Accepting request 920286 from Base:System

- bsc#1190146: Fix empty subid range
  Add shadow-4.9-useradd-subuid.patch
  https://github.com/shadow-maint/shadow/pull/399

- bsc#1190145: Fix double free in gpasswd:
  Add shadow-4.9-sgent-free.patch upstreamed as
  https://github.com/shadow-maint/shadow/pull/417

- Fix shadow-login_defs-check.sh:
  In the last update we switched from calling make to %make_build
  macro. Using sed to adapt the spec file now.

- libsubid-devel: add missing requires for libsubid3
- Remove README.changes-pwdutils, all distros you can upgrade from
  use already shadow

- login.defs: Enable USERGROUPS_ENAB and CREATE_HOME to
  be compatible with other Linux distros and the other tools
  creating user accounts in use on openSUSE. Set HOME_MODE to 700
  for security reasons and compatibility. [bsc#1189139] [bsc#1182850]

- Update to 4.9:
  * Updated translations
  * Major salt updates
  * Various coverity and cleanup fixes
  * Consistently use 0 to disable PASS_MIN_DAYS in man
  * Implement NSS support for subids and a libsubid
  * setfcap: retain setfcap when mapping uid 0
  * login.defs: include HMAC_CRYPTO_ALGO key
  * selinux fixes

OBS-URL: https://build.opensuse.org/request/show/920286
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shadow?expand=0&rev=44

README.changes-pwdutils

@@ -1,62 +0,0 @@
-This file lists changes between pwdutils used in the past and
-the shadow utils used now.
-
-General changes:
-================
-- No support to modify LDAP accounts anymore (-D and --service option)
-- No -P/--path option
-- /etc/default/passwd was removed. The configure options are
-  partly available in /etc/login.defs.
-
-/etc/login.defs:
-----------------
-SYSTEM_UID_MIN/SYSTEM_UID_MAX were renamed to SYS_UID_MIN/SYS_UID_MAX
-SYSTEM_GID_MIN/SYSTEM_GID_MAX were renamed to SYS_GID_MIN/SYS_GID_MAX
-
-chfn
-----
--m/--other has changed to -o/--other
--o/--office has changed to -r/--room.
--p/--phone has changed to -w/--work-phone
-
-chpasswd
---------
--c blowfish is now longer supported, instead SHA256 and SHA512 were added.
-
-chsh
-----
--l/--list-shells was removed.
-
-gpasswd
--------
--l/-u option are missing
-
-groupadd
---------
-/usr/sbin/groupadd.local is missing
---preferred-gid was removed
-
-groupmod
---------
--A/--add-user was removed
--R/--remove-user was removed
-
-passwd
-------
--f was dropped (use chfn instead)
--g was dropped (use gpasswd instead)
--s was dropped (use chsh instead)
-
-useradd
--------
--e/--expire has changed to -e/--expiredate (incompatible arguments!)
--U/--umask was removed, -U has now another meaning
---preferred-uid was removed
-
-userdel
--------
--r/--remove-home was renamed to -r/--remove
-
-usermod
--------
--e/--expire has changed to -e/--expiredate (incompatible arguments!)

chkname-regex.patch

@@ -2,23 +2,25 @@ Index: etc/login.defs
 ===================================================================
 --- etc/login.defs.orig
 +++ etc/login.defs
-@@ -299,3 +299,11 @@ USERGROUPS_ENAB yes
- # missing.
+@@ -329,6 +329,13 @@ USERGROUPS_ENAB yes
  #
  #FORCE_SHADOW    yes
-+
-+#
+ 
 +# User/group names must match the following regex expression.
 +# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
 +# but be aware that the result could depend on the locale settings.
 +#
 +#CHARACTER_CLASS                [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
 +CHARACTER_CLASS         [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
++
+ #
+ # Allow newuidmap and newgidmap when running under an alternative
+ # primary group.
 Index: lib/getdef.c
 ===================================================================
 --- lib/getdef.c.orig
 +++ lib/getdef.c
-@@ -80,6 +80,7 @@ struct itemdef {
+@@ -91,6 +91,7 @@ struct itemdef {
  
  #define NUMDEFS	(sizeof(def_table)/sizeof(def_table[0]))
  static struct itemdef def_table[] = {

libsubid-build-fix.patch

@@ -0,0 +1,123 @@
+Fix build fails for libsubid (libtool:   error: cannot find name of link library for '../libsubid/libsubid.la').
+Consisting of following upstream commits:
+* f4a84efb468b8be21be124700ce35159c444e9d6
+* 537b8cd90be7b47b45c45cfd27765ef85eb0ebf1
+* fa986b1d73605ecca54a4f19249227aeab827bf6
+Index: shadow-4.9/configure.ac
+===================================================================
+--- shadow-4.9.orig/configure.ac
++++ shadow-4.9/configure.ac
+@@ -321,6 +321,8 @@ if test "$with_sha_crypt" = "yes"; then
+ 	AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
+ fi
+ 
++AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
++
+ AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes")
+ if test "$with_bcrypt" = "yes"; then
+ 	AC_DEFINE(USE_BCRYPT, 1, [Define to allow the bcrypt password encryption algorithm])
+Index: shadow-4.9/lib/Makefile.am
+===================================================================
+--- shadow-4.9.orig/lib/Makefile.am
++++ shadow-4.9/lib/Makefile.am
+@@ -10,6 +10,8 @@ if HAVE_VENDORDIR
+ libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
+ endif
+ 
++libshadow_la_CPPFLAGS += -I$(top_srcdir)
++
+ libshadow_la_SOURCES = \
+ 	commonio.c \
+ 	commonio.h \
+Index: shadow-4.9/libmisc/Makefile.am
+===================================================================
+--- shadow-4.9.orig/libmisc/Makefile.am
++++ shadow-4.9/libmisc/Makefile.am
+@@ -1,7 +1,7 @@
+ 
+ EXTRA_DIST = .indent.pro xgetXXbyYY.c
+ 
+-AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS)
++AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS)
+ 
+ noinst_LTLIBRARIES = libmisc.la
+ 
+Index: shadow-4.9/libsubid/Makefile.am
+===================================================================
+--- shadow-4.9.orig/libsubid/Makefile.am
++++ shadow-4.9/libsubid/Makefile.am
+@@ -1,6 +1,8 @@
+ lib_LTLIBRARIES = libsubid.la
++if ENABLE_SHARED
+ libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
+ 	-shared -version-info @LIBSUBID_ABI_MAJOR@
++endif
+ libsubid_la_SOURCES = api.c
+ 
+ pkginclude_HEADERS = subid.h
+@@ -16,11 +18,12 @@ MISCLIBS = \
+ 	$(LIBCRYPT) \
+ 	$(LIBACL) \
+ 	$(LIBATTR) \
+-	$(LIBTCB)
++	$(LIBTCB) \
++	$(LIBPAM)
+ 
+ libsubid_la_LIBADD = \
+-	$(top_srcdir)/lib/libshadow.la \
+-	$(top_srcdir)/libmisc/libmisc.la \
++	$(top_builddir)/lib/libshadow.la \
++	$(top_builddir)/libmisc/libmisc.la \
+ 	$(MISCLIBS) -ldl
+ 
+ AM_CPPFLAGS = \
+Index: shadow-4.9/src/Makefile.am
+===================================================================
+--- shadow-4.9.orig/src/Makefile.am
++++ shadow-4.9/src/Makefile.am
+@@ -10,6 +10,7 @@ sgidperms = 2755
+ AM_CPPFLAGS = \
+ 	-I${top_srcdir}/lib \
+ 	-I$(top_srcdir)/libmisc \
++	-I$(top_srcdir) \
+ 	-DLOCALEDIR=\"$(datadir)/locale\"
+ 
+ # XXX why are login and su in /bin anyway (other than for
+@@ -183,6 +184,7 @@ list_subid_ranges_LDADD = \
+ list_subid_ranges_CPPFLAGS = \
+ 	-I$(top_srcdir)/lib \
+ 	-I$(top_srcdir)/libmisc \
++	-I$(top_srcdir) \
+ 	-I$(top_srcdir)/libsubid
+ 
+ get_subid_owners_LDADD = \
+@@ -194,11 +196,13 @@ get_subid_owners_LDADD = \
+ get_subid_owners_CPPFLAGS = \
+ 	-I$(top_srcdir)/lib \
+ 	-I$(top_srcdir)/libmisc \
++	-I$(top_srcdir) \
+ 	-I$(top_srcdir)/libsubid
+ 
+ new_subid_range_CPPFLAGS = \
+ 	-I$(top_srcdir)/lib \
+ 	-I$(top_srcdir)/libmisc \
++	-I$(top_srcdir) \
+ 	-I$(top_srcdir)/libsubid
+ 
+ new_subid_range_LDADD = \
+@@ -210,6 +214,7 @@ new_subid_range_LDADD = \
+ free_subid_range_CPPFLAGS = \
+ 	-I$(top_srcdir)/lib \
+ 	-I$(top_srcdir)/libmisc \
++	-I$(top_srcdir) \
+ 	-I$(top_srcdir)/libsubid
+ 
+ free_subid_range_LDADD = \
+@@ -220,6 +225,7 @@ free_subid_range_LDADD = \
+ 
+ check_subid_range_CPPFLAGS = \
+ 	-I$(top_srcdir)/lib \
++	-I$(top_srcdir) \
+ 	-I$(top_srcdir)/libmisc
+ 
+ check_subid_range_LDADD = \

shadow-4.1.5.1-logmsg.patch

@@ -1,11 +0,0 @@
---- src/useradd.c
-+++ src/useradd.c
-@@ -320,7 +320,7 @@ static void fail_exit (int code)
- 	              user_name, AUDIT_NO_ID,
- 	              SHADOW_AUDIT_FAILURE);
- #endif
--	SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
-+	SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
- 	exit (code);
- }
- 

shadow-4.1.5.1-userdel-helpfix.patch

@@ -1,14 +0,0 @@
---- src/userdel.c
-+++ src/userdel.c
-@@ -143,8 +143,9 @@ static void usage (int status)
- 	                  "\n"
- 	                  "Options:\n"),
- 	                Prog);
--	(void) fputs (_("  -f, --force                   force removal of files,\n"
--	                "                                even if not owned by user\n"),
-+	(void) fputs (_("  -f, --force                   force some actions that would fail otherwise\n"
-+			"                                e.g. removal of user still logged in\n"
-+			"                                or files, even if not owned by the user\n"),
- 	              usageout);
- 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
- 	(void) fputs (_("  -r, --remove                  remove home directory and mail spool\n"), usageout);

shadow-4.8.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a3ad4630bdc41372f02a647278a8c3514844295d36eefe68ece6c3a641c1ae62
-size 1611196

shadow-4.8.1.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEE8dCNt3gYW/eEAC3/6f7qBqheP50FAl4qDlEACgkQ6f7qBqhe
-P51Lfwf/b2gxtqo9WRUTOhau4kCy+zDbg3S/K7ZD/20I2t205FNCOyV+cR4Q/PRA
-+hBLFsA/WAVqZm0/3re09VDV0eaBpI7hgNF0JFODawIixKdLVff9mbfbLdgzy2Dl
-IvbNrUVDJV1wSlEJLIeUpUT4ClFaiExM/XaCvHSUUbRsJ5cutH2wt0neNC8mJHMu
-srXoCp8lb4fT+BDgRKoGA6RMvnJSkExBbhrRqaARWWCGnS++5oJiD7UwPAOu9Imb
-LtouVitkrjrpQncnQN+zCaKwyTGw/xlQyl0z86DXWbvhnTwUeeWZbyfRAglIsSkk
-DRpWh2m7ejcvf1pGt66UBuMNr0yb1w==
-=8I3q
------END PGP SIGNATURE-----

shadow-4.9-sgent-free.patch

@@ -0,0 +1,23 @@
+Index: shadow-4.9/src/gpasswd.c
+===================================================================
+--- shadow-4.9.orig/src/gpasswd.c
++++ shadow-4.9/src/gpasswd.c
+@@ -1207,11 +1207,13 @@ int main (int argc, char **argv)
+ 	sssd_flush_cache (SSSD_DB_GROUP);
+ 
+ #ifdef SHADOWGRP
+-	if (sgent.sg_adm) {
+-		xfree(sgent.sg_adm);
+-	}
+-	if (sgent.sg_mem) {
+-		xfree(sgent.sg_mem);
++	if(is_shadowgrp) {
++		if (sgent.sg_adm) {
++			xfree(sgent.sg_adm);
++		}
++		if (sgent.sg_mem) {
++			xfree(sgent.sg_mem);
++		}
+ 	}
+ #endif
+ 	if (grent.gr_mem) {

shadow-4.9-useradd-subuid.patch

@@ -0,0 +1,94 @@
+This patch contains:
+https://github.com/shadow-maint/shadow/commit/9dd720a28578eef5be8171697aae0906e4c53249#diff-9a7a2bfccabec64213bd054801b9efca8ad55636afbc49e0107714c0f8ffabbe
+and 
+https://github.com/shadow-maint/shadow/commit/049b08481acc2040e2079ae06e64d0bb36326528#
+Index: shadow-4.9/src/useradd.c
+===================================================================
+--- shadow-4.9.orig/src/useradd.c
++++ shadow-4.9/src/useradd.c
+@@ -146,9 +146,7 @@ static bool is_sub_gid = false;
+ static bool sub_uid_locked = false;
+ static bool sub_gid_locked = false;
+ static uid_t sub_uid_start;	/* New subordinate uid range */
+-static unsigned long sub_uid_count;
+ static gid_t sub_gid_start;	/* New subordinate gid range */
+-static unsigned long sub_gid_count;
+ #endif				/* ENABLE_SUBIDS */
+ static bool pw_locked = false;
+ static bool gr_locked = false;
+@@ -239,7 +237,7 @@ static void open_shadow (void);
+ static void faillog_reset (uid_t);
+ static void lastlog_reset (uid_t);
+ static void tallylog_reset (const char *);
+-static void usr_update (void);
++static void usr_update (unsigned long subuid_count, unsigned long subgid_count);
+ static void create_home (void);
+ static void create_mail (void);
+ static void check_uid_range(int rflg, uid_t user_id);
+@@ -2118,7 +2116,7 @@ static void tallylog_reset (const char *
+  *	usr_update() creates the password file entries for this user
+  *	and will update the group entries if required.
+  */
+-static void usr_update (void)
++static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
+ {
+ 	struct passwd pwent;
+ 	struct spwd spent;
+@@ -2181,14 +2179,14 @@ static void usr_update (void)
+ 	}
+ #ifdef ENABLE_SUBIDS
+ 	if (is_sub_uid &&
+-	    (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
++		(sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
+ 		fprintf (stderr,
+ 		         _("%s: failed to prepare the new %s entry\n"),
+ 		         Prog, sub_uid_dbname ());
+ 		fail_exit (E_SUB_UID_UPDATE);
+ 	}
+ 	if (is_sub_gid &&
+-	    (sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
++	    (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
+ 		fprintf (stderr,
+ 		         _("%s: failed to prepare the new %s entry\n"),
+ 		         Prog, sub_uid_dbname ());
+@@ -2484,9 +2482,9 @@ int main (int argc, char **argv)
+ #ifdef ENABLE_SUBIDS
+ 	uid_t uid_min;
+ 	uid_t uid_max;
++#endif
+ 	unsigned long subuid_count;
+ 	unsigned long subgid_count;
+-#endif
+ 
+ 	/*
+ 	 * Get my name so that I can use it to report errors.
+@@ -2688,16 +2686,16 @@ int main (int argc, char **argv)
+ 	}
+ 
+ #ifdef ENABLE_SUBIDS
+-	if (is_sub_uid && sub_uid_count != 0) {
+-		if (find_new_sub_uids(&sub_uid_start, &sub_uid_count) < 0) {
++	if (is_sub_uid && subuid_count != 0) {
++		if (find_new_sub_uids(&sub_uid_start, &subuid_count) < 0) {
+ 			fprintf (stderr,
+ 			         _("%s: can't create subordinate user IDs\n"),
+ 			         Prog);
+ 			fail_exit(E_SUB_UID_UPDATE);
+ 		}
+ 	}
+-	if (is_sub_gid && sub_gid_count != 0) {
+-		if (find_new_sub_gids(&sub_gid_start, &sub_gid_count) < 0) {
++	if (is_sub_gid && subgid_count != 0) {
++		if (find_new_sub_gids(&sub_gid_start, &subgid_count) < 0) {
+ 			fprintf (stderr,
+ 			         _("%s: can't create subordinate group IDs\n"),
+ 			         Prog);
+@@ -2706,7 +2704,7 @@ int main (int argc, char **argv)
+ 	}
+ #endif				/* ENABLE_SUBIDS */
+ 
+-	usr_update ();
++	usr_update (subuid_count, subgid_count);
+ 
+ 	if (mflg) {
+ 		create_home ();

shadow-4.9.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:feec1f2ce9c1b62798afd35a7d1b04cefdfa3a0a30ff3e75d6965ba8978c9144
+size 1627008

shadow-4.9.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEE8dCNt3gYW/eEAC3/6f7qBqheP50FAmD5+dkACgkQ6f7qBqhe
+P53Qywf/ShkcKvecTDRIrKUNJUTIlP8iywZ1NXypfdDKG/J63awMAGrKMZwOkLUS
+AnImsvyoW3+XDIhdkeJd1Kv+8JDEt3oJ0ifHjfpXl4FzOervb1ZKtRPUcoJzzpnJ
+Szt/7f3Sd0VfbItgf5F6jgMi7iDA/ZIqJTXeI0kEfVVL7DT681jVRjpnoURlrEq1
+6SmIyAul50VmZjLXq1xJ35uktr7VclnaRu17acax95e+oekP4sdNMaV5E5DSeq2N
+db7kKCu80+lPvtQpj22vOO2w15ActH6f5Ec3P7OG8jL125q3yZNebVoh8FKxmFsh
+PssfXu0TL50qH/p7qNEeihDLpwoI7g==
+=6MLu
+-----END PGP SIGNATURE-----

shadow-fix-sigabrt.patch

@@ -0,0 +1,14 @@
+Upstream commit 4624e9fca1b02b64e25e8b2280a0186182ab73ba
+To fix SIGABRT: https://github.com/shadow-maint/shadow/issues/394
+Index: shadow-4.9/src/useradd.c
+===================================================================
+--- shadow-4.9.orig/src/useradd.c
++++ shadow-4.9/src/useradd.c
+@@ -420,7 +420,6 @@ static void get_defaults (void)
+ 			} else {
+ 				def_group = grp->gr_gid;
+ 				def_gname = xstrdup (grp->gr_name);
+-				gr_free(grp);
+ 			}
+ 		}
+ 

shadow-libeconf-include.patch

@@ -0,0 +1,17 @@
+Include libeconf to newuidmap and newgidmap
+Upstream commit: c6847011e8b656adacd9a0d2a78418cad0de34cb
+Index: shadow-4.9/src/Makefile.am
+===================================================================
+--- shadow-4.9.orig/src/Makefile.am
++++ shadow-4.9/src/Makefile.am
+@@ -96,8 +96,8 @@ LIBCRYPT_NOPAM = $(LIBCRYPT)
+ endif
+ 
+ chage_LDADD    = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
+-newuidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
+-newgidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
++newuidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
++newgidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
+ chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
+ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+ chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)

shadow-login_defs-check.sh

@@ -66,13 +66,7 @@ if ! test -f shadow-login_defs-check-build/stamp ; then
 # In case of shadow, variables extraction is more complicated. The list
 # depends on configure options, so we have to perform a fake build and
 # extract variables from prepreocessed sources.
-		patch <<EOF
---- shadow.spec
-+++ shadow.spec
-@@ -133,1 +133,1 @@
--make %{?_smp_mflags} V=1
-+make %{?_smp_mflags} V=1 -k CPPFLAGS="-E"
-EOF
+        sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
 	fi
 
 	osc build "$@" || :

shadow-login_defs-suse.patch

@@ -14,7 +14,7 @@ Index: etc/login.defs
  
  #
  # Delay in seconds before being allowed another attempt after a login failure
-@@ -62,8 +65,8 @@ CONSOLE		/etc/securetty
+@@ -52,8 +55,8 @@ CONSOLE		/etc/securetty
  # If defined, ":" delimited list of "message of the day" files to
  # be displayed upon login.
  #
@@ -25,7 +25,7 @@ Index: etc/login.defs
  
  #
  # If set to "yes", login stops display content specified by MOTD_FILE after
-@@ -83,8 +85,8 @@ MOTD_FILE	/etc/motd
+@@ -73,8 +76,8 @@ MOTD_FILE	/etc/motd
  # user's name or shell are found in the file.  If not a full pathname, then
  # hushed mode will be enabled if the file exists in the user's home directory.
  #
@@ -36,7 +36,7 @@ Index: etc/login.defs
  
  # If this variable is set to "yes", hostname will be suppressed in the
  # login: prompt.
-@@ -103,9 +105,9 @@ HUSHLOGIN_FILE	.hushlogin
+@@ -93,9 +96,9 @@ HUSHLOGIN_FILE	.hushlogin
  # ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
  # (and falback for login).
  #
@@ -49,7 +49,7 @@ Index: etc/login.defs
  
  # If this variable is set to "yes" (default is "no"), su will always set
  # path. every su call will overwrite the PATH variable.
-@@ -115,7 +117,7 @@ ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/b
+@@ -105,7 +108,7 @@ ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/b
  # The recommended value is "yes". The default "no" behavior could have
  # a security implication in applications that use commands without path.
  #
@@ -58,7 +58,7 @@ Index: etc/login.defs
  
  #
  # Terminal permissions
-@@ -129,7 +131,7 @@ ALWAYS_SET_PATH	no
+@@ -119,7 +122,7 @@ ALWAYS_SET_PATH	no
  # set TTYPERM to either 622 or 600.
  #
  TTYGROUP	tty
@@ -67,7 +67,16 @@ Index: etc/login.defs
  
  # Default initial "umask" value used by login(1) on non-PAM enabled systems.
  # Default "umask" value for pam_umask(8) on PAM enabled systems.
-@@ -167,8 +169,8 @@ PASS_WARN_AGE	7
+@@ -125,7 +128,7 @@
+ # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+ # home directories.
+ # If HOME_MODE is not set, the value of UMASK is used to create the mode.
+-#HOME_MODE	0700
++HOME_MODE	0700
+ 
+ #
+ # Password aging controls:
+@@ -157,8 +160,8 @@ PASS_WARN_AGE	7
  UID_MIN			 1000
  UID_MAX			60000
  # System accounts
@@ -78,7 +87,7 @@ Index: etc/login.defs
  # Extra per user uids
  SUB_UID_MIN		   100000
  SUB_UID_MAX		600100000
-@@ -185,8 +187,8 @@ SUB_UID_COUNT		    65536
+@@ -175,8 +178,8 @@ SUB_UID_COUNT		    65536
  GID_MIN			 1000
  GID_MAX			60000
  # System accounts
@@ -89,7 +98,7 @@ Index: etc/login.defs
  # Extra per user group ids
  SUB_GID_MIN		   100000
  SUB_GID_MAX		600100000
-@@ -195,7 +197,7 @@ SUB_GID_COUNT		    65536
+@@ -185,7 +188,7 @@ SUB_GID_COUNT		    65536
  #
  # Max number of login(1) retries if password is bad
  #
@@ -98,7 +107,7 @@ Index: etc/login.defs
  
  #
  # Max time in seconds for login(1)
-@@ -211,18 +213,9 @@ LOGIN_TIMEOUT		60
+@@ -201,18 +204,9 @@ LOGIN_TIMEOUT		60
  CHFN_RESTRICT		rwh
  
  #
@@ -119,7 +128,7 @@ Index: etc/login.defs
  
  #
  # If set to MD5, MD5-based algorithm will be used for encrypting password
-@@ -235,7 +228,7 @@ CHFN_RESTRICT		rwh
+@@ -227,7 +221,7 @@ CHFN_RESTRICT		rwh
  # Note: If you use PAM, it is recommended to use a value consistent with
  # the PAM modules configuration.
  #
@@ -128,7 +137,7 @@ Index: etc/login.defs
  
  #
  # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
-@@ -311,7 +304,7 @@ USERDEL_POSTCMD         /usr/sbin/userde
+@@ -325,7 +319,7 @@ USERDEL_POSTCMD         /usr/sbin/userde
  #
  # This also enables userdel(8) to remove user groups if no members exist.
  #
@@ -137,19 +146,13 @@ Index: etc/login.defs
  
  #
  # If set to a non-zero number, the shadow utilities will make sure that
-@@ -330,13 +323,13 @@ USERGROUPS_ENAB yes
+@@ -344,7 +338,7 @@ USERGROUPS_ENAB yes
  # This option is overridden with the -M or -m flags on the useradd(8)
  # command-line.
  #
 -#CREATE_HOME     yes
-+CREATE_HOME     no
++CREATE_HOME     yes
  
  #
  # Force use shadow, even if shadow passwd & shadow group files are
- # missing.
- #
--#FORCE_SHADOW    yes
-+FORCE_SHADOW    no
- 
- #
- # User/group names must match the following regex expression.
+

shadow-login_defs-unused-by-pam.patch

@@ -149,7 +149,7 @@ Index: etc/login.defs
  
  # Default initial "umask" value used by login(1) on non-PAM enabled systems.
  # Default "umask" value for pam_umask(8) on PAM enabled systems.
-@@ -206,28 +120,13 @@ UMASK		022
+@@ -211,28 +125,13 @@ UMASK		022
  #
  #	PASS_MAX_DAYS	Maximum number of days a password may be used.
  #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
@@ -178,7 +178,7 @@ Index: etc/login.defs
  # Min/max values for automatic uid selection in useradd(8)
  #
  UID_MIN			 1000
-@@ -264,28 +163,6 @@ LOGIN_RETRIES		5
+@@ -269,28 +168,6 @@ LOGIN_RETRIES		5
  LOGIN_TIMEOUT		60
  
  #
@@ -207,7 +207,7 @@ Index: etc/login.defs
  # Which fields may be changed by regular users using chfn(1) - use
  # any combination of letters "frwh" (full name, room number, work
  # phone, home phone).  If not defined, no changes are allowed.
-@@ -294,13 +171,6 @@ CHFN_AUTH		yes
+@@ -299,13 +176,6 @@ CHFN_AUTH		yes
  CHFN_RESTRICT		rwh
  
  #
@@ -221,8 +221,8 @@ Index: etc/login.defs
  # Only works if compiled with MD5_CRYPT defined:
  # If set to "yes", new passwords will be encrypted using the MD5-based
  # algorithm compatible with the one used by recent releases of FreeBSD.
-@@ -361,29 +231,12 @@ CHFN_RESTRICT		rwh
- #BCRYPT_MAX_ROUNDS 13
+@@ -382,17 +252,6 @@ CHFN_RESTRICT		rwh
+ #YESCRYPT_COST_FACTOR 5
  
  #
 -# List of groups to add to the user's supplementary group set
@@ -239,7 +239,8 @@ Index: etc/login.defs
  # Should login be allowed if we can't cd to the home directory?
  # Default is no.
  #
- DEFAULT_HOME	yes
+@@ -407,12 +266,6 @@ DEFAULT_HOME	yes
+ NONEXISTENT	/nonexistent
  
  #
 -# If this file exists and is readable, login environment will be

shadow-passwd-handle-null.patch

@@ -0,0 +1,21 @@
+Upstream commit: adb83f779618674e5e96e27e3d48559d62e2c410
+To fix: https://github.com/shadow-maint/shadow/pull/398
+Index: shadow-4.9/src/passwd.c
+===================================================================
+--- shadow-4.9.orig/src/passwd.c
++++ shadow-4.9/src/passwd.c
+@@ -490,9 +490,12 @@ static void print_status (const struct p
+ 		               ((long long)sp->sp_max * SCALE) / DAY,
+ 		               ((long long)sp->sp_warn * SCALE) / DAY,
+ 		               ((long long)sp->sp_inact * SCALE) / DAY);
+-	} else {
++	} else if (NULL != pw->pw_passwd) {
+ 		(void) printf ("%s %s\n",
+-		               pw->pw_name, pw_status (pw->pw_passwd));
++				pw->pw_name, pw_status (pw->pw_passwd));
++	} else {
++		(void) fprintf(stderr, _("%s: malformed password data obtained for user %s\n"),
++				Prog, pw->pw_name);
+ 	}
+ }
+ 

shadow-util-linux.patch

@@ -113,7 +113,7 @@ Index: lib/getdef.c
 ===================================================================
 --- lib/getdef.c.orig
 +++ lib/getdef.c
-@@ -66,6 +66,7 @@ struct itemdef {
+@@ -67,6 +67,7 @@ struct itemdef {
  	{"LOGIN_STRING", NULL},			\
  	{"MAIL_CHECK_ENAB", NULL},		\
  	{"MOTD_FILE", NULL},			\
@@ -121,7 +121,7 @@ Index: lib/getdef.c
  	{"NOLOGINS_FILE", NULL},		\
  	{"OBSCURE_CHECKS_ENAB", NULL},		\
  	{"PASS_ALWAYS_WARN", NULL},		\
-@@ -80,6 +81,7 @@ struct itemdef {
+@@ -91,6 +92,7 @@ struct itemdef {
  
  #define NUMDEFS	(sizeof(def_table)/sizeof(def_table[0]))
  static struct itemdef def_table[] = {
@@ -129,7 +129,7 @@ Index: lib/getdef.c
  	{"CHARACTER_CLASS", NULL},
  	{"CHFN_RESTRICT", NULL},
  	{"CONSOLE_GROUPS", NULL},
-@@ -88,6 +90,7 @@ static struct itemdef def_table[] = {
+@@ -99,6 +101,7 @@ static struct itemdef def_table[] = {
  	{"DEFAULT_HOME", NULL},
  	{"ENCRYPT_METHOD", NULL},
  	{"ENV_PATH", NULL},
@@ -137,7 +137,7 @@ Index: lib/getdef.c
  	{"ENV_SUPATH", NULL},
  	{"ERASECHAR", NULL},
  	{"FAIL_DELAY", NULL},
-@@ -99,6 +102,7 @@ static struct itemdef def_table[] = {
+@@ -110,6 +113,7 @@ static struct itemdef def_table[] = {
  	{"KILLCHAR", NULL},
  	{"LASTLOG_UID_MAX", NULL},
  	{"LOGIN_RETRIES", NULL},

shadow.changes

@@ -1,3 +1,86 @@
+-------------------------------------------------------------------
+Mon Sep 20 09:43:41 UTC 2021 - Michael Vetter <mvetter@suse.com>
+
+- bsc#1190146: Fix empty subid range
+  Add shadow-4.9-useradd-subuid.patch
+  https://github.com/shadow-maint/shadow/pull/399
+
+-------------------------------------------------------------------
+Mon Sep 20 09:09:13 UTC 2021 - Michael Vetter <mvetter@suse.com>
+
+- bsc#1190145: Fix double free in gpasswd:
+  Add shadow-4.9-sgent-free.patch upstreamed as
+  https://github.com/shadow-maint/shadow/pull/417
+
+-------------------------------------------------------------------
+Tue Sep  7 15:08:19 UTC 2021 - Michael Vetter <mvetter@suse.com>
+
+- Fix shadow-login_defs-check.sh:
+  In the last update we switched from calling make to %make_build
+  macro. Using sed to adapt the spec file now.
+
+-------------------------------------------------------------------
+Wed Aug 18 15:17:52 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
+
+- libsubid-devel: add missing requires for libsubid3
+- Remove README.changes-pwdutils, all distros you can upgrade from
+  use already shadow
+
+-------------------------------------------------------------------
+Wed Aug 18 14:59:15 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
+
+- login.defs: Enable USERGROUPS_ENAB and CREATE_HOME to
+  be compatible with other Linux distros and the other tools
+  creating user accounts in use on openSUSE. Set HOME_MODE to 700
+  for security reasons and compatibility. [bsc#1189139] [bsc#1182850]
+
+-------------------------------------------------------------------
+Tue Aug 17 15:08:09 UTC 2021 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.9:
+  * Updated translations
+  * Major salt updates
+  * Various coverity and cleanup fixes
+  * Consistently use 0 to disable PASS_MIN_DAYS in man
+  * Implement NSS support for subids and a libsubid
+  * setfcap: retain setfcap when mapping uid 0
+  * login.defs: include HMAC_CRYPTO_ALGO key
+  * selinux fixes
+  * Fix path prefix path handling
+  * Manpage updates
+  * Treat an empty passwd field as invalid(Haelwenn Monnier)
+  * newxidmap: allow running under alternative gid
+  * usermod: check that shell is executable
+  * Add yescript support
+  * useradd memleak fixes
+  * useradd: use built-in settings by default
+  * getdefs: add foreign
+  * buffer overflow fixes
+  * Adding run-parts style for pre and post useradd/del
+- Refresh:
+  * shadow-login_defs-unused-by-pam.patch
+  * userdel-script.patch
+  * useradd-script.patch
+  * chkname-regex.patch
+  * useradd-default.patch: bbf4b79 stopped shipping default file.
+    change group in code now.
+  * shadow-login_defs-suse.patch
+  * useradd-userkeleton.patch
+- Remove because upstreamed:
+  * shadow-4.1.5.1-userdel-helpfix.patch
+  * shadow-4.1.5.1-logmsg.patch
+- Add libsubid-build-fix.patch:
+  See https://github.com/shadow-maint/shadow/issues/387
+- Add shadow-libeconf-include.patch:
+  See c6847011e8b656adacd9a0d2a78418cad0de34cb
+- Add shadow-fix-sigabrt.patch:
+  See https://github.com/shadow-maint/shadow/issues/394
+- Add shadow-passwd-handle-null.patch [bsc#1188307]:
+  See https://github.com/shadow-maint/shadow/pull/398
+- Remove %{_sysconfdir}/default/useradd: file not shipped anymore
+- Remove --disable-shared: Dont need it anymore
+  See https://github.com/shadow-maint/shadow/issues/336
+
 -------------------------------------------------------------------
 Thu Jul  1 11:51:39 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
 
@@ -7,7 +90,7 @@ Thu Jul  1 11:51:39 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
 -------------------------------------------------------------------
 Sat Jun  5 13:38:52 UTC 2021 - Maurizio Galli <maurizio.galli@gmail.com>
 
-- Enable shadowgrp so that we can set more secure group passwords 
+- Enable shadowgrp so that we can set more secure group passwords
   using shadow.
 
 -------------------------------------------------------------------
@@ -54,7 +137,7 @@ Mon Nov  2 15:54:02 UTC 2020 - Dr. Werner Fink <werner@suse.de>
 -------------------------------------------------------------------
 Fri Oct  9 13:12:11 UTC 2020 - Dr. Werner Fink <werner@suse.de>
 
-- Add support for /usr/etc/skel to useradd.local script (boo#1173321) 
+- Add support for /usr/etc/skel to useradd.local script (boo#1173321)
 
 -------------------------------------------------------------------
 Thu Oct  8 03:16:58 UTC 2020 - Stanislav Brabec <sbrabec@suse.com>
@@ -530,7 +613,7 @@ Tue Nov 13 17:31:50 CET 2012 - kukuk@suse.de
 -------------------------------------------------------------------
 Tue Nov 13 10:36:28 CET 2012 - kukuk@suse.de
 
-- Fix default group value in /etc/default/useradd 
+- Fix default group value in /etc/default/useradd
   (useradd-default.diff)
 
 -------------------------------------------------------------------

shadow.spec

@@ -21,23 +21,21 @@
 %else
   %define no_config 1
 %endif
-
 Name:           shadow
-Version:        4.8.1
+Version:        4.9
 Release:        0
 Summary:        Utilities to Manage User and Group Accounts
 License:        BSD-3-Clause AND GPL-2.0-or-later
 Group:          System/Base
 URL:            https://github.com/shadow-maint/shadow
-Source:         https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
+Source:         https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
 Source1:        pamd.tar.bz2
-Source2:        README.changes-pwdutils
 Source3:        useradd.local
 Source4:        userdel-pre.local
 Source5:        userdel-post.local
 Source6:        shadow.service
 Source7:        shadow.timer
-Source42:       https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
+Source42:       https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc
 Source43:       %{name}.keyring
 # SOURCE-FEATURE-SUSE shadow-login_defs-check.sh sbrabec@suse.com -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches.
 Source44:       shadow-login_defs-check.sh
@@ -53,40 +51,48 @@ Patch3:         chkname-regex.patch
 Patch4:         useradd-default.patch
 # PATCH-FEATURE-SUSE shadow-util-linux.patch sbrabec@suse.com -- Add support for util-linux specific variables, delete shadow login, su runuser specific.
 Patch5:         shadow-util-linux.patch
-# PATCH-FEATURE-FEDORA shadow-4.1.5.1-userdel-helpfix.patch christian.brauner@mailbox.org -- Give a hint about what happens when you force the removal of a user.
-Patch6:         shadow-4.1.5.1-userdel-helpfix.patch
-# PATCH-FIX-FEDORA shadow-4.1.5.1-logmsg.patch kukuk@suse.com -- Fix error message.
-Patch7:         shadow-4.1.5.1-logmsg.patch
 # PATCH-FEATURE-SUSE shadow-login_defs-comments.patch kukuk@suse.com -- Adjust login.defs comments.
-Patch13:        shadow-login_defs-comments.patch
+Patch6:         shadow-login_defs-comments.patch
 # PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
-Patch14:        shadow-login_defs-suse.patch
+Patch7:         shadow-login_defs-suse.patch
 # PATCH-FEATURE-SUSE Copy also skeleton files from /usr/etc/skel (boo#1173321)
-Patch15:        useradd-userkeleton.patch
+Patch8:         useradd-userkeleton.patch
 # PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
-Patch20:        disable_new_audit_function.patch
+Patch9:         disable_new_audit_function.patch
+# PATCH-FIX-UPSTREAM libsubid-build-fix.patch mvetter@suse.de -- Fix build with libsubid (f4a84e, 537b8c, fa986b)
+Patch10:        libsubid-build-fix.patch
+# PATCH-FIX-UPSTREAM shadow-libeconf-include.patch mvetter@suse.de -- Include libeconf to new*idmap (c68470)
+Patch11:        shadow-libeconf-include.patch
+# PATCH-FIX-UPSTREAM shadow-fix-sigabrt.patch mvetter@suse.de -- Fix SIGABRT https://github.com/shadow-maint/shadow/issues/394
+Patch12:        shadow-fix-sigabrt.patch
+# PATCH-FIX-UPSTREAM shadow-passwd-handle-null.patch mvetter@suse.de -- Fix passwd NULL handling https://github.com/shadow-maint/shadow/pull/398
+Patch13:        shadow-passwd-handle-null.patch
+# PATCH-FIX-UPSTREAM shadow-4.9-sgent-free.patch mvetter@suse.de -- Fix double free (boo#1190145)
+Patch14:        shadow-4.9-sgent-free.patch
+# PATCH-FIX-UPSTREAM shadow-4.9-useradd-subuid.patch mvetter@suse.de -- Fix generating empty subid range and undeclared subid_count (boo#1190146)
+Patch15:        shadow-4.9-useradd-subuid.patch
 BuildRequires:  audit-devel > 2.3
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libacl-devel
 BuildRequires:  libattr-devel
-# It should be %%if %%{defined no_config}, but OBS cannot handle it:
-%if 0%{?suse_version} >= 1550
-BuildRequires:  libeconf-devel
-%endif
 BuildRequires:  libselinux-devel
 BuildRequires:  libsemanage-devel
 BuildRequires:  libtool
 BuildRequires:  pam-devel
 BuildRequires:  xz
+Requires:       login_defs >= %{version}
 Requires(pre):  group(root)
 Requires(pre):  group(shadow)
 Requires(pre):  permissions
 Requires(pre):  user(root)
 Provides:       pwdutils = 3.2.20
 Obsoletes:      pwdutils <= 3.2.19
-Requires:       login_defs >= %{version}
 Provides:       useradd_or_adduser_dep
+# It should be %%if %%{defined no_config}, but OBS cannot handle it:
+%if 0%{?suse_version} >= 1550
+BuildRequires:  libeconf-devel
+%endif
 
 %description
 This package includes the necessary programs for converting plain
@@ -94,21 +100,36 @@ password files to the shadow password format and to manage user and
 group accounts.
 
 %package -n login_defs
-Summary:        login.defs configuration file
-Group:          System/Base
-BuildArch:      noarch
+Summary:        The login.defs configuration file
 # Virtual provides for supported variables in login.defs.
 # It prevents references to unknown variables.
 # Upgrade them only if shadow-util-linux.patch or
 # encryption_method_nis.patch has to be ported!
 # Call shadow-login_defs-check.sh before!
+Group:          System/Base
 Provides:       login_defs-support-for-pam = 1.3.1
 Provides:       login_defs-support-for-util-linux = 2.36
+BuildArch:      noarch
 
 %description -n login_defs
 This package contains the default login.defs configuration file
 as used by util-linux, pam and shadow.
 
+%package -n libsubid3
+Summary:        A library to manage subordinate uid and gid ranges
+Group:          System/Base
+
+%description -n libsubid3
+Utility library that provides a way to manage subid ranges.
+
+%package -n libsubid-devel
+Summary:        Development files for libsubid3
+Group:          System/Base
+Requires:       libsubid3 = %{version}
+
+%description -n libsubid-devel
+Development files for libsubid3.
+
 %prep
 %setup -q -a 1
 %patch0
@@ -119,12 +140,16 @@ as used by util-linux, pam and shadow.
 %patch5
 %patch6
 %patch7
-%patch13
-%patch14
-%patch15
+%patch8
 %if 0%{?suse_version} < 1330
-%patch20 -p1
+%patch9 -p1
 %endif
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 mv -v doc/HOWTO.utf8 doc/HOWTO
@@ -145,14 +170,15 @@ autoreconf -fvi
   --with-nscd \
   --with-selinux \
   --without-libcrack \
-  --disable-shared \
   --with-group-name-max-length=32 \
   --enable-vendordir=%{_distconfdir}
-make %{?_smp_mflags} V=1
+%make_build
+#  --disable-shared \ currently doesn't build with this. See https://github.com/shadow-maint/shadow/issues/336
 
 %install
-cp %{SOURCE2} .
 %make_install gnulocaledir=%{buildroot}/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
+# Separate call to install man pages. See https://github.com/shadow-maint/shadow/issues/389
+%make_install -C man install-man
 
 # install useradd.local, userdel.local, ...
 install -m 0755 %{SOURCE3} %{buildroot}/%{_sbindir}/
@@ -221,6 +247,8 @@ rm %{buildroot}/%{_mandir}/*/man5/passwd.5*
 
 rm -rf %{buildroot}%{_mandir}/{??,??_??}
 
+rm %{buildroot}/%{_libdir}/libsubid.la
+
 # Move /etc to /usr/etc
 if [ ! -d %{buildroot}%{_distconfdir} ]; then
     mkdir -p %{buildroot}%{_distconfdir}
@@ -233,11 +261,11 @@ fi
 %pre
 %service_add_pre shadow.service shadow.timer
 for i in pam.d/chage pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do
-  test -f /etc/${i}.rpmsave && mv -v /etc/${i}.rpmsave /etc/${i}.rpmsave.old ||:
+  test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
 done
 
 %pre -n login_defs
-test -f /etc/login.defs.rpmsave && mv -v /etc/login.defs.rpmsave /etc/login.defs.rpmsave.old ||:
+test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpmsave %{_sysconfdir}/login.defs.rpmsave.old ||:
 
 %post
 %set_permissions %{_bindir}/chage
@@ -273,7 +301,7 @@ test -f /etc/login.defs.rpmsave && mv -v /etc/login.defs.rpmsave /etc/login.defs
 %if %{defined no_config}
 # Migration to /usr/etc
 for i in pam.d/chage pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do
-  test -f /etc/${i}.rpmsave && mv -v /etc/${i}.rpmsave /etc/${i} ||:
+  test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
 done
 %endif
 
@@ -281,12 +309,14 @@ done
 # rpmsave file can be created by
 # - change of owning package (SLE15 SP2->SP3, Leap 15.2->15.3)
 # - Migration to /usr/etc (after SLE15 and Leap 15)
-test -f /etc/login.defs.rpmsave && mv -v /etc/login.defs.rpmsave /etc/login.defs ||:
+test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpmsave %{_sysconfdir}/login.defs ||:
+
+%post -n libsubid3 -p /sbin/ldconfig
+%postun -n libsubid3 -p /sbin/ldconfig
 
 %files -f shadow.lang
 %license COPYING
-%doc NEWS doc/HOWTO README README.changes-pwdutils
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
+%doc NEWS doc/HOWTO README
 %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subuid
 %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subgid
 %if %{defined no_config}
@@ -308,7 +338,6 @@ test -f /etc/login.defs.rpmsave && mv -v /etc/login.defs.rpmsave /etc/login.defs
 %config %{_sysconfdir}/pam.d/chfn
 %config %{_sysconfdir}/pam.d/chsh
 %config %{_sysconfdir}/pam.d/passwd
-%config %{_sysconfdir}/pam.d/useradd
 %config %{_sysconfdir}/pam.d/chpasswd
 %config %{_sysconfdir}/pam.d/groupadd
 %config %{_sysconfdir}/pam.d/groupdel
@@ -380,11 +409,19 @@ test -f /etc/login.defs.rpmsave && mv -v /etc/login.defs.rpmsave /etc/login.defs
 
 %files -n login_defs
 %if %{defined no_config}
-%dir /etc/login.defs.d
+%dir %{_sysconfdir}/login.defs.d
 %attr(0644,root,root) %{_distconfdir}/login.defs
 %else
 %attr(0644,root,root) %config %{_sysconfdir}/login.defs
 %endif
 %{_mandir}/man5/login.defs.5%{?ext_man}
 
+%files -n libsubid3
+%{_libdir}/libsubid.so.*
+
+%files -n libsubid-devel
+%dir %{_includedir}/shadow
+%{_includedir}/shadow/subid.h
+%{_libdir}/libsubid.so
+
 %changelog

useradd-default.patch

@@ -1,9 +1,13 @@
---- etc/useradd
-+++ etc/useradd
-@@ -1,5 +1,5 @@
- # useradd defaults file
--GROUP=1000
-+GROUP=100
- HOME=/home
- INACTIVE=-1
- EXPIRE=
+Index: src/useradd.c
+===================================================================
+--- src/useradd.c.orig
++++ src/useradd.c
+@@ -101,7 +101,7 @@ FILE *shadow_logfd = NULL;
+ /*
+  * These defaults are used if there is no defaults file.
+  */
+-static gid_t def_group = 1000;
++static gid_t def_group = 100;
+ static const char *def_gname = "other";
+ static const char *def_home = "/home";
+ static const char *def_shell = "/bin/bash";

useradd-script.patch

@@ -4,10 +4,12 @@
  src/useradd.c  |   41 ++++++++++++++++++++++++++++++++++++++++-
  3 files changed, 48 insertions(+), 1 deletion(-)
 
---- etc/login.defs
-+++ etc/login.defs	2020-10-30 12:54:38.117849829 +0000
-@@ -242,6 +242,13 @@ CHFN_RESTRICT		rwh
- DEFAULT_HOME	yes
+Index: etc/login.defs
+===================================================================
+--- etc/login.defs.orig
++++ etc/login.defs
+@@ -266,6 +266,13 @@ DEFAULT_HOME	yes
+ NONEXISTENT	/nonexistent
  
  #
 +# If defined, this command is run when adding a user.
@@ -20,9 +22,11 @@
  # If defined, this command is run when removing a user.
  # It should remove any at/cron/print jobs etc. owned by
  # the user to be removed (passed as the first argument).
---- lib/getdef.c
-+++ lib/getdef.c	2020-10-30 12:54:38.117849829 +0000
-@@ -134,6 +134,7 @@ static struct itemdef def_table[] = {
+Index: lib/getdef.c
+===================================================================
+--- lib/getdef.c.orig
++++ lib/getdef.c
+@@ -149,6 +149,7 @@ static struct itemdef def_table[] = {
  	{"UID_MAX", NULL},
  	{"UID_MIN", NULL},
  	{"UMASK", NULL},
@@ -30,11 +34,13 @@
  	{"USERDEL_CMD", NULL},
  	{"USERDEL_PRECMD", NULL},
  	{"USERDEL_POSTCMD", NULL},
---- src/useradd.c
-+++ src/useradd.c	2020-10-30 13:08:17.378336989 +0000
-@@ -2238,6 +2238,44 @@ static void create_mail (void)
- }
+Index: src/useradd.c
+===================================================================
+--- src/useradd.c.orig
++++ src/useradd.c
+@@ -2398,6 +2398,44 @@ static void check_uid_range(int rflg, ui
  
+ }
  /*
 + * call_script - call a script to do some work
 + *
@@ -77,7 +83,7 @@
   * main - useradd command
   */
  int main (int argc, char **argv)
-@@ -2514,6 +2552,7 @@ int main (int argc, char **argv)
+@@ -2691,6 +2729,7 @@ int main (int argc, char **argv)
  	nscd_flush_cache ("group");
  	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
  

useradd-userkeleton.patch

@@ -5,21 +5,11 @@ Copy also skeleton files from /usr/etc/skel (boo#1173321)
  src/useradd.c |   37 +++++++++++++++++++++++++++++++++++++
  2 files changed, 38 insertions(+)
 
-Index: etc/useradd
-===================================================================
---- etc/useradd.orig
-+++ etc/useradd
-@@ -5,4 +5,5 @@ INACTIVE=-1
- EXPIRE=
- SHELL=/bin/bash
- SKEL=/etc/skel
-+USRSKEL=/usr/etc/skel
- CREATE_MAIL_SPOOL=yes
 Index: src/useradd.c
 ===================================================================
 --- src/useradd.c.orig
 +++ src/useradd.c
-@@ -78,6 +78,9 @@
+@@ -82,6 +82,9 @@
  #ifndef SKEL_DIR
  #define SKEL_DIR "/etc/skel"
  #endif
@@ -29,15 +19,15 @@ Index: src/useradd.c
  #ifndef USER_DEFAULTS_FILE
  #define USER_DEFAULTS_FILE "/etc/default/useradd"
  #define NEW_USER_FILE "/etc/default/nuaddXXXXXX"
-@@ -101,6 +104,7 @@ static const char *def_gname = "other";
+@@ -106,6 +109,7 @@ static const char *def_gname = "other";
  static const char *def_home = "/home";
- static const char *def_shell = "";
+ static const char *def_shell = "/bin/bash";
  static const char *def_template = SKEL_DIR;
 +static const char *def_usrtemplate = USRSKELDIR;
- static const char *def_create_mail_spool = "no";
+ static const char *def_create_mail_spool = "yes";
  
  static long def_inactive = -1;
-@@ -202,6 +206,7 @@ static bool home_added = false;
+@@ -208,6 +212,7 @@ static bool home_added = false;
  #define DINACT			"INACTIVE="
  #define DEXPIRE			"EXPIRE="
  #define DSKEL			"SKEL="
@@ -45,7 +35,7 @@ Index: src/useradd.c
  #define DCREATE_MAIL_SPOOL	"CREATE_MAIL_SPOOL="
  
  /* local function prototypes */
-@@ -469,6 +474,29 @@ static void get_defaults (void)
+@@ -481,6 +486,29 @@ static void get_defaults (void)
  		}
  
  		/*
@@ -75,7 +65,7 @@ Index: src/useradd.c
  		 * Create by default user mail spool or not ?
  		 */
  		else if (MATCH (buf, DCREATE_MAIL_SPOOL)) {
-@@ -500,6 +528,7 @@ static void show_defaults (void)
+@@ -512,6 +540,7 @@ static void show_defaults (void)
  	printf ("EXPIRE=%s\n", def_expire);
  	printf ("SHELL=%s\n", def_shell);
  	printf ("SKEL=%s\n", def_template);
@@ -83,7 +73,7 @@ Index: src/useradd.c
  	printf ("CREATE_MAIL_SPOOL=%s\n", def_create_mail_spool);
  }
  
-@@ -526,6 +555,7 @@ static int set_defaults (void)
+@@ -538,6 +567,7 @@ static int set_defaults (void)
  	bool out_expire = false;
  	bool out_shell = false;
  	bool out_skel = false;
@@ -91,7 +81,7 @@ Index: src/useradd.c
  	bool out_create_mail_spool = false;
  	size_t len;
  	int ret = -1;
-@@ -620,6 +650,9 @@ static int set_defaults (void)
+@@ -632,6 +662,9 @@ static int set_defaults (void)
  		} else if (!out_skel && MATCH (buf, DSKEL)) {
  			fprintf (ofp, DSKEL "%s\n", def_template);
  			out_skel = true;
@@ -101,7 +91,7 @@ Index: src/useradd.c
  		} else if (!out_create_mail_spool
  			   && MATCH (buf, DCREATE_MAIL_SPOOL)) {
  			fprintf (ofp,
-@@ -649,6 +682,8 @@ static int set_defaults (void)
+@@ -661,6 +694,8 @@ static int set_defaults (void)
  		fprintf (ofp, DSHELL "%s\n", def_shell);
  	if (!out_skel)
  		fprintf (ofp, DSKEL "%s\n", def_template);
@@ -110,7 +100,7 @@ Index: src/useradd.c
  
  	if (!out_create_mail_spool)
  		fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool);
-@@ -2507,6 +2542,8 @@ int main (int argc, char **argv)
+@@ -2679,6 +2714,8 @@ int main (int argc, char **argv)
  		if (home_added) {
  			copy_tree (def_template, prefix_user_home, false, false,
  			           (uid_t)-1, user_id, (gid_t)-1, user_gid);

userdel-script.patch

@@ -2,7 +2,7 @@ Index: lib/getdef.c
 ===================================================================
 --- lib/getdef.c.orig
 +++ lib/getdef.c
-@@ -127,6 +127,8 @@ static struct itemdef def_table[] = {
+@@ -150,6 +150,8 @@ static struct itemdef def_table[] = {
  	{"UID_MIN", NULL},
  	{"UMASK", NULL},
  	{"USERDEL_CMD", NULL},
@@ -15,7 +15,7 @@ Index: etc/login.defs
 ===================================================================
 --- etc/login.defs.orig
 +++ etc/login.defs
-@@ -216,9 +216,25 @@ DEFAULT_HOME	yes
+@@ -270,9 +270,25 @@ NONEXISTENT	/nonexistent
  # It should remove any at/cron/print jobs etc. owned by
  # the user to be removed (passed as the first argument).
  #
@@ -45,7 +45,7 @@ Index: src/userdel.c
 ===================================================================
 --- src/userdel.c.orig
 +++ src/userdel.c
-@@ -126,7 +126,7 @@ static void close_files (void);
+@@ -131,7 +131,7 @@ static void close_files (void);
  static void fail_exit (int);
  static void open_files (void);
  static void update_user (void);
@@ -54,7 +54,7 @@ Index: src/userdel.c
  
  #ifdef EXTRA_CHECK_HOME_DIR
  static bool path_prefix (const char *, const char *);
-@@ -768,13 +768,13 @@ static void update_user (void)
+@@ -774,13 +774,13 @@ static void update_user (void)
   *	cron, at, or print jobs.
   */
  
@@ -70,7 +70,7 @@ Index: src/userdel.c
  	if (NULL == cmd) {
  		return;
  	}
-@@ -1214,9 +1214,10 @@ int main (int argc, char **argv)
+@@ -1225,9 +1225,10 @@ int main (int argc, char **argv)
  	}
  
  	/*
@@ -83,7 +83,7 @@ Index: src/userdel.c
  	open_files ();
  	update_user ();
  	update_groups ();
-@@ -1337,7 +1338,7 @@ int main (int argc, char **argv)
+@@ -1348,7 +1349,7 @@ int main (int argc, char **argv)
  	 * the entry from /etc/passwd.
  	 */
  	if(prefix[0] == '\0')
@@ -91,8 +91,8 @@ Index: src/userdel.c
 +		call_script ("USERDEL_CMD", user_name);
  	close_files ();
  
- #ifdef WITH_TCB
-@@ -1348,6 +1349,9 @@ int main (int argc, char **argv)
+ 	if (run_parts ("/etc/shadow-maint/userdel-post.d", user_name, "userdel")) {
+@@ -1363,6 +1364,9 @@ int main (int argc, char **argv)
  	nscd_flush_cache ("group");
  	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);