--- /dev/null
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+\f
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+\f
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+\f
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+\f
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+\f
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
--- /dev/null
+Goal: Log login failures to the btmp file
+
+Notes:
+ * I'm not sure login should add an entry in the FTMP file when PAM is used.
+ (but nothing in /etc/login.defs indicates that the failure is not logged)
+
+--- a/src/login.c
++++ b/src/login.c
+@@ -832,6 +832,24 @@
+ (void) puts ("");
+ (void) puts (_("Login incorrect"));
+
++ if (getdef_str("FTMP_FILE") != NULL) {
++#ifdef USE_UTMPX
++ struct utmpx *failent =
++ prepare_utmpx (failent_user,
++ tty,
++ /* FIXME: or fromhost? */hostname,
++ utent);
++#else /* !USE_UTMPX */
++ struct utmp *failent =
++ prepare_utmp (failent_user,
++ tty,
++ hostname,
++ utent);
++#endif /* !USE_UTMPX */
++ failtmp (failent_user, failent);
++ free (failent);
++ }
++
+ if (failcount >= retries) {
+ SYSLOG ((LOG_NOTICE,
+ "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
+--- a/lib/getdef.c
++++ b/lib/getdef.c
+@@ -62,6 +62,7 @@
+ {"ERASECHAR", NULL},
+ {"FAIL_DELAY", NULL},
+ {"FAKE_SHELL", NULL},
++ {"FTMP_FILE", NULL},
+ {"GID_MAX", NULL},
+ {"GID_MIN", NULL},
+ {"HUSHLOGIN_FILE", NULL},
+@@ -103,7 +104,6 @@
+ {"ENVIRON_FILE", NULL},
+ {"ENV_TZ", NULL},
+ {"FAILLOG_ENAB", NULL},
+- {"FTMP_FILE", NULL},
+ {"ISSUE_FILE", NULL},
+ {"LASTLOG_ENAB", NULL},
+ {"LOGIN_STRING", NULL},
--- /dev/null
+Goal: Retrieve the PAM username in case a module changed the PAM_USER
+ item.
+
+According to Linux-PAM_ADG:
+ * Note, modules can change the values of PAM_USER and PAM_RUSER during
+ any of the pam_*() library calls. For this reason, the application
+ should take care to use the pam_get_item() every time it wishes to
+ establish who the authenticated user is (or will currently be).
+
+PAM_USER description:
+
+ The username of the entity under whose identity service will be given. That
+ is, following authentication, PAM_USER identifies the local entity that
+ gets to use the service. Note, this value can be mapped from something
+ (eg., "anonymous") to something else (eg. "guest119") by any module in the
+ PAM stack. As such an application should consult the value of PAM_USER
+ after each call to a PAM function.
+
+See also: https://www.redhat.com/archives/pam-list/2008-May/msg00009.html
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -325,6 +325,8 @@
+ char **envp = environ;
+ char *shellstr = NULL;
+ char *command = NULL;
++ char *tmp_name;
++ char **ptr_tmp_name = &tmp_name;
+
+ #ifdef USE_PAM
+ char **envcp;
+@@ -728,6 +730,14 @@
+ su_failure (tty);
+ }
+ }
++ ret = pam_get_item(pamh, PAM_USER, (const void **) ptr_tmp_name);
++ if (ret != PAM_SUCCESS) {
++ SYSLOG((LOG_ERR, "pam_get_item: internal PAM error\n"));
++ fprintf(stderr, "%s: Internal PAM error retrieving username\n", Prog);
++ (void) pam_end(pamh, ret);
++ su_failure(tty);
++ }
++ strncpy(name, tmp_name, sizeof(name) - 1);
+ #else /* !USE_PAM */
+ /*
+ * Set up a signal handler in case the user types QUIT.
--- /dev/null
+--- a/src/su.c
++++ b/src/su.c
+@@ -342,7 +342,7 @@
+ #endif
+ #endif /* !USE_PAM */
+
+- sanitize_env ();
++ /* sanitize_env (); */
+
+ (void) setlocale (LC_ALL, "");
+ (void) bindtextdomain (PACKAGE, LOCALEDIR);
--- /dev/null
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 401_cppw_src.dpatch by Nicolas FRANCOIS <nicolas.francois@centraliens.net>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add cppw / cpgr
+
+@DPATCH@
+--- /dev/null
++++ b/src/cppw.c
+@@ -0,0 +1,199 @@
++/*
++ cppw, cpgr copy with locking given file over the password or group file
++ with -s will copy with locking given file over shadow or gshadow file
++
++ Copyright (C) 1999 Stephen Frost <sfrost@snowman.net>
++
++ Based on vipw, vigr by:
++ Copyright (C) 1997 Guy Maor <maor@ece.utexas.edu>
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 2 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful, but
++ WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program; if not, write to the Free Software
++ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
++
++ */
++
++#include <config.h>
++#include "defines.h"
++
++#include <errno.h>
++#include <sys/stat.h>
++#include <unistd.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <sys/types.h>
++#include <signal.h>
++#include <utime.h>
++#include "prototypes.h"
++#include "pwio.h"
++#include "shadowio.h"
++#include "groupio.h"
++#include "sgroupio.h"
++
++
++static const char *progname, *filename, *filenewname;
++static int filelocked = 0;
++static int (*unlock)();
++
++/* local function prototypes */
++static int create_backup_file (FILE *, const char *, struct stat *);
++static void cppwexit (const char *, int, int);
++static void cppwcopy (const char *, const char *, int (*) (void), int (*) (void));
++int main (int, char **);
++
++static int
++create_backup_file(FILE *fp, const char *backup, struct stat *sb)
++{
++ struct utimbuf ub;
++ FILE *bkfp;
++ int c;
++ mode_t mask;
++
++ mask = umask(077);
++ bkfp = fopen(backup, "w");
++ umask(mask);
++ if (!bkfp) return -1;
++
++ rewind(fp);
++ while ((c = getc(fp)) != EOF) {
++ if (putc(c, bkfp) == EOF) break;
++ }
++
++ if (c != EOF || fflush(bkfp)) {
++ fclose(bkfp);
++ unlink(backup);
++ return -1;
++ }
++ if ( (fsync (fileno (bkfp)) != 0)
++ || (fclose(bkfp) != 0)) {
++ unlink(backup);
++ return -1;
++ }
++
++ ub.actime = sb->st_atime;
++ ub.modtime = sb->st_mtime;
++ if (utime(backup, &ub) ||
++ chmod(backup, sb->st_mode) ||
++ chown(backup, sb->st_uid, sb->st_gid)) {
++ unlink(backup);
++ return -1;
++ }
++ return 0;
++}
++
++static void
++cppwexit(const char *msg, int syserr, int ret)
++{
++ int err = errno;
++ if (filelocked) (*unlock)();
++ if (msg) fprintf(stderr, "%s: %s", progname, msg);
++ if (syserr) fprintf(stderr, ": %s", strerror(err));
++ fprintf(stderr, "\n%s: %s is unchanged\n", progname, filename);
++ exit(ret);
++}
++
++static void
++cppwcopy(const char *file, const char *in_file, int (*file_lock) (void), int (*file_unlock) (void))
++{
++ struct stat st1;
++ FILE *f;
++ char filenew[1024];
++
++ snprintf(filenew, sizeof filenew, "%s.new", file);
++ unlock = file_unlock;
++ filename = file;
++ filenewname = filenew;
++
++ if (access(file, F_OK)) cppwexit(file, 1, 1);
++ if (!file_lock()) cppwexit("Couldn't lock file", errno, 5);
++ filelocked = 1;
++
++ /* file to copy has same owners, perm */
++ if (stat(file, &st1)) cppwexit(file, 1, 1);
++ if (!(f = fopen(in_file, "r"))) cppwexit(file, 1, 1);
++ if (create_backup_file(f, filenew, &st1))
++ cppwexit("Couldn't make backup", errno, 1);
++
++ /* XXX - here we should check filenew for errors; if there are any,
++ fail w/ an appropriate error code and let the user manually fix
++ it. Use pwck or grpck to do the check. - Stephen (Shamelessly
++ stolen from '--marekm's comment) */
++
++ if (rename(filenew, file) == -1) {
++ fprintf(stderr, "%s: can't copy %s: %s)\n",
++ progname, filenew, strerror(errno));
++ cppwexit(0,0,1);
++ }
++
++ (*file_unlock)();
++}
++
++
++int
++main(int argc, char **argv)
++{
++ int flag;
++ int cpshadow = 0;
++ char *in_file;
++ char *c;
++ int e = 1;
++ int do_cppw;
++
++ progname = ((c = strrchr(*argv, '/')) ? c+1 : *argv);
++ do_cppw = (strcmp(progname, "cpgr") != 0);
++
++ while ((flag = getopt(argc, argv, "ghps")) != EOF) {
++ switch (flag) {
++ case 'p':
++ do_cppw = 1;
++ break;
++ case 'g':
++ do_cppw = 0;
++ break;
++ case 's':
++ cpshadow = 1;
++ break;
++ case 'h':
++ e = 0;
++ default:
++ printf("Usage:\n\
++`cppw <file>' copys over /etc/passwd `cppw -s <file>' copys over /etc/shadow\n\
++`cpgr <file>' copys over /etc/group `cpgr -s <file>' copys over /etc/gshadow\n\
++");
++ exit(e);
++ }
++ }
++
++ if (optind >= argc) {
++ cppwexit ("missing file argument, -h for usage",0,1);
++ }
++
++ in_file = argv[argc - 1];
++
++ if (do_cppw) {
++ if (cpshadow)
++ cppwcopy(SHADOW_FILE, in_file, spw_lock, spw_unlock);
++ else
++ cppwcopy(PASSWD_FILE, in_file, pw_lock, pw_unlock);
++ }
++ else {
++#ifdef SHADOWGRP
++ if (cpshadow)
++ cppwcopy(SGROUP_FILE, in_file, sgr_lock, sgr_unlock);
++ else
++#endif
++ cppwcopy(GROUP_FILE, in_file, gr_lock, gr_unlock);
++ }
++
++ return 0;
++}
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -25,6 +25,7 @@
+ sbin_PROGRAMS = nologin
+ ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
+ usbin_PROGRAMS = \
++ cppw \
+ chgpasswd \
+ chpasswd \
+ groupadd \
+@@ -75,6 +76,7 @@
+ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+ chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
++cppw_LDADD = $(LDADD) $(LIBSELINUX)
+ gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+ groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -79,6 +79,7 @@
+ src/chgpasswd.c
+ src/chpasswd.c
+ src/chsh.c
++src/cppw.c
+ src/expiry.c
+ src/faillog.c
+ src/gpasswd.c
--- /dev/null
+Goal: Add selinux support to cppw
+
+Fix:
+
+Status wrt upstream: cppw is not available upstream.
+ The patch was made based on the
+ 302_vim_selinux_support patch. It needs to be
+ reviewed by an SE-Linux aware person.
+
+Depends on 401_cppw_src.dpatch
+
+--- a/src/cppw.c
++++ b/src/cppw.c
+@@ -34,6 +34,9 @@
+ #include <sys/types.h>
+ #include <signal.h>
+ #include <utime.h>
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#endif
+ #include "prototypes.h"
+ #include "pwio.h"
+ #include "shadowio.h"
+@@ -115,6 +118,22 @@
+ filenewname = filenew;
+
+ if (access(file, F_OK)) cppwexit(file, 1, 1);
++#ifdef WITH_SELINUX
++ /* if SE Linux is enabled then set the context of all new files
++ to be the context of the file we are editing */
++ if (is_selinux_enabled ()) {
++ security_context_t passwd_context=NULL;
++ int ret = 0;
++ if (getfilecon (file, &passwd_context) < 0) {
++ cppwexit (_("Couldn't get file context"), errno, 1);
++ }
++ ret = setfscreatecon (passwd_context);
++ freecon (passwd_context);
++ if (0 != ret) {
++ cppwexit (_("setfscreatecon () failed"), errno, 1);
++ }
++ }
++#endif
+ if (!file_lock()) cppwexit("Couldn't lock file", errno, 5);
+ filelocked = 1;
+
+@@ -135,6 +154,15 @@
+ cppwexit(0,0,1);
+ }
+
++#ifdef WITH_SELINUX
++ /* unset the fscreatecon */
++ if (is_selinux_enabled ()) {
++ if (setfscreatecon (NULL)) {
++ cppwexit (_("setfscreatecon() failed"), errno, 1);
++ }
++ }
++#endif
++
+ (*file_unlock)();
+ }
+
--- /dev/null
+Goal: grpck now has an (otherwise undocumented) -p option, so that
+ shadowconfig can clean up the results of the above, so the config
+ script will fail randomly less often.
+Fixes: #103385
+
+Status wrt upstream: It could certainly be submitted to upstream.
+
+--- a/src/grpck.c
++++ b/src/grpck.c
+@@ -79,6 +79,7 @@
+ /* Options */
+ static bool read_only = false;
+ static bool sort_mode = false;
++static bool prune = false;
+
+ /* local function prototypes */
+ static void fail_exit (int status);
+@@ -178,7 +179,7 @@
+ /*
+ * Parse the command line arguments
+ */
+- while ((arg = getopt (argc, argv, "qrs")) != EOF) {
++ while ((arg = getopt (argc, argv, "qprs")) != EOF) {
+ switch (arg) {
+ case 'q':
+ /* quiet - ignored for now */
+@@ -189,6 +190,9 @@
+ case 's':
+ sort_mode = true;
+ break;
++ case 'p':
++ prune = true;
++ break;
+ default:
+ usage ();
+ }
+@@ -474,7 +478,12 @@
+ /*
+ * prompt the user to delete the entry or not
+ */
+- if (!yes_or_no (read_only)) {
++ if (!prune) {
++ if (!yes_or_no (read_only)) {
++ continue;
++ }
++ } else {
++ puts (_("Yes"));
+ continue;
+ }
+
--- /dev/null
+Goal: Re-enable logging and displaying failures on login when login is
+ compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
+ faillog file if it does not exist on postinst (as on Woody).
+Depends: 008_login_more_LOG_UNKFAIL_ENAB
+Fixes: #192849
+
+Note: It could be removed if pam_tally could report the number of failures
+ preceding a successful login.
+
+--- a/src/login.c
++++ b/src/login.c
+@@ -131,9 +131,9 @@
+ const char *host,
+ /*@null@*/const struct utmp *utent);
+
+-#ifndef USE_PAM
+ static struct faillog faillog;
+
++#ifndef USE_PAM
+ static void bad_time_notify (void);
+ static void check_nologin (bool login_to_root);
+ #else
+@@ -792,6 +792,9 @@
+ SYSLOG ((LOG_NOTICE,
+ "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
+ failcount, fromhost, failent_user));
++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
++ failure (pwd->pw_uid, tty, &faillog);
++ }
+ fprintf(stderr,
+ _("Maximum number of tries exceeded (%u)\n"),
+ failcount);
+@@ -809,6 +812,14 @@
+ pam_strerror (pamh, retcode)));
+ failed = true;
+ }
++ if ( (NULL != pwd)
++ && getdef_bool("FAILLOG_ENAB")
++ && ! failcheck (pwd->pw_uid, &faillog, failed)) {
++ SYSLOG((LOG_CRIT,
++ "exceeded failure limit for `%s' %s",
++ failent_user, fromhost));
++ failed = 1;
++ }
+
+ if (!failed) {
+ break;
+@@ -832,6 +843,10 @@
+ (void) puts ("");
+ (void) puts (_("Login incorrect"));
+
++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
++ failure (pwd->pw_uid, tty, &faillog);
++ }
++
+ if (getdef_str("FTMP_FILE") != NULL) {
+ #ifdef USE_UTMPX
+ struct utmpx *failent =
+@@ -1282,6 +1297,7 @@
+ */
+ #ifndef USE_PAM
+ motd (); /* print the message of the day */
++#endif
+ if ( getdef_bool ("FAILLOG_ENAB")
+ && (0 != faillog.fail_cnt)) {
+ failprint (&faillog);
+@@ -1294,6 +1310,7 @@
+ username, (int) faillog.fail_cnt));
+ }
+ }
++#ifndef USE_PAM
+ if ( getdef_bool ("LASTLOG_ENAB")
+ && (ll.ll_time != 0)) {
+ time_t ll_time = ll.ll_time;
+--- a/lib/getdef.c
++++ b/lib/getdef.c
+@@ -61,6 +61,7 @@
+ {"ENV_SUPATH", NULL},
+ {"ERASECHAR", NULL},
+ {"FAIL_DELAY", NULL},
++ {"FAILLOG_ENAB", NULL},
+ {"FAKE_SHELL", NULL},
+ {"FTMP_FILE", NULL},
+ {"GID_MAX", NULL},
+@@ -103,7 +104,6 @@
+ {"ENV_HZ", NULL},
+ {"ENVIRON_FILE", NULL},
+ {"ENV_TZ", NULL},
+- {"FAILLOG_ENAB", NULL},
+ {"ISSUE_FILE", NULL},
+ {"LASTLOG_ENAB", NULL},
+ {"LOGIN_STRING", NULL},
--- /dev/null
+Goal: Do not hardcode pam_fail_delay and let pam_unix do its
+ job to set a delay...or not
+
+Fixes: #87648
+
+Status wrt upstream: Forwarded but not applied yet
+
+Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
+
+--- a/src/login.c
++++ b/src/login.c
+@@ -525,7 +525,6 @@
+ #if defined(HAVE_STRFTIME) && !defined(USE_PAM)
+ char ptime[80];
+ #endif
+- unsigned int delay;
+ unsigned int retries;
+ bool failed;
+ bool subroot = false;
+@@ -546,6 +545,7 @@
+ pid_t child;
+ char *pam_user = NULL;
+ #else
++ unsigned int delay;
+ struct spwd *spwd = NULL;
+ #endif
+ /*
+@@ -706,7 +706,6 @@
+ }
+
+ environ = newenvp; /* make new environment active */
+- delay = getdef_unum ("FAIL_DELAY", 1);
+ retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
+
+ #ifdef USE_PAM
+@@ -722,8 +721,7 @@
+
+ /*
+ * hostname & tty are either set to NULL or their correct values,
+- * depending on how much we know. We also set PAM's fail delay to
+- * ours.
++ * depending on how much we know.
+ *
+ * PAM_RHOST and PAM_TTY are used for authentication, only use
+ * information coming from login or from the caller (e.g. no utmp)
+@@ -732,10 +730,6 @@
+ PAM_FAIL_CHECK;
+ retcode = pam_set_item (pamh, PAM_TTY, tty);
+ PAM_FAIL_CHECK;
+-#ifdef HAS_PAM_FAIL_DELAY
+- retcode = pam_fail_delay (pamh, 1000000 * delay);
+- PAM_FAIL_CHECK;
+-#endif
+ /* if fflg, then the user has already been authenticated */
+ if (!fflg) {
+ unsigned int failcount = 0;
+@@ -776,12 +770,6 @@
+ failed = false;
+
+ failcount++;
+-#ifdef HAS_PAM_FAIL_DELAY
+- if (delay > 0) {
+- retcode = pam_fail_delay(pamh, 1000000*delay);
+- PAM_FAIL_CHECK;
+- }
+-#endif
+
+ retcode = pam_authenticate (pamh, 0);
+
+@@ -1100,14 +1088,17 @@
+ free (username);
+ username = NULL;
+
++#ifndef USE_PAM
+ /*
+ * Wait a while (a la SVR4 /usr/bin/login) before attempting
+ * to login the user again. If the earlier alarm occurs
+ * before the sleep() below completes, login will exit.
+ */
++ delay = getdef_unum ("FAIL_DELAY", 1);
+ if (delay > 0) {
+ (void) sleep (delay);
+ }
++#endif
+
+ (void) puts (_("Login incorrect"));
+
+--- a/lib/getdef.c
++++ b/lib/getdef.c
+@@ -60,7 +60,6 @@
+ {"ENV_PATH", NULL},
+ {"ENV_SUPATH", NULL},
+ {"ERASECHAR", NULL},
+- {"FAIL_DELAY", NULL},
+ {"FAILLOG_ENAB", NULL},
+ {"FAKE_SHELL", NULL},
+ {"FTMP_FILE", NULL},
+@@ -104,6 +103,7 @@
+ {"ENV_HZ", NULL},
+ {"ENVIRON_FILE", NULL},
+ {"ENV_TZ", NULL},
++ {"FAIL_DELAY", NULL},
+ {"ISSUE_FILE", NULL},
+ {"LASTLOG_ENAB", NULL},
+ {"LOGIN_STRING", NULL},
--- /dev/null
+Goal: shell's name must be -su when a su fakes a login
+
+Status wrt upstream: not reported yet
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -1001,7 +1001,7 @@
+ * Use the shell and create an argv
+ * with the rest of the command line included.
+ */
+- argv[-1] = shellstr;
++ argv[-1] = cp;
+ #ifndef USE_PAM
+ (void) execve (shellstr, &argv[-1], environ);
+ err = errno;
--- /dev/null
+Goal: save the [g]shadow files with the 'shadow' group and mode 0440
+
+Fixes: #166793
+
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -44,6 +44,7 @@
+ #include <errno.h>
+ #include <stdio.h>
+ #include <signal.h>
++#include <grp.h>
+ #include "nscd.h"
+ #ifdef WITH_SELINUX
+ #include <selinux/selinux.h>
+@@ -868,13 +869,20 @@
+ goto fail;
+ }
+ } else {
++ struct group *grp;
+ /*
+ * Default permissions for new [g]shadow files.
+ * (passwd and group always exist...)
+ */
+- sb.st_mode = 0400;
++ sb.st_mode = 0440;
+ sb.st_uid = 0;
+- sb.st_gid = 0;
++ /*
++ * Try to retrieve the shadow's GID, and fall back to GID 0.
++ */
++ if ((grp = getgrnam("shadow")) != NULL)
++ sb.st_gid = grp->gr_gid;
++ else
++ sb.st_gid = 0;
+ }
+
+ snprintf (buf, sizeof buf, "%s+", db->filename);
--- /dev/null
+Goal: Relaxed usernames/groupnames checking patch.
+
+Status wrt upstream: Debian specific. Not to be used upstream
+
+Details:
+ Allows any non-empty user/grounames that don't contain ':' and '\n'
+ characters and don't start with '-'. This patch is more restrictive
+ than original Karl's version. closes: #264879
+ Also closes: #377844
+
+ Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
+
+ I can't come up with a good justification as to why characters other
+ than ':'s and '\0's should be disallowed in group and usernames (other
+ than '-' as the leading character). Thus, the maintenance tools don't
+ anymore. closes: #79682, #166798, #171179
+
+--- a/libmisc/chkname.c
++++ b/libmisc/chkname.c
+@@ -48,6 +48,7 @@
+
+ static bool is_valid_name (const char *name)
+ {
++#if 0
+ /*
+ * User/group names must match [a-z_][a-z0-9_-]*[$]
+ */
+@@ -66,6 +67,20 @@
+ return false;
+ }
+ }
++#endif
++ /*
++ * POSIX indicate that usernames are composed of characters from the
++ * portable filename character set [A-Za-z0-9._-], and that the hyphen
++ * should not be used as the first character of a portable user name.
++ *
++ * Allow more relaxed user/group names in Debian -- ^[^-:\s][^:\s]*$
++ */
++ if (!*name || isspace(*name))
++ return 0;
++ do
++ if (*name == ':' || isspace(*name))
++ return 0;
++ while (*++name);
+
+ return true;
+ }
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -607,12 +607,19 @@
+ </para>
+
+ <para>
+- Usernames must start with a lower case letter or an underscore,
++ It is usually recommended to only use usernames that begin with a lower case letter or an underscore,
+ followed by lower case letters, digits, underscores, or dashes.
+ They can end with a dollar sign.
+ In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+ </para>
+ <para>
++ On Debian, the only constraints are that usernames must neither start
++ with a dash ('-') nor contain a colon (':') or a whitespace (space: ' ',
++ end of line: '\n', tabulation: '\t', etc.). Note that using a slash
++ ('/') may break the default algorithm for the definition of the
++ user's home directory.
++ </para>
++ <para>
+ Usernames may only be up to 32 characters long.
+ </para>
+ </refsect1>
+--- a/man/groupadd.8.xml
++++ b/man/groupadd.8.xml
+@@ -223,12 +223,17 @@
+ <refsect1 id='caveats'>
+ <title>CAVEATS</title>
+ <para>
+- Groupnames must start with a lower case letter or an underscore,
++ It is usually recommended to only use groupnames that begin with a lower case letter or an underscore,
+ followed by lower case letters, digits, underscores, or dashes.
+ They can end with a dollar sign.
+ In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+ </para>
+ <para>
++ On Debian, the only constraints are that groupnames must neither start
++ with a dash ('-') nor contain a colon (':') or a whitespace (space:' ',
++ end of line: '\n', tabulation: '\t', etc.).
++ </para>
++ <para>
+ Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+ </para>
+ <para>
--- /dev/null
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -22,7 +22,6 @@
+ # $prefix/bin and $prefix/sbin, no install-data hacks...)
+
+ bin_PROGRAMS = groups login su
+-sbin_PROGRAMS = nologin
+ ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
+ usbin_PROGRAMS = \
+ cppw \
+@@ -37,6 +36,7 @@
+ grpunconv \
+ logoutd \
+ newusers \
++ nologin \
+ pwck \
+ pwconv \
+ pwunconv \
--- /dev/null
+Goal: Concatenate the non-su arguments and provide them to the shell with
+ the -c option
+Fixes: #317264
+ see also #276419
+
+Status wrt upstream: This is a Debian specific patch.
+
+Note: the fix of the man page is still missing.
+ (to be taken from the trunk)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -953,6 +953,35 @@
+ argv[0] = "-c";
+ argv[1] = command;
+ }
++ /* On Debian, the arguments are concatenated and the
++ * resulting string is always given to the shell with its
++ * -c option.
++ */
++ {
++ char **parg;
++ unsigned int cmd_len = 0;
++ char *cmd = NULL;
++ if (strcmp(argv[0], "-c") != 0) {
++ argv--;
++ argv[0] = "-c";
++ }
++ /* Now argv[0] is always -c, and other arguments
++ * can be concatenated
++ */
++ cmd_len = 1; /* finale '\0' */
++ for (parg = &argv[1]; *parg; parg++) {
++ cmd_len += strlen (*parg) + 1;
++ }
++ cmd = (char *) xmalloc (sizeof (char) * cmd_len);
++ cmd[0] = '\0';
++ for (parg = &argv[1]; *parg; parg++) {
++ strcat (cmd, " ");
++ strcat (cmd, *parg);
++ }
++ cmd[cmd_len - 1] = '\0';
++ argv[1] = &cmd[1]; /* do not take first space */
++ argv[2] = NULL;
++ }
+ /*
+ * Use the shell and create an argv
+ * with the rest of the command line included.
--- /dev/null
+Goal: Do not concatenate the additional arguments, and support an
+ environment variable to revert to the old Debian's su behavior.
+
+This patch needs the su_arguments_are_concatenated patch.
+
+This patch, and su_arguments_are_concatenated should be dropped after
+Etch.
+
+Status wrt upstream: This patch is Debian specific.
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -86,6 +86,19 @@
+ /* If nonzero, change some environment vars to indicate the user su'd to. */
+ static bool change_environment;
+
++/*
++ * If nonzero, keep the old Debian behavior:
++ * * concatenate all the arguments and provide them to the -c option of
++ * the shell
++ * * If there are some additional arguments, but no -c, add a -c
++ * argument anyway
++ * Drawbacks:
++ * * you can't provide options to the shell (other than -c)
++ * * you can't rely on the argument count
++ * See http://bugs.debian.org/276419
++ */
++static int old_debian_behavior;
++
+ #ifdef USE_PAM
+ static pam_handle_t *pamh = NULL;
+ static bool caught = false;
+@@ -344,6 +357,8 @@
+ #endif
+ #endif /* !USE_PAM */
+
++ old_debian_behavior = (getenv("SU_NO_SHELL_ARGS") != NULL);
++
+ /* sanitize_env (); */
+
+ (void) setlocale (LC_ALL, "");
+@@ -957,7 +972,7 @@
+ * resulting string is always given to the shell with its
+ * -c option.
+ */
+- {
++ if (old_debian_behavior) {
+ char **parg;
+ unsigned int cmd_len = 0;
+ char *cmd = NULL;
--- /dev/null
+Goal: accepts the -O flag for backward compatibility. (was used by adduser?)
+
+Note: useradd.8 needs to be regenerated.
+
+Status wrt upstream: not included as this is just specific
+ backward compatibility for Debian
+
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -300,6 +300,11 @@
+ <replaceable>UID_MIN</replaceable>=<replaceable>10</replaceable>,<replaceable>UID_MAX</replaceable>=<replaceable>499</replaceable>
+ doesn't work yet.
+ </para>
++ <para>
++ For the compatibility with previous Debian's
++ <command>useradd</command>, the <option>-O</option> option is
++ also supported.
++ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
--- /dev/null
+#
+# /etc/login.defs - Configuration control definitions for the login package.
+#
+# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
+# If unspecified, some arbitrary (and possibly incorrect) value will
+# be assumed. All other items are optional - if not specified then
+# the described action or option will be inhibited.
+#
+# Comment lines (lines beginning with "#") and blank lines are ignored.
+#
+# Modified for Linux. --marekm
+
+# REQUIRED for useradd/userdel/usermod
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
+# MAIL_DIR takes precedence.
+#
+# Essentially:
+# - MAIL_DIR defines the location of users mail spool files
+# (for mbox use) by appending the username to MAIL_DIR as defined
+# below.
+# - MAIL_FILE defines the location of the users mail spool files as the
+# fully-qualified filename obtained by prepending the user home
+# directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+# which is, starting from shadow 4.0.12-1 in Debian, entirely the
+# job of the pam_mail PAM modules
+# See default PAM configuration files provided for
+# login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR /var/mail
+#MAIL_FILE .mail
+
+#
+# Enable logging and display of /var/log/faillog login failure info.
+# This option conflicts with the pam_tally PAM module.
+#
+FAILLOG_ENAB yes
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+# WARNING: Unknown usernames may become world readable.
+# See #290803 and #298773 for details about how this could become a security
+# concern
+LOG_UNKFAIL_ENAB no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB yes
+SYSLOG_SG_ENAB yes
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE /var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100 tty01".
+#
+#TTYTYPE_FILE /etc/ttytype
+
+#
+# If defined, login failures will be logged here in a utmp format
+# last, when invoked as lastb, will read /var/log/btmp, so...
+#
+FTMP_FILE /var/log/btmp
+
+#
+# If defined, the command name to display when running "su -". For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su". If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME su
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+#
+# *REQUIRED* The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/usr/devel/usr/sbin:/opt/usr/devel/usr/bin:/opt/usr/devel/sbin:/opt/usr/devel/bin
+ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+# In Debian /usr/bin/bsd-write or similar programs are setgid tty
+# However, the default and recommended value for TTYPERM is still 0600
+# to not allow anyone to write to anyone else console or terminal
+
+# Users can still allow other people to write them by issuing
+# the "mesg y" command.
+
+TTYGROUP tty
+TTYPERM 0600
+
+#
+# Login configuration initializations:
+#
+# ERASECHAR Terminal ERASE character ('\010' = backspace).
+# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+# UMASK Default "umask" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+#
+# UMASK usage is discouraged because it catches only some classes of user
+# entries to system, in fact only those made through login(1), while setting
+# umask in shell rc file will catch also logins through su, cron, ssh etc.
+#
+# At the same time, using shell rc to set umask won't catch entries which use
+# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp"
+# user and alike.
+#
+# Therefore the use of pam_umask is recommended as the solution which
+# catches all these cases on PAM-enabled systems.
+#
+# This avoids the confusion created by having the umask set
+# in two different places -- in login.defs and shell rc files (i.e.
+# /etc/profile).
+#
+# For discussion, see #314539 and #248150 as well as the thread starting at
+# http://lists.debian.org/debian-devel/2005/06/msg01598.html
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR 0177
+KILLCHAR 025
+# 022 is the "historical" value in Debian for UMASK when it was used
+# 027, or even 077, could be considered better for privacy
+# There is no One True Answer here : each sysadmin must make up his/her
+# mind.
+#UMASK 022
+
+#
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_WARN_AGE 7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+#SYS_UID_MIN 100
+#SYS_UID_MAX 999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+#SYS_GID_MIN 100
+#SYS_GID_MAX 999
+
+#
+# Max number of login retries if password is bad. This will most likely be
+# overriden by PAM, since the default pam_unix module has it's own built
+# in of 3 retries. However, this is a safe fallback in case you are using
+# an authentication module that does not enforce PAM_MAXTRIES.
+#
+LOGIN_RETRIES 5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT 60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT rwh
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# This enables userdel to remove user groups if no members exist.
+#
+# Other former uses of this variable such as setting the umask when
+# user==primary group are not used in PAM environments, thus in Debian
+#
+USERGROUPS_ENAB yes
+
+#
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
+#
+# FAKE_SHELL /bin/fakeshell
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# upon these devices.
+#
+# This variable is used by login and su.
+#
+#CONSOLE /etc/consoles
+#CONSOLE console:tty01:tty02:tty03:tty04
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting). Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# This variable is used by login and su.
+#
+#CONSOLE_GROUPS floppy:audio:cdrom
+
+#
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm. Default is "no".
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB no
+
+#
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+#ENCRYPT_METHOD DES
+
+#
+# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
+################# OBSOLETED BY PAM ##############
+# #
+# These options are now handled by PAM. Please #
+# edit the appropriate file in /etc/pam.d/ to #
+# enable the equivelants of them.
+#
+###############
+
+#MOTD_FILE
+#DIALUPS_CHECK_ENAB
+#LASTLOG_ENAB
+#MAIL_CHECK_ENAB
+#OBSCURE_CHECKS_ENAB
+#PORTTIME_CHECKS_ENAB
+#SU_WHEEL_ONLY
+#CRACKLIB_DICTPATH
+#PASS_CHANGE_TRIES
+#PASS_ALWAYS_WARN
+#ENVIRON_FILE
+#NOLOGINS_FILE
+#ISSUE_FILE
+#PASS_MIN_LEN
+#PASS_MAX_LEN
+#ULIMIT
+#ENV_HZ
+#CHFN_AUTH
+#CHSH_AUTH
+#FAIL_DELAY
+
+################# OBSOLETED #######################
+# #
+# These options are no more handled by shadow. #
+# #
+# Shadow utilities will display a warning if they #
+# still appear. #
+# #
+###################################################
+
+# CLOSE_SESSIONS
+# LOGIN_STRING
+# NO_PASSWORD_CONSOLE
+# QMAIL_DIR
+
+
+
--- /dev/null
+#
+# /etc/login.defs - Configuration control definitions for the login package.
+#
+# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
+# If unspecified, some arbitrary (and possibly incorrect) value will
+# be assumed. All other items are optional - if not specified then
+# the described action or option will be inhibited.
+#
+# Comment lines (lines beginning with "#") and blank lines are ignored.
+#
+# Modified for Linux. --marekm
+
+# REQUIRED for useradd/userdel/usermod
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
+# MAIL_DIR takes precedence.
+#
+# Essentially:
+# - MAIL_DIR defines the location of users mail spool files
+# (for mbox use) by appending the username to MAIL_DIR as defined
+# below.
+# - MAIL_FILE defines the location of the users mail spool files as the
+# fully-qualified filename obtained by prepending the user home
+# directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+# which is, starting from shadow 4.0.12-1 in Debian, entirely the
+# job of the pam_mail PAM modules
+# See default PAM configuration files provided for
+# login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR /var/mail
+#MAIL_FILE .mail
+
+#
+# Enable logging and display of /var/log/faillog login failure info.
+# This option conflicts with the pam_tally PAM module.
+#
+FAILLOG_ENAB yes
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+# WARNING: Unknown usernames may become world readable.
+# See #290803 and #298773 for details about how this could become a security
+# concern
+LOG_UNKFAIL_ENAB no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB yes
+SYSLOG_SG_ENAB yes
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE /var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100 tty01".
+#
+#TTYTYPE_FILE /etc/ttytype
+
+#
+# If defined, login failures will be logged here in a utmp format
+# last, when invoked as lastb, will read /var/log/btmp, so...
+#
+FTMP_FILE /var/log/btmp
+
+#
+# If defined, the command name to display when running "su -". For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su". If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME su
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+#
+# *REQUIRED* The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+# In Debian /usr/bin/bsd-write or similar programs are setgid tty
+# However, the default and recommended value for TTYPERM is still 0600
+# to not allow anyone to write to anyone else console or terminal
+
+# Users can still allow other people to write them by issuing
+# the "mesg y" command.
+
+TTYGROUP tty
+TTYPERM 0600
+
+#
+# Login configuration initializations:
+#
+# ERASECHAR Terminal ERASE character ('\010' = backspace).
+# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+# UMASK Default "umask" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+#
+# UMASK usage is discouraged because it catches only some classes of user
+# entries to system, in fact only those made through login(1), while setting
+# umask in shell rc file will catch also logins through su, cron, ssh etc.
+#
+# At the same time, using shell rc to set umask won't catch entries which use
+# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp"
+# user and alike.
+#
+# Therefore the use of pam_umask is recommended as the solution which
+# catches all these cases on PAM-enabled systems.
+#
+# This avoids the confusion created by having the umask set
+# in two different places -- in login.defs and shell rc files (i.e.
+# /etc/profile).
+#
+# For discussion, see #314539 and #248150 as well as the thread starting at
+# http://lists.debian.org/debian-devel/2005/06/msg01598.html
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR 0177
+KILLCHAR 025
+# 022 is the "historical" value in Debian for UMASK when it was used
+# 027, or even 077, could be considered better for privacy
+# There is no One True Answer here : each sysadmin must make up his/her
+# mind.
+#UMASK 022
+
+#
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_WARN_AGE 7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+#SYS_UID_MIN 100
+#SYS_UID_MAX 999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+#SYS_GID_MIN 100
+#SYS_GID_MAX 999
+
+#
+# Max number of login retries if password is bad. This will most likely be
+# overriden by PAM, since the default pam_unix module has it's own built
+# in of 3 retries. However, this is a safe fallback in case you are using
+# an authentication module that does not enforce PAM_MAXTRIES.
+#
+LOGIN_RETRIES 5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT 60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT rwh
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# This enables userdel to remove user groups if no members exist.
+#
+# Other former uses of this variable such as setting the umask when
+# user==primary group are not used in PAM environments, thus in Debian
+#
+USERGROUPS_ENAB yes
+
+#
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
+#
+# FAKE_SHELL /bin/fakeshell
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# upon these devices.
+#
+# This variable is used by login and su.
+#
+#CONSOLE /etc/consoles
+#CONSOLE console:tty01:tty02:tty03:tty04
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting). Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# This variable is used by login and su.
+#
+#CONSOLE_GROUPS floppy:audio:cdrom
+
+#
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm. Default is "no".
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB no
+
+#
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+#ENCRYPT_METHOD DES
+
+#
+# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
+################# OBSOLETED BY PAM ##############
+# #
+# These options are now handled by PAM. Please #
+# edit the appropriate file in /etc/pam.d/ to #
+# enable the equivelants of them.
+#
+###############
+
+#MOTD_FILE
+#DIALUPS_CHECK_ENAB
+#LASTLOG_ENAB
+#MAIL_CHECK_ENAB
+#OBSCURE_CHECKS_ENAB
+#PORTTIME_CHECKS_ENAB
+#SU_WHEEL_ONLY
+#CRACKLIB_DICTPATH
+#PASS_CHANGE_TRIES
+#PASS_ALWAYS_WARN
+#ENVIRON_FILE
+#NOLOGINS_FILE
+#ISSUE_FILE
+#PASS_MIN_LEN
+#PASS_MAX_LEN
+#ULIMIT
+#ENV_HZ
+#CHFN_AUTH
+#CHSH_AUTH
+#FAIL_DELAY
+
+################# OBSOLETED #######################
+# #
+# These options are no more handled by shadow. #
+# #
+# Shadow utilities will display a warning if they #
+# still appear. #
+# #
+###################################################
+
+# CLOSE_SESSIONS
+# LOGIN_STRING
+# NO_PASSWORD_CONSOLE
+# QMAIL_DIR
+
+
+
--- /dev/null
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+s3c-console
+
+# Standard serial ports
+ttyS0
+ttyS1
+ttyS2
+ttyS3
+ttyS4
+ttyS5
+
+# USB dongles
+ttyUSB0
+ttyUSB1
+ttyUSB2
+
+# PowerMac
+ttyPZ0
+ttyPZ1
+ttyPZ2
+ttyPZ3
+
+# Embedded MPC platforms
+ttyPSC0
+ttyPSC1
+ttyPSC2
+ttyPSC3
+ttyPSC4
+ttyPSC5
+
+# PA-RISC mux ports
+ttyB0
+ttyB1
+
+# Standard hypervisor virtual console
+hvc0
+
+# Oldstyle Xen console
+xvc0
+
+# Standard consoles
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+tty8
+tty9
+tty10
+tty11
+tty12
+tty13
+tty14
+tty15
+tty16
+tty17
+tty18
+tty19
+tty20
+tty21
+tty22
+tty23
+tty24
+tty25
+tty26
+tty27
+tty28
+tty29
+tty30
+tty31
+tty32
+tty33
+tty34
+tty35
+tty36
+tty37
+tty38
+tty39
+tty40
+tty41
+tty42
+tty43
+tty44
+tty45
+tty46
+tty47
+tty48
+tty49
+tty50
+tty51
+tty52
+tty53
+tty54
+tty55
+tty56
+tty57
+tty58
+tty59
+tty60
+tty61
+tty62
+tty63
+
+# Local X displays (allows empty passwords with pam_unix's nullok_secure)
+:0
+:0.0
+:0.1
+:1
+:1.0
+:1.1
+:2
+:2.0
+:2.1
+:3
+:3.0
+:3.1
+
+# Embedded Freescale i.MX ports
+ttymxc0
+ttymxc1
+ttymxc2
+ttymxc3
+ttymxc4
+ttymxc5
+
+# Embedded Renesas SuperH ports
+ttySC0
+ttySC1
+ttySC2
+ttySC3
+ttySC4
+ttySC5
+
+
--- /dev/null
+diff -up shadow-4.1.4.1/libmisc/chkname.c.goodname shadow-4.1.4.1/libmisc/chkname.c
+--- shadow-4.1.4.1/libmisc/chkname.c.goodname 2009-04-28 21:14:04.000000000 +0200
++++ shadow-4.1.4.1/libmisc/chkname.c 2009-06-16 13:47:08.000000000 +0200
+@@ -49,20 +49,28 @@
+ static bool is_valid_name (const char *name)
+ {
+ /*
+- * User/group names must match [a-z_][a-z0-9_-]*[$]
+- */
+- if (('\0' == *name) ||
+- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
++ * User/group names must match gnu e-regex:
++ * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
++ *
++ * as a non-POSIX, extension, allow "$" as the last char for
++ * sake of Samba 3.x "add machine script"
++ */
++ if ( ('\0' == *name) ||
++ !((*name >= 'a' && *name <= 'z') ||
++ (*name >= 'A' && *name <= 'Z') ||
++ (*name >= '0' && *name <= '9') ||
++ (*name == '_') || (*name == '.')
++ )) {
+ return false;
+ }
+
+ while ('\0' != *++name) {
+- if (!(( ('a' <= *name) && ('z' >= *name) ) ||
+- ( ('0' <= *name) && ('9' >= *name) ) ||
+- ('_' == *name) ||
+- ('-' == *name) ||
+- ( ('$' == *name) && ('\0' == *(name + 1)) )
+- )) {
++ if (!( (*name >= 'a' && *name <= 'z') ||
++ (*name >= 'A' && *name <= 'Z') ||
++ (*name >= '0' && *name <= '9') ||
++ (*name == '_') || (*name == '.') || (*name == '-') ||
++ (*name == '$' && *(name + 1) == '\0')
++ )) {
+ return false;
+ }
+ }
+diff -up shadow-4.1.4.1/man/groupadd.8.goodname shadow-4.1.4.1/man/groupadd.8
+--- shadow-4.1.4.1/man/groupadd.8.goodname 2009-05-22 15:56:08.000000000 +0200
++++ shadow-4.1.4.1/man/groupadd.8 2009-06-16 13:50:41.000000000 +0200
+@@ -153,9 +153,7 @@ Shadow password suite configuration\&.
+ .RE
+ .SH "CAVEATS"
+ .PP
+-Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]?
+-.PP
+-Groupnames may only be up to 16 characters long\&.
++Groupnames may only be up to 32 characters long\&.
+ .PP
+ You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&.
+ .PP
+diff -up shadow-4.1.4.1/man/useradd.8.goodname shadow-4.1.4.1/man/useradd.8
+--- shadow-4.1.4.1/man/useradd.8.goodname 2009-05-22 15:56:28.000000000 +0200
++++ shadow-4.1.4.1/man/useradd.8 2009-06-16 13:51:17.000000000 +0200
+@@ -405,8 +405,6 @@ Similarly, if the username already exist
+ \fBuseradd\fR
+ will deny the user account creation request\&.
+ .PP
+-Usernames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]?
+-.PP
+ Usernames may only be up to 32 characters long\&.
+ .SH "CONFIGURATION"
+ .PP
--- /dev/null
+diff -up shadow-4.1.4.2/lib/commonio.c.fixes shadow-4.1.4.2/lib/commonio.c
+--- shadow-4.1.4.2/lib/commonio.c.fixes 2009-09-07 15:51:28.312139467 +0200
++++ shadow-4.1.4.2/lib/commonio.c 2009-09-07 15:52:00.788140456 +0200
+@@ -710,7 +710,7 @@ commonio_sort (struct commonio_db *db, i
+ db->tail->prev = entries[n - 1];
+ db->tail->next = NULL;
+
+- for (i = 1; i < n; i++) {
++ for (i = 1; i < (n-1); i++) {
+ entries[i]->prev = entries[i - 1];
+ entries[i]->next = entries[i + 1];
+ }
+diff -up shadow-4.1.4.2/libmisc/cleanup.c.fixes shadow-4.1.4.2/libmisc/cleanup.c
+--- shadow-4.1.4.2/libmisc/cleanup.c.fixes 2009-09-07 15:52:22.449035388 +0200
++++ shadow-4.1.4.2/libmisc/cleanup.c 2009-09-07 15:55:06.632033653 +0200
+@@ -107,7 +107,7 @@ void del_cleanup (cleanup_function pcf)
+ assert (i<CLEANUP_FUNCTIONS);
+
+ /* Move the rest of the cleanup functions */
+- for (; i<CLEANUP_FUNCTIONS; i++) {
++ for (; i<(CLEANUP_FUNCTIONS - 1); i++) {
+ /* Make sure the cleanup function was specified only once */
+ assert (cleanup_functions[i+1] != pcf);
+
+diff -up shadow-4.1.4.2/libmisc/limits.c.fixes shadow-4.1.4.2/libmisc/limits.c
+--- shadow-4.1.4.2/libmisc/limits.c.fixes 2009-09-07 15:55:38.734034494 +0200
++++ shadow-4.1.4.2/libmisc/limits.c 2009-09-07 15:56:10.545044166 +0200
+@@ -167,7 +167,7 @@ static int check_logins (const char *nam
+ * includes the user who is currently trying to log in.
+ */
+ if (count > limit) {
+- SYSLOG ((LOG_WARN, "Too many logins (max %d) for %s\n",
++ SYSLOG ((LOG_WARN, "Too many logins (max %lu) for %s\n",
+ limit, name));
+ return LOGIN_ERROR_LOGIN;
+ }
+diff -up shadow-4.1.4.2/libmisc/utmp.c.fixes shadow-4.1.4.2/libmisc/utmp.c
+--- shadow-4.1.4.2/libmisc/utmp.c.fixes 2009-09-07 15:56:30.534033865 +0200
++++ shadow-4.1.4.2/libmisc/utmp.c 2009-09-07 16:11:23.049069289 +0200
+@@ -56,7 +56,7 @@ static bool is_my_tty (const char *tty)
+ /* full_tty shall be at least sizeof utmp.ut_line + 5 */
+ char full_tty[200];
+ /* tmptty shall be bigger than full_tty */
+- static char tmptty[sizeof (full_tty)+1];
++ static char tmptty[sizeof (full_tty)+1] = "";
+
+ if ('/' != *tty) {
+ (void) snprintf (full_tty, sizeof full_tty, "/dev/%s", tty);
+@@ -71,7 +71,7 @@ static bool is_my_tty (const char *tty)
+ }
+ }
+
+- if (NULL == tmptty) {
++ if ('\0' == tmptty[0]) {
+ (void) puts (_("Unable to determine your tty name."));
+ exit (EXIT_FAILURE);
+ } else if (strncmp (tty, tmptty, sizeof (tmptty)) != 0) {
+@@ -200,7 +200,6 @@ static void updwtmpx (const char *filena
+ strcpy (hostname, host);
+ #ifdef HAVE_STRUCT_UTMP_UT_HOST
+ } else if ( (NULL != ut)
+- && (NULL != ut->ut_host)
+ && ('\0' != ut->ut_host[0])) {
+ hostname = (char *) xmalloc (sizeof (ut->ut_host) + 1);
+ strncpy (hostname, ut->ut_host, sizeof (ut->ut_host));
--- /dev/null
+diff -up shadow-4.1.4.2/lib/groupmem.c.leak shadow-4.1.4.2/lib/groupmem.c
+--- shadow-4.1.4.2/lib/groupmem.c.leak 2009-04-23 19:43:27.000000000 +0200
++++ shadow-4.1.4.2/lib/groupmem.c 2009-09-07 15:43:23.314129427 +0200
+@@ -51,10 +51,13 @@
+ *gr = *grent;
+ gr->gr_name = strdup (grent->gr_name);
+ if (NULL == gr->gr_name) {
++ free(gr);
+ return NULL;
+ }
+ gr->gr_passwd = strdup (grent->gr_passwd);
+ if (NULL == gr->gr_passwd) {
++ free(gr->gr_name);
++ free(gr);
+ return NULL;
+ }
+
+@@ -62,11 +65,21 @@
+
+ gr->gr_mem = (char **) malloc ((i + 1) * sizeof (char *));
+ if (NULL == gr->gr_mem) {
++ free(gr->gr_passwd);
++ free(gr->gr_name);
++ free(gr);
+ return NULL;
+ }
+ for (i = 0; grent->gr_mem[i]; i++) {
+ gr->gr_mem[i] = strdup (grent->gr_mem[i]);
+ if (NULL == gr->gr_mem[i]) {
++ int j;
++ for (j=0; j<i; j++)
++ free(gr->gr_mem[j]);
++ free(gr->gr_mem);
++ free(gr->gr_passwd);
++ free(gr->gr_name);
++ free(gr);
+ return NULL;
+ }
+ }
+diff -up shadow-4.1.4.2/libmisc/copydir.c.leak shadow-4.1.4.2/libmisc/copydir.c
+--- shadow-4.1.4.2/libmisc/copydir.c.leak 2009-05-22 12:16:14.000000000 +0200
++++ shadow-4.1.4.2/libmisc/copydir.c 2009-09-07 15:41:49.217192095 +0200
+@@ -443,6 +443,7 @@ static char *readlink_malloc (const char
+ nchars = readlink (filename, buffer, size);
+
+ if (nchars < 0) {
++ free(buffer);
+ return NULL;
+ }
+
+diff -up shadow-4.1.4.2/lib/pwmem.c.leak shadow-4.1.4.2/lib/pwmem.c
+--- shadow-4.1.4.2/lib/pwmem.c.leak 2009-04-23 19:43:27.000000000 +0200
++++ shadow-4.1.4.2/lib/pwmem.c 2009-09-07 15:41:49.218203063 +0200
+@@ -51,22 +51,37 @@
+ *pw = *pwent;
+ pw->pw_name = strdup (pwent->pw_name);
+ if (NULL == pw->pw_name) {
++ free(pw);
+ return NULL;
+ }
+ pw->pw_passwd = strdup (pwent->pw_passwd);
+ if (NULL == pw->pw_passwd) {
++ free(pw->pw_name);
++ free(pw);
+ return NULL;
+ }
+ pw->pw_gecos = strdup (pwent->pw_gecos);
+ if (NULL == pw->pw_gecos) {
++ free(pw->pw_passwd);
++ free(pw->pw_name);
++ free(pw);
+ return NULL;
+ }
+ pw->pw_dir = strdup (pwent->pw_dir);
+ if (NULL == pw->pw_dir) {
++ free(pw->pw_gecos);
++ free(pw->pw_passwd);
++ free(pw->pw_name);
++ free(pw);
+ return NULL;
+ }
+ pw->pw_shell = strdup (pwent->pw_shell);
+ if (NULL == pw->pw_shell) {
++ free(pw->pw_dir);
++ free(pw->pw_gecos);
++ free(pw->pw_passwd);
++ free(pw->pw_name);
++ free(pw);
+ return NULL;
+ }
+
+diff -up shadow-4.1.4.2/lib/shadowmem.c.leak shadow-4.1.4.2/lib/shadowmem.c
+--- shadow-4.1.4.2/lib/shadowmem.c.leak 2009-04-23 19:43:27.000000000 +0200
++++ shadow-4.1.4.2/lib/shadowmem.c 2009-09-07 15:41:49.218203063 +0200
+@@ -52,10 +52,13 @@
+ *sp = *spent;
+ sp->sp_namp = strdup (spent->sp_namp);
+ if (NULL == sp->sp_namp) {
++ free(sp);
+ return NULL;
+ }
+ sp->sp_pwdp = strdup (spent->sp_pwdp);
+ if (NULL == sp->sp_pwdp) {
++ free(sp->sp_namp);
++ free(sp);
+ return NULL;
+ }
+
--- /dev/null
+diff -up shadow-4.1.4.2/libmisc/find_new_gid.c.redhat shadow-4.1.4.2/libmisc/find_new_gid.c
+--- shadow-4.1.4.2/libmisc/find_new_gid.c.redhat 2009-07-18 01:53:42.000000000 +0200
++++ shadow-4.1.4.2/libmisc/find_new_gid.c 2009-09-07 16:34:26.640814090 +0200
+@@ -58,11 +58,11 @@ int find_new_gid (bool sys_group,
+ assert (gid != NULL);
+
+ if (!sys_group) {
+- gid_min = (gid_t) getdef_ulong ("GID_MIN", 1000UL);
++ gid_min = (gid_t) getdef_ulong ("GID_MIN", 500UL);
+ gid_max = (gid_t) getdef_ulong ("GID_MAX", 60000UL);
+ } else {
+- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
+- gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
++ gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 201UL);
++ gid_max = (gid_t) getdef_ulong ("GID_MIN", 500UL) - 1;
+ gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max);
+ }
+ used_gids = alloca (sizeof (bool) * (gid_max +1));
+diff -up shadow-4.1.4.2/libmisc/find_new_uid.c.redhat shadow-4.1.4.2/libmisc/find_new_uid.c
+--- shadow-4.1.4.2/libmisc/find_new_uid.c.redhat 2009-07-18 01:53:43.000000000 +0200
++++ shadow-4.1.4.2/libmisc/find_new_uid.c 2009-09-07 16:34:19.695877000 +0200
+@@ -58,11 +58,11 @@ int find_new_uid (bool sys_user,
+ assert (uid != NULL);
+
+ if (!sys_user) {
+- uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
++ uid_min = (uid_t) getdef_ulong ("UID_MIN", 500UL);
+ uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+ } else {
+- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL);
+- uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1;
++ uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 201UL);
++ uid_max = (uid_t) getdef_ulong ("UID_MIN", 500UL) - 1;
+ uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max);
+ }
+ used_uids = alloca (sizeof (bool) * (uid_max +1));
+diff -up shadow-4.1.4.2/src/useradd.c.redhat shadow-4.1.4.2/src/useradd.c
+--- shadow-4.1.4.2/src/useradd.c.redhat 2009-06-06 00:16:58.000000000 +0200
++++ shadow-4.1.4.2/src/useradd.c 2009-09-07 16:34:01.402878101 +0200
+@@ -90,7 +90,7 @@ char *Prog;
+ static gid_t def_group = 100;
+ static const char *def_gname = "other";
+ static const char *def_home = "/home";
+-static const char *def_shell = "";
++static const char *def_shell = "/sbin/nologin";
+ static const char *def_template = SKEL_DIR;
+ static const char *def_create_mail_spool = "no";
+
+@@ -102,7 +102,7 @@ static char def_file[] = USER_DEFAULTS_F
+ #define VALID(s) (strcspn (s, ":\n") == strlen (s))
+
+ static const char *user_name = "";
+-static const char *user_pass = "!";
++static const char *user_pass = "!!";
+ static uid_t user_id;
+ static gid_t user_gid;
+ static const char *user_comment = "";
+@@ -989,9 +989,9 @@ static void process_flags (int argc, cha
+ };
+ while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:UZ:",
++ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:",
+ #else
+- "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U",
++ "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U",
+ #endif
+ long_options, NULL)) != -1) {
+ switch (c) {
+@@ -1141,6 +1141,7 @@ static void process_flags (int argc, cha
+ case 'M':
+ Mflg = true;
+ break;
++ case 'n':
+ case 'N':
+ Nflg = true;
+ break;
--- /dev/null
+diff -ruN shadow-4.1.4.2-orig/libmisc/loginprompt.c shadow-4.1.4.2/libmisc/loginprompt.c
+--- shadow-4.1.4.2-orig/libmisc/loginprompt.c 2012-12-03 19:11:51.416226723 +0900
++++ shadow-4.1.4.2/libmisc/loginprompt.c 2012-12-03 19:16:28.636237330 +0900
+@@ -158,10 +158,9 @@
+ envp[envc] = nvar;
+ } else {
+ size_t len = strlen (nvar) + 32;
+- int wlen;
+ envp[envc] = xmalloc (len);
+- wlen = snprintf (envp[envc], len, "L%d=%s", count++, nvar);
+- assert (wlen == (int) len -1);
++ (void) snprintf (envp[envc], len,
++ "L%d=%s", count++, nvar);
+ }
+ }
+ set_env (envc, envp);
+diff -ruN shadow-4.1.4.2-orig/libmisc/salt.c shadow-4.1.4.2/libmisc/salt.c
+--- shadow-4.1.4.2-orig/libmisc/salt.c 2012-12-03 19:11:51.412226719 +0900
++++ shadow-4.1.4.2/libmisc/salt.c 2012-12-03 19:15:11.840234397 +0900
+@@ -106,7 +106,7 @@
+ */
+ static /*@observer@*/const char *SHA_salt_rounds (/*@null@*/int *prefered_rounds)
+ {
+- static char rounds_prefix[18];
++ static char rounds_prefix[18]; /* Max size: rounds=999999999$ */
+ long rounds;
+
+ if (NULL == prefered_rounds) {
+@@ -152,11 +152,8 @@
+
+ snprintf (rounds_prefix, 18, "rounds=%ld$", rounds);
+
+- /* Sanity checks. That should not be necessary. */
+- rounds_prefix[17] = '\0';
+- if ('$' != rounds_prefix[16]) {
+- rounds_prefix[17] = '$';
+- }
++ (void) snprintf (rounds_prefix, sizeof rounds_prefix,
++ "rounds=%ld$", rounds);
+
+ return rounds_prefix;
+ }
--- /dev/null
+<manifest>
+ <request>
+ <domain name="_"/>
+ </request>
+ <assign>
+ <filesystem path="/bin/*" label="_" exec_label="none" />
+ <filesystem path="/sbin/*" label="_" exec_label="none" />
+ <filesystem path="/usr/bin/*" label="_" exec_label="none" />
+ <filesystem path="/usr/sbin/*" label="_" exec_label="none" />
+ </assign>
+</manifest>
--- /dev/null
+Summary: Utilities for managing accounts and shadow password files
+Name: shadow-utils
+Version: 4.1.4.2
+Release: 7
+URL: http://pkg-shadow.alioth.debian.org/
+License: BSD-2.0 and GPL-2.0+
+Group: System/Base
+
+Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.gz
+%if 0%{?tizen_build_binary_release_type_eng:1}
+Source1: login-eng.defs
+%else
+Source1: login.defs
+%endif
+Source2: securetty
+Source3: useradd.default
+Source1001: %{name}.manifest
+
+Patch0: 008_login_log_failure_in_FTMP
+Patch1: 008_su_get_PAM_username
+Patch2: 008_su_no_sanitize_env
+Patch3: 401_cppw_src.dpatch
+Patch4: 402_cppw_selinux
+Patch5: 428_grpck_add_prune_option
+Patch6: 429_login_FAILLOG_ENAB
+Patch7: 463_login_delay_obeys_to_PAM
+Patch8: 483_su_fakelogin_wrong_arg0
+Patch9: 501_commonio_group_shadow
+Patch10: 506_relaxed_usernames
+Patch11: 508_nologin_in_usr_sbin
+Patch12: 523_su_arguments_are_concatenated
+Patch13: 523_su_arguments_are_no_more_concatenated_by_default
+Patch14: 542_useradd-O_option
+Patch15: shadow-4.1.4.2-redhat.patch
+Patch16: shadow-4.1.4.1-goodname.patch
+Patch17: shadow-4.1.4.2-leak.patch
+Patch18: shadow-4.1.4.2-fixes.patch
+Patch19: shadow-4.1.4.2-rounds_prefix.patch
+
+Requires: setup
+
+%description
+The shadow package includes the necessary programs for
+converting UNIX password files to the shadow password format, plus
+programs for managing user and group accounts. The pwconv command
+converts passwords to the shadow password format. The pwunconv command
+unconverts shadow passwords and generates an npasswd file (a standard
+UNIX password file). The pwck command checks the integrity of password
+and shadow files. The lastlog command prints out the last login times
+for all users. The useradd, userdel, and usermod commands are used for
+managing user accounts. The groupadd, groupdel, and groupmod commands
+are used for managing group accounts.
+
+%prep
+%setup -q
+
+%patch0 -p1 -b .008_login_log_failure_in_FTMP
+%patch1 -p1 -b .008_su_get_PAM_username
+%patch2 -p1 -b .008_su_no_sanitize_env
+%patch3 -p1 -b .401_cppw_src.dpatch
+%patch4 -p1 -b .402_cppw_selinux
+%patch5 -p1 -b .428_grpck_add_prune_option
+%patch6 -p1 -b .429_login_FAILLOG_ENAB
+%patch7 -p1 -b .463_login_delay_obeys_to_PAM
+%patch8 -p1 -b .483_su_fakelogin_wrong_arg0
+%patch9 -p1 -b .501_commonio_group_shadow
+%patch10 -p1 -b .506_relaxed_usernames
+%patch11 -p1 -b .508_nologin_in_usr_sbin
+%patch12 -p1 -b .523_su_arguments_are_concatenated
+%patch13 -p1 -b .523_su_arguments_are_no_more_concatenated_by_default
+%patch14 -p1 -b .542_useradd-O_option
+%patch15 -p1 -b .redhat
+%patch16 -p1 -b .goodname
+%patch17 -p1 -b .leak
+%patch18 -p1 -b .fixes
+%patch19 -p1 -b .rounds_prefix
+
+%build
+cp %{SOURCE1001} .
+%configure --without-libcrack --without-audit --mandir=/usr/share/man --without-libpam --without-selinux --enable-shadowgrp --disable-man --disable-account-tools-setuid --with-group-name-max-length=32 --disable-nls
+
+make
+
+%install
+make install DESTDIR=%{buildroot}
+install -d %{buildroot}/%{_sysconfdir}/default
+install -c -m 444 %SOURCE1 %{buildroot}/%{_sysconfdir}/login.defs
+install -c -m 444 %SOURCE2 %{buildroot}/%{_sysconfdir}/
+install -c -m 644 %SOURCE3 %{buildroot}/%{_sysconfdir}/default/useradd
+install -d %{buildroot}/sbin
+
+chmod u+s %{buildroot}/%{_bindir}/su
+
+install -d %{buildroot}/bin
+mv %{buildroot}/%{_bindir}/su %{buildroot}/bin/
+mv %{buildroot}/%{_bindir}/login %{buildroot}/bin/
+
+# remove not needed files
+rm %{buildroot}/%{_sbindir}/logoutd
+rm %{buildroot}/%{_bindir}/groups
+rm %{buildroot}/%{_sysconfdir}/login.access
+rm %{buildroot}/%{_sysconfdir}/limits
+rm %{buildroot}/%{_sysconfdir}/securetty
+rm %{buildroot}/%{_bindir}/chfn
+rm %{buildroot}/%{_bindir}/chsh
+rm %{buildroot}/%{_bindir}/expiry
+rm %{buildroot}/%{_sbindir}/chgpasswd
+rm %{buildroot}/%{_sbindir}/grpck
+rm %{buildroot}/%{_sbindir}/grpconv
+rm %{buildroot}/%{_sbindir}/grpunconv
+rm %{buildroot}/%{_sbindir}/pwck
+rm %{buildroot}/%{_sbindir}/pwconv
+rm %{buildroot}/%{_sbindir}/pwunconv
+rm %{buildroot}/%{_sbindir}/vigr
+rm %{buildroot}/%{_sbindir}/vipw
+
+%remove_docs
+
+mkdir -p $RPM_BUILD_ROOT%{_datadir}/license
+for keyword in LICENSE COPYING COPYRIGHT COPYING.GPL-v2.0+;
+do
+ for file in `find %{_builddir} -name $keyword`;
+ do
+ cat $file >> $RPM_BUILD_ROOT%{_datadir}/license/%{name};
+ echo "";
+ done;
+done
+
+%files
+%manifest %{name}.manifest
+%{_datadir}/license/%{name}
+%dir %{_sysconfdir}/default
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs
+/bin/login
+%{_bindir}/faillog
+%{_bindir}/lastlog
+%{_bindir}/sg
+%{_sbindir}/chpasswd
+%{_sbindir}/groupadd
+%{_sbindir}/groupdel
+%{_sbindir}/groupmems
+%{_sbindir}/groupmod
+%{_sbindir}/newusers
+%{_sbindir}/nologin
+%{_sbindir}/useradd
+%{_sbindir}/userdel
+%{_sbindir}/usermod
+%if 0%{?tizen_build_binary_release_type_eng} == 1
+/bin/su
+%{_bindir}/chage
+%{_bindir}/gpasswd
+%{_bindir}/newgrp
+%{_bindir}/passwd
+%else
+%exclude /bin/su
+%exclude %{_bindir}/chage
+%exclude %{_bindir}/gpasswd
+%exclude %{_bindir}/newgrp
+%exclude %{_bindir}/passwd
+%endif
--- /dev/null
+# Default values for useradd(8)
+#
+# The SHELL variable specifies the default login shell on your
+# system.
+# Similar to DHSELL in adduser. However, we use "sh" here because
+# useradd is a low level utility and should be as general
+# as possible
+SHELL=/bin/sh
+#
+# The default group for users
+# 100=users on Debian systems
+# Same as USERS_GID in adduser
+# This argument is used when the -n flag is specified.
+# The default behavior (when -n and -g are not specified) is to create a
+# primary user group with the same name as the user being added to the
+# system.
+# GROUP=100
+#
+# The default home directory. Same as DHOME for adduser
+# HOME=/home
+#
+# The number of days after a password expires until the account
+# is permanently disabled
+# INACTIVE=-1
+#
+# The default expire date
+# EXPIRE=
+#
+# The SKEL variable specifies the directory containing "skeletal" user
+# files; in other words, files such as a sample .profile that will be
+# copied to the new user's home directory when it is created.
+# SKEL=/etc/skel
+#
+# Defines whether the mail spool should be created while
+# creating the account
+# CREATE_MAIL_SPOOL=yes
+
projects / platform / upstream / shadow-utils.git / commitdiff