configure.ac and changelog: release 4.9

Signed-off-by: Serge Hallyn <serge@hallyn.com>

.github/workflows/main.yml

@@ -0,0 +1,43 @@
+name: CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: debug
+      run: |
+        id
+        which bash
+        whoami
+        env
+        ps -ef
+        pwd
+        cat /proc/self/uid_map
+        cat /proc/self/status
+        systemd-detect-virt
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get -y install automake autopoint xsltproc gettext expect byacc libtool
+    - name: configure
+      run: |
+        ./autogen.sh --without-selinux --disable-man
+        grep ENABLE_ config.status
+    - run: make
+    - run: make install DESTDIR=${HOME}/rootfs
+    - run: sudo make install
+    - run: |
+        cd tests
+        sudo ./run_some
+        cat testsuite.log

.gitignore

@@ -48,3 +48,4 @@ Makefile.in
 /shadow.spec
 /shadow-*.tar.*
 /libmisc/getdate.c
+/libsubid/subid.h

AUTHORS.md

@@ -0,0 +1,89 @@
+Thanks to at least the following people for sending patches, bug
+reports and various comments. This list may be incomplete, I received
+a lot of mail...
+
+# Maintainers
+Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
+Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
+Serge E. Hallyn <serge@hallyn.com> (2014-now)
+Christian Brauner <christian@brauner.io> (2019-now)
+
+# Authors and contributors
+Adam Rudnicki <adam@v-lo.krakow.pl>
+Alan Curry <pacman@tardis.mars.net>
+Aleksa Sarai <cyphar@cyphar.com>
+Alexander O. Yuriev <alex@bach.cis.temple.edu>
+Algis Rudys <arudys@rice.edu>
+Andreas Jaeger <aj@arthur.rhein-neckar.de>
+Andy Zaugg <andy.zaugg@gmail.com>
+Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it>
+Anton Gluck <gluc@midway.uchicago.edu>
+Arkadiusz Miskiewicz <misiek@pld.org.pl>
+Ben Collins <bcollins@debian.org>
+Brian R. Gaeke <brg@dgate.org>
+Calle Karlsson <ckn@kash.se>
+Chip Rosenthal <chip@unicom.com>
+Chris Evans <lady0110@sable.ox.ac.uk>
+Chris Lamb <chris@chris-lamb.co.uk>
+Cristian Gafton <gafton@sorosis.ro>
+Dan Walsh <dwalsh@redhat.com>
+Darcy Boese <possum@chardonnay.niagara.com>
+Dave Hagewood <admin@arrowweb.com>
+David A. Holland <dholland@hcs.harvard.edu>
+David Frey <David.Frey@lugs.ch>
+Ed Carp <ecarp@netcom.com>
+Ed Neville <ed@s5h.net>
+Eric W. Biederman" <ebiederm@xmission.com>
+Floody <flood@evcom.net>
+Frank Denis <j@4u.net>
+George Kraft IV <gk4@us.ibm.com>
+Greg Mortensen <loki@world.std.com>
+Guido van Rooij
+Guy Maor <maor@debian.org>
+Hrvoje Dogan <hdogan@bjesomar.srce.hr>
+Iker Pedrosa <ipedrosa@redhat.com>
+Jakub Hrozek <jhrozek@redhat.com>
+Janos Farkas <chexum@bankinf.banki.hu>
+Jason Franklin <jason.franklin@quoininc.com>
+Jay Soffian <jay@lw.net>
+Jesse Thilo <Jesse.Thilo@pobox.com>
+Joey Hess <joey@kite.ml.org>
+John Adelsberger <jja@umr.edu>
+Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us>
+Jon Lewis <jlewis@lewis.org>
+Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
+Judd Bourgeois <shagboy@bluesky.net>
+Juergen Heinzl <unicorn@noris.net>
+Juha Virtanen <jiivee@iki.fi>
+Julian Pidancet <julian.pidancet@gmail.com>
+Julianne Frances Haugh <julie78787@gmail.com>
+Leonard N. Zubkoff <lnz@dandelion.com>
+Luca Berra <bluca@www.polimi.it>
+Lukáš Kuklínek <lkukline@redhat.com>
+Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
+Marc Ewing <marc@redhat.com>
+Martin Bene <mb@sime.com>
+Martin Mares <mj@gts.cz>
+Michael Meskes <meskes@topsystem.de>
+Michael Talbot-Wilson <mike@calypso.bns.com.au>
+Michael Vetter <jubalh@iodoru.org>
+Mike Frysinger <vapier@gentoo.org>
+Mike Pakovic <mpakovic@users.southeast.net>
+Nicolas François <nicolas.francois@centraliens.net>
+Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
+Pavel Machek <pavel@bug.ucw.cz>
+Peter Vrabec <pvrabec@redhat.com>
+Phillip Street
+Rafał Maszkowski <rzm@icm.edu.pl>
+Rani Chouha <ranibey@smartec.com>
+Sami Kerola <kerolasa@rocketmail.com>
+Scott Garman <scott.a.garman@intel.com>
+Sebastian Rick Rijkers <srrijkers@gmail.com>
+Seraphim Mellos <mellos@ceid.upatras.gr>
+Shane Watts <shane@nexus.mlckew.edu.au>
+Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
+Thorsten Kukuk <kukuk@suse.de>
+Tim Hockin <thockin@eagle.ais.net>
+Timo Karjalainen <timok@iki.fi>
+Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es>
+Werner Fink <werner@suse.de>

ChangeLog

@@ -1,3 +1,46 @@
+2021-12-19  Serge Hallyn <serge@hallyn.com>
+
+	Note: From this release forward, su from this package should be
+	considered deprecated.  Please replace any users of it with su from
+	util-linux.  Please open an issue if there is a problem with that.
+	We intend to remove it in an upcoming release.
+
+	* libsubid fixes (Xi Ruoyao, Serge Hallyn, Iker Pedrosa, Mike Gilbert,
+	  GalaxyMaster, and Luís Ferreira)
+	* Rename the test program list_subid_ranges to getsubids, write
+	  a manpage, so distros can ship it. (Iker Pedrosa)
+	* Add libeconf dep for new*idmap (Iker Pedrosa)
+	* Allow all group types with usermod -G (Iker Pedrosa)
+	* Avoid useradd generating empty subid range (Iker Pedrosa)
+	* Handle NULL pw_passwd (Jaroslav Jindrak)
+	* Fix default value SHA_get_salt_rounds (Mike Gilbert)
+	* Use https where possible in README (Paul Menzel)
+	* Update content and format of README (Iker Pedrosa)
+	* Translation updates (Balint Reczey, Frans Spiesschaert)
+	* Switch from xml2po to itstool in 'make dist' (Serge Hallyn)
+	* Fix double frees (Michael Vetter)
+	* Add LOG_INIT configurable to useradd (Andy Zaugg)
+	* Add CREATE_MAIL_SPOOL documentation (Andy Zaugg)
+	* Create a security.md
+	* Fix su never being SIGKILLd when trapping TERM (Ruihan li)
+	* Fix wrong SELinux labels in several possible cases (Iker Pedrosa)
+	* Fix missing chmod in chadowtb_move (GalaxyMaster)
+	* Handle malformed hushlogins entries (Tobias Stoeckmann)
+	* Fix groupdel segv when passwd does not exist (François Rigault)
+	* Fix covscan-found newgrp segfault (Iker Pedrosa)
+	* Remove trailing slash on hoedir (Ed Neville)
+	* Fix passwd -l message - it does not change expirey (Ed Neville)
+	* Fix SIGCHLD handling bugs in su and vipw (Tobias Stoeckmann)
+	* Remove special case for "" in usermod (Alejandro Colomar)
+	* Implement usermod -rG to remove a specific group
+	  (Andy Zaugg)
+	* call pam_end() after fork in child path for su and login
+	  (Björn Fischer)
+	* useradd: In absence of /etc/passwd, assume 0 == root
+	  (Ludwig Nussel)
+	* lib: check NULL before freeing data (Iker Pedrosa)
+	* Fix pwck segfault (Iker Pedrosa)
+
 2021-07-22  Serge Hallyn <serge@hallyn.com>
 
 	* Updated translations (Björn Esser, Juergen Hoetzel)

README

@@ -1,124 +0,0 @@
-Shadow SITES
-============
-
-Homepage
-	http://github.com/shadow-maint/shadow
-
-Issue tracker
-	http://github.com/shadow-maint/shadow/issues
-
-Releases
-	https://github.com/shadow-maint/shadow/releases
-
-Mailing lists
-	for general discuss: pkg-shadow-devel@alioth-lists.debian.net
-	commit list: pkg-shadow-commits@alioth-lists.debian.net
-
-Mailing lists subscription
-	http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-devel
-	http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-commits
-
-Mailing lists archives:
-	http://alioth-lists.debian.net/pipermail/pkg-shadow-devel/
-	http://alioth-lists.debian.net/pipermail/pkg-shadow-commits/
-
-S/Key support:
-	Shadow can be built with S/Key support using the S/Key package from:
-
-	http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libskey/
-	or
-	http://gentoo.osuosl.org/distfiles/skey-1.1.5.tar.bz2
-
-Authors and contributors
-========================
-
-Thanks to at least the following people for sending patches, bug
-reports and various comments.  This list may be incomplete, I received
-a lot of mail...
-
-
-Adam Rudnicki <adam@v-lo.krakow.pl>
-Alan Curry <pacman@tardis.mars.net>
-Aleksa Sarai <cyphar@cyphar.com>
-Alexander O. Yuriev <alex@bach.cis.temple.edu>
-Algis Rudys <arudys@rice.edu>
-Andreas Jaeger <aj@arthur.rhein-neckar.de>
-Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it>
-Anton Gluck <gluc@midway.uchicago.edu>
-Arkadiusz Miskiewicz <misiek@pld.org.pl>
-Ben Collins <bcollins@debian.org>
-Brian R. Gaeke <brg@dgate.org>
-Calle Karlsson <ckn@kash.se>
-Chip Rosenthal <chip@unicom.com>
-Chris Evans <lady0110@sable.ox.ac.uk>
-Chris Lamb <chris@chris-lamb.co.uk>
-Cristian Gafton <gafton@sorosis.ro>
-Dan Walsh <dwalsh@redhat.com>
-Darcy Boese <possum@chardonnay.niagara.com>
-Dave Hagewood <admin@arrowweb.com>
-David A. Holland <dholland@hcs.harvard.edu>
-David Frey <David.Frey@lugs.ch>
-Ed Carp <ecarp@netcom.com>
-Ed Neville <ed@s5h.net>
-Eric W. Biederman" <ebiederm@xmission.com>
-Floody <flood@evcom.net>
-Frank Denis <j@4u.net>
-George Kraft IV <gk4@us.ibm.com>
-Greg Mortensen <loki@world.std.com>
-Guido van Rooij
-Guy Maor <maor@debian.org>
-Hrvoje Dogan <hdogan@bjesomar.srce.hr>
-Jakub Hrozek <jhrozek@redhat.com>
-Janos Farkas <chexum@bankinf.banki.hu>
-Jason Franklin <jason.franklin@quoininc.com>
-Jay Soffian <jay@lw.net>
-Jesse Thilo <Jesse.Thilo@pobox.com>
-Joey Hess <joey@kite.ml.org>
-John Adelsberger <jja@umr.edu>
-Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us>
-Jon Lewis <jlewis@lewis.org>
-Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
-Judd Bourgeois <shagboy@bluesky.net>
-Juergen Heinzl <unicorn@noris.net>
-Juha Virtanen <jiivee@iki.fi>
-Julian Pidancet <julian.pidancet@gmail.com>
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
-Leonard N. Zubkoff <lnz@dandelion.com>
-Luca Berra <bluca@www.polimi.it>
-Lukáš Kuklínek <lkukline@redhat.com>
-Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
-Marc Ewing <marc@redhat.com>
-Martin Bene <mb@sime.com>
-Martin Mares <mj@gts.cz>
-Michael Meskes <meskes@topsystem.de>
-Michael Talbot-Wilson <mike@calypso.bns.com.au>
-Michael Vetter <jubalh@iodoru.org>
-Mike Frysinger <vapier@gentoo.org>
-Mike Pakovic <mpakovic@users.southeast.net>
-Nicolas François <nicolas.francois@centraliens.net>
-Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
-Pavel Machek <pavel@bug.ucw.cz>
-Peter Vrabec <pvrabec@redhat.com>
-Phillip Street
-Rafał Maszkowski <rzm@icm.edu.pl>
-Rani Chouha <ranibey@smartec.com>
-Sami Kerola <kerolasa@rocketmail.com>
-Scott Garman <scott.a.garman@intel.com>
-Sebastian Rick Rijkers <srrijkers@gmail.com>
-Seraphim Mellos <mellos@ceid.upatras.gr>
-Shane Watts <shane@nexus.mlckew.edu.au>
-Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
-Thorsten Kukuk <kukuk@suse.de>
-Tim Hockin <thockin@eagle.ais.net>
-Timo Karjalainen <timok@iki.fi>
-Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es>
-Werner Fink <werner@suse.de>
-
-Maintainers
-===========
-
-Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
-Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
-Serge E. Hallyn <serge@hallyn.com> (2014-now)
-Christian Brauner <christian@brauner.io> (2019-now)
-

README

@@ -0,0 +1 @@
+README.md

README.md

@@ -0,0 +1,36 @@
+# shadow-utils
+
+## Introduction
+The shadow-utils package includes the necessary programs for
+converting UNIX password files to the shadow password format, plus
+programs for managing user and group accounts. The pwconv command
+converts passwords to the shadow password format. The pwunconv command
+unconverts shadow passwords and generates a passwd file (a standard
+UNIX password file). The pwck command checks the integrity of password
+and shadow files. The lastlog command prints out the last login times
+for all users. The useradd, userdel, and usermod commands are used for
+managing user accounts. The groupadd, groupdel, and groupmod commands
+are used for managing group accounts.
+
+## Sites
+* [Homepage](https://github.com/shadow-maint/shadow)
+* [Issue tracker](https://github.com/shadow-maint/shadow/issues)
+* [Releases](https://github.com/shadow-maint/shadow/releases)
+
+## Contacts
+There are several ways to contact us:
+* [the general discussion mailing list](
+  https://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-devel)
+* the #shadow IRC channel on libera.chat:
+  * irc://irc.libera.chat/shadow
+
+### Mailing archives
+* [the general discussion mailing list archive](
+  https://alioth-lists.debian.net/pipermail/pkg-shadow-devel/)
+* [the commit mailing list archive](
+  https://alioth-lists-archive.debian.net/pipermail/pkg-shadow-commits/),
+  only used for historical purposes
+
+## Authors and maintainers
+Authors and maintainers are listed in [AUTHORS.md](
+https://github.com/shadow-maint/shadow/blob/master/AUTHORS.md).

SECURITY.md

@@ -0,0 +1,11 @@
+# Security Policy
+
+## Supported Versions
+
+At the moment only the latest release is supported.
+
+## Reporting a Vulnerability
+
+Security vulnerabilities may be reported to
+* Serge Hallyn <serge@hallyn.com> (B175CFA98F192AF2)
+* Christian Brauner <christian@brauner.io> (4880B8C9BD0E5106FC070F4F7B3C391EFEA93624)

configure.ac

@@ -1,10 +1,10 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_PREREQ([2.69])
-m4_define([libsubid_abi_major], 3)
+m4_define([libsubid_abi_major], 4)
 m4_define([libsubid_abi_minor], 0)
 m4_define([libsubid_abi_micro], 0)
 m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
-AC_INIT([shadow], [4.9], [pkg-shadow-devel@lists.alioth.debian.org], [],
+AC_INIT([shadow], [4.10], [pkg-shadow-devel@lists.alioth.debian.org], [],
 	[https://github.com/shadow-maint/shadow])
 AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -321,6 +321,8 @@ if test "$with_sha_crypt" = "yes"; then
 	AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
 fi
 
+AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
+
 AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes")
 if test "$with_bcrypt" = "yes"; then
 	AC_DEFINE(USE_BCRYPT, 1, [Define to allow the bcrypt password encryption algorithm])
@@ -343,7 +345,7 @@ if test "$with_sssd" = "yes"; then
 	              [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
 fi
 
-AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])])
+AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su]))
 AM_CONDITIONAL([WITH_SU], [test "x$with_su" != "xno"])
 
 dnl Check for some functions in libc first, only if not found check for
@@ -739,6 +741,7 @@ AC_CONFIG_FILES([
 	libmisc/Makefile
 	lib/Makefile
 	libsubid/Makefile
+	libsubid/subid.h
 	src/Makefile
 	contrib/Makefile
 	etc/Makefile

doc/HOWTO

@@ -1311,7 +1311,7 @@
 
   This means that fred's password is valid, it was last changed on
   03/04/96, it can be changed at any time, it expires after 60 days,
-  fred will not be warned, and and the account won't be disabled when
+  fred will not be warned, and the account won't be disabled when
   the password expires.
 
   This simply means that if fred logs in after the password expires, he
@@ -1487,7 +1487,7 @@
 
   If a user logs into a line that is listed in /etc/dialups, and his
   shell is listed in the file /etc/d_passwd he will be allowed access
-  only by suppling the correct password.
+  only by supplying the correct password.
 
   Another useful purpose for using dial-up passwords might be to setup a
   line that only allows a certain type of connect (perhaps a PPP or UUCP

doc/README.limits

@@ -63,4 +63,3 @@ To completely disable limits for a user, a single dash (-) will do.
 Also, please note that all limit settings are set PER LOGIN.  They are
 not global, nor are they permanent.  Perhaps global limits will come, but
 for now this will have to do ;)
-

doc/README.skey

@@ -0,0 +1,4 @@
+# S/Key support
+shadow-utils can be built with S/Key support using the S/Key package from:
+* http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libskey/ or
+* https://gentoo.osuosl.org/distfiles/skey-1.1.5.tar.bz2

doc/WISHLIST

@@ -37,4 +37,3 @@ New ideas to add to this list are welcome, too.  --marekm
   per-user configuration, to be executed with run-parts. Some hooks should
   be executed at package install time for existing users, likewise for
   package removal and possibly modification.  (Debian Bug#36019)
-

docs/index.html

@@ -1,4 +1,4 @@
-<HEAD>
+<head>
 <title>shadow - Welcome</title>
 </head>
 <body>

etc/login.defs

@@ -465,7 +465,6 @@ USERGROUPS_ENAB yes
 # Set to "yes" to prevent for all accounts
 # Set to "superuser" to prevent for UID 0 / root (default)
 # Set to "no" to not prevent for any account (dangerous, historical default)
-
 PREVENT_NO_AUTH superuser
 
 #

lib/Makefile.am

@@ -10,6 +10,8 @@ if HAVE_VENDORDIR
 libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
 endif
 
+libshadow_la_CPPFLAGS += -I$(top_srcdir)
+
 libshadow_la_SOURCES = \
 	commonio.c \
 	commonio.h \

lib/commonio.c

@@ -403,11 +403,11 @@ int commonio_lock_nowait (struct commonio_db *db, bool log)
 	file_len = strlen(db->filename) + 11;/* %lu max size */
 	lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
 	file = (char*)malloc(file_len);
-	if(file == NULL) {
+	if (file == NULL) {
 		goto cleanup_ENOMEM;
 	}
 	lock = (char*)malloc(lock_file_len);
-	if(lock == NULL) {
+	if (lock == NULL) {
 		goto cleanup_ENOMEM;
 	}
 	snprintf (file, file_len, "%s.%lu",
@@ -419,9 +419,9 @@ int commonio_lock_nowait (struct commonio_db *db, bool log)
 		err = 1;
 	}
 cleanup_ENOMEM:
-	if(file)
+	if (file)
 		free(file);
-	if(lock)
+	if (lock)
 		free(lock);
 	return err;
 }

lib/faillog.h

@@ -45,8 +45,8 @@
 struct faillog {
 	short fail_cnt;		/* failures since last success */
 	short fail_max;		/* failures before turning account off */
-	char fail_line[12];	/* last failure occured here */
+	char fail_line[12];	/* last failure occurred here */
-	time_t fail_time;	/* last failure occured then */
+	time_t fail_time;	/* last failure occurred then */
 	/*
 	 * If nonzero, the account will be re-enabled if there are no
 	 * failures for fail_locktime seconds since last failure.

lib/prototypes.h

@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
 /* selinux.c */
 #ifdef WITH_SELINUX
 extern int set_selinux_file_context (const char *dst_name, mode_t mode);
+extern void reset_selinux_handle (void);
 extern int reset_selinux_file_context (void);
 extern int check_selinux_permit (const char *perm_name);
 #endif

lib/pwauth.c

@@ -127,7 +127,7 @@ int pw_auth (const char *cipher,
 #ifdef	SKEY
 	/*
 	 * If the user has an S/KEY entry show them the pertinent info
-	 * and then we can try validating the created cyphertext and the SKEY.
+	 * and then we can try validating the created ciphertext and the SKEY.
 	 * If there is no SKEY information we default to not using SKEY.
 	 */
 

lib/pwmem.c

@@ -93,14 +93,16 @@
 
 void pw_free (/*@out@*/ /*@only@*/struct passwd *pwent)
 {
-	free (pwent->pw_name);
+	if (pwent != NULL) {
-	if (pwent->pw_passwd) {
+		free (pwent->pw_name);
-		memzero (pwent->pw_passwd, strlen (pwent->pw_passwd));
+		if (pwent->pw_passwd) {
-		free (pwent->pw_passwd);
+			memzero (pwent->pw_passwd, strlen (pwent->pw_passwd));
+			free (pwent->pw_passwd);
+		}
+		free (pwent->pw_gecos);
+		free (pwent->pw_dir);
+		free (pwent->pw_shell);
+		free (pwent);
 	}
-	free (pwent->pw_gecos);
-	free (pwent->pw_dir);
-	free (pwent->pw_shell);
-	free (pwent);
 }
 

lib/run_part.c

@@ -17,7 +17,7 @@ int run_part (char *script_path, char *name, char *action)
 	char *args[] = { script_path, NULL };
 
 	pid=fork();
-	if (pid==-1){
+	if (pid==-1) {
 		perror ("Could not fork");
 		return 1;
 	}

lib/selinux.c

@@ -50,6 +50,11 @@ static void cleanup(void)
 	}
 }
 
+void reset_selinux_handle (void)
+{
+    cleanup();
+}
+
 /*
  * set_selinux_file_context - Set the security context before any file or
  *                            directory creation.

lib/semanage.c

@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
 	}
 
 	ret = 0;
+	reset_selinux_handle();
 
 done:
 	semanage_seuser_key_free (key);

lib/sgetpwent.c

@@ -91,7 +91,7 @@ struct passwd *sgetpwent (const char *buf)
 	}
 
 	/* something at the end, columns over shot */
-	if( cp != NULL ) {
+	if ( cp != NULL ) {
 		return( NULL );
 	}
 

lib/shadowmem.c

@@ -79,11 +79,13 @@
 
 void spw_free (/*@out@*/ /*@only@*/struct spwd *spent)
 {
-	free (spent->sp_namp);
+	if (spent != NULL) {
-	if (NULL != spent->sp_pwdp) {
+		free (spent->sp_namp);
-		memzero (spent->sp_pwdp, strlen (spent->sp_pwdp));
+		if (NULL != spent->sp_pwdp) {
-		free (spent->sp_pwdp);
+			memzero (spent->sp_pwdp, strlen (spent->sp_pwdp));
+			free (spent->sp_pwdp);
+		}
+		free (spent);
 	}
-	free (spent);
 }
 

lib/subordinateio.c

@@ -224,7 +224,7 @@ static const struct subordinate_range *find_range(struct commonio_db *db,
         /* Get UID of the username we are looking for */
         pwd = getpwnam(owner);
         if (NULL == pwd) {
-                /* Username not defined in /etc/passwd, or error occured during lookup */
+                /* Username not defined in /etc/passwd, or error occurred during lookup */
                 return NULL;
         }
         owner_uid = pwd->pw_uid;
@@ -847,7 +847,7 @@ static int append_uids(uid_t **uids, const char *owner, int n)
 	} else {
 		struct passwd *pwd = getpwnam(owner);
 		if (NULL == pwd) {
-			/* Username not defined in /etc/passwd, or error occured during lookup */
+			/* Username not defined in /etc/passwd, or error occurred during lookup */
 			free(*uids);
 			*uids = NULL;
 			return -1;

lib/tcbfuncs.c

@@ -523,6 +523,12 @@ shadowtcb_status shadowtcb_move (/*@NULL@*/const char *user_newname, uid_t user_
 		         Prog, tcbdir, strerror (errno));
 		goto out_free;
 	}
+	if (chmod (tcbdir, dirmode.st_mode & 07777) != 0) {
+		fprintf (shadow_logfd,
+		         _("%s: Cannot change mode of %s: %s\n"),
+		         Prog, tcbdir, strerror (errno));
+		goto out_free;
+	}
 	ret = SHADOWTCB_SUCCESS;
 out_free:
 	free (tcbdir);

libmisc/Makefile.am

@@ -1,7 +1,7 @@
 
 EXTRA_DIST = .indent.pro xgetXXbyYY.c
 
-AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS)
+AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS)
 
 noinst_LTLIBRARIES = libmisc.la
 

libmisc/hushed.c

@@ -90,7 +90,7 @@ bool hushed (const char *username)
 		return false;
 	}
 	for (found = false; !found && (fgets (buf, (int) sizeof buf, fp) == buf);) {
-		buf[strlen (buf) - 1] = '\0';
+		buf[strcspn (buf, "\n")] = '\0';
 		found = (strcmp (buf, pw->pw_shell) == 0) ||
 		        (strcmp (buf, pw->pw_name) == 0);
 	}

libmisc/idmapping.c

@@ -209,7 +209,7 @@ void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings,
 	}
 #endif
 
-	bufsize = ranges * ((ULONG_DIGITS  + 1) * 3);
+	bufsize = ranges * ((ULONG_DIGITS + 1) * 3);
 	pos = buf = xmalloc(bufsize);
 
 	/* Build the mapping command */

libmisc/limits.c

@@ -202,7 +202,7 @@ static int check_logins (const char *name, const char *maxlogins)
 	return 0;
 }
 
-/* Function setup_user_limits - checks/set limits for the curent login
+/* Function setup_user_limits - checks/set limits for the current login
  * Original idea from Joel Katz's lshell. Ported to shadow-login
  * by Cristian Gafton - gafton@sorosis.ro
  *
@@ -404,7 +404,7 @@ static bool user_in_group (const char *uname, const char *gname)
 {
 	struct group *groupdata;
 
-	if (uname == NULL || gname == NULL){ 
+	if (uname == NULL || gname == NULL) {
 		return false;
 	}
 

libmisc/prefix_flag.c

@@ -176,10 +176,10 @@ extern struct group *prefix_getgrnam(const char *name)
 		struct group * grp = NULL;
 
 		fg = fopen(group_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while((grp = fgetgrent(fg)) != NULL) {
+		while ((grp = fgetgrent(fg)) != NULL) {
-			if(!strcmp(name, grp->gr_name))
+			if (!strcmp(name, grp->gr_name))
 				break;
 		}
 		fclose(fg);
@@ -196,10 +196,10 @@ extern struct group *prefix_getgrgid(gid_t gid)
 		struct group * grp = NULL;
 
 		fg = fopen(group_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while((grp = fgetgrent(fg)) != NULL) {
+		while ((grp = fgetgrent(fg)) != NULL) {
-			if(gid == grp->gr_gid)
+			if (gid == grp->gr_gid)
 				break;
 		}
 		fclose(fg);
@@ -216,10 +216,10 @@ extern struct passwd *prefix_getpwuid(uid_t uid)
 		struct passwd *pwd = NULL;
 
 		fg = fopen(passwd_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while((pwd = fgetpwent(fg)) != NULL) {
+		while ((pwd = fgetpwent(fg)) != NULL) {
-			if(uid == pwd->pw_uid)
+			if (uid == pwd->pw_uid)
 				break;
 		}
 		fclose(fg);
@@ -236,10 +236,10 @@ extern struct passwd *prefix_getpwnam(const char* name)
 		struct passwd *pwd = NULL;
 
 		fg = fopen(passwd_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while((pwd = fgetpwent(fg)) != NULL) {
+		while ((pwd = fgetpwent(fg)) != NULL) {
-			if(!strcmp(name, pwd->pw_name))
+			if (!strcmp(name, pwd->pw_name))
 				break;
 		}
 		fclose(fg);
@@ -256,10 +256,10 @@ extern struct spwd *prefix_getspnam(const char* name)
 		struct spwd *sp = NULL;
 
 		fg = fopen(spw_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while((sp = fgetspent(fg)) != NULL) {
+		while ((sp = fgetspent(fg)) != NULL) {
-			if(!strcmp(name, sp->sp_namp))
+			if (!strcmp(name, sp->sp_namp))
 				break;
 		}
 		fclose(fg);
@@ -272,7 +272,7 @@ extern struct spwd *prefix_getspnam(const char* name)
 
 extern void prefix_setpwent()
 {
-	if(!passwd_db_file) {
+	if (!passwd_db_file) {
 		setpwent();
 		return;
 	}
@@ -280,19 +280,22 @@ extern void prefix_setpwent()
 		fclose (fp_pwent);
 
 	fp_pwent = fopen(passwd_db_file, "rt");
-	if(!fp_pwent)
+	if (!fp_pwent)
 		return;
 }
 extern struct passwd* prefix_getpwent()
 {
-	if(!passwd_db_file) {
+	if (!passwd_db_file) {
 		return getpwent();
 	}
+	if (!fp_pwent) {
+		return NULL;
+	}
 	return fgetpwent(fp_pwent);
 }
 extern void prefix_endpwent()
 {
-	if(!passwd_db_file) {
+	if (!passwd_db_file) {
 		endpwent();
 		return;
 	}
@@ -303,7 +306,7 @@ extern void prefix_endpwent()
 
 extern void prefix_setgrent()
 {
-	if(!group_db_file) {
+	if (!group_db_file) {
 		setgrent();
 		return;
 	}
@@ -311,19 +314,19 @@ extern void prefix_setgrent()
 		fclose (fp_grent);
 
 	fp_grent = fopen(group_db_file, "rt");
-	if(!fp_grent)
+	if (!fp_grent)
 		return;
 }
 extern struct group* prefix_getgrent()
 {
-	if(!group_db_file) {
+	if (!group_db_file) {
 		return getgrent();
 	}
 	return fgetgrent(fp_grent);
 }
 extern void prefix_endgrent()
 {
-	if(!group_db_file) {
+	if (!group_db_file) {
 		endgrent();
 		return;
 	}

libmisc/salt.c

@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre
 		if ((-1 == min_rounds) && (-1 == max_rounds)) {
 			rounds = SHA_ROUNDS_DEFAULT;
 		}
+		else {
+			if (-1 == min_rounds) {
+				min_rounds = max_rounds;
+			}
 
-		if (-1 == min_rounds) {
+			if (-1 == max_rounds) {
-			min_rounds = max_rounds;
+				max_rounds = min_rounds;
+			}
+
+			if (min_rounds > max_rounds) {
+				max_rounds = min_rounds;
+			}
+
+			rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
 		}
-
-		if (-1 == max_rounds) {
-			max_rounds = min_rounds;
-		}
-
-		if (min_rounds > max_rounds) {
-			max_rounds = min_rounds;
-		}
-
-		rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
 	} else if (0 == *prefered_rounds) {
 		rounds = SHA_ROUNDS_DEFAULT;
 	} else {

libsubid/Makefile.am

@@ -1,7 +1,10 @@
 lib_LTLIBRARIES = libsubid.la
+if ENABLE_SHARED
 libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
 	-shared -version-info @LIBSUBID_ABI_MAJOR@
+endif
 libsubid_la_SOURCES = api.c
+libsubid_la_LDFLAGS = -export-symbols-regex '^subid_'
 
 pkginclude_HEADERS = subid.h
 
@@ -9,6 +12,7 @@ MISCLIBS = \
 	$(LIBAUDIT) \
 	$(LIBSELINUX) \
 	$(LIBSEMANAGE) \
+	$(LIBCRACK) \
 	$(LIBCRYPT_NOPAM) \
 	$(LIBSKEY) \
 	$(LIBMD) \
@@ -16,11 +20,12 @@ MISCLIBS = \
 	$(LIBCRYPT) \
 	$(LIBACL) \
 	$(LIBATTR) \
-	$(LIBTCB)
+	$(LIBTCB) \
+	$(LIBPAM)
 
 libsubid_la_LIBADD = \
-	$(top_srcdir)/lib/libshadow.la \
+	$(top_builddir)/lib/libshadow.la \
-	$(top_srcdir)/libmisc/libmisc.la \
+	$(top_builddir)/libmisc/libmisc.la \
 	$(MISCLIBS) -ldl
 
 AM_CPPFLAGS = \

libsubid/api.c

@@ -39,10 +39,10 @@
 #include "idmapping.h"
 #include "subid.h"
 
-const char *Prog = "(libsubid)";
+static const char *Prog = "(libsubid)";
-FILE *shadow_logfd;
+static FILE *shadow_logfd;
 
-bool libsubid_init(const char *progname, FILE * logfd)
+bool subid_init(const char *progname, FILE * logfd)
 {
 	if (progname) {
 		progname = strdup(progname);
@@ -70,12 +70,12 @@ int get_subid_ranges(const char *owner, enum subid_type id_type, struct subid_ra
 	return list_owner_ranges(owner, id_type, ranges);
 }
 
-int get_subuid_ranges(const char *owner, struct subid_range **ranges)
+int subid_get_uid_ranges(const char *owner, struct subid_range **ranges)
 {
 	return get_subid_ranges(owner, ID_TYPE_UID, ranges);
 }
 
-int get_subgid_ranges(const char *owner, struct subid_range **ranges)
+int subid_get_gid_ranges(const char *owner, struct subid_range **ranges)
 {
 	return get_subid_ranges(owner, ID_TYPE_GID, ranges);
 }
@@ -86,12 +86,12 @@ int get_subid_owner(unsigned long id, enum subid_type id_type, uid_t **owner)
 	return find_subid_owners(id, id_type, owner);
 }
 
-int get_subuid_owners(uid_t uid, uid_t **owner)
+int subid_get_uid_owners(uid_t uid, uid_t **owner)
 {
 	return get_subid_owner((unsigned long)uid, ID_TYPE_UID, owner);
 }
 
-int get_subgid_owners(gid_t gid, uid_t **owner)
+int subid_get_gid_owners(gid_t gid, uid_t **owner)
 {
 	return get_subid_owner((unsigned long)gid, ID_TYPE_GID, owner);
 }
@@ -103,12 +103,12 @@ bool grant_subid_range(struct subordinate_range *range, bool reuse,
 	return new_subid_range(range, id_type, reuse);
 }
 
-bool grant_subuid_range(struct subordinate_range *range, bool reuse)
+bool subid_grant_uid_range(struct subordinate_range *range, bool reuse)
 {
 	return grant_subid_range(range, reuse, ID_TYPE_UID);
 }
 
-bool grant_subgid_range(struct subordinate_range *range, bool reuse)
+bool subid_grant_gid_range(struct subordinate_range *range, bool reuse)
 {
 	return grant_subid_range(range, reuse, ID_TYPE_GID);
 }
@@ -119,12 +119,12 @@ bool ungrant_subid_range(struct subordinate_range *range, enum subid_type id_typ
 	return release_subid_range(range, id_type);
 }
 
-bool ungrant_subuid_range(struct subordinate_range *range)
+bool subid_ungrant_uid_range(struct subordinate_range *range)
 {
 	return ungrant_subid_range(range, ID_TYPE_UID);
 }
 
-bool ungrant_subgid_range(struct subordinate_range *range)
+bool subid_ungrant_gid_range(struct subordinate_range *range)
 {
 	return ungrant_subid_range(range, ID_TYPE_GID);
 }

libsubid/subid.h.in

@@ -4,6 +4,10 @@
 
 #ifndef SUBID_RANGE_DEFINED
 #define SUBID_RANGE_DEFINED 1
+#define SUBID_ABI_VERSION @LIBSUBID_ABI_MAJOR@.@LIBSUBID_ABI_MINOR@.@LIBSUBID_ABI_MICRO@
+#define SUBID_ABI_MAJOR @LIBSUBID_ABI_MAJOR@
+#define SUBID_ABI_MINOR @LIBSUBID_ABI_MINOR@
+#define SUBID_ABI_MICRO @LIBSUBID_ABI_MICRO@
 
 /* subid_range is just a starting point and size of a range */
 struct subid_range {
@@ -32,7 +36,7 @@ enum subid_status {
 };
 
 /*
- * libsubid_init: initialize libsubid
+ * subid_init: initialize libsubid
  *
  * @progname: Name to display as program.  If NULL, then "(libsubid)" will be
  *            shown in error messages.
@@ -45,10 +49,10 @@ enum subid_status {
  *
  * Returns false if an error occurred.
  */
-bool libsubid_init(const char *progname, FILE *logfd);
+bool subid_init(const char *progname, FILE *logfd);
 
 /*
- * get_subuid_ranges: return a list of UID ranges for a user
+ * subid_get_uid_ranges: return a list of UID ranges for a user
  *
  * @owner: username being queried
  * @ranges: a pointer to an array of subid_range structs in which the result
@@ -58,10 +62,10 @@ bool libsubid_init(const char *progname, FILE *logfd);
  *
  * returns: number of ranges found, ir < 0 on error.
  */
-int get_subuid_ranges(const char *owner, struct subid_range **ranges);
+int subid_get_uid_ranges(const char *owner, struct subid_range **ranges);
 
 /*
- * get_subgid_ranges: return a list of GID ranges for a user
+ * subid_get_gid_ranges: return a list of GID ranges for a user
  *
  * @owner: username being queried
  * @ranges: a pointer to an array of subid_range structs in which the result
@@ -71,10 +75,10 @@ int get_subuid_ranges(const char *owner, struct subid_range **ranges);
  *
  * returns: number of ranges found, ir < 0 on error.
  */
-int get_subgid_ranges(const char *owner, struct subid_range **ranges);
+int subid_get_gid_ranges(const char *owner, struct subid_range **ranges);
 
 /*
- * get_subuid_owners: return a list of uids to which the given uid has been
+ * subid_get_uid_owners: return a list of uids to which the given uid has been
  *                    delegated.
  *
  * @uid: The subuid being queried
@@ -83,10 +87,10 @@ int get_subgid_ranges(const char *owner, struct subid_range **ranges);
  *
  * Returns the number of uids returned, or < 0 on error.
  */
-int get_subuid_owners(uid_t uid, uid_t **owner);
+int subid_get_uid_owners(uid_t uid, uid_t **owner);
 
 /*
- * get_subgid_owners: return a list of uids to which the given gid has been
+ * subid_get_gid_owners: return a list of uids to which the given gid has been
  *                    delegated.
  *
  * @uid: The subgid being queried
@@ -95,10 +99,10 @@ int get_subuid_owners(uid_t uid, uid_t **owner);
  *
  * Returns the number of uids returned, or < 0 on error.
  */
-int get_subgid_owners(gid_t gid, uid_t **owner);
+int subid_get_gid_owners(gid_t gid, uid_t **owner);
 
 /*
- * grant_subuid_range: assign a subuid range to a user
+ * subid_grant_uid_range: assign a subuid range to a user
  *
  * @range: pointer to a struct subordinate_range detailing the UID range
  *         to allocate.  ->owner must be the username, and ->count must be
@@ -109,10 +113,10 @@ int get_subgid_owners(gid_t gid, uid_t **owner);
  * then the range from (range->start, range->start + range->count) will
  * be delegated to range->owner.
  */
-bool grant_subuid_range(struct subordinate_range *range, bool reuse);
+bool subid_grant_uid_range(struct subordinate_range *range, bool reuse);
 
 /*
- * grant_subsid_range: assign a subgid range to a user
+ * subid_grant_gid_range: assign a subgid range to a user
  *
  * @range: pointer to a struct subordinate_range detailing the GID range
  *         to allocate.  ->owner must be the username, and ->count must be
@@ -123,10 +127,10 @@ bool grant_subuid_range(struct subordinate_range *range, bool reuse);
  * then the range from (range->start, range->start + range->count) will
  * be delegated to range->owner.
  */
-bool grant_subgid_range(struct subordinate_range *range, bool reuse);
+bool subid_grant_gid_range(struct subordinate_range *range, bool reuse);
 
 /*
- * ungrant_subuid_range: remove a subuid allocation.
+ * subid_ungrant_uid_range: remove a subuid allocation.
  *
  * @range: pointer to a struct subordinate_range detailing the UID allocation
  *         to remove.
@@ -134,10 +138,10 @@ bool grant_subgid_range(struct subordinate_range *range, bool reuse);
  * Returns true if successful, false if it failed, for instance if the
  * delegation did not exist.
  */
-bool ungrant_subuid_range(struct subordinate_range *range);
+bool subid_ungrant_uid_range(struct subordinate_range *range);
 
 /*
- * ungrant_subuid_range: remove a subgid allocation.
+ * subid_ungrant_gid_range: remove a subgid allocation.
  *
  * @range: pointer to a struct subordinate_range detailing the GID allocation
  *         to remove.
@@ -145,7 +149,7 @@ bool ungrant_subuid_range(struct subordinate_range *range);
  * Returns true if successful, false if it failed, for instance if the
  * delegation did not exist.
  */
-bool ungrant_subgid_range(struct subordinate_range *range);
+bool subid_ungrant_gid_range(struct subordinate_range *range);
 
 #define SUBID_NFIELDS 3
 #endif

man/Makefile.am

@@ -62,6 +62,7 @@ man_MANS += $(man_nopam)
 endif
 
 man_subids = \
+	man1/getsubids.1 \
 	man1/newgidmap.1 \
 	man1/newuidmap.1 \
 	man5/subgid.5 \
@@ -80,6 +81,7 @@ man_XMANS = \
 	expiry.1.xml \
 	faillog.5.xml \
 	faillog.8.xml \
+	getsubids.1.xml \
 	gpasswd.1.xml \
 	groupadd.8.xml \
 	groupdel.8.xml \

man/cs/man5/gshadow.5

@@ -1,4 +1,4 @@
-.TH "GSHADOW" "5" "11/05/2005" "File Formats and Conversions" "File Formats and Conversions"
+.TH "GSHADOW" "5" "11/05/2005" "File Formats and Configuration Files" "File Formats and Configuration Files"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)

man/faillog.5.xml

@@ -56,7 +56,7 @@
   <refmeta>
     <refentrytitle>faillog</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc"> File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc"> File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/getsubids.1.xml

@@ -0,0 +1,151 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+   Copyright (c) 2021 Iker Pedrosa
+   All rights reserved.
+
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+   2. Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   3. The name of the copyright holders or contributors may not be used to
+      endorse or promote products derived from this software without
+      specific prior written permission.
+
+   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!-- SHADOW-CONFIG-HERE -->
+]>
+
+<refentry id='getsubids.1'>
+  <refentryinfo>
+    <author>
+      <firstname>Iker</firstname>
+      <surname>Pedrosa</surname>
+      <contrib>Creation, 2021</contrib>
+    </author>
+  </refentryinfo>
+  <refmeta>
+    <refentrytitle>getsubids</refentrytitle>
+    <manvolnum>1</manvolnum>
+    <refmiscinfo class="sectdesc">User Commands</refmiscinfo>
+    <refmiscinfo class="source">shadow-utils</refmiscinfo>
+    <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
+  </refmeta>
+  <refnamediv id='name'>
+    <refname>getsubids</refname>
+    <refpurpose>get the subordinate id ranges for a user</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv id='synopsis'>
+    <cmdsynopsis>
+      <command>getsubids</command>
+      <arg choice='opt'>
+        <replaceable>options</replaceable>
+      </arg>
+      <arg choice='plain'>
+        <replaceable>USER</replaceable>
+      </arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <command>getsubids</command> command lists the subordinate user ID
+      ranges for a given user. The subordinate group IDs can be listed using
+      the <option>-g</option> option.
+    </para>
+  </refsect1>
+
+  <refsect1 id='options'>
+    <title>OPTIONS</title>
+    <para>
+      The options which apply to the <command>getsubids</command> command are:
+    </para>
+    <variablelist remap='IP'>
+      <varlistentry>
+        <term>
+          <option>-g</option>
+        </term>
+        <listitem>
+          <para>
+            List the subordinate group ID ranges.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>-h</option>
+        </term>
+        <listitem>
+          <para>
+            Display help message and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='example'>
+    <title>EXAMPLE</title>
+    <para>
+      For example, to obtain the subordinate UIDs of the testuser:
+    </para>
+    <para>
+<programlisting>
+$ getsubids testuser
+0: testuser 100000 65536
+</programlisting>
+    </para>
+    <para>
+      This command output provides (in order from left to right) the list
+      index, username, UID range start, and number of UIDs in range.
+    </para>
+  </refsect1>
+
+  <refsect1 id='see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>userdel</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
+      <citerefentry>
+        <refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+    </para>
+  </refsect1>
+</refentry>

man/gshadow.5.xml

@@ -45,7 +45,7 @@
   <refmeta>
     <refentrytitle>gshadow</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/ja/man1/chage.1

@@ -117,4 +117,4 @@ chage \- ユーザパスワードの有効期限情報を変更する。
 .BR passwd (5),
 .BR shadow (5)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/chfn.1

@@ -69,4 +69,4 @@ chfn は現在のユーザアカウントに対して動作する。
 .SH 関連項目
 .BR passwd (5)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/chsh.1

@@ -69,4 +69,4 @@ chsh \- ログインシェルを変更する
 .BR chfn (1),
 .BR passwd (5)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/groups.1

@@ -62,4 +62,4 @@ ID 値に対応する名前が \fI/etc/group\fR に登録されていなけれ
 .BR getgid (2),
 .BR getgroups (2)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/id.1

@@ -54,4 +54,4 @@ id \- 現在のユーザ ID 名とグループ ID 名を表示する
 .BR getgroups (2),
 .BR getuid (2)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/login.1

@@ -138,4 +138,4 @@ root が \fBlogin\fP を起動した場合にのみ用いる。
 .BR passwd (5),
 .BR getty (8)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/newgrp.1

@@ -89,4 +89,4 @@ sg の実行元となるであろうシェルのほとんどにおいて、
 .BR login (1),
 .BR su (1)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/passwd.1

@@ -214,4 +214,4 @@ NIS が動作していて、
 .BR passwd (5),
 .BR shadow (5)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/su.1

@@ -85,4 +85,4 @@ su \- ユーザIDを変更する。またはスーパーユーザになる
 .BR login.defs (5),
 .BR suauth (5)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man3/shadow.3

@@ -150,4 +150,4 @@ shadowされたパスワードファイルへのアクセスは制限されて
 .BR getpwent (3),
 .BR shadow (5)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man5/faillog.5

@@ -61,4 +61,4 @@ faillog \- ログイン失敗を記録するファイル
 .SH 関連項目
 .BR faillog (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man5/login.defs.5

@@ -188,6 +188,6 @@ shadow パスワード機能によって提供されてきた機能の大部分
 .BR shadow (5),
 .BR pam (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)
 .br
 Chip Rosenthal (chip@unicom.com)

man/ja/man5/passwd.5

@@ -110,4 +110,4 @@ ulimit= \- ulimit の初期設定値
 .BR pwunconv (8),
 .BR sulogin (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man5/porttime.5

@@ -90,4 +90,4 @@ porttime \- ポートアクセス時間設定ファイル
 .SH 関連項目
 .BR login (1)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man5/shadow.5

@@ -99,4 +99,4 @@ a から z、A から Z のアルファベット、
 .BR pwunconv (8),
 .BR sulogin (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/chpasswd.8

@@ -67,4 +67,4 @@
 .BR newusers (8),
 .BR useradd (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/faillog.8

@@ -94,4 +94,4 @@ faillog \- faillog を調べ、login 失敗の制限を設定する
 .BR login (1),
 .BR faillog (5)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/groupadd.8

@@ -65,4 +65,4 @@ groupadd \- 新しいグループを作成する
 .BR userdel (8),
 .BR usermod (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/groupdel.8

@@ -62,4 +62,4 @@ groupdel \- グループを削除する
 .BR userdel (8),
 .BR usermod (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/groupmod.8

@@ -67,4 +67,4 @@ groupmod \- グループを修正する
 .BR userdel (8),
 .BR usermod (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/grpck.8

@@ -113,4 +113,4 @@ grpck \- グループファイルが正しいかどうか検査する
 .IP 5 5
 グループファイルを更新できない
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/lastlog.8

@@ -75,6 +75,6 @@ lastlog プログラムは長時間画面に何も出力しないまま
 UID が 171\-799 の間プログラムは何も出力しないので、
 ハングしたように見える)。
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)
 .BR
 Phillip Street

man/ja/man8/logoutd.8

@@ -52,4 +52,4 @@ logoutd \- ログイン時間の制限を実施する
 .br
 /etc/utmp \- 現在のログインセッション
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/newusers.8

@@ -68,4 +68,4 @@ newusers \- ユーザの新規作成や情報更新をバッチ処理で行う
 .BR passwd (1),
 .BR useradd (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/pwck.8

@@ -118,4 +118,4 @@ pwck \- パスワードファイルが正しいかどうか検査する
 .IP 5 5
 パスワードファイルを更新出来ない
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/sulogin.8

@@ -92,4 +92,4 @@ co:s:respawn:/etc/sulogin /dev/console
 .BR sh (1),
 .BR init (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/useradd.8

@@ -173,4 +173,4 @@ NIS のグループにユーザを加えてはならない。
 .BR userdel (8),
 .BR usermod (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/userdel.8

@@ -74,4 +74,4 @@ NIS のクライアントからは、NIS の属性値は削除できない。
 .BR useradd (8),
 .BR usermod (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/usermod.8

@@ -142,4 +142,4 @@ NIS に関する作業は NIS サーバ上で行なわなければならない
 .BR useradd (8),
 .BR userdel (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/limits.5.xml

@@ -58,7 +58,7 @@
   <refmeta>
     <refentrytitle>limits</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/login.access.5.xml

@@ -57,7 +57,7 @@
   <refmeta>
     <refentrytitle>login.access</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/login.defs.5.xml

@@ -125,7 +125,7 @@
   <refmeta>
     <refentrytitle>login.defs</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/login.defs.d/MAIL_DIR.xml

@@ -35,6 +35,8 @@
       The mail spool directory. This is needed to manipulate the mailbox
       when its corresponding user account is modified or deleted. If not
       specified, a compile-time default is used.
+      The parameter CREATE_MAIL_SPOOL in <filename>/etc/default/useradd</filename>
+      determines whether the mail spool should be created.
     </para>
   </listitem>
 </varlistentry><varlistentry>

man/passwd.5.xml

@@ -56,7 +56,7 @@
   <refmeta>
     <refentrytitle>passwd</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/po/Makefile.in

@@ -90,9 +90,17 @@ $(DOMAIN).pot-update: $(XMLFILES) $(srcdir)/XMLFILES remove-potcdate.sed
 	@set -e; tmpdir=`pwd`; \
 	echo "cd $(top_srcdir)/man"; \
 	cd $(top_srcdir)/man; \
-	echo "xml2po --expand-all-entities -o $$tmpdir/$(DOMAIN).po $(notdir $(XMLFILES))"; \
+	files=""; \
-	xml2po --expand-all-entities -o $$tmpdir/$(DOMAIN).po $(notdir $(XMLFILES)); \
+	for file in $(notdir $(XMLFILES)); do \
-	cd $$tmpdir
+		if grep -q SHADOW-CONFIG-HERE $$file ; then \
+			sed -e 's/^<!-- SHADOW-CONFIG-HERE -->/<!ENTITY % config SYSTEM "config.xml">%config;/' $$file > $$file.out; \
+		else \
+			sed -e 's/^\(<!DOCTYPE .*docbookx.dtd"\)>/\1 [<!ENTITY % config SYSTEM "config.xml">%config;]>/' $$file > $$file.out; \
+		fi; \
+		files="$$files $$file.out"; \
+	done; \
+	itstool -d -o $$tmpdir/$(DOMAIN).po $$files; \
+	cd $$tmpdir; \
 	test ! -f $(DOMAIN).po || { \
 	  if test -f $(srcdir)/$(DOMAIN).pot; then \
 	    sed -f remove-potcdate.sed < $(srcdir)/$(DOMAIN).pot > $(DOMAIN).1po && \

man/porttime.5.xml

@@ -56,7 +56,7 @@
   <refmeta>
     <refentrytitle>porttime</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/shadow.5.xml

@@ -56,7 +56,7 @@
   <refmeta>
     <refentrytitle>shadow</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/suauth.5.xml

@@ -56,7 +56,7 @@
   <refmeta>
     <refentrytitle>suauth</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/subgid.5.xml

@@ -47,7 +47,7 @@
   <refmeta>
     <refentrytitle>subgid</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/subuid.5.xml

@@ -47,7 +47,7 @@
   <refmeta>
     <refentrytitle>subuid</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/useradd.8.xml

@@ -343,6 +343,12 @@
 	    databases are reset to avoid reusing the entry from a previously
 	    deleted user.
 	  </para>
+	  <para>
+	    If this option is not specified, <command>useradd</command>
+	    will also consult the variable <option>LOG_INIT</option> in
+	    the <filename>/etc/default/useradd</filename> if set to no
+		the user will not be added to the lastlog and faillog databases.
+	  </para>
 	</listitem>
       </varlistentry>
       <varlistentry>

man/usermod.8.xml

@@ -326,6 +326,17 @@
 	  </para>
 	</listitem>
       </varlistentry>
+      <varlistentry>
+	<term>
+	  <option>-r</option>, <option>--remove</option>
+	</term>
+	<listitem>
+	  <para>
+	    Remove the user from named supplementary group(s). Use only with the
+	    <option>-G</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
       <varlistentry>
 	<term>
 	  <option>-R</option>, <option>--root</option>&nbsp;<replaceable>CHROOT_DIR</replaceable>

po/nb.po

@@ -1964,7 +1964,7 @@ msgstr ""
 
 msgid ""
 "  -l, --lock                    lock the password of the named account\n"
-msgstr "  -L, --lock                  lås passord for den valgt konto\n"
+msgstr "  -l, --lock                  lås passord for den valgt konto\n"
 
 msgid ""
 "  -n, --mindays MIN_DAYS        set minimum number of days before password\n"

po/nl.po

@@ -1,14 +1,14 @@
 # dutch po-file for shadow
 # Copyright (C) 2004 Free Software Foundation, Inc.
 # Bart Cornelis <cobaco@linux.be>, 2004, 2006.
-# Frans Spiesschaert <Frans.Spiesschaert@yucom.be>, 2014-2020.
+# Frans Spiesschaert <Frans.Spiesschaert@yucom.be>, 2014-2021.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: shadow_1_4.8.1-1\n"
+"Project-Id-Version: shadow 4.9\n"
 "Report-Msgid-Bugs-To: pkg-shadow-devel@lists.alioth.debian.org\n"
 "POT-Creation-Date: 2021-07-04 12:20+0200\n"
-"PO-Revision-Date: 2020-05-24 15:20+0200\n"
+"PO-Revision-Date: 2021-09-13 21:00+0200\n"
 "Last-Translator: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>\n"
 "Language-Team: Debian Dutch l10n Team <debian-l10n-dutch@lists.debian.org>\n"
 "Language: nl\n"
@@ -559,7 +559,7 @@ msgstr "%s: chroot naar map %s lukt niet: %s\n"
 
 #, c-format
 msgid "Unable to obtain random bytes.\n"
-msgstr ""
+msgstr "Kan geen willekeurige bytes verkrijgen.\n"
 
 #, c-format
 msgid ""
@@ -575,6 +575,9 @@ msgid ""
 "ENCRYPT_METHOD and the corresponding configuration for your selected hash "
 "method.\n"
 msgstr ""
+"Kan geen salt genereren met instelling \"%s\", controleer uw instellingen in "
+"ENCRYPT_METHOD en de bijbehorende configuratie voor uw geselecteerde hash-"
+"methode.\n"
 
 #, c-format
 msgid "Unable to cd to '%s'\n"
@@ -915,16 +918,12 @@ msgstr ""
 "  -m, --md5                     het wachtwoord in klare tekst\n"
 "                                met het MD5-algoritme versleutelen\n"
 
-#, fuzzy
-#| msgid ""
-#| "  -s, --sha-rounds              number of rounds for the SHA or BCRYPT\n"
-#| "                                crypt algorithms\n"
 msgid ""
 "  -s, --sha-rounds              number of rounds for the SHA, BCRYPT\n"
 "                                or YESCRYPT crypt algorithms\n"
 msgstr ""
-"  -s, --sha-rounds              aantal rondes voor de SHA of BCRYPT\n"
+"  -s, --sha-rounds              aantal rondes voor de SHA, BCRYPT\n"
-"                                encryptie-algoritmes\n"
+"                                of YESCRYPT encryptie-algoritmes\n"
 
 #, c-format
 msgid "%s: %s flag is only allowed with the %s flag\n"
@@ -1237,20 +1236,17 @@ msgstr ""
 msgid "  -r, --system                  create a system account\n"
 msgstr "  -r, --system                  een systeem-account aanmaken\n"
 
-#, fuzzy
-#| msgid "  -P, --prefix PREFIX_DIR       directory prefix\n"
 msgid "  -P, --prefix PREFIX_DI        directory prefix\n"
 msgstr "  -P, --prefix PREFIX_MAP       map-prefix\n"
 
-#, fuzzy
 #| msgid "  -l, --list                    list the members of the group\n"
 msgid "  -U, --users USERS             list of user members of this group\n"
-msgstr "  -l, --list                    de leden van de groep weergeven\n"
+msgstr ""
+"  -U, --users GEBRUIKERS         lijst van leden-gebruikers van deze groep\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "invalid user name '%s'\n"
 msgid "Invalid member username %s\n"
-msgstr "ongeldige gebruikersnaam '%s'\n"
+msgstr "Ongeldige lid-gebruikersnaam %s\n"
 
 #, c-format
 msgid "%s: '%s' is not a valid group name\n"
@@ -1367,22 +1363,14 @@ msgstr "%s: uw groepsnaam komt niet overeen met uw gebruikersnaam\n"
 msgid "%s: only root can use the -g/--group option\n"
 msgstr "%s: enkel de systeembeheerder kan de optie -g/--group gebruiken\n"
 
-#, fuzzy
-#| msgid ""
-#| "  -a, --append                  append the user to the supplemental "
-#| "GROUPS\n"
-#| "                                mentioned by the -G option without "
-#| "removing\n"
-#| "                                the user from other groups\n"
 msgid ""
 "  -a, --append                  append the users mentioned by -U option to "
 "the group \n"
 "                                without removing existing user members\n"
 msgstr ""
-"  -a, --append                  gebruiker toevoegen aan de bijkomende "
+"  -a, --append                  de gebruikers, vermeld met de optie -U, \n"
-"GROEPEN,\n"
+"                                toevoegen aan de groep, zonder \n"
-"                                vermeld bij de optie -G, zonder hem/haar\n"
+"                                bestaande leden-gebruikers te verwijderen\n"
-"                                te verwijderen uit andere groepen\n"
 
 msgid "  -g, --gid GID                 change the group ID to GID\n"
 msgstr "  -g, --gid GID                 het groeps-ID naar GID veranderen\n"
@@ -1449,6 +1437,9 @@ msgstr "  -s, --sort                    elementen volgens UID sorteren\n"
 msgid ""
 "  -S, --silence-warnings        silence controversial/paranoid warnings\n"
 msgstr ""
+"  -S, --silence-warnings        geen controversiële/paranoïde\n"
+"                                waarschuwingen weergeven\n"
+"\n"
 
 #, c-format
 msgid "%s: -s and -r are incompatible\n"
@@ -1565,10 +1556,9 @@ msgid ""
 msgstr ""
 "  -u, --user GEBRUIKER          lastlog-informatie over GEBRUIKER tonen\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "Username                Port     Latest"
 msgid "Username         Port     From%*sLatest\n"
-msgstr "Gebruikersnaam          Poort    Laatste"
+msgstr "Gebruikersnaam   Poort    Van%*sLaatste\n"
 
 msgid "Username                Port     Latest"
 msgstr "Gebruikersnaam          Poort    Laatste"
@@ -1861,10 +1851,9 @@ msgstr "%s: regel %d: gebruiker '%s' bestaat niet in %s\n"
 msgid "%s: line %d: can't update password\n"
 msgstr "%s: regel %d: kan wachtwoord niet bijwerken\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "%s: line %d: mkdir %s failed: %s\n"
 msgid "%s: line %d: homedir must be an absolute path\n"
-msgstr "%s: regel %d: mkdir %s is mislukt: %s\n"
+msgstr "%s: regel %d: thuismap moet een absoluut pad zijn\n"
 
 #, c-format
 msgid "%s: line %d: mkdir %s failed: %s\n"
@@ -2236,11 +2225,11 @@ msgstr ""
 
 #, c-format
 msgid "Password field is empty, this is forbidden for all accounts.\n"
-msgstr ""
+msgstr "Wachtwoordveld is leeg; dit is voor alle accounts verboden.\n"
 
 #, c-format
 msgid "Password field is empty, this is forbidden for super-user.\n"
-msgstr ""
+msgstr "Wachtwoordveld is leeg; dit is verboden voor de systeembeheerder.\n"
 
 #, c-format
 msgid "You are not authorized to su %s\n"
@@ -2338,10 +2327,9 @@ msgstr "%s: groep '%s' is een NIS-groep.\n"
 msgid "%s: too many groups specified (max %d).\n"
 msgstr "%s: te veel groepen gespecificeerd (max %d).\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "%s: Out of memory. Cannot update %s.\n"
 msgid "%s: Out of memory. Cannot find group '%s'.\n"
-msgstr "%s: onvoldoende geheugen. Kan %s niet bijwerken.\n"
+msgstr "%s: onvoldoende geheugen. Kan groep '%s' niet vinden.\n"
 
 #, c-format
 msgid ""
@@ -2517,44 +2505,35 @@ msgstr "%s: -Z kan niet gebruikt worden met --prefix\n"
 msgid "%s: -Z requires SELinux enabled kernel\n"
 msgstr "%s: -Z vereist dat SELinux geactiveerd is in de kernel\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "%s: invalid user name '%s'\n"
 msgid "%s: invalid user name '%s': use --badname to ignore\n"
-msgstr "%s: ongeldige gebruikersnaam '%s'\n"
+msgstr "%s: ongeldige gebruikersnaam '%s': gebruik --badname om te negeren\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "%s: failed to reset the faillog entry of UID %lu: %s\n"
 msgid "%s: failed to open the faillog file for UID %lu: %s\n"
-msgstr ""
+msgstr "%s: openen van het faillog-bestand voor UID %lu is mislukt: %s\n"
-"%s: opnieuw instellen van het faillog-item voor UID %lu is mislukt: %s\n"
 
 #, c-format
 msgid "%s: failed to reset the faillog entry of UID %lu: %s\n"
 msgstr ""
 "%s: opnieuw instellen van het faillog-item voor UID %lu is mislukt: %s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "%s: failed to reset the faillog entry of UID %lu: %s\n"
 msgid "%s: failed to close the faillog file for UID %lu: %s\n"
-msgstr ""
+msgstr "%s: sluiten van het faillog-bestand voor UID %lu is mislukt: %s\n"
-"%s: opnieuw instellen van het faillog-item voor UID %lu is mislukt: %s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "%s: failed to reset the lastlog entry of UID %lu: %s\n"
 msgid "%s: failed to open the lastlog file for UID %lu: %s\n"
-msgstr ""
+msgstr "%s: openen van het lastlog-bestand voor UID %lu is mislukt: %s\n"
-"%s: opnieuw instellen van de lastlog-item voor UID %lu is mislukt: %s\n"
 
 #, c-format
 msgid "%s: failed to reset the lastlog entry of UID %lu: %s\n"
 msgstr ""
 "%s: opnieuw instellen van de lastlog-item voor UID %lu is mislukt: %s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "%s: failed to reset the lastlog entry of UID %lu: %s\n"
 msgid "%s: failed to close the lastlog file for UID %lu: %s\n"
-msgstr ""
+msgstr "%s: sluiten van het lastlog-bestand voor UID %lu is mislukt: %s\n"
-"%s: opnieuw instellen van de lastlog-item voor UID %lu is mislukt: %s\n"
 
 #, c-format
 msgid "%s: failed to reset the tallylog entry of user \"%s\"\n"
@@ -2598,8 +2577,7 @@ msgstr "%s: waarschuwing: chown uitvoeren op `%s' is mislukt: %m\n"
 msgid "%s: warning: chmod on `%s' failed: %m\n"
 msgstr "%s: waarschuwing: chmod uitvoeren op `%s' is mislukt: %m\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "%s: warning: chown on `%s' failed: %m\n"
 msgid "%s: warning: chown on '%s' failed: %m\n"
 msgstr "%s: waarschuwing: chown uitvoeren op `%s' is mislukt: %m\n"
 
@@ -2607,10 +2585,9 @@ msgstr "%s: waarschuwing: chown uitvoeren op `%s' is mislukt: %m\n"
 msgid "%s: cannot reset SELinux file creation context\n"
 msgstr "%s: kan SELinux-context voor bestandscreatie niet opnieuw instellen\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "%s: cannot set SELinux context for home directory %s\n"
 msgid "%s: cannot set SELinux context for mailbox file %s\n"
-msgstr "%s: kan SELinux-context voor persoonlijke map %s niet instellen\n"
+msgstr "%s: kan SELinux-context voor postvakbestand %s niet instellen\n"
 
 msgid "Creating mailbox file"
 msgstr "Postvak-bestand wordt aangemaakt"
@@ -2629,11 +2606,15 @@ msgid ""
 "%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d "
 "range.\n"
 msgstr ""
+"%s waarschuwing: %s zijn/haar uid %d valt buiten het bereik SYS_UID_MIN %d "
+"en SYS_UID_MAX %d.\n"
 
 #, c-format
 msgid ""
 "%s warning: %s's uid %d outside of the UID_MIN %d and UID_MAX %d range.\n"
 msgstr ""
+"%s waarschuwing: %s zijn/haar uid %d valt buiten het bereik UID_MIN %d en "
+"UID_MAX %d.\n"
 
 #, c-format
 msgid "%s: user '%s' already exists\n"
@@ -2684,18 +2665,16 @@ msgstr ""
 "%s: waarschuwing: de koppeling van gebruikersnaam %s aan SELinux-gebruiker "
 "%s is mislukt.\n"
 
-#, fuzzy
-#| msgid ""
-#| "  -f, --force                   force removal of files,\n"
-#| "                                even if not owned by user\n"
 msgid ""
 "  -f, --force                   force some actions that would fail "
 "otherwise\n"
 "                                e.g. removal of user still logged in\n"
 "                                or files, even if not owned by the user\n"
 msgstr ""
-"  -f, --force                   geforceerde verwijdering van bestanden,\n"
+"  -f, --force                   sommige acties afdwingen die anders zouden\n"
-"                                ook als ze geen eigendom van gebruiker zijn\n"
+"                                mislukken, bijv. verwijderen van een nog\n"
+"                                aangemelde gebruiker of van bestanden\n"
+"                                zelfs als deze niet van de gebruker zijn\n"
 
 msgid "  -r, --remove                  remove home directory and mail spool\n"
 msgstr "  -r, --remove                  thuismap en postvak verwijderen\n"
@@ -2893,10 +2872,9 @@ msgstr ""
 msgid "%s: user '%s' already exists in %s\n"
 msgstr "%s: gebruiker '%s' bestaat al in %s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "%s: home directory \"%s\" must be mounted on BTRFS\n"
 msgid "%s: homedir must be an absolute path\n"
-msgstr "%s: persoonlijke map \"%s\" moet aangekoppeld zijn op BTRFS\n"
+msgstr "%s: persoonlijke map moet een absoluut pad zijn\n"
 
 #, c-format
 msgid "%s: invalid subordinate uid range '%s'\n"
@@ -3083,6 +3061,3 @@ msgstr "%s: kan %s niet herstellen: %s (uw aanpassingen staan in %s)\n"
 #, c-format
 msgid "%s: failed to find tcb directory for %s\n"
 msgstr "%s: tcb-map van %s vinden is mislukt\n"
-
-#~ msgid "Username         Port     From             Latest"
-#~ msgstr "Gebruikersnaam   Poort    Vanaf            Laatste"

src/.gitignore

@@ -34,6 +34,7 @@
 /usermod
 /vipw
 /get_subid_owners
-/list_subid_ranges
+/getsubids
 /new_subid_range
 /free_subid_range
+/check_subid_range

src/Makefile.am

@@ -10,6 +10,7 @@ sgidperms = 2755
 AM_CPPFLAGS = \
 	-I${top_srcdir}/lib \
 	-I$(top_srcdir)/libmisc \
+	-I$(top_srcdir) \
 	-DLOCALEDIR=\"$(datadir)/locale\"
 
 # XXX why are login and su in /bin anyway (other than for
@@ -95,8 +96,8 @@ LIBCRYPT_NOPAM = $(LIBCRYPT)
 endif
 
 chage_LDADD    = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
-newuidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
+newuidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
-newgidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
+newgidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
 chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
 chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
 chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
@@ -157,8 +158,8 @@ if FCAPS
 	setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap
 endif
 
-noinst_PROGRAMS += list_subid_ranges  \
+bin_PROGRAMS    +=  getsubids
-					get_subid_owners \
+noinst_PROGRAMS +=  get_subid_owners \
 					new_subid_range \
 					free_subid_range \
 					check_subid_range
@@ -174,15 +175,16 @@ MISCLIBS = \
 	$(LIBCRYPT) \
 	$(LIBTCB)
 
-list_subid_ranges_LDADD = \
+getsubids_LDADD = \
 	$(top_builddir)/lib/libshadow.la \
 	$(top_builddir)/libmisc/libmisc.la \
 	$(top_builddir)/libsubid/libsubid.la \
 	$(MISCLIBS) -ldl
 
-list_subid_ranges_CPPFLAGS = \
+getsubids_CPPFLAGS = \
 	-I$(top_srcdir)/lib \
 	-I$(top_srcdir)/libmisc \
+	-I$(top_srcdir) \
 	-I$(top_srcdir)/libsubid
 
 get_subid_owners_LDADD = \
@@ -194,11 +196,13 @@ get_subid_owners_LDADD = \
 get_subid_owners_CPPFLAGS = \
 	-I$(top_srcdir)/lib \
 	-I$(top_srcdir)/libmisc \
+	-I$(top_srcdir) \
 	-I$(top_srcdir)/libsubid
 
 new_subid_range_CPPFLAGS = \
 	-I$(top_srcdir)/lib \
 	-I$(top_srcdir)/libmisc \
+	-I$(top_srcdir) \
 	-I$(top_srcdir)/libsubid
 
 new_subid_range_LDADD = \
@@ -210,6 +214,7 @@ new_subid_range_LDADD = \
 free_subid_range_CPPFLAGS = \
 	-I$(top_srcdir)/lib \
 	-I$(top_srcdir)/libmisc \
+	-I$(top_srcdir) \
 	-I$(top_srcdir)/libsubid
 
 free_subid_range_LDADD = \
@@ -220,6 +225,7 @@ free_subid_range_LDADD = \
 
 check_subid_range_CPPFLAGS = \
 	-I$(top_srcdir)/lib \
+	-I$(top_srcdir) \
 	-I$(top_srcdir)/libmisc
 
 check_subid_range_LDADD = \

src/chage.c

@@ -263,7 +263,7 @@ static void print_date (time_t date)
 	char buf[80];
 	char format[80];
 
-	if( iflg ) {
+	if (iflg) {
 		(void) snprintf (format, 80, "%%Y-%%m-%%d");
 	}
 	else {

src/chpasswd.c

@@ -515,7 +515,7 @@ int main (int argc, char **argv)
 		newpwd = cp;
 
 #ifdef USE_PAM
-		if (use_pam){
+		if (use_pam) {
 			if (do_pam_passwd_non_interactive ("chpasswd", name, newpwd) != 0) {
 				fprintf (stderr,
 				         _("%s: (line %d, user %s) password not changed\n"),

src/free_subid_range.c

@@ -39,9 +39,9 @@ int main(int argc, char *argv[])
 	range.start = atoi(argv[1]);
 	range.count = atoi(argv[2]);
 	if (group)
-		ok = ungrant_subgid_range(&range);
+		ok = subid_ungrant_gid_range(&range);
 	else
-		ok = ungrant_subuid_range(&range);
+		ok = subid_ungrant_uid_range(&range);
 
 	if (!ok) {
 		fprintf(stderr, "Failed freeing id range\n");

src/get_subid_owners.c

@@ -25,11 +25,11 @@ int main(int argc, char *argv[])
 		usage();
 	}
 	if (argc == 3 && strcmp(argv[1], "-g") == 0)
-		n = get_subgid_owners(atoi(argv[2]), &uids);
+		n = subid_get_gid_owners(atoi(argv[2]), &uids);
 	else if (argc == 2 && strcmp(argv[1], "-h") == 0)
 		usage();
 	else
-		n = get_subuid_owners(atoi(argv[1]), &uids);
+		n = subid_get_uid_owners(atoi(argv[1]), &uids);
 	if (n < 0) {
 		fprintf(stderr, "No owners found\n");
 		exit(1);

src/getsubids.c

@@ -1,6 +1,7 @@
 #include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
 #include "subid.h"
-#include "stdlib.h"
 #include "prototypes.h"
 
 const char *Prog;
@@ -27,11 +28,11 @@ int main(int argc, char *argv[])
 	owner = argv[1];
 	if (argc == 3 && strcmp(argv[1], "-g") == 0) {
 		owner = argv[2];
-		count = get_subgid_ranges(owner, &ranges);
+		count = subid_get_gid_ranges(owner, &ranges);
 	} else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
 		usage();
 	} else {
-		count = get_subuid_ranges(owner, &ranges);
+		count = subid_get_uid_ranges(owner, &ranges);
 	}
 	if (!ranges) {
 		fprintf(stderr, "Error fetching ranges\n");

src/gpasswd.c

@@ -1207,11 +1207,13 @@ int main (int argc, char **argv)
 	sssd_flush_cache (SSSD_DB_GROUP);
 
 #ifdef SHADOWGRP
-	if (sgent.sg_adm) {
+	if (is_shadowgrp) {
-		xfree(sgent.sg_adm);
+		if (sgent.sg_adm) {
-	}
+			xfree(sgent.sg_adm);
-	if (sgent.sg_mem) {
+		}
-		xfree(sgent.sg_mem);
+		if (sgent.sg_mem) {
+			xfree(sgent.sg_mem);
+		}
 	}
 #endif
 	if (grent.gr_mem) {

src/login.c

@@ -983,12 +983,12 @@ int main (int argc, char **argv)
 
 			if (strcmp (user_passwd, "") == 0) {
 				char *prevent_no_auth = getdef_str("PREVENT_NO_AUTH");
-				if(prevent_no_auth == NULL) {
+				if (prevent_no_auth == NULL) {
 					prevent_no_auth = "superuser";
 				}
-				if(strcmp(prevent_no_auth, "yes") == 0) {
+				if (strcmp(prevent_no_auth, "yes") == 0) {
 					failed = true;
-				} else if( (pwd->pw_uid == 0)
+				} else if ((pwd->pw_uid == 0)
 					&& (strcmp(prevent_no_auth, "superuser") == 0)) {
 					failed = true;
 				}
@@ -1288,6 +1288,7 @@ int main (int argc, char **argv)
 			env++;
 		}
 	}
+	(void) pam_end (pamh, PAM_SUCCESS | PAM_DATA_SILENT);
 #endif
 
 	(void) setlocale (LC_ALL, "");

src/new_subid_range.c

@@ -45,9 +45,9 @@ int main(int argc, char *argv[])
 	if (argc > 1)
 		range.count = atoi(argv[1]);
 	if (group)
-		ok = grant_subgid_range(&range, !makenew);
+		ok = subid_grant_gid_range(&range, !makenew);
 	else
-		ok = grant_subuid_range(&range, !makenew);
+		ok = subid_grant_uid_range(&range, !makenew);
 
 	if (!ok) {
 		fprintf(stderr, "Failed creating new id range\n");

src/newgrp.c

@@ -163,8 +163,8 @@ static void check_perms (const struct group *grp,
 	spwd = xgetspnam (pwd->pw_name);
 	if (NULL != spwd) {
 		pwd->pw_passwd = xstrdup (spwd->sp_pwdp);
+		spw_free (spwd);
 	}
-	spw_free (spwd);
 
 	if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) {
 		needspasswd = true;

src/passwd.c

@@ -490,9 +490,12 @@ static void print_status (const struct passwd *pw)
 		               ((long long)sp->sp_max * SCALE) / DAY,
 		               ((long long)sp->sp_warn * SCALE) / DAY,
 		               ((long long)sp->sp_inact * SCALE) / DAY);
-	} else {
+	} else if (NULL != pw->pw_passwd) {
 		(void) printf ("%s %s\n",
 		               pw->pw_name, pw_status (pw->pw_passwd));
+	} else {
+		(void) fprintf(stderr, _("%s: malformed password data obtained for user %s\n"),
+		               Prog, pw->pw_name);
 	}
 }
 
@@ -1106,7 +1109,7 @@ int main (int argc, char **argv)
 			(void) printf (_("%s: password changed.\n"), Prog);
 #endif				/* USE_PAM */
 		} else {
-			(void) printf (_("%s: password expiry information changed.\n"), Prog);
+			(void) printf (_("%s: password changed.\n"), Prog);
 		}
 	}
 

src/pwck.c

@@ -857,6 +857,7 @@ int main (int argc, char **argv)
 	 * Get my name so that I can use it to report errors.
 	 */
 	Prog = Basename (argv[0]);
+	shadow_logfd = stderr;
 
 	(void) setlocale (LC_ALL, "");
 	(void) bindtextdomain (PACKAGE, LOCALEDIR);

src/su.c

@@ -295,6 +295,21 @@ static void prepare_pam_close_session (void)
 	sigset_t ourset;
 	int status;
 	int ret;
+	struct sigaction action;
+
+	/* reset SIGCHLD handling to default */
+	action.sa_handler = SIG_DFL;
+	sigemptyset (&action.sa_mask);
+	action.sa_flags = 0;
+	if (0 == caught && sigaction (SIGCHLD, &action, NULL) != 0) {
+		fprintf (stderr,
+		         _("%s: signal masking malfunction\n"),
+		         Prog);
+		SYSLOG ((LOG_WARN, "Will not execute %s", shellstr));
+		closelog ();
+		exit (1);
+		/* Only the child returns. See above. */
+	}
 
 	pid_child = fork ();
 	if (pid_child == 0) {	/* child shell */
@@ -318,11 +333,7 @@ static void prepare_pam_close_session (void)
 		caught = SIGTERM;
 	}
 	if (0 == caught) {
-		struct sigaction action;
-
 		action.sa_handler = catch_signals;
-		sigemptyset (&action.sa_mask);
-		action.sa_flags = 0;
 		sigemptyset (&ourset);
 
 		if (   (sigaddset (&ourset, SIGTERM) != 0)
@@ -397,22 +408,28 @@ static void prepare_pam_close_session (void)
 		snprintf (kill_msg, sizeof kill_msg, _(" ...killed.\n"));
 		snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n"));
 
+		/* Any signals other than SIGCHLD and SIGALRM will no longer have any effect,
+		 * so it's time to block all of them. */
+		sigfillset (&ourset);
+		if (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0) {
+			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
+			kill_child (0);
+			/* Never reach (_exit called). */
+		}
+
+		/* Send SIGKILL to the child if it doesn't
+		 * exit within 2 seconds (after SIGTERM) */
 		(void) signal (SIGALRM, kill_child);
 		(void) signal (SIGCHLD, catch_signals);
 		(void) alarm (2);
 
-		sigemptyset (&ourset);
+		(void) sigdelset (&ourset, SIGALRM);
-		if ((sigaddset (&ourset, SIGALRM) != 0)
+		(void) sigdelset (&ourset, SIGCHLD);
-		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
+
-			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
+		while (0 == waitpid (pid_child, &status, WNOHANG)) {
-			kill_child (0);
+			sigsuspend (&ourset);
-		} else {
-			while (0 == waitpid (pid_child, &status, WNOHANG)) {
-				sigsuspend (&ourset);
-			}
-			pid_child = 0;
-			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
 		}
+		pid_child = 0;
 
 		(void) fputs (_(" ...terminated.\n"), stderr);
 	}
@@ -508,13 +525,13 @@ static void check_perms_nopam (const struct passwd *pw)
 
 	if (strcmp (pw->pw_passwd, "") == 0) {
 		char *prevent_no_auth = getdef_str("PREVENT_NO_AUTH");
-		if(prevent_no_auth == NULL) {
+		if (prevent_no_auth == NULL) {
 			prevent_no_auth = "superuser";
 		}
-		if(strcmp(prevent_no_auth, "yes") == 0) {
+		if (strcmp(prevent_no_auth, "yes") == 0) {
 			fprintf(stderr, _("Password field is empty, this is forbidden for all accounts.\n"));
 			exit(1);
-		} else if( (pw->pw_uid == 0)
+		} else if ((pw->pw_uid == 0)
 				&& (strcmp(prevent_no_auth, "superuser") == 0)) {
 			fprintf(stderr, _("Password field is empty, this is forbidden for super-user.\n"));
 			exit(1);
@@ -1156,12 +1173,9 @@ int main (int argc, char **argv)
 		}
 	}
 
-	/*
+#ifdef USE_PAM
-	 * PAM_DATA_SILENT is not supported by some modules, and
+	(void) pam_end (pamh, PAM_SUCCESS | PAM_DATA_SILENT);
-	 * there is no strong need to clean up the process space's
+#endif
-	 * memory since we will either call exec or exit.
-	pam_end (pamh, PAM_SUCCESS | PAM_DATA_SILENT);
-	 */
 
 	endpwent ();
 	endspent ();