Sync from SUSE:SLFO:Main shadow revision ab29753a2cb22265ff261735245b461c

2024-05-04 00:38:12 +02:00 · 2024-05-04 00:38:12 +02:00 · 6a4d22a32d
commit 6a4d22a32d
16 changed files with 2829 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
 ## Default LFS
 *.7z filter=lfs diff=lfs merge=lfs -text
 *.bsp filter=lfs diff=lfs merge=lfs -text
 *.bz2 filter=lfs diff=lfs merge=lfs -text
 *.gem filter=lfs diff=lfs merge=lfs -text
 *.gz filter=lfs diff=lfs merge=lfs -text
 *.jar filter=lfs diff=lfs merge=lfs -text
 *.lz filter=lfs diff=lfs merge=lfs -text
 *.lzma filter=lfs diff=lfs merge=lfs -text
 *.obscpio filter=lfs diff=lfs merge=lfs -text
 *.oxt filter=lfs diff=lfs merge=lfs -text
 *.pdf filter=lfs diff=lfs merge=lfs -text
 *.png filter=lfs diff=lfs merge=lfs -text
 *.rpm filter=lfs diff=lfs merge=lfs -text
 *.tbz filter=lfs diff=lfs merge=lfs -text
 *.tbz2 filter=lfs diff=lfs merge=lfs -text
 *.tgz filter=lfs diff=lfs merge=lfs -text
 *.ttf filter=lfs diff=lfs merge=lfs -text
 *.txz filter=lfs diff=lfs merge=lfs -text
 *.whl filter=lfs diff=lfs merge=lfs -text
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
--- a/disable_new_audit_function.patch
+++ b/disable_new_audit_function.patch
@ -0,0 +1,28 @@
 Index: shadow-4.5/src/lastlog.c
 ===================================================================
 --- shadow-4.5.orig/src/lastlog.c
 +++ shadow-4.5/src/lastlog.c
@@ -221,12 +221,15 @@ static void update_one (/*@null@*/const
 		strcpy (ll.ll_host, "localhost");
 #endif
 		strcpy (ll.ll_line, "lastlog");
 +/*
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_ACCT_UNLOCK, Prog,
 			"clearing-lastlog",
 			pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS);
 #endif
 +*/
 	}
 +/*
 #ifdef WITH_AUDIT
 	else {
 		audit_logger (AUDIT_ACCT_UNLOCK, Prog,
@@ -234,6 +237,7 @@ static void update_one (/*@null@*/const
 			pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS);
 	}
 #endif
 +*/
 	if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) {
 			fprintf (stderr,
--- a/pamd.tar.bz2
+++ b/pamd.tar.bz2
--- a/shadow-4.15.1.tar.xz
+++ b/shadow-4.15.1.tar.xz
--- a/shadow-4.15.1.tar.xz.asc
+++ b/shadow-4.15.1.tar.xz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEflbiwT+nfOMVWa3JfcJMNsM0HSAFAmX/ahcACgkQfcJMNsM0
 HSBW5BAAwtMZjHRGfS7R7SnydwSaW7sDP+QOl1108a6rDk0vuu5jCqCcenN66Bwb
 CfR9wmFXUtnnfVSj+z/ESsZOdp1gBkEj6updIQXHK+V2AKmCfe2U7Nuci5Yk1I2E
 6bBAIETHV1YijZMTHSeMWQEmqmOXbF6xhHjbKscqBA4KvnasFuE6hn3Omw/TNCSg
 uwVxapgtUv3RJ/nkQq4OIODKgyeQA4r4LkAQLbtAYmUnEhDQqeEa7tsIJATFYKNK
 7xDyZrqRHb8Rzd9pKRJtYTkYOD18hmOr/vZidZPBhZ0Am1QaYsiRbjuxc9iF/AeE
 pI+WeGKmAvHG1F6hRmjiLmH4gsozL9tZ7OGDWGSrVDGeraIiEYRguwdy6Fe96v0V
 EkwhtcwIl9z8Elo6bIHPiSweOH+e00yHTiBqnkdwpFuOahWsNvcXTigKAEv6KAfR
 bp1BacPRFuO5tgb2/S+Miyb+Fzim5E7Ch77fH2ggtHRNtqff/PqlznX0CchtAplE
 pgI/BGNlnpCecnS/vu8M+SFuES34kh+pz7x4hWL2JICsTVZnJz2SB1tL+Z6p0y0G
 Jt78+LdoJ4U6SKl2s+42RVqrvR0QU01IbWDEFdaQ2lkK1ecGQWNfoOYwzweJiG2M
 RNfUX179KTEbQ4edhY2GmiZif8JUbp+amv9u5qUPrS3ZEgwrYUw=
 =1W4Z
 -----END PGP SIGNATURE-----
--- a/shadow-login_defs-check.sh
+++ b/shadow-login_defs-check.sh
@ -0,0 +1,286 @@
 #!/bin/bash
 # login.defs and lib/getdef.c contain support for third party variables.
 # It also contains support for variables that are unusable in installations with PAM support enabled.
 # This script generates a list of used and unused variables in login.defs
 # with respect to the current configuration.
 # Arguments: arguments of osc build
 # If the shadow-login_defs-check-unused.lst is generated, you should
 # update login.defs.
 set -o errexit
 echo "Preparing..."
 # Check for required commands
 which quilt >/dev/null
 which osc >/dev/null
 # login.defs is shared with util-linux login, su and runuser.
 # Extract list of referenced variables.
 if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then
 	echo "Checking out util-linux..."
 	if test -d ../util-linux ; then
 		echo -n "../util-linux found. Are you preparing new version? (y/N) "
 		read
 		if test "${REPLY:0:1}" = "y" ; then
 		mkdir -p openSUSE:Factory
 			cp -a ../util-linux openSUSE:Factory/
 		else
 			osc co openSUSE:Factory util-linux
 		fi
 	else
 		osc co openSUSE:Factory util-linux
 	fi
 	cd openSUSE:Factory/util-linux
 	quilt setup -d BUILD util-linux.spec
 	cd BUILD/*
 	quilt push -a
 	cd ../../../..
 fi
 echo "Extracting variables from util-linux..."
 cd openSUSE:Factory/util-linux/BUILD/*
 (
 	grep -rh getlogindefs . |
 		sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p'
 	grep -rh logindefs_setenv . |
 		sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p'
 ) |
 	LC_ALL=C sort -u >../../../../shadow-login_defs-check-util-linux.lst
 cd ../../../..
 # login.defs is shared pam_unix*.so, pam_faildelay.so and pam_umask.so.
 # Extract list of referenced variables.
 if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then
 	echo "Checking out pam..."
 	if test -d ../pam ; then
 		echo -n "../pam found. Are you preparing new version? (y/N) "
 		read
 		if test "${REPLY:0:1}" = "y" ; then
 		mkdir -p openSUSE:Factory
 			cp -a ../pam openSUSE:Factory/
 		else
 			osc co openSUSE:Factory pam
 		fi
 	else
 		osc co openSUSE:Factory pam
 	fi
 	cd openSUSE:Factory/pam
 	quilt setup -d BUILD pam.spec
 	cd BUILD/*
 	quilt push -a
 	cd ../../../..
 fi
 echo "Extracting variables from pam..."
 cd openSUSE:Factory/pam/BUILD/*
 grep -rh LOGIN_DEFS . |
 	sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
 	LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst
 cd ../../../..
 if ! test -f shadow-login_defs-check-build/stamp ; then
 	echo "Performing preprocessing of shadow by osc..."
 	if ! test -f shadow.spec.shadow-login_defs-check-save ; then
 		cp -a shadow.spec shadow.spec.shadow-login_defs-check-save
 # In case of shadow, variables extraction is more complicated. The list
 # depends on configure options, so we have to perform a fake build and
 # extract variables from prepreocessed sources.
 #		sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
 		sed -i 's/^%make_build/%make_build -k CPPFLAGS=\\"-E\\"/' shadow.spec
 		if cmp -s shadow.spec shadow.spec.shadow-login_defs-check-save ; then
 			echo "$0: Please fix sed expression modifying shadow.spec."
 			mv shadow.spec.shadow-login_defs-check-save shadow.spec
 			exit 1
 		fi
 	fi
 	if osc build "$@" ; then
 		echo "This build command was expected to fail, but it succeeded."
 		echo "$0: Please fix sed expression modifying shadow.spec."
 		mv shadow.spec.shadow-login_defs-check-save shadow.spec
 		exit 1
 	else
 		echo "This build command was expected to fail."
 		echo ""
 	fi
 	mv shadow.spec.shadow-login_defs-check-save shadow.spec
 	BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p')
 	BUILD_DIR=$(osc lbl | sed -n 's/^.* cd //p' | head -n1)
 	rm -rf shadow-login_defs-check-build
 	mkdir shadow-login_defs-check-build
 	cp -a "$BUILD_ROOT/$BUILD_DIR"/shadow-* shadow-login_defs-check-build/
 	touch shadow-login_defs-check-build/stamp
 fi
 echo "Extracting list of deleted binaries..."
 sed -n 's~rm %{buildroot}/%{_\(s\|\)bindir}/\(.*\)$~\2~p' <shadow.spec >shadow-login_defs-check-deleted.lst
 # The build above is optional only for case of failure or edits in the
 # code below. If any other build was performed, don't expect correct
 # results.
 cd shadow-login_defs-check-build/shadow-*
 echo "Extracting variables from etc/login.defs..."
 # Extract variables referenced in login.defs, both active and commented out.
 sed -n "s/^#//;s/\([A-Z0-9_]*\)\([[:space:]].*\|\)$/\1/p" <etc/login.defs | sed '/^$/d' | uniq | sed '/^$/d' >../../shadow-login_defs-check-login_defs.lst
 LC_ALL=C sort -u ../../shadow-login_defs-check-login_defs.lst >../../shadow-login_defs-check-login_defs-sorted.lst
 echo "Extracting variables from lib/getdef.c..."
 # Extract variables referenced in lib/getdef.c using current defines.
 sed -n 's/^\(},\|\) {"\([A-Z0-9_]*\)", /\2/p' <lib/libshadow_la-getdef.o >../../shadow-login_defs-check-getdef.lst
 LC_ALL=C sort -u ../../shadow-login_defs-check-getdef.lst >../../shadow-login_defs-check-getdef-sorted.lst
 echo "Extracting variables from shadow..."
 # Extract variables referenced in preprocessed files.
 grep -r '\(getdef[a-z_]*\|call_script\|is_listed\) *( *"[A-Za-z0-9_]*"' |
 	grep '[^ ]*\.o:' >../../shadow-login_defs-check-shadow.log
 cd ../..
 export RC=0
 echo ""
 echo ""
 echo "Performing checks..."
 sed '
 	s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/
 '  <shadow-login_defs-check-shadow.log | LC_ALL=C sort -u >../../shadow-login_defs-check-shadow-all.lst
 sed 's%^\(.*\)%/^.*\\\/\1\.o:/d%' <shadow-login_defs-check-deleted.lst >shadow-login_defs-check-deleted.sed
 sed -f shadow-login_defs-check-deleted.sed <shadow-login_defs-check-shadow.log |
 	sed '
 	s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/
 ' | LC_ALL=C sort -u  >shadow-login_defs-check-shadow-used.lst
 if ! test -s shadow-login_defs-check-deleted.sed ; then
 	echo "  BUG: Empty shadow-login_defs-check-deleted.sed Results will be unreliable!"
 	if test $RC -le 4 ; then export RC=4 ; fi
 fi
 echo ""
 echo "Checking that variables in login.defs are referred only once..."
 if test $(wc -l shadow-login_defs-check-login_defs.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-login_defs-sorted.lst | sed 's/ .*//') ; then
 	echo "  ERROR: Some variable referred at more places of login.defs!"
 	LC_ALL=C sort shadow-login_defs-check-login_defs.lst >shadow-login_defs-check-login_defs-sorted-nu.lst
 	diff shadow-login_defs-check-login_defs-sorted-nu.lst shadow-login_defs-check-login_defs-sorted.lst
 	if test $RC -le 3 ; then export RC=3 ; fi
 fi
 echo ""
 echo "Checking that variables in lib/getdef.c are referred only once..."
 if test $(wc -l shadow-login_defs-check-getdef.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-getdef-sorted.lst | sed 's/ .*//') ; then
 	echo "  ERROR: Some variable referred at more places of lib/getdef.c!"
 	LC_ALL=C sort shadow-login_defs-check-getdef.lst >shadow-login_defs-check-getdef-sorted-nu.lst
 	diff shadow-login_defs-check-getdef-sorted-nu.lst shadow-login_defs-check-getdef-sorted.lst
 	if test $RC -le 3 ; then export RC=3 ; fi
 fi
 cat shadow-login_defs-check-shadow-used.lst shadow-login_defs-check-util-linux.lst shadow-login_defs-check-pam.lst | LC_ALL=C sort -u >shadow-login_defs-check-all-used.lst
 # RC inside pipe cannot be read directly. Use 3 for a real stdout inside the pipe, and use stdout for RC.
 exec 3>&1
 function report_packages() {
 	echo -n " ("
 	grep -l $1 shadow-login_defs-check-{shadow-used,util-linux,pam}.lst |
 		sed 's/shadow-login_defs-check-//;s/\.lst//;s/-used//;s/$/, /;$s/, $//' |
 		tr -d '\n'
 	echo -n ")"
 }
 # Extracting variables from shadow is not capable to identify compiled-but-unused library code.
 # This function will identify known false matches.
 function falsematch() {
 	case "$1" in
 # MAIL_* used by library call mailcheck() used only by login.c that is deleted in the spec.
 	MAIL_* ) return 0 ;;
 # FTMP_FILE used by library call failtmp() used only by login.c that is deleted in the spec.
 	FTMP_FILE ) return 0 ;;
 # ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec.
 	ISSUE_FILE ) return 0 ;;
 # PREVENT_NO_AUTH us used only by login.c and su.c that are deleted in the spec.
 	PREVENT_NO_AUTH ) return 0 ;;
 	* ) return 1 ;;
 	esac
 }
 echo ""
 echo "Checking that all used variables are covered by login.defs..."
 RC=$(cat shadow-login_defs-check-all-used.lst | (
 	while read ; do
 		if falsematch "$REPLY" ; then
 			echo "  FALSE MATCH: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3
 			continue
 		fi
 		if ! grep -q -x "$REPLY" shadow-login_defs-check-login_defs-sorted.lst ; then
 			echo "  NOTICE: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3
 			if test $RC -le 2 ; then RC=2 ; fi
 		fi
 	done
 	echo $RC
 ) )
 echo ""
 echo "Checking that all used variables are covered by lib/getdef.c..."
 RC=$(cat shadow-login_defs-check-all-used.lst | (
 	while read ; do
 		if falsematch "$REPLY" ; then continue ; fi
 		if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then
 			echo "  ERROR: Variable $REPLY is missing in the parser$(report_packages $REPLY)" >&3
 			if test $RC -le 3 ; then RC=3 ; fi
 		fi
 	done
 	echo $RC
 ) )
 echo ""
 echo "Checking that all used variables referred in login.defs are valid..."
 RC=$(cat shadow-login_defs-check-login_defs.lst | (
 	while read ; do
 		if ! grep -q -x "$REPLY" shadow-login_defs-check-all-used.lst ; then
 			echo "  ERROR: Failed to find reference for $REPLY" >&3
 			if test $RC -le 3 ; then RC=3 ; fi
 		fi
 		if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then
 			echo "  BUG: Parser does not contain reference for $REPLY" >&3
 			if test $RC -le 4 ; then RC=4 ; fi
 		fi
 	done
 	echo $RC
 ) )
 echo ""
 echo ""
 echo "All checks finished."
 echo -n "Result: "
 case $RC in
 0) echo "OK." ;;
 1) echo "Notices only. Action is optional." ;;
 2) echo "Warnings only. Evaluation is needed." ;;
 3) echo "Errors found. Fix is recommended." ;;
 4) echo "Fatal error. Fix has to be done." ;;
 esac
 if test $RC -ge 1 ; then
 	exit 1
 fi
 echo "
 If you ported shadow-util-linux.patch to the new util-linux version,
 please submit these updates:
 Change in util-linux.spec:"
 sed -n 's/^Version:[[:space:]]*/Requires:       login_defs-support-for-util-linux >= /p' <openSUSE\:Factory/util-linux/util-linux.spec
 echo "Change in shadow.spec:"
 sed -n 's/^Version:[[:space:]]*/Provides:       login_defs-support-for-util-linux = /p' <openSUSE\:Factory/util-linux/util-linux.spec
 echo "
 If you ported shadow-login_defs-unused-by-pam.patch to the new pam version,
 please submit these updates:
 Change in pam.spec:"
 sed -n 's/^Version:[[:space:]]*/Requires:       login_defs-support-for-pam >= /p' <openSUSE\:Factory/pam/pam.spec
 echo "Change in shadow.spec:"
 sed -n 's/^Version:[[:space:]]*/Provides:       login_defs-support-for-pam = /p' <openSUSE\:Factory/pam/pam.spec
--- a/shadow-login_defs-comments.patch
+++ b/shadow-login_defs-comments.patch
@ -0,0 +1,72 @@
 Improve comments in login.defs.
 Index: etc/login.defs
 ===================================================================
 --- etc/login.defs.orig
 +++ etc/login.defs
@@ -3,8 +3,6 @@
 # Some variables are used by login(1), su(1) and runuser(1) from util-linux
 # package as well pam pam_unix(8) from pam package.
 #
 -#	$Id$
 -#
 #
 # Delay in seconds before being allowed another attempt after a login failure
@@ -99,11 +97,14 @@ ENV_PATH	/bin:/usr/bin
 ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/bin
 #ENV_SUPATH	/sbin:/bin:/usr/sbin:/usr/bin
 -# If this variable is set to "yes", su will always set path. every su
 -# call will overwrite the PATH variable.
 +# If this variable is set to "yes" (default is "no"), su will always set
 +# path. every su call will overwrite the PATH variable.
 #
 # Per default, only "su -" will set a new PATH.
 #
 +# The recommended value is "yes". The default "no" behavior could have
 +# a security implication in applications that use commands without path.
 +#
 ALWAYS_SET_PATH	no
 #
@@ -148,6 +149,11 @@ PASS_WARN_AGE	7
 #
 # Min/max values for automatic uid selection in useradd(8)
 #
 +# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
 +# UIDs for dynamically allocated administrative and system accounts.
 +# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
 +# allocated user accounts.
 +#
 UID_MIN			 1000
 UID_MAX			60000
 # System accounts
@@ -161,6 +167,11 @@ SUB_UID_COUNT		    65536
 #
 # Min/max values for automatic gid selection in groupadd(8)
 #
 +# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
 +# GIDs for dynamically allocated administrative and system groups.
 +# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
 +# allocated groups.
 +#
 GID_MIN			 1000
 GID_MAX			60000
 # System accounts
@@ -196,7 +207,6 @@ LOGIN_TIMEOUT		60
 CHFN_RESTRICT		rwh
 #
 -# Only works if compiled with MD5_CRYPT defined:
 # If set to "yes", new passwords will be encrypted using the MD5-based
 # algorithm compatible with the one used by recent releases of FreeBSD.
 # It supports passwords of unlimited length and longer salt strings.
@@ -211,7 +221,6 @@ CHFN_RESTRICT		rwh
 #MD5_CRYPT_ENAB	no
 #
 -# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
 # If set to MD5, MD5-based algorithm will be used for encrypting password
 # If set to SHA256, SHA256-based algorithm will be used for encrypting password
 # If set to SHA512, SHA512-based algorithm will be used for encrypting password
--- a/shadow-login_defs-suse.patch
+++ b/shadow-login_defs-suse.patch
@ -0,0 +1,148 @@
 Set login.defs defaults for SUSE Linux.
 Index: etc/login.defs
 ===================================================================
 --- etc/login.defs.orig
 +++ etc/login.defs
@@ -3,6 +3,9 @@
 # Some variables are used by login(1), su(1) and runuser(1) from util-linux
 # package as well pam pam_unix(8) from pam package.
 #
 +# For more, see login.defs(5). Please note that SUSE supports only variables
 +# listed here! Not listed variables from login.defs(5) have no effect.
 +#
 #
 # Delay in seconds before being allowed another attempt after a login failure
@@ -52,8 +55,8 @@ CONSOLE		/etc/securetty
 # If defined, ":" delimited list of "message of the day" files to
 # be displayed upon login.
 #
 -MOTD_FILE	/etc/motd
 -#MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
 +MOTD_FILE	""
 +#MOTD_FILE	/etc/motd:/usr/share/misc/motd
 #
 # If set to "yes", login stops display content specified by MOTD_FILE after
@@ -73,8 +76,8 @@ MOTD_FILE	/etc/motd
 # user's name or shell are found in the file.  If not a full pathname, then
 # hushed mode will be enabled if the file exists in the user's home directory.
 #
 -HUSHLOGIN_FILE	.hushlogin
 -#HUSHLOGIN_FILE	/etc/hushlogins
 +#HUSHLOGIN_FILE	.hushlogin
 +HUSHLOGIN_FILE	/etc/hushlogins
 # If this variable is set to "yes", hostname will be suppressed in the
 # login: prompt.
@@ -93,9 +96,9 @@ HUSHLOGIN_FILE	.hushlogin
 # ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
 # (and falback for login).
 #
 -ENV_PATH	/bin:/usr/bin
 -ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/bin
 -#ENV_SUPATH	/sbin:/bin:/usr/sbin:/usr/bin
 +ENV_PATH	/usr/local/bin:/bin:/usr/bin
 +ENV_ROOTPATH	/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 +#ENV_SUPATH	/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 # If this variable is set to "yes" (default is "no"), su will always set
 # path. every su call will overwrite the PATH variable.
@@ -105,7 +108,7 @@ ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/b
 # The recommended value is "yes". The default "no" behavior could have
 # a security implication in applications that use commands without path.
 #
 -ALWAYS_SET_PATH	no
 +ALWAYS_SET_PATH	yes
 #
 # Terminal permissions
@@ -119,7 +122,7 @@ ALWAYS_SET_PATH	no
 # set TTYPERM to either 622 or 600.
 #
 TTYGROUP	tty
 -TTYPERM		0600
 +TTYPERM		0620
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
@@ -133,7 +136,7 @@ UMASK		022
 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
 # home directories.
 # If HOME_MODE is not set, the value of UMASK is used to create the mode.
 -#HOME_MODE	0700
 +HOME_MODE	0700
 #
 # Password aging controls:
@@ -157,8 +160,8 @@ PASS_WARN_AGE	7
 UID_MIN			 1000
 UID_MAX			60000
 # System accounts
 -SYS_UID_MIN		  101
 -SYS_UID_MAX		  999
 +SYS_UID_MIN		  100
 +SYS_UID_MAX		  499
 # Extra per user uids
 SUB_UID_MIN		   100000
 SUB_UID_MAX		600100000
@@ -175,8 +178,8 @@ SUB_UID_COUNT		    65536
 GID_MIN			 1000
 GID_MAX			60000
 # System accounts
 -SYS_GID_MIN		  101
 -SYS_GID_MAX		  999
 +SYS_GID_MIN		  100
 +SYS_GID_MAX		  499
 # Extra per user group ids
 SUB_GID_MIN		   100000
 SUB_GID_MAX		600100000
@@ -185,7 +188,7 @@ SUB_GID_COUNT		    65536
 #
 # Max number of login(1) retries if password is bad
 #
 -LOGIN_RETRIES		5
 +LOGIN_RETRIES		3
 #
 # Tell login to only re-prompt for the password if authentication
@@ -207,18 +210,9 @@ LOGIN_TIMEOUT		60
 CHFN_RESTRICT		rwh
 #
 -# If set to "yes", new passwords will be encrypted using the MD5-based
 -# algorithm compatible with the one used by recent releases of FreeBSD.
 -# It supports passwords of unlimited length and longer salt strings.
 -# Set to "no" if you need to copy encrypted passwords to other systems
 -# which don't understand the new algorithm.  Default is "no".
 -#
 -# Note: If you use PAM, it is recommended to use a value consistent with
 -# the PAM modules configuration.
 -#
 -# This variable is deprecated. You should use ENCRYPT_METHOD instead.
 +# This variable is deprecated. Use ENCRYPT_METHOD instead!
 #
 -#MD5_CRYPT_ENAB	no
 +#MD5_CRYPT_ENAB	DO_NOT_USE
 #
 # If set to MD5, MD5-based algorithm will be used for encrypting password
@@ -233,7 +227,7 @@ CHFN_RESTRICT		rwh
 # Note: If you use PAM, it is recommended to use a value consistent with
 # the PAM modules configuration.
 #
 -#ENCRYPT_METHOD DES
 +ENCRYPT_METHOD SHA512
 #
 # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
@@ -322,7 +316,7 @@ USERGROUPS_ENAB yes
 # This option is overridden with the -M or -m flags on the useradd(8)
 # command-line.
 #
 -#CREATE_HOME     yes
 +CREATE_HOME     yes
 #
 # Force use shadow, even if shadow passwd & shadow group files are
--- a/shadow-login_defs-unused-by-pam.patch
+++ b/shadow-login_defs-unused-by-pam.patch
@ -0,0 +1,280 @@
 Remove variables that are present in login.defs, but shadow with the
 current configuration (e. g. with PAM) does not use them.
 It also includes variables used by the current configuration, but deleted
 in the spec file.
 shadow-login_defs-unused-check.sh makes possible to verify that it is
 still up to date.
 Index: etc/login.defs
 ===================================================================
 --- etc/login.defs.orig
 +++ etc/login.defs
@@ -12,11 +12,6 @@
 FAIL_DELAY		3
 #
 -# Enable logging and display of /var/log/faillog login(1) failure info.
 -#
 -FAILLOG_ENAB		yes
 -
 -#
 # Enable display of unknown usernames when login(1) failures are recorded.
 #
 LOG_UNKFAIL_ENAB	no
@@ -27,11 +22,6 @@ LOG_UNKFAIL_ENAB	no
 LOG_OK_LOGINS		no
 #
 -# Enable logging and display of /var/log/lastlog login(1) time info.
 -#
 -LASTLOG_ENAB		yes
 -
 -#
 # Limit the highest user ID number for which the lastlog entries should
 # be updated.
 #
@@ -41,29 +31,6 @@ LASTLOG_ENAB		yes
 #LASTLOG_UID_MAX
 #
 -# Enable checking and display of mailbox status upon login.
 -#
 -# Disable if the shell startup files already check for mail
 -# ("mailx -e" or equivalent).
 -#
 -MAIL_CHECK_ENAB		yes
 -
 -#
 -# Enable additional checks upon password changes.
 -#
 -OBSCURE_CHECKS_ENAB	yes
 -
 -#
 -# Enable checking of time restrictions specified in /etc/porttime.
 -#
 -PORTTIME_CHECKS_ENAB	yes
 -
 -#
 -# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
 -#
 -QUOTAS_ENAB		yes
 -
 -#
 # Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
 # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
 #
@@ -91,46 +58,12 @@ MOTD_FILE	/etc/motd
 #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
 #
 -# If defined, this file will be output before each login(1) prompt.
 -#
 -#ISSUE_FILE	/etc/issue
 -
 -#
 # If defined, file which maps tty line to TERM environment parameter.
 # Each line of the file is in a format similar to "vt100  tty01".
 #
 #TTYTYPE_FILE	/etc/ttytype
 #
 -# If defined, login(1) failures will be logged here in a utmp format.
 -# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
 -#
 -FTMP_FILE	/var/log/btmp
 -
 -#
 -# If defined, name of file whose presence will inhibit non-root
 -# logins.  The content of this file should be a message indicating
 -# why logins are inhibited.
 -#
 -NOLOGINS_FILE	/etc/nologin
 -
 -#
 -# If defined, the command name to display when running "su -".  For
 -# example, if this is defined as "su" then ps(1) will display the
 -# command as "-su".  If not defined, then ps(1) will display the
 -# name of the shell actually being run, e.g. something like "-sh".
 -#
 -SU_NAME		su
 -
 -#
 -# *REQUIRED*
 -#   Directory where mailboxes reside, _or_ name of file, relative to the
 -#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
 -#
 -MAIL_DIR	/var/spool/mail
 -#MAIL_FILE	.mail
 -
 -#
 # If defined, file which inhibits all the usual chatter during the login
 # sequence.  If a full pathname, then hushed mode will be enabled if the
 # user's name or shell are found in the file.  If not a full pathname, then
@@ -140,21 +73,6 @@ HUSHLOGIN_FILE	.hushlogin
 #HUSHLOGIN_FILE	/etc/hushlogins
 #
 -# If defined, either a TZ environment parameter spec or the
 -# fully-rooted pathname of a file containing such a spec.
 -#
 -#ENV_TZ		TZ=CST6CDT
 -#ENV_TZ		/etc/tzname
 -
 -#
 -# If defined, an HZ environment parameter spec.
 -#
 -# for Linux/x86
 -ENV_HZ		HZ=100
 -# For Linux/Alpha...
 -#ENV_HZ		HZ=1024
 -
 -#
 # *REQUIRED*  The default PATH settings, for superuser and normal users.
 #
 # (they are minimal, add the rest in the shell startup files)
@@ -180,17 +98,13 @@ TTYPERM		0600
 #
 #	ERASECHAR	Terminal ERASE character ('\010' = backspace).
 #	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
 -#	ULIMIT		Default "ulimit" value.
 #
 # The ERASECHAR and KILLCHAR are used only on System V machines.
 -# The ULIMIT is used only if the system supports it.
 -# (now it works with setrlimit too; ulimit is in 512-byte units)
 #
 # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
 #
 ERASECHAR	0177
 KILLCHAR	025
 -#ULIMIT		2097152
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
@@ -211,23 +125,13 @@ UMASK		022
 #
 #	PASS_MAX_DAYS	Maximum number of days a password may be used.
 #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
 -#	PASS_MIN_LEN	Minimum acceptable password length.
 #	PASS_WARN_AGE	Number of days warning given before a password expires.
 #
 PASS_MAX_DAYS	99999
 PASS_MIN_DAYS	0
 -PASS_MIN_LEN	5
 PASS_WARN_AGE	7
 #
 -# If "yes", the user must be listed as a member of the first gid 0 group
 -# in /etc/group (called "root" on most Linux systems) to be able to "su"
 -# to uid 0 accounts.  If the group doesn't exist or is empty, no one
 -# will be able to "su" to uid 0.
 -#
 -SU_WHEEL_ONLY	no
 -
 -#
 # Min/max values for automatic uid selection in useradd(8)
 #
 UID_MIN			 1000
@@ -264,28 +168,6 @@ LOGIN_RETRIES		5
 LOGIN_TIMEOUT		60
 #
 -# Maximum number of attempts to change password if rejected (too easy)
 -#
 -PASS_CHANGE_TRIES	5
 -
 -#
 -# Warn about weak passwords (but still allow them) if you are root.
 -#
 -PASS_ALWAYS_WARN	yes
 -
 -#
 -# Number of significant characters in the password for crypt().
 -# Default is 8, don't change unless your crypt() is better.
 -# Ignored if MD5_CRYPT_ENAB set to "yes".
 -#
 -#PASS_MAX_LEN		8
 -
 -#
 -# Require password before chfn(1)/chsh(1) can make any changes.
 -#
 -CHFN_AUTH		yes
 -
 -#
 # Which fields may be changed by regular users using chfn(1) - use
 # any combination of letters "frwh" (full name, room number, work
 # phone, home phone).  If not defined, no changes are allowed.
@@ -294,13 +176,6 @@ CHFN_AUTH		yes
 CHFN_RESTRICT		rwh
 #
 -# Password prompt (%s will be replaced by user name).
 -#
 -# XXX - it doesn't work correctly yet, for now leave it commented out
 -# to use the default which is just "Password: ".
 -#LOGIN_STRING		"%s's Password: "
 -
 -#
 # Only works if compiled with MD5_CRYPT defined:
 # If set to "yes", new passwords will be encrypted using the MD5-based
 # algorithm compatible with the one used by recent releases of FreeBSD.
@@ -349,45 +224,6 @@ CHFN_RESTRICT		rwh
 #SHA_CRYPT_MAX_ROUNDS 5000
 #
 -# Only works if ENCRYPT_METHOD is set to BCRYPT.
 -#
 -# Define the number of BCRYPT rounds.
 -# With a lot of rounds, it is more difficult to brute-force the password.
 -# However, more CPU resources will be needed to authenticate users if
 -# this value is increased.
 -#
 -# If not specified, 13 rounds will be attempted.
 -# If only one of the MIN or MAX values is set, then this value will be used.
 -# If MIN > MAX, the highest value will be used.
 -#
 -#BCRYPT_MIN_ROUNDS 13
 -#BCRYPT_MAX_ROUNDS 13
 -
 -#
 -# Only works if ENCRYPT_METHOD is set to YESCRYPT.
 -#
 -# Define the YESCRYPT cost factor.
 -# With a higher cost factor, it is more difficult to brute-force the password.
 -# However, more CPU time and more memory will be needed to authenticate users
 -# if this value is increased.
 -#
 -# If not specified, a cost factor of 5 will be used.
 -# The value must be within the 1-11 range.
 -#
 -#YESCRYPT_COST_FACTOR 5
 -
 -#
 -# List of groups to add to the user's supplementary group set
 -# when logging in from the console (as determined by the CONSOLE
 -# setting).  Default is none.
 -#
 -# Use with caution - it is possible for users to gain permanent
 -# access to these groups, even when not logged in from the console.
 -# How to do it is left as an exercise for the reader...
 -#
 -#CONSOLE_GROUPS		floppy:audio:cdrom
 -
 -#
 # Should login be allowed if we can't cd to the home directory?
 # Default is no.
 #
@@ -402,12 +238,6 @@ DEFAULT_HOME	yes
 NONEXISTENT	/nonexistent
 #
 -# If this file exists and is readable, login environment will be
 -# read from it.  Every line should be in the form name=value.
 -#
 -ENVIRON_FILE	/etc/environment
 -
 -#
 # If defined, this command is run when removing a user.
 # It should remove any at/cron/print jobs etc. owned by
 # the user to be removed (passed as the first argument).
--- a/shadow-util-linux.patch
+++ b/shadow-util-linux.patch
@ -0,0 +1,139 @@
 Add variables referred by util-linux login, runuser and su, but not by
 shadow.
 Delete variables used by shadow implementation of login, su and runuser
 that has no use in util-linux implementation.
 Index: etc/login.defs
 ===================================================================
 --- etc/login.defs.orig
 +++ etc/login.defs
@@ -1,5 +1,7 @@
 #
 # /etc/login.defs - Configuration control definitions for the shadow package.
 +# Some variables are used by login(1), su(1) and runuser(1) from util-linux
 +# package as well pam pam_unix(8) from pam package.
 #
 #	$Id$
 #
@@ -17,9 +19,8 @@ FAIL_DELAY		3
 LOG_UNKFAIL_ENAB	no
 #
 -# Enable logging of successful logins
 +# Enable "syslog" logging of  newgrp(1) and sg(1) activity.
 #
 -LOG_OK_LOGINS		no
 #
 # Limit the highest user ID number for which the lastlog entries should
@@ -31,10 +32,9 @@ LOG_OK_LOGINS		no
 #LASTLOG_UID_MAX
 #
 -# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
 -# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
 +# Enable "syslog" logging of newgrp(1) and sg(1) activity - in addition
 +# to sulog file logging.
 #
 -SYSLOG_SU_ENAB		yes
 SYSLOG_SG_ENAB		yes
 #
@@ -58,6 +58,12 @@ MOTD_FILE	/etc/motd
 #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
 #
 +# If set to "yes", login stops display content specified by MOTD_FILE after
 +# the first accessible item in the list.
 +#
 +#MOTD_FIRSTONLY	no
 +
 +#
 # If defined, file which maps tty line to TERM environment parameter.
 # Each line of the file is in a format similar to "vt100  tty01".
 #
@@ -72,12 +78,33 @@ MOTD_FILE	/etc/motd
 HUSHLOGIN_FILE	.hushlogin
 #HUSHLOGIN_FILE	/etc/hushlogins
 +# If this variable is set to "yes", hostname will be suppressed in the
 +# login: prompt.
 +#LOGIN_PLAIN_PROMPT	no
 +
 #
 # *REQUIRED*  The default PATH settings, for superuser and normal users.
 #
 # (they are minimal, add the rest in the shell startup files)
 -ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
 -ENV_PATH	PATH=/bin:/usr/bin
 +#
 +# ENV_PATH: The default PATH settings for non-root.
 +#
 +# ENV_ROOTPATH: The default PATH settings for root
 +# (used by login, su and runuser).
 +#
 +# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
 +# (and falback for login).
 +#
 +ENV_PATH	/bin:/usr/bin
 +ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/bin
 +#ENV_SUPATH	/sbin:/bin:/usr/sbin:/usr/bin
 +
 +# If this variable is set to "yes", su will always set path. every su
 +# call will overwrite the PATH variable.
 +#
 +# Per default, only "su -" will set a new PATH.
 +#
 +ALWAYS_SET_PATH	no
 #
 # Terminal permissions
@@ -93,19 +120,6 @@ ENV_PATH	PATH=/bin:/usr/bin
 TTYGROUP	tty
 TTYPERM		0600
 -#
 -# Login configuration initializations:
 -#
 -#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
 -#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
 -#
 -# The ERASECHAR and KILLCHAR are used only on System V machines.
 -#
 -# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
 -#
 -ERASECHAR	0177
 -KILLCHAR	025
 -
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
 # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
@@ -163,6 +177,12 @@ SUB_GID_COUNT		    65536
 LOGIN_RETRIES		5
 #
 +# Tell login to only re-prompt for the password if authentication
 +# failed, but the username is valid. The default value is no.
 +#
 +LOGIN_KEEP_USERNAME	no
 +
 +#
 # Max time in seconds for login(1)
 #
 LOGIN_TIMEOUT		60
@@ -315,14 +335,6 @@ CHARACTER_CLASS         [ABCDEFGHIJKLMNO
 #GRANT_AUX_GROUP_SUBIDS yes
 #
 -# Prevents an empty password field to be interpreted as "no authentication
 -# required".
 -# Set to "yes" to prevent for all accounts
 -# Set to "superuser" to prevent for UID 0 / root (default)
 -# Set to "no" to not prevent for any account (dangerous, historical default)
 -PREVENT_NO_AUTH superuser
 -
 -#
 # Select the HMAC cryptography algorithm.
 # Used in pam_timestamp module to calculate the keyed-hash message
 # authentication code.
--- a/shadow.changes
+++ b/shadow.changes
--- a/shadow.keyring
+++ b/shadow.keyring
@ -0,0 +1,239 @@
 Serge Hallyn <sergeh@kernel.org>
 Serge Hallyn <serge@hallyn.com>
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQENBE+oKZQBCACz5WylGAr+eitZjuSigzR+y30W3E+gkU0DSNlBB3WlorOtmzMX
 9F2d+z+ozJuez4NPqwfQ5y2ExKSbL8i1rwYmExZIzTDpm1Q6N3hG+vLbxwbrbsKT
 qW9rPiXriU5yRwuvVJl4NOU6T/Pau3/VD8iFN7U4mVpNFVPlB8vCvDJ+07Z0xIH9
 MXe8uaERG3v2EL7Mv8L5w05XEeuTT/CJiw6NdzwjZc1FymVoFjntetl8HaJ+5JCB
 2ylAbnw/wZJHORgsLxZhOL6/zrJRG8GvjgB+1l8izgl4n0DOqjyyoQIZJ+mfuHR0
 6wDqwvP5F9RZqCh8Md4hYujop5a0BKfAzLfdABEBAAG0IFNlcmdlIEhhbGx5biA8
 c2VyZ2VoQGtlcm5lbC5vcmc+iQFOBBMBCgA4FiEEZtA4fbhdMg+ECBZtsXXPqY8Z
 KvIFAl2r0d0CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQsXXPqY8ZKvIM
 nAgAiTpLlXuzyD4C+9I/yCA9N/BqK43jnMfJOl/Ky56vgJ/WbrFJLuO3wubMlRLD
 3jurC6SK2g0TpygyoX2MjwZVT60Sq3ZcgIh71yyWHhtZ29NuUiKsKnajb9IlP+AM
 1V0g9py41YdDUmAuC/5crqyK+8u1CVrB/is7Eym598gIl9nyGvaZrzgjG1cRCjzf
 ZU8pRG+VPMr5Xla8rDKBZl+LcusV90eAUa0E/KVFS5N1dQ6HKckYXPSBN3DKHZy+
 qKa1k7Dq0CnkTjQmjaMu3j5sdOXg4QUfhCHeLDFAtadNdP04I6g5KZRvC44XdQ1A
 bxFMLyObhCsq/QxSh/nYrKsw0rQsU2VyZ2UgSGFsbHluIChrZXJuZWwub3JnKSA8
 c2VyZ2VAaGFsbHluLmNvbT6JATgEEwECACIFAk+oKZQCGwMGCwkIBwMCBhUIAgkK
 CwQWAgMBAh4BAheAAAoJELF1z6mPGSryYfEIAJviOHYwzXjnHWrsbQQ75rJq2wQ4
 NlM5FRljskufCXtIz/DUpKKT3aqG3y7ywtEwl4ePofJmLbC0O5bZF9blgSSCV02z
 zGdeUosAJsxumYHVi9CRHWsiAaNMX8gif9vePqz/iY/caPS4w4gBXJK8vLwvxToI
 4CZDwIlMkMov//3HQ5v5OKfeqbA1rnsGI74vUw9Zt/Sqgudz5bY65693OqeRRWU6
 tOH8zo4HkFew26Ydh80qAn1R7ALnk68zwfXj8vdyR9f05dEqbg/4thZWcjWC/Frn
 QOjcTwKu5DnUCE937a1MPzt4t1FCYUHrqcLN99uzGuOD42o9/S+JAa2HWhe5Ag0E
 Zb/8ygEQAPBwca/apgMnuaVqUSYOCz3qyQ9S65yyifznXrLRYjS3WwCl/yb8imer
 Hw5ykDij2WjlHQbod2j/pooCJuhOUfqg1JI5o2nNNFsLOxrYSGsScsK1pSDyOgA4
 Kg+wnAGzNAmW47fI05HfCILeK8CvHylxbpEHM0Ola/KivBmg9mqq7I/zTElL9oDT
 oOyyO7B0IHZUCbjjkApHZY8VH89kcyBsrXKh5o8BwjwyqiZKvt4uzEjOS58iUYts
 rxCDnyGLfp4MFsOWhQi2Z8mN+7iPEApUiKKu+Z4ESCq+/YUtjlIrmcAmw6aqlxLT
 /6RqEpoUj57zq+JuYZQKsnEJpnUayG/cFomrsPQuAz4pbWDb0Q/yXLqCw3QR1vjm
 kFmgaT8gtO4Idn2qfQ0Nnj8LCcSXjSsWBCaEPVF6Tq5TGMaJOjTwSCFWrW6AsNkw
 PI9G8OWfpUWB7ciF4sdGYnBpT11xhUeUg0UsBbOLWQCC8fVIs1gsrwDLbIxXx1lV
 XRncM9/6FYQ5IX95N8te2GBDkYzdpTpxgQAqaPHsHvbEoop10qn+HDem0zV66zT2
 6EAmD3w9PVlRFYqxGjiAjXC8nwsdnNxuGVBqrZjy2YFDI7JIk9k0qKVDrx3o7/L3
 tj0kPjg69Zg2QqgozBSLc4CCS2DzXKjeelxY7IAqfmXel4p5QHRnABEBAAGJA2wE
 GAEKACAWIQRm0Dh9uF0yD4QIFm2xdc+pjxkq8gUCZb/8ygIbAgJACRCxdc+pjxkq
 8sF0IAQZAQoAHRYhBH5W4sE/p3zjFVmtyX3CTDbDNB0gBQJlv/zKAAoJEH3CTDbD
 NB0gUxgQAMW3d6UYo3HdM56El7B8f1PiPKjNBU4A4rZTm/veZFvlr2hSlTQXxxgf
 5Y/Eh8VDal9yMhoI8VjfEsyDEmRBgv+KteDaC9YWv/WycImS1tcjF6ddX8s5sVLm
 yie1C+SZKxw0ExgWJJzQgJD0xCgEo/2ci4Xc14Et8ay4CiOscfONngAu0Su2WFSg
 dtFEcQcYtxR87E8wyPya34OtQuKpwS2+Om5m75/qi6odtnuaB84/TajMyFz/9Fvo
 lleUJ0HvnVOpbd2wdmprkTGP7lnhxrBYi2JCZTcaO32gvADZEY9m6zEimFx1fYJJ
 QPpl4mO5XhRHtImsg2BKSJZSKhp7IxWP4O2GkrL714c+BiOAYtXnGijBPW3K6h0P
 pToGS9DkNwBHJAULXQXydIbvy6knSvgrG44aOS/M1MnbgbfW8GuKOgYtOVyCRk/1
 463gsr92BkM1zHF/+Q0I88wB+ZiYjSyYXtJx1jtaUUUhio1GM76Z35YFCiZ9sdi3
 IA8hgc8WSW4FESFZq2hbaOc9j0uifPbsZY+uE1vcQN7niBGvdEidAzkKtroOhzBM
 I5qWDh3UxWj5pXeNntExucf4bhM9abb57NshNd1GFGE8uIIgiJAF45JAh922vHCr
 9T4NaKwf3MC7fGo+kBSTNNh7V35gxg96NTk+cq71eh13007l5GWy7B0H+gJ/V5J6
 5xXkUnIx04oUztD2a6YIPuWVRwuyRsHSCzpqFR8K2iRzJFBlrQdMslUSXQJ0kFcM
 W70cC0LO+nXF7G57mS5z3ZMILfEkLSFUIwHRdzFu0j9nDjQwcF9ws8ExBAgkAMi+
 2VzqMVHz4TekGMEgE/vP2RQSSR4T6JycYRI4gLyhDX9+uZsHBkb46Nn4nUGEqjJ1
 umVMYg1Ww6vJqzkKLjWnibkA0fKaUmhVJS2RZ1Dr6Xm+LFFFzSpHGGhy4vvik0FO
 RyTNv5jBmMwRcebLcodl8m22KpwjRTkSOOzx+cXlB9KOVlbLj1UxCxFirufHRqxy
 F9sprm3IKJxe4/65AQ0EXavhqwEIAMKECc/f8f0/CenKkz3wXGEtlG46YLjtTt2t
 WYXdt9Z04ihVaYePanFtvuujyO3I3jUQNv2foU1CtOuVyfZqX+TXqs0BUPXWwTCk
 MOyc/fEQ5u0BFJjWYtmr2sZY4Ag1juJsmzI7g3cnMLL9LbjpbHRruFIT5rnv9NwG
 7PURn1XnCt9tdZ/d0h7vEaNkD37j67rjy8UElVVcwVGhsCR8CkqwZ6ZwpQxE9wyq
 /Txb+v8qEJcohc5SWbYl70AtzHObokkW6cvRjNz+BcEpnPfu10lbPO/8a16B96VD
 djDGPj2shfNsFLaT8MtFfDAdjZRGlrfv3Wp4qFRlSUGrjInvOLMAEQEAAYkBNgQY
 AQoAIBYhBGbQOH24XTIPhAgWbbF1z6mPGSryBQJdq+GrAhsgAAoJELF1z6mPGSry
 W4wH/3Xk9x+WUxeJNtm+5hOfe/KBsXQUbBz+JHGFjd9YQw98jUvPNN1RfgtKf31b
 +FDKbk/cu+9bNLSfhKDz2AEREViogKRcVjJDy9XmmWQd1oo+M4GHNYhpIt5ZK1d3
 CROIiqisLQsih64/gl9gboMcsUuHRkc3hVKUb2umCZPG37hUdAvOmOMS7/0KCGS5
 pXnfsX+zegSKjps12siExYXiRpkxbF9MW7er6/6ukvHLx4jHpgiZ5Sjt/9OqUiAO
 gUSQfhpAUJlaLxe9E3nj+ABs7LV+FOjtI64skqgqbYo5VXobFSJhqFTog1+KmMzn
 fsdKaOZQuZh3v3TtGUzkxoMUHPe5AQ0EXavhYgEIAMd+iVOTx6FC3Ghv2PASeXsn
 xtb9Af+aBjNf0m8WKTLgIS9xQbxgNJctG6AEptkBfAStRLIA5qOa0iYIpkJynEPb
 onJ12qvtlJ6b6g1h3AThYXQBjTQ89X+rlFzVGQsieqanjI+fiSNbDarOLQUbeJOr
 kfFukr34o5xloKENL/kwu1lDG/Y2GMxZRLe1aVJUXQg4FiEiaE+LNFbrUHxdNR2P
 E4XuJHetneHEiT/zXpvEF4MCisjJTGAHEC43rl7OqHU/GDdcW0udyf9v33LCFWTR
 LlgKKHVyUrHVhVzbB2z1+xnxxh/bQXjgttIP3Zqn8LXiLnUNU5+ejJiuAwdwcn8A
 EQEAAYkBNgQYAQoAIBYhBGbQOH24XTIPhAgWbbF1z6mPGSryBQJdq+FiAhsMAAoJ
 ELF1z6mPGSry9/UH/0vOoYu6b57UxsJNR5dCMhsPYV7FFIX9uj5XIDo/bQt2RTMa
 2PuKMbcDGINsDqHXqOFpZq5WDHhq0cEoIqhlkgj1uC77LLGw7mWyiaMbITQDlRzP
 9c9Qj3NkGNKW6FTwR7LPh43kgXygO1StVADIdHapiw9hI52rF8FrNYy4oNRXhUcD
 Pfn03akuIbF75saCHaYO/xoQeEqE+0qV82V/FT5tISMygkzgq+9zUhiA4XQjxiVh
 SK2cAi0iUTXZecyEueLk6zZ9vkD8JZagSirTFgxtLrnhVpUBJMOgffv5jmO/Sun4
 s+3JbAdicmsFqw90hWmGNwa0F5HZ20rEVAwkdt25AQ0EXavgpgEIAOk8dMgYu4Q7
 hU461EC/MtxIiwSD8i7lizUB8SzxFPnyWgkvG2Fik5lUiDJmEstLdCm3dpapiJud
 zcTgl9Abo4xgoq+VbKRCPk0017JE2bNSbF3TmxhaHAHiBvhU/U+kRz+lDnUE1Smh
 zGd1yn1kCvmG9MmWjiQPkG9vLx3d46DBnqHO6wn1AFeKiKuyCs1igvtT2qz+2+iz
 Y9tyd+s2O95+1CDQslqQ8IQNP00cFTJljsk3dmZXQb6SkxxTNG+E/2vMdUZhUbb7
 UIFUOmFekZvGZMIf9sNMJGCVIN+vyMMhE1MA17iJGxtAFVqeMN4wA9+MA4z5udke
 gdbxnWxLtg0AEQEAAYkCbAQYAQoAIBYhBGbQOH24XTIPhAgWbbF1z6mPGSryBQJd
 q+CmAhsCAUAJELF1z6mPGSrywHQgBBkBCgAdFiEEqb0/8XByttt4D8+UNXDaFycK
 ziQFAl2r4KYACgkQNXDaFycKziT2fAf+PgS08m9Uiks9LWAp9BpaiVn0SXx/XYhT
 JmRr78UrCHogZstAET2haLqWwMIoyOpie5Vutxi2WXQtzsJ1BHV9LB/NP3nFT/P9
 asZXzFtBBRQsDwxW5ii20hkHKG10M2+QGiC0ssfi1zjQFKbaOpxvou5Pi+zBQuT1
 RQ65NQrFYQI4zdyLbnniX2EZpDipLFJeGs881HQt7RjwSUtAjXW9M/pQQDp/JWEj
 p6D3R4ys0/Y4cJblCci5rM8Un/aVvXYGBqEpsddhH9xGpk0JTWtGAfw1a0ovRv39
 D1uwG8uXTQiUDTGGlllXhzpLkcJBtT8VeogiAGZC99pbNW5BU8cbFyOHB/9Q/HBm
 Iqmj5MYvQZCQ//cf9Af9gc+o2YA4/Kg2pSf9GKZizd3J8NO05O6YSsXqIsBr2lIG
 jw4klkE7GyRd/KVMQOxrFY9vFcdSxQuklnFUeiH73RFP3nsdzw+MRr4Hcpbm9F0f
 CnB6aU1gqf74e/6Qiv6d2pq7Dzyzx7ZCm8BRLT2HZbFeYQ6GsdOIYgWzWXqurk/6
 8rlE1D7Fo9KK9lmrLOwrr7ez1pOLHA8pPDhZhxI5D3ZhDsLUux3caCUfFdP/VpaJ
 ijGNc1HYt8mk4U1Qb6ZlafTYb75F9d61v8/M/HATZ5KpT9gr0aGkfwptzCwlBJ8y
 pcRI9AuUUDCTAXIGuQENBE+oKZQBCADc9sYSnWAj3y6QE9sGNDUFaKpAFUsprpQ8
 LeA05nh3RUxYDd75qc0ewtGR1+SlgpehKQfSXVQT254jM5lJanNDPYffk9k9lMwg
 SVoTP2QaszfDgir7WKKQuj3dBwnmYHdIY2mq+eaAh/1cCU//ggdaATo4ENQhKTAI
 iuviGKBpYX/zHAlPIvyFjERsBmq0woQKvDGsoQEObx1zu1GaTWeTSIEnHyRhajMQ
 rKUAxSCh9Th2Vj6xOhvx9TK6li+ecxYuuBVP0Xllg1GdoQBC8KWITDOrU18suj1v
 EGK4YOzQQPxANs6I81SvVddd2bh71cyAjhHr1kugw3PWQvLe4yHHABEBAAGJAR8E
 GAECAAkFAk+oKZQCGwwACgkQsXXPqY8ZKvJrVAgAi7CVXJt8mZiN+yzwiZVlzrkR
 QduB2cgvGZD6Hm3MJc1aVA3Gh0tJcLo+SdutCOzKSmPRSsnWT19EKxpDMrc9j97P
 i9SDrGyUOx7Bz8gKjTI6BcfPNAhAyIr5Gr9SDyTx6tUduSmmErrvjYWP1/Jz7spI
 nN2wQd5ZVRSvS/rNZGh1NU31oeWlbpkU0JpGbZkMXv4JIy+1caH5zzrcRMC9JFxf
 m/bYdaq+jHhMufnSy0Qa3QgJkKvzxzvlIG9BaUmuNeR+XoA9ISEMQzAYXqxJQSL2
 8Er9IVaNgtz5mqCMf8vuDTPGpkYyqGnOjtQNF695wiA7CAr3/WTeiEl6kKsBFg==
 =/+gu
 -----END PGP PUBLIC KEY BLOCK-----
 Alejandro Colomar <alx@kernel.org>
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBGI/tA8BEACYC5fPDOMDrT8SxNlsB9fRj9YAZt7okGtbCIlVuSPs81YMkeJm
 BxtPPnps5Vw2whZS13zaoyPykMg6k+komDWctWQKIF0VgpVYtIuezq4q8kMNmKLc
 MnHiZRKRh8dOqlK6jHcUlF8rBgQhk+RUBUPOqFEYeTveoZ9qqVmWhOVce5uUX01k
 iU2SjoGAGkNDBqmOkhhVUSQg/AVcc4web6Gu184VUbOXx7J5MPpRmXE610fAUeeJ
 1VzyB8U/hgPLrbZX3jQMJbcCSM+Qdxdr/gsptfx1XIm4NsvKXTUOpWg1DQFiQYTJ
 FN6Kz0NKN6MV/3AqbKGtWDqKhFt3u3a7T+uUP/qzi9jma+DruQuzQztI6xnthZCb
 RjFkQ/iUUtuGgmpOB14HrgwNaRjKWddzab+A7BL971Q3fFqDsvrntD+koYVUgTfq
 ErcQo9ZdGRAUL5icyyDg4cC6xgjdmYfnX1s4Rlo3cXJXTZpIOx5AvZV6HYNNm9pu
 EoPm5gjNtk4F+FENNjkB3c2ntFr2prpoxaN9ceNd8a1tkWAgh6ueFVA/tkd1hy+2
 bP7e5+Nk9NjsWLvnL2slep1cX38DU9hx91t21+x/8hCxN4gqtvDJY/eqUZ2d0uAR
 KhPEDZ8GzchxVtX9bGx1HSAVcdnkSzKIGFOJi3ivYqUEihXd5WQE57UovQARAQAB
 tCJBbGVqYW5kcm8gQ29sb21hciA8YWx4QGtlcm5lbC5vcmc+iQJOBBMBCgA4FiEE
 qTSFlM4xKDqCb73Y1XYz1EHiW7UFAmNDAAYCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
 HgECF4AACgkQ1XYz1EHiW7Vm4g/+NDfrYWHAHSMBkQnTZdhrOFCR1tJsWTLABwe1
 fMLBW7djLZMZweDMU76UBrucAEsarKkIHyhqpBES5EXwmlvKSnEhzPjXZ+PoHmM0
 M8Lq7QFZ5IEbrhuJbvpfTCa0gleHKIVYCCeaf2AUpgwX1XMkG2mmRdvUDQ2M8NMH
 ljM/OZ+6tBGpw7zvx1kYsSfBerlHxmLXlRxHrr9nWi7zXa+HrHZQAhopuufIb1we
 8lI/gdfywq7s/e5Xelk4dnr/pEFx56G1vh0bc+zU36+C9gX5IXOJv2WrTmOfG3Am
 gaJgWZapJQlPFEByk+2oJf5UOgPRhdX7qLR8mVnQ4EHM1sr9B6UGwcySZpVwag9n
 51WhjgdqYoSPt9dpPSNfNavLJDR+paM0aEHi3/t3mGJSyOPM4E6ejrYk7791fOJF
 0J3VhKr9KR1rMxQpE1kMs7qO1uUJvnF+opzrueMELffwTfDDyvY1bV/ZNou/MPi4
 EbUJyZDvsq2shaKj/NB4nzYJIoGbUzUrz008buTagf+WZ+uTDIdOJbaVPcUUjtzr
 21KifSWxcokNhqSIrsCLzCJkbiKEK7nUoOvl9q3Wl9L5CWAOflr5499iyGqxlJ+E
 7xzerWy1ZqgQHJ3Zp0wVMgHTKvPsmDvwaXBvEZkrUQ4PnInWTNJ2yiNxJU/we7Xx
 kxo4Qk20MUFsZWphbmRybyBDb2xvbWFyIEFuZHJlcyA8YWx4Lm1hbnBhZ2VzQGdt
 YWlsLmNvbT6JAk4EEwEKADgWIQSpNIWUzjEoOoJvvdjVdjPUQeJbtQUCYj+0DwIb
 AQULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDVdjPUQeJbtTdsD/97XSXo3Dqb
 eaAWhjreKTwO9sPh9n79tS5CZMne44jvC7OCNGeFYq/MGyk0aDPcfN27dO4YSJXN
 d82t2K5vC85W5+tbnREN+OTNy8b6U4XxpeQhHP7jr5xeQt0aTkUH3Eo+0mzUq4fS
 hxMMch4FuDvMcohkOQs6LMKyvNo0jXAM3nE6nJeRipBjG5d8KKlx9dqmS5Zee9FA
 YayikSFp77aSGIvWFejTS3YDaN/APotN1SheEWHtGRY1zvbPbGKJKMy/k8O0b0TJ
 gGGe0RzFmPaQSCc/ZlpG2jk5BrnnspCDTq1I/2zcpgdwcR3/3Iuw2VAlOU48w7Qs
 fZecvYw+8zlrsJlB/NNU6s1YzeTi37jo43aqgyw4E7iev18f14W2ZQuIQY36hUmf
 4z49hAliWcoq7SZL6tsdmeQPjYWJb1lxds8s+iEH1PUsGObWUkjy1iIfJ+gXCe8E
 uKZKPGY7RWwYoSBliCVVXfgmD2XQja9i3pjRiJ6S7sYjZnugNwFaVbeptHE8NL4J
 Y3eRJpZdGizW58zTfxhvU/AjjDMhqqshW8ZSbAIRI05eGxzwk82qGq+cUVxsBeU8
 7i9DbqNOF50cYyltYVVJ9qPAxO+5sBtW6rq+yxkLArjTlpIRJsrXSiFJFqAp7FkC
 pUx66xvV8LgAVMKeD2o+Ae8mCTmYJfiCabkCDQRj2/4qARAAw4VXqcdlHsnCDqcC
 x5U+nHDOMsyEqG7F8mivt9covXkGUGoLI3ZlGU/5EoRwQB91uHJMU9zJwumQ4tLs
 szhOB/CNBSDZ4XTCcEej+dhQounRIdbY+DcXn4dVdx/mYCFPVb7OtUe68m6vyiai
 2KG288QbjnkzNA222caPQNDy6NsIGh8V5WDKCa7Jk0Zti+tTdi+vhkFjk7+brh5I
 qzahfuk/uVDWBUVT3OiNRywtouTBdfT33JhQyRqSMty6gjkkYyxX0QD5r5EIVrtr
 gre6aBWw3dy64pVs9nxVBhVCH4h6PwReXFB4kfjgw82Q1/DkF/ZMsH8bPPtvjI1N
 Yz+TMaLcUQX7fWlW7YbQSXSwF4mUSMYgdOZ8CTNQjKmpnpVhHYuL67cG26ev/+T4
 OrcT103j/InLipKvYUC3HwFMbq2P/9edqf85d/Nl1KMdByJ3qVVFMuXjiJr0uf1K
 oc7nfP3mqkPUHEdjsHnQnpNWZPBr5xs8iNtGmgltnJE2jacXFqtvJ6M9ugrMauoK
 s5sNMhqvf/zyZiLWkcZ8bWi6cGl/JD1RS66ViFFmVeg5xpVgspUAsADCZLneTCAW
 46DJ2Esq92afIVSz/AUtVjLUJyZIOBaVzY2JXR9s5/ePJAd4T42cg1Kdrdsi0dPY
 MOwPjQBpiuetA4dCWeL5qucnSAUAEQEAAYkCPAQYAQoAJhYhBKk0hZTOMSg6gm+9
 2NV2M9RB4lu1BQJj2/4qAhsMBQkB4TOAAAoJENV2M9RB4lu17J0P/3LN+ueOR4q4
 G5KOnLA5+u1y84d0LI16Z43iAm2NyAWCNkvjGj3RqQD8ZwFmckulf05mhvLOcwxE
 i8aAnEcsK4YfsGjgQRDJIChPnZCfssCkFVjfTyEcMgI4sr8hBjbp+ULL4LOnHu4B
 LjWjeWc48dtVQ7qcetVw7u9ZABfRBPxVBgY8Idxv1qVOQE13P2sPzbYKsFz+2mH5
 54VnMO64zqCbecxgV4NRFcTeNUaDgl6D7zNlNmh4j6c7sKjoEzYIVizApM4xMtOB
 syL4fGXRcNtenuBDc/1/PeHdDhqGGlZds1RmTLJm+gCzVio4z5EXPJMKjAVBHapM
 NMl4TiTay6gMG6QJMwkgVmS2F28wxj9KztkdnC+2YWJdWDeM07Le231X2hnRQE/D
 epN4MouHofOB3I3WY+sSR2KUik9WceL+ICIvUisCNk3GvXVg6hYXIukN8ZR4Sf3A
 rRPpePofDK0vZeWIGt6ZksVY9A3GQc0cMagqgCTK0gUxeDk/tPH8xyz/VvRZPGaC
 GlzeSQ1giSwgNXX1FDfnGOdn/rJh/aoDl1PzTBjyZcZ15s9HSPA6h36TMgCrSCai
 kWjbk8mOJhIhTbxclyI9JLu2AeKu+zP41Gi0AEEGkhFKZ9cG6cGG7AuSsiZ3OqOu
 sym/ZKz1uuXGo1iJJgkZ2yiq3ox7KHMZuQINBGI/t3UBEACr9ldxakkNdKp/Pc8+
 fRznR/+b29CfQWjOEv2njByhQa5CU18jMT6DIOokv2vU7xwaNJviBouaKWAIe5iy
 a3BWHhRpk6e2WnST/X3Zxmm8NjBZAMVl1JXS/vDEDhUu76y/Z82YcHZi52fRXRr3
 jwza/jGFyjLwem04G/CrS+tUHiWd3cbeh09LlQ/zN7cO8oOoYZWyoX0GNtXbUovy
 ssdUt1RODrSVde+8ec7AQm8fg7mRt3HCXhjwrdLxvqVRgG3wYCR3TnzL+rGuhYxa
 TEmbcjPLrKqSfZatsmVir1JJ2Cn8O9Ns5ROsqnulYa0foTo4LDwgqR82uel8mEaZ
 EQh4B7ob8mvqPLKBHbQXVeRTxuqLdyd3W/2yu5nIUi7kA6CIm5mdK8MT6CiHqYYx
 QD33HTN4OtFqrf3TbyjBG5wlzCD2mSrGB52FYgrkfSiKXBOxiqoFo++SpK1wSuHN
 a2ge1hkIdlE8wEPDBDSRqPta8t8ZazNPuc5tR6g0B/JUTIa6r8bDk5NgNj8jrGqv
 MvTWl+txcQ5uYo5OlvdiwHy2/YzEDhWcb1ls0faQQHn2CYFr6S9Ad9dOsMJZ2E29
 K4v/apGnGEjLqqqXWfIxPBq01bZY1pQI8fy+PJkp8IHZfQ2RrmUFaSOufLOgQE7c
 w8j/SxlSdbFrBZA7cMfGLPLT0QARAQABiQRsBBgBCgAgFiEEqTSFlM4xKDqCb73Y
 1XYz1EHiW7UFAmI/t3UCGwICQAkQ1XYz1EHiW7XBdCAEGQEKAB0WIQTqOofwpOug
 MORd8kCejBr7vv/bMgUCYj+3dQAKCRCejBr7vv/bMkq3D/48Y7jLfIB5jY9dzVCm
 ikbuexOAb0YDSZQS3Pt6GnPryIm1gLaRt0jw8HWVI80bMRvTKvJ7D7+kc6GCLK90
 MjxMBdlL/BfBFj8jNuVeaNfI7dTbon0kri56bMI3Ad/G7jryRcnPrRZo/nzGKcMD
 WxV3tgZkamh0pHYWjSttt0fr8t2qXzK74XO3PnU1RkGY1QAlMa89FJXUyW+veFpy
 AJWNW9zYVatjPKPyMLr8I7t9KLjviJBBWwE2fbXgvT58IqhqADKt+YJdXlNiD1Mn
 ZaBbbBCO7Mn+aG+yAJBJKPqmjoN1dOXy1FtuNrHHnTYIHyoRD/IR1DtEwlIYHlhZ
 +8uy2rXPMA/I8hSCxFgMEJaY8IzfP49sPvwFMfGgnEFk7jmTAczP7rwSeDuvRnWQ
 ztJqu9PQp3Wmek/ea7WV93rBmI6Vipl8P69m3CzQErnuIZUutsjP0BaiU+hENoXu
 ZmlV0MtnNix0j28sTIe49vtb5UTVRJjIwwI1BDGtM4Ukij9tNkDkntrTkpBE3MFk
 9SYi8aAN99kBCNmkwRdY0opwNhGFJwBEwycv7I7d7s/Y79ZSuZBrjB6nB5gU+Xh1
 tDdQZxzHLctnZ2cAjE8BcU2wrgZghWiRZ7YlI0bozXl6/VJaAVhZU7f6ebklXSYF
 JwTrCwam8VbcgoiukMsdv831NmkPD/4sjSJfoqdE4kGHHX/S/N/Q8LiflefYivLX
 X/WtGyRguuYH+8YDqGaCGco8IKmlRDhaME1achjMp/O808B2rxogpsLWu08AF4PJ
 97w01RfjBr8aA5qvZXnCfAnmpRzQjDrjIuNOle834dXvOAANugR22dBbjv7MRtOp
 Xn1whyAEJIwBeAgKe+p1zwWyQNv2Gq+9C0IQ2w4uJsodjNi6YzFnTvm3HulnNr4s
 L+x/i+24iuz0Gf2KbGiR2FtCyKIek0N2NAhPquoI7L0HEP2FKh3OeEH0aCdFcZf/
 Dw19fjqEROaJhVvSgTvXIVh3dnB4e7qlYsMSNQxqCcKQD4D79kjFrOygySU+6xMp
 vUQvOiF46MrPx8KtfiuPTuEji0Y0F9qz1u5vqwelsg5vpoa12h9qSdX/uWKbRqqQ
 x5gHERLoTXT7aMKYuDU3UAMxEEEOaXnOtWNlr3n4H7zMrZ3qvkTRRmGiH8iGkSFn
 w2WO3rr/flfIQAJLSUH5lTmR4j/XBNtOGSAWKaRU3N5cX2zHcS5YxkaBx3u4Ew+D
 qnBNL6oazpe1iaIoxsyC8MOFyoWHmv/ivv7FbpkWFHgN+R2nenIMiHuHQd/62/RC
 PVEoGmaL+XCfSpmstYz9phejRW7LacBt4BMCV7ghqD6vYCR0QBoENp0V5mKyXQ6P
 R2OsYRFGG7kCDQRiP7s5ARAAktZGlZIjclF0dkQxIpJ2cQ0FOEgzzG0hZzIfHzLW
 T7HvuY0XHWAI64yZbDSdHkKTSKbVnrToCayBDu0oISa3gZh+cd5a+Igf4NsIkGNR
 askGnmZYUM+RP1PzKPlVqdPIcXedZvTermRHIyO73f3p5kw+vDryGyubrt2n2IFb
 J7SopNed2kXIs5dyk89mvJ+muPCDD5wYHbdXfpEH+KznROMHOVHzwfHYQ++finuw
 2cjdJbAyZz6QSopAQeg46UEAk/aTGuI3cEFIzDq6cpqS8fvpbHGL5Oi657t2i1TL
 zUCo/4FK027ZLkTXpcB8hbmKFWhfWueDx3aRNvbloJn7kq97RhnE3tgewi+syJsK
 CrOlHc1rD8/JNL9lcr2yuSTmwY80QDVNU3U2ZeqLdxx47O31zR5VCpGu09Ro57bJ
 j5YaMukwmYLiPwTExkTqqryf7QsLq47Tgd+0YnUyq79XEv067ow+FCxbIoSNlQWB
 W2LbNi3JeNPCM0pWdgFuiQE2KFH0s4qulKxEbEtwpVXOH9fmUN23VkI1TnarfRlG
 XgSdOISRbXa0O9Ta85BF/NtoBXRU4CtDdcmT7343PjRPbAF1ixU+KOhDDuaDBUV5
 iD6BXqyHyL6rciYvqHQwmg2ztdFmTewapV112Vv2wpqvbyrzszTtMw8c92Y7Kfge
 fY8AEQEAAYkCPAQYAQoAJhYhBKk0hZTOMSg6gm+92NV2M9RB4lu1BQJiP7s5AhsM
 BQkB4TOAAAoJENV2M9RB4lu1mAsP/R/4E68Rt7oUI/30eTuiRb9C/Zx6EaZVIJBw
 G2cwKB9GkU4vGR2PU1f25vym92fywSP9OavWyDeVqtN8Ar4U4CbD/L9f2JgZMTXr
 HFgxU94uywKOxhLEL8ylgaU89l6af1BynBn3YU/mLQyMHAMTs0uaifjAedeNJq08
 XWP3bVdxRywj/rqAf52KA9Y/C59mCfx4vmYu2r2jbwCCVWOsL5sgWyThyGKuNv1A
 7+k0JYJlsJ8aro9sS0fjscvoyxajDX2u0Mq/dTbjFWiJQbdT2mWMgiOHxpGDGst9
 NH5+JbYZGV/TfeJFDIAW/Pw3gktKt40IP2t6y5vjyUCHEEn2E6pfnr1XmY6EOae5
 hPYJQNUbJw98RdpPPY3l4FY49M312v6dphAj2kBmMv7mbyLrIZoTsHw5Q++ig83V
 i/I1u4tTvZomFn2po3MO3+QL0FTqzwPjiTyUmSO4rMi5EZiLJF5ITSaESFXNGQb4
 UBTuXYgKXY4spWeYpSB2qREhrkXgXrDWEJBwIBJW4ppPI4hRhefGV6wHTRxF24No
 iVPz4ABaTQFkvZbpyTT+DT0CL8tHMwF7Tq3wFQ4Rr82LBS/fWxgzeyYTgZwXXUFY
 YqM7OXwJKVjlgC2B+OEwgXcdRxB4y5asd//D9wVeD0pfiWk+Ohmi/YF9WmFgmrWe
 vK53nZUH
 =V1ID
 -----END PGP PUBLIC KEY BLOCK-----
--- a/shadow.service
+++ b/shadow.service
@ -0,0 +1,23 @@
 [Unit]
 Description=Verify integrity of password and group files
 [Service]
 # added automatically, for details please see
 # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 ProtectSystem=full
 ProtectHome=read-only
 PrivateDevices=true
 ProtectHostname=true
 ProtectClock=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
 ProtectKernelLogs=true
 ProtectControlGroups=true
 RestrictRealtime=true
 # end of automatic additions 
 Type=oneshot
 ExecStart=/usr/sbin/pwck -r
 ExecStart=/usr/sbin/grpck -r
 Nice=19
 IOSchedulingClass=best-effort
 IOSchedulingPriority=7
--- a/shadow.spec
+++ b/shadow.spec
@ -0,0 +1,388 @@
 #
 # spec file for package shadow
 #
 # Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
 # upon. The license for this file, and modifications and additions to the
 # file, is the same license as for the pristine package itself (unless the
 # license for the pristine package is not an Open Source License, in which
 # case the license is the MIT License). An "Open Source License" is a
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 %if ! %{defined _distconfdir}
  %define _distconfdir %{_sysconfdir}
 %else
  %define no_config 1
 %endif
 Name:           shadow
 Version:        4.15.1
 Release:        0
 Summary:        Utilities to Manage User and Group Accounts
 License:        BSD-3-Clause AND GPL-2.0-or-later
 Group:          System/Base
 URL:            https://github.com/shadow-maint/shadow
 Source0:        https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
 Source1:        pamd.tar.bz2
 Source2:        https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
 Source3:        %{name}.keyring
 Source4:        shadow.service
 Source5:        shadow.timer
 # SOURCE-FEATURE-SUSE shadow-login_defs-check.sh sbrabec@suse.com -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches.
 Source40:       shadow-login_defs-check.sh
 # PATCH-FIX-SUSE shadow-login_defs-unused-by-pam.patch kukuk@suse.com -- Remove variables that have no use with PAM.
 Patch0:         shadow-login_defs-unused-by-pam.patch
 # PATCH-FEATURE-SUSE useradd-default.patch kukuk@suse.com -- Change useradd defaults group to 1000.
 Patch1:         useradd-default.patch
 # PATCH-FEATURE-SUSE shadow-util-linux.patch sbrabec@suse.com -- Add support for util-linux specific variables, delete shadow login, su runuser specific.
 Patch2:         shadow-util-linux.patch
 # PATCH-FEATURE-SUSE shadow-login_defs-comments.patch kukuk@suse.com -- Adjust login.defs comments.
 Patch3:         shadow-login_defs-comments.patch
 # PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
 Patch4:         shadow-login_defs-suse.patch
 # PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
 Patch5:         disable_new_audit_function.patch
 BuildRequires:  audit-devel > 2.3
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libacl-devel
 BuildRequires:  libattr-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  libsemanage-devel
 BuildRequires:  libtool
 BuildRequires:  pam-devel
 BuildRequires:  xz
 # we depend on libbsd or glibc >= 2.38 for the strlcpy() (and readpassphrase()) functions
 BuildRequires:  glibc-devel >= 2.38
 Requires:       login_defs >= %{version}
 Requires(pre):  group(root)
 Requires(pre):  group(shadow)
 Requires(pre):  permissions
 Requires(pre):  user(root)
 Provides:       pwdutils = 3.2.20
 Obsoletes:      pwdutils <= 3.2.19
 Provides:       useradd_or_adduser_dep
 BuildRequires:  libeconf-devel
 %description
 This package includes the necessary programs for converting plain
 password files to the shadow password format and to manage user and
 group accounts.
 %package -n login_defs
 Summary:        The login.defs configuration file
 # Virtual provides for supported variables in login.defs.
 # It prevents references to unknown variables.
 # Upgrade them only if shadow-util-linux.patch or
 # encryption_method_nis.patch has to be ported!
 # Call shadow-login_defs-check.sh before!
 Group:          System/Base
 Provides:       login_defs-support-for-pam = 1.5.2
 Provides:       login_defs-support-for-util-linux = 2.37
 BuildArch:      noarch
 %description -n login_defs
 This package contains the default login.defs configuration file
 as used by util-linux, pam and shadow.
 %package -n libsubid4
 Summary:        A library to manage subordinate uid and gid ranges
 Group:          System/Base
 %description -n libsubid4
 Utility library that provides a way to manage subid ranges.
 %package -n libsubid-devel
 Summary:        Development files for libsubid4
 Group:          System/Base
 Requires:       libsubid4 = %{version}
 %description -n libsubid-devel
 Development files for libsubid4.
 %prep
 %setup -q -a 1
 %patch -P 0
 %patch -P 1
 %patch -P 2
 %patch -P 3
 %patch -P 4
 %if 0%{?suse_version} < 1330
 %patch -P 5 -p1
 %endif
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 mv -v doc/HOWTO.utf8 doc/HOWTO
 %build
 export CFLAGS="%{optflags} -fpie"
 export LDFLAGS="-pie"
 autoreconf -fvi
 %configure \
  --enable-shadowgrp \
  --enable-account-tools-setuid \
  --with-audit \
  --with-libpam \
  --with-sha-crypt \
  --with-acl \
  --with-attr \
  --with-nscd \
  --with-selinux \
  --without-libcrack \
  --without-libbsd \
  --with-group-name-max-length=32 \
  --enable-vendordir=%{_distconfdir}
 %make_build
 #  --disable-shared \ currently doesn't build with this. See https://github.com/shadow-maint/shadow/issues/336
 %install
 %make_install gnulocaledir=%{buildroot}/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
 # Separate call to install man pages. See https://github.com/shadow-maint/shadow/issues/389
 %make_install -C man install-man
 install -Dm644 %{SOURCE4} %{buildroot}%{_unitdir}/shadow.service
 install -Dm644 %{SOURCE5} %{buildroot}%{_unitdir}/shadow.timer
 # add empty /etc/sub{u,g}id files
 touch %{buildroot}/%{_sysconfdir}/subuid
 touch %{buildroot}/%{_sysconfdir}/subgid
 # Remove binaries we don't use.
 rm %{buildroot}/%{_bindir}/groups
 rm %{buildroot}/%{_mandir}/man1/groups.*
 rm %{buildroot}/%{_mandir}/*/man1/groups.*
 rm %{buildroot}/%{_sbindir}/grpconv
 rm %{buildroot}/%{_mandir}/man8/grpconv.*
 rm %{buildroot}/%{_mandir}/*/man8/grpconv.*
 rm %{buildroot}/%{_sbindir}/grpunconv
 rm %{buildroot}/%{_mandir}/man8/grpunconv.*
 rm %{buildroot}/%{_mandir}/*/man8/grpunconv.*
 rm %{buildroot}/%{_sbindir}/groupmems
 rm %{buildroot}/%{_mandir}/man8/groupmems.*
 rm %{buildroot}/%{_mandir}/*/man8/groupmems.*
 rm %{buildroot}%{_sysconfdir}/pam.d/groupmems
 rm %{buildroot}/%{_bindir}/login
 rm %{buildroot}/%{_mandir}/man1/login.*
 rm %{buildroot}/%{_mandir}/*/man1/login.*
 rm %{buildroot}%{_sysconfdir}/pam.d/login
 rm %{buildroot}/%{_bindir}/su
 rm %{buildroot}/%{_mandir}/man1/su.*
 rm %{buildroot}/%{_mandir}/*/man1/su.*
 rm %{buildroot}/%{_mandir}/man5/suauth.*
 rm %{buildroot}/%{_mandir}/*/man5/suauth.*
 rm %{buildroot}%{_sysconfdir}/pam.d/su
 rm %{buildroot}/%{_bindir}/faillog
 rm %{buildroot}/%{_mandir}/man5/faillog.*
 rm %{buildroot}/%{_mandir}/*/man5/faillog.*
 rm %{buildroot}/%{_mandir}/man8/faillog.*
 rm %{buildroot}/%{_mandir}/*/man8/faillog.*
 rm %{buildroot}/%{_sbindir}/logoutd
 rm %{buildroot}/%{_mandir}/man8/logoutd.*
 rm %{buildroot}/%{_mandir}/*/man8/logoutd.*
 rm %{buildroot}/%{_sbindir}/nologin
 rm %{buildroot}/%{_mandir}/man8/nologin.*
 rm %{buildroot}/%{_mandir}/*/man8/nologin.*
 rm %{buildroot}/%{_sbindir}/chgpasswd
 rm %{buildroot}/%{_mandir}/man8/chgpasswd.*
 rm %{buildroot}/%{_mandir}/*/man8/chgpasswd.*
 rm %{buildroot}%{_sysconfdir}/pam.d/chgpasswd
 rm %{buildroot}/%{_mandir}/man3/getspnam.*
 rm %{buildroot}/%{_mandir}/*/man3/getspnam.*
 rm %{buildroot}/%{_mandir}/man5/gshadow.5*
 rm %{buildroot}/%{_mandir}/*/man5/gshadow.5*
 rm %{buildroot}/%{_mandir}/man5/passwd.5*
 rm %{buildroot}/%{_mandir}/*/man5/passwd.5*
 rm -rf %{buildroot}%{_mandir}/{??,??_??}
 rm %{buildroot}/%{_libdir}/libsubid.{la,a}
 # Move /etc to /usr/etc
 if [ ! -d %{buildroot}%{_distconfdir} ]; then
    mkdir -p %{buildroot}%{_distconfdir}
    mkdir -p %{buildroot}%{_pam_vendordir}
    mv %{buildroot}%{_sysconfdir}/login.defs %{buildroot}%{_distconfdir}
    mv %{buildroot}%{_sysconfdir}/pam.d/* %{buildroot}%{_pam_vendordir}/
 fi
 mkdir -p %{buildroot}%{_sysconfdir}/login.defs.d
 %find_lang shadow
 %pre
 %service_add_pre shadow.service shadow.timer
 for i in pam.d/chage pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do
  test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
 done
 %pre -n login_defs
 test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpmsave %{_sysconfdir}/login.defs.rpmsave.old ||:
 %post
 %set_permissions %{_bindir}/chage
 %set_permissions %{_bindir}/chfn
 %set_permissions %{_bindir}/chsh
 %set_permissions %{_bindir}/expiry
 %set_permissions %{_bindir}/gpasswd
 %set_permissions %{_bindir}/newgrp
 %set_permissions %{_bindir}/passwd
 %set_permissions %{_bindir}/newgidmap
 %set_permissions %{_bindir}/newuidmap
 %service_add_post shadow.service shadow.timer
 %verifyscript
 %verify_permissions %{_bindir}/chage
 %verify_permissions %{_bindir}/chfn
 %verify_permissions %{_bindir}/chsh
 %verify_permissions %{_bindir}/expiry
 %verify_permissions %{_bindir}/gpasswd
 %verify_permissions %{_bindir}/newgrp
 %verify_permissions %{_bindir}/passwd
 %verify_permissions %{_bindir}/newgidmap
 %verify_permissions %{_bindir}/newuidmap
 %preun
 %service_del_preun shadow.service shadow.timer
 %postun
 %service_del_postun shadow.service shadow.timer
 %posttrans
 %if %{defined no_config}
 # Migration to /usr/etc
 for i in pam.d/chage pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do
  test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
 done
 %endif
 %posttrans -n login_defs
 # rpmsave file can be created by
 # - change of owning package (SLE15 SP2->SP3, Leap 15.2->15.3)
 # - Migration to /usr/etc (after SLE15 and Leap 15)
 test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpmsave %{_sysconfdir}/login.defs ||:
 %post -n libsubid4 -p /sbin/ldconfig
 %postun -n libsubid4 -p /sbin/ldconfig
 %files -f shadow.lang
 %license COPYING
 %doc NEWS doc/HOWTO README
 %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subuid
 %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subgid
 %if %{defined no_config}
 %{_pam_vendordir}/chage
 %{_pam_vendordir}/chfn
 %{_pam_vendordir}/chsh
 %{_pam_vendordir}/passwd
 %{_pam_vendordir}/chpasswd
 %{_pam_vendordir}/groupadd
 %{_pam_vendordir}/groupdel
 %{_pam_vendordir}/groupmod
 %{_pam_vendordir}/newusers
 %{_pam_vendordir}/useradd
 %{_pam_vendordir}/userdel
 %{_pam_vendordir}/usermod
 %else
 %config %{_sysconfdir}/pam.d/chage
 %config %{_sysconfdir}/pam.d/chfn
 %config %{_sysconfdir}/pam.d/chsh
 %config %{_sysconfdir}/pam.d/passwd
 %config %{_sysconfdir}/pam.d/chpasswd
 %config %{_sysconfdir}/pam.d/groupadd
 %config %{_sysconfdir}/pam.d/groupdel
 %config %{_sysconfdir}/pam.d/groupmod
 %config %{_sysconfdir}/pam.d/newusers
 %config %{_sysconfdir}/pam.d/useradd
 %config %{_sysconfdir}/pam.d/userdel
 %config %{_sysconfdir}/pam.d/usermod
 %endif
 %verify(not mode) %attr(2755,root,shadow) %{_bindir}/chage
 %verify(not mode) %attr(4755,root,shadow) %{_bindir}/chfn
 %verify(not mode) %attr(4755,root,shadow) %{_bindir}/chsh
 %verify(not mode) %attr(4755,root,shadow) %{_bindir}/expiry
 %verify(not mode) %attr(4755,root,shadow) %{_bindir}/gpasswd
 %verify(not mode) %attr(4755,root,root) %{_bindir}/newgrp
 %verify(not mode) %attr(4755,root,shadow) %{_bindir}/passwd
 %verify(not mode) %attr(4755,root,shadow) %{_bindir}/newgidmap
 %verify(not mode) %attr(4755,root,shadow) %{_bindir}/newuidmap
 %{_bindir}/sg
 %{_bindir}/getsubids
 %attr(0755,root,root) %{_sbindir}/groupadd
 %attr(0755,root,root) %{_sbindir}/groupdel
 %attr(0755,root,root) %{_sbindir}/groupmod
 %{_sbindir}/grpck
 %{_sbindir}/pwck
 %attr(0755,root,root) %{_sbindir}/useradd
 %attr(0755,root,root) %{_sbindir}/userdel
 %attr(0755,root,root) %{_sbindir}/usermod
 %{_sbindir}/pwconv
 %{_sbindir}/pwunconv
 %attr(0755,root,root) %{_sbindir}/chpasswd
 %attr(0755,root,root) %{_sbindir}/newusers
 %{_sbindir}/vipw
 %{_sbindir}/vigr
 %{_mandir}/man1/chage.1%{?ext_man}
 %{_mandir}/man1/chfn.1%{?ext_man}
 %{_mandir}/man1/chsh.1%{?ext_man}
 %{_mandir}/man1/expiry.1%{?ext_man}
 %{_mandir}/man1/gpasswd.1%{?ext_man}
 %{_mandir}/man1/newgrp.1%{?ext_man}
 %{_mandir}/man1/passwd.1%{?ext_man}
 %{_mandir}/man1/sg.1%{?ext_man}
 %{_mandir}/man3/shadow.3%{?ext_man}
 %{_mandir}/man5/shadow.5%{?ext_man}
 %{_mandir}/man8/chpasswd.8%{?ext_man}
 %{_mandir}/man8/groupadd.8%{?ext_man}
 %{_mandir}/man8/groupdel.8%{?ext_man}
 %{_mandir}/man8/groupmod.8%{?ext_man}
 %{_mandir}/man8/grpck.8%{?ext_man}
 %{_mandir}/man8/newusers.8%{?ext_man}
 %{_mandir}/man8/pwck.8%{?ext_man}
 %{_mandir}/man8/pwconv.8%{?ext_man}
 %{_mandir}/man8/pwunconv.8%{?ext_man}
 %{_mandir}/man8/useradd.8%{?ext_man}
 %{_mandir}/man8/userdel.8%{?ext_man}
 %{_mandir}/man8/usermod.8%{?ext_man}
 %{_mandir}/man8/vigr.8%{?ext_man}
 %{_mandir}/man8/vipw.8%{?ext_man}
 %{_mandir}/man5/subuid.5%{?ext_man}
 %{_mandir}/man5/subgid.5%{?ext_man}
 %{_mandir}/man1/newgidmap.1%{?ext_man}
 %{_mandir}/man1/newuidmap.1%{?ext_man}
 %{_mandir}/man1/getsubids.1%{?ext_man}
 %{_unitdir}/*
 %files -n login_defs
 %dir %{_sysconfdir}/login.defs.d
 %if %{defined no_config}
 %attr(0644,root,root) %{_distconfdir}/login.defs
 %else
 %attr(0644,root,root) %config %{_sysconfdir}/login.defs
 %endif
 %{_mandir}/man5/login.defs.5%{?ext_man}
 %files -n libsubid4
 %{_libdir}/libsubid.so.*
 %files -n libsubid-devel
 %dir %{_includedir}/shadow
 %{_includedir}/shadow/subid.h
 %{_libdir}/libsubid.so
 %changelog
--- a/shadow.timer
+++ b/shadow.timer
@ -0,0 +1,7 @@
 [Unit]
 Description=Daily verification of password and group files
 [Timer]
 OnCalendar=daily
 AccuracySec=12h
 Persistent=true
--- a/useradd-default.patch
+++ b/useradd-default.patch
@ -0,0 +1,13 @@
 Index: src/useradd.c
 ===================================================================
 --- src/useradd.c.orig
 +++ src/useradd.c
@@ -87,7 +87,7 @@ const char *Prog;
 /*
  * These defaults are used if there is no defaults file.
  */
 -static gid_t def_group = 1000;
 +static gid_t def_group = 100;
 static const char *def_groups = "";
 static const char *def_gname = "other";
 static const char *def_home = "/home";