ELA 1:4.5-1.1+deb10u1

Breaks on old version to force lockstep upgrade, which should
really be a depends-new-version (and can be switched around
together with util-linux once the transition is finished).
Using Breaks/Depends the 'wrong' way around is to make apt
unpack things in the 'right' order (avoiding any gaps where
/bin/su is not available during the upgrade phase).

.gitignore

@@ -17,6 +17,8 @@ Makefile.in
 /ABOUT-NLS
 /aclocal.m4
 /autom4te.cache
+/compile
+/config.cache
 /config.guess
 /config.h
 /config.h.in
@@ -44,4 +46,5 @@ Makefile.in
 /po/stamp-po
 
 /shadow.spec
+/shadow-*.tar.*
 /libmisc/getdate.c

.travis.yml

@@ -0,0 +1,20 @@
+sudo: false
+
+language: c
+
+compiler:
+  - gcc
+  - clang
+
+addons:
+  apt:
+    packages:
+      - autopoint
+      - xsltproc
+
+script:
+ - ./autogen.sh --without-selinux --disable-man
+ - grep ENABLE_ config.status
+ - make
+
+# vim:et:ts=2:sw=2

ChangeLog

@@ -1,3 +1,84 @@
+2016-05-17  Serge Hallyn <serge@hallyn.com>
+
+	* Release 4.5
+
+2016-05-17  Serge Hallyn <serge@hallyn.com>
+
+	* Patch from Tobias Stoeckmann fixing regression in previous CVE fix
+	  preventing SIGTERM to su from being propagated to the job.
+	* Patch from Chris Lamb making sp_lstchg shadow field reproducible.
+	* Merge Russian translation updates from Yuri Kozlov
+	* Fix missing close of subuid file on error
+
+2016-02-23  Serge Hallyn <serge@hallyn.com>
+
+	* Merge patch by Tobias Stoeckmann <tobias@stoeckmann.org> to fix
+	  the equivalent of util-linux CVE-2017-2616.
+
+2016-02-08  Serge Hallyn <serge@hallyn.com>
+
+	* Update Kazakh translations
+	* Consult configuration before calculating subuids
+	* Remove misplaced semicolon
+
+2016-01-29  Serge Hallyn <serge@hallyn.com>
+
+	* Patch from Fedora to improve performance with SSSD, Winbind,
+	  or nss_ldap. (Tomas Mraz)
+	* Make sure knowndef_table is NULL-terminated.  (Bernhard Rosenkränzer)
+
+2016-12-21  Serge Hallyn <serge@hallyn.com>
+
+	* Drop leading underscore from _COMMONIO_H and _SHADOWIO_H
+	* Fix readability in usermod error messages.
+	* Reset user in tallylog
+	* Add audit support to su
+
+2016-12-02  Serge Hallyn <serge@hallyn.com>
+
+	* changes since 4.4
+	  - Use sizeof rather than hardcoding snprintf args
+	  - Fix useradd improper default loading
+	  - Update Vietnamese translations
+	  - Update Polish translations
+	  - Remove non-POSIX chmod option in Makefile
+	  - Fix suidubins assignments
+	  - Fix --add-subuids etc spelling in manpages
+	  - Audit homedir ownership change.
+	  - Print error on selinux file context update failure
+	  - Keep original file perms when creating a backup
+
+	* (henceforth we'll update Changelog with each commit
+	  and proper credit)
+
+2016-12-02  Serge Hallyn <serge@hallyn.com>
+
+	* Changes since 4.2.1:
+	  - Documentation, error report and translations updates
+	  - Replace path_max with 32
+	  - User namespace support fixes/updates including:
+	    - Correct sanity checks in newXidmap
+	    - Fix building without subuid support
+	    - Add /etc/subuid support for UID matching
+	    - Support subuid for nonlocal users
+	    - Default to 65536 subuid allocations
+	    - Respect -r
+	    - Check for range overflows
+	  - Add tests from svn tree
+	  - Use AC_CHECK_SIZEOF for uid_t size checks
+	  - Accomodate missing /etc and login.defs
+	  - Support FORCE_SHADOW
+	  - Be more robust in hostile environment
+	  - Allow removing a primary group
+	  - Clear passwords on __pw_dup errors
+	  - Memory leak fix in commonio_update and get_map_ranges
+	  - Fix resource leak in syslog_sg
+	  - Fix user busy error at userdel
+	  - Support set/clear lastlog record via lastlog command
+	  - Add --no-create-home as longopt for -M
+	  - Fix signal races
+	  - Reduce syslog priority of common usage events
+
 2013-08-25  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* src/vipw.c: After waitpid(), use errno only if waitpid returned

Makefile.am

@@ -2,7 +2,5 @@
 
 EXTRA_DIST = NEWS README TODO shadow.spec.in
 
-AUTOMAKE_OPTIONS = 1.5 dist-bzip2 foreign
-
 SUBDIRS = po man libmisc lib src \
 	contrib doc etc

README

@@ -117,5 +117,6 @@ Maintainers
 ===========
 
 Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
-Nicolas François <nicolas.francois@centraliens.net> (2007-now)
+Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
+Serge E. Hallyn <serge@hallyn.com> (2014-now)
 

configure.ac

@@ -1,6 +1,9 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_INIT
-AM_INIT_AUTOMAKE(shadow, 4.2)
+AC_PREREQ([2.64])
+AC_INIT([shadow], [4.5], [pkg-shadow-devel@lists.alioth.debian.org], [],
+	[https://github.com/shadow-maint/shadow])
+AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
+AM_SILENT_RULES([yes])
 AC_CONFIG_HEADERS([config.h])
 
 dnl Some hacks...
@@ -335,16 +338,10 @@ if test "$enable_subids" != "no"; then
 	dnl
 	dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
 	dnl
-	AC_RUN_IFELSE([AC_LANG_SOURCE([
-#include <sys/types.h>
-int main(void) {
-	uid_t u;
-	gid_t g;
-	return (sizeof u < 4) || (sizeof g < 4);
-}
-	])], [id32bit="yes"], [id32bit="no"])
+	AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
+	AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
 
-	if test "x$id32bit" = "xyes"; then
+	if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
 		AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
 		enable_subids="yes"
 	else

debian/Makefile

@@ -0,0 +1,16 @@
+PKG=shadow
+SITE=ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/
+
+deb:: check_cheese
+
+include /usr/share/quilt/quilt.debbuild.mk
+
+check_cheese:
+	@dpkg-parsechangelog | grep -q "\* The \".*\".* release\." || { \
+		echo ""; \
+		echo " **                                  **"; \
+		echo " **  Warning: not a cheesy release!  **"; \
+		echo " **                                  **"; \
+		echo ""; \
+		exit 1; \
+	}

debian/NEWS

@@ -0,0 +1,36 @@
+shadow (1:4.0.15-5) unstable; urgency=low
+
+  * commands passed in argument to su must use su's -c option and must quote
+    the command if it contains a space, as in:
+        su - root -c "ls -l /"
+    The following commands won't work anymore:
+        su - root -c ls -l /
+        su - root "ls -l /"
+        su - root ls -l /
+
+ -- Christian Perrier <bubulle@debian.org>  Sat,  8 Apr 2006 20:11:38 +0200
+
+shadow (1:4.0.14-1) unstable; urgency=low
+
+  * passwd does not support the -f, -s, and -g options anymore. You should use
+    the chfn, chsh and gpasswd utilities instead.
+  * login now distributes the nologin utility, which can be used as a shell
+    to politely refuse a login
+
+ -- Christian Perrier <bubulle@debian.org>  Thu,  5 Jan 2006 08:47:44 +0100
+
+shadow (1:4.0.12-1) unstable; urgency=low
+
+  CLOSE_SESSIONS and other variables are not used anymore in
+  /etc/login/defs.
+  As shadow utilities which use this file now warn about unknown
+  entries there, administrators should remove such unknown entries.
+  The supplied login.defs file does not include them anymore.
+
+  dpasswd is no more distributed by upstream. Login do not support
+  dialup password anymore.  Re-introducing this functionality in
+  upstream is not trivial.
+
+
+ -- Christian Perrier <bubulle@debian.org>  Thu, 25 Aug 2005 08:38:47 +0200
+

debian/README.debian

@@ -0,0 +1,62 @@
+Read this file first for a brief overview of the new versions of login
+and passwd.
+
+
+---Shadow passwords
+
+The command `shadowconfig on' will turn on shadow password support.
+`shadowconfig off' will turn it back off.  If you turn on shadow
+password support, you'll gain the ability to set password ages and
+expirations with chage(1).
+
+NOTE: If you use the nscd package, you may have problems with a
+slight delay in updating the password information. You may notice
+this during upgrades of certain packages that try to add a system
+user and then access the users information immediately afterwards.
+To avoid this, it is suggested that you stop the nscd daemon before
+upgrades, then restart it again.
+
+---General configuration
+
+Most of the configuration for the shadow utilities is in
+/etc/login.defs.  See login.defs(5).  The defaults are quite
+reasonable.
+
+Also see the /etc/pam.d/* files for each program to configure the PAM
+support. PAM documentation is available in several formats in the
+libpam-doc package.
+
+
+---MD5 Encryption
+
+This is enabled now using the /etc/pam.d/* files. Examples are given.
+
+
+---Adding users and groups
+
+Though you may add users and groups with the SysV type commands,
+useradd and groupadd, I recommend you add them with Debian adduser
+version 3+.  adduser gives you more configuration and conforms to the
+Debian UID and GID allocation.
+
+Editing user and group parameters can be done with usermod and
+groupmod.  Removing users and groups can be done with userdel and
+groupdel.
+
+
+--- Group administration
+
+Local group allocation is much easier.  With gpasswd(1) you can
+designate users to administer groups.  They can then securely add or
+remove users from the group.
+
+
+--- What to read next?
+
+Read the manpages, the other files in this directory, and the Shadow
+Password HOWTO (included in the doc-linux package).  A large portion
+of these files deals with getting shadow installed.  You can, of
+course, ignore those parts.
+
+Also, the libpam-doc package will go a long way to allowing you to take
+full advantage of the PAM authentication scheme.

debian/README.source

@@ -0,0 +1,4 @@
+A testsuite is also available. Instruction on how to run this testsuite
+are available in tests/README
+
+ -- Balint Reczey <rbalint@ubuntu.com>, Sat, 12 Aug 2017 18:46:44 -0400

debian/TODO

@@ -0,0 +1,19 @@
+Things that should be done:
+ * Verify the files left in debian/tmp
+   + e.g. /etc/default/adduser should be installed
+ * Check the build system: rebuilding the package twoce in the same tree
+   doubles the size of the diff.gz file
+
+Other points (not related to the release of a syncronized shadow):
+ * compare the source with the usages and man pages
+   + probably add a sentence to chsh/chfn's manpages about authentication
+     required for ordinary users
+ * do something (a tool) for the variables in login.defs
+   In Debian, some tools are not compiled with the PAM support, so upstream
+   getdef.c won't be OK.
+   It should be nice to see in each man page the set of variables used.
+   The Debian package can now compile (export DEB_BUILD_OPTIONS='nostrip debug')
+   with the debugging informations. This may be used to extract the set of
+   variables used in Debian/for each tools.
+ * verify all the patches around (I've found patches for at least RedHat,
+   OWL, LFS, Mandriva, Gentoo; are they already applied?)

debian/bugs-usertags

@@ -0,0 +1,25 @@
+This described the usertags used by the team.
+
+For usertags documentation, see
+http://lists.debian.org/debian-devel-announce/2005/09/msg00002.html
+
+All bugs tagged by team members must be tagged with 
+"user pkg-shadow-devel@lists.alioth.debian.org"
+
+Tags list
+---------
+
+toclose:         This bug has been announced to be closed in case no more news
+                 or information is received from the bug submitter or someone
+                 else until the delay specified in the limits_YYYYMMDD tag
+
+limits-YYYYMMDD: combine it with "toclose". Specifies the date after which
+                 bugs can be closed without other action in case no news 
+                 is received
+
+manpages-replace A bug reported angainst a manpages-xx package to indicate
+                 conflicting man pages. This tag can be used to tune the
+                 Replaces fields.
+
+su-transition:   This bug is related to the su transition (#276419)
+

debian/compat

@@ -0,0 +1 @@
+10

debian/control

@@ -0,0 +1,78 @@
+Source: shadow
+Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
+Uploaders: Christian Perrier <bubulle@debian.org>,
+           Balint Reczey <rbalint@ubuntu.com>,
+           Serge Hallyn <serge@hallyn.com>
+Section: admin
+Priority: required
+Build-Depends: dh-autoreconf,
+               gettext,
+               libpam0g-dev,
+               debhelper (>= 10~),
+               quilt,
+               xsltproc,
+               docbook-xsl,
+               docbook-xml,
+               libxml2-utils,
+               cdbs,
+               libselinux1-dev [linux-any],
+               libsemanage1-dev [linux-any],
+               gnome-doc-utils,
+               bison,
+               libaudit-dev [linux-any]
+Standards-Version: 3.9.5
+Vcs-Browser: https://anonscm.debian.org/git/pkg-shadow/shadow.git
+Vcs-Git: https://anonscm.debian.org/git/pkg-shadow/shadow.git
+Homepage: https://github.com/shadow-maint/shadow
+
+Package: passwd
+Architecture: any
+Multi-Arch: foreign
+Depends: ${shlibs:Depends},
+         ${misc:Depends},
+         libpam-modules
+Replaces: manpages-tr (<< 1.0.5),
+          manpages-zh (<< 1.5.1-1)
+Description: change and administer password and group data
+ This package includes passwd, chsh, chfn, and many other programs to
+ maintain password and group data.
+ .
+ Shadow passwords are supported.  See /usr/share/doc/passwd/README.Debian
+
+Package: login
+Architecture: any
+Essential: yes
+Pre-Depends: ${shlibs:Depends},
+             ${misc:Depends},
+             libpam-runtime,
+             libpam-modules (>= 1.1.8-1)
+Breaks: coreutils (<< 8.21~) [hurd-any],
+        passwd (<< 1:4.1.5.1-2~) [hurd-any],
+        hurd (<< 20140206~) [hurd-any],
+        util-linux (<< 2.32-0.2~)
+Conflicts: gnunet (<< 0.7.0c-2),
+           amavisd-new (<< 2.3.3-8),
+           python-4suite (<< 0.99cvs20060405-1),
+           backupninja (<< 0.9.3-5),
+           echolot (<< 2.1.8-4)
+Replaces: manpages-de (<< 0.5-3),
+          manpages-tr (<< 1.0.5),
+          manpages-zh (<< 1.5.1-1),
+          passwd (<< 1:4.1.5.1-2~) [hurd-any],
+          coreutils (<< 8.21~) [hurd-any],
+          hurd (<< 20140206~) [hurd-any]
+Description: system login tools
+ These tools are required to be able to login and use your system. The
+ login program invokes your user shell and enables command execution. The
+ newgrp program is used to change your effective group ID (useful for
+ workgroup type situations). The su program allows changing your effective
+ user ID (useful being able to execute commands as another user).
+
+Package: uidmap
+Architecture: any
+Priority: optional
+Depends: ${shlibs:Depends},
+         ${misc:Depends}
+Description: programs to help use subuids
+ These programs help unprivileged users to create uid and gid mappings in
+ user namespaces.

debian/copyright

@@ -0,0 +1,103 @@
+This is Debian GNU/Linux's prepackaged version of the shadow utilities.
+
+It was downloaded from: <ftp://ftp.pld.org.pl/software/shadow/>. 
+As of May 2007, this site is no longer available.
+
+Copyright:
+
+Parts of this software are copyright 1988 - 1994, Julianne Frances Haugh.
+All rights reserved.
+
+Parts of this software are copyright 1997 - 2001, Marek Michałkiewicz.
+All rights reserved.
+
+Parts of this software are copyright 2001 - 2004, Andrzej Krzysztofowicz
+All rights reserved.
+
+Parts of this software are copyright 2000 - 2007, Tomasz Kłoczko.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of Julianne F. Haugh nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+This source code is currently archived on ftp.uu.net in the
+comp.sources.misc portion of the USENET archives.  You may also contact
+the author, Julianne F. Haugh, at jockgrrl@ix.netcom.com if you have
+any questions regarding this package.
+
+THIS SOFTWARE IS BEING DISTRIBUTED AS-IS.  THE AUTHORS DISCLAIM ALL
+LIABILITY FOR ANY CONSEQUENCES OF USE.  THE USER IS SOLELY RESPONSIBLE
+FOR THE MAINTENANCE OF THIS SOFTWARE PACKAGE.  THE AUTHORS ARE UNDER NO
+OBLIGATION TO PROVIDE MODIFICATIONS OR IMPROVEMENTS.  THE USER IS
+ENCOURAGED TO TAKE ANY AND ALL STEPS NEEDED TO PROTECT AGAINST ACCIDENTAL
+LOSS OF INFORMATION OR MACHINE RESOURCES.
+
+Special thanks are due to Chip Rosenthal for his fine testing efforts;
+to Steve Simmons for his work in porting this code to BSD; and to Bill
+Kennedy for his contributions of LaserJet printer time and energies.
+Also, thanks for Dennis L. Mumaugh for the initial shadow password
+information and to Tony Walton (olapw@olgb1.oliv.co.uk) for the System
+V Release 4 changes.  Effort in porting to SunOS has been contributed
+by Dr. Michael Newberry (miken@cs.adfa.oz.au) and Micheal J. Miller, Jr.
+(mke@kaberd.rain.com).  Effort in porting to AT&T UNIX System V Release
+4 has been provided by Andrew Herbert (andrew@werple.pub.uu.oz.au).
+Special thanks to Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl)
+for taking over the Linux port of this software.
+
+Source files: login_access.c, login_desrpc.c, login_krb.c are derived
+from the logdaemon-5.0 package, which is under the following license:
+
+/************************************************************************
+* Copyright 1995 by Wietse Venema.  All rights reserved. Individual files
+* may be covered by other copyrights (as noted in the file itself.)
+*
+* This material was originally written and compiled by Wietse Venema at
+* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+* 1992, 1993, 1994 and 1995.
+*
+* Redistribution and use in source and binary forms are permitted
+* provided that this entire copyright notice is duplicated in all such
+* copies.  
+*
+* This software is provided "as is" and without any expressed or implied
+* warranties, including, without limitation, the implied warranties of
+* merchantibility and fitness for any particular purpose.
+************************************************************************/
+
+Some parts substantially in src/su.c derived from an ancestor of
+su for GNU.  Run a shell with substitute user and group IDs.
+Copyright (C) 1992-2003 Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   On Debian GNU/Linux systems, the complete text of the GNU General Public
+   License can be found in '/usr/share/common-licenses/GPL-2'

debian/cpgr.8

@@ -0,0 +1 @@
+.so man8/cppw.8

debian/cppw.8

@@ -0,0 +1,27 @@
+.TH CPPW 8 "7 Apr 2005"
+.SH NAME
+cppw, cpgr \- copy with locking the given file to the password or group file
+.SH SYNOPSIS
+\fBcppw\fR [\fB\-h\fR] [\fB\-s\fR] password_file
+.br
+\fBcpgr\fR [\fB\-h\fR] [\fB\-s\fR] group_file
+
+.SH DESCRIPTION
+.BR cppw " and " cpgr
+will copy, with locking, the given file to
+.IR /etc/passwd " and " /etc/group ", respectively."
+With the \fB\-s\fR flag, they will copy the shadow versions of those files,
+.IR /etc/shadow " and " /etc/gshadow ", respectively."
+
+With the \fB\-h\fR flag, the commands display a short help message and exit
+silently.
+.SH "SEE ALSO"
+.BR vipw (8),
+.BR vigr (8),
+.BR group (5),
+.BR passwd (5),
+.BR shadow (5),
+.BR gshadow (5)
+.SH AUTHOR
+\fBcppw\fR and \fBcpgr\fR were written by Stephen Frost, based on
+\fBvipw\fR and \fBvigr\fR written by Guy Maor.

debian/dependencies

@@ -0,0 +1,94 @@
+Build-Depends:
+==============
+ * autoconf
+ * automake1.9
+   works with 1.7 or 1.9 (at least)
+ * libtool
+ * gettext
+   POT, PO, GMO regenerated?
+ * libpam0g-dev
+   OK
+ * debhelper (>= 4.1.16)
+ * po-debconf
+   OK
+ * quilt
+   patch system
+ * dpkg-dev (>= 1.13.5)
+ * xsltproc
+   used to generate the manpages
+ * docbook-xsl
+   needed for /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl
+ * docbook-xml
+   manpages/docbook.xsl includes html/docbook.xsl
+   (But it is not strictly needed. The generated manpages are identical.
+   Without it, a warning is generated.)
+   Needed by JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.1.2//EN], [DocBook XML DTD V4.1.2], [], enable_man=no)
+ * libxml2-utils
+   needed by the JH_CHECK_XML_CATALOG macros
+ * cdbs
+   used in debian/rules
+ * libselinux1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64]
+ * gnome-doc-utils (>= 0.4.3-1)
+   xml2po, 0.4.3-1 needed for the -l switch.
+
+passwd Depends:
+===============
+ * ${shlibs:Depends}
+   OK
+ * ${loginpam}
+   - hurd
+     login
+     libpam-modules (>= 0.72-5)
+   - other archs
+     + login (>= 970502-1)
+       login is needed because some passwd utils need /etc/login.defs
+       login is Essential, so this is just to enforce the version
+     + libpam-modules (>= 0.72-5)
+ * debianutils (>= 2.15.2)
+   After 1:4.0.12-6, {add,remove}-shell are distributed in debianutils (2.15)
+   /etc/shell was forgotten and introduced in debianutils in 2.15.2
+
+passwd Conflicts:
+=================
+
+passwd Replaces:
+================
+   Some of the passwd man pages are also distributed in some manpages* packages.
+   Look at the debian/02/run test to optimize these dependencies.
+   NOTE: Not all maintainers have been notified.
+ * manpages-de (<< 0.4-9), manpages-fi (<< 0.2-4), manpages-fr (<<1.64.0-1), manpages-hu (<< 20010119-5), manpages-it (<< 0.3.4-3), manpages-ja (<< 0.5.0.0.20050915-1), manpages-ko (<< 20050219-2), manpages-es (<< 1.55-4), manpages-es-extra (<< 0.8a-15), manpages-ru (<< 0.98-3)
+   All those packages have been updated during sarge->etch. So these Replaces
+   should be removed after lenny release
+ * manpages-tr, manpages-zh
+   Those packages are still in etch, so the Replaces should be kept even
+   after lenny release
+
+login Pre-Depends:
+==================
+ * ${shlibs:Depends}
+ * libpam-runtime (>= 0.76-14)
+   sarge contained 0.76-22
+
+Why Pre-Depends? (because it's an essential package?)
+
+login Depends:
+==============
+ * libpam-modules (>= 0.72-5)
+   libpam-modules is needed.
+   potato contained 0.72-9
+
+login Conflicts:
+================
+
+login Replaces:
+===============
+ * Some of the login man pages are also distributed in some manpages* packages.
+   Look at the debian/02/run test to optimize these dependencies.
+   NOTE: Not all maintainers have been notified.
+   - manpages-fi, manpages-fr (<<1.64.0-1), manpages-hu, manpages-it, manpages-ko, manpages-ja (<< 0.5.0.0.20050915-1), manpages-de (<< 0.4-10), manpages-es-extra (<<0.8a-15) 
+     Those are packages that have been updated during sarge->etch. These
+     Replaces should be removed after lenny
+   - manpages-tr, manpages-zh
+     Those packages are still in etch, so the Replaces should be kept even
+     after lenny release
+

debian/login.defs

@@ -0,0 +1,340 @@
+#
+# /etc/login.defs - Configuration control definitions for the login package.
+#
+# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
+# If unspecified, some arbitrary (and possibly incorrect) value will
+# be assumed.  All other items are optional - if not specified then
+# the described action or option will be inhibited.
+#
+# Comment lines (lines beginning with "#") and blank lines are ignored.
+#
+# Modified for Linux.  --marekm
+
+# REQUIRED for useradd/userdel/usermod
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
+#   MAIL_DIR takes precedence.
+#
+#   Essentially:
+#      - MAIL_DIR defines the location of users mail spool files
+#        (for mbox use) by appending the username to MAIL_DIR as defined
+#        below.
+#      - MAIL_FILE defines the location of the users mail spool files as the
+#        fully-qualified filename obtained by prepending the user home
+#        directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+#       which is, starting from shadow 4.0.12-1 in Debian, entirely the
+#       job of the pam_mail PAM modules
+#       See default PAM configuration files provided for
+#       login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR        /var/mail
+#MAIL_FILE      .mail
+
+#
+# Enable logging and display of /var/log/faillog login failure info.
+# This option conflicts with the pam_tally PAM module.
+#
+FAILLOG_ENAB		yes
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+# WARNING: Unknown usernames may become world readable. 
+# See #290803 and #298773 for details about how this could become a security
+# concern
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE	/var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, login failures will be logged here in a utmp format
+# last, when invoked as lastb, will read /var/log/btmp, so...
+#
+FTMP_FILE	/var/log/btmp
+
+#
+# If defined, the command name to display when running "su -".  For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su".  If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME		su
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+# In Debian /usr/bin/bsd-write or similar programs are setgid tty
+# However, the default and recommended value for TTYPERM is still 0600
+# to not allow anyone to write to anyone else console or terminal
+
+# Users can still allow other people to write them by issuing 
+# the "mesg y" command.
+
+TTYGROUP	tty
+TTYPERM		0600
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#	UMASK		Default "umask" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# 
+# UMASK is the default umask value for pam_umask and is used by
+# useradd and newusers to set the mode of the new home directories.
+# 022 is the "historical" value in Debian for UMASK
+# 027, or even 077, could be considered better for privacy
+# There is no One True Answer here : each sysadmin must make up his/her
+# mind.
+#
+# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
+# for private user groups, i. e. the uid is the same as gid, and username is
+# the same as the primary group name: for these, the user permissions will be
+# used as group permissions, e. g. 022 will become 002.
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR	0177
+KILLCHAR	025
+UMASK		022
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+#SYS_UID_MIN		  100
+#SYS_UID_MAX		  999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+#SYS_GID_MIN		  100
+#SYS_GID_MAX		  999
+
+#
+# Max number of login retries if password is bad. This will most likely be
+# overriden by PAM, since the default pam_unix module has it's own built
+# in of 3 retries. However, this is a safe fallback in case you are using
+# an authentication module that does not enforce PAM_MAXTRIES.
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT		60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# 
+CHFN_RESTRICT		rwh
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME	yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# If set to yes, userdel will remove the user's group if it contains no
+# more members, and useradd will create by default a group with the name
+# of the user.
+#
+# Other former uses of this variable such as setting the umask when
+# user==primary group are not used in PAM environments, such as Debian
+#
+USERGROUPS_ENAB yes
+
+#
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
+#
+# FAKE_SHELL /bin/fakeshell
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names.  Root logins will be allowed only
+# upon these devices.
+#
+# This variable is used by login and su.
+#
+#CONSOLE	/etc/consoles
+#CONSOLE	console:tty01:tty02:tty03:tty04
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting).  Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# This variable is used by login and su.
+#
+#CONSOLE_GROUPS		floppy:audio:cdrom
+
+#
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm.  Default is "no".
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB	no
+
+#
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+ENCRYPT_METHOD SHA512
+
+#
+# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
+################# OBSOLETED BY PAM ##############
+#						#
+# These options are now handled by PAM. Please	#
+# edit the appropriate file in /etc/pam.d/ to	#
+# enable the equivelants of them.
+#
+###############
+
+#MOTD_FILE
+#DIALUPS_CHECK_ENAB
+#LASTLOG_ENAB
+#MAIL_CHECK_ENAB
+#OBSCURE_CHECKS_ENAB
+#PORTTIME_CHECKS_ENAB
+#SU_WHEEL_ONLY
+#CRACKLIB_DICTPATH
+#PASS_CHANGE_TRIES
+#PASS_ALWAYS_WARN
+#ENVIRON_FILE
+#NOLOGINS_FILE
+#ISSUE_FILE
+#PASS_MIN_LEN
+#PASS_MAX_LEN
+#ULIMIT
+#ENV_HZ
+#CHFN_AUTH
+#CHSH_AUTH
+#FAIL_DELAY
+
+################# OBSOLETED #######################
+#						  #
+# These options are no more handled by shadow.    #
+#                                                 #
+# Shadow utilities will display a warning if they #
+# still appear.                                   #
+#                                                 #
+###################################################
+
+# CLOSE_SESSIONS
+# LOGIN_STRING
+# NO_PASSWORD_CONSOLE
+# QMAIL_DIR
+
+
+

debian/login.dirs

@@ -0,0 +1 @@
+usr/share/lintian/overrides

debian/login.install

@@ -0,0 +1,22 @@
+usr/share/locale/*/LC_MESSAGES/shadow.mo
+usr/share/man/*/man1/login.1
+usr/share/man/*/man1/newgrp.1
+usr/share/man/*/man1/sg.1
+usr/share/man/*/man5/faillog.5
+usr/share/man/*/man5/login.defs.5
+usr/share/man/*/man8/faillog.8
+usr/share/man/*/man8/lastlog.8
+usr/share/man/*/man8/nologin.8
+usr/share/man/man1/login.1
+usr/share/man/man1/newgrp.1
+usr/share/man/man1/sg.1
+usr/share/man/man5/faillog.5
+usr/share/man/man5/login.defs.5
+usr/share/man/man8/faillog.8
+usr/share/man/man8/lastlog.8
+usr/share/man/man8/nologin.8
+usr/sbin/nologin
+usr/bin/faillog
+usr/bin/lastlog
+usr/bin/newgrp
+bin/login

debian/login.links

@@ -0,0 +1 @@
+usr/bin/newgrp usr/bin/sg

debian/login.lintian-overrides

@@ -0,0 +1,3 @@
+login: setuid-binary usr/bin/newgrp 4755 root/root
+login: setuid-binary bin/su 4755 root/root
+login: possible-missing-colon-in-closes l667:closes bug 336321

debian/login.pam

@@ -0,0 +1,116 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Create a new session keyring.
+session    optional   pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password

debian/login.postinst

@@ -0,0 +1,56 @@
+#!/bin/sh
+
+set -e
+
+if test "$1" = configure
+then
+	if test -f /etc/init.d/logoutd
+	then 
+		if test "$(md5sum /etc/init.d/logoutd)" = "9080f92783dd53f6f2108e698c06bd53  /etc/init.d/logoutd"
+		then	
+			echo "removing logoutd cruft"
+			rm /etc/init.d/logoutd
+			update-rc.d logoutd remove
+		fi
+	fi
+fi
+rm -f /etc/pam.d/login.pre-upgrade 2>/dev/null
+
+if [ "$1" = "configure" ]; then
+	# Install faillog during initial installs only
+	if [ "$2" = "" ] && [ ! -f /var/log/faillog ] ; then
+		touch /var/log/faillog
+		chown root:root /var/log/faillog
+		chmod 644 /var/log/faillog
+	fi
+
+	# Create subuid/subgid if missing
+	if [ ! -e /etc/subuid ]; then
+		touch /etc/subuid
+		chown root:root /etc/subuid
+		chmod 644 /etc/subuid
+	fi
+
+	if [ ! -e /etc/subgid ]; then
+		touch /etc/subgid
+		chown root:root /etc/subgid
+		chmod 644 /etc/subgid
+	fi
+fi
+
+        # Create subuid/subgid if missing
+        if [ ! -e /etc/subuid ]; then
+                touch /etc/subuid
+                chown root:root /etc/subuid
+                chmod 644 /etc/subuid
+        fi
+
+        if [ ! -e /etc/subgid ]; then
+                touch /etc/subgid
+                chown root:root /etc/subgid
+                chmod 644 /etc/subgid
+        fi
+
+#DEBHELPER#
+
+exit 0

debian/login.preinst

@@ -0,0 +1,52 @@
+#! /bin/sh
+
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+remove_md5() {
+    if md5sum $1 2>/dev/null |grep -q $2; then
+	cp $1 $1.pre-upgrade
+	sed -e '/^[^#][ \t]*assword[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
+	    && mv $1.post-upgrade $1
+    fi
+    }
+
+
+case "$1" in
+    install|upgrade)
+        if [ "x$2" != "x" ] ; then
+	    if dpkg --compare-versions $2 lt 1:4.0.3 ; then
+		remove_md5 /etc/pam.d/login 5e61c3334e25625fe1fa4d79cf9123ff
+		fi
+	    fi
+	    
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+

debian/login.su.pam

@@ -0,0 +1,61 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth       sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth       required   pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth       sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth       required   pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session    optional   pam_mail.so nopen
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
+

debian/passwd.chage.pam

@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'chage' service
+#
+
+# This allows root to change password aging being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so

debian/passwd.chfn.pam

@@ -0,0 +1,16 @@
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+
+# This allows root to change user infomation without being
+# prompted for a password
+auth		sufficient	pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
+

debian/passwd.chpasswd.pam

@@ -0,0 +1,5 @@
+# The PAM configuration file for the Shadow 'chpasswd' service
+#
+
+@include common-password
+

debian/passwd.chsh.pam

@@ -0,0 +1,20 @@
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+
+# This will not allow a user to change their shell unless
+# their current one is listed in /etc/shells. This keeps
+# accounts with special shells from changing them.
+auth       required   pam_shells.so
+
+# This allows root to change user shell without being
+# prompted for a password
+auth		sufficient	pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+

debian/passwd.cron.daily

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+cd /var/backups || exit 0
+
+for FILE in passwd group shadow gshadow; do
+        test -f /etc/$FILE              || continue
+        cmp -s $FILE.bak /etc/$FILE     && continue
+        cp -p /etc/$FILE $FILE.bak && chmod 600 $FILE.bak
+done

debian/passwd.dirs

@@ -0,0 +1,2 @@
+usr/share/lintian/overrides
+etc/default

debian/passwd.examples

@@ -0,0 +1 @@
+debian/passwd.expire.cron

debian/passwd.expire.cron

@@ -0,0 +1,57 @@
+#!/usr/bin/perl
+#
+# passwd.expire.cron: sample expiry notification script for use as a cronjob
+#
+# Copyright 1999 by Ben Collins <bcollins@debian.org>, complete rights granted
+# for use, distribution, modification, etc.
+#
+# Usage:
+#	edit the listed options, including the actual email, then rename to
+#	/etc/cron.daily/passwd
+#
+#	If your users don't have a valid login shell (ie. they are ftp or mail
+#	users only), they will need some other way to change their password
+#	(telnet will work since login will handle password aging, or a poppasswd
+#	program, if they are mail users).
+
+# <CONFIG> #
+
+# should be same as /etc/adduser.conf
+$LOW_UID=1000;
+$HIGH_UID=29999;
+
+# this let's the MTA handle the domain,
+# set it manually if you want. Make sure
+# you also add the @ like "\@domain.com"
+$MAIL_DOM="";
+
+# </CONFIG> #
+
+# Set the current day reference
+$curdays = int(time() / (60 * 60 * 24));
+
+# Now go through the list
+
+open(SH, "< /etc/shadow");
+while (<SH>) {
+    @shent = split(':', $_);
+    @userent = getpwnam($shent[0]);
+    if ($userent[2] >= $LOW_UID && $userent[2] <= $HIGH_UID) {
+	if ($curdays > $shent[2] + $shent[4] - $shent[5] &&
+		$shent[4] != -1 && $shent[4] != 0 &&
+		$shent[5] != -1 && $shent[5] != 0) {
+	    $daysleft = ($shent[2] + $shent[4]) - $curdays;
+	    if ($daysleft == 1) { $days = "day"; } else {$days = "days"; }
+            if ($daysleft < 0) { next; }
+	    open (MAIL, "| mail -s '[WARNING] account will expire in $daysleft $days' $shent[0]${MAIL_DOM}");
+	    print MAIL <<EOF;
+Your account will expire in $daysleft $days. Please change your password before
+then or your account will expire
+EOF
+	    close (MAIL);
+	    # This makes sure we also get a list of almost expired users
+	    print "$shent[0]'s account will expire in $daysleft days\n";
+	}
+    }
+    @userent = getpwent();
+}

debian/passwd.groupadd.pam

@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupadd' service
+#
+
+# This allows root to add groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so

debian/passwd.groupdel.pam

@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupdel' service
+#
+
+# This allows root to remove groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so

debian/passwd.groupmod.pam

@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupmod' service
+#
+
+# This allows root to modify groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so

debian/passwd.install

@@ -0,0 +1,80 @@
+usr/bin/chage
+usr/bin/chfn
+usr/bin/chsh
+usr/bin/expiry
+usr/bin/gpasswd
+usr/bin/passwd
+usr/sbin/chpasswd
+usr/sbin/chgpasswd
+usr/sbin/cppw
+usr/sbin/groupadd
+usr/sbin/groupdel
+usr/sbin/groupmod
+usr/sbin/groupmems
+usr/sbin/grpck
+usr/sbin/grpconv
+usr/sbin/grpunconv
+usr/sbin/newusers
+usr/sbin/pwck
+usr/sbin/pwconv
+usr/sbin/pwunconv
+usr/sbin/useradd
+usr/sbin/userdel
+usr/sbin/usermod
+usr/sbin/vipw
+usr/share/man/*/man1/chage.1
+usr/share/man/*/man1/chfn.1
+usr/share/man/*/man1/chsh.1
+usr/share/man/*/man1/expiry.1
+usr/share/man/*/man1/gpasswd.1
+usr/share/man/*/man1/passwd.1
+usr/share/man/*/man5/passwd.5
+usr/share/man/*/man5/shadow.5
+usr/share/man/*/man5/gshadow.5
+usr/share/man/*/man8/chpasswd.8
+usr/share/man/*/man8/groupadd.8
+usr/share/man/*/man8/groupdel.8
+usr/share/man/*/man8/groupmod.8
+usr/share/man/*/man8/groupmems.8
+usr/share/man/*/man8/grpck.8
+usr/share/man/*/man8/grpconv.8
+usr/share/man/*/man8/grpunconv.8
+usr/share/man/*/man8/newusers.8
+usr/share/man/*/man8/pwck.8
+usr/share/man/*/man8/pwconv.8
+usr/share/man/*/man8/pwunconv.8
+usr/share/man/*/man8/useradd.8
+usr/share/man/*/man8/userdel.8
+usr/share/man/*/man8/usermod.8
+usr/share/man/*/man8/vigr.8
+usr/share/man/*/man8/vipw.8
+usr/share/man/man1/chage.1
+usr/share/man/man1/chfn.1
+usr/share/man/man1/chsh.1
+usr/share/man/man1/expiry.1
+usr/share/man/man1/gpasswd.1
+usr/share/man/man1/passwd.1
+usr/share/man/man5/passwd.5
+usr/share/man/man5/shadow.5
+usr/share/man/man5/gshadow.5
+usr/share/man/man5/subuid.5
+usr/share/man/man5/subgid.5
+usr/share/man/man5/subgid.5
+usr/share/man/man5/subuid.5
+usr/share/man/man8/chgpasswd.8
+usr/share/man/man8/chpasswd.8
+usr/share/man/man8/groupadd.8
+usr/share/man/man8/groupdel.8
+usr/share/man/man8/groupmod.8
+usr/share/man/man8/grpck.8
+usr/share/man/man8/grpconv.8
+usr/share/man/man8/grpunconv.8
+usr/share/man/man8/newusers.8
+usr/share/man/man8/pwck.8
+usr/share/man/man8/pwconv.8
+usr/share/man/man8/pwunconv.8
+usr/share/man/man8/useradd.8
+usr/share/man/man8/userdel.8
+usr/share/man/man8/usermod.8
+usr/share/man/man8/vigr.8
+usr/share/man/man8/vipw.8

debian/passwd.links

@@ -0,0 +1,2 @@
+usr/sbin/vipw usr/sbin/vigr
+usr/sbin/cppw usr/sbin/cpgr

debian/passwd.lintian-overrides

@@ -0,0 +1,6 @@
+passwd: setgid-binary usr/bin/chage 2755 root/shadow
+passwd: setuid-binary usr/bin/chfn 4755 root/root
+passwd: setuid-binary usr/bin/chsh 4755 root/root
+passwd: setgid-binary usr/bin/expiry 2755 root/shadow
+passwd: setuid-binary usr/bin/gpasswd 4755 root/root
+passwd: setuid-binary usr/bin/passwd 4755 root/root

debian/passwd.newusers.pam

@@ -0,0 +1,5 @@
+# The PAM configuration file for the Shadow 'newusers' service
+#
+
+@include common-password
+

debian/passwd.passwd.pam

@@ -0,0 +1,6 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+@include common-password
+

debian/passwd.postinst

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+configure)
+    # Fix permissions on various log files from old versions of the debian
+    # installer, some unrelated to passwd but we decided to put the fix
+    # here since there was no better place. This can safely be removed
+    # after etch is released.
+    if dpkg --compare-versions "$2" lt "1:4.0.14-9"; then
+	    for log in /var/log/base-config* \
+		    $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
+		if [ -e "$log" ]; then
+			chmod 600 "$log"
+		fi
+            done
+    fi
+
+    rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null
+	if ! getent group shadow | grep -q '^shadow:[^:]*:42'
+	then
+		groupadd -g 42 shadow || (
+    			cat <<EOF
+Group ID 42 has been allocated for the shadow group.  You have either
+used 42 yourself or created a shadow group with a different ID.
+Please correct this problem and reconfigure with ``dpkg --configure passwd''.
+
+Note that both user and group IDs in the range 0-99 are globally
+allocated by the Debian project and must be the same on every Debian
+system.
+EOF
+    			exit 1
+		)
+	fi
+    ;;
+esac
+
+# Run shadowconfig only on new installs
+[ -z "$2" ] && shadowconfig on
+
+#DEBHELPER#
+
+exit 0

debian/passwd.preinst

@@ -0,0 +1,51 @@
+#! /bin/sh
+
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+remove_md5() {
+    if md5sum $1 2>/dev/null |grep -q $2; then
+	cp $1 $1.pre-upgrade
+	sed -e '/^[^#]*[ \t]*password[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
+	    && mv $1.post-upgrade $1
+    fi
+    }
+
+
+case "$1" in
+    install|upgrade)
+        if [ "x$2" != "x" ] ; then
+	    if dpkg --compare-versions $2 lt 1:4.0.3 ; then
+		remove_md5 /etc/pam.d/passwd 23a5d1465bbc1e39ca6e0c32f22a75c9
+	    fi
+	fi
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+

debian/passwd.tmpfile

@@ -0,0 +1,8 @@
+# If a password operation is in progress and we lose power, stale lockfiles
+# can be left behind.  Clear them on boot.
+r! /etc/gshadow.lock
+r! /etc/shadow.lock
+r! /etc/passwd.lock
+r! /etc/group.lock
+r! /etc/subuid.lock
+r! /etc/subgid.lock

debian/passwd.useradd.pam

@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'useradd' service
+#
+
+# This allows root to add users without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so

debian/passwd.userdel.pam

@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'userdel' service
+#
+
+# This allows root to remove users without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so

debian/passwd.usermod.pam

@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupdel' service
+#
+
+# This allows root to remove groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so

debian/patches/0001-newgidmap-enforce-setgroups-deny-if-self-mapping-a-g.patch

@@ -0,0 +1,183 @@
+From 11fc74ffc7172c587bbd2a6399defbd53eab97c6 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Thu, 15 Feb 2018 23:49:40 +1100
+Subject: newgidmap: enforce setgroups=deny if self-mapping a group
+
+This is necessary to match the kernel-side policy of "self-mapping in a
+user namespace is fine, but you cannot drop groups" -- a policy that was
+created in order to stop user namespaces from allowing trivial privilege
+escalation by dropping supplementary groups that were "blacklisted" from
+certain paths.
+
+This is the simplest fix for the underlying issue, and effectively makes
+it so that unless a user has a valid mapping set in /etc/subgid (which
+only administrators can modify) -- and they are currently trying to use
+that mapping -- then /proc/$pid/setgroups will be set to deny. This
+workaround is only partial, because ideally it should be possible to set
+an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
+administrators to further restrict newgidmap(1).
+
+We also don't write anything in the "allow" case because "allow" is the
+default, and users may have already written "deny" even if they
+technically are allowed to use setgroups. And we don't write anything if
+the setgroups policy is already "deny".
+
+Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
+Fixes: CVE-2018-7169
+Reported-by: Craig Furman <craig.furman89@gmail.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ src/newgidmap.c | 89 ++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 80 insertions(+), 9 deletions(-)
+
+diff --git a/src/newgidmap.c b/src/newgidmap.c
+index b1e33513..59a2e75c 100644
+--- a/src/newgidmap.c
++++ b/src/newgidmap.c
+@@ -46,32 +46,37 @@
+  */
+ const char *Prog;
+ 
+-static bool verify_range(struct passwd *pw, struct map_range *range)
++
++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
+ {
+ 	/* An empty range is invalid */
+ 	if (range->count == 0)
+ 		return false;
+ 
+-	/* Test /etc/subgid */
+-	if (have_sub_gids(pw->pw_name, range->lower, range->count))
++	/* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
++	if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
++		*allow_setgroups = true;
+ 		return true;
++	}
+ 
+-	/* Allow a process to map its own gid */
+-	if ((range->count == 1) && (pw->pw_gid == range->lower))
++	/* Allow a process to map its own gid. */
++	if ((range->count == 1) && (pw->pw_gid == range->lower)) {
++		/* noop -- if setgroups is enabled already we won't disable it. */
+ 		return true;
++	}
+ 
+ 	return false;
+ }
+ 
+ static void verify_ranges(struct passwd *pw, int ranges,
+-	struct map_range *mappings)
++	struct map_range *mappings, bool *allow_setgroups)
+ {
+ 	struct map_range *mapping;
+ 	int idx;
+ 
+ 	mapping = mappings;
+ 	for (idx = 0; idx < ranges; idx++, mapping++) {
+-		if (!verify_range(pw, mapping)) {
++		if (!verify_range(pw, mapping, allow_setgroups)) {
+ 			fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
+ 				Prog,
+ 				mapping->upper,
+@@ -89,6 +94,70 @@ static void usage(void)
+ 	exit(EXIT_FAILURE);
+ }
+ 
++void write_setgroups(int proc_dir_fd, bool allow_setgroups)
++{
++	int setgroups_fd;
++	char *policy, policy_buffer[4096];
++
++	/*
++	 * Default is "deny", and any "allow" will out-rank a "deny". We don't
++	 * forcefully write an "allow" here because the process we are writing
++	 * mappings for may have already set themselves to "deny" (and "allow"
++	 * is the default anyway). So allow_setgroups == true is a noop.
++	 */
++	policy = "deny\n";
++	if (allow_setgroups)
++		return;
++
++	setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
++	if (setgroups_fd < 0) {
++		/*
++		 * If it's an ENOENT then we are on too old a kernel for the setgroups
++		 * code to exist. Emit a warning and bail on this.
++		 */
++		if (ENOENT == errno) {
++			fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
++			goto out;
++		}
++		fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++	/*
++	 * Check whether the policy is already what we want. /proc/self/setgroups
++	 * is write-once, so attempting to write after it's already written to will
++	 * fail.
++	 */
++	if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
++		fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (!strncmp(policy_buffer, policy, strlen(policy)))
++		goto out;
++
++	/* Write the policy. */
++	if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
++		fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (dprintf(setgroups_fd, "%s", policy) < 0) {
++		fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
++			Prog,
++			policy,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++out:
++	close(setgroups_fd);
++}
++
+ /*
+  * newgidmap - Set the gid_map for the specified process
+  */
+@@ -103,6 +172,7 @@ int main(int argc, char **argv)
+ 	struct stat st;
+ 	struct passwd *pw;
+ 	int written;
++	bool allow_setgroups = false;
+ 
+ 	Prog = Basename (argv[0]);
+ 
+@@ -145,7 +215,7 @@ int main(int argc, char **argv)
+ 				(unsigned long) getuid ()));
+ 		return EXIT_FAILURE;
+ 	}
+-	
++
+ 	/* Get the effective uid and effective gid of the target process */
+ 	if (fstat(proc_dir_fd, &st) < 0) {
+ 		fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
+@@ -177,8 +247,9 @@ int main(int argc, char **argv)
+ 	if (!mappings)
+ 		usage();
+ 
+-	verify_ranges(pw, ranges, mappings);
++	verify_ranges(pw, ranges, mappings, &allow_setgroups);
+ 
++	write_setgroups(proc_dir_fd, allow_setgroups);
+ 	write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
+ 	sub_gid_close();
+ 
+-- 
+2.30.2
+

debian/patches/0002-gpasswd-1-Fix-password-leak.patch

@@ -0,0 +1,142 @@
+From cbfa2ff40ce629f55ddd67e3490c311dfcaa4462 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process.  It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> -  ptrace (requires ptrace privileges, mediated by YAMA)
+> -  causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack.  Those copies won't get zeroed
+by explicit_bzero(3).  However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3).  But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible.  Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit.  Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All.  Bug introduced in shadow 19990709.  That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index c4a492b1..cbbd8068 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -917,6 +917,7 @@ static void change_passwd (struct group *gr)
+ 		strzero (cp);
+ 		cp = getpass (_("Re-enter new password: "));
+ 		if (NULL == cp) {
++			memzero (pass, sizeof pass);
+ 			exit (1);
+ 		}
+ 
+-- 
+2.30.2
+

debian/patches/0003-Added-control-character-check.patch

@@ -0,0 +1,45 @@
+From b42c60bc8f026b250810a75bafe865338d734ec3 Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 649fae17..b8f13ba7 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -44,9 +44,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *       contains a non-printable character.
++ *  + -1 is returned if an illegal or control character is present.
++ *  +  1 is returned if no illegal or control characters are present,
++ *       but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+  */
+ int valid_field (const char *field, const char *illegal)
+@@ -68,10 +68,13 @@ int valid_field (const char *field, const char *illegal)
+ 	}
+ 
+ 	if (0 == err) {
+-		/* Search if there are some non-printable characters */
++		/* Search if there are non-printable or control characters */
+ 		for (cp = field; '\0' != *cp; cp++) {
+ 			if (!isprint (*cp)) {
+ 				err = 1;
++			}
++			if (!iscntrl (*cp)) {
++				err = -1;
+ 				break;
+ 			}
+ 		}
+-- 
+2.30.2
+

debian/patches/0004-Overhaul-valid_field.patch

@@ -0,0 +1,61 @@
+From 261c9cd274f07361c304d3993e325fe29d4bad14 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index b8f13ba7..191257e8 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -60,26 +60,22 @@ int valid_field (const char *field, const char *illegal)
+ 
+ 	/* For each character of field, search if it appears in the list
+ 	 * of illegal characters. */
++	if (illegal && NULL != strpbrk (field, illegal)) {
++		return -1;
++	}
++
++	/* Search if there are non-printable or control characters */
+ 	for (cp = field; '\0' != *cp; cp++) {
+-		if (strchr (illegal, *cp) != NULL) {
++		unsigned char c = *cp;
++		if (!isprint (c)) {
++			err = 1;
++		}
++		if (iscntrl (c)) {
+ 			err = -1;
+ 			break;
+ 		}
+ 	}
+ 
+-	if (0 == err) {
+-		/* Search if there are non-printable or control characters */
+-		for (cp = field; '\0' != *cp; cp++) {
+-			if (!isprint (*cp)) {
+-				err = 1;
+-			}
+-			if (!iscntrl (*cp)) {
+-				err = -1;
+-				break;
+-			}
+-		}
+-	}
+-
+ 	return err;
+ }
+ 
+-- 
+2.30.2
+

debian/patches/008_login_log_failure_in_FTMP

@@ -0,0 +1,55 @@
+Goal: Log login failures to the btmp file
+
+Notes:
+ * I'm not sure login should add an entry in the FTMP file when PAM is used.
+   (but nothing in /etc/login.defs indicates that the failure is not logged)
+
+Index: shadow-4.4/src/login.c
+===================================================================
+--- shadow-4.4.orig/src/login.c
++++ shadow-4.4/src/login.c
+@@ -834,6 +834,24 @@ int main (int argc, char **argv)
+ 			(void) puts ("");
+ 			(void) puts (_("Login incorrect"));
+ 
++			if (getdef_str("FTMP_FILE") != NULL) {
++#ifdef USE_UTMPX
++				struct utmpx *failent =
++					prepare_utmpx (failent_user,
++					               tty,
++					/* FIXME: or fromhost? */hostname,
++					               utent);
++#else				/* !USE_UTMPX */
++				struct utmp *failent =
++					prepare_utmp (failent_user,
++					              tty,
++					              hostname,
++					              utent);
++#endif				/* !USE_UTMPX */
++				failtmp (failent_user, failent);
++				free (failent);
++			}
++
+ 			if (failcount >= retries) {
+ 				SYSLOG ((LOG_NOTICE,
+ 				         "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
+Index: shadow-4.4/lib/getdef.c
+===================================================================
+--- shadow-4.4.orig/lib/getdef.c
++++ shadow-4.4/lib/getdef.c
+@@ -57,7 +57,6 @@ struct itemdef {
+ 	{"ENVIRON_FILE", NULL},			\
+ 	{"ENV_TZ", NULL},			\
+ 	{"FAILLOG_ENAB", NULL},			\
+-	{"FTMP_FILE", NULL},			\
+ 	{"ISSUE_FILE", NULL},			\
+ 	{"LASTLOG_ENAB", NULL},			\
+ 	{"LOGIN_STRING", NULL},			\
+@@ -88,6 +87,7 @@ static struct itemdef def_table[] = {
+ 	{"ERASECHAR", NULL},
+ 	{"FAIL_DELAY", NULL},
+ 	{"FAKE_SHELL", NULL},
++	{"FTMP_FILE", NULL},
+ 	{"GID_MAX", NULL},
+ 	{"GID_MIN", NULL},
+ 	{"HUSHLOGIN_FILE", NULL},

debian/patches/401_cppw_src.dpatch

@@ -0,0 +1,276 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 401_cppw_src.dpatch by  Nicolas FRANCOIS <nicolas.francois@centraliens.net>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add cppw / cpgr
+
+@DPATCH@
+--- /dev/null
++++ b/src/cppw.c
+@@ -0,0 +1,238 @@
++/*
++  cppw, cpgr  copy with locking given file over the password or group file
++  with -s will copy with locking given file over shadow or gshadow file
++
++  Copyright (C) 1999 Stephen Frost <sfrost@snowman.net>
++
++  Based on vipw, vigr by:
++  Copyright (C) 1997 Guy Maor <maor@ece.utexas.edu>
++
++  This program is free software; you can redistribute it and/or modify
++  it under the terms of the GNU General Public License as published by
++  the Free Software Foundation; either version 2 of the License, or
++  (at your option) any later version.
++
++  This program is distributed in the hope that it will be useful, but
++  WITHOUT ANY WARRANTY; without even the implied warranty of
++  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++  General Public License for more details.
++
++  You should have received a copy of the GNU General Public License
++  along with this program; if not, write to the Free Software
++  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
++
++  */
++
++#include <config.h>
++#include "defines.h"
++
++#include <errno.h>
++#include <sys/stat.h>
++#include <unistd.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <sys/types.h>
++#include <signal.h>
++#include <utime.h>
++#include "exitcodes.h"
++#include "prototypes.h"
++#include "pwio.h"
++#include "shadowio.h"
++#include "groupio.h"
++#include "sgroupio.h"
++
++
++const char *Prog;
++
++const char *filename, *filenewname;
++static bool filelocked = false;
++static int (*unlock) (void);
++
++/* local function prototypes */
++static int create_copy (FILE *fp, const char *dest, struct stat *sb);
++static void cppwexit (const char *msg, int syserr, int ret);
++static void cppwcopy (const char *file,
++                      const char *in_file,
++                      int (*file_lock) (void),
++                      int (*file_unlock) (void));
++
++static int create_copy (FILE *fp, const char *dest, struct stat *sb)
++{
++	struct utimbuf ub;
++	FILE *bkfp;
++	int c;
++	mode_t mask;
++
++	mask = umask (077);
++	bkfp = fopen (dest, "w");
++	(void) umask (mask);
++	if (NULL == bkfp) {
++		return -1;
++	}
++
++	rewind (fp);
++	while ((c = getc (fp)) != EOF) {
++		if (putc (c, bkfp) == EOF) {
++			break;
++		}
++	}
++
++	if (   (c != EOF)
++	    || (fflush (bkfp) != 0)) {
++		(void) fclose (bkfp);
++		(void) unlink (dest);
++		return -1;
++	}
++	if (   (fsync (fileno (bkfp)) != 0)
++	    || (fclose (bkfp) != 0)) {
++		(void) unlink (dest);
++		return -1;
++	}
++
++	ub.actime = sb->st_atime;
++	ub.modtime = sb->st_mtime;
++	if (   (utime (dest, &ub) != 0)
++	    || (chmod (dest, sb->st_mode) != 0)
++	    || (chown (dest, sb->st_uid, sb->st_gid) != 0)) {
++		(void) unlink (dest);
++		return -1;
++	}
++	return 0;
++}
++
++static void cppwexit (const char *msg, int syserr, int ret)
++{
++	int err = errno;
++	if (filelocked) {
++		(*unlock) ();
++	}
++	if (NULL != msg) {
++		fprintf (stderr, "%s: %s", Prog, msg);
++		if (0 != syserr) {
++			fprintf (stderr, ": %s", strerror (err));
++		}
++		(void) fputs ("\n", stderr);
++	}
++	if (NULL != filename) {
++		fprintf (stderr, _("%s: %s is unchanged\n"), Prog, filename);
++	} else {
++		fprintf (stderr, _("%s: no changes\n"), Prog);
++	}
++
++	exit (ret);
++}
++
++static void cppwcopy (const char *file,
++                      const char *in_file,
++                      int (*file_lock) (void),
++                      int (*file_unlock) (void))
++{
++	struct stat st1;
++	FILE *f;
++	char filenew[1024];
++
++	snprintf (filenew, sizeof filenew, "%s.new", file);
++	unlock = file_unlock;
++	filename = file;
++	filenewname = filenew;
++
++	if (access (file, F_OK) != 0) {
++		cppwexit (file, 1, 1);
++	}
++	if (file_lock () == 0) {
++		cppwexit (_("Couldn't lock file"), 0, 5);
++	}
++	filelocked = true;
++
++	/* file to copy has same owners, perm */
++	if (stat (file, &st1) != 0) {
++		cppwexit (file, 1, 1);
++	}
++	f = fopen (in_file, "r");
++	if (NULL == f) {
++		cppwexit (in_file, 1, 1);
++	}
++	if (create_copy (f, filenew, &st1) != 0) {
++		cppwexit (_("Couldn't make copy"), errno, 1);
++	}
++
++	/* XXX - here we should check filenew for errors; if there are any,
++	 * fail w/ an appropriate error code and let the user manually fix
++	 * it. Use pwck or grpck to do the check.  - Stephen (Shamelessly
++	 * stolen from '--marekm's comment) */
++
++	if (rename (filenew, file) != 0) {
++		fprintf (stderr, _("%s: can't copy %s: %s)\n"),
++                         Prog, filenew, strerror (errno));
++		cppwexit (NULL,0,1);
++	}
++
++	(*file_unlock) ();
++}
++
++int main (int argc, char **argv)
++{
++	int flag;
++	bool cpshadow = false;
++	char *in_file;
++	int e = E_USAGE;
++	bool do_cppw = true;
++
++	(void) setlocale (LC_ALL, "");
++	(void) bindtextdomain (PACKAGE, LOCALEDIR);
++	(void) textdomain (PACKAGE);
++
++	Prog = Basename (argv[0]);
++	if (strcmp (Prog, "cpgr") == 0) {
++		do_cppw = false;
++	}
++
++	while ((flag = getopt (argc, argv, "ghps")) != EOF) {
++		switch (flag) {
++		case 'p':
++			do_cppw = true;
++			break;
++		case 'g':
++			do_cppw = false;
++			break;
++		case 's':
++			cpshadow = true;
++			break;
++		case 'h':
++			e = E_SUCCESS;
++			/*pass through*/
++		default:
++			(void) fputs (_("Usage:\n\
++`cppw <file>' copys over /etc/passwd   `cppw -s <file>' copys over /etc/shadow\n\
++`cpgr <file>' copys over /etc/group    `cpgr -s <file>' copys over /etc/gshadow\n\
++"), (E_SUCCESS != e) ? stderr : stdout);
++			exit (e);
++		}
++	}
++
++	if (argc != optind + 1) {
++		cppwexit (_("wrong number of arguments, -h for usage"),0,1);
++	}
++
++	in_file = argv[optind];
++
++	if (do_cppw) {
++		if (cpshadow) {
++			cppwcopy (SHADOW_FILE, in_file, spw_lock, spw_unlock);
++		} else {
++			cppwcopy (PASSWD_FILE, in_file, pw_lock, pw_unlock);
++		}
++	} else {
++#ifdef SHADOWGRP
++		if (cpshadow) {
++			cppwcopy (SGROUP_FILE, in_file, sgr_lock, sgr_unlock);
++		} else
++#endif				/* SHADOWGRP */
++		{
++			cppwcopy (GROUP_FILE, in_file, gr_lock, gr_unlock);
++		}
++	}
++
++	return 0;
++}
++
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -30,6 +30,7 @@
+ ubin_PROGRAMS += newgidmap newuidmap
+ endif
+ usbin_PROGRAMS = \
++	cppw \
+ 	chgpasswd \
+ 	chpasswd \
+ 	groupadd \
+@@ -90,6 +91,7 @@
+ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+ chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
++cppw_LDADD     = $(LDADD) $(LIBSELINUX)
+ gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+ groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -85,6 +85,7 @@
+ src/chgpasswd.c
+ src/chpasswd.c
+ src/chsh.c
++src/cppw.c
+ src/expiry.c
+ src/faillog.c
+ src/gpasswd.c

debian/patches/402_cppw_selinux

@@ -0,0 +1,64 @@
+Goal: Add selinux support to cppw
+
+Fix:
+
+Status wrt upstream: cppw is not available upstream.
+                     The patch was made based on the
+                     302_vim_selinux_support patch. It needs to be
+                     reviewed by an SE-Linux aware person.
+
+Depends on 401_cppw_src.dpatch
+
+Index: git/src/cppw.c
+===================================================================
+--- git.orig/src/cppw.c
++++ git/src/cppw.c
+@@ -34,6 +34,9 @@
+ #include <sys/types.h>
+ #include <signal.h>
+ #include <utime.h>
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#endif				/* WITH_SELINUX */
+ #include "exitcodes.h"
+ #include "prototypes.h"
+ #include "pwio.h"
+@@ -139,6 +142,22 @@
+ 	if (access (file, F_OK) != 0) {
+ 		cppwexit (file, 1, 1);
+ 	}
++#ifdef WITH_SELINUX
++	/* if SE Linux is enabled then set the context of all new files
++	 * to be the context of the file we are editing */
++	if (is_selinux_enabled () > 0) {
++		security_context_t passwd_context=NULL;
++		int ret = 0;
++		if (getfilecon (file, &passwd_context) < 0) {
++			cppwexit (_("Couldn't get file context"), errno, 1);
++		}
++		ret = setfscreatecon (passwd_context);
++		freecon (passwd_context);
++		if (0 != ret) {
++			cppwexit (_("setfscreatecon () failed"), errno, 1);
++		}
++	}
++#endif				/* WITH_SELINUX */
+ 	if (file_lock () == 0) {
+ 		cppwexit (_("Couldn't lock file"), 0, 5);
+ 	}
+@@ -167,6 +186,15 @@
+ 		cppwexit (NULL,0,1);
+ 	}
+ 
++#ifdef WITH_SELINUX
++	/* unset the fscreatecon */
++	if (is_selinux_enabled () > 0) {
++		if (setfscreatecon (NULL)) {
++		cppwexit (_("setfscreatecon() failed"), errno, 1);
++		}
++	}
++#endif				/* WITH_SELINUX */
++
+ 	(*file_unlock) ();
+ }
+ 

debian/patches/429_login_FAILLOG_ENAB

@@ -0,0 +1,88 @@
+Goal: Re-enable logging and displaying failures on login when login is
+      compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
+      faillog file if it does not exist on postinst (as on Woody).
+Depends: 008_login_more_LOG_UNKFAIL_ENAB
+Fixes: #192849
+
+Note: It could be removed if pam_tally could report the number of failures
+      preceding a successful login.
+
+Index: shadow-4.4/src/login.c
+===================================================================
+--- shadow-4.4.orig/src/login.c
++++ shadow-4.4/src/login.c
+@@ -131,9 +131,9 @@ static void update_utmp (const char *use
+                          const char *host,
+                          /*@null@*/const struct utmp *utent);
+ 
+-#ifndef USE_PAM
+ static struct faillog faillog;
+ 
++#ifndef USE_PAM
+ static void bad_time_notify (void);
+ static void check_nologin (bool login_to_root);
+ #else
+@@ -794,6 +794,9 @@ int main (int argc, char **argv)
+ 				SYSLOG ((LOG_NOTICE,
+ 				         "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
+ 				         failcount, fromhost, failent_user));
++				if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
++					failure (pwd->pw_uid, tty, &faillog);
++				}
+ 				fprintf (stderr,
+ 				         _("Maximum number of tries exceeded (%u)\n"),
+ 				         failcount);
+@@ -811,6 +814,14 @@ int main (int argc, char **argv)
+ 				         pam_strerror (pamh, retcode)));
+ 				failed = true;
+ 			}
++			if (   (NULL != pwd)
++			    && getdef_bool("FAILLOG_ENAB")
++			    && ! failcheck (pwd->pw_uid, &faillog, failed)) {
++				SYSLOG((LOG_CRIT,
++				        "exceeded failure limit for `%s' %s",
++				        failent_user, fromhost));
++				failed = 1;
++			}
+ 
+ 			if (!failed) {
+ 				break;
+@@ -834,6 +845,10 @@ int main (int argc, char **argv)
+ 			(void) puts ("");
+ 			(void) puts (_("Login incorrect"));
+ 
++			if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
++				failure (pwd->pw_uid, tty, &faillog);
++			}
++
+ 			if (getdef_str("FTMP_FILE") != NULL) {
+ #ifdef USE_UTMPX
+ 				struct utmpx *failent =
+@@ -1288,6 +1303,7 @@ int main (int argc, char **argv)
+ 		 */
+ #ifndef USE_PAM
+ 		motd ();	/* print the message of the day */
++#endif
+ 		if (   getdef_bool ("FAILLOG_ENAB")
+ 		    && (0 != faillog.fail_cnt)) {
+ 			failprint (&faillog);
+@@ -1300,6 +1316,7 @@ int main (int argc, char **argv)
+ 				         username, (int) faillog.fail_cnt));
+ 			}
+ 		}
++#ifndef USE_PAM
+ 		if (   getdef_bool ("LASTLOG_ENAB")
+ 		    && (ll.ll_time != 0)) {
+ 			time_t ll_time = ll.ll_time;
+Index: shadow-4.4/lib/getdef.c
+===================================================================
+--- shadow-4.4.orig/lib/getdef.c
++++ shadow-4.4/lib/getdef.c
+@@ -86,6 +86,7 @@ static struct itemdef def_table[] = {
+ 	{"ENV_SUPATH", NULL},
+ 	{"ERASECHAR", NULL},
+ 	{"FAIL_DELAY", NULL},
++	{"FAILLOG_ENAB", NULL},
+ 	{"FAKE_SHELL", NULL},
+ 	{"FTMP_FILE", NULL},
+ 	{"GID_MAX", NULL},

debian/patches/463_login_delay_obeys_to_PAM

@@ -0,0 +1,101 @@
+Goal: Do not hardcode pam_fail_delay and let pam_unix do its
+      job to set a delay...or not
+
+Fixes: #87648
+
+Status wrt upstream: Forwarded but not applied yet
+
+Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
+
+Index: shadow-4.4/src/login.c
+===================================================================
+--- shadow-4.4.orig/src/login.c
++++ shadow-4.4/src/login.c
+@@ -525,7 +525,6 @@ int main (int argc, char **argv)
+ #if defined(HAVE_STRFTIME) && !defined(USE_PAM)
+ 	char ptime[80];
+ #endif
+-	unsigned int delay;
+ 	unsigned int retries;
+ 	bool subroot = false;
+ #ifndef USE_PAM
+@@ -546,6 +545,7 @@ int main (int argc, char **argv)
+ 	pid_t child;
+ 	char *pam_user = NULL;
+ #else
++	unsigned int delay;
+ 	struct spwd *spwd = NULL;
+ #endif
+ 	/*
+@@ -708,7 +708,6 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	environ = newenvp;	/* make new environment active */
+-	delay   = getdef_unum ("FAIL_DELAY", 1);
+ 	retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
+ 
+ #ifdef USE_PAM
+@@ -724,8 +723,7 @@ int main (int argc, char **argv)
+ 
+ 	/*
+ 	 * hostname & tty are either set to NULL or their correct values,
+-	 * depending on how much we know. We also set PAM's fail delay to
+-	 * ours.
++	 * depending on how much we know.
+ 	 *
+ 	 * PAM_RHOST and PAM_TTY are used for authentication, only use
+ 	 * information coming from login or from the caller (e.g. no utmp)
+@@ -734,10 +732,6 @@ int main (int argc, char **argv)
+ 	PAM_FAIL_CHECK;
+ 	retcode = pam_set_item (pamh, PAM_TTY, tty);
+ 	PAM_FAIL_CHECK;
+-#ifdef HAS_PAM_FAIL_DELAY
+-	retcode = pam_fail_delay (pamh, 1000000 * delay);
+-	PAM_FAIL_CHECK;
+-#endif
+ 	/* if fflg, then the user has already been authenticated */
+ 	if (!fflg) {
+ 		unsigned int failcount = 0;
+@@ -778,12 +772,6 @@ int main (int argc, char **argv)
+ 			bool failed = false;
+ 
+ 			failcount++;
+-#ifdef HAS_PAM_FAIL_DELAY
+-			if (delay > 0) {
+-				retcode = pam_fail_delay(pamh, 1000000*delay);
+-				PAM_FAIL_CHECK;
+-			}
+-#endif
+ 
+ 			retcode = pam_authenticate (pamh, 0);
+ 
+@@ -1106,14 +1094,17 @@ int main (int argc, char **argv)
+ 		free (username);
+ 		username = NULL;
+ 
++#ifndef USE_PAM
+ 		/*
+ 		 * Wait a while (a la SVR4 /usr/bin/login) before attempting
+ 		 * to login the user again. If the earlier alarm occurs
+ 		 * before the sleep() below completes, login will exit.
+ 		 */
++		delay = getdef_unum ("FAIL_DELAY", 1);
+ 		if (delay > 0) {
+ 			(void) sleep (delay);
+ 		}
++#endif
+ 
+ 		(void) puts (_("Login incorrect"));
+ 
+Index: shadow-4.4/lib/getdef.c
+===================================================================
+--- shadow-4.4.orig/lib/getdef.c
++++ shadow-4.4/lib/getdef.c
+@@ -85,7 +85,6 @@ static struct itemdef def_table[] = {
+ 	{"ENV_PATH", NULL},
+ 	{"ENV_SUPATH", NULL},
+ 	{"ERASECHAR", NULL},
+-	{"FAIL_DELAY", NULL},
+ 	{"FAILLOG_ENAB", NULL},
+ 	{"FAKE_SHELL", NULL},
+ 	{"FTMP_FILE", NULL},

debian/patches/501_commonio_group_shadow

@@ -0,0 +1,60 @@
+Goal: save the [g]shadow files with the 'shadow' group and mode 0440
+
+Fixes: #166793
+
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -44,6 +44,7 @@
+ #include <errno.h>
+ #include <stdio.h>
+ #include <signal.h>
++#include <grp.h>
+ #include "nscd.h"
+ #ifdef WITH_TCB
+ #include <tcb.h>
+@@ -963,12 +964,23 @@
+ 			goto fail;
+ 		}
+ 	} else {
++		struct group *grp;
+ 		/*
+ 		 * Default permissions for new [g]shadow files.
+ 		 */
+ 		sb.st_mode = db->st_mode;
+ 		sb.st_uid = db->st_uid;
+ 		sb.st_gid = db->st_gid;
++
++		/*
++		 * Try to retrieve the shadow's GID, and fall back to GID 0.
++		 */
++		if (sb.st_gid == 0) {
++			if ((grp = getgrnam("shadow")) != NULL)
++				sb.st_gid = grp->gr_gid;
++			else
++				sb.st_gid = 0;
++		}
+ 	}
+ 
+ 	snprintf (buf, sizeof buf, "%s+", db->filename);
+--- a/lib/sgroupio.c
++++ b/lib/sgroupio.c
+@@ -229,7 +229,7 @@
+ #ifdef WITH_SELINUX
+ 	NULL,			/* scontext */
+ #endif
+-	0400,                   /* st_mode */
++	0440,                   /* st_mode */
+ 	0,                      /* st_uid */
+ 	0,                      /* st_gid */
+ 	NULL,			/* head */
+--- a/lib/shadowio.c
++++ b/lib/shadowio.c
+@@ -105,7 +105,7 @@
+ #ifdef WITH_SELINUX
+ 	NULL,			/* scontext */
+ #endif				/* WITH_SELINUX */
+-	0400,                   /* st_mode */
++	0440,                   /* st_mode */
+ 	0,                      /* st_uid */
+ 	0,                      /* st_gid */
+ 	NULL,			/* head */

debian/patches/503_shadowconfig.8

@@ -0,0 +1,201 @@
+Goal: Document the shadowconfig utility
+
+Status wrt upstream: The shadowconfig utility is debian specific.
+                     Its man page also (but it used to be distributed)
+
+Index: git/man/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/shadowconfig.8
+@@ -0,0 +1,41 @@
++.\"Generated by db2man.xsl. Don't modify this, modify the source.
++.de Sh \" Subsection
++.br
++.if t .Sp
++.ne 5
++.PP
++\fB\\$1\fR
++.PP
++..
++.de Sp \" Vertical space (when we can't use .PP)
++.if t .sp .5v
++.if n .sp
++..
++.de Ip \" List item
++.br
++.ie \\n(.$>=3 .ne \\$3
++.el .ne 3
++.IP "\\$1" \\$2
++..
++.TH "SHADOWCONFIG" 8 "19 Apr 1997" "" ""
++.SH NAME
++shadowconfig \- toggle shadow passwords on and off
++.SH "SYNOPSIS"
++.ad l
++.hy 0
++.HP 13
++\fBshadowconfig\fR \fB\fIon\fR\fR | \fB\fIoff\fR\fR
++.ad
++.hy
++
++.SH "DESCRIPTION"
++
++.PP
++\fBshadowconfig\fR on will turn shadow passwords on; \fIshadowconfig off\fR will turn shadow passwords off\&. \fBshadowconfig\fR will print an error message and exit with a nonzero code if it finds anything awry\&. If that happens, you should correct the error and run it again\&. Turning shadow passwords on when they are already on, or off when they are already off, is harmless\&.
++
++.PP
++Read \fI/usr/share/doc/passwd/README\&.Debian\fR for a brief introduction to shadow passwords and related features\&.
++
++.PP
++Note that turning shadow passwords off and on again will lose all password aging information\&.
++
+Index: git/man/shadowconfig.8.xml
+===================================================================
+--- /dev/null
++++ git/man/shadowconfig.8.xml
+@@ -0,0 +1,52 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
++		"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
++<refentry id='shadowconfig.8'>
++  <!-- $Id: shadowconfig.8.xml,v 1.6 2005/06/15 12:39:27 kloczek Exp $ -->
++  <refentryinfo>
++    <date>19 Apr 1997</date>
++  </refentryinfo>
++  <refmeta>
++    <refentrytitle>shadowconfig</refentrytitle>
++    <manvolnum>8</manvolnum>
++    <refmiscinfo class='date'>19 Apr 1997</refmiscinfo>
++    <refmiscinfo class='source'>Debian GNU/Linux</refmiscinfo>
++  </refmeta>
++  <refnamediv id='name'>
++    <refname>shadowconfig</refname>
++    <refpurpose>toggle shadow passwords on and off</refpurpose>
++  </refnamediv>
++
++  <refsynopsisdiv id='synopsis'>
++    <cmdsynopsis>
++      <command>shadowconfig</command>
++      <group choice='plain'>
++        <arg choice='plain'><replaceable>on</replaceable></arg>
++        <arg choice='plain'><replaceable>off</replaceable></arg>
++      </group>
++    </cmdsynopsis>
++  </refsynopsisdiv>
++
++  <refsect1 id='description'>
++    <title>DESCRIPTION</title>
++    <para><command>shadowconfig</command> on will turn shadow passwords on;
++      <emphasis remap='B'>shadowconfig off</emphasis> will turn shadow
++      passwords off. <command>shadowconfig</command> will print an error
++      message and exit with a nonzero code if it finds anything awry. If
++      that happens, you should correct the error and run it again. Turning
++      shadow passwords on when they are already on, or off when they are
++      already off, is harmless.
++    </para>
++
++    <para>
++      Read <filename>/usr/share/doc/passwd/README.Debian</filename> for a
++      brief introduction
++      to shadow passwords and related features.
++    </para>
++
++    <para>Note that turning shadow passwords off and on again will lose all
++      password
++      aging information.
++    </para>
++  </refsect1>
++</refentry>
+Index: git/man/fr/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/fr/shadowconfig.8
+@@ -0,0 +1,26 @@
++.\" This file was generated with po4a. Translate the source file.
++.\"
++.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $
++.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux"
++.SH NOM
++shadowconfig \- active ou désactive les mots de passe cachés
++.SH SYNOPSIS
++\fBshadowconfig\fP \fIon\fP | \fIoff\fP
++.SH DESCRIPTION
++.PP
++\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message
++d'erreur et quitte avec une valeur de retour non nulle s'il rencontre
++quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant
++de recommencer.
++
++Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les
++désactiver lorsqu'ils ne sont pas actifs est sans effet.
++
++Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux
++mots de passe cachés et à leurs fonctionnalités.
++
++Notez que désactiver puis réactiver les mots de passe cachés aura pour
++conséquence la perte des informations d'âge sur les mots de passe.
++.SH TRADUCTION
++Nicolas FRANÇOIS, 2004.
++Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>.
+Index: git/man/ja/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/ja/shadowconfig.8
+@@ -0,0 +1,25 @@
++.\"     all right reserved,
++.\" Translated Tue Oct 30 11:59:11 JST 2001
++.\" by Maki KURODA <mkuroda@aisys-jp.com>
++.\"
++.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux"
++.SH 名前
++shadowconfig \- shadow パスワードの設定をオン及びオフに切替える
++.SH 書式
++.B "shadowconfig"
++.IR on " | " off
++.SH 説明
++.PP
++.B shadowconfig on
++は shadow パスワードを有効にする。
++.B shadowconfig off
++は shadow パスワードを無効にする。
++.B shadowconfig
++は何らかの間違いがあると、エラーメッセージを表示し、
++ゼロではない返り値を返す。
++もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。
++shadow パスワードの設定がすでにオンの場合にオンに設定したり、
++すでにオフの場合にオフに設定しても、何の影響もない。
++
++.I /usr/share/doc/passwd/README.debian.gz
++には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。
+Index: git/man/pl/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/pl/shadowconfig.8
+@@ -0,0 +1,27 @@
++.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $
++.\" {PTM/WK/1999-09-14}
++.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux"
++.SH NAZWA
++shadowconfig - przełącza ochronę haseł i grup przez pliki shadow
++.SH SKŁADNIA
++.B "shadowconfig"
++.IR on " | " off
++.SH OPIS
++.PP
++.B shadowconfig on
++włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow);
++.B shadowconfig off
++wyłącza dodatkowe pliki haseł i grup.
++.B shadowconfig
++wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli
++znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd
++.\" if it finds anything awry.
++i uruchomić program ponownie.
++
++Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie,
++gdy jest wyłączona jest nieszkodliwe.
++
++Przeczytaj
++.IR /usr/share/doc/passwd/README.debian.gz ,
++gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych
++plików haseł przesłanianych (shadow passwords) i związanych tematów.

debian/patches/505_useradd_recommend_adduser

@@ -0,0 +1,40 @@
+Goal: Recommend using adduser and deluser.
+
+Fixes: #406046
+
+Status wrt upstream: Debian specific patch.
+
+Index: git/man/useradd.8.xml
+===================================================================
+--- git.orig/man/useradd.8.xml
++++ git/man/useradd.8.xml
+@@ -105,6 +105,12 @@
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+       <para>
++	<command>useradd</command> is a low level utility for adding
++	users.  On Debian, administrators should usually use
++	<citerefentry><refentrytitle>adduser</refentrytitle>
++	<manvolnum>8</manvolnum></citerefentry> instead.
++      </para>
++      <para>
+ 	When invoked without the <option>-D</option> option, the
+ 	<command>useradd</command> command creates a new user account using
+ 	the values specified on the command line plus the default values from
+Index: git/man/userdel.8.xml
+===================================================================
+--- git.orig/man/userdel.8.xml
++++ git/man/userdel.8.xml
+@@ -83,6 +83,12 @@
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+     <para>
++      <command>userdel</command> is a low level utility for removing
++      users.  On Debian, administrators should usually use
++      <citerefentry><refentrytitle>deluser</refentrytitle>
++      <manvolnum>8</manvolnum></citerefentry> instead.
++    </para>
++    <para>
+       The <command>userdel</command> command modifies the system account
+       files, deleting all entries that refer to the user name <emphasis
+       remap='I'>LOGIN</emphasis>. The named user must exist.

debian/patches/506_relaxed_usernames

@@ -0,0 +1,106 @@
+Goal: Relaxed usernames/groupnames checking patch.
+
+Status wrt upstream: Debian specific. Not to be used upstream
+
+Details:
+ Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
+ characters and don't start with '-', '+', or '~'. This patch is more
+ restrictive than original Karl's version. closes: #264879
+ Also closes: #377844
+ 
+ Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
+ 
+ I can't come up with a good justification as to why characters other
+ than ':'s and '\0's should be disallowed in group and usernames (other
+ than '-' as the leading character).  Thus, the maintenance tools don't
+ anymore.  closes: #79682, #166798, #171179
+
+Index: git/libmisc/chkname.c
+===================================================================
+--- git.orig/libmisc/chkname.c
++++ git/libmisc/chkname.c
+@@ -48,6 +48,7 @@
+ 
+ static bool is_valid_name (const char *name)
+ {
++#if 0
+ 	/*
+ 	 * User/group names must match [a-z_][a-z0-9_-]*[$]
+ 	 */
+@@ -66,6 +67,26 @@
+ 			return false;
+ 		}
+ 	}
++#endif
++	/*
++	 * POSIX indicate that usernames are composed of characters from the
++	 * portable filename character set [A-Za-z0-9._-], and that the hyphen
++	 * should not be used as the first character of a portable user name.
++	 *
++	 * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
++	 */
++	if (   ('\0' == *name)
++	    || ('-'  == *name)
++	    || ('~'  == *name)
++	    || ('+'  == *name)) {
++		return false;
++	}
++	do {
++		if ((':' == *name) || (',' == *name) || isspace(*name)) {
++			return false;
++		}
++		name++;
++	} while ('\0' != *name);
+ 
+ 	return true;
+ }
+Index: git/man/useradd.8.xml
+===================================================================
+--- git.orig/man/useradd.8.xml
++++ git/man/useradd.8.xml
+@@ -633,12 +633,20 @@
+     </para>
+ 
+     <para>
+-      Usernames must start with a lower case letter or an underscore,
++      It is usually recommended to only use usernames that begin with a lower case letter or an underscore,
+       followed by lower case letters, digits, underscores, or dashes.
+       They can end with a dollar sign.
+       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+     </para>
+     <para>
++      On Debian, the only constraints are that usernames must neither start
++      with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
++      colon (':'), a comma (','), or a whitespace (space: ' ',
++      end of line: '\n', tabulation: '\t', etc.). Note that using a slash
++      ('/') may break the default algorithm for the definition of the
++      user's home directory.
++    </para>
++    <para>
+       Usernames may only be up to 32 characters long.
+     </para>
+   </refsect1>
+Index: git/man/groupadd.8.xml
+===================================================================
+--- git.orig/man/groupadd.8.xml
++++ git/man/groupadd.8.xml
+@@ -256,12 +256,18 @@
+    <refsect1 id='caveats'>
+      <title>CAVEATS</title>
+      <para>
+-       Groupnames must start with a lower case letter or an underscore,
++       It is usually recommended to only use groupnames that begin with a lower case letter or an underscore,
+        followed by lower case letters, digits, underscores, or dashes.
+        They can end with a dollar sign.
+        In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+      </para>
+      <para>
++       On Debian, the only constraints are that groupnames must neither start
++       with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
++       colon (':'), a comma (','), or a whitespace (space:' ',
++       end of line: '\n', tabulation: '\t', etc.).
++     </para>
++     <para>
+        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+      </para>
+      <para>

debian/patches/508_nologin_in_usr_sbin

@@ -0,0 +1,18 @@
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -24,7 +24,6 @@
+ # $prefix/bin and $prefix/sbin, no install-data hacks...)
+ 
+ bin_PROGRAMS   = groups login su
+-sbin_PROGRAMS  = nologin
+ ubin_PROGRAMS  = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
+ if ENABLE_SUBIDS
+ ubin_PROGRAMS += newgidmap newuidmap
+@@ -42,6 +41,7 @@
+ 	grpunconv \
+ 	logoutd \
+ 	newusers \
++	nologin \
+ 	pwck \
+ 	pwconv \
+ 	pwunconv \

debian/patches/542_useradd-O_option

@@ -0,0 +1,43 @@
+Goal: accepts the -O flag for backward compatibility. (was used by adduser?)
+
+Note: useradd.8 needs to be regenerated.
+
+Status wrt upstream: not included as this is just specific 
+                     backward compatibility for Debian
+
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -329,6 +329,11 @@
+ 	    databases are reset to avoid reusing the entry from a previously
+ 	    deleted user.
+ 	  </para>
++          <para>
++            For the compatibility with previous Debian's
++            <command>useradd</command>, the <option>-O</option> option is
++            also supported.
++          </para>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -1059,9 +1059,9 @@
+ 		};
+ 		while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
++		                         "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:UZ:",
+ #else				/* !WITH_SELINUX */
+-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
++		                         "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:U",
+ #endif				/* !WITH_SELINUX */
+ 		                         long_options, NULL)) != -1) {
+ 			switch (c) {
+@@ -1184,6 +1184,7 @@
+ 				kflg = true;
+ 				break;
+ 			case 'K':
++			case 'O': /* compatibility with previous Debian useradd */
+ 				/*
+ 				 * override login.defs defaults (-K name=value)
+ 				 * example: -K UID_MIN=100 -K UID_MAX=499

debian/patches/900_testsuite_groupmems

@@ -0,0 +1,81 @@
+--- a/debian/passwd.install
++++ b/debian/passwd.install
+@@ -9,6 +9,7 @@
+ usr/sbin/cppw
+ usr/sbin/groupadd
+ usr/sbin/groupdel
++usr/sbin/groupmems
+ usr/sbin/groupmod
+ usr/sbin/grpck
+ usr/sbin/grpconv
+@@ -33,6 +34,7 @@
+ usr/share/man/*/man8/chpasswd.8
+ usr/share/man/*/man8/groupadd.8
+ usr/share/man/*/man8/groupdel.8
++usr/share/man/*/man8/groupmems.8
+ usr/share/man/*/man8/groupmod.8
+ usr/share/man/*/man8/grpck.8
+ usr/share/man/*/man8/grpconv.8
+@@ -59,6 +61,7 @@
+ usr/share/man/man8/chpasswd.8
+ usr/share/man/man8/groupadd.8
+ usr/share/man/man8/groupdel.8
++usr/share/man/man8/groupmems.8
+ usr/share/man/man8/groupmod.8
+ usr/share/man/man8/grpck.8
+ usr/share/man/man8/grpconv.8
+--- a/debian/passwd.postinst
++++ b/debian/passwd.postinst
+@@ -31,6 +31,24 @@
+     			exit 1
+ 		)
+ 	fi
++	if ! getent group groupmems | grep -q '^groupmems:[^:]*:99'
++	then
++		groupadd -g 99 groupmems || (
++    			cat <<EOF
++************************  TESTSUITE  *****************************
++Group ID 99 has been allocated for the groupmems group.  You have either
++used 99 yourself or created a groupmems group with a different ID.
++Please correct this problem and reconfigure with ``dpkg --configure passwd''.
++
++Note that both user and group IDs in the range 0-99 are globally
++allocated by the Debian project and must be the same on every Debian
++system.
++EOF
++    			exit 1
++		)
++# FIXME
++		chgrp groupmems /usr/sbin/groupmems
++	fi
+     ;;
+ esac
+ 
+--- a/debian/rules
++++ b/debian/rules
+@@ -60,6 +60,7 @@
+ 	dh_installpam -p passwd --name=chsh
+ 	dh_installpam -p passwd --name=chpasswd
+ 	dh_installpam -p passwd --name=newusers
++	dh_installpam -p passwd --name=groupmems
+ ifeq ($(DEB_HOST_ARCH_OS),hurd)
+ # login is not built on The Hurd, but some utilities of passwd depends on
+ # /etc/login.defs.
+@@ -87,3 +88,6 @@
+ 	chgrp shadow debian/passwd/usr/bin/expiry
+ 	chmod g+s debian/passwd/usr/bin/chage
+ 	chmod g+s debian/passwd/usr/bin/expiry
++	chgrp groupmems debian/passwd/usr/sbin/groupmems
++	chmod u+s debian/passwd/usr/sbin/groupmems
++	chmod o-x debian/passwd/usr/sbin/groupmems
+--- /dev/null
++++ b/debian/passwd.groupmems.pam
+@@ -0,0 +1,8 @@
++# The PAM configuration file for the Shadow 'groupmod' service
++#
++
++# This allows root to modify groups without being prompted for a password
++auth		sufficient	pam_rootok.so
++
++@include common-auth
++@include common-account

debian/patches/901_testsuite_gcov

@@ -0,0 +1,76 @@
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -1,6 +1,8 @@
+ 
+ AUTOMAKE_OPTIONS = 1.0 foreign
+ 
++CFLAGS += -fprofile-arcs -ftest-coverage
++
+ DEFS = 
+ 
+ noinst_LTLIBRARIES = libshadow.la
+--- a/libmisc/Makefile.am
++++ b/libmisc/Makefile.am
+@@ -1,6 +1,8 @@
+ 
+ EXTRA_DIST = .indent.pro xgetXXbyYY.c
+ 
++CFLAGS += -fprofile-arcs -ftest-coverage
++
+ INCLUDES = -I$(top_srcdir)/lib
+ 
+ noinst_LIBRARIES = libmisc.a
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -7,6 +7,8 @@
+ suidperms = 4755
+ sgidperms = 2755
+ 
++CFLAGS += -fprofile-arcs -ftest-coverage
++
+ INCLUDES = \
+ 	-I${top_srcdir}/lib \
+ 	-I$(top_srcdir)/libmisc
+--- a/debian/rules
++++ b/debian/rules
+@@ -40,6 +40,12 @@
+ endif
+ export CFLAGS
+ 
++clean:: clean_gcov
++
++clean_gcov:
++	find . -name "*.gcda" -delete
++	find . -name "*.gcno" -delete
++
+ # Add extras to the install process:
+ binary-install/login::
+ 	dh_installpam -p login
+--- a/lib/defines.h
++++ b/lib/defines.h
+@@ -174,23 +174,9 @@
+    trust the formatted time received from the unix domain (or worse,
+    UDP) socket.  -MM */
+ /* Avoid translated PAM error messages: Set LC_ALL to "C".
++ * This is disabled for coverage testing
+  * --Nekral */
+-#define SYSLOG(x)							\
+-	do {								\
+-		char *old_locale = setlocale (LC_ALL, NULL);		\
+-		char *saved_locale = NULL;				\
+-		if (NULL != old_locale) {				\
+-			saved_locale = strdup (old_locale);		\
+-		}							\
+-		if (NULL != saved_locale) {				\
+-			(void) setlocale (LC_ALL, "C");			\
+-		}							\
+-		syslog x ;						\
+-		if (NULL != saved_locale) {				\
+-			(void) setlocale (LC_ALL, saved_locale);	\
+-			free (saved_locale);				\
+-		}							\
+-	} while (false)
++#define SYSLOG(x) syslog x
+ #else				/* !ENABLE_NLS */
+ #define SYSLOG(x) syslog x
+ #endif				/* !ENABLE_NLS */

debian/patches/README.patches

@@ -0,0 +1,22 @@
+Small intro to the system for numbering the patches here...
+
+-The 00xx-... patches are forwarded to upstream's git repository
+
+-The 0xx_... series of patches are patches isolated from the latest
+ version of the shadow Debian package not using quilt in order to
+ separate upstream from Debian-specific stuff.
+
+ NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES
+
+-The 4xx series are patches which have been applied to Debian's shadow
+ and have NOT been accepted and/or applied upstream. These patches MUST be kept
+ even after resynced with upstream
+
+-The 5xx series are patches which are applied to Debian's shadow
+ and will never be proposed upstream because they're too specific
+ This list SHOULD BE AS SHORT AS POSSIBLE
+
+In short, while we are working towards synchronisation with upstream,
+our goal is to make 0xx patches disappear by moving them either to 3xx
+series (things already implemented upstream) or to 4xx series
+(Debian-specific patches).

debian/patches/series

@@ -0,0 +1,20 @@
+# These patches are only for the testsuite:
+#900_testsuite_groupmems
+#901_testsuite_gcov
+
+503_shadowconfig.8
+008_login_log_failure_in_FTMP
+429_login_FAILLOG_ENAB
+401_cppw_src.dpatch
+# 402 should be merged in 401, but should be reviewed by SE Linux experts first
+402_cppw_selinux
+506_relaxed_usernames
+542_useradd-O_option
+463_login_delay_obeys_to_PAM
+508_nologin_in_usr_sbin
+505_useradd_recommend_adduser
+501_commonio_group_shadow
+0001-newgidmap-enforce-setgroups-deny-if-self-mapping-a-g.patch
+0002-gpasswd-1-Fix-password-leak.patch
+0003-Added-control-character-check.patch
+0004-Overhaul-valid_field.patch

debian/rules

@@ -0,0 +1,96 @@
+#!/usr/bin/make -f
+# -*- mode: makefile; coding: utf-8 -*-
+
+DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
+
+# Enable PIE, BINDNOW, and possible future flags.
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
+# Call autoreconf since we need to regenerate all the autofoo files
+include /usr/share/cdbs/1/rules/autoreconf.mk
+include /usr/share/cdbs/1/rules/debhelper.mk
+# Specify where dh_install will find the files that it needs to move:
+DEB_DH_INSTALL_SOURCEDIR=debian/tmp
+# Specify the destination of shadow's "make install"
+# (This is only needed on The Hurd, where only one package is built. On
+# the other arch, DEB_DESTDIR already points to debian/tmp)
+DEB_DESTDIR=$(CURDIR)/debian/tmp
+
+include /usr/share/cdbs/1/class/autotools.mk
+
+# Adds extra options when calling the configure script:
+DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared \
+	--without-libcrack \
+	--mandir=/usr/share/man \
+	--with-libpam \
+	--enable-shadowgrp \
+	--enable-man \
+	--disable-account-tools-setuid \
+	--with-group-name-max-length=32 \
+	--without-acl \
+	--without-attr \
+	--without-tcb \
+	 SHELL=/bin/sh
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+  DEB_CONFIGURE_EXTRA_FLAGS += --host=$(DEB_HOST_GNU_TYPE)
+endif
+
+# Set the default editor for vipw/vigr
+CFLAGS += -DDEFAULT_EDITOR=\\\"sensible-editor\\\"
+
+# Add extras to the install process:
+binary-install/login::
+ifeq ($(DEB_HOST_ARCH_OS),hurd)
+	# /bin/login is provided by the hurd package.
+	rm -f debian/login/bin/login
+endif
+ifneq ($(DEB_HOST_ARCH_OS),linux)
+	sed -i 's/session    optional   pam_keyinit.so/# Linux only # session    optional   pam_keyinit.so/' debian/login.pam
+endif
+	dh_installpam -p login
+	install -c -m 444 debian/login.defs debian/login/etc/login.defs
+	install -c -m 444 debian/securetty.$(DEB_HOST_ARCH_OS) debian/login/etc/securetty
+	dh_lintian -p login
+
+binary-install/passwd::
+	install -c -m 444 man/shadowconfig.8 debian/passwd/usr/share/man/man8
+	install -c -m 444 man/ja/shadowconfig.8 debian/passwd/usr/share/man/ja/man8
+	install -c -m 444 man/pl/shadowconfig.8 debian/passwd/usr/share/man/pl/man8
+	install -c -m 444 man/fr/shadowconfig.8 debian/passwd/usr/share/man/fr/man8
+	# Distribute the pam.d files; unless for the commands with disabled PAM
+	# support
+	dh_installpam -p passwd --name=passwd
+	dh_installpam -p passwd --name=chfn
+	dh_installpam -p passwd --name=chsh
+	dh_installpam -p passwd --name=chpasswd
+	dh_installpam -p passwd --name=newusers
+	install -c -m 644 debian/useradd.default debian/passwd/etc/default/useradd
+	install -d debian/passwd/sbin
+	install -c -m 555 debian/shadowconfig.sh debian/passwd/sbin/shadowconfig
+	install -c -m 444 debian/cpgr.8 debian/passwd/usr/share/man/man8
+	install -c -m 444 debian/cppw.8 debian/passwd/usr/share/man/man8
+	dh_lintian -p passwd
+
+binary-predeb/uidmap::
+	chmod u+s debian/uidmap/usr/bin/newuidmap
+	chmod u+s debian/uidmap/usr/bin/newgidmap
+
+binary-predeb/login::
+	# No real need for login to be setuid root
+	# chmod u+s debian/login/bin/login
+	chmod u+s debian/login/usr/bin/newgrp
+
+binary-predeb/passwd::
+	chmod u+s debian/passwd/usr/bin/chfn
+	chmod u+s debian/passwd/usr/bin/chsh
+	chmod u+s debian/passwd/usr/bin/gpasswd
+	chmod u+s debian/passwd/usr/bin/passwd
+	chgrp shadow debian/passwd/usr/bin/chage
+	chgrp shadow debian/passwd/usr/bin/expiry
+	chmod g+s debian/passwd/usr/bin/chage
+	chmod g+s debian/passwd/usr/bin/expiry
+
+clean::
+	sed -i 's/# Linux only # //' debian/login.pam

debian/securetty.hurd

@@ -0,0 +1,71 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+
+# for people with serial port consoles
+com0
+
+# Standard consoles
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+tty8
+tty9
+tty10
+tty11
+tty12
+tty13
+tty14
+tty15
+tty16
+tty17
+tty18
+tty19
+tty20
+tty21
+tty22
+tty23
+tty24
+tty25
+tty26
+tty27
+tty28
+tty29
+tty30
+tty31
+tty32
+tty33
+tty34
+tty35
+tty36
+tty37
+tty38
+tty39
+tty40
+tty41
+tty42
+tty43
+tty44
+tty45
+tty46
+tty47
+tty48
+tty49
+tty50
+tty51
+tty52
+tty53
+tty54
+tty55
+tty56
+tty57
+tty58
+tty59
+tty60
+tty61
+tty62
+tty63

debian/securetty.kfreebsd

@@ -0,0 +1,24 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+
+# for people with serial port consoles
+ttyd0
+ttyd1
+
+# Standard consoles
+ttyv0
+ttyv1
+ttyv2
+ttyv3
+ttyv4
+ttyv5
+ttyv6
+ttyv7
+ttyva
+ttyvb
+ttyvc
+ttyvd
+ttyve
+ttyvf
+

debian/securetty.knetbsd

@@ -0,0 +1,12 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+
+# for people with serial port consoles
+tty00
+
+# Standard consoles
+ttyE0
+ttyE1
+ttyE2
+ttyE3

debian/securetty.linux

@@ -0,0 +1,412 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+
+console
+
+# Local X displays (allows empty passwords with pam_unix's nullok_secure)
+:0
+:0.0
+:0.1
+:1
+:1.0
+:1.1
+:2
+:2.0
+:2.1
+:3
+:3.0
+:3.1
+#...
+
+
+# ==========================================================
+#
+# TTYs sorted by major number according to Documentation/devices.txt
+#
+# ==========================================================
+
+# Virtual consoles
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+tty8
+tty9
+tty10
+tty11
+tty12
+tty13
+tty14
+tty15
+tty16
+tty17
+tty18
+tty19
+tty20
+tty21
+tty22
+tty23
+tty24
+tty25
+tty26
+tty27
+tty28
+tty29
+tty30
+tty31
+tty32
+tty33
+tty34
+tty35
+tty36
+tty37
+tty38
+tty39
+tty40
+tty41
+tty42
+tty43
+tty44
+tty45
+tty46
+tty47
+tty48
+tty49
+tty50
+tty51
+tty52
+tty53
+tty54
+tty55
+tty56
+tty57
+tty58
+tty59
+tty60
+tty61
+tty62
+tty63
+
+# UART serial ports
+ttyS0
+ttyS1
+ttyS2
+ttyS3
+ttyS4
+ttyS5
+#...ttyS191
+
+# Serial Mux devices	(Linux/PA-RISC only)
+ttyB0
+ttyB1
+#...
+
+# Chase serial card
+ttyH0
+ttyH1
+#...
+
+# Cyclades serial cards
+ttyC0
+ttyC1
+#...ttyC31
+
+# Digiboard serial cards
+ttyD0
+ttyD1
+#...
+
+# Stallion serial cards
+ttyE0
+ttyE1
+#...ttyE255
+
+# Specialix serial cards
+ttyX0
+ttyX1
+#...
+
+# Comtrol Rocketport serial cards
+ttyR0
+ttyR1
+#...
+
+# SDL RISCom serial cards
+ttyL0
+ttyL1
+#...
+
+# Hayes ESP serial card
+ttyP0
+ttyP1
+#...
+
+# Computone IntelliPort II serial card
+ttyF0
+ttyF1
+#...ttyF255
+
+# Specialix IO8+ serial card
+ttyW0
+ttyW1
+#...
+
+# Comtrol VS-1000 serial controller
+ttyV0
+ttyV1
+#...
+
+# ISI serial card
+ttyM0
+ttyM1
+#...
+
+# Technology Concepts serial card
+ttyT0
+ttyT1
+#...
+
+# Specialix RIO serial card
+ttySR0
+ttySR1
+#...ttySR511
+
+# Chase Research AT/PCI-Fast serial card
+ttyCH0
+ttyCH1
+#...ttyCH63
+
+# Moxa Intellio serial card
+ttyMX0
+ttyMX1
+#...ttyMX127
+
+# SmartIO serial card
+ttySI0
+ttySI1
+#...
+
+# USB dongles
+ttyUSB0
+ttyUSB1
+ttyUSB2
+#...
+
+# LinkUp Systems L72xx UARTs
+ttyLU0
+ttyLU1
+ttyLU2
+ttyLU3
+
+# StrongARM builtin serial ports
+ttySA0
+ttySA1
+ttySA2
+
+# SCI serial port (SuperH) ports and SC26xx serial ports
+ttySC0
+ttySC1
+ttySC2
+ttySC3
+ttySC4
+ttySC5
+ttySC6
+ttySC7
+ttySC8
+ttySC9
+
+# ARM "AMBA" serial ports
+ttyAM0
+ttyAM1
+ttyAM2
+ttyAM3
+ttyAM4
+ttyAM5
+ttyAM6
+ttyAM7
+ttyAM8
+ttyAM9
+ttyAM10
+ttyAM11
+ttyAM12
+ttyAM13
+ttyAM14
+ttyAM15
+
+# Embedded ARM AMBA PL011 ports (e.g. emulated by QEMU)
+ttyAMA0
+ttyAMA1
+ttyAMA2
+ttyAMA3
+
+# DataBooster serial ports
+ttyDB0
+ttyDB1
+ttyDB2
+ttyDB3
+ttyDB4
+ttyDB5
+ttyDB6
+ttyDB7
+
+# SGI Altix console ports
+ttySG0
+
+# Motorola i.MX ports
+ttySMX0
+ttySMX1
+ttySMX2
+
+# Marvell MPSC ports
+ttyMM0
+ttyMM1
+
+# PPC CPM (SCC or SMC) ports
+ttyCPM0
+ttyCPM1
+ttyCPM2
+ttyCPM3
+ttyCPM4
+ttyCPM5
+
+# Altix serial cards
+ttyIOC0
+ttyIOC1
+#...ttyIOC31
+
+# NEC VR4100 series SIU
+ttyVR0
+
+# NEC VR4100 series SSIU
+ttyVR1
+
+# Altix ioc4 serial cards
+ttyIOC84
+ttyIOC85
+#...ttyIOC115
+
+# Altix ioc3 serial cards
+ttySIOC0
+ttySIOC1
+#...ttySIOC31
+
+# PPC PSC ports
+ttyPSC0
+ttyPSC1
+ttyPSC2
+ttyPSC3
+ttyPSC4
+ttyPSC5
+
+# ATMEL serial ports
+ttyAT0
+ttyAT1
+#...ttyAT15
+
+# Hilscher netX serial port
+ttyNX0
+ttyNX1
+#...ttyNX15
+
+# Xilinx uartlite - port
+ttyUL0
+ttyUL1
+ttyUL2
+ttyUL3
+
+# Xen virtual console - port 0
+xvc0
+
+# pmac_zilog - port
+ttyPZ0
+ttyPZ1
+ttyPZ2
+ttyPZ3
+
+# TX39/49 serial port
+ttyTX0
+ttyTX1
+ttyTX2
+ttyTX3
+ttyTX4
+ttyTX5
+ttyTX6
+ttyTX7
+
+# SC26xx serial ports (see SCI serial ports (SuperH))
+
+# MAX3100 serial ports
+ttyMAX0
+ttyMAX1
+ttyMAX2
+ttyMAX3
+
+# OMAP serial ports
+ttyO0
+ttyO1
+ttyO2
+ttyO3
+
+# User space serial ports
+ttyU0
+ttyU1
+
+# A2232 serial card
+ttyY0
+ttyY1
+
+# IBM 3270 terminal Unix tty access
+3270/tty1
+3270/tty2
+#...
+
+# IBM iSeries/pSeries virtual console
+hvc0
+hvc1
+#...
+#IBM pSeries console ports
+hvsi0
+hvsi1
+hvsi2
+
+# Equinox SST multi-port serial boards
+ttyEQ0
+ttyEQ1
+#...ttyEQ1027
+
+# ==========================================================
+#
+# Not in Documentation/Devices.txt
+#
+# ==========================================================
+
+# Embedded Freescale i.MX ports
+ttymxc0
+ttymxc1
+ttymxc2
+ttymxc3
+ttymxc4
+ttymxc5
+
+# LXC (Linux Containers)
+lxc/console
+lxc/tty1
+lxc/tty2
+lxc/tty3
+lxc/tty4
+
+# Serial Console for MIPS Swarm
+duart0
+duart1
+
+# s390 and s390x ports in LPAR mode
+ttysclp0
+
+# ODROID XU4 serial console
+ttySAC0
+ttySAC1
+ttySAC2
+ttySAC3

debian/shadowconfig.sh

@@ -0,0 +1,49 @@
+#!/bin/sh
+# turn shadow passwords on or off on a Debian system
+
+set -e
+
+shadowon () {
+    set -e
+    pwck -q -r
+    grpck -r
+    pwconv
+    grpconv
+    chown root:root /etc/passwd /etc/group
+    chmod 644 /etc/passwd /etc/group
+    chown root:shadow /etc/shadow /etc/gshadow
+    chmod 640 /etc/shadow /etc/gshadow
+}
+
+shadowoff () {
+    set -e
+    pwck -q -r
+    grpck -r
+    pwunconv
+    grpunconv
+    # sometimes the passwd perms get munged
+    chown root:root /etc/passwd /etc/group
+    chmod 644 /etc/passwd /etc/group
+}
+
+case "$1" in
+    "on")
+	if shadowon ; then
+	    echo Shadow passwords are now on.
+	else
+	    echo Please correct the error and rerun \`$0 on\'
+	    exit 1
+	fi
+	;;
+    "off")
+	if shadowoff ; then
+	    echo Shadow passwords are now off.
+	else
+	    echo Please correct the error and rerun \`$0 off\'
+	    exit 1
+	fi
+	;;
+     *)
+	echo Usage: $0 on \| off
+	;;
+esac

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/uidmap.install

@@ -0,0 +1,4 @@
+usr/bin/newuidmap
+usr/bin/newgidmap
+usr/share/man/man1/newuidmap.1
+usr/share/man/man1/newgidmap.1

debian/uidmap.lintian-overrides

@@ -0,0 +1,2 @@
+uidmap: setuid-binary usr/bin/newgidmap 4755 root/root
+uidmap: setuid-binary usr/bin/newuidmap 4755 root/root

debian/useradd.default

@@ -0,0 +1,37 @@
+# Default values for useradd(8)
+#
+# The SHELL variable specifies the default login shell on your
+# system.
+# Similar to DHSELL in adduser. However, we use "sh" here because
+# useradd is a low level utility and should be as general
+# as possible
+SHELL=/bin/sh
+#
+# The default group for users
+# 100=users on Debian systems
+# Same as USERS_GID in adduser
+# This argument is used when the -n flag is specified.
+# The default behavior (when -n and -g are not specified) is to create a
+# primary user group with the same name as the user being added to the
+# system.
+# GROUP=100
+#
+# The default home directory. Same as DHOME for adduser
+# HOME=/home
+#
+# The number of days after a password expires until the account 
+# is permanently disabled
+# INACTIVE=-1
+#
+# The default expire date
+# EXPIRE=
+#
+# The SKEL variable specifies the directory containing "skeletal" user
+# files; in other words, files such as a sample .profile that will be
+# copied to the new user's home directory when it is created.
+# SKEL=/etc/skel
+#
+# Defines whether the mail spool should be created while
+# creating the account
+# CREATE_MAIL_SPOOL=yes
+

debian/watch

@@ -0,0 +1,4 @@
+version=4
+opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%shadow-$1.tar.gz%" \
+   https://github.com/shadow-maint/shadow/tags \
+   (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate

etc/login.defs

@@ -229,7 +229,7 @@ SYS_UID_MAX		  999
 # Extra per user uids
 SUB_UID_MIN		   100000
 SUB_UID_MAX		600100000
-SUB_UID_COUNT		    10000
+SUB_UID_COUNT		    65536
 
 #
 # Min/max values for automatic gid selection in groupadd(8)
@@ -242,7 +242,7 @@ SYS_GID_MAX		  999
 # Extra per user group ids
 SUB_GID_MIN		   100000
 SUB_GID_MAX		600100000
-SUB_GID_COUNT		    10000
+SUB_GID_COUNT		    65536
 
 #
 # Max number of login(1) retries if password is bad
@@ -393,3 +393,8 @@ USERGROUPS_ENAB yes
 #
 #CREATE_HOME     yes
 
+#
+# Force use shadow, even if shadow passwd & shadow group files are
+# missing.
+#
+#FORCE_SHADOW    yes

lib/commonio.c

@@ -301,15 +301,12 @@ static int create_backup (const char *backup, FILE * fp)
 	struct utimbuf ub;
 	FILE *bkfp;
 	int c;
-	mode_t mask;
 
 	if (fstat (fileno (fp), &sb) != 0) {
 		return -1;
 	}
 
-	mask = umask (077);
-	bkfp = fopen (backup, "w");
-	(void) umask (mask);
+	bkfp = fopen_set_perms (backup, "w", &sb);
 	if (NULL == bkfp) {
 		return -1;
 	}
@@ -754,16 +751,16 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))
 	for (ptr = db->head;
 	        (NULL != ptr)
 #if KEEP_NIS_AT_END
-	     && (NULL != ptr->line)
-	     && (   ('+' != ptr->line[0])
-	         && ('-' != ptr->line[0]))
+	     && ((NULL == ptr->line)
+	         || (('+' != ptr->line[0])
+	             && ('-' != ptr->line[0])))
 #endif
 	     ;
 	     ptr = ptr->next) {
 		n++;
 	}
 #if KEEP_NIS_AT_END
-	if ((NULL != ptr) && (NULL != ptr->line)) {
+	if (NULL != ptr) {
 		nis = ptr;
 	}
 #endif
@@ -968,11 +965,10 @@ int commonio_close (struct commonio_db *db)
 	} else {
 		/*
 		 * Default permissions for new [g]shadow files.
-		 * (passwd and group always exist...)
 		 */
-		sb.st_mode = 0400;
-		sb.st_uid = 0;
-		sb.st_gid = 0;
+		sb.st_mode = db->st_mode;
+		sb.st_uid = db->st_uid;
+		sb.st_gid = db->st_gid;
 	}
 
 	snprintf (buf, sizeof buf, "%s+", db->filename);
@@ -1081,6 +1077,7 @@ int commonio_update (struct commonio_db *db, const void *eptr)
 	if (NULL != p) {
 		if (next_entry_by_name (db, p->next, db->ops->getname (eptr)) != NULL) {
 			fprintf (stderr, _("Multiple entries named '%s' in %s. Please fix this with pwck or grpck.\n"), db->ops->getname (eptr), db->filename);
+			db->ops->free (nentry);
 			return 0;
 		}
 		db->ops->free (p->eptr);

lib/commonio.h

@@ -31,8 +31,8 @@
  */
 
 /* $Id$ */
-#ifndef _COMMONIO_H
-#define _COMMONIO_H
+#ifndef COMMONIO_H
+#define COMMONIO_H
 
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
@@ -123,6 +123,12 @@ struct commonio_db {
 #ifdef WITH_SELINUX
 	/*@null@*/security_context_t scontext;
 #endif
+	/*
+	 * Default permissions and owner for newly created data file.
+         */
+	mode_t st_mode;
+	uid_t st_uid;
+	gid_t st_gid;
 	/*
 	 * Head, tail, current position in linked list.
 	 */

lib/getdef.c

@@ -49,6 +49,32 @@ struct itemdef {
 	/*@null@*/char *value;		/* value given, or NULL if no value     */
 };
 
+#define PAMDEFS					\
+	{"CHFN_AUTH", NULL},			\
+	{"CHSH_AUTH", NULL},			\
+	{"CRACKLIB_DICTPATH", NULL},		\
+	{"ENV_HZ", NULL},			\
+	{"ENVIRON_FILE", NULL},			\
+	{"ENV_TZ", NULL},			\
+	{"FAILLOG_ENAB", NULL},			\
+	{"FTMP_FILE", NULL},			\
+	{"ISSUE_FILE", NULL},			\
+	{"LASTLOG_ENAB", NULL},			\
+	{"LOGIN_STRING", NULL},			\
+	{"MAIL_CHECK_ENAB", NULL},		\
+	{"MOTD_FILE", NULL},			\
+	{"NOLOGINS_FILE", NULL},		\
+	{"OBSCURE_CHECKS_ENAB", NULL},		\
+	{"PASS_ALWAYS_WARN", NULL},		\
+	{"PASS_CHANGE_TRIES", NULL},		\
+	{"PASS_MAX_LEN", NULL},			\
+	{"PASS_MIN_LEN", NULL},			\
+	{"PORTTIME_CHECKS_ENAB", NULL},		\
+	{"QUOTAS_ENAB", NULL},			\
+	{"SU_WHEEL_ONLY", NULL},		\
+	{"ULIMIT", NULL},
+
+
 #define NUMDEFS	(sizeof(def_table)/sizeof(def_table[0]))
 static struct itemdef def_table[] = {
 	{"CHFN_RESTRICT", NULL},
@@ -102,29 +128,7 @@ static struct itemdef def_table[] = {
 	{"USERDEL_CMD", NULL},
 	{"USERGROUPS_ENAB", NULL},
 #ifndef USE_PAM
-	{"CHFN_AUTH", NULL},
-	{"CHSH_AUTH", NULL},
-	{"CRACKLIB_DICTPATH", NULL},
-	{"ENV_HZ", NULL},
-	{"ENVIRON_FILE", NULL},
-	{"ENV_TZ", NULL},
-	{"FAILLOG_ENAB", NULL},
-	{"FTMP_FILE", NULL},
-	{"ISSUE_FILE", NULL},
-	{"LASTLOG_ENAB", NULL},
-	{"LOGIN_STRING", NULL},
-	{"MAIL_CHECK_ENAB", NULL},
-	{"MOTD_FILE", NULL},
-	{"NOLOGINS_FILE", NULL},
-	{"OBSCURE_CHECKS_ENAB", NULL},
-	{"PASS_ALWAYS_WARN", NULL},
-	{"PASS_CHANGE_TRIES", NULL},
-	{"PASS_MAX_LEN", NULL},
-	{"PASS_MIN_LEN", NULL},
-	{"PORTTIME_CHECKS_ENAB", NULL},
-	{"QUOTAS_ENAB", NULL},
-	{"SU_WHEEL_ONLY", NULL},
-	{"ULIMIT", NULL},
+	PAMDEFS
 #endif
 #ifdef USE_SYSLOG
 	{"SYSLOG_SG_ENAB", NULL},
@@ -134,6 +138,15 @@ static struct itemdef def_table[] = {
 	{"TCB_AUTH_GROUP", NULL},
 	{"TCB_SYMLINKS", NULL},
 	{"USE_TCB", NULL},
+#endif
+	{"FORCE_SHADOW", NULL},
+	{NULL, NULL}
+};
+
+#define NUMKNOWNDEFS	(sizeof(knowndef_table)/sizeof(knowndef_table[0]))
+static struct itemdef knowndef_table[] = {
+#ifdef USE_PAM
+	PAMDEFS
 #endif
 	{NULL, NULL}
 };
@@ -397,10 +410,17 @@ static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name)
 	 * Item was never found.
 	 */
 
+	for (ptr = knowndef_table; NULL != ptr->name; ptr++) {
+		if (strcmp (ptr->name, name) == 0) {
+			goto out;
+		}
+	}
 	fprintf (stderr,
 	         _("configuration error - unknown item '%s' (notify administrator)\n"),
 	         name);
 	SYSLOG ((LOG_CRIT, "unknown configuration item `%s'", name));
+
+out:
 	return (struct itemdef *) NULL;
 }
 
@@ -416,23 +436,26 @@ static void def_load (void)
 	FILE *fp;
 	char buf[1024], *name, *value, *s;
 
+	/*
+	 * Set the initialized flag.
+	 * (do it early to prevent recursion in putdef_str())
+	 */
+	def_loaded = true;
+
 	/*
 	 * Open the configuration definitions file.
 	 */
 	fp = fopen (def_fname, "r");
 	if (NULL == fp) {
+		if (errno == ENOENT)
+			return;
+
 		int err = errno;
 		SYSLOG ((LOG_CRIT, "cannot open login definitions %s [%s]",
 		         def_fname, strerror (err)));
 		exit (EXIT_FAILURE);
 	}
 
-	/*
-	 * Set the initialized flag.
-	 * (do it early to prevent recursion in putdef_str())
-	 */
-	def_loaded = true;
-
 	/*
 	 * Go through all of the lines in the file.
 	 */

lib/getulong.c

@@ -44,22 +44,19 @@
  */
 int getulong (const char *numstr, /*@out@*/unsigned long int *result)
 {
-	long long int val;
+	unsigned long int val;
 	char *endptr;
 
 	errno = 0;
-	val = strtoll (numstr, &endptr, 0);
+	val = strtoul (numstr, &endptr, 0);
 	if (    ('\0' == *numstr)
 	     || ('\0' != *endptr)
 	     || (ERANGE == errno)
-	     /*@+ignoresigns@*/
-	     || (val != (unsigned long int)val)
-	     /*@=ignoresigns@*/
 	   ) {
 		return 0;
 	}
 
-	*result = (unsigned long int)val;
+	*result = val;
 	return 1;
 }
 

lib/groupio.c

@@ -130,6 +130,9 @@ static /*@owned@*/struct commonio_db group_db = {
 #ifdef WITH_SELINUX
 	NULL,			/* scontext */
 #endif
+	0644,                   /* st_mode */
+	0,                      /* st_uid */
+	0,                      /* st_gid */
 	NULL,			/* head */
 	NULL,			/* tail */
 	NULL,			/* cursor */
@@ -335,8 +338,7 @@ static /*@null@*/struct commonio_entry *merge_group_entries (
 		errno = ENOMEM;
 		return NULL;
 	}
-	snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line);
-	new_line[new_line_len] = '\0';
+	snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line);
 
 	/* Concatenate the 2 list of members */
 	for (i=0; NULL != gptr1->gr_mem[i]; i++);

lib/groupio.c~

@@ -1,458 +0,0 @@
-/*
- * Copyright (c) 1990 - 1994, Julianne Frances Haugh
- * Copyright (c) 1996 - 2000, Marek Michałkiewicz
- * Copyright (c) 2001       , Michał Moskal
- * Copyright (c) 2005       , Tomasz Kłoczko
- * Copyright (c) 2007 - 2010, Nicolas François
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. The name of the copyright holders or contributors may not be used to
- *    endorse or promote products derived from this software without
- *    specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
- * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <config.h>
-
-#ident "$Id$"
-
-#include <assert.h>
-#include <stdio.h>
-
-#include "prototypes.h"
-#include "defines.h"
-#include "commonio.h"
-#include "getdef.h"
-#include "groupio.h"
-
-static /*@null@*/struct commonio_entry *merge_group_entries (
-	/*@null@*/ /*@returned@*/struct commonio_entry *gr1,
-	/*@null@*/struct commonio_entry *gr2);
-static int split_groups (unsigned int max_members);
-static int group_open_hook (void);
-
-static /*@null@*/ /*@only@*/void *group_dup (const void *ent)
-{
-	const struct group *gr = ent;
-
-	return __gr_dup (gr);
-}
-
-static void group_free (/*@out@*/ /*@only@*/void *ent)
-{
-	struct group *gr = ent;
-
-	gr_free (gr);
-}
-
-static const char *group_getname (const void *ent)
-{
-	const struct group *gr = ent;
-
-	return gr->gr_name;
-}
-
-static void *group_parse (const char *line)
-{
-	return (void *) sgetgrent (line);
-}
-
-static int group_put (const void *ent, FILE * file)
-{
-	const struct group *gr = ent;
-
-	if (   (NULL == gr)
-	    || (valid_field (gr->gr_name, ":\n") == -1)
-	    || (valid_field (gr->gr_passwd, ":\n") == -1)
-	    || (gr->gr_gid == (gid_t)-1)) {
-		return -1;
-	}
-
-	/* FIXME: fail also if gr->gr_mem == NULL ?*/
-	if (NULL != gr->gr_mem) {
-		size_t i;
-		for (i = 0; NULL != gr->gr_mem[i]; i++) {
-			if (valid_field (gr->gr_mem[i], ",:\n") == -1) {
-				return -1;
-			}
-		}
-	}
-
-	return (putgrent (gr, file) == -1) ? -1 : 0;
-}
-
-static int group_close_hook (void)
-{
-	unsigned int max_members = getdef_unum("MAX_MEMBERS_PER_GROUP", 0);
-
-	if (0 == max_members) {
-		return 1;
-	}
-
-	return split_groups (max_members);
-}
-
-static struct commonio_ops group_ops = {
-	group_dup,
-	group_free,
-	group_getname,
-	group_parse,
-	group_put,
-	fgetsx,
-	fputsx,
-	group_open_hook,
-	group_close_hook
-};
-
-static /*@owned@*/struct commonio_db group_db = {
-	GROUP_FILE,		/* filename */
-	&group_ops,		/* ops */
-	NULL,			/* fp */
-#ifdef WITH_SELINUX
-	NULL,			/* scontext */
-#endif
-	NULL,			/* head */
-	NULL,			/* tail */
-	NULL,			/* cursor */
-	false,			/* changed */
-	false,			/* isopen */
-	false,			/* locked */
-	false			/* readonly */
-};
-
-int gr_setdbname (const char *filename)
-{
-	return commonio_setname (&group_db, filename);
-}
-
-/*@observer@*/const char *gr_dbname (void)
-{
-	return group_db.filename;
-}
-
-int gr_lock (void)
-{
-	return commonio_lock (&group_db);
-}
-
-int gr_open (int mode)
-{
-	return commonio_open (&group_db, mode);
-}
-
-/*@observer@*/ /*@null@*/const struct group *gr_locate (const char *name)
-{
-	return commonio_locate (&group_db, name);
-}
-
-/*@observer@*/ /*@null@*/const struct group *gr_locate_gid (gid_t gid)
-{
-	const struct group *grp;
-
-	gr_rewind ();
-	while (   ((grp = gr_next ()) != NULL)
-	       && (grp->gr_gid != gid)) {
-	}
-
-	return grp;
-}
-
-int gr_update (const struct group *gr)
-{
-	return commonio_update (&group_db, (const void *) gr);
-}
-
-int gr_remove (const char *name)
-{
-	return commonio_remove (&group_db, name);
-}
-
-int gr_rewind (void)
-{
-	return commonio_rewind (&group_db);
-}
-
-/*@observer@*/ /*@null@*/const struct group *gr_next (void)
-{
-	return commonio_next (&group_db);
-}
-
-int gr_close (void)
-{
-	return commonio_close (&group_db);
-}
-
-int gr_unlock (void)
-{
-	return commonio_unlock (&group_db);
-}
-
-void __gr_set_changed (void)
-{
-	group_db.changed = true;
-}
-
-/*@dependent@*/ /*@null@*/struct commonio_entry *__gr_get_head (void)
-{
-	return group_db.head;
-}
-
-/*@observer@*/const struct commonio_db *__gr_get_db (void)
-{
-	return &group_db;
-}
-
-void __gr_del_entry (const struct commonio_entry *ent)
-{
-	commonio_del_entry (&group_db, ent);
-}
-
-static int gr_cmp (const void *p1, const void *p2)
-{
-	gid_t u1, u2;
-
-	if ((*(struct commonio_entry **) p1)->eptr == NULL) {
-		return 1;
-	}
-	if ((*(struct commonio_entry **) p2)->eptr == NULL) {
-		return -1;
-	}
-
-	u1 = ((struct group *) (*(struct commonio_entry **) p1)->eptr)->gr_gid;
-	u2 = ((struct group *) (*(struct commonio_entry **) p2)->eptr)->gr_gid;
-
-	if (u1 < u2) {
-		return -1;
-	} else if (u1 > u2) {
-		return 1;
-	} else {
-		return 0;
-	}
-}
-
-/* Sort entries by GID */
-int gr_sort ()
-{
-	return commonio_sort (&group_db, gr_cmp);
-}
-
-static int group_open_hook (void)
-{
-	unsigned int max_members = getdef_unum("MAX_MEMBERS_PER_GROUP", 0);
-	struct commonio_entry *gr1, *gr2;
-
-	if (0 == max_members) {
-		return 1;
-	}
-
-	for (gr1 = group_db.head; NULL != gr1; gr1 = gr1->next) {
-		for (gr2 = gr1->next; NULL != gr2; gr2 = gr2->next) {
-			struct group *g1 = (struct group *)gr1->eptr;
-			struct group *g2 = (struct group *)gr2->eptr;
-			if (NULL != g1 &&
-			    NULL != g2 &&
-			    0 == strcmp (g1->gr_name, g2->gr_name) &&
-			    0 == strcmp (g1->gr_passwd, g2->gr_passwd) &&
-			    g1->gr_gid == g2->gr_gid) {
-				/* Both group entries refer to the same
-				 * group. It is a split group. Merge the
-				 * members. */
-				gr1 = merge_group_entries (gr1, gr2);
-				if (NULL == gr1)
-					return 0;
-				/* Unlink gr2 */
-				if (NULL != gr2->next) {
-					gr2->next->prev = gr2->prev;
-				}
-				/* gr2 does not start with head */
-				assert (NULL != gr2->prev);
-				gr2->prev->next = gr2->next;
-			}
-		}
-		assert (NULL != gr1);
-	}
-
-	return 1;
-}
-
-/*
- * Merge the list of members of the two group entries.
- *
- * The commonio_entry arguments shall be group entries.
- *
- * You should not merge the members of two groups if they don't have the
- * same name, password and gid.
- *
- * It merge the members of the second entry in the first one, and return
- * the modified first entry on success, or NULL on failure (with errno
- * set).
- */
-static /*@null@*/struct commonio_entry *merge_group_entries (
-	/*@null@*/ /*@returned@*/struct commonio_entry *gr1,
-	/*@null@*/struct commonio_entry *gr2)
-{
-	struct group *gptr1;
-	struct group *gptr2;
-	char **new_members;
-	size_t members = 0;
-	char *new_line;
-	size_t new_line_len, i;
-	if (NULL == gr2 || NULL == gr1) {
-		errno = EINVAL;
-		return NULL;
-	}
-
-	gptr1 = (struct group *)gr1->eptr;
-	gptr2 = (struct group *)gr2->eptr;
-	if (NULL == gptr2 || NULL == gptr1) {
-		errno = EINVAL;
-		return NULL;
-	}
-
-	/* Concatenate the 2 lines */
-	new_line_len = strlen (gr1->line) + strlen (gr2->line) +2;
-	new_line = (char *)malloc ((new_line_len + 1) * sizeof(char*));
-	if (NULL == new_line) {
-		errno = ENOMEM;
-		return NULL;
-	}
-	snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line);
-	new_line[new_line_len] = '\0';
-
-	/* Concatenate the 2 list of members */
-	for (i=0; NULL != gptr1->gr_mem[i]; i++);
-	members += i;
-	for (i=0; NULL != gptr2->gr_mem[i]; i++) {
-		char **pmember = gptr1->gr_mem;
-		while (NULL != *pmember) {
-			if (0 == strcmp(*pmember, gptr2->gr_mem[i])) {
-				break;
-			}
-			pmember++;
-		}
-		if (NULL == *pmember) {
-			members++;
-		}
-	}
-	new_members = (char **)malloc ( (members+1) * sizeof(char*) );
-	if (NULL == new_members) {
-		free (new_line);
-		errno = ENOMEM;
-		return NULL;
-	}
-	for (i=0; NULL != gptr1->gr_mem[i]; i++) {
-		new_members[i] = gptr1->gr_mem[i];
-	}
-	members = i;
-	for (i=0; NULL != gptr2->gr_mem[i]; i++) {
-		char **pmember = new_members;
-		while (NULL != *pmember) {
-			if (0 == strcmp(*pmember, gptr2->gr_mem[i])) {
-				break;
-			}
-			pmember++;
-		}
-		if (NULL == *pmember) {
-			new_members[members] = gptr2->gr_mem[i];
-			members++;
-			new_members[members] = NULL;
-		}
-	}
-
-	gr1->line = new_line;
-	gptr1->gr_mem = new_members;
-
-	return gr1;
-}
-
-/*
- * Scan the group database and split the groups which have more members
- * than specified, if this is the result from a current change.
- *
- * Return 0 on failure (errno set) and 1 on success.
- */
-static int split_groups (unsigned int max_members)
-{
-	struct commonio_entry *gr;
-
-	for (gr = group_db.head; NULL != gr; gr = gr->next) {
-		struct group *gptr = (struct group *)gr->eptr;
-		struct commonio_entry *new;
-		struct group *new_gptr;
-		unsigned int members = 0;
-		unsigned int i;
-
-		/* Check if this group must be split */
-		if (!gr->changed) {
-			continue;
-		}
-		if (NULL == gptr) {
-			continue;
-		}
-		for (members = 0; NULL != gptr->gr_mem[members]; members++);
-		if (members <= max_members) {
-			continue;
-		}
-
-		new = (struct commonio_entry *) malloc (sizeof *new);
-		if (NULL == new) {
-			errno = ENOMEM;
-			return 0;
-		}
-		new->eptr = group_dup(gr->eptr);
-		if (NULL == new->eptr) {
-			free (new);
-			errno = ENOMEM;
-			return 0;
-		}
-		new_gptr = (struct group *)new->eptr;
-		new->line = NULL;
-		new->changed = true;
-
-		/* Enforce the maximum number of members on gptr */
-		for (i = max_members; NULL != gptr->gr_mem[i]; i++) {
-			free (gptr->gr_mem[i]);
-			gptr->gr_mem[i] = NULL;
-		}
-		/* Shift all the members */
-		/* The number of members in new_gptr will be check later */
-		for (i = 0; NULL != new_gptr->gr_mem[i + max_members]; i++) {
-			if (NULL != new_gptr->gr_mem[i]) {
-				free (new_gptr->gr_mem[i]);
-			}
-			new_gptr->gr_mem[i] = new_gptr->gr_mem[i + max_members];
-			new_gptr->gr_mem[i + max_members] = NULL;
-		}
-		for (; NULL != new_gptr->gr_mem[i]; i++) {
-			free (new_gptr->gr_mem[i]);
-			new_gptr->gr_mem[i] = NULL;
-		}
-
-		/* insert the new entry in the list */
-		new->prev = gr;
-		new->next = gr->next;
-		gr->next = new;
-	}
-
-	return 1;
-}
-

lib/groupmem.c

@@ -55,15 +55,14 @@
 	gr->gr_name = strdup (grent->gr_name);
 	/*@=mustfreeonly@*/
 	if (NULL == gr->gr_name) {
-		free(gr);
+		gr_free(gr);
 		return NULL;
 	}
 	/*@-mustfreeonly@*/
 	gr->gr_passwd = strdup (grent->gr_passwd);
 	/*@=mustfreeonly@*/
 	if (NULL == gr->gr_passwd) {
-		free(gr->gr_name);
-		free(gr);
+		gr_free(gr);
 		return NULL;
 	}
 
@@ -73,21 +72,13 @@
 	gr->gr_mem = (char **) malloc ((i + 1) * sizeof (char *));
 	/*@=mustfreeonly@*/
 	if (NULL == gr->gr_mem) {
-		free(gr->gr_passwd);
-		free(gr->gr_name);
-		free(gr);
+		gr_free(gr);
 		return NULL;
 	}
 	for (i = 0; grent->gr_mem[i]; i++) {
 		gr->gr_mem[i] = strdup (grent->gr_mem[i]);
 		if (NULL == gr->gr_mem[i]) {
-			int j;
-			for (j=0; j<i; j++)
-				free(gr->gr_mem[j]);
-			free(gr->gr_mem);
-			free(gr->gr_passwd);
-			free(gr->gr_name);
-			free(gr);
+			gr_free(gr);
 			return NULL;
 		}
 	}

lib/prototypes.h

@@ -179,6 +179,9 @@ extern int getrange (char *range,
                      unsigned long *min, bool *has_min,
                      unsigned long *max, bool *has_max);
 
+/* gettime.c */
+extern time_t gettime ();
+
 /* get_uid.c */
 extern int get_uid (const char *uidstr, uid_t *uid);
 

lib/pwio.c

@@ -105,6 +105,9 @@ static struct commonio_db passwd_db = {
 #ifdef WITH_SELINUX
 	NULL,			/* scontext */
 #endif
+	0644,                   /* st_mode */
+	0,                      /* st_uid */
+	0,                      /* st_gid */
 	NULL,			/* head */
 	NULL,			/* tail */
 	NULL,			/* cursor */

lib/pwmem.c

@@ -56,45 +56,35 @@
 	pw->pw_name = strdup (pwent->pw_name);
 	/*@=mustfreeonly@*/
 	if (NULL == pw->pw_name) {
-		free(pw);
+		pw_free(pw);
 		return NULL;
 	}
 	/*@-mustfreeonly@*/
 	pw->pw_passwd = strdup (pwent->pw_passwd);
 	/*@=mustfreeonly@*/
 	if (NULL == pw->pw_passwd) {
-		free(pw->pw_name);
-		free(pw);
+		pw_free(pw);
 		return NULL;
 	}
 	/*@-mustfreeonly@*/
 	pw->pw_gecos = strdup (pwent->pw_gecos);
 	/*@=mustfreeonly@*/
 	if (NULL == pw->pw_gecos) {
-		free(pw->pw_passwd);
-		free(pw->pw_name);
-		free(pw);
+		pw_free(pw);
 		return NULL;
 	}
 	/*@-mustfreeonly@*/
 	pw->pw_dir = strdup (pwent->pw_dir);
 	/*@=mustfreeonly@*/
 	if (NULL == pw->pw_dir) {
-		free(pw->pw_gecos);
-		free(pw->pw_passwd);
-		free(pw->pw_name);
-		free(pw);
+		pw_free(pw);
 		return NULL;
 	}
 	/*@-mustfreeonly@*/
 	pw->pw_shell = strdup (pwent->pw_shell);
 	/*@=mustfreeonly@*/
 	if (NULL == pw->pw_shell) {
-		free(pw->pw_dir);
-		free(pw->pw_gecos);
-		free(pw->pw_passwd);
-		free(pw->pw_name);
-		free(pw);
+		pw_free(pw);
 		return NULL;
 	}
 

lib/sgroupio.c

@@ -40,6 +40,7 @@
 #include "prototypes.h"
 #include "defines.h"
 #include "commonio.h"
+#include "getdef.h"
 #include "sgroupio.h"
 
 /*@null@*/ /*@only@*/struct sgrp *__sgr_dup (const struct sgrp *sgent)
@@ -228,6 +229,9 @@ static struct commonio_db gshadow_db = {
 #ifdef WITH_SELINUX
 	NULL,			/* scontext */
 #endif
+	0400,                   /* st_mode */
+	0,                      /* st_uid */
+	0,                      /* st_gid */
 	NULL,			/* head */
 	NULL,			/* tail */
 	NULL,			/* cursor */
@@ -249,6 +253,8 @@ int sgr_setdbname (const char *filename)
 
 bool sgr_file_present (void)
 {
+	if (getdef_bool ("FORCE_SHADOW"))
+		return true;
 	return commonio_present (&gshadow_db);
 }
 

lib/shadowio.c

@@ -40,6 +40,7 @@
 #include <shadow.h>
 #include <stdio.h>
 #include "commonio.h"
+#include "getdef.h"
 #include "shadowio.h"
 #ifdef WITH_TCB
 #include <tcb.h>
@@ -104,6 +105,9 @@ static struct commonio_db shadow_db = {
 #ifdef WITH_SELINUX
 	NULL,			/* scontext */
 #endif				/* WITH_SELINUX */
+	0400,                   /* st_mode */
+	0,                      /* st_uid */
+	0,                      /* st_gid */
 	NULL,			/* head */
 	NULL,			/* tail */
 	NULL,			/* cursor */
@@ -125,6 +129,8 @@ int spw_setdbname (const char *filename)
 
 bool spw_file_present (void)
 {
+	if (getdef_bool ("FORCE_SHADOW"))
+		return true;
 	return commonio_present (&shadow_db);
 }
 

lib/shadowio.h

@@ -31,8 +31,8 @@
  */
 
 /* $Id$ */
-#ifndef _SHADOWIO_H
-#define _SHADOWIO_H
+#ifndef SHADOWIO_H
+#define SHADOWIO_H
 
 #include "defines.h"
 

lib/subordinateio.c

@@ -11,6 +11,8 @@
 #include <stdio.h>
 #include "commonio.h"
 #include "subordinateio.h"
+#include <sys/types.h>
+#include <pwd.h>
 
 struct subordinate_range {
 	const char *owner;
@@ -189,6 +191,15 @@ static const struct subordinate_range *find_range(struct commonio_db *db,
 						  const char *owner, unsigned long val)
 {
 	const struct subordinate_range *range;
+
+	/*
+	 * Search for exact username/group specification
+	 *
+	 * This is the original method - go fast through the db, doing only
+	 * exact username/group string comparison. Therefore we leave it as-is
+	 * for the time being, in order to keep it equally fast as it was
+	 * before.
+	 */
 	commonio_rewind(db);
 	while ((range = commonio_next(db)) != NULL) {
 		unsigned long first = range->start;
@@ -200,6 +211,76 @@ static const struct subordinate_range *find_range(struct commonio_db *db,
 		if ((val >= first) && (val <= last))
 			return range;
 	}
+
+
+        /*
+         * We only do special handling for these two files
+         */
+        if ((0 != strcmp(db->filename, "/etc/subuid")) && (0 != strcmp(db->filename, "/etc/subgid")))
+                return NULL;
+
+        /*
+         * Search loop above did not produce any result. Let's rerun it,
+         * but this time try to matcha actual UIDs. The first entry that
+         * matches is considered a success.
+         * (It may be specified as literal UID or as another username which
+         * has the same UID as the username we are looking for.)
+         */
+        struct passwd *pwd;
+        uid_t          owner_uid;
+        char           owner_uid_string[33] = "";
+
+
+        /* Get UID of the username we are looking for */
+        pwd = getpwnam(owner);
+        if (NULL == pwd) {
+                /* Username not defined in /etc/passwd, or error occured during lookup */
+                return NULL;
+        }
+        owner_uid = pwd->pw_uid;
+        sprintf(owner_uid_string, "%lu", (unsigned long int)owner_uid);
+
+        commonio_rewind(db);
+        while ((range = commonio_next(db)) != NULL) {
+                unsigned long first = range->start;
+                unsigned long last = first + range->count - 1;
+
+                /* For performance reasons check range before using getpwnam() */
+                if ((val < first) || (val > last)) {
+                        continue;
+                }
+
+                /*
+                 * Range matches. Check if range owner is specified
+                 * as numeric UID and if it matches.
+                 */
+                if (0 == strcmp(range->owner, owner_uid_string)) {
+                        return range;
+                }
+
+                /*
+                 * Ok, this range owner is not specified as numeric UID
+                 * we are looking for. It may be specified as another
+                 * UID or as a literal username.
+                 *
+                 * If specified as another UID, the call to getpwnam()
+                 * will return NULL.
+                 *
+                 * If specified as literal username, we will get its
+                 * UID and compare that to UID we are looking for.
+                 */
+                const struct passwd *range_owner_pwd;
+
+                range_owner_pwd = getpwnam(range->owner);
+                if (NULL == range_owner_pwd) {
+                        continue;
+                }
+
+                if (owner_uid == range_owner_pwd->pw_uid) {
+                        return range;
+                }
+        }
+
 	return NULL;
 }
 
@@ -460,6 +541,9 @@ static struct commonio_db subordinate_uid_db = {
 #ifdef WITH_SELINUX
 	NULL,			/* scontext */
 #endif
+	0644,                   /* st_mode */
+	0,                      /* st_uid */
+	0,                      /* st_gid */
 	NULL,			/* head */
 	NULL,			/* tail */
 	NULL,			/* cursor */
@@ -538,6 +622,9 @@ static struct commonio_db subordinate_gid_db = {
 #ifdef WITH_SELINUX
 	NULL,			/* scontext */
 #endif
+	0644,                   /* st_mode */
+	0,                      /* st_uid */
+	0,                      /* st_gid */
 	NULL,			/* head */
 	NULL,			/* tail */
 	NULL,			/* cursor */

libmisc/Makefile.am

@@ -1,7 +1,7 @@
 
 EXTRA_DIST = .indent.pro xgetXXbyYY.c
 
-INCLUDES = -I$(top_srcdir)/lib
+AM_CPPFLAGS = -I$(top_srcdir)/lib
 
 noinst_LIBRARIES = libmisc.a
 
@@ -31,6 +31,7 @@ libmisc_a_SOURCES = \
 	getdate.y \
 	getgr_nam_gid.c \
 	getrange.c \
+	gettime.c \
 	hushed.c \
 	idmapping.h \
 	idmapping.c \

libmisc/find_new_gid.c

@@ -1,6 +1,7 @@
 /*
  * Copyright (c) 1991 - 1994, Julianne Frances Haugh
  * Copyright (c) 2008 - 2011, Nicolas François
+ * Copyright (c) 2014, Red Hat, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -38,6 +39,117 @@
 #include "groupio.h"
 #include "getdef.h"
 
+/*
+ * get_ranges - Get the minimum and maximum ID ranges for the search
+ *
+ * This function will return the minimum and maximum ranges for IDs
+ *
+ * 0: The function completed successfully
+ * EINVAL: The provided ranges are impossible (such as maximum < minimum)
+ *
+ * preferred_min: The special-case minimum value for a specifically-
+ * requested ID, which may be lower than the standard min_id
+ */
+static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
+		       gid_t *preferred_min)
+{
+	gid_t gid_def_max = 0;
+
+	if (sys_group) {
+		/* System groups */
+
+		/* A requested ID is allowed to be below the autoselect range */
+		*preferred_min = (gid_t) 1;
+
+		/* Get the minimum ID range from login.defs or default to 101 */
+		*min_id = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
+
+		/*
+		 * If SYS_GID_MAX is unspecified, we should assume it to be one
+		 * less than the GID_MIN (which is reserved for non-system accounts)
+		 */
+		gid_def_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
+		*max_id = (gid_t) getdef_ulong ("SYS_GID_MAX",
+				(unsigned long) gid_def_max);
+
+		/* Check that the ranges make sense */
+		if (*max_id < *min_id) {
+			(void) fprintf (stderr,
+                            _("%s: Invalid configuration: SYS_GID_MIN (%lu), "
+                              "GID_MIN (%lu), SYS_GID_MAX (%lu)\n"),
+                            Prog, (unsigned long) *min_id,
+                            getdef_ulong ("GID_MIN", 1000UL),
+                            (unsigned long) *max_id);
+			return EINVAL;
+		}
+	} else {
+		/* Non-system groups */
+
+		/* Get the values from login.defs or use reasonable defaults */
+		*min_id = (gid_t) getdef_ulong ("GID_MIN", 1000UL);
+		*max_id = (gid_t) getdef_ulong ("GID_MAX", 60000UL);
+
+		/*
+		 * The preferred minimum should match the standard ID minimum
+		 * for non-system groups.
+		 */
+		*preferred_min = *min_id;
+
+		/* Check that the ranges make sense */
+		if (*max_id < *min_id) {
+			(void) fprintf (stderr,
+					_("%s: Invalid configuration: GID_MIN (%lu), "
+					  "GID_MAX (%lu)\n"),
+					Prog, (unsigned long) *min_id,
+					(unsigned long) *max_id);
+			return EINVAL;
+		}
+	}
+
+	return 0;
+}
+
+/*
+ * check_gid - See if the requested GID is available
+ *
+ * On success, return 0
+ * If the ID is in use, return EEXIST
+ * If the ID is outside the range, return ERANGE
+ * In other cases, return errno from getgrgid()
+ */
+static int check_gid (const gid_t gid,
+		      const gid_t gid_min,
+		      const gid_t gid_max,
+		      bool *used_gids)
+{
+	/* First test that the preferred ID is in the range */
+	if (gid < gid_min || gid > gid_max) {
+		return ERANGE;
+	}
+
+	/*
+	 * Check whether we already detected this GID
+	 * using the gr_next() loop
+	 */
+	if (used_gids != NULL && used_gids[gid]) {
+		return EEXIST;
+	}
+	/* Check if the GID exists according to NSS */
+	errno = 0;
+	if (getgrgid (gid) != NULL) {
+		return EEXIST;
+	} else {
+		/* getgrgid() was NULL
+		 * we have to ignore errors as temporary
+		 * failures of remote user identity services
+		 * would completely block user/group creation
+		 */
+	}
+
+	/* If we've made it here, the GID must be available */
+	return 0;
+}
+
 /*
  * find_new_gid - Find a new unused GID.
  *
@@ -49,161 +161,338 @@
  * Return 0 on success, -1 if no unused GIDs are available.
  */
 int find_new_gid (bool sys_group,
-                  gid_t *gid,
-                  /*@null@*/gid_t const *preferred_gid)
+                 gid_t *gid,
+                 /*@null@*/gid_t const *preferred_gid)
 {
-	const struct group *grp;
-	gid_t gid_min, gid_max, group_id;
 	bool *used_gids;
+	const struct group *grp;
+	gid_t gid_min, gid_max, preferred_min;
+	gid_t group_id, id;
+	gid_t lowest_found, highest_found;
+	int result;
+	int nospam = 0;
 
-	assert (gid != NULL);
+	assert(gid != NULL);
 
-	if (!sys_group) {
-		gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL);
-		gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL);
-		if (gid_max < gid_min) {
-			(void) fprintf (stderr,
-			                _("%s: Invalid configuration: GID_MIN (%lu), GID_MAX (%lu)\n"),
-			                Prog, (unsigned long) gid_min, (unsigned long) gid_max);
-			return -1;
-		}
-	} else {
-		gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
-		gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
-		gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max);
-		if (gid_max < gid_min) {
-			(void) fprintf (stderr,
-			                _("%s: Invalid configuration: SYS_GID_MIN (%lu), GID_MIN (%lu), SYS_GID_MAX (%lu)\n"),
-			                Prog, (unsigned long) gid_min, getdef_ulong ("GID_MIN", 1000UL), (unsigned long) gid_max);
+	/*
+	 * First, figure out what ID range is appropriate for
+	 * automatic assignment
+	 */
+	result = get_ranges (sys_group, &gid_min, &gid_max, &preferred_min);
+	if (result == EINVAL) {
+		return -1;
+	}
+
+	/* Check if the preferred GID is available */
+	if (preferred_gid) {
+		result = check_gid (*preferred_gid, preferred_min, gid_max, NULL);
+		if (result == 0) {
+			/*
+			 * Make sure the GID isn't queued for use already
+			 */
+			if (gr_locate_gid (*preferred_gid) == NULL) {
+				*gid = *preferred_gid;
+				return 0;
+			}
+			/*
+			 * gr_locate_gid() found the GID in an as-yet uncommitted
+			 * entry. We'll proceed below and auto-set a GID.
+			 */
+		} else if (result == EEXIST || result == ERANGE) {
+			/*
+			 * Continue on below. At this time, we won't
+			 * treat these two cases differently.
+			 */
+		} else {
+			/*
+			 * An unexpected error occurred. We should report
+			 * this and fail the group creation.
+			 * This differs from the automatic creation
+			 * behavior below, since if a specific GID was
+			 * requested and generated an error, the user is
+			 * more likely to want to stop and address the
+			 * issue.
+			 */
+			fprintf (stderr,
+				_("%s: Encountered error attempting to use "
+				  "preferred GID: %s\n"),
+				Prog, strerror (result));
 			return -1;
 		}
 	}
+
+	/*
+	 * Search the entire group file,
+	 * looking for the next unused value.
+	 *
+	 * We first check the local database with gr_rewind/gr_next to find
+	 * all local values that are in use.
+	 *
+	 * We then compare the next free value to all databases (local and
+	 * remote) and iterate until we find a free one. If there are free
+	 * values beyond the lowest (system groups) or highest (non-system
+	 * groups), we will prefer those and avoid potentially reclaiming a
+	 * deleted group (which can be a security issue, since it may grant
+	 * access to files belonging to that former group).
+	 *
+	 * If there are no GIDs available at the end of the search, we will
+	 * have no choice but to iterate through the range looking for gaps.
+	 *
+	 */
+
+	/* Create an array to hold all of the discovered GIDs */
 	used_gids = malloc (sizeof (bool) * (gid_max +1));
 	if (NULL == used_gids) {
 		fprintf (stderr,
-		         _("%s: failed to allocate memory: %s\n"),
-		         Prog, strerror (errno));
+			 _("%s: failed to allocate memory: %s\n"),
+			 Prog, strerror (errno));
 		return -1;
 	}
 	memset (used_gids, false, sizeof (bool) * (gid_max + 1));
 
-	if (   (NULL != preferred_gid)
-	    && (*preferred_gid >= gid_min)
-	    && (*preferred_gid <= gid_max)
-	    /* Check if the user exists according to NSS */
-	    && (getgrgid (*preferred_gid) == NULL)
-	    /* Check also the local database in case of uncommitted
-	     * changes */
-	    && (gr_locate_gid (*preferred_gid) == NULL)) {
-		*gid = *preferred_gid;
-		free (used_gids);
-		return 0;
-	}
-
-
-	/*
-	 * Search the entire group file,
-	 * looking for the largest unused value.
-	 *
-	 * We check the list of groups according to NSS (setgrent/getgrent),
-	 * but we also check the local database (gr_rewind/gr_next) in case
-	 * some groups were created but the changes were not committed yet.
-	 */
-	if (sys_group) {
-		gid_t id;
-		/* setgrent / getgrent / endgrent can be very slow with
-		 * LDAP configurations (and many accounts).
-		 * Since there is a limited amount of IDs to be tested
-		 * for system accounts, we just check the existence
-		 * of IDs with getgrgid.
+	/* First look for the lowest and highest value in the local database */
+	(void) gr_rewind ();
+	highest_found = gid_min;
+	lowest_found = gid_max;
+	while ((grp = gr_next ()) != NULL) {
+		/*
+		 * Does this entry have a lower GID than the lowest we've found
+		 * so far?
 		 */
-		group_id = gid_max;
-		for (id = gid_max; id >= gid_min; id--) {
-			if (getgrgid (id) != NULL) {
-				group_id = id - 1;
-				used_gids[id] = true;
-			}
+		if ((grp->gr_gid <= lowest_found) && (grp->gr_gid >= gid_min)) {
+			lowest_found = grp->gr_gid - 1;
 		}
 
-		(void) gr_rewind ();
-		while ((grp = gr_next ()) != NULL) {
-			if ((grp->gr_gid <= group_id) && (grp->gr_gid >= gid_min)) {
-				group_id = grp->gr_gid - 1;
-			}
-			/* create index of used GIDs */
-			if (grp->gr_gid <= gid_max) {
-				used_gids[grp->gr_gid] = true;
-			}
+		/*
+		 * Does this entry have a higher GID than the highest we've found
+		 * so far?
+		 */
+		if ((grp->gr_gid >= highest_found) && (grp->gr_gid <= gid_max)) {
+			highest_found = grp->gr_gid + 1;
 		}
-	} else {
-		group_id = gid_min;
-		setgrent ();
-		while ((grp = getgrent ()) != NULL) {
-			if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) {
-				group_id = grp->gr_gid + 1;
-			}
-			/* create index of used GIDs */
-			if (grp->gr_gid <= gid_max) {
-				used_gids[grp->gr_gid] = true;
-			}
-		}
-		endgrent ();
 
-		(void) gr_rewind ();
-		while ((grp = gr_next ()) != NULL) {
-			if ((grp->gr_gid >= group_id) && (grp->gr_gid <= gid_max)) {
-				group_id = grp->gr_gid + 1;
-			}
-			/* create index of used GIDs */
-			if (grp->gr_gid <= gid_max) {
-				used_gids[grp->gr_gid] = true;
-			}
+		/* create index of used GIDs */
+		if (grp->gr_gid >= gid_min
+			&& grp->gr_gid <= gid_max) {
+
+			used_gids[grp->gr_gid] = true;
 		}
 	}
 
-	/*
-	 * If a group (resp. system group) with GID equal to GID_MAX (resp.
-	 * GID_MIN) exists, the above algorithm will give us GID_MAX+1
-	 * (resp. GID_MIN-1) even if not unique. Search for the first free
-	 * GID starting with GID_MIN (resp. GID_MAX).
-	 */
 	if (sys_group) {
-		if (group_id < gid_min) {
-			for (group_id = gid_max; group_id >= gid_min; group_id--) {
-				if (false == used_gids[group_id]) {
-					break;
-				}
-			}
-			if (group_id < gid_min) {
-				fprintf (stderr,
-				         _("%s: Can't get unique system GID (no more available GIDs)\n"),
-				         Prog);
-				SYSLOG ((LOG_WARN,
-				         "no more available GID on the system"));
+		/*
+		 * For system groups, we want to start from the
+		 * top of the range and work downwards.
+		 */
+
+		/*
+		 * At the conclusion of the gr_next() search, we will either
+		 * have a presumed-free GID or we will be at GID_MIN - 1.
+		 */
+		if (lowest_found < gid_min) {
+			/*
+			 * In this case, a GID is in use at GID_MIN.
+			 *
+			 * We will reset the search to GID_MAX and proceed down
+			 * through all the GIDs (skipping those we detected with
+			 * used_gids) for a free one. It is a known issue that
+			 * this may result in reusing a previously-deleted GID,
+			 * so administrators should be instructed to use this
+			 * auto-detection with care (and prefer to assign GIDs
+			 * explicitly).
+			 */
+			lowest_found = gid_max;
+		}
+
+		/* Search through all of the IDs in the range */
+		for (id = lowest_found; id >= gid_min; id--) {
+			result = check_gid (id, gid_min, gid_max, used_gids);
+			if (result == 0) {
+				/* This GID is available. Return it. */
+				*gid = id;
 				free (used_gids);
-				return -1;
+				return 0;
+			} else if (result == EEXIST) {
+				/* This GID is in use, we'll continue to the next */
+			} else {
+				/*
+				 * An unexpected error occurred.
+				 *
+				 * Only report it the first time to avoid spamming
+				 * the logs
+				 *
+				 */
+				if (!nospam) {
+					fprintf (stderr,
+						_("%s: Can't get unique system GID (%s). "
+						  "Suppressing additional messages.\n"),
+						Prog, strerror (result));
+					SYSLOG ((LOG_ERR,
+						"Error checking available GIDs: %s",
+						strerror (result)));
+					nospam = 1;
+				}
+				/*
+				 * We will continue anyway. Hopefully a later GID
+				 * will work properly.
+				 */
 			}
 		}
-	} else {
-		if (group_id > gid_max) {
-			for (group_id = gid_min; group_id <= gid_max; group_id++) {
-				if (false == used_gids[group_id]) {
-					break;
+
+		/*
+		 * If we get all the way through the loop, try again from GID_MAX,
+		 * unless that was where we previously started. (NOTE: the worst-case
+		 * scenario here is that we will run through (GID_MAX - GID_MIN - 1)
+		 * cycles *again* if we fall into this case with lowest_found as
+		 * GID_MAX - 1, all groups in the range in use and maintained by
+		 * network services such as LDAP.)
+		 */
+		if (lowest_found != gid_max) {
+			for (id = gid_max; id >= gid_min; id--) {
+				result = check_gid (id, gid_min, gid_max, used_gids);
+				if (result == 0) {
+					/* This GID is available. Return it. */
+					*gid = id;
+					free (used_gids);
+					return 0;
+				} else if (result == EEXIST) {
+					/* This GID is in use, we'll continue to the next */
+				} else {
+					/*
+					 * An unexpected error occurred.
+					 *
+					 * Only report it the first time to avoid spamming
+					 * the logs
+					 *
+					 */
+					if (!nospam) {
+						fprintf (stderr,
+							_("%s: Can't get unique system GID (%s). "
+							  "Suppressing additional messages.\n"),
+							Prog, strerror (result));
+						SYSLOG ((LOG_ERR,
+							"Error checking available GIDs: %s",
+							strerror (result)));
+						nospam = 1;
+					}
+					/*
+					 * We will continue anyway. Hopefully a later GID
+					 * will work properly.
+					 */
 				}
 			}
-			if (group_id > gid_max) {
-				fprintf (stderr,
-				         _("%s: Can't get unique GID (no more available GIDs)\n"),
-				         Prog);
-				SYSLOG ((LOG_WARN, "no more available GID on the system"));
+		}
+	} else { /* !sys_group */
+		/*
+		 * For non-system groups, we want to start from the
+		 * bottom of the range and work upwards.
+		 */
+
+		/*
+		 * At the conclusion of the gr_next() search, we will either
+		 * have a presumed-free GID or we will be at GID_MAX + 1.
+		 */
+		if (highest_found > gid_max) {
+			/*
+			 * In this case, a GID is in use at GID_MAX.
+			 *
+			 * We will reset the search to GID_MIN and proceed up
+			 * through all the GIDs (skipping those we detected with
+			 * used_gids) for a free one. It is a known issue that
+			 * this may result in reusing a previously-deleted GID,
+			 * so administrators should be instructed to use this
+			 * auto-detection with care (and prefer to assign GIDs
+			 * explicitly).
+			 */
+			highest_found = gid_min;
+		}
+
+		/* Search through all of the IDs in the range */
+		for (id = highest_found; id <= gid_max; id++) {
+			result = check_gid (id, gid_min, gid_max, used_gids);
+			if (result == 0) {
+				/* This GID is available. Return it. */
+				*gid = id;
 				free (used_gids);
-				return -1;
+				return 0;
+			} else if (result == EEXIST) {
+				/* This GID is in use, we'll continue to the next */
+			} else {
+				/*
+				 * An unexpected error occurred.
+				 *
+				 * Only report it the first time to avoid spamming
+				 * the logs
+				 *
+				 */
+				if (!nospam) {
+					fprintf (stderr,
+						_("%s: Can't get unique GID (%s). "
+						  "Suppressing additional messages.\n"),
+						Prog, strerror (result));
+					SYSLOG ((LOG_ERR,
+						"Error checking available GIDs: %s",
+						strerror (result)));
+					nospam = 1;
+				}
+				/*
+				 * We will continue anyway. Hopefully a later GID
+				 * will work properly.
+				 */
+			}
+		}
+
+		/*
+		 * If we get all the way through the loop, try again from GID_MIN,
+		 * unless that was where we previously started. (NOTE: the worst-case
+		 * scenario here is that we will run through (GID_MAX - GID_MIN - 1)
+		 * cycles *again* if we fall into this case with highest_found as
+		 * GID_MIN + 1, all groups in the range in use and maintained by
+		 * network services such as LDAP.)
+		 */
+		if (highest_found != gid_min) {
+			for (id = gid_min; id <= gid_max; id++) {
+				result = check_gid (id, gid_min, gid_max, used_gids);
+				if (result == 0) {
+					/* This GID is available. Return it. */
+					*gid = id;
+					free (used_gids);
+					return 0;
+				} else if (result == EEXIST) {
+					/* This GID is in use, we'll continue to the next */
+				} else {
+					/*
+					 * An unexpected error occurred.
+					 *
+					 * Only report it the first time to avoid spamming
+					 * the logs
+					 *
+					 */
+					if (!nospam) {
+						fprintf (stderr,
+							_("%s: Can't get unique GID (%s). "
+							  "Suppressing additional messages.\n"),
+							Prog, strerror (result));
+						SYSLOG ((LOG_ERR,
+							"Error checking available GIDs: %s",
+							strerror (result)));
+						nospam = 1;
+					}
+					/*
+					 * We will continue anyway. Hopefully a later GID
+					 * will work properly.
+					 */
+				}
 			}
 		}
 	}
 
+	/* The code reached here and found no available IDs in the range */
+	fprintf (stderr,
+		_("%s: Can't get unique GID (no more available GIDs)\n"),
+		Prog);
+	SYSLOG ((LOG_WARN, "no more available GIDs on the system"));
 	free (used_gids);
-	*gid = group_id;
-	return 0;
+	return -1;
 }