Add Salsa-CI config

shadow (1:4.2-3+deb8u6) jessie-security; urgency=high
.
  * Non-maintainer upload by the ELTS Security Team.
  * CVE-2023-4641: When asking for a new password, shadow-utils asks the
    password twice. If the password fails on the second attempt,
    shadow-utils fails in cleaning the buffer used to store the first
    entry. This may allow an attacker with enough access to retrieve the
    password from the memory. (Closes: #1051062)
  * CVE-2023-29383: It is possible to inject control characters into
    fields provided to the SUID program chfn (change finger). Although it
    is not possible to exploit this directly (e.g., adding a new user
    fails because \n is in the block list), it is possible to misrepresent
    the /etc/passwd file when viewed. (Closes: #1034482)

.gitignore

@@ -17,7 +17,6 @@ Makefile.in
 /ABOUT-NLS
 /aclocal.m4
 /autom4te.cache
-/compile
 /config.guess
 /config.h
 /config.h.in

configure.in

@@ -1,6 +1,6 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_INIT
-AM_INIT_AUTOMAKE(shadow, 4.4)
+AM_INIT_AUTOMAKE(shadow, 4.2)
 AC_CONFIG_HEADERS([config.h])
 
 dnl Some hacks...
@@ -335,10 +335,16 @@ if test "$enable_subids" != "no"; then
 	dnl
 	dnl FIXME: check if 32 bit UIDs/GIDs are supported by libc
 	dnl
-	AC_CHECK_SIZEOF([uid_t],, [#include "sys/types.h"])
-	AC_CHECK_SIZEOF([gid_t],, [#include "sys/types.h"])
+	AC_RUN_IFELSE([AC_LANG_SOURCE([
+#include <sys/types.h>
+int main(void) {
+	uid_t u;
+	gid_t g;
+	return (sizeof u < 4) || (sizeof g < 4);
+}
+	])], [id32bit="yes"], [id32bit="no"])
 
-	if test "$ac_cv_sizeof_uid_t" -ge 4 && test "$ac_cv_sizeof_gid_t" -ge 4; then
+	if test "x$id32bit" = "xyes"; then
 		AC_DEFINE(ENABLE_SUBIDS, 1, [Define to support the subordinate IDs.])
 		enable_subids="yes"
 	else

debian/Makefile

@@ -0,0 +1,16 @@
+PKG=shadow
+SITE=ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/
+
+deb:: check_cheese
+
+include /usr/share/quilt/quilt.debbuild.mk
+
+check_cheese:
+	@dpkg-parsechangelog | grep -q "\* The \".*\".* release\." || { \
+		echo ""; \
+		echo " **                                  **"; \
+		echo " **  Warning: not a cheesy release!  **"; \
+		echo " **                                  **"; \
+		echo ""; \
+		exit 1; \
+	}

debian/NEWS

@@ -0,0 +1,36 @@
+shadow (1:4.0.15-5) unstable; urgency=low
+
+  * commands passed in argument to su must use su's -c option and must quote
+    the command if it contains a space, as in:
+        su - root -c "ls -l /"
+    The following commands won't work anymore:
+        su - root -c ls -l /
+        su - root "ls -l /"
+        su - root ls -l /
+
+ -- Christian Perrier <bubulle@debian.org>  Sat,  8 Apr 2006 20:11:38 +0200
+
+shadow (1:4.0.14-1) unstable; urgency=low
+
+  * passwd does not support the -f, -s, and -g options anymore. You should use
+    the chfn, chsh and gpasswd utilities instead.
+  * login now distributes the nologin utility, which can be used as a shell
+    to politely refuse a login
+
+ -- Christian Perrier <bubulle@debian.org>  Thu,  5 Jan 2006 08:47:44 +0100
+
+shadow (1:4.0.12-1) unstable; urgency=low
+
+  CLOSE_SESSIONS and other variables are not used anymore in
+  /etc/login/defs.
+  As shadow utilities which use this file now warn about unknown
+  entries there, administrators should remove such unknown entries.
+  The supplied login.defs file does not include them anymore.
+
+  dpasswd is no more distributed by upstream. Login do not support
+  dialup password anymore.  Re-introducing this functionality in
+  upstream is not trivial.
+
+
+ -- Christian Perrier <bubulle@debian.org>  Thu, 25 Aug 2005 08:38:47 +0200
+

debian/README.debian

@@ -0,0 +1,62 @@
+Read this file first for a brief overview of the new versions of login
+and passwd.
+
+
+---Shadow passwords
+
+The command `shadowconfig on' will turn on shadow password support.
+`shadowconfig off' will turn it back off.  If you turn on shadow
+password support, you'll gain the ability to set password ages and
+expirations with chage(1).
+
+NOTE: If you use the nscd package, you may have problems with a
+slight delay in updating the password information. You may notice
+this during upgrades of certain packages that try to add a system
+user and then access the users information immediately afterwards.
+To avoid this, it is suggested that you stop the nscd daemon before
+upgrades, then restart it again.
+
+---General configuration
+
+Most of the configuration for the shadow utilities is in
+/etc/login.defs.  See login.defs(5).  The defaults are quite
+reasonable.
+
+Also see the /etc/pam.d/* files for each program to configure the PAM
+support. PAM documentation is available in several formats in the
+libpam-doc package.
+
+
+---MD5 Encryption
+
+This is enabled now using the /etc/pam.d/* files. Examples are given.
+
+
+---Adding users and groups
+
+Though you may add users and groups with the SysV type commands,
+useradd and groupadd, I recommend you add them with Debian adduser
+version 3+.  adduser gives you more configuration and conforms to the
+Debian UID and GID allocation.
+
+Editing user and group parameters can be done with usermod and
+groupmod.  Removing users and groups can be done with userdel and
+groupdel.
+
+
+--- Group administration
+
+Local group allocation is much easier.  With gpasswd(1) you can
+designate users to administer groups.  They can then securely add or
+remove users from the group.
+
+
+--- What to read next?
+
+Read the manpages, the other files in this directory, and the Shadow
+Password HOWTO (included in the doc-linux package).  A large portion
+of these files deals with getting shadow installed.  You can, of
+course, ignore those parts.
+
+Also, the libpam-doc package will go a long way to allowing you to take
+full advantage of the PAM authentication scheme.

debian/README.source

@@ -0,0 +1,17 @@
+This package uses quilt to patch the upstream source.
+
+You can find some info on how to generate the patched source, add a new
+modification, and remove an existing modification on:
+	/usr/share/doc/quilt/README.source
+
+================================================================================
+
+To package a new upstream release, you can use the Makefile:
+	svn://svn.debian.org/svn/pkg-shadow/debian/trunk/Makefile
+
+================================================================================
+
+A testsuite is also available. Instruction on how to run this testsuite
+are available on:
+	svn://svn.debian.org/svn/pkg-shadow/debian/trunk/tests/README
+

debian/TODO

@@ -0,0 +1,19 @@
+Things that should be done:
+ * Verify the files left in debian/tmp
+   + e.g. /etc/default/adduser should be installed
+ * Check the build system: rebuilding the package twoce in the same tree
+   doubles the size of the diff.gz file
+
+Other points (not related to the release of a syncronized shadow):
+ * compare the source with the usages and man pages
+   + probably add a sentence to chsh/chfn's manpages about authentication
+     required for ordinary users
+ * do something (a tool) for the variables in login.defs
+   In Debian, some tools are not compiled with the PAM support, so upstream
+   getdef.c won't be OK.
+   It should be nice to see in each man page the set of variables used.
+   The Debian package can now compile (export DEB_BUILD_OPTIONS='nostrip debug')
+   with the debugging informations. This may be used to extract the set of
+   variables used in Debian/for each tools.
+ * verify all the patches around (I've found patches for at least RedHat,
+   OWL, LFS, Mandriva, Gentoo; are they already applied?)

debian/bugs-usertags

@@ -0,0 +1,25 @@
+This described the usertags used by the team.
+
+For usertags documentation, see
+http://lists.debian.org/debian-devel-announce/2005/09/msg00002.html
+
+All bugs tagged by team members must be tagged with 
+"user pkg-shadow-devel@lists.alioth.debian.org"
+
+Tags list
+---------
+
+toclose:         This bug has been announced to be closed in case no more news
+                 or information is received from the bug submitter or someone
+                 else until the delay specified in the limits_YYYYMMDD tag
+
+limits-YYYYMMDD: combine it with "toclose". Specifies the date after which
+                 bugs can be closed without other action in case no news 
+                 is received
+
+manpages-replace A bug reported angainst a manpages-xx package to indicate
+                 conflicting man pages. This tag can be used to tune the
+                 Replaces fields.
+
+su-transition:   This bug is related to the su transition (#276419)
+

debian/compat

@@ -0,0 +1 @@
+6

debian/control

@@ -0,0 +1,45 @@
+Source: shadow
+Section: admin
+Priority: required
+Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
+Standards-Version: 3.9.5
+Uploaders: Christian Perrier <bubulle@debian.org>,
+           Balint Reczey <balint@balintreczey.hu>
+Build-Depends: dh-autoreconf, gettext, libpam0g-dev, debhelper (>= 6.0.7~), quilt, dpkg-dev (>= 1.13.5), xsltproc, docbook-xsl, docbook-xml, libxml2-utils, cdbs, libselinux1-dev [linux-any], libsemanage1-dev [linux-any], gnome-doc-utils (>= 0.4.3), bison, libaudit-dev [linux-any]
+ ,hardening-wrapper
+Vcs-Git: git://anonscm.debian.org/git/pkg-shadow/shadow.git
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-shadow/shadow.git;a=summary
+Homepage: http://pkg-shadow.alioth.debian.org/
+
+Package: passwd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-modules, debianutils (>= 2.15.2)
+Replaces: manpages-tr (<<1.0.5), manpages-zh (<<1.5.1-1)
+Multi-Arch: foreign
+Description: change and administer password and group data
+ This package includes passwd, chsh, chfn, and many other programs to
+ maintain password and group data.
+ .
+ Shadow passwords are supported.  See /usr/share/doc/passwd/README.Debian
+
+Package: login
+Architecture: any
+Pre-Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime, libpam-modules (>= 1.1.8-1)
+Conflicts: gnunet (<< 0.7.0c-2), amavisd-new (<<2.3.3-8), python-4suite (<< 0.99cvs20060405-1), backupninja (<< 0.9.3-5), echolot (<< 2.1.8-4)
+Breaks: coreutils (<< 8.21~) [hurd-any], passwd (<< 1:4.1.5.1-2~) [hurd-any], hurd (<< 20140206~) [hurd-any]
+Replaces: manpages-de (<< 0.5-3), manpages-tr (<<1.0.5), manpages-zh (<<1.5.1-1), passwd (<< 1:4.1.5.1-2~) [hurd-any], coreutils (<< 8.21~) [hurd-any], hurd (<< 20140206~) [hurd-any]
+Essential: yes
+Description: system login tools
+ These tools are required to be able to login and use your system. The
+ login program invokes your user shell and enables command execution. The
+ newgrp program is used to change your effective group ID (useful for
+ workgroup type situations). The su program allows changing your effective
+ user ID (useful being able to execute commands as another user).
+
+Package: uidmap
+Priority: optional
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Architecture: any
+Description: programs to help use subuids
+ These programs help unprivileged users to create uid and gid mappings in
+ user namespaces.

debian/copyright

@@ -0,0 +1,103 @@
+This is Debian GNU/Linux's prepackaged version of the shadow utilities.
+
+It was downloaded from: <ftp://ftp.pld.org.pl/software/shadow/>. 
+As of May 2007, this site is no longer available.
+
+Copyright:
+
+Parts of this software are copyright 1988 - 1994, Julianne Frances Haugh.
+All rights reserved.
+
+Parts of this software are copyright 1997 - 2001, Marek Michałkiewicz.
+All rights reserved.
+
+Parts of this software are copyright 2001 - 2004, Andrzej Krzysztofowicz
+All rights reserved.
+
+Parts of this software are copyright 2000 - 2007, Tomasz Kłoczko.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of Julianne F. Haugh nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+This source code is currently archived on ftp.uu.net in the
+comp.sources.misc portion of the USENET archives.  You may also contact
+the author, Julianne F. Haugh, at jockgrrl@ix.netcom.com if you have
+any questions regarding this package.
+
+THIS SOFTWARE IS BEING DISTRIBUTED AS-IS.  THE AUTHORS DISCLAIM ALL
+LIABILITY FOR ANY CONSEQUENCES OF USE.  THE USER IS SOLELY RESPONSIBLE
+FOR THE MAINTENANCE OF THIS SOFTWARE PACKAGE.  THE AUTHORS ARE UNDER NO
+OBLIGATION TO PROVIDE MODIFICATIONS OR IMPROVEMENTS.  THE USER IS
+ENCOURAGED TO TAKE ANY AND ALL STEPS NEEDED TO PROTECT AGAINST ACCIDENTAL
+LOSS OF INFORMATION OR MACHINE RESOURCES.
+
+Special thanks are due to Chip Rosenthal for his fine testing efforts;
+to Steve Simmons for his work in porting this code to BSD; and to Bill
+Kennedy for his contributions of LaserJet printer time and energies.
+Also, thanks for Dennis L. Mumaugh for the initial shadow password
+information and to Tony Walton (olapw@olgb1.oliv.co.uk) for the System
+V Release 4 changes.  Effort in porting to SunOS has been contributed
+by Dr. Michael Newberry (miken@cs.adfa.oz.au) and Micheal J. Miller, Jr.
+(mke@kaberd.rain.com).  Effort in porting to AT&T UNIX System V Release
+4 has been provided by Andrew Herbert (andrew@werple.pub.uu.oz.au).
+Special thanks to Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl)
+for taking over the Linux port of this software.
+
+Source files: login_access.c, login_desrpc.c, login_krb.c are derived
+from the logdaemon-5.0 package, which is under the following license:
+
+/************************************************************************
+* Copyright 1995 by Wietse Venema.  All rights reserved. Individual files
+* may be covered by other copyrights (as noted in the file itself.)
+*
+* This material was originally written and compiled by Wietse Venema at
+* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+* 1992, 1993, 1994 and 1995.
+*
+* Redistribution and use in source and binary forms are permitted
+* provided that this entire copyright notice is duplicated in all such
+* copies.  
+*
+* This software is provided "as is" and without any expressed or implied
+* warranties, including, without limitation, the implied warranties of
+* merchantibility and fitness for any particular purpose.
+************************************************************************/
+
+Some parts substantially in src/su.c derived from an ancestor of
+su for GNU.  Run a shell with substitute user and group IDs.
+Copyright (C) 1992-2003 Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   On Debian GNU/Linux systems, the complete text of the GNU General Public
+   License can be found in '/usr/share/common-licenses/GPL-2'

debian/cpgr.8

@@ -0,0 +1 @@
+.so man8/cppw.8

debian/cppw.8

@@ -0,0 +1,27 @@
+.TH CPPW 8 "7 Apr 2005"
+.SH NAME
+cppw, cpgr \- copy with locking the given file to the password or group file
+.SH SYNOPSIS
+\fBcppw\fR [\fB\-h\fR] [\fB\-s\fR] password_file
+.br
+\fBcpgr\fR [\fB\-h\fR] [\fB\-s\fR] group_file
+
+.SH DESCRIPTION
+.BR cppw " and " cpgr
+will copy, with locking, the given file to
+.IR /etc/passwd " and " /etc/group ", respectively."
+With the \fB\-s\fR flag, they will copy the shadow versions of those files,
+.IR /etc/shadow " and " /etc/gshadow ", respectively."
+
+With the \fB\-h\fR flag, the commands display a short help message and exit
+silently.
+.SH "SEE ALSO"
+.BR vipw (8),
+.BR vigr (8),
+.BR group (5),
+.BR passwd (5),
+.BR shadow (5),
+.BR gshadow (5)
+.SH AUTHOR
+\fBcppw\fR and \fBcpgr\fR were written by Stephen Frost, based on
+\fBvipw\fR and \fBvigr\fR written by Guy Maor.

debian/dependencies

@@ -0,0 +1,94 @@
+Build-Depends:
+==============
+ * autoconf
+ * automake1.9
+   works with 1.7 or 1.9 (at least)
+ * libtool
+ * gettext
+   POT, PO, GMO regenerated?
+ * libpam0g-dev
+   OK
+ * debhelper (>= 4.1.16)
+ * po-debconf
+   OK
+ * quilt
+   patch system
+ * dpkg-dev (>= 1.13.5)
+ * xsltproc
+   used to generate the manpages
+ * docbook-xsl
+   needed for /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl
+ * docbook-xml
+   manpages/docbook.xsl includes html/docbook.xsl
+   (But it is not strictly needed. The generated manpages are identical.
+   Without it, a warning is generated.)
+   Needed by JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.1.2//EN], [DocBook XML DTD V4.1.2], [], enable_man=no)
+ * libxml2-utils
+   needed by the JH_CHECK_XML_CATALOG macros
+ * cdbs
+   used in debian/rules
+ * libselinux1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64]
+ * gnome-doc-utils (>= 0.4.3-1)
+   xml2po, 0.4.3-1 needed for the -l switch.
+
+passwd Depends:
+===============
+ * ${shlibs:Depends}
+   OK
+ * ${loginpam}
+   - hurd
+     login
+     libpam-modules (>= 0.72-5)
+   - other archs
+     + login (>= 970502-1)
+       login is needed because some passwd utils need /etc/login.defs
+       login is Essential, so this is just to enforce the version
+     + libpam-modules (>= 0.72-5)
+ * debianutils (>= 2.15.2)
+   After 1:4.0.12-6, {add,remove}-shell are distributed in debianutils (2.15)
+   /etc/shell was forgotten and introduced in debianutils in 2.15.2
+
+passwd Conflicts:
+=================
+
+passwd Replaces:
+================
+   Some of the passwd man pages are also distributed in some manpages* packages.
+   Look at the debian/02/run test to optimize these dependencies.
+   NOTE: Not all maintainers have been notified.
+ * manpages-de (<< 0.4-9), manpages-fi (<< 0.2-4), manpages-fr (<<1.64.0-1), manpages-hu (<< 20010119-5), manpages-it (<< 0.3.4-3), manpages-ja (<< 0.5.0.0.20050915-1), manpages-ko (<< 20050219-2), manpages-es (<< 1.55-4), manpages-es-extra (<< 0.8a-15), manpages-ru (<< 0.98-3)
+   All those packages have been updated during sarge->etch. So these Replaces
+   should be removed after lenny release
+ * manpages-tr, manpages-zh
+   Those packages are still in etch, so the Replaces should be kept even
+   after lenny release
+
+login Pre-Depends:
+==================
+ * ${shlibs:Depends}
+ * libpam-runtime (>= 0.76-14)
+   sarge contained 0.76-22
+
+Why Pre-Depends? (because it's an essential package?)
+
+login Depends:
+==============
+ * libpam-modules (>= 0.72-5)
+   libpam-modules is needed.
+   potato contained 0.72-9
+
+login Conflicts:
+================
+
+login Replaces:
+===============
+ * Some of the login man pages are also distributed in some manpages* packages.
+   Look at the debian/02/run test to optimize these dependencies.
+   NOTE: Not all maintainers have been notified.
+   - manpages-fi, manpages-fr (<<1.64.0-1), manpages-hu, manpages-it, manpages-ko, manpages-ja (<< 0.5.0.0.20050915-1), manpages-de (<< 0.4-10), manpages-es-extra (<<0.8a-15) 
+     Those are packages that have been updated during sarge->etch. These
+     Replaces should be removed after lenny
+   - manpages-tr, manpages-zh
+     Those packages are still in etch, so the Replaces should be kept even
+     after lenny release
+

debian/login.defs

@@ -139,6 +139,11 @@ TTYPERM		0600
 # There is no One True Answer here : each sysadmin must make up his/her
 # mind.
 #
+# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
+# for private user groups, i. e. the uid is the same as gid, and username is
+# the same as the primary group name: for these, the user permissions will be
+# used as group permissions, e. g. 022 will become 002.
+#
 # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
 #
 ERASECHAR	0177
@@ -164,10 +169,6 @@ UID_MAX			60000
 # System accounts
 #SYS_UID_MIN		  100
 #SYS_UID_MAX		  999
-# Per user subordinate UIDs
-SUB_UID_MAX		   100000
-SUB_UID_MIN		600100000
-SUB_UID_COUNT		    10000
 
 #
 # Min/max values for automatic gid selection in groupadd
@@ -177,10 +178,6 @@ GID_MAX			60000
 # System accounts
 #SYS_GID_MIN		  100
 #SYS_GID_MAX		  999
-# Per user subordinate GIDs
-#SUB_GID_MAX		   100000
-#SUB_GID_MIN		600100000
-#SUB_GID_COUNT		    10000
 
 #
 # Max number of login retries if password is bad. This will most likely be

debian/login.dirs

@@ -0,0 +1 @@
+usr/share/lintian/overrides

debian/login.install

@@ -0,0 +1,25 @@
+usr/share/locale/*/LC_MESSAGES/shadow.mo
+usr/share/man/*/man1/login.1
+usr/share/man/*/man1/newgrp.1
+usr/share/man/*/man1/sg.1
+usr/share/man/*/man1/su.1
+usr/share/man/*/man5/faillog.5
+usr/share/man/*/man5/login.defs.5
+usr/share/man/*/man8/faillog.8
+usr/share/man/*/man8/lastlog.8
+usr/share/man/*/man8/nologin.8
+usr/share/man/man1/login.1
+usr/share/man/man1/newgrp.1
+usr/share/man/man1/sg.1
+usr/share/man/man1/su.1
+usr/share/man/man5/faillog.5
+usr/share/man/man5/login.defs.5
+usr/share/man/man8/faillog.8
+usr/share/man/man8/lastlog.8
+usr/share/man/man8/nologin.8
+usr/sbin/nologin
+usr/bin/faillog
+usr/bin/lastlog
+usr/bin/newgrp
+bin/login
+bin/su

debian/login.links

@@ -0,0 +1 @@
+usr/bin/newgrp usr/bin/sg

debian/login.lintian-overrides

@@ -0,0 +1,3 @@
+login: setuid-binary usr/bin/newgrp 4755 root/root
+login: setuid-binary bin/su 4755 root/root
+login: possible-missing-colon-in-closes l667:closes bug 336321

debian/login.pam

@@ -35,10 +35,6 @@ auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
 # (Replaces the `NOLOGINS_FILE' option from login.defs)
 auth       requisite  pam_nologin.so
 
-# Added to support faillog
-auth     required       pam_tally.so per_user
-
-
 # SELinux needs to be the first session rule. This ensures that any 
 # lingering context has been cleared. Without out this it is possible 
 # that a module could execute code in the wrong domain.
@@ -84,8 +80,9 @@ session    required   pam_limits.so
 # (Replaces the `LASTLOG_ENAB' option from login.defs)
 session    optional   pam_lastlog.so
 
-# Prints the motd upon succesful login
+# Prints the message of the day upon succesful login.
 # (Replaces the `MOTD_FILE' option in login.defs)
+session    optional   pam_exec.so type=open_session stdout /bin/uname -snrvm
 session    optional   pam_motd.so
 
 # Prints the status of the user's mailbox upon succesful login
@@ -98,6 +95,9 @@ session    optional   pam_motd.so
 # See comments in /etc/login.defs
 session    optional   pam_mail.so standard
 
+# Sets the loginuid process attribute
+session    required     pam_loginuid.so
+
 # Standard Un*x account and session
 @include common-account
 @include common-session

debian/login.postinst

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+set -e
+
+if test "$1" = configure
+then
+	if test -f /etc/init.d/logoutd
+	then 
+		if test "$(md5sum /etc/init.d/logoutd)" = "9080f92783dd53f6f2108e698c06bd53  /etc/init.d/logoutd"
+		then	
+			echo "removing logoutd cruft"
+			rm /etc/init.d/logoutd
+			update-rc.d logoutd remove
+		fi
+	fi
+fi
+rm -f /etc/pam.d/login.pre-upgrade 2>/dev/null
+
+if [ "$1" = "configure" ] && [ "$2" = "" ]
+then
+	# Install faillog during initial installs only
+	if [ ! -f /var/log/faillog ] ; then
+		touch /var/log/faillog
+		chown root:root /var/log/faillog
+		chmod 644 /var/log/faillog
+	fi
+fi
+
+        # Create subuid/subgid if missing
+        if [ ! -e /etc/subuid ]; then
+                touch /etc/subuid
+                chown root:root /etc/subuid
+                chmod 644 /etc/subuid
+        fi
+
+        if [ ! -e /etc/subgid ]; then
+                touch /etc/subgid
+                chown root:root /etc/subgid
+                chmod 644 /etc/subgid
+        fi
+
+#DEBHELPER#
+
+exit 0

debian/login.preinst

@@ -0,0 +1,52 @@
+#! /bin/sh
+
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+remove_md5() {
+    if md5sum $1 2>/dev/null |grep -q $2; then
+	cp $1 $1.pre-upgrade
+	sed -e '/^[^#][ \t]*assword[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
+	    && mv $1.post-upgrade $1
+    fi
+    }
+
+
+case "$1" in
+    install|upgrade)
+        if [ "x$2" != "x" ] ; then
+	    if dpkg --compare-versions $2 lt 1:4.0.3 ; then
+		remove_md5 /etc/pam.d/login 5e61c3334e25625fe1fa4d79cf9123ff
+		fi
+	    fi
+	    
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+

debian/login.su.pam

@@ -0,0 +1,61 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth       sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth       required   pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth       sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth       required   pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session    optional   pam_mail.so nopen
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
+

debian/passwd.chage.pam

@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'chage' service
+#
+
+# This allows root to change password aging being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so

debian/passwd.chfn.pam

@@ -0,0 +1,16 @@
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+
+# This allows root to change user infomation without being
+# prompted for a password
+auth		sufficient	pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
+

debian/passwd.cron.daily

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+cd /var/backups || exit 0
+
+for FILE in passwd group shadow gshadow; do
+        test -f /etc/$FILE              || continue
+        cmp -s $FILE.bak /etc/$FILE     && continue
+        cp -p /etc/$FILE $FILE.bak && chmod 600 $FILE.bak
+done

debian/passwd.dirs

@@ -0,0 +1,2 @@
+usr/share/lintian/overrides
+etc/default

debian/passwd.examples

@@ -0,0 +1 @@
+debian/passwd.expire.cron

debian/passwd.expire.cron

@@ -0,0 +1,57 @@
+#!/usr/bin/perl
+#
+# passwd.expire.cron: sample expiry notification script for use as a cronjob
+#
+# Copyright 1999 by Ben Collins <bcollins@debian.org>, complete rights granted
+# for use, distribution, modification, etc.
+#
+# Usage:
+#	edit the listed options, including the actual email, then rename to
+#	/etc/cron.daily/passwd
+#
+#	If your users don't have a valid login shell (ie. they are ftp or mail
+#	users only), they will need some other way to change their password
+#	(telnet will work since login will handle password aging, or a poppasswd
+#	program, if they are mail users).
+
+# <CONFIG> #
+
+# should be same as /etc/adduser.conf
+$LOW_UID=1000;
+$HIGH_UID=29999;
+
+# this let's the MTA handle the domain,
+# set it manually if you want. Make sure
+# you also add the @ like "\@domain.com"
+$MAIL_DOM="";
+
+# </CONFIG> #
+
+# Set the current day reference
+$curdays = int(time() / (60 * 60 * 24));
+
+# Now go through the list
+
+open(SH, "< /etc/shadow");
+while (<SH>) {
+    @shent = split(':', $_);
+    @userent = getpwnam($shent[0]);
+    if ($userent[2] >= $LOW_UID && $userent[2] <= $HIGH_UID) {
+	if ($curdays > $shent[2] + $shent[4] - $shent[5] &&
+		$shent[4] != -1 && $shent[4] != 0 &&
+		$shent[5] != -1 && $shent[5] != 0) {
+	    $daysleft = ($shent[2] + $shent[4]) - $curdays;
+	    if ($daysleft == 1) { $days = "day"; } else {$days = "days"; }
+            if ($daysleft < 0) { next; }
+	    open (MAIL, "| mail -s '[WARNING] account will expire in $daysleft $days' $shent[0]${MAIL_DOM}");
+	    print MAIL <<EOF;
+Your account will expire in $daysleft $days. Please change your password before
+then or your account will expire
+EOF
+	    close (MAIL);
+	    # This makes sure we also get a list of almost expired users
+	    print "$shent[0]'s account will expire in $daysleft days\n";
+	}
+    }
+    @userent = getpwent();
+}

debian/passwd.groupadd.pam

@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupadd' service
+#
+
+# This allows root to add groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so

debian/passwd.groupdel.pam

@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupdel' service
+#
+
+# This allows root to remove groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so

debian/passwd.groupmod.pam

@@ -4,5 +4,5 @@
 # This allows root to modify groups without being prompted for a password
 auth		sufficient	pam_rootok.so
 
-@include common-auth
-@include common-account
+# checks for account validity
+account	required	pam_permit.so

debian/passwd.install

@@ -0,0 +1,78 @@
+usr/bin/chage
+usr/bin/chfn
+usr/bin/chsh
+usr/bin/expiry
+usr/bin/gpasswd
+usr/bin/passwd
+usr/sbin/chpasswd
+usr/sbin/chgpasswd
+usr/sbin/cppw
+usr/sbin/groupadd
+usr/sbin/groupdel
+usr/sbin/groupmod
+usr/sbin/grpck
+usr/sbin/grpconv
+usr/sbin/grpunconv
+usr/sbin/newusers
+usr/sbin/pwck
+usr/sbin/pwconv
+usr/sbin/pwunconv
+usr/sbin/useradd
+usr/sbin/userdel
+usr/sbin/usermod
+usr/sbin/vipw
+usr/share/man/*/man1/chage.1
+usr/share/man/*/man1/chfn.1
+usr/share/man/*/man1/chsh.1
+usr/share/man/*/man1/expiry.1
+usr/share/man/*/man1/gpasswd.1
+usr/share/man/*/man1/passwd.1
+usr/share/man/*/man5/passwd.5
+usr/share/man/*/man5/shadow.5
+usr/share/man/*/man5/gshadow.5
+usr/share/man/*/man8/chpasswd.8
+usr/share/man/*/man8/groupadd.8
+usr/share/man/*/man8/groupdel.8
+usr/share/man/*/man8/groupmod.8
+usr/share/man/*/man8/grpck.8
+usr/share/man/*/man8/grpconv.8
+usr/share/man/*/man8/grpunconv.8
+usr/share/man/*/man8/newusers.8
+usr/share/man/*/man8/pwck.8
+usr/share/man/*/man8/pwconv.8
+usr/share/man/*/man8/pwunconv.8
+usr/share/man/*/man8/useradd.8
+usr/share/man/*/man8/userdel.8
+usr/share/man/*/man8/usermod.8
+usr/share/man/*/man8/vigr.8
+usr/share/man/*/man8/vipw.8
+usr/share/man/man1/chage.1
+usr/share/man/man1/chfn.1
+usr/share/man/man1/chsh.1
+usr/share/man/man1/expiry.1
+usr/share/man/man1/gpasswd.1
+usr/share/man/man1/passwd.1
+usr/share/man/man5/passwd.5
+usr/share/man/man5/shadow.5
+usr/share/man/man5/gshadow.5
+usr/share/man/man5/subuid.5
+usr/share/man/man5/subgid.5
+usr/share/man/man5/subgid.5
+usr/share/man/man5/subuid.5
+usr/share/man/man8/chgpasswd.8
+usr/share/man/man8/chpasswd.8
+usr/share/man/man8/groupadd.8
+usr/share/man/man8/groupdel.8
+usr/share/man/man8/groupmod.8
+usr/share/man/man8/grpck.8
+usr/share/man/man8/grpconv.8
+usr/share/man/man8/grpunconv.8
+usr/share/man/man8/newusers.8
+usr/share/man/man8/pwck.8
+usr/share/man/man8/pwconv.8
+usr/share/man/man8/pwunconv.8
+usr/share/man/man8/useradd.8
+usr/share/man/man8/userdel.8
+usr/share/man/man8/usermod.8
+usr/share/man/man8/vigr.8
+usr/share/man/man8/vipw.8

debian/passwd.links

@@ -0,0 +1,2 @@
+usr/sbin/vipw usr/sbin/vigr
+usr/sbin/cppw usr/sbin/cpgr

debian/passwd.lintian-overrides

@@ -0,0 +1,6 @@
+passwd: setgid-binary usr/bin/chage 2755 root/shadow
+passwd: setuid-binary usr/bin/chfn 4755 root/root
+passwd: setuid-binary usr/bin/chsh 4755 root/root
+passwd: setgid-binary usr/bin/expiry 2755 root/shadow
+passwd: setuid-binary usr/bin/gpasswd 4755 root/root
+passwd: setuid-binary usr/bin/passwd 4755 root/root

debian/passwd.newusers.pam

@@ -0,0 +1,5 @@
+# The PAM configuration file for the Shadow 'newusers' service
+#
+
+@include common-password
+

debian/passwd.passwd.pam

@@ -0,0 +1,6 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+@include common-password
+

debian/passwd.postinst

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+configure)
+    # Fix permissions on various log files from old versions of the debian
+    # installer, some unrelated to passwd but we decided to put the fix
+    # here since there was no better place. This can safely be removed
+    # after etch is released.
+    if dpkg --compare-versions "$2" lt "1:4.0.14-9"; then
+	    for log in /var/log/base-config* \
+		    $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
+		if [ -e "$log" ]; then
+			chmod 600 "$log"
+		fi
+            done
+    fi
+
+    rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null
+	if ! getent group shadow | grep -q '^shadow:[^:]*:42'
+	then
+		groupadd -g 42 shadow || (
+    			cat <<EOF
+Group ID 42 has been allocated for the shadow group.  You have either
+used 42 yourself or created a shadow group with a different ID.
+Please correct this problem and reconfigure with ``dpkg --configure passwd''.
+
+Note that both user and group IDs in the range 0-99 are globally
+allocated by the Debian project and must be the same on every Debian
+system.
+EOF
+    			exit 1
+		)
+	fi
+    ;;
+esac
+
+# Run shadowconfig only on new installs
+[ -z "$2" ] && shadowconfig on
+
+#DEBHELPER#
+
+exit 0

debian/passwd.preinst

@@ -0,0 +1,51 @@
+#! /bin/sh
+
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+remove_md5() {
+    if md5sum $1 2>/dev/null |grep -q $2; then
+	cp $1 $1.pre-upgrade
+	sed -e '/^[^#]*[ \t]*password[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' $1 >$1.post-upgrade \
+	    && mv $1.post-upgrade $1
+    fi
+    }
+
+
+case "$1" in
+    install|upgrade)
+        if [ "x$2" != "x" ] ; then
+	    if dpkg --compare-versions $2 lt 1:4.0.3 ; then
+		remove_md5 /etc/pam.d/passwd 23a5d1465bbc1e39ca6e0c32f22a75c9
+	    fi
+	fi
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+

debian/passwd.useradd.pam

@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'useradd' service
+#
+
+# This allows root to add users without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so

debian/passwd.userdel.pam

@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'userdel' service
+#
+
+# This allows root to remove users without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so

debian/passwd.usermod.pam

@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupdel' service
+#
+
+# This allows root to remove groups without being prompted for a password
+auth		sufficient	pam_rootok.so
+
+# checks for account validity
+account	required	pam_permit.so

debian/patches/008_login_log_failure_in_FTMP

@@ -0,0 +1,55 @@
+Goal: Log login failures to the btmp file
+
+Notes:
+ * I'm not sure login should add an entry in the FTMP file when PAM is used.
+   (but nothing in /etc/login.defs indicates that the failure is not logged)
+
+Index: git/src/login.c
+===================================================================
+--- git.orig/src/login.c
++++ git/src/login.c
+@@ -831,6 +831,24 @@
+ 			(void) puts ("");
+ 			(void) puts (_("Login incorrect"));
+ 
++			if (getdef_str("FTMP_FILE") != NULL) {
++#ifdef USE_UTMPX
++				struct utmpx *failent =
++					prepare_utmpx (failent_user,
++					               tty,
++					/* FIXME: or fromhost? */hostname,
++					               utent);
++#else				/* !USE_UTMPX */
++				struct utmp *failent =
++					prepare_utmp (failent_user,
++					              tty,
++					              hostname,
++					              utent);
++#endif				/* !USE_UTMPX */
++				failtmp (failent_user, failent);
++				free (failent);
++			}
++
+ 			if (failcount >= retries) {
+ 				SYSLOG ((LOG_NOTICE,
+ 				         "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
+Index: git/lib/getdef.c
+===================================================================
+--- git.orig/lib/getdef.c
++++ git/lib/getdef.c
+@@ -62,6 +62,7 @@
+ 	{"ERASECHAR", NULL},
+ 	{"FAIL_DELAY", NULL},
+ 	{"FAKE_SHELL", NULL},
++	{"FTMP_FILE", NULL},
+ 	{"GID_MAX", NULL},
+ 	{"GID_MIN", NULL},
+ 	{"HUSHLOGIN_FILE", NULL},
+@@ -109,7 +110,6 @@
+ 	{"ENVIRON_FILE", NULL},
+ 	{"ENV_TZ", NULL},
+ 	{"FAILLOG_ENAB", NULL},
+-	{"FTMP_FILE", NULL},
+ 	{"ISSUE_FILE", NULL},
+ 	{"LASTLOG_ENAB", NULL},
+ 	{"LOGIN_STRING", NULL},

debian/patches/1000_configure_userns

@@ -0,0 +1,93 @@
+=== modified file 'etc/login.defs'
+Index: git/etc/login.defs
+===================================================================
+--- git.orig/etc/login.defs
++++ git/etc/login.defs
+@@ -229,7 +229,7 @@
+ # Extra per user uids
+ SUB_UID_MIN		   100000
+ SUB_UID_MAX		600100000
+-SUB_UID_COUNT		    10000
++SUB_UID_COUNT		    65536
+ 
+ #
+ # Min/max values for automatic gid selection in groupadd(8)
+@@ -242,7 +242,7 @@
+ # Extra per user group ids
+ SUB_GID_MIN		   100000
+ SUB_GID_MAX		600100000
+-SUB_GID_COUNT		    10000
++SUB_GID_COUNT		    65536
+ 
+ #
+ # Max number of login(1) retries if password is bad
+Index: git/src/newusers.c
+===================================================================
+--- git.orig/src/newusers.c
++++ git/src/newusers.c
+@@ -988,8 +988,8 @@
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
+ #ifdef ENABLE_SUBIDS
+-	is_sub_uid = sub_uid_file_present ();
+-	is_sub_gid = sub_gid_file_present ();
++	is_sub_uid = sub_uid_file_present () && !rflg;
++	is_sub_gid = sub_gid_file_present () && !rflg;
+ #endif				/* ENABLE_SUBIDS */
+ 
+ 	open_files ();
+Index: git/src/useradd.c
+===================================================================
+--- git.orig/src/useradd.c
++++ git/src/useradd.c
+@@ -1994,6 +1994,10 @@
+ #endif				/* USE_PAM */
+ #endif				/* ACCT_TOOLS_SETUID */
+ 
++	/* Needed for userns check */
++	uid_t uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
++	uid_t uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
++
+ 	/*
+ 	 * Get my name so that I can use it to report errors.
+ 	 */
+@@ -2023,8 +2027,10 @@
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
+ #ifdef ENABLE_SUBIDS
+-	is_sub_uid = sub_uid_file_present ();
+-	is_sub_gid = sub_gid_file_present ();
++	is_sub_uid = sub_uid_file_present () && !rflg &&
++	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
++	is_sub_gid = sub_gid_file_present () && !rflg &&
++	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
+ #endif				/* ENABLE_SUBIDS */
+ 
+ 	get_defaults ();
+ 
+Index: git/libmisc/find_new_sub_uids.c
+===================================================================
+--- git.orig/libmisc/find_new_sub_uids.c
++++ git/libmisc/find_new_sub_uids.c
+@@ -58,7 +58,7 @@
+ 
+ 	min = getdef_ulong ("SUB_UID_MIN", 100000UL);
+ 	max = getdef_ulong ("SUB_UID_MAX", 600100000UL);
+-	count = getdef_ulong ("SUB_UID_COUNT", 10000);
++	count = getdef_ulong ("SUB_UID_COUNT", 65536);
+ 
+ 	if (min > max || count >= max || (min + count - 1) > max) {
+ 		(void) fprintf (stderr,
+Index: git/libmisc/find_new_sub_gids.c
+===================================================================
+--- git.orig/libmisc/find_new_sub_gids.c
++++ git/libmisc/find_new_sub_gids.c
+@@ -58,7 +58,7 @@
+ 
+ 	min = getdef_ulong ("SUB_GID_MIN", 100000UL);
+ 	max = getdef_ulong ("SUB_GID_MAX", 600100000UL);
+-	count = getdef_ulong ("SUB_GID_COUNT", 10000);
++	count = getdef_ulong ("SUB_GID_COUNT", 65536);
+ 
+ 	if (min > max || count >= max || (min + count - 1) > max) {
+ 		(void) fprintf (stderr,

debian/patches/1020_fix_user_busy_errors

@@ -0,0 +1,38 @@
+Description: Fix user_busy to not leave subuid open in case of error.
+Author: William Grant <wgrant@ubuntu.com>
+Bug: https://bugs.launchpad.net/ubuntu/vivid/+source/shadow/+bug/1436937
+
+Index: shadow-4.2/libmisc/user_busy.c
+===================================================================
+--- shadow-4.2.orig/libmisc/user_busy.c
++++ shadow-4.2/libmisc/user_busy.c
+@@ -175,6 +175,9 @@ static int user_busy_processes (const ch
+ 	if (stat ("/", &sbroot) != 0) {
+ 		perror ("stat (\"/\")");
+ 		(void) closedir (proc);
++#ifdef ENABLE_SUBIDS
++		sub_uid_close();
++#endif				/* ENABLE_SUBIDS */
+ 		return 0;
+ 	}
+ 
+@@ -212,6 +215,9 @@ static int user_busy_processes (const ch
+ 
+ 		if (check_status (name, tmp_d_name, uid) != 0) {
+ 			(void) closedir (proc);
++#ifdef ENABLE_SUBIDS
++			sub_uid_close();
++#endif				/* ENABLE_SUBIDS */
+ 			fprintf (stderr,
+ 			         _("%s: user %s is currently used by process %d\n"),
+ 			         Prog, name, pid);
+@@ -232,6 +238,9 @@ static int user_busy_processes (const ch
+ 				}
+ 				if (check_status (name, task_path+6, uid) != 0) {
+ 					(void) closedir (proc);
++#ifdef ENABLE_SUBIDS
++					sub_uid_close();
++#endif				/* ENABLE_SUBIDS */
+ 					fprintf (stderr,
+ 					         _("%s: user %s is currently used by process %d\n"),
+ 					         Prog, name, pid);

debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch

@@ -0,0 +1,59 @@
+From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (v
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
++			} else {
++				pid_child = 0;
+ 			}
+ 		} while (!stop);
+ 	}
+ 
+-	if (0 != caught) {
++	if (0 != caught && 0 != pid_child) {
+ 		(void) fputs ("\n", stderr);
+ 		(void) fputs (_("Session terminated, terminating shell..."),
+ 		              stderr);
+ 		(void) kill (-pid_child, caught);
+ 
+ 		(void) signal (SIGALRM, kill_child);
++		(void) signal (SIGCHLD, catch_signals);
+ 		(void) alarm (2);
+ 
+-		(void) wait (&status);
++		sigemptyset (&ourset);
++		if ((sigaddset (&ourset, SIGALRM) != 0)
++		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++			kill_child (0);
++		} else {
++			while (0 == waitpid (pid_child, &status, WNOHANG)) {
++				sigsuspend (&ourset);
++			}
++			pid_child = 0;
++			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++		}
++
+ 		(void) fputs (_(" ...terminated.\n"), stderr);
+ 	}
+ 

debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch

@@ -0,0 +1,46 @@
+From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer@suse.com>
+Date: Wed, 3 Aug 2016 11:51:07 -0500
+Subject: [PATCH] Simplify getulong
+
+Use strtoul to read an unsigned long, rather than reading
+a signed long long and casting it.
+
+https://bugzilla.suse.com/show_bug.cgi?id=979282
+---
+ lib/getulong.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/lib/getulong.c b/lib/getulong.c
+index 61579ca..08d2c1a 100644
+--- a/lib/getulong.c
++++ b/lib/getulong.c
+@@ -44,22 +44,19 @@
+  */
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)
+ {
+-	long long int val;
++	unsigned long int val;
+ 	char *endptr;
+ 
+ 	errno = 0;
+-	val = strtoll (numstr, &endptr, 0);
++	val = strtoul (numstr, &endptr, 0);
+ 	if (    ('\0' == *numstr)
+ 	     || ('\0' != *endptr)
+ 	     || (ERANGE == errno)
+-	     /*@+ignoresigns@*/
+-	     || (val != (unsigned long int)val)
+-	     /*@=ignoresigns@*/
+ 	   ) {
+ 		return 0;
+ 	}
+ 
+-	*result = (unsigned long int)val;
++	*result = val;
+ 	return 1;
+ }
+ 
+-- 
+2.1.4
+

debian/patches/303-Reset-pid_child-only-if-waitpid-was-successful.patch

@@ -0,0 +1,29 @@
+From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 14 May 2017 17:58:10 +0200
+Subject: [PATCH] Reset pid_child only if waitpid was successful.
+
+Do not reset the pid_child to 0 if the child process is still
+running. This else-condition can be reached with pid being -1,
+therefore explicitly test this condition.
+
+This is a regression fix for CVE-2017-2616. If su receives a
+signal like SIGTERM, it is not propagated to the child.
+
+Reported-by: Radu Duta <raduduta@gmail.com>
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+---
+ src/su.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,7 +363,7 @@ static void prepare_pam_close_session (v
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
+-			} else {
++			} else if (   (pid_t)-1 != pid) {
+ 				pid_child = 0;
+ 			}
+ 		} while (!stop);

debian/patches/401_cppw_src.dpatch

@@ -0,0 +1,282 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 401_cppw_src.dpatch by  Nicolas FRANCOIS <nicolas.francois@centraliens.net>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add cppw / cpgr
+
+@DPATCH@
+Index: git/src/cppw.c
+===================================================================
+--- /dev/null
++++ git/src/cppw.c
+@@ -0,0 +1,238 @@
++/*
++  cppw, cpgr  copy with locking given file over the password or group file
++  with -s will copy with locking given file over shadow or gshadow file
++
++  Copyright (C) 1999 Stephen Frost <sfrost@snowman.net>
++
++  Based on vipw, vigr by:
++  Copyright (C) 1997 Guy Maor <maor@ece.utexas.edu>
++
++  This program is free software; you can redistribute it and/or modify
++  it under the terms of the GNU General Public License as published by
++  the Free Software Foundation; either version 2 of the License, or
++  (at your option) any later version.
++
++  This program is distributed in the hope that it will be useful, but
++  WITHOUT ANY WARRANTY; without even the implied warranty of
++  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++  General Public License for more details.
++
++  You should have received a copy of the GNU General Public License
++  along with this program; if not, write to the Free Software
++  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
++
++  */
++
++#include <config.h>
++#include "defines.h"
++
++#include <errno.h>
++#include <sys/stat.h>
++#include <unistd.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <sys/types.h>
++#include <signal.h>
++#include <utime.h>
++#include "exitcodes.h"
++#include "prototypes.h"
++#include "pwio.h"
++#include "shadowio.h"
++#include "groupio.h"
++#include "sgroupio.h"
++
++
++const char *Prog;
++
++const char *filename, *filenewname;
++static bool filelocked = false;
++static int (*unlock) (void);
++
++/* local function prototypes */
++static int create_copy (FILE *fp, const char *dest, struct stat *sb);
++static void cppwexit (const char *msg, int syserr, int ret);
++static void cppwcopy (const char *file,
++                      const char *in_file,
++                      int (*file_lock) (void),
++                      int (*file_unlock) (void));
++
++static int create_copy (FILE *fp, const char *dest, struct stat *sb)
++{
++	struct utimbuf ub;
++	FILE *bkfp;
++	int c;
++	mode_t mask;
++
++	mask = umask (077);
++	bkfp = fopen (dest, "w");
++	(void) umask (mask);
++	if (NULL == bkfp) {
++		return -1;
++	}
++
++	rewind (fp);
++	while ((c = getc (fp)) != EOF) {
++		if (putc (c, bkfp) == EOF) {
++			break;
++		}
++	}
++
++	if (   (c != EOF)
++	    || (fflush (bkfp) != 0)) {
++		(void) fclose (bkfp);
++		(void) unlink (dest);
++		return -1;
++	}
++	if (   (fsync (fileno (bkfp)) != 0)
++	    || (fclose (bkfp) != 0)) {
++		(void) unlink (dest);
++		return -1;
++	}
++
++	ub.actime = sb->st_atime;
++	ub.modtime = sb->st_mtime;
++	if (   (utime (dest, &ub) != 0)
++	    || (chmod (dest, sb->st_mode) != 0)
++	    || (chown (dest, sb->st_uid, sb->st_gid) != 0)) {
++		(void) unlink (dest);
++		return -1;
++	}
++	return 0;
++}
++
++static void cppwexit (const char *msg, int syserr, int ret)
++{
++	int err = errno;
++	if (filelocked) {
++		(*unlock) ();
++	}
++	if (NULL != msg) {
++		fprintf (stderr, "%s: %s", Prog, msg);
++		if (0 != syserr) {
++			fprintf (stderr, ": %s", strerror (err));
++		}
++		(void) fputs ("\n", stderr);
++	}
++	if (NULL != filename) {
++		fprintf (stderr, _("%s: %s is unchanged\n"), Prog, filename);
++	} else {
++		fprintf (stderr, _("%s: no changes\n"), Prog);
++	}
++
++	exit (ret);
++}
++
++static void cppwcopy (const char *file,
++                      const char *in_file,
++                      int (*file_lock) (void),
++                      int (*file_unlock) (void))
++{
++	struct stat st1;
++	FILE *f;
++	char filenew[1024];
++
++	snprintf (filenew, sizeof filenew, "%s.new", file);
++	unlock = file_unlock;
++	filename = file;
++	filenewname = filenew;
++
++	if (access (file, F_OK) != 0) {
++		cppwexit (file, 1, 1);
++	}
++	if (file_lock () == 0) {
++		cppwexit (_("Couldn't lock file"), 0, 5);
++	}
++	filelocked = true;
++
++	/* file to copy has same owners, perm */
++	if (stat (file, &st1) != 0) {
++		cppwexit (file, 1, 1);
++	}
++	f = fopen (in_file, "r");
++	if (NULL == f) {
++		cppwexit (in_file, 1, 1);
++	}
++	if (create_copy (f, filenew, &st1) != 0) {
++		cppwexit (_("Couldn't make copy"), errno, 1);
++	}
++
++	/* XXX - here we should check filenew for errors; if there are any,
++	 * fail w/ an appropriate error code and let the user manually fix
++	 * it. Use pwck or grpck to do the check.  - Stephen (Shamelessly
++	 * stolen from '--marekm's comment) */
++
++	if (rename (filenew, file) != 0) {
++		fprintf (stderr, _("%s: can't copy %s: %s)\n"),
++                         Prog, filenew, strerror (errno));
++		cppwexit (NULL,0,1);
++	}
++
++	(*file_unlock) ();
++}
++
++int main (int argc, char **argv)
++{
++	int flag;
++	bool cpshadow = false;
++	char *in_file;
++	int e = E_USAGE;
++	bool do_cppw = true;
++
++	(void) setlocale (LC_ALL, "");
++	(void) bindtextdomain (PACKAGE, LOCALEDIR);
++	(void) textdomain (PACKAGE);
++
++	Prog = Basename (argv[0]);
++	if (strcmp (Prog, "cpgr") == 0) {
++		do_cppw = false;
++	}
++
++	while ((flag = getopt (argc, argv, "ghps")) != EOF) {
++		switch (flag) {
++		case 'p':
++			do_cppw = true;
++			break;
++		case 'g':
++			do_cppw = false;
++			break;
++		case 's':
++			cpshadow = true;
++			break;
++		case 'h':
++			e = E_SUCCESS;
++			/*pass through*/
++		default:
++			(void) fputs (_("Usage:\n\
++`cppw <file>' copys over /etc/passwd   `cppw -s <file>' copys over /etc/shadow\n\
++`cpgr <file>' copys over /etc/group    `cpgr -s <file>' copys over /etc/gshadow\n\
++"), (E_SUCCESS != e) ? stderr : stdout);
++			exit (e);
++		}
++	}
++
++	if (argc != optind + 1) {
++		cppwexit (_("wrong number of arguments, -h for usage"),0,1);
++	}
++
++	in_file = argv[optind];
++
++	if (do_cppw) {
++		if (cpshadow) {
++			cppwcopy (SHADOW_FILE, in_file, spw_lock, spw_unlock);
++		} else {
++			cppwcopy (PASSWD_FILE, in_file, pw_lock, pw_unlock);
++		}
++	} else {
++#ifdef SHADOWGRP
++		if (cpshadow) {
++			cppwcopy (SGROUP_FILE, in_file, sgr_lock, sgr_unlock);
++		} else
++#endif				/* SHADOWGRP */
++		{
++			cppwcopy (GROUP_FILE, in_file, gr_lock, gr_unlock);
++		}
++	}
++
++	return 0;
++}
++
+Index: git/src/Makefile.am
+===================================================================
+--- git.orig/src/Makefile.am
++++ git/src/Makefile.am
+@@ -29,6 +29,7 @@
+ ubin_PROGRAMS += newgidmap newuidmap
+ endif
+ usbin_PROGRAMS = \
++	cppw \
+ 	chgpasswd \
+ 	chpasswd \
+ 	groupadd \
+@@ -87,6 +88,7 @@
+ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+ chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
++cppw_LDADD     = $(LDADD) $(LIBSELINUX)
+ gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+ groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+Index: git/po/POTFILES.in
+===================================================================
+--- git.orig/po/POTFILES.in
++++ git/po/POTFILES.in
+@@ -85,6 +85,7 @@
+ src/chgpasswd.c
+ src/chpasswd.c
+ src/chsh.c
++src/cppw.c
+ src/expiry.c
+ src/faillog.c
+ src/gpasswd.c

debian/patches/402_cppw_selinux

@@ -0,0 +1,64 @@
+Goal: Add selinux support to cppw
+
+Fix:
+
+Status wrt upstream: cppw is not available upstream.
+                     The patch was made based on the
+                     302_vim_selinux_support patch. It needs to be
+                     reviewed by an SE-Linux aware person.
+
+Depends on 401_cppw_src.dpatch
+
+Index: git/src/cppw.c
+===================================================================
+--- git.orig/src/cppw.c
++++ git/src/cppw.c
+@@ -34,6 +34,9 @@
+ #include <sys/types.h>
+ #include <signal.h>
+ #include <utime.h>
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#endif				/* WITH_SELINUX */
+ #include "exitcodes.h"
+ #include "prototypes.h"
+ #include "pwio.h"
+@@ -139,6 +142,22 @@
+ 	if (access (file, F_OK) != 0) {
+ 		cppwexit (file, 1, 1);
+ 	}
++#ifdef WITH_SELINUX
++	/* if SE Linux is enabled then set the context of all new files
++	 * to be the context of the file we are editing */
++	if (is_selinux_enabled () > 0) {
++		security_context_t passwd_context=NULL;
++		int ret = 0;
++		if (getfilecon (file, &passwd_context) < 0) {
++			cppwexit (_("Couldn't get file context"), errno, 1);
++		}
++		ret = setfscreatecon (passwd_context);
++		freecon (passwd_context);
++		if (0 != ret) {
++			cppwexit (_("setfscreatecon () failed"), errno, 1);
++		}
++	}
++#endif				/* WITH_SELINUX */
+ 	if (file_lock () == 0) {
+ 		cppwexit (_("Couldn't lock file"), 0, 5);
+ 	}
+@@ -167,6 +186,15 @@
+ 		cppwexit (NULL,0,1);
+ 	}
+ 
++#ifdef WITH_SELINUX
++	/* unset the fscreatecon */
++	if (is_selinux_enabled () > 0) {
++		if (setfscreatecon (NULL)) {
++		cppwexit (_("setfscreatecon() failed"), errno, 1);
++		}
++	}
++#endif				/* WITH_SELINUX */
++
+ 	(*file_unlock) ();
+ }
+ 

debian/patches/429_login_FAILLOG_ENAB

@@ -0,0 +1,96 @@
+Goal: Re-enable logging and displaying failures on login when login is
+      compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
+      faillog file if it does not exist on postinst (as on Woody).
+Depends: 008_login_more_LOG_UNKFAIL_ENAB
+Fixes: #192849
+
+Note: It could be removed if pam_tally could report the number of failures
+      preceding a successful login.
+
+Index: git/src/login.c
+===================================================================
+--- git.orig/src/login.c
++++ git/src/login.c
+@@ -131,9 +131,9 @@
+                          const char *host,
+                          /*@null@*/const struct utmp *utent);
+ 
+-#ifndef USE_PAM
+ static struct faillog faillog;
+ 
++#ifndef USE_PAM
+ static void bad_time_notify (void);
+ static void check_nologin (bool login_to_root);
+ #else
+@@ -791,6 +791,9 @@
+ 				SYSLOG ((LOG_NOTICE,
+ 				         "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
+ 				         failcount, fromhost, failent_user));
++				if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
++					failure (pwd->pw_uid, tty, &faillog);
++				}
+ 				fprintf (stderr,
+ 				         _("Maximum number of tries exceeded (%u)\n"),
+ 				         failcount);
+@@ -808,6 +811,14 @@
+ 				         pam_strerror (pamh, retcode)));
+ 				failed = true;
+ 			}
++			if (   (NULL != pwd)
++			    && getdef_bool("FAILLOG_ENAB")
++			    && ! failcheck (pwd->pw_uid, &faillog, failed)) {
++				SYSLOG((LOG_CRIT,
++				        "exceeded failure limit for `%s' %s",
++				        failent_user, fromhost));
++				failed = 1;
++			}
+ 
+ 			if (!failed) {
+ 				break;
+@@ -831,6 +842,10 @@
+ 			(void) puts ("");
+ 			(void) puts (_("Login incorrect"));
+ 
++			if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
++				failure (pwd->pw_uid, tty, &faillog);
++			}
++
+ 			if (getdef_str("FTMP_FILE") != NULL) {
+ #ifdef USE_UTMPX
+ 				struct utmpx *failent =
+@@ -1285,6 +1300,7 @@
+ 		 */
+ #ifndef USE_PAM
+ 		motd ();	/* print the message of the day */
++#endif
+ 		if (   getdef_bool ("FAILLOG_ENAB")
+ 		    && (0 != faillog.fail_cnt)) {
+ 			failprint (&faillog);
+@@ -1297,6 +1313,7 @@
+ 				         username, (int) faillog.fail_cnt));
+ 			}
+ 		}
++#ifndef USE_PAM
+ 		if (   getdef_bool ("LASTLOG_ENAB")
+ 		    && (ll.ll_time != 0)) {
+ 			time_t ll_time = ll.ll_time;
+Index: git/lib/getdef.c
+===================================================================
+--- git.orig/lib/getdef.c
++++ git/lib/getdef.c
+@@ -61,6 +61,7 @@
+ 	{"ENV_SUPATH", NULL},
+ 	{"ERASECHAR", NULL},
+ 	{"FAIL_DELAY", NULL},
++	{"FAILLOG_ENAB", NULL},
+ 	{"FAKE_SHELL", NULL},
+ 	{"FTMP_FILE", NULL},
+ 	{"GID_MAX", NULL},
+@@ -109,7 +110,6 @@
+ 	{"ENV_HZ", NULL},
+ 	{"ENVIRON_FILE", NULL},
+ 	{"ENV_TZ", NULL},
+-	{"FAILLOG_ENAB", NULL},
+ 	{"ISSUE_FILE", NULL},
+ 	{"LASTLOG_ENAB", NULL},
+ 	{"LOGIN_STRING", NULL},

debian/patches/463_login_delay_obeys_to_PAM

@@ -0,0 +1,109 @@
+Goal: Do not hardcode pam_fail_delay and let pam_unix do its
+      job to set a delay...or not
+
+Fixes: #87648
+
+Status wrt upstream: Forwarded but not applied yet
+
+Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
+
+Index: git/src/login.c
+===================================================================
+--- git.orig/src/login.c
++++ git/src/login.c
+@@ -525,7 +525,6 @@
+ #if defined(HAVE_STRFTIME) && !defined(USE_PAM)
+ 	char ptime[80];
+ #endif
+-	unsigned int delay;
+ 	unsigned int retries;
+ 	bool subroot = false;
+ #ifndef USE_PAM
+@@ -545,6 +544,7 @@
+ 	pid_t child;
+ 	char *pam_user = NULL;
+ #else
++	unsigned int delay;
+ 	struct spwd *spwd = NULL;
+ #endif
+ 	/*
+@@ -705,7 +705,6 @@
+ 	}
+ 
+ 	environ = newenvp;	/* make new environment active */
+-	delay   = getdef_unum ("FAIL_DELAY", 1);
+ 	retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
+ 
+ #ifdef USE_PAM
+@@ -721,8 +720,7 @@
+ 
+ 	/*
+ 	 * hostname & tty are either set to NULL or their correct values,
+-	 * depending on how much we know. We also set PAM's fail delay to
+-	 * ours.
++	 * depending on how much we know.
+ 	 *
+ 	 * PAM_RHOST and PAM_TTY are used for authentication, only use
+ 	 * information coming from login or from the caller (e.g. no utmp)
+@@ -731,10 +729,6 @@
+ 	PAM_FAIL_CHECK;
+ 	retcode = pam_set_item (pamh, PAM_TTY, tty);
+ 	PAM_FAIL_CHECK;
+-#ifdef HAS_PAM_FAIL_DELAY
+-	retcode = pam_fail_delay (pamh, 1000000 * delay);
+-	PAM_FAIL_CHECK;
+-#endif
+ 	/* if fflg, then the user has already been authenticated */
+ 	if (!fflg) {
+ 		unsigned int failcount = 0;
+@@ -775,12 +769,6 @@
+ 			bool failed = false;
+ 
+ 			failcount++;
+-#ifdef HAS_PAM_FAIL_DELAY
+-			if (delay > 0) {
+-				retcode = pam_fail_delay(pamh, 1000000*delay);
+-				PAM_FAIL_CHECK;
+-			}
+-#endif
+ 
+ 			retcode = pam_authenticate (pamh, 0);
+ 
+@@ -1103,14 +1091,17 @@
+ 		free (username);
+ 		username = NULL;
+ 
++#ifndef USE_PAM
+ 		/*
+ 		 * Wait a while (a la SVR4 /usr/bin/login) before attempting
+ 		 * to login the user again. If the earlier alarm occurs
+ 		 * before the sleep() below completes, login will exit.
+ 		 */
++		delay = getdef_unum ("FAIL_DELAY", 1);
+ 		if (delay > 0) {
+ 			(void) sleep (delay);
+ 		}
++#endif
+ 
+ 		(void) puts (_("Login incorrect"));
+ 
+Index: git/lib/getdef.c
+===================================================================
+--- git.orig/lib/getdef.c
++++ git/lib/getdef.c
+@@ -60,7 +60,6 @@
+ 	{"ENV_PATH", NULL},
+ 	{"ENV_SUPATH", NULL},
+ 	{"ERASECHAR", NULL},
+-	{"FAIL_DELAY", NULL},
+ 	{"FAILLOG_ENAB", NULL},
+ 	{"FAKE_SHELL", NULL},
+ 	{"FTMP_FILE", NULL},
+@@ -110,6 +109,7 @@
+ 	{"ENV_HZ", NULL},
+ 	{"ENVIRON_FILE", NULL},
+ 	{"ENV_TZ", NULL},
++	{"FAIL_DELAY", NULL},
+ 	{"ISSUE_FILE", NULL},
+ 	{"LASTLOG_ENAB", NULL},
+ 	{"LOGIN_STRING", NULL},

debian/patches/501_commonio_group_shadow

@@ -0,0 +1,39 @@
+Goal: save the [g]shadow files with the 'shadow' group and mode 0440
+
+Fixes: #166793
+
+Index: git/lib/commonio.c
+===================================================================
+--- git.orig/lib/commonio.c
++++ git/lib/commonio.c
+@@ -44,6 +44,7 @@
+ #include <errno.h>
+ #include <stdio.h>
+ #include <signal.h>
++#include <grp.h>
+ #include "nscd.h"
+ #ifdef WITH_TCB
+ #include <tcb.h>
+@@ -966,13 +967,20 @@
+ 			goto fail;
+ 		}
+ 	} else {
++		struct group *grp;
+ 		/*
+ 		 * Default permissions for new [g]shadow files.
+ 		 * (passwd and group always exist...)
+ 		 */
+-		sb.st_mode = 0400;
++		sb.st_mode = 0440;
+ 		sb.st_uid = 0;
+-		sb.st_gid = 0;
++		/*
++		 * Try to retrieve the shadow's GID, and fall back to GID 0.
++		 */
++		if ((grp = getgrnam("shadow")) != NULL)
++			sb.st_gid = grp->gr_gid;
++		else
++			sb.st_gid = 0;
+ 	}
+ 
+ 	snprintf (buf, sizeof buf, "%s+", db->filename);

debian/patches/503_shadowconfig.8

@@ -0,0 +1,201 @@
+Goal: Document the shadowconfig utility
+
+Status wrt upstream: The shadowconfig utility is debian specific.
+                     Its man page also (but it used to be distributed)
+
+Index: git/man/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/shadowconfig.8
+@@ -0,0 +1,41 @@
++.\"Generated by db2man.xsl. Don't modify this, modify the source.
++.de Sh \" Subsection
++.br
++.if t .Sp
++.ne 5
++.PP
++\fB\\$1\fR
++.PP
++..
++.de Sp \" Vertical space (when we can't use .PP)
++.if t .sp .5v
++.if n .sp
++..
++.de Ip \" List item
++.br
++.ie \\n(.$>=3 .ne \\$3
++.el .ne 3
++.IP "\\$1" \\$2
++..
++.TH "SHADOWCONFIG" 8 "19 Apr 1997" "" ""
++.SH NAME
++shadowconfig \- toggle shadow passwords on and off
++.SH "SYNOPSIS"
++.ad l
++.hy 0
++.HP 13
++\fBshadowconfig\fR \fB\fIon\fR\fR | \fB\fIoff\fR\fR
++.ad
++.hy
++
++.SH "DESCRIPTION"
++
++.PP
++\fBshadowconfig\fR on will turn shadow passwords on; \fIshadowconfig off\fR will turn shadow passwords off\&. \fBshadowconfig\fR will print an error message and exit with a nonzero code if it finds anything awry\&. If that happens, you should correct the error and run it again\&. Turning shadow passwords on when they are already on, or off when they are already off, is harmless\&.
++
++.PP
++Read \fI/usr/share/doc/passwd/README\&.Debian\fR for a brief introduction to shadow passwords and related features\&.
++
++.PP
++Note that turning shadow passwords off and on again will lose all password aging information\&.
++
+Index: git/man/shadowconfig.8.xml
+===================================================================
+--- /dev/null
++++ git/man/shadowconfig.8.xml
+@@ -0,0 +1,52 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
++		"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
++<refentry id='shadowconfig.8'>
++  <!-- $Id: shadowconfig.8.xml,v 1.6 2005/06/15 12:39:27 kloczek Exp $ -->
++  <refentryinfo>
++    <date>19 Apr 1997</date>
++  </refentryinfo>
++  <refmeta>
++    <refentrytitle>shadowconfig</refentrytitle>
++    <manvolnum>8</manvolnum>
++    <refmiscinfo class='date'>19 Apr 1997</refmiscinfo>
++    <refmiscinfo class='source'>Debian GNU/Linux</refmiscinfo>
++  </refmeta>
++  <refnamediv id='name'>
++    <refname>shadowconfig</refname>
++    <refpurpose>toggle shadow passwords on and off</refpurpose>
++  </refnamediv>
++
++  <refsynopsisdiv id='synopsis'>
++    <cmdsynopsis>
++      <command>shadowconfig</command>
++      <group choice='plain'>
++        <arg choice='plain'><replaceable>on</replaceable></arg>
++        <arg choice='plain'><replaceable>off</replaceable></arg>
++      </group>
++    </cmdsynopsis>
++  </refsynopsisdiv>
++
++  <refsect1 id='description'>
++    <title>DESCRIPTION</title>
++    <para><command>shadowconfig</command> on will turn shadow passwords on;
++      <emphasis remap='B'>shadowconfig off</emphasis> will turn shadow
++      passwords off. <command>shadowconfig</command> will print an error
++      message and exit with a nonzero code if it finds anything awry. If
++      that happens, you should correct the error and run it again. Turning
++      shadow passwords on when they are already on, or off when they are
++      already off, is harmless.
++    </para>
++
++    <para>
++      Read <filename>/usr/share/doc/passwd/README.Debian</filename> for a
++      brief introduction
++      to shadow passwords and related features.
++    </para>
++
++    <para>Note that turning shadow passwords off and on again will lose all
++      password
++      aging information.
++    </para>
++  </refsect1>
++</refentry>
+Index: git/man/fr/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/fr/shadowconfig.8
+@@ -0,0 +1,26 @@
++.\" This file was generated with po4a. Translate the source file.
++.\"
++.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $
++.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux"
++.SH NOM
++shadowconfig \- active ou désactive les mots de passe cachés
++.SH SYNOPSIS
++\fBshadowconfig\fP \fIon\fP | \fIoff\fP
++.SH DESCRIPTION
++.PP
++\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message
++d'erreur et quitte avec une valeur de retour non nulle s'il rencontre
++quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant
++de recommencer.
++
++Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les
++désactiver lorsqu'ils ne sont pas actifs est sans effet.
++
++Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux
++mots de passe cachés et à leurs fonctionnalités.
++
++Notez que désactiver puis réactiver les mots de passe cachés aura pour
++conséquence la perte des informations d'âge sur les mots de passe.
++.SH TRADUCTION
++Nicolas FRANÇOIS, 2004.
++Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>.
+Index: git/man/ja/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/ja/shadowconfig.8
+@@ -0,0 +1,25 @@
++.\"     all right reserved,
++.\" Translated Tue Oct 30 11:59:11 JST 2001
++.\" by Maki KURODA <mkuroda@aisys-jp.com>
++.\"
++.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux"
++.SH 名前
++shadowconfig \- shadow パスワードの設定をオン及びオフに切替える
++.SH 書式
++.B "shadowconfig"
++.IR on " | " off
++.SH 説明
++.PP
++.B shadowconfig on
++は shadow パスワードを有効にする。
++.B shadowconfig off
++は shadow パスワードを無効にする。
++.B shadowconfig
++は何らかの間違いがあると、エラーメッセージを表示し、
++ゼロではない返り値を返す。
++もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。
++shadow パスワードの設定がすでにオンの場合にオンに設定したり、
++すでにオフの場合にオフに設定しても、何の影響もない。
++
++.I /usr/share/doc/passwd/README.debian.gz
++には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。
+Index: git/man/pl/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/pl/shadowconfig.8
+@@ -0,0 +1,27 @@
++.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $
++.\" {PTM/WK/1999-09-14}
++.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux"
++.SH NAZWA
++shadowconfig - przełącza ochronę haseł i grup przez pliki shadow
++.SH SKŁADNIA
++.B "shadowconfig"
++.IR on " | " off
++.SH OPIS
++.PP
++.B shadowconfig on
++włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow);
++.B shadowconfig off
++wyłącza dodatkowe pliki haseł i grup.
++.B shadowconfig
++wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli
++znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd
++.\" if it finds anything awry.
++i uruchomić program ponownie.
++
++Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie,
++gdy jest wyłączona jest nieszkodliwe.
++
++Przeczytaj
++.IR /usr/share/doc/passwd/README.debian.gz ,
++gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych
++plików haseł przesłanianych (shadow passwords) i związanych tematów.

debian/patches/505_useradd_recommend_adduser

@@ -0,0 +1,40 @@
+Goal: Recommend using adduser and deluser.
+
+Fixes: #406046
+
+Status wrt upstream: Debian specific patch.
+
+Index: git/man/useradd.8.xml
+===================================================================
+--- git.orig/man/useradd.8.xml
++++ git/man/useradd.8.xml
+@@ -105,6 +105,12 @@
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+       <para>
++	<command>useradd</command> is a low level utility for adding
++	users.  On Debian, administrators should usually use
++	<citerefentry><refentrytitle>adduser</refentrytitle>
++	<manvolnum>8</manvolnum></citerefentry> instead.
++      </para>
++      <para>
+ 	When invoked without the <option>-D</option> option, the
+ 	<command>useradd</command> command creates a new user account using
+ 	the values specified on the command line plus the default values from
+Index: git/man/userdel.8.xml
+===================================================================
+--- git.orig/man/userdel.8.xml
++++ git/man/userdel.8.xml
+@@ -83,6 +83,12 @@
+   <refsect1 id='description'>
+     <title>DESCRIPTION</title>
+     <para>
++      <command>userdel</command> is a low level utility for removing
++      users.  On Debian, administrators should usually use
++      <citerefentry><refentrytitle>deluser</refentrytitle>
++      <manvolnum>8</manvolnum></citerefentry> instead.
++    </para>
++    <para>
+       The <command>userdel</command> command modifies the system account
+       files, deleting all entries that refer to the user name <emphasis
+       remap='I'>LOGIN</emphasis>. The named user must exist.

debian/patches/506_relaxed_usernames

@@ -0,0 +1,106 @@
+Goal: Relaxed usernames/groupnames checking patch.
+
+Status wrt upstream: Debian specific. Not to be used upstream
+
+Details:
+ Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
+ characters and don't start with '-', '+', or '~'. This patch is more
+ restrictive than original Karl's version. closes: #264879
+ Also closes: #377844
+ 
+ Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
+ 
+ I can't come up with a good justification as to why characters other
+ than ':'s and '\0's should be disallowed in group and usernames (other
+ than '-' as the leading character).  Thus, the maintenance tools don't
+ anymore.  closes: #79682, #166798, #171179
+
+Index: git/libmisc/chkname.c
+===================================================================
+--- git.orig/libmisc/chkname.c
++++ git/libmisc/chkname.c
+@@ -48,6 +48,7 @@
+ 
+ static bool is_valid_name (const char *name)
+ {
++#if 0
+ 	/*
+ 	 * User/group names must match [a-z_][a-z0-9_-]*[$]
+ 	 */
+@@ -66,6 +67,26 @@
+ 			return false;
+ 		}
+ 	}
++#endif
++	/*
++	 * POSIX indicate that usernames are composed of characters from the
++	 * portable filename character set [A-Za-z0-9._-], and that the hyphen
++	 * should not be used as the first character of a portable user name.
++	 *
++	 * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
++	 */
++	if (   ('\0' == *name)
++	    || ('-'  == *name)
++	    || ('~'  == *name)
++	    || ('+'  == *name)) {
++		return false;
++	}
++	do {
++		if ((':' == *name) || (',' == *name) || isspace(*name)) {
++			return false;
++		}
++		name++;
++	} while ('\0' != *name);
+ 
+ 	return true;
+ }
+Index: git/man/useradd.8.xml
+===================================================================
+--- git.orig/man/useradd.8.xml
++++ git/man/useradd.8.xml
+@@ -633,12 +633,20 @@
+     </para>
+ 
+     <para>
+-      Usernames must start with a lower case letter or an underscore,
++      It is usually recommended to only use usernames that begin with a lower case letter or an underscore,
+       followed by lower case letters, digits, underscores, or dashes.
+       They can end with a dollar sign.
+       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+     </para>
+     <para>
++      On Debian, the only constraints are that usernames must neither start
++      with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
++      colon (':'), a comma (','), or a whitespace (space: ' ',
++      end of line: '\n', tabulation: '\t', etc.). Note that using a slash
++      ('/') may break the default algorithm for the definition of the
++      user's home directory.
++    </para>
++    <para>
+       Usernames may only be up to 32 characters long.
+     </para>
+   </refsect1>
+Index: git/man/groupadd.8.xml
+===================================================================
+--- git.orig/man/groupadd.8.xml
++++ git/man/groupadd.8.xml
+@@ -256,12 +256,18 @@
+    <refsect1 id='caveats'>
+      <title>CAVEATS</title>
+      <para>
+-       Groupnames must start with a lower case letter or an underscore,
++       It is usually recommended to only use groupnames that begin with a lower case letter or an underscore,
+        followed by lower case letters, digits, underscores, or dashes.
+        They can end with a dollar sign.
+        In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+      </para>
+      <para>
++       On Debian, the only constraints are that groupnames must neither start
++       with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
++       colon (':'), a comma (','), or a whitespace (space:' ',
++       end of line: '\n', tabulation: '\t', etc.).
++     </para>
++     <para>
+        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+      </para>
+      <para>

debian/patches/508_nologin_in_usr_sbin

@@ -0,0 +1,20 @@
+Index: git/src/Makefile.am
+===================================================================
+--- git.orig/src/Makefile.am
++++ git/src/Makefile.am
+@@ -23,7 +23,6 @@
+ # $prefix/bin and $prefix/sbin, no install-data hacks...)
+ 
+ bin_PROGRAMS   = groups login su
+-sbin_PROGRAMS  = nologin
+ ubin_PROGRAMS  = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
+ if ENABLE_SUBIDS
+ ubin_PROGRAMS += newgidmap newuidmap
+@@ -41,6 +40,7 @@
+ 	grpunconv \
+ 	logoutd \
+ 	newusers \
++	nologin \
+ 	pwck \
+ 	pwconv \
+ 	pwunconv \

debian/patches/523_su_arguments_are_concatenated

@@ -0,0 +1,48 @@
+Goal: Concatenate the non-su arguments and provide them to the shell with
+      the -c option
+Fixes: #317264
+       see also #276419
+
+Status wrt upstream: This is a Debian specific patch.
+
+Note: the fix of the man page is still missing.
+      (to be taken from the trunk)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -1167,6 +1167,35 @@
+ 			argv[0] = "-c";
+ 			argv[1] = command;
+ 		}
++		/* On Debian, the arguments are concatenated and the
++		 * resulting string is always given to the shell with its
++		 * -c option.
++		 */
++		{
++			char **parg;
++			unsigned int cmd_len = 0;
++			char *cmd = NULL;
++			if (strcmp(argv[0], "-c") != 0) {
++				argv--;
++				argv[0] = "-c";
++			}
++			/* Now argv[0] is always -c, and other arguments
++			 * can be concatenated
++			 */
++			cmd_len = 1; /* finale '\0' */
++			for (parg = &argv[1]; *parg; parg++) {
++				cmd_len += strlen (*parg) + 1;
++			}
++			cmd = (char *) xmalloc (sizeof (char) * cmd_len);
++			cmd[0] = '\0';
++			for (parg = &argv[1]; *parg; parg++) {
++				strcat (cmd, " ");
++				strcat (cmd, *parg);
++			}
++			cmd[cmd_len - 1] = '\0';
++			argv[1] = &cmd[1]; /* do not take first space */
++			argv[2] = NULL;
++		}
+ 		/*
+ 		 * Use the shell and create an argv
+ 		 * with the rest of the command line included.

debian/patches/523_su_arguments_are_no_more_concatenated_by_default

@@ -0,0 +1,50 @@
+Goal: Do not concatenate the additional arguments, and support an
+      environment variable to revert to the old Debian's su behavior.
+
+This patch needs the su_arguments_are_concatenated patch.
+
+This patch, and su_arguments_are_concatenated should be dropped after
+Etch.
+
+Status wrt upstream: This patch is Debian specific.
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -104,6 +104,19 @@
+ /* If nonzero, change some environment vars to indicate the user su'd to. */
+ static bool change_environment = true;
+ 
++/*
++ * If nonzero, keep the old Debian behavior:
++ *   * concatenate all the arguments and provide them to the -c option of
++ *     the shell
++ *   * If there are some additional arguments, but no -c, add a -c
++ *     argument anyway
++ * Drawbacks:
++ *   * you can't provide options to the shell (other than -c)
++ *   * you can't rely on the argument count
++ * See http://bugs.debian.org/276419
++ */
++static int old_debian_behavior;
++
+ #ifdef USE_PAM
+ static pam_handle_t *pamh = NULL;
+ static int caught = 0;
+@@ -964,6 +977,8 @@
+ 	int ret;
+ #endif				/* USE_PAM */
+ 
++	old_debian_behavior = (getenv("SU_NO_SHELL_ARGS") != NULL);
++
+ 	(void) setlocale (LC_ALL, "");
+ 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
+ 	(void) textdomain (PACKAGE);
+@@ -1171,7 +1186,7 @@
+ 		 * resulting string is always given to the shell with its
+ 		 * -c option.
+ 		 */
+-		{
++		if (old_debian_behavior) {
+ 			char **parg;
+ 			unsigned int cmd_len = 0;
+ 			char *cmd = NULL;

debian/patches/542_useradd-O_option

@@ -0,0 +1,47 @@
+Goal: accepts the -O flag for backward compatibility. (was used by adduser?)
+
+Note: useradd.8 needs to be regenerated.
+
+Status wrt upstream: not included as this is just specific 
+                     backward compatibility for Debian
+
+Index: git/man/useradd.8.xml
+===================================================================
+--- git.orig/man/useradd.8.xml
++++ git/man/useradd.8.xml
+@@ -329,6 +329,11 @@
+ 	    databases are resetted to avoid reusing the entry from a previously
+ 	    deleted user.
+ 	  </para>
++          <para>
++            For the compatibility with previous Debian's
++            <command>useradd</command>, the <option>-O</option> option is
++            also supported.
++          </para>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+Index: git/src/useradd.c
+===================================================================
+--- git.orig/src/useradd.c
++++ git/src/useradd.c
+@@ -1056,9 +1056,9 @@
+ 		};
+ 		while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
++		                         "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:UZ:",
+ #else				/* !WITH_SELINUX */
+-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
++		                         "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:U",
+ #endif				/* !WITH_SELINUX */
+ 		                         long_options, NULL)) != -1) {
+ 			switch (c) {
+@@ -1181,6 +1181,7 @@
+ 				kflg = true;
+ 				break;
+ 			case 'K':
++			case 'O': /* compatibility with previous Debian useradd */
+ 				/*
+ 				 * override login.defs defaults (-K name=value)
+ 				 * example: -K UID_MIN=100 -K UID_MAX=499

debian/patches/900_testsuite_groupmems

@@ -0,0 +1,81 @@
+--- a/debian/passwd.install
++++ b/debian/passwd.install
+@@ -9,6 +9,7 @@
+ usr/sbin/cppw
+ usr/sbin/groupadd
+ usr/sbin/groupdel
++usr/sbin/groupmems
+ usr/sbin/groupmod
+ usr/sbin/grpck
+ usr/sbin/grpconv
+@@ -33,6 +34,7 @@
+ usr/share/man/*/man8/chpasswd.8
+ usr/share/man/*/man8/groupadd.8
+ usr/share/man/*/man8/groupdel.8
++usr/share/man/*/man8/groupmems.8
+ usr/share/man/*/man8/groupmod.8
+ usr/share/man/*/man8/grpck.8
+ usr/share/man/*/man8/grpconv.8
+@@ -59,6 +61,7 @@
+ usr/share/man/man8/chpasswd.8
+ usr/share/man/man8/groupadd.8
+ usr/share/man/man8/groupdel.8
++usr/share/man/man8/groupmems.8
+ usr/share/man/man8/groupmod.8
+ usr/share/man/man8/grpck.8
+ usr/share/man/man8/grpconv.8
+--- a/debian/passwd.postinst
++++ b/debian/passwd.postinst
+@@ -31,6 +31,24 @@
+     			exit 1
+ 		)
+ 	fi
++	if ! getent group groupmems | grep -q '^groupmems:[^:]*:99'
++	then
++		groupadd -g 99 groupmems || (
++    			cat <<EOF
++************************  TESTSUITE  *****************************
++Group ID 99 has been allocated for the groupmems group.  You have either
++used 99 yourself or created a groupmems group with a different ID.
++Please correct this problem and reconfigure with ``dpkg --configure passwd''.
++
++Note that both user and group IDs in the range 0-99 are globally
++allocated by the Debian project and must be the same on every Debian
++system.
++EOF
++    			exit 1
++		)
++# FIXME
++		chgrp groupmems /usr/sbin/groupmems
++	fi
+     ;;
+ esac
+ 
+--- a/debian/rules
++++ b/debian/rules
+@@ -60,6 +60,7 @@
+ 	dh_installpam -p passwd --name=chsh
+ 	dh_installpam -p passwd --name=chpasswd
+ 	dh_installpam -p passwd --name=newusers
++	dh_installpam -p passwd --name=groupmems
+ ifeq ($(DEB_HOST_ARCH_OS),hurd)
+ # login is not built on The Hurd, but some utilities of passwd depends on
+ # /etc/login.defs.
+@@ -87,3 +88,6 @@
+ 	chgrp shadow debian/passwd/usr/bin/expiry
+ 	chmod g+s debian/passwd/usr/bin/chage
+ 	chmod g+s debian/passwd/usr/bin/expiry
++	chgrp groupmems debian/passwd/usr/sbin/groupmems
++	chmod u+s debian/passwd/usr/sbin/groupmems
++	chmod o-x debian/passwd/usr/sbin/groupmems
+--- /dev/null
++++ b/debian/passwd.groupmems.pam
+@@ -0,0 +1,8 @@
++# The PAM configuration file for the Shadow 'groupmod' service
++#
++
++# This allows root to modify groups without being prompted for a password
++auth		sufficient	pam_rootok.so
++
++@include common-auth
++@include common-account

debian/patches/901_testsuite_gcov

@@ -0,0 +1,76 @@
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -1,6 +1,8 @@
+ 
+ AUTOMAKE_OPTIONS = 1.0 foreign
+ 
++CFLAGS += -fprofile-arcs -ftest-coverage
++
+ DEFS = 
+ 
+ noinst_LTLIBRARIES = libshadow.la
+--- a/libmisc/Makefile.am
++++ b/libmisc/Makefile.am
+@@ -1,6 +1,8 @@
+ 
+ EXTRA_DIST = .indent.pro xgetXXbyYY.c
+ 
++CFLAGS += -fprofile-arcs -ftest-coverage
++
+ INCLUDES = -I$(top_srcdir)/lib
+ 
+ noinst_LIBRARIES = libmisc.a
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -7,6 +7,8 @@
+ suidperms = 4755
+ sgidperms = 2755
+ 
++CFLAGS += -fprofile-arcs -ftest-coverage
++
+ INCLUDES = \
+ 	-I${top_srcdir}/lib \
+ 	-I$(top_srcdir)/libmisc
+--- a/debian/rules
++++ b/debian/rules
+@@ -40,6 +40,12 @@
+ endif
+ export CFLAGS
+ 
++clean:: clean_gcov
++
++clean_gcov:
++	find . -name "*.gcda" -delete
++	find . -name "*.gcno" -delete
++
+ # Add extras to the install process:
+ binary-install/login::
+ 	dh_installpam -p login
+--- a/lib/defines.h
++++ b/lib/defines.h
+@@ -174,23 +174,9 @@
+    trust the formatted time received from the unix domain (or worse,
+    UDP) socket.  -MM */
+ /* Avoid translated PAM error messages: Set LC_ALL to "C".
++ * This is disabled for coverage testing
+  * --Nekral */
+-#define SYSLOG(x)							\
+-	do {								\
+-		char *old_locale = setlocale (LC_ALL, NULL);		\
+-		char *saved_locale = NULL;				\
+-		if (NULL != old_locale) {				\
+-			saved_locale = strdup (old_locale);		\
+-		}							\
+-		if (NULL != saved_locale) {				\
+-			(void) setlocale (LC_ALL, "C");			\
+-		}							\
+-		syslog x ;						\
+-		if (NULL != saved_locale) {				\
+-			(void) setlocale (LC_ALL, saved_locale);	\
+-			free (saved_locale);				\
+-		}							\
+-	} while (false)
++#define SYSLOG(x) syslog x
+ #else				/* !ENABLE_NLS */
+ #define SYSLOG(x) syslog x
+ #endif				/* !ENABLE_NLS */

debian/patches/CVE-2017-12424.patch

@@ -0,0 +1,37 @@
+From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Fri, 31 Mar 2017 16:25:06 +0200
+Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
+
+If ptr->line == NULL for an entry, the first cycle will exit,
+but the second one will happily write past entries buffer.
+We actually do not want to exit the first cycle prematurely
+on ptr->line == NULL.
+Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
+---
+ lib/commonio.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -755,16 +755,16 @@
+ 	for (ptr = db->head;
+ 	        (NULL != ptr)
+ #if KEEP_NIS_AT_END
+-	     && (NULL != ptr->line)
+-	     && (   ('+' != ptr->line[0])
+-	         && ('-' != ptr->line[0]))
++	     && ((NULL == ptr->line)
++	         || (('+' != ptr->line[0])
++	             && ('-' != ptr->line[0])))
+ #endif
+ 	     ;
+ 	     ptr = ptr->next) {
+ 		n++;
+ 	}
+ #if KEEP_NIS_AT_END
+-	if ((NULL != ptr) && (NULL != ptr->line)) {
++	if (NULL != ptr) {
+ 		nis = ptr;
+ 	}
+ #endif

debian/patches/CVE-2018-7169.patch

@@ -0,0 +1,174 @@
+From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Thu, 15 Feb 2018 23:49:40 +1100
+Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group
+
+This is necessary to match the kernel-side policy of "self-mapping in a
+user namespace is fine, but you cannot drop groups" -- a policy that was
+created in order to stop user namespaces from allowing trivial privilege
+escalation by dropping supplementary groups that were "blacklisted" from
+certain paths.
+
+This is the simplest fix for the underlying issue, and effectively makes
+it so that unless a user has a valid mapping set in /etc/subgid (which
+only administrators can modify) -- and they are currently trying to use
+that mapping -- then /proc/$pid/setgroups will be set to deny. This
+workaround is only partial, because ideally it should be possible to set
+an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
+administrators to further restrict newgidmap(1).
+
+We also don't write anything in the "allow" case because "allow" is the
+default, and users may have already written "deny" even if they
+technically are allowed to use setgroups. And we don't write anything if
+the setgroups policy is already "deny".
+
+Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
+Fixes: CVE-2018-7169
+Reported-by: Craig Furman <craig.furman89@gmail.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+--- a/src/newgidmap.c
++++ b/src/newgidmap.c
+@@ -46,32 +46,37 @@
+  */
+ const char *Prog;
+ 
+-static bool verify_range(struct passwd *pw, struct map_range *range)
++
++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
+ {
+ 	/* An empty range is invalid */
+ 	if (range->count == 0)
+ 		return false;
+ 
+-	/* Test /etc/subgid */
+-	if (have_sub_gids(pw->pw_name, range->lower, range->count))
++	/* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
++	if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
++		*allow_setgroups = true;
+ 		return true;
++	}
+ 
+-	/* Allow a process to map it's own gid */
+-	if ((range->count == 1) && (pw->pw_gid == range->lower))
++	/* Allow a process to map its own gid. */
++	if ((range->count == 1) && (pw->pw_gid == range->lower)) {
++		/* noop -- if setgroups is enabled already we won't disable it. */
+ 		return true;
+ 
++	}
+ 	return false;
+ }
+ 
+ static void verify_ranges(struct passwd *pw, int ranges,
+-	struct map_range *mappings)
++	struct map_range *mappings, bool *allow_setgroups)
+ {
+ 	struct map_range *mapping;
+ 	int idx;
+ 
+ 	mapping = mappings;
+ 	for (idx = 0; idx < ranges; idx++, mapping++) {
+-		if (!verify_range(pw, mapping)) {
++		if (!verify_range(pw, mapping, allow_setgroups)) {
+ 			fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
+ 				Prog,
+ 				mapping->upper,
+@@ -89,6 +94,70 @@
+ 	exit(EXIT_FAILURE);
+ }
+ 
++void write_setgroups(int proc_dir_fd, bool allow_setgroups)
++{
++	int setgroups_fd;
++	char *policy, policy_buffer[4096];
++
++	/*
++	 * Default is "deny", and any "allow" will out-rank a "deny". We don't
++	 * forcefully write an "allow" here because the process we are writing
++	 * mappings for may have already set themselves to "deny" (and "allow"
++	 * is the default anyway). So allow_setgroups == true is a noop.
++	 */
++	policy = "deny\n";
++	if (allow_setgroups)
++		return;
++
++	setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
++	if (setgroups_fd < 0) {
++		/*
++		 * If it's an ENOENT then we are on too old a kernel for the setgroups
++		 * code to exist. Emit a warning and bail on this.
++		 */
++		if (ENOENT == errno) {
++			fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
++			goto out;
++		}
++		fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++	/*
++	 * Check whether the policy is already what we want. /proc/self/setgroups
++	 * is write-once, so attempting to write after it's already written to will
++	 * fail.
++	 */
++	if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
++		fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (!strncmp(policy_buffer, policy, strlen(policy)))
++		goto out;
++
++	/* Write the policy. */
++	if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
++		fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (dprintf(setgroups_fd, "%s", policy) < 0) {
++		fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
++			Prog,
++			policy,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++out:
++	close(setgroups_fd);
++}
++
+ /*
+  * newgidmap - Set the gid_map for the specified process
+  */
+@@ -103,6 +172,7 @@
+ 	struct stat st;
+ 	struct passwd *pw;
+ 	int written;
++	bool allow_setgroups = false;
+ 
+ 	Prog = Basename (argv[0]);
+ 
+@@ -144,7 +214,7 @@
+ 				(unsigned long) getuid ()));
+ 		return EXIT_FAILURE;
+ 	}
+-	
++
+ 	/* Get the effective uid and effective gid of the target process */
+ 	if (fstat(proc_dir_fd, &st) < 0) {
+ 		fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
+@@ -174,8 +244,9 @@
+ 	if (!mappings)
+ 		usage();
+ 
+-	verify_ranges(pw, ranges, mappings);
++	verify_ranges(pw, ranges, mappings, &allow_setgroups);
+ 
++	write_setgroups(proc_dir_fd, allow_setgroups);
+ 	write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
+ 	sub_gid_close();
+ 

debian/patches/CVE-2023-29383.patch

@@ -0,0 +1,83 @@
+Origin: https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+Origin: https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2025-04-15
+
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+Index: shadow-4.2/lib/fields.c
+===================================================================
+--- shadow-4.2.orig/lib/fields.c
++++ shadow-4.2/lib/fields.c
+@@ -44,9 +44,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *       contains a non-printable character.
++ *  + -1 is returned if an illegal or control character is present.
++ *  +  1 is returned if no illegal or control characters are present,
++ *       but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+  */
+ int valid_field (const char *field, const char *illegal)
+@@ -60,23 +60,22 @@ int valid_field (const char *field, cons
+ 
+ 	/* For each character of field, search if it appears in the list
+ 	 * of illegal characters. */
++	if (illegal && NULL != strpbrk (field, illegal)) {
++		return -1;
++	}
++
++	/* Search if there are non-printable or control characters */
+ 	for (cp = field; '\0' != *cp; cp++) {
+-		if (strchr (illegal, *cp) != NULL) {
++		unsigned char c = *cp;
++		if (!isprint (c)) {
++			err = 1;
++		}
++		if (iscntrl (c)) {
+ 			err = -1;
+ 			break;
+ 		}
+ 	}
+ 
+-	if (0 == err) {
+-		/* Search if there are some non-printable characters */
+-		for (cp = field; '\0' != *cp; cp++) {
+-			if (!isprint (*cp)) {
+-				err = 1;
+-				break;
+-			}
+-		}
+-	}
+-
+ 	return err;
+ }
+ 

debian/patches/CVE-2023-4641.patch

@@ -0,0 +1,143 @@
+Origin: https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2025-04-15
+
+From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password).  Each of those 2 password prompts
+uses agetpass() to get the password.  If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+-  malloc(3) or readpassphrase(3) failure.
+
+   These are going to be difficult to trigger.  Maybe getting the system
+   to the limits of memory utilization at that exact point, so that the
+   next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+   About readpassphrase(3), ENFILE and EINTR seem the only plausible
+   ones, and EINTR probably requires privilege or being the same user;
+   but I wouldn't discard ENFILE so easily, if a process starts opening
+   files.
+
+-  The password is longer than PASS_MAX.
+
+   The is plausible with physical access.  However, at that point, a
+   keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable.  Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> -  brk / sbrk
+> -  mmap MAP_ANONYMOUS
+> -  mmap /dev/zero
+> -  mmap some other file
+> -  shm_open
+> -  shmget
+>
+> Most of these return only pages of zeros to a process.  Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED.  This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process.  It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> -  /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> -  /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> -  ptrace (requires ptrace privileges, mediated by YAMA)
+> -  causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack.  Those copies won't get zeroed
+by explicit_bzero(3).  However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3).  But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible.  Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit.  Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All.  Bug introduced in shadow 19990709.  That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: shadow-4.2/src/gpasswd.c
+===================================================================
+--- shadow-4.2.orig/src/gpasswd.c
++++ shadow-4.2/src/gpasswd.c
+@@ -911,6 +911,7 @@ static void change_passwd (struct group
+ 	for (retries = 0; retries < RETRIES; retries++) {
+ 		cp = getpass (_("New Password: "));
+ 		if (NULL == cp) {
++			memzero (pass, sizeof pass);
+ 			exit (1);
+ 		}
+ 

debian/patches/README.patches

@@ -0,0 +1,71 @@
+Small intro to the system for numbering the patches here...
+
+-The 0xx series of patches are patches isolated from the latest
+ version of the shadow Debian package not using quilt in order to
+ separate upstream from Debian-specific stuff.
+
+ NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES
+
+-The 1xx series are l10n patches to upstream 4.0.18.1. As upstream has
+ adopted Debian translations, it is very likely that these patches
+ will become useless when we will have synced with upstream
+
+-The 2xx series are patches for manual pages translations to upstream
+ 4.0.18.1.
+
+-The 3xx series are patches which have been temporarily applied to 
+ Debian's shadow while we *know* they have been applied upstream as well
+ These patches should NOT be kept when we will sync with upstream
+
+-The 4xx series are patches which have been applied to Debian's shadow
+ and have NOT been accepted and/or applied upstream. These patches MUST be kept
+ even after resynced with upstream
+
+-The 5xx series are patches which are applied to Debian's shadow
+ and will never be proposed upstream because they're too specific
+ This list SHOULD BE AS SHORT AS POSSIBLE
+
+In short, while we are working towards synchronisation with upstream,
+our goal is to make 0xx patches disappear by moving them either to 3xx
+series (things already implemented upstream) or to 4xx series
+(Debian-specific patches).
+
+
+Short HOWTO for quilt
+=====================
+
+The quilt system can be assimilated to a Pile Of Patches management system.
+Patches live in debian/patches, the working directory is "."
+
+The basic commands are (abbreviation accepted):
+quilt push (asks to apply the next patch in the pile)
+quilt pop  (removes the current patch and go up in the pile)
+quilt refresh (take the current changes in tree onto the patch)
+
+When a file is changed by a patch, quilt saves it somewhere under .pc on
+application. This is how it can refresh it afterward (comparing the version
+in .pc and the one you currently have in your working dir).
+
+There are three common pitfalls with quilt:
+ - doing "quilt pop" without doing "quilt refresh". The version of current
+     dir is replaced with the version of the .pc dir. Your changes are lost.
+   Quilt wont let you do so, but you can force it with '-f' if you're fool.
+ - editing a file with is not in the patch yet. Quilt didn't do any previous
+     backup.
+   Use "quilt add" to add files to patches.
+   Set $EDITOR and use "quilt edit" to edit a file, and add it onto the
+     patch if needed.
+ - If you update your working directory, patches may not revert cleanly.
+   It is thus recommended to use "quilt pop -a" before updating with
+   "svn up".
+   If you forget (and run into trouble), you may want to remove the whole
+   shadow-?.?.? directory. If you use the makefile which is in the upper
+   directory (trunk/), shadow-?.?.?/debian/patches is a link to
+   debian/patches, so this dirctory does not contain any valuable info.
+
+The documentation is quite well done, I think. "quilt -h" will list you the
+commands. "quilt <cmd> -h" will give you some hints about it. "man quilt" is
+a reference documentation. /usr/share/doc/quilt/quilt.pdf.gz is a complete
+manual, with tutorial.
+
+

debian/patches/series

@@ -0,0 +1,45 @@
+# These patches are only for the testsuite:
+#900_testsuite_groupmems
+#901_testsuite_gcov
+
+503_shadowconfig.8
+008_login_log_failure_in_FTMP
+301-CVE-2017-2616-su-properly-clear-child-PID.patch
+302-CVE-2016-6252-fix-integer-overflow.patch
+303-Reset-pid_child-only-if-waitpid-was-successful.patch
+429_login_FAILLOG_ENAB
+401_cppw_src.dpatch
+# 402 should be merged in 401, but should be reviewed by SE Linux experts first
+402_cppw_selinux
+506_relaxed_usernames
+542_useradd-O_option
+501_commonio_group_shadow
+463_login_delay_obeys_to_PAM
+523_su_arguments_are_concatenated
+523_su_arguments_are_no_more_concatenated_by_default
+508_nologin_in_usr_sbin
+505_useradd_recommend_adduser
+#userns/01_userns_doc
+#userns/02_userns_doc_login.defs
+#userns/03_userns_implement_commonio_append
+#userns/04_userns_add_backend_support
+#userns/05_userns_implemend_find_new_sub_xids
+#userns/06_userns_userdel
+#userns/07_userns_useradd
+#userns/08_userns_detect_busy_subids
+#userns/09_userns_usermod
+#userns/10_userns_newusers
+#userns/11_userns_newxidmap
+#userns/12_userns_selinuxlibs
+#userns/13_subordinate_parse_static_buf
+#userns/14_fix_getopt
+#userns/manpagetypo
+#userns/16_add-argument-sanity-checking.patch
+1000_configure_userns
+1010_vietnamese_translation
+1020_fix_user_busy_errors
+CVE-2017-12424.patch
+CVE-2018-7169.patch
+
+CVE-2023-4641.patch
+CVE-2023-29383.patch

debian/patches/userns/01_userns_doc

@@ -0,0 +1,334 @@
+From ebiederm@xmission.com  Tue Jan 22 09:14:18 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id DAC33C80F4; Tue, 22 Jan 2013 09:14:18 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 274ACC80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:14:14 +0000 (UTC)
+Received: from out01.mta.xmission.com ([166.70.13.231])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZuB-0006Xm-N5; Tue, 22 Jan 2013 02:12:31 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out01.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZuA-0005NR-BQ; Tue, 22 Jan 2013 02:12:30 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZu7-0004Pj-Ec; Tue, 22 Jan 2013 02:12:30 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:12:23 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <877gn5shs8.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX18YouPWtKNAX3LovSW2+p/ONbuCHMFEQpM=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 01/11] Documentation for /etc/subuid and /etc/subgid
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2071                                                  
+Status: RO
+Content-Length: 9835
+Lines: 286
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ man/Makefile.am  |    4 ++
+ man/subgid.5.xml |  120 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ man/subuid.5.xml |  120 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 244 insertions(+), 0 deletions(-)
+ create mode 100644 man/subgid.5.xml
+ create mode 100644 man/subuid.5.xml
+
+Index: shadow/man/Makefile.am
+===================================================================
+--- shadow.orig/man/Makefile.am	2013-02-01 15:26:14.428082026 -0600
++++ shadow/man/Makefile.am	2013-02-01 15:27:37.000000000 -0600
+@@ -43,6 +43,8 @@
+ 	man5/shadow.5 \
+ 	man1/su.1 \
+ 	man5/suauth.5 \
++	man5/subgid.5 \
++	man5/subuid.5 \
+ 	man8/useradd.8 \
+ 	man8/userdel.8 \
+ 	man8/usermod.8 \
+@@ -94,6 +96,8 @@
+ 	sg.1.xml \
+ 	su.1.xml \
+ 	suauth.5.xml \
++	subgid.5.xml \
++	subuid.5.xml \
+ 	useradd.8.xml \
+ 	userdel.8.xml \
+ 	usermod.8.xml \
+Index: shadow/man/subgid.5.xml
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/man/subgid.5.xml	2013-02-01 15:26:14.424082026 -0600
+@@ -0,0 +1,120 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!--
++   Copyright (c) 2013 Eric W. Biederman
++   All rights reserved.
++  
++   Redistribution and use in source and binary forms, with or without
++   modification, are permitted provided that the following conditions
++   are met:
++   1. Redistributions of source code must retain the above copyright
++      notice, this list of conditions and the following disclaimer.
++   2. Redistributions in binary form must reproduce the above copyright
++      notice, this list of conditions and the following disclaimer in the
++      documentation and/or other materials provided with the distribution.
++   3. The name of the copyright holders or contributors may not be used to
++      endorse or promote products derived from this software without
++      specific prior written permission.
++  
++   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++-->
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
++  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
++<!-- SHADOW-CONFIG-HERE -->
++]>
++<refentry id='subgid.5'>
++  <refmeta>
++    <refentrytitle>subgid</refentrytitle>
++    <manvolnum>5</manvolnum>
++    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
++    <refmiscinfo class="source">shadow-utils</refmiscinfo>
++    <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
++  </refmeta>
++  <refnamediv id='name'>
++    <refname>subgid</refname>
++    <refpurpose>the subordinate gid file</refpurpose>
++  </refnamediv>
++
++  <refsect1 id='description'>
++    <title>DESCRIPTION</title>
++    <para>
++      Each line in <filename>/etc/subgid</filename> contains
++      a user id and a range of suboridinate user ids that user
++      is allowed to use.
++
++      This is specified with three fields delimited by colons
++      (<quote>:</quote>).
++      These fields are:
++    </para>
++    <itemizedlist mark='bullet'>
++      <listitem>
++	<para>login name</para>
++      </listitem>
++      <listitem>
++	<para>numerical subordinate user ID</para>
++      </listitem>
++      <listitem>
++	<para>numerical subordinate user ID count</para>
++      </listitem>
++    </itemizedlist>
++
++    <para>
++      This file specifies the group IDs to be that each user may use
++      with the <command>newgidmap</command> command that ordinary users can use to
++      configure gid mapping in a user namespace.
++    </para>
++
++    <para>
++      Multiple ranges may be specified per user ID.
++    </para>
++
++  </refsect1>
++
++  <refsect1 id='files'>
++    <title>FILES</title>
++    <variablelist>
++      <varlistentry>
++	<term><filename>/etc/subgid</filename></term>
++	<listitem>
++	  <para>Per user subordinate group IDs.</para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term><filename>/etc/subgid-</filename></term>
++	<listitem>
++	  <para>Backup file for /etc/subgid.</para>
++	</listitem>
++      </varlistentry>
++    </variablelist>
++  </refsect1>
++
++  <refsect1 id='see_also'>
++    <title>SEE ALSO</title>
++    <para>
++      <citerefentry>
++	<refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>logindefs</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>,
++    </para>
++  </refsect1>
++</refentry>
+Index: shadow/man/subuid.5.xml
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/man/subuid.5.xml	2013-02-01 15:26:14.424082026 -0600
+@@ -0,0 +1,120 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!--
++   Copyright (c) 2013 Eric W. Biederman
++   All rights reserved.
++  
++   Redistribution and use in source and binary forms, with or without
++   modification, are permitted provided that the following conditions
++   are met:
++   1. Redistributions of source code must retain the above copyright
++      notice, this list of conditions and the following disclaimer.
++   2. Redistributions in binary form must reproduce the above copyright
++      notice, this list of conditions and the following disclaimer in the
++      documentation and/or other materials provided with the distribution.
++   3. The name of the copyright holders or contributors may not be used to
++      endorse or promote products derived from this software without
++      specific prior written permission.
++  
++   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++-->
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
++  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
++<!-- SHADOW-CONFIG-HERE -->
++]>
++<refentry id='subuid.5'>
++  <refmeta>
++    <refentrytitle>subuid</refentrytitle>
++    <manvolnum>5</manvolnum>
++    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
++    <refmiscinfo class="source">shadow-utils</refmiscinfo>
++    <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
++  </refmeta>
++  <refnamediv id='name'>
++    <refname>subuid</refname>
++    <refpurpose>the subordinate uid file</refpurpose>
++  </refnamediv>
++
++  <refsect1 id='description'>
++    <title>DESCRIPTION</title>
++    <para>
++      Each line in <filename>/etc/subuid</filename> contains
++      a user id and a range of suboridinate user ids that user
++      is allowed to use.
++
++      This is specified with three fields delimited by colons
++      (<quote>:</quote>).
++      These fields are:
++    </para>
++    <itemizedlist mark='bullet'>
++      <listitem>
++	<para>login name</para>
++      </listitem>
++      <listitem>
++	<para>numerical subordinate user ID</para>
++      </listitem>
++      <listitem>
++	<para>numerical subordinate user ID count</para>
++      </listitem>
++    </itemizedlist>
++
++    <para>
++      This file specifies the user IDs to be that each user may use
++      with the <command>newuidmap</command> command that ordinary users can use to
++      configure uid mapping in a user namespace.
++    </para>
++
++    <para>
++      Multiple ranges may be specified per user ID.
++    </para>
++
++  </refsect1>
++
++  <refsect1 id='files'>
++    <title>FILES</title>
++    <variablelist>
++      <varlistentry>
++	<term><filename>/etc/subuid</filename></term>
++	<listitem>
++	  <para>Per user subordinate user IDs.</para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term><filename>/etc/subuid-</filename></term>
++	<listitem>
++	  <para>Backup file for /etc/subuid.</para>
++	</listitem>
++      </varlistentry>
++    </variablelist>
++  </refsect1>
++
++  <refsect1 id='see_also'>
++    <title>SEE ALSO</title>
++    <para>
++      <citerefentry>
++	<refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>logindefs</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++	<refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>,
++    </para>
++  </refsect1>
++</refentry>

debian/patches/userns/02_userns_doc_login.defs

@@ -0,0 +1,218 @@
+From ebiederm@xmission.com  Tue Jan 22 09:14:55 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id 140DBC80F4; Tue, 22 Jan 2013 09:14:55 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 5D815C80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:14:50 +0000 (UTC)
+Received: from out03.mta.xmission.com ([166.70.13.233])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZum-0006il-0f; Tue, 22 Jan 2013 02:13:08 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out03.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZul-0004GF-Id; Tue, 22 Jan 2013 02:13:07 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZuf-0004T0-MS; Tue, 22 Jan 2013 02:13:07 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:12:58 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <871uddshr9.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX19iYyOCEx6dl2v1Ya/KIGpixG5+3MVA1bY=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 02/11] login.defs.5: Document the new variables in login.defs
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2072                                                  
+Status: RO
+Content-Length: 7615
+Lines: 170
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ man/Makefile.am                    |    2 +
+ man/login.defs.5.xml               |    8 ++++++
+ man/login.defs.d/SUB_GID_COUNT.xml |   46 ++++++++++++++++++++++++++++++++++++
+ man/login.defs.d/SUB_UID_COUNT.xml |   46 ++++++++++++++++++++++++++++++++++++
+ 4 files changed, 102 insertions(+), 0 deletions(-)
+ create mode 100644 man/login.defs.d/SUB_GID_COUNT.xml
+ create mode 100644 man/login.defs.d/SUB_UID_COUNT.xml
+
+Index: shadow/man/Makefile.am
+===================================================================
+--- shadow.orig/man/Makefile.am	2013-02-01 15:27:51.048080390 -0600
++++ shadow/man/Makefile.am	2013-02-01 15:27:51.040080390 -0600
+@@ -163,6 +163,8 @@
+ 	USERDEL_CMD.xml \
+ 	USERGROUPS_ENAB.xml \
+ 	USE_TCB.xml \
++	SUB_GID_COUNT.xml \
++	SUB_UID_COUNT.xml \
+ 	SYS_GID_MAX.xml \
+ 	SYS_UID_MAX.xml
+ 
+Index: shadow/man/login.defs.5.xml
+===================================================================
+--- shadow.orig/man/login.defs.5.xml	2013-02-01 15:27:51.048080390 -0600
++++ shadow/man/login.defs.5.xml	2013-02-01 15:27:51.044080390 -0600
+@@ -78,6 +78,8 @@
+ <!ENTITY SULOG_FILE            SYSTEM "login.defs.d/SULOG_FILE.xml">
+ <!ENTITY SU_NAME               SYSTEM "login.defs.d/SU_NAME.xml">
+ <!ENTITY SU_WHEEL_ONLY         SYSTEM "login.defs.d/SU_WHEEL_ONLY.xml">
++<!ENTITY SUB_GID_COUNT         SYSTEM "login.defs.d/SUB_GID_COUNT.xml">
++<!ENTITY SUB_UID_COUNT         SYSTEM "login.defs.d/SUB_UID_COUNT.xml">
+ <!ENTITY SYS_GID_MAX           SYSTEM "login.defs.d/SYS_GID_MAX.xml">
+ <!ENTITY SYSLOG_SG_ENAB        SYSTEM "login.defs.d/SYSLOG_SG_ENAB.xml">
+ <!ENTITY SYSLOG_SU_ENAB        SYSTEM "login.defs.d/SYSLOG_SU_ENAB.xml">
+@@ -216,6 +218,8 @@
+       &SULOG_FILE;
+       &SU_NAME;
+       &SU_WHEEL_ONLY;
++      &SUB_GID_COUNT; <!-- documents also SUB_GID_MIN SUB_GID_MAX -->
++      &SUB_UID_COUNT; <!-- documents also SUB_UID_MIN SUB_UID_MAX -->
+       &SYS_GID_MAX; <!-- documents also SYS_GID_MIN -->
+       &SYS_UID_MAX; <!-- documents also SYS_UID_MIN -->
+       &SYSLOG_SG_ENAB;
+@@ -393,6 +397,8 @@
+ 	    PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
+ 	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+ 	    SHA_CRYPT_MIN_ROUNDS</phrase>
++	    SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
++	    SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
+ 	    SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN
+ 	    UMASK
+ 	  </para>
+@@ -470,6 +476,8 @@
+ 	    GID_MAX GID_MIN
+ 	    MAIL_DIR MAX_MEMBERS_PER_GROUP
+ 	    PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
++	    SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
++	    SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
+ 	    SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN
+ 	    UMASK
+ 	    <phrase condition="tcb">TCB_AUTH_GROUP TCB_SYMLINK USE_TCB</phrase>
+Index: shadow/man/login.defs.d/SUB_GID_COUNT.xml
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/man/login.defs.d/SUB_GID_COUNT.xml	2013-02-01 15:27:51.044080390 -0600
+@@ -0,0 +1,46 @@
++<!--
++   Copyright (c) 2013, Eric W. Biederman
++   All rights reserved.
++  
++   Redistribution and use in source and binary forms, with or without
++   modification, are permitted provided that the following conditions
++   are met:
++   1. Redistributions of source code must retain the above copyright
++      notice, this list of conditions and the following disclaimer.
++   2. Redistributions in binary form must reproduce the above copyright
++      notice, this list of conditions and the following disclaimer in the
++      documentation and/or other materials provided with the distribution.
++   3. The name of the copyright holders or contributors may not be used to
++      endorse or promote products derived from this software without
++      specific prior written permission.
++  
++   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++-->
++<varlistentry>
++  <term><option>SUB_GID_MIN</option> (number)</term>
++  <term><option>SUB_GID_MAX</option> (number)</term>
++  <term><option>SUB_GID_COUNT</option> (number)</term>
++  <listitem>
++    <para>
++      The commands <command>useradd</command> and <command>newusers</command>
++      allocate <option>SUB_GID_COUNT</option> unused group IDs from the range
++      <option>SUB_GID_MIN</option> to <option>SUB_GID_MAX</option> for each
++      new user.
++    </para>
++    <para>
++      The default values for <option>SUB_GID_MAN</option>,
++      <option>SUB_GID_MIN</option>, <option>SUB_GID_COUNT</option>
++      are respectively 100000, 600100000 and 10000.
++    </para>
++  </listitem>
++</varlistentry>
+Index: shadow/man/login.defs.d/SUB_UID_COUNT.xml
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/man/login.defs.d/SUB_UID_COUNT.xml	2013-02-01 15:27:51.044080390 -0600
+@@ -0,0 +1,46 @@
++<!--
++   Copyright (c) 2013, Eric W. Biederman
++   All rights reserved.
++  
++   Redistribution and use in source and binary forms, with or without
++   modification, are permitted provided that the following conditions
++   are met:
++   1. Redistributions of source code must retain the above copyright
++      notice, this list of conditions and the following disclaimer.
++   2. Redistributions in binary form must reproduce the above copyright
++      notice, this list of conditions and the following disclaimer in the
++      documentation and/or other materials provided with the distribution.
++   3. The name of the copyright holders or contributors may not be used to
++      endorse or promote products derived from this software without
++      specific prior written permission.
++  
++   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++-->
++<varlistentry>
++  <term><option>SUB_UID_MIN</option> (number)</term>
++  <term><option>SUB_UID_MAX</option> (number)</term>
++  <term><option>SUB_UID_COUNT</option> (number)</term>
++  <listitem>
++    <para>
++      The commands <command>useradd</command> and <command>newusers</command>
++      allocate <option>SUB_UID_COUNT</option> unused user IDs from the range
++      <option>SUB_UID_MIN</option> to <option>SUB_UID_MAX</option> for each
++      new user.
++    </para>
++    <para>
++      The default values for <option>SUB_GID_MAN</option>,
++      <option>SUB_GID_MIN</option>, <option>SUB_GID_COUNT</option>
++      are respectively 100000, 600100000 and 10000.
++    </para>
++  </listitem>
++</varlistentry>

debian/patches/userns/03_userns_implement_commonio_append

@@ -0,0 +1,110 @@
+From ebiederm@xmission.com  Tue Jan 22 09:15:19 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id CAFA8C80F6; Tue, 22 Jan 2013 09:15:19 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 43FAEC80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:15:15 +0000 (UTC)
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZvA-0006sA-Pq; Tue, 22 Jan 2013 02:13:32 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZv8-0004VI-Fi; Tue, 22 Jan 2013 02:13:32 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:13:26 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <87vcapr361.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1++0A/mQBimfZkeNedO095IfnCYGQfIolI=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 03/11] Implement commonio_append.
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2073                                                  
+Status: RO
+Content-Length: 1874
+Lines: 65
+
+
+To support files that do not have a simple unique key implement
+commonio_append to allow new entries to be added.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ lib/commonio.c |   30 ++++++++++++++++++++++++++++++
+ lib/commonio.h |    1 +
+ 2 files changed, 31 insertions(+), 0 deletions(-)
+
+Index: shadow/lib/commonio.c
+===================================================================
+--- shadow.orig/lib/commonio.c	2013-02-01 15:27:51.376080384 -0600
++++ shadow/lib/commonio.c	2013-02-01 15:27:51.368080384 -0600
+@@ -1121,6 +1121,36 @@
+ 	return 1;
+ }
+ 
++int commonio_append (struct commonio_db *db, const void *eptr)
++{
++	struct commonio_entry *p;
++	void *nentry;
++
++	if (!db->isopen || db->readonly) {
++		errno = EINVAL;
++		return 0;
++	}
++	nentry = db->ops->dup (eptr);
++	if (NULL == nentry) {
++		errno = ENOMEM;
++		return 0;
++	}
++	/* new entry */
++	p = (struct commonio_entry *) malloc (sizeof *p);
++	if (NULL == p) {
++		db->ops->free (nentry);
++		errno = ENOMEM;
++		return 0;
++	}
++
++	p->eptr = nentry;
++	p->line = NULL;
++	p->changed = true;
++	add_one_entry (db, p);
++
++	db->changed = true;
++	return 1;
++}
+ 
+ void commonio_del_entry (struct commonio_db *db, const struct commonio_entry *p)
+ {
+Index: shadow/lib/commonio.h
+===================================================================
+--- shadow.orig/lib/commonio.h	2013-02-01 15:27:51.376080384 -0600
++++ shadow/lib/commonio.h	2013-02-01 15:27:51.368080384 -0600
+@@ -146,6 +146,7 @@
+ extern int commonio_open (struct commonio_db *, int);
+ extern /*@observer@*/ /*@null@*/const void *commonio_locate (struct commonio_db *, const char *);
+ extern int commonio_update (struct commonio_db *, const void *);
++extern int commonio_append (struct commonio_db *, const void *);
+ extern int commonio_remove (struct commonio_db *, const char *);
+ extern int commonio_rewind (struct commonio_db *);
+ extern /*@observer@*/ /*@null@*/const void *commonio_next (struct commonio_db *);

debian/patches/userns/04_userns_add_backend_support

@@ -0,0 +1,685 @@
+From ebiederm@xmission.com  Tue Jan 22 09:16:29 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id AF9A9C80F4; Tue, 22 Jan 2013 09:16:29 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id EDF70C80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:16:24 +0000 (UTC)
+Received: from out01.mta.xmission.com ([166.70.13.231])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZwI-0007HS-Mn; Tue, 22 Jan 2013 02:14:42 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out01.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZwI-0005wP-8E; Tue, 22 Jan 2013 02:14:42 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZwE-0004bA-Mv; Tue, 22 Jan 2013 02:14:42 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:14:35 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <87liblr344.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1/3QOlmT6VsAuzQbs/RJ/nb1IrpO++QYVA=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 04/11] Add backend support for suboridnate uids and gids
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2074                                                  
+Status: RO
+X-Status: A
+Content-Length: 15967
+Lines: 636
+
+
+These files list the set of subordinate uids and gids that users are allowed
+to use.   The expect use case is with the user namespace but other uses are
+allowed.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ etc/login.defs      |    8 +
+ lib/Makefile.am     |    2 +
+ lib/getdef.c        |    6 +
+ lib/subordinateio.c |  512 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ lib/subordinateio.h |   38 ++++
+ 5 files changed, 566 insertions(+), 0 deletions(-)
+ create mode 100644 lib/subordinateio.c
+ create mode 100644 lib/subordinateio.h
+
+Index: shadow/etc/login.defs
+===================================================================
+--- shadow.orig/etc/login.defs	2013-02-01 15:27:51.684080379 -0600
++++ shadow/etc/login.defs	2013-02-01 15:27:51.676080379 -0600
+@@ -226,6 +226,10 @@
+ # System accounts
+ SYS_UID_MIN		  101
+ SYS_UID_MAX		  999
++# Extra per user uids
++SUB_UID_MIN		   100000
++SUB_UID_MAX		600100000
++SUB_UID_COUNT		    10000
+ 
+ #
+ # Min/max values for automatic gid selection in groupadd
+@@ -235,6 +239,10 @@
+ # System accounts
+ SYS_GID_MIN		  101
+ SYS_GID_MAX		  999
++# Extra per user group ids
++SUB_GID_MIN		   100000
++SUB_GID_MAX		600100000
++SUB_GID_COUNT		    10000
+ 
+ #
+ # Max number of login retries if password is bad
+Index: shadow/lib/Makefile.am
+===================================================================
+--- shadow.orig/lib/Makefile.am	2013-02-01 15:27:51.684080379 -0600
++++ shadow/lib/Makefile.am	2013-02-01 15:27:51.676080379 -0600
+@@ -39,6 +39,8 @@
+ 	pwio.c \
+ 	pwio.h \
+ 	pwmem.c \
++	subordinateio.h \
++	subordinateio.c \
+ 	selinux.c \
+ 	semanage.c \
+ 	sgetgrent.c \
+Index: shadow/lib/getdef.c
+===================================================================
+--- shadow.orig/lib/getdef.c	2013-02-01 15:27:51.684080379 -0600
++++ shadow/lib/getdef.c	2013-02-01 15:27:51.680080379 -0600
+@@ -82,6 +82,12 @@
+ 	{"SHA_CRYPT_MAX_ROUNDS", NULL},
+ 	{"SHA_CRYPT_MIN_ROUNDS", NULL},
+ #endif
++	{"SUB_GID_COUNT", NULL},
++	{"SUB_GID_MAX", NULL},
++	{"SUB_GID_MIN", NULL},
++	{"SUB_UID_COUNT", NULL},
++	{"SUB_UID_MAX", NULL},
++	{"SUB_UID_MIN", NULL},
+ 	{"SULOG_FILE", NULL},
+ 	{"SU_NAME", NULL},
+ 	{"SYS_GID_MAX", NULL},
+Index: shadow/lib/subordinateio.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/lib/subordinateio.c	2013-02-01 15:27:51.680080379 -0600
+@@ -0,0 +1,512 @@
++/*
++ * Copyright (c) 2012 - Eric Biederman
++ */
++
++#include <config.h>
++#include "prototypes.h"
++#include "defines.h"
++#include <stdio.h>
++#include "commonio.h"
++#include "subordinateio.h"
++
++struct subordinate_range {
++	const char *owner;
++	unsigned long start;
++	unsigned long count;
++};
++
++#define NFIELDS 3
++
++static /*@null@*/ /*@only@*/void *subordinate_dup (const void *ent)
++{
++	const struct subordinate_range *rangeent = ent;
++	struct subordinate_range *range;
++
++	range = (struct subordinate_range *) malloc (sizeof *range);
++	if (NULL == range) {
++		return NULL;
++	}
++	range->owner = strdup (rangeent->owner);
++	if (NULL == range->owner) {
++		free(range);
++		return NULL;
++	}
++	range->start = rangeent->start;
++	range->count = rangeent->count;
++
++	return range;
++}
++
++static void subordinate_free (/*@out@*/ /*@only@*/void *ent)
++{
++	struct subordinate_range *rangeent = ent;
++	
++	free ((void *)(rangeent->owner));
++	free (rangeent);
++}
++
++static void *subordinate_parse (const char *line)
++{
++	static struct subordinate_range range;
++	char rangebuf[1024];
++	int i;
++	char *cp;
++	char *fields[NFIELDS];
++
++	/*
++	 * Copy the string to a temporary buffer so the substrings can
++	 * be modified to be NULL terminated.
++	 */
++	if (strlen (line) >= sizeof rangebuf)
++		return NULL;	/* fail if too long */
++	strcpy (rangebuf, line);
++
++	/*
++	 * Save a pointer to the start of each colon separated
++	 * field.  The fields are converted into NUL terminated strings.
++	 */
++
++	for (cp = rangebuf, i = 0; (i < NFIELDS) && (NULL != cp); i++) {
++		fields[i] = cp;
++		while (('\0' != *cp) && (':' != *cp)) {
++			cp++;
++		}
++
++		if ('\0' != *cp) {
++			*cp = '\0';
++			cp++;
++		} else {
++			cp = NULL;
++		}
++	}
++
++	/*
++	 * There must be exactly NFIELDS colon separated fields or
++	 * the entry is invalid.  Also, fields must be non-blank.
++	 */
++	if (i != NFIELDS || *fields[0] == '\0' || *fields[1] == '\0' || *fields[2] == '\0')
++		return NULL;
++	range.owner = fields[0];
++	if (getulong (fields[1], &range.start) == 0)
++		return NULL;
++	if (getulong (fields[2], &range.count) == 0)
++		return NULL;
++
++	return &range;
++}
++
++static int subordinate_put (const void *ent, FILE * file)
++{
++	const struct subordinate_range *range = ent;
++
++	return fprintf(file, "%s:%lu:%lu\n",
++			       range->owner,
++			       range->start,
++			       range->count) < 0 ? -1  : 0;
++}
++
++static struct commonio_ops subordinate_ops = {
++	subordinate_dup,	/* dup */
++	subordinate_free,	/* free */
++	NULL,			/* getname */
++	subordinate_parse,	/* parse */
++	subordinate_put,	/* put */
++	fgets,			/* fgets */
++	fputs,			/* fputs */
++	NULL,			/* open_hook */
++	NULL,			/* close_hook */
++};
++
++static /*@observer@*/ /*@null*/const struct subordinate_range *subordinate_next(struct commonio_db *db)
++{
++	commonio_next (db);
++}
++
++static bool is_range_free(struct commonio_db *db, unsigned long start,
++			  unsigned long count)
++{
++	const struct subordinate_range *range;
++	unsigned long end = start + count - 1;
++
++	commonio_rewind(db);
++	while ((range = commonio_next(db)) != NULL) {
++		unsigned long first = range->start;
++		unsigned long last = first + range->count - 1;
++
++		if ((end >= first) && (start <= last))
++			return false;
++	}
++	return true;
++}
++
++static const bool range_exists(struct commonio_db *db, const char *owner)
++{
++	const struct subordinate_range *range;
++	commonio_rewind(db);
++	while ((range = commonio_next(db)) != NULL) {
++		unsigned long first = range->start;
++		unsigned long last = first + range->count - 1;
++
++		if (0 == strcmp(range->owner, owner))
++			return true;
++	}
++	return false;
++}
++
++static const struct subordinate_range *find_range(struct commonio_db *db,
++						  const char *owner, unsigned long val)
++{
++	const struct subordinate_range *range;
++	commonio_rewind(db);
++	while ((range = commonio_next(db)) != NULL) {
++		unsigned long first = range->start;
++		unsigned long last = first + range->count - 1;
++
++		if (0 != strcmp(range->owner, owner))
++			continue;
++
++		if ((val >= first) && (val <= last))
++			return range;
++	}
++	return NULL;
++}
++
++static bool have_range(struct commonio_db *db,
++		       const char *owner, unsigned long start, unsigned long count)
++{
++	const struct subordinate_range *range;
++	unsigned long end;
++
++	if (count == 0)
++		return false;
++
++	end = start + count - 1;
++	range = find_range (db, owner, start);
++	while (range) {
++		unsigned long last; 
++
++		last = range->start + range->count - 1;
++		if (last >= (start + count - 1))
++			return true;
++
++		count = end - last;
++		start = last + 1;
++		range = find_range(db, owner, start);
++	}
++	return false;
++}
++
++static int subordinate_range_cmp (const void *p1, const void *p2)
++{
++	struct subordinate_range *range1, *range2;
++
++	if ((*(struct commonio_entry **) p1)->eptr == NULL)
++		return 1;
++	if ((*(struct commonio_entry **) p2)->eptr == NULL)
++		return -1;
++
++	range1 = ((struct subordinate_range *) (*(struct commonio_entry **) p1)->eptr);
++	range2 = ((struct subordinate_range *) (*(struct commonio_entry **) p2)->eptr);
++
++	if (range1->start < range2->start)
++		return -1;
++	else if (range1->start > range2->start)
++		return 1;
++	else if (range1->count < range2->count)
++		return -1;
++	else if (range1->count > range2->count)
++		return 1;
++	else
++		return strcmp(range1->owner, range2->owner);
++}
++
++static unsigned long find_free_range(struct commonio_db *db,
++				     unsigned long min, unsigned long max,
++				     unsigned long count)
++{
++	const struct subordinate_range *range;
++	unsigned long low, high;
++
++	/* When given invalid parameters fail */
++	if ((count == 0) || (max <= min))
++		goto fail;
++
++	/* Sort by range than by owner */
++	commonio_sort (db, subordinate_range_cmp);
++	commonio_rewind(db);
++
++	low = min;
++	while ((range = commonio_next(db)) != NULL) {
++		unsigned long first = range->start;
++		unsigned long last = first + range->count - 1;
++
++		/* Find the top end of the hole before this range */
++		high = first;
++		if (high > max)
++			high = max;
++
++		/* Is the hole before this range large enough? */
++		if ((high > low) && (((high - low) + 1) >= count))
++			return low;
++
++		/* Compute the low end of the next hole */
++		if (low < (last + 1))
++			low = last + 1;
++		if (low > max)
++			goto fail;
++	}
++
++	/* Is the remaining unclaimed area large enough? */
++	if (((max - low) + 1) >= count)
++		return low;
++fail:
++	return ULONG_MAX;
++}
++
++static int add_range(struct commonio_db *db,
++	const char *owner, unsigned long start, unsigned long count)
++{
++	struct subordinate_range range;
++	range.owner = owner;
++	range.start = start;
++	range.count = count;
++
++	/* See if the range is already present */
++	if (have_range(db, owner, start, count))
++		return 1;
++
++	/* Oterwise append the range */
++	return commonio_append(db, &range);
++}
++
++static int remove_range(struct commonio_db *db,
++	const char *owner, unsigned long start, unsigned long count)
++{
++	struct commonio_entry *ent;
++	unsigned long end;
++
++	if (count == 0)
++		return 1;
++
++	end = start + count - 1;
++	for (ent = db->head; ent; ent = ent->next) {
++		struct subordinate_range *range = ent->eptr;
++		unsigned long first;
++		unsigned long last;
++
++		/* Skip unparsed entries */
++		if (!range)
++			continue;
++
++		first = range->start;
++		last = first + range->count - 1;
++
++		/* Skip entries with a different owner */
++		if (0 != strcmp(range->owner, owner))
++			continue;
++
++		/* Skip entries outside of the range to remove */
++		if ((end < first) || (start > last))
++			continue;
++
++		/* Is entry completely contained in the range to remove? */
++		if ((start <= first) && (end >= last)) {
++			commonio_del_entry (db, ent);
++		} 
++		/* Is just the start of the entry removed? */
++		else if ((start <= first) && (end < last)) {
++			range->start = end + 1;
++			range->count = (last - range->start) + 1;
++
++			ent->changed = true;
++		}
++		/* Is just the end of the entry removed? */
++		else if ((start > first) && (end >= last)) {
++			range->count = (start - range->start) + 1;
++
++			ent->changed = true;
++		}
++		/* The middle of the range is removed */
++		else {
++			struct subordinate_range tail;
++			tail.owner = range->owner;
++			tail.start = end + 1;
++			tail.count = (last - tail.start) + 1;
++
++			if (!commonio_append(db, &tail))
++				return 0;
++
++			range->count = (start - range->start) + 1;
++
++			ent->changed = true;
++		}
++	}
++
++	return 1;
++}
++
++static struct commonio_db subordinate_uid_db = {
++	"/etc/subuid",		/* filename */
++	&subordinate_ops,	/* ops */
++	NULL,			/* fp */
++#ifdef WITH_SELINUX
++	NULL,			/* scontext */
++#endif
++	NULL,			/* head */
++	NULL,			/* tail */
++	NULL,			/* cursor */
++	false,			/* changed */
++	false,			/* isopen */
++	false,			/* locked */
++	false			/* readonly */
++};
++
++int sub_uid_setdbname (const char *filename)
++{
++	return commonio_setname (&subordinate_uid_db, filename);
++}
++
++/*@observer@*/const char *sub_uid_dbname (void)
++{
++	return subordinate_uid_db.filename;
++}
++
++bool sub_uid_file_present (void)
++{
++	return commonio_present (&subordinate_uid_db);
++}
++
++int sub_uid_lock (void)
++{
++	return commonio_lock (&subordinate_uid_db);
++}
++
++int sub_uid_open (int mode)
++{
++	return commonio_open (&subordinate_uid_db, mode);
++}
++
++bool is_sub_uid_range_free(uid_t start, unsigned long count)
++{
++	return is_range_free (&subordinate_uid_db, start, count);
++}
++
++bool sub_uid_assigned(const char *owner)
++{
++	return range_exists (&subordinate_uid_db, owner);
++}
++
++bool have_sub_uids(const char *owner, uid_t start, unsigned long count)
++{
++	return have_range (&subordinate_uid_db, owner, start, count);
++}
++
++int sub_uid_add (const char *owner, uid_t start, unsigned long count)
++{
++	return add_range (&subordinate_uid_db, owner, start, count);
++}
++
++int sub_uid_remove (const char *owner, uid_t start, unsigned long count)
++{
++	return remove_range (&subordinate_uid_db, owner, start, count);
++}
++
++int sub_uid_close (void)
++{
++	return commonio_close (&subordinate_uid_db);
++}
++
++int sub_uid_unlock (void)
++{
++	return commonio_unlock (&subordinate_uid_db);
++}
++
++uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count)
++{
++	unsigned long start;
++	start = find_free_range (&subordinate_uid_db, min, max, count);
++	return start == ULONG_MAX ? (uid_t) -1 : start;
++}
++
++static struct commonio_db subordinate_gid_db = {
++	"/etc/subgid",		/* filename */
++	&subordinate_ops,	/* ops */
++	NULL,			/* fp */
++#ifdef WITH_SELINUX
++	NULL,			/* scontext */
++#endif
++	NULL,			/* head */
++	NULL,			/* tail */
++	NULL,			/* cursor */
++	false,			/* changed */
++	false,			/* isopen */
++	false,			/* locked */
++	false			/* readonly */
++};
++
++int sub_gid_setdbname (const char *filename)
++{
++	return commonio_setname (&subordinate_gid_db, filename);
++}
++
++/*@observer@*/const char *sub_gid_dbname (void)
++{
++	return subordinate_gid_db.filename;
++}
++
++bool sub_gid_file_present (void)
++{
++	return commonio_present (&subordinate_gid_db);
++}
++
++int sub_gid_lock (void)
++{
++	return commonio_lock (&subordinate_gid_db);
++}
++
++int sub_gid_open (int mode)
++{
++	return commonio_open (&subordinate_gid_db, mode);
++}
++
++bool is_sub_gid_range_free(gid_t start, unsigned long count)
++{
++	return is_range_free (&subordinate_gid_db, start, count);
++}
++
++bool have_sub_gids(const char *owner, gid_t start, unsigned long count)
++{
++	return have_range(&subordinate_gid_db, owner, start, count);
++}
++
++bool sub_gid_assigned(const char *owner)
++{
++	return range_exists (&subordinate_gid_db, owner);
++}
++
++int sub_gid_add (const char *owner, gid_t start, unsigned long count)
++{
++	return add_range (&subordinate_gid_db, owner, start, count);
++}
++
++int sub_gid_remove (const char *owner, gid_t start, unsigned long count)
++{
++	return remove_range (&subordinate_gid_db, owner, start, count);
++}
++
++int sub_gid_close (void)
++{
++	return commonio_close (&subordinate_gid_db);
++}
++
++int sub_gid_unlock (void)
++{
++	return commonio_unlock (&subordinate_gid_db);
++}
++
++gid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count)
++{
++	unsigned long start;
++	start = find_free_range (&subordinate_gid_db, min, max, count);
++	return start == ULONG_MAX ? (gid_t) -1 : start;
++}
+Index: shadow/lib/subordinateio.h
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/lib/subordinateio.h	2013-02-01 15:27:51.680080379 -0600
+@@ -0,0 +1,38 @@
++/*
++ * Copyright (c) 2012- Eric W. Biederman
++ */
++
++#ifndef _SUBORDINATEIO_H
++#define _SUBORDINATEIO_H
++
++#include <sys/types.h>
++
++extern int sub_uid_close(void);
++extern bool is_sub_uid_range_free(uid_t start, unsigned long count);
++extern bool have_sub_uids(const char *owner, uid_t start, unsigned long count);
++extern bool sub_uid_file_present (void);
++extern bool sub_uid_assigned(const char *owner);
++extern int sub_uid_lock (void);
++extern int sub_uid_setdbname (const char *filename);
++extern /*@observer@*/const char *sub_uid_dbname (void);
++extern int sub_uid_open (int mode);
++extern int sub_uid_unlock (void);
++extern int sub_uid_add (const char *owner, uid_t start, unsigned long count);
++extern int sub_uid_remove (const char *owner, uid_t start, unsigned long count);
++extern uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count);
++
++extern int sub_gid_close(void);
++extern bool is_sub_gid_range_free(gid_t start, unsigned long count);
++extern bool have_sub_gids(const char *owner, gid_t start, unsigned long count);
++extern bool sub_gid_file_present (void);
++extern bool sub_gid_assigned(const char *owner);
++extern int sub_gid_lock (void);
++extern int sub_gid_setdbname (const char *filename);
++extern /*@observer@*/const char *sub_gid_dbname (void);
++extern int sub_gid_open (int mode);
++extern int sub_gid_unlock (void);
++extern int sub_gid_add (const char *owner, gid_t start, unsigned long count);
++extern int sub_gid_remove (const char *owner, gid_t start, unsigned long count);
++extern uid_t sub_gid_find_free_range(gid_t min, gid_t max, unsigned long count);
++
++#endif

debian/patches/userns/05_userns_implemend_find_new_sub_xids

@@ -0,0 +1,283 @@
+From ebiederm@xmission.com  Tue Jan 22 09:17:02 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id 480ABC80F4; Tue, 22 Jan 2013 09:17:02 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 90ACFC80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:16:57 +0000 (UTC)
+Received: from out01.mta.xmission.com ([166.70.13.231])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZwp-0007cg-9X; Tue, 22 Jan 2013 02:15:15 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out01.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZwo-0006DN-OT; Tue, 22 Jan 2013 02:15:14 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZwj-0004g0-9e; Tue, 22 Jan 2013 02:15:14 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:15:05 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <87fw1tr33a.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX19KHX5xUOkaLY5iIEqDVLxZKDTByyA0Xk8=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 05/11] Implement find_new_sub_uids find_new_sub_gids
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2075                                                  
+Status: RO
+Content-Length: 8108
+Lines: 235
+
+
+Functions for finding new subordinate uid and gids ranges for use
+with useradd.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ lib/prototypes.h            |    9 ++++
+ libmisc/Makefile.am         |    2 +
+ libmisc/find_new_sub_gids.c |   87 +++++++++++++++++++++++++++++++++++++++++++
+ libmisc/find_new_sub_uids.c |   87 +++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 185 insertions(+), 0 deletions(-)
+ create mode 100644 libmisc/find_new_sub_gids.c
+ create mode 100644 libmisc/find_new_sub_uids.c
+
+Index: shadow/lib/prototypes.h
+===================================================================
+--- shadow.orig/lib/prototypes.h	2013-02-01 15:27:52.044080373 -0600
++++ shadow/lib/prototypes.h	2013-02-01 15:27:52.040080373 -0600
+@@ -149,6 +149,15 @@
+                          uid_t *uid,
+                          /*@null@*/uid_t const *preferred_uid);
+ 
++/* find_new_sub_gids.c */
++extern int find_new_sub_gids (const char *owner,
++			      gid_t *range_start, unsigned long *range_count);
++
++/* find_new_sub_uids.c */
++extern int find_new_sub_uids (const char *owner,
++			      uid_t *range_start, unsigned long *range_count);
++
++
+ /* get_gid.c */
+ extern int get_gid (const char *gidstr, gid_t *gid);
+ 
+Index: shadow/libmisc/Makefile.am
+===================================================================
+--- shadow.orig/libmisc/Makefile.am	2013-02-01 15:27:52.044080373 -0600
++++ shadow/libmisc/Makefile.am	2013-02-01 15:27:52.040080373 -0600
+@@ -25,6 +25,8 @@
+ 	failure.h \
+ 	find_new_gid.c \
+ 	find_new_uid.c \
++	find_new_sub_gids.c \
++	find_new_sub_uids.c \
+ 	getdate.h \
+ 	getdate.y \
+ 	getgr_nam_gid.c \
+Index: shadow/libmisc/find_new_sub_gids.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/libmisc/find_new_sub_gids.c	2013-02-01 15:27:52.040080373 -0600
+@@ -0,0 +1,87 @@
++/*
++ * Copyright (c) 2012 Eric Biederman
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the copyright holders or contributors may not be used to
++ *    endorse or promote products derived from this software without
++ *    specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++ * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include <config.h>
++
++#include <assert.h>
++#include <stdio.h>
++#include <errno.h>
++
++#include "prototypes.h"
++#include "subordinateio.h"
++#include "getdef.h"
++
++/*
++ * find_new_sub_gids - Find a new unused range of GIDs.
++ *
++ * If successful, find_new_sub_gids provides a range of unused
++ * user IDs in the [SUB_GID_MIN:SUB_GID_MAX] range.
++ * 
++ * Return 0 on success, -1 if no unused GIDs are available.
++ */
++int find_new_sub_gids (const char *owner,
++		       gid_t *range_start, unsigned long *range_count)
++{
++	unsigned long min, max;
++	unsigned long count;
++	gid_t start;
++
++	assert (range_start != NULL);
++	assert (range_count != NULL);
++
++	min = getdef_ulong ("SUB_GID_MIN", 100000UL);
++	max = getdef_ulong ("SUB_GID_MAX", 600100000UL);
++	count = getdef_ulong ("SUB_GID_COUNT", 10000);
++
++	/* Is there a preferred range that works? */
++	if ((*range_count != 0) &&
++	    (*range_start >= min) &&
++	    (((*range_start) + (*range_count) - 1) <= max) &&
++	    is_sub_gid_range_free(*range_start, *range_count)) {
++		return 0;
++	}
++
++	if (max < (min + count)) {
++		(void) fprintf (stderr,
++				_("%s: Invalid configuration: SUB_GID_MIN (%lu), SUB_GID_MAX (%lu)\n"),
++			Prog, min, max);
++		return -1;
++	}
++	start = sub_gid_find_free_range(min, max, count);
++	if (start == (gid_t)-1) {
++		fprintf (stderr,
++		         _("%s: Can't get unique secondary GID range\n"),
++		         Prog);
++		SYSLOG ((LOG_WARN, "no more available secondary GIDs on the system"));
++		return -1;
++	}
++	*range_start = start;
++	*range_count = count;
++	return 0;
++}
++
+Index: shadow/libmisc/find_new_sub_uids.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ shadow/libmisc/find_new_sub_uids.c	2013-02-01 15:27:52.040080373 -0600
+@@ -0,0 +1,87 @@
++/*
++ * Copyright (c) 2012 Eric Biederman
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the copyright holders or contributors may not be used to
++ *    endorse or promote products derived from this software without
++ *    specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
++ * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
++ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include <config.h>
++
++#include <assert.h>
++#include <stdio.h>
++#include <errno.h>
++
++#include "prototypes.h"
++#include "subordinateio.h"
++#include "getdef.h"
++
++/*
++ * find_new_sub_uids - Find a new unused range of UIDs.
++ *
++ * If successful, find_new_sub_uids provides a range of unused
++ * user IDs in the [SUB_UID_MIN:SUB_UID_MAX] range.
++ * 
++ * Return 0 on success, -1 if no unused UIDs are available.
++ */
++int find_new_sub_uids (const char *owner,
++		       uid_t *range_start, unsigned long *range_count)
++{
++	unsigned long min, max;
++	unsigned long count;
++	uid_t start;
++
++	assert (range_start != NULL);
++	assert (range_count != NULL);
++
++	min = getdef_ulong ("SUB_UID_MIN", 100000UL);
++	max = getdef_ulong ("SUB_UID_MAX", 600100000UL);
++	count = getdef_ulong ("SUB_UID_COUNT", 10000);
++
++	/* Is there a preferred range that works? */
++	if ((*range_count != 0) &&
++	    (*range_start >= min) &&
++	    (((*range_start) + (*range_count) - 1) <= max) &&
++	    is_sub_uid_range_free(*range_start, *range_count)) {
++		return 0;
++	}
++
++	if (max < (min + count)) {
++		(void) fprintf (stderr,
++				_("%s: Invalid configuration: SUB_UID_MIN (%lu), SUB_UID_MAX (%lu)\n"),
++			Prog, min, max);
++		return -1;
++	}
++	start = sub_uid_find_free_range(min, max, count);
++	if (start == (uid_t)-1) {
++		fprintf (stderr,
++		         _("%s: Can't get unique secondary UID range\n"),
++		         Prog);
++		SYSLOG ((LOG_WARN, "no more available secondary UIDs on the system"));
++		return -1;
++	}
++	*range_start = start;
++	*range_count = count;
++	return 0;
++}
++

debian/patches/userns/06_userns_userdel

@@ -0,0 +1,236 @@
+From ebiederm@xmission.com  Tue Jan 22 09:18:47 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id F2E6AC80F6; Tue, 22 Jan 2013 09:18:46 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 996B1C80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:18:42 +0000 (UTC)
+Received: from out03.mta.xmission.com ([166.70.13.233])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZyW-0008Bi-3X; Tue, 22 Jan 2013 02:17:00 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out03.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZyU-0005NA-Qm; Tue, 22 Jan 2013 02:16:59 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZyQ-0004qs-T1; Tue, 22 Jan 2013 02:16:58 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:16:51 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <878v7lr30c.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1/1l7dElNy9uNLAXx8eC28OMs/pxPM8NEo=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 06/11] userdel: Add support for removing subordinate user and group ids.
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2076                                        
+Status: O
+Content-Length: 5573
+Lines: 186
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ src/userdel.c |  115 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 115 insertions(+), 0 deletions(-)
+
+Index: shadow/src/userdel.c
+===================================================================
+--- shadow.orig/src/userdel.c	2013-02-01 15:27:52.380080367 -0600
++++ shadow/src/userdel.c	2013-02-01 15:27:52.372080367 -0600
+@@ -65,6 +65,7 @@
+ #endif				/* WITH_TCB */
+ /*@-exitarg@*/
+ #include "exitcodes.h"
++#include "subordinateio.h"
+ 
+ /*
+  * exit status values
+@@ -75,6 +76,8 @@
+ #define E_GRP_UPDATE	10	/* can't update group file */
+ #define E_HOMEDIR	12	/* can't remove home directory */
+ #define E_SE_UPDATE	14	/* can't update SELinux user mapping */
++#define E_SUB_UID_UPDATE 16	/* can't update the subordinate uid file */
++#define E_SUB_GID_UPDATE 18	/* can't update the subordinate gid file */
+ 
+ /*
+  * Global variables
+@@ -96,9 +99,13 @@
+ static bool is_shadow_grp;
+ static bool sgr_locked = false;
+ #endif				/* SHADOWGRP */
++static bool is_sub_uid;
++static bool is_sub_gid;
+ static bool pw_locked  = false;
+ static bool gr_locked   = false;
+ static bool spw_locked  = false;
++static bool sub_uid_locked = false;
++static bool sub_gid_locked = false;
+ 
+ /* local function prototypes */
+ static void usage (int status);
+@@ -437,6 +444,34 @@
+ 		sgr_locked = false;
+ 	}
+ #endif				/* SHADOWGRP */
++
++	if (is_sub_uid) {
++		if (sub_uid_close () == 0) {
++			fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_uid_dbname ()));
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++			/* continue */
++		}
++		sub_uid_locked = false;
++	}
++
++	if (is_sub_gid) {
++		if (sub_gid_close () == 0) {
++			fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++			/* continue */
++		}
++		sub_gid_locked = false;
++	}
+ }
+ 
+ /*
+@@ -474,6 +509,20 @@
+ 		}
+ 	}
+ #endif				/* SHADOWGRP */
++	if (sub_uid_locked) {
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++			/* continue */
++		}
++	}
++	if (sub_gid_locked) {
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++			/* continue */
++		}
++	}
+ 
+ #ifdef WITH_AUDIT
+ 	audit_logger (AUDIT_DEL_USER, Prog,
+@@ -595,6 +644,58 @@
+ 		}
+ 	}
+ #endif				/* SHADOWGRP */
++	if (is_sub_uid) {
++		if (sub_uid_lock () == 0) {
++			fprintf (stderr,
++				_("%s: cannot lock %s; try again later.\n"),
++				Prog, sub_uid_dbname ());
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_DEL_USER, Prog,
++				"locking subordinate user file",
++				user_name, (unsigned int) user_id,
++				SHADOW_AUDIT_FAILURE);
++#endif				/* WITH_AUDIT */
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++		sub_uid_locked = true;
++		if (sub_uid_open (O_RDWR) == 0) {
++			fprintf (stderr,
++				_("%s: cannot open %s\n"), Prog, sub_uid_dbname ());
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_DEL_USER, Prog,
++				"opening subordinate user file",
++				user_name, (unsigned int) user_id,
++				SHADOW_AUDIT_FAILURE);
++#endif				/* WITH_AUDIT */
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++	}
++	if (is_sub_gid) {
++		if (sub_gid_lock () == 0) {
++			fprintf (stderr,
++				_("%s: cannot lock %s; try again later.\n"),
++				Prog, sub_gid_dbname ());
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_DEL_USER, Prog,
++				"locking subordinate group file",
++				user_name, (unsigned int) user_id,
++				SHADOW_AUDIT_FAILURE);
++#endif				/* WITH_AUDIT */
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++		sub_gid_locked = true;
++		if (sub_gid_open (O_RDWR) == 0) {
++			fprintf (stderr,
++				_("%s: cannot open %s\n"), Prog, sub_gid_dbname ());
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_DEL_USER, Prog,
++				"opening subordinate group file",
++				user_name, (unsigned int) user_id,
++				SHADOW_AUDIT_FAILURE);
++#endif				/* WITH_AUDIT */
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++	}
+ }
+ 
+ /*
+@@ -619,6 +720,18 @@
+ 		         Prog, user_name, spw_dbname ());
+ 		fail_exit (E_PW_UPDATE);
+ 	}
++	if (is_sub_uid && sub_uid_remove(user_name, 0, ULONG_MAX) == 0) {
++		fprintf (stderr,
++			_("%s: cannot remove entry %lu from %s\n"),
++			Prog, (unsigned long)user_id, sub_uid_dbname ());
++		fail_exit (E_SUB_UID_UPDATE);
++	}
++	if (is_sub_gid && sub_gid_remove(user_name, 0, ULONG_MAX) == 0) {
++		fprintf (stderr,
++			_("%s: cannot remove entry %lu from %s\n"),
++			Prog, (unsigned long)user_id, sub_gid_dbname ());
++		fail_exit (E_SUB_GID_UPDATE);
++	}
+ #ifdef WITH_AUDIT
+ 	audit_logger (AUDIT_DEL_USER, Prog,
+ 	              "deleting user entries",
+@@ -966,6 +1079,8 @@
+ #ifdef SHADOWGRP
+ 	is_shadow_grp = sgr_file_present ();
+ #endif				/* SHADOWGRP */
++	is_sub_uid = sub_uid_file_present ();
++	is_sub_gid = sub_gid_file_present ();
+ 
+ 	/*
+ 	 * Start with a quick check to see if the user exists.

debian/patches/userns/07_userns_useradd

@@ -0,0 +1,285 @@
+From ebiederm@xmission.com  Tue Jan 22 09:19:29 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id 61652C80DB; Tue, 22 Jan 2013 09:19:29 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id E0ABBC80F4
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:19:23 +0000 (UTC)
+Received: from out03.mta.xmission.com ([166.70.13.233])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZzB-0008QG-Kq; Tue, 22 Jan 2013 02:17:41 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out03.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZz7-0005Ui-1H; Tue, 22 Jan 2013 02:17:37 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZz4-0004tF-BP; Tue, 22 Jan 2013 02:17:36 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:17:30 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <8738xtr2z9.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1/Jm5H2PcjgcLXEyKh9YL3DVs2WZBJhDB8=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 07/11] useradd: Add support for subordinate user identifiers
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2077                                                  
+Status: RO
+Content-Length: 6886
+Lines: 235
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ src/useradd.c |  141 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 files changed, 140 insertions(+), 1 deletions(-)
+
+Index: shadow/src/useradd.c
+===================================================================
+--- shadow.orig/src/useradd.c	2013-02-01 15:27:52.668080362 -0600
++++ shadow/src/useradd.c	2013-02-01 15:27:52.660080362 -0600
+@@ -65,6 +65,7 @@
+ #include "sgroupio.h"
+ #endif
+ #include "shadowio.h"
++#include "subordinateio.h"
+ #ifdef WITH_TCB
+ #include "tcbfuncs.h"
+ #endif
+@@ -121,12 +122,20 @@
+ static bool is_shadow_grp;
+ static bool sgr_locked = false;
+ #endif
++static bool is_sub_uid = false;
++static bool is_sub_gid = false;
+ static bool pw_locked = false;
+ static bool gr_locked = false;
+ static bool spw_locked = false;
++static bool sub_uid_locked = false;
++static bool sub_gid_locked = false;
+ static char **user_groups;	/* NULL-terminated list */
+ static long sys_ngroups;
+ static bool do_grp_update = false;	/* group files need to be updated */
++static uid_t sub_uid_start;	/* New subordinate uid range */
++static unsigned long sub_uid_count;
++static gid_t sub_gid_start;	/* New subordinate gid range */
++static unsigned long sub_gid_count;
+ 
+ static bool
+     bflg = false,		/* new default root of home directory */
+@@ -168,6 +177,8 @@
+ #define E_GRP_UPDATE	10	/* can't update group file */
+ #define E_HOMEDIR	12	/* can't create home directory */
+ #define E_SE_UPDATE	14	/* can't update SELinux user mapping */
++#define E_SUB_UID_UPDATE 16	/* can't update the subordinate uid file */
++#define E_SUB_GID_UPDATE 18	/* can't update the subordinate gid file */
+ 
+ #define DGROUP			"GROUP="
+ #define DHOME			"HOME="
+@@ -268,6 +279,32 @@
+ 		}
+ 	}
+ #endif
++	if (sub_uid_locked) {
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_ADD_USER, Prog,
++			              "unlocking subodinate user file",
++			              user_name, AUDIT_NO_ID,
++			              SHADOW_AUDIT_FAILURE);
++#endif
++			/* continue */
++		}
++	}
++	if (sub_gid_locked) {
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_ADD_USER, Prog,
++			              "unlocking subodinate group file",
++			              user_name, AUDIT_NO_ID,
++			              SHADOW_AUDIT_FAILURE);
++#endif
++			/* continue */
++		}
++	}
+ 
+ #ifdef WITH_AUDIT
+ 	audit_logger (AUDIT_ADD_USER, Prog,
+@@ -1379,6 +1416,18 @@
+ 		}
+ #endif
+ 	}
++	if (is_sub_uid  && (sub_uid_close () == 0)) {
++		fprintf (stderr,
++		         _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
++		SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_uid_dbname ()));
++		fail_exit (E_SUB_UID_UPDATE);
++	}
++	if (is_sub_gid  && (sub_gid_close () == 0)) {
++		fprintf (stderr,
++		         _("%s: failure while writing changes to %s\n"), Prog, sub_gid_dbname ());
++		SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
++		fail_exit (E_SUB_GID_UPDATE);
++	}
+ 	if (is_shadow_pwd) {
+ 		if (spw_unlock () == 0) {
+ 			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
+@@ -1433,6 +1482,34 @@
+ 		sgr_locked = false;
+ 	}
+ #endif
++	if (is_sub_uid) {
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_ADD_USER, Prog,
++				"unlocking subordinate user file",
++				user_name, AUDIT_NO_ID,
++				SHADOW_AUDIT_FAILURE);
++#endif
++			/* continue */
++		}
++		sub_uid_locked = false;
++	}
++	if (is_sub_gid) {
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_ADD_USER, Prog,
++				"unlocking subordinate group file",
++				user_name, AUDIT_NO_ID,
++				SHADOW_AUDIT_FAILURE);
++#endif
++			/* continue */
++		}
++		sub_gid_locked = false;
++	}
+ }
+ 
+ /*
+@@ -1487,6 +1564,36 @@
+ 		}
+ 	}
+ #endif
++	if (is_sub_uid) {
++		if (sub_uid_lock () == 0) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sub_uid_dbname ());
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++		sub_uid_locked = true;
++		if (sub_uid_open (O_RDWR) == 0) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sub_uid_dbname ());
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++	}
++	if (is_sub_gid) {
++		if (sub_gid_lock () == 0) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sub_gid_dbname ());
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++		sub_gid_locked = true;
++		if (sub_gid_open (O_RDWR) == 0) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sub_gid_dbname ());
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++	}
+ }
+ 
+ static void open_shadow (void)
+@@ -1733,13 +1840,27 @@
+ #endif
+ 		fail_exit (E_PW_UPDATE);
+ 	}
++	if (is_sub_uid &&
++	    (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
++		fprintf (stderr,
++		         _("%s: failed to prepare the new %s entry\n"),
++		         Prog, sub_uid_dbname ());
++		fail_exit (E_SUB_UID_UPDATE);
++	}
++	if (is_sub_gid &&
++	    (sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
++		fprintf (stderr,
++		         _("%s: failed to prepare the new %s entry\n"),
++		         Prog, sub_uid_dbname ());
++		fail_exit (E_SUB_GID_UPDATE);
++	}
++
+ #ifdef WITH_AUDIT
+ 	audit_logger (AUDIT_ADD_USER, Prog,
+ 	              "adding user",
+ 	              user_name, (unsigned int) user_id,
+ 	              SHADOW_AUDIT_SUCCESS);
+ #endif
+-
+ 	/*
+ 	 * Do any group file updates for this user.
+ 	 */
+@@ -1885,6 +2006,8 @@
+ #ifdef SHADOWGRP
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
++	is_sub_uid = sub_uid_file_present ();
++	is_sub_gid = sub_gid_file_present ();
+ 
+ 	get_defaults ();
+ 
+@@ -2035,6 +2158,22 @@
+ 		grp_add ();
+ 	}
+ 
++	if (is_sub_uid) {
++		if (find_new_sub_uids(user_name, &sub_uid_start, &sub_uid_count) < 0) {
++			fprintf (stderr,
++				_("%s: can't find subordinate user range\n"),
++				Prog);
++			fail_exit(E_SUB_UID_UPDATE);
++		}
++	}
++	if (is_sub_gid) {
++		if (find_new_sub_gids(user_name, &sub_gid_start, &sub_gid_count) < 0) {
++			fprintf (stderr,
++				_("%s: can't find subordinate group range\n"),
++				Prog);
++			fail_exit(E_SUB_GID_UPDATE);
++		}
++	}
+ 	usr_update ();
+ 
+ 	if (mflg) {

debian/patches/userns/08_userns_detect_busy_subids

@@ -0,0 +1,133 @@
+From ebiederm@xmission.com  Tue Jan 22 09:19:49 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id E0EA3C80F4; Tue, 22 Jan 2013 09:19:49 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=-2.2 required=8.0 tests=BAD_ENC_HEADER,BAYES_00,
+	RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 1A2C7C80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:19:46 +0000 (UTC)
+Received: from out03.mta.xmission.com ([166.70.13.233])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZzX-00006D-G7; Tue, 22 Jan 2013 02:18:03 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out03.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZzV-0005Zh-Qq; Tue, 22 Jan 2013 02:18:02 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZzN-0004ul-H6; Tue, 22 Jan 2013 02:18:01 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:17:50 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <87y5flpoe9.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1/ZWJZMWIVV2ekPIrRQjHLl4Oh/kdyWJUw=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 08/11] Add support for detecting busy subordinate user ids
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2078                                        
+Status: RO
+Content-Length: 2655
+Lines: 83
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ libmisc/user_busy.c |   18 +++++++++++++-----
+ 1 files changed, 13 insertions(+), 5 deletions(-)
+
+Index: shadow/libmisc/user_busy.c
+===================================================================
+--- shadow.orig/libmisc/user_busy.c	2013-02-01 15:27:52.952080357 -0600
++++ shadow/libmisc/user_busy.c	2013-02-01 15:27:52.948080357 -0600
+@@ -38,11 +38,13 @@
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <dirent.h>
++#include <fcntl.h>
+ #include "defines.h"
+ #include "prototypes.h"
++#include "subordinateio.h"
+ 
+ #ifdef __linux__
+-static int check_status (const char *sname, uid_t uid);
++static int check_status (const char *name, const char *sname, uid_t uid);
+ static int user_busy_processes (const char *name, uid_t uid);
+ #else				/* !__linux__ */
+ static int user_busy_utmp (const char *name);
+@@ -102,7 +104,7 @@
+ #endif				/* !__linux__ */
+ 
+ #ifdef __linux__
+-static int check_status (const char *sname, uid_t uid)
++static int check_status (const char *name, const char *sname, uid_t uid)
+ {
+ 	/* 40: /proc/xxxxxxxxxx/task/xxxxxxxxxx/status + \0 */
+ 	char status[40];
+@@ -125,7 +127,10 @@
+ 			            &ruid, &euid, &suid) == 3) {
+ 				if (   (ruid == (unsigned long) uid)
+ 				    || (euid == (unsigned long) uid)
+-				    || (suid == (unsigned long) uid)) {
++				    || (suid == (unsigned long) uid)
++				    || have_sub_uids(name, ruid, 1)
++				    || have_sub_uids(name, euid, 1)
++				    || have_sub_uids(name, suid, 1)) {
+ 					(void) fclose (sfile);
+ 					return 1;
+ 				}
+@@ -153,6 +158,8 @@
+ 	struct stat sbroot;
+ 	struct stat sbroot_process;
+ 
++	sub_uid_open (O_RDONLY);
++
+ 	proc = opendir ("/proc");
+ 	if (proc == NULL) {
+ 		perror ("opendir /proc");
+@@ -196,7 +203,7 @@
+ 			continue;
+ 		}
+ 
+-		if (check_status (tmp_d_name, uid) != 0) {
++		if (check_status (name, tmp_d_name, uid) != 0) {
+ 			(void) closedir (proc);
+ 			fprintf (stderr,
+ 			         _("%s: user %s is currently used by process %d\n"),
+@@ -216,7 +223,7 @@
+ 				if (tid == pid) {
+ 					continue;
+ 				}
+-				if (check_status (task_path+6, uid) != 0) {
++				if (check_status (name, task_path+6, uid) != 0) {
+ 					(void) closedir (proc);
+ 					fprintf (stderr,
+ 					         _("%s: user %s is currently used by process %d\n"),
+@@ -231,6 +238,7 @@
+ 	}
+ 
+ 	(void) closedir (proc);
++	sub_uid_close();
+ 	return 0;
+ }
+ #endif				/* __linux__ */

debian/patches/userns/09_userns_usermod

@@ -0,0 +1,536 @@
+From ebiederm@xmission.com  Tue Jan 22 09:20:27 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id 8625BC80F4; Tue, 22 Jan 2013 09:20:27 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=0.1 required=8.0 tests=BAD_ENC_HEADER,BAYES_00
+	autolearn=no version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id 69CACC80D1
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:20:23 +0000 (UTC)
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1Txa08-0000JL-Uo; Tue, 22 Jan 2013 02:18:41 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1TxZzw-0004wm-8g; Tue, 22 Jan 2013 02:18:40 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:18:24 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <87sj5tpodb.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1/EkNiL4owL54HOscHbdbK8RucFTofOBo8=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 09/11] usermod: Add support for subordinate uids and gids.
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2079                                        
+Status: O
+Content-Length: 15455
+Lines: 491
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ man/usermod.8.xml |   80 +++++++++++++++++
+ src/usermod.c     |  255 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 332 insertions(+), 3 deletions(-)
+
+Index: shadow/man/usermod.8.xml
+===================================================================
+--- shadow.orig/man/usermod.8.xml	2013-02-01 15:27:53.240080352 -0600
++++ shadow/man/usermod.8.xml	2013-02-01 15:27:53.232080353 -0600
+@@ -391,6 +391,86 @@
+       </varlistentry>
+       <varlistentry>
+ 	<term>
++	  <option>-v</option>, <option>--add-sub-uids</option>
++	  <replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
++	</term>
++	<listitem>
++	  <para>
++	    Add a range of subordinate uids to the users account. 
++	  </para>
++	  <para>
++	    This option may be specified multiple times to add multiple ranges to a users account.
++	  </para>
++	  <para>
++	     No checks will be performed with regard to
++	     <option>SUB_UID_MIN</option>, <option>SUB_UID_MAX</option>, or
++	     <option>SUB_UID_COUNT</option> from /etc/login.defs.
++	  </para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term>
++	  <option>-V</option>, <option>--del-sub-uids</option>
++	  <replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
++	</term>
++	<listitem>
++	  <para>
++	    Remove a range of subordinate uids from the users account.
++	  </para>
++	  <para>
++	    This option may be specified multiple times to remove multiple ranges to a users account.
++	    When both <option>--del-sub-uids</option> and <option>--add-sub-uids</option> are specified
++	    remove of all subordinate uid ranges happens before any subordinate uid ranges are added.
++	  </para>
++	  <para>
++	     No checks will be performed with regard to
++	     <option>SUB_UID_MIN</option>, <option>SUB_UID_MAX</option>, or
++	     <option>SUB_UID_COUNT</option> from /etc/login.defs.
++	  </para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term>
++	  <option>-w</option>, <option>--add-sub-gids</option>
++	  <replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
++	</term>
++	<listitem>
++	  <para>
++	    Add a range of subordinate gids to the users account.
++	  </para>
++	  <para>
++	    This option may be specified multiple times to add multiple ranges to a users account.
++	  </para>
++	  <para>
++	     No checks will be performed with regard to
++	     <option>SUB_GID_MIN</option>, <option>SUB_GID_MAX</option>, or
++	     <option>SUB_GID_COUNT</option> from /etc/login.defs.
++	  </para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term>
++	  <option>-W</option>, <option>--del-sub-gids</option>
++	  <replaceable>FIRST</replaceable>-<replaceable>LAST</replaceable>
++	</term>
++	<listitem>
++	  <para>
++	    Remove a range of subordinate gids from the users account.
++	  </para>
++	  <para>
++	    This option may be specified multiple times to remove multiple ranges to a users account.
++	    When both <option>--del-sub-gids</option> and <option>--add-sub-gids</option> are specified
++	    remove of all subordinate gid ranges happens before any subordinate gid ranges are added.
++	  </para>
++	  <para>
++	     No checks will be performed with regard to
++	     <option>SUB_GID_MIN</option>, <option>SUB_GID_MAX</option>, or
++	     <option>SUB_GID_COUNT</option> from /etc/login.defs.
++	  </para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term>
+ 	  <option>-Z</option>, <option>--selinux-user</option>
+ 	  <replaceable>SEUSER</replaceable>
+ 	</term>
+Index: shadow/src/usermod.c
+===================================================================
+--- shadow.orig/src/usermod.c	2013-02-01 15:27:53.240080352 -0600
++++ shadow/src/usermod.c	2013-02-01 15:27:53.236080353 -0600
+@@ -63,6 +63,7 @@
+ #include "sgroupio.h"
+ #endif
+ #include "shadowio.h"
++#include "subordinateio.h"
+ #ifdef WITH_TCB
+ #include "tcbfuncs.h"
+ #endif
+@@ -86,6 +87,8 @@
+ /* #define E_NOSPACE	11	   insufficient space to move home dir */
+ #define E_HOMEDIR	12	/* unable to complete home dir move */
+ #define E_SE_UPDATE	13	/* can't update SELinux user mapping */
++#define E_SUB_UID_UPDATE 16	/* can't update the subordinate uid file */
++#define E_SUB_GID_UPDATE 18	/* can't update the subordinate gid file */
+ #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
+ /*
+  * Global variables
+@@ -133,7 +136,11 @@
+     Zflg = false,		/* new selinux user */
+ #endif
+     uflg = false,		/* specify new user ID */
+-    Uflg = false;		/* unlock the password */
++    Uflg = false,		/* unlock the password */
++    vflg = false,		/*    add subordinate uids */
++    Vflg = false,		/* delete subordinate uids */
++    wflg = false,		/*    add subordinate gids */
++    Wflg = false;		/* delete subordinate gids */
+ 
+ static bool is_shadow_pwd;
+ 
+@@ -141,12 +148,17 @@
+ static bool is_shadow_grp;
+ #endif
+ 
++static bool is_sub_uid = false;
++static bool is_sub_gid = false;
++
+ static bool pw_locked  = false;
+ static bool spw_locked = false;
+ static bool gr_locked  = false;
+ #ifdef SHADOWGRP
+ static bool sgr_locked = false;
+ #endif
++static bool sub_uid_locked = false;
++static bool sub_gid_locked = false;
+ 
+ 
+ /* local function prototypes */
+@@ -302,6 +314,69 @@
+ 	return 0;
+ }
+ 
++struct ulong_range
++{
++	unsigned long first;
++	unsigned long last;
++};
++
++static struct ulong_range getulong_range(const char *str)
++{
++	struct ulong_range result = { .first = ULONG_MAX, .last = 0 };
++	unsigned long long first, last;
++	char *pos;
++
++	errno = 0;
++	first = strtoll(str, &pos, 10);
++	if (('\0' == *str) || ('-' != *pos ) || (ERANGE == errno) ||
++	    (first != (unsigned long int)first))
++		goto out;
++
++	errno = 0;
++	last = strtoul(pos + 1, &pos, 10);
++	if (('\0' != *pos ) || (ERANGE == errno) ||
++	    (last != (unsigned long int)last))
++		goto out;
++
++	if (first > last)
++		goto out;
++
++	result.first = (unsigned long int)first;
++	result.last = (unsigned long int)last;
++out:
++	return result;
++	
++}
++
++struct ulong_range_list_entry {
++	struct ulong_range_list_entry *next;
++	struct ulong_range range;
++};
++
++static struct ulong_range_list_entry *add_sub_uids = NULL, *del_sub_uids = NULL;
++static struct ulong_range_list_entry *add_sub_gids = NULL, *del_sub_gids = NULL;
++
++static int prepend_range(const char *str, struct ulong_range_list_entry **head)
++{
++	struct ulong_range range;
++	struct ulong_range_list_entry *entry;
++	range = getulong_range(str);
++	if (range.first > range.last)
++		return 0;
++
++	entry = malloc(sizeof(*entry));
++	if (!entry) {
++		fprintf (stderr,
++			_("%s: failed to allocate memory: %s\n"),
++			Prog, strerror (errno));
++		return 0;
++	}
++	entry->next = *head;
++	entry->range = range;
++	*head = entry;
++	return 1;
++}
++
+ /*
+  * usage - display usage message and exit
+  */
+@@ -334,6 +409,10 @@
+ 	(void) fputs (_("  -s, --shell SHELL             new login shell for the user account\n"), usageout);
+ 	(void) fputs (_("  -u, --uid UID                 new UID for the user account\n"), usageout);
+ 	(void) fputs (_("  -U, --unlock                  unlock the user account\n"), usageout);
++	(void) fputs (_("  -v, --add-subuids FIRST-LAST  add range of subordinate uids\n"), usageout);
++	(void) fputs (_("  -V, --del-subuids FIRST-LAST  remvoe range of subordinate uids\n"), usageout);
++	(void) fputs (_("  -w, --add-subgids FIRST-LAST  add range of subordinate gids\n"), usageout);
++	(void) fputs (_("  -W, --del-subgids FIRST-LAST  remvoe range of subordinate gids\n"), usageout);
+ #ifdef WITH_SELINUX
+ 	(void) fputs (_("  -Z, --selinux-user SEUSER     new SELinux user mapping for the user account\n"), usageout);
+ #endif				/* WITH_SELINUX */
+@@ -590,6 +669,20 @@
+ 			/* continue */
+ 		}
+ 	}
++	if (sub_uid_locked) {
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++			/* continue */
++		}
++	}
++	if (sub_gid_locked) {
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++			/* continue */
++		}
++	}
+ 
+ #ifdef WITH_AUDIT
+ 	audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+@@ -889,6 +982,10 @@
+ 			{"shell",        required_argument, NULL, 's'},
+ 			{"uid",          required_argument, NULL, 'u'},
+ 			{"unlock",       no_argument,       NULL, 'U'},
++			{"add-subuids",  required_argument, NULL, 'v'},
++			{"del-subuids",  required_argument, NULL, 'V'},
++ 			{"add-subgids",  required_argument, NULL, 'w'},
++ 			{"del-subgids",  required_argument, NULL, 'W'},
+ #ifdef WITH_SELINUX
+ 			{"selinux-user", required_argument, NULL, 'Z'},
+ #endif				/* WITH_SELINUX */
+@@ -1018,6 +1115,41 @@
+ 			case 'U':
+ 				Uflg = true;
+ 				break;
++			case 'v':
++				if (prepend_range (optarg, &add_sub_uids) == 0) {
++					fprintf (stderr,
++						_("%s: invalid subordinate uid range '%s'\n"),
++						Prog, optarg);
++					exit(E_BAD_ARG);
++				}
++				vflg = true;
++				break;
++			case 'V':
++				if (prepend_range (optarg, &del_sub_uids) == 0) {
++					fprintf (stderr,
++						_("%s: invalid subordinate uid range '%s'\n"),
++						Prog, optarg);
++					exit(E_BAD_ARG);
++				}
++				Vflg = true;
++				break;
++			case 'w':
++				if (prepend_range (optarg, &add_sub_gids) == 0) {
++					fprintf (stderr,
++						_("%s: invalid subordinate gid range '%s'\n"),
++						Prog, optarg);
++					exit(E_BAD_ARG);
++				}
++				wflg = true;
++			case 'W':
++				if (prepend_range (optarg, &del_sub_gids) == 0) {
++					fprintf (stderr,
++						_("%s: invalid subordinate gid range '%s'\n"),
++						Prog, optarg);
++					exit(E_BAD_ARG);
++				}
++				Wflg = true;
++				break;
+ #ifdef WITH_SELINUX
+ 			case 'Z':
+ 				if (is_selinux_enabled () > 0) {
+@@ -1170,6 +1302,7 @@
+ 
+ 	if (!(Uflg || uflg || sflg || pflg || mflg || Lflg ||
+ 	      lflg || Gflg || gflg || fflg || eflg || dflg || cflg
++	      || vflg || Vflg || wflg || Wflg
+ #ifdef WITH_SELINUX
+ 	      || Zflg
+ #endif				/* WITH_SELINUX */
+@@ -1200,6 +1333,7 @@
+ 		         Prog, (unsigned long) user_newid);
+ 		exit (E_UID_IN_USE);
+ 	}
++
+ }
+ 
+ /*
+@@ -1248,6 +1382,10 @@
+ 				         sgr_dbname ()));
+ 				fail_exit (E_GRP_UPDATE);
+ 			}
++		}
++#endif
++#ifdef SHADOWGRP
++		if (is_shadow_grp) {
+ 			if (sgr_unlock () == 0) {
+ 				fprintf (stderr,
+ 				         _("%s: failed to unlock %s\n"),
+@@ -1296,6 +1434,33 @@
+ 	sgr_locked = false;
+ #endif
+ 
++	if (vflg || Vflg) {
++		if (!is_sub_uid || (sub_uid_close () == 0)) {
++			fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_uid_dbname ()));
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++		if (!is_sub_uid || (sub_uid_unlock () == 0)) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++			/* continue */
++		}
++		sub_uid_locked = false;
++	}
++	if (wflg || Wflg) {
++		if (!is_sub_gid || (sub_gid_close () == 0)) {
++			fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++		if (!is_sub_gid || (sub_gid_unlock () == 0)) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++			/* continue */
++		}
++		sub_gid_locked = false;
++	}
++
+ 	/*
+ 	 * Close the DBM and/or flat files
+ 	 */
+@@ -1375,6 +1540,36 @@
+ 		}
+ #endif
+ 	}
++	if (vflg || Vflg) {
++		if (!is_sub_uid || (sub_uid_lock () == 0)) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sub_uid_dbname ());
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++		sub_uid_locked = true;
++		if (!is_sub_uid || (sub_uid_open (O_RDWR) == 0)) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sub_uid_dbname ());
++			fail_exit (E_SUB_UID_UPDATE);
++		}
++	}
++	if (wflg || Wflg) {
++		if (!is_sub_gid || (sub_gid_lock () == 0)) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sub_gid_dbname ());
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++		sub_gid_locked = true;
++		if (!is_sub_gid || (sub_gid_open (O_RDWR) == 0)) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sub_gid_dbname ());
++			fail_exit (E_SUB_GID_UPDATE);
++		}
++	}
+ }
+ 
+ /*
+@@ -1476,6 +1671,58 @@
+ 			fail_exit (E_PW_UPDATE);
+ 		}
+ 	}
++	if (Vflg) {
++		struct ulong_range_list_entry *ptr;
++		for (ptr = del_sub_uids; ptr != NULL; ptr = ptr->next) {
++			unsigned long count = ptr->range.last - ptr->range.first + 1;
++			if (sub_uid_remove(user_name, ptr->range.first, count) == 0) {
++				fprintf (stderr,
++					_("%s: failed to remove uid range %lu-%lu from '%s'\n"),
++					Prog, ptr->range.first, ptr->range.last, 
++					sub_uid_dbname ());
++				fail_exit (E_SUB_UID_UPDATE);
++			}
++		}
++	}
++	if (vflg) {
++		struct ulong_range_list_entry *ptr;
++		for (ptr = add_sub_uids; ptr != NULL; ptr = ptr->next) {
++			unsigned long count = ptr->range.last - ptr->range.first + 1;
++			if (sub_uid_add(user_name, ptr->range.first, count) == 0) {
++				fprintf (stderr,
++					_("%s: failed to add uid range %lu-%lu from '%s'\n"),
++					Prog, ptr->range.first, ptr->range.last, 
++					sub_uid_dbname ());
++				fail_exit (E_SUB_UID_UPDATE);
++			}
++		}
++	}
++	if (Wflg) {
++		struct ulong_range_list_entry *ptr;
++		for (ptr = del_sub_gids; ptr != NULL; ptr = ptr->next) {
++			unsigned long count = ptr->range.last - ptr->range.first + 1;
++			if (sub_gid_remove(user_name, ptr->range.first, count) == 0) {
++				fprintf (stderr,
++					_("%s: failed to remove gid range %lu-%lu from '%s'\n"),
++					Prog, ptr->range.first, ptr->range.last, 
++					sub_gid_dbname ());
++				fail_exit (E_SUB_GID_UPDATE);
++			}
++		}
++	}
++	if (wflg) {
++		struct ulong_range_list_entry *ptr;
++		for (ptr = add_sub_gids; ptr != NULL; ptr = ptr->next) {
++			unsigned long count = ptr->range.last - ptr->range.first + 1;
++			if (sub_gid_add(user_name, ptr->range.first, count) == 0) {
++				fprintf (stderr,
++					_("%s: failed to add gid range %lu-%lu from '%s'\n"),
++					Prog, ptr->range.first, ptr->range.last, 
++					sub_gid_dbname ());
++				fail_exit (E_SUB_GID_UPDATE);
++			}
++		}
++	}
+ }
+ 
+ /*
+@@ -1811,6 +2058,8 @@
+ #ifdef SHADOWGRP
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
++	is_sub_uid = sub_uid_file_present ();
++	is_sub_gid = sub_gid_file_present ();
+ 
+ 	process_flags (argc, argv);
+ 
+@@ -1818,7 +2067,7 @@
+ 	 * The home directory, the username and the user's UID should not
+ 	 * be changed while the user is logged in.
+ 	 */
+-	if (   (uflg || lflg || dflg)
++	if (   (uflg || lflg || dflg || Vflg || Wflg)
+ 	    && (user_busy (user_name, user_id) != 0)) {
+ 		exit (E_USER_BUSY);
+ 	}
+@@ -1871,7 +2120,7 @@
+ 	 */
+ 	open_files ();
+ 	if (   cflg || dflg || eflg || fflg || gflg || Lflg || lflg || pflg
+-	    || sflg || uflg || Uflg) {
++	    || sflg || uflg || Uflg || vflg || Vflg || wflg || Wflg) {
+ 		usr_update ();
+ 	}
+ 	if (Gflg || lflg) {

debian/patches/userns/10_userns_newusers

@@ -0,0 +1,256 @@
+From ebiederm@xmission.com  Tue Jan 22 09:21:21 2013
+Return-Path: <ebiederm@xmission.com>
+X-Original-To: serge@hallyn.com
+Delivered-To: serge@hallyn.com
+Received: by mail.hallyn.com (Postfix, from userid 5001)
+	id ADE59C80F5; Tue, 22 Jan 2013 09:21:21 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail
+X-Spam-Level: 
+X-Spam-Status: No, score=-2.2 required=8.0 tests=BAD_ENC_HEADER,BAYES_00,
+	RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1
+Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232])
+	(using TLSv1 with cipher AES256-SHA (256/256 bits))
+	(No client certificate requested)
+	by mail.hallyn.com (Postfix) with ESMTPS id D56AEC80DB
+	for <serge@hallyn.com>; Tue, 22 Jan 2013 09:21:17 +0000 (UTC)
+Received: from out03.mta.xmission.com ([166.70.13.233])
+	by out02.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1Txa11-0000bo-MQ; Tue, 22 Jan 2013 02:19:35 -0700
+Received: from in02.mta.xmission.com ([166.70.13.52])
+	by out03.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1Txa11-0005wx-1p; Tue, 22 Jan 2013 02:19:35 -0700
+Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.xmission.com)
+	by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
+	(Exim 4.76)
+	(envelope-from <ebiederm@xmission.com>)
+	id 1Txa0y-000519-2O; Tue, 22 Jan 2013 02:19:34 -0700
+From: ebiederm@xmission.com (Eric W. Biederman)
+To: Nicolas =?utf-8?Q?Fran=C3=A7ois?= <nicolas.francois@centraliens.net>
+Cc: <Pkg-shadow-devel@lists.alioth.debian.org>,  Linux Containers <containers@lists.linux-foundation.org>,  "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>,  "Serge E. Hallyn" <serge@hallyn.com>
+References: <87d2wxshu0.fsf@xmission.com>
+Date: Tue, 22 Jan 2013 01:19:28 -0800
+In-Reply-To: <87d2wxshu0.fsf@xmission.com> (Eric W. Biederman's message of
+	"Tue, 22 Jan 2013 01:11:19 -0800")
+Message-ID: <87k3r5pobj.fsf@xmission.com>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-XM-AID: U2FsdGVkX1+qhualZ5pxk+DVqanIJA7JrJwlPXicL8c=
+X-SA-Exim-Connect-IP: 98.207.153.68
+X-SA-Exim-Mail-From: ebiederm@xmission.com
+Subject: [PATCH 10/11] newusers: Add support for assiging subordinate uids and gids.
+X-SA-Exim-Version: 4.2.1 (built Wed, 14 Nov 2012 14:26:46 -0700)
+X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
+X-UID: 2080                                        
+Status: O
+Content-Length: 5597
+Lines: 206
+
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ src/newusers.c |  124 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 124 insertions(+), 0 deletions(-)
+
+Index: shadow/src/newusers.c
+===================================================================
+--- shadow.orig/src/newusers.c	2013-02-01 15:27:53.548080347 -0600
++++ shadow/src/newusers.c	2013-02-01 15:27:53.540080347 -0600
+@@ -65,6 +65,7 @@
+ #include "pwio.h"
+ #include "sgroupio.h"
+ #include "shadowio.h"
++#include "subordinateio.h"
+ #include "chkname.h"
+ 
+ /*
+@@ -82,6 +83,8 @@
+ #endif				/* USE_SHA_CRYPT */
+ #endif				/* !USE_PAM */
+ 
++static bool is_sub_uid = false;
++static bool is_sub_gid = false;
+ static bool is_shadow;
+ #ifdef SHADOWGRP
+ static bool is_shadow_grp;
+@@ -90,6 +93,8 @@
+ static bool pw_locked = false;
+ static bool gr_locked = false;
+ static bool spw_locked = false;
++static bool sub_uid_locked = false;
++static bool sub_gid_locked = false;
+ 
+ /* local function prototypes */
+ static void usage (int status);
+@@ -178,6 +183,20 @@
+ 		}
+ 	}
+ #endif
++	if (sub_uid_locked) {
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++			/* continue */
++		}
++	}
++	if (sub_gid_locked) {
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++			/* continue */
++		}
++	}
+ 
+ 	exit (code);
+ }
+@@ -732,6 +751,24 @@
+ 		sgr_locked = true;
+ 	}
+ #endif
++	if (is_sub_uid) {
++		if (sub_uid_lock () == 0) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sub_uid_dbname ());
++			fail_exit (EXIT_FAILURE);
++		}
++		sub_uid_locked = true;
++	}
++	if (is_sub_gid) {
++		if (sub_gid_lock () == 0) {
++			fprintf (stderr,
++			         _("%s: cannot lock %s; try again later.\n"),
++			         Prog, sub_gid_dbname ());
++			fail_exit (EXIT_FAILURE);
++		}
++		sub_gid_locked = true;
++	}
+ 
+ 	if (pw_open (O_RDWR) == 0) {
+ 		fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ());
+@@ -751,6 +788,22 @@
+ 		fail_exit (EXIT_FAILURE);
+ 	}
+ #endif
++	if (is_sub_uid) {
++		if (sub_uid_open (O_RDWR) == 0) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sub_uid_dbname ());
++			fail_exit (EXIT_FAILURE);
++		}
++	}
++	if (is_sub_gid) {
++		if (sub_gid_open (O_RDWR) == 0) {
++			fprintf (stderr,
++			         _("%s: cannot open %s\n"),
++			         Prog, sub_gid_dbname ());
++			fail_exit (EXIT_FAILURE);
++		}
++	}
+ }
+ 
+ /*
+@@ -795,6 +848,19 @@
+ 		SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
+ 		fail_exit (EXIT_FAILURE);
+ 	}
++	if (is_sub_uid  && (sub_uid_close () == 0)) {
++		fprintf (stderr,
++		         _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
++		SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_uid_dbname ()));
++		fail_exit (EXIT_FAILURE);
++	}
++	if (is_sub_gid  && (sub_gid_close () == 0)) {
++		fprintf (stderr,
++		         _("%s: failure while writing changes to %s\n"), Prog, sub_gid_dbname ());
++		SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
++		fail_exit (EXIT_FAILURE);
++	}
++
+ 	if (gr_unlock () == 0) {
+ 		fprintf (stderr,
+ 		         _("%s: failed to unlock %s\n"),
+@@ -823,6 +889,22 @@
+ 		sgr_locked = false;
+ 	}
+ #endif
++	if (is_sub_uid) {
++		if (sub_uid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
++			/* continue */
++		}
++		sub_uid_locked = false;
++	}
++	if (is_sub_gid) {
++		if (sub_gid_unlock () == 0) {
++			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
++			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
++			/* continue */
++		}
++		sub_gid_locked = false;
++	}
+ }
+ 
+ int main (int argc, char **argv)
+@@ -864,6 +946,8 @@
+ #ifdef SHADOWGRP
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
++	is_sub_uid = sub_uid_file_present ();
++	is_sub_gid = sub_gid_file_present ();
+ 
+ 	open_files ();
+ 
+@@ -1044,6 +1128,46 @@
+ 			errors++;
+ 			continue;
+ 		}
++
++		/*
++		 * Add subordinate uids if the user does not have them.
++		 */
++		if (is_sub_uid && !sub_uid_assigned(fields[0])) {
++			uid_t sub_uid_start = 0;
++			unsigned long sub_uid_count = 0;
++			if (find_new_sub_uids(fields[0], &sub_uid_start, &sub_uid_count) == 0) {
++				if (sub_uid_add(fields[0], sub_uid_start, sub_uid_count) == 0) {
++					fprintf (stderr,
++						_("%s: failed to prepare new %s entry\n"),
++						Prog, sub_uid_dbname ());
++				}
++			} else {
++				fprintf (stderr,
++					_("%s: can't find subordinate user range\n"),
++					Prog);
++				errors++;
++			}
++		}
++	
++		/*
++		 * Add subordinate gids if the user does not have them.
++		 */
++		if (is_sub_gid && !sub_gid_assigned(fields[0])) {
++			gid_t sub_gid_start = 0;
++			unsigned long sub_gid_count = 0;
++			if (find_new_sub_gids(fields[0], &sub_gid_start, &sub_gid_count) == 0) {
++				if (sub_gid_add(fields[0], sub_gid_start, sub_gid_count) == 0) {
++					fprintf (stderr,
++						_("%s: failed to prepare new %s entry\n"),
++						Prog, sub_uid_dbname ());
++				}
++			} else {
++				fprintf (stderr,
++					_("%s: can't find subordinate group range\n"),
++					Prog);
++				errors++;
++			}
++		}
+ 	}
+ 
+ 	/*

debian/patches/userns/12_userns_selinuxlibs

@@ -0,0 +1,13 @@
+Index: shadow-4.1.5.1/src/Makefile.am
+===================================================================
+--- shadow-4.1.5.1.orig/src/Makefile.am	2013-02-04 11:56:40.485335430 -0600
++++ shadow-4.1.5.1/src/Makefile.am	2013-02-04 11:57:49.525334261 -0600
+@@ -80,6 +80,8 @@
+ endif
+ 
+ chage_LDADD    = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++newuidmap_LDADD    = $(LDADD) $(LIBSELINUX)
++newgidmap_LDADD    = $(LDADD) $(LIBSELINUX)
+ chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+ chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)

debian/patches/userns/13_subordinate_parse_static_buf

@@ -0,0 +1,23 @@
+Description: subordinateio: Fix subordinate_parse to have an internal static buffer
+ subordinate_parse is supposed to return a static structure that
+ represents one line in /etc/subuid or /etc/subgid.  I goofed and
+ failed to make the variable rangebuf that holds the username of
+ in the returned structure static.
+ .
+ Add this missing static specification.
+Author: <Eric W. Biederman" <ebiederm@xmission.com>
+Origin: upstream
+Forwarded: no
+Index: shadow-4.1.5.1/lib/subordinateio.c
+===================================================================
+--- shadow-4.1.5.1.orig/lib/subordinateio.c	2013-02-04 11:56:40.265335433 -0600
++++ shadow-4.1.5.1/lib/subordinateio.c	2013-02-04 12:32:46.653298752 -0600
+@@ -48,7 +48,7 @@
+ static void *subordinate_parse (const char *line)
+ {
+ 	static struct subordinate_range range;
+-	char rangebuf[1024];
++	static char rangebuf[1024];
+ 	int i;
+ 	char *cp;
+ 	char *fields[NFIELDS];

debian/patches/userns/14_fix_getopt

@@ -0,0 +1,24 @@
+Index: shadow-userns/src/usermod.c
+===================================================================
+--- shadow-userns.orig/src/usermod.c	2013-02-05 16:35:10.608485591 +0000
++++ shadow-userns/src/usermod.c	2013-02-05 17:16:20.540485591 +0000
+@@ -993,9 +993,9 @@
+ 		};
+ 		while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+-			                 "ac:d:e:f:g:G:hl:Lmop:R:s:u:UZ:",
++			                 "ac:d:e:f:g:G:hl:Lmop:R:s:u:UZ:v:w:V:W:",
+ #else				/* !WITH_SELINUX */
+-			                 "ac:d:e:f:g:G:hl:Lmop:R:s:u:U",
++			                 "ac:d:e:f:g:G:hl:Lmop:R:s:u:Uv:w:V:W:",
+ #endif				/* !WITH_SELINUX */
+ 			                 long_options, NULL)) != -1) {
+ 			switch (c) {
+@@ -1141,6 +1141,7 @@
+ 					exit(E_BAD_ARG);
+ 				}
+ 				wflg = true;
++                break;
+ 			case 'W':
+ 				if (prepend_range (optarg, &del_sub_gids) == 0) {
+ 					fprintf (stderr,

debian/patches/userns/16_add-argument-sanity-checking.patch

@@ -0,0 +1,80 @@
+From df3c8c1f7f47ceff607595067458f1d8e53eaab8 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge.hallyn@ubuntu.com>
+Date: Fri, 21 Jun 2013 11:47:36 -0500
+Subject: [PATCH 1/1] userns: add argument sanity checking
+
+In find_new_sub_{u,g}ids, check for min, count and max values.
+
+In idmapping.c:get_map_ranges(), make sure that the value passed
+in for ranges did not overflow.  Couldn't happen with the current
+code, but this is a sanity check for any future potential mis-uses.
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+---
+ libmisc/find_new_sub_gids.c |  8 ++++++++
+ libmisc/find_new_sub_uids.c |  8 ++++++++
+ libmisc/idmapping.c         | 10 ++++++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/libmisc/find_new_sub_gids.c b/libmisc/find_new_sub_gids.c
+index 68046ac..fd44978 100644
+--- a/libmisc/find_new_sub_gids.c
++++ b/libmisc/find_new_sub_gids.c
+@@ -58,6 +58,14 @@ int find_new_sub_gids (const char *owner,
+ 	max = getdef_ulong ("SUB_GID_MAX", 600100000UL);
+ 	count = getdef_ulong ("SUB_GID_COUNT", 10000);
+ 
++	if (min >= max || count >= max || (min + count) >= max) {
++		(void) fprintf (stderr,
++				_("%s: Invalid configuration: SUB_GID_MIN (%lu),"
++				  " SUB_GID_MAX (%lu), SUB_GID_COUNT (%lu)\n"),
++			Prog, min, max, count);
++		return -1;
++	}
++
+ 	/* Is there a preferred range that works? */
+ 	if ((*range_count != 0) &&
+ 	    (*range_start >= min) &&
+diff --git a/libmisc/find_new_sub_uids.c b/libmisc/find_new_sub_uids.c
+index f1720f9..b608c59 100644
+--- a/libmisc/find_new_sub_uids.c
++++ b/libmisc/find_new_sub_uids.c
+@@ -58,6 +58,14 @@ int find_new_sub_uids (const char *owner,
+ 	max = getdef_ulong ("SUB_UID_MAX", 600100000UL);
+ 	count = getdef_ulong ("SUB_UID_COUNT", 10000);
+ 
++	if (min >= max || count >= max || (min + count) >= max) {
++		(void) fprintf (stderr,
++				_("%s: Invalid configuration: SUB_UID_MIN (%lu),"
++				  " SUB_UID_MAX (%lu), SUB_UID_COUNT (%lu)\n"),
++			Prog, min, max, count);
++		return -1;
++	}
++
+ 	/* Is there a preferred range that works? */
+ 	if ((*range_count != 0) &&
+ 	    (*range_start >= min) &&
+diff --git a/libmisc/idmapping.c b/libmisc/idmapping.c
+index cb9e898..4147796 100644
+--- a/libmisc/idmapping.c
++++ b/libmisc/idmapping.c
+@@ -41,6 +41,16 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv)
+ 	struct map_range *mappings, *mapping;
+ 	int idx, argidx;
+ 
++	if (ranges < 0 || argc < 0) {
++		fprintf(stderr, "%s: error calculating number of arguments\n", Prog);
++		return NULL;
++	}
++
++	if (ranges != ((argc - 2) + 2) / 3) {
++		fprintf(stderr, "%s: ranges: %u is wrong for argc: %d\n", Prog, ranges, argc);
++		return NULL;
++	}
++
+ 	if ((ranges * 3) > argc) {
+ 		fprintf(stderr, "ranges: %u argc: %d\n",
+ 			ranges, argc);
+-- 
+1.8.1.2
+

debian/patches/userns/manpagetypo

@@ -0,0 +1,26 @@
+Index: shadow/man/subgid.5.xml
+===================================================================
+--- shadow.orig/man/subgid.5.xml	2013-03-06 15:19:23.848386200 -0600
++++ shadow/man/subgid.5.xml	2013-03-06 15:19:51.240386816 -0600
+@@ -104,7 +104,7 @@
+ 	<refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
+       </citerefentry>,
+       <citerefentry>
+-	<refentrytitle>logindefs</refentrytitle><manvolnum>5</manvolnum>
++	<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
+       </citerefentry>,
+       <citerefentry>
+ 	<refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
+Index: shadow/man/subuid.5.xml
+===================================================================
+--- shadow.orig/man/subuid.5.xml	2013-03-06 15:19:09.660385881 -0600
++++ shadow/man/subuid.5.xml	2013-03-06 15:19:44.956386675 -0600
+@@ -104,7 +104,7 @@
+ 	<refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
+       </citerefentry>,
+       <citerefentry>
+-	<refentrytitle>logindefs</refentrytitle><manvolnum>5</manvolnum>
++	<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
+       </citerefentry>,
+       <citerefentry>
+ 	<refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>

debian/rules

@@ -0,0 +1,81 @@
+#!/usr/bin/make -f
+# -*- mode: makefile; coding: utf-8 -*-
+
+DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
+
+export DEB_BUILD_HARDENING=1
+
+# Enable PIE, BINDNOW, and possible future flags.
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# Call autoreconf since we need to regenerate all the autofoo files
+include /usr/share/cdbs/1/rules/autoreconf.mk
+include /usr/share/cdbs/1/rules/debhelper.mk
+# Specify where dh_install will find the files that it needs to move:
+DEB_DH_INSTALL_SOURCEDIR=debian/tmp
+# Specify the destination of shadow's "make install"
+# (This is only needed on The Hurd, where only one package is built. On
+# the other arch, DEB_DESTDIR already points to debian/tmp)
+DEB_DESTDIR=$(CURDIR)/debian/tmp
+
+include /usr/share/cdbs/1/class/autotools.mk
+
+# Adds extra options when calling the configure script:
+DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared --without-libcrack --mandir=/usr/share/man --with-libpam --enable-shadowgrp --enable-man --disable-account-tools-setuid --with-group-name-max-length=32 --without-acl --without-attr --without-tcb
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+  DEB_CONFIGURE_EXTRA_FLAGS += --host=$(DEB_HOST_GNU_TYPE)
+endif
+
+# Set the default editor for vipw/vigr
+CFLAGS += -DDEFAULT_EDITOR=\\\"sensible-editor\\\"
+
+# Add extras to the install process:
+binary-install/login::
+ifeq ($(DEB_HOST_ARCH_OS),hurd)
+	# /bin/login is provided by the hurd package.
+	rm -f debian/login/bin/login
+endif
+	dh_installpam -p login
+	dh_installpam -p login --name=su
+	install -c -m 444 debian/login.defs debian/login/etc/login.defs
+	install -c -m 444 debian/securetty.$(DEB_HOST_ARCH_OS) debian/login/etc/securetty
+	dh_lintian -p login
+
+binary-install/passwd::
+	install -c -m 444 man/shadowconfig.8 debian/passwd/usr/share/man/man8
+	install -c -m 444 man/ja/shadowconfig.8 debian/passwd/usr/share/man/ja/man8
+	install -c -m 444 man/pl/shadowconfig.8 debian/passwd/usr/share/man/pl/man8
+	install -c -m 444 man/fr/shadowconfig.8 debian/passwd/usr/share/man/fr/man8
+	# Distribute the pam.d files; unless for the commands with disabled PAM
+	# support
+	dh_installpam -p passwd --name=passwd
+	dh_installpam -p passwd --name=chfn
+	dh_installpam -p passwd --name=chsh
+	dh_installpam -p passwd --name=chpasswd
+	dh_installpam -p passwd --name=newusers
+	install -c -m 644 debian/useradd.default debian/passwd/etc/default/useradd
+	install -d debian/passwd/sbin
+	install -c -m 555 debian/shadowconfig.sh debian/passwd/sbin/shadowconfig
+	install -c -m 444 debian/cpgr.8 debian/passwd/usr/share/man/man8
+	install -c -m 444 debian/cppw.8 debian/passwd/usr/share/man/man8
+	dh_lintian -p passwd
+
+binary-predeb/uidmap::
+	chmod u+s debian/uidmap/usr/bin/newuidmap
+	chmod u+s debian/uidmap/usr/bin/newgidmap
+
+binary-predeb/login::
+	# No real need for login to be setuid root
+	# chmod u+s debian/login/bin/login
+	chmod u+s debian/login/bin/su
+	chmod u+s debian/login/usr/bin/newgrp
+
+binary-predeb/passwd::
+	chmod u+s debian/passwd/usr/bin/chfn
+	chmod u+s debian/passwd/usr/bin/chsh
+	chmod u+s debian/passwd/usr/bin/gpasswd
+	chmod u+s debian/passwd/usr/bin/passwd
+	chgrp shadow debian/passwd/usr/bin/chage
+	chgrp shadow debian/passwd/usr/bin/expiry
+	chmod g+s debian/passwd/usr/bin/chage
+	chmod g+s debian/passwd/usr/bin/expiry

debian/salsa-ci.yml

@@ -0,0 +1,9 @@
+---
+# LTS/ELTS CI
+
+include:
+- https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/jessie.yml
+
+# These didn't work before LTS, not attempting to fix after freeze
+#blhc:
+#  allow_failure: true

debian/securetty.hurd

@@ -0,0 +1,71 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+
+# for people with serial port consoles
+com0
+
+# Standard consoles
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+tty8
+tty9
+tty10
+tty11
+tty12
+tty13
+tty14
+tty15
+tty16
+tty17
+tty18
+tty19
+tty20
+tty21
+tty22
+tty23
+tty24
+tty25
+tty26
+tty27
+tty28
+tty29
+tty30
+tty31
+tty32
+tty33
+tty34
+tty35
+tty36
+tty37
+tty38
+tty39
+tty40
+tty41
+tty42
+tty43
+tty44
+tty45
+tty46
+tty47
+tty48
+tty49
+tty50
+tty51
+tty52
+tty53
+tty54
+tty55
+tty56
+tty57
+tty58
+tty59
+tty60
+tty61
+tty62
+tty63

debian/securetty.kfreebsd

@@ -0,0 +1,24 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+
+# for people with serial port consoles
+ttyd0
+ttyd1
+
+# Standard consoles
+ttyv0
+ttyv1
+ttyv2
+ttyv3
+ttyv4
+ttyv5
+ttyv6
+ttyv7
+ttyva
+ttyvb
+ttyvc
+ttyvd
+ttyve
+ttyvf
+

debian/securetty.knetbsd

@@ -0,0 +1,12 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+
+# for people with serial port consoles
+tty00
+
+# Standard consoles
+ttyE0
+ttyE1
+ttyE2
+ttyE3

debian/securetty.linux

@@ -373,7 +373,7 @@ ttyEQ1
 
 # ==========================================================
 #
-# Not in Documentation/Devicess.txt
+# Not in Documentation/Devices.txt
 #
 # ==========================================================
 
@@ -385,6 +385,16 @@ ttymxc3
 ttymxc4
 ttymxc5
 
+# LXC (Linux Containers)
+lxc/console
+lxc/tty1
+lxc/tty2
+lxc/tty3
+lxc/tty4
+
 # Serial Console for MIPS Swarm
 duart0
 duart1
+
+# s390 and s390x ports in LPAR mode
+ttysclp0

debian/shadowconfig.sh

@@ -0,0 +1,49 @@
+#!/bin/sh
+# turn shadow passwords on or off on a Debian system
+
+set -e
+
+shadowon () {
+    set -e
+    pwck -q -r
+    grpck -r
+    pwconv
+    grpconv
+    chown root:root /etc/passwd /etc/group
+    chmod 644 /etc/passwd /etc/group
+    chown root:shadow /etc/shadow /etc/gshadow
+    chmod 640 /etc/shadow /etc/gshadow
+}
+
+shadowoff () {
+    set -e
+    pwck -q -r
+    grpck -r
+    pwunconv
+    grpunconv
+    # sometimes the passwd perms get munged
+    chown root:root /etc/passwd /etc/group
+    chmod 644 /etc/passwd /etc/group
+}
+
+case "$1" in
+    "on")
+	if shadowon ; then
+	    echo Shadow passwords are now on.
+	else
+	    echo Please correct the error and rerun \`$0 on\'
+	    exit 1
+	fi
+	;;
+    "off")
+	if shadowoff ; then
+	    echo Shadow passwords are now off.
+	else
+	    echo Please correct the error and rerun \`$0 off\'
+	    exit 1
+	fi
+	;;
+     *)
+	echo Usage: $0 on \| off
+	;;
+esac

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/uidmap.install

@@ -0,0 +1,4 @@
+usr/bin/newuidmap
+usr/bin/newgidmap
+usr/share/man/man1/newuidmap.1
+usr/share/man/man1/newgidmap.1

debian/uidmap.lintian-overrides

@@ -0,0 +1,2 @@
+uidmap: setuid-binary usr/bin/newgidmap 4755 root/root
+uidmap: setuid-binary usr/bin/newuidmap 4755 root/root