Accepting request 1328842 from Base:System

* Change lock mechanism #605 (bsc#1213189)
  * Send UID range warning to stderr (bsc#1230972)

OBS-URL: https://build.opensuse.org/request/show/1328842
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shadow?expand=0&rev=83

shadow-4.18.0.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmhbDFQACgkQNXDaFycK
-ziQBNQgAzFSwyCM6MpR9au15EeF3dw0auq6iI9ibL2ZLfZQII+tT0Mzv+LY5ioLR
-qf4DVDqCyZWz3FMfmM93aXtKg+Vb8ukkhmhIFmWZjJDb2yZIh4bQOo+rVlQa+GBk
-kCMftuNPE/58AhH030nt917EXE6Yz4JkyX0UDcJkqWKdTPWfl9OjHQfiFXuGHlsr
-HJT4OVZSkAOKtZtKvjqD00dEvSsQ0GpeCTLgtQ2RgWS1Sfwvmrsc2nIHQXhkWmKx
-sTfhiHGL10v9rDHgtK3KccdfkqtSdPqDDO6T0DQVg0gwqawB7b0WhixVqrGxGAfh
-aOVD1Sy9qcQlSBT8kJIuXyAotTB75w==
-=FJBB
------END PGP SIGNATURE-----

shadow-4.19.2.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f4b73a206169e426c13d418947a9b9ebce71117c108136e0846c4b7d88e41120
+size 2339472

shadow-4.19.2.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmluR10ACgkQNXDaFycK
+ziT3Qwf+NiRQgfHY3v1W8Ai3jukS9Kr/Wnoh+xnDoiDJhn0gHc4qFceJf37VHhuj
+K9h7BRzeQOfQV/6u8kaokvAx14xC+P5wlb/liM1cWLR3VKZb4/kIucMaRBUPw05z
+irUnf932fLXkSgmpvosWF3nmfmw7NW3/Cmke05udLcRpP9sjNnBJSmpFoxUfOE/h
+zVUwFfB0oKhEZmz3EoM5nHbRflglsGOFVEn78V4EmpANfMTtZjAa8ief1pLeRt4M
+JOaLaxZVyVR7FKxXpPxk0Fol4+O8fFyQD/r3dsawmMmvP1/OqikaaJLN1wBpTuZP
+RnvNZ0YPz+8+kITWZ/eaz9N8YCTgdA==
+=h7td
+-----END PGP SIGNATURE-----

shadow-login_defs-suse.patch

@@ -107,7 +107,7 @@ Index: etc/login.defs
  
  #
  # Tell login to only re-prompt for the password if authentication
-@@ -207,18 +210,9 @@ LOGIN_TIMEOUT		60
+@@ -207,20 +210,6 @@ LOGIN_TIMEOUT		60
  CHFN_RESTRICT		rwh
  
  #
@@ -117,19 +117,19 @@ Index: etc/login.defs
 -# Set to "no" if you need to copy encrypted passwords to other systems
 -# which don't understand the new algorithm.  Default is "no".
 -#
--# Note: If you use PAM, it is recommended to use a value consistent with
+-# Note: if you use PAM, it is recommended to use a value consistent with
 -# the PAM modules configuration.
 -#
 -# This variable is deprecated. You should use ENCRYPT_METHOD instead.
-+# This variable is deprecated. Use ENCRYPT_METHOD instead!
- #
+-#
 -#MD5_CRYPT_ENAB	no
-+#MD5_CRYPT_ENAB	DO_NOT_USE
- 
- #
+-
+-#
  # If set to MD5, MD5-based algorithm will be used for encrypting password
-@@ -233,7 +227,7 @@ CHFN_RESTRICT		rwh
- # Note: If you use PAM, it is recommended to use a value consistent with
+ # If set to SHA256, SHA256-based algorithm will be used for encrypting password
+ # If set to SHA512, SHA512-based algorithm will be used for encrypting password
+@@ -233,7 +222,7 @@ CHFN_RESTRICT		rwh
+ # Note: if you use PAM, it is recommended to use a value consistent with
  # the PAM modules configuration.
  #
 -#ENCRYPT_METHOD DES
@@ -137,7 +137,7 @@ Index: etc/login.defs
  
  #
  # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
-@@ -299,7 +293,7 @@ USERGROUPS_ENAB yes
+@@ -299,7 +288,7 @@ USERGROUPS_ENAB yes
  # This option is overridden with the -M or -m flags on the useradd(8)
  # command-line.
  #

shadow-login_defs-unused-by-pam.patch

@@ -192,7 +192,7 @@ Index: etc/login.defs
 -#
 -# Number of significant characters in the password for crypt().
 -# Default is 8, don't change unless your crypt() is better.
--# Ignored if MD5_CRYPT_ENAB set to "yes".
+-# Only used for DES encryption algorithm.
 -#
 -#PASS_MAX_LEN		8
 -

shadow.changes

@@ -1,3 +1,139 @@
+-------------------------------------------------------------------
+Mon Jan 19 13:39:42 UTC 2026 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.19.2:
+  Regression fixes usermod(8):
+  * Revert an incorrect commit. See #1509 and #1510.
+
+-------------------------------------------------------------------
+Mon Jan 19 13:38:37 UTC 2026 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.19.1:
+  Regression fixes in chpasswd(8):
+  * Don't reject leading '!' in password hashes or a hash consisting
+    of "*". These were accidentally rejected in 4.19.0.
+    See #1483 and #1486.
+  * Don't reject a passwordless account ("" or "!").
+    See #1483 (comment) and #1505.
+
+-------------------------------------------------------------------
+Wed Dec 31 10:50:15 UTC 2025 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.19.0:
+  Breaking changes:
+  * Remove support for escaped newlines in configuration files.
+    It never worked correctly.
+    b0a7ce5 (2025-12-05; "lib/, po/: Remove fgetsx() and fputsx()")
+  * Some user names and group names are too dangerous and are rejected,
+    even with --badname.
+    25aea74 (2025-12-25; "lib/chkname.c, src/: Strictly disallow really bad names")
+  Future breaking changes:
+  * SHA512 and SHA256 will be supported unconditionally in the next
+    release. The build-time flag '--with-sha-crypt' will be removed.
+    See #1452.
+  Support:
+  * Several years ago, there were talks about deprecating su(1) and
+    login(1), back when this project was maintained as part of Debian.
+    However, nothing was clearly stated, and there were doubts about the
+    status of these programs. Let's clarify them now.
+  * Our implementations of su(1) and login(1) are fully supported, and we
+    don't have any plans to remove them. They are NOT deprecated.
+    See #464.
+  Deprecations:
+  * groupmems(8)
+    The program will be removed in a future release.
+    See #1343.
+  * logoutd(8)
+    The program will be removed in the next release.
+    See #999,
+    and #1344.
+  * DES
+    This hashing algorithm has been deprecated for a long time,
+    and support for it will be removed in a future release.
+    See #1456
+  * MD5
+    This hashing algorithm has been deprecated for a long time,
+    and support for it will be removed in a future release.
+    See #1457
+  * login.defs(5): MD_CRYPT_ENAB
+    This feature had been deprecated for decades. It will be
+    removed in a future release.
+    The command-line equivalents (-m, --md5) of this feature in
+    chpasswd(8) and chgpasswd(8) will also be removed in a future
+    release.
+    See #1455.
+  * login.defs(5): PASS_MAX_LEN
+    This feature is ignored except for DES. Once DES is removed,
+    it makes no sense keeping it. It may be removed in a future
+    release.
+  * Password aging
+    Scientific research shows that periodic password expiration
+    leads to predictable password patterns, and that even in a
+    theoretical scenario where that wouldn't happen the gains in
+    security are mathematically negligible.
+    https://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf
+  * Modern security standards, such as NIST SP 800-63B-4 in the USA,
+    prohibit periodic password expiration.
+    https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver
+    https://pages.nist.gov/800-63-FAQ/#q-b05
+    https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Don'tenforceregularpasswordexpiry
+  * To align with these, we're deprecating the ability to
+    periodically expire passwords. The specifics and long-term
+    roadmap are currently being discussed, and we invite feedback
+    from users, particularly from those in regulated environments.
+    See #1432.
+  * This deprecation includes the following programs and features:
+    + expiry(1)
+    + chage(1):
+         -I,--inactive (also the interactive version)
+         -m,--mindays (also the interactive version)
+         -M,--maxdays (also the interactive version)
+         -W,--warndays (also the interactive version)
+    + passwd(1):
+         -k,--keep-tokens
+         -n,--mindays
+         -x,--maxdays
+         -i,--inactive
+         -w,--warndays
+    + useradd(8):
+         -f,--inactive
+    + usermod(8):
+         -f,--inactive
+    + login.defs(5):
+         PASS_MIN_DAYS
+         PASS_MAX_DAYS
+         PASS_WARN_AGE
+    + /etc/default/useradd:
+         INACTIVE
+    + shadow(5):
+         sp_lstchg: Restrict to just the values 0 and empty.
+         sp_min
+         sp_max
+         sp_warn
+         sp_inact
+  * We recognize that many users operate in environments with
+    regulatory or contractual requirements that still mandate
+    password aging. To minimize disruption, these features will
+    remain functional for a significant period. However, we
+    encourage administrators to review their internal policies,
+    talk to their regulators if appropriate, and participate in the
+    roadmap discussion linked above.
+- Update patches:
+  * shadow-login_defs-suse.patch
+  * shadow-login_defs-unused-by-pam.patch
+
+-------------------------------------------------------------------
+Thu Dec 11 11:00:51 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
+
+- Add permissions file for shadow-pw-mgmt
+  [bsc#1253052#c12], [bsc#1254844]
+
+-------------------------------------------------------------------
+Sat Nov  1 17:43:53 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
+
+- Move chage, chfn, chsh, passwd and new?idmap into own 
+  pw-mgmt sub-package
+
 -------------------------------------------------------------------
 Wed Jun 25 04:20:14 UTC 2025 - Michael Vetter <mvetter@suse.com>
 
@@ -401,7 +537,7 @@ Thu Aug 17 06:43:38 UTC 2023 - Michael Vetter <mvetter@suse.com>
   * lastlog: fix alignment of Latest header
   * Fix yescrypt support #748
   * chgpasswd: Fix segfault in command-line options
-  * gpasswd: Fix password leak
+  * gpasswd: Fix password leak (bsc#1214806, CVE-2023-4641)
   * Add --prefix to passwd, chpasswd and chage #714 (bsc#1206627)
   * usermod: fix off-by-one issues #701
   * ch(g)passwd: Check selinux permissions upon startup #675
@@ -425,6 +561,7 @@ Thu Aug 17 06:43:38 UTC 2023 - Michael Vetter <mvetter@suse.com>
   * chfn: new_fields: fix wrong fields printed
   * Allow supplementary groups to be added via config file #586
   * useradd: check if subid range exists for user #592 (rh#2012929)
+  * Change lock mechanism #605 (bsc#1213189)
 - Refresh useradd-default.patch
 - Remove upstreamed patches:
   * useradd-userkeleton.patch
@@ -828,6 +965,7 @@ Tue Aug 17 15:08:09 UTC 2021 - Michael Vetter <mvetter@suse.com>
   * getdefs: add foreign
   * buffer overflow fixes
   * Adding run-parts style for pre and post useradd/del
+  * Send UID range warning to stderr (bsc#1230972)
 - Refresh:
   * shadow-login_defs-unused-by-pam.patch
   * userdel-script.patch

shadow.permissions

@@ -0,0 +1,10 @@
+/usr/bin/chage                   root:shadow       2755
+/usr/bin/chfn                    root:shadow       4755
+/usr/bin/chsh                    root:shadow       4755
+/usr/bin/expiry                  root:shadow       4755
+/usr/bin/passwd                  root:shadow       4755
+# newgidmap / newuidmap (bsc#979282, bsc#1048645, bsc#1208309)
+/usr/bin/newgidmap               root:root         0755
+ +capabilities cap_setgid=ep
+/usr/bin/newuidmap               root:root         0755
+ +capabilities cap_setuid=ep

shadow.permissions.paranoid

@@ -0,0 +1,8 @@
+/usr/bin/chage                   root:shadow       0755
+/usr/bin/chfn                    root:shadow       0755
+/usr/bin/chsh                    root:shadow       0755
+/usr/bin/expiry                  root:shadow       0755
+/usr/bin/passwd                  root:shadow       0755
+# newgidmap / newuidmap (bsc#979282, bsc#1048645, bsc#1208309)
+/usr/bin/newgidmap               root:root         0755
+/usr/bin/newuidmap               root:root         0755

shadow.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package shadow
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
   %define no_config 1
 %endif
 Name:           shadow
-Version:        4.18.0
+Version:        4.19.2
 Release:        0
 Summary:        Utilities to Manage User and Group Accounts
 License:        BSD-3-Clause AND GPL-2.0-or-later
@@ -34,6 +34,8 @@ Source2:        https://github.com/shadow-maint/shadow/releases/download/%{versi
 Source3:        %{name}.keyring
 Source4:        shadow.service
 Source5:        shadow.timer
+Source6:        shadow.permissions
+Source7:        shadow.permissions.paranoid
 # SOURCE-FEATURE-SUSE shadow-login_defs-check.sh sbrabec@suse.com -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches.
 Source40:       shadow-login_defs-check.sh
 # PATCH-FIX-SUSE shadow-login_defs-unused-by-pam.patch kukuk@suse.com -- Remove variables that have no use with PAM.
@@ -57,6 +59,7 @@ BuildRequires:  libselinux-devel
 BuildRequires:  libsemanage-devel
 BuildRequires:  libtool
 BuildRequires:  pam-devel
+BuildRequires:  permissions-config
 BuildRequires:  xz
 # we depend on libbsd or glibc >= 2.38 for the strlcpy() (and readpassphrase()) functions
 BuildRequires:  glibc-devel >= 2.38
@@ -65,6 +68,8 @@ Requires(pre):  group(root)
 Requires(pre):  group(shadow)
 Requires(pre):  permissions
 Requires(pre):  user(root)
+Requires:       (account-utils or shadow-pw-mgmt = %{version})
+Suggests:       shadow-pw-mgmt
 Provides:       pwdutils = 3.2.20
 Obsoletes:      pwdutils <= 3.2.19
 Provides:       useradd_or_adduser_dep
@@ -106,6 +111,17 @@ Requires:       libsubid5 = %{version}
 %description -n libsubid-devel
 Development files for libsubid5.
 
+%package pw-mgmt
+Summary:        Tools to manage user account data
+Group:          System/Base
+Requires:       shadow
+Requires(pre):  permissions
+
+%description pw-mgmt
+This sub-package contains utilities to manage user account
+information like chage, chfn, chsh, expiry and passwd. This
+binaries all need setuid rights to work correct.
+
 %prep
 %setup -q -a 1
 %patch -P 0
@@ -138,6 +154,7 @@ autoreconf -fvi
   --with-selinux \
   --without-libcrack \
   --without-libbsd \
+  --disable-logind \
 %if 0%{?suse_version} >= 1600
   --without-sssd \
 %endif
@@ -153,6 +170,8 @@ autoreconf -fvi
 
 install -Dm644 %{SOURCE4} %{buildroot}%{_unitdir}/shadow.service
 install -Dm644 %{SOURCE5} %{buildroot}%{_unitdir}/shadow.timer
+install -Dm644 %{SOURCE6} %{buildroot}%{_datadir}/permissions/permissions.d/shadow
+install -Dm644 %{SOURCE7} %{buildroot}%{_datadir}/permissions/permissions.d/shadow.paranoid
 
 # add empty /etc/sub{u,g}id files
 touch %{buildroot}/%{_sysconfdir}/subuid
@@ -230,28 +249,33 @@ done
 test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpmsave %{_sysconfdir}/login.defs.rpmsave.old ||:
 
 %post
+%set_permissions %{_bindir}/gpasswd
+%set_permissions %{_bindir}/newgrp
+
+%post pw-mgmt
 %set_permissions %{_bindir}/chage
 %set_permissions %{_bindir}/chfn
 %set_permissions %{_bindir}/chsh
 %set_permissions %{_bindir}/expiry
-%set_permissions %{_bindir}/gpasswd
-%set_permissions %{_bindir}/newgrp
-%set_permissions %{_bindir}/passwd
 %set_permissions %{_bindir}/newgidmap
 %set_permissions %{_bindir}/newuidmap
+%set_permissions %{_bindir}/passwd
 
 %service_add_post shadow.service shadow.timer
 
 %verifyscript
+%verify_permissions %{_bindir}/gpasswd
+%verify_permissions %{_bindir}/newgrp
+
+%verifyscript pw-mgmt
 %verify_permissions %{_bindir}/chage
 %verify_permissions %{_bindir}/chfn
 %verify_permissions %{_bindir}/chsh
 %verify_permissions %{_bindir}/expiry
-%verify_permissions %{_bindir}/gpasswd
 %verify_permissions %{_bindir}/newgrp
-%verify_permissions %{_bindir}/passwd
 %verify_permissions %{_bindir}/newgidmap
 %verify_permissions %{_bindir}/newuidmap
+%verify_permissions %{_bindir}/passwd
 
 %preun
 %service_del_preun shadow.service shadow.timer
@@ -282,9 +306,6 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm
 %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subuid
 %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subgid
 %if %{defined no_config}
-%{_pam_vendordir}/chfn
-%{_pam_vendordir}/chsh
-%{_pam_vendordir}/passwd
 %{_pam_vendordir}/chpasswd
 %{_pam_vendordir}/groupadd
 %{_pam_vendordir}/groupdel
@@ -294,9 +315,6 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm
 %{_pam_vendordir}/userdel
 %{_pam_vendordir}/usermod
 %else
-%config %{_sysconfdir}/pam.d/chfn
-%config %{_sysconfdir}/pam.d/chsh
-%config %{_sysconfdir}/pam.d/passwd
 %config %{_sysconfdir}/pam.d/chpasswd
 %config %{_sysconfdir}/pam.d/groupadd
 %config %{_sysconfdir}/pam.d/groupdel
@@ -306,15 +324,8 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm
 %config %{_sysconfdir}/pam.d/userdel
 %config %{_sysconfdir}/pam.d/usermod
 %endif
-%verify(not mode) %attr(2755,root,shadow) %{_bindir}/chage
-%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chfn
-%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chsh
-%verify(not mode) %attr(4755,root,shadow) %{_bindir}/expiry
 %verify(not mode) %attr(4755,root,shadow) %{_bindir}/gpasswd
 %verify(not mode) %attr(4755,root,root) %{_bindir}/newgrp
-%verify(not mode) %attr(4755,root,shadow) %{_bindir}/passwd
-%verify(not mode) %attr(4755,root,shadow) %{_bindir}/newgidmap
-%verify(not mode) %attr(4755,root,shadow) %{_bindir}/newuidmap
 %{_bindir}/sg
 %{_bindir}/getsubids
 %attr(0755,root,root) %{_sbindir}/groupadd
@@ -331,13 +342,8 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm
 %attr(0755,root,root) %{_sbindir}/newusers
 %{_sbindir}/vipw
 %{_sbindir}/vigr
-%{_mandir}/man1/chage.1%{?ext_man}
-%{_mandir}/man1/chfn.1%{?ext_man}
-%{_mandir}/man1/chsh.1%{?ext_man}
-%{_mandir}/man1/expiry.1%{?ext_man}
 %{_mandir}/man1/gpasswd.1%{?ext_man}
 %{_mandir}/man1/newgrp.1%{?ext_man}
-%{_mandir}/man1/passwd.1%{?ext_man}
 %{_mandir}/man1/sg.1%{?ext_man}
 %{_mandir}/man3/shadow.3%{?ext_man}
 %{_mandir}/man5/shadow.5%{?ext_man}
@@ -357,12 +363,38 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm
 %{_mandir}/man8/vipw.8%{?ext_man}
 %{_mandir}/man5/subuid.5%{?ext_man}
 %{_mandir}/man5/subgid.5%{?ext_man}
-%{_mandir}/man1/newgidmap.1%{?ext_man}
-%{_mandir}/man1/newuidmap.1%{?ext_man}
 %{_mandir}/man1/getsubids.1%{?ext_man}
 
 %{_unitdir}/*
 
+%files pw-mgmt
+%license COPYING
+%if %{defined no_config}
+%{_pam_vendordir}/chfn
+%{_pam_vendordir}/chsh
+%{_pam_vendordir}/passwd
+%else
+%config %{_sysconfdir}/pam.d/chfn
+%config %{_sysconfdir}/pam.d/chsh
+%config %{_sysconfdir}/pam.d/passwd
+%endif
+%verify(not mode) %attr(2755,root,shadow) %{_bindir}/chage
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chfn
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chsh
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/expiry
+%verify(not mode) %attr(4755,root,root) %{_bindir}/newgidmap
+%verify(not mode) %attr(4755,root,root) %{_bindir}/newuidmap
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/passwd
+%{_datadir}/permissions/permissions.d/shadow
+%{_datadir}/permissions/permissions.d/shadow.paranoid
+%{_mandir}/man1/chage.1%{?ext_man}
+%{_mandir}/man1/chfn.1%{?ext_man}
+%{_mandir}/man1/chsh.1%{?ext_man}
+%{_mandir}/man1/expiry.1%{?ext_man}
+%{_mandir}/man1/newgidmap.1%{?ext_man}
+%{_mandir}/man1/newuidmap.1%{?ext_man}
+%{_mandir}/man1/passwd.1%{?ext_man}
+
 %files -n login_defs
 %dir %{_sysconfdir}/login.defs.d
 %if %{defined no_config}