Add Build-Depends: libcmocka-dev to run build-time tests

Update changelog for 1:4.15.3-1 release
Fix setup of test libsubid-04_nss
2024-07-06 23:57:40 +02:00 · 2024-07-06 23:51:09 +02:00 · 2024-07-06 23:37:02 +02:00 · 2024-07-06 23:30:23 +02:00 · 2024-07-06 23:30:00 +02:00 · 2024-07-06 23:28:49 +02:00
1036 changed files with 33414 additions and 47017 deletions
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,12 +1,14 @@
 ## Process this file with automake to produce Makefile.in

+EXTRA_DIST = NEWS README
+
 SUBDIRS = lib

 if ENABLE_SUBIDS
 SUBDIRS += libsubid
 endif

-SUBDIRS += src po doc etc tests/unit
+SUBDIRS += src po contrib doc etc tests/unit

 if ENABLE_REGENERATE_MAN
 SUBDIRS += man
@@ -14,7 +16,7 @@ endif

 CLEANFILES = man/8.out man/po/remove-potcdate.* man/*/login.defs.d man/*/*.mo

-EXTRA_DIST = NEWS README tests/
+EXTRA_DIST = tests/

 dist-hook:
 	chmod -R u+w $(distdir)/tests
--- a/Makefile.in
+++ b/Makefile.in
@@ -163,7 +163,7 @@ am__define_uniq_tagged_files = \
  unique=`for i in $$list; do \
    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
  done | $(am__uniquify_input)`
-DIST_SUBDIRS = lib libsubid src po doc etc tests/unit man
+DIST_SUBDIRS = lib libsubid src po contrib doc etc tests/unit man
 am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
 	$(top_srcdir)/man/po/Makefile.in ABOUT-NLS AUTHORS.md COPYING \
 	ChangeLog NEWS README compile config.guess config.rpath \
@@ -334,6 +334,8 @@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
@@ -388,10 +390,10 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-SUBDIRS = lib $(am__append_1) src po doc etc tests/unit \
+EXTRA_DIST = tests/
+SUBDIRS = lib $(am__append_1) src po contrib doc etc tests/unit \
 	$(am__append_2)
 CLEANFILES = man/8.out man/po/remove-potcdate.* man/*/login.defs.d man/*/*.mo
-EXTRA_DIST = NEWS README tests/
 all: config.h
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive

--- a/config.h.in
+++ b/config.h.in
@@ -20,6 +20,10 @@
 /* Path for faillog file. */
 #undef FAILLOG_FILE

+/* Define to the type of elements in the array set by `getgroups'. Usually
+   this is either `int' or `gid_t'. */
+#undef GETGROUPS_T
+
 /* max group name length */
 #undef GROUP_NAME_MAX_LENGTH

@@ -49,6 +53,9 @@
   the CoreFoundation framework. */
 #undef HAVE_CFPREFERENCESCOPYAPPVALUE

+/* Define to 1 if you have the <crypt.h> header file. */
+#undef HAVE_CRYPT_H
+
 /* Define if the GNU dcgettext() function is already present or preinstalled.
   */
 #undef HAVE_DCGETTEXT
@@ -91,27 +98,45 @@
 /* Defined to 1 if you have the declaration of 'fgetpwent_r' */
 #undef HAVE_FGETPWENT_R

+/* Define to 1 if you have the `futimes' function. */
+#undef HAVE_FUTIMES
+
 /* Define to 1 if you have the `getentropy' function. */
 #undef HAVE_GETENTROPY

 /* Define to 1 if you have the `getrandom' function. */
 #undef HAVE_GETRANDOM

+/* Define to 1 if you have the `getspnam' function. */
+#undef HAVE_GETSPNAM
+
 /* Define to 1 if you have the `getspnam_r' function. */
 #undef HAVE_GETSPNAM_R

 /* Define if the GNU gettext() function is already present or preinstalled. */
 #undef HAVE_GETTEXT

+/* Define to 1 if you have the `getusershell' function. */
+#undef HAVE_GETUSERSHELL
+
+/* Define to 1 if you have the <gshadow.h> header file. */
+#undef HAVE_GSHADOW_H
+
 /* Define if you have the iconv() function and it works. */
 #undef HAVE_ICONV

+/* Define to 1 if you have the `initgroups' function. */
+#undef HAVE_INITGROUPS
+
 /* Define to 1 if you have the `innetgr' function. */
 #undef HAVE_INNETGR

 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H

+/* Define to 1 if you have the <lastlog.h> header file. */
+#undef HAVE_LASTLOG_H
+
 /* Define to 1 if you have the `lckpwdf' function. */
 #undef HAVE_LCKPWDF

@@ -139,6 +164,9 @@
 /* Define to 1 if you have the <minix/config.h> header file. */
 #undef HAVE_MINIX_CONFIG_H

+/* Define to 1 if you have the <paths.h> header file. */
+#undef HAVE_PATHS_H
+
 /* Define to 1 if you have the `putgrent' function. */
 #undef HAVE_PUTGRENT

@@ -151,6 +179,9 @@
 /* Define to 1 if you have the <readpassphrase.h> header file. */
 #undef HAVE_READPASSPHRASE_H

+/* Define to 1 if you have the <rpc/key_prot.h> header file. */
+#undef HAVE_RPC_KEY_PROT_H
+
 /* Define to 1 if you have the `rpmatch' function. */
 #undef HAVE_RPMATCH

@@ -166,6 +197,9 @@
 /* Define to 1 if you have the <semanage/semanage.h> header file. */
 #undef HAVE_SEMANAGE_SEMANAGE_H

+/* Define to 1 if you have the `setgroups' function. */
+#undef HAVE_SETGROUPS
+
 /* Define to 1 if you have the `sgetgrent' function. */
 #undef HAVE_SGETGRENT

@@ -175,6 +209,12 @@
 /* Define to 1 if you have the `sgetspent' function. */
 #undef HAVE_SGETSPENT

+/* Define to 1 if you have the <sgtty.h> header file. */
+#undef HAVE_SGTTY_H
+
+/* Have working shadow group support in libc */
+#undef HAVE_SHADOWGRP
+
 /* Define if you have the shl_load function. */
 #undef HAVE_SHL_LOAD

@@ -220,6 +260,15 @@
 /* Define to 1 if `ut_xtime' is a member of `struct utmpx'. */
 #undef HAVE_STRUCT_UTMPX_UT_XTIME

+/* Define to 1 if you have the <sys/capability.h> header file. */
+#undef HAVE_SYS_CAPABILITY_H
+
+/* Define to 1 if you have the <sys/ioctl.h> header file. */
+#undef HAVE_SYS_IOCTL_H
+
+/* Define to 1 if you have the <sys/random.h> header file. */
+#undef HAVE_SYS_RANDOM_H
+
 /* Define to 1 if you have the <sys/statfs.h> header file. */
 #undef HAVE_SYS_STATFS_H

@@ -232,6 +281,9 @@
 /* Define to 1 if you have the <tcb.h> header file. */
 #undef HAVE_TCB_H

+/* Define to 1 if you have the <termio.h> header file. */
+#undef HAVE_TERMIO_H
+
 /* Define to 1 if you have the <unistd.h> header file. */
 #undef HAVE_UNISTD_H

@@ -244,6 +296,9 @@
 /* Define to 1 if `utime(file, NULL)' sets file's timestamp to the present. */
 #undef HAVE_UTIME_NULL

+/* Define to 1 if you have the <utmp.h> header file. */
+#undef HAVE_UTMP_H
+
 /* Define to support vendor settings. */
 #undef HAVE_VENDORDIR

@@ -286,6 +341,12 @@
 /* Path to passwd program. */
 #undef PASSWD_PROGRAM

+/* Define if login should support the -r flag for rlogind. */
+#undef RLOGIN
+
+/* Define to the ruserok() "success" return value (0 or 1). */
+#undef RUSEROK
+
 /* Define to support the shadow group file. */
 #undef SHADOWGRP

@@ -457,5 +518,14 @@
 /* Define for large files, on AIX-style hosts. */
 #undef _LARGE_FILES

+/* Path for utmp file. */
+#undef _UTMP_FILE
+
 /* Path for wtmp file. */
 #undef _WTMP_FILE
+
+/* Define to `int' if <sys/types.h> doesn't define. */
+#undef gid_t
+
+/* Define to `int' if <sys/types.h> doesn't define. */
+#undef uid_t
--- a/753
+++ b/753
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for shadow 4.18.0.
+# Generated by GNU Autoconf 2.71 for shadow 4.15.3.
 #
 # Report bugs to <pkg-shadow-devel@lists.alioth.debian.org>.
 #
@@ -621,8 +621,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='shadow'
 PACKAGE_TARNAME='shadow'
-PACKAGE_VERSION='4.18.0'
-PACKAGE_STRING='shadow 4.18.0'
+PACKAGE_VERSION='4.15.3'
+PACKAGE_STRING='shadow 4.15.3'
 PACKAGE_BUGREPORT='pkg-shadow-devel@lists.alioth.debian.org'
 PACKAGE_URL='https://github.com/shadow-maint/shadow'

@@ -671,7 +671,6 @@ INTLLIBS
 LTLIBICONV
 LIBICONV
 INTL_MACOSX_LIBS
-CPP
 XGETTEXT_EXTRA_OPTIONS
 MSGMERGE
 XGETTEXT_015
@@ -745,6 +744,7 @@ USE_SHA_CRYPT_FALSE
 USE_SHA_CRYPT_TRUE
 GROUP_NAME_MAX_LENGTH
 LIBOBJS
+CPP
 LIBADD_DL
 LT_DLPREOPEN
 LIBADD_DLD_LINK
@@ -781,6 +781,8 @@ build_vendor
 build_cpu
 build
 LIBTOOL
+YFLAGS
+YACC
 LN_S
 MAINT
 MAINTAINER_MODE_FALSE
@@ -928,15 +930,17 @@ CFLAGS
 LDFLAGS
 LIBS
 CPPFLAGS
+YACC
+YFLAGS
 LT_SYS_LIBRARY_PATH
+CPP
 PKG_CONFIG
 PKG_CONFIG_PATH
 PKG_CONFIG_LIBDIR
 CMOCKA_CFLAGS
 CMOCKA_LIBS
 LIBBSD_CFLAGS
-LIBBSD_LIBS
-CPP'
+LIBBSD_LIBS'


 # Initialize some variables set by options.
@@ -1485,7 +1489,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures shadow 4.18.0 to adapt to many kinds of systems.
+\`configure' configures shadow 4.15.3 to adapt to many kinds of systems.

 Usage: $0 [OPTION]... [VAR=VALUE]...

@@ -1556,7 +1560,7 @@ fi

 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of shadow 4.18.0:";;
+     short | recursive ) echo "Configuration of shadow 4.15.3:";;
   esac
  cat <<\_ACEOF

@@ -1646,8 +1650,15 @@ Some influential environment variables:
  LIBS        libraries to pass to the linker, e.g. -l<library>
  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
              you have headers in a nonstandard directory <include dir>
+  YACC        The `Yet Another Compiler Compiler' implementation to use.
+              Defaults to the first program found out of: `bison -y', `byacc',
+              `yacc'.
+  YFLAGS      The list of arguments that will be passed by default to $YACC.
+              This script will default YFLAGS to the empty string to avoid a
+              default value of `-d' given by some make applications.
  LT_SYS_LIBRARY_PATH
              User-defined run-time library search path.
+  CPP         C preprocessor
  PKG_CONFIG  path to pkg-config utility
  PKG_CONFIG_PATH
              directories to add to pkg-config's search path
@@ -1659,7 +1670,6 @@ Some influential environment variables:
  LIBBSD_CFLAGS
              C compiler flags for LIBBSD, overriding pkg-config
  LIBBSD_LIBS linker flags for LIBBSD, overriding pkg-config
-  CPP         C preprocessor

 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
@@ -1729,7 +1739,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-shadow configure 4.18.0
+shadow configure 4.15.3
 generated by GNU Autoconf 2.71

 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2036,6 +2046,44 @@ printf "%s\n" "$ac_res" >&6; }

 } # ac_fn_c_check_member

+# ac_fn_c_try_cpp LINENO
+# ----------------------
+# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_cpp ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  if { { ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+printf "%s\n" "$ac_try_echo"; } >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } > conftest.i && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }
+then :
+  ac_retval=0
+else $as_nop
+  printf "%s\n" "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+    ac_retval=1
+fi
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+  as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_cpp
+
 # ac_fn_c_try_run LINENO
 # ----------------------
 # Try to run conftest.$ac_ext, and return whether this succeeded. Assumes that
@@ -2267,44 +2315,6 @@ rm -f conftest.val
  as_fn_set_status $ac_retval

 } # ac_fn_c_compute_int
-
-# ac_fn_c_try_cpp LINENO
-# ----------------------
-# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
-ac_fn_c_try_cpp ()
-{
-  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  if { { ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-printf "%s\n" "$ac_try_echo"; } >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
-  ac_status=$?
-  if test -s conftest.err; then
-    grep -v '^ *+' conftest.err >conftest.er1
-    cat conftest.er1 >&5
-    mv -f conftest.er1 conftest.err
-  fi
-  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } > conftest.i && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }
-then :
-  ac_retval=0
-else $as_nop
-  printf "%s\n" "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-    ac_retval=1
-fi
-  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-  as_fn_set_status $ac_retval
-
-} # ac_fn_c_try_cpp
 ac_configure_args_raw=
 for ac_arg
 do
@@ -2329,7 +2339,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.

-It was created by shadow $as_me 4.18.0, which was
+It was created by shadow $as_me 4.15.3, which was
 generated by GNU Autoconf 2.71.  Invocation command line was

  $ $0$ac_configure_args_raw
@@ -3602,7 +3612,7 @@ fi

 # Define the identity of the package.
 PACKAGE='shadow'
- VERSION='4.18.0'
+ VERSION='4.15.3'


 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -3836,13 +3846,13 @@ AM_BACKSLASH='\'
 ac_config_headers="$ac_config_headers config.h"


-LIBSUBID_ABI_MAJOR=5
+LIBSUBID_ABI_MAJOR=4

 LIBSUBID_ABI_MINOR=0

 LIBSUBID_ABI_MICRO=0

-LIBSUBID_ABI=5.0.0
+LIBSUBID_ABI=4.0.0


 test "$prefix" = "NONE" && prefix="/usr"
@@ -6291,6 +6301,54 @@ else
 printf "%s\n" "no, using $LN_S" >&6; }
 fi

+for ac_prog in 'bison -y' byacc
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+printf %s "checking for $ac_word... " >&6; }
+if test ${ac_cv_prog_YACC+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  if test -n "$YACC"; then
+  ac_cv_prog_YACC="$YACC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  case $as_dir in #(((
+    '') as_dir=./ ;;
+    */) ;;
+    *) as_dir=$as_dir/ ;;
+  esac
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
+    ac_cv_prog_YACC="$ac_prog"
+    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+YACC=$ac_cv_prog_YACC
+if test -n "$YACC"; then
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $YACC" >&5
+printf "%s\n" "$YACC" >&6; }
+else
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+fi
+
+
+  test -n "$YACC" && break
+done
+test -n "$YACC" || YACC="yacc"
+
 case `pwd` in
  *\ * | *\	*)
    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5
@@ -14777,6 +14835,92 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu



+ac_fn_c_check_header_compile "$LINENO" "crypt.h" "ac_cv_header_crypt_h" "$ac_includes_default"
+if test "x$ac_cv_header_crypt_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_CRYPT_H 1" >>confdefs.h
+
+fi
+ac_fn_c_check_header_compile "$LINENO" "utmp.h" "ac_cv_header_utmp_h" "$ac_includes_default"
+if test "x$ac_cv_header_utmp_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_UTMP_H 1" >>confdefs.h
+
+fi
+ac_fn_c_check_header_compile "$LINENO" "termio.h" "ac_cv_header_termio_h" "$ac_includes_default"
+if test "x$ac_cv_header_termio_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_TERMIO_H 1" >>confdefs.h
+
+fi
+ac_fn_c_check_header_compile "$LINENO" "sgtty.h" "ac_cv_header_sgtty_h" "$ac_includes_default"
+if test "x$ac_cv_header_sgtty_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_SGTTY_H 1" >>confdefs.h
+
+fi
+ac_fn_c_check_header_compile "$LINENO" "sys/ioctl.h" "ac_cv_header_sys_ioctl_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_ioctl_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_SYS_IOCTL_H 1" >>confdefs.h
+
+fi
+ac_fn_c_check_header_compile "$LINENO" "paths.h" "ac_cv_header_paths_h" "$ac_includes_default"
+if test "x$ac_cv_header_paths_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_PATHS_H 1" >>confdefs.h
+
+fi
+ac_fn_c_check_header_compile "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_capability_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_SYS_CAPABILITY_H 1" >>confdefs.h
+
+fi
+ac_fn_c_check_header_compile "$LINENO" "sys/random.h" "ac_cv_header_sys_random_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_random_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_SYS_RANDOM_H 1" >>confdefs.h
+
+fi
+ac_fn_c_check_header_compile "$LINENO" "gshadow.h" "ac_cv_header_gshadow_h" "$ac_includes_default"
+if test "x$ac_cv_header_gshadow_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_GSHADOW_H 1" >>confdefs.h
+
+fi
+ac_fn_c_check_header_compile "$LINENO" "lastlog.h" "ac_cv_header_lastlog_h" "$ac_includes_default"
+if test "x$ac_cv_header_lastlog_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_LASTLOG_H 1" >>confdefs.h
+
+fi
+ac_fn_c_check_header_compile "$LINENO" "rpc/key_prot.h" "ac_cv_header_rpc_key_prot_h" "$ac_includes_default"
+if test "x$ac_cv_header_rpc_key_prot_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_RPC_KEY_PROT_H 1" >>confdefs.h
+
+fi
+ac_fn_c_check_header_compile "$LINENO" "acl/libacl.h" "ac_cv_header_acl_libacl_h" "$ac_includes_default"
+if test "x$ac_cv_header_acl_libacl_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_ACL_LIBACL_H 1" >>confdefs.h
+
+fi
+ac_fn_c_check_header_compile "$LINENO" "attr/libattr.h" "ac_cv_header_attr_libattr_h" "$ac_includes_default"
+if test "x$ac_cv_header_attr_libattr_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_ATTR_LIBATTR_H 1" >>confdefs.h
+
+fi
+ac_fn_c_check_header_compile "$LINENO" "attr/error_context.h" "ac_cv_header_attr_error_context_h" "$ac_includes_default"
+if test "x$ac_cv_header_attr_error_context_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_ATTR_ERROR_CONTEXT_H 1" >>confdefs.h
+
+fi
+
+
 ac_fn_c_check_header_compile "$LINENO" "shadow.h" "ac_cv_header_shadow_h" "$ac_includes_default"
 if test "x$ac_cv_header_shadow_h" = xyes
 then :
@@ -14791,6 +14935,12 @@ if test "x$ac_cv_func_arc4random_buf" = xyes
 then :
  printf "%s\n" "#define HAVE_ARC4RANDOM_BUF 1" >>confdefs.h

+fi
+ac_fn_c_check_func "$LINENO" "futimes" "ac_cv_func_futimes"
+if test "x$ac_cv_func_futimes" = xyes
+then :
+  printf "%s\n" "#define HAVE_FUTIMES 1" >>confdefs.h
+
 fi
 ac_fn_c_check_func "$LINENO" "getentropy" "ac_cv_func_getentropy"
 if test "x$ac_cv_func_getentropy" = xyes
@@ -14803,6 +14953,24 @@ if test "x$ac_cv_func_getrandom" = xyes
 then :
  printf "%s\n" "#define HAVE_GETRANDOM 1" >>confdefs.h

+fi
+ac_fn_c_check_func "$LINENO" "getspnam" "ac_cv_func_getspnam"
+if test "x$ac_cv_func_getspnam" = xyes
+then :
+  printf "%s\n" "#define HAVE_GETSPNAM 1" >>confdefs.h
+
+fi
+ac_fn_c_check_func "$LINENO" "getusershell" "ac_cv_func_getusershell"
+if test "x$ac_cv_func_getusershell" = xyes
+then :
+  printf "%s\n" "#define HAVE_GETUSERSHELL 1" >>confdefs.h
+
+fi
+ac_fn_c_check_func "$LINENO" "initgroups" "ac_cv_func_initgroups"
+if test "x$ac_cv_func_initgroups" = xyes
+then :
+  printf "%s\n" "#define HAVE_INITGROUPS 1" >>confdefs.h
+
 fi
 ac_fn_c_check_func "$LINENO" "lckpwdf" "ac_cv_func_lckpwdf"
 if test "x$ac_cv_func_lckpwdf" = xyes
@@ -14815,6 +14983,12 @@ if test "x$ac_cv_func_lutimes" = xyes
 then :
  printf "%s\n" "#define HAVE_LUTIMES 1" >>confdefs.h

+fi
+ac_fn_c_check_func "$LINENO" "setgroups" "ac_cv_func_setgroups"
+if test "x$ac_cv_func_setgroups" = xyes
+then :
+  printf "%s\n" "#define HAVE_SETGROUPS 1" >>confdefs.h
+
 fi
 ac_fn_c_check_func "$LINENO" "updwtmpx" "ac_cv_func_updwtmpx"
 if test "x$ac_cv_func_updwtmpx" = xyes
@@ -15136,6 +15310,240 @@ printf "%s\n" "#define HAVE_STRUCT_UTMPX_UT_XTIME 1" >>confdefs.h
 fi


+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5
+printf %s "checking how to run the C preprocessor... " >&6; }
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+  CPP=
+fi
+if test -z "$CPP"; then
+  if test ${ac_cv_prog_CPP+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+      # Double quotes because $CC needs to be expanded
+    for CPP in "$CC -E" "$CC -E -traditional-cpp" cpp /lib/cpp
+    do
+      ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+  # Use a header file that comes with gcc, so configuring glibc
+  # with a fresh cross-compiler works.
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp. "Syntax error" is here to catch this case.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <limits.h>
+		     Syntax error
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"
+then :
+
+else $as_nop
+  # Broken: fails on valid input.
+continue
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
+
+  # OK, works on sane cases.  Now check whether nonexistent headers
+  # can be detected and how.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <ac_nonexistent.h>
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"
+then :
+  # Broken: success on invalid input.
+continue
+else $as_nop
+  # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.i conftest.err conftest.$ac_ext
+if $ac_preproc_ok
+then :
+  break
+fi
+
+    done
+    ac_cv_prog_CPP=$CPP
+
+fi
+  CPP=$ac_cv_prog_CPP
+else
+  ac_cv_prog_CPP=$CPP
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5
+printf "%s\n" "$CPP" >&6; }
+ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+  # Use a header file that comes with gcc, so configuring glibc
+  # with a fresh cross-compiler works.
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp. "Syntax error" is here to catch this case.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <limits.h>
+		     Syntax error
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"
+then :
+
+else $as_nop
+  # Broken: fails on valid input.
+continue
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
+
+  # OK, works on sane cases.  Now check whether nonexistent headers
+  # can be detected and how.
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <ac_nonexistent.h>
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"
+then :
+  # Broken: success on invalid input.
+continue
+else $as_nop
+  # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.i conftest.err conftest.$ac_ext
+if $ac_preproc_ok
+then :
+
+else $as_nop
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for uid_t in sys/types.h" >&5
+printf %s "checking for uid_t in sys/types.h... " >&6; }
+if test ${ac_cv_type_uid_t+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <sys/types.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "uid_t" >/dev/null 2>&1
+then :
+  ac_cv_type_uid_t=yes
+else $as_nop
+  ac_cv_type_uid_t=no
+fi
+rm -rf conftest*
+
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_uid_t" >&5
+printf "%s\n" "$ac_cv_type_uid_t" >&6; }
+if test $ac_cv_type_uid_t = no; then
+
+printf "%s\n" "#define uid_t int" >>confdefs.h
+
+
+printf "%s\n" "#define gid_t int" >>confdefs.h
+
+fi
+
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking type of array argument to getgroups" >&5
+printf %s "checking type of array argument to getgroups... " >&6; }
+if test ${ac_cv_type_getgroups+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  if test "$cross_compiling" = yes
+then :
+  ac_cv_type_getgroups=cross
+else $as_nop
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+/* Thanks to Mike Rendell for this test.  */
+$ac_includes_default
+#define NGID 256
+#undef MAX
+#define MAX(x, y) ((x) > (y) ? (x) : (y))
+
+int
+main (void)
+{
+  gid_t gidset[NGID];
+  int i, n;
+  union { gid_t gval; long int lval; }  val;
+
+  val.lval = -1;
+  for (i = 0; i < NGID; i++)
+    gidset[i] = val.gval;
+  n = getgroups (sizeof (gidset) / MAX (sizeof (int), sizeof (gid_t)) - 1,
+		 gidset);
+  /* Exit non-zero if getgroups seems to require an array of ints.  This
+     happens when gid_t is short int but getgroups modifies an array
+     of ints.  */
+  return n > 0 && gidset[n] != val.gval;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"
+then :
+  ac_cv_type_getgroups=gid_t
+else $as_nop
+  ac_cv_type_getgroups=int
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+if test $ac_cv_type_getgroups = cross; then
+        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <unistd.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "getgroups.*int.*gid_t" >/dev/null 2>&1
+then :
+  ac_cv_type_getgroups=gid_t
+else $as_nop
+  ac_cv_type_getgroups=int
+fi
+rm -rf conftest*
+
+fi
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_getgroups" >&5
+printf "%s\n" "$ac_cv_type_getgroups" >&6; }
+
+printf "%s\n" "#define GETGROUPS_T $ac_cv_type_getgroups" >>confdefs.h
+
+


 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether utime accepts a null argument" >&5
@@ -15286,6 +15694,56 @@ printf "%s\n" "#define HAS_SECURE_GETENV 1" >>confdefs.h
 fi


+if test "$ac_cv_header_shadow_h" = "yes"; then
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working shadow group support" >&5
+printf %s "checking for working shadow group support... " >&6; }
+if test ${ac_cv_libc_shadowgrp+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  if test "$cross_compiling" = yes
+then :
+  ac_cv_libc_shadowgrp=no
+
+else $as_nop
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+				#include <shadow.h>
+				#ifdef HAVE_GSHADOW_H
+				#include <gshadow.h>
+				#endif
+				int
+				main()
+				{
+					struct sgrp *sg = sgetsgent("test:x::");
+					/* NYS libc on Red Hat 3.0.3 has broken shadow group support */
+					return !sg || !sg->sg_adm || !sg->sg_mem;
+				}
+
+_ACEOF
+if ac_fn_c_try_run "$LINENO"
+then :
+  ac_cv_libc_shadowgrp=yes
+else $as_nop
+  ac_cv_libc_shadowgrp=no
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_libc_shadowgrp" >&5
+printf "%s\n" "$ac_cv_libc_shadowgrp" >&6; }
+
+	if test "$ac_cv_libc_shadowgrp" = "yes"; then
+
+printf "%s\n" "#define HAVE_SHADOWGRP 1" >>confdefs.h
+
+	fi
+fi
+
 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking location of shared mail directory" >&5
 printf %s "checking location of shared mail directory... " >&6; }
 if test ${shadow_cv_maildir+y}
@@ -15326,6 +15784,28 @@ printf "%s\n" "#define MAIL_SPOOL_FILE \"$shadow_cv_mailfile\"" >>confdefs.h

 fi

+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking location of utmp" >&5
+printf %s "checking location of utmp... " >&6; }
+if test ${shadow_cv_utmpdir+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  for shadow_cv_utmpdir in /var/run /var/adm /usr/adm /etc none; do
+	if test -f $shadow_cv_utmpdir/utmp; then
+		break
+	fi
+done
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $shadow_cv_utmpdir" >&5
+printf "%s\n" "$shadow_cv_utmpdir" >&6; }
+if test "$shadow_cv_utmpdir" = "none"; then
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: utmp file not found" >&5
+printf "%s\n" "$as_me: WARNING: utmp file not found" >&2;}
+fi
+
+printf "%s\n" "#define _UTMP_FILE \"$shadow_cv_utmpdir/utmp\"" >>confdefs.h
+
+
 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking location of faillog/lastlog/wtmp" >&5
 printf %s "checking location of faillog/lastlog/wtmp... " >&6; }
 if test ${shadow_cv_logdir+y}
@@ -15350,10 +15830,33 @@ printf "%s\n" "#define LASTLOG_FILE \"$shadow_cv_logdir/lastlog\"" >>confdefs.h
 printf "%s\n" "#define FAILLOG_FILE \"$shadow_cv_logdir/faillog\"" >>confdefs.h


+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking location of the passwd program" >&5
+printf %s "checking location of the passwd program... " >&6; }
+if test ${shadow_cv_passwd_dir+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  if test -f /usr/bin/passwd; then
+	shadow_cv_passwd_dir=/usr/bin
+else
+	shadow_cv_passwd_dir=/bin
+fi
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $shadow_cv_passwd_dir" >&5
+printf "%s\n" "$shadow_cv_passwd_dir" >&6; }

-printf "%s\n" "#define PASSWD_PROGRAM \"$exec_prefix/bin/passwd\"" >>confdefs.h
+printf "%s\n" "#define PASSWD_PROGRAM \"$shadow_cv_passwd_dir/passwd\"" >>confdefs.h


+if test "$ac_cv_func_ruserok" = "yes"; then
+
+printf "%s\n" "#define RLOGIN 1" >>confdefs.h
+
+
+printf "%s\n" "#define RUSEROK 0" >>confdefs.h
+
+fi
+
 # Check whether --enable-shadowgrp was given.
 if test ${enable_shadowgrp+y}
 then :
@@ -16332,7 +16835,7 @@ printf "%s\n" "#define ENABLE_LASTLOG 1" >>confdefs.h
 		enable_lastlog="yes"
 	else
 		as_fn_error $? "Cannot enable support for lastlog on systems where the data structures aren't available" "$LINENO" 5
-		enable_lastlog="no"
+		enable_subids="no"
 	fi
 fi
 if test "x$enable_lastlog" != "xno"; then
@@ -17727,7 +18230,7 @@ if test "x$ac_cv_lib_skey_skeychallenge" = xyes
 then :
  LIBSKEY=-lskey
 else $as_nop
-  as_fn_error $? "libskey missing. You can download S/Key source code from http://rsync1.it.gentoo.org/gentoo/distfiles/skey-1.1.5.tar.bz2" "$LINENO" 5
+  as_fn_error $? "liskey missing. You can download S/Key source code from http://rsync1.it.gentoo.org/gentoo/distfiles/skey-1.1.5.tar.bz2" "$LINENO" 5
 fi


@@ -18253,139 +18756,6 @@ else $as_nop
 fi


-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5
-printf %s "checking how to run the C preprocessor... " >&6; }
-# On Suns, sometimes $CPP names a directory.
-if test -n "$CPP" && test -d "$CPP"; then
-  CPP=
-fi
-if test -z "$CPP"; then
-  if test ${ac_cv_prog_CPP+y}
-then :
-  printf %s "(cached) " >&6
-else $as_nop
-      # Double quotes because $CC needs to be expanded
-    for CPP in "$CC -E" "$CC -E -traditional-cpp" cpp /lib/cpp
-    do
-      ac_preproc_ok=false
-for ac_c_preproc_warn_flag in '' yes
-do
-  # Use a header file that comes with gcc, so configuring glibc
-  # with a fresh cross-compiler works.
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp. "Syntax error" is here to catch this case.
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-#include <limits.h>
-		     Syntax error
-_ACEOF
-if ac_fn_c_try_cpp "$LINENO"
-then :
-
-else $as_nop
-  # Broken: fails on valid input.
-continue
-fi
-rm -f conftest.err conftest.i conftest.$ac_ext
-
-  # OK, works on sane cases.  Now check whether nonexistent headers
-  # can be detected and how.
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-#include <ac_nonexistent.h>
-_ACEOF
-if ac_fn_c_try_cpp "$LINENO"
-then :
-  # Broken: success on invalid input.
-continue
-else $as_nop
-  # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-rm -f conftest.err conftest.i conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.i conftest.err conftest.$ac_ext
-if $ac_preproc_ok
-then :
-  break
-fi
-
-    done
-    ac_cv_prog_CPP=$CPP
-
-fi
-  CPP=$ac_cv_prog_CPP
-else
-  ac_cv_prog_CPP=$CPP
-fi
-{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5
-printf "%s\n" "$CPP" >&6; }
-ac_preproc_ok=false
-for ac_c_preproc_warn_flag in '' yes
-do
-  # Use a header file that comes with gcc, so configuring glibc
-  # with a fresh cross-compiler works.
-  # On the NeXT, cc -E runs the code through the compiler's parser,
-  # not just through cpp. "Syntax error" is here to catch this case.
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-#include <limits.h>
-		     Syntax error
-_ACEOF
-if ac_fn_c_try_cpp "$LINENO"
-then :
-
-else $as_nop
-  # Broken: fails on valid input.
-continue
-fi
-rm -f conftest.err conftest.i conftest.$ac_ext
-
-  # OK, works on sane cases.  Now check whether nonexistent headers
-  # can be detected and how.
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-#include <ac_nonexistent.h>
-_ACEOF
-if ac_fn_c_try_cpp "$LINENO"
-then :
-  # Broken: success on invalid input.
-continue
-else $as_nop
-  # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-rm -f conftest.err conftest.i conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.i conftest.err conftest.$ac_ext
-if $ac_preproc_ok
-then :
-
-else $as_nop
-  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details" "$LINENO" 5; }
-fi
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-


  acl_libdirstem=lib
@@ -20011,7 +20381,7 @@ else
 fi


-ac_config_files="$ac_config_files Makefile po/Makefile.in doc/Makefile man/Makefile man/config.xml man/po/Makefile man/cs/Makefile man/da/Makefile man/de/Makefile man/es/Makefile man/fi/Makefile man/fr/Makefile man/hu/Makefile man/id/Makefile man/it/Makefile man/ja/Makefile man/ko/Makefile man/pl/Makefile man/pt_BR/Makefile man/ru/Makefile man/sv/Makefile man/tr/Makefile man/uk/Makefile man/zh_CN/Makefile man/zh_TW/Makefile lib/Makefile libsubid/Makefile libsubid/subid.h src/Makefile etc/Makefile etc/pam.d/Makefile etc/shadow-maint/Makefile tests/unit/Makefile"
+ac_config_files="$ac_config_files Makefile po/Makefile.in doc/Makefile man/Makefile man/config.xml man/po/Makefile man/cs/Makefile man/da/Makefile man/de/Makefile man/es/Makefile man/fi/Makefile man/fr/Makefile man/hu/Makefile man/id/Makefile man/it/Makefile man/ja/Makefile man/ko/Makefile man/pl/Makefile man/pt_BR/Makefile man/ru/Makefile man/sv/Makefile man/tr/Makefile man/uk/Makefile man/zh_CN/Makefile man/zh_TW/Makefile lib/Makefile libsubid/Makefile libsubid/subid.h src/Makefile contrib/Makefile etc/Makefile etc/pam.d/Makefile etc/shadow-maint/Makefile tests/unit/Makefile"

 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -20620,7 +20990,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by shadow $as_me 4.18.0, which was
+This file was extended by shadow $as_me 4.15.3, which was
 generated by GNU Autoconf 2.71.  Invocation command line was

  CONFIG_FILES    = $CONFIG_FILES
@@ -20689,7 +21059,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-shadow config.status 4.18.0
+shadow config.status 4.15.3
 configured by $0, generated by GNU Autoconf 2.71,
  with options \\"\$ac_cs_config\\"

@@ -21143,6 +21513,7 @@ do
    "libsubid/Makefile") CONFIG_FILES="$CONFIG_FILES libsubid/Makefile" ;;
    "libsubid/subid.h") CONFIG_FILES="$CONFIG_FILES libsubid/subid.h" ;;
    "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;;
+    "contrib/Makefile") CONFIG_FILES="$CONFIG_FILES contrib/Makefile" ;;
    "etc/Makefile") CONFIG_FILES="$CONFIG_FILES etc/Makefile" ;;
    "etc/pam.d/Makefile") CONFIG_FILES="$CONFIG_FILES etc/pam.d/Makefile" ;;
    "etc/shadow-maint/Makefile") CONFIG_FILES="$CONFIG_FILES etc/shadow-maint/Makefile" ;;
--- a/configure.ac
+++ b/configure.ac
@@ -1,10 +1,10 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_PREREQ([2.69])
-m4_define([libsubid_abi_major], 5)
+m4_define([libsubid_abi_major], 4)
 m4_define([libsubid_abi_minor], 0)
 m4_define([libsubid_abi_micro], 0)
 m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
-AC_INIT([shadow], [4.18.0], [pkg-shadow-devel@lists.alioth.debian.org], [],
+AC_INIT([shadow], [4.15.3], [pkg-shadow-devel@lists.alioth.debian.org], [],
 	[https://github.com/shadow-maint/shadow])
 AM_INIT_AUTOMAKE([1.11 foreign dist-xz subdir-objects tar-pax])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -30,18 +30,26 @@ AM_MAINTAINER_MODE
 dnl Checks for programs.
 AC_PROG_CC
 AC_PROG_LN_S
+AC_PROG_YACC
 LT_INIT
 LT_LIB_DLLOAD

 dnl Checks for libraries.

+dnl Checks for header files.
+AC_CHECK_HEADERS(crypt.h utmp.h \
+	termio.h sgtty.h sys/ioctl.h paths.h \
+	sys/capability.h sys/random.h \
+	gshadow.h lastlog.h rpc/key_prot.h acl/libacl.h \
+	attr/libattr.h attr/error_context.h)
+
 dnl shadow now uses the libc's shadow implementation
 AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])])

-AC_CHECK_FUNCS(arc4random_buf \
-	getentropy getrandom \
-	lckpwdf lutimes \
-	updwtmpx innetgr \
+AC_CHECK_FUNCS(arc4random_buf futimes \
+	getentropy getrandom getspnam getusershell \
+	initgroups lckpwdf lutimes \
+	setgroups updwtmpx innetgr \
 	getspnam_r \
 	rpmatch \
 	memset_explicit explicit_bzero stpecpy stpeprintf)
@@ -58,6 +66,7 @@ AC_CHECK_MEMBERS([struct utmpx.ut_name,
                  struct utmpx.ut_xtime],,,[[#include <utmpx.h>]])

 dnl Checks for library functions.
+AC_TYPE_GETGROUPS
 AC_FUNC_UTIME_NULL
 AC_REPLACE_FUNCS(putgrent putpwent putspent)
 AC_REPLACE_FUNCS(sgetgrent sgetpwent sgetspent)
@@ -67,6 +76,33 @@ AC_CHECK_FUNC(secure_getenv, [AC_DEFINE(HAS_SECURE_GETENV,
                                        1,
                                        [Defined to 1 if you have the declaration of 'secure_getenv'])])

+if test "$ac_cv_header_shadow_h" = "yes"; then
+	AC_CACHE_CHECK(for working shadow group support,
+		ac_cv_libc_shadowgrp,
+		AC_RUN_IFELSE([AC_LANG_SOURCE([
+				#include <shadow.h>
+				#ifdef HAVE_GSHADOW_H
+				#include <gshadow.h>
+				#endif
+				int
+				main()
+				{
+					struct sgrp *sg = sgetsgent("test:x::");
+					/* NYS libc on Red Hat 3.0.3 has broken shadow group support */
+					return !sg || !sg->sg_adm || !sg->sg_mem;
+				}]
+			)],
+			[ac_cv_libc_shadowgrp=yes],
+			[ac_cv_libc_shadowgrp=no],
+			[ac_cv_libc_shadowgrp=no]
+		)
+	)
+
+	if test "$ac_cv_libc_shadowgrp" = "yes"; then
+		AC_DEFINE(HAVE_SHADOWGRP, 1, [Have working shadow group support in libc])
+	fi
+fi
+
 AC_CACHE_CHECK([location of shared mail directory], shadow_cv_maildir,
 [for shadow_cv_maildir in /var/mail /var/spool/mail /usr/spool/mail /usr/mail none; do
 	if test -d $shadow_cv_maildir; then
@@ -89,6 +125,18 @@ if test $shadow_cv_mailfile != none; then
 		[Name of user's mail spool file if stored in user's home directory.])
 fi

+AC_CACHE_CHECK([location of utmp], shadow_cv_utmpdir,
+[for shadow_cv_utmpdir in /var/run /var/adm /usr/adm /etc none; do
+	if test -f $shadow_cv_utmpdir/utmp; then
+		break
+	fi
+done])
+if test "$shadow_cv_utmpdir" = "none"; then
+	AC_MSG_WARN(utmp file not found)
+fi
+AC_DEFINE_UNQUOTED(_UTMP_FILE, "$shadow_cv_utmpdir/utmp",
+	[Path for utmp file.])
+
 AC_CACHE_CHECK([location of faillog/lastlog/wtmp], shadow_cv_logdir,
 [for shadow_cv_logdir in /var/log /var/adm /usr/adm /etc; do
 	if test -d $shadow_cv_logdir; then
@@ -102,9 +150,22 @@ AC_DEFINE_UNQUOTED(LASTLOG_FILE, "$shadow_cv_logdir/lastlog",
 AC_DEFINE_UNQUOTED(FAILLOG_FILE, "$shadow_cv_logdir/faillog",
 	[Path for faillog file.])

-AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, "$exec_prefix/bin/passwd",
+AC_CACHE_CHECK([location of the passwd program], shadow_cv_passwd_dir,
+[if test -f /usr/bin/passwd; then
+	shadow_cv_passwd_dir=/usr/bin
+else
+	shadow_cv_passwd_dir=/bin
+fi])
+AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, "$shadow_cv_passwd_dir/passwd",
 	[Path to passwd program.])

+dnl XXX - quick hack, should disappear before anyone notices :).
+dnl XXX - I just read the above message :).
+if test "$ac_cv_func_ruserok" = "yes"; then
+	AC_DEFINE(RLOGIN, 1, [Define if login should support the -r flag for rlogind.])
+	AC_DEFINE(RUSEROK, 0, [Define to the ruserok() "success" return value (0 or 1).])
+fi
+
 AC_ARG_ENABLE(shadowgrp,
 	[AS_HELP_STRING([--enable-shadowgrp], [enable shadow group support @<:@default=yes@:>@])],
 	[case "${enableval}" in
@@ -330,7 +391,7 @@ if test "$enable_lastlog" = "yes" && test "$ac_cv_header_lastlog_h" = "yes"; the
 		enable_lastlog="yes"
 	else
 		AC_MSG_ERROR([Cannot enable support for lastlog on systems where the data structures aren't available])
-		enable_lastlog="no"
+		enable_subids="no"
 	fi
 fi
 AM_CONDITIONAL(ENABLE_LASTLOG, test "x$enable_lastlog" != "xno")
@@ -635,7 +696,7 @@ AC_SUBST(LIBMD)
 if test "$with_skey" = "yes"; then
 	AC_CHECK_LIB(md, MD5Init, [LIBMD=-lmd])
 	AC_CHECK_LIB(skey, skeychallenge, [LIBSKEY=-lskey],
-		[AC_MSG_ERROR([libskey missing. You can download S/Key source code from http://rsync1.it.gentoo.org/gentoo/distfiles/skey-1.1.5.tar.bz2])])
+		[AC_MSG_ERROR([liskey missing. You can download S/Key source code from http://rsync1.it.gentoo.org/gentoo/distfiles/skey-1.1.5.tar.bz2])])
 	AC_DEFINE(SKEY, 1, [Define to support S/Key logins.])
 	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 		#include <stdio.h>
@@ -683,6 +744,7 @@ AC_CONFIG_FILES([
 	libsubid/Makefile
 	libsubid/subid.h
 	src/Makefile
+	contrib/Makefile
 	etc/Makefile
 	etc/pam.d/Makefile
 	etc/shadow-maint/Makefile
--- a/contrib/Makefile.am
+++ b/contrib/Makefile.am
@@ -0,0 +1,4 @@
+# This is a dummy Makefile.am to get automake work flawlessly,
+# and also cooperate to make a distribution for `make dist'
+
+EXTRA_DIST = README adduser.c adduser.sh adduser2.sh
--- a/contrib/Makefile.in
+++ b/contrib/Makefile.in
@@ -0,0 +1,508 @@
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# This is a dummy Makefile.am to get automake work flawlessly,
+# and also cooperate to make a distribution for `make dist'
+VPATH = @srcdir@
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = contrib
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
+	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+am__DIST_COMMON = $(srcdir)/Makefile.in README
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
+CMOCKA_LIBS = @CMOCKA_LIBS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+ECONF_CPPFLAGS = @ECONF_CPPFLAGS@
+EGREP = @EGREP@
+ETAGS = @ETAGS@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+FILECMD = @FILECMD@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GREP = @GREP@
+GROUP_NAME_MAX_LENGTH = @GROUP_NAME_MAX_LENGTH@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LIBACL = @LIBACL@
+LIBADD_DL = @LIBADD_DL@
+LIBADD_DLD_LINK = @LIBADD_DLD_LINK@
+LIBADD_DLOPEN = @LIBADD_DLOPEN@
+LIBADD_SHL_LOAD = @LIBADD_SHL_LOAD@
+LIBATTR = @LIBATTR@
+LIBAUDIT = @LIBAUDIT@
+LIBBSD = @LIBBSD@
+LIBBSD_CFLAGS = @LIBBSD_CFLAGS@
+LIBBSD_LIBS = @LIBBSD_LIBS@
+LIBCRYPT = @LIBCRYPT@
+LIBECONF = @LIBECONF@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBMD = @LIBMD@
+LIBOBJS = @LIBOBJS@
+LIBPAM = @LIBPAM@
+LIBS = @LIBS@
+LIBSELINUX = @LIBSELINUX@
+LIBSEMANAGE = @LIBSEMANAGE@
+LIBSKEY = @LIBSKEY@
+LIBSUBID_ABI = @LIBSUBID_ABI@
+LIBSUBID_ABI_MAJOR = @LIBSUBID_ABI_MAJOR@
+LIBSUBID_ABI_MICRO = @LIBSUBID_ABI_MICRO@
+LIBSUBID_ABI_MINOR = @LIBSUBID_ABI_MINOR@
+LIBSYSTEMD = @LIBSYSTEMD@
+LIBTCB = @LIBTCB@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LIYESCRYPT = @LIYESCRYPT@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+LT_DLLOADERS = @LT_DLLOADERS@
+LT_DLPREOPEN = @LT_DLPREOPEN@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+POSUB = @POSUB@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VENDORDIR = @VENDORDIR@
+VERSION = @VERSION@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
+XMLCATALOG = @XMLCATALOG@
+XML_CATALOG_FILE = @XML_CATALOG_FILE@
+XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+capcmd = @capcmd@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+runstatedir = @runstatedir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+EXTRA_DIST = README adduser.c adduser.sh adduser2.sh
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign contrib/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign contrib/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	cscopelist-am ctags-am distclean distclean-generic \
+	distclean-libtool distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags-am uninstall uninstall-am
+
+.PRECIOUS: Makefile
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
--- a/contrib/README
+++ b/contrib/README
@@ -0,0 +1,7 @@
+People keep sending various adduser programs and scripts...  They are
+all in this directory.  I haven't tested them, use at your own risk.
+Anyway, the best one I've seen so far is adduser-3.x from Debian.
+
+udbachk.tgz is a passwd/group/shadow file integrity checker.
+
+--marekm
--- a/contrib/adduser.c
+++ b/contrib/adduser.c
@@ -0,0 +1,502 @@
+/****
+** 04/21/96
+** hacked even more, replaced gets() with something slightly harder to buffer
+** overflow. Added support for setting a default quota on new account, with
+** edquota -p. Other cleanups for security, I let some users run adduser suid
+** root to add new accounts. (overflow checks, clobber environment, valid 
+** shell checks, restrictions on gid + home dir settings).
+
+** Added max. username length. Used syslog() a bit for important events. 
+** Support to immediately expire account with passwd -e.
+
+** Called it version 2.0! Because I felt like it!
+
+** -- Chris, chris@ferret.lmh.ox.ac.uk
+
+** 03/17/96
+** hacked a bit more, removed unused code, cleaned up for gcc -Wall.
+** --marekm
+**
+** 02/26/96
+** modified to call shadow utils (useradd,chage,passwd) on shadowed 
+** systems - Cristian Gafton, gafton@sorosis.ro
+**
+** 6/27/95
+** shadow-adduser 1.4:
+**
+** now it copies the /etc/skel dir into the person's dir, 
+** makes the mail folders, changed some defaults and made a 'make 
+** install' just for the hell of it.
+**
+** Greg Gallagher
+** CIN.Net
+**
+** 1/28/95
+** shadow-adduser 1.3:
+** 
+** Basically a bug-fix on my additions in 1.2.  Thanks to Terry Stewart 
+** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
+** It was such a stupid bug that I would have never seen it myself.
+**
+**                                Brandon
+*****
+** 01/27/95
+** 
+** shadow-adduser 1.2:
+** I took the C source from adduser-shadow (credits are below) and made
+** it a little more worthwhile.  Many small changes... Here's
+** the ones I can remember:
+** 
+** Removed support for non-shadowed systems (if you don't have shadow,
+**     use the original adduser, don't get this shadow version!)
+** Added support for the correct /etc/shadow fields (Min days before
+**     password change, max days before password change, Warning days,
+**     and how many days from expiry date does the account go invalid)
+**     The previous version just left all of those fields blank.
+**     There is still one field left (expiry date for the account, period)
+**     which I have left blank because I do not use it and didn't want to
+**     spend any more time on this.  I'm sure someone will put it in and
+**     tack another plethora of credits on here. :)
+** Added in the password date field, which should always reflect the last
+**     date the password was changed, for expiry purposes.  "passwd" always
+**     updates this field, so the adduser program should set it up right
+**     initially (or a user could keep their initial password forever ;)
+**     The number is in days since Jan 1st, 1970.
+**
+**                       Have fun with it, and someone please make
+**                       a real version(this is still just a hack)
+**                       for us all to use (and Email it to me???)
+**
+**                               Brandon
+**                                  photon@usis.com
+**
+***** 
+** adduser 1.0: add a new user account (For systems not using shadow)
+** With a nice little interface and a will to do all the work for you.
+**
+** Craig Hagan
+** hagan@opine.cs.umass.edu
+**
+** Modified to really work, look clean, and find unused uid by Chris Cappuccio
+** chris@slinky.cs.umass.edu
+**
+*****
+**
+** 01/19/95
+**
+** FURTHER modifications to enable shadow passwd support (kludged, but
+** no more so than the original)  by Dan Crowson - dcrowson@mo.net
+**
+** Search on DAN for all changes...
+**
+*****
+**
+** cc -O -o adduser adduser.c
+** Use gcc if you have it... (political reasons beyond my control) (chris)
+**
+** I've gotten this program to work with success under Linux (without
+** shadow) and SunOS 4.1.3. I would assume it should work pretty well
+** on any system that uses no shadow. (chris)
+**
+** If you have no crypt() then try
+** cc -DNO_CRYPT -O -o adduser adduser.c xfdes.c
+** I'm not sure how login operates with no crypt()... I guess
+** the same way we're doing it here.
+*/
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <pwd.h>
+#include <grp.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <sys/types.h>
+#include <sys/timeb.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+#include <syslog.h>
+
+#define IMMEDIATE_CHANGE	/* Expire newly created password, must be changed
+				 * immediately upon next login */
+#define HAVE_QUOTAS		/* Obvious */
+#define EXPIRE_VALS_SET		/* If defined, 'normal' users can't change 
+				 * password expiry values (if running suid root) */
+
+#define HAVE_GETUSERSHELL	/* FIXME: Isn't this defined in config.h too? */
+#define LOGGING			/* If we want to log various things to syslog */
+#define MAX_USRNAME  8		/* Longer usernames seem to work on my system....
+				 * But they're probably a poor idea */
+
+
+#define DEFAULT_SHELL	"/bin/bash"	/* because BASH is your friend */
+#define DEFAULT_HOME	"/home"
+#define USERADD_PATH	"/usr/sbin/useradd"
+#define CHAGE_PATH	"/usr/bin/chage"
+#define PASSWD_PATH	"/usr/bin/passwd"
+#define EDQUOTA_PATH	"/usr/sbin/edquota"
+#define QUOTA_DEFAULT	"defuser"
+#define DEFAULT_GROUP	100
+
+#define DEFAULT_MIN_PASS 0
+#define DEFAULT_MAX_PASS 100
+#define DEFAULT_WARN_PASS 14
+#define DEFAULT_USER_DIE 366
+
+void safeget (char *, int);
+
+void 
+main (void)
+{
+  char foo[32];
+  char usrname[32], person[32], dir[32], shell[32];
+  unsigned int group, min_pass, max_pass, warn_pass, user_die;
+  /* the group and uid of the new user */
+  int bad = 0, done = 0, correct = 0, olduid;
+  char cmd[255];
+  struct group *grp;
+
+  /* flags, in order:
+   * bad to see if the username is in /etc/passwd, or if strange stuff has
+   * been typed if the user might be put in group 0
+   * done allows the program to exit when a user has been added
+   * correct loops until a username is found that isn't in /etc/passwd
+   */
+
+  /* The real program starts HERE! */
+
+  if (geteuid () != 0)
+    {
+      printf ("It seems you don't have access to add a new user.  Try\n");
+      printf ("logging in as root or su root to gain superuser access.\n");
+      exit (1);
+    }
+
+  /* Sanity checks
+   */
+
+#ifdef LOGGING
+  openlog ("adduser", LOG_PID | LOG_CONS | LOG_NOWAIT, LOG_AUTH);
+  syslog (LOG_INFO, "invoked by user %s\n", getpwuid (getuid ())->pw_name);
+#endif
+
+  if (!(grp = getgrgid (DEFAULT_GROUP)))
+    {
+      printf ("Error: the default group %d does not exist on this system!\n",
+	      DEFAULT_GROUP);
+      printf ("adduser must be recompiled.\n");
+#ifdef LOGGING
+      syslog (LOG_ERR, "warning: failed. no such default group\n");
+      closelog ();
+#endif
+      exit (1);
+    };
+
+  while (!correct)
+    {				/* loop until a "good" usrname is chosen */
+      while (!done)
+	{
+	  printf ("\nLogin to add (^C to quit): ");
+	  fflush (stdout);
+
+	  safeget (usrname, sizeof (usrname));
+
+	  if (!strlen (usrname))
+	    {
+	      printf ("Empty input.\n");
+	      done = 0;
+	      continue;
+	    };
+
+	  /* what I saw here before made me think maybe I was running DOS */
+	  /* might this be a solution? (chris) */
+	  if (strlen (usrname) > MAX_USRNAME)
+	    {
+	      printf ("That name is longer than the maximum of %d characters. Choose another.\n", MAX_USRNAME);
+	      done = 0;
+	    }
+	  else if (getpwnam (usrname) != NULL)
+	    {
+	      printf ("That name is in use, choose another.\n");
+	      done = 0;
+	    }
+	  else if (strchr (usrname, ' ') != NULL)
+	    {
+	      printf ("No spaces in username!!\n");
+	      done = 0;
+	    }
+	  else
+	    done = 1;
+	};			/* done, we have a valid new user name */
+
+      /* all set, get the rest of the stuff */
+      printf ("\nEditing information for new user [%s]\n", usrname);
+
+      printf ("\nFull Name [%s]: ", usrname);
+      fflush (stdout);
+      safeget (person, sizeof (person));
+      if (!strlen (person))
+	{
+	  bzero (person, sizeof (person));
+	  strcpy (person, usrname);
+	};
+
+      if (getuid () == 0)
+	{
+	  do
+	    {
+	      bad = 0;
+	      printf ("GID [%d]: ", DEFAULT_GROUP);
+	      fflush (stdout);
+	      safeget (foo, sizeof (foo));
+	      if (!strlen (foo))
+		group = DEFAULT_GROUP;
+	      else if (isdigit (*foo))
+		{
+		  group = atoi (foo);
+		  if (!(grp = getgrgid (group)))
+		    {
+		      printf ("unknown gid %s\n", foo);
+		      group = DEFAULT_GROUP;
+		      bad = 1;
+		    };
+		}
+	      else if ((grp = getgrnam (foo)))
+		group = grp->gr_gid;
+	      else
+		{
+		  printf ("unknown group %s\n", foo);
+		  group = DEFAULT_GROUP;
+		  bad = 1;
+		}
+	      if (group == 0)
+		{		/* You're not allowed to make root group users! */
+		  printf ("Creation of root group users not allowed (must be done by hand)\n");
+		  group = DEFAULT_GROUP;
+		  bad = 1;
+		};
+	    }
+	  while (bad);
+	}
+      else
+	{
+	  printf ("Group will be default of: %d\n", DEFAULT_GROUP);
+	  group = DEFAULT_GROUP;
+	}
+
+      if (getuid () == 0)
+	{
+	  printf ("\nIf home dir ends with a / then '%s' will be appended to it\n", usrname);
+	  printf ("Home Directory [%s/%s]: ", DEFAULT_HOME, usrname);
+	  fflush (stdout);
+	  safeget (dir, sizeof (dir));
+	  if (!strlen (dir))
+	    {			/* hit return */
+	      sprintf (dir, "%s/%s", DEFAULT_HOME, usrname);
+	    }
+	  else if (dir[strlen (dir) - 1] == '/')
+	    sprintf (dir+strlen(dir), "%s", usrname);
+	}
+      else
+	{
+	  printf ("\nHome directory will be %s/%s\n", DEFAULT_HOME, usrname);
+	  sprintf (dir, "%s/%s", DEFAULT_HOME, usrname);
+	}
+
+      printf ("\nShell [%s]: ", DEFAULT_SHELL);
+      fflush (stdout);
+      safeget (shell, sizeof (shell));
+      if (!strlen (shell))
+	sprintf (shell, "%s", DEFAULT_SHELL);
+      else
+	{
+	  char *sh;
+	  int ok = 0;
+#ifdef HAVE_GETUSERSHELL
+	  setusershell ();
+	  while ((sh = getusershell ()) != NULL)
+	    if (!strcmp (shell, sh))
+	      ok = 1;
+	  endusershell ();
+#endif
+	  if (!ok)
+	    {
+	      if (getuid () == 0)
+		printf ("Warning: root allowed non standard shell\n");
+	      else
+		{
+		  printf ("Shell NOT in /etc/shells, DEFAULT used\n");
+		  sprintf (shell, "%s", DEFAULT_SHELL);
+		}
+	    }
+	}
+
+#ifdef EXPIRE_VALS_SET
+      if (getuid () == 0)
+	{
+#endif
+	  printf ("\nMin. Password Change Days [%d]: ", DEFAULT_MIN_PASS);
+	  fflush (stdout);
+	  safeget (foo, sizeof (foo));
+	  if (strlen (foo) > 1)
+	    min_pass = DEFAULT_MIN_PASS;
+	  else
+	    min_pass = atoi (foo);
+
+	  printf ("Max. Password Change Days [%d]: ", DEFAULT_MAX_PASS);
+	  fflush (stdout);
+	  safeget (foo, sizeof (foo));
+	  if (strlen (foo) > 1)
+	    max_pass = atoi (foo);
+	  else
+	    max_pass = DEFAULT_MAX_PASS;
+
+	  printf ("Password Warning Days [%d]: ", DEFAULT_WARN_PASS);
+	  fflush (stdout);
+	  safeget (foo, sizeof (foo));
+	  warn_pass = atoi (foo);
+	  if (warn_pass == 0)
+
+	    warn_pass = DEFAULT_WARN_PASS;
+
+	  printf ("Days after Password Expiry for Account Locking [%d]: ", DEFAULT_USER_DIE);
+	  fflush (stdout);
+	  safeget (foo, sizeof (foo));
+	  user_die = atoi (foo);
+	  if (user_die == 0)
+	    user_die = DEFAULT_USER_DIE;
+
+#ifdef EXPIRE_VALS_SET
+	}
+      else
+	{
+	  printf ("\nSorry, account expiry values are set.\n");
+	  user_die = DEFAULT_USER_DIE;
+	  warn_pass = DEFAULT_WARN_PASS;
+	  max_pass = DEFAULT_MAX_PASS;
+	  min_pass = DEFAULT_MIN_PASS;
+	}
+#endif
+
+      printf ("\nInformation for new user [%s] [%s]:\n", usrname, person);
+      printf ("Home directory: [%s] Shell: [%s]\n", dir, shell);
+      printf ("GID: [%d]\n", group);
+      printf ("MinPass: [%d] MaxPass: [%d] WarnPass: [%d] UserExpire: [%d]\n",
+	      min_pass, max_pass, warn_pass, user_die);
+      printf ("\nIs this correct? [y/N]: ");
+      fflush (stdout);
+      safeget (foo, sizeof (foo));
+
+      done = bad = correct = (foo[0] == 'y' || foo[0] == 'Y');
+
+      if (bad != 1)
+	printf ("\nUser [%s] not added\n", usrname);
+    }
+
+  /* Clobber the environment, I run this suid root sometimes to let 
+   * non root privileged accounts add users --chris */
+
+  *environ = NULL;
+
+  bzero (cmd, sizeof (cmd));
+  sprintf (cmd, "%s -g %d -d %s -s %s -c \"%s\" -m -k /etc/skel %s",
+	   USERADD_PATH, group, dir, shell, person, usrname);
+  printf ("Calling useradd to add new user:\n%s\n", cmd);
+  if (system (cmd))
+    {
+      printf ("User add failed!\n");
+#ifdef LOGGING
+      syslog (LOG_ERR, "could not add new user\n");
+      closelog ();
+#endif
+      exit (errno);
+    };
+
+  olduid = getuid ();	/* chage, passwd, edquota etc. require ruid = root
+			 */
+  setuid (0);
+
+  bzero (cmd, sizeof (cmd));
+
+  /* Chage runs suid root. => we need ruid root to run it with
+   * anything other than chage -l
+   */
+
+  sprintf (cmd, "%s -m %d -M %d -W %d -I %d %s", CHAGE_PATH,
+	   min_pass, max_pass, warn_pass, user_die, usrname);
+  printf ("%s\n", cmd);
+  if (system (cmd))
+    {
+      printf ("There was an error setting password expire values\n");
+#ifdef LOGGING
+      syslog (LOG_ERR, "password expire values could not be set\n");
+#endif
+    };
+
+  /* I want to add a user completely with one easy command --chris */
+
+#ifdef HAVE_QUOTAS
+  bzero (cmd, sizeof (cmd));
+  sprintf (cmd, "%s -p %s -u %s", EDQUOTA_PATH, QUOTA_DEFAULT, usrname);
+  printf ("%s\n", cmd);
+  if (system (cmd))
+    {
+      printf ("\nWarning: error setting quota\n");
+#ifdef LOGGING
+      syslog (LOG_ERR, "warning: account created but NO quotas set!\n");
+#endif /* LOGGING */
+    }
+  else
+    printf ("\nDefault quota set.\n");
+#endif /* HAVE_QUOTAS */
+
+  bzero (cmd, sizeof (cmd));
+  sprintf (cmd, "%s %s", PASSWD_PATH, usrname);
+  if (system (cmd))
+    {
+      printf ("\nWarning: error setting password\n");
+#ifdef LOGGING
+      syslog (LOG_ERR, "warning: password set failed!\n");
+#endif
+    }
+#ifdef IMMEDIATE_CHANGE
+  bzero (cmd, sizeof (cmd));
+  sprintf (cmd, "%s -e %s", PASSWD_PATH, usrname);
+  if (system (cmd))
+    {
+      printf ("\nWarning: error expiring password\n");
+#ifdef LOGGING
+      syslog (LOG_ERR, "warning: password expire failed!\n");
+#endif /* LOGGING */
+    }
+#endif /* IMMEDIATE_CHANGE */
+
+  setuid (olduid);
+
+#ifdef LOGGING
+  closelog ();
+#endif
+
+  printf ("\nDone.\n");
+}
+
+void 
+safeget (char *buf, int maxlen)
+{
+  int c, i = 0, bad = 0;
+  char *bstart = buf;
+  while ((c = getc (stdin)) != EOF && (c != '\n') && (++i < maxlen))
+    {
+      bad = (!isalnum (c) && (c != '_') && (c != ' '));
+      *(buf++) = c;
+    }
+  *buf = '\0';
+
+  if (bad)
+    {
+      printf ("\nString contained banned character. Please stick to alphanumerics.\n");
+      *bstart = '\0';
+    }
+}
+
--- a/contrib/adduser.sh
+++ b/contrib/adduser.sh
@@ -0,0 +1,90 @@
+#!/bin/sh
+# adduser script for use with shadow passwords and useradd command.
+# by Hrvoje Dogan <hdogan@student.math.hr>, Dec 1995.
+
+echo -n "Login name for new user []:"
+read LOGIN
+if [ -z $LOGIN ]
+then echo "Come on, man, you can't leave the login field empty...";exit
+fi
+echo
+echo -n "User id for $LOGIN [ defaults to next available]:"
+read ID
+GUID="-u $ID"
+if [ -z $ID ] 
+then GUID=""
+fi
+
+echo
+echo -n "Initial group for $LOGIN [users]:"
+read GID
+GGID="-g $GID"
+if [ -z $GID ]
+then GGID=""
+fi
+
+echo
+echo -n "Additional groups for $LOGIN []:"
+read AGID
+GAGID="-G $AGID"
+if [ -z $AGID ]
+then GAGID=""
+fi
+
+echo
+echo -n "$LOGIN's home directory [/home/$LOGIN]:"
+read HME
+GHME="-d $HME"
+if [ -z $HME ]
+then GHME=""
+fi
+
+echo
+echo -n "$LOGIN's shell [/bin/bash]:"
+read SHL
+GSHL="-s $SHL"
+if [ -z $SHL ]
+then GSHL=""
+fi
+
+echo
+echo -n "$LOGIN's account expiry date (MM/DD/YY) []:"
+read EXP
+GEXP="-e $EXP"
+if [ -z $EXP ]
+then GEXP=""
+fi
+echo
+echo OK, I'm about to make a new account. Here's what you entered so far:
+echo New login name: $LOGIN
+if [ -z $GUID ] 
+then echo New UID: [Next available]
+else echo New UID: $UID
+fi
+if [ -z $GGID ]
+then echo Initial group: users
+else echo Initial group: $GID
+fi
+if [ -z $GAGID ]
+then echo Additional groups: [none]
+else echo Additional groups: $AGID
+fi
+if [ -z $GHME ]
+then echo Home directory: /home/$LOGIN
+else echo Home directory: $HME
+fi
+if [ -z $GSHL ]
+then echo Shell: /bin/bash
+else echo Shell: $SHL
+fi
+if [ -z $GEXP ]
+then echo Expiry date: [no expiration]
+else echo Expiry date: $EXP
+fi
+echo "This is it... if you want to bail out, you'd better do it now."
+read FOO
+echo Making new account...
+/usr/sbin/useradd $GHME -m $GEXP $GGID $GAGID $GSHL $GUID $LOGIN
+/usr/bin/chfn $LOGIN
+/usr/bin/passwd $LOGIN
+echo "Done..."
--- a/contrib/adduser2.sh
+++ b/contrib/adduser2.sh
@@ -0,0 +1,743 @@
+#!/bin/bash
+#
+#  adduser			Interactive user adding program.
+#
+#  Copyright (C) 1996		Petri Mattila, Prihateam Networks
+#				petri@prihateam.fi
+#	
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2, or (at your option)
+#  any later version.
+#
+# Changes:
+#	220496	v0.01	Initial version
+#	230496	v0.02	More checks, embolden summary
+#	240496		Even more checks
+#	250496 		Help with ?
+#	040596	v0.03	Cleanups
+#	050596	v0.04	Bug fixes, expire date checks
+#	070596	v0.05	Iso-latin-1 names
+#
+
+## Defaults
+
+# default groups
+def_group="users"
+def_other_groups=""
+
+# default home directory
+def_home_dir=/home/users
+
+# default shell
+def_shell=/bin/tcsh
+
+# Default expiration date (mm/dd/yy)
+def_expire=""
+
+# default dates
+def_pwd_min=0
+def_pwd_max=90
+def_pwd_warn=14
+def_pwd_iact=14
+
+
+# possible UIDs
+uid_low=1000
+uid_high=64000
+
+# skel directory
+skel=/etc/skel
+
+# default mode for home directory
+def_mode=711
+
+# Regex, that the login name must meet, only ANSI characters
+login_regex='^[0-9a-zA-Z_-]*$'
+
+# Regex, that the user name must meet
+# ANSI version
+##name_regex='^[0-9a-zA-Z_-\ ]*$'
+# ISO-LATIN-1 version
+name_regex='^[0-9a-zA-ZÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõöùúûüýþÿ_-\ ]*$'
+
+# set PATH
+export PATH="/bin:/sbin:/usr/bin:/usr/sbin"
+
+# Some special characters
+case "$TERM" in
+   vt*|ansi*|con*|xterm*|linux*)
+	S='[1m'	# start embolden
+	E='[m'	# end embolden
+	;;
+   *)	
+	S=''
+	E=''
+	;;
+esac
+
+
+## Functions
+
+check_root() {
+	if test "$EUID" -ne 0
+	then
+		echo "You must be root to run this program."
+		exit 1
+	fi
+}
+
+check_user() {
+	local usr pwd uid gid name home sh
+
+	cat /etc/passwd | (
+		while IFS=":" read usr pwd uid gid name home sh
+		do
+			if test "$1" = "${usr}"
+			then
+				return 1
+			fi
+		done
+		return 0
+	)
+}
+
+check_group() {
+	local read grp pwd gid members
+
+	cat /etc/group | (
+		while IFS=":" read grp pwd gid members
+		do
+			if test "$1" = "${grp}"
+			then
+				return 1
+			fi
+		done
+		return 0
+	)
+}
+
+check_other_groups() {
+	local grp check IFS
+
+	check="$1"
+	IFS=","
+
+	set ${check}
+	for grp
+	do
+		if check_group "${grp}"
+		then
+			echo "Group ${grp} does not exist."
+			return 1
+		fi
+	done
+	return 0
+}		
+
+check_uid() {
+	local usr pwd uid gid name home sh
+	
+	cat /etc/passwd | (
+		while IFS=":" read usr pwd uid gid name home sh
+		do
+			if test "$1" = "${uid}"
+			then
+				return 1
+			fi
+		done
+		return 0
+	)
+}
+
+read_yn() {
+	local ans ynd
+	
+	ynd="$1"
+	
+	while :
+	do
+		read ans	
+		case "${ans}" in
+		      "") return ${ynd} ;;
+		    [nN]) return 1 ;;
+		    [yY]) return 0 ;;
+		       *) echo -n "Y or N, please ? " ;;
+		esac
+	done
+}
+
+read_login() {
+	echo
+	while :
+	do
+		echo -n "Login: ${def_login:+[${def_login}] }"
+		read login
+		
+		if test "${login}" = '?'
+		then
+			less /etc/passwd
+			echo
+			continue
+		fi
+
+		if test -z "${login}" -a -n "${def_login}"
+		then
+			login="${def_login}"
+			echo "Using ${login}"
+			return
+		fi
+		
+		if test "${#login}" -gt 8
+		then
+			echo "Login must be at most 8 characters long"
+			continue
+		fi
+		
+		if test "${#login}" -lt 2
+		then
+			echo "Login must be at least 2 characters long"
+			continue
+		fi
+		
+		if ! expr "${login}" : "${login_regex}" &> /dev/null
+		then
+			echo "Please use letters, numbers and special characters _-,."
+			continue
+		fi
+		
+		if ! check_user "${login}"
+		then
+			echo "Username ${login} is already in use"
+			continue
+		fi
+		
+		def_login="${login}"
+		return
+	done
+}
+
+read_name () {
+	echo
+	while :
+	do
+		echo -n "Real name: ${def_name:+[${def_name}] }"
+		read name
+		
+		if test "${name}" = '?'
+		then
+			less /etc/passwd
+			echo
+			continue
+		fi
+
+		if test -z "${name}" -a -n "${def_name}"
+		then
+			name="${def_name}"
+			echo "Using ${name}"
+		fi
+
+		if test "${#name}" -gt 32
+		then
+			echo "Name should be at most 32 characters long"
+			continue
+		fi
+
+		if ! expr "${name}" : "${name_regex}" &> /dev/null
+		then
+			echo "Please use letters, numbers, spaces and special characters ,._-"
+			continue
+		fi
+		
+		def_name="${name}"
+		return
+	done
+}
+
+read_home() {
+	local x
+	
+	echo
+	while :
+	do
+		echo -n "Home Directory: [${def_home_dir}/${login}] "
+		read home
+		
+		if test -z "${home}"
+		then
+			home="${def_home_dir}/${login}"
+			echo "Using ${home}"
+		fi
+		
+		if ! expr "${home}" : '^[0-9a-zA-Z,._-\/]*$' &> /dev/null
+		then
+			echo "Please use letters, numbers, spaces and special characters ,._-/"
+			continue
+		fi
+		
+		x="$(basename ${home})"
+		if test "${x}" != "${login}"
+		then
+			echo "Warning: you are about to use different login name and home directory."
+		fi
+		
+		x="$(dirname ${home})"
+		if ! test -d "${x}"
+		then
+			echo "Directory ${x} does not exist."
+			echo "If you still want to use it, please make it manually."
+			continue
+		fi
+		
+		def_home_dir="${x}"
+		return
+	done
+}
+
+read_shell () {
+	local x
+
+	echo
+	while :
+	do
+		echo -n "Shell: [${def_shell}] "
+		read shell
+		
+		if test -z "${shell}"
+		then
+			shell="${def_shell}"
+			echo "Using ${shell}"
+		fi
+		
+		for x in $(cat /etc/shells)
+		do
+			if test "${x}" = "${shell}"
+			then
+				def_shell="${shell}"
+				return
+			fi
+		done
+
+		echo "Possible shells are:"
+		cat /etc/shells
+	done
+}
+
+read_group () {
+	echo
+	while :
+	do
+		echo -n "Group: [${def_group}] "
+		read group
+		
+		if test -z "${group}"
+		then
+			group="${def_group}"
+			echo "Using ${group}"
+		fi
+		
+		if test "${group}" = '?'
+		then
+			less /etc/group
+			echo
+			continue
+		fi
+
+		if check_group "${group}"
+		then
+			echo "Group ${group} does not exist."
+			continue
+		fi
+		
+		def_group="${group}"
+		return
+	done
+}
+
+read_other_groups () {
+	echo
+	while :
+	do
+		echo -n "Other groups: [${def_og:-none}] "
+		read other_groups
+		
+		if test "${other_groups}" = '?'
+		then
+			less /etc/group
+			echo
+			continue
+		fi
+
+		if test -z "${other_groups}"
+		then
+			if test -n "${def_og}"
+			then
+				other_groups="${def_og}"
+				echo "Using ${other_groups}"
+			else	
+				echo "No other groups"
+				return
+			fi
+		fi
+		
+		
+		if ! check_other_groups "${other_groups}"
+		then
+			continue
+		fi
+		
+		def_og="${other_groups}"
+		return
+	done
+}
+
+read_uid () {
+	echo
+	while :
+	do
+		echo -n "uid: [first free] "
+		read uid
+			
+		if test -z "${uid}"
+		then
+			echo "Using first free UID."
+			return
+		fi
+		
+		if test "${uid}" = '?'
+		then
+			less /etc/passwd
+			echo
+			continue
+		fi
+
+		if ! expr "${uid}" : '^[0-9]+$' &> /dev/null
+		then
+			echo "Please use numbers only."
+			continue
+		fi
+		if test "${uid}" -lt "${uid_low}"
+		then
+			echo "UID must be greater than ${uid_low}"
+			continue
+		fi
+		if test "${uid}" -gt "${uid_high}"
+		then
+			echo "UID must be smaller than ${uid_high}"
+			continue
+		fi
+		if ! check_uid "${uid}"
+		then
+			echo "UID ${uid} is already in use"
+			continue
+		fi
+		
+		return
+	done
+}
+
+read_max_valid_days() {
+	echo
+	while :
+	do
+		echo -en "Maximum days between password changes: [${def_pwd_max}] "
+		read max_days
+		
+		if test -z "${max_days}"
+		then
+			max_days="${def_pwd_max}"
+			echo "Using ${max_days}"
+			return
+		fi
+		
+		if ! expr "${max_days}" : '^[0-9]+$' &> /dev/null
+		then
+			echo "Please use numbers only."
+			continue
+		fi
+		if test "${max_days}" -lt 7
+		then
+			echo "Warning: you are using a value shorter than a week."
+		fi
+		
+		def_pwd_max="${max_days}"
+		return	
+	done
+}
+
+read_min_valid_days() {
+	echo
+	while :
+	do
+		echo -en "Minimum days between password changes: [${def_pwd_min}] "
+		read min_days
+		
+		if test -z "${min_days}"
+		then
+			min_days="${def_pwd_min}"
+			echo "Using ${min_days}"
+			return
+		fi
+		
+		if ! expr "${min_days}" : '^[0-9]+$' &> /dev/null
+		then
+			echo "Please use numbers only."
+			continue
+		fi
+		if test "${min_days}" -gt 7
+		then
+			echo "Warning: you are using a value longer than a week."
+		fi
+		
+		def_pwd_min="${min_days}"
+		return	
+	done
+}
+
+read_warning_days() {
+	echo
+	while :
+	do
+		echo -en "Number of warning days before password expires: [${def_pwd_warn}] "
+		read warn_days
+		
+		if test -z "${warn_days}"
+		then
+			warn_days="${def_pwd_warn}"
+			echo "Using ${warn_days}"
+		fi
+
+		if ! expr "${warn_days}" : '^[0-9]+$' &> /dev/null
+		then
+			echo "Please use numbers only."
+			continue
+		fi
+		if test "${warn_days}" -gt 14
+		then
+			echo "Warning: you are using a value longer than two week."
+		fi
+		
+		def_pwd_warn="${warn_days}"
+		return	
+	done
+}
+
+
+read_inactive_days() {
+	echo
+	while :
+	do
+		echo -en "Number of usable days after expiration: [${def_pwd_iact}] "
+		read iact_days
+		
+		if test -z "${iact_days}"
+		then
+			iact_days="${def_pwd_iact}"
+			echo "Using ${iact_days}"
+			return
+		fi
+		if ! expr "${iact_days}" : '^[0-9]+$' &> /dev/null
+		then
+			echo "Please use numbers only."
+			continue
+		fi
+		if test "${iact_days}" -gt 14
+		then
+			echo "Warning: you are using a value that is more than two weeks."
+		fi
+		
+		def_pwd_iact="${iact_days}"
+		return	
+	done
+}
+
+read_expire_date() {
+	local ans
+	
+	echo
+	while :
+	do
+		echo -en "Expire date of this account (mm/dd/yy): [${def_expire:-never}] "
+		read ans
+		
+		if test -z "${ans}"
+		then
+			if test -z "${def_expire}"
+			then
+				ans="never"
+			else
+				ans="${def_expire}"
+				echo "Using ${def_expire}"
+			fi
+		fi
+		
+		if test "${ans}" = "never"
+		then
+			echo "Account will never expire."
+			def_expire=""
+			expire=""
+			return
+		fi
+
+		if ! expr "${ans}" : '^[0-9][0-9]/[0-9][0-9]/[0-9][0-9]$' &> /dev/null
+		then
+			echo "Please use format mm/dd/yy"
+			continue
+		fi
+		
+		if ! expire_date="$(date -d ${ans} '+%A, %B %d %Y')"
+		then
+			continue
+		fi
+		
+		def_expire="${expire}"
+		return	
+	done
+}
+
+read_passwd_yn() {
+	echo -en "\nDo you want to set password [Y/n] ? "
+	if read_yn 0
+	then
+		set_pwd="YES"
+	else
+		set_pwd=""
+	fi
+}
+
+
+print_values() {
+
+clear
+cat << EOM
+
+Login:        ${S}${login}${E}
+Group:        ${S}${group}${E}
+Other groups: ${S}${other_groups:-[none]}${E}
+
+Real Name:    ${S}${name}${E}
+
+uid:          ${S}${uid:-[first free]}${E}
+home:         ${S}${home}${E}
+shell:        ${S}${shell}${E}
+
+Account expiration date:                   ${S}${expire_date:-never}${E}
+Minimum days between password changes:     ${S}${min_days}${E}
+Maximum days between password changes:     ${S}${max_days}${E}
+Number of usable days after expiration:    ${S}${iact_days}${E}
+Number of warning days before expiration:  ${S}${warn_days}${E}
+
+${S}${set_pwd:+Set password for this account.}${E}
+
+EOM
+}
+
+set_user() {
+	if ! useradd \
+		-c "${name}" \
+		-d "${home}" \
+		-g "${group}" \
+		-s "${shell}" \
+		${expire:+-e ${expire}} \
+		${uid:+-u ${uid}} \
+		${other_groups:+-G ${other_groups}} \
+		${login}
+	then
+		echo "Error ($?) in useradd...exiting..."
+		exit 1
+	fi
+}
+
+set_aging() {
+	if ! passwd \
+		-x ${max_days} \
+		-n ${min_days} \
+		-w ${warn_days} \
+		-i ${iact_days} \
+		${login}
+	then
+		echo "Error ($?) in setting password aging...exiting..." 
+		exit 1
+	fi
+}
+
+set_password() {
+	if test -n "${set_pwd}"
+	then
+		echo
+		passwd ${login}
+		echo
+	fi
+}	
+
+set_system() {
+	if test -d "${home}"
+	then
+		echo "Directory ${home} already exists."
+		echo "Skeleton files not copied."
+		return
+	fi
+	
+	echo -n "Copying skeleton files..."
+	( 
+	  mkdir ${home}
+	  cd ${skel} && cp -af . ${home}
+	  chmod ${def_mode} ${home}
+	  chown -R ${login}:${group} ${home}
+	)
+	echo "done."
+
+	## Add your own stuff here:
+	echo -n "Setting up other files..."
+	(
+	  mailbox="/var/spool/mail/${login}"
+	  touch ${mailbox}
+	  chown "${login}:mail" ${mailbox}
+	  chmod 600 ${mailbox}
+	)
+	echo "done."
+}
+
+
+read_values() {
+	clear
+	echo -e "\nPlease answer the following questions about the new user to be added."
+	
+	while :
+	do
+		read_login
+		read_name
+		read_group
+		read_other_groups
+		read_home
+		read_shell
+		read_uid
+		read_expire_date
+		read_max_valid_days
+		read_min_valid_days
+		read_warning_days
+		read_inactive_days
+		read_passwd_yn
+
+		print_values
+		
+		echo -n "Is this correct [N/y] ? "
+		read_yn 1 && return
+	done
+}
+
+
+main() {
+	check_root
+	read_values
+	set_user
+	set_aging
+	set_system
+	set_password
+}
+
+
+## Run it 8-)
+main
+
+# End.
--- a/debian/Makefile
+++ b/debian/Makefile
@@ -0,0 +1,16 @@
+PKG=shadow
+SITE=ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/
+
+deb:: check_cheese
+
+include /usr/share/quilt/quilt.debbuild.mk
+
+check_cheese:
+	@dpkg-parsechangelog | grep -q "\* The \".*\".* release\." || { \
+		echo ""; \
+		echo " **                                  **"; \
+		echo " **  Warning: not a cheesy release!  **"; \
+		echo " **                                  **"; \
+		echo ""; \
+		exit 1; \
+	}
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -0,0 +1,62 @@
+shadow (1:4.13+dfsg1-2) unstable; urgency=medium
+
+  The previous entry falsely states that PREVENT_NO_AUTH in /etc/login.defs
+  affects authentication.  The historical default of letting all users with
+  empty password field in without authentication is still in effect.
+
+ -- Balint Reczey <balint@balintreczey.hu>  Mon, 25 Sep 2023 17:04:09 +0200
+
+shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
+
+  Login now prevents an empty password field to be interpreted as
+  "no authentication required" for UID 0 (root account).
+  The historical default of letting all users with empty password field
+  in without authentication can be restored in /etc/login.defs setting
+  PREVENT_NO_AUTH to "no".
+
+ -- Balint Reczey <balint@balintreczey.hu>  Sun, 07 Nov 2021 21:51:46 +0100
+
+shadow (1:4.7-1) unstable; urgency=medium
+
+  * /etc/securetty is no longer shipped by this package and it is no longer
+    honored in login's PAM configuration by default. Please see #731656 for the
+    details.
+
+ -- Balint Reczey <rbalint@ubuntu.com>  Thu, 20 Jun 2019 13:46:52 +0200
+
+shadow (1:4.0.15-5) unstable; urgency=low
+
+  * commands passed in argument to su must use su's -c option and must quote
+    the command if it contains a space, as in:
+        su - root -c "ls -l /"
+    The following commands won't work anymore:
+        su - root -c ls -l /
+        su - root "ls -l /"
+        su - root ls -l /
+
+ -- Christian Perrier <bubulle@debian.org>  Sat,  8 Apr 2006 20:11:38 +0200
+
+shadow (1:4.0.14-1) unstable; urgency=low
+
+  * passwd does not support the -f, -s, and -g options anymore. You should use
+    the chfn, chsh and gpasswd utilities instead.
+  * login now distributes the nologin utility, which can be used as a shell
+    to politely refuse a login
+
+ -- Christian Perrier <bubulle@debian.org>  Thu,  5 Jan 2006 08:47:44 +0100
+
+shadow (1:4.0.12-1) unstable; urgency=low
+
+  CLOSE_SESSIONS and other variables are not used anymore in
+  /etc/login/defs.
+  As shadow utilities which use this file now warn about unknown
+  entries there, administrators should remove such unknown entries.
+  The supplied login.defs file does not include them anymore.
+
+  dpasswd is no more distributed by upstream. Login do not support
+  dialup password anymore.  Re-introducing this functionality in
+  upstream is not trivial.
+
+
+ -- Christian Perrier <bubulle@debian.org>  Thu, 25 Aug 2005 08:38:47 +0200
+
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -0,0 +1,62 @@
+Read this file first for a brief overview of the new versions of login
+and passwd.
+
+
+---Shadow passwords
+
+The command `shadowconfig on' will turn on shadow password support.
+`shadowconfig off' will turn it back off.  If you turn on shadow
+password support, you'll gain the ability to set password ages and
+expirations with chage(1).
+
+NOTE: If you use the nscd package, you may have problems with a
+slight delay in updating the password information. You may notice
+this during upgrades of certain packages that try to add a system
+user and then access the users information immediately afterwards.
+To avoid this, it is suggested that you stop the nscd daemon before
+upgrades, then restart it again.
+
+---General configuration
+
+Most of the configuration for the shadow utilities is in
+/etc/login.defs.  See login.defs(5).  The defaults are quite
+reasonable.
+
+Also see the /etc/pam.d/* files for each program to configure the PAM
+support. PAM documentation is available in several formats in the
+libpam-doc package.
+
+
+---MD5 Encryption
+
+This is enabled now using the /etc/pam.d/* files. Examples are given.
+
+
+---Adding users and groups
+
+Though you may add users and groups with the SysV type commands,
+useradd and groupadd, I recommend you add them with Debian adduser
+version 3+.  adduser gives you more configuration and conforms to the
+Debian UID and GID allocation.
+
+Editing user and group parameters can be done with usermod and
+groupmod.  Removing users and groups can be done with userdel and
+groupdel.
+
+
+--- Group administration
+
+Local group allocation is much easier.  With gpasswd(1) you can
+designate users to administer groups.  They can then securely add or
+remove users from the group.
+
+
+--- What to read next?
+
+Read the manpages, the other files in this directory, and the Shadow
+Password HOWTO (included in the doc-linux package).  A large portion
+of these files deals with getting shadow installed.  You can, of
+course, ignore those parts.
+
+Also, the libpam-doc package will go a long way to allowing you to take
+full advantage of the PAM authentication scheme.
--- a/debian/README.source
+++ b/debian/README.source
@@ -0,0 +1,8 @@
+If you update the translation of upsteam files (thank you for that!) please
+submit a pull request upstream instead of filing a bug in the Debian BTS
+to get it reviewed and accepted faster.
+
+A testsuite is also available. Instruction on how to run this testsuite
+are available in tests/README
+
+ -- Balint Reczey <balint@balintreczey.hu>, Mon, 31 Jan 2022 14:07:11 +0100
--- a/debian/TODO
+++ b/debian/TODO
@@ -0,0 +1,19 @@
+Things that should be done:
+ * Verify the files left in debian/tmp
+   + e.g. /etc/default/adduser should be installed
+ * Check the build system: rebuilding the package twoce in the same tree
+   doubles the size of the diff.gz file
+
+Other points (not related to the release of a syncronized shadow):
+ * compare the source with the usages and man pages
+   + probably add a sentence to chsh/chfn's manpages about authentication
+     required for ordinary users
+ * do something (a tool) for the variables in login.defs
+   In Debian, some tools are not compiled with the PAM support, so upstream
+   getdef.c won't be OK.
+   It should be nice to see in each man page the set of variables used.
+   The Debian package can now compile (export DEB_BUILD_OPTIONS='nostrip debug')
+   with the debugging informations. This may be used to extract the set of
+   variables used in Debian/for each tools.
+ * verify all the patches around (I've found patches for at least RedHat,
+   OWL, LFS, Mandriva, Gentoo; are they already applied?)
--- a/debian/bugs-usertags
+++ b/debian/bugs-usertags
@@ -0,0 +1,25 @@
+This described the usertags used by the team.
+
+For usertags documentation, see
+http://lists.debian.org/debian-devel-announce/2005/09/msg00002.html
+
+All bugs tagged by team members must be tagged with 
+"user pkg-shadow-devel@lists.alioth.debian.org"
+
+Tags list
+---------
+
+toclose:         This bug has been announced to be closed in case no more news
+                 or information is received from the bug submitter or someone
+                 else until the delay specified in the limits_YYYYMMDD tag
+
+limits-YYYYMMDD: combine it with "toclose". Specifies the date after which
+                 bugs can be closed without other action in case no news 
+                 is received
+
+manpages-replace A bug reported angainst a manpages-xx package to indicate
+                 conflicting man pages. This tag can be used to tune the
+                 Replaces fields.
+
+su-transition:   This bug is related to the su transition (#276419)
+
--- a/debian/changelog
+++ b/debian/changelog
--- a/debian/control
+++ b/debian/control
@@ -0,0 +1,102 @@
+Source: shadow
+Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
+Uploaders:
+ Serge Hallyn <serge@hallyn.com>,
+ Chris Hofstaedtler <zeha@debian.org>
+Section: admin
+Priority: required
+Build-Depends:
+ bison,
+ debhelper-compat (= 13),
+ dh-package-notes,
+ dh-sequence-zz-debputy-rrr (>= 0.1.23~),
+ docbook-xml <!nodoc>,
+ docbook-xsl <!nodoc>,
+ gettext,
+ itstool <!nodoc>,
+ libacl1-dev,
+ libattr1-dev,
+ libaudit-dev [linux-any],
+ libbsd-dev,
+ libcrypt-dev,
+ libcmocka-dev <!nocheck>,
+ libltdl-dev,
+ libpam0g-dev,
+ libselinux1-dev [linux-any],
+ libsemanage-dev [linux-any],
+ libsystemd-dev [linux-any],
+ libxml2-utils <!nodoc>,
+ pkgconf,
+ quilt,
+ systemd-dev [linux-any],
+ xsltproc <!nodoc>
+Standards-Version: 4.7.0
+Vcs-Git: https://salsa.debian.org/debian/shadow.git -b master
+Vcs-Browser: https://salsa.debian.org/debian/shadow
+Homepage: https://github.com/shadow-maint/shadow
+Rules-Requires-Root: no
+
+Package: passwd
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ base-passwd (>= 3.6.4),
+ libpam-modules,
+ login
+Recommends:
+ sensible-utils
+Description: change and administer password and group data
+ This package includes passwd, chsh, chfn, and many other programs to
+ maintain password and group data.
+ .
+ Shadow passwords are supported.  See /usr/share/doc/passwd/README.Debian
+
+Package: login
+Architecture: any
+Multi-Arch: foreign
+Protected: yes
+Depends:
+ libpam-modules,
+ libpam-runtime
+Breaks:
+ hurd (<< 20140206~) [hurd-any]
+Conflicts:
+ python-4suite (<< 0.99cvs20060405-1)
+Replaces:
+ hurd (<< 20140206~) [hurd-any]
+Description: system login tools
+ This package provides support for console-based logins and for
+ changing effective user or group IDs, including:
+  * login, the program that invokes a user shell on a virtual terminal;
+  * nologin, a dummy shell for disabled user accounts;
+
+Package: uidmap
+Architecture: any
+Multi-Arch: foreign
+Priority: optional
+Description: programs to help use subuids
+ These programs help unprivileged users to create uid and gid mappings in
+ user namespaces.
+
+Package: libsubid4
+Section: libs
+Priority: optional
+Architecture: any
+Multi-Arch: same
+Description: subordinate id handling library -- shared library
+ The library provides an interface for querying, granding and ungranting
+ subordinate user and group ids.
+
+Package: libsubid-dev
+Section: libdevel
+Priority: optional
+Architecture: any
+Multi-Arch: same
+Depends:
+ libsubid4 (= ${binary:Version})
+Description: subordinate id handling library -- shared library
+ The library provides an interface for querying, granding and ungranting
+ subordinate user and group ids.
+ .
+ This package contains the C header files that are
+ needed for applications to use the libsubid4 library.
--- a/debian/copyright
+++ b/debian/copyright
@@ -0,0 +1,191 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: Shadow
+Source: https://github.com/shadow-maint/shadow
+
+Files: *
+Copyright: 1989-1994, Julianne Frances Haugh
+           2016-2022, Serge Hallyn <serge@hallyn.com>
+License: BSD-3-clause
+
+Files: man/po/da.po
+       man/po/de.po
+       man/tr/man1/su.1
+       po/da.po
+       po/de.po
+       po/es.po
+       po/eu.po
+       po/fi.po
+       po/gl.po
+       po/it.po
+       po/kk.po
+       po/nb.po
+       po/nl.po
+       po/nn.po
+       po/pl.po
+       po/pt_BR.po
+       po/ru.po
+       po/sq.po
+       po/sv.po
+       po/vi.po
+Copyright: 1999-2015, Free Software Foundation, Inc
+License: BSD-3-clause
+
+Files: man/fi/man1/chfn.1
+       man/id/man1/*
+       man/ko/man1/chfn.1
+       man/ko/man1/chsh.1
+       man/tr/man1/chfn.1
+       man/zh_TW/man1/chfn.1
+       man/zh_TW/man1/chsh.1
+Copyright: 1994, salvatore valente <svalente@athena.mit.edu>
+License: GPL-1
+
+Files: man/pt_BR/man8/*
+       man/zh_TW/man8/usermod.8
+Copyright: 1991-1994, Julianne Frances Haugh
+License: BSD-3-clause
+
+Files: man/hu/man1/gpasswd.1
+       man/ja/man1/gpasswd.1
+       man/pt_BR/man1/*
+Copyright: 1996, Rafal Maszkowski <rzm@pdi.net>
+License: BSD-3-clause
+
+Files: man/id/man1/login.1
+       man/ko/man1/login.1
+       man/tr/man1/login.1
+Copyright: 1993, Rickard E. Faith <faith@cs.unc.edu>
+License: BSD-3-clause
+
+Files: man/ja/man1/groups.1
+       man/ja/man5/limits.5
+       man/ja/man8/vipw.8
+Copyright: 2001, Maki KURODA
+License: BSD-3-clause
+
+Files: man/pt_BR/man5/passwd.5
+       man/tr/man5/passwd.5
+Copyright: 1993, Michael Haardt <michael@moria.de>
+License: GPL-2+
+
+Files: man/ja/man1/chage.1
+       man/ja/man5/suauth.5
+Copyright: 1997, Kazuyoshi Furutaka
+License: BSD-3-clause
+
+Files: man/po/fr.po
+       po/fr.po
+Copyright: 2011-2013, Debian French l10n team <debian-l10n-french@lists.debian.org>
+License: BSD-3-clause
+
+Files: man/zh_TW/man5/*
+Copyright: 1993, Michael Haardt <michael@moria.de>
+           1993, Scorpio, www.linuxforum.net
+License: GPL-2+
+
+Files: man/hu/man5/*
+Copyright: 1993, Michael Haardt <u31b3hs@pool.informatik.rwth-aachen.de>
+License: GPL-2+
+
+Files: contrib/adduser2.sh
+Copyright: 1996, Petri Mattila, Prihateam Networks <petri@prihateam.fi>
+License: GPL-2+
+
+Files: lib/subordinateio.h
+Copyright: 2012, Eric W. Biederman
+License: BSD-3-clause
+
+Files: man/hu/man1/su.1
+Copyright: 1999, Ragnar Hojland Espinosa <ragnar@macula.net>
+License: BSD-3-clause
+
+Files: man/ja/man1/id.1
+Copyright: 2000, ISHIKAWA Keisuke
+License: BSD-3-clause
+
+Files: man/ja/man8/pwconv.8
+Copyright: 2001, Yuichi SATO
+License: BSD-3-clause
+
+Files: src/login_nopam.c
+Copyright: 1995, Wietse Venema
+License: BSD-3-clause
+
+Files: src/su.c
+Copyright: 1989 - 1994, Julianne Frances Haugh
+           1996 - 2000, Marek Michałkiewicz
+           2000 - 2006, Tomasz Kłoczko
+           2007 - 2013, Nicolas François
+License: GPL-2+
+
+Files: src/vipw.c
+Copyright: 1997, Guy Maor <maor@ece.utexas.edu>
+           1999 - 2000, Marek Michałkiewicz
+           2002 - 2006, Tomasz Kłoczko
+           2007 - 2013, Nicolas François
+License: GPL-2+
+
+Files: man/ko/man5/*
+Copyright: 2000, ASPLINUX <man@asp-linux.co.kr>
+License: GPL-2+
+
+Files: debian/*
+Copyright: 1999-2001, Ben Collins <bcollins@debian.org>
+           2001-2004 Karl Ramm <kcr@debian.org>
+           2004-2014 Christian Perrier <bubulle@debian.org>
+           2006-2012 Nicolas Francois (Nekral) <nicolas.francois@centraliens.net>
+           2017-2022 Balint Reczey <balint@balintreczey.hu>
+License: BSD-3-clause
+
+Files: debian/patches/cppw-Add-tool.patch
+Copyright: 1997, Guy Maor <maor@ece.utexas.edu>
+           1999, Stephen Frost <sfrost@snowman.net>
+License: GPL-2+
+
+Files: debian/passwd.expire.cron
+Copyright: 1999, Ben Collins <bcollins@debian.org>
+License: BSD-3-clause
+
+License: BSD-3-clause
+ All rights reserved.
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+ 3. Neither the name of the University nor the names of its contributors
+    may be used to endorse or promote products derived from this software
+    without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+License: GPL-1
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 1
+ .
+ On Debian systems, the complete text of version 1 of the GNU General
+ Public License can be found in '/usr/share/common-licenses/GPL-1'.
+
+License: GPL-2+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 dated June, 1991, or (at
+ your option) any later version.
+ .
+ On Debian systems, the complete text of version 2 of the GNU General
+ Public License can be found in '/usr/share/common-licenses/GPL-2'.
--- a/debian/cpgr.8
+++ b/debian/cpgr.8
@@ -0,0 +1 @@
+.so man8/cppw.8
--- a/debian/cppw.8
+++ b/debian/cppw.8
@@ -0,0 +1,27 @@
+.TH CPPW 8 "7 Apr 2005"
+.SH NAME
+cppw, cpgr \- copy with locking the given file to the password or group file
+.SH SYNOPSIS
+\fBcppw\fR [\fB\-h\fR] [\fB\-s\fR] password_file
+.br
+\fBcpgr\fR [\fB\-h\fR] [\fB\-s\fR] group_file
+
+.SH DESCRIPTION
+.BR cppw " and " cpgr
+will copy, with locking, the given file to
+.IR /etc/passwd " and " /etc/group ", respectively."
+With the \fB\-s\fR flag, they will copy the shadow versions of those files,
+.IR /etc/shadow " and " /etc/gshadow ", respectively."
+
+With the \fB\-h\fR flag, the commands display a short help message and exit
+silently.
+.SH "SEE ALSO"
+.BR vipw (8),
+.BR vigr (8),
+.BR group (5),
+.BR passwd (5),
+.BR shadow (5),
+.BR gshadow (5)
+.SH AUTHOR
+\fBcppw\fR and \fBcpgr\fR were written by Stephen Frost, based on
+\fBvipw\fR and \fBvigr\fR written by Guy Maor.
--- a/debian/debputy.manifest
+++ b/debian/debputy.manifest
@@ -0,0 +1,37 @@
+manifest-version: '0.1'
+packages:
+  passwd:
+    transformations:
+    - path-metadata:
+        path: usr/bin/chfn
+        mode: "u=rwxs,go=rx"
+    - path-metadata:
+        path: usr/bin/chsh
+        mode: "u=rwxs,go=rx"
+    - path-metadata:
+        path: usr/bin/gpasswd
+        mode: "u=rwxs,go=rx"
+    - path-metadata:
+        path: usr/bin/passwd
+        mode: "u=rwxs,go=rx"
+    - path-metadata:
+        path: usr/bin/chage
+        group: "shadow"
+        mode: "u=rwx,go=rxs"
+    - path-metadata:
+        path: usr/bin/expiry
+        group: "shadow"
+        mode: "u=rwx,go=rxs"
+  login:
+    transformations:
+    - path-metadata:
+        path: usr/bin/newgrp
+        mode: "u=rwxs,go=rx"
+  uidmap:
+    transformations:
+    - path-metadata:
+        path: usr/bin/newgidmap
+        mode: "u=rwxs,go=rx"
+    - path-metadata:
+        path: usr/bin/newuidmap
+        mode: "u=rwxs,go=rx"
--- a/debian/default/useradd
+++ b/debian/default/useradd
@@ -0,0 +1,37 @@
+# Default values for useradd(8)
+#
+# The SHELL variable specifies the default login shell on your
+# system.
+# Similar to DSHELL in adduser. However, we use "sh" here because
+# useradd is a low level utility and should be as general
+# as possible
+SHELL=/bin/sh
+#
+# The default group for users
+# 100=users on Debian systems
+# Same as USERS_GID in adduser
+# This argument is used when the -n flag is specified.
+# The default behavior (when -n and -g are not specified) is to create a
+# primary user group with the same name as the user being added to the
+# system.
+# GROUP=100
+#
+# The default home directory. Same as DHOME for adduser
+# HOME=/home
+#
+# The number of days after a password expires until the account 
+# is permanently disabled
+# INACTIVE=-1
+#
+# The default expire date
+# EXPIRE=
+#
+# The SKEL variable specifies the directory containing "skeletal" user
+# files; in other words, files such as a sample .profile that will be
+# copied to the new user's home directory when it is created.
+# SKEL=/etc/skel
+#
+# Defines whether the mail spool should be created while
+# creating the account
+# CREATE_MAIL_SPOOL=no
+
--- a/debian/dependencies
+++ b/debian/dependencies
@@ -0,0 +1,94 @@
+Build-Depends:
+==============
+ * autoconf
+ * automake1.9
+   works with 1.7 or 1.9 (at least)
+ * libtool
+ * gettext
+   POT, PO, GMO regenerated?
+ * libpam0g-dev
+   OK
+ * debhelper (>= 4.1.16)
+ * po-debconf
+   OK
+ * quilt
+   patch system
+ * dpkg-dev (>= 1.13.5)
+ * xsltproc
+   used to generate the manpages
+ * docbook-xsl
+   needed for /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl
+ * docbook-xml
+   manpages/docbook.xsl includes html/docbook.xsl
+   (But it is not strictly needed. The generated manpages are identical.
+   Without it, a warning is generated.)
+   Needed by JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.1.2//EN], [DocBook XML DTD V4.1.2], [], enable_man=no)
+ * libxml2-utils
+   needed by the JH_CHECK_XML_CATALOG macros
+ * cdbs
+   used in debian/rules
+ * libselinux1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64]
+ * gnome-doc-utils (>= 0.4.3-1)
+   xml2po, 0.4.3-1 needed for the -l switch.
+
+passwd Depends:
+===============
+ * ${shlibs:Depends}
+   OK
+ * ${loginpam}
+   - hurd
+     login
+     libpam-modules (>= 0.72-5)
+   - other archs
+     + login (>= 970502-1)
+       login is needed because some passwd utils need /etc/login.defs
+       login is Essential, so this is just to enforce the version
+     + libpam-modules (>= 0.72-5)
+ * debianutils (>= 2.15.2)
+   After 1:4.0.12-6, {add,remove}-shell are distributed in debianutils (2.15)
+   /etc/shell was forgotten and introduced in debianutils in 2.15.2
+
+passwd Conflicts:
+=================
+
+passwd Replaces:
+================
+   Some of the passwd man pages are also distributed in some manpages* packages.
+   Look at the debian/02/run test to optimize these dependencies.
+   NOTE: Not all maintainers have been notified.
+ * manpages-de (<< 0.4-9), manpages-fi (<< 0.2-4), manpages-fr (<<1.64.0-1), manpages-hu (<< 20010119-5), manpages-it (<< 0.3.4-3), manpages-ja (<< 0.5.0.0.20050915-1), manpages-ko (<< 20050219-2), manpages-es (<< 1.55-4), manpages-es-extra (<< 0.8a-15), manpages-ru (<< 0.98-3)
+   All those packages have been updated during sarge->etch. So these Replaces
+   should be removed after lenny release
+ * manpages-tr, manpages-zh
+   Those packages are still in etch, so the Replaces should be kept even
+   after lenny release
+
+login Pre-Depends:
+==================
+ * ${shlibs:Depends}
+ * libpam-runtime (>= 0.76-14)
+   sarge contained 0.76-22
+
+Why Pre-Depends? (because it's an essential package?)
+
+login Depends:
+==============
+ * libpam-modules (>= 0.72-5)
+   libpam-modules is needed.
+   potato contained 0.72-9
+
+login Conflicts:
+================
+
+login Replaces:
+===============
+ * Some of the login man pages are also distributed in some manpages* packages.
+   Look at the debian/02/run test to optimize these dependencies.
+   NOTE: Not all maintainers have been notified.
+   - manpages-fi, manpages-fr (<<1.64.0-1), manpages-hu, manpages-it, manpages-ko, manpages-ja (<< 0.5.0.0.20050915-1), manpages-de (<< 0.4-10), manpages-es-extra (<<0.8a-15) 
+     Those are packages that have been updated during sarge->etch. These
+     Replaces should be removed after lenny
+   - manpages-tr, manpages-zh
+     Those packages are still in etch, so the Replaces should be kept even
+     after lenny release
+
--- a/debian/gitlab-ci.yml
+++ b/debian/gitlab-ci.yml
@@ -0,0 +1,7 @@
+variables:
+  RELEASE: 'unstable'
+  # workaround for https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/259
+  SALSA_CI_REPROTEST_ARGS: --vary=domain_host.use_sudo=1
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
--- a/debian/libsubid-dev.install
+++ b/debian/libsubid-dev.install
@@ -0,0 +1,3 @@
+usr/include/*
+usr/lib/*/libsubid.a
+usr/lib/*/libsubid.so
--- a/debian/libsubid4.install
+++ b/debian/libsubid4.install
@@ -0,0 +1 @@
+usr/lib/*/libsubid.so.*
--- a/debian/libsubid4.symbols
+++ b/debian/libsubid4.symbols
@@ -0,0 +1,10 @@
+libsubid.so.4 libsubid4 #MINVER#
+ subid_get_gid_owners@Base 1:4.11.1
+ subid_get_gid_ranges@Base 1:4.11.1
+ subid_get_uid_owners@Base 1:4.11.1
+ subid_get_uid_ranges@Base 1:4.11.1
+ subid_grant_gid_range@Base 1:4.11.1
+ subid_grant_uid_range@Base 1:4.11.1
+ subid_init@Base 1:4.11.1
+ subid_ungrant_gid_range@Base 1:4.11.1
+ subid_ungrant_uid_range@Base 1:4.11.1
--- a/debian/login.defs
+++ b/debian/login.defs
@@ -0,0 +1,324 @@
+#
+# /etc/login.defs - Configuration control definitions for the login package.
+#
+# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
+# If unspecified, some arbitrary (and possibly incorrect) value will
+# be assumed.  All other items are optional - if not specified then
+# the described action or option will be inhibited.
+#
+# Comment lines (lines beginning with "#") and blank lines are ignored.
+#
+# Modified for Linux.  --marekm
+
+# REQUIRED for useradd/userdel/usermod
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
+#   MAIL_DIR takes precedence.
+#
+#   Essentially:
+#      - MAIL_DIR defines the location of users mail spool files
+#        (for mbox use) by appending the username to MAIL_DIR as defined
+#        below.
+#      - MAIL_FILE defines the location of the users mail spool files as the
+#        fully-qualified filename obtained by prepending the user home
+#        directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+#       which is, starting from shadow 4.0.12-1 in Debian, entirely the
+#       job of the pam_mail PAM modules
+#       See default PAM configuration files provided for
+#       login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR        /var/mail
+#MAIL_FILE      .mail
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+# WARNING: Unknown usernames may become world readable. 
+# See #290803 and #298773 for details about how this could become a security
+# concern
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE	/var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, the command name to display when running "su -".  For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su".  If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME		su
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+# In Debian /usr/bin/bsd-write or similar programs are setgid tty
+# However, the default and recommended value for TTYPERM is still 0600
+# to not allow anyone to write to anyone else console or terminal
+
+# Users can still allow other people to write them by issuing 
+# the "mesg y" command.
+
+TTYGROUP	tty
+TTYPERM		0600
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# 
+ERASECHAR	0177
+KILLCHAR	025
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+HOME_MODE	0700
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+#SYS_UID_MIN		  100
+#SYS_UID_MAX		  999
+# Extra per user uids
+SUB_UID_MIN		   100000
+SUB_UID_MAX		600100000
+SUB_UID_COUNT		    65536
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+#SYS_GID_MIN		  100
+#SYS_GID_MAX		  999
+# Extra per user group ids
+SUB_GID_MIN		   100000
+SUB_GID_MAX		600100000
+SUB_GID_COUNT		    65536
+
+#
+# Max number of login retries if password is bad. This will most likely be
+# overriden by PAM, since the default pam_unix module has it's own built
+# in of 3 retries. However, this is a safe fallback in case you are using
+# an authentication module that does not enforce PAM_MAXTRIES.
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT		60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# 
+CHFN_RESTRICT		rwh
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is no.
+#
+DEFAULT_HOME	yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# If set to yes, userdel will remove the user's group if it contains no
+# more members, and useradd will create by default a group with the name
+# of the user.
+#
+# Other former uses of this variable such as setting the umask when
+# user==primary group are not used in PAM environments, such as Debian
+#
+USERGROUPS_ENAB yes
+
+#
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
+#
+# FAKE_SHELL /bin/fakeshell
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names.  Root logins will be allowed only
+# upon these devices.
+#
+# This variable is used by login and su.
+#
+#CONSOLE	/etc/consoles
+#CONSOLE	console:tty01:tty02:tty03:tty04
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting).  Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# This variable is used by login and su.
+#
+#CONSOLE_GROUPS		floppy:audio:cdrom
+
+#
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+ENCRYPT_METHOD YESCRYPT
+
+#
+# The pwck(8) utility emits a warning for any system account with a home
+# directory that does not exist.  Some system accounts intentionally do
+# not have a home directory.  Such accounts may have this string as
+# their home directory in /etc/passwd to avoid a spurious warning.
+#
+NONEXISTENT	/nonexistent
+
+#
+# Allow newuidmap and newgidmap when running under an alternative
+# primary group.
+#
+#GRANT_AUX_GROUP_SUBIDS yes
+
+#
+# Select the HMAC cryptography algorithm.
+# Used in pam_timestamp module to calculate the keyed-hash message
+# authentication code.
+#
+# Note: It is recommended to check hmac(3) to see the possible algorithms
+# that are available in your system.
+#
+#HMAC_CRYPTO_ALGO SHA512
+
+################# OBSOLETED BY PAM ##############
+#						#
+# These options are now handled by PAM. Please	#
+# edit the appropriate file in /etc/pam.d/ to	#
+# enable the equivelants of them.
+#
+###############
+
+#MOTD_FILE
+#DIALUPS_CHECK_ENAB
+#LASTLOG_ENAB
+#MAIL_CHECK_ENAB
+#OBSCURE_CHECKS_ENAB
+#PORTTIME_CHECKS_ENAB
+#SU_WHEEL_ONLY
+#CRACKLIB_DICTPATH
+#PASS_CHANGE_TRIES
+#PASS_ALWAYS_WARN
+#ENVIRON_FILE
+#NOLOGINS_FILE
+#ISSUE_FILE
+#PASS_MIN_LEN
+#PASS_MAX_LEN
+#ULIMIT
+#ENV_HZ
+#CHFN_AUTH
+#CHSH_AUTH
+#FAIL_DELAY
+
+################# OBSOLETED #######################
+#						  #
+# These options are no more handled by shadow.    #
+#                                                 #
+# Shadow utilities will display a warning if they #
+# still appear.                                   #
+#                                                 #
+###################################################
+
+# CLOSE_SESSIONS
+# LOGIN_STRING
+# NO_PASSWORD_CONSOLE
+# QMAIL_DIR
+
+
+
--- a/debian/login.dirs
+++ b/debian/login.dirs
@@ -0,0 +1 @@
+usr/share/lintian/overrides
--- a/debian/login.install
+++ b/debian/login.install
@@ -0,0 +1,5 @@
+bin/login usr/bin
+debian/login.defs etc
+sbin/nologin usr/sbin
+usr/bin/newgrp
+usr/share/locale/*/LC_MESSAGES/shadow.mo
--- a/debian/login.links
+++ b/debian/login.links
@@ -0,0 +1 @@
+usr/bin/newgrp usr/bin/sg
--- a/debian/login.lintian-overrides
+++ b/debian/login.lintian-overrides
@@ -0,0 +1 @@
+login: elevated-privileges 4755 root/root [usr/bin/newgrp]
--- a/debian/login.maintscript
+++ b/debian/login.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/securetty 1:4.7-1~
--- a/debian/login.manpages
+++ b/debian/login.manpages
@@ -0,0 +1,10 @@
+usr/share/man/*/man1/login.1
+usr/share/man/*/man1/newgrp.1
+usr/share/man/*/man1/sg.1
+usr/share/man/*/man5/login.defs.5
+usr/share/man/*/man8/nologin.8
+usr/share/man/man1/login.1
+usr/share/man/man1/newgrp.1
+usr/share/man/man1/sg.1
+usr/share/man/man5/login.defs.5
+usr/share/man/man8/nologin.8
--- a/debian/login.pam
+++ b/debian/login.pam
@@ -0,0 +1,96 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# pam_selinux.so changes the SELinux context of the used TTY and configures
+# SELinux in order to transition to the user context with the next execve()
+# call.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables can also be set in /etc/default/locale
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password
--- a/debian/not-installed
+++ b/debian/not-installed
@@ -0,0 +1,40 @@
+bin/groups
+etc/login.defs
+etc/pam.d/chfn
+etc/pam.d/chage
+etc/pam.d/chpasswd
+etc/pam.d/chsh
+etc/pam.d/groupadd
+etc/pam.d/groupdel
+etc/pam.d/groupmems
+etc/pam.d/groupmod
+etc/pam.d/login
+etc/pam.d/newusers
+etc/pam.d/passwd
+etc/pam.d/useradd
+etc/pam.d/userdel
+etc/pam.d/usermod
+usr/bin/faillog
+usr/bin/sg
+usr/lib/*/libsubid.la
+usr/sbin/logoutd
+usr/sbin/vigr
+usr/share/man/*/man1/groups.1
+usr/share/man/*/man1/logoutd.1
+usr/share/man/*/man1/su.1
+usr/share/man/*/man3/getspnam.3
+usr/share/man/*/man3/shadow.3
+usr/share/man/*/man5/faillog.5
+usr/share/man/*/man5/suauth.5
+usr/share/man/*/man8/faillog.8
+usr/share/man/*/man8/logoutd.8
+usr/share/man/man1/groups.1
+usr/share/man/man1/logoutd.1
+usr/share/man/man1/su.1
+usr/share/man/man3/getspnam.3
+usr/share/man/man3/shadow.3
+usr/share/man/man5/faillog.5
+usr/share/man/man5/suauth.5
+usr/share/man/man8/faillog.8
+usr/share/man/man8/logoutd.8
+
--- a/debian/passwd.chage.pam
+++ b/debian/passwd.chage.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'chage' service
+#
+
+# This allows root to change password aging being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/passwd.chfn.pam
+++ b/debian/passwd.chfn.pam
@@ -0,0 +1,16 @@
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+
+# This allows root to change user infomation without being
+# prompted for a password
+auth		sufficient	pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
+
--- a/debian/passwd.chpasswd.pam
+++ b/debian/passwd.chpasswd.pam
@@ -0,0 +1,5 @@
+# The PAM configuration file for the Shadow 'chpasswd' service
+#
+
+@include common-password
+
--- a/debian/passwd.chsh.pam
+++ b/debian/passwd.chsh.pam
@@ -0,0 +1,20 @@
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+
+# This will not allow a user to change their shell unless
+# their current one is listed in /etc/shells. This keeps
+# accounts with special shells from changing them.
+auth       required   pam_shells.so
+
+# This allows root to change user shell without being
+# prompted for a password
+auth		sufficient	pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
--- a/debian/passwd.dirs
+++ b/debian/passwd.dirs
@@ -0,0 +1,2 @@
+etc/default
+usr/share/lintian/overrides
--- a/debian/passwd.examples
+++ b/debian/passwd.examples
@@ -0,0 +1 @@
+debian/passwd.expire.cron
--- a/debian/passwd.expire.cron
+++ b/debian/passwd.expire.cron
@@ -0,0 +1,57 @@
+#!/usr/bin/perl
+#
+# passwd.expire.cron: sample expiry notification script for use as a cronjob
+#
+# Copyright 1999 by Ben Collins <bcollins@debian.org>, complete rights granted
+# for use, distribution, modification, etc.
+#
+# Usage:
+#	edit the listed options, including the actual email, then rename to
+#	/etc/cron.daily/passwd
+#
+#	If your users don't have a valid login shell (ie. they are ftp or mail
+#	users only), they will need some other way to change their password
+#	(telnet will work since login will handle password aging, or a poppasswd
+#	program, if they are mail users).
+
+# <CONFIG> #
+
+# should be same as /etc/adduser.conf
+$LOW_UID=1000;
+$HIGH_UID=29999;
+
+# this let's the MTA handle the domain,
+# set it manually if you want. Make sure
+# you also add the @ like "\@domain.com"
+$MAIL_DOM="";
+
+# </CONFIG> #
+
+# Set the current day reference
+$curdays = int(time() / (60 * 60 * 24));
+
+# Now go through the list
+
+open(SH, "< /etc/shadow");
+while (<SH>) {
+    @shent = split(':', $_);
+    @userent = getpwnam($shent[0]);
+    if ($userent[2] >= $LOW_UID && $userent[2] <= $HIGH_UID) {
+	if ($curdays > $shent[2] + $shent[4] - $shent[5] &&
+		$shent[4] != -1 && $shent[4] != 0 &&
+		$shent[5] != -1 && $shent[5] != 0) {
+	    $daysleft = ($shent[2] + $shent[4]) - $curdays;
+	    if ($daysleft == 1) { $days = "day"; } else {$days = "days"; }
+            if ($daysleft < 0) { next; }
+	    open (MAIL, "| mail -s '[WARNING] account will expire in $daysleft $days' $shent[0]${MAIL_DOM}");
+	    print MAIL <<EOF;
+Your account will expire in $daysleft $days. Please change your password before
+then or your account will expire
+EOF
+	    close (MAIL);
+	    # This makes sure we also get a list of almost expired users
+	    print "$shent[0]'s account will expire in $daysleft days\n";
+	}
+    }
+    @userent = getpwent();
+}
--- a/debian/passwd.groupadd.pam
+++ b/debian/passwd.groupadd.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupadd' service
+#
+
+# This allows root to add groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/passwd.groupdel.pam
+++ b/debian/passwd.groupdel.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupdel' service
+#
+
+# This allows root to remove groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/passwd.groupmod.pam
+++ b/debian/passwd.groupmod.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupmod' service
+#
+
+# This allows root to modify groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/passwd.install
+++ b/debian/passwd.install
@@ -0,0 +1,26 @@
+debian/default/useradd etc/default
+debian/shadowconfig usr/sbin
+usr/bin/chage
+usr/bin/chfn
+usr/bin/chsh
+usr/bin/expiry
+usr/bin/gpasswd
+usr/bin/passwd
+usr/sbin/chgpasswd
+usr/sbin/chpasswd
+usr/sbin/cppw
+usr/sbin/groupadd
+usr/sbin/groupdel
+usr/sbin/groupmems
+usr/sbin/groupmod
+usr/sbin/grpck
+usr/sbin/grpconv
+usr/sbin/grpunconv
+usr/sbin/newusers
+usr/sbin/pwck
+usr/sbin/pwconv
+usr/sbin/pwunconv
+usr/sbin/useradd
+usr/sbin/userdel
+usr/sbin/usermod
+usr/sbin/vipw
--- a/debian/passwd.links
+++ b/debian/passwd.links
@@ -0,0 +1,2 @@
+usr/sbin/cppw usr/sbin/cpgr
+usr/sbin/vipw usr/sbin/vigr
--- a/debian/passwd.lintian-overrides
+++ b/debian/passwd.lintian-overrides
@@ -0,0 +1,6 @@
+passwd: elevated-privileges 2755 root/shadow [usr/bin/chage]
+passwd: elevated-privileges 4755 root/root [usr/bin/chfn]
+passwd: elevated-privileges 4755 root/root [usr/bin/chsh]
+passwd: elevated-privileges 2755 root/shadow [usr/bin/expiry]
+passwd: elevated-privileges 4755 root/root [usr/bin/gpasswd]
+passwd: elevated-privileges 4755 root/root [usr/bin/passwd]
--- a/debian/passwd.maintscript
+++ b/debian/passwd.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/cron.daily/passwd 1:4.7-2~
--- a/debian/passwd.manpages
+++ b/debian/passwd.manpages
@@ -0,0 +1,62 @@
+debian/cpgr.8
+debian/cppw.8
+usr/share/man/*/man1/chage.1
+usr/share/man/*/man1/chfn.1
+usr/share/man/*/man1/chsh.1
+usr/share/man/*/man1/expiry.1
+usr/share/man/*/man1/gpasswd.1
+usr/share/man/*/man1/passwd.1
+usr/share/man/*/man5/gshadow.5
+usr/share/man/*/man5/passwd.5
+usr/share/man/*/man5/shadow.5
+usr/share/man/*/man5/subgid.5
+usr/share/man/*/man5/subuid.5
+usr/share/man/*/man8/chgpasswd.8
+usr/share/man/*/man8/chpasswd.8
+usr/share/man/*/man8/groupadd.8
+usr/share/man/*/man8/groupdel.8
+usr/share/man/*/man8/groupmems.8
+usr/share/man/*/man8/groupmod.8
+usr/share/man/*/man8/grpck.8
+usr/share/man/*/man8/grpconv.8
+usr/share/man/*/man8/grpunconv.8
+usr/share/man/*/man8/newusers.8
+usr/share/man/*/man8/pwck.8
+usr/share/man/*/man8/pwconv.8
+usr/share/man/*/man8/pwunconv.8
+usr/share/man/*/man8/shadowconfig.8
+usr/share/man/*/man8/useradd.8
+usr/share/man/*/man8/userdel.8
+usr/share/man/*/man8/usermod.8
+usr/share/man/*/man8/vigr.8
+usr/share/man/*/man8/vipw.8
+usr/share/man/man1/chage.1
+usr/share/man/man1/chfn.1
+usr/share/man/man1/chsh.1
+usr/share/man/man1/expiry.1
+usr/share/man/man1/gpasswd.1
+usr/share/man/man1/passwd.1
+usr/share/man/man5/gshadow.5
+usr/share/man/man5/passwd.5
+usr/share/man/man5/shadow.5
+usr/share/man/man5/subgid.5
+usr/share/man/man5/subuid.5
+usr/share/man/man8/chgpasswd.8
+usr/share/man/man8/chpasswd.8
+usr/share/man/man8/groupadd.8
+usr/share/man/man8/groupdel.8
+usr/share/man/man8/groupmems.8
+usr/share/man/man8/groupmod.8
+usr/share/man/man8/grpck.8
+usr/share/man/man8/grpconv.8
+usr/share/man/man8/grpunconv.8
+usr/share/man/man8/newusers.8
+usr/share/man/man8/pwck.8
+usr/share/man/man8/pwconv.8
+usr/share/man/man8/pwunconv.8
+usr/share/man/man8/shadowconfig.8
+usr/share/man/man8/useradd.8
+usr/share/man/man8/userdel.8
+usr/share/man/man8/usermod.8
+usr/share/man/man8/vigr.8
+usr/share/man/man8/vipw.8
--- a/debian/passwd.newusers.pam
+++ b/debian/passwd.newusers.pam
@@ -0,0 +1,5 @@
+# The PAM configuration file for the Shadow 'newusers' service
+#
+
+@include common-password
+
--- a/debian/passwd.passwd.pam
+++ b/debian/passwd.passwd.pam
@@ -0,0 +1,6 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+@include common-password
+
--- a/debian/passwd.postinst
+++ b/debian/passwd.postinst
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+configure)
+	if ! getent group shadow | grep -q '^shadow:[^:]*:42'
+	then
+		groupadd -g 42 shadow || (
+    			cat <<EOF
+Group ID 42 has been allocated for the shadow group.  You have either
+used 42 yourself or created a shadow group with a different ID.
+Please correct this problem and reconfigure with ``dpkg --configure passwd''.
+
+Note that both user and group IDs in the range 0-99 are globally
+allocated by the Debian project and must be the same on every Debian
+system.
+EOF
+    			exit 1
+		)
+	fi
+    ;;
+esac
+
+# Run shadowconfig only on new installs
+[ -z "$2" ] && shadowconfig on
+
+#DEBHELPER#
+
+exit 0
--- a/debian/passwd.tmpfiles
+++ b/debian/passwd.tmpfiles
@@ -0,0 +1,8 @@
+# If a password operation is in progress and we lose power, stale lockfiles
+# can be left behind.  Clear them on boot.
+r! /etc/gshadow.lock
+r! /etc/shadow.lock
+r! /etc/passwd.lock
+r! /etc/group.lock
+r! /etc/subuid.lock
+r! /etc/subgid.lock
--- a/debian/passwd.useradd.pam
+++ b/debian/passwd.useradd.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'useradd' service
+#
+
+# This allows root to add users without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/passwd.userdel.pam
+++ b/debian/passwd.userdel.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'userdel' service
+#
+
+# This allows root to remove users without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/passwd.usermod.pam
+++ b/debian/passwd.usermod.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupdel' service
+#
+
+# This allows root to remove groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so
--- a/debian/patches/debian/Document-the-shadowconfig-utility.patch
+++ b/debian/patches/debian/Document-the-shadowconfig-utility.patch
@@ -0,0 +1,280 @@
+From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
+Date: Sat, 22 Jun 2024 17:39:41 +0200
+Subject: Document the shadowconfig utility
+
+Status wrt upstream: The shadowconfig utility is debian specific.
+Its man page also (but it used to be distributed)
+---
+ man/Makefile.am            |  2 ++
+ man/fr/Makefile.am         |  1 +
+ man/fr/man8/shadowconfig.8 | 26 +++++++++++++++++++++++
+ man/ja/Makefile.am         |  1 +
+ man/ja/man8/shadowconfig.8 | 25 ++++++++++++++++++++++
+ man/pl/Makefile.am         |  1 +
+ man/pl/man8/shadowconfig.8 | 27 ++++++++++++++++++++++++
+ man/shadowconfig.8         | 41 ++++++++++++++++++++++++++++++++++++
+ man/shadowconfig.8.xml     | 52 ++++++++++++++++++++++++++++++++++++++++++++++
+ 9 files changed, 176 insertions(+)
+ create mode 100644 man/fr/man8/shadowconfig.8
+ create mode 100644 man/ja/man8/shadowconfig.8
+ create mode 100644 man/pl/man8/shadowconfig.8
+ create mode 100644 man/shadowconfig.8
+ create mode 100644 man/shadowconfig.8.xml
+
+diff --git a/man/Makefile.am b/man/Makefile.am
+index 83b1d68..dab98f4 100644
+--- a/man/Makefile.am
+++ b/man/Makefile.am
+@@ -37,6 +37,7 @@ man_MANS = \
+ 	man8/pwck.8 \
+ 	man8/pwconv.8 \
+ 	man8/pwunconv.8 \
+	man8/shadowconfig.8 \
+ 	man1/sg.1 \
+ 	man3/shadow.3 \
+ 	man5/shadow.5 \
+@@ -108,6 +109,7 @@ man_XMANS = \
+ 	porttime.5.xml \
+ 	pwck.8.xml \
+ 	pwconv.8.xml \
+	shadowconfig.8.xml \
+ 	shadow.3.xml \
+ 	shadow.5.xml \
+ 	sg.1.xml \
+diff --git a/man/fr/Makefile.am b/man/fr/Makefile.am
+index 335e029..78aee9a 100644
+--- a/man/fr/Makefile.am
+++ b/man/fr/Makefile.am
+@@ -32,6 +32,7 @@ man_MANS = \
+ 	man8/pwck.8 \
+ 	man8/pwconv.8 \
+ 	man8/pwunconv.8 \
+	man8/shadowconfig.8 \
+ 	man1/sg.1 \
+ 	man3/shadow.3 \
+ 	man5/shadow.5 \
+diff --git a/man/fr/man8/shadowconfig.8 b/man/fr/man8/shadowconfig.8
+new file mode 100644
+index 0000000..784da70
+--- /dev/null
+++ b/man/fr/man8/shadowconfig.8
+@@ -0,0 +1,26 @@
+.\" This file was generated with po4a. Translate the source file.
+.\"
+.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $
+.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux"
+.SH NOM
+shadowconfig \- active ou désactive les mots de passe cachés
+.SH SYNOPSIS
+\fBshadowconfig\fP \fIon\fP | \fIoff\fP
+.SH DESCRIPTION
+.PP
+\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message
+d'erreur et quitte avec une valeur de retour non nulle s'il rencontre
+quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant
+de recommencer.
+
+Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les
+désactiver lorsqu'ils ne sont pas actifs est sans effet.
+
+Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux
+mots de passe cachés et à leurs fonctionnalités.
+
+Notez que désactiver puis réactiver les mots de passe cachés aura pour
+conséquence la perte des informations d'âge sur les mots de passe.
+.SH TRADUCTION
+Nicolas FRANÇOIS, 2004.
+Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>.
+diff --git a/man/ja/Makefile.am b/man/ja/Makefile.am
+index 13f18da..c72097f 100644
+--- a/man/ja/Makefile.am
+++ b/man/ja/Makefile.am
+@@ -27,6 +27,7 @@ man_MANS = \
+ 	man8/pwck.8 \
+ 	man8/pwconv.8 \
+ 	man8/pwunconv.8 \
+	man8/shadowconfig.8 \
+ 	man1/sg.1 \
+ 	man5/shadow.5 \
+ 	man1/su.1 \
+diff --git a/man/ja/man8/shadowconfig.8 b/man/ja/man8/shadowconfig.8
+new file mode 100644
+index 0000000..a75c6f7
+--- /dev/null
+++ b/man/ja/man8/shadowconfig.8
+@@ -0,0 +1,25 @@
+.\"     all right reserved,
+.\" Translated Tue Oct 30 11:59:11 JST 2001
+.\" by Maki KURODA <mkuroda@aisys-jp.com>
+.\"
+.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux"
+.SH 名前
+shadowconfig \- shadow パスワードの設定をオン及びオフに切替える
+.SH 書式
+.B "shadowconfig"
+.IR on " | " off
+.SH 説明
+.PP
+.B shadowconfig on
+は shadow パスワードを有効にする。
+.B shadowconfig off
+は shadow パスワードを無効にする。
+.B shadowconfig
+は何らかの間違いがあると、エラーメッセージを表示し、
+ゼロではない返り値を返す。
+もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。
+shadow パスワードの設定がすでにオンの場合にオンに設定したり、
+すでにオフの場合にオフに設定しても、何の影響もない。
+
+.I /usr/share/doc/passwd/README.debian.gz
+には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。
+diff --git a/man/pl/Makefile.am b/man/pl/Makefile.am
+index b2f096f..aa79af2 100644
+--- a/man/pl/Makefile.am
+++ b/man/pl/Makefile.am
+@@ -18,6 +18,7 @@ man_MANS = \
+ 	man8/logoutd.8 \
+ 	man1/newgrp.1 \
+ 	man1/sg.1 \
+	man8/shadowconfig.8 \
+ 	man3/shadow.3 \
+ 	man8/userdel.8 \
+ 	man8/usermod.8 \
+diff --git a/man/pl/man8/shadowconfig.8 b/man/pl/man8/shadowconfig.8
+new file mode 100644
+index 0000000..2016c9f
+--- /dev/null
+++ b/man/pl/man8/shadowconfig.8
+@@ -0,0 +1,27 @@
+.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $
+.\" {PTM/WK/1999-09-14}
+.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux"
+.SH NAZWA
+shadowconfig - przełącza ochronę haseł i grup przez pliki shadow
+.SH SKŁADNIA
+.B "shadowconfig"
+.IR on " | " off
+.SH OPIS
+.PP
+.B shadowconfig on
+włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow);
+.B shadowconfig off
+wyłącza dodatkowe pliki haseł i grup.
+.B shadowconfig
+wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli
+znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd
+.\" if it finds anything awry.
+i uruchomić program ponownie.
+
+Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie,
+gdy jest wyłączona jest nieszkodliwe.
+
+Przeczytaj
+.IR /usr/share/doc/passwd/README.debian.gz ,
+gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych
+plików haseł przesłanianych (shadow passwords) i związanych tematów.
+diff --git a/man/shadowconfig.8 b/man/shadowconfig.8
+new file mode 100644
+index 0000000..c0ee0af
+--- /dev/null
+++ b/man/shadowconfig.8
+@@ -0,0 +1,41 @@
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "SHADOWCONFIG" 8 "19 Apr 1997" "" ""
+.SH NAME
+shadowconfig \- toggle shadow passwords on and off
+.SH "SYNOPSIS"
+.ad l
+.hy 0
+.HP 13
+\fBshadowconfig\fR \fB\fIon\fR\fR | \fB\fIoff\fR\fR
+.ad
+.hy
+
+.SH "DESCRIPTION"
+
+.PP
+\fBshadowconfig\fR on will turn shadow passwords on; \fIshadowconfig off\fR will turn shadow passwords off\&. \fBshadowconfig\fR will print an error message and exit with a nonzero code if it finds anything awry\&. If that happens, you should correct the error and run it again\&. Turning shadow passwords on when they are already on, or off when they are already off, is harmless\&.
+
+.PP
+Read \fI/usr/share/doc/passwd/README\&.Debian\fR for a brief introduction to shadow passwords and related features\&.
+
+.PP
+Note that turning shadow passwords off and on again will lose all password aging information\&.
+
+diff --git a/man/shadowconfig.8.xml b/man/shadowconfig.8.xml
+new file mode 100644
+index 0000000..b4080ea
+--- /dev/null
+++ b/man/shadowconfig.8.xml
+@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+		"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+<refentry id='shadowconfig.8'>
+  <!-- $Id: shadowconfig.8.xml,v 1.6 2005/06/15 12:39:27 kloczek Exp $ -->
+  <refentryinfo>
+    <date>19 Apr 1997</date>
+  </refentryinfo>
+  <refmeta>
+    <refentrytitle>shadowconfig</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class='date'>19 Apr 1997</refmiscinfo>
+    <refmiscinfo class='source'>Debian GNU/Linux</refmiscinfo>
+  </refmeta>
+  <refnamediv id='name'>
+    <refname>shadowconfig</refname>
+    <refpurpose>toggle shadow passwords on and off</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv id='synopsis'>
+    <cmdsynopsis>
+      <command>shadowconfig</command>
+      <group choice='plain'>
+        <arg choice='plain'><replaceable>on</replaceable></arg>
+        <arg choice='plain'><replaceable>off</replaceable></arg>
+      </group>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='description'>
+    <title>DESCRIPTION</title>
+    <para><command>shadowconfig</command> on will turn shadow passwords on;
+      <emphasis remap='B'>shadowconfig off</emphasis> will turn shadow
+      passwords off. <command>shadowconfig</command> will print an error
+      message and exit with a nonzero code if it finds anything awry. If
+      that happens, you should correct the error and run it again. Turning
+      shadow passwords on when they are already on, or off when they are
+      already off, is harmless.
+    </para>
+
+    <para>
+      Read <filename>/usr/share/doc/passwd/README.Debian</filename> for a
+      brief introduction
+      to shadow passwords and related features.
+    </para>
+
+    <para>Note that turning shadow passwords off and on again will lose all
+      password
+      aging information.
+    </para>
+  </refsect1>
+</refentry>
--- a/debian/patches/debian/Keep-using-Debian-adduser-defaults.patch
+++ b/debian/patches/debian/Keep-using-Debian-adduser-defaults.patch
@@ -0,0 +1,52 @@
+From: Balint Reczey <balint@balintreczey.hu>
+Date: Sat, 22 Jun 2024 17:39:41 +0200
+Subject: Keep using Debian's adduser defaults
+
+Bug: https://github.com/shadow-maint/shadow/issues/501
+Bug-Debian: https://bugs.debian.org/1004710
+Forwarded: not-needed
+
+Upstream's bbf4b79bc49fd1826eb41f6629669ef0b647267b commit
+in 4.9 merged those values from upstream's default configuration file
+which is not shipped in Debian.
+This patch keeps the program's compiled in defaults in sync with the
+configuration files shipped in Debian (debian/default/useradd).
+---
+ man/useradd.8.xml | 2 +-
+ src/useradd.c     | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/man/useradd.8.xml b/man/useradd.8.xml
+index 001e7d1..4888100 100644
+--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
+@@ -248,7 +248,7 @@
+ 	    command line), useradd will set the primary group of the new
+ 	    user to the value specified by the <option>GROUP</option>
+ 	    variable in <filename>/etc/default/useradd</filename>, or
+-	    1000 by default.
+	    100 by default.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+diff --git a/src/useradd.c b/src/useradd.c
+index 347334a..ac43edd 100644
+--- a/src/useradd.c
+++ b/src/useradd.c
+@@ -91,14 +91,14 @@ static const char Prog[] = "useradd";
+ /*
+  * These defaults are used if there is no defaults file.
+  */
+-static gid_t def_group = 1000;
+static gid_t def_group = 100;
+ static const char *def_groups = "";
+ static const char *def_gname = "other";
+ static const char *def_home = "/home";
+ static const char *def_shell = "/bin/bash";
+ static const char *def_template = SKEL_DIR;
+ static const char *def_usrtemplate = USRSKELDIR;
+-static const char *def_create_mail_spool = "yes";
+static const char *def_create_mail_spool = "no";
+ static const char *def_log_init = "yes";
+ 
+ static long def_inactive = -1;
--- a/debian/patches/debian/Let-pam_unix-handle-login-failure-delays.patch
+++ b/debian/patches/debian/Let-pam_unix-handle-login-failure-delays.patch
@@ -0,0 +1,106 @@
+From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
+Date: Sat, 22 Jun 2024 17:39:41 +0200
+Subject: Let pam_unix handle login failure delays
+
+Fixes: #87648
+
+Status wrt upstream: Forwarded but not applied yet
+
+Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
+---
+ lib/getdef.c |  1 -
+ src/login.c  | 19 +++++--------------
+ 2 files changed, 5 insertions(+), 15 deletions(-)
+
+diff --git a/lib/getdef.c b/lib/getdef.c
+index 30f54ba..21307bb 100644
+--- a/lib/getdef.c
+++ b/lib/getdef.c
+@@ -84,7 +84,6 @@ static struct itemdef def_table[] = {
+ 	{"ENV_PATH", NULL},
+ 	{"ENV_SUPATH", NULL},
+ 	{"ERASECHAR", NULL},
+-	{"FAIL_DELAY", NULL},
+ 	{"FAKE_SHELL", NULL},
+ 	{"GID_MAX", NULL},
+ 	{"GID_MIN", NULL},
+diff --git a/src/login.c b/src/login.c
+index 9fed7b3..a5512d1 100644
+--- a/src/login.c
+++ b/src/login.c
+@@ -490,7 +490,6 @@ int main (int argc, char **argv)
+ 	const char     *tmptty;
+ 	const char     *cp;
+ 	const char     *tmp;
+-	unsigned int   delay;
+ 	unsigned int   retries;
+ 	unsigned int   timeout;
+ 	struct passwd  *pwd = NULL;
+@@ -500,6 +499,7 @@ int main (int argc, char **argv)
+ 	char           *pam_user = NULL;
+ 	pid_t          child;
+ #else
+	unsigned int   delay;
+ 	bool is_console;
+ 	struct spwd *spwd = NULL;
+ # if defined(ENABLE_LASTLOG)
+@@ -669,7 +669,6 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	environ = newenvp;	/* make new environment active */
+-	delay   = getdef_unum ("FAIL_DELAY", 1);
+ 	retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
+ 
+ #ifdef USE_PAM
+@@ -685,8 +684,7 @@ int main (int argc, char **argv)
+ 
+ 	/*
+ 	 * hostname & tty are either set to NULL or their correct values,
+-	 * depending on how much we know. We also set PAM's fail delay to
+-	 * ours.
+	 * depending on how much we know.
+ 	 *
+ 	 * PAM_RHOST and PAM_TTY are used for authentication, only use
+ 	 * information coming from login or from the caller (e.g. no utmp)
+@@ -695,10 +693,6 @@ int main (int argc, char **argv)
+ 	PAM_FAIL_CHECK;
+ 	retcode = pam_set_item (pamh, PAM_TTY, tty);
+ 	PAM_FAIL_CHECK;
+-#ifdef HAS_PAM_FAIL_DELAY
+-	retcode = pam_fail_delay (pamh, 1000000 * delay);
+-	PAM_FAIL_CHECK;
+-#endif
+ 	/* if fflg, then the user has already been authenticated */
+ 	if (!fflg) {
+ 		char          hostn[256];
+@@ -736,12 +730,6 @@ int main (int argc, char **argv)
+ 			bool failed = false;
+ 
+ 			failcount++;
+-#ifdef HAS_PAM_FAIL_DELAY
+-			if (delay > 0) {
+-				retcode = pam_fail_delay(pamh, 1000000*delay);
+-				PAM_FAIL_CHECK;
+-			}
+-#endif
+ 
+ 			retcode = pam_authenticate (pamh, 0);
+ 
+@@ -1032,14 +1020,17 @@ int main (int argc, char **argv)
+ 		free (username);
+ 		username = NULL;
+ 
+#ifndef USE_PAM
+ 		/*
+ 		 * Wait a while (a la SVR4 /usr/bin/login) before attempting
+ 		 * to login the user again. If the earlier alarm occurs
+ 		 * before the sleep() below completes, login will exit.
+ 		 */
+		delay = getdef_unum ("FAIL_DELAY", 1);
+ 		if (delay > 0) {
+ 			(void) sleep (delay);
+ 		}
+#endif
+ 
+ 		(void) puts (_("Login incorrect"));
+ 
--- a/debian/patches/debian/Recommend-using-adduser-and-deluser.patch
+++ b/debian/patches/debian/Recommend-using-adduser-and-deluser.patch
@@ -0,0 +1,46 @@
+From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
+Date: Sat, 22 Jun 2024 17:39:41 +0200
+Subject: Recommend using adduser and deluser
+
+Fixes: #406046
+
+Status wrt upstream: Debian specific patch.
+---
+ man/useradd.8.xml | 6 ++++++
+ man/userdel.8.xml | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/man/useradd.8.xml b/man/useradd.8.xml
+index 4888100..17987a6 100644
+--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
+@@ -82,6 +82,12 @@
+ 
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+      <para>
+	<command>useradd</command> is a low level utility for adding
+	users.  On Debian, administrators should usually use
+	<citerefentry><refentrytitle>adduser</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> instead.
+      </para>
+       <para>
+ 	When invoked without the <option>-D</option> option, the
+ 	<command>useradd</command> command creates a new user account using
+diff --git a/man/userdel.8.xml b/man/userdel.8.xml
+index 5bd2981..384cc86 100644
+--- a/man/userdel.8.xml
+++ b/man/userdel.8.xml
+@@ -58,6 +58,12 @@
+ 
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+    <para>
+      <command>userdel</command> is a low level utility for removing
+      users.  On Debian, administrators should usually use
+      <citerefentry><refentrytitle>deluser</refentrytitle>
+      <manvolnum>8</manvolnum></citerefentry> instead.
+    </para>
+     <para>
+       The <command>userdel</command> command modifies the system account
+       files, deleting all entries that refer to the user name <emphasis
--- a/debian/patches/debian/Relax-usernames-groupnames-checking.patch
+++ b/debian/patches/debian/Relax-usernames-groupnames-checking.patch
@@ -0,0 +1,123 @@
+From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
+Date: Sat, 22 Jun 2024 17:39:41 +0200
+Subject: Relax usernames/groupnames checking
+
+Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
+characters and don't start with '-', '+', or '~'. This patch is more
+restrictive than original Karl's version. closes: #264879
+Also closes: #377844
+
+Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
+
+I can't come up with a good justification as to why characters other
+than ':'s and '\0's should be disallowed in group and usernames (other
+than '-' as the leading character).  Thus, the maintenance tools don't
+anymore.  closes: #79682, #166798, #171179
+
+Status wrt upstream: Debian specific. Not to be used upstream
+---
+ lib/chkname.c      | 47 +++++++++++++++--------------------------------
+ man/groupadd.8.xml |  6 ++++++
+ man/useradd.8.xml  |  8 ++++++++
+ 3 files changed, 29 insertions(+), 32 deletions(-)
+
+diff --git a/lib/chkname.c b/lib/chkname.c
+index 995562f..d9678c6 100644
+--- a/lib/chkname.c
+++ b/lib/chkname.c
+@@ -54,44 +54,27 @@ static bool is_valid_name (const char *name)
+ 	}
+ 
+ 	/*
+-         * User/group names must match BRE regex:
+-         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$\?
+-         *
+-         * as a non-POSIX, extension, allow "$" as the last char for
+-         * sake of Samba 3.x "add machine script"
+-         *
+-         * Also do not allow fully numeric names or just "." or "..".
+-         */
+-	int numeric;
+-
+-	if ('\0' == *name ||
+-	    ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+-			      '\0' == name[1])) ||
+-	    !((*name >= 'a' && *name <= 'z') ||
+-	      (*name >= 'A' && *name <= 'Z') ||
+-	      (*name >= '0' && *name <= '9') ||
+-	      *name == '_' ||
+-	      *name == '.')) {
+	 * POSIX indicate that usernames are composed of characters from the
+	 * portable filename character set [A-Za-z0-9._-], and that the hyphen
+	 * should not be used as the first character of a portable user name.
+	 *
+	 * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
+	 */
+	if (   ('\0' == *name)
+	    || ('-'  == *name)
+	    || ('~'  == *name)
+	    || ('+'  == *name)) {
+ 		return false;
+ 	}
+ 
+-	numeric = isdigit(*name);
+-
+-	while ('\0' != *++name) {
+-		if (!((*name >= 'a' && *name <= 'z') ||
+-		      (*name >= 'A' && *name <= 'Z') ||
+-		      (*name >= '0' && *name <= '9') ||
+-		      *name == '_' ||
+-		      *name == '.' ||
+-		      *name == '-' ||
+-		      (*name == '$' && name[1] == '\0')
+-		     )) {
+	do {
+		if ((':' == *name) || (',' == *name) || isspace(*name)) {
+ 			return false;
+ 		}
+-		numeric &= isdigit(*name);
+-	}
+		name++;
+	} while ('\0' != *name);
+ 
+-	return !numeric;
+	return true;
+ }
+ 
+ 
+diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml
+index 61a548f..d472bd0 100644
+--- a/man/groupadd.8.xml
+++ b/man/groupadd.8.xml
+@@ -71,6 +71,12 @@
+        Fully numeric groupnames and groupnames . or .. are
+        also disallowed.
+      </para>
+     <para>
+       On Debian, the only constraints are that groupnames must neither start
+       with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
+       colon (':'), a comma (','), or a whitespace (space:' ',
+       end of line: '\n', tabulation: '\t', etc.).
+     </para>
+      <para>
+        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+      </para>
+diff --git a/man/useradd.8.xml b/man/useradd.8.xml
+index 17987a6..c98b214 100644
+--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
+@@ -735,6 +735,14 @@
+     <para>
+       Usernames may only be up to 256 characters long.
+     </para>
+    <para>
+      On Debian, the only constraints are that usernames must neither start
+      with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
+      colon (':'), a comma (','), or a whitespace (space: ' ',
+      end of line: '\n', tabulation: '\t', etc.). Note that using a slash
+      ('/') may break the default algorithm for the definition of the
+      user's home directory.
+    </para>
+   </refsect1>
+ 
+   <refsect1 id='configuration'>
--- a/debian/patches/debian/Set-group-and-mode-for-g-shadow-files.patch
+++ b/debian/patches/debian/Set-group-and-mode-for-g-shadow-files.patch
@@ -0,0 +1,75 @@
+From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
+Date: Sat, 22 Jun 2024 17:39:41 +0200
+Subject: Set group and mode for [g]shadow files
+
+Set group 'shadow' and mode 0400.
+
+Fixes: #166793
+---
+ lib/commonio.c | 12 ++++++++++++
+ lib/sgroupio.c |  2 +-
+ lib/shadowio.c |  2 +-
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index 01a26c9..72e53b0 100644
+--- a/lib/commonio.c
+++ b/lib/commonio.c
+@@ -21,6 +21,7 @@
+ #include <errno.h>
+ #include <stdio.h>
+ #include <signal.h>
+#include <grp.h>
+ 
+ #include "alloc.h"
+ #include "memzero.h"
+@@ -956,12 +957,23 @@ int commonio_close (struct commonio_db *db)
+ 		if (errors != 0)
+ 			goto fail;
+ 	} else {
+		struct group *grp;
+ 		/*
+ 		 * Default permissions for new [g]shadow files.
+ 		 */
+ 		sb.st_mode = db->st_mode;
+ 		sb.st_uid = db->st_uid;
+ 		sb.st_gid = db->st_gid;
+
+		/*
+		 * Try to retrieve the shadow's GID, and fall back to GID 0.
+		 */
+		if (sb.st_gid == 0) {
+			if ((grp = getgrnam("shadow")) != NULL)
+				sb.st_gid = grp->gr_gid;
+			else
+				sb.st_gid = 0;
+		}
+ 	}
+ 
+ 	if (SNPRINTF(buf, "%s+", db->filename) == -1)
+diff --git a/lib/sgroupio.c b/lib/sgroupio.c
+index 0297df4..107b1e5 100644
+--- a/lib/sgroupio.c
+++ b/lib/sgroupio.c
+@@ -209,7 +209,7 @@ static struct commonio_db gshadow_db = {
+ #ifdef WITH_SELINUX
+ 	NULL,			/* scontext */
+ #endif
+-	0400,                   /* st_mode */
+	0440,                   /* st_mode */
+ 	0,                      /* st_uid */
+ 	0,                      /* st_gid */
+ 	NULL,			/* head */
+diff --git a/lib/shadowio.c b/lib/shadowio.c
+index d2c3b47..53dac0b 100644
+--- a/lib/shadowio.c
+++ b/lib/shadowio.c
+@@ -85,7 +85,7 @@ static struct commonio_db shadow_db = {
+ #ifdef WITH_SELINUX
+ 	NULL,			/* scontext */
+ #endif				/* WITH_SELINUX */
+-	0400,                   /* st_mode */
+	0440,                   /* st_mode */
+ 	0,                      /* st_uid */
+ 	0,                      /* st_gid */
+ 	NULL,			/* head */
--- a/debian/patches/debian/cppw-Add-tool.patch
+++ b/debian/patches/debian/cppw-Add-tool.patch
@@ -0,0 +1,287 @@
+From: Nicolas FRANCOIS <nicolas.francois@centraliens.net>
+Date: Sat, 22 Jun 2024 17:39:41 +0200
+Subject: cppw: Add tool
+
+---
+ po/POTFILES.in  |   1 +
+ src/Makefile.am |   2 +
+ src/cppw.c      | 238 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 241 insertions(+)
+ create mode 100644 src/cppw.c
+
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index 9ff6100..a60c93e 100644
+--- a/po/POTFILES.in
+++ b/po/POTFILES.in
+@@ -86,6 +86,7 @@ src/chfn.c
+ src/chgpasswd.c
+ src/chpasswd.c
+ src/chsh.c
+src/cppw.c
+ src/expiry.c
+ src/faillog.c
+ src/gpasswd.c
+diff --git a/src/Makefile.am b/src/Makefile.am
+index b6cb09e..c86ba52 100644
+--- a/src/Makefile.am
+++ b/src/Makefile.am
+@@ -39,6 +39,7 @@ if WITH_SU
+ bin_PROGRAMS  += su
+ endif
+ usbin_PROGRAMS = \
+	cppw \
+ 	chgpasswd \
+ 	chpasswd \
+ 	groupadd \
+@@ -104,6 +105,7 @@ newuidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -l
+ newgidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
+ chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
+ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+cppw_LDADD     = $(LDADD) $(LIBAUDIT) $(LIBSELINUX)
+ chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
+ chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) -ldl
+ expiry_LDADD = $(LDADD) $(LIBECONF)
+diff --git a/src/cppw.c b/src/cppw.c
+new file mode 100644
+index 0000000..beb4c36
+--- /dev/null
+++ b/src/cppw.c
+@@ -0,0 +1,238 @@
+/*
+  cppw, cpgr  copy with locking given file over the password or group file
+  with -s will copy with locking given file over shadow or gshadow file
+
+  Copyright (C) 1999 Stephen Frost <sfrost@snowman.net>
+
+  Based on vipw, vigr by:
+  Copyright (C) 1997 Guy Maor <maor@ece.utexas.edu>
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 2 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+  */
+
+#include <config.h>
+#include "defines.h"
+
+#include <errno.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <utime.h>
+#include "exitcodes.h"
+#include "prototypes.h"
+#include "pwio.h"
+#include "shadowio.h"
+#include "groupio.h"
+#include "sgroupio.h"
+
+
+const char *Prog;
+
+const char *filename, *filenewname;
+static bool filelocked = false;
+static int (*unlock) (void);
+
+/* local function prototypes */
+static int create_copy (FILE *fp, const char *dest, struct stat *sb);
+static void cppwexit (const char *msg, int syserr, int ret);
+static void cppwcopy (const char *file,
+                      const char *in_file,
+                      int (*file_lock) (void),
+                      int (*file_unlock) (void));
+
+static int create_copy (FILE *fp, const char *dest, struct stat *sb)
+{
+	struct utimbuf ub;
+	FILE *bkfp;
+	int c;
+	mode_t mask;
+
+	mask = umask (077);
+	bkfp = fopen (dest, "w");
+	(void) umask (mask);
+	if (NULL == bkfp) {
+		return -1;
+	}
+
+	rewind (fp);
+	while ((c = getc (fp)) != EOF) {
+		if (putc (c, bkfp) == EOF) {
+			break;
+		}
+	}
+
+	if (   (c != EOF)
+	    || (fflush (bkfp) != 0)) {
+		(void) fclose (bkfp);
+		(void) unlink (dest);
+		return -1;
+	}
+	if (   (fsync (fileno (bkfp)) != 0)
+	    || (fclose (bkfp) != 0)) {
+		(void) unlink (dest);
+		return -1;
+	}
+
+	ub.actime = sb->st_atime;
+	ub.modtime = sb->st_mtime;
+	if (   (utime (dest, &ub) != 0)
+	    || (chmod (dest, sb->st_mode) != 0)
+	    || (chown (dest, sb->st_uid, sb->st_gid) != 0)) {
+		(void) unlink (dest);
+		return -1;
+	}
+	return 0;
+}
+
+static void cppwexit (const char *msg, int syserr, int ret)
+{
+	int err = errno;
+	if (filelocked) {
+		(*unlock) ();
+	}
+	if (NULL != msg) {
+		fprintf (stderr, "%s: %s", Prog, msg);
+		if (0 != syserr) {
+			fprintf (stderr, ": %s", strerror (err));
+		}
+		(void) fputs ("\n", stderr);
+	}
+	if (NULL != filename) {
+		fprintf (stderr, _("%s: %s is unchanged\n"), Prog, filename);
+	} else {
+		fprintf (stderr, _("%s: no changes\n"), Prog);
+	}
+
+	exit (ret);
+}
+
+static void cppwcopy (const char *file,
+                      const char *in_file,
+                      int (*file_lock) (void),
+                      int (*file_unlock) (void))
+{
+	struct stat st1;
+	FILE *f;
+	char filenew[1024];
+
+	snprintf (filenew, sizeof filenew, "%s.new", file);
+	unlock = file_unlock;
+	filename = file;
+	filenewname = filenew;
+
+	if (access (file, F_OK) != 0) {
+		cppwexit (file, 1, 1);
+	}
+	if (file_lock () == 0) {
+		cppwexit (_("Couldn't lock file"), 0, 5);
+	}
+	filelocked = true;
+
+	/* file to copy has same owners, perm */
+	if (stat (file, &st1) != 0) {
+		cppwexit (file, 1, 1);
+	}
+	f = fopen (in_file, "r");
+	if (NULL == f) {
+		cppwexit (in_file, 1, 1);
+	}
+	if (create_copy (f, filenew, &st1) != 0) {
+		cppwexit (_("Couldn't make copy"), errno, 1);
+	}
+
+	/* XXX - here we should check filenew for errors; if there are any,
+	 * fail w/ an appropriate error code and let the user manually fix
+	 * it. Use pwck or grpck to do the check.  - Stephen (Shamelessly
+	 * stolen from '--marekm's comment) */
+
+	if (rename (filenew, file) != 0) {
+		fprintf (stderr, _("%s: can't copy %s: %s)\n"),
+                         Prog, filenew, strerror (errno));
+		cppwexit (NULL,0,1);
+	}
+
+	(*file_unlock) ();
+}
+
+int main (int argc, char **argv)
+{
+	int flag;
+	bool cpshadow = false;
+	char *in_file;
+	int e = E_USAGE;
+	bool do_cppw = true;
+
+	(void) setlocale (LC_ALL, "");
+	(void) bindtextdomain (PACKAGE, LOCALEDIR);
+	(void) textdomain (PACKAGE);
+
+	Prog = Basename (argv[0]);
+	if (strcmp (Prog, "cpgr") == 0) {
+		do_cppw = false;
+	}
+
+	while ((flag = getopt (argc, argv, "ghps")) != EOF) {
+		switch (flag) {
+		case 'p':
+			do_cppw = true;
+			break;
+		case 'g':
+			do_cppw = false;
+			break;
+		case 's':
+			cpshadow = true;
+			break;
+		case 'h':
+			e = E_SUCCESS;
+			/*pass through*/
+		default:
+			(void) fputs (_("Usage:\n\
+`cppw <file>' copys over /etc/passwd   `cppw -s <file>' copys over /etc/shadow\n\
+`cpgr <file>' copys over /etc/group    `cpgr -s <file>' copys over /etc/gshadow\n\
+"), (E_SUCCESS != e) ? stderr : stdout);
+			exit (e);
+		}
+	}
+
+	if (argc != optind + 1) {
+		cppwexit (_("wrong number of arguments, -h for usage"),0,1);
+	}
+
+	in_file = argv[optind];
+
+	if (do_cppw) {
+		if (cpshadow) {
+			cppwcopy (SHADOW_FILE, in_file, spw_lock, spw_unlock);
+		} else {
+			cppwcopy (PASSWD_FILE, in_file, pw_lock, pw_unlock);
+		}
+	} else {
+#ifdef SHADOWGRP
+		if (cpshadow) {
+			cppwcopy (SGROUP_FILE, in_file, sgr_lock, sgr_unlock);
+		} else
+#endif				/* SHADOWGRP */
+		{
+			cppwcopy (GROUP_FILE, in_file, gr_lock, gr_unlock);
+		}
+	}
+
+	return 0;
+}
+
--- a/debian/patches/debian/cppw-add-selinux-support.patch
+++ b/debian/patches/debian/cppw-add-selinux-support.patch
@@ -0,0 +1,63 @@
+From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
+Date: Sat, 22 Jun 2024 17:39:41 +0200
+Subject: cppw: add selinux support
+
+Status wrt upstream: cppw is not available upstream.
+Needs to be reviewed by an SE-Linux aware person.
+---
+ src/cppw.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/src/cppw.c b/src/cppw.c
+index beb4c36..2cbbbc0 100644
+--- a/src/cppw.c
+++ b/src/cppw.c
+@@ -34,6 +34,9 @@
+ #include <sys/types.h>
+ #include <signal.h>
+ #include <utime.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif				/* WITH_SELINUX */
+ #include "exitcodes.h"
+ #include "prototypes.h"
+ #include "pwio.h"
+@@ -139,6 +142,22 @@ static void cppwcopy (const char *file,
+ 	if (access (file, F_OK) != 0) {
+ 		cppwexit (file, 1, 1);
+ 	}
+#ifdef WITH_SELINUX
+	/* if SE Linux is enabled then set the context of all new files
+	 * to be the context of the file we are editing */
+	if (is_selinux_enabled () > 0) {
+		security_context_t passwd_context=NULL;
+		int ret = 0;
+		if (getfilecon (file, &passwd_context) < 0) {
+			cppwexit (_("Couldn't get file context"), errno, 1);
+		}
+		ret = setfscreatecon (passwd_context);
+		freecon (passwd_context);
+		if (0 != ret) {
+			cppwexit (_("setfscreatecon () failed"), errno, 1);
+		}
+	}
+#endif				/* WITH_SELINUX */
+ 	if (file_lock () == 0) {
+ 		cppwexit (_("Couldn't lock file"), 0, 5);
+ 	}
+@@ -167,6 +186,15 @@ static void cppwcopy (const char *file,
+ 		cppwexit (NULL,0,1);
+ 	}
+ 
+#ifdef WITH_SELINUX
+	/* unset the fscreatecon */
+	if (is_selinux_enabled () > 0) {
+		if (setfscreatecon (NULL)) {
+		cppwexit (_("setfscreatecon() failed"), errno, 1);
+		}
+	}
+#endif				/* WITH_SELINUX */
+
+ 	(*file_unlock) ();
+ }
+ 
--- a/debian/patches/debian/tests-disable-su.patch
+++ b/debian/patches/debian/tests-disable-su.patch
@@ -0,0 +1,89 @@
+From: Serge Hallyn <serge@hallyn.com>
+Date: Thu, 27 Jun 2024 01:23:05 +0200
+Subject: upstream testsuite: disable su tests
+
+Debian uses su from util-linux, pointless/impossible to test shadow's su
+here.
+---
+ tests/run_some | 68 ----------------------------------------------------------
+ 1 file changed, 68 deletions(-)
+
+diff --git a/tests/run_some b/tests/run_some
+index c58f59b..46317eb 100755
+--- a/tests/run_some
+++ b/tests/run_some
+@@ -79,74 +79,6 @@ echo "-: test failed"
+ find "${build_path}" -name "*.gcda" -delete
+ # ignore the result of the first test.  ~magic~
+ run_test ./su/01/su_user.test ignore_failure
+-run_test ./su/01/su_user.test
+-run_test ./su/01/su_root.test
+-find "${build_path}" -name "*.gcda" -exec chmod a+rw {} \;
+-run_test ./su/02/env_FOO-options_--login
+-run_test ./su/02/env_FOO-options_--login_bash
+-run_test ./su/02/env_FOO-options_--preserve-environment
+-run_test ./su/02/env_FOO-options_--preserve-environment_bash
+-run_test ./su/02/env_FOO-options_-
+-run_test ./su/02/env_FOO-options_-_bash
+-run_test ./su/02/env_FOO-options_-l-m
+-run_test ./su/02/env_FOO-options_-l-m_bash
+-run_test ./su/02/env_FOO-options_-l
+-run_test ./su/02/env_FOO-options_-l_bash
+-run_test ./su/02/env_FOO-options_-m_bash
+-run_test ./su/02/env_FOO-options_-m
+-run_test ./su/02/env_FOO-options_-p
+-run_test ./su/02/env_FOO-options_-p_bash
+-run_test ./su/02/env_FOO-options__bash
+-run_test ./su/02/env_FOO-options_
+-run_test ./su/02/env_FOO-options_-p-
+-run_test ./su/02/env_FOO-options_-p-_bash
+-run_test ./su/02/env_special-options_-l-p
+-run_test ./su/02/env_special-options_-l
+-run_test ./su/02/env_special-options_-l-p_bash
+-run_test ./su/02/env_special-options_-l_bash
+-run_test ./su/02/env_special-options_-p
+-run_test ./su/02/env_special-options_-p_bash
+-run_test ./su/02/env_special-options_
+-run_test ./su/02/env_special-options__bash
+-run_test ./su/02/env_special_root-options_-l-p
+-run_test ./su/02/env_special_root-options_-l-p_bash
+-run_test ./su/02/env_special_root-options_-l
+-run_test ./su/02/env_special_root-options_-l_bash
+-run_test ./su/02/env_special_root-options_-p
+-run_test ./su/02/env_special_root-options_-p_bash
+-run_test ./su/02/env_special_root-options_
+-run_test ./su/02/env_special_root-options__bash
+-run_test ./su/03/su_run_command01.test
+-run_test ./su/03/su_run_command02.test
+-run_test ./su/03/su_run_command03.test
+-run_test ./su/03/su_run_command04.test
+-run_test ./su/03/su_run_command05.test
+-run_test ./su/03/su_run_command06.test
+-run_test ./su/03/su_run_command07.test
+-run_test ./su/03/su_run_command08.test
+-run_test ./su/03/su_run_command09.test
+-run_test ./su/03/su_run_command10.test
+-run_test ./su/03/su_run_command11.test
+-run_test ./su/03/su_run_command12.test
+-run_test ./su/03/su_run_command13.test
+-run_test ./su/03/su_run_command14.test
+-run_test ./su/03/su_run_command15.test
+-run_test ./su/03/su_run_command16.test
+-run_test ./su/03/su_run_command17.test
+-run_test ./su/04/su_wrong_user.test
+-run_test ./su/04/su_user_wrong_passwd.test
+-run_test ./su/04/su_user_wrong_passwd_syslog.test
+-run_test ./su/05/su_user_wrong_passwd_syslog.test
+-run_test ./su/06/su_user_syslog.test
+-run_test ./su/07/su_user_syslog.test
+-run_test ./su/08/env_special-options_
+-run_test ./su/08/env_special_root-options_
+-run_test ./su/09/env_special-options_
+-run_test ./su/09/env_special_root-options_
+-run_test ./su/10_su_sulog_success/su.test
+-run_test ./su/11_su_sulog_failure/su.test
+-run_test ./su/12_su_child_failure/su.test
+-run_test ./su/13_su_child_success/su.test
+ run_test ./libsubid/01_list_ranges/list_ranges.test
+ run_test ./libsubid/02_get_subid_owners/get_subid_owners.test
+ run_test ./libsubid/03_add_remove/add_remove_subids.test
--- a/debian/patches/debian/tests-libsubid-04_nss-fix-setting-basedir.patch
+++ b/debian/patches/debian/tests-libsubid-04_nss-fix-setting-basedir.patch
@@ -0,0 +1,22 @@
+From: Chris Hofstaedtler <zeha@debian.org>
+Date: Sat, 6 Jul 2024 23:35:51 +0200
+Subject: tests/libsubid/04_nss: fix setting basedir
+
+---
+ tests/libsubid/04_nss/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/libsubid/04_nss/Makefile b/tests/libsubid/04_nss/Makefile
+index 7d7ae3e..3fbf989 100644
+--- a/tests/libsubid/04_nss/Makefile
+++ b/tests/libsubid/04_nss/Makefile
+@@ -1,7 +1,7 @@
+ all: test_nss libsubid_zzz.so
+ 
+-BASE_TEST_DIR ?= $(shell git rev-parse --show-toplevel)
+-basedir := $(BASE_TEST_DIR)
+BUILD_BASE_DIR ?= $(shell git rev-parse --show-toplevel)
+basedir := $(BUILD_BASE_DIR)
+ 
+ test_nss: test_nss.c $(basedir)/lib/nss.c
+ 	gcc -c -I$(basedir)/lib/ -I$(basedir) -o test_nss.o test_nss.c
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1,10 @@
+debian/cppw-Add-tool.patch
+debian/cppw-add-selinux-support.patch
+debian/Let-pam_unix-handle-login-failure-delays.patch
+debian/Set-group-and-mode-for-g-shadow-files.patch
+debian/Keep-using-Debian-adduser-defaults.patch
+debian/Document-the-shadowconfig-utility.patch
+debian/Recommend-using-adduser-and-deluser.patch
+debian/Relax-usernames-groupnames-checking.patch
+debian/tests-disable-su.patch
+debian/tests-libsubid-04_nss-fix-setting-basedir.patch
--- a/debian/rules
+++ b/debian/rules
@@ -0,0 +1,69 @@
+#!/usr/bin/make -f
+# -*- mode: makefile; coding: utf-8 -*-
+
+# Enable PIE, BINDNOW, and possible future flags.
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+include /usr/share/debhelper/dh_package_notes/package-notes.mk
+
+# Adds extra options when calling the configure script:
+DEB_CONFIGURE_EXTRA_FLAGS := \
+	--mandir=/usr/share/man \
+	--with-libpam \
+	--with-yescrypt \
+	--enable-shadowgrp \
+	--enable-subordinate-ids \
+	--enable-lastlog=no \
+	--enable-man \
+	--disable-account-tools-setuid \
+	--with-group-name-max-length=32 \
+	--with-acl \
+	--with-attr \
+	--without-su \
+	--without-tcb \
+
+
+ifneq ($(DEB_HOST_ARCH_OS),linux)
+DEB_CONFIGURE_EXTRA_FLAGS += --enable-logind
+DEB_CONFIGURE_EXTRA_FLAGS += --with-audit
+endif
+
+ifneq ($(filter nodoc,$(DEB_BUILD_PROFILES)),)
+DEB_CONFIGURE_EXTRA_FLAGS += --disable-man
+endif
+
+DEB_CONFIGURE_EXTRA_FLAGS += SHELL=/bin/sh
+
+# Set the default editor for vipw/vigr
+CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\""
+
+%:
+	dh $@
+
+override_dh_auto_configure:
+	dh_auto_configure -- $(DEB_CONFIGURE_EXTRA_FLAGS)
+
+override_dh_install-arch:
+ifneq ($(DEB_HOST_ARCH_OS),linux)
+	sed -i 's/session    optional   pam_keyinit.so/# Linux only # session    optional   pam_keyinit.so/' debian/login.pam
+endif
+	dh_install -a
+ifeq ($(DEB_HOST_ARCH_OS),hurd)
+	# /bin/login is provided by the hurd package.
+	rm -f debian/login/usr/bin/login
+endif
+
+override_dh_installpam:
+	# Distribute the pam.d files; unless for the commands with disabled PAM
+	# support
+	dh_installpam -p login
+	dh_installpam -p passwd --name=passwd
+	dh_installpam -p passwd --name=chfn
+	dh_installpam -p passwd --name=chsh
+	dh_installpam -p passwd --name=chpasswd
+	dh_installpam -p passwd --name=newusers
+
+override_dh_auto_clean:
+	sed -i 's/# Linux only # //' debian/login.pam
+	dh_auto_clean
--- a/debian/shadowconfig
+++ b/debian/shadowconfig
@@ -0,0 +1,70 @@
+#!/bin/sh
+# turn shadow passwords on or off on a Debian system
+
+set -e
+
+shadowon () {
+    set -e
+
+    if [ -n "$DPKG_ROOT" ] \
+        && cmp "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/usr/share/base-passwd/passwd.master" 2>/dev/null \
+        && cmp "${DPKG_ROOT}/etc/group" "${DPKG_ROOT}/usr/share/base-passwd/group.master" 2>/dev/null; then
+        # If dpkg is run with --force-script-chrootless and if /etc/passwd
+        # and /etc/group are unchanged, we avoid the chroot() call by manually
+        # processing the files. This produces bit-by-bit identical results
+        # compared to the normal case as shown by the CI setup at
+        # https://salsa.debian.org/helmutg/dpkg-root-demo/-/jobs
+        for f in passwd group; do
+            cp -a "${DPKG_ROOT}/etc/$f" "${DPKG_ROOT}/etc/$f-"
+        done
+        chmod 600 "${DPKG_ROOT}/etc/passwd-"
+        sed -i 's/^\([^:]\+\):\*:/\1:x:/' "${DPKG_ROOT}/etc/group" "${DPKG_ROOT}/etc/passwd"
+        [ -n "$SOURCE_DATE_EPOCH" ] && epoch=$SOURCE_DATE_EPOCH || epoch=$(date +%s)
+        sed "s/^\([^:]\+\):.*/\1:*:$((epoch/60/60/24)):0:99999:7:::/" "${DPKG_ROOT}/etc/passwd" > "${DPKG_ROOT}/etc/shadow"
+        sed "s/^\([^:]\+\):.*/\1:*::/" "${DPKG_ROOT}/etc/group" > "${DPKG_ROOT}/etc/gshadow"
+        touch "${DPKG_ROOT}/etc/.pwd.lock"
+        chmod 600 "${DPKG_ROOT}/etc/.pwd.lock"
+    else
+        pwck -q -r
+        grpck -r
+        pwconv
+        grpconv
+    fi
+    chown root:root "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
+    chmod 644 "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
+    chown root:shadow "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
+    chmod 640 "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
+}
+
+shadowoff () {
+    set -e
+    pwck -q -r
+    grpck -r
+    pwunconv
+    grpunconv
+    # sometimes the passwd perms get munged
+    chown root:root /etc/passwd /etc/group
+    chmod 644 /etc/passwd /etc/group
+}
+
+case "$1" in
+    "on")
+	if shadowon ; then
+	    echo Shadow passwords are now on.
+	else
+	    echo Please correct the error and rerun \`$0 on\'
+	    exit 1
+	fi
+	;;
+    "off")
+	if shadowoff ; then
+	    echo Shadow passwords are now off.
+	else
+	    echo Please correct the error and rerun \`$0 off\'
+	    exit 1
+	fi
+	;;
+     *)
+	echo Usage: $0 on \| off
+	;;
+esac
--- a/debian/shlibs.local
+++ b/debian/shlibs.local
@@ -0,0 +1 @@
+deb: libsubid 4 libsubid4 (= ${binary:Version})
--- a/debian/source/format
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -0,0 +1,10 @@
+Tests: smoke
+Restrictions: needs-root, superficial
+
+Tests: upstream
+Depends:
+ expect,
+ procps,
+ @,
+ @builddeps@
+Restrictions: needs-root, build-needed, breaks-testbed, allow-stderr, isolation-machine
--- a/debian/tests/smoke
+++ b/debian/tests/smoke
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+echo "Adding an user works"
+useradd shadow-test-user
+grep '^shadow-test-user:x:' /etc/passwd
+grep '^shadow-test-user:!:' /etc/shadow
+
+echo "Removing an user works"
+userdel shadow-test-user
+! grep 'shadow-test-user' /etc/passwd
+! grep 'shadow-test-user' /etc/shadow
--- a/debian/tests/upstream
+++ b/debian/tests/upstream
@@ -0,0 +1,15 @@
+#!/bin/sh
+useradd ubuntu
+
+export BUILD_BASE_DIR=$(pwd)
+
+cd tests
+
+cleanup() {
+  cp testsuite.log $AUTOPKGTEST_ARTIFACTS/
+  cat testsuite.log
+}
+
+trap cleanup TERM EXIT
+
+./run_some 2>&1
--- a/debian/uidmap.install
+++ b/debian/uidmap.install
@@ -0,0 +1,3 @@
+bin/getsubids usr/bin
+usr/bin/newgidmap
+usr/bin/newuidmap
--- a/debian/uidmap.lintian-overrides
+++ b/debian/uidmap.lintian-overrides
@@ -0,0 +1,2 @@
+uidmap: elevated-privileges 4755 root/root [usr/bin/newgidmap]
+uidmap: elevated-privileges 4755 root/root [usr/bin/newuidmap]
--- a/debian/uidmap.manpages
+++ b/debian/uidmap.manpages
@@ -0,0 +1,5 @@
+usr/share/man/*/man1/newgidmap.1
+usr/share/man/*/man1/newuidmap.1
+usr/share/man/man1/getsubids.1
+usr/share/man/man1/newgidmap.1
+usr/share/man/man1/newuidmap.1
--- a/debian/upstream/metadata
+++ b/debian/upstream/metadata
@@ -0,0 +1,4 @@
+---
+Bug-Database: https://github.com/shadow-maint/shadow/issues
+Bug-Submit: https://github.com/shadow-maint/shadow/issues/new
+Repository-Browse: https://github.com/shadow-maint/shadow
--- a/debian/upstream/signing-key.asc
+++ b/debian/upstream/signing-key.asc
--- a/debian/watch
+++ b/debian/watch
@@ -0,0 +1,7 @@
+version=4
+opts=downloadurlmangle=s/archive\/refs\/tags\/(.*)\.tar\.gz/releases\/download\/$1\/@PACKAGE@-$1\.tar\.xz/,\
+    pgpsigurlmangle=s/$/.asc/,\
+    versionmangle=s/-(alpha|beta|rc)/~$1/,\
+    dversionmangle=s/\+dfsg1//,repacksuffix=+dfsg1 \
+    https://github.com/shadow-maint/@PACKAGE@/tags \
+    /shadow-maint/@PACKAGE@/archive/refs/tags/([^v].*)\.tar\.gz
--- a/doc/HOWTO
+++ b/doc/HOWTO
@@ -471,12 +471,12 @@

  The Shadow Suite contains replacement programs for:

-  su, login, passwd, newgrp, chfn, chsh
+  su, login, passwd, newgrp, chfn, chsh, and id

  The package also contains the new programs:

  chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod,
-  groupadd, groupdel, groupmod, pwck, grpck, lastlog, pwconv,
+  groupadd, groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv,
  and pwunconv

  Additionally, the library: libshadow.a is included for writing and/or
@@ -586,6 +586,8 @@

  ·  /usr/bin/chsh

+  ·  /usr/bin/id
+
  The BETA package has a save target in the Makefile, but it's commented
  out because different distributions place the programs in different
  places.
@@ -635,6 +637,8 @@

  ·  /usr/man/man1/chsh.1.gz

+  ·  /usr/man/man1/id.1.gz
+
  ·  /usr/man/man1/login.1.gz

  ·  /usr/man/man1/passwd.1.gz
@@ -1373,7 +1377,7 @@
  users or changing the group password, the /etc/gshadow file will be
  changed.

-  The programs groupadd, groupmod, and groupdel are provided as
+  The programs groups, groupadd, groupmod, and groupdel are provided as
  part of the Shadow Suite to modify groups.

  The format of the /etc/group file is as follows:
@@ -1751,7 +1755,7 @@
      }
  #ifdef HAS_SHADOW
      if ((pw->pw_passwd && pw->pw_passwd[0] == '@'
-           && pw_auth(pw->pw_passwd+1, pw->pw_name))
+           && pw_auth (pw->pw_passwd+1, pw->pw_name, PW_LOGIN, NULL))
          || !valid (passwd, pw)) {
          return (UPAP_AUTHNAK);
      }
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -252,6 +252,8 @@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
--- a/etc/Makefile.in
+++ b/etc/Makefile.in
@@ -341,6 +341,8 @@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
--- a/etc/pam.d/Makefile.am
+++ b/etc/pam.d/Makefile.am
@@ -11,6 +11,7 @@ pamd_files = \
 	passwd

 pamd_acct_tools_files = \
+	chage \
 	chgpasswd \
 	groupadd \
 	groupdel \
--- a/etc/pam.d/Makefile.in
+++ b/etc/pam.d/Makefile.in
@@ -284,6 +284,8 @@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
@@ -341,6 +343,7 @@ top_srcdir = @top_srcdir@
 pamd_files = chpasswd chfn chsh groupmems login newusers passwd \
 	$(am__append_2)
 pamd_acct_tools_files = \
+	chage \
 	chgpasswd \
 	groupadd \
 	groupdel \
--- a/etc/pam.d/chage
+++ b/etc/pam.d/chage
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
--- a/etc/shadow-maint/Makefile.in
+++ b/etc/shadow-maint/Makefile.in
@@ -249,6 +249,8 @@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
 XMLCATALOG = @XMLCATALOG@
 XML_CATALOG_FILE = @XML_CATALOG_FILE@
 XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -29,44 +29,16 @@ libshadow_la_SOURCES = \
 	age.c \
 	agetpass.c \
 	agetpass.h \
-	alloc/calloc.c \
-	alloc/calloc.h \
-	alloc/malloc.c \
-	alloc/malloc.h \
-	alloc/realloc.c \
-	alloc/realloc.h \
-	alloc/reallocf.c \
-	alloc/reallocf.h \
-	alloc/x/xcalloc.c \
-	alloc/x/xcalloc.h \
-	alloc/x/xmalloc.c \
-	alloc/x/xmalloc.h \
-	alloc/x/xrealloc.c \
-	alloc/x/xrealloc.h \
-	atoi/a2i/a2i.c \
-	atoi/a2i/a2i.h \
-	atoi/a2i/a2s.c \
-	atoi/a2i/a2s.h \
-	atoi/a2i/a2s_c.c \
-	atoi/a2i/a2s_c.h \
-	atoi/a2i/a2s_nc.c \
-	atoi/a2i/a2s_nc.h \
-	atoi/a2i/a2u.c \
-	atoi/a2i/a2u.h \
-	atoi/a2i/a2u_c.c \
-	atoi/a2i/a2u_c.h \
-	atoi/a2i/a2u_nc.c \
-	atoi/a2i/a2u_nc.h \
-	atoi/getnum.c \
-	atoi/getnum.h \
+	alloc.c \
+	alloc.h \
+	atoi/a2i.c \
+	atoi/a2i.h \
 	atoi/str2i.c \
 	atoi/str2i.h \
-	atoi/strtoi/strtoi.c \
-	atoi/strtoi/strtoi.h \
-	atoi/strtoi/strtou.c \
-	atoi/strtoi/strtou.h \
-	atoi/strtoi/strtou_noneg.c \
-	atoi/strtoi/strtou_noneg.h \
+	atoi/strtoi.c \
+	atoi/strtoi.h \
+	atoi/strtou_noneg.c \
+	atoi/strtou_noneg.h \
 	attr.h \
 	audit_help.c \
 	basename.c \
@@ -94,21 +66,16 @@ libshadow_la_SOURCES = \
 	failure.h \
 	fd.c \
 	fields.c \
-	fields.h \
 	find_new_gid.c \
 	find_new_uid.c \
 	find_new_sub_gids.c \
 	find_new_sub_uids.c \
 	fputsx.c \
-	fs/mkstemp/fmkomstemp.c \
-	fs/mkstemp/fmkomstemp.h \
-	fs/mkstemp/mkomstemp.c \
-	fs/mkstemp/mkomstemp.h \
-	fs/readlink/areadlink.c \
-	fs/readlink/areadlink.h \
-	fs/readlink/readlinknul.c \
-	fs/readlink/readlinknul.h \
+	get_gid.c \
 	get_pid.c \
+	get_uid.c \
+	getdate.h \
+	getdate.y \
 	getdef.c \
 	getdef.h \
 	getgr_nam_gid.c \
@@ -127,7 +94,10 @@ libshadow_la_SOURCES = \
 	lockpw.c \
 	loginprompt.c \
 	mail.c \
+	memzero.c \
+	memzero.h \
 	motd.c \
+	must_be.h \
 	myname.c \
 	nss.c \
 	nscd.c \
@@ -149,18 +119,11 @@ libshadow_la_SOURCES = \
 	pwdcheck.c \
 	pwmem.c \
 	remove_tree.c \
+	rlogin.c \
 	root_flag.c \
 	run_part.h \
 	run_part.c \
 	salt.c \
-	search/cmp/cmp.c \
-	search/cmp/cmp.h \
-	search/l/lfind.c \
-	search/l/lfind.h \
-	search/l/lsearch.c \
-	search/l/lsearch.h \
-	search/sort/qsort.c \
-	search/sort/qsort.h \
 	selinux.c \
 	semanage.c \
 	setugid.c \
@@ -170,8 +133,7 @@ libshadow_la_SOURCES = \
 	sgetspent.c \
 	sgroupio.c \
 	sgroupio.h\
-	shadow/grp/agetgroups.c \
-	shadow/grp/agetgroups.h \
+	shadow.c \
 	shadowio.c \
 	shadowio.h \
 	shadowlog.c \
@@ -183,74 +145,18 @@ libshadow_la_SOURCES = \
 	spawn.c \
 	sssd.c \
 	sssd.h \
-	string/ctype/strchrisascii/strchriscntrl.c \
-	string/ctype/strchrisascii/strchriscntrl.h \
-	string/ctype/strisascii/strisdigit.c \
-	string/ctype/strisascii/strisdigit.h \
-	string/ctype/strisascii/strisprint.c \
-	string/ctype/strisascii/strisprint.h \
-	string/ctype/strtoascii/strtolower.c \
-	string/ctype/strtoascii/strtolower.h \
-	string/memset/memzero.c \
-	string/memset/memzero.h \
-	string/sprintf/aprintf.c \
-	string/sprintf/aprintf.h \
-	string/sprintf/snprintf.c \
-	string/sprintf/snprintf.h \
-	string/sprintf/stpeprintf.c \
-	string/sprintf/stpeprintf.h \
-	string/sprintf/xaprintf.c \
-	string/sprintf/xaprintf.h \
-	string/strchr/strchrcnt.c \
-	string/strchr/strchrcnt.h \
-	string/strchr/strchrscnt.c \
-	string/strchr/strchrscnt.h \
-	string/strchr/strnul.c \
-	string/strchr/strnul.h \
-	string/strcmp/strcaseeq.c \
-	string/strcmp/strcaseeq.h \
-	string/strcmp/strcaseprefix.c \
-	string/strcmp/strcaseprefix.h \
-	string/strcmp/streq.c \
-	string/strcmp/streq.h \
-	string/strcmp/strprefix.c \
-	string/strcmp/strprefix.h \
-	string/strcpy/stpecpy.c \
-	string/strcpy/stpecpy.h \
-	string/strcpy/strncat.c \
-	string/strcpy/strncat.h \
-	string/strcpy/strncpy.c \
-	string/strcpy/strncpy.h \
-	string/strcpy/strtcpy.c \
-	string/strcpy/strtcpy.h \
-	string/strdup/strndupa.c \
-	string/strdup/strndupa.h \
-	string/strdup/xstrdup.c \
-	string/strdup/xstrdup.h \
-	string/strdup/xstrndup.c \
-	string/strdup/xstrndup.h \
+	string/sprintf.c \
+	string/sprintf.h \
+	string/stpecpy.c \
+	string/stpecpy.h \
+	string/stpeprintf.c \
+	string/stpeprintf.h \
 	string/strftime.c \
 	string/strftime.h \
-	string/strspn/stpspn.c \
-	string/strspn/stpspn.h \
-	string/strspn/stprcspn.c \
-	string/strspn/stprcspn.h \
-	string/strspn/stprspn.c \
-	string/strspn/stprspn.h \
-	string/strspn/strrcspn.c \
-	string/strspn/strrcspn.h \
-	string/strspn/strrspn.c \
-	string/strspn/strrspn.h \
-	string/strtok/stpsep.c \
-	string/strtok/stpsep.h \
-	string/strtok/astrsep2ls.c \
-	string/strtok/astrsep2ls.h \
-	string/strtok/strsep2arr.c \
-	string/strtok/strsep2arr.h \
-	string/strtok/strsep2ls.c \
-	string/strtok/strsep2ls.h \
-	string/strtok/xastrsep2ls.c \
-	string/strtok/xastrsep2ls.h \
+	string/strncpy.h \
+	string/strtcpy.c \
+	string/strtcpy.h \
+	string/zustr2stp.h \
 	strtoday.c \
 	sub.c \
 	subordinateio.h \
@@ -259,7 +165,6 @@ libshadow_la_SOURCES = \
 	time/day_to_str.c \
 	time/day_to_str.h \
 	ttytype.c \
-	typetraits.h \
 	tz.c \
 	ulimit.c \
 	user_busy.c \
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
--- a/lib/addgrps.c
+++ b/lib/addgrps.c
@@ -1,81 +1,114 @@
-// SPDX-FileCopyrightText: 1989-1994, Julianne Frances Haugh
-// SPDX-FileCopyrightText: 1996-1998, Marek Michałkiewicz
-// SPDX-FileCopyrightText: 2001-2006, Tomasz Kłoczko
-// SPDX-FileCopyrightText: 2007-2009, Nicolas François
-// SPDX-FileCopyrightText: 2024, Alejandro Colomar <alx@kernel.org>
-// SPDX-License-Identifier: BSD-3-Clause
-
+/*
+ * SPDX-FileCopyrightText: 1989 - 1994, Julianne Frances Haugh
+ * SPDX-FileCopyrightText: 1996 - 1998, Marek Michałkiewicz
+ * SPDX-FileCopyrightText: 2001 - 2006, Tomasz Kłoczko
+ * SPDX-FileCopyrightText: 2007 - 2009, Nicolas François
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */

 #include <config.h>

-#if !defined(USE_PAM)
+#if defined (HAVE_SETGROUPS) && ! defined (USE_PAM)

 #include "prototypes.h"
 #include "defines.h"

-#include <errno.h>
-#include <grp.h>
 #include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
+#include <grp.h>
+#include <errno.h>

-#include "alloc/reallocf.h"
-#include "search/l/lsearch.h"
-#include "shadow/grp/agetgroups.h"
+#include "alloc.h"
 #include "shadowlog.h"
-#include "string/strchr/strchrscnt.h"

+#ident "$Id$"

+#define SEP ",:"
 /*
 * Add groups with names from LIST (separated by commas or colons)
 * to the supplementary group set.  Silently ignore groups which are
- * already there.
+ * already there.  Warning: uses strtok().
 */
-int
-add_groups(const char *list)
+int add_groups (const char *list)
 {
-	char    *g, *p, *dup;
+	GETGROUPS_T *grouplist;
+	size_t i;
+	int ngroups;
+	bool added;
+	char *token;
+	char buf[1024];
+	int ret;
 	FILE *shadow_logfd = log_get_logfd();
-	gid_t   *gids;
-	size_t  n;

-	gids = agetgroups(&n);
-	if (gids == NULL)
+	if (strlen (list) >= sizeof (buf)) {
+		errno = EINVAL;
 		return -1;
+	}
+	strcpy (buf, list);

-	gids = REALLOCF(gids, n + strchrscnt(list, ",:") + 1, gid_t);
-	if (gids == NULL)
+	i = 16;
+	for (;;) {
+		grouplist = MALLOC(i, GETGROUPS_T);
+		if (NULL == grouplist) {
+			return -1;
+		}
+		ngroups = getgroups (i, grouplist);
+		if (   (   (-1 == ngroups)
+		        && (EINVAL != errno))
+		    || (i > (size_t)ngroups)) {
+			/* Unexpected failure of getgroups or successful
+			 * reception of the groups */
+			break;
+		}
+		/* not enough room, so try allocating a larger buffer */
+		free (grouplist);
+		i *= 2;
+	}
+	if (ngroups < 0) {
+		free (grouplist);
 		return -1;
+	}

-	p = dup = strdup(list);
-	if (dup == NULL)
-		goto free_gids;
+	added = false;
+	for (token = strtok (buf, SEP); NULL != token; token = strtok (NULL, SEP)) {
+		struct group *grp;

-	while (NULL != (g = strsep(&p, ",:"))) {
-		struct group  *grp;
-
-		grp = getgrnam(g); /* local, no need for xgetgrnam */
+		grp = getgrnam (token); /* local, no need for xgetgrnam */
 		if (NULL == grp) {
-			fprintf(shadow_logfd, _("Warning: unknown group %s\n"), g);
+			fprintf (shadow_logfd, _("Warning: unknown group %s\n"),
+				 token);
 			continue;
 		}

-		LSEARCH(&grp->gr_gid, gids, &n);
-	}
-	free(dup);
+		for (i = 0; i < (size_t)ngroups && grouplist[i] != grp->gr_gid; i++);

-	if (setgroups(n, gids) == -1) {
-		fprintf(shadow_logfd, "setgroups: %s\n", strerror(errno));
-		goto free_gids;
+		if (i < (size_t)ngroups) {
+			continue;
+		}
+
+		if (ngroups >= sysconf (_SC_NGROUPS_MAX)) {
+			fputs (_("Warning: too many groups\n"), shadow_logfd);
+			break;
+		}
+		grouplist = REALLOCF(grouplist, (size_t) ngroups + 1, GETGROUPS_T);
+		if (grouplist == NULL) {
+			return -1;
+		}
+		grouplist[ngroups] = grp->gr_gid;
+		ngroups++;
+		added = true;
 	}

-	free(gids);
+	if (added) {
+		ret = setgroups (ngroups, grouplist);
+		free (grouplist);
+		return ret;
+	}
+
+	free (grouplist);
 	return 0;
-
-free_gids:
-	free(gids);
-	return -1;
 }
-#else				/* !USE_PAM */
+#else				/* HAVE_SETGROUPS && !USE_PAM */
 extern int ISO_C_forbids_an_empty_translation_unit;
-#endif				/* !USE_PAM */
+#endif				/* HAVE_SETGROUPS && !USE_PAM */
+
--- a/lib/adds.c
+++ b/lib/adds.c
@@ -11,3 +11,5 @@

 extern inline long addsl2(long a, long b);
 extern inline long addslN(size_t n, long addend[n]);
+
+extern inline int cmpl(const void *p1, const void *p2);
--- a/lib/adds.h
+++ b/lib/adds.h
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
+// SPDX-FileCopyrightText: 2023, Alejandro Colomar <alx@kernel.org>
 // SPDX-License-Identifier: BSD-3-Clause


@@ -11,8 +11,8 @@
 #include <errno.h>
 #include <limits.h>
 #include <stddef.h>
+#include <stdlib.h>

-#include "search/sort/qsort.h"
 #include "sizeof.h"


@@ -20,13 +20,15 @@
 ({                                                                            \
 	long  addend_[] = {a, b, __VA_ARGS__};                                \
                                                                              \
-	addslN(countof(addend_), addend_);                                    \
+	addslN(NITEMS(addend_), addend_);                                     \
 })


 inline long addsl2(long a, long b);
 inline long addslN(size_t n, long addend[n]);

+inline int cmpl(const void *p1, const void *p2);
+

 inline long
 addsl2(long a, long b)
@@ -55,7 +57,7 @@ addslN(size_t n, long addend[n])

 	e = errno;
 	while (n > 1) {
-		QSORT(addend, n);
+		qsort(addend, n, sizeof(addend[0]), cmpl);

 		errno = 0;
 		addend[0] = addsl2(addend[0], addend[--n]);
@@ -67,4 +69,18 @@ addslN(size_t n, long addend[n])
 }


+inline int
+cmpl(const void *p1, const void *p2)
+{
+	const long  *l1 = p1;
+	const long  *l2 = p2;
+
+	if (*l1 < *l2)
+		return -1;
+	if (*l1 > *l2)
+		return +1;
+	return 0;
+}
+
+
 #endif  // include guard
--- a/lib/age.c
+++ b/lib/age.c
@@ -106,7 +106,7 @@ int expire (const struct passwd *pw, /*@null@*/const struct spwd *sp)
 		 * passwd to work just like it would had they executed
 		 * it from the command line while logged in.
 		 */
-#if !defined(USE_PAM)
+#if defined(HAVE_INITGROUPS) && ! defined(USE_PAM)
 		if (setup_uid_gid (pw, false) != 0)
 #else
 		if (setup_uid_gid (pw) != 0)
--- a/lib/agetpass.c
+++ b/lib/agetpass.c
@@ -16,7 +16,7 @@

 #ident "$Id$"

-#include "alloc/malloc.h"
+#include "alloc.h"

 #if WITH_LIBBSD == 0
 #include "freezero.h"
--- a/lib/alloc.c
+++ b/lib/alloc.c
@@ -0,0 +1,73 @@
+/*
+ * SPDX-FileCopyrightText: 1990 - 1994, Julianne Frances Haugh
+ * SPDX-FileCopyrightText: 1996 - 1998, Marek Michałkiewicz
+ * SPDX-FileCopyrightText: 2003 - 2006, Tomasz Kłoczko
+ * SPDX-FileCopyrightText: 2008       , Nicolas François
+ * SPDX-FileCopyrightText: 2023       , Alejandro Colomar <alx@kernel.org>
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/* Replacements for malloc and strdup with error checking.  Too trivial
+   to be worth copyrighting :-).  I did that because a lot of code used
+   malloc and strdup without checking for NULL pointer, and I like some
+   message better than a core dump...  --marekm
+
+   Yeh, but.  Remember that bailing out might leave the system in some
+   bizarre state.  You really want to put in error checking, then add
+   some back-out failure recovery code. -- jfh */
+
+#include <config.h>
+
+#ident "$Id$"
+
+#include "alloc.h"
+
+#include <errno.h>
+#include <stddef.h>
+#include <stdio.h>
+
+#include "defines.h"
+#include "prototypes.h"
+#include "shadowlog.h"
+
+
+extern inline void *xmalloc(size_t size);
+extern inline void *xmallocarray(size_t nmemb, size_t size);
+extern inline void *mallocarray(size_t nmemb, size_t size);
+extern inline void *reallocarrayf(void *p, size_t nmemb, size_t size);
+extern inline char *xstrdup(const char *str);
+
+
+void *
+xcalloc(size_t nmemb, size_t size)
+{
+	void  *p;
+
+	p = calloc(nmemb, size);
+	if (p == NULL)
+		goto x;
+
+	return p;
+
+x:
+	fprintf(log_get_logfd(), _("%s: %s\n"),
+	        log_get_progname(), strerror(errno));
+	exit(13);
+}
+
+
+void *
+xreallocarray(void *p, size_t nmemb, size_t size)
+{
+	p = reallocarrayf(p, nmemb, size);
+	if (p == NULL)
+		goto x;
+
+	return p;
+
+x:
+	fprintf(log_get_logfd(), _("%s: %s\n"),
+	        log_get_progname(), strerror(errno));
+	exit(13);
+}
--- a/lib/alloc.h
+++ b/lib/alloc.h
@@ -0,0 +1,101 @@
+// SPDX-FileCopyrightText: 2023-2024, Alejandro Colomar <alx@kernel.org>
+// SPDX-License-Identifier: BSD-3-Clause
+
+
+#ifndef SHADOW_INCLUDE_LIB_MALLOC_H_
+#define SHADOW_INCLUDE_LIB_MALLOC_H_
+
+
+#include <config.h>
+
+#include <assert.h>
+#include <errno.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "attr.h"
+#include "defines.h"
+
+
+#define CALLOC(n, type)   ((type *) calloc(n, sizeof(type)))
+#define XCALLOC(n, type)  ((type *) xcalloc(n, sizeof(type)))
+#define MALLOC(n, type)   ((type *) mallocarray(n, sizeof(type)))
+#define XMALLOC(n, type)  ((type *) xmallocarray(n, sizeof(type)))
+
+#define REALLOC(ptr, n, type)                                                 \
+(                                                                             \
+	_Generic(ptr, type *:  (type *) reallocarray(ptr, n, sizeof(type)))   \
+)
+
+#define REALLOCF(ptr, n, type)                                                \
+(                                                                             \
+	_Generic(ptr, type *:  (type *) reallocarrayf(ptr, n, sizeof(type)))  \
+)
+
+#define XREALLOC(ptr, n, type)                                                \
+(                                                                             \
+	_Generic(ptr, type *:  (type *) xreallocarray(ptr, n, sizeof(type)))  \
+)
+
+
+ATTR_MALLOC(free)
+inline void *xmalloc(size_t size);
+ATTR_MALLOC(free)
+inline void *xmallocarray(size_t nmemb, size_t size);
+ATTR_MALLOC(free)
+inline void *mallocarray(size_t nmemb, size_t size);
+ATTR_MALLOC(free)
+inline void *reallocarrayf(void *p, size_t nmemb, size_t size);
+ATTR_MALLOC(free)
+inline char *xstrdup(const char *str);
+
+ATTR_MALLOC(free)
+void *xcalloc(size_t nmemb, size_t size);
+ATTR_MALLOC(free)
+void *xreallocarray(void *p, size_t nmemb, size_t size);
+
+
+inline void *
+xmalloc(size_t size)
+{
+	return xmallocarray(1, size);
+}
+
+
+inline void *
+xmallocarray(size_t nmemb, size_t size)
+{
+	return xreallocarray(NULL, nmemb, size);
+}
+
+
+inline void *
+mallocarray(size_t nmemb, size_t size)
+{
+	return reallocarray(NULL, nmemb, size);
+}
+
+
+inline void *
+reallocarrayf(void *p, size_t nmemb, size_t size)
+{
+	void  *q;
+
+	q = reallocarray(p, nmemb, size);
+
+	/* realloc(p, 0) is equivalent to free(p);  avoid double free.  */
+	if (q == NULL && nmemb != 0 && size != 0)
+		free(p);
+	return q;
+}
+
+
+inline char *
+xstrdup(const char *str)
+{
+	return strcpy(XMALLOC(strlen(str) + 1, char), str);
+}
+
+
+#endif  // include guard
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`login: elevated-privileges 4755 root/root [usr/bin/newgrp]`
				`@@ -0,0 +1 @@`
				`rm_conffile /etc/cron.daily/passwd 1:4.7-2~`
				`@@ -0,0 +1 @@`
				`deb: libsubid 4 libsubid4 (= ${binary:Version})`