Import Debian changes 1:4.8.1-1+deb11u1

shadow (1:4.8.1-1+deb11u1) bullseye-security; urgency=high . * Non-maintainer upload by the LTS Security Team. * CVE-2023-4641: When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory. (Closes: #1051062) * CVE-2023-29383: It is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. (Closes: #1034482) * Add Salsa-CI configuration. * Silence lintian error that can't be fixed after freeze.
Update changelog
2025-04-18 17:29:39 +02:00 · 2020-02-07 15:54:36 +01:00 · 2020-02-07 00:22:41 +01:00 · 2020-02-07 00:10:01 +01:00 · 2020-02-06 23:33:56 +01:00 · 2020-02-06 23:15:01 +01:00
11267 changed files with 173664 additions and 645384 deletions
--- a/2025
+++ b/2025
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -1,98 +0,0 @@
-Thanks to at least the following people for sending patches, bug
-reports and various comments. This list may be incomplete, I received
-a lot of mail...
-
-# Maintainers
-* Marek Michałkiewicz <marekm72@gmail.com> (1995-2000)
-* Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
-* Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
-* Serge E. Hallyn <serge@hallyn.com> (2014-now)
-* Christian Brauner <christian@brauner.io> (2019-now)
-* Iker Pedrosa <ipedrosa@redhat.com> (2022-now)
-* Alejandro Colomar <alx@kernel.org> (2023-now) (4.14 stable)
-
-To verify signatures on releases, use the following keys under keys/ :
-
-* Serge Hallyn: keys/66D0387DB85D320F8408166DB175CFA98F192AF2.asc
-* Christian Brauner: keys/4880B8C9BD0E5106FC070F4F7B3C391EFEA93624.asc
-* Iker Pedrosa: keys/4E80EF49C7987B6DE2F81F5005079C6C3A653E57.asc
-* Alejandro Colomar: keys/A9348594CE31283A826FBDD8D57633D441E25BB5.asc
-
-# Authors and contributors
-* Adam Rudnicki <adam@v-lo.krakow.pl>
-* Alan Curry <pacman@tardis.mars.net>
-* Aleksa Sarai <cyphar@cyphar.com>
-* Alexander O. Yuriev <alex@bach.cis.temple.edu>
-* Algis Rudys <arudys@rice.edu>
-* Andreas Jaeger <aj@arthur.rhein-neckar.de>
-* Andy Zaugg <andy.zaugg@gmail.com>
-* Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it>
-* Anton Gluck <gluc@midway.uchicago.edu>
-* Arkadiusz Miskiewicz <misiek@pld.org.pl>
-* Ben Collins <bcollins@debian.org>
-* Brian R. Gaeke <brg@dgate.org>
-* Calle Karlsson <ckn@kash.se>
-* Chip Rosenthal <chip@unicom.com>
-* Chris Evans <lady0110@sable.ox.ac.uk>
-* Chris Lamb <chris@chris-lamb.co.uk>
-* Cristian Gafton <gafton@sorosis.ro>
-* Dan Walsh <dwalsh@redhat.com>
-* Darcy Boese <possum@chardonnay.niagara.com>
-* Dave Hagewood <admin@arrowweb.com>
-* David A. Holland <dholland@hcs.harvard.edu>
-* David Frey <David.Frey@lugs.ch>
-* Ed Carp <ecarp@netcom.com>
-* Ed Neville <ed@s5h.net>
-* Eric W. Biederman" <ebiederm@xmission.com>
-* Floody <flood@evcom.net>
-* Frank Denis <j@4u.net>
-* George Kraft IV <gk4@us.ibm.com>
-* Greg Mortensen <loki@world.std.com>
-* Guido van Rooij
-* Guy Maor <maor@debian.org>
-* Hrvoje Dogan <hdogan@bjesomar.srce.hr>
-* Jakub Hrozek <jhrozek@redhat.com>
-* Janos Farkas <chexum@bankinf.banki.hu>
-* Jason Franklin <jason.franklin@quoininc.com>
-* Jay Soffian <jay@lw.net>
-* Jesse Thilo <Jesse.Thilo@pobox.com>
-* Joey Hess <joey@kite.ml.org>
-* John Adelsberger <jja@umr.edu>
-* Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us>
-* Jon Lewis <jlewis@lewis.org>
-* Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
-* Judd Bourgeois <shagboy@bluesky.net>
-* Juergen Heinzl <unicorn@noris.net>
-* Juha Virtanen <jiivee@iki.fi>
-* Julian Pidancet <julian.pidancet@gmail.com>
-* Julianne Frances Haugh <julie78787@gmail.com>
-* Leonard N. Zubkoff <lnz@dandelion.com>
-* Luca Berra <bluca@www.polimi.it>
-* Lukáš Kuklínek <lkukline@redhat.com>
-* Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
-* Marc Ewing <marc@redhat.com>
-* Martin Bene <mb@sime.com>
-* Martin Mares <mj@gts.cz>
-* Michael Meskes <meskes@topsystem.de>
-* Michael Talbot-Wilson <mike@calypso.bns.com.au>
-* Michael Vetter <jubalh@iodoru.org>
-* Mike Frysinger <vapier@gentoo.org>
-* Mike Pakovic <mpakovic@users.southeast.net>
-* Nicolas François <nicolas.francois@centraliens.net>
-* Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
-* Pavel Machek <pavel@bug.ucw.cz>
-* Peter Vrabec <pvrabec@redhat.com>
-* Phillip Street
-* Rafał Maszkowski <rzm@icm.edu.pl>
-* Rani Chouha <ranibey@smartec.com>
-* Sami Kerola <kerolasa@rocketmail.com>
-* Scott Garman <scott.a.garman@intel.com>
-* Sebastian Rick Rijkers <srrijkers@gmail.com>
-* Seraphim Mellos <mellos@ceid.upatras.gr>
-* Shane Watts <shane@nexus.mlckew.edu.au>
-* Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
-* Thorsten Kukuk <kukuk@suse.de>
-* Tim Hockin <thockin@eagle.ais.net>
-* Timo Karjalainen <timok@iki.fi>
-* Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es>
-* Werner Fink <werner@suse.de>
--- a/143
+++ b/143
@@ -1,41 +1,118 @@
-SPDX-License-Identifier: BSD-3-Clause
+NOTE:
+  This license has been obsoleted by the change to the BSD-style copyright.
+  You may continue to use this license if you wish, but you are under no
+  obligation to do so.

-All files under this project either
+(*
+This document is freely plagiarised from the 'Artistic Licence',
+distributed as part of the Perl v4.0 kit by Larry Wall, which is
+available from most major archive sites.  I stole it from CrackLib.

-1. fall under the BSD 3 clause license (by default).
+	$Id$
+*)

-2. carry an SPDX header declaring what license applies.
+This documents purpose is to state the conditions under which this
+Package (See definition below) viz: "Shadow", the Shadow Password Suite
+which is held by Julianne Frances Haugh, may be copied, such that the
+copyright holder maintains some semblance of artistic control over the
+development of the package, while giving the users of the package the
+right to use and distribute the Package in a more-or-less customary
+fashion, plus the right to make reasonable modifications. 

-or
+So there.

-3. list a full custom license
+***************************************************************************

-This software is originally
+Definitions:

- * Copyright (c) 1989 - 1994, Julianne Frances Haugh

- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. The name of the copyright holders or contributors may not be used to
- *    endorse or promote products derived from this software without
- *    specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
- * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+A "Package" refers to the collection of files distributed by the
+Copyright Holder, and derivatives of that collection of files created
+through textual modification, or segments thereof. 
+
+"Standard Version" refers to such a Package if it has not been modified,
+or has been modified in accordance with the wishes of the Copyright
+Holder.
+
+"Copyright Holder" is whoever is named in the copyright or copyrights
+for the package.
+
+"You" is you, if you're thinking about copying or distributing this
+Package.
+
+"Reasonable copying fee" is whatever you can justify on the basis of
+media cost, duplication charges, time of people involved, and so on.
+(You will not be required to justify it to the Copyright Holder, but
+only to the computing community at large as a market that must bear the
+fee.)
+
+"Freely Available" means that no fee is charged for the item itself,
+though there may be fees involved in handling the item.  It also means
+that recipients of the item may redistribute it under the same
+conditions they received it.
+
+
+1.  You may make and give away verbatim copies of the source form of the
+Standard Version of this Package without restriction, provided that you
+duplicate all of the original copyright notices and associated
+disclaimers.
+
+2.  You may apply bug fixes, portability fixes and other modifications
+derived from the Public Domain or from the Copyright Holder.  A Package
+modified in such a way shall still be considered the Standard Version.
+
+3.  You may otherwise modify your copy of this Package in any way,
+provided that you insert a prominent notice in each changed file stating
+how and when AND WHY you changed that file, and provided that you do at
+least ONE of the following:
+
+a) place your modifications in the Public Domain or otherwise make them
+Freely Available, such as by posting said modifications to Usenet or an
+equivalent medium, or placing the modifications on a major archive site
+such as uunet.uu.net, or by allowing the Copyright Holder to include
+your modifications in the Standard Version of the Package.
+
+b) use the modified Package only within your corporation or organization.
+
+c) rename any non-standard executables so the names do not conflict with
+standard executables, which must also be provided, and provide separate
+documentation for each non-standard executable that clearly documents
+how it differs from the Standard Version.
+
+d) make other distribution arrangements with the Copyright Holder.
+
+4.  You may distribute the programs of this Package in object code or
+executable form, provided that you do at least ONE of the following:
+
+a) distribute a Standard Version of the executables and library files,
+together with instructions (in the manual page or equivalent) on where
+to get the Standard Version.
+
+b) accompany the distribution with the machine-readable source of the
+Package with your modifications.
+
+c) accompany any non-standard executables with their corresponding
+Standard Version executables, giving the non-standard executables
+non-standard names, and clearly documenting the differences in manual
+pages (or equivalent), together with instructions on where to get the
+Standard Version.
+
+d) make other distribution arrangements with the Copyright Holder.
+
+5.  You may charge a reasonable copying fee for any distribution of this
+Package.  You may charge any fee you choose for support of this Package. 
+YOU MAY NOT CHARGE A FEE FOR THIS PACKAGE ITSELF.  However, you may
+distribute this Package in aggregate with other (possibly commercial)
+programs as part of a larger (possibly commercial) software distribution
+provided that YOU DO NOT ADVERTISE this package as a product of your
+own. 
+
+6.  The name of the Copyright Holder may not be used to endorse or
+promote products derived from this software without specific prior
+written permission.
+
+7.  THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+
+				The End
--- a/225
+++ b/225
@@ -1,184 +1,3 @@
-2022-11-08  Serge Hallyn <serge@hallyn.com>
-
-	* useradd.8: fix default group ID (Tim Biermann)
-	* Revert drop of subid_init() (Serge Hallyn)
-	* Georgian translation (NorwayFun)
-	* useradd: Avoid taking unneeded space: do not reset non-existent data
-	  in lastlog (David Kalnischkies)
-	* relax username restrictions (Alexander Kanavin)
-	* selinux: check MLS enabled before setting serange (genBTC)
-	* copy_tree: use fchmodat instead of chmod (Samanta Navarro)
-	* copy_tree: don't block on FIFOs (Samanta Navarro)
-	* add shell linter (Jan Macku)
-	* copy_tree: carefully treat permissions (Samanta Navarro)
-	* lib/commonio: make lock failures more detailed (Luca BRUNO)
-	* lib: use strzero and memzero where applicable (Christian Göttsche)
-	* Update Dutch translation (Frans Spiesschaert)
-	* Don't test for NULL before calling free (Alex Colomar)
-	* Use libc MAX() and MIN() (Alejandro Colomar)
-	* chage: Fix regression in print_date (Xiami)
-	* usermod: report error if homedir does not exist (Iker Pedrosa)
-	* libmisc: minimum id check for system accounts (Iker Pedrosa)
-	* fix usermod -rG x y wrongly adding a group (xyz)
-	* man: add missing space in useradd.8.xml (Iker Pedrosa)
-	* lastlog: check for localtime() return value (Iker Pedrosa)
-	* Raise limit for passwd and shadow entry length (Iker Pedrosa)
-	* Remove adduser-old.c (Alejandro Colomar)
-	* useradd: Fix buffer overflow when using a prefix (David Michael)
-	* Don't warn when failed to open /etc/nsswitch.conf (Serge Hallyn)
-
-2022-08-15  Serge Hallyn <serge@hallyn.com>
-
-	* Address CVE-2013-4235 (TOCTTOU when copying directories)
-	  (Christian Göttsche)
-
-2022-08-15  Serge Hallyn <serge@hallyn.com>
-
-	* Fix uk manpages
-
-2022-08-08  Serge Hallyn <serge@hallyn.com>
-
-	* Add absolute path hint to --root (Celeste Liu)
-	* Various cleanups (Christian Göttsche)
-	* Fix Ubuntu release used in CI tests (Jeremy Whiting)
-	* add -F options to useradd (and tests) (Masatake YAMATO)
-	* useradd manpage updates (Masatake YAMATO and Alexander Zhang))
-	* Check for ownerid (not just username) in subid ranges (Iker Pedrosa)
-
-2022-07-04  Serge Hallyn <serge@hallyn.com>
-
-	* Declare file local functions static (Christian Göttsche)
-	* Use strict prototypes (Christian Göttsche)
-	* Do not drop const qualifier for Basename (Christian Göttsche)
-	* Constify various pointers (Christian Göttsche)
-	* Don't return uninitialized memory (Christian Göttsche)
-	* Don't let compiler optimize away memory cleaning (Christian Göttsche)
-	* Remove many obsolete compatibility checks  and defines (Alejandro Colomar)
-	* Modify ID range check in useradd (Iker Pedrosa)
-	* Use "extern "C"" to make libsubid easier to use from C++ (Alois Wohlschlager)
-	* French translation updates (bubu)
-	* Fix s/with-pam/with-libpam/ (serge)
-	* Spanish translation updates (Fernando)
-	* French translation fixes (Balint Reczey)
-	* Default max group name length to 32 (Jami Kettunen)
-	* Fix PAM service files without-selinux (Ali Riza KESKIN)
-	* Improve manpages (Markus Hiereth)
-	  - groupadd, useradd, usermod
-	  - groups and id
-	  - pwck
-	* Add fedora to CI builds (Iker Pedrosa)
-	* Fix condition under which pw_dir check happens (Ed Neville)
-	* logoutd: switch to strncat (Steve Grubb)
-	* AUTHORS: improve markdown output (Iker Pedrosa)
-	* Handle ERANGE errors correctly (Niko)
-	* Check for fopen NULL return (juyin)
-	* Split get_salt() into its own fn juyin)
-	* Get salt before chroot to ensure /dev/urandom. (juyin)
-	* Chpasswd code cleanup (juyin)
-	* Work around git safe.directory enforcement (serge)
-	* Alphabetize order in usermod help (Matheus Marques)
-	* Erase password copy on error branches (Christian Göttsche)
-	* Suggest using --badname if needed (Iker Pedrosa)
-	* Update translation files (Iker Pedrosa)
-	* Correct badnames option to badname (Iker Pedrosa)
-	* configure: replace obsolete autoconf macros (Christian Göttsche)
-	* tests: replace egrep with grep -E (Sam James)
-	* Update Ukrainian translations (Yuri Chornoivan)
-	* Cleanups (Iker Pedrosa)
-	  - Remove redeclared variable
-	  - Remove commented out code and FIXMEs
-	  - Add header guards
-	  - Initialize local variables
-	* CI updates (Iker Pedrosa)
-	  - Create github workflow to install dependencies
-	  - Enable CodeQL
-	  - Update actions version
-	* libmisc: use /dev/urandom as fallback if other methods fail (Xi Ruoyao)
-
-
-2022-01-02  Serge Hallyn <serge@hallyn.com>
-
-	* build: include lib/shadowlog_internal.h in dist tarballs (Sam James)
-
-2022-01-02  Serge Hallyn <serge@hallyn.com>
-
-	* Handle possible TOCTTOU issues in usermod/userdel (edneville)
-	  * (CVE-2013-4235)
-	  * Use O_NOFOLLOW when copying file
-	  * Kill all user tasks in userdel
-	* Fix useradd -D segfault (Xi Ruoyao)
-	* Clean up obsolete libc feature-check ifdefs (Alejandro Colomar)
-	* Fix -fno-common build breaks due to duplicate Prog declarations
-	  (Adam Sampson)
-	* Have single date_to_str definition (Alejandro Colomar)
-	* Fix libsubid SONAME version (Sam James)
-
-2021-12-19  Serge Hallyn <serge@hallyn.com>
-
-	Note: From this release forward, su from this package should be
-	considered deprecated.  Please replace any users of it with su from
-	util-linux.  Please open an issue if there is a problem with that.
-	We intend to remove it in an upcoming release.
-
-	* libsubid fixes (Xi Ruoyao, Serge Hallyn, Iker Pedrosa, Mike Gilbert,
-	  GalaxyMaster, and Luís Ferreira)
-	* Rename the test program list_subid_ranges to getsubids, write
-	  a manpage, so distros can ship it. (Iker Pedrosa)
-	* Add libeconf dep for new*idmap (Iker Pedrosa)
-	* Allow all group types with usermod -G (Iker Pedrosa)
-	* Avoid useradd generating empty subid range (Iker Pedrosa)
-	* Handle NULL pw_passwd (Jaroslav Jindrak)
-	* Fix default value SHA_get_salt_rounds (Mike Gilbert)
-	* Use https where possible in README (Paul Menzel)
-	* Update content and format of README (Iker Pedrosa)
-	* Translation updates (Balint Reczey, Frans Spiesschaert)
-	* Switch from xml2po to itstool in 'make dist' (Serge Hallyn)
-	* Fix double frees (Michael Vetter)
-	* Add LOG_INIT configurable to useradd (Andy Zaugg)
-	* Add CREATE_MAIL_SPOOL documentation (Andy Zaugg)
-	* Create a security.md
-	* Fix su never being SIGKILLd when trapping TERM (Ruihan li)
-	* Fix wrong SELinux labels in several possible cases (Iker Pedrosa)
-	* Fix missing chmod in chadowtb_move (GalaxyMaster)
-	* Handle malformed hushlogins entries (Tobias Stoeckmann)
-	* Fix groupdel segv when passwd does not exist (François Rigault)
-	* Fix covscan-found newgrp segfault (Iker Pedrosa)
-	* Remove trailing slash on hoedir (Ed Neville)
-	* Fix passwd -l message - it does not change expirey (Ed Neville)
-	* Fix SIGCHLD handling bugs in su and vipw (Tobias Stoeckmann)
-	* Remove special case for "" in usermod (Alejandro Colomar)
-	* Implement usermod -rG to remove a specific group
-	  (Andy Zaugg)
-	* call pam_end() after fork in child path for su and login
-	  (Björn Fischer)
-	* useradd: In absence of /etc/passwd, assume 0 == root
-	  (Ludwig Nussel)
-	* lib: check NULL before freeing data (Iker Pedrosa)
-	* Fix pwck segfault (Iker Pedrosa)
-
-2021-07-22  Serge Hallyn <serge@hallyn.com>
-
-	* Updated translations (Björn Esser, Juergen Hoetzel)
-	* Major salt updates (Björn Esser)
-	* Various coverity and cleanup fixes (Iker Pedrosa)
-	* Consistently use 0 to disable PASS_MIN_DAYS  in man (tzccinct)
-	* Implement NSS support for subids and a libsubid (Serge Hallyn)
-	* setfcap: retain setfcap when mapping uid 0 (Christian Brauner)
-	* login.defs: include HMAC_CRYPTO_ALGO key (Iker Pedrosa)
-	* selinux fixes (Christian Göttsche)
-	* Fix path prefix path handling (Lucas Servén Marín)
-	* Manpage updates (tzccinct, Sevan Janiyan, Iker Pedrosa, Geert Ijewski,
-		谭九鼎, Jamin W. Collins, towerpark, andydna, Frans Spiesschaert)
-	* Treat an empty passwd field as invalid (Haelwenn Monnier)
-	* newxidmap: allow running under alternative gid (Martijn de Gouw)
-	* usermod: check that  shell is executable (Geert Ijewski)
-	* Add yescript support (Rodolphe Bréard)
-	* useradd memleak fixes (whzhe)
-	* useradd: use built-in settings by default (Ludwig Nussel)
-	* getdefs: add foreign (non-shadow-utils) items (Karel Zak)
-	* buffer overflow fixes (Tobias Stoeckmann)
-	* Adding run-parts style for pre and post useradd/del (ed@s5h.net)
-
 2020-01-23  Serge Hallyn <serge@hallyn.com>

 	* selinux: inclue stdio (Michael Vetter)
@@ -443,7 +262,7 @@
 2013-08-15  Nicolas François  <nicolas.francois@centraliens.net>

 	* src/usermod.c: Check early if /etc/subuid (/etc/subgid) exists
-	when option -v/-V (-w/-W) are provided.
+	when option -v/-V (-w/-W) are provided. 

 2013-08-15  Nicolas François  <nicolas.francois@centraliens.net>

@@ -820,8 +639,8 @@

 	* configure.in: Prepare for next point release 4.2.
 	* if using the static char* for pw_dir, strdup it so
-	  pw_free() can be used. (Closes: Debian#691459, alioth#313957)
-	* Kill the child process group, rather than just the
+	  pw_free() can be used. (Closes: Debian#691459, alioth#313957) 
+	* Kill the child process group, rather than just the 
 	  immediate child; this is needed now that su no
 	  longer starts a controlling terminal when not running an
 	  interactive shell (closes: Debian#713979)
@@ -1048,7 +867,7 @@

 	* po/pt.po: Updated to 557t.

-2012-01-19  Holger Wansing  <linux@wansing-online.de>
+2012-01-19  Holger Wansing  <linux@wansing-online.de> 

 	* po/de.po: Updated to 557t.

@@ -1635,8 +1454,8 @@
 	* NEWS, src/chpasswd.c: Create a shadow entry if the password is
 	set to 'x' in passwd and there are no entry in shadow for the
 	user.
-	* NEWS, src/chgpasswd.c: Create a gshadow entry if the password is
-	set to 'x' in group and there are no entry in gshadow for the
+	* NEWS, src/chgpasswd.c: Create a gshadow entry if the password is 
+	set to 'x' in group and there are no entry in gshadow for the 
 	group.

 2011-07-28  Nicolas François  <nicolas.francois@centraliens.net>
@@ -1708,7 +1527,7 @@
 2011-07-22  Nicolas François  <nicolas.francois@centraliens.net>

 	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Fail in case of
-	invalid configuration.
+	invalid configuration. 
 	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Updated
 	comments.
 	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Be more strict
@@ -1945,7 +1764,7 @@
 	  man/login.defs.d/DEFAULT_HOME.xml,
 	  man/login.defs.d/LOGIN_RETRIES.xml,
 	  man/login.defs.d/MD5_CRYPT_ENAB.xml,
-	  man/login.defs.d/PORTTIME_CHECKS_ENAB.xml,
+	  man/login.defs.d/PORTTIME_CHECKS_ENAB.xml, 
 	  man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml:
 	  Fix typos
 	* man/po/de.po: German translation of manpages completed
@@ -1992,7 +1811,7 @@

 2011-03-30  YunQiang Su  <wzssyqa@gmail.com>

-	* man/po/zh_CN.po: convert Simplified Chinese translation
+	* man/po/zh_CN.po: convert Simplified Chinese translation 
 	  of manpages to gettext
 	* po/zh_CN.po: Simplified Chinese translation completed

@@ -2131,7 +1950,7 @@
 	boolean. safe_system last argument is a boolean.
 	* libmisc/system.c: Check return value of dup2.
 	* libmisc/system.c: Do not check *printf/*puts return value.
-	* libmisc/system.c: Do not check execve return value.
+	* libmisc/system.c: Do not check execve return value. 
 	* libmisc/salt.c: Do not check *printf/*puts return value.
 	* libmisc/loginprompt.c: Do not check gethostname return value.
 	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Do not check
@@ -2284,7 +2103,7 @@
 2010-04-04  Nicolas François  <nicolas.francois@centraliens.net>

 	* src/useradd.c: spool is a constant string.
-	* src/useradd.c: Set the new copy_tree's paramater 'copy_root' to false
+	* src/useradd.c: Set the new copy_tree's paramater 'copy_root' to false 

 2010-04-04  Nicolas François  <nicolas.francois@centraliens.net>

@@ -5133,7 +4952,7 @@
 	<sgrubb@redhat.com>
 	* src/groupadd.c: Log to audit with type AUDIT_ADD_GROUP instead
 	of AUDIT_USER_CHAUTHTOK.
-	* src/groupdel.c: Log to audit with type AUDIT_DEL_GROUP instead
+	* src/groupdel.c: Log to audit with type AUDIT_DEL_GROUP instead 
 	of AUDIT_USER_CHAUTHTOK.
 	* src/useradd.c: Log to audit with type AUDIT_ADD_USER /
 	AUDIT_ADD_GROUP / AUDIT_USYS_CONFIG instead of
@@ -5389,7 +5208,7 @@
 	* NEWS, src/gpasswd.c: Use getopt_long instead of getopt. Added
 	support for long options --add (-a), --delete (-d),
 	--remove-password (-r), --restrict (-R), --administrators (-A),
-	and --members (-M)
+	and --members (-M) 
 	* man/gpasswd.1.xml: Document the new long options.
 	* src/gpasswd.c: The sgrp structure is only used if SHADOWGRP is
 	defined.
@@ -7578,7 +7397,7 @@
 	to mimic useradd's behavior choices of UID and GID.
 	* src/newusers.c: Reuse the generic find_new_uid() and
 	find_new_gid() functions. This permits to respect the
-	UID_MIN/UID_MAX and GID_MIN/GID_MAX variables, should
+	UID_MIN/UID_MAX and GID_MIN/GID_MAX variables, should 
 	* src/newusers.c: Check if the user or group exist using the
 	external databases (with the libc getpwnam/getgrnam functions).
 	Refuse to update an user which exist in an external database but
@@ -9375,7 +9194,7 @@
 	Debian's patch 202_it_man_uses_gettext. Thanks to Giuseppe
 	Sacco who contributed the Italian translation.
 	* man/de/de.po: (nearly) complete German translation of man pages
-	Imported from Debian's patch 203_de-man-update. Thanks to
+	Imported from Debian's patch 203_de-man-update. Thanks to 
 	Simon Brandmair
 	* src/usermod.c: Clarify the online help of usermod for "-a"
 	Imported from Debian's patch 402-clarify_usermod_usage
@@ -9558,7 +9377,7 @@
 	* NEWS: release date corrected.

 	* NEWS, src/su.c:
-	fixed set environment too early when using PAM, so move it to !USE_PAM
+	fixed set enviroment too early when using PAM, so move it to !USE_PAM
 	(patch submitted by Mike Frysinger <vapier@gentoo.org>).

 2006-07-30  Tomasz Kłoczko  <kloczek@pld.org.pl>
@@ -10245,7 +10064,7 @@
 	* NEWS: cleanups.

 	* autogen.sh:
-	by default in development environment use CFLAGS="-O2 -Wall".
+	by default in development enviroment use CFLAGS="-O2 -Wall".

 	* src/chgpasswd.c (main): remove two unused variables (newgr and now).

@@ -11654,7 +11473,7 @@
 	in OPTIONS section). Describe -a and -k options.

 	* NEWS, src/su.c:
-	fixed twice copy environment which causes auth problems (bug was introduced in 4.0.12;
+	fixed twice copy enviroment which causes auth problems (bug was introduced in 4.0.12;
 	fix by Nicolas François <nicolas.francois@centraliens.net>).

 	* src/passwd.c, po/ja.po, po/ko.po, po/nb.po, po/nl.po, po/nn.po, po/pl.po, po/pt.po, po/pt_BR.po, po/ro.po, po/ru.po, po/sk.po, po/sq.po, po/sv.po, po/tl.po, po/tr.po, po/uk.po, po/vi.po, po/zh_CN.po, po/zh_TW.po, po/bs.po, po/ca.po, po/cs.po, po/da.po, po/de.po, po/el.po, po/es.po, po/eu.po, po/fi.po, po/fr.po, po/he.po, po/id.po, po/it.po:
@@ -12584,7 +12403,7 @@
 	http://bugs.debian.org/48002

 	* src/login.c, NEWS:
-	fixed loggin of username on successful login (was using the normal username,
+	fixed loggin of username on succesful login (was using the normal username,
 	when it should have used pam_user) http://bugs.debian.org/47819

 2005-06-02  Tomasz Kłoczko  <kloczek@pld.org.pl>
@@ -13029,7 +12848,7 @@
 	* man/pl/usermod.8: finish sync with english version.

 	* man/hu/login.1, man/pl/login.1, NEWS, man/Attic/login.1, man/de/login.1:
-	removed fragment about abilities pass environment variables in login prompt.
+	removed fragment about abilities pass enviroment variables in login prompt.

 	* man/Attic/gpasswd.1, man/Attic/newgrp.1:
 	fixes by Nicolas Nicolas François <nicolas.francois@centraliens.net> (not all
@@ -13508,7 +13327,7 @@
 	removed not used translations.

 	* NEWS, src/su.c:
-	fix adding of pam_env env variables to environment (Martin Schlemmer <azarah@nosferatu.za.org>).
+	fix adding of pam_env env variables to enviroment (Martin Schlemmer <azarah@nosferatu.za.org>).

 	* NEWS, configure.in:
 	fixed filling MAIL_SPOOL_DIR and MAIL_SPOOL_FILE variables which was allways
@@ -13605,7 +13424,7 @@

 	* NEWS, src/su.c:
 	add pam_open_session() support. If builded without PAM support
-	propagate $DISPLAY and $XAUTHORITY environment variables.
+	propagate $DISPLAY and $XAUTHORITY enviroment variables.
 	Based on http://www.gentoo.org/cgi-bin/viewcvs.cgi/sys-apps/shadow/files/shadow-4.0.4.1-su-pam_open_session.patch?rev=1.1

 2004-10-23  Tomasz Kłoczko  <kloczek@pld.org.pl>
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,28 +1,6 @@
 ## Process this file with automake to produce Makefile.in
-ACLOCAL_AMFLAGS = -I m4

-SUBDIRS = lib
+EXTRA_DIST = NEWS README TODO shadow.spec.in

-if ENABLE_SUBIDS
-SUBDIRS += libsubid
-endif
-
-SUBDIRS += src po doc etc tests/unit
-
-if ENABLE_REGENERATE_MAN
-SUBDIRS += man
-endif
-
-CLEANFILES = man/8.out man/po/remove-potcdate.* man/*/login.defs.d man/*/*.mo
-
-EXTRA_DIST = NEWS README tests/
-
-dist-hook:
-	chmod -R u+w $(distdir)/tests
-	chmod u+w $(distdir)
-	mv $(distdir)/tests/unit $(distdir)/realunittest
-	mv $(distdir)/tests/tests $(distdir)/realtests
-	rm -rf $(distdir)/tests
-	mv $(distdir)/realtests $(distdir)/tests
-	rm -rf $(distdir)/tests/unit $(distdir)/tests/Makefile*
-	mv $(distdir)/realunittest $(distdir)/tests/unit
+SUBDIRS = po man libmisc lib src \
+	contrib doc etc
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.18.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
 # @configure_input@

-# Copyright (C) 1994-2025 Free Software Foundation, Inc.
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.

 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -69,8 +69,6 @@ am__make_running_with_option = \
  test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-am__rm_f = rm -f $(am__rm_f_notfound)
-am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -89,18 +87,9 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-@ENABLE_SUBIDS_TRUE@am__append_1 = libsubid
-@ENABLE_REGENERATE_MAN_TRUE@am__append_2 = man
 subdir = .
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
-	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
-	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
-	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
-	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
-	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
-	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
-	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+am__aclocal_m4_deps = $(top_srcdir)/acinclude.m4 \
 	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -110,7 +99,7 @@ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
 configure.lineno config.status.lineno
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = config.h
-CONFIG_CLEAN_FILES = man/po/Makefile
+CONFIG_CLEAN_FILES = man/po/Makefile shadow.spec
 CONFIG_CLEAN_VPATH_FILES =
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -147,8 +136,8 @@ am__recursive_targets = \
  $(am__extra_recursive_targets)
 AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
 	cscope distdir distdir-am dist dist-all distcheck
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) \
-	config.h.in
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \
+	$(LISP)config.h.in
 # Read a list of newline-separated strings from the standard input,
 # and print each of them once, without duplicates.  Input order is
 # *not* preserved.
@@ -165,26 +154,22 @@ am__define_uniq_tagged_files = \
  unique=`for i in $$list; do \
    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
  done | $(am__uniquify_input)`
-DIST_SUBDIRS = lib libsubid src po doc etc tests/unit man
+ETAGS = etags
+CTAGS = ctags
+CSCOPE = cscope
+DIST_SUBDIRS = $(SUBDIRS)
 am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
-	$(top_srcdir)/build-aux/compile \
-	$(top_srcdir)/build-aux/config.guess \
-	$(top_srcdir)/build-aux/config.rpath \
-	$(top_srcdir)/build-aux/config.sub \
-	$(top_srcdir)/build-aux/install-sh \
-	$(top_srcdir)/build-aux/ltmain.sh \
-	$(top_srcdir)/build-aux/missing \
-	$(top_srcdir)/man/po/Makefile.in ABOUT-NLS AUTHORS.md COPYING \
-	ChangeLog NEWS README build-aux/compile build-aux/config.guess \
-	build-aux/config.rpath build-aux/config.sub \
-	build-aux/install-sh build-aux/ltmain.sh build-aux/missing
+	$(srcdir)/shadow.spec.in $(top_srcdir)/man/po/Makefile.in \
+	ABOUT-NLS COPYING ChangeLog NEWS README TODO compile \
+	config.guess config.rpath config.sub install-sh ltmain.sh \
+	missing
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
 am__remove_distdir = \
  if test -d "$(distdir)"; then \
-    find "$(distdir)" -type d ! -perm -700 -exec chmod u+rwx {} ';' \
-      ; rm -rf "$(distdir)" \
+    find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
+      && rm -rf "$(distdir)" \
      || { sleep 5 && rm -rf "$(distdir)"; }; \
  else :; fi
 am__post_remove_distdir = $(am__remove_distdir)
@@ -214,20 +199,15 @@ am__relativize = \
  done; \
  reldir="$$dir2"
 DIST_ARCHIVES = $(distdir).tar.gz $(distdir).tar.xz
-GZIP_ENV = -9
+GZIP_ENV = --best
 DIST_TARGETS = dist-xz dist-gzip
-# Exists only to be overridden by the user if desired.
-AM_DISTCHECK_DVI_TARGET = dvi
 distuninstallcheck_listfiles = find . -type f -print
 am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
  | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
-distcleancheck_listfiles = \
-  find . \( -type f -a \! \
-            \( -name .nfs* -o -name .smb* -o -name .__afs* \) \) -print
+distcleancheck_listfiles = find . -type f -print
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
 AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AM_DISTCHECK_CONFIGURE_FLAGS = @AM_DISTCHECK_CONFIGURE_FLAGS@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -236,12 +216,8 @@ AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
-CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
-CMOCKA_LIBS = @CMOCKA_LIBS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CSCOPE = @CSCOPE@
-CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -253,10 +229,8 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 ECONF_CPPFLAGS = @ECONF_CPPFLAGS@
 EGREP = @EGREP@
-ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
-FILECMD = @FILECMD@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
@@ -272,15 +246,9 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LIBACL = @LIBACL@
-LIBADD_DL = @LIBADD_DL@
-LIBADD_DLD_LINK = @LIBADD_DLD_LINK@
-LIBADD_DLOPEN = @LIBADD_DLOPEN@
-LIBADD_SHL_LOAD = @LIBADD_SHL_LOAD@
 LIBATTR = @LIBATTR@
 LIBAUDIT = @LIBAUDIT@
-LIBBSD = @LIBBSD@
-LIBBSD_CFLAGS = @LIBBSD_CFLAGS@
-LIBBSD_LIBS = @LIBBSD_LIBS@
+LIBCRACK = @LIBCRACK@
 LIBCRYPT = @LIBCRYPT@
 LIBECONF = @LIBECONF@
 LIBICONV = @LIBICONV@
@@ -292,11 +260,6 @@ LIBS = @LIBS@
 LIBSELINUX = @LIBSELINUX@
 LIBSEMANAGE = @LIBSEMANAGE@
 LIBSKEY = @LIBSKEY@
-LIBSUBID_ABI = @LIBSUBID_ABI@
-LIBSUBID_ABI_MAJOR = @LIBSUBID_ABI_MAJOR@
-LIBSUBID_ABI_MICRO = @LIBSUBID_ABI_MICRO@
-LIBSUBID_ABI_MINOR = @LIBSUBID_ABI_MINOR@
-LIBSYSTEMD = @LIBSYSTEMD@
 LIBTCB = @LIBTCB@
 LIBTOOL = @LIBTOOL@
 LIPO = @LIPO@
@@ -304,8 +267,6 @@ LN_S = @LN_S@
 LTLIBICONV = @LTLIBICONV@
 LTLIBINTL = @LTLIBINTL@
 LTLIBOBJS = @LTLIBOBJS@
-LT_DLLOADERS = @LT_DLLOADERS@
-LT_DLPREOPEN = @LT_DLPREOPEN@
 LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
 MAINT = @MAINT@
 MAKEINFO = @MAKEINFO@
@@ -328,9 +289,6 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 POSUB = @POSUB@
 RANLIB = @RANLIB@
 SED = @SED@
@@ -346,6 +304,8 @@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
@@ -356,10 +316,8 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
-am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
-am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -402,11 +360,10 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-ACLOCAL_AMFLAGS = -I m4
-SUBDIRS = lib $(am__append_1) src po doc etc tests/unit \
-	$(am__append_2)
-CLEANFILES = man/8.out man/po/remove-potcdate.* man/*/login.defs.d man/*/*.mo
-EXTRA_DIST = NEWS README tests/
+EXTRA_DIST = NEWS README TODO shadow.spec.in
+SUBDIRS = po man libmisc lib src \
+	contrib doc etc
+
 all: config.h
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive

@@ -450,17 +407,19 @@ config.h: stamp-h1
 	@test -f $@ || $(MAKE) $(AM_MAKEFLAGS) stamp-h1

 stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
-	$(AM_V_at)rm -f stamp-h1
-	$(AM_V_GEN)cd $(top_builddir) && $(SHELL) ./config.status config.h
+	@rm -f stamp-h1
+	cd $(top_builddir) && $(SHELL) ./config.status config.h
 $(srcdir)/config.h.in: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) 
-	$(AM_V_GEN)($(am__cd) $(top_srcdir) && $(AUTOHEADER))
-	$(AM_V_at)rm -f stamp-h1
-	$(AM_V_at)touch $@
+	($(am__cd) $(top_srcdir) && $(AUTOHEADER))
+	rm -f stamp-h1
+	touch $@

 distclean-hdr:
 	-rm -f config.h stamp-h1
 man/po/Makefile: $(top_builddir)/config.status $(top_srcdir)/man/po/Makefile.in
 	cd $(top_builddir) && $(SHELL) ./config.status $@
+shadow.spec: $(top_builddir)/config.status $(srcdir)/shadow.spec.in
+	cd $(top_builddir) && $(SHELL) ./config.status $@

 mostlyclean-libtool:
 	-rm -f *.lo
@@ -582,7 +541,7 @@ distdir: $(BUILT_SOURCES)

 distdir-am: $(DISTFILES)
 	$(am__remove_distdir)
-	$(AM_V_at)$(MKDIR_P) "$(distdir)"
+	test -d "$(distdir)" || mkdir "$(distdir)"
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -637,9 +596,6 @@ distdir-am: $(DISTFILES)
 	      || exit 1; \
 	  fi; \
 	done
-	$(MAKE) $(AM_MAKEFLAGS) \
-	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
-	  dist-hook
 	-test -n "$(am__skip_mode_fix)" \
 	|| find "$(distdir)" -type d ! -perm -755 \
 		-exec chmod u+rwx,go+rx {} \; -o \
@@ -655,10 +611,6 @@ dist-bzip2: distdir
 	tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
 	$(am__post_remove_distdir)

-dist-bzip3: distdir
-	tardir=$(distdir) && $(am__tar) | bzip3 -c >$(distdir).tar.bz3
-	$(am__post_remove_distdir)
-
 dist-lzip: distdir
 	tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
 	$(am__post_remove_distdir)
@@ -666,10 +618,6 @@ dist-xz: distdir
 	tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
 	$(am__post_remove_distdir)

-dist-zstd: distdir
-	tardir=$(distdir) && $(am__tar) | zstd -c $${ZSTD_CLEVEL-$${ZSTD_OPT--19}} >$(distdir).tar.zst
-	$(am__post_remove_distdir)
-
 dist-tarZ: distdir
 	@echo WARNING: "Support for distribution archives compressed with" \
 		       "legacy program 'compress' is deprecated." >&2
@@ -699,11 +647,9 @@ dist dist-all:
 distcheck: dist
 	case '$(DIST_ARCHIVES)' in \
 	*.tar.gz*) \
-	  eval GZIP= gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
+	  eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).tar.gz | $(am__untar) ;;\
 	*.tar.bz2*) \
 	  bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
-	*.tar.bz3*) \
-	  bzip3 -dc $(distdir).tar.bz3 | $(am__untar) ;;\
 	*.tar.lz*) \
 	  lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
 	*.tar.xz*) \
@@ -711,11 +657,9 @@ distcheck: dist
 	*.tar.Z*) \
 	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
 	*.shar.gz*) \
-	  eval GZIP= gzip -dc $(distdir).shar.gz | unshar ;;\
+	  eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\
 	*.zip*) \
 	  unzip $(distdir).zip ;;\
-	*.tar.zst*) \
-	  zstd -dc $(distdir).tar.zst | $(am__untar) ;;\
 	esac
 	chmod -R a-w $(distdir)
 	chmod u+w $(distdir)
@@ -731,7 +675,7 @@ distcheck: dist
 	    $(DISTCHECK_CONFIGURE_FLAGS) \
 	    --srcdir=../.. --prefix="$$dc_install_base" \
 	  && $(MAKE) $(AM_MAKEFLAGS) \
-	  && $(MAKE) $(AM_MAKEFLAGS) $(AM_DISTCHECK_DVI_TARGET) \
+	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
 	  && $(MAKE) $(AM_MAKEFLAGS) check \
 	  && $(MAKE) $(AM_MAKEFLAGS) install \
 	  && $(MAKE) $(AM_MAKEFLAGS) installcheck \
@@ -809,11 +753,10 @@ install-strip:
 mostlyclean-generic:

 clean-generic:
-	-$(am__rm_f) $(CLEANFILES)

 distclean-generic:
-	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)

 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -893,40 +836,23 @@ uninstall-am:
 .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
 	am--refresh check check-am clean clean-cscope clean-generic \
 	clean-libtool cscope cscopelist-am ctags ctags-am dist \
-	dist-all dist-bzip2 dist-bzip3 dist-gzip dist-hook dist-lzip \
-	dist-shar dist-tarZ dist-xz dist-zip dist-zstd distcheck \
-	distclean distclean-generic distclean-hdr distclean-libtool \
-	distclean-tags distcleancheck distdir distuninstallcheck dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-dvi install-dvi-am \
-	install-exec install-exec-am install-html install-html-am \
-	install-info install-info-am install-man install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs installdirs-am \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags tags-am uninstall uninstall-am
+	dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \
+	dist-xz dist-zip distcheck distclean distclean-generic \
+	distclean-hdr distclean-libtool distclean-tags distcleancheck \
+	distdir distuninstallcheck dvi dvi-am html html-am info \
+	info-am install install-am install-data install-data-am \
+	install-dvi install-dvi-am install-exec install-exec-am \
+	install-html install-html-am install-info install-info-am \
+	install-man install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs installdirs-am maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am

 .PRECIOUS: Makefile


-dist-hook:
-	chmod -R u+w $(distdir)/tests
-	chmod u+w $(distdir)
-	mv $(distdir)/tests/unit $(distdir)/realunittest
-	mv $(distdir)/tests/tests $(distdir)/realtests
-	rm -rf $(distdir)/tests
-	mv $(distdir)/realtests $(distdir)/tests
-	rm -rf $(distdir)/tests/unit $(distdir)/tests/Makefile*
-	mv $(distdir)/realunittest $(distdir)/tests/unit
-
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
-
-# Tell GNU make to disable its built-in pattern rules.
-%:: %,v
-%:: RCS/%,v
-%:: RCS/%
-%:: s.%
-%:: SCCS/s.%
--- a/38
+++ b/38
@@ -15,7 +15,7 @@ shadow-4.1.5.1 -> shadow-4.2					UNRELEASED

 - su
  * When su receives a signal (SIGTERM, or SIGINT/SIGQUIT in non
-    interactive mode), kill the child process group, rather than just the
+    interactive mode), kill the child process group, rather than just the 
    immediate child.
  * Fix segmentation faults for users without a proper home or shell in
    their passwd entries.
@@ -622,7 +622,7 @@ shadow-4.0.18.2 -> shadow-4.1.0						09-12-2007
 - Add support for uClibc with no l64a().
 - userdel, usermod: Fix infinite loop caused by erroneous group file
  containing two entries with the same name. (The fix strategy differs
-  from
+  from 
  (https://bugzilla.redhat.com/show_bug.cgi?id=240915)
 - userdel: Abort if an error is detected while updating the passwd or group
  databases. The passwd or group files will not be written.
@@ -696,7 +696,7 @@ shadow-4.0.18 -> shadow-4.0.18.1					03-08-2006
 shadow-4.0.17 -> shadow-4.0.18						01-08-2006

 *** general:
- su: fixed set environment too early when using PAM, so move it to !USE_PAM
+- su: fixed set enviroment too early when using PAM, so move it to !USE_PAM
  (patch submitted by Mike Frysinger <vapier@gentoo.org>),
 - groupadd, groupmod, useradd, usermod: fixed UID/GID overflow (fixed
  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198920)
@@ -855,7 +855,7 @@ shadow-4.0.14 -> shadow-4.0.15						13-03-2006
 - su: move exit() outside libmisc/shell.c::shell() for handle shell() errors
  on higher level (now is better visable where some programs exit with 126
  and 127 exit codes); added new shell() parameter (char *const envp[])
-  which allow fix preserving environment in su on using -p, (patch by
+  which allow fix preserving enviroment in su on using -p, (patch by
  Alexander Gattin <xrgtn@yandex.ru>),
 - su: added handle -c,--command option for GNU su compliance (merge
  437_su_-c_option Debian patch),
@@ -966,7 +966,7 @@ shadow-4.0.12 -> shadow-4.0.13						10-10-2005
  to example described in ident(1) man page (modern compilers like latest GCC
  removes not used functions by global optimization).
  So "ident /usr/bin/passwd" will show again some useable informations
- su: fixed twice copy environment which causes auth problems
+- su: fixed twice copy enviroment which causes auth problems
  (bug was introduced in 4.0.12; fix by Nicolas François <nicolas.francois@centraliens.net>),
 - chage: differentiate the different failure causes by the exit value
  This will permit to adduser Debian script to detect if chage failed because the
@@ -1001,9 +1001,9 @@ shadow-4.0.12 -> shadow-4.0.13						10-10-2005
 shadow-4.0.11.1 -> shadow-4.0.12					22-08-2005

 *** general:
- newgrp, login: remove using login.defs::CLOSE_SESSIONS variable and always
+- newgrp, login: remove using login.defs::CLOSE_SESSIONS variable and always 
  close PAM session,
- fixed configure.in: really enable shadow group support by default (pointed by
+- fixed configure.in: really enable shadow group support by default (pointed by 
  Greg Schafer <gschafer@zip.com.au> and Peter Vrabec <pvrabec@redhat.com>),
 - login.defs: removed handle QMAIL_DIR variable,
 - login: allow regular user to login on read-only root file system (not only for root)
@@ -1080,7 +1080,7 @@ shadow-4.0.10 -> shadow-4.0.11						18-07-2005
 - S/Key support is back,
 - usermod: added -a option. This flag can only be used in conjunction with the -G
  option. It cause usermod to append user to the current supplementary group list.
-  (patch by Peter Vrabec <pvrabec@redhat.com>)
+  (patch by Peter Vrabec <pvrabec@redhat.com>) 
 - chage: added missing \n in error messages,
 - useradd, groupadd: change -O option to -K and document it in man page,
 - su, sulogin, login: fixed erroneous warning messages when used with PAM about some
@@ -1130,10 +1130,10 @@ shadow-4.0.9 -> shadow-4.0.10						28-06-2005
  http://bugs.debian.org/53570 http://bugs.debian.org/195048 http://bugs.debian.org/211884
 - login: made login's -f option also able to use the username after -- if none
  was passed as it's optarg
-  http://bugs.debian.org/53702
+  http://bugs.debian.org/53702 
 - login: check for hushed login and pass PAM_SILENT if true,
  http://bugs.debian.org/48002
- login: fixed username on successful login (was using the normal username,
+- login: fixed username on succesful login (was using the normal username,
  when it should have used pam_user) http://bugs.debian.org/47819
 - remove using SHADOWPWD #define so now shadow is always built with shadow
  password support,
@@ -1208,11 +1208,11 @@ shadow-4.0.7 -> shadow-4.0.8						26-04-2005
 -- new: chage.1, chpasswd.8, expiry.1, faillog.5, faillog.8, getspnam.3,
   logoutd.8, porttime.5, pwck.8, shadow.3, shadowconfig.8, su.1,
 - passwd(1): fix #160477 Debian bug: improve -S output description,
- newgrp(1): fix #251926, #166173, #113191 Debian bugs: explain why editing /etc/group
+- newgrp(1): fix #251926, #166173, #113191 Debian bugs: explain why editing /etc/group   
  (without gshadow) doesn't permit to use newgrp,
 - newgrp(1): newgrp uses /bin/sh (not bash),
 - faillog(8): updated after rewritten faillog command for use getopt_long(),
- login(1): removed fragment about abilities pass environment variables in login prompt,
+- login(1): removed fragment about abilities pass enviroment variables in login prompt,
 - gshadow(5): new file (by Nicolas Nicolas François <nicolas.francois@centraliens.net>),
 - usermod(8): fixed #302388 Debian bug: added separated -o option description,

@@ -1238,11 +1238,11 @@ shadow-4.0.6 -> shadow-4.0.7						26-01-2005
 - chpasswd:
 -- switch chpasswd to use getopt_long() and adds a --md5 option
   (by Ian Gulliver <ian@penguinhosting.net>),
-- rewritten chpasswd(8) man page.
+-- rewritten chpasswd(8) man page.  

 shadow-4.0.5 -> shadow-4.0.6						08-11-2004

- su: fixed adding of pam_env env variables to environment
+- su: fixed adding of pam_env env variables to enviroment
  (Martin Schlemmer <azarah@nosferatu.za.org>),
 - autoconf: fixed filling MAIL_SPOOL_DIR and MAIL_SPOOL_FILE variables
  which was always empty (Gregorio Guidi <g.guidi@sns.it>),
@@ -1275,7 +1275,7 @@ shadow-4.0.4.1 -> shadow-4.0.5						27-10-2004
  including symlinks placed into /etc/skel/public_html for example.
  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=66819
 - su: add pam_open_session() support. If built without PAM support
-  propagate $DISPLAY and $XAUTHORITY environment variables.
+  propagate $DISPLAY and $XAUTHORITY enviroment variables.
  Based on http://www.gentoo.org/cgi-bin/viewcvs.cgi/sys-apps/shadow/files/shadow-4.0.4.1-su-pam_open_session.patch?rev=1.1
 - applied 036_pam_access_with_preauth.patch Debian patch submited by Bjorn
  Torkelsson <Bjorn.Torkelsson@hpc2n.umu.se>: add support for PAM account
@@ -1309,7 +1309,7 @@ shadow-4.0.4 => shadow-4.0.4.1						14-01-2004
 - bug fixes in automake files for generate correct tar ball on "make dist":
  added missing "EXTRA_DIST = $(man_MANS)" in man/*/Makefile.am.

-shadow-4.0.3 => shadow-4.0.4						14-01-2004
+shadow-4.0.3 => shadow-4.0.4						14-01-2004	

 *** general:
 - added missing information about -f options in groupadd usage message
@@ -1408,7 +1408,7 @@ shadow-4.0.0 => shadow-4.0.1
 - fixes for handle/print correctly 32bit uid/gid (Thorsten Kukuk <kukuk@suse.de>),
 - implemented functions for better reloading the nscd cache (per NSS map)
  (Thorsten Kukuk <kukuk@suse.de>),
- fixed warnings "not used but defined" on compile using gcc 3.0.x
+- fixed warnings "not used but defined" on compile using gcc 3.0.x 
  (bulletpr00ph <bullet@users.sourceforge.net>),
 - added ja, ko translations found in SuSE,
 - added symlinks: newgrp -> sg, vipw -> vigr,
@@ -1416,7 +1416,7 @@ shadow-4.0.0 => shadow-4.0.1
 - added sg(1) man page as roff .so link to newgrp(1),
 - installed fix for SEGV when using pwck -s on /etc/passwd file with
  empty lines in it.
-
+  
 shadow-20001016 => shadow-4.0.0						 06-01-2002

 - fix bug discovered and fixed by Marcel Ritter
@@ -1466,7 +1466,7 @@ shadow-20000902 => shadow-20001012
  overwrite previously existing groups in adduser,
 - added PAM support for chage (bind to "chage" PAM config file) also
  added PAM support for all other small tools like chpasswd, groupadd,
-  groupdel, groupmod, newusers, useradd, userdel, usermod (bind to common
+  groupdel, groupmod, newusers, useradd, userdel, usermod (bind to common 
  "shadow" PAM config file) - this modifications mainly based on
  modifications prepared by Janek Rękojarski <baggins@pld.org.pl>,
 - many small fixes and improvements in automake (mow "make dist"
--- a/149
+++ b/149
@@ -1,47 +1,122 @@
-# shadow-utils
+Shadow SITES
+============

-## Introduction
-The shadow-utils package includes the necessary programs for
-converting UNIX password files to the shadow password format, plus
-programs for managing user and group accounts. The pwconv command
-converts passwords to the shadow password format. The pwunconv command
-unconverts shadow passwords and generates a passwd file (a standard
-UNIX password file). The pwck command checks the integrity of password
-and shadow files. The lastlog command prints out the last login times
-for all users. The useradd, userdel, and usermod commands are used for
-managing user accounts. The groupadd, groupdel, and groupmod commands
-are used for managing group accounts.
+Homepage
+	http://github.com/shadow-maint/shadow

-## Sites
-* [Homepage](https://github.com/shadow-maint/shadow)
-* [Issue tracker](https://github.com/shadow-maint/shadow/issues)
-* [Releases](https://github.com/shadow-maint/shadow/releases)
+Issue tracker
+	http://github.com/shadow-maint/shadow/issues

-## Code
+Releases
+	https://github.com/shadow-maint/shadow/releases

-The main development branch is at [https://github.com/shadow-maint/shadow.git](https://github.com/shadow-maint/shadow)
+Mailing lists
+	for general discuss: pkg-shadow-devel@alioth-lists.debian.net
+	commit list: pkg-shadow-commits@alioth-lists.debian.net

-See [STABLE.md](https://github.com/shadow-maint/shadow/blob/master/STABLE.md) for a list of supported stable branches.
+Mailing lists subscription
+	http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-devel
+	http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-commits

-## Contacts
-There are several ways to contact us:
-* [the general discussion mailing list](
-  https://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-devel)
-* the #shadow IRC channel on libera.chat:
-  * irc://irc.libera.chat/shadow
+Mailing lists archives:
+	http://alioth-lists.debian.net/pipermail/pkg-shadow-devel/
+	http://alioth-lists.debian.net/pipermail/pkg-shadow-commits/

-### Mailing archives
-* [the general discussion mailing list archive](
-  https://alioth-lists.debian.net/pipermail/pkg-shadow-devel/)
-* [the commit mailing list archive](
-  https://alioth-lists-archive.debian.net/pipermail/pkg-shadow-commits/),
-  only used for historical purposes
+S/Key support:
+	Shadow can be built with S/Key support using the S/Key package from:

-## Contributions
+	http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libskey/
+	or
+	http://gentoo.osuosl.org/distfiles/skey-1.1.5.tar.bz2

-Contributions are welcome. Follow the
-[guidelines](doc/contributions/introduction.md) before posting any patches.
+Authors and contributors
+========================
+
+Thanks to at least the following people for sending patches, bug
+reports and various comments.  This list may be incomplete, I received
+a lot of mail...
+
+
+Adam Rudnicki <adam@v-lo.krakow.pl>
+Alan Curry <pacman@tardis.mars.net>
+Aleksa Sarai <cyphar@cyphar.com>
+Alexander O. Yuriev <alex@bach.cis.temple.edu>
+Algis Rudys <arudys@rice.edu>
+Andreas Jaeger <aj@arthur.rhein-neckar.de>
+Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it>
+Anton Gluck <gluc@midway.uchicago.edu>
+Arkadiusz Miskiewicz <misiek@pld.org.pl>
+Ben Collins <bcollins@debian.org>
+Brian R. Gaeke <brg@dgate.org>
+Calle Karlsson <ckn@kash.se>
+Chip Rosenthal <chip@unicom.com>
+Chris Evans <lady0110@sable.ox.ac.uk>
+Chris Lamb <chris@chris-lamb.co.uk>
+Cristian Gafton <gafton@sorosis.ro>
+Dan Walsh <dwalsh@redhat.com>
+Darcy Boese <possum@chardonnay.niagara.com>
+Dave Hagewood <admin@arrowweb.com>
+David A. Holland <dholland@hcs.harvard.edu>
+David Frey <David.Frey@lugs.ch>
+Ed Carp <ecarp@netcom.com>
+Eric W. Biederman" <ebiederm@xmission.com>
+Floody <flood@evcom.net>
+Frank Denis <j@4u.net>
+George Kraft IV <gk4@us.ibm.com>
+Greg Mortensen <loki@world.std.com>
+Guido van Rooij
+Guy Maor <maor@debian.org>
+Hrvoje Dogan <hdogan@bjesomar.srce.hr>
+Jakub Hrozek <jhrozek@redhat.com>
+Janos Farkas <chexum@bankinf.banki.hu>
+Jay Soffian <jay@lw.net>
+Jesse Thilo <Jesse.Thilo@pobox.com>
+Joey Hess <joey@kite.ml.org>
+John Adelsberger <jja@umr.edu>
+Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us>
+Jon Lewis <jlewis@lewis.org>
+Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
+Judd Bourgeois <shagboy@bluesky.net>
+Juergen Heinzl <unicorn@noris.net>
+Juha Virtanen <jiivee@iki.fi>
+Julian Pidancet <julian.pidancet@gmail.com>
+Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Leonard N. Zubkoff <lnz@dandelion.com>
+Luca Berra <bluca@www.polimi.it>
+Lukáš Kuklínek <lkukline@redhat.com>
+Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
+Marc Ewing <marc@redhat.com>
+Martin Bene <mb@sime.com>
+Martin Mares <mj@gts.cz>
+Michael Meskes <meskes@topsystem.de>
+Michael Talbot-Wilson <mike@calypso.bns.com.au>
+Michael Vetter <jubalh@iodoru.org>
+Mike Frysinger <vapier@gentoo.org>
+Mike Pakovic <mpakovic@users.southeast.net>
+Nicolas François <nicolas.francois@centraliens.net>
+Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
+Pavel Machek <pavel@bug.ucw.cz>
+Peter Vrabec <pvrabec@redhat.com>
+Phillip Street
+Rafał Maszkowski <rzm@icm.edu.pl>
+Rani Chouha <ranibey@smartec.com>
+Sami Kerola <kerolasa@rocketmail.com>
+Scott Garman <scott.a.garman@intel.com>
+Sebastian Rick Rijkers <srrijkers@gmail.com>
+Seraphim Mellos <mellos@ceid.upatras.gr>
+Shane Watts <shane@nexus.mlckew.edu.au>
+Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
+Thorsten Kukuk <kukuk@suse.de>
+Tim Hockin <thockin@eagle.ais.net>
+Timo Karjalainen <timok@iki.fi>
+Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es>
+Werner Fink <werner@suse.de>
+
+Maintainers
+===========
+
+Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
+Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
+Serge E. Hallyn <serge@hallyn.com> (2014-now)
+Christian Brauner <christian@brauner.io> (2019-now)

-## Authors and maintainers
-Authors and maintainers are listed in [AUTHORS.md](
-https://github.com/shadow-maint/shadow/blob/master/AUTHORS.md).
--- a/127
+++ b/127
@@ -0,0 +1,127 @@
+ * Create a common usage function that'd take the array of     
+   long options and an array of descriptions and output that so things would
+   be standardized across the utils.
+   Usage strings should be normalized and split first.
+   Investigate optparse.
+
+
+/etc/default/useradd
+ * GROUP=1000 should accept a group name.
+
+Check when RLOGIN is enabled if ruserok() exists
+
+Move selinux_file_context out of libmisc/copydir.c
+
+Review hardcoded root account?
+
+review all call to strto
+
+libmisc/cleanup_user.c
+	cleanup needed (cleanup_report_add_user* not used)
+
+
+libxcrypt support
+ * http://wiki.linuxfromscratch.org/patches/browser/trunk/shadow/shadow-4.0.18.1-owl_blowfish-1.patch
+
+implement getlong, getulong.
+	avoid atoi, atol, atoul, strtol, strtoul, ...
+
+manpages: comment the RLOGIN parts
+
+Replace build_list (in lib/gshadow.c) and list (in lib/sgetgrent.c) by
+comma_to_list()
+
+Revert the modified files if all files could not be changed.
+  * or warn and indicate which files were modified and which were not.
+  * check the order the files are modified.
+
+report nscd_flush_cache failures?
+call nscd from the programs or from lib (commonio?)
+
+PAM: check if a non-interactive conversation function could be used to set
+the password in chpasswd and newusers
+
+WITH_SELINUX
+  - review all tools to check that the strategies are consistent
+
+chage, chfn, chsh: same change needed as in passwd.
+  - probably need moving check_selinux_access to a separate file.
+
+testsuite
+ - newgrp
+   - test with unknown user's GID
+
+newusers
+ - add logging to SYSLOG & AUDIT
+ - use CREATE_HOME
+ - Add a -Z option (see useradd / usermod)
+
+Document when/where option appeared, document whether an option is standard
+or not.
+
+Check all the expiry semantics
+
+ALL:
+- move base passwd/shadow/group/gshadow operation to module for allow write
+  different backend modules for db, NIS, LDAP and others. Default backend it
+  will be goot if will be chosen depending on /etc/nsswitch.conf and allow
+  override this by -r <repository> options (where the <repository> can be
+  file, db, nis nisplus, ldap .. like on /etc/nsswitch.conf in service column).
+  passwd have old piece of code with handling -r option and it will be good
+  finish this and propagate on other shadow tools for allow operate on other
+  user databases by well known tools.
+- Protect against signals. Register do_cleanups in a signal handler.
+
+- login.defs
+  - generate depending on configuration
+
+- useradd:
+  - add handle create user mail spool in maildir format.
+  - Add support for -k in -D mode
+  - Add support for -K in -D mode
+  - Add option to create or not the mail spool (and set the default in -D
+    mode)
+  - Change -l to reset the entry if an entry was already there
+  - set the mask in mkdir?
+
+- userdel:
+  - add backup option for the removal of user resources,
+  - user_busy: check that the user is not running any processes.
+  - missing "deleting group" FAILED
+  - home dir removed, but userdel may fail and may leave the user
+    => warning needed
+
+- usermod
+  - add an option equivalent to useradd's -l (only when uid is changed)
+  - the mode of new home directories should be set according to the
+    original mode. Does copy_tree does this?
+  - user renamed, order is not kept in /etc/group (see
+    47_usermod-l_no_shadow_file). This is a problem when the first user is
+    considered as the admin.
+  - see mail "user ID change" on  April, 15
+    + fix call to chown (combination of -m and -u/-g)
+    + add tests
+
+- passwd:
+  - check combination of options (e.g. -u/-l)
+  - when -u refuse to unlock because it would create an empty password, it
+    should not display "Password changed."
+    exit instead?
+
+- newgrp: check the USE_PAM section.
+
+- pwck
+  - Add check to move passwd passwords to shadow if there is a shadow
+    entry (with a password).
+  - Add check to move passwd passwords to shadow if there is a shadow
+    file.
+  - Support an alternative /etc/tcb directory as second parameter.
+  - add options -g / -G to specify alternative group / gshadow files
+
+- su
+  - add a login.defs configuration parameter to add variables to keep in
+    the environment with "su -l" (TERM/TERMCOLOR/...)
+
+- vipw
+  - set ACLs and XATTRs on the temporary file (and backups?)
+  - vipw + selinux -> use lib/selinux.c
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -6,7 +6,7 @@ AC_DEFUN([JH_PATH_XML_CATALOG],
 [
  # check for the presence of the XML catalog
  AC_ARG_WITH([xml-catalog],
-              AS_HELP_STRING([--with-xml-catalog=CATALOG],
+              AC_HELP_STRING([--with-xml-catalog=CATALOG],
                             [path to xml catalog to use]),,
              [with_xml_catalog=/etc/xml/catalog])
  jh_found_xmlcatalog=true
--- a/aclocal.m4
+++ b/aclocal.m4
--- a/build-aux/config.guess
+++ b/build-aux/config.guess
--- a/build-aux/config.rpath
+++ b/build-aux/config.rpath
@@ -1,690 +0,0 @@
-#! /bin/sh
-# Output a system dependent set of variables, describing how to set the
-# run time search path of shared libraries in an executable.
-#
-#   Copyright 1996-2014 Free Software Foundation, Inc.
-#   Taken from GNU libtool, 2001
-#   Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-#
-#   This file is free software; the Free Software Foundation gives
-#   unlimited permission to copy and/or distribute it, with or without
-#   modifications, as long as this notice is preserved.
-#
-# The first argument passed to this file is the canonical host specification,
-#    CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
-# or
-#    CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
-# The environment variables CC, GCC, LDFLAGS, LD, with_gnu_ld
-# should be set by the caller.
-#
-# The set of defined variables is at the end of this script.
-
-# Known limitations:
-# - On IRIX 6.5 with CC="cc", the run time search patch must not be longer
-#   than 256 bytes, otherwise the compiler driver will dump core. The only
-#   known workaround is to choose shorter directory names for the build
-#   directory and/or the installation directory.
-
-# All known linkers require a '.a' archive for static linking (except MSVC,
-# which needs '.lib').
-libext=a
-shrext=.so
-
-host="$1"
-host_cpu=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
-host_vendor=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
-host_os=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
-
-# Code taken from libtool.m4's _LT_CC_BASENAME.
-
-for cc_temp in $CC""; do
-  case $cc_temp in
-    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
-    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
-    \-*) ;;
-    *) break;;
-  esac
-done
-cc_basename=`echo "$cc_temp" | sed -e 's%^.*/%%'`
-
-# Code taken from libtool.m4's _LT_COMPILER_PIC.
-
-wl=
-if test "$GCC" = yes; then
-  wl='-Wl,'
-else
-  case "$host_os" in
-    aix*)
-      wl='-Wl,'
-      ;;
-    mingw* | cygwin* | pw32* | os2* | cegcc*)
-      ;;
-    hpux9* | hpux10* | hpux11*)
-      wl='-Wl,'
-      ;;
-    irix5* | irix6* | nonstopux*)
-      wl='-Wl,'
-      ;;
-    linux* | k*bsd*-gnu | kopensolaris*-gnu)
-      case $cc_basename in
-        ecc*)
-          wl='-Wl,'
-          ;;
-        icc* | ifort*)
-          wl='-Wl,'
-          ;;
-        lf95*)
-          wl='-Wl,'
-          ;;
-        nagfor*)
-          wl='-Wl,-Wl,,'
-          ;;
-        pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*)
-          wl='-Wl,'
-          ;;
-        ccc*)
-          wl='-Wl,'
-          ;;
-        xl* | bgxl* | bgf* | mpixl*)
-          wl='-Wl,'
-          ;;
-        como)
-          wl='-lopt='
-          ;;
-        *)
-          case `$CC -V 2>&1 | sed 5q` in
-            *Sun\ F* | *Sun*Fortran*)
-              wl=
-              ;;
-            *Sun\ C*)
-              wl='-Wl,'
-              ;;
-          esac
-          ;;
-      esac
-      ;;
-    newsos6)
-      ;;
-    *nto* | *qnx*)
-      ;;
-    osf3* | osf4* | osf5*)
-      wl='-Wl,'
-      ;;
-    rdos*)
-      ;;
-    solaris*)
-      case $cc_basename in
-        f77* | f90* | f95* | sunf77* | sunf90* | sunf95*)
-          wl='-Qoption ld '
-          ;;
-        *)
-          wl='-Wl,'
-          ;;
-      esac
-      ;;
-    sunos4*)
-      wl='-Qoption ld '
-      ;;
-    sysv4 | sysv4.2uw2* | sysv4.3*)
-      wl='-Wl,'
-      ;;
-    sysv4*MP*)
-      ;;
-    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
-      wl='-Wl,'
-      ;;
-    unicos*)
-      wl='-Wl,'
-      ;;
-    uts4*)
-      ;;
-  esac
-fi
-
-# Code taken from libtool.m4's _LT_LINKER_SHLIBS.
-
-hardcode_libdir_flag_spec=
-hardcode_libdir_separator=
-hardcode_direct=no
-hardcode_minus_L=no
-
-case "$host_os" in
-  cygwin* | mingw* | pw32* | cegcc*)
-    # FIXME: the MSVC++ port hasn't been tested in a loooong time
-    # When not using gcc, we currently assume that we are using
-    # Microsoft Visual C++.
-    if test "$GCC" != yes; then
-      with_gnu_ld=no
-    fi
-    ;;
-  interix*)
-    # we just hope/assume this is gcc and not c89 (= MSVC++)
-    with_gnu_ld=yes
-    ;;
-  openbsd*)
-    with_gnu_ld=no
-    ;;
-esac
-
-ld_shlibs=yes
-if test "$with_gnu_ld" = yes; then
-  # Set some defaults for GNU ld with shared library support. These
-  # are reset later if shared libraries are not supported. Putting them
-  # here allows them to be overridden if necessary.
-  # Unlike libtool, we use -rpath here, not --rpath, since the documented
-  # option of GNU ld is called -rpath, not --rpath.
-  hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-  case "$host_os" in
-    aix[3-9]*)
-      # On AIX/PPC, the GNU linker is very broken
-      if test "$host_cpu" != ia64; then
-        ld_shlibs=no
-      fi
-      ;;
-    amigaos*)
-      case "$host_cpu" in
-        powerpc)
-          ;;
-        m68k)
-          hardcode_libdir_flag_spec='-L$libdir'
-          hardcode_minus_L=yes
-          ;;
-      esac
-      ;;
-    beos*)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-        :
-      else
-        ld_shlibs=no
-      fi
-      ;;
-    cygwin* | mingw* | pw32* | cegcc*)
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      hardcode_libdir_flag_spec='-L$libdir'
-      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        :
-      else
-        ld_shlibs=no
-      fi
-      ;;
-    haiku*)
-      ;;
-    interix[3-9]*)
-      hardcode_direct=no
-      hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
-      ;;
-    gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-        :
-      else
-        ld_shlibs=no
-      fi
-      ;;
-    netbsd*)
-      ;;
-    solaris*)
-      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
-        ld_shlibs=no
-      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-        :
-      else
-        ld_shlibs=no
-      fi
-      ;;
-    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
-      case `$LD -v 2>&1` in
-        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
-          ld_shlibs=no
-          ;;
-        *)
-          if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-            hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
-          else
-            ld_shlibs=no
-          fi
-          ;;
-      esac
-      ;;
-    sunos4*)
-      hardcode_direct=yes
-      ;;
-    *)
-      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-        :
-      else
-        ld_shlibs=no
-      fi
-      ;;
-  esac
-  if test "$ld_shlibs" = no; then
-    hardcode_libdir_flag_spec=
-  fi
-else
-  case "$host_os" in
-    aix3*)
-      # Note: this linker hardcodes the directories in LIBPATH if there
-      # are no directories specified by -L.
-      hardcode_minus_L=yes
-      if test "$GCC" = yes; then
-        # Neither direct hardcoding nor static linking is supported with a
-        # broken collect2.
-        hardcode_direct=unsupported
-      fi
-      ;;
-    aix[4-9]*)
-      if test "$host_cpu" = ia64; then
-        # On IA64, the linker does run time linking by default, so we don't
-        # have to do anything special.
-        aix_use_runtimelinking=no
-      else
-        aix_use_runtimelinking=no
-        # Test if we are trying to use run time linking or normal
-        # AIX style linking. If -brtl is somewhere in LDFLAGS, we
-        # need to do runtime linking.
-        case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*)
-          for ld_flag in $LDFLAGS; do
-            if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
-              aix_use_runtimelinking=yes
-              break
-            fi
-          done
-          ;;
-        esac
-      fi
-      hardcode_direct=yes
-      hardcode_libdir_separator=':'
-      if test "$GCC" = yes; then
-        case $host_os in aix4.[012]|aix4.[012].*)
-          collect2name=`${CC} -print-prog-name=collect2`
-          if test -f "$collect2name" && \
-            strings "$collect2name" | grep resolve_lib_name >/dev/null
-          then
-            # We have reworked collect2
-            :
-          else
-            # We have old collect2
-            hardcode_direct=unsupported
-            hardcode_minus_L=yes
-            hardcode_libdir_flag_spec='-L$libdir'
-            hardcode_libdir_separator=
-          fi
-          ;;
-        esac
-      fi
-      # Begin _LT_AC_SYS_LIBPATH_AIX.
-      echo 'int main () { return 0; }' > conftest.c
-      ${CC} ${LDFLAGS} conftest.c -o conftest
-      aix_libpath=`dump -H conftest 2>/dev/null | sed -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`
-      if test -z "$aix_libpath"; then
-        aix_libpath=`dump -HX64 conftest 2>/dev/null | sed -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`
-      fi
-      if test -z "$aix_libpath"; then
-        aix_libpath="/usr/lib:/lib"
-      fi
-      rm -f conftest.c conftest
-      # End _LT_AC_SYS_LIBPATH_AIX.
-      if test "$aix_use_runtimelinking" = yes; then
-        hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
-      else
-        if test "$host_cpu" = ia64; then
-          hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
-        else
-          hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
-        fi
-      fi
-      ;;
-    amigaos*)
-      case "$host_cpu" in
-        powerpc)
-          ;;
-        m68k)
-          hardcode_libdir_flag_spec='-L$libdir'
-          hardcode_minus_L=yes
-          ;;
-      esac
-      ;;
-    bsdi[45]*)
-      ;;
-    cygwin* | mingw* | pw32* | cegcc*)
-      # When not using gcc, we currently assume that we are using
-      # Microsoft Visual C++.
-      # hardcode_libdir_flag_spec is actually meaningless, as there is
-      # no search path for DLLs.
-      hardcode_libdir_flag_spec=' '
-      libext=lib
-      ;;
-    darwin* | rhapsody*)
-      hardcode_direct=no
-      if { case $cc_basename in ifort*) true;; *) test "$GCC" = yes;; esac; }; then
-        :
-      else
-        ld_shlibs=no
-      fi
-      ;;
-    dgux*)
-      hardcode_libdir_flag_spec='-L$libdir'
-      ;;
-    freebsd2.2*)
-      hardcode_libdir_flag_spec='-R$libdir'
-      hardcode_direct=yes
-      ;;
-    freebsd2*)
-      hardcode_direct=yes
-      hardcode_minus_L=yes
-      ;;
-    freebsd* | dragonfly*)
-      hardcode_libdir_flag_spec='-R$libdir'
-      hardcode_direct=yes
-      ;;
-    hpux9*)
-      hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-      hardcode_libdir_separator=:
-      hardcode_direct=yes
-      # hardcode_minus_L: Not really in the search PATH,
-      # but as the default location of the library.
-      hardcode_minus_L=yes
-      ;;
-    hpux10*)
-      if test "$with_gnu_ld" = no; then
-        hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-        hardcode_libdir_separator=:
-        hardcode_direct=yes
-        # hardcode_minus_L: Not really in the search PATH,
-        # but as the default location of the library.
-        hardcode_minus_L=yes
-      fi
-      ;;
-    hpux11*)
-      if test "$with_gnu_ld" = no; then
-        hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-        hardcode_libdir_separator=:
-        case $host_cpu in
-          hppa*64*|ia64*)
-            hardcode_direct=no
-            ;;
-          *)
-            hardcode_direct=yes
-            # hardcode_minus_L: Not really in the search PATH,
-            # but as the default location of the library.
-            hardcode_minus_L=yes
-            ;;
-        esac
-      fi
-      ;;
-    irix5* | irix6* | nonstopux*)
-      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator=:
-      ;;
-    netbsd*)
-      hardcode_libdir_flag_spec='-R$libdir'
-      hardcode_direct=yes
-      ;;
-    newsos6)
-      hardcode_direct=yes
-      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator=:
-      ;;
-    *nto* | *qnx*)
-      ;;
-    openbsd*)
-      if test -f /usr/libexec/ld.so; then
-        hardcode_direct=yes
-        if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-          hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
-        else
-          case "$host_os" in
-            openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
-              hardcode_libdir_flag_spec='-R$libdir'
-              ;;
-            *)
-              hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
-              ;;
-          esac
-        fi
-      else
-        ld_shlibs=no
-      fi
-      ;;
-    os2*)
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_minus_L=yes
-      ;;
-    osf3*)
-      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-      hardcode_libdir_separator=:
-      ;;
-    osf4* | osf5*)
-      if test "$GCC" = yes; then
-        hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
-      else
-        # Both cc and cxx compiler support -rpath directly
-        hardcode_libdir_flag_spec='-rpath $libdir'
-      fi
-      hardcode_libdir_separator=:
-      ;;
-    solaris*)
-      hardcode_libdir_flag_spec='-R$libdir'
-      ;;
-    sunos4*)
-      hardcode_libdir_flag_spec='-L$libdir'
-      hardcode_direct=yes
-      hardcode_minus_L=yes
-      ;;
-    sysv4)
-      case $host_vendor in
-        sni)
-          hardcode_direct=yes # is this really true???
-          ;;
-        siemens)
-          hardcode_direct=no
-          ;;
-        motorola)
-          hardcode_direct=no #Motorola manual says yes, but my tests say they lie
-          ;;
-      esac
-      ;;
-    sysv4.3*)
-      ;;
-    sysv4*MP*)
-      if test -d /usr/nec; then
-        ld_shlibs=yes
-      fi
-      ;;
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
-      ;;
-    sysv5* | sco3.2v5* | sco5v6*)
-      hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
-      hardcode_libdir_separator=':'
-      ;;
-    uts4*)
-      hardcode_libdir_flag_spec='-L$libdir'
-      ;;
-    *)
-      ld_shlibs=no
-      ;;
-  esac
-fi
-
-# Check dynamic linker characteristics
-# Code taken from libtool.m4's _LT_SYS_DYNAMIC_LINKER.
-# Unlike libtool.m4, here we don't care about _all_ names of the library, but
-# only about the one the linker finds when passed -lNAME. This is the last
-# element of library_names_spec in libtool.m4, or possibly two of them if the
-# linker has special search rules.
-library_names_spec=      # the last element of library_names_spec in libtool.m4
-libname_spec='lib$name'
-case "$host_os" in
-  aix3*)
-    library_names_spec='$libname.a'
-    ;;
-  aix[4-9]*)
-    library_names_spec='$libname$shrext'
-    ;;
-  amigaos*)
-    case "$host_cpu" in
-      powerpc*)
-        library_names_spec='$libname$shrext' ;;
-      m68k)
-        library_names_spec='$libname.a' ;;
-    esac
-    ;;
-  beos*)
-    library_names_spec='$libname$shrext'
-    ;;
-  bsdi[45]*)
-    library_names_spec='$libname$shrext'
-    ;;
-  cygwin* | mingw* | pw32* | cegcc*)
-    shrext=.dll
-    library_names_spec='$libname.dll.a $libname.lib'
-    ;;
-  darwin* | rhapsody*)
-    shrext=.dylib
-    library_names_spec='$libname$shrext'
-    ;;
-  dgux*)
-    library_names_spec='$libname$shrext'
-    ;;
-  freebsd* | dragonfly*)
-    case "$host_os" in
-      freebsd[123]*)
-        library_names_spec='$libname$shrext$versuffix' ;;
-      *)
-        library_names_spec='$libname$shrext' ;;
-    esac
-    ;;
-  gnu*)
-    library_names_spec='$libname$shrext'
-    ;;
-  haiku*)
-    library_names_spec='$libname$shrext'
-    ;;
-  hpux9* | hpux10* | hpux11*)
-    case $host_cpu in
-      ia64*)
-        shrext=.so
-        ;;
-      hppa*64*)
-        shrext=.sl
-        ;;
-      *)
-        shrext=.sl
-        ;;
-    esac
-    library_names_spec='$libname$shrext'
-    ;;
-  interix[3-9]*)
-    library_names_spec='$libname$shrext'
-    ;;
-  irix5* | irix6* | nonstopux*)
-    library_names_spec='$libname$shrext'
-    case "$host_os" in
-      irix5* | nonstopux*)
-        libsuff= shlibsuff=
-        ;;
-      *)
-        case $LD in
-          *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") libsuff= shlibsuff= ;;
-          *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") libsuff=32 shlibsuff=N32 ;;
-          *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") libsuff=64 shlibsuff=64 ;;
-          *) libsuff= shlibsuff= ;;
-        esac
-        ;;
-    esac
-    ;;
-  linux*oldld* | linux*aout* | linux*coff*)
-    ;;
-  linux* | k*bsd*-gnu | kopensolaris*-gnu)
-    library_names_spec='$libname$shrext'
-    ;;
-  knetbsd*-gnu)
-    library_names_spec='$libname$shrext'
-    ;;
-  netbsd*)
-    library_names_spec='$libname$shrext'
-    ;;
-  newsos6)
-    library_names_spec='$libname$shrext'
-    ;;
-  *nto* | *qnx*)
-    library_names_spec='$libname$shrext'
-    ;;
-  openbsd*)
-    library_names_spec='$libname$shrext$versuffix'
-    ;;
-  os2*)
-    libname_spec='$name'
-    shrext=.dll
-    library_names_spec='$libname.a'
-    ;;
-  osf3* | osf4* | osf5*)
-    library_names_spec='$libname$shrext'
-    ;;
-  rdos*)
-    ;;
-  solaris*)
-    library_names_spec='$libname$shrext'
-    ;;
-  sunos4*)
-    library_names_spec='$libname$shrext$versuffix'
-    ;;
-  sysv4 | sysv4.3*)
-    library_names_spec='$libname$shrext'
-    ;;
-  sysv4*MP*)
-    library_names_spec='$libname$shrext'
-    ;;
-  sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
-    library_names_spec='$libname$shrext'
-    ;;
-  tpf*)
-    library_names_spec='$libname$shrext'
-    ;;
-  uts4*)
-    library_names_spec='$libname$shrext'
-    ;;
-esac
-
-sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
-escaped_wl=`echo "X$wl" | sed -e 's/^X//' -e "$sed_quote_subst"`
-shlibext=`echo "$shrext" | sed -e 's,^\.,,'`
-escaped_libname_spec=`echo "X$libname_spec" | sed -e 's/^X//' -e "$sed_quote_subst"`
-escaped_library_names_spec=`echo "X$library_names_spec" | sed -e 's/^X//' -e "$sed_quote_subst"`
-escaped_hardcode_libdir_flag_spec=`echo "X$hardcode_libdir_flag_spec" | sed -e 's/^X//' -e "$sed_quote_subst"`
-
-LC_ALL=C sed -e 's/^\([a-zA-Z0-9_]*\)=/acl_cv_\1=/' <<EOF
-
-# How to pass a linker flag through the compiler.
-wl="$escaped_wl"
-
-# Static library suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally "so").
-shlibext="$shlibext"
-
-# Format of library name prefix.
-libname_spec="$escaped_libname_spec"
-
-# Library names that the linker finds when passed -lNAME.
-library_names_spec="$escaped_library_names_spec"
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec="$escaped_hardcode_libdir_flag_spec"
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator="$hardcode_libdir_separator"
-
-# Set to yes if using DIR/libNAME.so during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct="$hardcode_direct"
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L="$hardcode_minus_L"
-
-EOF
--- a/build-aux/config.sub
+++ b/build-aux/config.sub
--- a/build-aux/test-driver
+++ b/build-aux/test-driver
@@ -1,160 +0,0 @@
-#! /bin/sh
-# test-driver - basic testsuite driver script.
-
-scriptversion=2025-06-18.21; # UTC
-
-# Copyright (C) 2011-2025 Free Software Foundation, Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# This file is maintained in Automake, please report
-# bugs to <bug-automake@gnu.org> or send patches to
-# <automake-patches@gnu.org>.
-
-# Make unconditional expansion of undefined variables an error.  This
-# helps a lot in preventing typo-related bugs.
-set -u
-
-usage_error ()
-{
-  echo "$0: $*" >&2
-  print_usage >&2
-  exit 2
-}
-
-print_usage ()
-{
-  cat <<END
-Usage:
-  test-driver --test-name NAME --log-file PATH --trs-file PATH
-              [--expect-failure {yes|no}] [--color-tests {yes|no}]
-              [--collect-skipped-logs {yes|no}]
-              [--enable-hard-errors {yes|no}] [--]
-              TEST-SCRIPT [TEST-SCRIPT-ARGUMENTS]
-
-The '--test-name', '--log-file' and '--trs-file' options are mandatory.
-See the GNU Automake documentation for information.
-
-Report bugs to <bug-automake@gnu.org>.
-GNU Automake home page: <https://www.gnu.org/software/automake/>.
-General help using GNU software: <https://www.gnu.org/gethelp/>.
-END
-}
-
-test_name= # Used for reporting.
-log_file=  # Where to save the output of the test script.
-trs_file=  # Where to save the metadata of the test run.
-expect_failure=no
-color_tests=no
-collect_skipped_logs=yes
-enable_hard_errors=yes
-while test $# -gt 0; do
-  case $1 in
-  --help) print_usage; exit $?;;
-  --version) echo "test-driver (GNU Automake) $scriptversion"; exit $?;;
-  --test-name) test_name=$2; shift;;
-  --log-file) log_file=$2; shift;;
-  --trs-file) trs_file=$2; shift;;
-  --color-tests) color_tests=$2; shift;;
-  --collect-skipped-logs) collect_skipped_logs=$2; shift;;
-  --expect-failure) expect_failure=$2; shift;;
-  --enable-hard-errors) enable_hard_errors=$2; shift;;
-  --) shift; break;;
-  -*) usage_error "invalid option: '$1'";;
-   *) break;;
-  esac
-  shift
-done
-
-missing_opts=
-test x"$test_name" = x && missing_opts="$missing_opts --test-name"
-test x"$log_file"  = x && missing_opts="$missing_opts --log-file"
-test x"$trs_file"  = x && missing_opts="$missing_opts --trs-file"
-if test x"$missing_opts" != x; then
-  usage_error "the following mandatory options are missing:$missing_opts"
-fi
-
-if test $# -eq 0; then
-  usage_error "missing argument"
-fi
-
-if test $color_tests = yes; then
-  # Keep this in sync with 'lib/am/check.am:$(am__tty_colors)'.
-  red='[0;31m' # Red.
-  grn='[0;32m' # Green.
-  lgn='[1;32m' # Light green.
-  blu='[1;34m' # Blue.
-  mgn='[0;35m' # Magenta.
-  std='[m'     # No color.
-else
-  red= grn= lgn= blu= mgn= std=
-fi
-
-do_exit='rm -f $log_file $trs_file; (exit $st); exit $st'
-trap "st=129; $do_exit" 1
-trap "st=130; $do_exit" 2
-trap "st=141; $do_exit" 13
-trap "st=143; $do_exit" 15
-
-# Test script is run here. We create the file first, then append to it,
-# to ameliorate tests themselves also writing to the log file. Our tests
-# don't, but others can (automake bug#35762).
-: >"$log_file"
-"$@" >>"$log_file" 2>&1
-estatus=$?
-
-if test $enable_hard_errors = no && test $estatus -eq 99; then
-  tweaked_estatus=1
-else
-  tweaked_estatus=$estatus
-fi
-
-case $tweaked_estatus:$expect_failure in
-  0:yes) col=$red res=XPASS recheck=yes gcopy=yes;;
-  0:*)   col=$grn res=PASS  recheck=no  gcopy=no;;
-  77:*)  col=$blu res=SKIP  recheck=no  gcopy=$collect_skipped_logs;;
-  99:*)  col=$mgn res=ERROR recheck=yes gcopy=yes;;
-  *:yes) col=$lgn res=XFAIL recheck=no  gcopy=yes;;
-  *:*)   col=$red res=FAIL  recheck=yes gcopy=yes;;
-esac
-
-# Report the test outcome and exit status in the logs, so that one can
-# know whether the test passed or failed simply by looking at the '.log'
-# file, without the need of also peaking into the corresponding '.trs'
-# file (automake bug#11814).
-echo "$res $test_name (exit status: $estatus)" >>"$log_file"
-
-# Report outcome to console.
-echo "${col}${res}${std}: $test_name"
-
-# Register the test result, and other relevant metadata.
-echo ":test-result: $res" > $trs_file
-echo ":global-test-result: $res" >> $trs_file
-echo ":recheck: $recheck" >> $trs_file
-echo ":copy-in-global-log: $gcopy" >> $trs_file
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'before-save-hook 'time-stamp nil t)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%Y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC0"
-# time-stamp-end: "; # UTC"
-# End:
--- a/build-aux/compile
+++ b/build-aux/compile
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Wrapper for compilers which do not understand '-c -o'.

-scriptversion=2025-06-18.21; # UTC
+scriptversion=2018-03-07.03; # UTC

-# Copyright (C) 1999-2025 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
 # Written by Tom Tromey <tromey@cygnus.com>.
 #
 # This program is free software; you can redistribute it and/or modify
@@ -37,11 +37,11 @@ IFS=" ""	$nl"

 file_conv=

-# func_file_conv build_file unneeded_conversions
+# func_file_conv build_file lazy
 # Convert a $build file to $host form and store it in $file
 # Currently only supports Windows hosts. If the determined conversion
-# type is listed in (the comma separated) UNNEEDED_CONVERSIONS, no
-# conversion will take place.
+# type is listed in (the comma separated) LAZY, no conversion will
+# take place.
 func_file_conv ()
 {
  file=$1
@@ -51,20 +51,9 @@ func_file_conv ()
 	# lazily determine how to convert abs files
 	case `uname -s` in
 	  MINGW*)
-	    if test -n "$MSYSTEM" && (cygpath --version) >/dev/null 2>&1; then
-	      # MSYS2 environment.
-	      file_conv=cygwin
-	    else
-	      # Original MinGW environment.
-	      file_conv=mingw
-	    fi
-	    ;;
-	  MSYS*)
-	    # Old MSYS environment, or MSYS2 with 32-bit MSYS2 shell.
-	    file_conv=cygwin
+	    file_conv=mingw
 	    ;;
 	  CYGWIN*)
-	    # Cygwin environment.
 	    file_conv=cygwin
 	    ;;
 	  *)
@@ -74,14 +63,12 @@ func_file_conv ()
      fi
      case $file_conv/,$2, in
 	*,$file_conv,*)
-	  # This is the optimization mentioned above:
-	  # If UNNEEDED_CONVERSIONS contains $file_conv, don't convert.
 	  ;;
 	mingw/*)
 	  file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
 	  ;;
 	cygwin/*)
-	  file=`cygpath -w "$file" || echo "$file"`
+	  file=`cygpath -m "$file" || echo "$file"`
 	  ;;
 	wine/*)
 	  file=`winepath -w "$file" || echo "$file"`
@@ -156,7 +143,7 @@ func_cl_wrapper ()
 	  # configure might choose to run compile as 'compile cc -o foo foo.c'.
 	  eat=1
 	  case $2 in
-	    *.o | *.lo | *.[oO][bB][jJ])
+	    *.o | *.[oO][bB][jJ])
 	      func_file_conv "$2"
 	      set x "$@" -Fo"$file"
 	      shift
@@ -261,17 +248,14 @@ If you are trying to build a whole package this is not the
 right script to run: please start by reading the file 'INSTALL'.

 Report bugs to <bug-automake@gnu.org>.
-GNU Automake home page: <https://www.gnu.org/software/automake/>.
-General help using GNU software: <https://www.gnu.org/gethelp/>.
 EOF
    exit $?
    ;;
  -v | --v*)
-    echo "compile (GNU Automake) $scriptversion"
+    echo "compile $scriptversion"
    exit $?
    ;;
  cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \
-  clang-cl | *[/\\]clang-cl | clang-cl.exe | *[/\\]clang-cl.exe | \
  icl | *[/\\]icl | icl.exe | *[/\\]icl.exe )
    func_cl_wrapper "$@"      # Doesn't return...
    ;;
@@ -356,9 +340,9 @@ exit $ret
 # Local Variables:
 # mode: shell-script
 # sh-indentation: 2
-# eval: (add-hook 'before-save-hook 'time-stamp nil t)
+# eval: (add-hook 'before-save-hook 'time-stamp)
 # time-stamp-start: "scriptversion="
-# time-stamp-format: "%Y-%02m-%02d.%02H"
+# time-stamp-format: "%:y-%02m-%02d.%02H"
 # time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
--- a/config.guess
+++ b/config.guess
--- a/config.h.in
+++ b/config.h.in
@@ -4,12 +4,6 @@
   authenticate the callers */
 #undef ACCT_TOOLS_SETUID

-/* Define to support lastlog. */
-#undef ENABLE_LASTLOG
-
-/* Define to manage session support with logind. */
-#undef ENABLE_LOGIND
-
 /* Define to 1 if translation of program messages to the user's native
   language is requested. */
 #undef ENABLE_NLS
@@ -20,6 +14,10 @@
 /* Path for faillog file. */
 #undef FAILLOG_FILE

+/* Define to the type of elements in the array set by `getgroups'. Usually
+   this is either `int' or `gid_t'. */
+#undef GETGROUPS_T
+
 /* max group name length */
 #undef GROUP_NAME_MAX_LENGTH

@@ -32,9 +30,6 @@
 /* Define to 1 if you have the <acl/libacl.h> header file. */
 #undef HAVE_ACL_LIBACL_H

-/* Define to 1 if you have the 'arc4random_buf' function. */
-#undef HAVE_ARC4RANDOM_BUF
-
 /* Define to 1 if you have the <attr/error_context.h> header file. */
 #undef HAVE_ATTR_ERROR_CONTEXT_H

@@ -53,73 +48,124 @@
   */
 #undef HAVE_DCGETTEXT

-/* Define to 1 if you have the declaration of 'cygwin_conv_path', and to 0 if
-   you don't. */
-#undef HAVE_DECL_CYGWIN_CONV_PATH
-
-/* Define to 1 if you have the declaration of 'PAM_DATA_SILENT', and to 0 if
+/* Define to 1 if you have the declaration of `PAM_DATA_SILENT', and to 0 if
   you don't. */
 #undef HAVE_DECL_PAM_DATA_SILENT

-/* Define to 1 if you have the declaration of 'PAM_DELETE_CRED', and to 0 if
+/* Define to 1 if you have the declaration of `PAM_DELETE_CRED', and to 0 if
   you don't. */
 #undef HAVE_DECL_PAM_DELETE_CRED

-/* Define to 1 if you have the declaration of 'PAM_ESTABLISH_CRED', and to 0
+/* Define to 1 if you have the declaration of `PAM_ESTABLISH_CRED', and to 0
   if you don't. */
 #undef HAVE_DECL_PAM_ESTABLISH_CRED

-/* Define to 1 if you have the declaration of 'PAM_NEW_AUTHTOK_REQD', and to 0
+/* Define to 1 if you have the declaration of `PAM_NEW_AUTHTOK_REQD', and to 0
   if you don't. */
 #undef HAVE_DECL_PAM_NEW_AUTHTOK_REQD

-/* Define if you have the GNU dld library. */
-#undef HAVE_DLD
-
-/* Define to 1 if you have the 'dlerror' function. */
-#undef HAVE_DLERROR
+/* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'.
+   */
+#undef HAVE_DIRENT_H

 /* Define to 1 if you have the <dlfcn.h> header file. */
 #undef HAVE_DLFCN_H

-/* Define if you have the _dyld_func_lookup function. */
-#undef HAVE_DYLD
+/* Define to 1 if you have the <errno.h> header file. */
+#undef HAVE_ERRNO_H

-/* Define to 1 if you have the 'explicit_bzero' function. */
-#undef HAVE_EXPLICIT_BZERO
+/* Define to 1 if you have the `fchmod' function. */
+#undef HAVE_FCHMOD

-/* Defined to 1 if you have the declaration of 'fgetpwent_r' */
-#undef HAVE_FGETPWENT_R
+/* Define to 1 if you have the `fchown' function. */
+#undef HAVE_FCHOWN

-/* Define to 1 if you have the 'getentropy' function. */
-#undef HAVE_GETENTROPY
+/* Define to 1 if you have the <fcntl.h> header file. */
+#undef HAVE_FCNTL_H

-/* Define to 1 if you have the 'getrandom' function. */
-#undef HAVE_GETRANDOM
+/* Define to 1 if you have the `fsync' function. */
+#undef HAVE_FSYNC

-/* Define to 1 if you have the 'getspnam_r' function. */
+/* Define to 1 if you have the `futimes' function. */
+#undef HAVE_FUTIMES
+
+/* Define to 1 if you have the `getaddrinfo' function. */
+#undef HAVE_GETADDRINFO
+
+/* Define to 1 if you have the `getgrgid_r' function. */
+#undef HAVE_GETGRGID_R
+
+/* Define to 1 if you have the `getgrnam_r' function. */
+#undef HAVE_GETGRNAM_R
+
+/* Define to 1 if you have the `getgroups' function. */
+#undef HAVE_GETGROUPS
+
+/* Define to 1 if you have the `gethostname' function. */
+#undef HAVE_GETHOSTNAME
+
+/* Define to 1 if you have the `getpwnam_r' function. */
+#undef HAVE_GETPWNAM_R
+
+/* Define to 1 if you have the `getpwuid_r' function. */
+#undef HAVE_GETPWUID_R
+
+/* Define to 1 if you have the `getspnam' function. */
+#undef HAVE_GETSPNAM
+
+/* Define to 1 if you have the `getspnam_r' function. */
 #undef HAVE_GETSPNAM_R

 /* Define if the GNU gettext() function is already present or preinstalled. */
 #undef HAVE_GETTEXT

+/* Define to 1 if you have the `gettimeofday' function. */
+#undef HAVE_GETTIMEOFDAY
+
+/* Define to 1 if you have the `getusershell' function. */
+#undef HAVE_GETUSERSHELL
+
+/* Define to 1 if you have the `getutent' function. */
+#undef HAVE_GETUTENT
+
+/* Define to 1 if you have the <gshadow.h> header file. */
+#undef HAVE_GSHADOW_H
+
 /* Define if you have the iconv() function and it works. */
 #undef HAVE_ICONV

-/* Define to 1 if you have the 'innetgr' function. */
+/* Define to 1 if you have the `initgroups' function. */
+#undef HAVE_INITGROUPS
+
+/* Define to 1 if you have the `innetgr' function. */
 #undef HAVE_INNETGR

 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H

-/* Define to 1 if you have the 'lckpwdf' function. */
+/* Define to 1 if you have the `l64a' function. */
+#undef HAVE_L64A
+
+/* Define to 1 if you have the <lastlog.h> header file. */
+#undef HAVE_LASTLOG_H
+
+/* Define to 1 if you have the `lchown' function. */
+#undef HAVE_LCHOWN
+
+/* Define to 1 if you have the `lckpwdf' function. */
 #undef HAVE_LCKPWDF

-/* Define if you have the libdl library or equivalent. */
-#undef HAVE_LIBDL
+/* Defined if you have libcrack. */
+#undef HAVE_LIBCRACK

-/* Define if libdlloader will be built on this platform */
-#undef HAVE_LIBDLLOADER
+/* Defined if you have the ts&szs cracklib. */
+#undef HAVE_LIBCRACK_HIST
+
+/* Defined if it includes *Pw functions. */
+#undef HAVE_LIBCRACK_PW
+
+/* Define to 1 if you have the <limits.h> header file. */
+#undef HAVE_LIMITS_H

 /* Define to 1 if you have the <linux/btrfs_tree.h> header file. */
 #undef HAVE_LINUX_BTRFS_TREE_H
@@ -130,29 +176,56 @@
 /* Define if struct lastlog has ll_host */
 #undef HAVE_LL_HOST

-/* Define to 1 if you have the 'lutimes' function. */
+/* Define to 1 if you have the <locale.h> header file. */
+#undef HAVE_LOCALE_H
+
+/* Define to 1 if you have the `lstat' function. */
+#undef HAVE_LSTAT
+
+/* Define to 1 if you have the `lutimes' function. */
 #undef HAVE_LUTIMES

-/* Define to 1 if you have the 'memset_explicit' function. */
-#undef HAVE_MEMSET_EXPLICIT
+/* Define to 1 if you have the `memcpy' function. */
+#undef HAVE_MEMCPY

-/* Define to 1 if you have the <minix/config.h> header file. */
-#undef HAVE_MINIX_CONFIG_H
+/* Define to 1 if you have the <memory.h> header file. */
+#undef HAVE_MEMORY_H

-/* Define to 1 if you have the 'putgrent' function. */
+/* Define to 1 if you have the `memset' function. */
+#undef HAVE_MEMSET
+
+/* Define to 1 if you have the `mkdir' function. */
+#undef HAVE_MKDIR
+
+/* Define to 1 if you have the <ndir.h> header file, and it defines `DIR'. */
+#undef HAVE_NDIR_H
+
+/* Define to 1 if you have the <netdb.h> header file. */
+#undef HAVE_NETDB_H
+
+/* Define to 1 if you have the <paths.h> header file. */
+#undef HAVE_PATHS_H
+
+/* Define to 1 if you have the `putgrent' function. */
 #undef HAVE_PUTGRENT

-/* Define to 1 if you have the 'putpwent' function. */
+/* Define to 1 if you have the `putpwent' function. */
 #undef HAVE_PUTPWENT

-/* Define to 1 if you have the 'putspent' function. */
+/* Define to 1 if you have the `putspent' function. */
 #undef HAVE_PUTSPENT

-/* Define to 1 if you have the <readpassphrase.h> header file. */
-#undef HAVE_READPASSPHRASE_H
+/* Define to 1 if you have the `rename' function. */
+#undef HAVE_RENAME

-/* Define to 1 if you have the 'rpmatch' function. */
-#undef HAVE_RPMATCH
+/* Define to 1 if you have the `rmdir' function. */
+#undef HAVE_RMDIR
+
+/* Define to 1 if you have the <rpc/key_prot.h> header file. */
+#undef HAVE_RPC_KEY_PROT_H
+
+/* Define to 1 if you have the `ruserok' function. */
+#undef HAVE_RUSEROK

 /* Define to 1 if you have the <security/openpam.h> header file. */
 #undef HAVE_SECURITY_OPENPAM_H
@@ -166,32 +239,53 @@
 /* Define to 1 if you have the <semanage/semanage.h> header file. */
 #undef HAVE_SEMANAGE_SEMANAGE_H

-/* Define to 1 if you have the 'sgetgrent' function. */
+/* Define to 1 if you have the `setgroups' function. */
+#undef HAVE_SETGROUPS
+
+/* Define to 1 if you have the `sgetgrent' function. */
 #undef HAVE_SGETGRENT

-/* Define to 1 if you have the 'sgetpwent' function. */
+/* Define to 1 if you have the `sgetpwent' function. */
 #undef HAVE_SGETPWENT

-/* Define to 1 if you have the 'sgetspent' function. */
+/* Define to 1 if you have the `sgetspent' function. */
 #undef HAVE_SGETSPENT

-/* Define if you have the shl_load function. */
-#undef HAVE_SHL_LOAD
+/* Define to 1 if you have the <sgtty.h> header file. */
+#undef HAVE_SGTTY_H
+
+/* Have working shadow group support in libc */
+#undef HAVE_SHADOWGRP
+
+/* Define to 1 if you have the `sigaction' function. */
+#undef HAVE_SIGACTION
+
+/* Define to 1 if you have the `snprintf' function. */
+#undef HAVE_SNPRINTF
+
+/* Define to 1 if stdbool.h conforms to C99. */
+#undef HAVE_STDBOOL_H

 /* Define to 1 if you have the <stdint.h> header file. */
 #undef HAVE_STDINT_H

-/* Define to 1 if you have the <stdio.h> header file. */
-#undef HAVE_STDIO_H
-
 /* Define to 1 if you have the <stdlib.h> header file. */
 #undef HAVE_STDLIB_H

-/* Define to 1 if you have the 'stpecpy' function. */
-#undef HAVE_STPECPY
+/* Define to 1 if you have the `strcasecmp' function. */
+#undef HAVE_STRCASECMP

-/* Define to 1 if you have the 'stpeprintf' function. */
-#undef HAVE_STPEPRINTF
+/* Define to 1 if you have the `strchr' function. */
+#undef HAVE_STRCHR
+
+/* Define to 1 if you have the `strdup' function. */
+#undef HAVE_STRDUP
+
+/* Define to 1 if you have the `strerror' function. */
+#undef HAVE_STRERROR
+
+/* Define to 1 if you have the `strftime' function. */
+#undef HAVE_STRFTIME

 /* Define to 1 if you have the <strings.h> header file. */
 #undef HAVE_STRINGS_H
@@ -199,56 +293,151 @@
 /* Define to 1 if you have the <string.h> header file. */
 #undef HAVE_STRING_H

-/* Define to 1 if 'ut_addr' is a member of 'struct utmpx'. */
+/* Define to 1 if you have the `strstr' function. */
+#undef HAVE_STRSTR
+
+/* Define to 1 if `st_atim' is a member of `struct stat'. */
+#undef HAVE_STRUCT_STAT_ST_ATIM
+
+/* Define to 1 if `st_atimensec' is a member of `struct stat'. */
+#undef HAVE_STRUCT_STAT_ST_ATIMENSEC
+
+/* Define to 1 if `st_mtim' is a member of `struct stat'. */
+#undef HAVE_STRUCT_STAT_ST_MTIM
+
+/* Define to 1 if `st_mtimensec' is a member of `struct stat'. */
+#undef HAVE_STRUCT_STAT_ST_MTIMENSEC
+
+/* Define to 1 if `st_rdev' is a member of `struct stat'. */
+#undef HAVE_STRUCT_STAT_ST_RDEV
+
+/* Define to 1 if `ut_addr' is a member of `struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_ADDR

-/* Define to 1 if 'ut_addr_v6' is a member of 'struct utmpx'. */
+/* Define to 1 if `ut_addr_v6' is a member of `struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_ADDR_V6

-/* Define to 1 if 'ut_host' is a member of 'struct utmpx'. */
+/* Define to 1 if `ut_host' is a member of `struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_HOST

-/* Define to 1 if 'ut_name' is a member of 'struct utmpx'. */
+/* Define to 1 if `ut_name' is a member of `struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_NAME

-/* Define to 1 if 'ut_syslen' is a member of 'struct utmpx'. */
+/* Define to 1 if `ut_syslen' is a member of `struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_SYSLEN

-/* Define to 1 if 'ut_time' is a member of 'struct utmpx'. */
+/* Define to 1 if `ut_time' is a member of `struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_TIME

-/* Define to 1 if 'ut_xtime' is a member of 'struct utmpx'. */
+/* Define to 1 if `ut_xtime' is a member of `struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_XTIME

+/* Define to 1 if `ut_addr' is a member of `struct utmp'. */
+#undef HAVE_STRUCT_UTMP_UT_ADDR
+
+/* Define to 1 if `ut_addr_v6' is a member of `struct utmp'. */
+#undef HAVE_STRUCT_UTMP_UT_ADDR_V6
+
+/* Define to 1 if `ut_host' is a member of `struct utmp'. */
+#undef HAVE_STRUCT_UTMP_UT_HOST
+
+/* Define to 1 if `ut_id' is a member of `struct utmp'. */
+#undef HAVE_STRUCT_UTMP_UT_ID
+
+/* Define to 1 if `ut_name' is a member of `struct utmp'. */
+#undef HAVE_STRUCT_UTMP_UT_NAME
+
+/* Define to 1 if `ut_syslen' is a member of `struct utmp'. */
+#undef HAVE_STRUCT_UTMP_UT_SYSLEN
+
+/* Define to 1 if `ut_time' is a member of `struct utmp'. */
+#undef HAVE_STRUCT_UTMP_UT_TIME
+
+/* Define to 1 if `ut_tv' is a member of `struct utmp'. */
+#undef HAVE_STRUCT_UTMP_UT_TV
+
+/* Define to 1 if `ut_type' is a member of `struct utmp'. */
+#undef HAVE_STRUCT_UTMP_UT_TYPE
+
+/* Define to 1 if `ut_user' is a member of `struct utmp'. */
+#undef HAVE_STRUCT_UTMP_UT_USER
+
+/* Define to 1 if `ut_xtime' is a member of `struct utmp'. */
+#undef HAVE_STRUCT_UTMP_UT_XTIME
+
+/* Define to 1 if you have the <syslog.h> header file. */
+#undef HAVE_SYSLOG_H
+
+/* Define to 1 if you have the <sys/capability.h> header file. */
+#undef HAVE_SYS_CAPABILITY_H
+
+/* Define to 1 if you have the <sys/dir.h> header file, and it defines `DIR'.
+   */
+#undef HAVE_SYS_DIR_H
+
+/* Define to 1 if you have the <sys/ioctl.h> header file. */
+#undef HAVE_SYS_IOCTL_H
+
+/* Define to 1 if you have the <sys/ndir.h> header file, and it defines `DIR'.
+   */
+#undef HAVE_SYS_NDIR_H
+
+/* Define to 1 if you have the <sys/resource.h> header file. */
+#undef HAVE_SYS_RESOURCE_H
+
 /* Define to 1 if you have the <sys/statfs.h> header file. */
 #undef HAVE_SYS_STATFS_H

 /* Define to 1 if you have the <sys/stat.h> header file. */
 #undef HAVE_SYS_STAT_H

+/* Define to 1 if you have the <sys/time.h> header file. */
+#undef HAVE_SYS_TIME_H
+
 /* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H

+/* Define to 1 if you have <sys/wait.h> that is POSIX.1 compatible. */
+#undef HAVE_SYS_WAIT_H
+
 /* Define to 1 if you have the <tcb.h> header file. */
 #undef HAVE_TCB_H

+/* Define to 1 if you have the <termios.h> header file. */
+#undef HAVE_TERMIOS_H
+
+/* Define to 1 if you have the <termio.h> header file. */
+#undef HAVE_TERMIO_H
+
+/* Define to 1 if you have the <ulimit.h> header file. */
+#undef HAVE_ULIMIT_H
+
 /* Define to 1 if you have the <unistd.h> header file. */
 #undef HAVE_UNISTD_H

-/* Define to 1 if you have the 'updwtmpx' function. */
+/* Define to 1 if you have the `updwtmp' function. */
+#undef HAVE_UPDWTMP
+
+/* Define to 1 if you have the `updwtmpx' function. */
 #undef HAVE_UPDWTMPX

 /* Define to 1 if you have the <utime.h> header file. */
 #undef HAVE_UTIME_H

-/* Define to 1 if 'utime(file, NULL)' sets file's timestamp to the present. */
+/* Define to 1 if `utime(file, NULL)' sets file's timestamp to the present. */
 #undef HAVE_UTIME_NULL

-/* Define to support vendor settings. */
-#undef HAVE_VENDORDIR
+/* Define to 1 if you have the <utmpx.h> header file. */
+#undef HAVE_UTMPX_H

-/* Define to 1 if you have the <wchar.h> header file. */
-#undef HAVE_WCHAR_H
+/* Define to 1 if you have the <utmp.h> header file. */
+#undef HAVE_UTMP_H
+
+/* Define to 1 if the system has the type `_Bool'. */
+#undef HAVE__BOOL
+
+/* Path for lastlog file. */
+#undef LASTLOG_FILE

 /* Define to the sub-directory where libtool stores uninstalled libraries. */
 #undef LT_OBJDIR
@@ -283,6 +472,15 @@
 /* Path to passwd program. */
 #undef PASSWD_PROGRAM

+/* Define as the return type of signal handlers (`int' or `void'). */
+#undef RETSIGTYPE
+
+/* Define if login should support the -r flag for rlogind. */
+#undef RLOGIN
+
+/* Define to the ruserok() "success" return value (0 or 1). */
+#undef RUSEROK
+
 /* Define to support the shadow group file. */
 #undef SHADOWGRP

@@ -292,10 +490,10 @@
 /* The default shell. */
 #undef SHELL

-/* The size of 'gid_t', as computed by sizeof. */
+/* The size of `gid_t', as computed by sizeof. */
 #undef SIZEOF_GID_T

-/* The size of 'uid_t', as computed by sizeof. */
+/* The size of `uid_t', as computed by sizeof. */
 #undef SIZEOF_UID_T

 /* Define to support S/Key logins. */
@@ -304,14 +502,21 @@
 /* Define to support newer BSD S/Key API */
 #undef SKEY_BSD_STYLE

-/* Define to 1 if all of the C89 standard headers exist (not just the ones
-   required in a freestanding environment). This macro is provided for
-   backward compatibility; new code need not use it. */
+/* Define to 1 if the `S_IS*' macros in <sys/stat.h> do not work properly. */
+#undef STAT_MACROS_BROKEN
+
+/* Define to 1 if you have the ANSI C header files. */
 #undef STDC_HEADERS

 /* Define to support /etc/suauth su access control. */
 #undef SU_ACCESS

+/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
+#undef TIME_WITH_SYS_TIME
+
+/* Define to 1 if your <sys/time.h> declares `struct tm'. */
+#undef TM_IN_SYS_TIME
+
 /* Define to allow the bcrypt password encryption algorithm */
 #undef USE_BCRYPT

@@ -327,103 +532,33 @@
 /* Define to support flushing of sssd caches */
 #undef USE_SSSD

-/* Enable extensions on AIX, Interix, z/OS.  */
+/* Define to use syslog(). */
+#undef USE_SYSLOG
+
+/* Enable extensions on AIX 3, Interix.  */
 #ifndef _ALL_SOURCE
 # undef _ALL_SOURCE
 #endif
-/* Enable general extensions on macOS.  */
-#ifndef _DARWIN_C_SOURCE
-# undef _DARWIN_C_SOURCE
-#endif
-/* Enable general extensions on Solaris.  */
-#ifndef __EXTENSIONS__
-# undef __EXTENSIONS__
-#endif
 /* Enable GNU extensions on systems that have them.  */
 #ifndef _GNU_SOURCE
 # undef _GNU_SOURCE
 #endif
-/* Enable X/Open compliant socket functions that do not require linking
-   with -lxnet on HP-UX 11.11.  */
-#ifndef _HPUX_ALT_XOPEN_SOCKET_API
-# undef _HPUX_ALT_XOPEN_SOCKET_API
-#endif
-/* Identify the host operating system as Minix.
-   This macro does not affect the system headers' behavior.
-   A future release of Autoconf may stop defining this macro.  */
-#ifndef _MINIX
-# undef _MINIX
-#endif
-/* Enable general extensions on NetBSD.
-   Enable NetBSD compatibility extensions on Minix.  */
-#ifndef _NETBSD_SOURCE
-# undef _NETBSD_SOURCE
-#endif
-/* Enable OpenBSD compatibility extensions on NetBSD.
-   Oddly enough, this does nothing on OpenBSD.  */
-#ifndef _OPENBSD_SOURCE
-# undef _OPENBSD_SOURCE
-#endif
-/* Define to 1 if needed for POSIX-compatible behavior.  */
-#ifndef _POSIX_SOURCE
-# undef _POSIX_SOURCE
-#endif
-/* Define to 2 if needed for POSIX-compatible behavior.  */
-#ifndef _POSIX_1_SOURCE
-# undef _POSIX_1_SOURCE
-#endif
-/* Enable POSIX-compatible threading on Solaris.  */
+/* Enable threading extensions on Solaris.  */
 #ifndef _POSIX_PTHREAD_SEMANTICS
 # undef _POSIX_PTHREAD_SEMANTICS
 #endif
-/* Enable extensions specified by ISO/IEC TS 18661-5:2014.  */
-#ifndef __STDC_WANT_IEC_60559_ATTRIBS_EXT__
-# undef __STDC_WANT_IEC_60559_ATTRIBS_EXT__
-#endif
-/* Enable extensions specified by ISO/IEC TS 18661-1:2014.  */
-#ifndef __STDC_WANT_IEC_60559_BFP_EXT__
-# undef __STDC_WANT_IEC_60559_BFP_EXT__
-#endif
-/* Enable extensions specified by ISO/IEC TS 18661-2:2015.  */
-#ifndef __STDC_WANT_IEC_60559_DFP_EXT__
-# undef __STDC_WANT_IEC_60559_DFP_EXT__
-#endif
-/* Enable extensions specified by C23 Annex F.  */
-#ifndef __STDC_WANT_IEC_60559_EXT__
-# undef __STDC_WANT_IEC_60559_EXT__
-#endif
-/* Enable extensions specified by ISO/IEC TS 18661-4:2015.  */
-#ifndef __STDC_WANT_IEC_60559_FUNCS_EXT__
-# undef __STDC_WANT_IEC_60559_FUNCS_EXT__
-#endif
-/* Enable extensions specified by C23 Annex H and ISO/IEC TS 18661-3:2015.  */
-#ifndef __STDC_WANT_IEC_60559_TYPES_EXT__
-# undef __STDC_WANT_IEC_60559_TYPES_EXT__
-#endif
-/* Enable extensions specified by ISO/IEC TR 24731-2:2010.  */
-#ifndef __STDC_WANT_LIB_EXT2__
-# undef __STDC_WANT_LIB_EXT2__
-#endif
-/* Enable extensions specified by ISO/IEC 24747:2009.  */
-#ifndef __STDC_WANT_MATH_SPEC_FUNCS__
-# undef __STDC_WANT_MATH_SPEC_FUNCS__
-#endif
 /* Enable extensions on HP NonStop.  */
 #ifndef _TANDEM_SOURCE
 # undef _TANDEM_SOURCE
 #endif
-/* Enable X/Open extensions.  Define to 500 only if necessary
-   to make mbstate_t available.  */
-#ifndef _XOPEN_SOURCE
-# undef _XOPEN_SOURCE
+/* Enable general extensions on Solaris.  */
+#ifndef __EXTENSIONS__
+# undef __EXTENSIONS__
 #endif


-/* Define to allow the yescrypt password encryption algorithm */
-#undef USE_YESCRYPT
-
-/* Directory for distribution provided configuration files */
-#undef VENDORDIR
+/* Define if utmpx should be used */
+#undef USE_UTMPX

 /* Version number of package */
 #undef VERSION
@@ -440,9 +575,6 @@
 /* Build shadow with BtrFS support */
 #undef WITH_BTRFS

-/* Build shadow without libbsd support */
-#undef WITH_LIBBSD
-
 /* Build shadow with SELinux support */
 #undef WITH_SELINUX

@@ -452,14 +584,47 @@
 /* Build shadow with tcb support (incomplete) */
 #undef WITH_TCB

+/* Enable large inode numbers on Mac OS X 10.5.  */
+#ifndef _DARWIN_USE_64_BIT_INODE
+# define _DARWIN_USE_64_BIT_INODE 1
+#endif
+
 /* Number of bits in a file offset, on hosts where this is settable. */
 #undef _FILE_OFFSET_BITS

-/* Define to 1 on platforms where this makes off_t a 64-bit type. */
+/* Define for large files, on AIX-style hosts. */
 #undef _LARGE_FILES

-/* Number of bits in time_t, on hosts where this is settable. */
-#undef _TIME_BITS
+/* Define to 1 if on MINIX. */
+#undef _MINIX

-/* Define to 1 on platforms where this makes time_t a 64-bit type. */
-#undef __MINGW_USE_VC2005_COMPAT
+/* Define to 2 if the system does not provide POSIX.1 features except with
+   this defined. */
+#undef _POSIX_1_SOURCE
+
+/* Define to 1 if you need to in order for `stat' and other things to work. */
+#undef _POSIX_SOURCE
+
+/* Path for utmp file. */
+#undef _UTMP_FILE
+
+/* Path for wtmp file. */
+#undef _WTMP_FILE
+
+/* Define to empty if `const' does not conform to ANSI C. */
+#undef const
+
+/* Define to `int' if <sys/types.h> doesn't define. */
+#undef gid_t
+
+/* Define to `int' if <sys/types.h> does not define. */
+#undef mode_t
+
+/* Define to `long int' if <sys/types.h> does not define. */
+#undef off_t
+
+/* Define to `int' if <sys/types.h> does not define. */
+#undef pid_t
+
+/* Define to `int' if <sys/types.h> doesn't define. */
+#undef uid_t
--- a/config.rpath
+++ b/config.rpath
@@ -0,0 +1,614 @@
+#! /bin/sh
+# Output a system dependent set of variables, describing how to set the
+# run time search path of shared libraries in an executable.
+#
+#   Copyright 1996-2006 Free Software Foundation, Inc.
+#   Taken from GNU libtool, 2001
+#   Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+#   This file is free software; the Free Software Foundation gives
+#   unlimited permission to copy and/or distribute it, with or without
+#   modifications, as long as this notice is preserved.
+#
+# The first argument passed to this file is the canonical host specification,
+#    CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or
+#    CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# The environment variables CC, GCC, LDFLAGS, LD, with_gnu_ld
+# should be set by the caller.
+#
+# The set of defined variables is at the end of this script.
+
+# Known limitations:
+# - On IRIX 6.5 with CC="cc", the run time search patch must not be longer
+#   than 256 bytes, otherwise the compiler driver will dump core. The only
+#   known workaround is to choose shorter directory names for the build
+#   directory and/or the installation directory.
+
+# All known linkers require a `.a' archive for static linking (except MSVC,
+# which needs '.lib').
+libext=a
+shrext=.so
+
+host="$1"
+host_cpu=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+host_vendor=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+host_os=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+
+# Code taken from libtool.m4's _LT_CC_BASENAME.
+
+for cc_temp in $CC""; do
+  case $cc_temp in
+    compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+    distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`echo "$cc_temp" | sed -e 's%^.*/%%'`
+
+# Code taken from libtool.m4's AC_LIBTOOL_PROG_COMPILER_PIC.
+
+wl=
+if test "$GCC" = yes; then
+  wl='-Wl,'
+else
+  case "$host_os" in
+    aix*)
+      wl='-Wl,'
+      ;;
+    darwin*)
+      case $cc_basename in
+        xlc*)
+          wl='-Wl,'
+          ;;
+      esac
+      ;;
+    mingw* | pw32* | os2*)
+      ;;
+    hpux9* | hpux10* | hpux11*)
+      wl='-Wl,'
+      ;;
+    irix5* | irix6* | nonstopux*)
+      wl='-Wl,'
+      ;;
+    newsos6)
+      ;;
+    linux*)
+      case $cc_basename in
+        icc* | ecc*)
+          wl='-Wl,'
+          ;;
+        pgcc | pgf77 | pgf90)
+          wl='-Wl,'
+          ;;
+        ccc*)
+          wl='-Wl,'
+          ;;
+        como)
+          wl='-lopt='
+          ;;
+        *)
+          case `$CC -V 2>&1 | sed 5q` in
+            *Sun\ C*)
+              wl='-Wl,'
+              ;;
+          esac
+          ;;
+      esac
+      ;;
+    osf3* | osf4* | osf5*)
+      wl='-Wl,'
+      ;;
+    sco3.2v5*)
+      ;;
+    solaris*)
+      wl='-Wl,'
+      ;;
+    sunos4*)
+      wl='-Qoption ld '
+      ;;
+    sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+      wl='-Wl,'
+      ;;
+    sysv4*MP*)
+      ;;
+    unicos*)
+      wl='-Wl,'
+      ;;
+    uts4*)
+      ;;
+  esac
+fi
+
+# Code taken from libtool.m4's AC_LIBTOOL_PROG_LD_SHLIBS.
+
+hardcode_libdir_flag_spec=
+hardcode_libdir_separator=
+hardcode_direct=no
+hardcode_minus_L=no
+
+case "$host_os" in
+  cygwin* | mingw* | pw32*)
+    # FIXME: the MSVC++ port hasn't been tested in a loooong time
+    # When not using gcc, we currently assume that we are using
+    # Microsoft Visual C++.
+    if test "$GCC" != yes; then
+      with_gnu_ld=no
+    fi
+    ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
+  openbsd*)
+    with_gnu_ld=no
+    ;;
+esac
+
+ld_shlibs=yes
+if test "$with_gnu_ld" = yes; then
+  # Set some defaults for GNU ld with shared library support. These
+  # are reset later if shared libraries are not supported. Putting them
+  # here allows them to be overridden if necessary.
+  # Unlike libtool, we use -rpath here, not --rpath, since the documented
+  # option of GNU ld is called -rpath, not --rpath.
+  hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+  case "$host_os" in
+    aix3* | aix4* | aix5*)
+      # On AIX/PPC, the GNU linker is very broken
+      if test "$host_cpu" != ia64; then
+        ld_shlibs=no
+      fi
+      ;;
+    amigaos*)
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_minus_L=yes
+      # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+      # that the semantics of dynamic libraries on AmigaOS, at least up
+      # to version 4, is to share data among multiple programs linked
+      # with the same dynamic library.  Since this doesn't match the
+      # behavior of shared libraries on other platforms, we cannot use
+      # them.
+      ld_shlibs=no
+      ;;
+    beos*)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+        :
+      else
+        ld_shlibs=no
+      fi
+      ;;
+    cygwin* | mingw* | pw32*)
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      hardcode_libdir_flag_spec='-L$libdir'
+      if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+        :
+      else
+        ld_shlibs=no
+      fi
+      ;;
+    interix3*)
+      hardcode_direct=no
+      hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+      ;;
+    linux*)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+        :
+      else
+        ld_shlibs=no
+      fi
+      ;;
+    netbsd*)
+      ;;
+    solaris*)
+      if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+        ld_shlibs=no
+      elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+        :
+      else
+        ld_shlibs=no
+      fi
+      ;;
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
+          ld_shlibs=no
+          ;;
+        *)
+          if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+            hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+          else
+            ld_shlibs=no
+          fi
+          ;;
+      esac
+      ;;
+    sunos4*)
+      hardcode_direct=yes
+      ;;
+    *)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+        :
+      else
+        ld_shlibs=no
+      fi
+      ;;
+  esac
+  if test "$ld_shlibs" = no; then
+    hardcode_libdir_flag_spec=
+  fi
+else
+  case "$host_os" in
+    aix3*)
+      # Note: this linker hardcodes the directories in LIBPATH if there
+      # are no directories specified by -L.
+      hardcode_minus_L=yes
+      if test "$GCC" = yes; then
+        # Neither direct hardcoding nor static linking is supported with a
+        # broken collect2.
+        hardcode_direct=unsupported
+      fi
+      ;;
+    aix4* | aix5*)
+      if test "$host_cpu" = ia64; then
+        # On IA64, the linker does run time linking by default, so we don't
+        # have to do anything special.
+        aix_use_runtimelinking=no
+      else
+        aix_use_runtimelinking=no
+        # Test if we are trying to use run time linking or normal
+        # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+        # need to do runtime linking.
+        case $host_os in aix4.[23]|aix4.[23].*|aix5*)
+          for ld_flag in $LDFLAGS; do
+            if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+              aix_use_runtimelinking=yes
+              break
+            fi
+          done
+          ;;
+        esac
+      fi
+      hardcode_direct=yes
+      hardcode_libdir_separator=':'
+      if test "$GCC" = yes; then
+        case $host_os in aix4.[012]|aix4.[012].*)
+          collect2name=`${CC} -print-prog-name=collect2`
+          if test -f "$collect2name" && \
+            strings "$collect2name" | grep resolve_lib_name >/dev/null
+          then
+            # We have reworked collect2
+            hardcode_direct=yes
+          else
+            # We have old collect2
+            hardcode_direct=unsupported
+            hardcode_minus_L=yes
+            hardcode_libdir_flag_spec='-L$libdir'
+            hardcode_libdir_separator=
+          fi
+          ;;
+        esac
+      fi
+      # Begin _LT_AC_SYS_LIBPATH_AIX.
+      echo 'int main () { return 0; }' > conftest.c
+      ${CC} ${LDFLAGS} conftest.c -o conftest
+      aix_libpath=`dump -H conftest 2>/dev/null | sed -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
+}'`
+      if test -z "$aix_libpath"; then
+        aix_libpath=`dump -HX64 conftest 2>/dev/null | sed -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
+}'`
+      fi
+      if test -z "$aix_libpath"; then
+        aix_libpath="/usr/lib:/lib"
+      fi
+      rm -f conftest.c conftest
+      # End _LT_AC_SYS_LIBPATH_AIX.
+      if test "$aix_use_runtimelinking" = yes; then
+        hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
+      else
+        if test "$host_cpu" = ia64; then
+          hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
+        else
+          hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
+        fi
+      fi
+      ;;
+    amigaos*)
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_minus_L=yes
+      # see comment about different semantics on the GNU ld section
+      ld_shlibs=no
+      ;;
+    bsdi[45]*)
+      ;;
+    cygwin* | mingw* | pw32*)
+      # When not using gcc, we currently assume that we are using
+      # Microsoft Visual C++.
+      # hardcode_libdir_flag_spec is actually meaningless, as there is
+      # no search path for DLLs.
+      hardcode_libdir_flag_spec=' '
+      libext=lib
+      ;;
+    darwin* | rhapsody*)
+      hardcode_direct=no
+      if test "$GCC" = yes ; then
+        :
+      else
+        case $cc_basename in
+          xlc*)
+            ;;
+          *)
+            ld_shlibs=no
+            ;;
+        esac
+      fi
+      ;;
+    dgux*)
+      hardcode_libdir_flag_spec='-L$libdir'
+      ;;
+    freebsd1*)
+      ld_shlibs=no
+      ;;
+    freebsd2.2*)
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_direct=yes
+      ;;
+    freebsd2*)
+      hardcode_direct=yes
+      hardcode_minus_L=yes
+      ;;
+    freebsd* | kfreebsd*-gnu | dragonfly*)
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_direct=yes
+      ;;
+    hpux9*)
+      hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+      hardcode_libdir_separator=:
+      hardcode_direct=yes
+      # hardcode_minus_L: Not really in the search PATH,
+      # but as the default location of the library.
+      hardcode_minus_L=yes
+      ;;
+    hpux10*)
+      if test "$with_gnu_ld" = no; then
+        hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+        hardcode_libdir_separator=:
+        hardcode_direct=yes
+        # hardcode_minus_L: Not really in the search PATH,
+        # but as the default location of the library.
+        hardcode_minus_L=yes
+      fi
+      ;;
+    hpux11*)
+      if test "$with_gnu_ld" = no; then
+        hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+        hardcode_libdir_separator=:
+        case $host_cpu in
+          hppa*64*|ia64*)
+            hardcode_direct=no
+            ;;
+          *)
+            hardcode_direct=yes
+            # hardcode_minus_L: Not really in the search PATH,
+            # but as the default location of the library.
+            hardcode_minus_L=yes
+            ;;
+        esac
+      fi
+      ;;
+    irix5* | irix6* | nonstopux*)
+      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator=:
+      ;;
+    netbsd*)
+      hardcode_libdir_flag_spec='-R$libdir'
+      hardcode_direct=yes
+      ;;
+    newsos6)
+      hardcode_direct=yes
+      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator=:
+      ;;
+    openbsd*)
+      hardcode_direct=yes
+      if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+        hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+      else
+        case "$host_os" in
+          openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
+            hardcode_libdir_flag_spec='-R$libdir'
+            ;;
+          *)
+            hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+            ;;
+        esac
+      fi
+      ;;
+    os2*)
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_minus_L=yes
+      ;;
+    osf3*)
+      hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+      hardcode_libdir_separator=:
+      ;;
+    osf4* | osf5*)
+      if test "$GCC" = yes; then
+        hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+      else
+        # Both cc and cxx compiler support -rpath directly
+        hardcode_libdir_flag_spec='-rpath $libdir'
+      fi
+      hardcode_libdir_separator=:
+      ;;
+    solaris*)
+      hardcode_libdir_flag_spec='-R$libdir'
+      ;;
+    sunos4*)
+      hardcode_libdir_flag_spec='-L$libdir'
+      hardcode_direct=yes
+      hardcode_minus_L=yes
+      ;;
+    sysv4)
+      case $host_vendor in
+        sni)
+          hardcode_direct=yes # is this really true???
+          ;;
+        siemens)
+          hardcode_direct=no
+          ;;
+        motorola)
+          hardcode_direct=no #Motorola manual says yes, but my tests say they lie
+          ;;
+      esac
+      ;;
+    sysv4.3*)
+      ;;
+    sysv4*MP*)
+      if test -d /usr/nec; then
+        ld_shlibs=yes
+      fi
+      ;;
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*)
+      ;;
+    sysv5* | sco3.2v5* | sco5v6*)
+      hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+      hardcode_libdir_separator=':'
+      ;;
+    uts4*)
+      hardcode_libdir_flag_spec='-L$libdir'
+      ;;
+    *)
+      ld_shlibs=no
+      ;;
+  esac
+fi
+
+# Check dynamic linker characteristics
+# Code taken from libtool.m4's AC_LIBTOOL_SYS_DYNAMIC_LINKER.
+libname_spec='lib$name'
+case "$host_os" in
+  aix3*)
+    ;;
+  aix4* | aix5*)
+    ;;
+  amigaos*)
+    ;;
+  beos*)
+    ;;
+  bsdi[45]*)
+    ;;
+  cygwin* | mingw* | pw32*)
+    shrext=.dll
+    ;;
+  darwin* | rhapsody*)
+    shrext=.dylib
+    ;;
+  dgux*)
+    ;;
+  freebsd1*)
+    ;;
+  kfreebsd*-gnu)
+    ;;
+  freebsd* | dragonfly*)
+    ;;
+  gnu*)
+    ;;
+  hpux9* | hpux10* | hpux11*)
+    case $host_cpu in
+      ia64*)
+        shrext=.so
+        ;;
+      hppa*64*)
+        shrext=.sl
+        ;;
+      *)
+        shrext=.sl
+        ;;
+    esac
+    ;;
+  interix3*)
+    ;;
+  irix5* | irix6* | nonstopux*)
+    case "$host_os" in
+      irix5* | nonstopux*)
+        libsuff= shlibsuff=
+        ;;
+      *)
+        case $LD in
+          *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") libsuff= shlibsuff= ;;
+          *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") libsuff=32 shlibsuff=N32 ;;
+          *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") libsuff=64 shlibsuff=64 ;;
+          *) libsuff= shlibsuff= ;;
+        esac
+        ;;
+    esac
+    ;;
+  linux*oldld* | linux*aout* | linux*coff*)
+    ;;
+  linux*)
+    ;;
+  knetbsd*-gnu)
+    ;;
+  netbsd*)
+    ;;
+  newsos6)
+    ;;
+  nto-qnx*)
+    ;;
+  openbsd*)
+    ;;
+  os2*)
+    libname_spec='$name'
+    shrext=.dll
+    ;;
+  osf3* | osf4* | osf5*)
+    ;;
+  solaris*)
+    ;;
+  sunos4*)
+    ;;
+  sysv4 | sysv4.3*)
+    ;;
+  sysv4*MP*)
+    ;;
+  sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+    ;;
+  uts4*)
+    ;;
+esac
+
+sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
+escaped_wl=`echo "X$wl" | sed -e 's/^X//' -e "$sed_quote_subst"`
+shlibext=`echo "$shrext" | sed -e 's,^\.,,'`
+escaped_hardcode_libdir_flag_spec=`echo "X$hardcode_libdir_flag_spec" | sed -e 's/^X//' -e "$sed_quote_subst"`
+
+LC_ALL=C sed -e 's/^\([a-zA-Z0-9_]*\)=/acl_cv_\1=/' <<EOF
+
+# How to pass a linker flag through the compiler.
+wl="$escaped_wl"
+
+# Static library suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally "so").
+shlibext="$shlibext"
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec="$escaped_hardcode_libdir_flag_spec"
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator="$hardcode_libdir_separator"
+
+# Set to yes if using DIR/libNAME.so during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct="$hardcode_direct"
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L="$hardcode_minus_L"
+
+EOF
--- a/config.sub
+++ b/config.sub
--- a/14492
+++ b/14492
--- a/configure.ac
+++ b/configure.ac
--- a/contrib/Makefile.am
+++ b/contrib/Makefile.am
@@ -0,0 +1,6 @@
+# This is a dummy Makefile.am to get automake work flawlessly,
+# and also cooperate to make a distribution for `make dist'
+
+EXTRA_DIST = README adduser.c adduser-old.c adduser.sh adduser2.sh \
+ atudel groupmems.shar pwdauth.c shadow-anonftp.patch \
+ udbachk.tgz
--- a/contrib/Makefile.in
+++ b/contrib/Makefile.in
@@ -0,0 +1,482 @@
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# This is a dummy Makefile.am to get automake work flawlessly,
+# and also cooperate to make a distribution for `make dist'
+VPATH = @srcdir@
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = contrib
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+am__DIST_COMMON = $(srcdir)/Makefile.in README
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+ECONF_CPPFLAGS = @ECONF_CPPFLAGS@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GREP = @GREP@
+GROUP_NAME_MAX_LENGTH = @GROUP_NAME_MAX_LENGTH@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LIBACL = @LIBACL@
+LIBATTR = @LIBATTR@
+LIBAUDIT = @LIBAUDIT@
+LIBCRACK = @LIBCRACK@
+LIBCRYPT = @LIBCRYPT@
+LIBECONF = @LIBECONF@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBMD = @LIBMD@
+LIBOBJS = @LIBOBJS@
+LIBPAM = @LIBPAM@
+LIBS = @LIBS@
+LIBSELINUX = @LIBSELINUX@
+LIBSEMANAGE = @LIBSEMANAGE@
+LIBSKEY = @LIBSKEY@
+LIBTCB = @LIBTCB@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+POSUB = @POSUB@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VENDORDIR = @VENDORDIR@
+VERSION = @VERSION@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
+XMLCATALOG = @XMLCATALOG@
+XML_CATALOG_FILE = @XML_CATALOG_FILE@
+XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+capcmd = @capcmd@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+runstatedir = @runstatedir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+EXTRA_DIST = README adduser.c adduser-old.c adduser.sh adduser2.sh \
+ atudel groupmems.shar pwdauth.c shadow-anonftp.patch \
+ udbachk.tgz
+
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign contrib/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign contrib/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	cscopelist-am ctags-am distclean distclean-generic \
+	distclean-libtool distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags-am uninstall uninstall-am
+
+.PRECIOUS: Makefile
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
--- a/contrib/README
+++ b/contrib/README
@@ -0,0 +1,10 @@
+People keep sending various adduser programs and scripts...  They are
+all in this directory.  I haven't tested them, use at your own risk.
+Anyway, the best one I've seen so far is adduser-3.x from Debian.
+
+atudel is a perl script to remove at jobs owned by the specified user
+(atrm in at-2.9 for Linux can't do that).
+
+udbachk.tgz is a passwd/group/shadow file integrity checker.
+
+--marekm
--- a/contrib/adduser-old.c
+++ b/contrib/adduser-old.c
@@ -0,0 +1,300 @@
+/****
+** 03/17/96
+** hacked a bit more, removed unused code, cleaned up for gcc -Wall.
+** --marekm
+**
+** 02/26/96
+** modified to call shadow utils (useradd,chage,passwd) on shadowed 
+** systems - Cristian Gafton, gafton@sorosis.ro
+**
+** 6/27/95
+** shadow-adduser 1.4:
+**
+** now it copies the /etc/skel dir into the person's dir, 
+** makes the mail folders, changed some defaults and made a 'make 
+** install' just for the hell of it.
+**
+** Greg Gallagher
+** CIN.Net
+**
+** 1/28/95
+** shadow-adduser 1.3:
+** 
+** Basically a bug-fix on my additions in 1.2.  Thanks to Terry Stewart 
+** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
+** It was such a stupid bug that I would have never seen it myself.
+**
+**                                Brandon
+*****
+** 01/27/95
+** 
+** shadow-adduser 1.2:
+** I took the C source from adduser-shadow (credits are below) and made
+** it a little more worthwhile.  Many small changes... Here's
+** the ones I can remember:
+** 
+** Removed support for non-shadowed systems (if you don't have shadow,
+**     use the original adduser, don't get this shadow version!)
+** Added support for the correct /etc/shadow fields (Min days before
+**     password change, max days before password change, Warning days,
+**     and how many days from expiry date does the account go invalid)
+**     The previous version just left all of those fields blank.
+**     There is still one field left (expiry date for the account, period)
+**     which I have left blank because I do not use it and didn't want to
+**     spend any more time on this.  I'm sure someone will put it in and
+**     tack another plethora of credits on here. :)
+** Added in the password date field, which should always reflect the last
+**     date the password was changed, for expiry purposes.  "passwd" always
+**     updates this field, so the adduser program should set it up right
+**     initially (or a user could keep thier initial password forever ;)
+**     The number is in days since Jan 1st, 1970.
+**
+**                       Have fun with it, and someone please make
+**                       a real version(this is still just a hack)
+**                       for us all to use (and Email it to me???)
+**
+**                               Brandon
+**                                  photon@usis.com
+**
+***** 
+** adduser 1.0: add a new user account (For systems not using shadow)
+** With a nice little interface and a will to do all the work for you.
+**
+** Craig Hagan
+** hagan@opine.cs.umass.edu
+**
+** Modified to really work, look clean, and find unused uid by Chris Cappuccio
+** chris@slinky.cs.umass.edu
+**
+*****
+**
+** 01/19/95
+**
+** FURTHER modifications to enable shadow passwd support (kludged, but
+** no more so than the original)  by Dan Crowson - dcrowson@mo.net
+**
+** Search on DAN for all changes...
+**
+*****
+**
+** cc -O -o adduser adduser.c
+** Use gcc if you have it... (political reasons beyond my control) (chris)
+**
+** I've gotten this program to work with success under Linux (without
+** shadow) and SunOS 4.1.3. I would assume it should work pretty well
+** on any system that uses no shadow. (chris)
+**
+** If you have no crypt() then try
+** cc -DNO_CRYPT -O -o adduser adduser.c xfdes.c
+** I'm not sure how login operates with no crypt()... I guess
+** the same way we're doing it here.
+*/
+
+#include <pwd.h>
+#include <grp.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <time.h>
+#include <sys/types.h>
+#include <sys/timeb.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+
+#define DEFAULT_SHELL	"/bin/bash"  /* because BASH is your friend */
+#define DEFAULT_HOME	"/home"
+#define USERADD_PATH	"/usr/sbin/useradd"
+#define CHAGE_PATH	"/usr/sbin/chage"
+#define PASSWD_PATH	"/usr/bin/passwd"
+#define DEFAULT_GROUP	100
+
+#define DEFAULT_MAX_PASS 60
+#define DEFAULT_WARN_PASS 10
+/* if you use this feature, you will get a lot of complaints from users
+   who rarely use their accounts :)  (something like 3 months would be
+   more reasonable)  --marekm */
+#define DEFAULT_USER_DIE /* 10 */ 0
+
+void main()
+{
+	char foo[32];			
+	char uname[9],person[32],dir[32],shell[32];
+	unsigned int group,min_pass,max_pass,warn_pass,user_die;
+	/* the group and uid of the new user */
+	int bad=0,done=0,correct=0,gets_warning=0;
+	char cmd[255];
+	struct group *grp;
+	
+	/* flags, in order:
+	* bad to see if the username is in /etc/passwd, or if strange stuff has
+	* been typed if the user might be put in group 0
+	* done allows the program to exit when a user has been added
+	* correct loops until a password is found that isn't in /etc/passwd
+	* gets_warning allows the fflush to be skipped for the first gets
+	* so that output is still legible
+	*/
+
+	/* The real program starts HERE! */
+  
+	if(geteuid()!=0)
+	{
+		printf("It seems you don't have access to add a new user.  Try\n");
+		printf("logging in as root or su root to gain super-user access.\n");
+		exit(1);
+	}
+  
+	/* Sanity checks
+	*/
+	
+	if (!(grp=getgrgid(DEFAULT_GROUP))){
+		printf("Error: the default group %d does not exist on this system!\n",
+				DEFAULT_GROUP);
+		printf("adduser must be recompiled.\n");
+		exit(1);
+	}; 
+ 
+	while(!correct) {		/* loop until a "good" uname is chosen */
+		while(!done) {
+			printf("\nLogin to add (^C to quit): ");
+			if(gets_warning)	/* if the warning was already shown */
+				fflush(stdout);	/* fflush stdout, otherwise set the flag */
+			else
+				gets_warning=1;
+
+			gets(uname);
+			if(!strlen(uname)) {
+				printf("Empty input.\n");
+				done=0;
+				continue;
+			};
+
+			/* what I saw here before made me think maybe I was running DOS */
+			/* might this be a solution? (chris) */
+			if (getpwnam(uname) != NULL) {
+				printf("That name is in use, choose another.\n");
+				done=0;
+			} else
+				done=1;
+		}; /* done, we have a valid new user name */
+		
+		/* all set, get the rest of the stuff */
+		printf("\nEditing information for new user [%s]\n",uname);
+  
+		printf("\nFull Name [%s]: ",uname);
+		gets(person);
+		if (!strlen(person)) {
+			bzero(person,sizeof(person));
+			strcpy(person,uname);
+		};
+      
+		do {
+			bad=0; 
+			printf("GID [%d]: ",DEFAULT_GROUP);
+			gets(foo);
+			if (!strlen(foo))
+				group=DEFAULT_GROUP;
+			else
+				if (isdigit (*foo)) {
+					group = atoi(foo);
+					if (! (grp = getgrgid (group))) {
+						printf("unknown gid %s\n",foo);
+						group=DEFAULT_GROUP;
+						bad=1;
+					};
+			} else
+				if ((grp = getgrnam (foo)))
+					group = grp->gr_gid;
+				else {
+					printf("unknown group %s\n",foo);
+					group=DEFAULT_GROUP;
+					bad=1;
+				}
+			if (group==0){	/* You're not allowed to make root group users! */
+				printf("Creation of root group users not allowed (must be done by hand)\n");
+				group=DEFAULT_GROUP;
+				bad=1;
+			};
+		} while(bad);
+
+
+		fflush(stdin);
+      
+		printf("\nIf home dir ends with a / then [%s] will be appended to it\n",uname);
+		printf("Home Directory [%s/%s]: ",DEFAULT_HOME,uname);
+		fflush(stdout);
+		gets(dir);
+		if (!strlen(dir)) { /* hit return */
+			sprintf(dir,"%s/%s",DEFAULT_HOME,uname);
+			fflush(stdin);
+		} else
+			if (dir[strlen(dir)-1]=='/')
+				sprintf(dir+strlen(dir),"%s",uname);
+
+		printf("\nShell [%s]: ",DEFAULT_SHELL);
+		fflush(stdout);
+		gets(shell);
+		if (!strlen(shell))
+			sprintf(shell,"%s",DEFAULT_SHELL);
+      
+		printf("\nMin. Password Change Days [0]: ");
+		gets(foo);
+		min_pass=atoi(foo);
+            
+		printf("Max. Password Change Days [%d]: ",DEFAULT_MAX_PASS);
+		gets(foo);
+		if (strlen(foo) > 1)
+			max_pass = atoi(foo);
+		else
+			max_pass = DEFAULT_MAX_PASS;
+            
+		printf("Password Warning Days [%d]: ",DEFAULT_WARN_PASS);
+		gets(foo);
+		warn_pass = atoi(foo);
+		if (warn_pass==0)
+			warn_pass = DEFAULT_WARN_PASS;
+            
+		printf("Days after Password Expiry for Account Locking [%d]: ",DEFAULT_USER_DIE);
+		gets(foo);
+		user_die = atoi(foo);
+		if (user_die == 0)
+			user_die = DEFAULT_USER_DIE;
+      
+		printf("\nInformation for new user [%s] [%s]:\n",uname,person);
+		printf("Home directory: [%s] Shell: [%s]\n",dir,shell);
+		printf("GID: [%d]\n",group);
+		printf("MinPass: [%d] MaxPass: [%d] WarnPass: [%d] UserExpire: [%d]\n",
+				min_pass,max_pass,warn_pass,user_die);
+		printf("\nIs this correct? [y/N]: ");
+		fflush(stdout);
+		gets(foo);
+
+		done=bad=correct=(foo[0]=='y'||foo[0]=='Y');
+
+		if(bad!=1)
+			printf("\nUser [%s] not added\n",uname);
+    }
+
+	bzero(cmd,sizeof(cmd));
+	sprintf(cmd,"%s -g %d -d %s -s %s -c \"%s\" -m -k /etc/skel %s",
+			USERADD_PATH,group,dir,shell,person,uname);
+	printf("Calling useradd to add new user:\n%s\n",cmd);  
+	if(system(cmd)){
+		printf("User add failed!\n");
+		exit(errno);
+	};
+	bzero(cmd,sizeof(cmd));
+	sprintf(cmd,"%s -m %d -M %d -W %d -I %d %s", CHAGE_PATH,
+			min_pass,max_pass,warn_pass,user_die,uname);
+	printf("%s\n",cmd);
+	if(system(cmd)){
+		printf("There was an error setting password expire values\n");
+		exit(errno);
+	};
+	bzero(cmd,sizeof(cmd));
+	sprintf(cmd,"%s %s",PASSWD_PATH,uname);
+	system(cmd);
+	printf("\nDone.\n");
+}
+
--- a/contrib/adduser.c
+++ b/contrib/adduser.c
@@ -0,0 +1,502 @@
+/****
+** 04/21/96
+** hacked even more, replaced gets() with something slightly harder to buffer
+** overflow. Added support for setting a default quota on new account, with
+** edquota -p. Other cleanups for security, I let some users run adduser suid
+** root to add new accounts. (overflow checks, clobber environment, valid 
+** shell checks, restrictions on gid + home dir settings).
+
+** Added max. username length. Used syslog() a bit for important events. 
+** Support to immediately expire account with passwd -e.
+
+** Called it version 2.0! Because I felt like it!
+
+** -- Chris, chris@ferret.lmh.ox.ac.uk
+
+** 03/17/96
+** hacked a bit more, removed unused code, cleaned up for gcc -Wall.
+** --marekm
+**
+** 02/26/96
+** modified to call shadow utils (useradd,chage,passwd) on shadowed 
+** systems - Cristian Gafton, gafton@sorosis.ro
+**
+** 6/27/95
+** shadow-adduser 1.4:
+**
+** now it copies the /etc/skel dir into the person's dir, 
+** makes the mail folders, changed some defaults and made a 'make 
+** install' just for the hell of it.
+**
+** Greg Gallagher
+** CIN.Net
+**
+** 1/28/95
+** shadow-adduser 1.3:
+** 
+** Basically a bug-fix on my additions in 1.2.  Thanks to Terry Stewart 
+** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
+** It was such a stupid bug that I would have never seen it myself.
+**
+**                                Brandon
+*****
+** 01/27/95
+** 
+** shadow-adduser 1.2:
+** I took the C source from adduser-shadow (credits are below) and made
+** it a little more worthwhile.  Many small changes... Here's
+** the ones I can remember:
+** 
+** Removed support for non-shadowed systems (if you don't have shadow,
+**     use the original adduser, don't get this shadow version!)
+** Added support for the correct /etc/shadow fields (Min days before
+**     password change, max days before password change, Warning days,
+**     and how many days from expiry date does the account go invalid)
+**     The previous version just left all of those fields blank.
+**     There is still one field left (expiry date for the account, period)
+**     which I have left blank because I do not use it and didn't want to
+**     spend any more time on this.  I'm sure someone will put it in and
+**     tack another plethora of credits on here. :)
+** Added in the password date field, which should always reflect the last
+**     date the password was changed, for expiry purposes.  "passwd" always
+**     updates this field, so the adduser program should set it up right
+**     initially (or a user could keep thier initial password forever ;)
+**     The number is in days since Jan 1st, 1970.
+**
+**                       Have fun with it, and someone please make
+**                       a real version(this is still just a hack)
+**                       for us all to use (and Email it to me???)
+**
+**                               Brandon
+**                                  photon@usis.com
+**
+***** 
+** adduser 1.0: add a new user account (For systems not using shadow)
+** With a nice little interface and a will to do all the work for you.
+**
+** Craig Hagan
+** hagan@opine.cs.umass.edu
+**
+** Modified to really work, look clean, and find unused uid by Chris Cappuccio
+** chris@slinky.cs.umass.edu
+**
+*****
+**
+** 01/19/95
+**
+** FURTHER modifications to enable shadow passwd support (kludged, but
+** no more so than the original)  by Dan Crowson - dcrowson@mo.net
+**
+** Search on DAN for all changes...
+**
+*****
+**
+** cc -O -o adduser adduser.c
+** Use gcc if you have it... (political reasons beyond my control) (chris)
+**
+** I've gotten this program to work with success under Linux (without
+** shadow) and SunOS 4.1.3. I would assume it should work pretty well
+** on any system that uses no shadow. (chris)
+**
+** If you have no crypt() then try
+** cc -DNO_CRYPT -O -o adduser adduser.c xfdes.c
+** I'm not sure how login operates with no crypt()... I guess
+** the same way we're doing it here.
+*/
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <pwd.h>
+#include <grp.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <sys/types.h>
+#include <sys/timeb.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+#include <syslog.h>
+
+#define IMMEDIATE_CHANGE	/* Expire newly created password, must be changed
+				 * immediately upon next login */
+#define HAVE_QUOTAS		/* Obvious */
+#define EXPIRE_VALS_SET		/* If defined, 'normal' users can't change 
+				 * password expiry values (if running suid root) */
+
+#define HAVE_GETUSERSHELL	/* FIXME: Isn't this defined in config.h too? */
+#define LOGGING			/* If we want to log various things to syslog */
+#define MAX_USRNAME  8		/* Longer usernames seem to work on my system....
+				 * But they're probably a poor idea */
+
+
+#define DEFAULT_SHELL	"/bin/bash"	/* because BASH is your friend */
+#define DEFAULT_HOME	"/home"
+#define USERADD_PATH	"/usr/sbin/useradd"
+#define CHAGE_PATH	"/usr/bin/chage"
+#define PASSWD_PATH	"/usr/bin/passwd"
+#define EDQUOTA_PATH	"/usr/sbin/edquota"
+#define QUOTA_DEFAULT	"defuser"
+#define DEFAULT_GROUP	100
+
+#define DEFAULT_MIN_PASS 0
+#define DEFAULT_MAX_PASS 100
+#define DEFAULT_WARN_PASS 14
+#define DEFAULT_USER_DIE 366
+
+void safeget (char *, int);
+
+void 
+main (void)
+{
+  char foo[32];
+  char usrname[32], person[32], dir[32], shell[32];
+  unsigned int group, min_pass, max_pass, warn_pass, user_die;
+  /* the group and uid of the new user */
+  int bad = 0, done = 0, correct = 0, olduid;
+  char cmd[255];
+  struct group *grp;
+
+  /* flags, in order:
+   * bad to see if the username is in /etc/passwd, or if strange stuff has
+   * been typed if the user might be put in group 0
+   * done allows the program to exit when a user has been added
+   * correct loops until a username is found that isn't in /etc/passwd
+   */
+
+  /* The real program starts HERE! */
+
+  if (geteuid () != 0)
+    {
+      printf ("It seems you don't have access to add a new user.  Try\n");
+      printf ("logging in as root or su root to gain superuser access.\n");
+      exit (1);
+    }
+
+  /* Sanity checks
+   */
+
+#ifdef LOGGING
+  openlog ("adduser", LOG_PID | LOG_CONS | LOG_NOWAIT, LOG_AUTH);
+  syslog (LOG_INFO, "invoked by user %s\n", getpwuid (getuid ())->pw_name);
+#endif
+
+  if (!(grp = getgrgid (DEFAULT_GROUP)))
+    {
+      printf ("Error: the default group %d does not exist on this system!\n",
+	      DEFAULT_GROUP);
+      printf ("adduser must be recompiled.\n");
+#ifdef LOGGING
+      syslog (LOG_ERR, "warning: failed. no such default group\n");
+      closelog ();
+#endif
+      exit (1);
+    };
+
+  while (!correct)
+    {				/* loop until a "good" usrname is chosen */
+      while (!done)
+	{
+	  printf ("\nLogin to add (^C to quit): ");
+	  fflush (stdout);
+
+	  safeget (usrname, sizeof (usrname));
+
+	  if (!strlen (usrname))
+	    {
+	      printf ("Empty input.\n");
+	      done = 0;
+	      continue;
+	    };
+
+	  /* what I saw here before made me think maybe I was running DOS */
+	  /* might this be a solution? (chris) */
+	  if (strlen (usrname) > MAX_USRNAME)
+	    {
+	      printf ("That name is longer than the maximum of %d characters. Choose another.\n", MAX_USRNAME);
+	      done = 0;
+	    }
+	  else if (getpwnam (usrname) != NULL)
+	    {
+	      printf ("That name is in use, choose another.\n");
+	      done = 0;
+	    }
+	  else if (strchr (usrname, ' ') != NULL)
+	    {
+	      printf ("No spaces in username!!\n");
+	      done = 0;
+	    }
+	  else
+	    done = 1;
+	};			/* done, we have a valid new user name */
+
+      /* all set, get the rest of the stuff */
+      printf ("\nEditing information for new user [%s]\n", usrname);
+
+      printf ("\nFull Name [%s]: ", usrname);
+      fflush (stdout);
+      safeget (person, sizeof (person));
+      if (!strlen (person))
+	{
+	  bzero (person, sizeof (person));
+	  strcpy (person, usrname);
+	};
+
+      if (getuid () == 0)
+	{
+	  do
+	    {
+	      bad = 0;
+	      printf ("GID [%d]: ", DEFAULT_GROUP);
+	      fflush (stdout);
+	      safeget (foo, sizeof (foo));
+	      if (!strlen (foo))
+		group = DEFAULT_GROUP;
+	      else if (isdigit (*foo))
+		{
+		  group = atoi (foo);
+		  if (!(grp = getgrgid (group)))
+		    {
+		      printf ("unknown gid %s\n", foo);
+		      group = DEFAULT_GROUP;
+		      bad = 1;
+		    };
+		}
+	      else if ((grp = getgrnam (foo)))
+		group = grp->gr_gid;
+	      else
+		{
+		  printf ("unknown group %s\n", foo);
+		  group = DEFAULT_GROUP;
+		  bad = 1;
+		}
+	      if (group == 0)
+		{		/* You're not allowed to make root group users! */
+		  printf ("Creation of root group users not allowed (must be done by hand)\n");
+		  group = DEFAULT_GROUP;
+		  bad = 1;
+		};
+	    }
+	  while (bad);
+	}
+      else
+	{
+	  printf ("Group will be default of: %d\n", DEFAULT_GROUP);
+	  group = DEFAULT_GROUP;
+	}
+
+      if (getuid () == 0)
+	{
+	  printf ("\nIf home dir ends with a / then '%s' will be appended to it\n", usrname);
+	  printf ("Home Directory [%s/%s]: ", DEFAULT_HOME, usrname);
+	  fflush (stdout);
+	  safeget (dir, sizeof (dir));
+	  if (!strlen (dir))
+	    {			/* hit return */
+	      sprintf (dir, "%s/%s", DEFAULT_HOME, usrname);
+	    }
+	  else if (dir[strlen (dir) - 1] == '/')
+	    sprintf (dir+strlen(dir), "%s", usrname);
+	}
+      else
+	{
+	  printf ("\nHome directory will be %s/%s\n", DEFAULT_HOME, usrname);
+	  sprintf (dir, "%s/%s", DEFAULT_HOME, usrname);
+	}
+
+      printf ("\nShell [%s]: ", DEFAULT_SHELL);
+      fflush (stdout);
+      safeget (shell, sizeof (shell));
+      if (!strlen (shell))
+	sprintf (shell, "%s", DEFAULT_SHELL);
+      else
+	{
+	  char *sh;
+	  int ok = 0;
+#ifdef HAVE_GETUSERSHELL
+	  setusershell ();
+	  while ((sh = getusershell ()) != NULL)
+	    if (!strcmp (shell, sh))
+	      ok = 1;
+	  endusershell ();
+#endif
+	  if (!ok)
+	    {
+	      if (getuid () == 0)
+		printf ("Warning: root allowed non standard shell\n");
+	      else
+		{
+		  printf ("Shell NOT in /etc/shells, DEFAULT used\n");
+		  sprintf (shell, "%s", DEFAULT_SHELL);
+		}
+	    }
+	}
+
+#ifdef EXPIRE_VALS_SET
+      if (getuid () == 0)
+	{
+#endif
+	  printf ("\nMin. Password Change Days [%d]: ", DEFAULT_MIN_PASS);
+	  fflush (stdout);
+	  safeget (foo, sizeof (foo));
+	  if (strlen (foo) > 1)
+	    min_pass = DEFAULT_MIN_PASS;
+	  else
+	    min_pass = atoi (foo);
+
+	  printf ("Max. Password Change Days [%d]: ", DEFAULT_MAX_PASS);
+	  fflush (stdout);
+	  safeget (foo, sizeof (foo));
+	  if (strlen (foo) > 1)
+	    max_pass = atoi (foo);
+	  else
+	    max_pass = DEFAULT_MAX_PASS;
+
+	  printf ("Password Warning Days [%d]: ", DEFAULT_WARN_PASS);
+	  fflush (stdout);
+	  safeget (foo, sizeof (foo));
+	  warn_pass = atoi (foo);
+	  if (warn_pass == 0)
+
+	    warn_pass = DEFAULT_WARN_PASS;
+
+	  printf ("Days after Password Expiry for Account Locking [%d]: ", DEFAULT_USER_DIE);
+	  fflush (stdout);
+	  safeget (foo, sizeof (foo));
+	  user_die = atoi (foo);
+	  if (user_die == 0)
+	    user_die = DEFAULT_USER_DIE;
+
+#ifdef EXPIRE_VALS_SET
+	}
+      else
+	{
+	  printf ("\nSorry, account expiry values are set.\n");
+	  user_die = DEFAULT_USER_DIE;
+	  warn_pass = DEFAULT_WARN_PASS;
+	  max_pass = DEFAULT_MAX_PASS;
+	  min_pass = DEFAULT_MIN_PASS;
+	}
+#endif
+
+      printf ("\nInformation for new user [%s] [%s]:\n", usrname, person);
+      printf ("Home directory: [%s] Shell: [%s]\n", dir, shell);
+      printf ("GID: [%d]\n", group);
+      printf ("MinPass: [%d] MaxPass: [%d] WarnPass: [%d] UserExpire: [%d]\n",
+	      min_pass, max_pass, warn_pass, user_die);
+      printf ("\nIs this correct? [y/N]: ");
+      fflush (stdout);
+      safeget (foo, sizeof (foo));
+
+      done = bad = correct = (foo[0] == 'y' || foo[0] == 'Y');
+
+      if (bad != 1)
+	printf ("\nUser [%s] not added\n", usrname);
+    }
+
+  /* Clobber the environment, I run this suid root sometimes to let 
+   * non root privileged accounts add users --chris */
+
+  *environ = NULL;
+
+  bzero (cmd, sizeof (cmd));
+  sprintf (cmd, "%s -g %d -d %s -s %s -c \"%s\" -m -k /etc/skel %s",
+	   USERADD_PATH, group, dir, shell, person, usrname);
+  printf ("Calling useradd to add new user:\n%s\n", cmd);
+  if (system (cmd))
+    {
+      printf ("User add failed!\n");
+#ifdef LOGGING
+      syslog (LOG_ERR, "could not add new user\n");
+      closelog ();
+#endif
+      exit (errno);
+    };
+
+  olduid = getuid ();	/* chage, passwd, edquota etc. require ruid = root
+			 */
+  setuid (0);
+
+  bzero (cmd, sizeof (cmd));
+
+  /* Chage runs suid root. => we need ruid root to run it with
+   * anything other than chage -l
+   */
+
+  sprintf (cmd, "%s -m %d -M %d -W %d -I %d %s", CHAGE_PATH,
+	   min_pass, max_pass, warn_pass, user_die, usrname);
+  printf ("%s\n", cmd);
+  if (system (cmd))
+    {
+      printf ("There was an error setting password expire values\n");
+#ifdef LOGGING
+      syslog (LOG_ERR, "password expire values could not be set\n");
+#endif
+    };
+
+  /* I want to add a user completely with one easy command --chris */
+
+#ifdef HAVE_QUOTAS
+  bzero (cmd, sizeof (cmd));
+  sprintf (cmd, "%s -p %s -u %s", EDQUOTA_PATH, QUOTA_DEFAULT, usrname);
+  printf ("%s\n", cmd);
+  if (system (cmd))
+    {
+      printf ("\nWarning: error setting quota\n");
+#ifdef LOGGING
+      syslog (LOG_ERR, "warning: account created but NO quotas set!\n");
+#endif /* LOGGING */
+    }
+  else
+    printf ("\nDefault quota set.\n");
+#endif /* HAVE_QUOTAS */
+
+  bzero (cmd, sizeof (cmd));
+  sprintf (cmd, "%s %s", PASSWD_PATH, usrname);
+  if (system (cmd))
+    {
+      printf ("\nWarning: error setting password\n");
+#ifdef LOGGING
+      syslog (LOG_ERR, "warning: password set failed!\n");
+#endif
+    }
+#ifdef IMMEDIATE_CHANGE
+  bzero (cmd, sizeof (cmd));
+  sprintf (cmd, "%s -e %s", PASSWD_PATH, usrname);
+  if (system (cmd))
+    {
+      printf ("\nWarning: error expiring password\n");
+#ifdef LOGGING
+      syslog (LOG_ERR, "warning: password expire failed!\n");
+#endif /* LOGGING */
+    }
+#endif /* IMMEDIATE_CHANGE */
+
+  setuid (olduid);
+
+#ifdef LOGGING
+  closelog ();
+#endif
+
+  printf ("\nDone.\n");
+}
+
+void 
+safeget (char *buf, int maxlen)
+{
+  int c, i = 0, bad = 0;
+  char *bstart = buf;
+  while ((c = getc (stdin)) != EOF && (c != '\n') && (++i < maxlen))
+    {
+      bad = (!isalnum (c) && (c != '_') && (c != ' '));
+      *(buf++) = (char) c;
+    }
+  *buf = '\0';
+
+  if (bad)
+    {
+      printf ("\nString contained banned character. Please stick to alphanumerics.\n");
+      *bstart = '\0';
+    }
+}
+
--- a/contrib/adduser.sh
+++ b/contrib/adduser.sh
@@ -0,0 +1,90 @@
+#!/bin/sh
+# adduser script for use with shadow passwords and useradd command.
+# by Hrvoje Dogan <hdogan@student.math.hr>, Dec 1995.
+
+echo -n "Login name for new user []:"
+read LOGIN
+if [ -z $LOGIN ]
+then echo "Come on, man, you can't leave the login field empty...";exit
+fi
+echo
+echo -n "User id for $LOGIN [ defaults to next available]:"
+read ID
+GUID="-u $ID"
+if [ -z $ID ] 
+then GUID=""
+fi
+
+echo
+echo -n "Initial group for $LOGIN [users]:"
+read GID
+GGID="-g $GID"
+if [ -z $GID ]
+then GGID=""
+fi
+
+echo
+echo -n "Additional groups for $LOGIN []:"
+read AGID
+GAGID="-G $AGID"
+if [ -z $AGID ]
+then GAGID=""
+fi
+
+echo
+echo -n "$LOGIN's home directory [/home/$LOGIN]:"
+read HME
+GHME="-d $HME"
+if [ -z $HME ]
+then GHME=""
+fi
+
+echo
+echo -n "$LOGIN's shell [/bin/bash]:"
+read SHL
+GSHL="-s $SHL"
+if [ -z $SHL ]
+then GSHL=""
+fi
+
+echo
+echo -n "$LOGIN's account expiry date (MM/DD/YY) []:"
+read EXP
+GEXP="-e $EXP"
+if [ -z $EXP ]
+then GEXP=""
+fi
+echo
+echo OK, I'm about to make a new account. Here's what you entered so far:
+echo New login name: $LOGIN
+if [ -z $GUID ] 
+then echo New UID: [Next available]
+else echo New UID: $UID
+fi
+if [ -z $GGID ]
+then echo Initial group: users
+else echo Initial group: $GID
+fi
+if [ -z $GAGID ]
+then echo Additional groups: [none]
+else echo Additional groups: $AGID
+fi
+if [ -z $GHME ]
+then echo Home directory: /home/$LOGIN
+else echo Home directory: $HME
+fi
+if [ -z $GSHL ]
+then echo Shell: /bin/bash
+else echo Shell: $SHL
+fi
+if [ -z $GEXP ]
+then echo Expiry date: [no expiration]
+else echo Expiry date: $EXP
+fi
+echo "This is it... if you want to bail out, you'd better do it now."
+read FOO
+echo Making new account...
+/usr/sbin/useradd $GHME -m $GEXP $GGID $GAGID $GSHL $GUID $LOGIN
+/usr/bin/chfn $LOGIN
+/usr/bin/passwd $LOGIN
+echo "Done..."
--- a/contrib/adduser2.sh
+++ b/contrib/adduser2.sh
@@ -0,0 +1,743 @@
+#!/bin/bash
+#
+#  adduser			Interactive user adding program.
+#
+#  Copyright (C) 1996		Petri Mattila, Prihateam Networks
+#				petri@prihateam.fi
+#	
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2, or (at your option)
+#  any later version.
+#
+# Changes:
+#	220496	v0.01	Initial version
+#	230496	v0.02	More checks, embolden summary
+#	240496		Even more checks
+#	250496 		Help with ?
+#	040596	v0.03	Cleanups
+#	050596	v0.04	Bug fixes, expire date checks
+#	070596	v0.05	Iso-latin-1 names
+#
+
+## Defaults
+
+# default groups
+def_group="users"
+def_other_groups=""
+
+# default home directory
+def_home_dir=/home/users
+
+# default shell
+def_shell=/bin/tcsh
+
+# Default expiration date (mm/dd/yy)
+def_expire=""
+
+# default dates
+def_pwd_min=0
+def_pwd_max=90
+def_pwd_warn=14
+def_pwd_iact=14
+
+
+# possible UIDs
+uid_low=1000
+uid_high=64000
+
+# skel directory
+skel=/etc/skel
+
+# default mode for home directory
+def_mode=711
+
+# Regex, that the login name must meet, only ANSI characters
+login_regex='^[0-9a-zA-Z_-]*$'
+
+# Regex, that the user name must meet
+# ANSI version
+##name_regex='^[0-9a-zA-Z_-\ ]*$'
+# ISO-LATIN-1 version
+name_regex='^[0-9a-zA-ZÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõöùúûüýþÿ_-\ ]*$'
+
+# set PATH
+export PATH="/bin:/sbin:/usr/bin:/usr/sbin"
+
+# Some special characters
+case "$TERM" in
+   vt*|ansi*|con*|xterm*|linux*)
+	S='[1m'	# start embolden
+	E='[m'	# end embolden
+	;;
+   *)	
+	S=''
+	E=''
+	;;
+esac
+
+
+## Functions
+
+check_root() {
+	if test "$EUID" -ne 0
+	then
+		echo "You must be root to run this program."
+		exit 1
+	fi
+}
+
+check_user() {
+	local usr pwd uid gid name home sh
+
+	cat /etc/passwd | (
+		while IFS=":" read usr pwd uid gid name home sh
+		do
+			if test "$1" = "${usr}"
+			then
+				return 1
+			fi
+		done
+		return 0
+	)
+}
+
+check_group() {
+	local read grp pwd gid members
+
+	cat /etc/group | (
+		while IFS=":" read grp pwd gid members
+		do
+			if test "$1" = "${grp}"
+			then
+				return 1
+			fi
+		done
+		return 0
+	)
+}
+
+check_other_groups() {
+	local grp check IFS
+
+	check="$1"
+	IFS=","
+
+	set ${check}
+	for grp
+	do
+		if check_group "${grp}"
+		then
+			echo "Group ${grp} does not exist."
+			return 1
+		fi
+	done
+	return 0
+}		
+
+check_uid() {
+	local usr pwd uid gid name home sh
+	
+	cat /etc/passwd | (
+		while IFS=":" read usr pwd uid gid name home sh
+		do
+			if test "$1" = "${uid}"
+			then
+				return 1
+			fi
+		done
+		return 0
+	)
+}
+
+read_yn() {
+	local ans ynd
+	
+	ynd="$1"
+	
+	while :
+	do
+		read ans	
+		case "${ans}" in
+		      "") return ${ynd} ;;
+		    [nN]) return 1 ;;
+		    [yY]) return 0 ;;
+		       *) echo -n "Y or N, please ? " ;;
+		esac
+	done
+}
+
+read_login() {
+	echo
+	while :
+	do
+		echo -n "Login: ${def_login:+[${def_login}] }"
+		read login
+		
+		if test "${login}" = '?'
+		then
+			less /etc/passwd
+			echo
+			continue
+		fi
+
+		if test -z "${login}" -a -n "${def_login}"
+		then
+			login="${def_login}"
+			echo "Using ${login}"
+			return
+		fi
+		
+		if test "${#login}" -gt 8
+		then
+			echo "Login must be at most 8 characters long"
+			continue
+		fi
+		
+		if test "${#login}" -lt 2
+		then
+			echo "Login must be at least 2 characters long"
+			continue
+		fi
+		
+		if ! expr "${login}" : "${login_regex}" &> /dev/null
+		then
+			echo "Please use letters, numbers and special characters _-,."
+			continue
+		fi
+		
+		if ! check_user "${login}"
+		then
+			echo "Username ${login} is already in use"
+			continue
+		fi
+		
+		def_login="${login}"
+		return
+	done
+}
+
+read_name () {
+	echo
+	while :
+	do
+		echo -n "Real name: ${def_name:+[${def_name}] }"
+		read name
+		
+		if test "${name}" = '?'
+		then
+			less /etc/passwd
+			echo
+			continue
+		fi
+
+		if test -z "${name}" -a -n "${def_name}"
+		then
+			name="${def_name}"
+			echo "Using ${name}"
+		fi
+
+		if test "${#name}" -gt 32
+		then
+			echo "Name should be at most 32 characters long"
+			continue
+		fi
+
+		if ! expr "${name}" : "${name_regex}" &> /dev/null
+		then
+			echo "Please use letters, numbers, spaces and special characters ,._-"
+			continue
+		fi
+		
+		def_name="${name}"
+		return
+	done
+}
+
+read_home() {
+	local x
+	
+	echo
+	while :
+	do
+		echo -n "Home Directory: [${def_home_dir}/${login}] "
+		read home
+		
+		if test -z "${home}"
+		then
+			home="${def_home_dir}/${login}"
+			echo "Using ${home}"
+		fi
+		
+		if ! expr "${home}" : '^[0-9a-zA-Z,._-\/]*$' &> /dev/null
+		then
+			echo "Please use letters, numbers, spaces and special characters ,._-/"
+			continue
+		fi
+		
+		x="$(basename ${home})"
+		if test "${x}" != "${login}"
+		then
+			echo "Warning: you are about to use different login name and home directory."
+		fi
+		
+		x="$(dirname ${home})"
+		if ! test -d "${x}"
+		then
+			echo "Directory ${x} does not exist."
+			echo "If you still want to use it, please make it manually."
+			continue
+		fi
+		
+		def_home_dir="${x}"
+		return
+	done
+}
+
+read_shell () {
+	local x
+
+	echo
+	while :
+	do
+		echo -n "Shell: [${def_shell}] "
+		read shell
+		
+		if test -z "${shell}"
+		then
+			shell="${def_shell}"
+			echo "Using ${shell}"
+		fi
+		
+		for x in $(cat /etc/shells)
+		do
+			if test "${x}" = "${shell}"
+			then
+				def_shell="${shell}"
+				return
+			fi
+		done
+
+		echo "Possible shells are:"
+		cat /etc/shells
+	done
+}
+
+read_group () {
+	echo
+	while :
+	do
+		echo -n "Group: [${def_group}] "
+		read group
+		
+		if test -z "${group}"
+		then
+			group="${def_group}"
+			echo "Using ${group}"
+		fi
+		
+		if test "${group}" = '?'
+		then
+			less /etc/group
+			echo
+			continue
+		fi
+
+		if check_group "${group}"
+		then
+			echo "Group ${group} does not exist."
+			continue
+		fi
+		
+		def_group="${group}"
+		return
+	done
+}
+
+read_other_groups () {
+	echo
+	while :
+	do
+		echo -n "Other groups: [${def_og:-none}] "
+		read other_groups
+		
+		if test "${other_groups}" = '?'
+		then
+			less /etc/group
+			echo
+			continue
+		fi
+
+		if test -z "${other_groups}"
+		then
+			if test -n "${def_og}"
+			then
+				other_groups="${def_og}"
+				echo "Using ${other_groups}"
+			else	
+				echo "No other groups"
+				return
+			fi
+		fi
+		
+		
+		if ! check_other_groups "${other_groups}"
+		then
+			continue
+		fi
+		
+		def_og="${other_groups}"
+		return
+	done
+}
+
+read_uid () {
+	echo
+	while :
+	do
+		echo -n "uid: [first free] "
+		read uid
+			
+		if test -z "${uid}"
+		then
+			echo "Using first free UID."
+			return
+		fi
+		
+		if test "${uid}" = '?'
+		then
+			less /etc/passwd
+			echo
+			continue
+		fi
+
+		if ! expr "${uid}" : '^[0-9]+$' &> /dev/null
+		then
+			echo "Please use numbers only."
+			continue
+		fi
+		if test "${uid}" -lt "${uid_low}"
+		then
+			echo "UID must be greater than ${uid_low}"
+			continue
+		fi
+		if test "${uid}" -gt "${uid_high}"
+		then
+			echo "UID must be smaller than ${uid_high}"
+			continue
+		fi
+		if ! check_uid "${uid}"
+		then
+			echo "UID ${uid} is already in use"
+			continue
+		fi
+		
+		return
+	done
+}
+
+read_max_valid_days() {
+	echo
+	while :
+	do
+		echo -en "Maximum days between password changes: [${def_pwd_max}] "
+		read max_days
+		
+		if test -z "${max_days}"
+		then
+			max_days="${def_pwd_max}"
+			echo "Using ${max_days}"
+			return
+		fi
+		
+		if ! expr "${max_days}" : '^[0-9]+$' &> /dev/null
+		then
+			echo "Please use numbers only."
+			continue
+		fi
+		if test "${max_days}" -lt 7
+		then
+			echo "Warning: you are using a value shorter than a week."
+		fi
+		
+		def_pwd_max="${max_days}"
+		return	
+	done
+}
+
+read_min_valid_days() {
+	echo
+	while :
+	do
+		echo -en "Minimum days between password changes: [${def_pwd_min}] "
+		read min_days
+		
+		if test -z "${min_days}"
+		then
+			min_days="${def_pwd_min}"
+			echo "Using ${min_days}"
+			return
+		fi
+		
+		if ! expr "${min_days}" : '^[0-9]+$' &> /dev/null
+		then
+			echo "Please use numbers only."
+			continue
+		fi
+		if test "${min_days}" -gt 7
+		then
+			echo "Warning: you are using a value longer than a week."
+		fi
+		
+		def_pwd_min="${min_days}"
+		return	
+	done
+}
+
+read_warning_days() {
+	echo
+	while :
+	do
+		echo -en "Number of warning days before password expires: [${def_pwd_warn}] "
+		read warn_days
+		
+		if test -z "${warn_days}"
+		then
+			warn_days="${def_pwd_warn}"
+			echo "Using ${warn_days}"
+		fi
+
+		if ! expr "${warn_days}" : '^[0-9]+$' &> /dev/null
+		then
+			echo "Please use numbers only."
+			continue
+		fi
+		if test "${warn_days}" -gt 14
+		then
+			echo "Warning: you are using a value longer than two week."
+		fi
+		
+		def_pwd_warn="${warn_days}"
+		return	
+	done
+}
+
+
+read_inactive_days() {
+	echo
+	while :
+	do
+		echo -en "Number of usable days after expiration: [${def_pwd_iact}] "
+		read iact_days
+		
+		if test -z "${iact_days}"
+		then
+			iact_days="${def_pwd_iact}"
+			echo "Using ${iact_days}"
+			return
+		fi
+		if ! expr "${iact_days}" : '^[0-9]+$' &> /dev/null
+		then
+			echo "Please use numbers only."
+			continue
+		fi
+		if test "${iact_days}" -gt 14
+		then
+			echo "Warning: you are using a value that is more than two weeks."
+		fi
+		
+		def_pwd_iact="${iact_days}"
+		return	
+	done
+}
+
+read_expire_date() {
+	local ans
+	
+	echo
+	while :
+	do
+		echo -en "Expire date of this account (mm/dd/yy): [${def_expire:-never}] "
+		read ans
+		
+		if test -z "${ans}"
+		then
+			if test -z "${def_expire}"
+			then
+				ans="never"
+			else
+				ans="${def_expire}"
+				echo "Using ${def_expire}"
+			fi
+		fi
+		
+		if test "${ans}" = "never"
+		then
+			echo "Account will never expire."
+			def_expire=""
+			expire=""
+			return
+		fi
+
+		if ! expr "${ans}" : '^[0-9][0-9]/[0-9][0-9]/[0-9][0-9]$' &> /dev/null
+		then
+			echo "Please use format mm/dd/yy"
+			continue
+		fi
+		
+		if ! expire_date="$(date -d ${ans} '+%A, %B %d %Y')"
+		then
+			continue
+		fi
+		
+		def_expire="${expire}"
+		return	
+	done
+}
+
+read_passwd_yn() {
+	echo -en "\nDo you want to set password [Y/n] ? "
+	if read_yn 0
+	then
+		set_pwd="YES"
+	else
+		set_pwd=""
+	fi
+}
+
+
+print_values() {
+
+clear
+cat << EOM
+
+Login:        ${S}${login}${E}
+Group:        ${S}${group}${E}
+Other groups: ${S}${other_groups:-[none]}${E}
+
+Real Name:    ${S}${name}${E}
+
+uid:          ${S}${uid:-[first free]}${E}
+home:         ${S}${home}${E}
+shell:        ${S}${shell}${E}
+
+Account expiration date:                   ${S}${expire_date:-never}${E}
+Minimum days between password changes:     ${S}${min_days}${E}
+Maximum days between password changes:     ${S}${max_days}${E}
+Number of usable days after expiration:    ${S}${iact_days}${E}
+Number of warning days before expiration:  ${S}${warn_days}${E}
+
+${S}${set_pwd:+Set password for this account.}${E}
+
+EOM
+}
+
+set_user() {
+	if ! useradd \
+		-c "${name}" \
+		-d "${home}" \
+		-g "${group}" \
+		-s "${shell}" \
+		${expire:+-e ${expire}} \
+		${uid:+-u ${uid}} \
+		${other_groups:+-G ${other_groups}} \
+		${login}
+	then
+		echo "Error ($?) in useradd...exiting..."
+		exit 1
+	fi
+}
+
+set_aging() {
+	if ! passwd \
+		-x ${max_days} \
+		-n ${min_days} \
+		-w ${warn_days} \
+		-i ${iact_days} \
+		${login}
+	then
+		echo "Error ($?) in setting password aging...exiting..." 
+		exit 1
+	fi
+}
+
+set_password() {
+	if test -n "${set_pwd}"
+	then
+		echo
+		passwd ${login}
+		echo
+	fi
+}	
+
+set_system() {
+	if test -d "${home}"
+	then
+		echo "Directory ${home} already exists."
+		echo "Skeleton files not copied."
+		return
+	fi
+	
+	echo -n "Copying skeleton files..."
+	( 
+	  mkdir ${home}
+	  cd ${skel} && cp -af . ${home}
+	  chmod ${def_mode} ${home}
+	  chown -R ${login}:${group} ${home}
+	)
+	echo "done."
+
+	## Add your own stuff here:
+	echo -n "Setting up other files..."
+	(
+	  mailbox="/var/spool/mail/${login}"
+	  touch ${mailbox}
+	  chown "${login}:mail" ${mailbox}
+	  chmod 600 ${mailbox}
+	)
+	echo "done."
+}
+
+
+read_values() {
+	clear
+	echo -e "\nPlease answer the following questions about the new user to be added."
+	
+	while :
+	do
+		read_login
+		read_name
+		read_group
+		read_other_groups
+		read_home
+		read_shell
+		read_uid
+		read_expire_date
+		read_max_valid_days
+		read_min_valid_days
+		read_warning_days
+		read_inactive_days
+		read_passwd_yn
+
+		print_values
+		
+		echo -n "Is this correct [N/y] ? "
+		read_yn 1 && return
+	done
+}
+
+
+main() {
+	check_root
+	read_values
+	set_user
+	set_aging
+	set_system
+	set_password
+}
+
+
+## Run it 8-)
+main
+
+# End.
--- a/contrib/atudel
+++ b/contrib/atudel
@@ -0,0 +1,85 @@
+#!/usr/bin/perl
+#
+# Copyright (c) 1996 Brian R. Gaeke
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+#    must display the following acknowledgement:
+#    This product includes software developed by Brian R. Gaeke.
+# 4. The name of the author, Brian R. Gaeke, may not be used to endorse
+#    or promote products derived from this software without specific
+#    prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY BRIAN R. GAEKE ``AS IS'' AND ANY EXPRESS
+# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED.  IN NO EVENT SHALL BRIAN R. GAEKE BE LIABLE FOR ANY DIRECT,
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+# Additionally:
+#
+# This software is provided without support and without any obligation
+# on the part of Brian R. Gaeke to assist in its use, correction,
+# modification or enhancement.
+#
+#######################################################################
+#
+# this is atudel, version 2, by Brian R. Gaeke <brg@dgate.org>
+#
+
+require "getopts.pl";
+&Getopts('v');
+$username = shift(@ARGV);
+&usage unless $username;
+
+sub usage
+{
+	print STDERR "atudel - remove all at jobs owned by a user\n";
+	print STDERR "usage: $0 [-v] username\n";
+	exit(1);
+}
+
+# odd. unless getpwnam($uname) doesn't seem to work for $uname eq "root" on
+# my linux system. but this does.
+die "user $username does not exist; stopping"
+	unless defined(getpwnam($username));
+
+print "searching for at jobs owned by user $username ..." if $opt_v;
+
+chdir "/var/spool/atjobs" ||
+	die "can't chdir to /var/spool/atjobs: $!\nstopping";
+opendir(DIR,".") || die "can't opendir(/var/spool/atjobs): $!\nstopping";
+@files = grep(!/^\./,grep(-f,readdir(DIR)));
+closedir DIR;
+
+foreach $x (@files)
+{
+	$owner = (getpwuid((stat($x))[4]))[0];
+	push(@nuke_bait,$x) if $owner eq $username;
+}
+
+if (@nuke_bait)
+{
+	print "removed jobIDs: @{nuke_bait}.\n" if $opt_v;
+	unlink @nuke_bait;
+}
+elsif ($opt_v)
+{
+	print "\n";
+}
+
+exit 0;
--- a/contrib/groupmems.shar
+++ b/contrib/groupmems.shar
@@ -0,0 +1,546 @@
+#!/bin/sh
+# This is a shell archive (produced by GNU sharutils 4.2.1).
+# To extract the files from this archive, save it to some FILE, remove
+# everything before the `!/bin/sh' line above, then type `sh FILE'.
+#
+# Made on 2000-05-25 14:41 CDT by <gk4@gnu.austin.ibm.com>.
+# Source directory was `/home/gk4/src/groupmem'.
+#
+# Existing files will *not* be overwritten unless `-c' is specified.
+#
+# This shar contains:
+# length mode       name
+# ------ ---------- ------------------------------------------
+#   1960 -rw-r--r-- Makefile
+#   6348 -rw-r--r-- groupmems.c
+#   3372 -rw------- groupmems.8
+#
+save_IFS="${IFS}"
+IFS="${IFS}:"
+gettext_dir=FAILED
+locale_dir=FAILED
+first_param="$1"
+for dir in $PATH
+do
+  if test "$gettext_dir" = FAILED && test -f $dir/gettext \
+     && ($dir/gettext --version >/dev/null 2>&1)
+  then
+    set `$dir/gettext --version 2>&1`
+    if test "$3" = GNU
+    then
+      gettext_dir=$dir
+    fi
+  fi
+  if test "$locale_dir" = FAILED && test -f $dir/shar \
+     && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
+  then
+    locale_dir=`$dir/shar --print-text-domain-dir`
+  fi
+done
+IFS="$save_IFS"
+if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
+then
+  echo=echo
+else
+  TEXTDOMAINDIR=$locale_dir
+  export TEXTDOMAINDIR
+  TEXTDOMAIN=sharutils
+  export TEXTDOMAIN
+  echo="$gettext_dir/gettext -s"
+fi
+if touch -am -t 200112312359.59 $$.touch >/dev/null 2>&1 && test ! -f 200112312359.59 -a -f $$.touch; then
+  shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
+elif touch -am 123123592001.59 $$.touch >/dev/null 2>&1 && test ! -f 123123592001.59 -a ! -f 123123592001.5 -a -f $$.touch; then
+  shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
+elif touch -am 1231235901 $$.touch >/dev/null 2>&1 && test ! -f 1231235901 -a -f $$.touch; then
+  shar_touch='touch -am $3$4$5$6$2 "$8"'
+else
+  shar_touch=:
+  echo
+  $echo 'WARNING: not restoring timestamps.  Consider getting and'
+  $echo "installing GNU \`touch', distributed in GNU File Utilities..."
+  echo
+fi
+rm -f 200112312359.59 123123592001.59 123123592001.5 1231235901 $$.touch
+#
+if mkdir _sh10937; then
+  $echo 'x -' 'creating lock directory'
+else
+  $echo 'failed to create lock directory'
+  exit 1
+fi
+# ============= Makefile ==============
+if test -f 'Makefile' && test "$first_param" != -c; then
+  $echo 'x -' SKIPPING 'Makefile' '(file already exists)'
+else
+  $echo 'x -' extracting 'Makefile' '(text)'
+  sed 's/^X//' << 'SHAR_EOF' > 'Makefile' &&
+/*
+# Copyright 2000, International Business Machines, Inc.
+# All rights reserved.
+#
+# original author: George Kraft IV, gk4@us.ibm.com
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. Neither the name of International Business Machines, Inc., nor the 
+#    names of its contributors may be used to endorse or promote products 
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY INTERNATIONAL BUSINESS MACHINES, INC. AND
+# CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, 
+# BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL 
+# INTERNATIONAL BUSINESS MACHINES, INC. OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+# 
+X
+all: groupmems
+X
+groupmems: groupmems.c
+X	cc -g -o groupmems groupmems.c -L. -lshadow
+X
+install: groupmems
+X	-/usr/sbin/groupadd groups
+X	install -o root -g groups -m 4770 groupmems /usr/bin
+X
+install.man: groupmems.8
+X	install -o root -g root -m 644 groupmems.8 /usr/man/man8
+X
+SHAR_EOF
+  (set 20 00 05 25 14 40 28 'Makefile'; eval "$shar_touch") &&
+  chmod 0644 'Makefile' ||
+  $echo 'restore of' 'Makefile' 'failed'
+  if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
+  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
+    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
+    || $echo 'Makefile:' 'MD5 check failed'
+b46cf7ef8d59149093c011ced3f3103c  Makefile
+SHAR_EOF
+  else
+    shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'Makefile'`"
+    test 1960 -eq "$shar_count" ||
+    $echo 'Makefile:' 'original size' '1960,' 'current size' "$shar_count!"
+  fi
+fi
+# ============= groupmems.c ==============
+if test -f 'groupmems.c' && test "$first_param" != -c; then
+  $echo 'x -' SKIPPING 'groupmems.c' '(file already exists)'
+else
+  $echo 'x -' extracting 'groupmems.c' '(text)'
+  sed 's/^X//' << 'SHAR_EOF' > 'groupmems.c' &&
+/*
+X * Copyright 2000, International Business Machines, Inc.
+X * All rights reserved.
+X *
+X * original author: George Kraft IV, gk4@us.ibm.com
+X *
+X * Redistribution and use in source and binary forms, with or without
+X * modification, are permitted provided that the following conditions
+X * are met:
+X *
+X * 1. Redistributions of source code must retain the above copyright
+X *    notice, this list of conditions and the following disclaimer.
+X * 2. Redistributions in binary form must reproduce the above copyright
+X *    notice, this list of conditions and the following disclaimer in the
+X *    documentation and/or other materials provided with the distribution.
+X * 3. Neither the name of International Business Machines, Inc., nor the 
+X *    names of its contributors may be used to endorse or promote products 
+X *    derived from this software without specific prior written permission.
+X *
+X * THIS SOFTWARE IS PROVIDED BY INTERNATIONAL BUSINESS MACHINES, INC. AND
+X * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, 
+X * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
+X * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL 
+X * INTERNATIONAL BUSINESS MACHINES, INC. OR CONTRIBUTORS BE LIABLE
+X * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+X * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+X * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+X * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+X * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+X * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+X * SUCH DAMAGE.
+X */
+/*
+**
+**	Utility "groupmem" adds and deletes members from a user's group.
+**	
+**	Setup (as "root"):
+**	
+**		groupadd -r groups 
+**		chmod 2770 groupmems
+**		chown root.groups groupmems
+**		groupmems -g groups -a gk4
+**	
+**	Usage (as "gk4"):
+**	
+**		groupmems -a olive
+**		groupmems -a jordan
+**		groupmems -a meghan
+**		groupmems -a morgan
+**		groupmems -a jake
+**		groupmems -l 
+**		groupmems -d jake
+**		groupmems -l 
+*/
+X
+#include <stdio.h>
+#include <pwd.h>
+#include <grp.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include "defines.h"
+#include "groupio.h"
+X
+/* Exit Status Values */
+X
+#define EXIT_SUCCESS		0	/* success */
+#define EXIT_USAGE		1	/* invalid command syntax */
+#define EXIT_GROUP_FILE		2	/* group file access problems */
+#define EXIT_NOT_ROOT		3	/* not superuser  */
+#define EXIT_NOT_EROOT		4	/* not effective superuser  */
+#define EXIT_NOT_PRIMARY	5	/* not primary owner of group  */
+#define EXIT_NOT_MEMBER		6	/* member of group does not exist */
+#define EXIT_MEMBER_EXISTS	7	/* member of group already exists */
+X
+#define TRUE 1
+#define FALSE 0
+X
+/* Globals */
+X
+extern int optind;
+extern char *optarg;
+static char *adduser = NULL;
+static char *deluser = NULL;
+static char *thisgroup = NULL;
+static int purge = FALSE;
+static int list = FALSE;
+static int exclusive = 0;
+X
+static int isroot(void) {
+X	return getuid() ? FALSE : TRUE;
+}
+X
+static int isgroup(void) {
+X	gid_t g = getgid();
+X	struct group *grp = getgrgid(g);
+X
+X	return TRUE;
+}
+X
+static char *whoami(void) {
+X	struct group *grp = getgrgid(getgid());
+X	struct passwd *usr = getpwuid(getuid());
+X
+X	if (0 == strcmp(usr->pw_name, grp->gr_name)) {
+X		return (char *)strdup(usr->pw_name);
+X	} else {
+X		return NULL;
+X	} 
+}
+X
+static void
+addtogroup(char *user, char **members) {
+X	int i;
+X	char **pmembers;
+X
+X	for (i = 0; NULL != members[i]; i++ ) {
+X		if (0 == strcmp(user, members[i])) {
+X			fprintf(stderr, "Member already exists\n");
+X			exit(EXIT_MEMBER_EXISTS);
+X		}
+X	}
+X
+X	if (0 == i) {
+X		pmembers = (char **)calloc(2, sizeof(char *));
+X	} else {
+X		pmembers = (char **)realloc(members, sizeof(char *)*(i+1));
+X	}
+X
+X	*members = *pmembers;
+X	members[i] = user;
+X	members[i+1] = NULL;
+}
+X
+static void
+rmfromgroup(char *user, char **members) {
+X	int i;
+X	int found = FALSE;
+X
+X	i = 0;
+X	while (!found && NULL != members[i]) {
+X		if (0 == strcmp(user, members[i])) {
+X			found = TRUE;
+X		} else {
+X			i++;
+X		}
+X	}
+X
+X	while (found && NULL != members[i]) {
+X		members[i] = members[++i];
+X	}
+X
+X	if (!found) {
+X		fprintf(stderr, "Member to remove could not be found\n");
+X		exit(EXIT_NOT_MEMBER);
+X	}
+}
+X
+static void
+nomembers(char **members) {
+X	int i;
+X
+X	for (i = 0; NULL != members[i]; i++ ) {
+X		members[i] = NULL;
+X	}
+}
+X
+static void
+members(char **members) {
+X	int i;
+X
+X	for (i = 0; NULL != members[i]; i++ ) {
+X		printf("%s ", members[i]);
+X
+X		if (NULL == members[i+1]) {
+X			printf("\n");
+X		} else {
+X			printf(" ");
+X		}
+X	}
+}
+X
+static void usage(void) {
+X	fprintf(stderr, "usage: groupmems -a username | -d username | -D | -l [-g groupname]\n");
+X	exit(EXIT_USAGE);
+}
+X
+main(int argc, char **argv) {
+X	int arg, i;
+X	char *name;
+X	struct group *grp;
+X
+X	while ((arg = getopt(argc, argv, "a:d:g:Dl")) != EOF) {
+X		switch (arg) {
+X		case 'a':
+X			adduser = strdup(optarg);
+X			++exclusive;
+X			break;
+X		case 'd':
+X			deluser = strdup(optarg);
+X			++exclusive;
+X			break;
+X		case 'g':
+X			thisgroup = strdup(optarg);
+X			break;
+X		case 'D':
+X			purge = TRUE;
+X			++exclusive;
+X			break;
+X		case 'l':
+X			list = TRUE;
+X			++exclusive;
+X			break;
+X		default:
+X			usage();
+X		}
+X	}
+X
+X	if (exclusive > 1 || optind < argc) {
+X		usage();
+X	}
+X
+X	if (!isroot() && NULL != thisgroup) {
+X		fprintf(stderr, "Only root can add members to different groups\n");
+X		exit(EXIT_NOT_ROOT);
+X	} else if (isroot() && NULL != thisgroup) {
+X		name = thisgroup;
+X	} else if (!isgroup()) {
+X		fprintf(stderr, "Group access is required\n");
+X		exit(EXIT_NOT_EROOT);
+X	} else if (NULL == (name = whoami())) {
+X		fprintf(stderr, "Not primary owner of current group\n");
+X		exit(EXIT_NOT_PRIMARY);
+X	}
+X
+X	if (!gr_lock()) {
+X		fprintf(stderr, "Unable to lock group file\n");
+X		exit(EXIT_GROUP_FILE);
+X	}
+X
+X	if (!gr_open(O_RDWR)) {
+X		fprintf(stderr, "Unable to open group file\n");
+X		exit(EXIT_GROUP_FILE);
+X	}
+X
+X	grp = (struct group *)gr_locate(name);
+X
+X	if (NULL != adduser) {
+X		addtogroup(adduser, grp->gr_mem);
+X		gr_update(grp);
+X	} else if (NULL != deluser) {
+X		rmfromgroup(deluser, grp->gr_mem);
+X		gr_update(grp);
+X	} else if (purge) {
+X		nomembers(grp->gr_mem);
+X		gr_update(grp);
+X	} else if (list) {
+X		members(grp->gr_mem);
+X	}
+X
+X	if (!gr_close()) {
+X		fprintf(stderr, "Cannot close group file\n");
+X		exit(EXIT_GROUP_FILE);
+X	}
+X
+X	gr_unlock();
+X
+X	exit(EXIT_SUCCESS);
+}
+X
+/* EOF */
+SHAR_EOF
+  (set 20 00 05 25 14 36 38 'groupmems.c'; eval "$shar_touch") &&
+  chmod 0644 'groupmems.c' ||
+  $echo 'restore of' 'groupmems.c' 'failed'
+  if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
+  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
+    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
+    || $echo 'groupmems.c:' 'MD5 check failed'
+f0dd68f8d762d89d24d3ce1f4141f981  groupmems.c
+SHAR_EOF
+  else
+    shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'groupmems.c'`"
+    test 6348 -eq "$shar_count" ||
+    $echo 'groupmems.c:' 'original size' '6348,' 'current size' "$shar_count!"
+  fi
+fi
+# ============= groupmems.8 ==============
+if test -f 'groupmems.8' && test "$first_param" != -c; then
+  $echo 'x -' SKIPPING 'groupmems.8' '(file already exists)'
+else
+  $echo 'x -' extracting 'groupmems.8' '(text)'
+  sed 's/^X//' << 'SHAR_EOF' > 'groupmems.8' &&
+X.\"
+X.\" Copyright 2000, International Business Machines, Inc.
+X.\" All rights reserved.
+X.\"
+X.\" original author: George Kraft IV, gk4@us.ibm.com
+X.\"
+X.\" Redistribution and use in source and binary forms, with or without
+X.\" modification, are permitted provided that the following conditions
+X.\" are met:
+X.\"
+X.\" 1. Redistributions of source code must retain the above copyright
+X.\"    notice, this list of conditions and the following disclaimer.
+X.\" 2. Redistributions in binary form must reproduce the above copyright
+X.\"    notice, this list of conditions and the following disclaimer in the
+X.\"    documentation and/or other materials provided with the distribution.
+X.\" 3. Neither the name of International Business Machines, Inc., nor the 
+X.\"    names of its contributors may be used to endorse or promote products 
+X.\"    derived from this software without specific prior written permission.
+X.\"
+X.\" THIS SOFTWARE IS PROVIDED BY INTERNATIONAL BUSINESS MACHINES, INC. AND
+X.\" CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, 
+X.\" BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
+X.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL 
+X.\" INTERNATIONAL BUSINESS MACHINES, INC. OR CONTRIBUTORS BE LIABLE
+X.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+X.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+X.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+X.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+X.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+X.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+X.\" SUCH DAMAGE.
+X.\"
+X.\" $Id$
+X.\"
+X.TH GROUPMEMS 8
+X.SH NAME
+groupmems \- Administer members of a user's primary group
+X.SH SYNOPSIS
+X.B groupmems
+\fB-a\fI user_name \fR |
+\fB-d\fI user_name \fR |
+\fB-l\fR |
+\fB-D\fR |
+[\fB-g\fI group_name \fR]
+X.SH DESCRIPTION
+The \fBgroupmems\fR utility allows a user to administer their own
+group membership list without the requirement of superuser privileges.
+The \fBgroupmems\fR utility is for systems that configure its users to
+be in their own name sake primary group (i.e., guest / guest).
+X.P
+Only the superuser, as administrator, can use \fBgroupmems\fR to alter
+the memberships of other groups.
+X.IP "\fB-a \fIuser_name\fR"
+Add a new user to the group membership list.
+X.IP "\fB-d \fIuser_name\fR"
+Delete a user from the group membership list.
+X.IP "\fB-l\fR"
+List the group membership list.
+X.IP "\fB-D\fR"
+Delete all users from the group membership list.
+X.IP "\fB-g \fIgroup_name\fR"
+The superuser can specify which group membership list to modify.
+X.SH SETUP
+The \fBgroupmems\fR executable should be in mode \fB2770\fR as user \fBroot\fR
+and in group \fBgroups\fR.   The system administrator can add users to
+group groups to allow or disallow them using the  \fBgroupmems\fR utility
+to manager their own group membership list.
+X.P
+X     $ groupadd -r groups
+X.br
+X     $ chmod 2770 groupmems
+X.br
+X     $ chown root.groups groupmems
+X.br
+X     $ groupmems -g groups -a gk4
+X.SH FILES
+/etc/group
+X.br
+/etc/gshadow
+X.SH SEE ALSO
+X.BR chfn (1),
+X.BR chsh (1),
+X.BR useradd (8),
+X.BR userdel (8),
+X.BR usermod (8),
+X.BR passwd (1),
+X.BR groupadd (8),
+X.BR groupdel (8)
+X.SH AUTHOR
+George Kraft IV (gk4@us.ibm.com)
+X.\" EOF
+SHAR_EOF
+  (set 20 00 05 25 14 38 23 'groupmems.8'; eval "$shar_touch") &&
+  chmod 0600 'groupmems.8' ||
+  $echo 'restore of' 'groupmems.8' 'failed'
+  if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
+  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
+    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
+    || $echo 'groupmems.8:' 'MD5 check failed'
+181e6cd3a3c9d3df320197fa2cde2b4a  groupmems.8
+SHAR_EOF
+  else
+    shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'groupmems.8'`"
+    test 3372 -eq "$shar_count" ||
+    $echo 'groupmems.8:' 'original size' '3372,' 'current size' "$shar_count!"
+  fi
+fi
+rm -fr _sh10937
+exit 0
--- a/contrib/pwdauth.c
+++ b/contrib/pwdauth.c
@@ -0,0 +1,308 @@
+/*
+ * pwdauth.c - program to verify a given username/password pair.
+ *
+ * Run it with username in argv[1] (may be omitted - default is the
+ * current user), and send it the password over a pipe on stdin.
+ * Exit status: 0 - correct password, 1 - wrong password, >1 - other
+ * errors.  For use with shadow passwords, this program should be
+ * installed setuid root.
+ *
+ * This can be used, for example, by xlock - you don't have to install
+ * this large and complex (== possibly insecure) program setuid root,
+ * just modify it to run this simple program to do the authentication.
+ *
+ * Recent versions (xlockmore-3.9) are cleaner, and drop privileges as
+ * soon as possible after getting the user's encrypted password.
+ * Using this program probably doesn't make it more secure, and has one
+ * disadvantage: since we don't get the encrypted user's password at
+ * startup (but at the time the user is authenticated), it is not clear
+ * how we should handle errors (like getpwnam() returning NULL).
+ * - fail the authentication?  Problem: no way to unlock (other than kill
+ *   the process from somewhere else) if the NIS server stops responding.
+ * - succeed and unlock?  Problem: it's too easy to unlock by unplugging
+ *   the box from the network and waiting until NIS times out...
+ *
+ * This program is Copyright (C) 1996 Marek Michalkiewicz
+ * <marekm@i17linuxb.ists.pwr.wroc.pl>.
+ *
+ * It may be used and distributed freely for any purposes.  There is no
+ * warranty - use at your own risk.  I am not liable for any damages etc.
+ * If you improve it, please send me your changes.
+ */
+
+static char rcsid[] = "$Id$";
+
+/*
+ * Define USE_SYSLOG to use syslog() to log successful and failed
+ * authentication.  This should be safe even if your system has
+ * the infamous syslog buffer overrun security problem...
+ */
+#define USE_SYSLOG
+
+/*
+ * Define HAVE_GETSPNAM to get shadow passwords using getspnam().
+ * Some systems don't have getspnam(), but getpwnam() returns
+ * encrypted passwords only if running as root.
+ *
+ * According to the xlock source (not tested, except Linux) -
+ * define: Linux, Solaris 2.x, SVR4, ...
+ * undef: HP-UX with Secured Passwords, FreeBSD, NetBSD, QNX.
+ * Known not supported (yet): Ultrix, OSF/1, SCO.
+ */
+#define HAVE_GETSPNAM
+
+/*
+ * Define HAVE_PW_ENCRYPT to use pw_encrypt() instead of crypt().
+ * pw_encrypt() is like the standard crypt(), except that it may
+ * support better password hashing algorithms.
+ *
+ * Define if linking with libshadow.a from the shadow password
+ * suite (Linux, SunOS 4.x?).
+ */
+#undef HAVE_PW_ENCRYPT
+
+/*
+ * Define HAVE_AUTH_METHODS to support the shadow suite specific
+ * extension: the encrypted password field contains a list of
+ * administrator defined authentication methods, separated by
+ * semicolons.  This program only supports the standard password
+ * authentication method (a string that doesn't start with '@').
+ */
+#undef HAVE_AUTH_METHODS
+
+/*
+ * FAIL_DELAY - number of seconds to sleep before exiting if the
+ * password was wrong, to slow down password guessing attempts.
+ */
+#define FAIL_DELAY 2
+
+/* No user-serviceable parts below :-).  */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <pwd.h>
+
+#ifdef USE_SYSLOG
+#include <syslog.h>
+#ifndef LOG_AUTHPRIV
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
+#endif
+
+#ifdef HAVE_GETSPNAM
+#include <shadow.h>
+#endif
+
+#ifdef HAVE_PW_ENCRYPT
+extern char *pw_encrypt();
+#define crypt pw_encrypt
+#endif
+
+/*
+ * Read the password (one line) from fp.  We don't turn off echo
+ * because we expect input from a pipe.
+ */
+static char *
+get_line(fp)
+	FILE *fp;
+{
+	static char buf[128];
+	char *cp;
+	int ch;
+
+	cp = buf;
+	while ((ch = getc(fp)) != EOF && ch != '\0' && ch != '\n') {
+		if (cp >= buf + sizeof buf - 1)
+			break;
+		*cp++ = ch;
+	}
+	*cp = '\0';
+	return buf;
+}
+
+/*
+ * Get the password file entry for the current user.  If the name
+ * returned by getlogin() is correct (matches the current real uid),
+ * return the entry for that user.  Otherwise, return the entry (if
+ * any) matching the current real uid.  Return NULL on failure.
+ */
+static struct passwd *
+get_my_pwent()
+{
+	uid_t uid = getuid();
+	char *name = getlogin();
+
+	if (name && *name) {
+		struct passwd *pw = getpwnam(name);
+
+		if (pw && pw->pw_uid == uid)
+			return pw;
+	}
+	return getpwuid(uid);
+}
+
+/*
+ * Verify the password.  The system-dependent shadow support is here.
+ */
+static int
+password_auth_ok(pw, pass)
+	const struct passwd *pw;
+	const char *pass;
+{
+	int result;
+	char *cp;
+#ifdef HAVE_AUTH_METHODS
+	char *buf;
+#endif
+#ifdef HAVE_GETSPNAM
+	struct spwd *sp;
+#endif
+
+	if (pw) {
+#ifdef HAVE_GETSPNAM
+		sp = getspnam(pw->pw_name);
+		if (sp)
+			cp = sp->sp_pwdp;
+		else
+#endif
+			cp = pw->pw_passwd;
+	} else
+		cp = "xx";
+
+#ifdef HAVE_AUTH_METHODS
+	buf = strdup(cp);  /* will be modified by strtok() */
+	if (!buf) {
+		fprintf(stderr, "Out of memory.\n");
+		exit(13);
+	}
+	cp = strtok(buf, ";");
+	while (cp && *cp == '@')
+		cp = strtok(NULL, ";");
+
+	/* fail if no password authentication for this user */
+	if (!cp)
+		cp = "xx";
+#endif
+
+	if (*pass || *cp)
+		result = (strcmp(crypt(pass, cp), cp) == 0);
+	else
+		result = 1;  /* user with no password */
+
+#ifdef HAVE_AUTH_METHODS
+	free(buf);
+#endif
+	return result;
+}
+
+/*
+ * Main program.
+ */
+int
+main(argc, argv)
+	int argc;
+	char **argv;
+{
+	struct passwd *pw;
+	char *pass, *name;
+	char myname[32];
+
+#ifdef USE_SYSLOG
+	openlog("pwdauth", LOG_PID | LOG_CONS, LOG_AUTHPRIV);
+#endif
+	pw = get_my_pwent();
+	if (!pw) {
+#ifdef USE_SYSLOG
+		syslog(LOG_ERR, "can't get login name for uid %d.\n",
+		       (int) getuid());
+#endif
+		fprintf(stderr, "Who are you?\n");
+		exit(2);
+	}
+	strncpy(myname, pw->pw_name, sizeof myname - 1);
+	myname[sizeof myname - 1] = '\0';
+	name = myname;
+
+	if (argc > 1) {
+		name = argv[1];
+		pw = getpwnam(name);
+	}
+
+	pass = get_line(stdin);
+	if (password_auth_ok(pw, pass)) {
+#ifdef USE_SYSLOG
+		syslog(pw->pw_uid ? LOG_INFO : LOG_NOTICE,
+		       "user `%s' entered correct password for `%.32s'.\n",
+		       myname, name);
+#endif
+		exit(0);
+	}
+#ifdef USE_SYSLOG
+	/* be careful not to overrun the syslog buffer */
+	syslog((!pw || pw->pw_uid) ? LOG_NOTICE : LOG_WARNING,
+	       "user `%s' entered incorrect password for `%.32s'.\n",
+	       myname, name);
+#endif
+#ifdef FAIL_DELAY
+	sleep(FAIL_DELAY);
+#endif
+	fprintf(stderr, "Wrong password.\n");
+	exit(1);
+}
+
+#if 0
+/*
+ * You can use code similar to the following to run this program.
+ * Return values: >=0 - program exit status (use the <sys/wait.h>
+ * macros to get the exit code, it is shifted left by 8 bits),
+ * -1 - check errno.
+ */
+int
+verify_password(const char *username, const char *password)
+{
+	int pipe_fd[2];
+	int pid, wpid, status;
+
+	if (pipe(pipe_fd))
+		return -1;
+	
+	if ((pid = fork()) == 0) {
+		char *arg[3];
+		char *env[1];
+
+		/* child */
+		close(pipe_fd[1]);
+		if (pipe_fd[0] != 0) {
+			if (dup2(pipe_fd[0], 0) != 0)
+				_exit(127);
+			close(pipe_fd[0]);
+		}
+		arg[0] = "/usr/bin/pwdauth";
+		arg[1] = username;
+		arg[2] = NULL;
+		env[0] = NULL;
+		execve(arg[0], arg, env);
+		_exit(127);
+	} else if (pid == -1) {
+		/* error */
+		close(pipe_fd[0]);
+		close(pipe_fd[1]);
+		return -1;
+	}
+	/* parent */
+	close(pipe_fd[0]);
+	write(pipe_fd[1], password, strlen(password));
+	write(pipe_fd[1], "\n", 1);
+	close(pipe_fd[1]);
+
+	while ((wpid = wait(&status)) != pid) {
+		if (wpid == -1)
+			return -1;
+	}
+	return status;
+}
+#endif
--- a/contrib/shadow-anonftp.patch
+++ b/contrib/shadow-anonftp.patch
@@ -0,0 +1,147 @@
+Hello Marek,
+
+I have created a diffile against the 980403 release that adds
+functionality to newusers for automatic handling of users with only
+anonymous ftp login (using the guestgroup feature in ftpaccess, which
+means that the users home directory looks like '/home/user/./'). It also
+adds a commandline argument to specify an initial directory structure
+for such users, with a tarball normally containing the bin,lib,etc
+directories used in the chrooted environment.
+
+I am using it to automatically create chunks of users with only ftp
+access for a webserver.
+
+I have tried to follow your coding standards and I believe it is bug
+free but.. well, who knows. :) It's not much code however.
+
+I hope you find it useful. Do what you like with it, feel free to ask if
+anything is unclear.
+
+Best rgds,
+  Calle Karlsson
+  ckn@kash.se
+
+diff -uNr shadow-980403.orig/src/newusers.c shadow-980403/src/newusers.c
+--- shadow-980403.orig/src/newusers.c	Fri Jan 30 00:22:43 1998
+++ shadow-980403/src/newusers.c	Fri Apr 17 16:55:33 1998
+@@ -76,11 +76,35 @@
+ static void
+ usage(void)
+ {
+-	fprintf(stderr, "Usage: %s [ input ]\n", Prog);
+	fprintf (stderr, "Usage: %s [-p prototype tarfile] [ input ]\n", Prog);
+	fprintf (stderr, "The prototype tarfile is only used for users\n");
+	fprintf (stderr, "marked as anonymous ftp users. It must be a full pathname.\n");
+ 	exit(1);
+ }
+ 
+ /*
+ * createuserdir - create a directory and chmod it
+ */
+
+static int
+createuserdir (char * dir, int uid, int gid, int line)
+{
+	if (mkdir (dir, 0777 & ~getdef_num("UMASK", 077))) {
+		fprintf (stderr, "%s: line %d: mkdir %s failed\n",
+			 Prog, line, dir);
+		return -1;
+	}
+
+	if (chown (dir, uid, gid)) {
+		fprintf (stderr, "%s: line %d: chown %s failed\n",
+			 Prog, line, dir);
+		return -1;
+	}
+
+	return 0;
+}
+
+/*
+  * add_group - create a new group or add a user to an existing group
+  */
+ 
+@@ -328,6 +352,8 @@
+ main(int argc, char **argv)
+ {
+ 	char	buf[BUFSIZ];
+	char	anonproto[BUFSIZ];
+	int	flag;
+ 	char	*fields[8];
+ 	int	nfields;
+ 	char	*cp;
+@@ -340,12 +366,23 @@
+ 
+ 	Prog = Basename(argv[0]);
+ 
+-	if (argc > 1 && argv[1][0] == '-')
+-		usage ();
+	* anonproto = '\0';
+
+	while ((flag = getopt (argc, argv, "p:h")) != EOF) {
+		switch (flag) {
+		case 'p':
+			STRFCPY(anonproto, optarg);
+			break;
+		case 'h':
+		default:
+			usage ();
+			break;
+		}
+	}
+ 
+-	if (argc == 2) {
+-		if (! freopen (argv[1], "r", stdin)) {
+-			snprintf(buf, sizeof buf, "%s: %s", Prog, argv[1]);
+	if (optind < argc) {
+		if (! freopen (argv[optind], "r", stdin)) {
+			snprintf(buf, sizeof buf, "%s: %s", Prog, argv[optind]);
+ 			perror (buf);
+ 			exit (1);
+ 		}
+@@ -499,15 +536,36 @@
+ 		if (fields[6][0])
+ 			newpw.pw_shell = fields[6];
+ 
+-		if (newpw.pw_dir[0] && access(newpw.pw_dir, F_OK)) {
+-			if (mkdir (newpw.pw_dir,
+-					0777 & ~getdef_num("UMASK", 077)))
+-				fprintf (stderr, "%s: line %d: mkdir failed\n",
+-					Prog, line);
+-			else if (chown (newpw.pw_dir,
+-					newpw.pw_uid, newpw.pw_gid))
+-				fprintf (stderr, "%s: line %d: chown failed\n",
+-					Prog, line);
+		if (newpw.pw_dir[0]) {
+		        char * userdir = strdup (newpw.pw_dir);
+			char * anonpart;
+			int rc;
+
+			if ((anonpart = strstr (userdir, "/./"))) {
+			        * anonpart = '\0';
+				anonpart += 2;
+			}
+			
+			if (access(userdir, F_OK))
+				rc = createuserdir (userdir, newpw.pw_uid, newpw.pw_gid, line);
+			else
+				rc = 0;
+
+			if (rc == 0 && anonpart) {
+				if (* anonproto) {
+					char cmdbuf [BUFSIZ];
+					snprintf(cmdbuf, sizeof cmdbuf,
+						 "cd %s; tar xf %s",
+						 userdir, anonproto);
+					system (cmdbuf);
+				}
+				if (strlen (anonpart) > 1) {
+					strcat (userdir, anonpart);
+					if (access (userdir, F_OK))
+						createuserdir (userdir, newpw.pw_uid, newpw.pw_gid, line);
+				}
+			}
+			free (userdir);
+ 		}
+ 
+ 		/*
--- a/contrib/udbachk.tgz
+++ b/contrib/udbachk.tgz
--- a/debian/HOME_MODE.xml
+++ b/debian/HOME_MODE.xml
@@ -0,0 +1,43 @@
+<!--
+   Copyright (c) 1991 - 1993, Julianne Frances Haugh
+   Copyright (c) 1991 - 1993, Chip Rosenthal
+   Copyright (c) 2007 - 2009, Nicolas François
+   All rights reserved.
+  
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+   2. Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   3. The name of the copyright holders or contributors may not be used to
+      endorse or promote products derived from this software without
+      specific prior written permission.
+  
+   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<varlistentry>
+  <term><option>HOME_MODE</option> (number)</term>
+  <listitem>
+    <para>
+      The mode for new home directories. If not specified,
+      the <option>UMASK</option> is used to create the mode.
+    </para>
+    <para>
+      <command>useradd</command> and <command>newusers</command> use this
+      to set the mode of the home directory they create.
+    </para>
+  </listitem>
+</varlistentry>
--- a/debian/Makefile
+++ b/debian/Makefile
@@ -0,0 +1,16 @@
+PKG=shadow
+SITE=ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/
+
+deb:: check_cheese
+
+include /usr/share/quilt/quilt.debbuild.mk
+
+check_cheese:
+	@dpkg-parsechangelog | grep -q "\* The \".*\".* release\." || { \
+		echo ""; \
+		echo " **                                  **"; \
+		echo " **  Warning: not a cheesy release!  **"; \
+		echo " **                                  **"; \
+		echo ""; \
+		exit 1; \
+	}
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -0,0 +1,44 @@
+shadow (1:4.7-1) unstable; urgency=medium
+
+  * /etc/securetty is no longer shipped by this package and it is no longer
+    honored in login's PAM configuration by default. Please see #731656 for the
+    details.
+
+ -- Balint Reczey <rbalint@ubuntu.com>  Thu, 20 Jun 2019 13:46:52 +0200
+
+shadow (1:4.0.15-5) unstable; urgency=low
+
+  * commands passed in argument to su must use su's -c option and must quote
+    the command if it contains a space, as in:
+        su - root -c "ls -l /"
+    The following commands won't work anymore:
+        su - root -c ls -l /
+        su - root "ls -l /"
+        su - root ls -l /
+
+ -- Christian Perrier <bubulle@debian.org>  Sat,  8 Apr 2006 20:11:38 +0200
+
+shadow (1:4.0.14-1) unstable; urgency=low
+
+  * passwd does not support the -f, -s, and -g options anymore. You should use
+    the chfn, chsh and gpasswd utilities instead.
+  * login now distributes the nologin utility, which can be used as a shell
+    to politely refuse a login
+
+ -- Christian Perrier <bubulle@debian.org>  Thu,  5 Jan 2006 08:47:44 +0100
+
+shadow (1:4.0.12-1) unstable; urgency=low
+
+  CLOSE_SESSIONS and other variables are not used anymore in
+  /etc/login/defs.
+  As shadow utilities which use this file now warn about unknown
+  entries there, administrators should remove such unknown entries.
+  The supplied login.defs file does not include them anymore.
+
+  dpasswd is no more distributed by upstream. Login do not support
+  dialup password anymore.  Re-introducing this functionality in
+  upstream is not trivial.
+
+
+ -- Christian Perrier <bubulle@debian.org>  Thu, 25 Aug 2005 08:38:47 +0200
+
--- a/debian/README.debian
+++ b/debian/README.debian
@@ -0,0 +1,62 @@
+Read this file first for a brief overview of the new versions of login
+and passwd.
+
+
+---Shadow passwords
+
+The command `shadowconfig on' will turn on shadow password support.
+`shadowconfig off' will turn it back off.  If you turn on shadow
+password support, you'll gain the ability to set password ages and
+expirations with chage(1).
+
+NOTE: If you use the nscd package, you may have problems with a
+slight delay in updating the password information. You may notice
+this during upgrades of certain packages that try to add a system
+user and then access the users information immediately afterwards.
+To avoid this, it is suggested that you stop the nscd daemon before
+upgrades, then restart it again.
+
+---General configuration
+
+Most of the configuration for the shadow utilities is in
+/etc/login.defs.  See login.defs(5).  The defaults are quite
+reasonable.
+
+Also see the /etc/pam.d/* files for each program to configure the PAM
+support. PAM documentation is available in several formats in the
+libpam-doc package.
+
+
+---MD5 Encryption
+
+This is enabled now using the /etc/pam.d/* files. Examples are given.
+
+
+---Adding users and groups
+
+Though you may add users and groups with the SysV type commands,
+useradd and groupadd, I recommend you add them with Debian adduser
+version 3+.  adduser gives you more configuration and conforms to the
+Debian UID and GID allocation.
+
+Editing user and group parameters can be done with usermod and
+groupmod.  Removing users and groups can be done with userdel and
+groupdel.
+
+
+--- Group administration
+
+Local group allocation is much easier.  With gpasswd(1) you can
+designate users to administer groups.  They can then securely add or
+remove users from the group.
+
+
+--- What to read next?
+
+Read the manpages, the other files in this directory, and the Shadow
+Password HOWTO (included in the doc-linux package).  A large portion
+of these files deals with getting shadow installed.  You can, of
+course, ignore those parts.
+
+Also, the libpam-doc package will go a long way to allowing you to take
+full advantage of the PAM authentication scheme.
--- a/debian/README.source
+++ b/debian/README.source
@@ -0,0 +1,4 @@
+A testsuite is also available. Instruction on how to run this testsuite
+are available in tests/README
+
+ -- Balint Reczey <rbalint@ubuntu.com>, Sat, 12 Aug 2017 18:46:44 -0400
--- a/debian/TODO
+++ b/debian/TODO
@@ -0,0 +1,19 @@
+Things that should be done:
+ * Verify the files left in debian/tmp
+   + e.g. /etc/default/adduser should be installed
+ * Check the build system: rebuilding the package twoce in the same tree
+   doubles the size of the diff.gz file
+
+Other points (not related to the release of a syncronized shadow):
+ * compare the source with the usages and man pages
+   + probably add a sentence to chsh/chfn's manpages about authentication
+     required for ordinary users
+ * do something (a tool) for the variables in login.defs
+   In Debian, some tools are not compiled with the PAM support, so upstream
+   getdef.c won't be OK.
+   It should be nice to see in each man page the set of variables used.
+   The Debian package can now compile (export DEB_BUILD_OPTIONS='nostrip debug')
+   with the debugging informations. This may be used to extract the set of
+   variables used in Debian/for each tools.
+ * verify all the patches around (I've found patches for at least RedHat,
+   OWL, LFS, Mandriva, Gentoo; are they already applied?)
--- a/debian/bugs-usertags
+++ b/debian/bugs-usertags
@@ -0,0 +1,25 @@
+This described the usertags used by the team.
+
+For usertags documentation, see
+http://lists.debian.org/debian-devel-announce/2005/09/msg00002.html
+
+All bugs tagged by team members must be tagged with 
+"user pkg-shadow-devel@lists.alioth.debian.org"
+
+Tags list
+---------
+
+toclose:         This bug has been announced to be closed in case no more news
+                 or information is received from the bug submitter or someone
+                 else until the delay specified in the limits_YYYYMMDD tag
+
+limits-YYYYMMDD: combine it with "toclose". Specifies the date after which
+                 bugs can be closed without other action in case no news 
+                 is received
+
+manpages-replace A bug reported angainst a manpages-xx package to indicate
+                 conflicting man pages. This tag can be used to tune the
+                 Replaces fields.
+
+su-transition:   This bug is related to the su transition (#276419)
+
--- a/debian/changelog
+++ b/debian/changelog
--- a/debian/control
+++ b/debian/control
@@ -0,0 +1,78 @@
+Source: shadow
+Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
+Uploaders: Balint Reczey <rbalint@ubuntu.com>,
+           Serge Hallyn <serge@hallyn.com>
+Section: admin
+Priority: required
+Build-Depends: debhelper-compat (= 12),
+               gettext,
+               libpam0g-dev,
+               quilt,
+               xsltproc,
+               docbook-xsl,
+               docbook-xml,
+               libxml2-utils,
+               libselinux1-dev [linux-any],
+               libsemanage1-dev [linux-any],
+               itstool,
+               bison,
+               libaudit-dev [linux-any]
+Standards-Version: 3.9.5
+Vcs-Git: https://salsa.debian.org/debian/shadow -b master
+Vcs-Browser: https://salsa.debian.org/debian/shadow
+Homepage: https://github.com/shadow-maint/shadow
+Rules-Requires-Root: binary-targets
+
+Package: passwd
+Architecture: any
+Multi-Arch: foreign
+Depends: ${shlibs:Depends},
+         ${misc:Depends},
+         libpam-modules
+Replaces: manpages-tr (<< 1.0.5),
+          manpages-zh (<< 1.5.1-1)
+Description: change and administer password and group data
+ This package includes passwd, chsh, chfn, and many other programs to
+ maintain password and group data.
+ .
+ Shadow passwords are supported.  See /usr/share/doc/passwd/README.Debian
+
+Package: login
+Architecture: any
+Multi-Arch: foreign
+Essential: yes
+Pre-Depends: ${shlibs:Depends},
+             ${misc:Depends},
+             libpam-runtime,
+             libpam-modules (>= 1.1.8-1)
+Breaks: coreutils (<< 8.21~) [hurd-any],
+        passwd (<< 1:4.1.5.1-2~) [hurd-any],
+        hurd (<< 20140206~) [hurd-any],
+        util-linux (<< 2.32-0.2~)
+Conflicts: gnunet (<< 0.7.0c-2),
+           amavisd-new (<< 2.3.3-8),
+           python-4suite (<< 0.99cvs20060405-1),
+           backupninja (<< 0.9.3-5),
+           echolot (<< 2.1.8-4)
+Replaces: manpages-de (<< 0.5-3),
+          manpages-tr (<< 1.0.5),
+          manpages-zh (<< 1.5.1-1),
+          passwd (<< 1:4.1.5.1-2~) [hurd-any],
+          coreutils (<< 8.21~) [hurd-any],
+          hurd (<< 20140206~) [hurd-any]
+Description: system login tools
+ This package provides some required infrastructure for logins and for
+ changing effective user or group IDs, including:
+  * login, the program that invokes a user shell on a virtual terminal;
+  * nologin, a dummy shell for disabled user accounts;
+  * su, a basic tool for executing commands as root or another user.
+
+Package: uidmap
+Architecture: any
+Multi-Arch: foreign
+Priority: optional
+Depends: ${shlibs:Depends},
+         ${misc:Depends}
+Description: programs to help use subuids
+ These programs help unprivileged users to create uid and gid mappings in
+ user namespaces.
--- a/debian/copyright
+++ b/debian/copyright
@@ -0,0 +1,103 @@
+This is Debian GNU/Linux's prepackaged version of the shadow utilities.
+
+It was downloaded from: <ftp://ftp.pld.org.pl/software/shadow/>. 
+As of May 2007, this site is no longer available.
+
+Copyright:
+
+Parts of this software are copyright 1988 - 1994, Julianne Frances Haugh.
+All rights reserved.
+
+Parts of this software are copyright 1997 - 2001, Marek Michałkiewicz.
+All rights reserved.
+
+Parts of this software are copyright 2001 - 2004, Andrzej Krzysztofowicz
+All rights reserved.
+
+Parts of this software are copyright 2000 - 2007, Tomasz Kłoczko.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of Julianne F. Haugh nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+This source code is currently archived on ftp.uu.net in the
+comp.sources.misc portion of the USENET archives.  You may also contact
+the author, Julianne F. Haugh, at jockgrrl@ix.netcom.com if you have
+any questions regarding this package.
+
+THIS SOFTWARE IS BEING DISTRIBUTED AS-IS.  THE AUTHORS DISCLAIM ALL
+LIABILITY FOR ANY CONSEQUENCES OF USE.  THE USER IS SOLELY RESPONSIBLE
+FOR THE MAINTENANCE OF THIS SOFTWARE PACKAGE.  THE AUTHORS ARE UNDER NO
+OBLIGATION TO PROVIDE MODIFICATIONS OR IMPROVEMENTS.  THE USER IS
+ENCOURAGED TO TAKE ANY AND ALL STEPS NEEDED TO PROTECT AGAINST ACCIDENTAL
+LOSS OF INFORMATION OR MACHINE RESOURCES.
+
+Special thanks are due to Chip Rosenthal for his fine testing efforts;
+to Steve Simmons for his work in porting this code to BSD; and to Bill
+Kennedy for his contributions of LaserJet printer time and energies.
+Also, thanks for Dennis L. Mumaugh for the initial shadow password
+information and to Tony Walton (olapw@olgb1.oliv.co.uk) for the System
+V Release 4 changes.  Effort in porting to SunOS has been contributed
+by Dr. Michael Newberry (miken@cs.adfa.oz.au) and Micheal J. Miller, Jr.
+(mke@kaberd.rain.com).  Effort in porting to AT&T UNIX System V Release
+4 has been provided by Andrew Herbert (andrew@werple.pub.uu.oz.au).
+Special thanks to Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl)
+for taking over the Linux port of this software.
+
+Source files: login_access.c, login_desrpc.c, login_krb.c are derived
+from the logdaemon-5.0 package, which is under the following license:
+
+/************************************************************************
+* Copyright 1995 by Wietse Venema.  All rights reserved. Individual files
+* may be covered by other copyrights (as noted in the file itself.)
+*
+* This material was originally written and compiled by Wietse Venema at
+* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+* 1992, 1993, 1994 and 1995.
+*
+* Redistribution and use in source and binary forms are permitted
+* provided that this entire copyright notice is duplicated in all such
+* copies.  
+*
+* This software is provided "as is" and without any expressed or implied
+* warranties, including, without limitation, the implied warranties of
+* merchantibility and fitness for any particular purpose.
+************************************************************************/
+
+Some parts substantially in src/su.c derived from an ancestor of
+su for GNU.  Run a shell with substitute user and group IDs.
+Copyright (C) 1992-2003 Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   On Debian GNU/Linux systems, the complete text of the GNU General Public
+   License can be found in '/usr/share/common-licenses/GPL-2'
--- a/debian/cpgr.8
+++ b/debian/cpgr.8
@@ -0,0 +1 @@
+.so man8/cppw.8
--- a/debian/cppw.8
+++ b/debian/cppw.8
@@ -0,0 +1,27 @@
+.TH CPPW 8 "7 Apr 2005"
+.SH NAME
+cppw, cpgr \- copy with locking the given file to the password or group file
+.SH SYNOPSIS
+\fBcppw\fR [\fB\-h\fR] [\fB\-s\fR] password_file
+.br
+\fBcpgr\fR [\fB\-h\fR] [\fB\-s\fR] group_file
+
+.SH DESCRIPTION
+.BR cppw " and " cpgr
+will copy, with locking, the given file to
+.IR /etc/passwd " and " /etc/group ", respectively."
+With the \fB\-s\fR flag, they will copy the shadow versions of those files,
+.IR /etc/shadow " and " /etc/gshadow ", respectively."
+
+With the \fB\-h\fR flag, the commands display a short help message and exit
+silently.
+.SH "SEE ALSO"
+.BR vipw (8),
+.BR vigr (8),
+.BR group (5),
+.BR passwd (5),
+.BR shadow (5),
+.BR gshadow (5)
+.SH AUTHOR
+\fBcppw\fR and \fBcpgr\fR were written by Stephen Frost, based on
+\fBvipw\fR and \fBvigr\fR written by Guy Maor.
--- a/debian/default/useradd
+++ b/debian/default/useradd
@@ -0,0 +1,37 @@
+# Default values for useradd(8)
+#
+# The SHELL variable specifies the default login shell on your
+# system.
+# Similar to DSHELL in adduser. However, we use "sh" here because
+# useradd is a low level utility and should be as general
+# as possible
+SHELL=/bin/sh
+#
+# The default group for users
+# 100=users on Debian systems
+# Same as USERS_GID in adduser
+# This argument is used when the -n flag is specified.
+# The default behavior (when -n and -g are not specified) is to create a
+# primary user group with the same name as the user being added to the
+# system.
+# GROUP=100
+#
+# The default home directory. Same as DHOME for adduser
+# HOME=/home
+#
+# The number of days after a password expires until the account 
+# is permanently disabled
+# INACTIVE=-1
+#
+# The default expire date
+# EXPIRE=
+#
+# The SKEL variable specifies the directory containing "skeletal" user
+# files; in other words, files such as a sample .profile that will be
+# copied to the new user's home directory when it is created.
+# SKEL=/etc/skel
+#
+# Defines whether the mail spool should be created while
+# creating the account
+# CREATE_MAIL_SPOOL=yes
+
--- a/debian/dependencies
+++ b/debian/dependencies
@@ -0,0 +1,94 @@
+Build-Depends:
+==============
+ * autoconf
+ * automake1.9
+   works with 1.7 or 1.9 (at least)
+ * libtool
+ * gettext
+   POT, PO, GMO regenerated?
+ * libpam0g-dev
+   OK
+ * debhelper (>= 4.1.16)
+ * po-debconf
+   OK
+ * quilt
+   patch system
+ * dpkg-dev (>= 1.13.5)
+ * xsltproc
+   used to generate the manpages
+ * docbook-xsl
+   needed for /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl
+ * docbook-xml
+   manpages/docbook.xsl includes html/docbook.xsl
+   (But it is not strictly needed. The generated manpages are identical.
+   Without it, a warning is generated.)
+   Needed by JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.1.2//EN], [DocBook XML DTD V4.1.2], [], enable_man=no)
+ * libxml2-utils
+   needed by the JH_CHECK_XML_CATALOG macros
+ * cdbs
+   used in debian/rules
+ * libselinux1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64]
+ * gnome-doc-utils (>= 0.4.3-1)
+   xml2po, 0.4.3-1 needed for the -l switch.
+
+passwd Depends:
+===============
+ * ${shlibs:Depends}
+   OK
+ * ${loginpam}
+   - hurd
+     login
+     libpam-modules (>= 0.72-5)
+   - other archs
+     + login (>= 970502-1)
+       login is needed because some passwd utils need /etc/login.defs
+       login is Essential, so this is just to enforce the version
+     + libpam-modules (>= 0.72-5)
+ * debianutils (>= 2.15.2)
+   After 1:4.0.12-6, {add,remove}-shell are distributed in debianutils (2.15)
+   /etc/shell was forgotten and introduced in debianutils in 2.15.2
+
+passwd Conflicts:
+=================
+
+passwd Replaces:
+================
+   Some of the passwd man pages are also distributed in some manpages* packages.
+   Look at the debian/02/run test to optimize these dependencies.
+   NOTE: Not all maintainers have been notified.
+ * manpages-de (<< 0.4-9), manpages-fi (<< 0.2-4), manpages-fr (<<1.64.0-1), manpages-hu (<< 20010119-5), manpages-it (<< 0.3.4-3), manpages-ja (<< 0.5.0.0.20050915-1), manpages-ko (<< 20050219-2), manpages-es (<< 1.55-4), manpages-es-extra (<< 0.8a-15), manpages-ru (<< 0.98-3)
+   All those packages have been updated during sarge->etch. So these Replaces
+   should be removed after lenny release
+ * manpages-tr, manpages-zh
+   Those packages are still in etch, so the Replaces should be kept even
+   after lenny release
+
+login Pre-Depends:
+==================
+ * ${shlibs:Depends}
+ * libpam-runtime (>= 0.76-14)
+   sarge contained 0.76-22
+
+Why Pre-Depends? (because it's an essential package?)
+
+login Depends:
+==============
+ * libpam-modules (>= 0.72-5)
+   libpam-modules is needed.
+   potato contained 0.72-9
+
+login Conflicts:
+================
+
+login Replaces:
+===============
+ * Some of the login man pages are also distributed in some manpages* packages.
+   Look at the debian/02/run test to optimize these dependencies.
+   NOTE: Not all maintainers have been notified.
+   - manpages-fi, manpages-fr (<<1.64.0-1), manpages-hu, manpages-it, manpages-ko, manpages-ja (<< 0.5.0.0.20050915-1), manpages-de (<< 0.4-10), manpages-es-extra (<<0.8a-15) 
+     Those are packages that have been updated during sarge->etch. These
+     Replaces should be removed after lenny
+   - manpages-tr, manpages-zh
+     Those packages are still in etch, so the Replaces should be kept even
+     after lenny release
+
--- a/debian/gitlab-ci.yml
+++ b/debian/gitlab-ci.yml
@@ -0,0 +1,5 @@
+variables:
+ RELEASE: 'unstable'
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
--- a/debian/login.defs
+++ b/debian/login.defs
@@ -0,0 +1,340 @@
+#
+# /etc/login.defs - Configuration control definitions for the login package.
+#
+# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
+# If unspecified, some arbitrary (and possibly incorrect) value will
+# be assumed.  All other items are optional - if not specified then
+# the described action or option will be inhibited.
+#
+# Comment lines (lines beginning with "#") and blank lines are ignored.
+#
+# Modified for Linux.  --marekm
+
+# REQUIRED for useradd/userdel/usermod
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
+#   MAIL_DIR takes precedence.
+#
+#   Essentially:
+#      - MAIL_DIR defines the location of users mail spool files
+#        (for mbox use) by appending the username to MAIL_DIR as defined
+#        below.
+#      - MAIL_FILE defines the location of the users mail spool files as the
+#        fully-qualified filename obtained by prepending the user home
+#        directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+#       which is, starting from shadow 4.0.12-1 in Debian, entirely the
+#       job of the pam_mail PAM modules
+#       See default PAM configuration files provided for
+#       login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR        /var/mail
+#MAIL_FILE      .mail
+
+#
+# Enable logging and display of /var/log/faillog login failure info.
+# This option conflicts with the pam_tally PAM module.
+#
+FAILLOG_ENAB		yes
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+# WARNING: Unknown usernames may become world readable. 
+# See #290803 and #298773 for details about how this could become a security
+# concern
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE	/var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, login failures will be logged here in a utmp format
+# last, when invoked as lastb, will read /var/log/btmp, so...
+#
+FTMP_FILE	/var/log/btmp
+
+#
+# If defined, the command name to display when running "su -".  For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su".  If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME		su
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+# In Debian /usr/bin/bsd-write or similar programs are setgid tty
+# However, the default and recommended value for TTYPERM is still 0600
+# to not allow anyone to write to anyone else console or terminal
+
+# Users can still allow other people to write them by issuing 
+# the "mesg y" command.
+
+TTYGROUP	tty
+TTYPERM		0600
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#	UMASK		Default "umask" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# 
+# UMASK is the default umask value for pam_umask and is used by
+# useradd and newusers to set the mode of the new home directories.
+# 022 is the "historical" value in Debian for UMASK
+# 027, or even 077, could be considered better for privacy
+# There is no One True Answer here : each sysadmin must make up his/her
+# mind.
+#
+# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
+# for private user groups, i. e. the uid is the same as gid, and username is
+# the same as the primary group name: for these, the user permissions will be
+# used as group permissions, e. g. 022 will become 002.
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR	0177
+KILLCHAR	025
+UMASK		022
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+#SYS_UID_MIN		  100
+#SYS_UID_MAX		  999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+#SYS_GID_MIN		  100
+#SYS_GID_MAX		  999
+
+#
+# Max number of login retries if password is bad. This will most likely be
+# overriden by PAM, since the default pam_unix module has it's own built
+# in of 3 retries. However, this is a safe fallback in case you are using
+# an authentication module that does not enforce PAM_MAXTRIES.
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT		60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# 
+CHFN_RESTRICT		rwh
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME	yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# If set to yes, userdel will remove the user's group if it contains no
+# more members, and useradd will create by default a group with the name
+# of the user.
+#
+# Other former uses of this variable such as setting the umask when
+# user==primary group are not used in PAM environments, such as Debian
+#
+USERGROUPS_ENAB yes
+
+#
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
+#
+# FAKE_SHELL /bin/fakeshell
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names.  Root logins will be allowed only
+# upon these devices.
+#
+# This variable is used by login and su.
+#
+#CONSOLE	/etc/consoles
+#CONSOLE	console:tty01:tty02:tty03:tty04
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting).  Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# This variable is used by login and su.
+#
+#CONSOLE_GROUPS		floppy:audio:cdrom
+
+#
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm.  Default is "no".
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB	no
+
+#
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+ENCRYPT_METHOD SHA512
+
+#
+# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
+################# OBSOLETED BY PAM ##############
+#						#
+# These options are now handled by PAM. Please	#
+# edit the appropriate file in /etc/pam.d/ to	#
+# enable the equivelants of them.
+#
+###############
+
+#MOTD_FILE
+#DIALUPS_CHECK_ENAB
+#LASTLOG_ENAB
+#MAIL_CHECK_ENAB
+#OBSCURE_CHECKS_ENAB
+#PORTTIME_CHECKS_ENAB
+#SU_WHEEL_ONLY
+#CRACKLIB_DICTPATH
+#PASS_CHANGE_TRIES
+#PASS_ALWAYS_WARN
+#ENVIRON_FILE
+#NOLOGINS_FILE
+#ISSUE_FILE
+#PASS_MIN_LEN
+#PASS_MAX_LEN
+#ULIMIT
+#ENV_HZ
+#CHFN_AUTH
+#CHSH_AUTH
+#FAIL_DELAY
+
+################# OBSOLETED #######################
+#						  #
+# These options are no more handled by shadow.    #
+#                                                 #
+# Shadow utilities will display a warning if they #
+# still appear.                                   #
+#                                                 #
+###################################################
+
+# CLOSE_SESSIONS
+# LOGIN_STRING
+# NO_PASSWORD_CONSOLE
+# QMAIL_DIR
+
+
+
--- a/debian/login.dirs
+++ b/debian/login.dirs
@@ -0,0 +1 @@
+usr/share/lintian/overrides
--- a/debian/login.install
+++ b/debian/login.install
@@ -0,0 +1,23 @@
+debian/login.defs etc
+usr/share/locale/*/LC_MESSAGES/shadow.mo
+usr/share/man/*/man1/login.1
+usr/share/man/*/man1/newgrp.1
+usr/share/man/*/man1/sg.1
+usr/share/man/*/man5/faillog.5
+usr/share/man/*/man5/login.defs.5
+usr/share/man/*/man8/faillog.8
+usr/share/man/*/man8/lastlog.8
+usr/share/man/*/man8/nologin.8
+usr/share/man/man1/login.1
+usr/share/man/man1/newgrp.1
+usr/share/man/man1/sg.1
+usr/share/man/man5/faillog.5
+usr/share/man/man5/login.defs.5
+usr/share/man/man8/faillog.8
+usr/share/man/man8/lastlog.8
+usr/share/man/man8/nologin.8
+usr/sbin/nologin
+usr/bin/faillog
+usr/bin/lastlog
+usr/bin/newgrp
+bin/login
--- a/debian/login.links
+++ b/debian/login.links
@@ -0,0 +1 @@
+usr/bin/newgrp usr/bin/sg
--- a/debian/login.lintian-overrides
+++ b/debian/login.lintian-overrides
@@ -0,0 +1,2 @@
+login: setuid-binary usr/bin/newgrp 4755 root/root
+login: possible-missing-colon-in-closes l667:closes bug 336321
--- a/debian/login.maintscript
+++ b/debian/login.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/securetty 1:4.7-1~
--- a/debian/login.pam
+++ b/debian/login.pam
@@ -0,0 +1,100 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# pam_selinux.so changes the SELinux context of the used TTY and configures
+# SELinux in order to transition to the user context with the next execve()
+# call.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password
--- a/debian/login.postinst
+++ b/debian/login.postinst
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+set -e
+
+if test "$1" = configure
+then
+	if test -f /etc/init.d/logoutd
+	then 
+		if test "$(md5sum /etc/init.d/logoutd)" = "9080f92783dd53f6f2108e698c06bd53  /etc/init.d/logoutd"
+		then	
+			echo "removing logoutd cruft"
+			rm /etc/init.d/logoutd
+			update-rc.d logoutd remove
+		fi
+	fi
+fi
+rm -f /etc/pam.d/login.pre-upgrade 2>/dev/null
+
+if [ "$1" = "configure" ]; then
+	# Install faillog during initial installs only
+	if [ "$2" = "" ] && [ ! -f /var/log/faillog ] ; then
+		touch /var/log/faillog
+		chown root:root /var/log/faillog
+		chmod 644 /var/log/faillog
+	fi
+
+	# Create subuid/subgid if missing
+	if [ ! -e /etc/subuid ]; then
+		touch /etc/subuid
+		chown root:root /etc/subuid
+		chmod 644 /etc/subuid
+	fi
+
+	if [ ! -e /etc/subgid ]; then
+		touch /etc/subgid
+		chown root:root /etc/subgid
+		chmod 644 /etc/subgid
+	fi
+fi
+
+        # Create subuid/subgid if missing
+        if [ ! -e /etc/subuid ]; then
+                touch /etc/subuid
+                chown root:root /etc/subuid
+                chmod 644 /etc/subuid
+        fi
+
+        if [ ! -e /etc/subgid ]; then
+                touch /etc/subgid
+                chown root:root /etc/subgid
+                chmod 644 /etc/subgid
+        fi
+
+#DEBHELPER#
+
+exit 0
--- a/debian/login.preinst
+++ b/debian/login.preinst
@@ -0,0 +1,52 @@
+#! /bin/sh
+
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+remove_md5() {
+    if md5sum $1 2>/dev/null |grep -q $2; then
+	cp $1 $1.pre-upgrade
+	sed -e '/^[^#][ \t]*assword[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
+	    && mv $1.post-upgrade $1
+    fi
+    }
+
+
+case "$1" in
+    install|upgrade)
+        if [ "x$2" != "x" ] ; then
+	    if dpkg --compare-versions $2 lt 1:4.0.3 ; then
+		remove_md5 /etc/pam.d/login 5e61c3334e25625fe1fa4d79cf9123ff
+		fi
+	    fi
+	    
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
--- a/debian/passwd.chage.pam
+++ b/debian/passwd.chage.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'chage' service
+#
+
+# This allows root to change password aging being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/passwd.chfn.pam
+++ b/debian/passwd.chfn.pam
@@ -0,0 +1,16 @@
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+
+# This allows root to change user infomation without being
+# prompted for a password
+auth		sufficient	pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
+
--- a/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/pam.d/chpasswd
+++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/pam.d/chpasswd
--- a/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/chsh
+++ b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/chsh
--- a/debian/passwd.dirs
+++ b/debian/passwd.dirs
@@ -0,0 +1,2 @@
+usr/share/lintian/overrides
+etc/default
--- a/debian/passwd.examples
+++ b/debian/passwd.examples
@@ -0,0 +1 @@
+debian/passwd.expire.cron
--- a/debian/passwd.expire.cron
+++ b/debian/passwd.expire.cron
@@ -0,0 +1,57 @@
+#!/usr/bin/perl
+#
+# passwd.expire.cron: sample expiry notification script for use as a cronjob
+#
+# Copyright 1999 by Ben Collins <bcollins@debian.org>, complete rights granted
+# for use, distribution, modification, etc.
+#
+# Usage:
+#	edit the listed options, including the actual email, then rename to
+#	/etc/cron.daily/passwd
+#
+#	If your users don't have a valid login shell (ie. they are ftp or mail
+#	users only), they will need some other way to change their password
+#	(telnet will work since login will handle password aging, or a poppasswd
+#	program, if they are mail users).
+
+# <CONFIG> #
+
+# should be same as /etc/adduser.conf
+$LOW_UID=1000;
+$HIGH_UID=29999;
+
+# this let's the MTA handle the domain,
+# set it manually if you want. Make sure
+# you also add the @ like "\@domain.com"
+$MAIL_DOM="";
+
+# </CONFIG> #
+
+# Set the current day reference
+$curdays = int(time() / (60 * 60 * 24));
+
+# Now go through the list
+
+open(SH, "< /etc/shadow");
+while (<SH>) {
+    @shent = split(':', $_);
+    @userent = getpwnam($shent[0]);
+    if ($userent[2] >= $LOW_UID && $userent[2] <= $HIGH_UID) {
+	if ($curdays > $shent[2] + $shent[4] - $shent[5] &&
+		$shent[4] != -1 && $shent[4] != 0 &&
+		$shent[5] != -1 && $shent[5] != 0) {
+	    $daysleft = ($shent[2] + $shent[4]) - $curdays;
+	    if ($daysleft == 1) { $days = "day"; } else {$days = "days"; }
+            if ($daysleft < 0) { next; }
+	    open (MAIL, "| mail -s '[WARNING] account will expire in $daysleft $days' $shent[0]${MAIL_DOM}");
+	    print MAIL <<EOF;
+Your account will expire in $daysleft $days. Please change your password before
+then or your account will expire
+EOF
+	    close (MAIL);
+	    # This makes sure we also get a list of almost expired users
+	    print "$shent[0]'s account will expire in $daysleft days\n";
+	}
+    }
+    @userent = getpwent();
+}
--- a/debian/passwd.groupadd.pam
+++ b/debian/passwd.groupadd.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupadd' service
+#
+
+# This allows root to add groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/passwd.groupdel.pam
+++ b/debian/passwd.groupdel.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupdel' service
+#
+
+# This allows root to remove groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/passwd.groupmod.pam
+++ b/debian/passwd.groupmod.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupmod' service
+#
+
+# This allows root to modify groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/passwd.install
+++ b/debian/passwd.install
@@ -0,0 +1,83 @@
+debian/default/useradd etc/default
+debian/shadowconfig sbin
+usr/bin/chage
+usr/bin/chfn
+usr/bin/chsh
+usr/bin/expiry
+usr/bin/gpasswd
+usr/bin/passwd
+usr/sbin/chpasswd
+usr/sbin/chgpasswd
+usr/sbin/cppw
+usr/sbin/groupadd
+usr/sbin/groupdel
+usr/sbin/groupmod
+usr/sbin/groupmems
+usr/sbin/grpck
+usr/sbin/grpconv
+usr/sbin/grpunconv
+usr/sbin/newusers
+usr/sbin/pwck
+usr/sbin/pwconv
+usr/sbin/pwunconv
+usr/sbin/useradd
+usr/sbin/userdel
+usr/sbin/usermod
+usr/sbin/vipw
+usr/share/man/*/man1/chage.1
+usr/share/man/*/man1/chfn.1
+usr/share/man/*/man1/chsh.1
+usr/share/man/*/man1/expiry.1
+usr/share/man/*/man1/gpasswd.1
+usr/share/man/*/man1/passwd.1
+usr/share/man/*/man5/passwd.5
+usr/share/man/*/man5/shadow.5
+usr/share/man/*/man5/gshadow.5
+usr/share/man/*/man8/chpasswd.8
+usr/share/man/*/man8/groupadd.8
+usr/share/man/*/man8/groupdel.8
+usr/share/man/*/man8/groupmod.8
+usr/share/man/*/man8/groupmems.8
+usr/share/man/*/man8/grpck.8
+usr/share/man/*/man8/grpconv.8
+usr/share/man/*/man8/grpunconv.8
+usr/share/man/*/man8/newusers.8
+usr/share/man/*/man8/pwck.8
+usr/share/man/*/man8/pwconv.8
+usr/share/man/*/man8/pwunconv.8
+usr/share/man/*/man8/useradd.8
+usr/share/man/*/man8/userdel.8
+usr/share/man/*/man8/usermod.8
+usr/share/man/*/man8/vigr.8
+usr/share/man/*/man8/vipw.8
+usr/share/man/man1/chage.1
+usr/share/man/man1/chfn.1
+usr/share/man/man1/chsh.1
+usr/share/man/man1/expiry.1
+usr/share/man/man1/gpasswd.1
+usr/share/man/man1/passwd.1
+usr/share/man/man5/passwd.5
+usr/share/man/man5/shadow.5
+usr/share/man/man5/gshadow.5
+usr/share/man/man5/subuid.5
+usr/share/man/man5/subgid.5
+usr/share/man/man5/subgid.5
+usr/share/man/man5/subuid.5
+usr/share/man/man8/chgpasswd.8
+usr/share/man/man8/chpasswd.8
+usr/share/man/man8/groupadd.8
+usr/share/man/man8/groupdel.8
+usr/share/man/man8/groupmems.8
+usr/share/man/man8/groupmod.8
+usr/share/man/man8/grpck.8
+usr/share/man/man8/grpconv.8
+usr/share/man/man8/grpunconv.8
+usr/share/man/man8/newusers.8
+usr/share/man/man8/pwck.8
+usr/share/man/man8/pwconv.8
+usr/share/man/man8/pwunconv.8
+usr/share/man/man8/useradd.8
+usr/share/man/man8/userdel.8
+usr/share/man/man8/usermod.8
+usr/share/man/man8/vigr.8
+usr/share/man/man8/vipw.8
--- a/debian/passwd.links
+++ b/debian/passwd.links
@@ -0,0 +1,2 @@
+usr/sbin/vipw usr/sbin/vigr
+usr/sbin/cppw usr/sbin/cpgr
--- a/debian/passwd.lintian-overrides
+++ b/debian/passwd.lintian-overrides
@@ -0,0 +1,8 @@
+passwd: setgid-binary usr/bin/chage 2755 root/shadow
+passwd: setuid-binary usr/bin/chfn 4755 root/root
+passwd: setuid-binary usr/bin/chsh 4755 root/root
+passwd: setgid-binary usr/bin/expiry 2755 root/shadow
+passwd: setuid-binary usr/bin/gpasswd 4755 root/root
+passwd: setuid-binary usr/bin/passwd 4755 root/root
+# Fixed in a0f09c4de7ad35b1a7c64cbe7024c9b7236ad491 but would add a Recommend: during LTS
+passwd: missing-depends-on-sensible-utils sensible-editor usr/sbin/vipw
--- a/debian/passwd.maintscript
+++ b/debian/passwd.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/cron.daily/passwd 1:4.7-2~
--- a/debian/passwd.manpages
+++ b/debian/passwd.manpages
@@ -0,0 +1,2 @@
+debian/cpgr.8
+debian/cppw.8
--- a/debian/passwd.newusers.pam
+++ b/debian/passwd.newusers.pam
@@ -0,0 +1,5 @@
+# The PAM configuration file for the Shadow 'newusers' service
+#
+
+@include common-password
+
--- a/debian/passwd.passwd.pam
+++ b/debian/passwd.passwd.pam
@@ -0,0 +1,6 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+@include common-password
+
--- a/debian/passwd.postinst
+++ b/debian/passwd.postinst
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+configure)
+    # Fix permissions on various log files from old versions of the debian
+    # installer, some unrelated to passwd but we decided to put the fix
+    # here since there was no better place. This can safely be removed
+    # after etch is released.
+    if dpkg --compare-versions "$2" lt "1:4.0.14-9"; then
+	    for log in /var/log/base-config* \
+		    $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
+		if [ -e "$log" ]; then
+			chmod 600 "$log"
+		fi
+            done
+    fi
+
+    rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null
+	if ! getent group shadow | grep -q '^shadow:[^:]*:42'
+	then
+		groupadd -g 42 shadow || (
+    			cat <<EOF
+Group ID 42 has been allocated for the shadow group.  You have either
+used 42 yourself or created a shadow group with a different ID.
+Please correct this problem and reconfigure with ``dpkg --configure passwd''.
+
+Note that both user and group IDs in the range 0-99 are globally
+allocated by the Debian project and must be the same on every Debian
+system.
+EOF
+    			exit 1
+		)
+	fi
+    ;;
+esac
+
+# Run shadowconfig only on new installs
+[ -z "$2" ] && shadowconfig on
+
+#DEBHELPER#
+
+exit 0
--- a/debian/passwd.preinst
+++ b/debian/passwd.preinst
@@ -0,0 +1,51 @@
+#! /bin/sh
+
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+remove_md5() {
+    if md5sum $1 2>/dev/null |grep -q $2; then
+	cp $1 $1.pre-upgrade
+	sed -e '/^[^#]*[ \t]*password[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
+	    && mv $1.post-upgrade $1
+    fi
+    }
+
+
+case "$1" in
+    install|upgrade)
+        if [ "x$2" != "x" ] ; then
+	    if dpkg --compare-versions $2 lt 1:4.0.3 ; then
+		remove_md5 /etc/pam.d/passwd 23a5d1465bbc1e39ca6e0c32f22a75c9
+	    fi
+	fi
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
--- a/debian/passwd.tmpfile
+++ b/debian/passwd.tmpfile
@@ -0,0 +1,8 @@
+# If a password operation is in progress and we lose power, stale lockfiles
+# can be left behind.  Clear them on boot.
+r! /etc/gshadow.lock
+r! /etc/shadow.lock
+r! /etc/passwd.lock
+r! /etc/group.lock
+r! /etc/subuid.lock
+r! /etc/subgid.lock
--- a/debian/passwd.useradd.pam
+++ b/debian/passwd.useradd.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'useradd' service
+#
+
+# This allows root to add users without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/passwd.userdel.pam
+++ b/debian/passwd.userdel.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'userdel' service
+#
+
+# This allows root to remove users without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/passwd.usermod.pam
+++ b/debian/passwd.usermod.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupdel' service
+#
+
+# This allows root to remove groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/patches/008_login_log_failure_in_FTMP
+++ b/debian/patches/008_login_log_failure_in_FTMP
@@ -0,0 +1,51 @@
+Goal: Log login failures to the btmp file
+
+Notes:
+ * I'm not sure login should add an entry in the FTMP file when PAM is used.
+   (but nothing in /etc/login.defs indicates that the failure is not logged)
+
+--- a/src/login.c
+++ b/src/login.c
+@@ -849,6 +849,24 @@
+ 			(void) puts ("");
+ 			(void) puts (_("Login incorrect"));
+ 
+			if (getdef_str("FTMP_FILE") != NULL) {
+#ifdef USE_UTMPX
+				struct utmpx *failent =
+					prepare_utmpx (failent_user,
+					               tty,
+					/* FIXME: or fromhost? */hostname,
+					               utent);
+#else				/* !USE_UTMPX */
+				struct utmp *failent =
+					prepare_utmp (failent_user,
+					              tty,
+					              hostname,
+					              utent);
+#endif				/* !USE_UTMPX */
+				failtmp (failent_user, failent);
+				free (failent);
+			}
+
+ 			if (failcount >= retries) {
+ 				SYSLOG ((LOG_NOTICE,
+ 				         "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
+--- a/lib/getdef.c
+++ b/lib/getdef.c
+@@ -60,7 +60,6 @@
+ 	{"ENVIRON_FILE", NULL},			\
+ 	{"ENV_TZ", NULL},			\
+ 	{"FAILLOG_ENAB", NULL},			\
+-	{"FTMP_FILE", NULL},			\
+ 	{"ISSUE_FILE", NULL},			\
+ 	{"LASTLOG_ENAB", NULL},			\
+ 	{"LOGIN_STRING", NULL},			\
+@@ -91,6 +90,7 @@
+ 	{"ERASECHAR", NULL},
+ 	{"FAIL_DELAY", NULL},
+ 	{"FAKE_SHELL", NULL},
+	{"FTMP_FILE", NULL},
+ 	{"GID_MAX", NULL},
+ 	{"GID_MIN", NULL},
+ 	{"HOME_MODE", NULL},
--- a/debian/patches/401_cppw_src.dpatch
+++ b/debian/patches/401_cppw_src.dpatch
@@ -0,0 +1,276 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 401_cppw_src.dpatch by  Nicolas FRANCOIS <nicolas.francois@centraliens.net>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add cppw / cpgr
+
+@DPATCH@
+--- /dev/null
+++ b/src/cppw.c
+@@ -0,0 +1,238 @@
+/*
+  cppw, cpgr  copy with locking given file over the password or group file
+  with -s will copy with locking given file over shadow or gshadow file
+
+  Copyright (C) 1999 Stephen Frost <sfrost@snowman.net>
+
+  Based on vipw, vigr by:
+  Copyright (C) 1997 Guy Maor <maor@ece.utexas.edu>
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 2 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+  */
+
+#include <config.h>
+#include "defines.h"
+
+#include <errno.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <utime.h>
+#include "exitcodes.h"
+#include "prototypes.h"
+#include "pwio.h"
+#include "shadowio.h"
+#include "groupio.h"
+#include "sgroupio.h"
+
+
+const char *Prog;
+
+const char *filename, *filenewname;
+static bool filelocked = false;
+static int (*unlock) (void);
+
+/* local function prototypes */
+static int create_copy (FILE *fp, const char *dest, struct stat *sb);
+static void cppwexit (const char *msg, int syserr, int ret);
+static void cppwcopy (const char *file,
+                      const char *in_file,
+                      int (*file_lock) (void),
+                      int (*file_unlock) (void));
+
+static int create_copy (FILE *fp, const char *dest, struct stat *sb)
+{
+	struct utimbuf ub;
+	FILE *bkfp;
+	int c;
+	mode_t mask;
+
+	mask = umask (077);
+	bkfp = fopen (dest, "w");
+	(void) umask (mask);
+	if (NULL == bkfp) {
+		return -1;
+	}
+
+	rewind (fp);
+	while ((c = getc (fp)) != EOF) {
+		if (putc (c, bkfp) == EOF) {
+			break;
+		}
+	}
+
+	if (   (c != EOF)
+	    || (fflush (bkfp) != 0)) {
+		(void) fclose (bkfp);
+		(void) unlink (dest);
+		return -1;
+	}
+	if (   (fsync (fileno (bkfp)) != 0)
+	    || (fclose (bkfp) != 0)) {
+		(void) unlink (dest);
+		return -1;
+	}
+
+	ub.actime = sb->st_atime;
+	ub.modtime = sb->st_mtime;
+	if (   (utime (dest, &ub) != 0)
+	    || (chmod (dest, sb->st_mode) != 0)
+	    || (chown (dest, sb->st_uid, sb->st_gid) != 0)) {
+		(void) unlink (dest);
+		return -1;
+	}
+	return 0;
+}
+
+static void cppwexit (const char *msg, int syserr, int ret)
+{
+	int err = errno;
+	if (filelocked) {
+		(*unlock) ();
+	}
+	if (NULL != msg) {
+		fprintf (stderr, "%s: %s", Prog, msg);
+		if (0 != syserr) {
+			fprintf (stderr, ": %s", strerror (err));
+		}
+		(void) fputs ("\n", stderr);
+	}
+	if (NULL != filename) {
+		fprintf (stderr, _("%s: %s is unchanged\n"), Prog, filename);
+	} else {
+		fprintf (stderr, _("%s: no changes\n"), Prog);
+	}
+
+	exit (ret);
+}
+
+static void cppwcopy (const char *file,
+                      const char *in_file,
+                      int (*file_lock) (void),
+                      int (*file_unlock) (void))
+{
+	struct stat st1;
+	FILE *f;
+	char filenew[1024];
+
+	snprintf (filenew, sizeof filenew, "%s.new", file);
+	unlock = file_unlock;
+	filename = file;
+	filenewname = filenew;
+
+	if (access (file, F_OK) != 0) {
+		cppwexit (file, 1, 1);
+	}
+	if (file_lock () == 0) {
+		cppwexit (_("Couldn't lock file"), 0, 5);
+	}
+	filelocked = true;
+
+	/* file to copy has same owners, perm */
+	if (stat (file, &st1) != 0) {
+		cppwexit (file, 1, 1);
+	}
+	f = fopen (in_file, "r");
+	if (NULL == f) {
+		cppwexit (in_file, 1, 1);
+	}
+	if (create_copy (f, filenew, &st1) != 0) {
+		cppwexit (_("Couldn't make copy"), errno, 1);
+	}
+
+	/* XXX - here we should check filenew for errors; if there are any,
+	 * fail w/ an appropriate error code and let the user manually fix
+	 * it. Use pwck or grpck to do the check.  - Stephen (Shamelessly
+	 * stolen from '--marekm's comment) */
+
+	if (rename (filenew, file) != 0) {
+		fprintf (stderr, _("%s: can't copy %s: %s)\n"),
+                         Prog, filenew, strerror (errno));
+		cppwexit (NULL,0,1);
+	}
+
+	(*file_unlock) ();
+}
+
+int main (int argc, char **argv)
+{
+	int flag;
+	bool cpshadow = false;
+	char *in_file;
+	int e = E_USAGE;
+	bool do_cppw = true;
+
+	(void) setlocale (LC_ALL, "");
+	(void) bindtextdomain (PACKAGE, LOCALEDIR);
+	(void) textdomain (PACKAGE);
+
+	Prog = Basename (argv[0]);
+	if (strcmp (Prog, "cpgr") == 0) {
+		do_cppw = false;
+	}
+
+	while ((flag = getopt (argc, argv, "ghps")) != EOF) {
+		switch (flag) {
+		case 'p':
+			do_cppw = true;
+			break;
+		case 'g':
+			do_cppw = false;
+			break;
+		case 's':
+			cpshadow = true;
+			break;
+		case 'h':
+			e = E_SUCCESS;
+			/*pass through*/
+		default:
+			(void) fputs (_("Usage:\n\
+`cppw <file>' copys over /etc/passwd   `cppw -s <file>' copys over /etc/shadow\n\
+`cpgr <file>' copys over /etc/group    `cpgr -s <file>' copys over /etc/gshadow\n\
+"), (E_SUCCESS != e) ? stderr : stdout);
+			exit (e);
+		}
+	}
+
+	if (argc != optind + 1) {
+		cppwexit (_("wrong number of arguments, -h for usage"),0,1);
+	}
+
+	in_file = argv[optind];
+
+	if (do_cppw) {
+		if (cpshadow) {
+			cppwcopy (SHADOW_FILE, in_file, spw_lock, spw_unlock);
+		} else {
+			cppwcopy (PASSWD_FILE, in_file, pw_lock, pw_unlock);
+		}
+	} else {
+#ifdef SHADOWGRP
+		if (cpshadow) {
+			cppwcopy (SGROUP_FILE, in_file, sgr_lock, sgr_unlock);
+		} else
+#endif				/* SHADOWGRP */
+		{
+			cppwcopy (GROUP_FILE, in_file, gr_lock, gr_unlock);
+		}
+	}
+
+	return 0;
+}
+
+--- a/src/Makefile.am
+++ b/src/Makefile.am
+@@ -33,6 +33,7 @@
+ bin_PROGRAMS  += su
+ endif
+ usbin_PROGRAMS = \
+	cppw \
+ 	chgpasswd \
+ 	chpasswd \
+ 	groupadd \
+@@ -101,6 +102,7 @@
+ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+ chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
+ chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+cppw_LDADD     = $(LDADD) $(LIBSELINUX) $(LIBAUDIT)
+ expiry_LDADD = $(LDADD) $(LIBECONF)
+ gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+ groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
+--- a/po/POTFILES.in
+++ b/po/POTFILES.in
+@@ -90,6 +90,7 @@
+ src/chgpasswd.c
+ src/chpasswd.c
+ src/chsh.c
+src/cppw.c
+ src/expiry.c
+ src/faillog.c
+ src/gpasswd.c
--- a/debian/patches/402_cppw_selinux
+++ b/debian/patches/402_cppw_selinux
@@ -0,0 +1,64 @@
+Goal: Add selinux support to cppw
+
+Fix:
+
+Status wrt upstream: cppw is not available upstream.
+                     The patch was made based on the
+                     302_vim_selinux_support patch. It needs to be
+                     reviewed by an SE-Linux aware person.
+
+Depends on 401_cppw_src.dpatch
+
+Index: git/src/cppw.c
+===================================================================
+--- git.orig/src/cppw.c
+++ git/src/cppw.c
+@@ -34,6 +34,9 @@
+ #include <sys/types.h>
+ #include <signal.h>
+ #include <utime.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif				/* WITH_SELINUX */
+ #include "exitcodes.h"
+ #include "prototypes.h"
+ #include "pwio.h"
+@@ -139,6 +142,22 @@
+ 	if (access (file, F_OK) != 0) {
+ 		cppwexit (file, 1, 1);
+ 	}
+#ifdef WITH_SELINUX
+	/* if SE Linux is enabled then set the context of all new files
+	 * to be the context of the file we are editing */
+	if (is_selinux_enabled () > 0) {
+		security_context_t passwd_context=NULL;
+		int ret = 0;
+		if (getfilecon (file, &passwd_context) < 0) {
+			cppwexit (_("Couldn't get file context"), errno, 1);
+		}
+		ret = setfscreatecon (passwd_context);
+		freecon (passwd_context);
+		if (0 != ret) {
+			cppwexit (_("setfscreatecon () failed"), errno, 1);
+		}
+	}
+#endif				/* WITH_SELINUX */
+ 	if (file_lock () == 0) {
+ 		cppwexit (_("Couldn't lock file"), 0, 5);
+ 	}
+@@ -167,6 +186,15 @@
+ 		cppwexit (NULL,0,1);
+ 	}
+ 
+#ifdef WITH_SELINUX
+	/* unset the fscreatecon */
+	if (is_selinux_enabled () > 0) {
+		if (setfscreatecon (NULL)) {
+		cppwexit (_("setfscreatecon() failed"), errno, 1);
+		}
+	}
+#endif				/* WITH_SELINUX */
+
+ 	(*file_unlock) ();
+ }
+ 
--- a/debian/patches/429_login_FAILLOG_ENAB
+++ b/debian/patches/429_login_FAILLOG_ENAB
@@ -0,0 +1,84 @@
+Goal: Re-enable logging and displaying failures on login when login is
+      compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
+      faillog file if it does not exist on postinst (as on Woody).
+Depends: 008_login_more_LOG_UNKFAIL_ENAB
+Fixes: #192849
+
+Note: It could be removed if pam_tally could report the number of failures
+      preceding a successful login.
+
+--- a/src/login.c
+++ b/src/login.c
+@@ -136,9 +136,9 @@
+ #endif
+ 			);
+ 
+-#ifndef USE_PAM
+ static struct faillog faillog;
+ 
+#ifndef USE_PAM
+ static void bad_time_notify (void);
+ static void check_nologin (bool login_to_root);
+ #else
+@@ -809,6 +809,9 @@
+ 				SYSLOG ((LOG_NOTICE,
+ 				         "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
+ 				         failcount, fromhost, failent_user));
+				if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
+					failure (pwd->pw_uid, tty, &faillog);
+				}
+ 				fprintf (stderr,
+ 				         _("Maximum number of tries exceeded (%u)\n"),
+ 				         failcount);
+@@ -826,6 +829,14 @@
+ 				         pam_strerror (pamh, retcode)));
+ 				failed = true;
+ 			}
+			if (   (NULL != pwd)
+			    && getdef_bool("FAILLOG_ENAB")
+			    && ! failcheck (pwd->pw_uid, &faillog, failed)) {
+				SYSLOG((LOG_CRIT,
+				        "exceeded failure limit for `%s' %s",
+				        failent_user, fromhost));
+				failed = 1;
+			}
+ 
+ 			if (!failed) {
+ 				break;
+@@ -849,6 +860,10 @@
+ 			(void) puts ("");
+ 			(void) puts (_("Login incorrect"));
+ 
+			if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
+				failure (pwd->pw_uid, tty, &faillog);
+			}
+
+ 			if (getdef_str("FTMP_FILE") != NULL) {
+ #ifdef USE_UTMPX
+ 				struct utmpx *failent =
+@@ -1305,6 +1320,7 @@
+ 		 */
+ #ifndef USE_PAM
+ 		motd ();	/* print the message of the day */
+#endif
+ 		if (   getdef_bool ("FAILLOG_ENAB")
+ 		    && (0 != faillog.fail_cnt)) {
+ 			failprint (&faillog);
+@@ -1317,6 +1333,7 @@
+ 				         username, (int) faillog.fail_cnt));
+ 			}
+ 		}
+#ifndef USE_PAM
+ 		if (   getdef_bool ("LASTLOG_ENAB")
+ 		    && pwd->pw_uid <= (uid_t) getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL)
+ 		    && (ll.ll_time != 0)) {
+--- a/lib/getdef.c
+++ b/lib/getdef.c
+@@ -89,6 +89,7 @@
+ 	{"ENV_SUPATH", NULL},
+ 	{"ERASECHAR", NULL},
+ 	{"FAIL_DELAY", NULL},
+	{"FAILLOG_ENAB", NULL},
+ 	{"FAKE_SHELL", NULL},
+ 	{"FTMP_FILE", NULL},
+ 	{"GID_MAX", NULL},
--- a/debian/patches/463_login_delay_obeys_to_PAM
+++ b/debian/patches/463_login_delay_obeys_to_PAM
@@ -0,0 +1,97 @@
+Goal: Do not hardcode pam_fail_delay and let pam_unix do its
+      job to set a delay...or not
+
+Fixes: #87648
+
+Status wrt upstream: Forwarded but not applied yet
+
+Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
+
+--- a/src/login.c
+++ b/src/login.c
+@@ -536,7 +536,6 @@
+ #if defined(HAVE_STRFTIME) && !defined(USE_PAM)
+ 	char ptime[80];
+ #endif
+-	unsigned int delay;
+ 	unsigned int retries;
+ 	bool subroot = false;
+ #ifndef USE_PAM
+@@ -561,6 +560,7 @@
+ 	pid_t child;
+ 	char *pam_user = NULL;
+ #else
+	unsigned int delay;
+ 	struct spwd *spwd = NULL;
+ #endif
+ 	/*
+@@ -723,7 +723,6 @@
+ 	}
+ 
+ 	environ = newenvp;	/* make new environment active */
+-	delay   = getdef_unum ("FAIL_DELAY", 1);
+ 	retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
+ 
+ #ifdef USE_PAM
+@@ -739,8 +738,7 @@
+ 
+ 	/*
+ 	 * hostname & tty are either set to NULL or their correct values,
+-	 * depending on how much we know. We also set PAM's fail delay to
+-	 * ours.
+	 * depending on how much we know.
+ 	 *
+ 	 * PAM_RHOST and PAM_TTY are used for authentication, only use
+ 	 * information coming from login or from the caller (e.g. no utmp)
+@@ -749,10 +747,6 @@
+ 	PAM_FAIL_CHECK;
+ 	retcode = pam_set_item (pamh, PAM_TTY, tty);
+ 	PAM_FAIL_CHECK;
+-#ifdef HAS_PAM_FAIL_DELAY
+-	retcode = pam_fail_delay (pamh, 1000000 * delay);
+-	PAM_FAIL_CHECK;
+-#endif
+ 	/* if fflg, then the user has already been authenticated */
+ 	if (!fflg) {
+ 		unsigned int failcount = 0;
+@@ -793,12 +787,6 @@
+ 			bool failed = false;
+ 
+ 			failcount++;
+-#ifdef HAS_PAM_FAIL_DELAY
+-			if (delay > 0) {
+-				retcode = pam_fail_delay(pamh, 1000000*delay);
+-				PAM_FAIL_CHECK;
+-			}
+-#endif
+ 
+ 			retcode = pam_authenticate (pamh, 0);
+ 
+@@ -1121,14 +1109,17 @@
+ 		free (username);
+ 		username = NULL;
+ 
+#ifndef USE_PAM
+ 		/*
+ 		 * Wait a while (a la SVR4 /usr/bin/login) before attempting
+ 		 * to login the user again. If the earlier alarm occurs
+ 		 * before the sleep() below completes, login will exit.
+ 		 */
+		delay = getdef_unum ("FAIL_DELAY", 1);
+ 		if (delay > 0) {
+ 			(void) sleep (delay);
+ 		}
+#endif
+ 
+ 		(void) puts (_("Login incorrect"));
+ 
+--- a/lib/getdef.c
+++ b/lib/getdef.c
+@@ -88,7 +88,6 @@
+ 	{"ENV_PATH", NULL},
+ 	{"ENV_SUPATH", NULL},
+ 	{"ERASECHAR", NULL},
+-	{"FAIL_DELAY", NULL},
+ 	{"FAILLOG_ENAB", NULL},
+ 	{"FAKE_SHELL", NULL},
+ 	{"FTMP_FILE", NULL},
--- a/debian/patches/501_commonio_group_shadow
+++ b/debian/patches/501_commonio_group_shadow
@@ -0,0 +1,60 @@
+Goal: save the [g]shadow files with the 'shadow' group and mode 0440
+
+Fixes: #166793
+
+--- a/lib/commonio.c
+++ b/lib/commonio.c
+@@ -44,6 +44,7 @@
+ #include <errno.h>
+ #include <stdio.h>
+ #include <signal.h>
+#include <grp.h>
+ #include "nscd.h"
+ #include "sssd.h"
+ #ifdef WITH_TCB
+@@ -986,12 +987,23 @@
+ 			goto fail;
+ 		}
+ 	} else {
+		struct group *grp;
+ 		/*
+ 		 * Default permissions for new [g]shadow files.
+ 		 */
+ 		sb.st_mode = db->st_mode;
+ 		sb.st_uid = db->st_uid;
+ 		sb.st_gid = db->st_gid;
+
+		/*
+		 * Try to retrieve the shadow's GID, and fall back to GID 0.
+		 */
+		if (sb.st_gid == 0) {
+			if ((grp = getgrnam("shadow")) != NULL)
+				sb.st_gid = grp->gr_gid;
+			else
+				sb.st_gid = 0;
+		}
+ 	}
+ 
+ 	snprintf (buf, sizeof buf, "%s+", db->filename);
+--- a/lib/sgroupio.c
+++ b/lib/sgroupio.c
+@@ -229,7 +229,7 @@
+ #ifdef WITH_SELINUX
+ 	NULL,			/* scontext */
+ #endif
+-	0400,                   /* st_mode */
+	0440,                   /* st_mode */
+ 	0,                      /* st_uid */
+ 	0,                      /* st_gid */
+ 	NULL,			/* head */
+--- a/lib/shadowio.c
+++ b/lib/shadowio.c
+@@ -105,7 +105,7 @@
+ #ifdef WITH_SELINUX
+ 	NULL,			/* scontext */
+ #endif				/* WITH_SELINUX */
+-	0400,                   /* st_mode */
+	0440,                   /* st_mode */
+ 	0,                      /* st_uid */
+ 	0,                      /* st_gid */
+ 	NULL,			/* head */
--- a/debian/patches/503_shadowconfig.8
+++ b/debian/patches/503_shadowconfig.8
@@ -0,0 +1,201 @@
+Goal: Document the shadowconfig utility
+
+Status wrt upstream: The shadowconfig utility is debian specific.
+                     Its man page also (but it used to be distributed)
+
+Index: git/man/shadowconfig.8
+===================================================================
+--- /dev/null
+++ git/man/shadowconfig.8
+@@ -0,0 +1,41 @@
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "SHADOWCONFIG" 8 "19 Apr 1997" "" ""
+.SH NAME
+shadowconfig \- toggle shadow passwords on and off
+.SH "SYNOPSIS"
+.ad l
+.hy 0
+.HP 13
+\fBshadowconfig\fR \fB\fIon\fR\fR | \fB\fIoff\fR\fR
+.ad
+.hy
+
+.SH "DESCRIPTION"
+
+.PP
+\fBshadowconfig\fR on will turn shadow passwords on; \fIshadowconfig off\fR will turn shadow passwords off\&. \fBshadowconfig\fR will print an error message and exit with a nonzero code if it finds anything awry\&. If that happens, you should correct the error and run it again\&. Turning shadow passwords on when they are already on, or off when they are already off, is harmless\&.
+
+.PP
+Read \fI/usr/share/doc/passwd/README\&.Debian\fR for a brief introduction to shadow passwords and related features\&.
+
+.PP
+Note that turning shadow passwords off and on again will lose all password aging information\&.
+
+Index: git/man/shadowconfig.8.xml
+===================================================================
+--- /dev/null
+++ git/man/shadowconfig.8.xml
+@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+		"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+<refentry id='shadowconfig.8'>
+  <!-- $Id: shadowconfig.8.xml,v 1.6 2005/06/15 12:39:27 kloczek Exp $ -->
+  <refentryinfo>
+    <date>19 Apr 1997</date>
+  </refentryinfo>
+  <refmeta>
+    <refentrytitle>shadowconfig</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class='date'>19 Apr 1997</refmiscinfo>
+    <refmiscinfo class='source'>Debian GNU/Linux</refmiscinfo>
+  </refmeta>
+  <refnamediv id='name'>
+    <refname>shadowconfig</refname>
+    <refpurpose>toggle shadow passwords on and off</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv id='synopsis'>
+    <cmdsynopsis>
+      <command>shadowconfig</command>
+      <group choice='plain'>
+        <arg choice='plain'><replaceable>on</replaceable></arg>
+        <arg choice='plain'><replaceable>off</replaceable></arg>
+      </group>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='description'>
+    <title>DESCRIPTION</title>
+    <para><command>shadowconfig</command> on will turn shadow passwords on;
+      <emphasis remap='B'>shadowconfig off</emphasis> will turn shadow
+      passwords off. <command>shadowconfig</command> will print an error
+      message and exit with a nonzero code if it finds anything awry. If
+      that happens, you should correct the error and run it again. Turning
+      shadow passwords on when they are already on, or off when they are
+      already off, is harmless.
+    </para>
+
+    <para>
+      Read <filename>/usr/share/doc/passwd/README.Debian</filename> for a
+      brief introduction
+      to shadow passwords and related features.
+    </para>
+
+    <para>Note that turning shadow passwords off and on again will lose all
+      password
+      aging information.
+    </para>
+  </refsect1>
+</refentry>
+Index: git/man/fr/shadowconfig.8
+===================================================================
+--- /dev/null
+++ git/man/fr/shadowconfig.8
+@@ -0,0 +1,26 @@
+.\" This file was generated with po4a. Translate the source file.
+.\"
+.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $
+.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux"
+.SH NOM
+shadowconfig \- active ou désactive les mots de passe cachés
+.SH SYNOPSIS
+\fBshadowconfig\fP \fIon\fP | \fIoff\fP
+.SH DESCRIPTION
+.PP
+\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message
+d'erreur et quitte avec une valeur de retour non nulle s'il rencontre
+quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant
+de recommencer.
+
+Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les
+désactiver lorsqu'ils ne sont pas actifs est sans effet.
+
+Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux
+mots de passe cachés et à leurs fonctionnalités.
+
+Notez que désactiver puis réactiver les mots de passe cachés aura pour
+conséquence la perte des informations d'âge sur les mots de passe.
+.SH TRADUCTION
+Nicolas FRANÇOIS, 2004.
+Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>.
+Index: git/man/ja/shadowconfig.8
+===================================================================
+--- /dev/null
+++ git/man/ja/shadowconfig.8
+@@ -0,0 +1,25 @@
+.\"     all right reserved,
+.\" Translated Tue Oct 30 11:59:11 JST 2001
+.\" by Maki KURODA <mkuroda@aisys-jp.com>
+.\"
+.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux"
+.SH 名前
+shadowconfig \- shadow パスワードの設定をオン及びオフに切替える
+.SH 書式
+.B "shadowconfig"
+.IR on " | " off
+.SH 説明
+.PP
+.B shadowconfig on
+は shadow パスワードを有効にする。
+.B shadowconfig off
+は shadow パスワードを無効にする。
+.B shadowconfig
+は何らかの間違いがあると、エラーメッセージを表示し、
+ゼロではない返り値を返す。
+もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。
+shadow パスワードの設定がすでにオンの場合にオンに設定したり、
+すでにオフの場合にオフに設定しても、何の影響もない。
+
+.I /usr/share/doc/passwd/README.debian.gz
+には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。
+Index: git/man/pl/shadowconfig.8
+===================================================================
+--- /dev/null
+++ git/man/pl/shadowconfig.8
+@@ -0,0 +1,27 @@
+.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $
+.\" {PTM/WK/1999-09-14}
+.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux"
+.SH NAZWA
+shadowconfig - przełącza ochronę haseł i grup przez pliki shadow
+.SH SKŁADNIA
+.B "shadowconfig"
+.IR on " | " off
+.SH OPIS
+.PP
+.B shadowconfig on
+włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow);
+.B shadowconfig off
+wyłącza dodatkowe pliki haseł i grup.
+.B shadowconfig
+wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli
+znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd
+.\" if it finds anything awry.
+i uruchomić program ponownie.
+
+Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie,
+gdy jest wyłączona jest nieszkodliwe.
+
+Przeczytaj
+.IR /usr/share/doc/passwd/README.debian.gz ,
+gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych
+plików haseł przesłanianych (shadow passwords) i związanych tematów.
--- a/debian/patches/505_useradd_recommend_adduser
+++ b/debian/patches/505_useradd_recommend_adduser
@@ -0,0 +1,36 @@
+Goal: Recommend using adduser and deluser.
+
+Fixes: #406046
+
+Status wrt upstream: Debian specific patch.
+
+--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
+@@ -107,6 +107,12 @@
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+       <para>
+	<command>useradd</command> is a low level utility for adding
+	users.  On Debian, administrators should usually use
+	<citerefentry><refentrytitle>adduser</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> instead.
+      </para>
+      <para>
+ 	When invoked without the <option>-D</option> option, the
+ 	<command>useradd</command> command creates a new user account using
+ 	the values specified on the command line plus the default values from
+--- a/man/userdel.8.xml
+++ b/man/userdel.8.xml
+@@ -83,6 +83,12 @@
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+     <para>
+      <command>userdel</command> is a low level utility for removing
+      users.  On Debian, administrators should usually use
+      <citerefentry><refentrytitle>deluser</refentrytitle>
+      <manvolnum>8</manvolnum></citerefentry> instead.
+    </para>
+    <para>
+       The <command>userdel</command> command modifies the system account
+       files, deleting all entries that refer to the user name <emphasis
+       remap='I'>LOGIN</emphasis>. The named user must exist.
--- a/debian/patches/506_relaxed_usernames
+++ b/debian/patches/506_relaxed_usernames
@@ -0,0 +1,100 @@
+Goal: Relaxed usernames/groupnames checking patch.
+
+Status wrt upstream: Debian specific. Not to be used upstream
+
+Details:
+ Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
+ characters and don't start with '-', '+', or '~'. This patch is more
+ restrictive than original Karl's version. closes: #264879
+ Also closes: #377844
+ 
+ Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
+ 
+ I can't come up with a good justification as to why characters other
+ than ':'s and '\0's should be disallowed in group and usernames (other
+ than '-' as the leading character).  Thus, the maintenance tools don't
+ anymore.  closes: #79682, #166798, #171179
+
+--- a/libmisc/chkname.c
+++ b/libmisc/chkname.c
+@@ -54,6 +54,7 @@
+ 		return true;
+ 	}
+ 
+#if 0
+ 	/*
+ 	 * User/group names must match [a-z_][a-z0-9_-]*[$]
+ 	 */
+@@ -73,6 +74,26 @@
+ 			return false;
+ 		}
+ 	}
+#endif
+	/*
+	 * POSIX indicate that usernames are composed of characters from the
+	 * portable filename character set [A-Za-z0-9._-], and that the hyphen
+	 * should not be used as the first character of a portable user name.
+	 *
+	 * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
+	 */
+	if (   ('\0' == *name)
+	    || ('-'  == *name)
+	    || ('~'  == *name)
+	    || ('+'  == *name)) {
+		return false;
+	}
+	do {
+		if ((':' == *name) || (',' == *name) || isspace(*name)) {
+			return false;
+		}
+		name++;
+	} while ('\0' != *name);
+ 
+ 	return true;
+ }
+--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
+@@ -662,12 +662,20 @@
+     </para>
+ 
+     <para>
+-      Usernames must start with a lower case letter or an underscore,
+      It is usually recommended to only use usernames that begin with a lower case letter or an underscore,
+       followed by lower case letters, digits, underscores, or dashes.
+       They can end with a dollar sign.
+       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+     </para>
+     <para>
+      On Debian, the only constraints are that usernames must neither start
+      with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
+      colon (':'), a comma (','), or a whitespace (space: ' ',
+      end of line: '\n', tabulation: '\t', etc.). Note that using a slash
+      ('/') may break the default algorithm for the definition of the
+      user's home directory.
+    </para>
+    <para>
+       Usernames may only be up to 32 characters long.
+     </para>
+   </refsect1>
+--- a/man/groupadd.8.xml
+++ b/man/groupadd.8.xml
+@@ -273,12 +273,18 @@
+    <refsect1 id='caveats'>
+      <title>CAVEATS</title>
+      <para>
+-       Groupnames must start with a lower case letter or an underscore,
+       It is usually recommended to only use groupnames that begin with a lower case letter or an underscore,
+        followed by lower case letters, digits, underscores, or dashes.
+        They can end with a dollar sign.
+        In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+      </para>
+      <para>
+       On Debian, the only constraints are that groupnames must neither start
+       with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
+       colon (':'), a comma (','), or a whitespace (space:' ',
+       end of line: '\n', tabulation: '\t', etc.).
+     </para>
+     <para>
+        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+      </para>
+      <para>
--- a/debian/patches/508_nologin_in_usr_sbin
+++ b/debian/patches/508_nologin_in_usr_sbin
@@ -0,0 +1,18 @@
+--- a/src/Makefile.am
+++ b/src/Makefile.am
+@@ -24,7 +24,6 @@
+ # $prefix/bin and $prefix/sbin, no install-data hacks...)
+ 
+ bin_PROGRAMS   = groups login
+-sbin_PROGRAMS  = nologin
+ ubin_PROGRAMS  = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
+ if ENABLE_SUBIDS
+ ubin_PROGRAMS += newgidmap newuidmap
+@@ -45,6 +44,7 @@
+ 	grpunconv \
+ 	logoutd \
+ 	newusers \
+	nologin \
+ 	pwck \
+ 	pwconv \
+ 	pwunconv \
--- a/debian/patches/542_useradd-O_option
+++ b/debian/patches/542_useradd-O_option
@@ -0,0 +1,43 @@
+Goal: accepts the -O flag for backward compatibility. (was used by adduser?)
+
+Note: useradd.8 needs to be regenerated.
+
+Status wrt upstream: not included as this is just specific 
+                     backward compatibility for Debian
+
+--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
+@@ -341,6 +341,11 @@
+ 	    databases are reset to avoid reusing the entry from a previously
+ 	    deleted user.
+ 	  </para>
+          <para>
+            For the compatibility with previous Debian's
+            <command>useradd</command>, the <option>-O</option> option is
+            also supported.
+          </para>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+--- a/src/useradd.c
+++ b/src/useradd.c
+@@ -1143,9 +1143,9 @@
+ 		};
+ 		while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:",
+		                         "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:P:s:u:UZ:",
+ #else				/* !WITH_SELINUX */
+-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U",
+		                         "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:P:s:u:U",
+ #endif				/* !WITH_SELINUX */
+ 		                         long_options, NULL)) != -1) {
+ 			switch (c) {
+@@ -1274,6 +1274,7 @@
+ 				kflg = true;
+ 				break;
+ 			case 'K':
+			case 'O': /* compatibility with previous Debian useradd */
+ 				/*
+ 				 * override login.defs defaults (-K name=value)
+ 				 * example: -K UID_MIN=100 -K UID_MAX=499
--- a/debian/patches/900_testsuite_groupmems
+++ b/debian/patches/900_testsuite_groupmems
@@ -0,0 +1,81 @@
+--- a/debian/passwd.install
+++ b/debian/passwd.install
+@@ -9,6 +9,7 @@
+ usr/sbin/cppw
+ usr/sbin/groupadd
+ usr/sbin/groupdel
+usr/sbin/groupmems
+ usr/sbin/groupmod
+ usr/sbin/grpck
+ usr/sbin/grpconv
+@@ -33,6 +34,7 @@
+ usr/share/man/*/man8/chpasswd.8
+ usr/share/man/*/man8/groupadd.8
+ usr/share/man/*/man8/groupdel.8
+usr/share/man/*/man8/groupmems.8
+ usr/share/man/*/man8/groupmod.8
+ usr/share/man/*/man8/grpck.8
+ usr/share/man/*/man8/grpconv.8
+@@ -59,6 +61,7 @@
+ usr/share/man/man8/chpasswd.8
+ usr/share/man/man8/groupadd.8
+ usr/share/man/man8/groupdel.8
+usr/share/man/man8/groupmems.8
+ usr/share/man/man8/groupmod.8
+ usr/share/man/man8/grpck.8
+ usr/share/man/man8/grpconv.8
+--- a/debian/passwd.postinst
+++ b/debian/passwd.postinst
+@@ -31,6 +31,24 @@
+     			exit 1
+ 		)
+ 	fi
+	if ! getent group groupmems | grep -q '^groupmems:[^:]*:99'
+	then
+		groupadd -g 99 groupmems || (
+    			cat <<EOF
+************************  TESTSUITE  *****************************
+Group ID 99 has been allocated for the groupmems group.  You have either
+used 99 yourself or created a groupmems group with a different ID.
+Please correct this problem and reconfigure with ``dpkg --configure passwd''.
+
+Note that both user and group IDs in the range 0-99 are globally
+allocated by the Debian project and must be the same on every Debian
+system.
+EOF
+    			exit 1
+		)
+# FIXME
+		chgrp groupmems /usr/sbin/groupmems
+	fi
+     ;;
+ esac
+ 
+--- a/debian/rules
+++ b/debian/rules
+@@ -60,6 +60,7 @@
+ 	dh_installpam -p passwd --name=chsh
+ 	dh_installpam -p passwd --name=chpasswd
+ 	dh_installpam -p passwd --name=newusers
+	dh_installpam -p passwd --name=groupmems
+ ifeq ($(DEB_HOST_ARCH_OS),hurd)
+ # login is not built on The Hurd, but some utilities of passwd depends on
+ # /etc/login.defs.
+@@ -87,3 +88,6 @@
+ 	chgrp shadow debian/passwd/usr/bin/expiry
+ 	chmod g+s debian/passwd/usr/bin/chage
+ 	chmod g+s debian/passwd/usr/bin/expiry
+	chgrp groupmems debian/passwd/usr/sbin/groupmems
+	chmod u+s debian/passwd/usr/sbin/groupmems
+	chmod o-x debian/passwd/usr/sbin/groupmems
+--- /dev/null
+++ b/debian/passwd.groupmems.pam
+@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupmod' service
+#
+
+# This allows root to modify groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+@include common-auth
+@include common-account
--- a/debian/patches/901_testsuite_gcov
+++ b/debian/patches/901_testsuite_gcov
@@ -0,0 +1,76 @@
+--- a/lib/Makefile.am
+++ b/lib/Makefile.am
+@@ -1,6 +1,8 @@
+ 
+ AUTOMAKE_OPTIONS = 1.0 foreign
+ 
+CFLAGS += -fprofile-arcs -ftest-coverage
+
+ DEFS = 
+ 
+ noinst_LTLIBRARIES = libshadow.la
+--- a/libmisc/Makefile.am
+++ b/libmisc/Makefile.am
+@@ -1,6 +1,8 @@
+ 
+ EXTRA_DIST = .indent.pro xgetXXbyYY.c
+ 
+CFLAGS += -fprofile-arcs -ftest-coverage
+
+ INCLUDES = -I$(top_srcdir)/lib
+ 
+ noinst_LIBRARIES = libmisc.a
+--- a/src/Makefile.am
+++ b/src/Makefile.am
+@@ -7,6 +7,8 @@
+ suidperms = 4755
+ sgidperms = 2755
+ 
+CFLAGS += -fprofile-arcs -ftest-coverage
+
+ INCLUDES = \
+ 	-I${top_srcdir}/lib \
+ 	-I$(top_srcdir)/libmisc
+--- a/debian/rules
+++ b/debian/rules
+@@ -40,6 +40,12 @@
+ endif
+ export CFLAGS
+ 
+clean:: clean_gcov
+
+clean_gcov:
+	find . -name "*.gcda" -delete
+	find . -name "*.gcno" -delete
+
+ # Add extras to the install process:
+ binary-install/login::
+ 	dh_installpam -p login
+--- a/lib/defines.h
+++ b/lib/defines.h
+@@ -174,23 +174,9 @@
+    trust the formatted time received from the unix domain (or worse,
+    UDP) socket.  -MM */
+ /* Avoid translated PAM error messages: Set LC_ALL to "C".
+ * This is disabled for coverage testing
+  * --Nekral */
+-#define SYSLOG(x)							\
+-	do {								\
+-		char *old_locale = setlocale (LC_ALL, NULL);		\
+-		char *saved_locale = NULL;				\
+-		if (NULL != old_locale) {				\
+-			saved_locale = strdup (old_locale);		\
+-		}							\
+-		if (NULL != saved_locale) {				\
+-			(void) setlocale (LC_ALL, "C");			\
+-		}							\
+-		syslog x ;						\
+-		if (NULL != saved_locale) {				\
+-			(void) setlocale (LC_ALL, saved_locale);	\
+-			free (saved_locale);				\
+-		}							\
+-	} while (false)
+#define SYSLOG(x) syslog x
+ #else				/* !ENABLE_NLS */
+ #define SYSLOG(x) syslog x
+ #endif				/* !ENABLE_NLS */
--- a/debian/patches/CVE-2023-29383.patch
+++ b/debian/patches/CVE-2023-29383.patch
@@ -0,0 +1,83 @@
+Origin: https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+Origin: https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2025-04-15
+
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+Index: shadow-4.8.1/lib/fields.c
+===================================================================
+--- shadow-4.8.1.orig/lib/fields.c
+++ shadow-4.8.1/lib/fields.c
+@@ -44,9 +44,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *       contains a non-printable character.
+ *  + -1 is returned if an illegal or control character is present.
+ *  +  1 is returned if no illegal or control characters are present,
+ *       but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+  */
+ int valid_field (const char *field, const char *illegal)
+@@ -60,23 +60,22 @@ int valid_field (const char *field, cons
+ 
+ 	/* For each character of field, search if it appears in the list
+ 	 * of illegal characters. */
+	if (illegal && NULL != strpbrk (field, illegal)) {
+		return -1;
+	}
+
+	/* Search if there are non-printable or control characters */
+ 	for (cp = field; '\0' != *cp; cp++) {
+-		if (strchr (illegal, *cp) != NULL) {
+		unsigned char c = *cp;
+		if (!isprint (c)) {
+			err = 1;
+		}
+		if (iscntrl (c)) {
+ 			err = -1;
+ 			break;
+ 		}
+ 	}
+ 
+-	if (0 == err) {
+-		/* Search if there are some non-printable characters */
+-		for (cp = field; '\0' != *cp; cp++) {
+-			if (!isprint (*cp)) {
+-				err = 1;
+-				break;
+-			}
+-		}
+-	}
+-
+ 	return err;
+ }
+ 
--- a/debian/patches/CVE-2023-4641.patch
+++ b/debian/patches/CVE-2023-4641.patch
@@ -0,0 +1,143 @@
+Origin: https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2025-04-15
+
+From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process.  It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> -  ptrace (requires ptrace privileges, mediated by YAMA)
+> -  causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack.  Those copies won't get zeroed
+by explicit_bzero(3).  However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3).  But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible.  Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit.  Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All.  Bug introduced in shadow 19990709.  That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: shadow-4.8.1/src/gpasswd.c
+===================================================================
+--- shadow-4.8.1.orig/src/gpasswd.c
+++ shadow-4.8.1/src/gpasswd.c
+@@ -911,6 +911,7 @@ static void change_passwd (struct group
+ 	for (retries = 0; retries < RETRIES; retries++) {
+ 		cp = getpass (_("New Password: "));
+ 		if (NULL == cp) {
+			memzero (pass, sizeof pass);
+ 			exit (1);
+ 		}
+ 
--- a/debian/patches/README.patches
+++ b/debian/patches/README.patches
@@ -0,0 +1,22 @@
+Small intro to the system for numbering the patches here...
+
+-The 00xx-... patches are forwarded to upstream's git repository
+
+-The 0xx_... series of patches are patches isolated from the latest
+ version of the shadow Debian package not using quilt in order to
+ separate upstream from Debian-specific stuff.
+
+ NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES
+
+-The 4xx series are patches which have been applied to Debian's shadow
+ and have NOT been accepted and/or applied upstream. These patches MUST be kept
+ even after resynced with upstream
+
+-The 5xx series are patches which are applied to Debian's shadow
+ and will never be proposed upstream because they're too specific
+ This list SHOULD BE AS SHORT AS POSSIBLE
+
+In short, while we are working towards synchronisation with upstream,
+our goal is to make 0xx patches disappear by moving them either to 3xx
+series (things already implemented upstream) or to 4xx series
+(Debian-specific patches).
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1,19 @@
+# These patches are only for the testsuite:
+#900_testsuite_groupmems
+#901_testsuite_gcov
+
+503_shadowconfig.8
+008_login_log_failure_in_FTMP
+429_login_FAILLOG_ENAB
+401_cppw_src.dpatch
+# 402 should be merged in 401, but should be reviewed by SE Linux experts first
+402_cppw_selinux
+506_relaxed_usernames
+542_useradd-O_option
+463_login_delay_obeys_to_PAM
+508_nologin_in_usr_sbin
+505_useradd_recommend_adduser
+501_commonio_group_shadow
+
+CVE-2023-4641.patch
+CVE-2023-29383.patch
--- a/debian/rules
+++ b/debian/rules
@@ -0,0 +1,87 @@
+#!/usr/bin/make -f
+# -*- mode: makefile; coding: utf-8 -*-
+
+# Enable PIE, BINDNOW, and possible future flags.
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
+
+# TODO test if this can be dropped:
+# Specify where dh_install will find the files that it needs to move:
+DEB_DH_INSTALL_SOURCEDIR=debian/tmp
+# Specify the destination of shadow's "make install"
+# (This is only needed on The Hurd, where only one package is built. On
+# the other arch, DEB_DESTDIR already points to debian/tmp)
+DEB_DESTDIR=$(CURDIR)/debian/tmp
+
+# Adds extra options when calling the configure script:
+DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared \
+	--without-libcrack \
+	--mandir=/usr/share/man \
+	--with-libpam \
+	--enable-shadowgrp \
+	--enable-man \
+	--disable-account-tools-setuid \
+	--with-group-name-max-length=32 \
+	--without-acl \
+	--without-attr \
+	--without-su \
+	--without-tcb \
+	 SHELL=/bin/sh
+
+# Set the default editor for vipw/vigr
+CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\""
+
+%:
+	dh $@
+
+override_dh_auto_configure:
+	cp debian/HOME_MODE.xml man/login.defs.d/HOME_MODE.xml
+	dh_auto_configure -- $(DEB_CONFIGURE_EXTRA_FLAGS)
+
+override_dh_install-arch:
+ifneq ($(DEB_HOST_ARCH_OS),linux)
+	sed -i 's/session    optional   pam_keyinit.so/# Linux only # session    optional   pam_keyinit.so/' debian/login.pam
+endif
+	dh_install -a
+ifeq ($(DEB_HOST_ARCH_OS),hurd)
+	# /bin/login is provided by the hurd package.
+	rm -f debian/login/bin/login
+endif
+
+override_dh_installpam:
+	# Distribute the pam.d files; unless for the commands with disabled PAM
+	# support
+	dh_installpam -p login
+	dh_installpam -p passwd --name=passwd
+	dh_installpam -p passwd --name=chfn
+	dh_installpam -p passwd --name=chsh
+	dh_installpam -p passwd --name=chpasswd
+	dh_installpam -p passwd --name=newusers
+
+override_dh_builddeb-arch:
+	# uidmap
+	chmod u+s debian/uidmap/usr/bin/newuidmap
+	chmod u+s debian/uidmap/usr/bin/newgidmap
+	# login
+	# No real need for login to be setuid root
+	# chmod u+s debian/login/bin/login
+	chmod u+s debian/login/usr/bin/newgrp
+	# passwd
+	chmod u+s debian/passwd/usr/bin/chfn
+	chmod u+s debian/passwd/usr/bin/chsh
+	chmod u+s debian/passwd/usr/bin/gpasswd
+	chmod u+s debian/passwd/usr/bin/passwd
+	chgrp shadow debian/passwd/usr/bin/chage
+	chgrp shadow debian/passwd/usr/bin/expiry
+	chmod g+s debian/passwd/usr/bin/chage
+	chmod g+s debian/passwd/usr/bin/expiry
+	dh_builddeb -a
+
+override_dh_auto_clean:
+	sed -i 's/# Linux only # //' debian/login.pam
+	dh_auto_clean
+
+override_dh_clean:
+	dh_clean ./man/login.defs.d/HOME_MODE.xml
--- a/debian/salsa-ci.yml
+++ b/debian/salsa-ci.yml
@@ -0,0 +1,13 @@
+---
+# LTS/ELTS CI
+
+include:
+- https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/bullseye.yml
+
+# These didn't work before LTS, not attempting to fix after freeze
+#blhc:
+#  allow_failure: true
+
+# https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/275
+piuparts:
+  allow_failure: true
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`rm_conffile /etc/cron.daily/passwd 1:4.7-2~`