	};
      if (getuid () == 0)
 	{
 	  do
 	    {
 	      bad = 0;
 	      printf ("GID [%d]: ", DEFAULT_GROUP);
 	      fflush (stdout);
 	      safeget (foo, sizeof (foo));
 	      if (!strlen (foo))
 		group = DEFAULT_GROUP;
 	      else if (isdigit (*foo))
 		{
 		  group = atoi (foo);
 		  if (!(grp = getgrgid (group)))
 		    {
 		      printf ("unknown gid %s\n", foo);
 		      group = DEFAULT_GROUP;
 		      bad = 1;
 		    };
 		}
 	      else if ((grp = getgrnam (foo)))
 		group = grp->gr_gid;
 	      else
 		{
 		  printf ("unknown group %s\n", foo);
 		  group = DEFAULT_GROUP;
 		  bad = 1;
 		}
 	      if (group == 0)
 		{		/* You're not allowed to make root group users! */
 		  printf ("Creation of root group users not allowed (must be done by hand)\n");
 		  group = DEFAULT_GROUP;
 		  bad = 1;
 		};
 	    }
 	  while (bad);
 	}
      else
 	{
 	  printf ("Group will be default of: %d\n", DEFAULT_GROUP);
 	  group = DEFAULT_GROUP;
 	}
      if (getuid () == 0)
 	{
 	  printf ("\nIf home dir ends with a / then '%s' will be appended to it\n", usrname);
 	  printf ("Home Directory [%s/%s]: ", DEFAULT_HOME, usrname);
 	  fflush (stdout);
 	  safeget (dir, sizeof (dir));
 	  if (!strlen (dir))
 	    {			/* hit return */
 	      sprintf (dir, "%s/%s", DEFAULT_HOME, usrname);
 	    }
 	  else if (dir[strlen (dir) - 1] == '/')
 	    sprintf (dir+strlen(dir), "%s", usrname);
 	}
      else
 	{
 	  printf ("\nHome directory will be %s/%s\n", DEFAULT_HOME, usrname);
 	  sprintf (dir, "%s/%s", DEFAULT_HOME, usrname);
 	}
      printf ("\nShell [%s]: ", DEFAULT_SHELL);
      fflush (stdout);
      safeget (shell, sizeof (shell));
      if (!strlen (shell))
 	sprintf (shell, "%s", DEFAULT_SHELL);
      else
 	{
 	  char *sh;
 	  int ok = 0;
 #ifdef HAVE_GETUSERSHELL
 	  setusershell ();
 	  while ((sh = getusershell ()) != NULL)
 	    if (!strcmp (shell, sh))
 	      ok = 1;
 	  endusershell ();
 #endif
 	  if (!ok)
 	    {
 	      if (getuid () == 0)
 		printf ("Warning: root allowed non standard shell\n");
 	      else
 		{
 		  printf ("Shell NOT in /etc/shells, DEFAULT used\n");
 		  sprintf (shell, "%s", DEFAULT_SHELL);
 		}
 	    }
 	}
 #ifdef EXPIRE_VALS_SET
      if (getuid () == 0)
 	{
 #endif
 	  printf ("\nMin. Password Change Days [%d]: ", DEFAULT_MIN_PASS);
 	  fflush (stdout);
 	  safeget (foo, sizeof (foo));
 	  if (strlen (foo) > 1)
 	    min_pass = DEFAULT_MIN_PASS;
 	  else
 	    min_pass = atoi (foo);
 	  printf ("Max. Password Change Days [%d]: ", DEFAULT_MAX_PASS);
 	  fflush (stdout);
 	  safeget (foo, sizeof (foo));
 	  if (strlen (foo) > 1)
 	    max_pass = atoi (foo);
 	  else
 	    max_pass = DEFAULT_MAX_PASS;
 	  printf ("Password Warning Days [%d]: ", DEFAULT_WARN_PASS);
 	  fflush (stdout);
 	  safeget (foo, sizeof (foo));
 	  warn_pass = atoi (foo);
 	  if (warn_pass == 0)
 	    warn_pass = DEFAULT_WARN_PASS;
 	  printf ("Days after Password Expiry for Account Locking [%d]: ", DEFAULT_USER_DIE);
 	  fflush (stdout);
 	  safeget (foo, sizeof (foo));
 	  user_die = atoi (foo);
 	  if (user_die == 0)
 	    user_die = DEFAULT_USER_DIE;
 #ifdef EXPIRE_VALS_SET
 	}
      else
 	{
 	  printf ("\nSorry, account expiry values are set.\n");
 	  user_die = DEFAULT_USER_DIE;
 	  warn_pass = DEFAULT_WARN_PASS;
 	  max_pass = DEFAULT_MAX_PASS;
 	  min_pass = DEFAULT_MIN_PASS;
 	}
 #endif
      printf ("\nInformation for new user [%s] [%s]:\n", usrname, person);
      printf ("Home directory: [%s] Shell: [%s]\n", dir, shell);
      printf ("GID: [%d]\n", group);
      printf ("MinPass: [%d] MaxPass: [%d] WarnPass: [%d] UserExpire: [%d]\n",
 	      min_pass, max_pass, warn_pass, user_die);
      printf ("\nIs this correct? [y/N]: ");
      fflush (stdout);
      safeget (foo, sizeof (foo));
      done = bad = correct = (foo[0] == 'y' || foo[0] == 'Y');
      if (bad != 1)
 	printf ("\nUser [%s] not added\n", usrname);
    }
  /* Clobber the environment, I run this suid root sometimes to let 
   * non root privileged accounts add users --chris */
  *environ = NULL;
  bzero (cmd, sizeof (cmd));
  sprintf (cmd, "%s -g %d -d %s -s %s -c \"%s\" -m -k /etc/skel %s",
 	   USERADD_PATH, group, dir, shell, person, usrname);
  printf ("Calling useradd to add new user:\n%s\n", cmd);
  if (system (cmd))
    {
      printf ("User add failed!\n");
 #ifdef LOGGING
      syslog (LOG_ERR, "could not add new user\n");
      closelog ();
 #endif
      exit (errno);
    };
  olduid = getuid ();	/* chage, passwd, edquota etc. require ruid = root
 			 */
  setuid (0);
  bzero (cmd, sizeof (cmd));
  /* Chage runs suid root. => we need ruid root to run it with
   * anything other than chage -l
   */
  sprintf (cmd, "%s -m %d -M %d -W %d -I %d %s", CHAGE_PATH,
 	   min_pass, max_pass, warn_pass, user_die, usrname);
  printf ("%s\n", cmd);
  if (system (cmd))
    {
      printf ("There was an error setting password expire values\n");
 #ifdef LOGGING
      syslog (LOG_ERR, "password expire values could not be set\n");
 #endif
    };
  /* I want to add a user completely with one easy command --chris */
 #ifdef HAVE_QUOTAS
  bzero (cmd, sizeof (cmd));
  sprintf (cmd, "%s -p %s -u %s", EDQUOTA_PATH, QUOTA_DEFAULT, usrname);
  printf ("%s\n", cmd);
  if (system (cmd))
    {
      printf ("\nWarning: error setting quota\n");
 #ifdef LOGGING
      syslog (LOG_ERR, "warning: account created but NO quotas set!\n");
 #endif /* LOGGING */
    }
  else
    printf ("\nDefault quota set.\n");
 #endif /* HAVE_QUOTAS */
  bzero (cmd, sizeof (cmd));
  sprintf (cmd, "%s %s", PASSWD_PATH, usrname);
  if (system (cmd))
    {
      printf ("\nWarning: error setting password\n");
 #ifdef LOGGING
      syslog (LOG_ERR, "warning: password set failed!\n");
 #endif
    }
 #ifdef IMMEDIATE_CHANGE
  bzero (cmd, sizeof (cmd));
  sprintf (cmd, "%s -e %s", PASSWD_PATH, usrname);
  if (system (cmd))
    {
      printf ("\nWarning: error expiring password\n");
 #ifdef LOGGING
      syslog (LOG_ERR, "warning: password expire failed!\n");
 #endif /* LOGGING */
    }
 #endif /* IMMEDIATE_CHANGE */
  setuid (olduid);
 #ifdef LOGGING
  closelog ();
 #endif
  printf ("\nDone.\n");
 }
 void 
 safeget (char *buf, int maxlen)
 {
  int c, i = 0, bad = 0;
  char *bstart = buf;
  while ((c = getc (stdin)) != EOF && (c != '\n') && (++i < maxlen))
    {
      bad = (!isalnum (c) && (c != '_') && (c != ' '));
      *(buf++) = (char) c;
    }
  *buf = '\0';
  if (bad)
    {
      printf ("\nString contained banned character. Please stick to alphanumerics.\n");
      *bstart = '\0';
    }
 }
--- a/contrib/adduser.sh
+++ b/contrib/adduser.sh
@@ -1,90 +0,0 @@
 #!/bin/sh
 # adduser script for use with shadow passwords and useradd command.
 # by Hrvoje Dogan <hdogan@student.math.hr>, Dec 1995.
 echo -n "Login name for new user []:"
 read LOGIN
 if [ -z $LOGIN ]
 then echo "Come on, man, you can't leave the login field empty...";exit
 fi
 echo
 echo -n "User id for $LOGIN [ defaults to next available]:"
 read ID
 GUID="-u $ID"
 if [ -z $ID ] 
 then GUID=""
 fi
 echo
 echo -n "Initial group for $LOGIN [users]:"
 read GID
 GGID="-g $GID"
 if [ -z $GID ]
 then GGID=""
 fi
 echo
 echo -n "Additional groups for $LOGIN []:"
 read AGID
 GAGID="-G $AGID"
 if [ -z $AGID ]
 then GAGID=""
 fi
 echo
 echo -n "$LOGIN's home directory [/home/$LOGIN]:"
 read HME
 GHME="-d $HME"
 if [ -z $HME ]
 then GHME=""
 fi
 echo
 echo -n "$LOGIN's shell [/bin/bash]:"
 read SHL
 GSHL="-s $SHL"
 if [ -z $SHL ]
 then GSHL=""
 fi
 echo
 echo -n "$LOGIN's account expiry date (MM/DD/YY) []:"
 read EXP
 GEXP="-e $EXP"
 if [ -z $EXP ]
 then GEXP=""
 fi
 echo
 echo OK, I'm about to make a new account. Here's what you entered so far:
 echo New login name: $LOGIN
 if [ -z $GUID ] 
 then echo New UID: [Next available]
 else echo New UID: $UID
 fi
 if [ -z $GGID ]
 then echo Initial group: users
 else echo Initial group: $GID
 fi
 if [ -z $GAGID ]
 then echo Additional groups: [none]
 else echo Additional groups: $AGID
 fi
 if [ -z $GHME ]
 then echo Home directory: /home/$LOGIN
 else echo Home directory: $HME
 fi
 if [ -z $GSHL ]
 then echo Shell: /bin/bash
 else echo Shell: $SHL
 fi
 if [ -z $GEXP ]
 then echo Expiry date: [no expiration]
 else echo Expiry date: $EXP
 fi
 echo "This is it... if you want to bail out, you'd better do it now."
 read FOO
 echo Making new account...
 /usr/sbin/useradd $GHME -m $GEXP $GGID $GAGID $GSHL $GUID $LOGIN
 /usr/bin/chfn $LOGIN
 /usr/bin/passwd $LOGIN
 echo "Done..."
--- a/contrib/adduser2.sh
+++ b/contrib/adduser2.sh
@@ -1,743 +0,0 @@
 #!/bin/bash
 #
 #  adduser			Interactive user adding program.
 #
 #  Copyright (C) 1996		Petri Mattila, Prihateam Networks
 #				petri@prihateam.fi
 #	
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
 #  the Free Software Foundation; either version 2, or (at your option)
 #  any later version.
 #
 # Changes:
 #	220496	v0.01	Initial version
 #	230496	v0.02	More checks, embolden summary
 #	240496		Even more checks
 #	250496 		Help with ?
 #	040596	v0.03	Cleanups
 #	050596	v0.04	Bug fixes, expire date checks
 #	070596	v0.05	Iso-latin-1 names
 #
 ## Defaults
 # default groups
 def_group="users"
 def_other_groups=""
 # default home directory
 def_home_dir=/home/users
 # default shell
 def_shell=/bin/tcsh
 # Default expiration date (mm/dd/yy)
 def_expire=""
 # default dates
 def_pwd_min=0
 def_pwd_max=90
 def_pwd_warn=14
 def_pwd_iact=14
 # possible UIDs
 uid_low=1000
 uid_high=64000
 # skel directory
 skel=/etc/skel
 # default mode for home directory
 def_mode=711
 # Regex, that the login name must meet, only ANSI characters
 login_regex='^[0-9a-zA-Z_-]*$'
 # Regex, that the user name must meet
 # ANSI version
 ##name_regex='^[0-9a-zA-Z_-\ ]*$'
 # ISO-LATIN-1 version
 name_regex='^[0-9a-zA-ZÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõöùúûüýþÿ_-\ ]*$'
 # set PATH
 export PATH="/bin:/sbin:/usr/bin:/usr/sbin"
 # Some special characters
 case "$TERM" in
   vt*|ansi*|con*|xterm*|linux*)
 	S='[1m'	# start embolden
 	E='[m'	# end embolden
 	;;
   *)	
 	S=''
 	E=''
 	;;
 esac
 ## Functions
 check_root() {
 	if test "$EUID" -ne 0
 	then
 		echo "You must be root to run this program."
 		exit 1
 	fi
 }
 check_user() {
 	local usr pwd uid gid name home sh
 	cat /etc/passwd | (
 		while IFS=":" read usr pwd uid gid name home sh
 		do
 			if test "$1" = "${usr}"
 			then
 				return 1
 			fi
 		done
 		return 0
 	)
 }
 check_group() {
 	local read grp pwd gid members
 	cat /etc/group | (
 		while IFS=":" read grp pwd gid members
 		do
 			if test "$1" = "${grp}"
 			then
 				return 1
 			fi
 		done
 		return 0
 	)
 }
 check_other_groups() {
 	local grp check IFS
 	check="$1"
 	IFS=","
 	set ${check}
 	for grp
 	do
 		if check_group "${grp}"
 		then
 			echo "Group ${grp} does not exist."
 			return 1
 		fi
 	done
 	return 0
 }		
 check_uid() {
 	local usr pwd uid gid name home sh
 	cat /etc/passwd | (
 		while IFS=":" read usr pwd uid gid name home sh
 		do
 			if test "$1" = "${uid}"
 			then
 				return 1
 			fi
 		done
 		return 0
 	)
 }
 read_yn() {
 	local ans ynd
 	ynd="$1"
 	while :
 	do
 		read ans	
 		case "${ans}" in
 		      "") return ${ynd} ;;
 		    [nN]) return 1 ;;
 		    [yY]) return 0 ;;
 		       *) echo -n "Y or N, please ? " ;;
 		esac
 	done
 }
 read_login() {
 	echo
 	while :
 	do
 		echo -n "Login: ${def_login:+[${def_login}] }"
 		read login
 		if test "${login}" = '?'
 		then
 			less /etc/passwd
 			echo
 			continue
 		fi
 		if test -z "${login}" -a -n "${def_login}"
 		then
 			login="${def_login}"
 			echo "Using ${login}"
 			return
 		fi
 		if test "${#login}" -gt 8
 		then
 			echo "Login must be at most 8 characters long"
 			continue
 		fi
 		if test "${#login}" -lt 2
 		then
 			echo "Login must be at least 2 characters long"
 			continue
 		fi
 		if ! expr "${login}" : "${login_regex}" &> /dev/null
 		then
 			echo "Please use letters, numbers and special characters _-,."
 			continue
 		fi
 		if ! check_user "${login}"
 		then
 			echo "Username ${login} is already in use"
 			continue
 		fi
 		def_login="${login}"
 		return
 	done
 }
 read_name () {
 	echo
 	while :
 	do
 		echo -n "Real name: ${def_name:+[${def_name}] }"
 		read name
 		if test "${name}" = '?'
 		then
 			less /etc/passwd
 			echo
 			continue
 		fi
 		if test -z "${name}" -a -n "${def_name}"
 		then
 			name="${def_name}"
 			echo "Using ${name}"
 		fi
 		if test "${#name}" -gt 32
 		then
 			echo "Name should be at most 32 characters long"
 			continue
 		fi
 		if ! expr "${name}" : "${name_regex}" &> /dev/null
 		then
 			echo "Please use letters, numbers, spaces and special characters ,._-"
 			continue
 		fi
 		def_name="${name}"
 		return
 	done
 }
 read_home() {
 	local x
 	echo
 	while :
 	do
 		echo -n "Home Directory: [${def_home_dir}/${login}] "
 		read home
 		if test -z "${home}"
 		then
 			home="${def_home_dir}/${login}"
 			echo "Using ${home}"
 		fi
 		if ! expr "${home}" : '^[0-9a-zA-Z,._-\/]*$' &> /dev/null
 		then
 			echo "Please use letters, numbers, spaces and special characters ,._-/"
 			continue
 		fi
 		x="$(basename ${home})"
 		if test "${x}" != "${login}"
 		then
 			echo "Warning: you are about to use different login name and home directory."
 		fi
 		x="$(dirname ${home})"
 		if ! test -d "${x}"
 		then
 			echo "Directory ${x} does not exist."
 			echo "If you still want to use it, please make it manually."
 			continue
 		fi
 		def_home_dir="${x}"
 		return
 	done
 }
 read_shell () {
 	local x
 	echo
 	while :
 	do
 		echo -n "Shell: [${def_shell}] "
 		read shell
 		if test -z "${shell}"
 		then
 			shell="${def_shell}"
 			echo "Using ${shell}"
 		fi
 		for x in $(cat /etc/shells)
 		do
 			if test "${x}" = "${shell}"
 			then
 				def_shell="${shell}"
 				return
 			fi
 		done
 		echo "Possible shells are:"
 		cat /etc/shells
 	done
 }
 read_group () {
 	echo
 	while :
 	do
 		echo -n "Group: [${def_group}] "
 		read group
 		if test -z "${group}"
 		then
 			group="${def_group}"
 			echo "Using ${group}"
 		fi
 		if test "${group}" = '?'
 		then
 			less /etc/group
 			echo
 			continue
 		fi
 		if check_group "${group}"
 		then
 			echo "Group ${group} does not exist."
 			continue
 		fi
 		def_group="${group}"
 		return
 	done
 }
 read_other_groups () {
 	echo
 	while :
 	do
 		echo -n "Other groups: [${def_og:-none}] "
 		read other_groups
 		if test "${other_groups}" = '?'
 		then
 			less /etc/group
 			echo
 			continue
 		fi
 		if test -z "${other_groups}"
 		then
 			if test -n "${def_og}"
 			then
 				other_groups="${def_og}"
 				echo "Using ${other_groups}"
 			else	
 				echo "No other groups"
 				return
 			fi
 		fi
 		if ! check_other_groups "${other_groups}"
 		then
 			continue
 		fi
 		def_og="${other_groups}"
 		return
 	done
 }
 read_uid () {
 	echo
 	while :
 	do
 		echo -n "uid: [first free] "
 		read uid
 		if test -z "${uid}"
 		then
 			echo "Using first free UID."
 			return
 		fi
 		if test "${uid}" = '?'
 		then
 			less /etc/passwd
 			echo
 			continue
 		fi
 		if ! expr "${uid}" : '^[0-9]+$' &> /dev/null
 		then
 			echo "Please use numbers only."
 			continue
 		fi
 		if test "${uid}" -lt "${uid_low}"
 		then
 			echo "UID must be greater than ${uid_low}"
 			continue
 		fi
 		if test "${uid}" -gt "${uid_high}"
 		then
 			echo "UID must be smaller than ${uid_high}"
 			continue
 		fi
 		if ! check_uid "${uid}"
 		then
 			echo "UID ${uid} is already in use"
 			continue
 		fi
 		return
 	done
 }
 read_max_valid_days() {
 	echo
 	while :
 	do
 		echo -en "Maximum days between password changes: [${def_pwd_max}] "
 		read max_days
 		if test -z "${max_days}"
 		then
 			max_days="${def_pwd_max}"
 			echo "Using ${max_days}"
 			return
 		fi
 		if ! expr "${max_days}" : '^[0-9]+$' &> /dev/null
 		then
 			echo "Please use numbers only."
 			continue
 		fi
 		if test "${max_days}" -lt 7
 		then
 			echo "Warning: you are using a value shorter than a week."
 		fi
 		def_pwd_max="${max_days}"
 		return	
 	done
 }
 read_min_valid_days() {
 	echo
 	while :
 	do
 		echo -en "Minimum days between password changes: [${def_pwd_min}] "
 		read min_days
 		if test -z "${min_days}"
 		then
 			min_days="${def_pwd_min}"
 			echo "Using ${min_days}"
 			return
 		fi
 		if ! expr "${min_days}" : '^[0-9]+$' &> /dev/null
 		then
 			echo "Please use numbers only."
 			continue
 		fi
 		if test "${min_days}" -gt 7
 		then
 			echo "Warning: you are using a value longer than a week."
 		fi
 		def_pwd_min="${min_days}"
 		return	
 	done
 }
 read_warning_days() {
 	echo
 	while :
 	do
 		echo -en "Number of warning days before password expires: [${def_pwd_warn}] "
 		read warn_days
 		if test -z "${warn_days}"
 		then
 			warn_days="${def_pwd_warn}"
 			echo "Using ${warn_days}"
 		fi
 		if ! expr "${warn_days}" : '^[0-9]+$' &> /dev/null
 		then
 			echo "Please use numbers only."
 			continue
 		fi
 		if test "${warn_days}" -gt 14
 		then
 			echo "Warning: you are using a value longer than two week."
 		fi
 		def_pwd_warn="${warn_days}"
 		return	
 	done
 }
 read_inactive_days() {
 	echo
 	while :
 	do
 		echo -en "Number of usable days after expiration: [${def_pwd_iact}] "
 		read iact_days
 		if test -z "${iact_days}"
 		then
 			iact_days="${def_pwd_iact}"
 			echo "Using ${iact_days}"
 			return
 		fi
 		if ! expr "${iact_days}" : '^[0-9]+$' &> /dev/null
 		then
 			echo "Please use numbers only."
 			continue
 		fi
 		if test "${iact_days}" -gt 14
 		then
 			echo "Warning: you are using a value that is more than two weeks."
 		fi
 		def_pwd_iact="${iact_days}"
 		return	
 	done
 }
 read_expire_date() {
 	local ans
 	echo
 	while :
 	do
 		echo -en "Expire date of this account (mm/dd/yy): [${def_expire:-never}] "
 		read ans
 		if test -z "${ans}"
 		then
 			if test -z "${def_expire}"
 			then
 				ans="never"
 			else
 				ans="${def_expire}"
 				echo "Using ${def_expire}"
 			fi
 		fi
 		if test "${ans}" = "never"
 		then
 			echo "Account will never expire."
 			def_expire=""
 			expire=""
 			return
 		fi
 		if ! expr "${ans}" : '^[0-9][0-9]/[0-9][0-9]/[0-9][0-9]$' &> /dev/null
 		then
 			echo "Please use format mm/dd/yy"
 			continue
 		fi
 		if ! expire_date="$(date -d ${ans} '+%A, %B %d %Y')"
 		then
 			continue
 		fi
 		def_expire="${expire}"
 		return	
 	done
 }
 read_passwd_yn() {
 	echo -en "\nDo you want to set password [Y/n] ? "
 	if read_yn 0
 	then
 		set_pwd="YES"
 	else
 		set_pwd=""
 	fi
 }
 print_values() {
 clear
 cat << EOM
 Login:        ${S}${login}${E}
 Group:        ${S}${group}${E}
 Other groups: ${S}${other_groups:-[none]}${E}
 Real Name:    ${S}${name}${E}
 uid:          ${S}${uid:-[first free]}${E}
 home:         ${S}${home}${E}
 shell:        ${S}${shell}${E}
 Account expiration date:                   ${S}${expire_date:-never}${E}
 Minimum days between password changes:     ${S}${min_days}${E}
 Maximum days between password changes:     ${S}${max_days}${E}
 Number of usable days after expiration:    ${S}${iact_days}${E}
 Number of warning days before expiration:  ${S}${warn_days}${E}
 ${S}${set_pwd:+Set password for this account.}${E}
 EOM
 }
 set_user() {
 	if ! useradd \
 		-c "${name}" \
 		-d "${home}" \
 		-g "${group}" \
 		-s "${shell}" \
 		${expire:+-e ${expire}} \
 		${uid:+-u ${uid}} \
 		${other_groups:+-G ${other_groups}} \
 		${login}
 	then
 		echo "Error ($?) in useradd...exiting..."
 		exit 1
 	fi
 }
 set_aging() {
 	if ! passwd \
 		-x ${max_days} \
 		-n ${min_days} \
 		-w ${warn_days} \
 		-i ${iact_days} \
 		${login}
 	then
 		echo "Error ($?) in setting password aging...exiting..." 
 		exit 1
 	fi
 }
 set_password() {
 	if test -n "${set_pwd}"
 	then
 		echo
 		passwd ${login}
 		echo
 	fi
 }	
 set_system() {
 	if test -d "${home}"
 	then
 		echo "Directory ${home} already exists."
 		echo "Skeleton files not copied."
 		return
 	fi
 	echo -n "Copying skeleton files..."
 	( 
 	  mkdir ${home}
 	  cd ${skel} && cp -af . ${home}
 	  chmod ${def_mode} ${home}
 	  chown -R ${login}:${group} ${home}
 	)
 	echo "done."
 	## Add your own stuff here:
 	echo -n "Setting up other files..."
 	(
 	  mailbox="/var/spool/mail/${login}"
 	  touch ${mailbox}
 	  chown "${login}:mail" ${mailbox}
 	  chmod 600 ${mailbox}
 	)
 	echo "done."
 }
 read_values() {
 	clear
 	echo -e "\nPlease answer the following questions about the new user to be added."
 	while :
 	do
 		read_login
 		read_name
 		read_group
 		read_other_groups
 		read_home
 		read_shell
 		read_uid
 		read_expire_date
 		read_max_valid_days
 		read_min_valid_days
 		read_warning_days
 		read_inactive_days
 		read_passwd_yn
 		print_values
 		echo -n "Is this correct [N/y] ? "
 		read_yn 1 && return
 	done
 }
 main() {
 	check_root
 	read_values
 	set_user
 	set_aging
 	set_system
 	set_password
 }
 ## Run it 8-)
 main
 # End.
--- a/contrib/groupmems.shar
+++ b/contrib/groupmems.shar
@@ -1,465 +0,0 @@
 #!/bin/sh
 # This is a shell archive (produced by GNU sharutils 4.2.1).
 # To extract the files from this archive, save it to some FILE, remove
 # everything before the `!/bin/sh' line above, then type `sh FILE'.
 #
 # Made on 2000-05-25 14:41 CDT by <gk4@gnu.austin.ibm.com>.
 # Source directory was `/home/gk4/src/groupmem'.
 #
 # Existing files will *not* be overwritten unless `-c' is specified.
 #
 # This shar contains:
 # length mode       name
 # ------ ---------- ------------------------------------------
 #   1960 -rw-r--r-- Makefile
 #   6348 -rw-r--r-- groupmems.c
 #   3372 -rw------- groupmems.8
 #
 save_IFS="${IFS}"
 IFS="${IFS}:"
 gettext_dir=FAILED
 locale_dir=FAILED
 first_param="$1"
 for dir in $PATH
 do
  if test "$gettext_dir" = FAILED && test -f $dir/gettext \
     && ($dir/gettext --version >/dev/null 2>&1)
  then
    set `$dir/gettext --version 2>&1`
    if test "$3" = GNU
    then
      gettext_dir=$dir
    fi
  fi
  if test "$locale_dir" = FAILED && test -f $dir/shar \
     && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
  then
    locale_dir=`$dir/shar --print-text-domain-dir`
  fi
 done
 IFS="$save_IFS"
 if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
 then
  echo=echo
 else
  TEXTDOMAINDIR=$locale_dir
  export TEXTDOMAINDIR
  TEXTDOMAIN=sharutils
  export TEXTDOMAIN
  echo="$gettext_dir/gettext -s"
 fi
 if touch -am -t 200112312359.59 $$.touch >/dev/null 2>&1 && test ! -f 200112312359.59 -a -f $$.touch; then
  shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
 elif touch -am 123123592001.59 $$.touch >/dev/null 2>&1 && test ! -f 123123592001.59 -a ! -f 123123592001.5 -a -f $$.touch; then
  shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
 elif touch -am 1231235901 $$.touch >/dev/null 2>&1 && test ! -f 1231235901 -a -f $$.touch; then
  shar_touch='touch -am $3$4$5$6$2 "$8"'
 else
  shar_touch=:
  echo
  $echo 'WARNING: not restoring timestamps.  Consider getting and'
  $echo "installing GNU \`touch', distributed in GNU File Utilities..."
  echo
 fi
 rm -f 200112312359.59 123123592001.59 123123592001.5 1231235901 $$.touch
 #
 if mkdir _sh10937; then
  $echo 'x -' 'creating lock directory'
 else
  $echo 'failed to create lock directory'
  exit 1
 fi
 # ============= Makefile ==============
 if test -f 'Makefile' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'Makefile' '(file already exists)'
 else
  $echo 'x -' extracting 'Makefile' '(text)'
  sed 's/^X//' << 'SHAR_EOF' > 'Makefile' &&
 /*
 # SPDX-FileCopyrightText: 2000, International Business Machines, Inc.
 # SPDX-FileCopyrightText: 2000, George Kraft IV, gk4@us.ibm.com
 # SPDX-License-Identifier: BSD-3-Clause
 # 
 X
 all: groupmems
 X
 groupmems: groupmems.c
 X	cc -g -o groupmems groupmems.c -L. -lshadow
 X
 install: groupmems
 X	-/usr/sbin/groupadd groups
 X	install -o root -g groups -m 4770 groupmems /usr/bin
 X
 install.man: groupmems.8
 X	install -o root -g root -m 644 groupmems.8 /usr/man/man8
 X
 SHAR_EOF
  (set 20 00 05 25 14 40 28 'Makefile'; eval "$shar_touch") &&
  chmod 0644 'Makefile' ||
  $echo 'restore of' 'Makefile' 'failed'
  if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
    || $echo 'Makefile:' 'MD5 check failed'
 b46cf7ef8d59149093c011ced3f3103c  Makefile
 SHAR_EOF
  else
    shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'Makefile'`"
    test 1960 -eq "$shar_count" ||
    $echo 'Makefile:' 'original size' '1960,' 'current size' "$shar_count!"
  fi
 fi
 # ============= groupmems.c ==============
 if test -f 'groupmems.c' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'groupmems.c' '(file already exists)'
 else
  $echo 'x -' extracting 'groupmems.c' '(text)'
  sed 's/^X//' << 'SHAR_EOF' > 'groupmems.c' &&
 /*
 X * SPDX-FileCopyrightText: 2000, International Business Machines, Inc.
 X * SPDX-FileCopyrightText: 2000, George Kraft IV, gk4@us.ibm.com
 X * SPDX-License-Identifier: BSD-3-Clause
 X */
 /*
 **
 **	Utility "groupmem" adds and deletes members from a user's group.
 **	
 **	Setup (as "root"):
 **	
 **		groupadd -r groups 
 **		chmod 2770 groupmems
 **		chown root.groups groupmems
 **		groupmems -g groups -a gk4
 **	
 **	Usage (as "gk4"):
 **	
 **		groupmems -a olive
 **		groupmems -a jordan
 **		groupmems -a meghan
 **		groupmems -a morgan
 **		groupmems -a jake
 **		groupmems -l 
 **		groupmems -d jake
 **		groupmems -l 
 */
 X
 #include <stdio.h>
 #include <pwd.h>
 #include <grp.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
 #include "defines.h"
 #include "groupio.h"
 X
 /* Exit Status Values */
 X
 #define EXIT_SUCCESS		0	/* success */
 #define EXIT_USAGE		1	/* invalid command syntax */
 #define EXIT_GROUP_FILE		2	/* group file access problems */
 #define EXIT_NOT_ROOT		3	/* not superuser  */
 #define EXIT_NOT_EROOT		4	/* not effective superuser  */
 #define EXIT_NOT_PRIMARY	5	/* not primary owner of group  */
 #define EXIT_NOT_MEMBER		6	/* member of group does not exist */
 #define EXIT_MEMBER_EXISTS	7	/* member of group already exists */
 X
 #define TRUE 1
 #define FALSE 0
 X
 /* Globals */
 X
 extern int optind;
 extern char *optarg;
 static char *adduser = NULL;
 static char *deluser = NULL;
 static char *thisgroup = NULL;
 static int purge = FALSE;
 static int list = FALSE;
 static int exclusive = 0;
 X
 static int isroot(void) {
 X	return getuid() ? FALSE : TRUE;
 }
 X
 static int isgroup(void) {
 X	gid_t g = getgid();
 X	struct group *grp = getgrgid(g);
 X
 X	return TRUE;
 }
 X
 static char *whoami(void) {
 X	struct group *grp = getgrgid(getgid());
 X	struct passwd *usr = getpwuid(getuid());
 X
 X	if (0 == strcmp(usr->pw_name, grp->gr_name)) {
 X		return (char *)strdup(usr->pw_name);
 X	} else {
 X		return NULL;
 X	} 
 }
 X
 static void
 addtogroup(char *user, char **members) {
 X	int i;
 X	char **pmembers;
 X
 X	for (i = 0; NULL != members[i]; i++ ) {
 X		if (0 == strcmp(user, members[i])) {
 X			fprintf(stderr, "Member already exists\n");
 X			exit(EXIT_MEMBER_EXISTS);
 X		}
 X	}
 X
 X	if (0 == i) {
 X		pmembers = (char **)calloc(2, sizeof(char *));
 X	} else {
 X		pmembers = (char **)realloc(members, sizeof(char *)*(i+1));
 X	}
 X
 X	*members = *pmembers;
 X	members[i] = user;
 X	members[i+1] = NULL;
 }
 X
 static void
 rmfromgroup(char *user, char **members) {
 X	int i;
 X	int found = FALSE;
 X
 X	i = 0;
 X	while (!found && NULL != members[i]) {
 X		if (0 == strcmp(user, members[i])) {
 X			found = TRUE;
 X		} else {
 X			i++;
 X		}
 X	}
 X
 X	while (found && NULL != members[i]) {
 X		members[i] = members[++i];
 X	}
 X
 X	if (!found) {
 X		fprintf(stderr, "Member to remove could not be found\n");
 X		exit(EXIT_NOT_MEMBER);
 X	}
 }
 X
 static void
 nomembers(char **members) {
 X	int i;
 X
 X	for (i = 0; NULL != members[i]; i++ ) {
 X		members[i] = NULL;
 X	}
 }
 X
 static void
 members(char **members) {
 X	int i;
 X
 X	for (i = 0; NULL != members[i]; i++ ) {
 X		printf("%s ", members[i]);
 X
 X		if (NULL == members[i+1]) {
 X			printf("\n");
 X		} else {
 X			printf(" ");
 X		}
 X	}
 }
 X
 static void usage(void) {
 X	fprintf(stderr, "usage: groupmems -a username | -d username | -D | -l [-g groupname]\n");
 X	exit(EXIT_USAGE);
 }
 X
 main(int argc, char **argv) {
 X	int arg, i;
 X	char *name;
 X	struct group *grp;
 X
 X	while ((arg = getopt(argc, argv, "a:d:g:Dl")) != EOF) {
 X		switch (arg) {
 X		case 'a':
 X			adduser = strdup(optarg);
 X			++exclusive;
 X			break;
 X		case 'd':
 X			deluser = strdup(optarg);
 X			++exclusive;
 X			break;
 X		case 'g':
 X			thisgroup = strdup(optarg);
 X			break;
 X		case 'D':
 X			purge = TRUE;
 X			++exclusive;
 X			break;
 X		case 'l':
 X			list = TRUE;
 X			++exclusive;
 X			break;
 X		default:
 X			usage();
 X		}
 X	}
 X
 X	if (exclusive > 1 || optind < argc) {
 X		usage();
 X	}
 X
 X	if (!isroot() && NULL != thisgroup) {
 X		fprintf(stderr, "Only root can add members to different groups\n");
 X		exit(EXIT_NOT_ROOT);
 X	} else if (isroot() && NULL != thisgroup) {
 X		name = thisgroup;
 X	} else if (!isgroup()) {
 X		fprintf(stderr, "Group access is required\n");
 X		exit(EXIT_NOT_EROOT);
 X	} else if (NULL == (name = whoami())) {
 X		fprintf(stderr, "Not primary owner of current group\n");
 X		exit(EXIT_NOT_PRIMARY);
 X	}
 X
 X	if (!gr_lock()) {
 X		fprintf(stderr, "Unable to lock group file\n");
 X		exit(EXIT_GROUP_FILE);
 X	}
 X
 X	if (!gr_open(O_RDWR)) {
 X		fprintf(stderr, "Unable to open group file\n");
 X		exit(EXIT_GROUP_FILE);
 X	}
 X
 X	grp = (struct group *)gr_locate(name);
 X
 X	if (NULL != adduser) {
 X		addtogroup(adduser, grp->gr_mem);
 X		gr_update(grp);
 X	} else if (NULL != deluser) {
 X		rmfromgroup(deluser, grp->gr_mem);
 X		gr_update(grp);
 X	} else if (purge) {
 X		nomembers(grp->gr_mem);
 X		gr_update(grp);
 X	} else if (list) {
 X		members(grp->gr_mem);
 X	}
 X
 X	if (!gr_close()) {
 X		fprintf(stderr, "Cannot close group file\n");
 X		exit(EXIT_GROUP_FILE);
 X	}
 X
 X	gr_unlock();
 X
 X	exit(EXIT_SUCCESS);
 }
 X
 /* EOF */
 SHAR_EOF
  (set 20 00 05 25 14 36 38 'groupmems.c'; eval "$shar_touch") &&
  chmod 0644 'groupmems.c' ||
  $echo 'restore of' 'groupmems.c' 'failed'
  if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
    || $echo 'groupmems.c:' 'MD5 check failed'
 f0dd68f8d762d89d24d3ce1f4141f981  groupmems.c
 SHAR_EOF
  else
    shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'groupmems.c'`"
    test 6348 -eq "$shar_count" ||
    $echo 'groupmems.c:' 'original size' '6348,' 'current size' "$shar_count!"
  fi
 fi
 # ============= groupmems.8 ==============
 if test -f 'groupmems.8' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'groupmems.8' '(file already exists)'
 else
  $echo 'x -' extracting 'groupmems.8' '(text)'
  sed 's/^X//' << 'SHAR_EOF' > 'groupmems.8' &&
 X.\"
 X.\" SPDX-FileCopyrightText: 2000, International Business Machines, Inc.
 X.\" SPDX-FileCopyrightText: 2000, George Kraft IV, gk4@us.ibm.com
 X.\" SPDX-License-Identifier: BSD-3-Clause
 X.\"
 X.\" $Id$
 X.\"
 X.TH GROUPMEMS 8
 X.SH NAME
 groupmems \- Administer members of a user's primary group
 X.SH SYNOPSIS
 X.B groupmems
 \fB-a\fI user_name \fR |
 \fB-d\fI user_name \fR |
 \fB-l\fR |
 \fB-D\fR |
 [\fB-g\fI group_name \fR]
 X.SH DESCRIPTION
 The \fBgroupmems\fR utility allows a user to administer their own
 group membership list without the requirement of superuser privileges.
 The \fBgroupmems\fR utility is for systems that configure its users to
 be in their own name sake primary group (i.e., guest / guest).
 X.P
 Only the superuser, as administrator, can use \fBgroupmems\fR to alter
 the memberships of other groups.
 X.IP "\fB-a \fIuser_name\fR"
 Add a new user to the group membership list.
 X.IP "\fB-d \fIuser_name\fR"
 Delete a user from the group membership list.
 X.IP "\fB-l\fR"
 List the group membership list.
 X.IP "\fB-D\fR"
 Delete all users from the group membership list.
 X.IP "\fB-g \fIgroup_name\fR"
 The superuser can specify which group membership list to modify.
 X.SH SETUP
 The \fBgroupmems\fR executable should be in mode \fB2770\fR as user \fBroot\fR
 and in group \fBgroups\fR.   The system administrator can add users to
 group groups to allow or disallow them using the  \fBgroupmems\fR utility
 to manager their own group membership list.
 X.P
 X     $ groupadd -r groups
 X.br
 X     $ chmod 2770 groupmems
 X.br
 X     $ chown root.groups groupmems
 X.br
 X     $ groupmems -g groups -a gk4
 X.SH FILES
 /etc/group
 X.br
 /etc/gshadow
 X.SH SEE ALSO
 X.BR chfn (1),
 X.BR chsh (1),
 X.BR useradd (8),
 X.BR userdel (8),
 X.BR usermod (8),
 X.BR passwd (1),
 X.BR groupadd (8),
 X.BR groupdel (8)
 X.SH AUTHOR
 George Kraft IV (gk4@us.ibm.com)
 X.\" EOF
 SHAR_EOF
  (set 20 00 05 25 14 38 23 'groupmems.8'; eval "$shar_touch") &&
  chmod 0600 'groupmems.8' ||
  $echo 'restore of' 'groupmems.8' 'failed'
  if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
    || $echo 'groupmems.8:' 'MD5 check failed'
 181e6cd3a3c9d3df320197fa2cde2b4a  groupmems.8
 SHAR_EOF
  else
    shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'groupmems.8'`"
    test 3372 -eq "$shar_count" ||
    $echo 'groupmems.8:' 'original size' '3372,' 'current size' "$shar_count!"
  fi
 fi
 rm -fr _sh10937
 exit 0
--- a/contrib/pwdauth.c
+++ b/contrib/pwdauth.c
@@ -1,308 +0,0 @@
 /*
 * pwdauth.c - program to verify a given username/password pair.
 *
 * Run it with username in argv[1] (may be omitted - default is the
 * current user), and send it the password over a pipe on stdin.
 * Exit status: 0 - correct password, 1 - wrong password, >1 - other
 * errors.  For use with shadow passwords, this program should be
 * installed setuid root.
 *
 * This can be used, for example, by xlock - you don't have to install
 * this large and complex (== possibly insecure) program setuid root,
 * just modify it to run this simple program to do the authentication.
 *
 * Recent versions (xlockmore-3.9) are cleaner, and drop privileges as
 * soon as possible after getting the user's encrypted password.
 * Using this program probably doesn't make it more secure, and has one
 * disadvantage: since we don't get the encrypted user's password at
 * startup (but at the time the user is authenticated), it is not clear
 * how we should handle errors (like getpwnam() returning NULL).
 * - fail the authentication?  Problem: no way to unlock (other than kill
 *   the process from somewhere else) if the NIS server stops responding.
 * - succeed and unlock?  Problem: it's too easy to unlock by unplugging
 *   the box from the network and waiting until NIS times out...
 *
 * This program is Copyright (C) 1996 Marek Michalkiewicz
 * <marekm@i17linuxb.ists.pwr.wroc.pl>.
 *
 * It may be used and distributed freely for any purposes.  There is no
 * warranty - use at your own risk.  I am not liable for any damages etc.
 * If you improve it, please send me your changes.
 */
 static char rcsid[] = "$Id$";
 /*
 * Define USE_SYSLOG to use syslog() to log successful and failed
 * authentication.  This should be safe even if your system has
 * the infamous syslog buffer overrun security problem...
 */
 #define USE_SYSLOG
 /*
 * Define HAVE_GETSPNAM to get shadow passwords using getspnam().
 * Some systems don't have getspnam(), but getpwnam() returns
 * encrypted passwords only if running as root.
 *
 * According to the xlock source (not tested, except Linux) -
 * define: Linux, Solaris 2.x, SVR4, ...
 * undef: HP-UX with Secured Passwords, FreeBSD, NetBSD, QNX.
 * Known not supported (yet): Ultrix, OSF/1, SCO.
 */
 #define HAVE_GETSPNAM
 /*
 * Define HAVE_PW_ENCRYPT to use pw_encrypt() instead of crypt().
 * pw_encrypt() is like the standard crypt(), except that it may
 * support better password hashing algorithms.
 *
 * Define if linking with libshadow.a from the shadow password
 * suite (Linux, SunOS 4.x?).
 */
 #undef HAVE_PW_ENCRYPT
 /*
 * Define HAVE_AUTH_METHODS to support the shadow suite specific
 * extension: the encrypted password field contains a list of
 * administrator defined authentication methods, separated by
 * semicolons.  This program only supports the standard password
 * authentication method (a string that doesn't start with '@').
 */
 #undef HAVE_AUTH_METHODS
 /*
 * FAIL_DELAY - number of seconds to sleep before exiting if the
 * password was wrong, to slow down password guessing attempts.
 */
 #define FAIL_DELAY 2
 /* No user-serviceable parts below :-).  */
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #include <pwd.h>
 #ifdef USE_SYSLOG
 #include <syslog.h>
 #ifndef LOG_AUTHPRIV
 #define LOG_AUTHPRIV LOG_AUTH
 #endif
 #endif
 #ifdef HAVE_GETSPNAM
 #include <shadow.h>
 #endif
 #ifdef HAVE_PW_ENCRYPT
 extern char *pw_encrypt();
 #define crypt pw_encrypt
 #endif
 /*
 * Read the password (one line) from fp.  We don't turn off echo
 * because we expect input from a pipe.
 */
 static char *
 get_line(fp)
 	FILE *fp;
 {
 	static char buf[128];
 	char *cp;
 	int ch;
 	cp = buf;
 	while ((ch = getc(fp)) != EOF && ch != '\0' && ch != '\n') {
 		if (cp >= buf + sizeof buf - 1)
 			break;
 		*cp++ = ch;
 	}
 	*cp = '\0';
 	return buf;
 }
 /*
 * Get the password file entry for the current user.  If the name
 * returned by getlogin() is correct (matches the current real uid),
 * return the entry for that user.  Otherwise, return the entry (if
 * any) matching the current real uid.  Return NULL on failure.
 */
 static struct passwd *
 get_my_pwent()
 {
 	uid_t uid = getuid();
 	char *name = getlogin();
 	if (name && *name) {
 		struct passwd *pw = getpwnam(name);
 		if (pw && pw->pw_uid == uid)
 			return pw;
 	}
 	return getpwuid(uid);
 }
 /*
 * Verify the password.  The system-dependent shadow support is here.
 */
 static int
 password_auth_ok(pw, pass)
 	const struct passwd *pw;
 	const char *pass;
 {
 	int result;
 	char *cp;
 #ifdef HAVE_AUTH_METHODS
 	char *buf;
 #endif
 #ifdef HAVE_GETSPNAM
 	struct spwd *sp;
 #endif
 	if (pw) {
 #ifdef HAVE_GETSPNAM
 		sp = getspnam(pw->pw_name);
 		if (sp)
 			cp = sp->sp_pwdp;
 		else
 #endif
 			cp = pw->pw_passwd;
 	} else
 		cp = "xx";
 #ifdef HAVE_AUTH_METHODS
 	buf = strdup(cp);  /* will be modified by strtok() */
 	if (!buf) {
 		fprintf(stderr, "Out of memory.\n");
 		exit(13);
 	}
 	cp = strtok(buf, ";");
 	while (cp && *cp == '@')
 		cp = strtok(NULL, ";");
 	/* fail if no password authentication for this user */
 	if (!cp)
 		cp = "xx";
 #endif
 	if (*pass || *cp)
 		result = (strcmp(crypt(pass, cp), cp) == 0);
 	else
 		result = 1;  /* user with no password */
 #ifdef HAVE_AUTH_METHODS
 	free(buf);
 #endif
 	return result;
 }
 /*
 * Main program.
 */
 int
 main(argc, argv)
 	int argc;
 	char **argv;
 {
 	struct passwd *pw;
 	char *pass, *name;
 	char myname[32];
 #ifdef USE_SYSLOG
 	openlog("pwdauth", LOG_PID | LOG_CONS, LOG_AUTHPRIV);
 #endif
 	pw = get_my_pwent();
 	if (!pw) {
 #ifdef USE_SYSLOG
 		syslog(LOG_ERR, "can't get login name for uid %d.\n",
 		       (int) getuid());
 #endif
 		fprintf(stderr, "Who are you?\n");
 		exit(2);
 	}
 	strncpy(myname, pw->pw_name, sizeof myname - 1);
 	myname[sizeof myname - 1] = '\0';
 	name = myname;
 	if (argc > 1) {
 		name = argv[1];
 		pw = getpwnam(name);
 	}
 	pass = get_line(stdin);
 	if (password_auth_ok(pw, pass)) {
 #ifdef USE_SYSLOG
 		syslog(pw->pw_uid ? LOG_INFO : LOG_NOTICE,
 		       "user `%s' entered correct password for `%.32s'.\n",
 		       myname, name);
 #endif
 		exit(0);
 	}
 #ifdef USE_SYSLOG
 	/* be careful not to overrun the syslog buffer */
 	syslog((!pw || pw->pw_uid) ? LOG_NOTICE : LOG_WARNING,
 	       "user `%s' entered incorrect password for `%.32s'.\n",
 	       myname, name);
 #endif
 #ifdef FAIL_DELAY
 	sleep(FAIL_DELAY);
 #endif
 	fprintf(stderr, "Wrong password.\n");
 	exit(1);
 }
 #if 0
 /*
 * You can use code similar to the following to run this program.
 * Return values: >=0 - program exit status (use the <sys/wait.h>
 * macros to get the exit code, it is shifted left by 8 bits),
 * -1 - check errno.
 */
 int
 verify_password(const char *username, const char *password)
 {
 	int pipe_fd[2];
 	int pid, wpid, status;
 	if (pipe(pipe_fd))
 		return -1;
 	if ((pid = fork()) == 0) {
 		char *arg[3];
 		char *env[1];
 		/* child */
 		close(pipe_fd[1]);
 		if (pipe_fd[0] != 0) {
 			if (dup2(pipe_fd[0], 0) != 0)
 				_exit(127);
 			close(pipe_fd[0]);
 		}
 		arg[0] = "/usr/bin/pwdauth";
 		arg[1] = username;
 		arg[2] = NULL;
 		env[0] = NULL;
 		execve(arg[0], arg, env);
 		_exit(127);
 	} else if (pid == -1) {
 		/* error */
 		close(pipe_fd[0]);
 		close(pipe_fd[1]);
 		return -1;
 	}
 	/* parent */
 	close(pipe_fd[0]);
 	write(pipe_fd[1], password, strlen(password));
 	write(pipe_fd[1], "\n", 1);
 	close(pipe_fd[1]);
 	while ((wpid = wait(&status)) != pid) {
 		if (wpid == -1)
 			return -1;
 	}
 	return status;
 }
 #endif
--- a/contrib/shadow-anonftp.patch
+++ b/contrib/shadow-anonftp.patch
@@ -1,147 +0,0 @@
 Hello Marek,
 I have created a diffile against the 980403 release that adds
 functionality to newusers for automatic handling of users with only
 anonymous ftp login (using the guestgroup feature in ftpaccess, which
 means that the users home directory looks like '/home/user/./'). It also
 adds a commandline argument to specify an initial directory structure
 for such users, with a tarball normally containing the bin,lib,etc
 directories used in the chrooted environment.
 I am using it to automatically create chunks of users with only ftp
 access for a webserver.
 I have tried to follow your coding standards and I believe it is bug
 free but.. well, who knows. :) It's not much code however.
 I hope you find it useful. Do what you like with it, feel free to ask if
 anything is unclear.
 Best rgds,
  Calle Karlsson
  ckn@kash.se
 diff -uNr shadow-980403.orig/src/newusers.c shadow-980403/src/newusers.c
 --- shadow-980403.orig/src/newusers.c	Fri Jan 30 00:22:43 1998
 +++ shadow-980403/src/newusers.c	Fri Apr 17 16:55:33 1998
@@ -76,11 +76,35 @@
 static void
 usage(void)
 {
 -	fprintf(stderr, "Usage: %s [ input ]\n", Prog);
 +	fprintf (stderr, "Usage: %s [-p prototype tarfile] [ input ]\n", Prog);
 +	fprintf (stderr, "The prototype tarfile is only used for users\n");
 +	fprintf (stderr, "marked as anonymous ftp users. It must be a full pathname.\n");
 	exit(1);
 }
 /*
 + * createuserdir - create a directory and chmod it
 + */
 +
 +static int
 +createuserdir (char * dir, int uid, int gid, int line)
 +{
 +	if (mkdir (dir, 0777 & ~getdef_num("UMASK", 077))) {
 +		fprintf (stderr, "%s: line %d: mkdir %s failed\n",
 +			 Prog, line, dir);
 +		return -1;
 +	}
 +
 +	if (chown (dir, uid, gid)) {
 +		fprintf (stderr, "%s: line %d: chown %s failed\n",
 +			 Prog, line, dir);
 +		return -1;
 +	}
 +
 +	return 0;
 +}
 +
 +/*
  * add_group - create a new group or add a user to an existing group
  */
@@ -328,6 +352,8 @@
 main(int argc, char **argv)
 {
 	char	buf[BUFSIZ];
 +	char	anonproto[BUFSIZ];
 +	int	flag;
 	char	*fields[8];
 	int	nfields;
 	char	*cp;
@@ -340,12 +366,23 @@
 	Prog = Basename(argv[0]);
 -	if (argc > 1 && argv[1][0] == '-')
 -		usage ();
 +	* anonproto = '\0';
 +
 +	while ((flag = getopt (argc, argv, "p:h")) != EOF) {
 +		switch (flag) {
 +		case 'p':
 +			STRFCPY(anonproto, optarg);
 +			break;
 +		case 'h':
 +		default:
 +			usage ();
 +			break;
 +		}
 +	}
 -	if (argc == 2) {
 -		if (! freopen (argv[1], "r", stdin)) {
 -			snprintf(buf, sizeof buf, "%s: %s", Prog, argv[1]);
 +	if (optind < argc) {
 +		if (! freopen (argv[optind], "r", stdin)) {
 +			snprintf(buf, sizeof buf, "%s: %s", Prog, argv[optind]);
 			perror (buf);
 			exit (1);
 		}
@@ -499,15 +536,36 @@
 		if (fields[6][0])
 			newpw.pw_shell = fields[6];
 -		if (newpw.pw_dir[0] && access(newpw.pw_dir, F_OK)) {
 -			if (mkdir (newpw.pw_dir,
 -					0777 & ~getdef_num("UMASK", 077)))
 -				fprintf (stderr, "%s: line %d: mkdir failed\n",
 -					Prog, line);
 -			else if (chown (newpw.pw_dir,
 -					newpw.pw_uid, newpw.pw_gid))
 -				fprintf (stderr, "%s: line %d: chown failed\n",
 -					Prog, line);
 +		if (newpw.pw_dir[0]) {
 +		        char * userdir = strdup (newpw.pw_dir);
 +			char * anonpart;
 +			int rc;
 +
 +			if ((anonpart = strstr (userdir, "/./"))) {
 +			        * anonpart = '\0';
 +				anonpart += 2;
 +			}
 +			
 +			if (access(userdir, F_OK))
 +				rc = createuserdir (userdir, newpw.pw_uid, newpw.pw_gid, line);
 +			else
 +				rc = 0;
 +
 +			if (rc == 0 && anonpart) {
 +				if (* anonproto) {
 +					char cmdbuf [BUFSIZ];
 +					snprintf(cmdbuf, sizeof cmdbuf,
 +						 "cd %s; tar xf %s",
 +						 userdir, anonproto);
 +					system (cmdbuf);
 +				}
 +				if (strlen (anonpart) > 1) {
 +					strcat (userdir, anonpart);
 +					if (access (userdir, F_OK))
 +						createuserdir (userdir, newpw.pw_uid, newpw.pw_gid, line);
 +				}
 +			}
 +			free (userdir);
 		}
 		/*
--- a/contrib/udbachk.tgz
+++ b/contrib/udbachk.tgz
--- a/doc/HOWTO
+++ b/doc/HOWTO
@@ -346,7 +346,7 @@
  return value points to static data whose content is overwritten by
  each call.
-  Warning: The key space consists of 2**56 equal 7.2e16 possible values.
+  Warning: the key space consists of 2**56 equal 7.2e16 possible values.
  Exhaustive searches of this key space are possible using massively
  parallel computers.  Software, such as crack(1), is available which
  will search the portion of this key space that is generally used by
@@ -471,12 +471,12 @@
  The Shadow Suite contains replacement programs for:
-  su, login, passwd, newgrp, chfn, chsh, and id
+  su, login, passwd, newgrp, chfn, chsh
  The package also contains the new programs:
  chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod,
-  groupadd, groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv,
+  groupadd, groupdel, groupmod, pwck, grpck, lastlog, pwconv,
  and pwunconv
  Additionally, the library: libshadow.a is included for writing and/or
@@ -586,8 +586,6 @@
  ·  /usr/bin/chsh
  ·  /usr/bin/id
  The BETA package has a save target in the Makefile, but it's commented
  out because different distributions place the programs in different
  places.
@@ -637,8 +635,6 @@
  ·  /usr/man/man1/chsh.1.gz
  ·  /usr/man/man1/id.1.gz
  ·  /usr/man/man1/login.1.gz
  ·  /usr/man/man1/passwd.1.gz
@@ -1000,7 +996,7 @@
  sudo for the shadow suite, is available as at:
  <ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz>
-  Warning: When you install sudo your /etc/sudoers file will be replaced
+  Warning: when you install sudo your /etc/sudoers file will be replaced
  with a default one, so you need to make a backup of it if you have
  added anything to the default one.  (you could also edit the Makefile
  and remove the line that copies the default file to /etc).
@@ -1377,7 +1373,7 @@
  users or changing the group password, the /etc/gshadow file will be
  changed.
-  The programs groups, groupadd, groupmod, and groupdel are provided as
+  The programs groupadd, groupmod, and groupdel are provided as
  part of the Shadow Suite to modify groups.
  The format of the /etc/group file is as follows:
@@ -1755,7 +1751,7 @@
      }
  #ifdef HAS_SHADOW
      if ((pw->pw_passwd && pw->pw_passwd[0] == '@'
-           && pw_auth (pw->pw_passwd+1, pw->pw_name, PW_LOGIN, NULL))
+           && pw_auth(pw->pw_passwd+1, pw->pw_name))
          || !valid (passwd, pw)) {
          return (UPAP_AUTHNAK);
      }
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -1,5 +1,4 @@
 # This is a dummy Makefile.am to get automake work flawlessly,
 # and also cooperate to make a distribution for `make dist'
-EXTRA_DIST = HOWTO README.limits \
+EXTRA_DIST = HOWTO README.limits
    README.platforms WISHLIST console.c.spec.txt cracklib26.diff
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.5 from Makefile.am.
+# Makefile.in generated by automake 1.18.1 from Makefile.am.
 # @configure_input@
-# Copyright (C) 1994-2021 Free Software Foundation, Inc.
+# Copyright (C) 1994-2025 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -72,6 +72,8 @@ am__make_running_with_option = \
  test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
 am__rm_f = rm -f $(am__rm_f_notfound)
 am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -133,6 +135,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
 AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AM_DISTCHECK_CONFIGURE_FLAGS = @AM_DISTCHECK_CONFIGURE_FLAGS@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -141,6 +144,8 @@ AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
 CMOCKA_LIBS = @CMOCKA_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CSCOPE = @CSCOPE@
@@ -159,6 +164,7 @@ EGREP = @EGREP@
 ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 FILECMD = @FILECMD@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
@@ -174,9 +180,15 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LIBACL = @LIBACL@
 LIBADD_DL = @LIBADD_DL@
 LIBADD_DLD_LINK = @LIBADD_DLD_LINK@
 LIBADD_DLOPEN = @LIBADD_DLOPEN@
 LIBADD_SHL_LOAD = @LIBADD_SHL_LOAD@
 LIBATTR = @LIBATTR@
 LIBAUDIT = @LIBAUDIT@
-LIBCRACK = @LIBCRACK@
+LIBBSD = @LIBBSD@
 LIBBSD_CFLAGS = @LIBBSD_CFLAGS@
 LIBBSD_LIBS = @LIBBSD_LIBS@
 LIBCRYPT = @LIBCRYPT@
 LIBECONF = @LIBECONF@
 LIBICONV = @LIBICONV@
@@ -192,14 +204,16 @@ LIBSUBID_ABI = @LIBSUBID_ABI@
 LIBSUBID_ABI_MAJOR = @LIBSUBID_ABI_MAJOR@
 LIBSUBID_ABI_MICRO = @LIBSUBID_ABI_MICRO@
 LIBSUBID_ABI_MINOR = @LIBSUBID_ABI_MINOR@
 LIBSYSTEMD = @LIBSYSTEMD@
 LIBTCB = @LIBTCB@
 LIBTOOL = @LIBTOOL@
 LIPO = @LIPO@
 LIYESCRYPT = @LIYESCRYPT@
 LN_S = @LN_S@
 LTLIBICONV = @LTLIBICONV@
 LTLIBINTL = @LTLIBINTL@
 LTLIBOBJS = @LTLIBOBJS@
 LT_DLLOADERS = @LT_DLLOADERS@
 LT_DLPREOPEN = @LT_DLPREOPEN@
 LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
 MAINT = @MAINT@
 MAKEINFO = @MAKEINFO@
@@ -222,6 +236,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 POSUB = @POSUB@
 RANLIB = @RANLIB@
 SED = @SED@
@@ -237,8 +254,6 @@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
@@ -249,8 +264,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
 am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -293,9 +310,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-EXTRA_DIST = HOWTO README.limits \
+EXTRA_DIST = HOWTO README.limits
    README.platforms WISHLIST console.c.spec.txt cracklib26.diff
 all: all-am
 .SUFFIXES:
@@ -340,6 +355,7 @@ ctags CTAGS:
 cscope cscopelist:
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -401,8 +417,8 @@ mostlyclean-generic:
 clean-generic:
 distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -493,3 +509,10 @@ uninstall-am:
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
 # Tell GNU make to disable its built-in pattern rules.
 %:: %,v
 %:: RCS/%,v
 %:: RCS/%
 %:: s.%
 %:: SCCS/s.%
--- a/doc/README.platforms
+++ b/doc/README.platforms
@@ -1,33 +0,0 @@
 # $Id$
 #
 # This is the current (still incomplete) list of platforms this
 # package has been verified to work on.  Additions (preferably
 # in the format as described below) are welcome.  Thanks!
 #
 # V: last version reported to work
 # H: host type
 # L: Linux libc version
 # D: Linux distribution, or other OS name and version
 # C: changes (if any)
 # R: reported by
 V: 980529
 H: sparc-unknown-linux-gnu
 L: glibc-2.0.7
 D: Ultrapenguin-1.0.9
 C: had to explicitly disable desrpc.
 R: Bjorn Christianson <bjorn@cascade.psychology.mcmaster.ca>
 V: 980724
 H: i486-pc-linux-gnulibc1
 L: libc-5.4.33
 D: Debian-1.3.1.r6
 C: none (use dpkg-buildpackage)
 R: Marek Michalkiewicz <marekm@linux.org.pl>
 V: current
 H: i686-pc-linux-gnu
 L: glibc-2.0.7.19981211
 D: Debian-2.1
 C: none (use dpkg-buildpackage)
 R: Marek Michalkiewicz <marekm@linux.org.pl>
--- a/doc/WISHLIST
+++ b/doc/WISHLIST
@@ -1,39 +0,0 @@
 $Id$
 This is my wishlist for the shadow suite, in no particular order.  Feel
 free to do anything from this list and mail me the diffs :-).
 Patches in diff -u format, against the latest version (sometimes in the
 "beta" directory) are preferred and make my job easier.  Please, no
 MIME, base64, quoted-printable, or HTML.  For very big patches, or if
 your mailer can corrupt them, please use gzip and uuencode.  Thanks!
 New ideas to add to this list are welcome, too.  --marekm
 - fix all the bugs, of course
 - implement "su only" accounts (no logins, only su from other account)
 - rewrite getdef.c to be more general? (no hardcoded names)
 - patch for rlogind/telnetd to create utmp entry and fill in ut_addr
 - option to specify encrypted password in passwd (for yppasswdd, so it
  doesn't need to know about shadow/non-shadow); should probably use a pipe
  (less insecure than command line arguments)
 - add support for changing NIS passwords
 - add option to check passwords by piping them to external programs
 - add functionality of the contrib/rpasswd.c wrapper to passwd
 - option to generate pronounceable passwords (like on SCO), external program?
 - poppassd (remote password change for eudora etc.)
 - add support for passwd/shadow db files (glibc)
 - vipw: check password files for errors after editing
 - add "maximum time users allowed to stay logged in" limit option to logoutd
 - handle quotes in /etc/environment like the shell does (but sshd doesn't...)
 - better utmpx support (logoutd, ...)
 - better OPIE support (report number of logins left, etc.)
 - new option for /etc/suauth: don't load user's environment (force "su -")
  suggested by Ulisses Alonso Camaro
 - find out why recent releases won't compile on Solaris
 - newusers should be able to copy /etc/skel to the new home directory
  (like useradd)
 - add directories where other packages can add hooks for package-specific
  per-user configuration, to be executed with run-parts. Some hooks should
  be executed at package install time for existing users, likewise for
  package removal and possibly modification.  (Debian Bug#36019)
--- a/doc/console.c.spec.txt
+++ b/doc/console.c.spec.txt
@@ -1,36 +0,0 @@
 $Id$
 Specification for console.c source file --
 input values --
 	tty -- character pointer to device name with leading "/dev/"
 	       removed.
 return values --
 	0 -- false
 	1 -- true
 int console (char * tty)
 	if "CONSOLE" string value is not present in login.defs
 		return true
 	if the first character of "CONSOLE" string value is not "/"
 		treat the string as a ":" delimited list of device
 		names and search for the value of tty in that
 		tokenized list.
 		if a match is found
 			return true
 		return false
 	if the file named by "CONSOLE" cannot be opened
 		return true
 	scan the file looking for a match between the input line
 	and the value of tty
 	if a match is found
 		return true
 	return false
--- a/doc/cracklib26.diff
+++ b/doc/cracklib26.diff
@@ -1,340 +0,0 @@
 diff -ur orig/cracklib26_small/cracklib/fascist.c cracklib26_small/cracklib/fascist.c
 --- orig/cracklib26_small/cracklib/fascist.c	Mon Dec 15 02:56:55 1997
 +++ cracklib26_small/cracklib/fascist.c	Sat Apr  4 22:14:45 1998
@@ -12,6 +12,7 @@
 #include <ctype.h>
 #include <sys/types.h>
 #include <pwd.h>
 +#include <string.h>
 #define ISSKIP(x) (isspace(x) || ispunct(x))
@@ -460,28 +461,27 @@
 }
 char *
 -FascistGecos(password, uid)
 +FascistGecosPw(password, pwd)
     char *password;
 -    int uid;
 +    struct passwd *pwd;
 {
     int i;
     int j;
     int wc;
     char *ptr;
 -    struct passwd *pwp;
     char gbuffer[STRINGSIZE];
     char tbuffer[STRINGSIZE];
     char *uwords[STRINGSIZE];
     char longbuffer[STRINGSIZE * 2];
 -    if (!(pwp = getpwuid(uid)))
 +    if (!pwd)
     {
 	return ("you are not registered in the password file");
     }
     /* lets get really paranoid and assume a dangerously long gecos entry */
 -    strncpy(tbuffer, pwp->pw_name, STRINGSIZE);
 +    strncpy(tbuffer, pwd->pw_name, STRINGSIZE);
     tbuffer[STRINGSIZE-1] = '\0';
     if (GTry(tbuffer, password))
     {
@@ -490,12 +490,13 @@
     /* it never used to be that you got passwd strings > 1024 chars, but now... */
 -    strncpy(tbuffer, pwp->pw_gecos, STRINGSIZE);
 +    strncpy(tbuffer, pwd->pw_gecos, STRINGSIZE);
     tbuffer[STRINGSIZE-1] = '\0';
     strcpy(gbuffer, Lowercase(tbuffer));
     wc = 0;
     ptr = gbuffer;
 +    uwords[0] = (char *) 0;
     while (*ptr)
     {
@@ -530,6 +531,8 @@
 	    *(ptr++) = '\0';
 	}
     }
 +    if (!uwords[0])
 +	return ((char *) 0);  /* empty gecos */
 #ifdef DEBUG
     for (i = 0; uwords[i]; i++)
     {
@@ -586,9 +589,10 @@
 }
 char *
 -FascistLook(pwp, instring)
 +FascistLookPw(pwp, instring, pwd)
     PWDICT *pwp;
     char *instring;
 +    struct passwd *pwd;
 {
     int i;
     char *ptr;
@@ -667,7 +671,7 @@
 	return ("it looks like a National Insurance number.");
     }
 -    if (ptr = FascistGecos(password, getuid()))
 +    if (ptr = FascistGecosPw(password, pwd ? pwd : getpwuid(getuid())))
     {
 	return (ptr);
     }
@@ -715,9 +719,10 @@
 }
 char *
 -FascistCheck(password, path)
 +FascistCheckPw(password, path, pwd)
     char *password;
     char *path;
 +    struct passwd *pwd;
 {
     static char lastpath[STRINGSIZE];
     static PWDICT *pwp;
@@ -750,5 +755,29 @@
 	strncpy(lastpath, path, STRINGSIZE);
     }
 -    return (FascistLook(pwp, pwtrunced));
 +    return (FascistLookPw(pwp, pwtrunced, pwd));
 +}
 +
 +char *
 +FascistGecos(password, uid)
 +    char *password;
 +    int uid;
 +{
 +    return (FascistGecosPw(password, getpwuid(uid)));
 +}
 +
 +char *
 +FascistLook(pwp, instring)
 +    PWDICT *pwp;
 +    char *instring;
 +{
 +    return (FascistLookPw(pwp, instring, (char *) 0));
 +}
 +
 +char *
 +FascistCheck(password, path)
 +    char *password;
 +    char *path;
 +{
 +    return (FascistCheckPw(password, path, (char *) 0));
 }
 diff -ur orig/cracklib26_small/cracklib/packer.h cracklib26_small/cracklib/packer.h
 --- orig/cracklib26_small/cracklib/packer.h	Mon Dec 15 00:09:30 1997
 +++ cracklib26_small/cracklib/packer.h	Sat Jan 10 22:13:46 1998
@@ -34,6 +34,7 @@
     FILE *dfp;
     FILE *wfp;
 +    int canfree;
     int32 flags;
 #define PFOR_WRITE	0x0001
 #define PFOR_FLUSH	0x0002
 diff -ur orig/cracklib26_small/cracklib/packlib.c cracklib26_small/cracklib/packlib.c
 --- orig/cracklib26_small/cracklib/packlib.c	Fri Jul  9 22:22:58 1993
 +++ cracklib26_small/cracklib/packlib.c	Sat Jan 10 22:28:49 1998
@@ -16,7 +16,7 @@
     char *mode;
 {
     int32 i;
 -    static PWDICT pdesc;
 +    PWDICT *pdesc;
     char iname[STRINGSIZE];
     char dname[STRINGSIZE];
     char wname[STRINGSIZE];
@@ -25,92 +25,94 @@
     FILE *ifp;
     FILE *wfp;
 -    if (pdesc.header.pih_magic == PIH_MAGIC)
 -    {
 -	fprintf(stderr, "%s: another dictionary already open\n", prefix);
 +    if ((pdesc = (PWDICT *) malloc(sizeof(PWDICT))) == 0)
 	return ((PWDICT *) 0);
 -    }
 -    memset(&pdesc, '\0', sizeof(pdesc));
 +    memset(pdesc, '\0', sizeof(*pdesc));
     sprintf(iname, "%s.pwi", prefix);
     sprintf(dname, "%s.pwd", prefix);
     sprintf(wname, "%s.hwm", prefix);
 -    if (!(pdesc.dfp = fopen(dname, mode)))
 +    if (!(pdesc->dfp = fopen(dname, mode)))
     {
 	perror(dname);
 +	free(pdesc);
 	return ((PWDICT *) 0);
     }
 -    if (!(pdesc.ifp = fopen(iname, mode)))
 +    if (!(pdesc->ifp = fopen(iname, mode)))
     {
 -	fclose(pdesc.dfp);
 +	fclose(pdesc->dfp);
 	perror(iname);
 +	free(pdesc);
 	return ((PWDICT *) 0);
     }
 -    if (pdesc.wfp = fopen(wname, mode))
 +    if (pdesc->wfp = fopen(wname, mode))
     {
 -	pdesc.flags |= PFOR_USEHWMS;
 +	pdesc->flags |= PFOR_USEHWMS;
     }
 -    ifp = pdesc.ifp;
 -    dfp = pdesc.dfp;
 -    wfp = pdesc.wfp;
 +    ifp = pdesc->ifp;
 +    dfp = pdesc->dfp;
 +    wfp = pdesc->wfp;
     if (mode[0] == 'w')
     {
 -	pdesc.flags |= PFOR_WRITE;
 -	pdesc.header.pih_magic = PIH_MAGIC;
 -	pdesc.header.pih_blocklen = NUMWORDS;
 -	pdesc.header.pih_numwords = 0;
 +	pdesc->flags |= PFOR_WRITE;
 +	pdesc->header.pih_magic = PIH_MAGIC;
 +	pdesc->header.pih_blocklen = NUMWORDS;
 +	pdesc->header.pih_numwords = 0;
 -	fwrite((char *) &pdesc.header, sizeof(pdesc.header), 1, ifp);
 +	fwrite((char *) &pdesc->header, sizeof(pdesc->header), 1, ifp);
     } else
     {
 -	pdesc.flags &= ~PFOR_WRITE;
 +	pdesc->flags &= ~PFOR_WRITE;
 -	if (!fread((char *) &pdesc.header, sizeof(pdesc.header), 1, ifp))
 +	if (!fread((char *) &pdesc->header, sizeof(pdesc->header), 1, ifp))
 	{
 	    fprintf(stderr, "%s: error reading header\n", prefix);
 -	    pdesc.header.pih_magic = 0;
 +	    pdesc->header.pih_magic = 0;
 	    fclose(ifp);
 	    fclose(dfp);
 +	    free(pdesc);
 	    return ((PWDICT *) 0);
 	}
 -	if (pdesc.header.pih_magic != PIH_MAGIC)
 +	if (pdesc->header.pih_magic != PIH_MAGIC)
 	{
 	    fprintf(stderr, "%s: magic mismatch\n", prefix);
 -	    pdesc.header.pih_magic = 0;
 +	    pdesc->header.pih_magic = 0;
 	    fclose(ifp);
 	    fclose(dfp);
 +	    free(pdesc);
 	    return ((PWDICT *) 0);
 	}
 -	if (pdesc.header.pih_blocklen != NUMWORDS)
 +	if (pdesc->header.pih_blocklen != NUMWORDS)
 	{
 	    fprintf(stderr, "%s: size mismatch\n", prefix);
 -	    pdesc.header.pih_magic = 0;
 +	    pdesc->header.pih_magic = 0;
 	    fclose(ifp);
 	    fclose(dfp);
 +	    free(pdesc);
 	    return ((PWDICT *) 0);
 	}
 -	if (pdesc.flags & PFOR_USEHWMS)
 +	if (pdesc->flags & PFOR_USEHWMS)
 	{
 -	    if (fread(pdesc.hwms, 1, sizeof(pdesc.hwms), wfp) != sizeof(pdesc.hwms))
 +	    if (fread(pdesc->hwms, 1, sizeof(pdesc->hwms), wfp) != sizeof(pdesc->hwms))
 	    {
 -		pdesc.flags &= ~PFOR_USEHWMS;
 +		pdesc->flags &= ~PFOR_USEHWMS;
 	    }
 	}
     }
 -
 -    return (&pdesc);
 +    pdesc->canfree = 1;
 +    return (pdesc);
 }
 int
@@ -159,8 +161,13 @@
     fclose(pwp->ifp);
     fclose(pwp->dfp);
 +    if (pwp->wfp)
 +	fclose(pwp->wfp);
 -    pwp->header.pih_magic = 0;
 +    if (pwp->canfree)
 +	free(pwp);
 +    else
 +	pwp->header.pih_magic = 0;
     return (0);
 }
@@ -307,6 +314,11 @@
     register char *this;
     int idx;
 +/*
 + * comment in npasswd-2.0beta4 says this:
 + * This does not work under all circumstances, so don't bother
 + */
 +#if 0
     if (pwp->flags & PFOR_USEHWMS)
     {
 	idx = string[0] & 0xff;
@@ -317,6 +329,10 @@
     	lwm = 0;
     	hwm = PW_WORDS(pwp) - 1;
     }
 +#else
 +    lwm = 0;
 +    hwm = PW_WORDS(pwp);
 +#endif
 #ifdef DEBUG
     printf("---- %lu, %lu ----\n", lwm, hwm);
 diff -ur orig/cracklib26_small/util/mkdict cracklib26_small/util/mkdict
 --- orig/cracklib26_small/util/mkdict	Fri Jul  9 22:23:03 1993
 +++ cracklib26_small/util/mkdict	Sat Apr  4 22:31:45 1998
@@ -14,9 +14,16 @@
 SORT="sort"
 ###SORT="sort -T /tmp"
 -cat $* |
 +### Use zcat to read compressed (as well as uncompressed) dictionaries.
 +### Compressed dictionaries can save quite a lot of disk space.
 +
 +CAT="gzip -cdf"
 +###CAT="zcat"
 +###CAT="cat"
 +
 +$CAT $* |
 	tr '[A-Z]' '[a-z]' |
 -	tr -cd '[\012a-z0-9]' |
 +	tr -cd '\012[a-z][0-9]' |
 	$SORT |
 	uniq |
 	grep -v '^#' |
--- a/etc/Makefile.am
+++ b/etc/Makefile.am
@@ -20,4 +20,4 @@ EXTRA_DIST = \
 	$(sysconf_DATA) \
 	$(default_DATA)
-SUBDIRS = pam.d
+SUBDIRS = pam.d shadow-maint
--- a/etc/Makefile.in
+++ b/etc/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.5 from Makefile.am.
+# Makefile.in generated by automake 1.18.1 from Makefile.am.
 # @configure_input@
-# Copyright (C) 1994-2021 Free Software Foundation, Inc.
+# Copyright (C) 1994-2025 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -73,6 +73,8 @@ am__make_running_with_option = \
  test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
 am__rm_f = rm -f $(am__rm_f_notfound)
 am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -158,10 +160,9 @@ am__base_list = \
  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__uninstall_files_from_dir = { \
-  test -z "$$files" \
+  { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+  || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+       $(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
         $(am__cd) "$$dir" && rm -f $$files; }; \
  }
 am__installdirs = "$(DESTDIR)$(defaultdir)" "$(DESTDIR)$(nonpamdir)" \
 	"$(DESTDIR)$(sysconfdir)"
@@ -222,6 +223,7 @@ am__relativize = \
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
 AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AM_DISTCHECK_CONFIGURE_FLAGS = @AM_DISTCHECK_CONFIGURE_FLAGS@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -230,6 +232,8 @@ AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
 CMOCKA_LIBS = @CMOCKA_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CSCOPE = @CSCOPE@
@@ -248,6 +252,7 @@ EGREP = @EGREP@
 ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 FILECMD = @FILECMD@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
@@ -263,9 +268,15 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LIBACL = @LIBACL@
 LIBADD_DL = @LIBADD_DL@
 LIBADD_DLD_LINK = @LIBADD_DLD_LINK@
 LIBADD_DLOPEN = @LIBADD_DLOPEN@
 LIBADD_SHL_LOAD = @LIBADD_SHL_LOAD@
 LIBATTR = @LIBATTR@
 LIBAUDIT = @LIBAUDIT@
-LIBCRACK = @LIBCRACK@
+LIBBSD = @LIBBSD@
 LIBBSD_CFLAGS = @LIBBSD_CFLAGS@
 LIBBSD_LIBS = @LIBBSD_LIBS@
 LIBCRYPT = @LIBCRYPT@
 LIBECONF = @LIBECONF@
 LIBICONV = @LIBICONV@
@@ -281,14 +292,16 @@ LIBSUBID_ABI = @LIBSUBID_ABI@
 LIBSUBID_ABI_MAJOR = @LIBSUBID_ABI_MAJOR@
 LIBSUBID_ABI_MICRO = @LIBSUBID_ABI_MICRO@
 LIBSUBID_ABI_MINOR = @LIBSUBID_ABI_MINOR@
 LIBSYSTEMD = @LIBSYSTEMD@
 LIBTCB = @LIBTCB@
 LIBTOOL = @LIBTOOL@
 LIPO = @LIPO@
 LIYESCRYPT = @LIYESCRYPT@
 LN_S = @LN_S@
 LTLIBICONV = @LTLIBICONV@
 LTLIBINTL = @LTLIBINTL@
 LTLIBOBJS = @LTLIBOBJS@
 LT_DLLOADERS = @LT_DLLOADERS@
 LT_DLPREOPEN = @LT_DLPREOPEN@
 LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
 MAINT = @MAINT@
 MAKEINFO = @MAKEINFO@
@@ -311,6 +324,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 POSUB = @POSUB@
 RANLIB = @RANLIB@
 SED = @SED@
@@ -326,8 +342,6 @@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
@@ -338,8 +352,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
 am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -396,7 +412,7 @@ EXTRA_DIST = \
 	$(sysconf_DATA) \
 	$(default_DATA)
-SUBDIRS = pam.d
+SUBDIRS = pam.d shadow-maint
 all: all-recursive
 .SUFFIXES:
@@ -597,6 +613,7 @@ cscopelist-am: $(am__tagged_files)
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -687,8 +704,8 @@ mostlyclean-generic:
 clean-generic:
 distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -784,3 +801,10 @@ uninstall-am: uninstall-defaultDATA uninstall-nonpamDATA \
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
 # Tell GNU make to disable its built-in pattern rules.
 %:: %,v
 %:: RCS/%,v
 %:: RCS/%
 %:: s.%
 %:: SCCS/s.%
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -6,7 +6,7 @@
 #
 # Delay in seconds before being allowed another attempt after a login failure
-# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
+# Note: when PAM is used, some modules may enforce a minimum delay (e.g.
 #       pam_unix(8) enforces a 2s delay)
 #
 FAIL_DELAY		3
@@ -227,11 +227,6 @@ PASS_WARN_AGE	7
 #
 SU_WHEEL_ONLY	no
 #
 # If compiled with cracklib support, sets the path to the dictionaries
 #
 CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
 #
 # Min/max values for automatic uid selection in useradd(8)
 #
@@ -281,7 +276,7 @@ PASS_ALWAYS_WARN	yes
 #
 # Number of significant characters in the password for crypt().
 # Default is 8, don't change unless your crypt() is better.
-# Ignored if MD5_CRYPT_ENAB set to "yes".
+# Only used for DES encryption algorithm.
 #
 #PASS_MAX_LEN		8
@@ -313,7 +308,7 @@ CHFN_RESTRICT		rwh
 # Set to "no" if you need to copy encrypted passwords to other systems
 # which don't understand the new algorithm.  Default is "no".
 #
-# Note: If you use PAM, it is recommended to use a value consistent with
+# Note: if you use PAM, it is recommended to use a value consistent with
 # the PAM modules configuration.
 #
 # This variable is deprecated. You should use ENCRYPT_METHOD instead.
@@ -331,7 +326,7 @@ CHFN_RESTRICT		rwh
 # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
 # Overrides the MD5_CRYPT_ENAB option
 #
-# Note: If you use PAM, it is recommended to use a value consistent with
+# Note: if you use PAM, it is recommended to use a value consistent with
 # the PAM modules configuration.
 #
 #ENCRYPT_METHOD DES
@@ -472,7 +467,7 @@ PREVENT_NO_AUTH superuser
 # Used in pam_timestamp module to calculate the keyed-hash message
 # authentication code.
 #
-# Note: It is recommended to check hmac(3) to see the possible algorithms
+# Note: it is recommended to check hmac(3) to see the possible algorithms
 # that are available in your system.
 #
 #HMAC_CRYPTO_ALGO SHA512
--- a/etc/pam.d/Makefile.am
+++ b/etc/pam.d/Makefile.am
@@ -2,20 +2,19 @@
 # and also cooperate to make a distribution for `make dist'
 pamd_files = \
 	chpasswd \
 	chfn \
 	chsh \
 	groupmems \
 	login \
 	newusers \
 	passwd
 pamd_acct_tools_files = \
 	chage \
 	chgpasswd \
 	chpasswd \
 	groupadd \
 	groupdel \
 	groupmod \
 	newusers \
 	useradd \
 	userdel \
 	usermod
--- a/etc/pam.d/Makefile.in
+++ b/etc/pam.d/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.5 from Makefile.am.
+# Makefile.in generated by automake 1.18.1 from Makefile.am.
 # @configure_input@
-# Copyright (C) 1994-2021 Free Software Foundation, Inc.
+# Copyright (C) 1994-2025 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -73,6 +73,8 @@ am__make_running_with_option = \
  test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
 am__rm_f = rm -f $(am__rm_f_notfound)
 am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -152,10 +154,9 @@ am__base_list = \
  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__uninstall_files_from_dir = { \
-  test -z "$$files" \
+  { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+  || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+       $(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
         $(am__cd) "$$dir" && rm -f $$files; }; \
  }
 am__installdirs = "$(DESTDIR)$(pamddir)"
 DATA = $(pamd_DATA)
@@ -165,6 +166,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
 AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AM_DISTCHECK_CONFIGURE_FLAGS = @AM_DISTCHECK_CONFIGURE_FLAGS@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -173,6 +175,8 @@ AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
 CMOCKA_LIBS = @CMOCKA_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CSCOPE = @CSCOPE@
@@ -191,6 +195,7 @@ EGREP = @EGREP@
 ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 FILECMD = @FILECMD@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
@@ -206,9 +211,15 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LIBACL = @LIBACL@
 LIBADD_DL = @LIBADD_DL@
 LIBADD_DLD_LINK = @LIBADD_DLD_LINK@
 LIBADD_DLOPEN = @LIBADD_DLOPEN@
 LIBADD_SHL_LOAD = @LIBADD_SHL_LOAD@
 LIBATTR = @LIBATTR@
 LIBAUDIT = @LIBAUDIT@
-LIBCRACK = @LIBCRACK@
+LIBBSD = @LIBBSD@
 LIBBSD_CFLAGS = @LIBBSD_CFLAGS@
 LIBBSD_LIBS = @LIBBSD_LIBS@
 LIBCRYPT = @LIBCRYPT@
 LIBECONF = @LIBECONF@
 LIBICONV = @LIBICONV@
@@ -224,14 +235,16 @@ LIBSUBID_ABI = @LIBSUBID_ABI@
 LIBSUBID_ABI_MAJOR = @LIBSUBID_ABI_MAJOR@
 LIBSUBID_ABI_MICRO = @LIBSUBID_ABI_MICRO@
 LIBSUBID_ABI_MINOR = @LIBSUBID_ABI_MINOR@
 LIBSYSTEMD = @LIBSYSTEMD@
 LIBTCB = @LIBTCB@
 LIBTOOL = @LIBTOOL@
 LIPO = @LIPO@
 LIYESCRYPT = @LIYESCRYPT@
 LN_S = @LN_S@
 LTLIBICONV = @LTLIBICONV@
 LTLIBINTL = @LTLIBINTL@
 LTLIBOBJS = @LTLIBOBJS@
 LT_DLLOADERS = @LT_DLLOADERS@
 LT_DLPREOPEN = @LT_DLPREOPEN@
 LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
 MAINT = @MAINT@
 MAKEINFO = @MAKEINFO@
@@ -254,6 +267,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 POSUB = @POSUB@
 RANLIB = @RANLIB@
 SED = @SED@
@@ -269,8 +285,6 @@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
@@ -281,8 +295,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
 am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -325,15 +341,13 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-pamd_files = chfn chsh groupmems login passwd $(am__append_2)
+pamd_files = chpasswd chfn chsh groupmems login newusers passwd \
 	$(am__append_2)
 pamd_acct_tools_files = \
 	chage \
 	chgpasswd \
 	chpasswd \
 	groupadd \
 	groupdel \
 	groupmod \
 	newusers \
 	useradd \
 	userdel \
 	usermod
@@ -406,6 +420,7 @@ ctags CTAGS:
 cscope cscopelist:
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -470,8 +485,8 @@ mostlyclean-generic:
 clean-generic:
 distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -562,3 +577,10 @@ uninstall-am: uninstall-pamdDATA
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
 # Tell GNU make to disable its built-in pattern rules.
 %:: %,v
 %:: RCS/%,v
 %:: RCS/%
 %:: s.%
 %:: SCCS/s.%
--- a/etc/pam.d/chage
+++ b/etc/pam.d/chage
@@ -1,4 +0,0 @@
 #%PAM-1.0
 auth		sufficient	pam_rootok.so
 account		required	pam_permit.so
 password	include		system-auth
--- a/etc/shadow-maint/Makefile.am
+++ b/etc/shadow-maint/Makefile.am
@@ -0,0 +1,5 @@
 shadowmaint_files = \
 	groupdel-pre.d/01-kill_group_procs.sh \
 	userdel-pre.d/01-kill_user_procs.sh
 EXTRA_DIST = $(shadowmaint_files)
--- a/etc/shadow-maint/Makefile.in
+++ b/etc/shadow-maint/Makefile.in
@@ -0,0 +1,519 @@
 # Makefile.in generated by automake 1.18.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994-2025 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY, to the extent permitted by law; without
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
@SET_MAKE@
 VPATH = @srcdir@
 am__is_gnu_make = { \
  if test -z '$(MAKELEVEL)'; then \
    false; \
  elif test -n '$(MAKE_HOST)'; then \
    true; \
  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
    true; \
  else \
    false; \
  fi; \
 }
 am__make_running_with_option = \
  case $${target_option-} in \
      ?) ;; \
      *) echo "am__make_running_with_option: internal error: invalid" \
              "target option '$${target_option-}' specified" >&2; \
         exit 1;; \
  esac; \
  has_opt=no; \
  sane_makeflags=$$MAKEFLAGS; \
  if $(am__is_gnu_make); then \
    sane_makeflags=$$MFLAGS; \
  else \
    case $$MAKEFLAGS in \
      *\\[\ \	]*) \
        bs=\\; \
        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
    esac; \
  fi; \
  skip_next=no; \
  strip_trailopt () \
  { \
    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
  }; \
  for flg in $$sane_makeflags; do \
    test $$skip_next = yes && { skip_next=no; continue; }; \
    case $$flg in \
      *=*|--*) continue;; \
        -*I) strip_trailopt 'I'; skip_next=yes;; \
      -*I?*) strip_trailopt 'I';; \
        -*O) strip_trailopt 'O'; skip_next=yes;; \
      -*O?*) strip_trailopt 'O';; \
        -*l) strip_trailopt 'l'; skip_next=yes;; \
      -*l?*) strip_trailopt 'l';; \
      -[dEDm]) skip_next=yes;; \
      -[JT]) skip_next=yes;; \
    esac; \
    case $$flg in \
      *$$target_option*) has_opt=yes; break;; \
    esac; \
  done; \
  test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
 am__rm_f = rm -f $(am__rm_f_notfound)
 am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
 INSTALL_HEADER = $(INSTALL_DATA)
 transform = $(program_transform_name)
 NORMAL_INSTALL = :
 PRE_INSTALL = :
 POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 subdir = etc/shadow-maint
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
 	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
 	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
 	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
 	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
 	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
 	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
 	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
 	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
 am__v_P_0 = false
 am__v_P_1 = :
 AM_V_GEN = $(am__v_GEN_@AM_V@)
 am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
 am__v_GEN_0 = @echo "  GEN     " $@;
 am__v_GEN_1 = 
 AM_V_at = $(am__v_at_@AM_V@)
 am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
 am__v_at_0 = @
 am__v_at_1 = 
 SOURCES =
 DIST_SOURCES =
 am__can_run_installinfo = \
  case $$AM_UPDATE_INFO_DIR in \
    n|no|NO) false;; \
    *) (install-info --version) >/dev/null 2>&1;; \
  esac
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
 am__DIST_COMMON = $(srcdir)/Makefile.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
 AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AM_DISTCHECK_CONFIGURE_FLAGS = @AM_DISTCHECK_CONFIGURE_FLAGS@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
 CMOCKA_LIBS = @CMOCKA_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CSCOPE = @CSCOPE@
 CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 ECONF_CPPFLAGS = @ECONF_CPPFLAGS@
 EGREP = @EGREP@
 ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 FILECMD = @FILECMD@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
 GROUP_NAME_MAX_LENGTH = @GROUP_NAME_MAX_LENGTH@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 INTLLIBS = @INTLLIBS@
 INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LIBACL = @LIBACL@
 LIBADD_DL = @LIBADD_DL@
 LIBADD_DLD_LINK = @LIBADD_DLD_LINK@
 LIBADD_DLOPEN = @LIBADD_DLOPEN@
 LIBADD_SHL_LOAD = @LIBADD_SHL_LOAD@
 LIBATTR = @LIBATTR@
 LIBAUDIT = @LIBAUDIT@
 LIBBSD = @LIBBSD@
 LIBBSD_CFLAGS = @LIBBSD_CFLAGS@
 LIBBSD_LIBS = @LIBBSD_LIBS@
 LIBCRYPT = @LIBCRYPT@
 LIBECONF = @LIBECONF@
 LIBICONV = @LIBICONV@
 LIBINTL = @LIBINTL@
 LIBMD = @LIBMD@
 LIBOBJS = @LIBOBJS@
 LIBPAM = @LIBPAM@
 LIBS = @LIBS@
 LIBSELINUX = @LIBSELINUX@
 LIBSEMANAGE = @LIBSEMANAGE@
 LIBSKEY = @LIBSKEY@
 LIBSUBID_ABI = @LIBSUBID_ABI@
 LIBSUBID_ABI_MAJOR = @LIBSUBID_ABI_MAJOR@
 LIBSUBID_ABI_MICRO = @LIBSUBID_ABI_MICRO@
 LIBSUBID_ABI_MINOR = @LIBSUBID_ABI_MINOR@
 LIBSYSTEMD = @LIBSYSTEMD@
 LIBTCB = @LIBTCB@
 LIBTOOL = @LIBTOOL@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBICONV = @LTLIBICONV@
 LTLIBINTL = @LTLIBINTL@
 LTLIBOBJS = @LTLIBOBJS@
 LT_DLLOADERS = @LT_DLLOADERS@
 LT_DLPREOPEN = @LT_DLPREOPEN@
 LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
 MAINT = @MAINT@
 MAKEINFO = @MAKEINFO@
 MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 MSGFMT = @MSGFMT@
 MSGFMT_015 = @MSGFMT_015@
 MSGMERGE = @MSGMERGE@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 POSUB = @POSUB@
 RANLIB = @RANLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 USE_NLS = @USE_NLS@
 VENDORDIR = @VENDORDIR@
 VERSION = @VERSION@
 XGETTEXT = @XGETTEXT@
 XGETTEXT_015 = @XGETTEXT_015@
 XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
 am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 capcmd = @capcmd@
 datadir = @datadir@
 datarootdir = @datarootdir@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
 htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
 runstatedir = @runstatedir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 shadowmaint_files = \
 	groupdel-pre.d/01-kill_group_procs.sh \
 	userdel-pre.d/01-kill_user_procs.sh
 EXTRA_DIST = $(shadowmaint_files)
 all: all-am
 .SUFFIXES:
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
 	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
 	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
 	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign etc/shadow-maint/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
 	  $(AUTOMAKE) --foreign etc/shadow-maint/Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
 	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
 	  *) \
 	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
 	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
 	esac;
 $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
 mostlyclean-libtool:
 	-rm -f *.lo
 clean-libtool:
 	-rm -rf .libs _libs
 tags TAGS:
 ctags CTAGS:
 cscope cscopelist:
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 distdir-am: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
 	  dist_files=`for file in $$list; do echo $$file; done | \
 	  sed -e "s|^$$srcdirstrip/||;t" \
 	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
 	case $$dist_files in \
 	  */*) $(MKDIR_P) `echo "$$dist_files" | \
 			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
 			   sort -u` ;; \
 	esac; \
 	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d "$(distdir)/$$file"; then \
 	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
 	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
 	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
 	    test -f "$(distdir)/$$file" \
 	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
 check-am: all-am
 check: check-am
 all-am: Makefile
 installdirs:
 install: install-am
 install-exec: install-exec-am
 install-data: install-data-am
 uninstall: uninstall-am
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 installcheck: installcheck-am
 install-strip:
 	if test -z '$(STRIP)'; then \
 	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
 	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
 	      install; \
 	else \
 	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
 	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
 	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
 	fi
 mostlyclean-generic:
 clean-generic:
 distclean-generic:
 	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 clean-am: clean-generic clean-libtool mostlyclean-am
 distclean: distclean-am
 	-rm -f Makefile
 distclean-am: clean-am distclean-generic
 dvi: dvi-am
 dvi-am:
 html: html-am
 html-am:
 info: info-am
 info-am:
 install-data-am:
 install-dvi: install-dvi-am
 install-dvi-am:
 install-exec-am:
 install-html: install-html-am
 install-html-am:
 install-info: install-info-am
 install-info-am:
 install-man:
 install-pdf: install-pdf-am
 install-pdf-am:
 install-ps: install-ps-am
 install-ps-am:
 installcheck-am:
 maintainer-clean: maintainer-clean-am
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 mostlyclean: mostlyclean-am
 mostlyclean-am: mostlyclean-generic mostlyclean-libtool
 pdf: pdf-am
 pdf-am:
 ps: ps-am
 ps-am:
 uninstall-am:
 .MAKE: install-am install-strip
 .PHONY: all all-am check check-am clean clean-generic clean-libtool \
 	cscopelist-am ctags-am distclean distclean-generic \
 	distclean-libtool distdir dvi dvi-am html html-am info info-am \
 	install install-am install-data install-data-am install-dvi \
 	install-dvi-am install-exec install-exec-am install-html \
 	install-html-am install-info install-info-am install-man \
 	install-pdf install-pdf-am install-ps install-ps-am \
 	install-strip installcheck installcheck-am installdirs \
 	maintainer-clean maintainer-clean-generic mostlyclean \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
 	tags-am uninstall uninstall-am
 .PRECIOUS: Makefile
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
 # Tell GNU make to disable its built-in pattern rules.
 %:: %,v
 %:: RCS/%,v
 %:: RCS/%
 %:: s.%
 %:: SCCS/s.%
--- a/etc/shadow-maint/groupdel-pre.d/01-kill_group_procs.sh
+++ b/etc/shadow-maint/groupdel-pre.d/01-kill_group_procs.sh
@@ -0,0 +1,26 @@
 #!/bin/sh
 PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 GROUPID=`awk -F: '$1 == "'"${SUBJECT}"'" { print $3 }' /etc/group`
 if [ "${GROUPID}" = "" ]; then
    exit 0
 fi
 for status in /proc/*/status; do
    # either this isn't a process or its already dead since expanding the list
    [ -f "$status" ] || continue
    tbuf=${status%/status}
    pid=${tbuf#/proc/}
    case "$pid" in
        "$$") continue;;
        [0-9]*) :;;
        *) continue
    esac
    grep -q '^Groups:.*\b'"${GROUPID}"'\b.*' "/proc/$pid/status" || continue
    kill -9 "$pid" || echo "cannot kill $pid" 1>&2
 done
--- a/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
+++ b/etc/shadow-maint/userdel-pre.d/01-kill_user_procs.sh
@@ -0,0 +1,31 @@
 #!/bin/sh
 PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 # Check user exists, and if so, send sigkill to processes that the user owns
 ps -eo user >/dev/null 2>&1
 if [ $? -eq 0 ]; then
    RUNNING=`ps -eo user | grep -Fx "$SUBJECT" | wc -l`
    # if the user does not exist, RUNNING will be 0
    if [ "${RUNNING}x" = "0x" ]; then
        exit 0
    fi
 fi
 # If there is no ps -eo, traverse the process directly.
 ls -1 /proc | while IFS= read -r PROC; do
  echo "$PROC" | grep -E '^[0-9]+$' >/dev/null
  if [ $? -ne 0 ]; then
    continue
  fi
  if [ -d "/proc/${PROC}" ]; then
    USR=`stat -c "%U" /proc/${PROC}`
    if [ "${USR}" = "${SUBJECT}" ]; then
      echo "Killing ${SUBJECT} owned ${PROC}"
      kill -9 "${PROC}"
    fi
  fi
 done
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -5,73 +5,303 @@ DEFS =
 noinst_LTLIBRARIES = libshadow.la
 if USE_PAM
 LIBCRYPT_PAM = $(LIBCRYPT)
 else
 LIBCRYPT_PAM =
 endif
 AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS)
 libshadow_la_CPPFLAGS = $(ECONF_CPPFLAGS)
 if HAVE_VENDORDIR
 libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
 endif
 libshadow_la_CPPFLAGS += -I$(top_srcdir)
 libshadow_la_CFLAGS = $(LIBBSD_CFLAGS) $(LIBCRYPT_PAM) $(LIBSYSTEMD)
 libshadow_la_LIBADD = $(LIBADD_DLOPEN)
 libshadow_la_SOURCES = \
 	addgrps.c \
 	adds.c \
 	adds.h \
 	age.c \
 	agetpass.c \
 	agetpass.h \
 	alloc/calloc.c \
 	alloc/calloc.h \
 	alloc/malloc.c \
 	alloc/malloc.h \
 	alloc/realloc.c \
 	alloc/realloc.h \
 	alloc/reallocf.c \
 	alloc/reallocf.h \
 	atoi/a2i.c \
 	atoi/a2i.h \
 	atoi/getnum.c \
 	atoi/getnum.h \
 	atoi/strtoi/strtoi.c \
 	atoi/strtoi/strtoi.h \
 	atoi/strtoi/strtou.c \
 	atoi/strtoi/strtou.h \
 	atoi/strtoi/strtou_noneg.c \
 	atoi/strtoi/strtou_noneg.h \
 	attr.h \
 	audit_help.c \
 	basename.c \
 	bit.c \
 	bit.h \
 	cast.h \
 	chkname.c \
 	chkname.h \
 	chkhash.c \
 	chkhash.h \
 	chowndir.c \
 	chowntty.c \
 	cleanup.c \
 	cleanup_group.c \
 	cleanup_user.c \
 	commonio.c \
 	commonio.h \
 	console.c \
 	copydir.c \
 	csrand.c \
 	defines.h \
 	encrypt.c \
 	env.c \
 	exit_if_null.c \
 	exit_if_null.h \
 	exitcodes.h \
 	faillog.h \
 	failure.c \
 	failure.h \
 	fd.c \
 	fields.c \
-	fputsx.c \
+	fields.h \
 	find_new_gid.c \
 	find_new_uid.c \
 	find_new_sub_gids.c \
 	find_new_sub_uids.c \
 	fs/mkstemp/fmkomstemp.c \
 	fs/mkstemp/fmkomstemp.h \
 	fs/mkstemp/mkomstemp.c \
 	fs/mkstemp/mkomstemp.h \
 	fs/readlink/areadlink.c \
 	fs/readlink/areadlink.h \
 	fs/readlink/readlinknul.c \
 	fs/readlink/readlinknul.h \
 	get_pid.c \
 	getdef.c \
 	getdef.h \
-	get_gid.c \
+	getgr_nam_gid.c \
-	getlong.c \
+	getrange.c \
-	get_pid.c \
+	gettime.c \
 	get_uid.c \
 	getulong.c \
 	groupio.c \
 	groupmem.c \
 	groupio.h \
-	gshadow.c \
+	hushed.c \
 	idmapping.h \
 	idmapping.c \
 	isexpired.c \
 	limits.c \
 	list.c \
 	lockpw.c \
 	loginprompt.c \
 	mail.c \
 	motd.c \
 	myname.c \
 	nss.c \
 	nscd.c \
 	nscd.h \
-	shadowlog.c \
+	obscure.c \
 	shadowlog.h \
 	shadowlog_internal.h \
 	sssd.c \
 	sssd.h \
 	pam_defs.h \
 	pam_pass.c \
 	pam_pass_non_interactive.c \
 	port.c \
 	port.h \
 	prefix_flag.c \
 	prototypes.h \
 	pwauth.c \
 	pwauth.h \
 	pwio.c \
 	pwio.h \
 	pwd_init.c \
 	pwd2spwd.c \
 	pwdcheck.c \
 	pwmem.c \
 	remove_tree.c \
 	root_flag.c \
 	run_part.h \
 	run_part.c \
-	subordinateio.h \
+	salt.c \
-	subordinateio.c \
+	search/cmp/cmp.c \
 	search/cmp/cmp.h \
 	search/l/lfind.c \
 	search/l/lfind.h \
 	search/l/lsearch.c \
 	search/l/lsearch.h \
 	search/sort/qsort.c \
 	search/sort/qsort.h \
 	selinux.c \
 	semanage.c \
-	sgetgrent.c \
+	setugid.c \
-	sgetpwent.c \
+	setupenv.c \
 	sgetspent.c \
 	sgroupio.c \
-	sgroupio.h\
+	sgroupio.h \
-	shadow.c \
+	shadow/group/sgetgrent.c \
 	shadow/group/sgetgrent.h \
 	shadow/grp/agetgroups.c \
 	shadow/grp/agetgroups.h \
 	shadow/gshadow/endsgent.c \
 	shadow/gshadow/endsgent.h \
 	shadow/gshadow/fgetsgent.c \
 	shadow/gshadow/fgetsgent.h \
 	shadow/gshadow/getsgent.c \
 	shadow/gshadow/getsgent.h \
 	shadow/gshadow/getsgnam.c \
 	shadow/gshadow/getsgnam.h \
 	shadow/gshadow/gshadow.c \
 	shadow/gshadow/gshadow.h \
 	shadow/gshadow/putsgent.c \
 	shadow/gshadow/putsgent.h \
 	shadow/gshadow/setsgent.c \
 	shadow/gshadow/setsgent.h \
 	shadow/gshadow/sgetsgent.c \
 	shadow/gshadow/sgetsgent.h \
 	shadow/gshadow/sgrp.c \
 	shadow/gshadow/sgrp.h \
 	shadow/passwd/sgetpwent.c \
 	shadow/passwd/sgetpwent.h \
 	shadow/shadow/sgetspent.c \
 	shadow/shadow/sgetspent.h \
 	shadowio.c \
 	shadowio.h \
 	shadowlog.c \
 	shadowlog.h \
 	shadowlog_internal.h \
 	shadowmem.c \
 	shell.c \
 	sizeof.h \
 	spawn.c \
-	utent.c
+	sssd.c \
 	sssd.h \
 	string/ctype/strchrisascii/strchriscntrl.c \
 	string/ctype/strchrisascii/strchriscntrl.h \
 	string/ctype/strisascii/strisdigit.c \
 	string/ctype/strisascii/strisdigit.h \
 	string/ctype/strisascii/strisprint.c \
 	string/ctype/strisascii/strisprint.h \
 	string/ctype/strtoascii/strtolower.c \
 	string/ctype/strtoascii/strtolower.h \
 	string/memset/memzero.c \
 	string/memset/memzero.h \
 	string/sprintf/aprintf.c \
 	string/sprintf/aprintf.h \
 	string/sprintf/snprintf.c \
 	string/sprintf/snprintf.h \
 	string/sprintf/stpeprintf.c \
 	string/sprintf/stpeprintf.h \
 	string/strchr/strchrcnt.c \
 	string/strchr/strchrcnt.h \
 	string/strchr/strchrscnt.c \
 	string/strchr/strchrscnt.h \
 	string/strchr/strnul.c \
 	string/strchr/strnul.h \
 	string/strcmp/strcaseeq.c \
 	string/strcmp/strcaseeq.h \
 	string/strcmp/strcaseprefix.c \
 	string/strcmp/strcaseprefix.h \
 	string/strcmp/streq.c \
 	string/strcmp/streq.h \
 	string/strcmp/strneq.c \
 	string/strcmp/strneq.h \
 	string/strcmp/strprefix.c \
 	string/strcmp/strprefix.h \
 	string/strcpy/stpecpy.c \
 	string/strcpy/stpecpy.h \
 	string/strcpy/strncat.c \
 	string/strcpy/strncat.h \
 	string/strcpy/strncpy.c \
 	string/strcpy/strncpy.h \
 	string/strcpy/strtcpy.c \
 	string/strcpy/strtcpy.h \
 	string/strdup/strdup.c \
 	string/strdup/strdup.h \
 	string/strdup/strndupa.c \
 	string/strdup/strndupa.h \
 	string/strdup/strndup.c \
 	string/strdup/strndup.h \
 	string/strerrno.c \
 	string/strerrno.h \
 	string/strftime.c \
 	string/strftime.h \
 	string/strspn/stpspn.c \
 	string/strspn/stpspn.h \
 	string/strspn/stprcspn.c \
 	string/strspn/stprcspn.h \
 	string/strspn/stprspn.c \
 	string/strspn/stprspn.h \
 	string/strspn/strrcspn.c \
 	string/strspn/strrcspn.h \
 	string/strspn/strrspn.c \
 	string/strspn/strrspn.h \
 	string/strtok/stpsep.c \
 	string/strtok/stpsep.h \
 	string/strtok/astrsep2ls.c \
 	string/strtok/astrsep2ls.h \
 	string/strtok/strsep2arr.c \
 	string/strtok/strsep2arr.h \
 	string/strtok/strsep2ls.c \
 	string/strtok/strsep2ls.h \
 	strtoday.c \
 	sub.c \
 	subordinateio.h \
 	subordinateio.c \
 	sulog.c \
 	time/day_to_str.c \
 	time/day_to_str.h \
 	ttytype.c \
 	typetraits.h \
 	tz.c \
 	ulimit.c \
 	user_busy.c \
 	valid.c \
 	write_full.c \
 	xgetpwnam.c \
 	xprefix_getpwnam.c \
 	xgetpwuid.c \
 	xgetgrnam.c \
 	xgetgrgid.c \
 	xgetspnam.c \
 	yesno.c
 if WITH_TCB
 libshadow_la_SOURCES += tcbfuncs.c tcbfuncs.h
 endif
 if WITH_BTRFS
 libshadow_la_SOURCES += btrfs.c
 endif
 if ENABLE_LASTLOG
 libshadow_la_SOURCES += log.c
 endif
 if ENABLE_LOGIND
 libshadow_la_SOURCES += logind.c
 else
 libshadow_la_SOURCES += utmp.c
 endif
 if !WITH_LIBBSD
 libshadow_la_SOURCES += \
 	freezero.h \
 	freezero.c \
 	readpassphrase.h \
 	readpassphrase.c
 endif
 # These files are unneeded for some reason, listed in
 # order of appearance:
 #
@@ -79,4 +309,4 @@ endif
 EXTRA_DIST = \
 	.indent.pro \
-	gshadow_.h
+	xgetXXbyYY.c
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
--- a/lib/addgrps.c
+++ b/lib/addgrps.c
@@ -0,0 +1,88 @@
 // SPDX-FileCopyrightText: 1989-1994, Julianne Frances Haugh
 // SPDX-FileCopyrightText: 1996-1998, Marek Michałkiewicz
 // SPDX-FileCopyrightText: 2001-2006, Tomasz Kłoczko
 // SPDX-FileCopyrightText: 2007-2009, Nicolas François
 // SPDX-FileCopyrightText: 2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #include "config.h"
 #if !defined(USE_PAM)
 #include "prototypes.h"
 #include "defines.h"
 #include <errno.h>
 #include <grp.h>
 #include <stdio.h>
 #include <string.h>
 #include <sys/types.h>
 #include "alloc/reallocf.h"
 #include "search/l/lsearch.h"
 #include "shadow/grp/agetgroups.h"
 #include "shadowlog.h"
 #include "string/strchr/strchrscnt.h"
 #include "string/strcmp/streq.h"
 #include "string/strerrno.h"
 /*
 * Add groups with names from LIST (separated by commas or colons)
 * to the supplementary group set.  Silently ignore groups which are
 * already there.
 */
 int
 add_groups(const char *list)
 {
 	char    *dup;
 	FILE *shadow_logfd = log_get_logfd();
 	gid_t   *gids;
 	size_t  n;
 	gids = agetgroups(&n);
 	if (gids == NULL)
 		return -1;
 	gids = reallocf_T(gids, n + strchrscnt(list, ",:") + 1, gid_t);
 	if (gids == NULL)
 		return -1;
 	dup = strdup(list);
 	if (dup == NULL)
 		goto free_gids;
 	if (!streq(dup, "")) {
 		char  *g, *p;
 		p = dup;
 		while (NULL != (g = strsep(&p, ",:"))) {
 			struct group  *grp;
 			grp = getgrnam(g); /* local, no need for xgetgrnam */
 			if (NULL == grp) {
 				fprintf(shadow_logfd, _("Warning: unknown group %s\n"), g);
 				continue;
 			}
 			LSEARCH(gid_t, &grp->gr_gid, gids, &n);
 		}
 	}
 	free(dup);
 	if (setgroups(n, gids) == -1) {
 		fprintf(shadow_logfd, "setgroups: %s\n", strerrno());
 		goto free_gids;
 	}
 	free(gids);
 	return 0;
 free_gids:
 	free(gids);
 	return -1;
 }
 #else				/* !USE_PAM */
 extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/* !USE_PAM */
--- a/lib/adds.c
+++ b/lib/adds.c
@@ -0,0 +1,13 @@
 // SPDX-FileCopyrightText: 2023, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #include "config.h"
 #include "adds.h"
 #include <stddef.h>
 extern inline long addsl2(long a, long b);
 extern inline long addslN(size_t n, long addend[n]);
--- a/lib/adds.h
+++ b/lib/adds.h
@@ -0,0 +1,70 @@
 // SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #ifndef SHADOW_INCLUDE_LIB_ADDS_H_
 #define SHADOW_INCLUDE_LIB_ADDS_H_
 #include "config.h"
 #include <errno.h>
 #include <limits.h>
 #include <stddef.h>
 #include "search/sort/qsort.h"
 #include "sizeof.h"
 #define addsl(a, b, ...)                                                      \
 ({                                                                            \
 	long  addend_[] = {a, b, __VA_ARGS__};                                \
                                                                              \
 	addslN(countof(addend_), addend_);                                    \
 })
 inline long addsl2(long a, long b);
 inline long addslN(size_t n, long addend[n]);
 inline long
 addsl2(long a, long b)
 {
 	if (a > 0 && b > LONG_MAX - a) {
 		errno = EOVERFLOW;
 		return LONG_MAX;
 	}
 	if (a < 0 && b < LONG_MIN - a) {
 		errno = EOVERFLOW;
 		return LONG_MIN;
 	}
 	return a + b;
 }
 inline long
 addslN(size_t n, long addend[n])
 {
 	int   e;
 	if (n == 0) {
 		errno = EDOM;
 		return 0;
 	}
 	e = errno;
 	while (n > 1) {
 		QSORT(long, addend, n);
 		errno = 0;
 		addend[0] = addsl2(addend[0], addend[--n]);
 		if (errno == EOVERFLOW)
 			return addend[0];
 	}
 	errno = e;
 	return addend[0];
 }
 #endif  // include guard
--- a/libmisc/age.c
+++ b/libmisc/age.c
@@ -7,18 +7,22 @@
 * SPDX-License-Identifier: BSD-3-Clause
 */
-#include <config.h>
+#include "config.h"
 #include <sys/types.h>
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
 #include "prototypes.h"
 #include "defines.h"
 #include "exitcodes.h"
 #include <pwd.h>
 #include <grp.h>
 #include "adds.h"
 #include "defines.h"
 #include "exitcodes.h"
 #include "prototypes.h"
 #include "shadow/gshadow/endsgent.h"
 #ident "$Id$"
 #ifndef PASSWD_PROGRAM
@@ -103,7 +107,7 @@ int expire (const struct passwd *pw, /*@null@*/const struct spwd *sp)
 		 * passwd to work just like it would had they executed
 		 * it from the command line while logged in.
 		 */
-#if defined(HAVE_INITGROUPS) && ! defined(USE_PAM)
+#if !defined(USE_PAM)
 		if (setup_uid_gid (pw, false) != 0)
 #else
 		if (setup_uid_gid (pw) != 0)
@@ -112,7 +116,7 @@ int expire (const struct passwd *pw, /*@null@*/const struct spwd *sp)
 			_exit (126);
 		}
-		(void) execl (PASSWD_PROGRAM, PASSWD_PROGRAM, pw->pw_name, (char *) 0);
+		(void) execl (PASSWD_PROGRAM, PASSWD_PROGRAM, pw->pw_name, (char *) NULL);
 		err = errno;
 		perror ("Can't execute " PASSWD_PROGRAM);
 		_exit ((ENOENT == err) ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
@@ -139,7 +143,7 @@ int expire (const struct passwd *pw, /*@null@*/const struct spwd *sp)
 void agecheck (/*@null@*/const struct spwd *sp)
 {
-	long now = (long) time ((time_t *) 0) / SCALE;
+	long now = time(NULL) / DAY;
 	long remain;
 	if (NULL == sp) {
@@ -162,9 +166,9 @@ void agecheck (/*@null@*/const struct spwd *sp)
 		return;
 	}
-	remain = sp->sp_lstchg + sp->sp_max - now;
+	remain = addsl(sp->sp_lstchg, sp->sp_max, -now);
 	if (remain <= sp->sp_warn) {
 		remain /= DAY / SCALE;
 		if (remain > 1) {
 			(void) printf (_("Your password will expire in %ld days.\n"),
 			               remain);
--- a/lib/agetpass.c
+++ b/lib/agetpass.c
@@ -0,0 +1,145 @@
 /*
 * SPDX-FileCopyrightText:  2022, Alejandro Colomar <alx@kernel.org>
 *
 * SPDX-License-Identifier:  BSD-3-Clause
 */
 #include "config.h"
 #include "agetpass.h"
 #include <limits.h>
 #include <readpassphrase.h>
 #include <stdlib.h>
 #include <string.h>
 #ident "$Id$"
 #include "alloc/malloc.h"
 #if WITH_LIBBSD == 0
 #include "freezero.h"
 #endif /* WITH_LIBBSD */
 /*
 * SYNOPSIS
 *	[[gnu::malloc(erase_pass)]]
 *	char *agetpass(const char *prompt);
 *	char *agetpass_stdin();
 *
 *	void erase_pass(char *pass);
 *
 * ARGUMENTS
 *   agetpass()
 *	prompt	String to be printed before reading a password.
 *
 *   erase_pass()
 *	pass	password previously returned by agetpass().
 *
 * DESCRIPTION
 *   agetpass()
 *	This function is very similar to getpass(3).  It has several
 *	advantages compared to getpass(3):
 *
 *	- Instead of using a static buffer, agetpass() allocates memory
 *	  through malloc(3).  This makes the function thread-safe, and
 *	  also reduces the visibility of the buffer.
 *
 *	- agetpass() doesn't reallocate internally.  Some
 *	  implementations of getpass(3), such as glibc, do that, as a
 *	  consequence of calling getline(3).  That's a bug in glibc,
 *	  which allows leaking prefixes of passwords in freed memory.
 *
 *	- agetpass() doesn't overrun the output buffer.  If the input
 *	  password is too long, it simply fails.  Some implementations
 *	  of getpass(3), share the same bug that gets(3) has.
 *
 *	As soon as possible, the password obtained from agetpass() be
 *	erased by calling erase_pass(), to avoid possibly leaking the
 *	password.
 *
 *   agetpass_stdin()
 *	This function is the same as previous one (agetpass). Just the
 *	password is read from stdin and terminal is not required.
 *
 *   erase_pass()
 *	This function first clears the password, by calling
 *	explicit_bzero(3) (or an equivalent call), and then frees the
 *	allocated memory by calling free(3).
 *
 *	NULL is a valid input pointer, and in such a case, this call is
 *	a no-op.
 *
 * RETURN VALUE
 *	agetpass() returns a newly allocated buffer containing the
 *	password on success.  On error, errno is set to indicate the
 *	error, and NULL is returned.
 *
 * ERRORS
 *   agetpass()
 *	This function may fail for any errors that malloc(3) or
 *	readpassphrase(3) may fail, and in addition it may fail for the
 *	following errors:
 *
 *	ENOBUFS
 *		The input password was longer than PASS_MAX.
 *
 * CAVEATS
 *	If a password is passed twice to erase_pass(), the behavior is
 *	undefined.
 */
 static char *
 agetpass_internal(const char *prompt, int flags)
 {
 	char    *pass;
 	size_t  len;
 	/*
 	 * Since we want to support passwords upto PASS_MAX, we need
 	 * PASS_MAX bytes for the password itself, and one more byte for
 	 * the terminating '\0'.  We also want to detect truncation, and
 	 * readpassphrase(3) doesn't detect it, so we need some trick.
 	 * Let's add one more byte, and if the password uses it, it
 	 * means the introduced password was longer than PASS_MAX.
 	 */
 	pass = malloc_T(PASS_MAX + 2, char);
 	if (pass == NULL)
 		return NULL;
 	if (readpassphrase(prompt, pass, PASS_MAX + 2, flags) == NULL)
 		goto fail;
 	len = strlen(pass);
 	if (len == PASS_MAX + 1) {
 		errno = ENOBUFS;
 		goto fail;
 	}
 	return pass;
 fail:
 	freezero(pass, PASS_MAX + 2);
 	return NULL;
 }
 char *
 agetpass(const char *prompt)
 {
 	return agetpass_internal(prompt, RPP_REQUIRE_TTY);
 }
 char *
 agetpass_stdin()
 {
 	return agetpass_internal("", RPP_STDIN);
 }
 void
 erase_pass(char *pass)
 {
 	freezero(pass, PASS_MAX + 2);
 }
--- a/lib/agetpass.h
+++ b/lib/agetpass.h
@@ -0,0 +1,23 @@
 /*
 * SPDX-FileCopyrightText: 2022-2023, Alejandro Colomar <alx@kernel.org>
 * SPDX-License-Identifier: BSD-3-Clause
 */
 #ifndef SHADOW_INCLUDE_LIB_AGETPASS_H_
 #define SHADOW_INCLUDE_LIB_AGETPASS_H_
 #include "config.h"
 #include "attr.h"
 #include "defines.h"
 void erase_pass(char *pass);
 ATTR_MALLOC(erase_pass)
 char *agetpass(const char *prompt);
 char *agetpass_stdin();
 #endif  // include guard
--- a/lib/alloc/calloc.c
+++ b/lib/alloc/calloc.c
@@ -0,0 +1,11 @@
 // SPDX-FileCopyrightText: 1990-1994, Julianne Frances Haugh
 // SPDX-FileCopyrightText: 1996-1998, Marek Michałkiewicz
 // SPDX-FileCopyrightText: 2003-2006, Tomasz Kłoczko
 // SPDX-FileCopyrightText: 2008     , Nicolas François
 // SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #include "config.h"
 #include "alloc/calloc.h"
--- a/lib/alloc/calloc.h
+++ b/lib/alloc/calloc.h
@@ -0,0 +1,29 @@
 // SPDX-FileCopyrightText: 2023-2025, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #ifndef SHADOW_INCLUDE_LIB_ALLOC_CALLOC_H_
 #define SHADOW_INCLUDE_LIB_ALLOC_CALLOC_H_
 #include "config.h"
 #include <stdlib.h>
 #include "exit_if_null.h"
 #include "sizeof.h"
 // calloc_T - calloc type-safe
 #define calloc_T(n, T)   calloc_T_(n, typeas(T))
 #define calloc_T_(n, T)                                               \
 ({                                                                    \
 	(T *){calloc(n, sizeof(T))};                                  \
 })
 // xcalloc_T - exit-on-error calloc type-safe
 #define xcalloc_T(n, T)  exit_if_null(calloc_T(n, T))
 #endif  // include guard
--- a/lib/alloc/malloc.c
+++ b/lib/alloc/malloc.c
@@ -0,0 +1,16 @@
 // SPDX-FileCopyrightText: 1990-1994, Julianne Frances Haugh
 // SPDX-FileCopyrightText: 1996-1998, Marek Michałkiewicz
 // SPDX-FileCopyrightText: 2003-2006, Tomasz Kłoczko
 // SPDX-FileCopyrightText: 2008     , Nicolas François
 // SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #include "config.h"
 #include "alloc/malloc.h"
 #include <stddef.h>
 extern inline void *mallocarray(size_t nmemb, size_t size);
--- a/lib/alloc/malloc.h
+++ b/lib/alloc/malloc.h
@@ -0,0 +1,43 @@
 // SPDX-FileCopyrightText: 2023-2025, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #ifndef SHADOW_INCLUDE_LIB_ALLOC_MALLOC_H_
 #define SHADOW_INCLUDE_LIB_ALLOC_MALLOC_H_
 #include "config.h"
 #include <stdlib.h>
 #include "attr.h"
 #include "exit_if_null.h"
 #include "sizeof.h"
 // malloc_T - malloc type-safe
 #define malloc_T(n, T)   malloc_T_(n, typeas(T))
 #define malloc_T_(n, T)                                               \
 ({                                                                    \
 	(T *){mallocarray(n, sizeof(T))};                             \
 })
 // xmalloc_T - exit-on-error malloc type-safe
 #define xmalloc_T(n, T)  exit_if_null(malloc_T(n, T))
 // mallocarray - malloc array
 ATTR_ALLOC_SIZE(1, 2)
 ATTR_MALLOC(free)
 inline void *mallocarray(size_t nmemb, size_t size);
 inline void *
 mallocarray(size_t nmemb, size_t size)
 {
 	return reallocarray(NULL, nmemb, size);
 }
 #endif  // include guard
--- a/lib/alloc/realloc.c
+++ b/lib/alloc/realloc.c
@@ -0,0 +1,11 @@
 // SPDX-FileCopyrightText: 1990-1994, Julianne Frances Haugh
 // SPDX-FileCopyrightText: 1996-1998, Marek Michałkiewicz
 // SPDX-FileCopyrightText: 2003-2006, Tomasz Kłoczko
 // SPDX-FileCopyrightText: 2008     , Nicolas François
 // SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #include "config.h"
 #include "alloc/realloc.h"
--- a/lib/alloc/realloc.h
+++ b/lib/alloc/realloc.h
@@ -0,0 +1,32 @@
 // SPDX-FileCopyrightText: 2023-2025, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #ifndef SHADOW_INCLUDE_LIB_ALLOC_REALLOC_H_
 #define SHADOW_INCLUDE_LIB_ALLOC_REALLOC_H_
 #include "config.h"
 #include <stdlib.h>
 #include "exit_if_null.h"
 #include "sizeof.h"
 // realloc_T - realloc type-safe
 #define realloc_T(p, n, T)   realloc_T_(p, n, typeas(T))
 #define realloc_T_(p, n, T)                                           \
 ({                                                                    \
 	_Generic(p, T *: (void)0);                                    \
 	(T *){reallocarray_(p, n, sizeof(T))};                        \
 })
 #define reallocarray_(p, n, size)  reallocarray(p, (n) ?: 1, (size) ?: 1)
 // xrealloc_T - exit-on-error realloc type-safe
 #define xrealloc_T(p, n, T)  exit_if_null(realloc_T(p, n, T))
 #endif  // include guard
--- a/lib/alloc/reallocf.c
+++ b/lib/alloc/reallocf.c
@@ -0,0 +1,16 @@
 // SPDX-FileCopyrightText: 1990-1994, Julianne Frances Haugh
 // SPDX-FileCopyrightText: 1996-1998, Marek Michałkiewicz
 // SPDX-FileCopyrightText: 2003-2006, Tomasz Kłoczko
 // SPDX-FileCopyrightText: 2008     , Nicolas François
 // SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #include "config.h"
 #include "alloc/reallocf.h"
 #include <stddef.h>
 extern inline void *reallocarrayf(void *p, size_t nmemb, size_t size);
--- a/lib/alloc/reallocf.h
+++ b/lib/alloc/reallocf.h
@@ -0,0 +1,48 @@
 // SPDX-FileCopyrightText: 2023-2025, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #ifndef SHADOW_INCLUDE_LIB_ALLOC_REALLOCF_H_
 #define SHADOW_INCLUDE_LIB_ALLOC_REALLOCF_H_
 #include "config.h"
 #include <stddef.h>
 #include <stdlib.h>
 #include "attr.h"
 #include "sizeof.h"
 // reallocf_T - realloc free-on-error type-safe
 #define reallocf_T(p, n, T)   reallocf_T_(p, n, typeas(T))
 #define reallocf_T_(p, n, T)                                          \
 ({                                                                    \
 	_Generic(p, T *: (void)0);                                    \
 	(T *){reallocarrayf_(p, n, sizeof(T))};                       \
 })
 #define reallocarrayf_(p, n, size)  reallocarrayf(p, (n) ?: 1, (size) ?: 1)
 // reallocarrayf - realloc array free-on-error
 ATTR_ALLOC_SIZE(2, 3)
 ATTR_MALLOC(free)
 inline void *reallocarrayf(void *p, size_t nmemb, size_t size);
 inline void *
 reallocarrayf(void *p, size_t nmemb, size_t size)
 {
 	void  *q;
 	q = reallocarray(p, nmemb ?: 1, size ?: 1);
 	if (q == NULL)
 		free(p);
 	return q;
 }
 #endif  // include guard
--- a/lib/atoi/a2i.c
+++ b/lib/atoi/a2i.c
@@ -0,0 +1,7 @@
 // SPDX-FileCopyrightText: 2023-2025, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #include "config.h"
 #include "atoi/a2i.h"
--- a/lib/atoi/a2i.h
+++ b/lib/atoi/a2i.h
@@ -0,0 +1,69 @@
 // SPDX-FileCopyrightText: 2023-2025, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #ifndef SHADOW_INCLUDE_LIB_ATOI_A2I_H_
 #define SHADOW_INCLUDE_LIB_ATOI_A2I_H_
 #include "config.h"
 #include <errno.h>
 #include <stddef.h>
 #include "atoi/strtoi/strtoi.h"
 #include "atoi/strtoi/strtou_noneg.h"
 #include "typetraits.h"
 // a2i - alpha to integer
 #define a2i(T, n, s, endp, base, min, max)                            \
 ({                                                                    \
 	T            *n_ = n;                                         \
 	QChar_of(s)  **endp_ = endp;                                  \
 	T            min_ = min;                                      \
 	T            max_ = max;                                      \
 	                                                              \
 	int  status;                                                  \
 	                                                              \
 	*n_ = _Generic((T){0},                                        \
 		short:              strtoi_,                          \
 		int:                strtoi_,                          \
 		long:               strtoi_,                          \
 		long long:          strtoi_,                          \
 		unsigned short:     strtou_noneg,                     \
 		unsigned int:       strtou_noneg,                     \
 		unsigned long:      strtou_noneg,                     \
 		unsigned long long: strtou_noneg                      \
 	)(s, (char **) endp_, base, min_, max_, &status);             \
 	                                                              \
 	if (status != 0)                                              \
 		errno = status;                                       \
 	-!!status;                                                    \
 })
 #define a2sh(...)   a2i(short, __VA_ARGS__)
 #define a2si(...)   a2i(int, __VA_ARGS__)
 #define a2sl(...)   a2i(long, __VA_ARGS__)
 #define a2sll(...)  a2i(long long, __VA_ARGS__)
 #define a2uh(...)   a2i(unsigned short, __VA_ARGS__)
 #define a2ui(...)   a2i(unsigned int, __VA_ARGS__)
 #define a2ul(...)   a2i(unsigned long, __VA_ARGS__)
 #define a2ull(...)  a2i(unsigned long long, __VA_ARGS__)
 #define str2i(T, ...)  a2i(T, __VA_ARGS__, NULL, 0, type_min(T), type_max(T))
 #define str2sh(...)    str2i(short, __VA_ARGS__)
 #define str2si(...)    str2i(int, __VA_ARGS__)
 #define str2sl(...)    str2i(long, __VA_ARGS__)
 #define str2sll(...)   str2i(long long, __VA_ARGS__)
 #define str2uh(...)    str2i(unsigned short, __VA_ARGS__)
 #define str2ui(...)    str2i(unsigned int, __VA_ARGS__)
 #define str2ul(...)    str2i(unsigned long, __VA_ARGS__)
 #define str2ull(...)   str2i(unsigned long long, __VA_ARGS__)
 #endif  // include guard
--- a/lib/atoi/getnum.c
+++ b/lib/atoi/getnum.c
@@ -0,0 +1,16 @@
 // SPDX-FileCopyrightText: 2009, Nicolas François
 // SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #include "config.h"
 #include <sys/types.h>
 #include "atoi/getnum.h"
 extern inline int get_fd(const char *restrict fdstr, int *restrict fd);
 extern inline int get_gid(const char *restrict gidstr, gid_t *restrict gid);
 extern inline int get_pid(const char *restrict pidstr, pid_t *restrict pid);
 extern inline int get_uid(const char *restrict uidstr, uid_t *restrict uid);
--- a/lib/atoi/getnum.h
+++ b/lib/atoi/getnum.h
@@ -0,0 +1,59 @@
 // SPDX-FileCopyrightText: 2009, Nicolas François
 // SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #ifndef SHADOW_INCLUDE_LIB_ATOI_GETNUM_H_
 #define SHADOW_INCLUDE_LIB_ATOI_GETNUM_H_
 #include "config.h"
 #include <limits.h>
 #include <stddef.h>
 #include <sys/types.h>
 #include "atoi/a2i.h"
 #include "attr.h"
 #include "typetraits.h"
 ATTR_STRING(1) ATTR_ACCESS(write_only, 2)
 inline int get_fd(const char *restrict fdstr, int *restrict fd);
 ATTR_STRING(1) ATTR_ACCESS(write_only, 2)
 inline int get_gid(const char *restrict gidstr, gid_t *restrict gid);
 ATTR_STRING(1) ATTR_ACCESS(write_only, 2)
 inline int get_pid(const char *restrict pidstr, pid_t *restrict pid);
 ATTR_STRING(1) ATTR_ACCESS(write_only, 2)
 inline int get_uid(const char *restrict uidstr, uid_t *restrict uid);
 inline int
 get_fd(const char *restrict fdstr, int *restrict fd)
 {
 	return a2si(fd, fdstr, NULL, 10, 0, INT_MAX);
 }
 inline int
 get_gid(const char *restrict gidstr, gid_t *restrict gid)
 {
 	return a2i(gid_t, gid, gidstr, NULL, 10, type_min(gid_t), type_max(gid_t));
 }
 inline int
 get_pid(const char *restrict pidstr, pid_t *restrict pid)
 {
 	return a2i(pid_t, pid, pidstr, NULL, 10, 1, type_max(pid_t));
 }
 inline int
 get_uid(const char *restrict uidstr, uid_t *restrict uid)
 {
 	return a2i(uid_t, uid, uidstr, NULL, 10, type_min(uid_t), type_max(uid_t));
 }
 #endif  // include guard
--- a/lib/atoi/strtoi/strtoi.c
+++ b/lib/atoi/strtoi/strtoi.c
@@ -0,0 +1,13 @@
 // SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #include "config.h"
 #include "atoi/strtoi/strtoi.h"
 #include <stdint.h>
 extern inline intmax_t strtoi_(const char *s, char **restrict endp, int base,
    intmax_t min, intmax_t max, int *restrict status);
--- a/lib/atoi/strtoi/strtoi.h
+++ b/lib/atoi/strtoi/strtoi.h
@@ -0,0 +1,64 @@
 // SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #ifndef SHADOW_INCLUDE_LIB_ATOI_STRTOI_STRTOI_H_
 #define SHADOW_INCLUDE_LIB_ATOI_STRTOI_STRTOI_H_
 #include "config.h"
 #include <errno.h>
 #include <inttypes.h>
 #include <stddef.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <sys/param.h>
 #include "attr.h"
 ATTR_STRING(1) ATTR_ACCESS(write_only, 2) ATTR_ACCESS(write_only, 6)
 inline intmax_t strtoi_(const char *s, char **restrict endp, int base,
    intmax_t min, intmax_t max, int *restrict status);
 inline intmax_t
 strtoi_(const char *s, char **restrict endp, int base,
    intmax_t min, intmax_t max, int *restrict status)
 {
 	int        e, st;
 	char       *end;
 	intmax_t   n;
 	if (endp == NULL)
 		endp = &end;
 	if (status == NULL)
 		status = &st;
 	if (base != 0 && (base < 2 || base > 36)) {
 		*status = EINVAL;
 		return MAX(min, MIN(max, 0));
 	}
 	e = errno;
 	errno = 0;
 	n = strtoimax(s, endp, base);
 	if (*endp == s)
 		*status = ECANCELED;
 	else if (errno == ERANGE || n < min || n > max)
 		*status = ERANGE;
 	else if (**endp != '\0')
 		*status = ENOTSUP;
 	else
 		*status = 0;
 	errno = e;
 	return MAX(min, MIN(max, n));
 }
 #endif  // include guard
--- a/lib/atoi/strtoi/strtou.c
+++ b/lib/atoi/strtoi/strtou.c
@@ -0,0 +1,13 @@
 // SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #include "config.h"
 #include "atoi/strtoi/strtou.h"
 #include <stdint.h>
 extern inline uintmax_t strtou_(const char *s, char **restrict endp, int base,
    uintmax_t min, uintmax_t max, int *restrict status);
--- a/lib/atoi/strtoi/strtou.h
+++ b/lib/atoi/strtoi/strtou.h
@@ -0,0 +1,64 @@
 // SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #ifndef SHADOW_INCLUDE_LIB_ATOI_STRTOI_STRTOU_H_
 #define SHADOW_INCLUDE_LIB_ATOI_STRTOI_STRTOU_H_
 #include "config.h"
 #include <errno.h>
 #include <inttypes.h>
 #include <stddef.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <sys/param.h>
 #include "attr.h"
 ATTR_STRING(1) ATTR_ACCESS(write_only, 2) ATTR_ACCESS(write_only, 6)
 inline uintmax_t strtou_(const char *s, char **restrict endp, int base,
    uintmax_t min, uintmax_t max, int *restrict status);
 inline uintmax_t
 strtou_(const char *s, char **restrict endp, int base,
    uintmax_t min, uintmax_t max, int *restrict status)
 {
 	int        e, st;
 	char       *end;
 	uintmax_t  n;
 	if (endp == NULL)
 		endp = &end;
 	if (status == NULL)
 		status = &st;
 	if (base != 0 && (base < 2 || base > 36)) {
 		*status = EINVAL;
 		return MAX(min, 0);
 	}
 	e = errno;
 	errno = 0;
 	n = strtoumax(s, endp, base);
 	if (*endp == s)
 		*status = ECANCELED;
 	else if (errno == ERANGE || n < min || n > max)
 		*status = ERANGE;
 	else if (**endp != '\0')
 		*status = ENOTSUP;
 	else
 		*status = 0;
 	errno = e;
 	return MAX(min, MIN(max, n));
 }
 #endif  // include guard
--- a/lib/atoi/strtoi/strtou_noneg.c
+++ b/lib/atoi/strtoi/strtou_noneg.c
@@ -0,0 +1,13 @@
 // SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #include "config.h"
 #include "atoi/strtoi/strtou_noneg.h"
 #include <stdint.h>
 extern inline uintmax_t strtou_noneg(const char *s, char **restrict endp,
    int base, uintmax_t min, uintmax_t max, int *restrict status);
--- a/lib/atoi/strtoi/strtou_noneg.h
+++ b/lib/atoi/strtoi/strtou_noneg.h
@@ -0,0 +1,40 @@
 // SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #ifndef SHADOW_INCLUDE_LIB_ATOI_STRTOI_STRTOU_NONEG_H_
 #define SHADOW_INCLUDE_LIB_ATOI_STRTOI_STRTOU_NONEG_H_
 #include "config.h"
 #include <errno.h>
 #include <stddef.h>
 #include <stdint.h>
 #include "atoi/strtoi/strtoi.h"
 #include "atoi/strtoi/strtou.h"
 #include "attr.h"
 ATTR_STRING(1) ATTR_ACCESS(write_only, 2) ATTR_ACCESS(write_only, 6)
 inline uintmax_t strtou_noneg(const char *s, char **restrict endp,
    int base, uintmax_t min, uintmax_t max, int *restrict status);
 inline uintmax_t
 strtou_noneg(const char *s, char **restrict endp, int base,
    uintmax_t min, uintmax_t max, int *restrict status)
 {
 	int  st;
 	if (status == NULL)
 		status = &st;
 	if (strtoi_(s, endp, base, 0, 1, status) == 0 && *status == ERANGE)
 		return min;
 	return strtou_(s, endp, base, min, max, status);
 }
 #endif  // include guard
--- a/lib/attr.h
+++ b/lib/attr.h
@@ -0,0 +1,62 @@
 #ifndef SHADOW_INCLUDE_LIB_ATTR_H_
 #define SHADOW_INCLUDE_LIB_ATTR_H_
 #include "config.h"
 #if !defined(__has_c_attribute)
 # define __has_c_attribute(x)  0
 #endif
 #if __has_c_attribute(maybe_unused)
 # define MAYBE_UNUSED                [[maybe_unused]]
 #else
 # define MAYBE_UNUSED
 #endif
 #if __has_c_attribute(noreturn)
 # define NORETURN                    [[noreturn]]
 #else
 # define NORETURN
 #endif
 #if __has_c_attribute(gnu::format)
 # define format_attr(type, fmt, va)  [[gnu::format(type, fmt, va)]]
 #else
 # define format_attr(type, fmt, va)
 #endif
 #if __has_c_attribute(gnu::access)
 # define ATTR_ACCESS(...)            [[gnu::access(__VA_ARGS__)]]
 #else
 # define ATTR_ACCESS(...)
 #endif
 #if __has_c_attribute(gnu::alloc_size)
 # define ATTR_ALLOC_SIZE(...)        [[gnu::alloc_size(__VA_ARGS__)]]
 #else
 # define ATTR_ALLOC_SIZE(...)
 #endif
 #if (__GNUC__ >= 11) && !defined(__clang__)
 # define ATTR_MALLOC(deallocator)    [[gnu::malloc(deallocator)]]
 #else
 # define ATTR_MALLOC(deallocator)
 #endif
 #if __has_c_attribute(gnu::null_terminated_string_arg)
 # define ATTR_STRING(i)              [[gnu::null_terminated_string_arg(i)]]
 #else
 # define ATTR_STRING(i)
 #endif
 #if __has_c_attribute(gnu::nonstring)
 # define ATTR_NONSTRING              [[gnu::nonstring]]
 #else
 # define ATTR_NONSTRING
 #endif
 #endif  // include guard
--- a/lib/audit_help.c
+++ b/lib/audit_help.c
@@ -0,0 +1,135 @@
 /*
 * SPDX-FileCopyrightText: 2005       , Red Hat, Inc.
 * SPDX-FileCopyrightText: 2005       , Tomasz Kłoczko
 * SPDX-FileCopyrightText: 2008       , Nicolas François
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
 /*
 *  Audit helper functions used throughout shadow
 *
 */
 #include "config.h"
 #ifdef WITH_AUDIT
 #include <stdlib.h>
 #include <syslog.h>
 #include <stdarg.h>
 #include <libaudit.h>
 #include <errno.h>
 #include <stdio.h>
 #include "attr.h"
 #include "prototypes.h"
 #include "shadowlog.h"
 #include "string/sprintf/snprintf.h"
 int audit_fd;
 void audit_help_open (void)
 {
 	audit_fd = audit_open ();
 	if (audit_fd < 0) {
 		/* You get these only when the kernel doesn't have
 		 * audit compiled in. */
 		if (   (errno == EINVAL)
 		    || (errno == EPROTONOSUPPORT)
 		    || (errno == EAFNOSUPPORT)) {
 			return;
 		}
 		(void) fputs (_("Cannot open audit interface - aborting.\n"),
 		              log_get_logfd());
 		exit (EXIT_FAILURE);
 	}
 }
 /*
 * This function will log a message to the audit system using a predefined
 * message format. For additional information on the user account lifecycle
 * events check
 * <https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-Lifecycle-Events>
 *
 * Parameter usage is as follows:
 *
 * type - type of message. A list of possible values is available in
 *        "audit-records.h" file.
 * op  -  operation. "adding user", "changing finger info", "deleting group"
 * name - user's account or group name. If not available use NULL.
 * id  -  uid or gid that the operation is being performed on. This is used
 *	  only when user is NULL.
 */
 void audit_logger (int type, const char *op,
                   const char *name, unsigned int id,
                   shadow_audit_result result)
 {
 	if (audit_fd < 0) {
 		return;
 	} else {
 		audit_log_acct_message (audit_fd, type, NULL, op, name, id,
 		                        NULL, NULL, NULL, result);
 	}
 }
 /*
 * This function will log a message to the audit system using a predefined
 * message format. For additional information on the group account lifecycle
 * events check
 * <https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-Lifecycle-Events>
 *
 * Parameter usage is as follows:
 *
 * type - type of message. A list of possible values is available in
 *        "audit-records.h" file.
 * op  -  operation. "adding-user", "modify-group", "deleting-user-from-group"
 * name - user's account or group name. If not available use NULL.
 * id  -  uid or gid that the operation is being performed on. This is used
 *	  only when user is NULL.
 * grp_type - type of group: "grp" or "new_group"
 * grp - group name associated with event
 */
 void
 audit_logger_with_group(int type, const char *op, const char *name,
    id_t id, const char *grp_type, const char *grp,
    shadow_audit_result result)
 {
 	int len;
 	char enc_group[GROUP_NAME_MAX_LENGTH * 2 + 1];
 	char buf[countof(enc_group) + 100];
 	if (audit_fd < 0)
 		return;
 	len = strnlen(grp, sizeof(enc_group)/2);
 	if (audit_value_needs_encoding(grp, len)) {
 		stprintf_a(buf, "%s %s=%s", op, grp_type,
 			audit_encode_value(enc_group, grp, len));
 	} else {
 		stprintf_a(buf, "%s %s=\"%s\"", op, grp_type, grp);
 	}
 	audit_log_acct_message(audit_fd, type, NULL, buf, name, id,
 		               NULL, NULL, NULL, result);
 }
 void audit_logger_message (const char *message, shadow_audit_result result)
 {
 	if (audit_fd < 0) {
 		return;
 	} else {
 		audit_log_user_message (audit_fd,
 		                        AUDIT_USYS_CONFIG,
 		                        message,
 		                        NULL, /* hostname */
 		                        NULL, /* addr */
 		                        NULL, /* tty */
 		                        result);
 	}
 }
 #else				/* WITH_AUDIT */
 extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/* WITH_AUDIT */
--- a/lib/basename.c
+++ b/lib/basename.c
@@ -0,0 +1,31 @@
 // SPDX-FileCopyrightText: 1990-1994, Julianne Frances Haugh
 // SPDX-FileCopyrightText: 1996-1997, Marek Michałkiewicz
 // SPDX-FileCopyrightText: 2003-2005, Tomasz Kłoczko
 // SPDX-FileCopyrightText: 2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 /*
 * basename.c - not worth copyrighting :-).  Some versions of Linux libc
 * already have basename(), other versions don't.  To avoid confusion,
 * we will not use the function from libc and use a different name here.
 * --marekm
 */
 #include "config.h"
 #include <stddef.h>
 #include <stdlib.h>
 #include "prototypes.h"
 #include "string/strspn/stprcspn.h"
 /*@observer@*/const char *
 Basename(const char *str)
 {
 	if (str == NULL) {
 		abort ();
 	}
 	return stprcspn(str, "/");
 }
--- a/lib/bit.c
+++ b/lib/bit.c
@@ -0,0 +1,19 @@
 /*
 * SPDX-FileCopyrightText:  2022 - 2023, Alejandro Colomar <alx@kernel.org>
 *
 * SPDX-License-Identifier:  BSD-3-Clause
 */
 #include "config.h"
 #ident "$Id$"
 #include "bit.h"
 #include <limits.h>
 extern inline unsigned long bit_ceilul(unsigned long x);
 extern inline unsigned long bit_ceil_wrapul(unsigned long x);
 extern inline int leading_zerosul(unsigned long x);
--- a/lib/bit.h
+++ b/lib/bit.h
@@ -0,0 +1,53 @@
 /*
 * SPDX-FileCopyrightText:  2022 - 2023, Alejandro Colomar <alx@kernel.org>
 *
 * SPDX-License-Identifier:  BSD-3-Clause
 */
 #ifndef SHADOW_INCLUDE_LIB_BIT_H_
 #define SHADOW_INCLUDE_LIB_BIT_H_
 #include "config.h"
 #include <limits.h>
 #ifndef ULONG_WIDTH
 #define ULONG_WIDTH (sizeof(unsigned long) * CHAR_BIT)
 #endif
 inline unsigned long bit_ceilul(unsigned long x);
 inline unsigned long bit_ceil_wrapul(unsigned long x);
 inline int leading_zerosul(unsigned long x);
 /* stdc_bit_ceilul(3) */
 inline unsigned long
 bit_ceilul(unsigned long x)
 {
 	return 1 + (ULONG_MAX >> leading_zerosul(x));
 }
 /* stdc_bit_ceilul(3), but wrap instead of having Undefined Behavior */
 inline unsigned long
 bit_ceil_wrapul(unsigned long x)
 {
 	if (x == 0)
 		return 0;
 	return bit_ceilul(x);
 }
 /* stdc_leading_zerosul(3) */
 inline int
 leading_zerosul(unsigned long x)
 {
 	return (x == 0) ? ULONG_WIDTH : __builtin_clzl(x);
 }
 #endif  // include guard
--- a/libmisc/btrfs.c
+++ b/libmisc/btrfs.c
@@ -39,7 +39,7 @@ static int run_btrfs_subvolume_cmd(const char *subcmd, const char *arg1, const c
 		NULL
 	};
-	if (access(cmd, X_OK)) {
+	if (!cmd || access(cmd, X_OK)) {
 		return 1;
 	}
--- a/lib/cast.h
+++ b/lib/cast.h
@@ -0,0 +1,15 @@
 // SPDX-FileCopyrightText: 2022-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #ifndef SHADOW_INCLUDE_LIB_CAST_H_
 #define SHADOW_INCLUDE_LIB_CAST_H_
 #include "config.h"
 #define const_cast(T, p)  _Generic(p, const T:  (T) (p))
 #endif  // include guard
--- a/lib/chkhash.c
+++ b/lib/chkhash.c
@@ -0,0 +1,82 @@
 #include "config.h"
 #include "chkhash.h"
 #include <regex.h>
 #include <stdbool.h>
 #include <stddef.h>
 #include <string.h>
 #include "string/strcmp/streq.h"
 #include "string/strcmp/strprefix.h"
 /*
 * match_regex - return true if match, false if not
 */
 bool 
 match_regex(const char *pattern, const char *string) 
 {
 	regex_t regex;
 	int result;
 	if (regcomp(&regex, pattern, REG_EXTENDED) != 0)
 		return false;
 	result = regexec(&regex, string, 0, NULL, 0);
 	regfree(&regex);
 	return result == 0;
 }
 /*
 * is_valid_hash - check if the given string is a valid password hash
 *
 * Returns true if the string appears to be a valid hash, false otherwise.
 *
 * regex from: https://man.archlinux.org/man/crypt.5.en
 */
 bool 
 is_valid_hash(const char *hash) 
 {
 	hash = strprefix(hash, "!") ?: hash;
 	// Passwordless account; discouraged
 	if (streq(hash, ""))
 		return true;
 	if (streq(hash, "*"))
 		return true;
 	// Minimum hash length
 	if (strlen(hash) < 13)
 		return false;
 	// Yescrypt: $y$ + algorithm parameters + $ + salt + $ + 43-char (minimum) hash
 	if (match_regex("^\\$y\\$[./A-Za-z0-9]+\\$[./A-Za-z0-9]{1,86}\\$[./A-Za-z0-9]{43}$", hash))
 		return true;
 	// Bcrypt: $2[abxy]$ + 2-digit cost + $ + 53-char hash
 	if (match_regex("^\\$2[abxy]\\$[0-9]{2}\\$[./A-Za-z0-9]{53}$", hash))
 		return true;
 	// SHA-512: $6$ + salt + $ + 86-char hash
 	if (match_regex("^\\$6\\$(rounds=[1-9][0-9]{3,8}\\$)?[^$:\n]{1,16}\\$[./A-Za-z0-9]{86}$", hash))
 		return true;
 	// SHA-256: $5$ + salt + $ + 43-char hash
 	if (match_regex("^\\$5\\$(rounds=[1-9][0-9]{3,8}\\$)?[^$:\n]{1,16}\\$[./A-Za-z0-9]{43}$", hash))
 		return true;
 	// MD5: $1$ + salt + $ + 22-char hash
 	if (match_regex("^\\$1\\$[^$:\n]{1,8}\\$[./A-Za-z0-9]{22}$", hash))
 		return true;
 	// DES: exactly 13 characters from [A-Za-z0-9./]
 	if (match_regex("^[./A-Za-z0-9]{13}$", hash))
 		return true;
 	// Not a valid hash
 	return false;
 }
--- a/lib/chkhash.h
+++ b/lib/chkhash.h
@@ -0,0 +1,13 @@
 #ifndef SHADOW_INCLUDE_CHKHASH_H
 #define SHADOW_INCLUDE_CHKHASH_H
 #include "config.h"
 #include <stdbool.h>
 bool is_valid_hash(const char *hash);
 #endif
--- a/lib/chkname.c
+++ b/lib/chkname.c
@@ -0,0 +1,146 @@
 // SPDX-FileCopyrightText: 1990-1994, Julianne Frances Haugh
 // SPDX-FileCopyrightText: 1996-2000, Marek Michałkiewicz
 // SPDX-FileCopyrightText: 2001-2005, Tomasz Kłoczko
 // SPDX-FileCopyrightText: 2005-2008, Nicolas François
 // SPDX-FileCopyrightText: 2023-2025, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 /*
 * is_valid_user_name(), is_valid_group_name() - check the new user/group
 * name for validity;
 * return values:
 *   true  - OK
 *   false - bad name
 * errors:
 *   EINVAL	Invalid name
 *   EILSEQ	Invalid name character sequence (acceptable with --badname)
 *   EOVERFLOW	Name longer than maximum size
 */
 #include "config.h"
 #ident "$Id$"
 #include <ctype.h>
 #include <errno.h>
 #include <limits.h>
 #include <stdbool.h>
 #include <stddef.h>
 #include <string.h>
 #include <unistd.h>
 #include "defines.h"
 #include "chkname.h"
 #include "string/ctype/strchrisascii/strchriscntrl.h"
 #include "string/ctype/strisascii/strisdigit.h"
 #include "string/strcmp/streq.h"
 #include "string/strcmp/strcaseeq.h"
 #ifndef  LOGIN_NAME_MAX
 # define LOGIN_NAME_MAX  256
 #endif
 int allow_bad_names = false;
 size_t
 login_name_max_size(void)
 {
 	long  conf;
 	conf = sysconf(_SC_LOGIN_NAME_MAX);
 	if (conf == -1)
 		return LOGIN_NAME_MAX;
 	return conf;
 }
 static bool
 is_valid_name(const char *name)
 {
 	if (streq(name, "")
 	 || streq(name, ".")
 	 || streq(name, "..")
 	 || strspn(name, "-")
 	 || strpbrk(name, " \"#',/:;")
 	 || strchriscntrl(name)
 	 || strisdigit(name))
 	{
 		errno = EINVAL;
 		return false;
 	}
 	if (allow_bad_names) {
 		return true;
 	}
 	/*
 	 * User/group names must match BRE regex:
 	 *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$\?
 	 *
 	 * as a non-POSIX, extension, allow "$" as the last char for
 	 * sake of Samba 3.x "add machine script"
 	 */
 	if (!((*name >= 'a' && *name <= 'z') ||
 	      (*name >= 'A' && *name <= 'Z') ||
 	      (*name >= '0' && *name <= '9') ||
 	      *name == '_' ||
 	      *name == '.'))
 	{
 		errno = EILSEQ;
 		return false;
 	}
 	while (!streq(++name, "")) {
 		if (!((*name >= 'a' && *name <= 'z') ||
 		      (*name >= 'A' && *name <= 'Z') ||
 		      (*name >= '0' && *name <= '9') ||
 		      *name == '_' ||
 		      *name == '.' ||
 		      *name == '-' ||
 		      streq(name, "$")
 		     ))
 		{
 			errno = EILSEQ;
 			return false;
 		}
 	}
 	return true;
 }
 bool
 is_valid_user_name(const char *name)
 {
 	if (strlen(name) >= login_name_max_size()) {
 		errno = EOVERFLOW;
 		return false;
 	}
 	return is_valid_name(name);
 }
 bool
 is_valid_group_name(const char *name)
 {
 	/*
 	 * Arbitrary limit for group names.
 	 * HP-UX 10 limits to 16 characters
 	 */
 	if (   (GROUP_NAME_MAX_LENGTH > 0)
 	    && (strlen (name) > GROUP_NAME_MAX_LENGTH))
 	{
 		errno = EOVERFLOW;
 		return false;
 	}
 	return is_valid_name (name);
 }
--- a/libmisc/chkname.h
+++ b/libmisc/chkname.h
@@ -11,6 +11,7 @@
 #ifndef _CHKNAME_H_
 #define _CHKNAME_H_
 /*
 * is_valid_user_name(), is_valid_group_name() - check the new user/group
 * name for validity;
@@ -19,8 +20,14 @@
 *   false - bad name
 */
 #include "defines.h"
 #include "config.h"
 #include <stdbool.h>
 #include <stddef.h>
 extern size_t login_name_max_size(void);
 extern bool is_valid_user_name (const char *name);
 extern bool is_valid_group_name (const char *name);
--- a/libmisc/chowndir.c
+++ b/libmisc/chowndir.c
@@ -7,18 +7,21 @@
 * SPDX-License-Identifier: BSD-3-Clause
 */
-#include <config.h>
+#include "config.h"
 #ident "$Id$"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include "prototypes.h"
 #include "defines.h"
 #include <fcntl.h>
 #include <stdio.h>
 #include <unistd.h>
 #include "defines.h"
 #include "prototypes.h"
 #include "string/strcmp/streq.h"
 static int chown_tree_at (int at_fd,
                const char *path,
                uid_t old_uid,
@@ -56,8 +59,8 @@ static int chown_tree_at (int at_fd,
 		/*
 		 * Skip the "." and ".." entries
 		 */
-		if (   (strcmp (ent->d_name, ".") == 0)
+		if (   streq(ent->d_name, ".")
-		    || (strcmp (ent->d_name, "..") == 0)) {
+		    || streq(ent->d_name, "..")) {
 			continue;
 		}
--- a/libmisc/chowntty.c
+++ b/libmisc/chowntty.c
@@ -7,7 +7,7 @@
 * SPDX-License-Identifier: BSD-3-Clause
 */
-#include <config.h>
+#include "config.h"
 #ident "$Id$"
@@ -51,7 +51,7 @@ void chown_tty (const struct passwd *info)
 	 */
 	if (   (fchown (STDIN_FILENO, info->pw_uid, gid) != 0)
-	    || (fchmod (STDIN_FILENO, (mode_t)getdef_num ("TTYPERM", 0600)) != 0)) {
+	    || (fchmod (STDIN_FILENO, getdef_num ("TTYPERM", 0600)) != 0)) {
 		int err = errno;
 		FILE *shadow_logfd = log_get_logfd();
--- a/libmisc/cleanup.c
+++ b/libmisc/cleanup.c
@@ -4,7 +4,7 @@
 * SPDX-License-Identifier: BSD-3-Clause
 */
-#include <config.h>
+#include "config.h"
 #include <assert.h>
 #include <stdio.h>
@@ -44,7 +44,7 @@ void do_cleanups (void)
 {
 	unsigned int i;
-	/* Make sure there were no overflow */
+	/* Make sure there were no overflows */
 	assert (NULL == cleanup_functions[CLEANUP_FUNCTIONS-1]);
 	if (getpid () != cleanup_pid) {
--- a/libmisc/cleanup_group.c
+++ b/libmisc/cleanup_group.c
@@ -4,11 +4,12 @@
 * SPDX-License-Identifier: BSD-3-Clause
 */
-#include <config.h>
+#include "config.h"
 #include <assert.h>
 #include <stdio.h>
 #include "attr.h"
 #include "defines.h"
 #include "groupio.h"
 #include "sgroupio.h"
@@ -22,11 +23,11 @@
 */
 void cleanup_report_add_group (void *group_name)
 {
-	const char *name = (const char *)group_name;
+	const char *name = group_name;
 	SYSLOG ((LOG_ERR, "failed to add group %s", name));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
+	audit_logger (AUDIT_ADD_GROUP,
 	              "",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
@@ -40,11 +41,11 @@ void cleanup_report_add_group (void *group_name)
 */
 void cleanup_report_del_group (void *group_name)
 {
-	const char *name = (const char *)group_name;
+	const char *name = group_name;
 	SYSLOG ((LOG_ERR, "failed to remove group %s", name));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_DEL_GROUP, log_get_progname(),
+	audit_logger (AUDIT_DEL_GROUP,
 	              "",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
@@ -61,7 +62,7 @@ void cleanup_report_mod_group (void *cleanup_info)
 	         gr_dbname (),
 	         info->action));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_USER_ACCT, log_get_progname(),
+	audit_logger (AUDIT_GRP_MGMT,
 	              info->audit_msg,
 	              info->name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
@@ -79,7 +80,7 @@ void cleanup_report_mod_gshadow (void *cleanup_info)
 	         sgr_dbname (),
 	         info->action));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_USER_ACCT, log_get_progname(),
+	audit_logger (AUDIT_GRP_MGMT,
 	              info->audit_msg,
 	              info->name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
@@ -95,12 +96,12 @@ void cleanup_report_mod_gshadow (void *cleanup_info)
 */
 void cleanup_report_add_group_group (void *group_name)
 {
-	const char *name = (const char *)group_name;
+	const char *name = group_name;
 	SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, gr_dbname ()));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
+	audit_logger (AUDIT_ADD_GROUP,
-	              "adding group to /etc/group",
+	              "adding-group",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -115,12 +116,12 @@ void cleanup_report_add_group_group (void *group_name)
 */
 void cleanup_report_add_group_gshadow (void *group_name)
 {
-	const char *name = (const char *)group_name;
+	const char *name = group_name;
 	SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, sgr_dbname ()));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
+	audit_logger (AUDIT_GRP_MGMT,
-	              "adding group to /etc/gshadow",
+	              "adding-shadow-group",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -136,14 +137,14 @@ void cleanup_report_add_group_gshadow (void *group_name)
 */
 void cleanup_report_del_group_group (void *group_name)
 {
-	const char *name = (const char *)group_name;
+	const char *name = group_name;
 	SYSLOG ((LOG_ERR,
 	         "failed to remove group %s from %s",
 	         name, gr_dbname ()));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
+	audit_logger (AUDIT_DEL_GROUP,
-	              "removing group from /etc/group",
+	              "removing-group",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -159,14 +160,14 @@ void cleanup_report_del_group_group (void *group_name)
 */
 void cleanup_report_del_group_gshadow (void *group_name)
 {
-	const char *name = (const char *)group_name;
+	const char *name = group_name;
 	SYSLOG ((LOG_ERR,
 	         "failed to remove group %s from %s",
 	         name, sgr_dbname ()));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
+	audit_logger (AUDIT_GRP_MGMT,
-	              "removing group from /etc/gshadow",
+	              "removing-shadow-group",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -178,15 +179,17 @@ void cleanup_report_del_group_gshadow (void *group_name)
 *
 * It should be registered after the group file is successfully locked.
 */
-void cleanup_unlock_group (unused void *arg)
+void cleanup_unlock_group (void *process_selinux)
 {
-	if (gr_unlock () == 0) {
+	bool process = *((bool *) process_selinux);
 	if (gr_unlock (process) == 0) {
 		fprintf (log_get_logfd(),
 		         _("%s: failed to unlock %s\n"),
 		         log_get_progname(), gr_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
 #ifdef WITH_AUDIT
-		audit_logger_message ("unlocking group file",
+		audit_logger_message ("unlocking-group",
 		                      SHADOW_AUDIT_FAILURE);
 #endif
 	}
@@ -198,15 +201,17 @@ void cleanup_unlock_group (unused void *arg)
 *
 * It should be registered after the gshadow file is successfully locked.
 */
-void cleanup_unlock_gshadow (unused void *arg)
+void cleanup_unlock_gshadow (void *process_selinux)
 {
-	if (sgr_unlock () == 0) {
+	bool process = *((bool *) process_selinux);
 	if (sgr_unlock (process) == 0) {
 		fprintf (log_get_logfd(),
 		         _("%s: failed to unlock %s\n"),
 		         log_get_progname(), sgr_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
 #ifdef WITH_AUDIT
-		audit_logger_message ("unlocking gshadow file",
+		audit_logger_message ("unlocking-gshadow",
 		                      SHADOW_AUDIT_FAILURE);
 #endif
 	}
--- a/lib/cleanup_user.c
+++ b/lib/cleanup_user.c
@@ -0,0 +1,134 @@
 /*
 * SPDX-FileCopyrightText: 2008       , Nicolas François
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
 #include "config.h"
 #include <assert.h>
 #include <stdio.h>
 #include "defines.h"
 #include "pwio.h"
 #include "shadowio.h"
 #include "prototypes.h"
 #include "shadowlog.h"
 /*
 * cleanup_report_add_user - Report failure to add a user to the system
 *
 * It should be registered when it is decided to add a user to the system.
 */
 void cleanup_report_add_user (void *user_name)
 {
 	const char *name = user_name;
 	SYSLOG ((LOG_ERR, "failed to add user %s", name));
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_ADD_USER,
 	              "",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
 }
 void cleanup_report_mod_passwd (void *cleanup_info)
 {
 	const struct cleanup_info_mod *info;
 	info = (const struct cleanup_info_mod *)cleanup_info;
 	SYSLOG ((LOG_ERR,
 	         "failed to change %s (%s)",
 	         pw_dbname (),
 	         info->action));
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_USER_MGMT,
 	              info->audit_msg,
 	              info->name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
 }
 /*
 * cleanup_report_add_user_passwd - Report failure to add a user to
 * /etc/passwd
 *
 * It should be registered when it is decided to add a user to the
 * /etc/passwd database.
 */
 void cleanup_report_add_user_passwd (void *user_name)
 {
 	const char *name = user_name;
 	SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, pw_dbname ()));
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_ADD_USER,
 	              "adding-user",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
 }
 /*
 * cleanup_report_add_user_shadow - Report failure to add a user to
 * /etc/shadow
 *
 * It should be registered when it is decided to add a user to the
 * /etc/shadow database.
 */
 void cleanup_report_add_user_shadow (void *user_name)
 {
 	const char *name = user_name;
 	SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, spw_dbname ()));
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_USER_MGMT,
 	              "adding-shadow-user",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
 }
 /*
 * cleanup_unlock_passwd - Unlock the /etc/passwd database
 *
 * It should be registered after the passwd database is successfully locked.
 */
 void cleanup_unlock_passwd (void *process_selinux)
 {
 	bool process = *((bool *) process_selinux);
 	if (pw_unlock (process) == 0) {
 		fprintf (log_get_logfd(),
 		         _("%s: failed to unlock %s\n"),
 		         log_get_progname(), pw_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
 #ifdef WITH_AUDIT
 		audit_logger_message ("unlocking-passwd",
 		                      SHADOW_AUDIT_FAILURE);
 #endif
 	}
 }
 /*
 * cleanup_unlock_shadow - Unlock the /etc/shadow database
 *
 * It should be registered after the shadow database is successfully locked.
 */
 void cleanup_unlock_shadow (void *process_selinux)
 {
 	bool process = *((bool *) process_selinux);
 	if (spw_unlock (process) == 0) {
 		fprintf (log_get_logfd(),
 		         _("%s: failed to unlock %s\n"),
 		         log_get_progname(), spw_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
 #ifdef WITH_AUDIT
 		audit_logger_message ("unlocking-shadow",
 		                      SHADOW_AUDIT_FAILURE);
 #endif
 	}
 }
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -7,28 +7,41 @@
 * SPDX-License-Identifier: BSD-3-Clause
 */
-#include <config.h>
+#include "config.h"
 #ident "$Id$"
 #include "defines.h"
 #include <assert.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
 #include <signal.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <string.h>
 #include <sys/stat.h>
 #include <stdlib.h>
 #include <limits.h>
 #include <utime.h>
-#include <fcntl.h>
+
-#include <errno.h>
+#include "alloc/malloc.h"
-#include <stdio.h>
+#include "atoi/getnum.h"
-#include <signal.h>
+#include "commonio.h"
 #include "defines.h"
 #include "nscd.h"
 #include "sssd.h"
 #ifdef WITH_TCB
 #include <tcb.h>
 #endif				/* WITH_TCB */
 #include "prototypes.h"
 #include "commonio.h"
 #include "shadowlog_internal.h"
 #include "sssd.h"
 #include "string/memset/memzero.h"
 #include "string/sprintf/aprintf.h"
 #include "string/sprintf/snprintf.h"
 #include "string/strcmp/streq.h"
 #include "string/strcmp/strprefix.h"
 #include "string/strerrno.h"
 #include "string/strtok/stpsep.h"
 /* local function prototypes */
 static int lrename (const char *, const char *);
@@ -64,17 +77,10 @@ int lrename (const char *old, const char *new)
 {
 	int res;
 	char *r = NULL;
 #ifndef __GLIBC__
 	char resolved_path[PATH_MAX];
 #endif				/* !__GLIBC__ */
 	struct stat sb;
 	if (lstat (new, &sb) == 0 && S_ISLNK (sb.st_mode)) {
 #ifdef __GLIBC__ /* now a POSIX.1-2008 feature */
 		r = realpath (new, NULL);
 #else				/* !__GLIBC__ */
 		r = realpath (new, resolved_path);
 #endif				/* !__GLIBC__ */
 		if (NULL == r) {
 			perror ("realpath in lrename()");
 		} else {
@@ -84,9 +90,7 @@ int lrename (const char *old, const char *new)
 	res = rename (old, new);
 #ifdef __GLIBC__
 	free (r);
 #endif				/* __GLIBC__ */
 	return res;
 }
@@ -99,16 +103,16 @@ static int check_link_count (const char *file, bool log)
 		if (log) {
 			(void) fprintf (shadow_logfd,
 			                "%s: %s file stat error: %s\n",
-			                shadow_progname, file, strerror (errno));
+			                shadow_progname, file, strerrno());
 		}
 		return 0;
 	}
 	if (sb.st_nlink != 2) {
 		if (log) {
-			(void) fprintf (shadow_logfd,
+			fprintf(shadow_logfd,
-			                "%s: %s: lock file already used (nlink: %u)\n",
+			        "%s: %s: lock file already used (nlink: %ju)\n",
-			                shadow_progname, file, sb.st_nlink);
+			        shadow_progname, file, (uintmax_t) sb.st_nlink);
 		}
 		return 0;
 	}
@@ -119,30 +123,30 @@ static int check_link_count (const char *file, bool log)
 static int do_lock_file (const char *file, const char *lock, bool log)
 {
-	int fd;
+	int      fd;
-	pid_t pid;
+	int      retval;
-	ssize_t len;
+	char     buf[32];
-	int retval;
+	pid_t    pid;
-	char buf[32];
+	ssize_t  len;
 	fd = open (file, O_CREAT | O_TRUNC | O_WRONLY, 0600);
 	if (-1 == fd) {
 		if (log) {
 			(void) fprintf (shadow_logfd,
 			                "%s: %s: %s\n",
-			                shadow_progname, file, strerror (errno));
+			                shadow_progname, file, strerrno());
 		}
 		return 0;
 	}
 	pid = getpid ();
-	snprintf (buf, sizeof buf, "%lu", (unsigned long) pid);
+	stprintf_a(buf, "%lu", (unsigned long) pid);
 	len = (ssize_t) strlen (buf) + 1;
-	if (write (fd, buf, (size_t) len) != len) {
+	if (write_full(fd, buf, len) == -1) {
 		if (log) {
 			(void) fprintf (shadow_logfd,
 			                "%s: %s file write error: %s\n",
-			                shadow_progname, file, strerror (errno));
+			                shadow_progname, file, strerrno());
 		}
 		(void) close (fd);
 		unlink (file);
@@ -152,7 +156,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 		if (log) {
 			(void) fprintf (shadow_logfd,
 			                "%s: %s file sync error: %s\n",
-			                shadow_progname, file, strerror (errno));
+			                shadow_progname, file, strerrno());
 		}
 		(void) close (fd);
 		unlink (file);
@@ -171,13 +175,13 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 		if (log) {
 			(void) fprintf (shadow_logfd,
 			                "%s: %s: %s\n",
-			                shadow_progname, lock, strerror (errno));
+			                shadow_progname, lock, strerrno());
 		}
 		unlink (file);
 		errno = EINVAL;
 		return 0;
 	}
-	len = read (fd, buf, sizeof (buf) - 1);
+	len = read(fd, buf, sizeof(buf) - 1);
 	close (fd);
 	if (len <= 0) {
 		if (log) {
@@ -189,8 +193,8 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 		errno = EINVAL;
 		return 0;
 	}
-	buf[len] = '\0';
+	stpcpy(&buf[len], "");
-	if (get_pid (buf, &pid) == 0) {
+	if (get_pid(buf, &pid) == -1) {
 		if (log) {
 			(void) fprintf (shadow_logfd,
 			                "%s: existing lock file %s with an invalid PID '%s'\n",
@@ -214,7 +218,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 		if (log) {
 			(void) fprintf (shadow_logfd,
 			                "%s: cannot get lock %s: %s\n",
-			                shadow_progname, lock, strerror (errno));
+			                shadow_progname, lock, strerrno());
 		}
 		unlink (file);
 		return 0;
@@ -227,7 +231,7 @@ static int do_lock_file (const char *file, const char *lock, bool log)
 		if (log) {
 			(void) fprintf (shadow_logfd,
 			                "%s: cannot get lock %s: %s\n",
-			                shadow_progname, lock, strerror (errno));
+			                shadow_progname, lock, strerrno());
 		}
 	}
@@ -251,25 +255,13 @@ static /*@null@*/ /*@dependent@*/FILE *fopen_set_perms (
 		return NULL;
 	}
 #ifdef HAVE_FCHOWN
 	if (fchown (fileno (fp), sb->st_uid, sb->st_gid) != 0) {
 		goto fail;
 	}
 #else				/* !HAVE_FCHOWN */
 	if (chown (name, sb->st_mode) != 0) {
 		goto fail;
 	}
 #endif				/* !HAVE_FCHOWN */
 #ifdef HAVE_FCHMOD
 	if (fchmod (fileno (fp), sb->st_mode & 0664) != 0) {
 		goto fail;
 	}
-#else				/* !HAVE_FCHMOD */
+
 	if (chmod (name, sb->st_mode & 0664) != 0) {
 		goto fail;
 	}
 #endif				/* !HAVE_FCHMOD */
 	return fp;
      fail:
@@ -337,9 +329,8 @@ static void free_linked_list (struct commonio_db *db)
 		free (p->line);
-		if (NULL != p->eptr) {
+		if (NULL != p->eptr)
-			db->ops->free (p->eptr);
+			db->ops->cio_free(p->eptr);
 		}
 		free (p);
 	}
@@ -349,7 +340,7 @@ static void free_linked_list (struct commonio_db *db)
 int commonio_setname (struct commonio_db *db, const char *name)
 {
-	snprintf (db->filename, sizeof (db->filename), "%s", name);
+	stprintf_a(db->filename, "%s", name);
 	db->setname = true;
 	return 1;
 }
@@ -363,33 +354,28 @@ bool commonio_present (const struct commonio_db *db)
 int commonio_lock_nowait (struct commonio_db *db, bool log)
 {
-	char* file = NULL;
+	int   err = 0;
-	char* lock = NULL;
+	char  *file = NULL;
-	size_t lock_file_len;
+	char  *lock = NULL;
 	size_t file_len;
 	int err = 0;
 	if (db->locked) {
 		return 1;
 	}
-	file_len = strlen(db->filename) + 11;/* %lu max size */
+
-	lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
+	file = aprintf("%s.%ju", db->filename, (uintmax_t) getpid());
-	file = (char*)malloc(file_len);
+	if (file == NULL)
 	if (file == NULL) {
 		goto cleanup_ENOMEM;
-	}
+
-	lock = (char*)malloc(lock_file_len);
+	lock = aprintf("%s.lock", db->filename);
-	if (lock == NULL) {
+	if (lock == NULL)
 		goto cleanup_ENOMEM;
-	}
+
 	snprintf (file, file_len, "%s.%lu",
 	          db->filename, (unsigned long) getpid ());
 	snprintf (lock, lock_file_len, "%s.lock", db->filename);
 	if (do_lock_file (file, lock, log) != 0) {
 		db->locked = true;
 		lock_count++;
 		err = 1;
 	}
 cleanup_ENOMEM:
 	free(file);
 	free(lock);
@@ -481,13 +467,13 @@ static void dec_lock_count (void)
 }
-int commonio_unlock (struct commonio_db *db)
+int commonio_unlock (struct commonio_db *db, bool process_selinux)
 {
-	char lock[1024];
+	char  lock[1029];
 	if (db->isopen) {
 		db->readonly = true;
-		if (commonio_close (db) == 0) {
+		if (commonio_close (db, process_selinux) == 0) {
 			if (db->locked) {
 				dec_lock_count ();
 			}
@@ -500,7 +486,7 @@ int commonio_unlock (struct commonio_db *db)
 		 * then call ulckpwdf() (if used) on last unlock.
 		 */
 		db->locked = false;
-		snprintf (lock, sizeof lock, "%s.lock", db->filename);
+		stprintf_a(lock, "%s.lock", db->filename);
 		unlink (lock);
 		dec_lock_count ();
 		return 1;
@@ -534,7 +520,7 @@ static void add_one_entry (struct commonio_db *db,
 static bool name_is_nis (const char *name)
 {
-	return (('+' == name[0]) || ('-' == name[0]));
+	return strprefix(name, "+") || strprefix(name, "-");
 }
@@ -562,7 +548,7 @@ static void add_one_entry_nis (struct commonio_db *db,
 	struct commonio_entry *p;
 	for (p = db->head; NULL != p; p = p->next) {
-		if (name_is_nis (p->eptr ? db->ops->getname (p->eptr)
+		if (name_is_nis (p->eptr ? db->ops->cio_getname(p->eptr)
 		                         : p->line)) {
 			/*@-mustfreeonly@*/
 			newp->next = p;
@@ -581,16 +567,12 @@ static void add_one_entry_nis (struct commonio_db *db,
 }
 #endif				/* KEEP_NIS_AT_END */
 /* Initial buffer size, as well as increment if not sufficient
   (for reading very long lines in group files).  */
 #define BUFLEN 4096
-int commonio_open (struct commonio_db *db, int mode)
+int
 commonio_open(struct commonio_db *db, int mode)
 {
 	char *buf;
 	char *cp;
 	char *line;
 	struct commonio_entry *p;
 	void *eptr = NULL;
 	int flags = mode;
 	size_t buflen;
@@ -618,7 +600,7 @@ int commonio_open (struct commonio_db *db, int mode)
 	fd = open (db->filename,
 	             (db->readonly ? O_RDONLY : O_RDWR)
-	           | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
+	           | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
 	saved_errno = errno;
 	db->fp = NULL;
 	if (fd >= 0) {
@@ -649,37 +631,12 @@ int commonio_open (struct commonio_db *db, int mode)
 		return 0;
 	}
-	/* Do not inherit fd in spawned processes (e.g. nscd) */
+	buf = NULL;
-	fcntl (fileno (db->fp), F_SETFD, FD_CLOEXEC);
+	while (getline(&buf, &buflen, db->fp) != -1) {
 		struct commonio_entry  *p;
-	buflen = BUFLEN;
+		if (stpsep(buf, "\n") == NULL)
-	buf = (char *) malloc (buflen);
+			goto cleanup_buf;
 	if (NULL == buf) {
 		goto cleanup_ENOMEM;
 	}
 	while (db->ops->fgets (buf, (int) buflen, db->fp) == buf) {
 		while (   ((cp = strrchr (buf, '\n')) == NULL)
 		       && (feof (db->fp) == 0)) {
 			size_t len;
 			buflen += BUFLEN;
 			cp = (char *) realloc (buf, buflen);
 			if (NULL == cp) {
 				goto cleanup_buf;
 			}
 			buf = cp;
 			len = strlen (buf);
 			if (db->ops->fgets (buf + len,
 			                    (int) (buflen - len),
 			                    db->fp) == NULL) {
 				goto cleanup_buf;
 			}
 		}
 		cp = strrchr (buf, '\n');
 		if (NULL != cp) {
 			*cp = '\0';
 		}
 		line = strdup (buf);
 		if (NULL == line) {
@@ -689,16 +646,16 @@ int commonio_open (struct commonio_db *db, int mode)
 		if (name_is_nis (line)) {
 			eptr = NULL;
 		} else {
-			eptr = db->ops->parse (line);
+			eptr = db->ops->cio_parse(line);
 			if (NULL != eptr) {
-				eptr = db->ops->dup (eptr);
+				eptr = db->ops->cio_dup(eptr);
 				if (NULL == eptr) {
 					goto cleanup_line;
 				}
 			}
 		}
-		p = (struct commonio_entry *) malloc (sizeof *p);
+		p = malloc_T(1, struct commonio_entry);
 		if (NULL == p) {
 			goto cleanup_entry;
 		}
@@ -716,7 +673,7 @@ int commonio_open (struct commonio_db *db, int mode)
 		goto cleanup_errno;
 	}
-	if ((NULL != db->ops->open_hook) && (db->ops->open_hook () == 0)) {
+	if ((NULL != db->ops->cio_open_hook) && (db->ops->cio_open_hook() == 0)) {
 		goto cleanup_errno;
 	}
@@ -724,14 +681,12 @@ int commonio_open (struct commonio_db *db, int mode)
 	return 1;
      cleanup_entry:
-	if (NULL != eptr) {
+	if (NULL != eptr)
-		db->ops->free (eptr);
+		db->ops->cio_free(eptr);
 	}
      cleanup_line:
 	free (line);
      cleanup_buf:
 	free (buf);
      cleanup_ENOMEM:
 	errno = ENOMEM;
      cleanup_errno:
 	saved_errno = errno;
@@ -742,6 +697,7 @@ int commonio_open (struct commonio_db *db, int mode)
 	return 0;
 }
 /*
 * Sort given db according to cmp function (usually compares uids)
 */
@@ -775,7 +731,7 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))
 		return 0;
 	}
-	entries = malloc (n * sizeof (struct commonio_entry *));
+	entries = malloc_T(n, struct commonio_entry *);
 	if (entries == NULL) {
 		return -1;
 	}
@@ -794,7 +750,7 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))
 		entries[n] = ptr;
 		n++;
 	}
-	qsort (entries, n, sizeof (struct commonio_entry *), cmp);
+	qsort(entries, n, sizeof(struct commonio_entry *), cmp);
 	/* Take care of the head and tail separately */
 	db->head = entries[0];
@@ -843,17 +799,15 @@ int commonio_sort_wrt (struct commonio_db *shadow,
 		if (NULL == pw_ptr->eptr) {
 			continue;
 		}
-		name = passwd->ops->getname (pw_ptr->eptr);
+		name = passwd->ops->cio_getname(pw_ptr->eptr);
 		for (spw_ptr = shadow->head;
 		     NULL != spw_ptr;
 		     spw_ptr = spw_ptr->next) {
 			if (NULL == spw_ptr->eptr) {
 				continue;
 			}
-			if (strcmp (name, shadow->ops->getname (spw_ptr->eptr))
+			if (streq(name, shadow->ops->cio_getname(spw_ptr->eptr)))
 			    == 0) {
 				break;
 			}
 		}
 		if (NULL == spw_ptr) {
 			continue;
@@ -894,13 +848,13 @@ static int write_all (const struct commonio_db *db)
 		if (p->changed) {
 			eptr = p->eptr;
 			assert (NULL != eptr);
-			if (db->ops->put (eptr, db->fp) != 0) {
+			if (db->ops->cio_put(eptr, db->fp) != 0) {
 				return -1;
 			}
 		} else if (NULL != p->line) {
-			if (db->ops->fputs (p->line, db->fp) == EOF) {
+			if (fputs(p->line, db->fp) == EOF)
 				return -1;
-			}
+
 			if (putc ('\n', db->fp) == EOF) {
 				return -1;
 			}
@@ -910,11 +864,12 @@ static int write_all (const struct commonio_db *db)
 }
-int commonio_close (struct commonio_db *db)
+int
 commonio_close(struct commonio_db *db, MAYBE_UNUSED bool process_selinux)
 {
-	char buf[1024];
+	bool         errors = false;
-	int errors = 0;
+	char         buf[1024];
-	struct stat sb;
+	struct stat  sb;
 	if (!db->isopen) {
 		errno = EINVAL;
@@ -930,11 +885,11 @@ int commonio_close (struct commonio_db *db)
 		goto success;
 	}
-	if ((NULL != db->ops->close_hook) && (db->ops->close_hook () == 0)) {
+	if ((NULL != db->ops->cio_close_hook) && (db->ops->cio_close_hook() == 0)) {
 		goto fail;
 	}
-	memzero (&sb, sizeof sb);
+	memzero(&sb, sizeof(sb));
 	if (NULL != db->fp) {
 		if (fstat (fileno (db->fp), &sb) != 0) {
 			(void) fclose (db->fp);
@@ -945,30 +900,36 @@ int commonio_close (struct commonio_db *db)
 		/*
 		 * Create backup file.
 		 */
-		snprintf (buf, sizeof buf, "%s-", db->filename);
+		if (stprintf_a(buf, "%s-", db->filename) == -1) {
-
+			(void) fclose (db->fp);
 #ifdef WITH_SELINUX
 		if (set_selinux_file_context (db->filename, S_IFREG) != 0) {
 			errors++;
 		}
 #endif
 		if (create_backup (buf, db->fp) != 0) {
 			errors++;
 		}
 		if (fclose (db->fp) != 0) {
 			errors++;
 		}
 #ifdef WITH_SELINUX
 		if (reset_selinux_file_context () != 0) {
 			errors++;
 		}
 #endif
 		if (errors != 0) {
 			db->fp = NULL;
 			goto fail;
 		}
 #ifdef WITH_SELINUX
 		if (process_selinux
 		    && set_selinux_file_context (db->filename, S_IFREG) != 0) {
 			errors = true;
 		}
 #endif
 		if (create_backup (buf, db->fp) != 0) {
 			errors = true;
 		}
 		if (fclose (db->fp) != 0) {
 			errors = true;
 		}
 		db->fp = NULL;
 #ifdef WITH_SELINUX
 		if (process_selinux
 		    && reset_selinux_file_context () != 0) {
 			errors = true;
 		}
 #endif
 		if (errors)
 			goto fail;
 	} else {
 		/*
 		 * Default permissions for new [g]shadow files.
@@ -978,11 +939,13 @@ int commonio_close (struct commonio_db *db)
 		sb.st_gid = db->st_gid;
 	}
-	snprintf (buf, sizeof buf, "%s+", db->filename);
+	if (stprintf_a(buf, "%s+", db->filename) == -1)
 		goto fail;
 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (db->filename, S_IFREG) != 0) {
+	if (process_selinux
-		errors++;
+	    && set_selinux_file_context (db->filename, S_IFREG) != 0) {
 		errors = true;
 	}
 #endif
@@ -992,26 +955,24 @@ int commonio_close (struct commonio_db *db)
 	}
 	if (write_all (db) != 0) {
-		errors++;
+		errors = true;
 	}
 	if (fflush (db->fp) != 0) {
-		errors++;
+		errors = true;
 	}
-#ifdef HAVE_FSYNC
+
 	if (fsync (fileno (db->fp)) != 0) {
-		errors++;
+		errors = true;
 	}
-#else				/* !HAVE_FSYNC */
+
 	sync ();
 #endif				/* !HAVE_FSYNC */
 	if (fclose (db->fp) != 0) {
-		errors++;
+		errors = true;
 	}
 	db->fp = NULL;
-	if (errors != 0) {
+	if (errors) {
 		unlink (buf);
 		goto fail;
 	}
@@ -1021,7 +982,8 @@ int commonio_close (struct commonio_db *db)
 	}
 #ifdef WITH_SELINUX
-	if (reset_selinux_file_context () != 0) {
+	if (process_selinux
 	    && reset_selinux_file_context () != 0) {
 		goto fail;
 	}
 #endif
@@ -1029,11 +991,11 @@ int commonio_close (struct commonio_db *db)
 	nscd_need_reload = true;
 	goto success;
      fail:
-	errors++;
+	errors = true;
      success:
 	free_linked_list (db);
-	return errors == 0;
+	return !errors;
 }
 static /*@dependent@*/ /*@null@*/struct commonio_entry *next_entry_by_name (
@@ -1051,7 +1013,7 @@ static /*@dependent@*/ /*@null@*/struct commonio_entry *next_entry_by_name (
 	for (p = pos; NULL != p; p = p->next) {
 		ep = p->eptr;
 		if (   (NULL != ep)
-		    && (strcmp (db->ops->getname (ep), name) == 0)) {
+		    && streq(db->ops->cio_getname(ep), name)) {
 			break;
 		}
 	}
@@ -1075,19 +1037,19 @@ int commonio_update (struct commonio_db *db, const void *eptr)
 		errno = EINVAL;
 		return 0;
 	}
-	nentry = db->ops->dup (eptr);
+	nentry = db->ops->cio_dup(eptr);
 	if (NULL == nentry) {
 		errno = ENOMEM;
 		return 0;
 	}
-	p = find_entry_by_name (db, db->ops->getname (eptr));
+	p = find_entry_by_name(db, db->ops->cio_getname(eptr));
 	if (NULL != p) {
-		if (next_entry_by_name (db, p->next, db->ops->getname (eptr)) != NULL) {
+		if (next_entry_by_name(db, p->next, db->ops->cio_getname(eptr)) != NULL) {
-			fprintf (shadow_logfd, _("Multiple entries named '%s' in %s. Please fix this with pwck or grpck.\n"), db->ops->getname (eptr), db->filename);
+			fprintf(shadow_logfd, _("Multiple entries named '%s' in %s. Please fix this with pwck or grpck.\n"), db->ops->cio_getname(eptr), db->filename);
-			db->ops->free (nentry);
+			db->ops->cio_free(nentry);
 			return 0;
 		}
-		db->ops->free (p->eptr);
+		db->ops->cio_free(p->eptr);
 		p->eptr = nentry;
 		p->changed = true;
 		db->cursor = p;
@@ -1096,9 +1058,9 @@ int commonio_update (struct commonio_db *db, const void *eptr)
 		return 1;
 	}
 	/* not found, new entry */
-	p = (struct commonio_entry *) malloc (sizeof *p);
+	p = malloc_T(1, struct commonio_entry);
 	if (NULL == p) {
-		db->ops->free (nentry);
+		db->ops->cio_free(nentry);
 		errno = ENOMEM;
 		return 0;
 	}
@@ -1127,15 +1089,15 @@ int commonio_append (struct commonio_db *db, const void *eptr)
 		errno = EINVAL;
 		return 0;
 	}
-	nentry = db->ops->dup (eptr);
+	nentry = db->ops->cio_dup(eptr);
 	if (NULL == nentry) {
 		errno = ENOMEM;
 		return 0;
 	}
 	/* new entry */
-	p = (struct commonio_entry *) malloc (sizeof *p);
+	p = malloc_T(1, struct commonio_entry);
 	if (NULL == p) {
-		db->ops->free (nentry);
+		db->ops->cio_free(nentry);
 		errno = ENOMEM;
 		return 0;
 	}
@@ -1196,9 +1158,10 @@ int commonio_remove (struct commonio_db *db, const char *name)
 	free (p->line);
-	if (NULL != p->eptr) {
+	if (NULL != p->eptr)
-		db->ops->free (p->eptr);
+		db->ops->cio_free(p->eptr);
-	}
+
 	free(p);
 	return 1;
 }
@@ -1255,7 +1218,7 @@ int commonio_rewind (struct commonio_db *db)
 	if (!db->isopen) {
 		errno = EINVAL;
-		return 0;
+		return NULL;
 	}
 	if (NULL == db->cursor) {
 		db->cursor = db->head;
--- a/lib/commonio.h
+++ b/lib/commonio.h
@@ -11,8 +11,11 @@
 #ifndef COMMONIO_H
 #define COMMONIO_H
 #include "attr.h"
 #include "defines.h" /* bool */
 /*
 * Linked list entry.
 */
@@ -32,37 +35,30 @@ struct commonio_ops {
 	 * Make a copy of the object (for example, struct passwd)
 	 * and all strings pointed by it, in malloced memory.
 	 */
-	/*@null@*/ /*@only@*/void *(*dup) (const void *);
+	/*@null@*/ /*@only@*/void *(*cio_dup)(const void *);
 	/*
 	 * free() the object including any strings pointed by it.
 	 */
-	void (*free) (/*@out@*/ /*@only@*/void *);
+	void (*cio_free)(/*@only@*/void *);
 	/*
 	 * Return the name of the object (for example, pw_name
 	 * for struct passwd).
 	 */
-	const char *(*getname) (const void *);
+	const char *(*cio_getname)(const void *);
 	/*
 	 * Parse a string, return object (in static area -
 	 * should be copied using the dup operation above).
 	 */
-	void *(*parse) (const char *);
+	void *(*cio_parse)(const char *);
 	/*
 	 * Write the object to the file (this calls putpwent()
 	 * for struct passwd, for example).
 	 */
-	int (*put) (const void *, FILE *);
+	int (*cio_put)(const void *, FILE *);
 	/*
 	 * fgets and fputs (can be replaced by versions that
 	 * understand line continuation conventions).
 	 */
 	/*@null@*/char *(*fgets) (/*@returned@*/ /*@out@*/char *s, int n, FILE *stream);
 	int (*fputs) (const char *, FILE *);
 	/*
 	 * open_hook and close_hook.
@@ -70,8 +66,8 @@ struct commonio_ops {
 	 * is open or before it is closed.
 	 * They return 0 on failure and 1 on success.
 	 */
-	/*@null@*/int (*open_hook) (void);
+	/*@null@*/int (*cio_open_hook)(void);
-	/*@null@*/int (*close_hook) (void);
+	/*@null@*/int (*cio_close_hook)(void);
 };
 /*
@@ -98,7 +94,7 @@ struct commonio_db {
 #endif
 	/*
 	 * Default permissions and owner for newly created data file.
-         */
+	 */
 	mode_t st_mode;
 	uid_t st_uid;
 	gid_t st_gid;
@@ -123,6 +119,7 @@ extern int commonio_setname (struct commonio_db *, const char *);
 extern bool commonio_present (const struct commonio_db *db);
 extern int commonio_lock (struct commonio_db *);
 extern int commonio_lock_nowait (struct commonio_db *, bool log);
 extern int do_fcntl_lock (const char *file, bool log, short type);
 extern int commonio_open (struct commonio_db *, int);
 extern /*@observer@*/ /*@null@*/const void *commonio_locate (struct commonio_db *, const char *);
 extern int commonio_update (struct commonio_db *, const void *);
@@ -132,8 +129,8 @@ extern int commonio_append (struct commonio_db *, const void *);
 extern int commonio_remove (struct commonio_db *, const char *);
 extern int commonio_rewind (struct commonio_db *);
 extern /*@observer@*/ /*@null@*/const void *commonio_next (struct commonio_db *);
-extern int commonio_close (struct commonio_db *);
+extern int commonio_close (struct commonio_db *, bool);
-extern int commonio_unlock (struct commonio_db *);
+extern int commonio_unlock (struct commonio_db *, bool);
 extern void commonio_del_entry (struct commonio_db *,
                                const struct commonio_entry *);
 extern int commonio_sort_wrt (struct commonio_db *shadow,
--- a/libmisc/console.c
+++ b/libmisc/console.c
@@ -8,20 +8,27 @@
 * SPDX-License-Identifier: BSD-3-Clause
 */
-#include <config.h>
+#include "config.h"
-#include "defines.h"
+
 #include <stdio.h>
 #include <string.h>
 #include "defines.h"
 #include "getdef.h"
 #include "prototypes.h"
 #include "string/strcmp/streq.h"
 #include "string/strcmp/strprefix.h"
 #include "string/strcpy/strtcpy.h"
 #include "string/strtok/stpsep.h"
 #ident "$Id$"
 /*
 * This is now rather generic function which decides if "tty" is listed
 * under "cfgin" in config (directly or indirectly). Fallback to default if
 * something is bad.
 */
-static bool is_listed (const char *cfgin, const char *tty, bool def)
+static bool
 is_listed(const char *cfgin, const char *tty, bool def)
 {
 	FILE *fp;
 	char buf[1024], *s;
@@ -44,15 +51,13 @@ static bool is_listed (const char *cfgin, const char *tty, bool def)
 	if (*cons != '/') {
 		char *pbuf;
-		strncpy (buf, cons, sizeof (buf));
+
-		buf[sizeof (buf) - 1] = '\0';
+		strtcpy_a(buf, cons);
-		pbuf = &buf[0];
+		pbuf = buf;
-		while ((s = strtok (pbuf, ":")) != NULL) {
+		while (NULL != (s = strsep(&pbuf, ":"))) {
-			if (strcmp (s, tty) == 0) {
+			if (streq(s, tty)) {
 				return true;
 			}
 			pbuf = NULL;
 		}
 		return false;
 	}
@@ -71,9 +76,9 @@ static bool is_listed (const char *cfgin, const char *tty, bool def)
 	 * See if this tty is listed in the console file.
 	 */
-	while (fgets (buf, (int) sizeof (buf), fp) != NULL) {
+	while (fgets(buf, sizeof(buf), fp) != NULL) {
-		buf[strlen (buf) - 1] = '\0';
+		stpsep(buf, "\n");
-		if (strcmp (buf, tty) == 0) {
+		if (streq(buf, tty)) {
 			(void) fclose (fp);
 			return true;
 		}
@@ -99,9 +104,7 @@ static bool is_listed (const char *cfgin, const char *tty, bool def)
 bool console (const char *tty)
 {
-	if (strncmp (tty, "/dev/", 5) == 0) {
+	tty = strprefix(tty, "/dev/") ?: tty;
 		tty += 5;
 	}
 	return is_listed ("CONSOLE", tty, true);
 }
--- a/lib/copydir.c
+++ b/lib/copydir.c
@@ -0,0 +1,889 @@
 /*
 * SPDX-FileCopyrightText: 1991 - 1994, Julianne Frances Haugh
 * SPDX-FileCopyrightText: 1996 - 2001, Marek Michałkiewicz
 * SPDX-FileCopyrightText: 2003 - 2006, Tomasz Kłoczko
 * SPDX-FileCopyrightText: 2007 - 2010, Nicolas François
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
 #include "config.h"
 #ident "$Id$"
 #include <assert.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <fcntl.h>
 #include <stdio.h>
 #include <string.h>
 #include "alloc/malloc.h"
 #include "attr.h"
 #include "fs/readlink/areadlink.h"
 #include "prototypes.h"
 #include "defines.h"
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
 #endif				/* WITH_SELINUX */
 #if defined(WITH_ACL) || defined(WITH_ATTR)
 #include <stdarg.h>
 #include <attr/error_context.h>
 #endif				/* WITH_ACL || WITH_ATTR */
 #ifdef WITH_ACL
 #include <acl/libacl.h>
 #endif				/* WITH_ACL */
 #ifdef WITH_ATTR
 #include <attr/libattr.h>
 #endif				/* WITH_ATTR */
 #include "shadowlog.h"
 #include "string/sprintf/aprintf.h"
 #include "string/strcmp/streq.h"
 #include "string/strcmp/strprefix.h"
 #include "string/strerrno.h"
 static /*@null@*/const char *src_orig;
 static /*@null@*/const char *dst_orig;
 struct link_name {
 	dev_t ln_dev;
 	ino_t ln_ino;
 	nlink_t ln_count;
 	char *ln_name;
 	/*@dependent@*/struct link_name *ln_next;
 };
 static /*@exposed@*/struct link_name *links;
 struct path_info {
 	const char *full_path;
 	int dirfd;
 	const char *name;
 };
 static int copy_entry (const struct path_info *src, const struct path_info *dst,
                       bool reset_selinux,
                       uid_t old_uid, uid_t new_uid,
                       gid_t old_gid, gid_t new_gid);
 static int copy_dir (const struct path_info *src, const struct path_info *dst,
                     bool reset_selinux,
                     const struct stat *statp, const struct timespec mt[],
                     uid_t old_uid, uid_t new_uid,
                     gid_t old_gid, gid_t new_gid);
 static int copy_symlink (const struct path_info *src, const struct path_info *dst,
                         const struct stat *statp, const struct timespec mt[],
                         uid_t old_uid, uid_t new_uid,
                         gid_t old_gid, gid_t new_gid);
 static int copy_hardlink (const struct path_info *dst,
                          struct link_name *lp);
 static int copy_special (const struct path_info *src, const struct path_info *dst,
                         bool reset_selinux,
                         const struct stat *statp, const struct timespec mt[],
                         uid_t old_uid, uid_t new_uid,
                         gid_t old_gid, gid_t new_gid);
 static int copy_file (const struct path_info *src, const struct path_info *dst,
                      bool reset_selinux,
                      const struct stat *statp, const struct timespec mt[],
                      uid_t old_uid, uid_t new_uid,
                      gid_t old_gid, gid_t new_gid);
 static int chownat_if_needed (const struct path_info *dst, const struct stat *statp,
                            uid_t old_uid, uid_t new_uid,
                            gid_t old_gid, gid_t new_gid);
 static int fchown_if_needed (int fdst, const struct stat *statp,
                             uid_t old_uid, uid_t new_uid,
                             gid_t old_gid, gid_t new_gid);
 #if defined(WITH_ACL) || defined(WITH_ATTR)
 /*
 * error_acl - format the error messages for the ACL and EQ libraries.
 */
 format_attr(printf, 2, 3)
 static void
 error_acl(struct error_context *, const char *fmt, ...)
 {
 	va_list ap;
 	FILE *shadow_logfd = log_get_logfd();
 	/* ignore the case when destination does not support ACLs
 	 * or extended attributes */
 	if (ENOTSUP == errno) {
 		errno = 0;
 		return;
 	}
 	va_start (ap, fmt);
 	(void) fprintf (shadow_logfd, _("%s: "), log_get_progname());
 	if (vfprintf (shadow_logfd, fmt, ap) != 0) {
 		(void) fputs (_(": "), shadow_logfd);
 	}
 	(void) fprintf(shadow_logfd, "%s\n", strerrno());
 	va_end (ap);
 }
 static struct error_context ctx = {
 	error_acl, NULL, NULL
 };
 #endif				/* WITH_ACL || WITH_ATTR */
 #ifdef WITH_ACL
 static int perm_copy_path(const struct path_info *src,
 						  const struct path_info *dst,
 						  struct error_context *errctx)
 {
 	int src_fd, dst_fd, ret;
 	src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
 	if (src_fd < 0) {
 		return -1;
 	}
 	dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
 	if (dst_fd < 0) {
 		(void) close (src_fd);
 		return -1;
 	}
 	ret = perm_copy_fd(src->full_path, src_fd, dst->full_path, dst_fd, errctx);
 	(void) close (src_fd);
 	(void) close (dst_fd);
 	return ret;
 }
 #endif				/* WITH_ACL */
 #ifdef WITH_ATTR
 static int attr_copy_path(const struct path_info *src,
 						  const struct path_info *dst,
 						  int (*callback) (const char *, struct error_context *),
 						  struct error_context *errctx)
 {
 	int src_fd, dst_fd, ret;
 	src_fd = openat(src->dirfd, src->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
 	if (src_fd < 0) {
 		return -1;
 	}
 	dst_fd = openat(dst->dirfd, dst->name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
 	if (dst_fd < 0) {
 		(void) close (src_fd);
 		return -1;
 	}
 	ret = attr_copy_fd(src->full_path, src_fd, dst->full_path, dst_fd, callback, errctx);
 	(void) close (src_fd);
 	(void) close (dst_fd);
 	return ret;
 }
 #endif				/* WITH_ATTR */
 /*
 * remove_link - delete a link from the linked list
 */
 static void remove_link (/*@only@*/struct link_name *ln)
 {
 	struct link_name *lp;
 	if (links == ln) {
 		links = ln->ln_next;
 		free (ln->ln_name);
 		free (ln);
 		return;
 	}
 	for (lp = links; NULL !=lp; lp = lp->ln_next) {
 		if (lp->ln_next == ln) {
 			break;
 		}
 	}
 	if (NULL == lp) {
 		free (ln->ln_name);
 		free (ln);
 		return;
 	}
 	lp->ln_next = lp->ln_next->ln_next;
 	free (ln->ln_name);
 	free (ln);
 }
 /*
 * check_link - see if a file is really a link
 */
 static /*@exposed@*/ /*@null@*/struct link_name *check_link (const char *name, const struct stat *sb)
 {
 	struct link_name  *lp;
 	/* copy_tree () must be the entry point */
 	assert (NULL != src_orig);
 	assert (NULL != dst_orig);
 	for (lp = links; NULL != lp; lp = lp->ln_next) {
 		if ((lp->ln_dev == sb->st_dev) && (lp->ln_ino == sb->st_ino)) {
 			return lp;
 		}
 	}
 	if (sb->st_nlink == 1) {
 		return NULL;
 	}
 	lp = xmalloc_T(1, struct link_name);
 	lp->ln_dev = sb->st_dev;
 	lp->ln_ino = sb->st_ino;
 	lp->ln_count = sb->st_nlink;
 	lp->ln_name = xaprintf("%s%s", dst_orig, name + strlen(src_orig));
 	lp->ln_next = links;
 	links = lp;
 	return NULL;
 }
 static int copy_tree_impl (const struct path_info *src, const struct path_info *dst,
               bool copy_root, bool reset_selinux,
               uid_t old_uid, uid_t new_uid,
               gid_t old_gid, gid_t new_gid)
 {
 	int dst_fd, src_fd, err = 0;
 	bool set_orig = false;
 	const struct dirent *ent;
 	DIR *dir;
 	if (copy_root) {
 		struct stat sb;
 		if (   fstatat (dst->dirfd, dst->name, &sb, 0) == 0
 		    || errno != ENOENT) {
 			return -1;
 		}
 		if (fstatat (src->dirfd, src->name, &sb, AT_SYMLINK_NOFOLLOW) == -1) {
 			return -1;
 		}
 		if (!S_ISDIR (sb.st_mode)) {
 			fprintf (log_get_logfd(),
 			         "%s: %s is not a directory",
 			         log_get_progname(), src->full_path);
 			return -1;
 		}
 		return copy_entry (src, dst, reset_selinux,
 		                   old_uid, new_uid, old_gid, new_gid);
 	}
 	/*
 	 * Make certain both directories exist.  This routine is called
 	 * after the home directory is created, or recursively after the
 	 * target is created.  It assumes the target directory exists.
 	 */
 	src_fd = openat (src->dirfd, src->name, O_DIRECTORY | O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
 	if (src_fd < 0) {
 		return -1;
 	}
 	dst_fd = openat (dst->dirfd, dst->name, O_DIRECTORY | O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
 	if (dst_fd < 0) {
 		(void) close (src_fd);
 		return -1;
 	}
 	/*
 	 * Open the source directory and read each entry.  Every file
 	 * entry in the directory is copied with the UID and GID set
 	 * to the provided values.  As an added security feature only
 	 * regular files (and directories ...) are copied, and no file
 	 * is made set-ID.
 	 */
 	dir = fdopendir (src_fd);
 	if (NULL == dir) {
 		(void) close (src_fd);
 		(void) close (dst_fd);
 		return -1;
 	}
 	if (src_orig == NULL) {
 		src_orig = src->full_path;
 		dst_orig = dst->full_path;
 		set_orig = true;
 	}
 	while (0 == err && NULL != (ent = readdir(dir))) {
 		char              *src_name = NULL;
 		char              *dst_name;
 		struct path_info  src_entry, dst_entry;
 		/*
 		 * Skip the "." and ".." entries
 		 */
 		if (streq(ent->d_name, ".") ||
 		    streq(ent->d_name, ".."))
 		{
 			continue;
 		}
 		src_name = aprintf("%s/%s", src->full_path, ent->d_name);
 		if (src_name == NULL) {
 			err = -1;
 			continue;
 		}
 		dst_name = aprintf("%s/%s", dst->full_path, ent->d_name);
 		if (dst_name == NULL) {
 			err = -1;
 			goto skip;
 		}
 		src_entry.full_path = src_name;
 		src_entry.dirfd = dirfd(dir);
 		src_entry.name = ent->d_name;
 		dst_entry.full_path = dst_name;
 		dst_entry.dirfd = dst_fd;
 		dst_entry.name = ent->d_name;
 		err = copy_entry(&src_entry, &dst_entry, reset_selinux,
 				 old_uid, new_uid, old_gid, new_gid);
 		free(dst_name);
 skip:
 		free(src_name);
 	}
 	(void) closedir (dir);
 	(void) close (dst_fd);
 	if (set_orig) {
 		src_orig = NULL;
 		dst_orig = NULL;
 		/* FIXME: clean links
 		 * Since there can be hardlinks elsewhere on the device,
 		 * we cannot check that all the hardlinks were found:
 		assert (NULL == links);
 		 */
 	}
 #ifdef WITH_SELINUX
 	/* Reset SELinux to create files with default contexts.
 	 * Note that the context is only reset on exit of copy_tree (it is
 	 * assumed that the program would quit without needing a restored
 	 * context if copy_tree failed previously), and that copy_tree can
 	 * be called recursively (hence the context is set on the
 	 * sub-functions of copy_entry).
 	 */
 	if (reset_selinux_file_context () != 0) {
 		err = -1;
 	}
 #endif				/* WITH_SELINUX */
 	return err;
 }
 /*
 * copy_entry - copy the entry of a directory
 *
 *	Copy the entry src to dst.
 *	Depending on the type of entry, this function will forward the
 *	request to copy_dir(), copy_symlink(), copy_hardlink(),
 *	copy_special(), or copy_file().
 *
 *	The access and modification time will not be modified.
 *
 *	The permissions will be set to new_uid/new_gid.
 *
 *	If new_uid (resp. new_gid) is equal to -1, the user (resp. group) will
 *	not be modified.
 *
 *	Only the files owned (resp. group-owned) by old_uid (resp.
 *	old_gid) will be modified, unless old_uid (resp. old_gid) is set
 *	to -1.
 */
 static int copy_entry (const struct path_info *src, const struct path_info *dst,
                       bool reset_selinux,
                       uid_t old_uid, uid_t new_uid,
                       gid_t old_gid, gid_t new_gid)
 {
 	int err = 0;
 	struct stat sb;
 	struct stat tmp_sb;
 	struct link_name *lp;
 	struct timespec mt[2];
 	if (fstatat(src->dirfd, src->name, &sb, AT_SYMLINK_NOFOLLOW) == -1) {
 		/* If we cannot stat the file, do not care. */
 		return 0;
 	}
 	mt[0].tv_sec  = sb.st_atim.tv_sec;
 	mt[0].tv_nsec = sb.st_atim.tv_nsec;
 	mt[1].tv_sec  = sb.st_mtim.tv_sec;
 	mt[1].tv_nsec = sb.st_mtim.tv_nsec;
 	if (S_ISDIR (sb.st_mode)) {
 		err = copy_dir (src, dst, reset_selinux, &sb, mt,
 				old_uid, new_uid, old_gid, new_gid);
 	}
 	/*
 	* If the destination already exists do nothing.
 	* This is after the copy_dir above to still iterate into subdirectories.
 	*/
 	if (fstatat(dst->dirfd, dst->name, &tmp_sb, AT_SYMLINK_NOFOLLOW) != -1) {
 		return err;
 	}
 	/*
 	* Copy any symbolic links
 	*/
 	else if (S_ISLNK (sb.st_mode)) {
 		err = copy_symlink (src, dst, &sb, mt,
 				    old_uid, new_uid, old_gid, new_gid);
 	}
 	/*
 	* See if this is a previously copied link
 	*/
 	else if ((lp = check_link (src->full_path, &sb)) != NULL) {
 		err = copy_hardlink (dst, lp);
 	}
 	/*
 	* Deal with FIFOs and special files.  The user really
 	* shouldn't have any of these, but it seems like it
 	* would be nice to copy everything ...
 	*/
 	else if (!S_ISREG (sb.st_mode)) {
 		err = copy_special (src, dst, reset_selinux, &sb, mt,
 				    old_uid, new_uid, old_gid, new_gid);
 	}
 	/*
 	* Create the new file and copy the contents.  The new
 	* file will be owned by the provided UID and GID values.
 	*/
 	else {
 		err = copy_file (src, dst, reset_selinux, &sb, mt,
 				 old_uid, new_uid, old_gid, new_gid);
 	}
 	return err;
 }
 /*
 * copy_dir - copy a directory
 *
 *	Copy a directory (recursively) from src to dst.
 *
 *	statp, mt, old_uid, new_uid, old_gid, and new_gid are used to set
 *	the access and modification and the access rights.
 *
 *	Return 0 on success, -1 on error.
 */
 static int copy_dir (const struct path_info *src, const struct path_info *dst,
                     bool reset_selinux,
                     const struct stat *statp, const struct timespec mt[],
                     uid_t old_uid, uid_t new_uid,
                     gid_t old_gid, gid_t new_gid)
 {
 	int err = 0;
 	struct stat dst_sb;
 	/*
 	 * Create a new target directory, make it owned by
 	 * the user and then recursively copy that directory.
 	 */
 #ifdef WITH_SELINUX
 	if (set_selinux_file_context (dst->full_path, S_IFDIR) != 0) {
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
 	/*
 	 * If the destination is already a directory, don't change it
 	 * but copy into it (recursively).
 	 */
 	if (fstatat(dst->dirfd, dst->name, &dst_sb, AT_SYMLINK_NOFOLLOW) == 0 && S_ISDIR(dst_sb.st_mode)) {
 		return (copy_tree_impl (src, dst, false, reset_selinux,
 		               old_uid, new_uid, old_gid, new_gid) != 0);
 	}
 	if (   (mkdirat (dst->dirfd, dst->name, 0700) != 0)
 	    || (chownat_if_needed (dst, statp,
 	                         old_uid, new_uid, old_gid, new_gid) != 0)
 	    || (fchmodat (dst->dirfd, dst->name, statp->st_mode & 07777, AT_SYMLINK_NOFOLLOW) != 0)
 #ifdef WITH_ACL
 	    || (   (perm_copy_path (src, dst, &ctx) != 0)
 	        && (errno != 0))
 #endif				/* WITH_ACL */
 #ifdef WITH_ATTR
 	/*
 	 * If the third parameter is NULL, all extended attributes
 	 * except those that define Access Control Lists are copied.
 	 * ACLs are excluded by default because copying them between
 	 * file systems with and without ACL support needs some
 	 * additional logic so that no unexpected permissions result.
 	 */
 	    || (   !reset_selinux
 	        && (attr_copy_path (src, dst, NULL, &ctx) != 0)
 	        && (errno != 0))
 #endif				/* WITH_ATTR */
 	    || (copy_tree_impl (src, dst, false, reset_selinux,
 	                   old_uid, new_uid, old_gid, new_gid) != 0)
 	    || (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0)) {
 		err = -1;
 	}
 	return err;
 }
 /*
 * copy_symlink - copy a symlink
 *
 *	Copy a symlink from src to dst.
 *
 *	statp, mt, old_uid, new_uid, old_gid, and new_gid are used to set
 *	the access and modification and the access rights.
 *
 *	Return 0 on success, -1 on error.
 */
 static int copy_symlink (const struct path_info *src, const struct path_info *dst,
                         const struct stat *statp, const struct timespec mt[],
                         uid_t old_uid, uid_t new_uid,
                         gid_t old_gid, gid_t new_gid)
 {
 	char *oldlink;
 	/* copy_tree () must be the entry point */
 	assert (NULL != src_orig);
 	assert (NULL != dst_orig);
 	/*
 	 * Get the name of the file which the link points
 	 * to.  If that name begins with the original
 	 * source directory name, that part of the link
 	 * name will be replaced with the original
 	 * destination directory name.
 	 */
 	oldlink = areadlink(src->full_path);
 	if (NULL == oldlink)
 		return -1;
 	/* If src was a link to an entry of the src_orig directory itself,
 	 * create a link to the corresponding entry in the dst_orig
 	 * directory.
 	 */
 	if (strprefix(oldlink, src_orig)) {
 		char  *dummy;
 		dummy = xaprintf("%s%s", dst_orig, oldlink + strlen(src_orig));
 		free(oldlink);
 		oldlink = dummy;
 	}
 #ifdef WITH_SELINUX
 	if (set_selinux_file_context (dst->full_path, S_IFLNK) != 0) {
 		free (oldlink);
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
 	if (   (symlinkat (oldlink, dst->dirfd, dst->name) != 0)
 	    || (chownat_if_needed (dst, statp,
 	                          old_uid, new_uid, old_gid, new_gid) != 0)) {
 		/* FIXME: there are no modes on symlinks, right?
 		 *        ACL could be copied, but this would be much more
 		 *        complex than calling perm_copy_file.
 		 *        Ditto for Extended Attributes.
 		 *        We currently only document that ACL and Extended
 		 *        Attributes are not copied.
 		 */
 		free (oldlink);
 		return -1;
 	}
 	free (oldlink);
 	if (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0) {
 		return -1;
 	}
 	return 0;
 }
 /*
 * copy_hardlink - copy a hardlink
 *
 *	Copy a hardlink from src to dst.
 *
 *	Return 0 on success, -1 on error.
 */
 static int copy_hardlink (const struct path_info *dst,
                          struct link_name *lp)
 {
 	/* FIXME: selinux, ACL, Extended Attributes needed? */
 	if (linkat (AT_FDCWD, lp->ln_name, dst->dirfd, dst->name, 0) != 0) {
 		return -1;
 	}
 	/* If the file could be unlinked, decrement the links counter,
 	 * and forget about this link if it was the last reference */
 	lp->ln_count--;
 	if (lp->ln_count <= 0) {
 		remove_link (lp);
 	}
 	return 0;
 }
 /*
 * copy_special - copy a special file
 *
 *	Copy a special file from src to dst.
 *
 *	statp, mt, old_uid, new_uid, old_gid, and new_gid are used to set
 *	the access and modification and the access rights.
 *
 *	Return 0 on success, -1 on error.
 */
 static int
 copy_special(MAYBE_UNUSED const struct path_info *src, const struct path_info *dst,
             MAYBE_UNUSED bool reset_selinux,
             const struct stat *statp, const struct timespec mt[],
             uid_t old_uid, uid_t new_uid,
             gid_t old_gid, gid_t new_gid)
 {
 #if defined(WITH_SELINUX)
 	if (set_selinux_file_context(dst->full_path, statp->st_mode & S_IFMT) != 0)
 		return -1;
 #endif
 	if (mknodat(dst->dirfd, dst->name, statp->st_mode & ~07777U, statp->st_rdev) == -1)
 		return -1;
 	if (chownat_if_needed(dst, statp, old_uid, new_uid, old_gid, new_gid) == -1)
 		return -1;
 	if (fchmodat(dst->dirfd, dst->name, statp->st_mode & 07777, AT_SYMLINK_NOFOLLOW) == -1)
 		return -1;
 #if defined(WITH_ACL)
 	if (perm_copy_path(src, dst, &ctx) == -1 && errno != 0)
 		return -1;
 #endif
 #if defined(WITH_ATTR)
 	/*
 	 * If the third parameter is NULL, all extended attributes
 	 * except those that define Access Control Lists are copied.
 	 * ACLs are excluded by default because copying them between
 	 * file systems with and without ACL support needs some
 	 * additional logic so that no unexpected permissions result.
 	 */
 	if (!reset_selinux) {
 		if (attr_copy_path(src, dst, NULL, &ctx) == -1 && errno != 0)
 			return -1;
 	}
 #endif
 	if (utimensat(dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) == -1)
 		return -1;
 	return 0;
 }
 /*
 * copy_file - copy a file
 *
 *	Copy a file from src to dst.
 *
 *	statp, mt, old_uid, new_uid, old_gid, and new_gid are used to set
 *	the access and modification and the access rights.
 *
 *	Return 0 on success, -1 on error.
 */
 static int copy_file (const struct path_info *src, const struct path_info *dst,
                      MAYBE_UNUSED bool reset_selinux,
                      const struct stat *statp, const struct timespec mt[],
                      uid_t old_uid, uid_t new_uid,
                      gid_t old_gid, gid_t new_gid)
 {
 	int err = 0;
 	int ifd;
 	int ofd;
 	ifd = openat (src->dirfd, src->name, O_RDONLY|O_NOFOLLOW|O_CLOEXEC);
 	if (ifd < 0) {
 		return -1;
 	}
 #ifdef WITH_SELINUX
 	if (set_selinux_file_context (dst->full_path, S_IFREG) != 0) {
 		(void) close (ifd);
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
 	ofd = openat (dst->dirfd, dst->name, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0600);
 	if (   (ofd < 0)
 	    || (fchown_if_needed (ofd, statp,
 	                          old_uid, new_uid, old_gid, new_gid) != 0)
 	    || (fchmod (ofd, statp->st_mode & 07777) != 0)
 #ifdef WITH_ACL
 	    || (   (perm_copy_fd (src->full_path, ifd, dst->full_path, ofd, &ctx) != 0)
 	        && (errno != 0))
 #endif				/* WITH_ACL */
 #ifdef WITH_ATTR
 	/*
 	 * If the third parameter is NULL, all extended attributes
 	 * except those that define Access Control Lists are copied.
 	 * ACLs are excluded by default because copying them between
 	 * file systems with and without ACL support needs some
 	 * additional logic so that no unexpected permissions result.
 	 */
 	    || (   !reset_selinux
 	        && (attr_copy_fd (src->full_path, ifd, dst->full_path, ofd, NULL, &ctx) != 0)
 	        && (errno != 0))
 #endif				/* WITH_ATTR */
 	   ) {
 		if (ofd >= 0) {
 			(void) close (ofd);
 		}
 		(void) close (ifd);
 		return -1;
 	}
 	while (true) {
 		char buf[8192];
 		ssize_t cnt;
 		cnt = read(ifd, buf, sizeof(buf));
 		if (cnt < 0) {
 			if (errno == EINTR) {
 				continue;
 			}
 			(void) close (ofd);
 			(void) close (ifd);
 			return -1;
 		}
 		if (cnt == 0) {
 			break;
 		}
 		if (write_full(ofd, buf, cnt) == -1) {
 			(void) close (ofd);
 			(void) close (ifd);
 			return -1;
 		}
 	}
 	(void) close (ifd);
 	if (close (ofd) != 0 && errno != EINTR) {
 		return -1;
 	}
 	if (utimensat (dst->dirfd, dst->name, mt, AT_SYMLINK_NOFOLLOW) != 0) {
 		return -1;
 	}
 	return err;
 }
 #define def_chown_if_needed(chown_function, type_dst)                  \
 static int chown_function ## _if_needed (type_dst dst,                 \
                                         const struct stat *statp,     \
                                         uid_t old_uid, uid_t new_uid, \
                                         gid_t old_gid, gid_t new_gid) \
 {                                                                      \
 	uid_t tmpuid = (uid_t) -1;                                     \
 	gid_t tmpgid = (gid_t) -1;                                     \
 	                                                               \
 	/* Use new_uid if old_uid is set to -1 or if the file was      \
 	 * owned by the user. */                                       \
 	if (((uid_t) -1 == old_uid) || (statp->st_uid == old_uid)) {   \
 		tmpuid = new_uid;                                      \
 	}                                                              \
 	/* Otherwise, or if new_uid was set to -1, we keep the same    \
 	 * owner. */                                                   \
 	if ((uid_t) -1 == tmpuid) {                                    \
 		tmpuid = statp->st_uid;                                \
 	}                                                              \
 	                                                               \
 	if (((gid_t) -1 == old_gid) || (statp->st_gid == old_gid)) {   \
 		tmpgid = new_gid;                                      \
 	}                                                              \
 	if ((gid_t) -1 == tmpgid) {                                    \
 		tmpgid = statp->st_gid;                                \
 	}                                                              \
 	                                                               \
 	return chown_function (dst, tmpuid, tmpgid);                   \
 }
 def_chown_if_needed (fchown, int)
 static int chownat_if_needed (const struct path_info *dst,
 							  const struct stat *statp,
                              uid_t old_uid, uid_t new_uid,
                              gid_t old_gid, gid_t new_gid)
 {
 	uid_t tmpuid = (uid_t) -1;
 	gid_t tmpgid = (gid_t) -1;
 	/* Use new_uid if old_uid is set to -1 or if the file was
 	 * owned by the user. */
 	if (((uid_t) -1 == old_uid) || (statp->st_uid == old_uid)) {
 		tmpuid = new_uid;
 	}
 	/* Otherwise, or if new_uid was set to -1, we keep the same
 	 * owner. */
 	if ((uid_t) -1 == tmpuid) {
 		tmpuid = statp->st_uid;
 	}
 	if (((gid_t) -1 == old_gid) || (statp->st_gid == old_gid)) {
 		tmpgid = new_gid;
 	}
 	if ((gid_t) -1 == tmpgid) {
 		tmpgid = statp->st_gid;
 	}
 	return fchownat (dst->dirfd, dst->name, tmpuid, tmpgid, AT_SYMLINK_NOFOLLOW);
 }
 /*
 * copy_tree - copy files in a directory tree
 *
 *	copy_tree() walks a directory tree and copies ordinary files
 *	as it goes.
 *
 *	When reset_selinux is enabled, extended attributes (and thus
 *	SELinux attributes) are not copied.
 *
 *	old_uid and new_uid are used to set the ownership of the copied
 *	files. Unless old_uid is set to -1, only the files owned by
 *	old_uid have their ownership changed to new_uid. In addition, if
 *	new_uid is set to -1, no ownership will be changed.
 *
 *	The same logic applies for the group-ownership and
 *	old_gid/new_gid.
 */
 int copy_tree (const char *src_root, const char *dst_root,
               bool copy_root, bool reset_selinux,
               uid_t old_uid, uid_t new_uid,
               gid_t old_gid, gid_t new_gid)
 {
 	const struct path_info src = {
 		.full_path = src_root,
 		.dirfd = AT_FDCWD,
 		.name = src_root
 	};
 	const struct path_info dst = {
 		.full_path = dst_root,
 		.dirfd = AT_FDCWD,
 		.name = dst_root
 	};
 	return copy_tree_impl(&src, &dst, copy_root, reset_selinux,
 						  old_uid, new_uid, old_gid, new_gid);
 }
--- a/lib/csrand.c
+++ b/lib/csrand.c
@@ -0,0 +1,147 @@
 // SPDX-FileCopyrightText: 2022-2024, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #include "config.h"
 #ident "$Id$"
 #include <fcntl.h>
 #include <limits.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <unistd.h>
 #if __has_include(<sys/random.h>)
 # include <sys/random.h>
 #endif
 #include "bit.h"
 #include "defines.h"
 #include "prototypes.h"
 #include "shadowlog.h"
 #include "sizeof.h"
 static uint32_t csrand32(void);
 static uint32_t csrand_uniform32(uint32_t n);
 static unsigned long csrand_uniform_slow(unsigned long n);
 /*
 * Return a uniformly-distributed CS random u_long value.
 */
 unsigned long
 csrand(void)
 {
 	int            fd;
 	unsigned long  r;
 #ifdef HAVE_GETENTROPY
 	/* getentropy may exist but lack kernel support.  */
 	if (getentropy(&r, sizeof(r)) == 0)
 		return r;
 #endif
 #ifdef HAVE_GETRANDOM
 	/* Likewise getrandom.  */
 	if (getrandom(&r, sizeof(r), 0) == sizeof(r))
 		return r;
 #endif
 #ifdef HAVE_ARC4RANDOM_BUF
 	/* arc4random_buf can never fail.  */
 	arc4random_buf(&r, sizeof(r));
 	return r;
 #endif
 	/* Use /dev/urandom as a last resort.  */
 	fd = open("/dev/urandom", O_RDONLY);
 	if (fd == -1)
 		goto fail;
 	if (read(fd, &r, sizeof(r)) != sizeof(r)) {
 		close(fd);
 		goto fail;
 	}
 	close(fd);
 	return r;
 fail:
 	fprintf(log_get_logfd(), _("Unable to obtain random bytes.\n"));
 	exit(1);
 }
 /*
 * Return a uniformly-distributed CS random value in the interval [0, n-1].
 */
 unsigned long
 csrand_uniform(unsigned long n)
 {
 	if (n == 0 || n > UINT32_MAX)
 		return csrand_uniform_slow(n);
 	return csrand_uniform32(n);
 }
 /*
 * Return a uniformly-distributed CS random value in the interval [min, max].
 */
 unsigned long
 csrand_interval(unsigned long min, unsigned long max)
 {
 	return csrand_uniform(max - min + 1) + min;
 }
 static uint32_t
 csrand32(void)
 {
 	return csrand();
 }
 /*
 * Fast Random Integer Generation in an Interval
 * ACM Transactions on Modeling and Computer Simulation 29 (1), 2019
 * <https://arxiv.org/abs/1805.10941>
 */
 static uint32_t
 csrand_uniform32(uint32_t n)
 {
 	uint32_t  bound, rem;
 	uint64_t  r, mult;
 	if (n == 0)
 		return csrand32();
 	bound = -n % n;  // analogous to `2^32 % n`, since `x % y == (x-y) % y`
 	do {
 		r = csrand32();
 		mult = r * n;
 		rem = mult;  // analogous to `mult % 2^32`
 	} while (rem < bound);  // p = (2^32 % n) / 2^32;  W.C.: n=2^31+1, p=0.5
 	r = mult >> WIDTHOF(n);  // analogous to `mult / 2^32`
 	return r;
 }
 static unsigned long
 csrand_uniform_slow(unsigned long n)
 {
 	unsigned long  r, max, mask;
 	max = n - 1;
 	mask = bit_ceil_wrapul(n) - 1;
 	do {
 		r = csrand();
 		r &= mask;  // optimization
 	} while (r > max);  // p = ((mask+1) % n) / (mask+1);  W.C.: p=0.5
 	return r;
 }
--- a/lib/defines.h
+++ b/lib/defines.h
@@ -6,41 +6,8 @@
 #include "config.h"
-#if HAVE_STDBOOL_H
+#include <stdbool.h>
-# include <stdbool.h>
+#include <locale.h>
 #else
 # if ! HAVE__BOOL
 #  ifdef __cplusplus
 typedef bool _Bool;
 #  else
 typedef unsigned char _Bool;
 #  endif
 # endif
 # define bool _Bool
 # define false (0)
 # define true  (1)
 # define __bool_true_false_are_defined 1
 #endif
 /* Take care of NLS matters.  */
 #ifdef S_SPLINT_S
 extern char *setlocale(int categories, const char *locale);
 # define LC_ALL		(6)
 extern char * bindtextdomain (const char * domainname, const char * dirname);
 extern char * textdomain (const char * domainname);
 # define _(Text) Text
 # define ngettext(Msgid1, Msgid2, N) \
    ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2))
 #else
 #ifdef HAVE_LOCALE_H
 # include <locale.h>
 #else
 # undef setlocale
 # define setlocale(category, locale)	(NULL)
 # ifndef LC_ALL
 #  define LC_ALL	6
 # endif
 #endif
 #define gettext_noop(String) (String)
 /* #define gettext_def(String) "#define String" */
@@ -57,84 +24,50 @@ extern char * textdomain (const char * domainname);
 # define ngettext(Msgid1, Msgid2, N) \
    ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2))
 #endif
 #endif
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#if HAVE_ERRNO_H
+#include <errno.h>
 # include <errno.h>
 #endif
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/wait.h>
-#if HAVE_UNISTD_H
+#include <unistd.h>
 # include <unistd.h>
 #endif
 /*
 * crypt(3), crypt_gensalt(3), and their
 * feature test macros may be defined in here.
 */
-#if HAVE_CRYPT_H
+#if __has_include(<crypt.h>)
 # include <crypt.h>
 #endif
 #include <sys/time.h>
 #include <time.h>
 #ifdef HAVE_MEMSET_S
 # define memzero(ptr, size) memset_s((ptr), 0, (size))
 #elif defined HAVE_EXPLICIT_BZERO	/* !HAVE_MEMSET_S */
 # define memzero(ptr, size) explicit_bzero((ptr), (size))
 #else					/* !HAVE_MEMSET_S && HAVE_EXPLICIT_BZERO */
 static inline void memzero(void *ptr, size_t size)
 {
 	volatile unsigned char * volatile p = ptr;
 	while (size--) {
 		*p++ = '\0';
 	}
 }
 #endif					/* !HAVE_MEMSET_S && !HAVE_EXPLICIT_BZERO */
 #define strzero(s) memzero(s, strlen(s))	/* warning: evaluates twice */
 #include <dirent.h>
 /*
 * Possible cases:
 * - /usr/include/shadow.h exists and includes the shadow group stuff.
 * - /usr/include/shadow.h exists, but we use our own gshadow.h.
 */
 #include <shadow.h>
 #if defined(SHADOWGRP) && !defined(GSHADOW)
 #include "gshadow_.h"
 #endif
 #include <limits.h>
-#ifndef	NGROUPS_MAX
+#ifndef PATH_MAX
-#ifdef	NGROUPS
+#define PATH_MAX 4096
-#define	NGROUPS_MAX	NGROUPS
+#endif
-#else
+
-#define	NGROUPS_MAX	64
+#ifndef MAXHOSTNAMELEN
-#endif
+#define MAXHOSTNAMELEN 64
 #endif
 #ifdef USE_SYSLOG
 #include <syslog.h>
 #ifndef LOG_WARN
 #define LOG_WARN LOG_WARNING
 #endif
 /* LOG_NOWAIT is deprecated */
 #ifndef LOG_NOWAIT
 #define LOG_NOWAIT 0
 #endif
 /* LOG_AUTH is deprecated, use LOG_AUTHPRIV instead */
 #ifndef LOG_AUTHPRIV
 #define LOG_AUTHPRIV LOG_AUTH
@@ -148,7 +81,7 @@ static inline void memzero(void *ptr, size_t size)
   syslogd should log the current system time for each event, and not
   trust the formatted time received from the unix domain (or worse,
   UDP) socket.  -MM */
-/* Avoid translated PAM error messages: Set LC_ALL to "C".
+/* Avoid translated PAM error messages: set LC_ALL to "C".
 * --Nekral */
 #define SYSLOG(x)							\
 	do {								\
@@ -170,19 +103,11 @@ static inline void memzero(void *ptr, size_t size)
 #define SYSLOG(x) syslog x
 #endif				/* !ENABLE_NLS */
 #else				/* !USE_SYSLOG */
 #define SYSLOG(x)		/* empty */
 #define openlog(a,b,c)		/* empty */
 #define closelog()		/* empty */
 #endif				/* !USE_SYSLOG */
 /* The default syslog settings can now be changed here,
   in just one place.  */
 #ifndef SYSLOG_OPTIONS
-/* #define SYSLOG_OPTIONS (LOG_PID | LOG_CONS | LOG_NOWAIT) */
+/* #define SYSLOG_OPTIONS (LOG_PID | LOG_CONS) */
 #define SYSLOG_OPTIONS (LOG_PID)
 #endif
@@ -192,63 +117,25 @@ static inline void memzero(void *ptr, size_t size)
 #define OPENLOG(progname) openlog(progname, SYSLOG_OPTIONS, SYSLOG_FACILITY)
-#ifndef F_OK
+#include <termios.h>
-# define F_OK 0
+#define STTY(fd, termio) tcsetattr(fd, TCSANOW, termio)
-# define X_OK 1
+#define GTTY(fd, termio) tcgetattr(fd, termio)
-# define W_OK 2
+#define TERMIO struct termios
 # define R_OK 4
 #endif
 #ifndef SEEK_SET
 # define SEEK_SET 0
 # define SEEK_CUR 1
 # define SEEK_END 2
 #endif
 #if HAVE_TERMIOS_H
 # include <termios.h>
 # define STTY(fd, termio) tcsetattr(fd, TCSANOW, termio)
 # define GTTY(fd, termio) tcgetattr(fd, termio)
 # define TERMIO struct termios
 # define USE_TERMIOS
 #else				/* assumed HAVE_TERMIO_H */
 # include <sys/ioctl.h>
 # include <termio.h>
 # define STTY(fd, termio) ioctl(fd, TCSETA, termio)
 # define GTTY(fd, termio) ioctl(fd, TCGETA, termio)
 # define TEMRIO struct termio
 # define USE_TERMIO
 #endif
 /*
 * Password aging constants
 *
 * DAY - seconds / day
 * WEEK - seconds / week
 * SCALE - seconds / aging unit
 */
 /* Solaris defines this in shadow.h */
 #ifndef DAY
-#define DAY (24L*3600L)
+#define DAY  ((time_t) 24 * 3600)
 #endif
 #define WEEK (7*DAY)
 #ifdef ITI_AGING
 #define SCALE 1
 #else
 #define SCALE DAY
 #endif
 /* Copy string pointed by B to array A with size checking.  It was originally
   in lmain.c but is _very_ useful elsewhere.  Some setuid root programs with
   very sloppy coding used to assume that BUFSIZ will always be enough...  */
 					/* danger - side effects */
 #define STRFCPY(A,B) \
 	(strncpy((A), (B), sizeof(A) - 1), (A)[sizeof(A) - 1] = '\0')
 #ifndef PASSWD_FILE
 #define PASSWD_FILE "/etc/passwd"
 #endif
@@ -257,26 +144,12 @@ static inline void memzero(void *ptr, size_t size)
 #define GROUP_FILE "/etc/group"
 #endif
-#ifndef SHADOW_FILE
+#ifndef SUBUID_FILE
-#define SHADOW_FILE "/etc/shadow"
+#define SUBUID_FILE "/etc/subuid"
 #endif
-#ifdef SHADOWGRP
+#ifndef SUBGID_FILE
-#ifndef SGROUP_FILE
+#define SUBGID_FILE "/etc/subgid"
 #define SGROUP_FILE "/etc/gshadow"
 #endif
 #endif
 #ifndef NULL
 #define NULL ((void *) 0)
 #endif
 #ifdef sun			/* hacks for compiling on SunOS */
 # ifndef SOLARIS
 extern int fputs ();
 extern char *strdup ();
 extern char *strerror ();
 # endif
 #endif
 /*
@@ -288,45 +161,16 @@ extern char *strerror ();
 #define SHADOW_PASSWD_STRING "x"
 #endif
-#define SHADOW_SP_FLAG_UNSET ((unsigned long int)-1)
+#define SHADOW_SP_FLAG_UNSET ((unsigned long)-1)
 #ifdef WITH_AUDIT
-#ifdef __u8			/* in case we use pam < 0.80 */
+/* in case we use pam < 0.80 */
 #undef __u8
 #endif
 #ifdef __u32
 #undef __u32
 #endif
 #include <libaudit.h>
 #endif
 /* To be used for verified unused parameters */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
 # define unused __attribute__((unused))
 # define format_attr(type, index, check) __attribute__((format (type, index, check)))
 #else
 # define unused
 # define format_attr(type, index, check)
 #endif
 /* Maximum length of usernames */
 #ifdef HAVE_UTMPX_H
 # include <utmpx.h>
 # define USER_NAME_MAX_LENGTH (sizeof (((struct utmpx *)NULL)->ut_user))
 #else
 # include <utmp.h>
 # ifdef HAVE_STRUCT_UTMP_UT_USER
 #  define USER_NAME_MAX_LENGTH (sizeof (((struct utmp *)NULL)->ut_user))
 # else
 #  ifdef HAVE_STRUCT_UTMP_UT_NAME
 #   define USER_NAME_MAX_LENGTH (sizeof (((struct utmp *)NULL)->ut_name))
 #  else
 #   define USER_NAME_MAX_LENGTH 32
 #  endif
 # endif
 #endif
 /* Maximum length of passwd entry */
 #define PASSWD_ENTRY_MAX_LENGTH 32768
@@ -336,4 +180,14 @@ extern char *strerror ();
 #  define shadow_getenv(name) getenv(name)
 #endif
 /*
 * Maximum password length
 *
 * Consider that there is also limit in PAM (PAM_MAX_RESP_SIZE)
 * currently set to 512.
 */
 #if !defined(PASS_MAX)
 #define PASS_MAX  BUFSIZ - 1
 #endif
 #endif				/* _DEFINES_H_ */
--- a/lib/encrypt.c
+++ b/lib/encrypt.c
@@ -7,7 +7,7 @@
 * SPDX-License-Identifier: BSD-3-Clause
 */
-#include <config.h>
+#include "config.h"
 #ident "$Id$"
@@ -17,6 +17,8 @@
 #include "prototypes.h"
 #include "defines.h"
 #include "shadowlog_internal.h"
 #include "string/strcmp/strprefix.h"
 /*@exposed@*//*@null@*/char *pw_encrypt (const char *clear, const char *salt)
 {
@@ -35,7 +37,7 @@
 	/* Some crypt() do not return NULL if the algorithm is not
 	 * supported, and return a DES encrypted password. */
-	if ((NULL != salt) && (salt[0] == '$') && (strlen (cp) <= 13))
+	if ((NULL != salt) && strprefix(salt, "$") && (strlen (cp) <= 13))
 	{
 		/*@observer@*/const char *method;
 		switch (salt[1])
@@ -65,7 +67,8 @@
 		(void) fprintf (shadow_logfd,
 		                _("crypt method not supported by libcrypt? (%s)\n"),
 		                method);
-		exit (EXIT_FAILURE);
+		errno = EINVAL;
 		return NULL;
 	}
 	if (strlen (cp) != 13) {
--- a/lib/env.c
+++ b/lib/env.c
@@ -0,0 +1,241 @@
 /*
 * SPDX-FileCopyrightText: 1989 - 1992, Julianne Frances Haugh
 * SPDX-FileCopyrightText: 1996 - 1999, Marek Michałkiewicz
 * SPDX-FileCopyrightText: 2003 - 2005, Tomasz Kłoczko
 * SPDX-FileCopyrightText: 2008 - 2009, Nicolas François
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
 #include "config.h"
 #ident "$Id$"
 #include <assert.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include "alloc/malloc.h"
 #include "alloc/realloc.h"
 #include "prototypes.h"
 #include "defines.h"
 #include "shadowlog.h"
 #include "string/sprintf/aprintf.h"
 #include "string/sprintf/snprintf.h"
 #include "string/sprintf/aprintf.h"
 #include "string/strcmp/strprefix.h"
 #include "string/strdup/strdup.h"
 /*
 * NEWENVP_STEP must be a power of two.  This is the number
 * of (char *) pointers to allocate at a time, to avoid using
 * realloc() too often.
 */
 #define NEWENVP_STEP 16
 size_t newenvc = 0;
 /*@null@*/char **newenvp = NULL;
 static const char *const forbid[] = {
 	"_RLD_=",
 	"BASH_ENV=",		/* GNU creeping featurism strikes again... */
 	"ENV=",
 	"HOME=",
 	"IFS=",
 	"KRB_CONF=",
 	"LD_",			/* anything with the LD_ prefix */
 	"LIBPATH=",
 	"MAIL=",
 	"NLSPATH=",
 	"PATH=",
 	"SHELL=",
 	"SHLIB_PATH=",
 	NULL
 };
 /* these are allowed, but with no slashes inside
   (to work around security problems in GNU gettext) */
 static const char *const noslash[] = {
 	"LANG=",
 	"LANGUAGE=",
 	"LC_",			/* anything with the LC_ prefix */
 	NULL
 };
 /*
 * initenv() must be called once before using addenv().
 */
 void initenv (void)
 {
 	newenvp = xmalloc_T(NEWENVP_STEP, char *);
 	*newenvp = NULL;
 }
 void addenv (const char *string, /*@null@*/const char *value)
 {
 	char    *cp, *newstring;
 	size_t  i, n;
 	if (NULL != value) {
 		newstring = xaprintf("%s=%s", string, value);
 	} else {
 		newstring = xstrdup (string);
 	}
 	/*
 	 * Search for a '=' character within the string and if none is found
 	 * just ignore the whole string.
 	 */
 	cp = strchr (newstring, '=');
 	if (NULL == cp) {
 		free(newstring);
 		return;
 	}
 	n = (size_t) (cp - newstring);
 	/*
 	 * If this environment variable is already set, change its value.
 	 */
 	for (i = 0; i < newenvc; i++) {
 		if (   (strncmp (newstring, newenvp[i], n) == 0)
 		    && (('=' == newenvp[i][n]) || ('\0' == newenvp[i][n]))) {
 			break;
 		}
 	}
 	if (i < newenvc) {
 		free(newenvp[i]);
 		newenvp[i] = newstring;
 		return;
 	}
 	/*
 	 * Otherwise, save the new environment variable
 	 */
 	newenvp[newenvc++] = newstring;
 	/*
 	 * And extend the environment if needed.
 	 */
 	/*
 	 * Check whether newenvc is a multiple of NEWENVP_STEP.
 	 * If so we have to resize the vector.
 	 * the expression (newenvc & (NEWENVP_STEP - 1)) == 0
 	 * is equal to    (newenvc %  NEWENVP_STEP) == 0
 	 * as long as NEWENVP_STEP is a power of 2.
 	 */
 	if ((newenvc & (NEWENVP_STEP - 1)) == 0) {
 		bool  update_environ;
 		update_environ = (environ == newenvp);
 		newenvp = xrealloc_T(newenvp, newenvc + NEWENVP_STEP, char *);
 		/*
 		 * If this is our current environment, update
 		 * environ so that it doesn't point to some
 		 * free memory area (realloc() could move it).
 		 */
 		if (update_environ)
 			environ = newenvp;
 	}
 	/*
 	 * The last entry of newenvp must be NULL
 	 */
 	newenvp[newenvc] = NULL;
 }
 /*
 * set_env - copy command line arguments into the environment
 */
 void set_env (int argc, char *const *argv)
 {
 	int   noname = 1;
 	char  variable[1024];
 	char  *cp;
 	for (; argc > 0; argc--, argv++) {
 		if (strlen(*argv) >= sizeof(variable)) {
 			continue;	/* ignore long entries */
 		}
 		cp = strchr (*argv, '=');
 		if (NULL == cp) {
 			assert(stprintf_a(variable, "L%d", noname) != -1);
 			noname++;
 			addenv (variable, *argv);
 		} else {
 			const char *const *p;
 			for (p = forbid; NULL != *p; p++) {
 				if (strprefix(*argv, *p)) {
 					break;
 				}
 			}
 			if (NULL != *p) {
 				stpcpy(mempcpy(variable, *argv, (size_t)(cp - *argv)), "");
 				printf (_("You may not change $%s\n"),
 					variable);
 				continue;
 			}
 			addenv (*argv, NULL);
 		}
 	}
 }
 /*
 * sanitize_env - remove some nasty environment variables
 * If you fall into a total paranoia, you should call this
 * function for any root-setuid program or anything the user
 * might change the environment with. 99% useless as almost
 * all modern Unixes will handle setuid executables properly,
 * but... I feel better with that silly precaution. -j.
 */
 void sanitize_env (void)
 {
 	char **envp = environ;
 	const char *const *bad;
 	char **cur;
 	char **move;
 	for (cur = envp; NULL != *cur; cur++) {
 		for (bad = forbid; NULL != *bad; bad++) {
 			if (strprefix(*cur, *bad)) {
 				for (move = cur; NULL != *move; move++) {
 					*move = *(move + 1);
 				}
 				cur--;
 				break;
 			}
 		}
 	}
 	for (cur = envp; NULL != *cur; cur++) {
 		for (bad = noslash; NULL != *bad; bad++) {
 			if (!strprefix(*cur, *bad)) {
 				continue;
 			}
 			if (!strchr(*cur, '/'))
 				continue;	/* OK */
 			for (move = cur; NULL != *move; move++) {
 				*move = *(move + 1);
 			}
 			cur--;
 			break;
 		}
 	}
 }
--- a/lib/exit_if_null.c
+++ b/lib/exit_if_null.c
@@ -0,0 +1,10 @@
 // SPDX-FileCopyrightText: 2023-2025, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #include "config.h"
 #include "exit_if_null.h"
 extern inline void exit_if_null_(void *p);
--- a/lib/exit_if_null.h
+++ b/lib/exit_if_null.h
@@ -0,0 +1,48 @@
 // SPDX-FileCopyrightText: 2023-2025, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause
 #ifndef SHADOW_INCLUDE_LIB_EXIT_IF_NULL_H_
 #define SHADOW_INCLUDE_LIB_EXIT_IF_NULL_H_
 #include "config.h"
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include "shadowlog.h"
 #include "string/strerrno.h"
 /*
 * This macro is used for implementing x*() variants of functions that
 * allocate memory, such as xstrdup() for wrapping strdup(3).  The macro
 * returns the input pointer transparently, with the same type, but
 * calls exit(3) if the input is a null pointer (thus, if the allocation
 * failed).
 */
 #define exit_if_null(p)                                               \
 ({                                                                    \
 	__auto_type  p_ = p;                                          \
 	                                                              \
 	exit_if_null_(p_);                                            \
 	p_;                                                           \
 })
 inline void exit_if_null_(void *p);
 inline void
 exit_if_null_(void *p)
 {
 	if (p == NULL) {
 		fprintf(log_get_logfd(), "%s: %s\n", log_get_progname(), strerrno());
 		exit(13);
 	}
 }
 #endif  // include guard
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Chris Hofstaedtler	1f240237fc	New upstream version 4.19.3	2026-02-02 07:32:15 +01:00
Chris Hofstaedtler	c5f795a54a	New upstream version 4.19.2	2026-01-25 14:17:08 +01:00
Chris Hofstaedtler	428fe43d86	New upstream version 4.19.0	2026-01-06 00:37:15 +01:00
Chris Hofstaedtler	9d5ab87d61	New upstream version 4.18.0	2025-08-26 22:55:14 +02:00
Chris Hofstaedtler	a9c3448878	New upstream version 4.17.4	2025-03-29 13:24:20 +01:00
Chris Hofstaedtler	a475f464e0	New upstream version 4.17.3	2025-02-24 22:57:12 +01:00
Chris Hofstaedtler	65261e28f4	New upstream version 4.17.2	2025-02-09 18:13:39 +01:00
Chris Hofstaedtler	bd724b34e0	New upstream version 4.17.1	2025-01-04 12:41:43 +01:00
Chris Hofstaedtler	c2a3ebed18	New upstream version 4.17.0	2024-12-28 13:12:23 +01:00
Chris Hofstaedtler	f78a468368	New upstream version 4.17.0~rc1	2024-12-06 19:17:25 +01:00
Chris Hofstaedtler	9f68246a01	New upstream version 4.15.3	2024-07-06 16:53:58 +02:00
Chris Hofstaedtler	e8b8d7a84b	New upstream version 4.16.0	2024-06-25 20:09:23 +02:00
Chris Hofstaedtler	0fda4df4f1	New upstream version 4.15.2	2024-06-22 17:34:25 +02:00
Chris Hofstaedtler	f7f4fd7c05	New upstream version 4.15.1	2024-06-13 03:08:44 +02:00