configure.ac and changelog: release 4.9

Signed-off-by: Serge Hallyn <serge@hallyn.com>

.github/workflows/main.yml

@@ -0,0 +1,43 @@
+name: CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: debug
+      run: |
+        id
+        which bash
+        whoami
+        env
+        ps -ef
+        pwd
+        cat /proc/self/uid_map
+        cat /proc/self/status
+        systemd-detect-virt
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get -y install automake autopoint xsltproc gettext expect byacc libtool
+    - name: configure
+      run: |
+        ./autogen.sh --without-selinux --disable-man
+        grep ENABLE_ config.status
+    - run: make
+    - run: make install DESTDIR=${HOME}/rootfs
+    - run: sudo make install
+    - run: |
+        cd tests
+        sudo ./run_some
+        cat testsuite.log

.gitignore

@@ -48,3 +48,4 @@ Makefile.in
 /shadow.spec
 /shadow-*.tar.*
 /libmisc/getdate.c
+/libsubid/subid.h

AUTHORS.md

@@ -0,0 +1,89 @@
+Thanks to at least the following people for sending patches, bug
+reports and various comments. This list may be incomplete, I received
+a lot of mail...
+
+# Maintainers
+Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
+Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
+Serge E. Hallyn <serge@hallyn.com> (2014-now)
+Christian Brauner <christian@brauner.io> (2019-now)
+
+# Authors and contributors
+Adam Rudnicki <adam@v-lo.krakow.pl>
+Alan Curry <pacman@tardis.mars.net>
+Aleksa Sarai <cyphar@cyphar.com>
+Alexander O. Yuriev <alex@bach.cis.temple.edu>
+Algis Rudys <arudys@rice.edu>
+Andreas Jaeger <aj@arthur.rhein-neckar.de>
+Andy Zaugg <andy.zaugg@gmail.com>
+Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it>
+Anton Gluck <gluc@midway.uchicago.edu>
+Arkadiusz Miskiewicz <misiek@pld.org.pl>
+Ben Collins <bcollins@debian.org>
+Brian R. Gaeke <brg@dgate.org>
+Calle Karlsson <ckn@kash.se>
+Chip Rosenthal <chip@unicom.com>
+Chris Evans <lady0110@sable.ox.ac.uk>
+Chris Lamb <chris@chris-lamb.co.uk>
+Cristian Gafton <gafton@sorosis.ro>
+Dan Walsh <dwalsh@redhat.com>
+Darcy Boese <possum@chardonnay.niagara.com>
+Dave Hagewood <admin@arrowweb.com>
+David A. Holland <dholland@hcs.harvard.edu>
+David Frey <David.Frey@lugs.ch>
+Ed Carp <ecarp@netcom.com>
+Ed Neville <ed@s5h.net>
+Eric W. Biederman" <ebiederm@xmission.com>
+Floody <flood@evcom.net>
+Frank Denis <j@4u.net>
+George Kraft IV <gk4@us.ibm.com>
+Greg Mortensen <loki@world.std.com>
+Guido van Rooij
+Guy Maor <maor@debian.org>
+Hrvoje Dogan <hdogan@bjesomar.srce.hr>
+Iker Pedrosa <ipedrosa@redhat.com>
+Jakub Hrozek <jhrozek@redhat.com>
+Janos Farkas <chexum@bankinf.banki.hu>
+Jason Franklin <jason.franklin@quoininc.com>
+Jay Soffian <jay@lw.net>
+Jesse Thilo <Jesse.Thilo@pobox.com>
+Joey Hess <joey@kite.ml.org>
+John Adelsberger <jja@umr.edu>
+Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us>
+Jon Lewis <jlewis@lewis.org>
+Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
+Judd Bourgeois <shagboy@bluesky.net>
+Juergen Heinzl <unicorn@noris.net>
+Juha Virtanen <jiivee@iki.fi>
+Julian Pidancet <julian.pidancet@gmail.com>
+Julianne Frances Haugh <julie78787@gmail.com>
+Leonard N. Zubkoff <lnz@dandelion.com>
+Luca Berra <bluca@www.polimi.it>
+Lukáš Kuklínek <lkukline@redhat.com>
+Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
+Marc Ewing <marc@redhat.com>
+Martin Bene <mb@sime.com>
+Martin Mares <mj@gts.cz>
+Michael Meskes <meskes@topsystem.de>
+Michael Talbot-Wilson <mike@calypso.bns.com.au>
+Michael Vetter <jubalh@iodoru.org>
+Mike Frysinger <vapier@gentoo.org>
+Mike Pakovic <mpakovic@users.southeast.net>
+Nicolas François <nicolas.francois@centraliens.net>
+Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
+Pavel Machek <pavel@bug.ucw.cz>
+Peter Vrabec <pvrabec@redhat.com>
+Phillip Street
+Rafał Maszkowski <rzm@icm.edu.pl>
+Rani Chouha <ranibey@smartec.com>
+Sami Kerola <kerolasa@rocketmail.com>
+Scott Garman <scott.a.garman@intel.com>
+Sebastian Rick Rijkers <srrijkers@gmail.com>
+Seraphim Mellos <mellos@ceid.upatras.gr>
+Shane Watts <shane@nexus.mlckew.edu.au>
+Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
+Thorsten Kukuk <kukuk@suse.de>
+Tim Hockin <thockin@eagle.ais.net>
+Timo Karjalainen <timok@iki.fi>
+Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es>
+Werner Fink <werner@suse.de>

COPYING

@@ -17,7 +17,7 @@ which is held by Julianne Frances Haugh, may be copied, such that the
 copyright holder maintains some semblance of artistic control over the
 development of the package, while giving the users of the package the
 right to use and distribute the Package in a more-or-less customary
-fashion, plus the right to make reasonable modifications. 
+fashion, plus the right to make reasonable modifications.
 
 So there.
 
@@ -28,7 +28,7 @@ Definitions:
 
 A "Package" refers to the collection of files distributed by the
 Copyright Holder, and derivatives of that collection of files created
-through textual modification, or segments thereof. 
+through textual modification, or segments thereof.
 
 "Standard Version" refers to such a Package if it has not been modified,
 or has been modified in accordance with the wishes of the Copyright
@@ -100,12 +100,12 @@ Standard Version.
 d) make other distribution arrangements with the Copyright Holder.
 
 5.  You may charge a reasonable copying fee for any distribution of this
-Package.  You may charge any fee you choose for support of this Package. 
+Package.  You may charge any fee you choose for support of this Package.
 YOU MAY NOT CHARGE A FEE FOR THIS PACKAGE ITSELF.  However, you may
 distribute this Package in aggregate with other (possibly commercial)
 programs as part of a larger (possibly commercial) software distribution
 provided that YOU DO NOT ADVERTISE this package as a product of your
-own. 
+own.
 
 6.  The name of the Copyright Holder may not be used to endorse or
 promote products derived from this software without specific prior

ChangeLog

@@ -1,3 +1,46 @@
+2021-12-19  Serge Hallyn <serge@hallyn.com>
+
+	Note: From this release forward, su from this package should be
+	considered deprecated.  Please replace any users of it with su from
+	util-linux.  Please open an issue if there is a problem with that.
+	We intend to remove it in an upcoming release.
+
+	* libsubid fixes (Xi Ruoyao, Serge Hallyn, Iker Pedrosa, Mike Gilbert,
+	  GalaxyMaster, and Luís Ferreira)
+	* Rename the test program list_subid_ranges to getsubids, write
+	  a manpage, so distros can ship it. (Iker Pedrosa)
+	* Add libeconf dep for new*idmap (Iker Pedrosa)
+	* Allow all group types with usermod -G (Iker Pedrosa)
+	* Avoid useradd generating empty subid range (Iker Pedrosa)
+	* Handle NULL pw_passwd (Jaroslav Jindrak)
+	* Fix default value SHA_get_salt_rounds (Mike Gilbert)
+	* Use https where possible in README (Paul Menzel)
+	* Update content and format of README (Iker Pedrosa)
+	* Translation updates (Balint Reczey, Frans Spiesschaert)
+	* Switch from xml2po to itstool in 'make dist' (Serge Hallyn)
+	* Fix double frees (Michael Vetter)
+	* Add LOG_INIT configurable to useradd (Andy Zaugg)
+	* Add CREATE_MAIL_SPOOL documentation (Andy Zaugg)
+	* Create a security.md
+	* Fix su never being SIGKILLd when trapping TERM (Ruihan li)
+	* Fix wrong SELinux labels in several possible cases (Iker Pedrosa)
+	* Fix missing chmod in chadowtb_move (GalaxyMaster)
+	* Handle malformed hushlogins entries (Tobias Stoeckmann)
+	* Fix groupdel segv when passwd does not exist (François Rigault)
+	* Fix covscan-found newgrp segfault (Iker Pedrosa)
+	* Remove trailing slash on hoedir (Ed Neville)
+	* Fix passwd -l message - it does not change expirey (Ed Neville)
+	* Fix SIGCHLD handling bugs in su and vipw (Tobias Stoeckmann)
+	* Remove special case for "" in usermod (Alejandro Colomar)
+	* Implement usermod -rG to remove a specific group
+	  (Andy Zaugg)
+	* call pam_end() after fork in child path for su and login
+	  (Björn Fischer)
+	* useradd: In absence of /etc/passwd, assume 0 == root
+	  (Ludwig Nussel)
+	* lib: check NULL before freeing data (Iker Pedrosa)
+	* Fix pwck segfault (Iker Pedrosa)
+
 2021-07-22  Serge Hallyn <serge@hallyn.com>
 
 	* Updated translations (Björn Esser, Juergen Hoetzel)
@@ -285,7 +328,7 @@
 2013-08-15  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* src/usermod.c: Check early if /etc/subuid (/etc/subgid) exists
-	when option -v/-V (-w/-W) are provided. 
+	when option -v/-V (-w/-W) are provided.
 
 2013-08-15  Nicolas François  <nicolas.francois@centraliens.net>
 
@@ -662,8 +705,8 @@
 
 	* configure.in: Prepare for next point release 4.2.
 	* if using the static char* for pw_dir, strdup it so
-	  pw_free() can be used. (Closes: Debian#691459, alioth#313957) 
+	  pw_free() can be used. (Closes: Debian#691459, alioth#313957)
-	* Kill the child process group, rather than just the 
+	* Kill the child process group, rather than just the
 	  immediate child; this is needed now that su no
 	  longer starts a controlling terminal when not running an
 	  interactive shell (closes: Debian#713979)
@@ -890,7 +933,7 @@
 
 	* po/pt.po: Updated to 557t.
 
-2012-01-19  Holger Wansing  <linux@wansing-online.de> 
+2012-01-19  Holger Wansing  <linux@wansing-online.de>
 
 	* po/de.po: Updated to 557t.
 
@@ -1477,8 +1520,8 @@
 	* NEWS, src/chpasswd.c: Create a shadow entry if the password is
 	set to 'x' in passwd and there are no entry in shadow for the
 	user.
-	* NEWS, src/chgpasswd.c: Create a gshadow entry if the password is 
+	* NEWS, src/chgpasswd.c: Create a gshadow entry if the password is
-	set to 'x' in group and there are no entry in gshadow for the 
+	set to 'x' in group and there are no entry in gshadow for the
 	group.
 
 2011-07-28  Nicolas François  <nicolas.francois@centraliens.net>
@@ -1550,7 +1593,7 @@
 2011-07-22  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Fail in case of
-	invalid configuration. 
+	invalid configuration.
 	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Updated
 	comments.
 	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Be more strict
@@ -1787,7 +1830,7 @@
 	  man/login.defs.d/DEFAULT_HOME.xml,
 	  man/login.defs.d/LOGIN_RETRIES.xml,
 	  man/login.defs.d/MD5_CRYPT_ENAB.xml,
-	  man/login.defs.d/PORTTIME_CHECKS_ENAB.xml, 
+	  man/login.defs.d/PORTTIME_CHECKS_ENAB.xml,
 	  man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml:
 	  Fix typos
 	* man/po/de.po: German translation of manpages completed
@@ -1834,7 +1877,7 @@
 
 2011-03-30  YunQiang Su  <wzssyqa@gmail.com>
 
-	* man/po/zh_CN.po: convert Simplified Chinese translation 
+	* man/po/zh_CN.po: convert Simplified Chinese translation
 	  of manpages to gettext
 	* po/zh_CN.po: Simplified Chinese translation completed
 
@@ -1973,7 +2016,7 @@
 	boolean. safe_system last argument is a boolean.
 	* libmisc/system.c: Check return value of dup2.
 	* libmisc/system.c: Do not check *printf/*puts return value.
-	* libmisc/system.c: Do not check execve return value. 
+	* libmisc/system.c: Do not check execve return value.
 	* libmisc/salt.c: Do not check *printf/*puts return value.
 	* libmisc/loginprompt.c: Do not check gethostname return value.
 	* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Do not check
@@ -2126,7 +2169,7 @@
 2010-04-04  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* src/useradd.c: spool is a constant string.
-	* src/useradd.c: Set the new copy_tree's paramater 'copy_root' to false 
+	* src/useradd.c: Set the new copy_tree's paramater 'copy_root' to false
 
 2010-04-04  Nicolas François  <nicolas.francois@centraliens.net>
 
@@ -4975,7 +5018,7 @@
 	<sgrubb@redhat.com>
 	* src/groupadd.c: Log to audit with type AUDIT_ADD_GROUP instead
 	of AUDIT_USER_CHAUTHTOK.
-	* src/groupdel.c: Log to audit with type AUDIT_DEL_GROUP instead 
+	* src/groupdel.c: Log to audit with type AUDIT_DEL_GROUP instead
 	of AUDIT_USER_CHAUTHTOK.
 	* src/useradd.c: Log to audit with type AUDIT_ADD_USER /
 	AUDIT_ADD_GROUP / AUDIT_USYS_CONFIG instead of
@@ -5231,7 +5274,7 @@
 	* NEWS, src/gpasswd.c: Use getopt_long instead of getopt. Added
 	support for long options --add (-a), --delete (-d),
 	--remove-password (-r), --restrict (-R), --administrators (-A),
-	and --members (-M) 
+	and --members (-M)
 	* man/gpasswd.1.xml: Document the new long options.
 	* src/gpasswd.c: The sgrp structure is only used if SHADOWGRP is
 	defined.
@@ -7420,7 +7463,7 @@
 	to mimic useradd's behavior choices of UID and GID.
 	* src/newusers.c: Reuse the generic find_new_uid() and
 	find_new_gid() functions. This permits to respect the
-	UID_MIN/UID_MAX and GID_MIN/GID_MAX variables, should 
+	UID_MIN/UID_MAX and GID_MIN/GID_MAX variables, should
 	* src/newusers.c: Check if the user or group exist using the
 	external databases (with the libc getpwnam/getgrnam functions).
 	Refuse to update an user which exist in an external database but
@@ -9217,7 +9260,7 @@
 	Debian's patch 202_it_man_uses_gettext. Thanks to Giuseppe
 	Sacco who contributed the Italian translation.
 	* man/de/de.po: (nearly) complete German translation of man pages
-	Imported from Debian's patch 203_de-man-update. Thanks to 
+	Imported from Debian's patch 203_de-man-update. Thanks to
 	Simon Brandmair
 	* src/usermod.c: Clarify the online help of usermod for "-a"
 	Imported from Debian's patch 402-clarify_usermod_usage

Makefile.am

@@ -2,7 +2,7 @@
 
 EXTRA_DIST = NEWS README TODO shadow.spec.in
 
-SUBDIRS = libmisc lib 
+SUBDIRS = libmisc lib
 
 if ENABLE_SUBIDS
 SUBDIRS += libsubid

NEWS

@@ -15,7 +15,7 @@ shadow-4.1.5.1 -> shadow-4.2					UNRELEASED
 
 - su
   * When su receives a signal (SIGTERM, or SIGINT/SIGQUIT in non
-    interactive mode), kill the child process group, rather than just the 
+    interactive mode), kill the child process group, rather than just the
     immediate child.
   * Fix segmentation faults for users without a proper home or shell in
     their passwd entries.
@@ -622,7 +622,7 @@ shadow-4.0.18.2 -> shadow-4.1.0						09-12-2007
 - Add support for uClibc with no l64a().
 - userdel, usermod: Fix infinite loop caused by erroneous group file
   containing two entries with the same name. (The fix strategy differs
-  from 
+  from
   (https://bugzilla.redhat.com/show_bug.cgi?id=240915)
 - userdel: Abort if an error is detected while updating the passwd or group
   databases. The passwd or group files will not be written.
@@ -1001,9 +1001,9 @@ shadow-4.0.12 -> shadow-4.0.13						10-10-2005
 shadow-4.0.11.1 -> shadow-4.0.12					22-08-2005
 
 *** general:
-- newgrp, login: remove using login.defs::CLOSE_SESSIONS variable and always 
+- newgrp, login: remove using login.defs::CLOSE_SESSIONS variable and always
   close PAM session,
-- fixed configure.in: really enable shadow group support by default (pointed by 
+- fixed configure.in: really enable shadow group support by default (pointed by
   Greg Schafer <gschafer@zip.com.au> and Peter Vrabec <pvrabec@redhat.com>),
 - login.defs: removed handle QMAIL_DIR variable,
 - login: allow regular user to login on read-only root file system (not only for root)
@@ -1080,7 +1080,7 @@ shadow-4.0.10 -> shadow-4.0.11						18-07-2005
 - S/Key support is back,
 - usermod: added -a option. This flag can only be used in conjunction with the -G
   option. It cause usermod to append user to the current supplementary group list.
-  (patch by Peter Vrabec <pvrabec@redhat.com>) 
+  (patch by Peter Vrabec <pvrabec@redhat.com>)
 - chage: added missing \n in error messages,
 - useradd, groupadd: change -O option to -K and document it in man page,
 - su, sulogin, login: fixed erroneous warning messages when used with PAM about some
@@ -1130,7 +1130,7 @@ shadow-4.0.9 -> shadow-4.0.10						28-06-2005
   http://bugs.debian.org/53570 http://bugs.debian.org/195048 http://bugs.debian.org/211884
 - login: made login's -f option also able to use the username after -- if none
   was passed as it's optarg
-  http://bugs.debian.org/53702 
+  http://bugs.debian.org/53702
 - login: check for hushed login and pass PAM_SILENT if true,
   http://bugs.debian.org/48002
 - login: fixed username on succesful login (was using the normal username,
@@ -1208,7 +1208,7 @@ shadow-4.0.7 -> shadow-4.0.8						26-04-2005
 -- new: chage.1, chpasswd.8, expiry.1, faillog.5, faillog.8, getspnam.3,
    logoutd.8, porttime.5, pwck.8, shadow.3, shadowconfig.8, su.1,
 - passwd(1): fix #160477 Debian bug: improve -S output description,
-- newgrp(1): fix #251926, #166173, #113191 Debian bugs: explain why editing /etc/group   
+- newgrp(1): fix #251926, #166173, #113191 Debian bugs: explain why editing /etc/group
   (without gshadow) doesn't permit to use newgrp,
 - newgrp(1): newgrp uses /bin/sh (not bash),
 - faillog(8): updated after rewritten faillog command for use getopt_long(),
@@ -1238,7 +1238,7 @@ shadow-4.0.6 -> shadow-4.0.7						26-01-2005
 - chpasswd:
 -- switch chpasswd to use getopt_long() and adds a --md5 option
    (by Ian Gulliver <ian@penguinhosting.net>),
--- rewritten chpasswd(8) man page.  
+-- rewritten chpasswd(8) man page.
 
 shadow-4.0.5 -> shadow-4.0.6						08-11-2004
 
@@ -1309,7 +1309,7 @@ shadow-4.0.4 => shadow-4.0.4.1						14-01-2004
 - bug fixes in automake files for generate correct tar ball on "make dist":
   added missing "EXTRA_DIST = $(man_MANS)" in man/*/Makefile.am.
 
-shadow-4.0.3 => shadow-4.0.4						14-01-2004	
+shadow-4.0.3 => shadow-4.0.4						14-01-2004
 
 *** general:
 - added missing information about -f options in groupadd usage message
@@ -1408,7 +1408,7 @@ shadow-4.0.0 => shadow-4.0.1
 - fixes for handle/print correctly 32bit uid/gid (Thorsten Kukuk <kukuk@suse.de>),
 - implemented functions for better reloading the nscd cache (per NSS map)
   (Thorsten Kukuk <kukuk@suse.de>),
-- fixed warnings "not used but defined" on compile using gcc 3.0.x 
+- fixed warnings "not used but defined" on compile using gcc 3.0.x
   (bulletpr00ph <bullet@users.sourceforge.net>),
 - added ja, ko translations found in SuSE,
 - added symlinks: newgrp -> sg, vipw -> vigr,
@@ -1416,7 +1416,7 @@ shadow-4.0.0 => shadow-4.0.1
 - added sg(1) man page as roff .so link to newgrp(1),
 - installed fix for SEGV when using pwck -s on /etc/passwd file with
   empty lines in it.
-  
+
 shadow-20001016 => shadow-4.0.0						 06-01-2002
 
 - fix bug discovered and fixed by Marcel Ritter
@@ -1466,7 +1466,7 @@ shadow-20000902 => shadow-20001012
   overwrite previously existing groups in adduser,
 - added PAM support for chage (bind to "chage" PAM config file) also
   added PAM support for all other small tools like chpasswd, groupadd,
-  groupdel, groupmod, newusers, useradd, userdel, usermod (bind to common 
+  groupdel, groupmod, newusers, useradd, userdel, usermod (bind to common
   "shadow" PAM config file) - this modifications mainly based on
   modifications prepared by Janek Rękojarski <baggins@pld.org.pl>,
 - many small fixes and improvements in automake (mow "make dist"

README

@@ -1,124 +0,0 @@
-Shadow SITES
-============
-
-Homepage
-	http://github.com/shadow-maint/shadow
-
-Issue tracker
-	http://github.com/shadow-maint/shadow/issues
-
-Releases
-	https://github.com/shadow-maint/shadow/releases
-
-Mailing lists
-	for general discuss: pkg-shadow-devel@alioth-lists.debian.net
-	commit list: pkg-shadow-commits@alioth-lists.debian.net
-
-Mailing lists subscription
-	http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-devel
-	http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-commits
-
-Mailing lists archives:
-	http://alioth-lists.debian.net/pipermail/pkg-shadow-devel/
-	http://alioth-lists.debian.net/pipermail/pkg-shadow-commits/
-
-S/Key support:
-	Shadow can be built with S/Key support using the S/Key package from:
-
-	http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libskey/
-	or
-	http://gentoo.osuosl.org/distfiles/skey-1.1.5.tar.bz2
-
-Authors and contributors
-========================
-
-Thanks to at least the following people for sending patches, bug
-reports and various comments.  This list may be incomplete, I received
-a lot of mail...
-
-
-Adam Rudnicki <adam@v-lo.krakow.pl>
-Alan Curry <pacman@tardis.mars.net>
-Aleksa Sarai <cyphar@cyphar.com>
-Alexander O. Yuriev <alex@bach.cis.temple.edu>
-Algis Rudys <arudys@rice.edu>
-Andreas Jaeger <aj@arthur.rhein-neckar.de>
-Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it>
-Anton Gluck <gluc@midway.uchicago.edu>
-Arkadiusz Miskiewicz <misiek@pld.org.pl>
-Ben Collins <bcollins@debian.org>
-Brian R. Gaeke <brg@dgate.org>
-Calle Karlsson <ckn@kash.se>
-Chip Rosenthal <chip@unicom.com>
-Chris Evans <lady0110@sable.ox.ac.uk>
-Chris Lamb <chris@chris-lamb.co.uk>
-Cristian Gafton <gafton@sorosis.ro>
-Dan Walsh <dwalsh@redhat.com>
-Darcy Boese <possum@chardonnay.niagara.com>
-Dave Hagewood <admin@arrowweb.com>
-David A. Holland <dholland@hcs.harvard.edu>
-David Frey <David.Frey@lugs.ch>
-Ed Carp <ecarp@netcom.com>
-Ed Neville <ed@s5h.net>
-Eric W. Biederman" <ebiederm@xmission.com>
-Floody <flood@evcom.net>
-Frank Denis <j@4u.net>
-George Kraft IV <gk4@us.ibm.com>
-Greg Mortensen <loki@world.std.com>
-Guido van Rooij
-Guy Maor <maor@debian.org>
-Hrvoje Dogan <hdogan@bjesomar.srce.hr>
-Jakub Hrozek <jhrozek@redhat.com>
-Janos Farkas <chexum@bankinf.banki.hu>
-Jason Franklin <jason.franklin@quoininc.com>
-Jay Soffian <jay@lw.net>
-Jesse Thilo <Jesse.Thilo@pobox.com>
-Joey Hess <joey@kite.ml.org>
-John Adelsberger <jja@umr.edu>
-Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us>
-Jon Lewis <jlewis@lewis.org>
-Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
-Judd Bourgeois <shagboy@bluesky.net>
-Juergen Heinzl <unicorn@noris.net>
-Juha Virtanen <jiivee@iki.fi>
-Julian Pidancet <julian.pidancet@gmail.com>
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
-Leonard N. Zubkoff <lnz@dandelion.com>
-Luca Berra <bluca@www.polimi.it>
-Lukáš Kuklínek <lkukline@redhat.com>
-Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
-Marc Ewing <marc@redhat.com>
-Martin Bene <mb@sime.com>
-Martin Mares <mj@gts.cz>
-Michael Meskes <meskes@topsystem.de>
-Michael Talbot-Wilson <mike@calypso.bns.com.au>
-Michael Vetter <jubalh@iodoru.org>
-Mike Frysinger <vapier@gentoo.org>
-Mike Pakovic <mpakovic@users.southeast.net>
-Nicolas François <nicolas.francois@centraliens.net>
-Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
-Pavel Machek <pavel@bug.ucw.cz>
-Peter Vrabec <pvrabec@redhat.com>
-Phillip Street
-Rafał Maszkowski <rzm@icm.edu.pl>
-Rani Chouha <ranibey@smartec.com>
-Sami Kerola <kerolasa@rocketmail.com>
-Scott Garman <scott.a.garman@intel.com>
-Sebastian Rick Rijkers <srrijkers@gmail.com>
-Seraphim Mellos <mellos@ceid.upatras.gr>
-Shane Watts <shane@nexus.mlckew.edu.au>
-Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
-Thorsten Kukuk <kukuk@suse.de>
-Tim Hockin <thockin@eagle.ais.net>
-Timo Karjalainen <timok@iki.fi>
-Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es>
-Werner Fink <werner@suse.de>
-
-Maintainers
-===========
-
-Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
-Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
-Serge E. Hallyn <serge@hallyn.com> (2014-now)
-Christian Brauner <christian@brauner.io> (2019-now)
-

README

@@ -0,0 +1 @@
+README.md

README.md

@@ -0,0 +1,36 @@
+# shadow-utils
+
+## Introduction
+The shadow-utils package includes the necessary programs for
+converting UNIX password files to the shadow password format, plus
+programs for managing user and group accounts. The pwconv command
+converts passwords to the shadow password format. The pwunconv command
+unconverts shadow passwords and generates a passwd file (a standard
+UNIX password file). The pwck command checks the integrity of password
+and shadow files. The lastlog command prints out the last login times
+for all users. The useradd, userdel, and usermod commands are used for
+managing user accounts. The groupadd, groupdel, and groupmod commands
+are used for managing group accounts.
+
+## Sites
+* [Homepage](https://github.com/shadow-maint/shadow)
+* [Issue tracker](https://github.com/shadow-maint/shadow/issues)
+* [Releases](https://github.com/shadow-maint/shadow/releases)
+
+## Contacts
+There are several ways to contact us:
+* [the general discussion mailing list](
+  https://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-devel)
+* the #shadow IRC channel on libera.chat:
+  * irc://irc.libera.chat/shadow
+
+### Mailing archives
+* [the general discussion mailing list archive](
+  https://alioth-lists.debian.net/pipermail/pkg-shadow-devel/)
+* [the commit mailing list archive](
+  https://alioth-lists-archive.debian.net/pipermail/pkg-shadow-commits/),
+  only used for historical purposes
+
+## Authors and maintainers
+Authors and maintainers are listed in [AUTHORS.md](
+https://github.com/shadow-maint/shadow/blob/master/AUTHORS.md).

SECURITY.md

@@ -0,0 +1,11 @@
+# Security Policy
+
+## Supported Versions
+
+At the moment only the latest release is supported.
+
+## Reporting a Vulnerability
+
+Security vulnerabilities may be reported to
+* Serge Hallyn <serge@hallyn.com> (B175CFA98F192AF2)
+* Christian Brauner <christian@brauner.io> (4880B8C9BD0E5106FC070F4F7B3C391EFEA93624)

TODO

@@ -1,4 +1,4 @@
- * Create a common usage function that'd take the array of     
+ * Create a common usage function that'd take the array of
    long options and an array of descriptions and output that so things would
    be standardized across the utils.
    Usage strings should be normalized and split first.

configure.ac

@@ -1,10 +1,10 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_PREREQ([2.69])
-m4_define([libsubid_abi_major], 3)
+m4_define([libsubid_abi_major], 4)
 m4_define([libsubid_abi_minor], 0)
 m4_define([libsubid_abi_micro], 0)
 m4_define([libsubid_abi], [libsubid_abi_major.libsubid_abi_minor.libsubid_abi_micro])
-AC_INIT([shadow], [4.9], [pkg-shadow-devel@lists.alioth.debian.org], [],
+AC_INIT([shadow], [4.10], [pkg-shadow-devel@lists.alioth.debian.org], [],
 	[https://github.com/shadow-maint/shadow])
 AM_INIT_AUTOMAKE([1.11 foreign dist-xz])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -321,6 +321,8 @@ if test "$with_sha_crypt" = "yes"; then
 	AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
 fi
 
+AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
+
 AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes")
 if test "$with_bcrypt" = "yes"; then
 	AC_DEFINE(USE_BCRYPT, 1, [Define to allow the bcrypt password encryption algorithm])
@@ -343,7 +345,7 @@ if test "$with_sssd" = "yes"; then
 	              [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
 fi
 
-AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])])
+AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su]))
 AM_CONDITIONAL([WITH_SU], [test "x$with_su" != "xno"])
 
 dnl Check for some functions in libc first, only if not found check for
@@ -739,6 +741,7 @@ AC_CONFIG_FILES([
 	libmisc/Makefile
 	lib/Makefile
 	libsubid/Makefile
+	libsubid/subid.h
 	src/Makefile
 	contrib/Makefile
 	etc/Makefile

contrib/adduser-old.c

@@ -4,14 +4,14 @@
 ** --marekm
 **
 ** 02/26/96
-** modified to call shadow utils (useradd,chage,passwd) on shadowed 
+** modified to call shadow utils (useradd,chage,passwd) on shadowed
 ** systems - Cristian Gafton, gafton@sorosis.ro
 **
 ** 6/27/95
 ** shadow-adduser 1.4:
 **
-** now it copies the /etc/skel dir into the person's dir, 
+** now it copies the /etc/skel dir into the person's dir,
-** makes the mail folders, changed some defaults and made a 'make 
+** makes the mail folders, changed some defaults and made a 'make
 ** install' just for the hell of it.
 **
 ** Greg Gallagher
@@ -19,20 +19,20 @@
 **
 ** 1/28/95
 ** shadow-adduser 1.3:
-** 
+**
-** Basically a bug-fix on my additions in 1.2.  Thanks to Terry Stewart 
+** Basically a bug-fix on my additions in 1.2.  Thanks to Terry Stewart
 ** (stew@texas.net) for pointing out one of the many idiotic bugs I introduced.
 ** It was such a stupid bug that I would have never seen it myself.
 **
 **                                Brandon
 *****
 ** 01/27/95
-** 
+**
 ** shadow-adduser 1.2:
 ** I took the C source from adduser-shadow (credits are below) and made
 ** it a little more worthwhile.  Many small changes... Here's
 ** the ones I can remember:
-** 
+**
 ** Removed support for non-shadowed systems (if you don't have shadow,
 **     use the original adduser, don't get this shadow version!)
 ** Added support for the correct /etc/shadow fields (Min days before
@@ -56,7 +56,7 @@
 **                               Brandon
 **                                  photon@usis.com
 **
-***** 
+*****
 ** adduser 1.0: add a new user account (For systems not using shadow)
 ** With a nice little interface and a will to do all the work for you.
 **
@@ -119,14 +119,14 @@
 
 void main()
 {
-	char foo[32];			
+	char foo[32];
 	char uname[9],person[32],dir[32],shell[32];
 	unsigned int group,min_pass,max_pass,warn_pass,user_die;
 	/* the group and uid of the new user */
 	int bad=0,done=0,correct=0,gets_warning=0;
 	char cmd[255];
 	struct group *grp;
-	
+
 	/* flags, in order:
 	* bad to see if the username is in /etc/passwd, or if strange stuff has
 	* been typed if the user might be put in group 0
@@ -137,24 +137,24 @@ void main()
 	*/
 
 	/* The real program starts HERE! */
-  
+
 	if(geteuid()!=0)
 	{
 		printf("It seems you don't have access to add a new user.  Try\n");
 		printf("logging in as root or su root to gain super-user access.\n");
 		exit(1);
 	}
-  
+
 	/* Sanity checks
 	*/
-	
+
 	if (!(grp=getgrgid(DEFAULT_GROUP))){
 		printf("Error: the default group %d does not exist on this system!\n",
 				DEFAULT_GROUP);
 		printf("adduser must be recompiled.\n");
 		exit(1);
-	}; 
+	};
- 
+
 	while(!correct) {		/* loop until a "good" uname is chosen */
 		while(!done) {
 			printf("\nLogin to add (^C to quit): ");
@@ -178,19 +178,19 @@ void main()
 			} else
 				done=1;
 		}; /* done, we have a valid new user name */
-		
+
 		/* all set, get the rest of the stuff */
 		printf("\nEditing information for new user [%s]\n",uname);
-  
+
 		printf("\nFull Name [%s]: ",uname);
 		gets(person);
 		if (!strlen(person)) {
 			bzero(person,sizeof(person));
 			strcpy(person,uname);
 		};
-      
+
 		do {
-			bad=0; 
+			bad=0;
 			printf("GID [%d]: ",DEFAULT_GROUP);
 			gets(foo);
 			if (!strlen(foo))
@@ -220,7 +220,7 @@ void main()
 
 
 		fflush(stdin);
-      
+
 		printf("\nIf home dir ends with a / then [%s] will be appended to it\n",uname);
 		printf("Home Directory [%s/%s]: ",DEFAULT_HOME,uname);
 		fflush(stdout);
@@ -237,30 +237,30 @@ void main()
 		gets(shell);
 		if (!strlen(shell))
 			sprintf(shell,"%s",DEFAULT_SHELL);
-      
+
 		printf("\nMin. Password Change Days [0]: ");
 		gets(foo);
 		min_pass=atoi(foo);
-            
+
 		printf("Max. Password Change Days [%d]: ",DEFAULT_MAX_PASS);
 		gets(foo);
 		if (strlen(foo) > 1)
 			max_pass = atoi(foo);
 		else
 			max_pass = DEFAULT_MAX_PASS;
-            
+
 		printf("Password Warning Days [%d]: ",DEFAULT_WARN_PASS);
 		gets(foo);
 		warn_pass = atoi(foo);
 		if (warn_pass==0)
 			warn_pass = DEFAULT_WARN_PASS;
-            
+
 		printf("Days after Password Expiry for Account Locking [%d]: ",DEFAULT_USER_DIE);
 		gets(foo);
 		user_die = atoi(foo);
 		if (user_die == 0)
 			user_die = DEFAULT_USER_DIE;
-      
+
 		printf("\nInformation for new user [%s] [%s]:\n",uname,person);
 		printf("Home directory: [%s] Shell: [%s]\n",dir,shell);
 		printf("GID: [%d]\n",group);
@@ -279,7 +279,7 @@ void main()
 	bzero(cmd,sizeof(cmd));
 	sprintf(cmd,"%s -g %d -d %s -s %s -c \"%s\" -m -k /etc/skel %s",
 			USERADD_PATH,group,dir,shell,person,uname);
-	printf("Calling useradd to add new user:\n%s\n",cmd);  
+	printf("Calling useradd to add new user:\n%s\n",cmd);
 	if(system(cmd)){
 		printf("User add failed!\n");
 		exit(errno);

doc/HOWTO

@@ -1311,7 +1311,7 @@
 
   This means that fred's password is valid, it was last changed on
   03/04/96, it can be changed at any time, it expires after 60 days,
-  fred will not be warned, and and the account won't be disabled when
+  fred will not be warned, and the account won't be disabled when
   the password expires.
 
   This simply means that if fred logs in after the password expires, he
@@ -1487,7 +1487,7 @@
 
   If a user logs into a line that is listed in /etc/dialups, and his
   shell is listed in the file /etc/d_passwd he will be allowed access
-  only by suppling the correct password.
+  only by supplying the correct password.
 
   Another useful purpose for using dial-up passwords might be to setup a
   line that only allows a certain type of connect (perhaps a PPP or UUCP

doc/README.limits

@@ -63,4 +63,3 @@ To completely disable limits for a user, a single dash (-) will do.
 Also, please note that all limit settings are set PER LOGIN.  They are
 not global, nor are they permanent.  Perhaps global limits will come, but
 for now this will have to do ;)
-

doc/README.platforms

@@ -3,7 +3,7 @@
 # This is the current (still incomplete) list of platforms this
 # package has been verified to work on.  Additions (preferably
 # in the format as described below) are welcome.  Thanks!
-# 
+#
 # V: last version reported to work
 # H: host type
 # L: Linux libc version

doc/README.skey

@@ -0,0 +1,4 @@
+# S/Key support
+shadow-utils can be built with S/Key support using the S/Key package from:
+* http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libskey/ or
+* https://gentoo.osuosl.org/distfiles/skey-1.1.5.tar.bz2

doc/WISHLIST

@@ -37,4 +37,3 @@ New ideas to add to this list are welcome, too.  --marekm
   per-user configuration, to be executed with run-parts. Some hooks should
   be executed at package install time for existing users, likewise for
   package removal and possibly modification.  (Debian Bug#36019)
-

docs/index.html

@@ -1,4 +1,4 @@
-<HEAD>
+<head>
 <title>shadow - Welcome</title>
 </head>
 <body>

etc/login.access

@@ -1,20 +1,20 @@
 # $Id$
 #
 # Login access control table.
-# 
+#
 # When someone logs in, the table is scanned for the first entry that
 # matches the (user, host) combination, or, in case of non-networked
 # logins, the first entry that matches the (user, tty) combination.  The
-# permissions field of that table entry determines whether the login will 
+# permissions field of that table entry determines whether the login will
 # be accepted or refused.
-# 
+#
 # Format of the login access control table is three fields separated by a
 # ":" character:
-# 
+#
 # 	permission : users : origins
-# 
+#
 # The first field should be a "+" (access granted) or "-" (access denied)
-# character. 
+# character.
 #
 # The second field should be a list of one or more login names, group
 # names, or ALL (always matches). A pattern of the form user@host is
@@ -37,7 +37,7 @@
 # listed: the program does not look at a user's primary group id value.
 #
 ##############################################################################
-# 
+#
 # Disallow console logins to all but a few accounts.
 #
 #-:ALL EXCEPT wheel shutdown sync:console

etc/login.defs

@@ -465,7 +465,6 @@ USERGROUPS_ENAB yes
 # Set to "yes" to prevent for all accounts
 # Set to "superuser" to prevent for UID 0 / root (default)
 # Set to "no" to not prevent for any account (dangerous, historical default)
-
 PREVENT_NO_AUTH superuser
 
 #

lib/Makefile.am

@@ -1,7 +1,7 @@
 
 AUTOMAKE_OPTIONS = 1.0 foreign
 
-DEFS = 
+DEFS =
 
 noinst_LTLIBRARIES = libshadow.la
 
@@ -10,6 +10,8 @@ if HAVE_VENDORDIR
 libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
 endif
 
+libshadow_la_CPPFLAGS += -I$(top_srcdir)
+
 libshadow_la_SOURCES = \
 	commonio.c \
 	commonio.h \

lib/commonio.c

@@ -403,11 +403,11 @@ int commonio_lock_nowait (struct commonio_db *db, bool log)
 	file_len = strlen(db->filename) + 11;/* %lu max size */
 	lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
 	file = (char*)malloc(file_len);
-	if(file == NULL) {
+	if (file == NULL) {
 		goto cleanup_ENOMEM;
 	}
 	lock = (char*)malloc(lock_file_len);
-	if(lock == NULL) {
+	if (lock == NULL) {
 		goto cleanup_ENOMEM;
 	}
 	snprintf (file, file_len, "%s.%lu",
@@ -419,9 +419,9 @@ int commonio_lock_nowait (struct commonio_db *db, bool log)
 		err = 1;
 	}
 cleanup_ENOMEM:
-	if(file)
+	if (file)
 		free(file);
-	if(lock)
+	if (lock)
 		free(lock);
 	return err;
 }

lib/faillog.h

@@ -45,8 +45,8 @@
 struct faillog {
 	short fail_cnt;		/* failures since last success */
 	short fail_max;		/* failures before turning account off */
-	char fail_line[12];	/* last failure occured here */
+	char fail_line[12];	/* last failure occurred here */
-	time_t fail_time;	/* last failure occured then */
+	time_t fail_time;	/* last failure occurred then */
 	/*
 	 * If nonzero, the account will be re-enabled if there are no
 	 * failures for fail_locktime seconds since last failure.

lib/prototypes.h

@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
 /* selinux.c */
 #ifdef WITH_SELINUX
 extern int set_selinux_file_context (const char *dst_name, mode_t mode);
+extern void reset_selinux_handle (void);
 extern int reset_selinux_file_context (void);
 extern int check_selinux_permit (const char *perm_name);
 #endif

lib/pwauth.c

@@ -127,7 +127,7 @@ int pw_auth (const char *cipher,
 #ifdef	SKEY
 	/*
 	 * If the user has an S/KEY entry show them the pertinent info
-	 * and then we can try validating the created cyphertext and the SKEY.
+	 * and then we can try validating the created ciphertext and the SKEY.
 	 * If there is no SKEY information we default to not using SKEY.
 	 */
 

lib/pwmem.c

@@ -93,14 +93,16 @@
 
 void pw_free (/*@out@*/ /*@only@*/struct passwd *pwent)
 {
-	free (pwent->pw_name);
+	if (pwent != NULL) {
-	if (pwent->pw_passwd) {
+		free (pwent->pw_name);
-		memzero (pwent->pw_passwd, strlen (pwent->pw_passwd));
+		if (pwent->pw_passwd) {
-		free (pwent->pw_passwd);
+			memzero (pwent->pw_passwd, strlen (pwent->pw_passwd));
+			free (pwent->pw_passwd);
+		}
+		free (pwent->pw_gecos);
+		free (pwent->pw_dir);
+		free (pwent->pw_shell);
+		free (pwent);
 	}
-	free (pwent->pw_gecos);
-	free (pwent->pw_dir);
-	free (pwent->pw_shell);
-	free (pwent);
 }
 

lib/run_part.c

@@ -17,7 +17,7 @@ int run_part (char *script_path, char *name, char *action)
 	char *args[] = { script_path, NULL };
 
 	pid=fork();
-	if (pid==-1){
+	if (pid==-1) {
 		perror ("Could not fork");
 		return 1;
 	}

lib/selinux.c

@@ -50,6 +50,11 @@ static void cleanup(void)
 	}
 }
 
+void reset_selinux_handle (void)
+{
+    cleanup();
+}
+
 /*
  * set_selinux_file_context - Set the security context before any file or
  *                            directory creation.

lib/semanage.c

@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
 	}
 
 	ret = 0;
+	reset_selinux_handle();
 
 done:
 	semanage_seuser_key_free (key);
@@ -331,7 +332,7 @@ int del_seuser (const char *login_name)
 
 	if (0 == exists) {
 		fprintf (shadow_logfd,
-		         _("Login mapping for %s is not defined, OK if default mapping was used\n"), 
+		         _("Login mapping for %s is not defined, OK if default mapping was used\n"),
 		         login_name);
 		ret = 0;  /* probably default mapping */
 		goto done;
@@ -346,7 +347,7 @@ int del_seuser (const char *login_name)
 
 	if (0 == exists) {
 		fprintf (shadow_logfd,
-		         _("Login mapping for %s is defined in policy, cannot be deleted\n"), 
+		         _("Login mapping for %s is defined in policy, cannot be deleted\n"),
 		         login_name);
 		ret = 0; /* Login mapping defined in policy can't be deleted */
 		goto done;

lib/sgetpwent.c

@@ -91,7 +91,7 @@ struct passwd *sgetpwent (const char *buf)
 	}
 
 	/* something at the end, columns over shot */
-	if( cp != NULL ) {
+	if ( cp != NULL ) {
 		return( NULL );
 	}
 

lib/shadowmem.c

@@ -79,11 +79,13 @@
 
 void spw_free (/*@out@*/ /*@only@*/struct spwd *spent)
 {
-	free (spent->sp_namp);
+	if (spent != NULL) {
-	if (NULL != spent->sp_pwdp) {
+		free (spent->sp_namp);
-		memzero (spent->sp_pwdp, strlen (spent->sp_pwdp));
+		if (NULL != spent->sp_pwdp) {
-		free (spent->sp_pwdp);
+			memzero (spent->sp_pwdp, strlen (spent->sp_pwdp));
+			free (spent->sp_pwdp);
+		}
+		free (spent);
 	}
-	free (spent);
 }
 

lib/subordinateio.c

@@ -53,7 +53,7 @@ static /*@null@*/ /*@only@*/void *subordinate_dup (const void *ent)
 static void subordinate_free (/*@out@*/ /*@only@*/void *ent)
 {
 	struct subordinate_range *rangeent = ent;
-	
+
 	free ((void *)(rangeent->owner));
 	free (rangeent);
 }
@@ -224,7 +224,7 @@ static const struct subordinate_range *find_range(struct commonio_db *db,
         /* Get UID of the username we are looking for */
         pwd = getpwnam(owner);
         if (NULL == pwd) {
-                /* Username not defined in /etc/passwd, or error occured during lookup */
+                /* Username not defined in /etc/passwd, or error occurred during lookup */
                 return NULL;
         }
         owner_uid = pwd->pw_uid;
@@ -296,7 +296,7 @@ static bool have_range(struct commonio_db *db,
 	end = start + count - 1;
 	range = find_range (db, owner, start);
 	while (range) {
-		unsigned long last; 
+		unsigned long last;
 
 		last = range->start + range->count - 1;
 		if (last >= (start + count - 1))
@@ -847,7 +847,7 @@ static int append_uids(uid_t **uids, const char *owner, int n)
 	} else {
 		struct passwd *pwd = getpwnam(owner);
 		if (NULL == pwd) {
-			/* Username not defined in /etc/passwd, or error occured during lookup */
+			/* Username not defined in /etc/passwd, or error occurred during lookup */
 			free(*uids);
 			*uids = NULL;
 			return -1;

lib/tcbfuncs.c

@@ -523,6 +523,12 @@ shadowtcb_status shadowtcb_move (/*@NULL@*/const char *user_newname, uid_t user_
 		         Prog, tcbdir, strerror (errno));
 		goto out_free;
 	}
+	if (chmod (tcbdir, dirmode.st_mode & 07777) != 0) {
+		fprintf (shadow_logfd,
+		         _("%s: Cannot change mode of %s: %s\n"),
+		         Prog, tcbdir, strerror (errno));
+		goto out_free;
+	}
 	ret = SHADOWTCB_SUCCESS;
 out_free:
 	free (tcbdir);

libmisc/Makefile.am

@@ -1,7 +1,7 @@
 
 EXTRA_DIST = .indent.pro xgetXXbyYY.c
 
-AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS)
+AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS)
 
 noinst_LTLIBRARIES = libmisc.la
 

libmisc/audit_help.c

@@ -68,7 +68,7 @@ void audit_help_open (void)
  * This function will log a message to the audit system using a predefined
  * message format. Parameter usage is as follows:
  *
- * type - type of message: AUDIT_USER_CHAUTHTOK for changing any account 
+ * type - type of message: AUDIT_USER_CHAUTHTOK for changing any account
  *	  attributes.
  * pgname - program's name
  * op  -  operation. "adding user", "changing finger info", "deleting group"

libmisc/copydir.c

@@ -117,7 +117,7 @@ static void error_acl (struct error_context *ctx, const char *fmt, ...)
 {
 	va_list ap;
 
-	/* ignore the case when destination does not support ACLs 
+	/* ignore the case when destination does not support ACLs
 	 * or extended attributes */
 	if (ENOTSUP == errno) {
 		errno = 0;

libmisc/find_new_gid.c

@@ -157,7 +157,7 @@ static int check_gid (const gid_t gid,
  * [GID_MIN:GID_MAX] range.
  * This ID should be higher than all the used GID, but if not possible,
  * the lowest unused ID in the range will be returned.
- * 
+ *
  * Return 0 on success, -1 if no unused GIDs are available.
  */
 int find_new_gid (bool sys_group,

libmisc/find_new_sub_gids.c

@@ -43,7 +43,7 @@
  *
  * If successful, find_new_sub_gids provides a range of unused
  * user IDs in the [SUB_GID_MIN:SUB_GID_MAX] range.
- * 
+ *
  * Return 0 on success, -1 if no unused GIDs are available.
  */
 int find_new_sub_gids (gid_t *range_start, unsigned long *range_count)

libmisc/find_new_sub_uids.c

@@ -43,7 +43,7 @@
  *
  * If successful, find_new_sub_uids provides a range of unused
  * user IDs in the [SUB_UID_MIN:SUB_UID_MAX] range.
- * 
+ *
  * Return 0 on success, -1 if no unused UIDs are available.
  */
 int find_new_sub_uids (uid_t *range_start, unsigned long *range_count)

libmisc/find_new_uid.c

@@ -157,7 +157,7 @@ static int check_uid(const uid_t uid,
  * [UID_MIN:UID_MAX] range.
  * This ID should be higher than all the used UID, but if not possible,
  * the lowest unused ID in the range will be returned.
- * 
+ *
  * Return 0 on success, -1 if no unused UIDs are available.
  */
 int find_new_uid(bool sys_user,

libmisc/hushed.c

@@ -90,7 +90,7 @@ bool hushed (const char *username)
 		return false;
 	}
 	for (found = false; !found && (fgets (buf, (int) sizeof buf, fp) == buf);) {
-		buf[strlen (buf) - 1] = '\0';
+		buf[strcspn (buf, "\n")] = '\0';
 		found = (strcmp (buf, pw->pw_shell) == 0) ||
 		        (strcmp (buf, pw->pw_name) == 0);
 	}

libmisc/idmapping.c

@@ -209,7 +209,7 @@ void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings,
 	}
 #endif
 
-	bufsize = ranges * ((ULONG_DIGITS  + 1) * 3);
+	bufsize = ranges * ((ULONG_DIGITS + 1) * 3);
 	pos = buf = xmalloc(bufsize);
 
 	/* Build the mapping command */

libmisc/limits.c

@@ -202,7 +202,7 @@ static int check_logins (const char *name, const char *maxlogins)
 	return 0;
 }
 
-/* Function setup_user_limits - checks/set limits for the curent login
+/* Function setup_user_limits - checks/set limits for the current login
  * Original idea from Joel Katz's lshell. Ported to shadow-login
  * by Cristian Gafton - gafton@sorosis.ro
  *
@@ -404,7 +404,7 @@ static bool user_in_group (const char *uname, const char *gname)
 {
 	struct group *groupdata;
 
-	if (uname == NULL || gname == NULL){ 
+	if (uname == NULL || gname == NULL) {
 		return false;
 	}
 

libmisc/log.c

@@ -42,7 +42,7 @@
 #include <lastlog.h>
 #include "prototypes.h"
 
-/* 
+/*
  * dolastlog - create lastlog entry
  *
  *	A "last login" entry is created for the user being logged in.  The

libmisc/loginprompt.c

@@ -103,7 +103,7 @@ void login_prompt (const char *prompt, char *name, int namesize)
 		(void) fflush (stdout);
 	}
 
-	/* 
+	/*
 	 * Read the user's response.  The trailing newline will be
 	 * removed.
 	 */

libmisc/motd.c

@@ -29,7 +29,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
- 
+
 #include <config.h>
 
 #ident "$Id$"

libmisc/prefix_flag.c

@@ -176,10 +176,10 @@ extern struct group *prefix_getgrnam(const char *name)
 		struct group * grp = NULL;
 
 		fg = fopen(group_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while((grp = fgetgrent(fg)) != NULL) {
+		while ((grp = fgetgrent(fg)) != NULL) {
-			if(!strcmp(name, grp->gr_name))
+			if (!strcmp(name, grp->gr_name))
 				break;
 		}
 		fclose(fg);
@@ -196,10 +196,10 @@ extern struct group *prefix_getgrgid(gid_t gid)
 		struct group * grp = NULL;
 
 		fg = fopen(group_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while((grp = fgetgrent(fg)) != NULL) {
+		while ((grp = fgetgrent(fg)) != NULL) {
-			if(gid == grp->gr_gid)
+			if (gid == grp->gr_gid)
 				break;
 		}
 		fclose(fg);
@@ -216,10 +216,10 @@ extern struct passwd *prefix_getpwuid(uid_t uid)
 		struct passwd *pwd = NULL;
 
 		fg = fopen(passwd_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while((pwd = fgetpwent(fg)) != NULL) {
+		while ((pwd = fgetpwent(fg)) != NULL) {
-			if(uid == pwd->pw_uid)
+			if (uid == pwd->pw_uid)
 				break;
 		}
 		fclose(fg);
@@ -236,10 +236,10 @@ extern struct passwd *prefix_getpwnam(const char* name)
 		struct passwd *pwd = NULL;
 
 		fg = fopen(passwd_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while((pwd = fgetpwent(fg)) != NULL) {
+		while ((pwd = fgetpwent(fg)) != NULL) {
-			if(!strcmp(name, pwd->pw_name))
+			if (!strcmp(name, pwd->pw_name))
 				break;
 		}
 		fclose(fg);
@@ -256,10 +256,10 @@ extern struct spwd *prefix_getspnam(const char* name)
 		struct spwd *sp = NULL;
 
 		fg = fopen(spw_db_file, "rt");
-		if(!fg)
+		if (!fg)
 			return NULL;
-		while((sp = fgetspent(fg)) != NULL) {
+		while ((sp = fgetspent(fg)) != NULL) {
-			if(!strcmp(name, sp->sp_namp))
+			if (!strcmp(name, sp->sp_namp))
 				break;
 		}
 		fclose(fg);
@@ -272,7 +272,7 @@ extern struct spwd *prefix_getspnam(const char* name)
 
 extern void prefix_setpwent()
 {
-	if(!passwd_db_file) {
+	if (!passwd_db_file) {
 		setpwent();
 		return;
 	}
@@ -280,19 +280,22 @@ extern void prefix_setpwent()
 		fclose (fp_pwent);
 
 	fp_pwent = fopen(passwd_db_file, "rt");
-	if(!fp_pwent)
+	if (!fp_pwent)
 		return;
 }
 extern struct passwd* prefix_getpwent()
 {
-	if(!passwd_db_file) {
+	if (!passwd_db_file) {
 		return getpwent();
 	}
+	if (!fp_pwent) {
+		return NULL;
+	}
 	return fgetpwent(fp_pwent);
 }
 extern void prefix_endpwent()
 {
-	if(!passwd_db_file) {
+	if (!passwd_db_file) {
 		endpwent();
 		return;
 	}
@@ -303,7 +306,7 @@ extern void prefix_endpwent()
 
 extern void prefix_setgrent()
 {
-	if(!group_db_file) {
+	if (!group_db_file) {
 		setgrent();
 		return;
 	}
@@ -311,19 +314,19 @@ extern void prefix_setgrent()
 		fclose (fp_grent);
 
 	fp_grent = fopen(group_db_file, "rt");
-	if(!fp_grent)
+	if (!fp_grent)
 		return;
 }
 extern struct group* prefix_getgrent()
 {
-	if(!group_db_file) {
+	if (!group_db_file) {
 		return getgrent();
 	}
 	return fgetgrent(fp_grent);
 }
 extern void prefix_endgrent()
 {
-	if(!group_db_file) {
+	if (!group_db_file) {
 		endgrent();
 		return;
 	}

libmisc/salt.c

@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre
 		if ((-1 == min_rounds) && (-1 == max_rounds)) {
 			rounds = SHA_ROUNDS_DEFAULT;
 		}
+		else {
+			if (-1 == min_rounds) {
+				min_rounds = max_rounds;
+			}
 
-		if (-1 == min_rounds) {
+			if (-1 == max_rounds) {
-			min_rounds = max_rounds;
+				max_rounds = min_rounds;
+			}
+
+			if (min_rounds > max_rounds) {
+				max_rounds = min_rounds;
+			}
+
+			rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
 		}
-
-		if (-1 == max_rounds) {
-			max_rounds = min_rounds;
-		}
-
-		if (min_rounds > max_rounds) {
-			max_rounds = min_rounds;
-		}
-
-		rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
 	} else if (0 == *prefered_rounds) {
 		rounds = SHA_ROUNDS_DEFAULT;
 	} else {

libsubid/Makefile.am

@@ -1,7 +1,10 @@
 lib_LTLIBRARIES = libsubid.la
+if ENABLE_SHARED
 libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
 	-shared -version-info @LIBSUBID_ABI_MAJOR@
+endif
 libsubid_la_SOURCES = api.c
+libsubid_la_LDFLAGS = -export-symbols-regex '^subid_'
 
 pkginclude_HEADERS = subid.h
 
@@ -9,6 +12,7 @@ MISCLIBS = \
 	$(LIBAUDIT) \
 	$(LIBSELINUX) \
 	$(LIBSEMANAGE) \
+	$(LIBCRACK) \
 	$(LIBCRYPT_NOPAM) \
 	$(LIBSKEY) \
 	$(LIBMD) \
@@ -16,11 +20,12 @@ MISCLIBS = \
 	$(LIBCRYPT) \
 	$(LIBACL) \
 	$(LIBATTR) \
-	$(LIBTCB)
+	$(LIBTCB) \
+	$(LIBPAM)
 
 libsubid_la_LIBADD = \
-	$(top_srcdir)/lib/libshadow.la \
+	$(top_builddir)/lib/libshadow.la \
-	$(top_srcdir)/libmisc/libmisc.la \
+	$(top_builddir)/libmisc/libmisc.la \
 	$(MISCLIBS) -ldl
 
 AM_CPPFLAGS = \

libsubid/api.c

@@ -39,10 +39,10 @@
 #include "idmapping.h"
 #include "subid.h"
 
-const char *Prog = "(libsubid)";
+static const char *Prog = "(libsubid)";
-FILE *shadow_logfd;
+static FILE *shadow_logfd;
 
-bool libsubid_init(const char *progname, FILE * logfd)
+bool subid_init(const char *progname, FILE * logfd)
 {
 	if (progname) {
 		progname = strdup(progname);
@@ -70,12 +70,12 @@ int get_subid_ranges(const char *owner, enum subid_type id_type, struct subid_ra
 	return list_owner_ranges(owner, id_type, ranges);
 }
 
-int get_subuid_ranges(const char *owner, struct subid_range **ranges)
+int subid_get_uid_ranges(const char *owner, struct subid_range **ranges)
 {
 	return get_subid_ranges(owner, ID_TYPE_UID, ranges);
 }
 
-int get_subgid_ranges(const char *owner, struct subid_range **ranges)
+int subid_get_gid_ranges(const char *owner, struct subid_range **ranges)
 {
 	return get_subid_ranges(owner, ID_TYPE_GID, ranges);
 }
@@ -86,12 +86,12 @@ int get_subid_owner(unsigned long id, enum subid_type id_type, uid_t **owner)
 	return find_subid_owners(id, id_type, owner);
 }
 
-int get_subuid_owners(uid_t uid, uid_t **owner)
+int subid_get_uid_owners(uid_t uid, uid_t **owner)
 {
 	return get_subid_owner((unsigned long)uid, ID_TYPE_UID, owner);
 }
 
-int get_subgid_owners(gid_t gid, uid_t **owner)
+int subid_get_gid_owners(gid_t gid, uid_t **owner)
 {
 	return get_subid_owner((unsigned long)gid, ID_TYPE_GID, owner);
 }
@@ -103,12 +103,12 @@ bool grant_subid_range(struct subordinate_range *range, bool reuse,
 	return new_subid_range(range, id_type, reuse);
 }
 
-bool grant_subuid_range(struct subordinate_range *range, bool reuse)
+bool subid_grant_uid_range(struct subordinate_range *range, bool reuse)
 {
 	return grant_subid_range(range, reuse, ID_TYPE_UID);
 }
 
-bool grant_subgid_range(struct subordinate_range *range, bool reuse)
+bool subid_grant_gid_range(struct subordinate_range *range, bool reuse)
 {
 	return grant_subid_range(range, reuse, ID_TYPE_GID);
 }
@@ -119,12 +119,12 @@ bool ungrant_subid_range(struct subordinate_range *range, enum subid_type id_typ
 	return release_subid_range(range, id_type);
 }
 
-bool ungrant_subuid_range(struct subordinate_range *range)
+bool subid_ungrant_uid_range(struct subordinate_range *range)
 {
 	return ungrant_subid_range(range, ID_TYPE_UID);
 }
 
-bool ungrant_subgid_range(struct subordinate_range *range)
+bool subid_ungrant_gid_range(struct subordinate_range *range)
 {
 	return ungrant_subid_range(range, ID_TYPE_GID);
 }

libsubid/subid.h.in

@@ -4,6 +4,10 @@
 
 #ifndef SUBID_RANGE_DEFINED
 #define SUBID_RANGE_DEFINED 1
+#define SUBID_ABI_VERSION @LIBSUBID_ABI_MAJOR@.@LIBSUBID_ABI_MINOR@.@LIBSUBID_ABI_MICRO@
+#define SUBID_ABI_MAJOR @LIBSUBID_ABI_MAJOR@
+#define SUBID_ABI_MINOR @LIBSUBID_ABI_MINOR@
+#define SUBID_ABI_MICRO @LIBSUBID_ABI_MICRO@
 
 /* subid_range is just a starting point and size of a range */
 struct subid_range {
@@ -32,7 +36,7 @@ enum subid_status {
 };
 
 /*
- * libsubid_init: initialize libsubid
+ * subid_init: initialize libsubid
  *
  * @progname: Name to display as program.  If NULL, then "(libsubid)" will be
  *            shown in error messages.
@@ -45,10 +49,10 @@ enum subid_status {
  *
  * Returns false if an error occurred.
  */
-bool libsubid_init(const char *progname, FILE *logfd);
+bool subid_init(const char *progname, FILE *logfd);
 
 /*
- * get_subuid_ranges: return a list of UID ranges for a user
+ * subid_get_uid_ranges: return a list of UID ranges for a user
  *
  * @owner: username being queried
  * @ranges: a pointer to an array of subid_range structs in which the result
@@ -58,10 +62,10 @@ bool libsubid_init(const char *progname, FILE *logfd);
  *
  * returns: number of ranges found, ir < 0 on error.
  */
-int get_subuid_ranges(const char *owner, struct subid_range **ranges);
+int subid_get_uid_ranges(const char *owner, struct subid_range **ranges);
 
 /*
- * get_subgid_ranges: return a list of GID ranges for a user
+ * subid_get_gid_ranges: return a list of GID ranges for a user
  *
  * @owner: username being queried
  * @ranges: a pointer to an array of subid_range structs in which the result
@@ -71,10 +75,10 @@ int get_subuid_ranges(const char *owner, struct subid_range **ranges);
  *
  * returns: number of ranges found, ir < 0 on error.
  */
-int get_subgid_ranges(const char *owner, struct subid_range **ranges);
+int subid_get_gid_ranges(const char *owner, struct subid_range **ranges);
 
 /*
- * get_subuid_owners: return a list of uids to which the given uid has been
+ * subid_get_uid_owners: return a list of uids to which the given uid has been
  *                    delegated.
  *
  * @uid: The subuid being queried
@@ -83,10 +87,10 @@ int get_subgid_ranges(const char *owner, struct subid_range **ranges);
  *
  * Returns the number of uids returned, or < 0 on error.
  */
-int get_subuid_owners(uid_t uid, uid_t **owner);
+int subid_get_uid_owners(uid_t uid, uid_t **owner);
 
 /*
- * get_subgid_owners: return a list of uids to which the given gid has been
+ * subid_get_gid_owners: return a list of uids to which the given gid has been
  *                    delegated.
  *
  * @uid: The subgid being queried
@@ -95,10 +99,10 @@ int get_subuid_owners(uid_t uid, uid_t **owner);
  *
  * Returns the number of uids returned, or < 0 on error.
  */
-int get_subgid_owners(gid_t gid, uid_t **owner);
+int subid_get_gid_owners(gid_t gid, uid_t **owner);
 
 /*
- * grant_subuid_range: assign a subuid range to a user
+ * subid_grant_uid_range: assign a subuid range to a user
  *
  * @range: pointer to a struct subordinate_range detailing the UID range
  *         to allocate.  ->owner must be the username, and ->count must be
@@ -109,10 +113,10 @@ int get_subgid_owners(gid_t gid, uid_t **owner);
  * then the range from (range->start, range->start + range->count) will
  * be delegated to range->owner.
  */
-bool grant_subuid_range(struct subordinate_range *range, bool reuse);
+bool subid_grant_uid_range(struct subordinate_range *range, bool reuse);
 
 /*
- * grant_subsid_range: assign a subgid range to a user
+ * subid_grant_gid_range: assign a subgid range to a user
  *
  * @range: pointer to a struct subordinate_range detailing the GID range
  *         to allocate.  ->owner must be the username, and ->count must be
@@ -123,10 +127,10 @@ bool grant_subuid_range(struct subordinate_range *range, bool reuse);
  * then the range from (range->start, range->start + range->count) will
  * be delegated to range->owner.
  */
-bool grant_subgid_range(struct subordinate_range *range, bool reuse);
+bool subid_grant_gid_range(struct subordinate_range *range, bool reuse);
 
 /*
- * ungrant_subuid_range: remove a subuid allocation.
+ * subid_ungrant_uid_range: remove a subuid allocation.
  *
  * @range: pointer to a struct subordinate_range detailing the UID allocation
  *         to remove.
@@ -134,10 +138,10 @@ bool grant_subgid_range(struct subordinate_range *range, bool reuse);
  * Returns true if successful, false if it failed, for instance if the
  * delegation did not exist.
  */
-bool ungrant_subuid_range(struct subordinate_range *range);
+bool subid_ungrant_uid_range(struct subordinate_range *range);
 
 /*
- * ungrant_subuid_range: remove a subgid allocation.
+ * subid_ungrant_gid_range: remove a subgid allocation.
  *
  * @range: pointer to a struct subordinate_range detailing the GID allocation
  *         to remove.
@@ -145,7 +149,7 @@ bool ungrant_subuid_range(struct subordinate_range *range);
  * Returns true if successful, false if it failed, for instance if the
  * delegation did not exist.
  */
-bool ungrant_subgid_range(struct subordinate_range *range);
+bool subid_ungrant_gid_range(struct subordinate_range *range);
 
 #define SUBID_NFIELDS 3
 #endif

man/Makefile.am

@@ -62,6 +62,7 @@ man_MANS += $(man_nopam)
 endif
 
 man_subids = \
+	man1/getsubids.1 \
 	man1/newgidmap.1 \
 	man1/newuidmap.1 \
 	man5/subgid.5 \
@@ -80,6 +81,7 @@ man_XMANS = \
 	expiry.1.xml \
 	faillog.5.xml \
 	faillog.8.xml \
+	getsubids.1.xml \
 	gpasswd.1.xml \
 	groupadd.8.xml \
 	groupdel.8.xml \

man/cs/man5/gshadow.5

@@ -1,4 +1,4 @@
-.TH "GSHADOW" "5" "11/05/2005" "File Formats and Conversions" "File Formats and Conversions"
+.TH "GSHADOW" "5" "11/05/2005" "File Formats and Configuration Files" "File Formats and Configuration Files"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)

man/faillog.5.xml

@@ -56,7 +56,7 @@
   <refmeta>
     <refentrytitle>faillog</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc"> File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc"> File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/getsubids.1.xml

@@ -0,0 +1,151 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+   Copyright (c) 2021 Iker Pedrosa
+   All rights reserved.
+
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+   2. Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   3. The name of the copyright holders or contributors may not be used to
+      endorse or promote products derived from this software without
+      specific prior written permission.
+
+   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!-- SHADOW-CONFIG-HERE -->
+]>
+
+<refentry id='getsubids.1'>
+  <refentryinfo>
+    <author>
+      <firstname>Iker</firstname>
+      <surname>Pedrosa</surname>
+      <contrib>Creation, 2021</contrib>
+    </author>
+  </refentryinfo>
+  <refmeta>
+    <refentrytitle>getsubids</refentrytitle>
+    <manvolnum>1</manvolnum>
+    <refmiscinfo class="sectdesc">User Commands</refmiscinfo>
+    <refmiscinfo class="source">shadow-utils</refmiscinfo>
+    <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
+  </refmeta>
+  <refnamediv id='name'>
+    <refname>getsubids</refname>
+    <refpurpose>get the subordinate id ranges for a user</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv id='synopsis'>
+    <cmdsynopsis>
+      <command>getsubids</command>
+      <arg choice='opt'>
+        <replaceable>options</replaceable>
+      </arg>
+      <arg choice='plain'>
+        <replaceable>USER</replaceable>
+      </arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id='description'>
+    <title>DESCRIPTION</title>
+    <para>
+      The <command>getsubids</command> command lists the subordinate user ID
+      ranges for a given user. The subordinate group IDs can be listed using
+      the <option>-g</option> option.
+    </para>
+  </refsect1>
+
+  <refsect1 id='options'>
+    <title>OPTIONS</title>
+    <para>
+      The options which apply to the <command>getsubids</command> command are:
+    </para>
+    <variablelist remap='IP'>
+      <varlistentry>
+        <term>
+          <option>-g</option>
+        </term>
+        <listitem>
+          <para>
+            List the subordinate group ID ranges.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>-h</option>
+        </term>
+        <listitem>
+          <para>
+            Display help message and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='example'>
+    <title>EXAMPLE</title>
+    <para>
+      For example, to obtain the subordinate UIDs of the testuser:
+    </para>
+    <para>
+<programlisting>
+$ getsubids testuser
+0: testuser 100000 65536
+</programlisting>
+    </para>
+    <para>
+      This command output provides (in order from left to right) the list
+      index, username, UID range start, and number of UIDs in range.
+    </para>
+  </refsect1>
+
+  <refsect1 id='see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>newgidmap</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>newuidmap</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>userdel</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
+      <citerefentry>
+        <refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+    </para>
+  </refsect1>
+</refentry>

man/gshadow.5.xml

@@ -45,7 +45,7 @@
   <refmeta>
     <refentrytitle>gshadow</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/ja/man1/chage.1

@@ -117,4 +117,4 @@ chage \- ユーザパスワードの有効期限情報を変更する。
 .BR passwd (5),
 .BR shadow (5)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/chfn.1

@@ -69,4 +69,4 @@ chfn は現在のユーザアカウントに対して動作する。
 .SH 関連項目
 .BR passwd (5)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/chsh.1

@@ -69,4 +69,4 @@ chsh \- ログインシェルを変更する
 .BR chfn (1),
 .BR passwd (5)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/groups.1

@@ -62,4 +62,4 @@ ID 値に対応する名前が \fI/etc/group\fR に登録されていなけれ
 .BR getgid (2),
 .BR getgroups (2)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/id.1

@@ -54,4 +54,4 @@ id \- 現在のユーザ ID 名とグループ ID 名を表示する
 .BR getgroups (2),
 .BR getuid (2)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/login.1

@@ -138,4 +138,4 @@ root が \fBlogin\fP を起動した場合にのみ用いる。
 .BR passwd (5),
 .BR getty (8)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/newgrp.1

@@ -89,4 +89,4 @@ sg の実行元となるであろうシェルのほとんどにおいて、
 .BR login (1),
 .BR su (1)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/passwd.1

@@ -214,4 +214,4 @@ NIS が動作していて、
 .BR passwd (5),
 .BR shadow (5)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man1/su.1

@@ -85,4 +85,4 @@ su \- ユーザIDを変更する。またはスーパーユーザになる
 .BR login.defs (5),
 .BR suauth (5)
 .SH 著者
-Julianne Frances Haugh <jockgrrl@ix.netcom.com>
+Julianne Frances Haugh <julie78787@gmail.com>

man/ja/man3/shadow.3

@@ -150,4 +150,4 @@ shadowされたパスワードファイルへのアクセスは制限されて
 .BR getpwent (3),
 .BR shadow (5)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man5/faillog.5

@@ -61,4 +61,4 @@ faillog \- ログイン失敗を記録するファイル
 .SH 関連項目
 .BR faillog (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man5/login.defs.5

@@ -188,6 +188,6 @@ shadow パスワード機能によって提供されてきた機能の大部分
 .BR shadow (5),
 .BR pam (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)
 .br
 Chip Rosenthal (chip@unicom.com)

man/ja/man5/passwd.5

@@ -110,4 +110,4 @@ ulimit= \- ulimit の初期設定値
 .BR pwunconv (8),
 .BR sulogin (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man5/porttime.5

@@ -90,4 +90,4 @@ porttime \- ポートアクセス時間設定ファイル
 .SH 関連項目
 .BR login (1)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man5/shadow.5

@@ -99,4 +99,4 @@ a から z、A から Z のアルファベット、
 .BR pwunconv (8),
 .BR sulogin (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/chpasswd.8

@@ -67,4 +67,4 @@
 .BR newusers (8),
 .BR useradd (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/faillog.8

@@ -94,4 +94,4 @@ faillog \- faillog を調べ、login 失敗の制限を設定する
 .BR login (1),
 .BR faillog (5)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/groupadd.8

@@ -65,4 +65,4 @@ groupadd \- 新しいグループを作成する
 .BR userdel (8),
 .BR usermod (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/groupdel.8

@@ -62,4 +62,4 @@ groupdel \- グループを削除する
 .BR userdel (8),
 .BR usermod (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/groupmod.8

@@ -67,4 +67,4 @@ groupmod \- グループを修正する
 .BR userdel (8),
 .BR usermod (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/grpck.8

@@ -113,4 +113,4 @@ grpck \- グループファイルが正しいかどうか検査する
 .IP 5 5
 グループファイルを更新できない
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/lastlog.8

@@ -75,6 +75,6 @@ lastlog プログラムは長時間画面に何も出力しないまま
 UID が 171\-799 の間プログラムは何も出力しないので、
 ハングしたように見える)。
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)
 .BR
 Phillip Street

man/ja/man8/logoutd.8

@@ -52,4 +52,4 @@ logoutd \- ログイン時間の制限を実施する
 .br
 /etc/utmp \- 現在のログインセッション
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/newusers.8

@@ -68,4 +68,4 @@ newusers \- ユーザの新規作成や情報更新をバッチ処理で行う
 .BR passwd (1),
 .BR useradd (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/pwck.8

@@ -118,4 +118,4 @@ pwck \- パスワードファイルが正しいかどうか検査する
 .IP 5 5
 パスワードファイルを更新出来ない
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/sulogin.8

@@ -92,4 +92,4 @@ co:s:respawn:/etc/sulogin /dev/console
 .BR sh (1),
 .BR init (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/useradd.8

@@ -173,4 +173,4 @@ NIS のグループにユーザを加えてはならない。
 .BR userdel (8),
 .BR usermod (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/userdel.8

@@ -74,4 +74,4 @@ NIS のクライアントからは、NIS の属性値は削除できない。
 .BR useradd (8),
 .BR usermod (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/ja/man8/usermod.8

@@ -142,4 +142,4 @@ NIS に関する作業は NIS サーバ上で行なわなければならない
 .BR useradd (8),
 .BR userdel (8)
 .SH 著者
-Julianne Frances Haugh (jockgrrl@ix.netcom.com)
+Julianne Frances Haugh (julie78787@gmail.com)

man/limits.5.xml

@@ -58,7 +58,7 @@
   <refmeta>
     <refentrytitle>limits</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/login.access.5.xml

@@ -57,7 +57,7 @@
   <refmeta>
     <refentrytitle>login.access</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/login.defs.5.xml

@@ -125,7 +125,7 @@
   <refmeta>
     <refentrytitle>login.defs</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/login.defs.d/MAIL_DIR.xml

@@ -35,6 +35,8 @@
       The mail spool directory. This is needed to manipulate the mailbox
       when its corresponding user account is modified or deleted. If not
       specified, a compile-time default is used.
+      The parameter CREATE_MAIL_SPOOL in <filename>/etc/default/useradd</filename>
+      determines whether the mail spool should be created.
     </para>
   </listitem>
 </varlistentry><varlistentry>

man/passwd.5.xml

@@ -56,7 +56,7 @@
   <refmeta>
     <refentrytitle>passwd</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/po/Makefile.in

@@ -90,9 +90,17 @@ $(DOMAIN).pot-update: $(XMLFILES) $(srcdir)/XMLFILES remove-potcdate.sed
 	@set -e; tmpdir=`pwd`; \
 	echo "cd $(top_srcdir)/man"; \
 	cd $(top_srcdir)/man; \
-	echo "xml2po --expand-all-entities -o $$tmpdir/$(DOMAIN).po $(notdir $(XMLFILES))"; \
+	files=""; \
-	xml2po --expand-all-entities -o $$tmpdir/$(DOMAIN).po $(notdir $(XMLFILES)); \
+	for file in $(notdir $(XMLFILES)); do \
-	cd $$tmpdir
+		if grep -q SHADOW-CONFIG-HERE $$file ; then \
+			sed -e 's/^<!-- SHADOW-CONFIG-HERE -->/<!ENTITY % config SYSTEM "config.xml">%config;/' $$file > $$file.out; \
+		else \
+			sed -e 's/^\(<!DOCTYPE .*docbookx.dtd"\)>/\1 [<!ENTITY % config SYSTEM "config.xml">%config;]>/' $$file > $$file.out; \
+		fi; \
+		files="$$files $$file.out"; \
+	done; \
+	itstool -d -o $$tmpdir/$(DOMAIN).po $$files; \
+	cd $$tmpdir; \
 	test ! -f $(DOMAIN).po || { \
 	  if test -f $(srcdir)/$(DOMAIN).pot; then \
 	    sed -f remove-potcdate.sed < $(srcdir)/$(DOMAIN).pot > $(DOMAIN).1po && \

man/porttime.5.xml

@@ -56,7 +56,7 @@
   <refmeta>
     <refentrytitle>porttime</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/shadow.5.xml

@@ -56,7 +56,7 @@
   <refmeta>
     <refentrytitle>shadow</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/suauth.5.xml

@@ -56,7 +56,7 @@
   <refmeta>
     <refentrytitle>suauth</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/subgid.5.xml

@@ -47,7 +47,7 @@
   <refmeta>
     <refentrytitle>subgid</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/subuid.5.xml

@@ -47,7 +47,7 @@
   <refmeta>
     <refentrytitle>subuid</refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
+    <refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
     <refmiscinfo class="source">shadow-utils</refmiscinfo>
     <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
   </refmeta>

man/useradd.8.xml

@@ -343,6 +343,12 @@
 	    databases are reset to avoid reusing the entry from a previously
 	    deleted user.
 	  </para>
+	  <para>
+	    If this option is not specified, <command>useradd</command>
+	    will also consult the variable <option>LOG_INIT</option> in
+	    the <filename>/etc/default/useradd</filename> if set to no
+		the user will not be added to the lastlog and faillog databases.
+	  </para>
 	</listitem>
       </varlistentry>
       <varlistentry>

man/usermod.8.xml

@@ -326,6 +326,17 @@
 	  </para>
 	</listitem>
       </varlistentry>
+      <varlistentry>
+	<term>
+	  <option>-r</option>, <option>--remove</option>
+	</term>
+	<listitem>
+	  <para>
+	    Remove the user from named supplementary group(s). Use only with the
+	    <option>-G</option> option.
+	  </para>
+	</listitem>
+      </varlistentry>
       <varlistentry>
 	<term>
 	  <option>-R</option>, <option>--root</option>&nbsp;<replaceable>CHROOT_DIR</replaceable>