Accepting request 1328842 from Base:System

* Change lock mechanism #605 (bsc#1213189)
  * Send UID range warning to stderr (bsc#1230972)

OBS-URL: https://build.opensuse.org/request/show/1328842
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shadow?expand=0&rev=83

shadow-4.17.2.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmeCkssACgkQNXDaFycK
-ziQhuwf/bcEJKV+x66isorvoeGbqdtW7oGz3ueu8501X2lO5OZgxo6oseq27ynfc
-xG6RBMnvkm94pjw3iCqEjYwyJ30js+HVWd6cN7T6GyAGdeYRMvHEfpww7IR1Py3n
-6ZgYR4hcLu0T6zVg3bwUNtn29QCINo1SdS7PtsCBBDkwm8WeR+xHsSU+eV3kvNF8
-CID4wvwMW7lCBetADbI+ZvbKBvDkfUBAkJWm/a/wLJrztwTw307xOvyR5P5QjoIn
-ZMtmcmsWL+5Y13OoUccdUm9jDOTPILYtC7Y7y2Nolh0qOsCnMKzD0D11KDIoPlfc
-Rymwesu4+adiSYUfKvqabkb3c/GrbA==
-=lu9c
------END PGP SIGNATURE-----

shadow-4.19.2.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f4b73a206169e426c13d418947a9b9ebce71117c108136e0846c4b7d88e41120
+size 2339472

shadow-4.19.2.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmluR10ACgkQNXDaFycK
+ziT3Qwf+NiRQgfHY3v1W8Ai3jukS9Kr/Wnoh+xnDoiDJhn0gHc4qFceJf37VHhuj
+K9h7BRzeQOfQV/6u8kaokvAx14xC+P5wlb/liM1cWLR3VKZb4/kIucMaRBUPw05z
+irUnf932fLXkSgmpvosWF3nmfmw7NW3/Cmke05udLcRpP9sjNnBJSmpFoxUfOE/h
+zVUwFfB0oKhEZmz3EoM5nHbRflglsGOFVEn78V4EmpANfMTtZjAa8ief1pLeRt4M
+JOaLaxZVyVR7FKxXpPxk0Fol4+O8fFyQD/r3dsawmMmvP1/OqikaaJLN1wBpTuZP
+RnvNZ0YPz+8+kITWZ/eaz9N8YCTgdA==
+=h7td
+-----END PGP SIGNATURE-----

shadow-login_defs-suse.patch

@@ -107,7 +107,7 @@ Index: etc/login.defs
  
  #
  # Tell login to only re-prompt for the password if authentication
-@@ -207,18 +210,9 @@ LOGIN_TIMEOUT		60
+@@ -207,20 +210,6 @@ LOGIN_TIMEOUT		60
  CHFN_RESTRICT		rwh
  
  #
@@ -117,19 +117,19 @@ Index: etc/login.defs
 -# Set to "no" if you need to copy encrypted passwords to other systems
 -# which don't understand the new algorithm.  Default is "no".
 -#
--# Note: If you use PAM, it is recommended to use a value consistent with
+-# Note: if you use PAM, it is recommended to use a value consistent with
 -# the PAM modules configuration.
 -#
 -# This variable is deprecated. You should use ENCRYPT_METHOD instead.
-+# This variable is deprecated. Use ENCRYPT_METHOD instead!
- #
+-#
 -#MD5_CRYPT_ENAB	no
-+#MD5_CRYPT_ENAB	DO_NOT_USE
- 
- #
+-
+-#
  # If set to MD5, MD5-based algorithm will be used for encrypting password
-@@ -233,7 +227,7 @@ CHFN_RESTRICT		rwh
- # Note: If you use PAM, it is recommended to use a value consistent with
+ # If set to SHA256, SHA256-based algorithm will be used for encrypting password
+ # If set to SHA512, SHA512-based algorithm will be used for encrypting password
+@@ -233,7 +222,7 @@ CHFN_RESTRICT		rwh
+ # Note: if you use PAM, it is recommended to use a value consistent with
  # the PAM modules configuration.
  #
 -#ENCRYPT_METHOD DES
@@ -137,7 +137,7 @@ Index: etc/login.defs
  
  #
  # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
-@@ -299,7 +293,7 @@ USERGROUPS_ENAB yes
+@@ -299,7 +288,7 @@ USERGROUPS_ENAB yes
  # This option is overridden with the -M or -m flags on the useradd(8)
  # command-line.
  #

shadow-login_defs-unused-by-pam.patch

@@ -192,7 +192,7 @@ Index: etc/login.defs
 -#
 -# Number of significant characters in the password for crypt().
 -# Default is 8, don't change unless your crypt() is better.
--# Ignored if MD5_CRYPT_ENAB set to "yes".
+-# Only used for DES encryption algorithm.
 -#
 -#PASS_MAX_LEN		8
 -

shadow-util-linux.patch

@@ -148,15 +148,3 @@ Index: etc/login.defs
 +# environment variables HOME, SHELL and USER.
 +#LOGIN_ENV_SAFELIST
 +
-Index: lib/getdef.c
-===================================================================
---- lib/getdef.c.orig
-+++ lib/getdef.c
-@@ -76,6 +76,7 @@ struct itemdef {
- #define FOREIGNDEFS				\
- 	{"ALWAYS_SET_PATH", NULL},		\
- 	{"ENV_ROOTPATH", NULL},			\
-+	{"LOGIN_ENV_SAFELIST", NULL},		\
- 	{"LOGIN_KEEP_USERNAME", NULL},		\
- 	{"LOGIN_PLAIN_PROMPT", NULL},		\
- 	{"MOTD_FIRSTONLY", NULL},		\

shadow.changes

@@ -1,3 +1,183 @@
+-------------------------------------------------------------------
+Mon Jan 19 13:39:42 UTC 2026 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.19.2:
+  Regression fixes usermod(8):
+  * Revert an incorrect commit. See #1509 and #1510.
+
+-------------------------------------------------------------------
+Mon Jan 19 13:38:37 UTC 2026 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.19.1:
+  Regression fixes in chpasswd(8):
+  * Don't reject leading '!' in password hashes or a hash consisting
+    of "*". These were accidentally rejected in 4.19.0.
+    See #1483 and #1486.
+  * Don't reject a passwordless account ("" or "!").
+    See #1483 (comment) and #1505.
+
+-------------------------------------------------------------------
+Wed Dec 31 10:50:15 UTC 2025 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.19.0:
+  Breaking changes:
+  * Remove support for escaped newlines in configuration files.
+    It never worked correctly.
+    b0a7ce5 (2025-12-05; "lib/, po/: Remove fgetsx() and fputsx()")
+  * Some user names and group names are too dangerous and are rejected,
+    even with --badname.
+    25aea74 (2025-12-25; "lib/chkname.c, src/: Strictly disallow really bad names")
+  Future breaking changes:
+  * SHA512 and SHA256 will be supported unconditionally in the next
+    release. The build-time flag '--with-sha-crypt' will be removed.
+    See #1452.
+  Support:
+  * Several years ago, there were talks about deprecating su(1) and
+    login(1), back when this project was maintained as part of Debian.
+    However, nothing was clearly stated, and there were doubts about the
+    status of these programs. Let's clarify them now.
+  * Our implementations of su(1) and login(1) are fully supported, and we
+    don't have any plans to remove them. They are NOT deprecated.
+    See #464.
+  Deprecations:
+  * groupmems(8)
+    The program will be removed in a future release.
+    See #1343.
+  * logoutd(8)
+    The program will be removed in the next release.
+    See #999,
+    and #1344.
+  * DES
+    This hashing algorithm has been deprecated for a long time,
+    and support for it will be removed in a future release.
+    See #1456
+  * MD5
+    This hashing algorithm has been deprecated for a long time,
+    and support for it will be removed in a future release.
+    See #1457
+  * login.defs(5): MD_CRYPT_ENAB
+    This feature had been deprecated for decades. It will be
+    removed in a future release.
+    The command-line equivalents (-m, --md5) of this feature in
+    chpasswd(8) and chgpasswd(8) will also be removed in a future
+    release.
+    See #1455.
+  * login.defs(5): PASS_MAX_LEN
+    This feature is ignored except for DES. Once DES is removed,
+    it makes no sense keeping it. It may be removed in a future
+    release.
+  * Password aging
+    Scientific research shows that periodic password expiration
+    leads to predictable password patterns, and that even in a
+    theoretical scenario where that wouldn't happen the gains in
+    security are mathematically negligible.
+    https://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf
+  * Modern security standards, such as NIST SP 800-63B-4 in the USA,
+    prohibit periodic password expiration.
+    https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver
+    https://pages.nist.gov/800-63-FAQ/#q-b05
+    https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Don'tenforceregularpasswordexpiry
+  * To align with these, we're deprecating the ability to
+    periodically expire passwords. The specifics and long-term
+    roadmap are currently being discussed, and we invite feedback
+    from users, particularly from those in regulated environments.
+    See #1432.
+  * This deprecation includes the following programs and features:
+    + expiry(1)
+    + chage(1):
+         -I,--inactive (also the interactive version)
+         -m,--mindays (also the interactive version)
+         -M,--maxdays (also the interactive version)
+         -W,--warndays (also the interactive version)
+    + passwd(1):
+         -k,--keep-tokens
+         -n,--mindays
+         -x,--maxdays
+         -i,--inactive
+         -w,--warndays
+    + useradd(8):
+         -f,--inactive
+    + usermod(8):
+         -f,--inactive
+    + login.defs(5):
+         PASS_MIN_DAYS
+         PASS_MAX_DAYS
+         PASS_WARN_AGE
+    + /etc/default/useradd:
+         INACTIVE
+    + shadow(5):
+         sp_lstchg: Restrict to just the values 0 and empty.
+         sp_min
+         sp_max
+         sp_warn
+         sp_inact
+  * We recognize that many users operate in environments with
+    regulatory or contractual requirements that still mandate
+    password aging. To minimize disruption, these features will
+    remain functional for a significant period. However, we
+    encourage administrators to review their internal policies,
+    talk to their regulators if appropriate, and participate in the
+    roadmap discussion linked above.
+- Update patches:
+  * shadow-login_defs-suse.patch
+  * shadow-login_defs-unused-by-pam.patch
+
+-------------------------------------------------------------------
+Thu Dec 11 11:00:51 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
+
+- Add permissions file for shadow-pw-mgmt
+  [bsc#1253052#c12], [bsc#1254844]
+
+-------------------------------------------------------------------
+Sat Nov  1 17:43:53 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
+
+- Move chage, chfn, chsh, passwd and new?idmap into own 
+  pw-mgmt sub-package
+
+-------------------------------------------------------------------
+Wed Jun 25 04:20:14 UTC 2025 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.18.0:
+  * CI: purge man-db #1241
+  * passwd: document exit code when PAM has errored #1244
+  * Man patches #1175
+  * Quick fix: define E_PAM_ERR in lib/pam_pass.c #1245
+  * Accept /usr/sbin/nologin as an alternate to /sbin/nologin #1246
+  * Add LOGIN_ENV_SAFELIST to FOREIGNDEFS #1248
+  * ci: add gawk as a fedora dependency #1252
+  * man/useradd.8.xml: fix the CREATE_HOME description #1251
+  * lib/getdate.y: Restrict the date formats that we support #1238
+  * newuidmap: better error logging on failure #1254
+  * Extend basic test cases to check shadow and gshadow entries #1237
+  * lib/sizeof.h: Make sure STRLEN() only accepts string literals #1260
+  * Add strprefix(), and use it instead of its pattern #1152
+  * src/: Simplify, using strpbrk(3) #1167
+  * lib/string/strdup/: STRNDUPA(): Reimplement in terms of strndupa(3) #1189
+  * Remove dead beef #1230
+  * lib/atoi/a2i/: Simplify these macros #1137
+  * strtolower(): Add API, and use it instead of its pattern #1211
+  * lib/: sget*ent(): Simplify #1146
+  * fields #1150
+  * yacc(1) is a dead language; bury it deep in the ground #1217
+  * Test expiration date #1233
+  * [scp] Add strcaseprefix(), and use it instead of its pattern #1262
+  * valid_field(): Improve readability #1208
+  * lib/, src/, tests/: Use the standard countof() instead of our NITEMS() #1259
+  * lib/fs/mkstemp/, src/: Move fmkomstemp() to separate files under
+    lib/fs/mkstemp/, and split into mkomstemp() #1139
+  * [x][v]aprintf(): Add APIs, and use them instead of [x][v]asprintf(3) #1168
+  * lib/get_pid.c: pid_t is a signed integer #1264
+  * src/newusers.c: Fix off-by-one benign bug in array declaration #1266
+  * Add some wrappers for usual loops around strsep(3) #1155
+  * lib/fs/readlink/areadlink.h: areadlink(): Avoid inconditionally using PATH_MAX #1222
+  * configure: Fix typo #1268
+  * Pre-release 4.18.0-rc1 #1270
+  * Update man pages for chage, shadow, passwd #1243
+  * contrib/: Burn it all #1274
+  * Pre-release 4.18.0-rc2 #1275
+  * Release 4.18.0 #1277
+- Update shadow-util-linux.patch: See #1248
+
 -------------------------------------------------------------------
 Wed Apr  9 00:05:49 UTC 2025 - Stanislav Brabec <sbrabec@suse.com>
 
@@ -8,6 +188,111 @@ Wed Apr  9 00:05:49 UTC 2025 - Stanislav Brabec <sbrabec@suse.com>
   multibuild file compatible with quilt. Make it working with new
   quilt.
 
+-------------------------------------------------------------------
+Thu Mar 20 06:48:16 UTC 2025 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.17.4:
+  * Revert "lib/, src/: Use local time for human-readable dates"
+  * lib/getdate.y: Ignore time-zone information and use UTC
+  * src/chfn.c: Partially revert "lib/, src/: Use strsep(3) instead of its pattern"
+  * src/chfn.c: Use stpsep() instead of its pattern
+  * src/chfn.c: Add local variable to refer to the separated field
+  * src/chfn.c: copy_field(): Rename local variable
+  * lib/commonio.c: Rely on the POSIX.1-2008 behavior of realpath(3)
+  * lib/fs/readlink/: readlinknul(): Use ssize_t to simplify
+  * autogen.sh: Promote -Wsign-compare to an error
+  * lib/sizeof.h: ssizeof(): Add signed variant of sizeof
+  * src/lastlog.c: Use ssizeof() to avoid a -Wsign-compare diagnostic
+  * tests/unit/test_xasprintf.c: Fix sign-mismatch diagnostic
+  * configure.ac: stop checking for utmp location
+  * configure.ac: be deterministic about passwd location
+  * lib/, src/: update audit messages
+  * lib/: audit function for groups
+  * src/: update group audit messages
+  * doc/: Remove list of distributions
+
+-------------------------------------------------------------------
+Mon Feb 24 15:52:45 UTC 2025 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.17.3:
+  * chsh: do not warn about blank shell
+  * lib/: Use strisdigit() instead of its pattern
+  * lib/string/ctype/strisascii/: strisdigit(): Add function
+  * lib/string/: Add comments expanding the letter-soup API names
+  * lib/basename.c: Basename(): Use stprcspn() instead of its pattern
+  * lib/string/strspn/, lib/, src/: stprspn(), strrspn_(): Split API into function and macro
+  * lib/string/strspn/, lib/, src/: Move *spn() APIs to separate subdir
+  * lib/string/strchr/: strrcspn(), stprcspn(): Add function and macro
+  * src/useradd.c: Use !strcaseeq() instead of its pattern
+  * lib/, src/: Use strcaseeq() instead of its pattern
+  * lib/string/strcmp/: strcaseeq(): Add function
+  * man/useradd.8.xml: Document new exit code 19 (E_BAD_NAME)
+  * src/useradd.c: E_BAD_NAME: Use a different error code for bad login names
+  * src/useradd.c: create_home(): Use !streq() instead of its pattern
+  * lib/chkname.c: is_valid_name(): Use streq() instead of its pattern
+  * configure.ac, lib/: Use __has_include(<gshadow.h>) instead of HAVE_GSHADOW_H
+  * configure.ac: Remove unused AC_CHECK_HEADERS() checks
+  * configure.ac, lib/: Use __has_include(<sys/capability.h>) instead of HAVE_SYS_CAPABILITY_H
+  * lib/idmapping.c: Unconditionally include <sys/prctl.h>
+  * lib/: Use __has_include(<security/openpam.h>) instead of HAVE_SECURITY_OPENPAM_H
+  * lib/: Use __has_include(<security/pam_misc.h>) instead of HAVE_SECURITY_PAM_MISC_H
+  * configure.ac, lib/: Use __has_include(<sys/random.h>) instead of HAVE_SYS_RANDOM_H
+  * configure.ac, lib/: Use __has_include(<crypt.h>) instead of HAVE_CRYPT_H
+  * lib/, src/: motd(): Report errors instead of exiting from library code
+  * lib/motd.c: motd(): Invert logic to reduce indentation
+  * lib/, src/, doc/: Remove pw_auth()'s $3 as dead code
+  * lib/pwauth.*: PW_{ADD,CHANGE,DELETE,FTP,REXEC}: Remove dead code
+  * lib/, src/, doc/: Remove dead code
+  * src/vipw.c: Restore the original terminal pgrp after editing
+  * lib/, src/: Use agetgroups() instead of its pattern
+  * lib/shadow/grp/: agetgroups(): Add function
+  * configure.ac, lib/, src/: Use gid_t instead of GETGROUPS_T
+  * lib/adds.h: addslN(): Use QSORT() instead of its pattern
+  * lib/search/sort/: QSORT(): Add macro
+  * lib/addgrps.c: add_groups(): Remove arbitrary limit
+  * lib/, src/: Rename variables
+  * lib/addgrps.c: add_groups(): Reallocate at once
+  * lib/string/strchr/: strchrscnt(): Add function
+  * lib/addgrps.c: add_groups(): Split variable to avoid sign-mismatch diagnostics
+  * lib/, src/: Use LSEARCH() instead of its pattern
+  * lib/search/l/: LSEARCH(): Add macro
+  * lib/, src/: Replace redundant checks by actual error handling
+  * lib/, src/: Unconditionally call setgroups(2)
+  * lib/addgrps.c: add_groups(): Simplify redundant code with a goto
+  * lib/addgrps.c: add_groups(): Allocate earlier
+  * lib/addgrps.c: add_groups(): Remove useless cast
+  * lib/, src/: Use LFIND() instead of open-coded search loops
+  * lib/search/l/: LFIND(): Add macro
+  * lib/search/cmp/, lib/, tests/: CMP(), cmp_*(): Add macro and functions
+  * lib/, src/: Simplify allocation of buffer
+  * lib/, src/: Un-spageticize code
+  * lib/, src/: Reduce scope of variables
+  * lib/gshadow_.h: Fix compatibility with libc's struct sgrp
+  * configure.ac, lib/gshadow.c: Presume working shadow group support in libc
+  * lib/: Include <gshadow.h> if it's available
+  * configure.ac, lib/: Assume initgroups(3) exists
+  * configure.ac, lib/, src/: Assume setgroups(2) exists
+  * lib/, src/: Turn error counters into flags
+  * src/gpasswd: Use correct preprocessor definition
+  * src/gpasswd: Clear password in more cases
+  * lib/encrypt.c: Do not exit in error case
+  * man/useradd.8.xml: wfix
+  * src/login_nopam.c: list_match(): Use iteration instead of recursion
+  * src/login_nopam.c: list_match(): Remove local variable
+  * src/login_nopam.c: list_match(): Move code around
+  * src/login_nopam.c: list_match(): '(match)' is always true here
+  * src/login_nopam.c: list_match(): Add superfluous else
+  * src/login_nopam.c: list_match(): Refactor conditional
+  * man/passwd.1.xml: -P disables PAM support
+  * chage: Drop PAM support
+  * src/newusers.c: Turn nusers into size_t
+  * src/: Make line number overflows less likely
+  * man/: Install suauth.5 only if feature exists
+  * add and use a login.defs.test with CREATE_HOME set
+  * Revert "etc/login.defs: enable CREATE_HOME"
+  * etc/login.defs: enable CREATE_HOME
+  * Tests: implement system test framework
+
 -------------------------------------------------------------------
 Mon Jan 20 10:20:31 UTC 2025 - Michael Vetter <mvetter@suse.com>
 
@@ -252,7 +537,7 @@ Thu Aug 17 06:43:38 UTC 2023 - Michael Vetter <mvetter@suse.com>
   * lastlog: fix alignment of Latest header
   * Fix yescrypt support #748
   * chgpasswd: Fix segfault in command-line options
-  * gpasswd: Fix password leak
+  * gpasswd: Fix password leak (bsc#1214806, CVE-2023-4641)
   * Add --prefix to passwd, chpasswd and chage #714 (bsc#1206627)
   * usermod: fix off-by-one issues #701
   * ch(g)passwd: Check selinux permissions upon startup #675
@@ -276,6 +561,7 @@ Thu Aug 17 06:43:38 UTC 2023 - Michael Vetter <mvetter@suse.com>
   * chfn: new_fields: fix wrong fields printed
   * Allow supplementary groups to be added via config file #586
   * useradd: check if subid range exists for user #592 (rh#2012929)
+  * Change lock mechanism #605 (bsc#1213189)
 - Refresh useradd-default.patch
 - Remove upstreamed patches:
   * useradd-userkeleton.patch
@@ -679,6 +965,7 @@ Tue Aug 17 15:08:09 UTC 2021 - Michael Vetter <mvetter@suse.com>
   * getdefs: add foreign
   * buffer overflow fixes
   * Adding run-parts style for pre and post useradd/del
+  * Send UID range warning to stderr (bsc#1230972)
 - Refresh:
   * shadow-login_defs-unused-by-pam.patch
   * userdel-script.patch

shadow.permissions

@@ -0,0 +1,10 @@
+/usr/bin/chage                   root:shadow       2755
+/usr/bin/chfn                    root:shadow       4755
+/usr/bin/chsh                    root:shadow       4755
+/usr/bin/expiry                  root:shadow       4755
+/usr/bin/passwd                  root:shadow       4755
+# newgidmap / newuidmap (bsc#979282, bsc#1048645, bsc#1208309)
+/usr/bin/newgidmap               root:root         0755
+ +capabilities cap_setgid=ep
+/usr/bin/newuidmap               root:root         0755
+ +capabilities cap_setuid=ep

shadow.permissions.paranoid

@@ -0,0 +1,8 @@
+/usr/bin/chage                   root:shadow       0755
+/usr/bin/chfn                    root:shadow       0755
+/usr/bin/chsh                    root:shadow       0755
+/usr/bin/expiry                  root:shadow       0755
+/usr/bin/passwd                  root:shadow       0755
+# newgidmap / newuidmap (bsc#979282, bsc#1048645, bsc#1208309)
+/usr/bin/newgidmap               root:root         0755
+/usr/bin/newuidmap               root:root         0755

shadow.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package shadow
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
   %define no_config 1
 %endif
 Name:           shadow
-Version:        4.17.2
+Version:        4.19.2
 Release:        0
 Summary:        Utilities to Manage User and Group Accounts
 License:        BSD-3-Clause AND GPL-2.0-or-later
@@ -34,6 +34,8 @@ Source2:        https://github.com/shadow-maint/shadow/releases/download/%{versi
 Source3:        %{name}.keyring
 Source4:        shadow.service
 Source5:        shadow.timer
+Source6:        shadow.permissions
+Source7:        shadow.permissions.paranoid
 # SOURCE-FEATURE-SUSE shadow-login_defs-check.sh sbrabec@suse.com -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches.
 Source40:       shadow-login_defs-check.sh
 # PATCH-FIX-SUSE shadow-login_defs-unused-by-pam.patch kukuk@suse.com -- Remove variables that have no use with PAM.
@@ -57,6 +59,7 @@ BuildRequires:  libselinux-devel
 BuildRequires:  libsemanage-devel
 BuildRequires:  libtool
 BuildRequires:  pam-devel
+BuildRequires:  permissions-config
 BuildRequires:  xz
 # we depend on libbsd or glibc >= 2.38 for the strlcpy() (and readpassphrase()) functions
 BuildRequires:  glibc-devel >= 2.38
@@ -65,6 +68,8 @@ Requires(pre):  group(root)
 Requires(pre):  group(shadow)
 Requires(pre):  permissions
 Requires(pre):  user(root)
+Requires:       (account-utils or shadow-pw-mgmt = %{version})
+Suggests:       shadow-pw-mgmt
 Provides:       pwdutils = 3.2.20
 Obsoletes:      pwdutils <= 3.2.19
 Provides:       useradd_or_adduser_dep
@@ -106,6 +111,17 @@ Requires:       libsubid5 = %{version}
 %description -n libsubid-devel
 Development files for libsubid5.
 
+%package pw-mgmt
+Summary:        Tools to manage user account data
+Group:          System/Base
+Requires:       shadow
+Requires(pre):  permissions
+
+%description pw-mgmt
+This sub-package contains utilities to manage user account
+information like chage, chfn, chsh, expiry and passwd. This
+binaries all need setuid rights to work correct.
+
 %prep
 %setup -q -a 1
 %patch -P 0
@@ -138,6 +154,7 @@ autoreconf -fvi
   --with-selinux \
   --without-libcrack \
   --without-libbsd \
+  --disable-logind \
 %if 0%{?suse_version} >= 1600
   --without-sssd \
 %endif
@@ -153,6 +170,8 @@ autoreconf -fvi
 
 install -Dm644 %{SOURCE4} %{buildroot}%{_unitdir}/shadow.service
 install -Dm644 %{SOURCE5} %{buildroot}%{_unitdir}/shadow.timer
+install -Dm644 %{SOURCE6} %{buildroot}%{_datadir}/permissions/permissions.d/shadow
+install -Dm644 %{SOURCE7} %{buildroot}%{_datadir}/permissions/permissions.d/shadow.paranoid
 
 # add empty /etc/sub{u,g}id files
 touch %{buildroot}/%{_sysconfdir}/subuid
@@ -178,8 +197,6 @@ rm %{buildroot}%{_sysconfdir}/pam.d/login
 rm %{buildroot}/%{_bindir}/su
 rm %{buildroot}/%{_mandir}/man1/su.*
 rm %{buildroot}/%{_mandir}/*/man1/su.*
-rm %{buildroot}/%{_mandir}/man5/suauth.*
-rm %{buildroot}/%{_mandir}/*/man5/suauth.*
 rm %{buildroot}%{_sysconfdir}/pam.d/su
 
 rm %{buildroot}/%{_bindir}/faillog
@@ -224,7 +241,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/login.defs.d
 
 %pre
 %service_add_pre shadow.service shadow.timer
-for i in pam.d/chage pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do
+for i in pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do
   test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
 done
 
@@ -232,28 +249,33 @@ done
 test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpmsave %{_sysconfdir}/login.defs.rpmsave.old ||:
 
 %post
+%set_permissions %{_bindir}/gpasswd
+%set_permissions %{_bindir}/newgrp
+
+%post pw-mgmt
 %set_permissions %{_bindir}/chage
 %set_permissions %{_bindir}/chfn
 %set_permissions %{_bindir}/chsh
 %set_permissions %{_bindir}/expiry
-%set_permissions %{_bindir}/gpasswd
-%set_permissions %{_bindir}/newgrp
-%set_permissions %{_bindir}/passwd
 %set_permissions %{_bindir}/newgidmap
 %set_permissions %{_bindir}/newuidmap
+%set_permissions %{_bindir}/passwd
 
 %service_add_post shadow.service shadow.timer
 
 %verifyscript
+%verify_permissions %{_bindir}/gpasswd
+%verify_permissions %{_bindir}/newgrp
+
+%verifyscript pw-mgmt
 %verify_permissions %{_bindir}/chage
 %verify_permissions %{_bindir}/chfn
 %verify_permissions %{_bindir}/chsh
 %verify_permissions %{_bindir}/expiry
-%verify_permissions %{_bindir}/gpasswd
 %verify_permissions %{_bindir}/newgrp
-%verify_permissions %{_bindir}/passwd
 %verify_permissions %{_bindir}/newgidmap
 %verify_permissions %{_bindir}/newuidmap
+%verify_permissions %{_bindir}/passwd
 
 %preun
 %service_del_preun shadow.service shadow.timer
@@ -264,7 +286,7 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm
 %posttrans
 %if %{defined no_config}
 # Migration to /usr/etc
-for i in pam.d/chage pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do
+for i in pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do
   test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
 done
 %endif
@@ -284,10 +306,6 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm
 %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subuid
 %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subgid
 %if %{defined no_config}
-%{_pam_vendordir}/chage
-%{_pam_vendordir}/chfn
-%{_pam_vendordir}/chsh
-%{_pam_vendordir}/passwd
 %{_pam_vendordir}/chpasswd
 %{_pam_vendordir}/groupadd
 %{_pam_vendordir}/groupdel
@@ -297,10 +315,6 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm
 %{_pam_vendordir}/userdel
 %{_pam_vendordir}/usermod
 %else
-%config %{_sysconfdir}/pam.d/chage
-%config %{_sysconfdir}/pam.d/chfn
-%config %{_sysconfdir}/pam.d/chsh
-%config %{_sysconfdir}/pam.d/passwd
 %config %{_sysconfdir}/pam.d/chpasswd
 %config %{_sysconfdir}/pam.d/groupadd
 %config %{_sysconfdir}/pam.d/groupdel
@@ -310,15 +324,8 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm
 %config %{_sysconfdir}/pam.d/userdel
 %config %{_sysconfdir}/pam.d/usermod
 %endif
-%verify(not mode) %attr(2755,root,shadow) %{_bindir}/chage
-%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chfn
-%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chsh
-%verify(not mode) %attr(4755,root,shadow) %{_bindir}/expiry
 %verify(not mode) %attr(4755,root,shadow) %{_bindir}/gpasswd
 %verify(not mode) %attr(4755,root,root) %{_bindir}/newgrp
-%verify(not mode) %attr(4755,root,shadow) %{_bindir}/passwd
-%verify(not mode) %attr(4755,root,shadow) %{_bindir}/newgidmap
-%verify(not mode) %attr(4755,root,shadow) %{_bindir}/newuidmap
 %{_bindir}/sg
 %{_bindir}/getsubids
 %attr(0755,root,root) %{_sbindir}/groupadd
@@ -335,13 +342,8 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm
 %attr(0755,root,root) %{_sbindir}/newusers
 %{_sbindir}/vipw
 %{_sbindir}/vigr
-%{_mandir}/man1/chage.1%{?ext_man}
-%{_mandir}/man1/chfn.1%{?ext_man}
-%{_mandir}/man1/chsh.1%{?ext_man}
-%{_mandir}/man1/expiry.1%{?ext_man}
 %{_mandir}/man1/gpasswd.1%{?ext_man}
 %{_mandir}/man1/newgrp.1%{?ext_man}
-%{_mandir}/man1/passwd.1%{?ext_man}
 %{_mandir}/man1/sg.1%{?ext_man}
 %{_mandir}/man3/shadow.3%{?ext_man}
 %{_mandir}/man5/shadow.5%{?ext_man}
@@ -361,12 +363,38 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm
 %{_mandir}/man8/vipw.8%{?ext_man}
 %{_mandir}/man5/subuid.5%{?ext_man}
 %{_mandir}/man5/subgid.5%{?ext_man}
-%{_mandir}/man1/newgidmap.1%{?ext_man}
-%{_mandir}/man1/newuidmap.1%{?ext_man}
 %{_mandir}/man1/getsubids.1%{?ext_man}
 
 %{_unitdir}/*
 
+%files pw-mgmt
+%license COPYING
+%if %{defined no_config}
+%{_pam_vendordir}/chfn
+%{_pam_vendordir}/chsh
+%{_pam_vendordir}/passwd
+%else
+%config %{_sysconfdir}/pam.d/chfn
+%config %{_sysconfdir}/pam.d/chsh
+%config %{_sysconfdir}/pam.d/passwd
+%endif
+%verify(not mode) %attr(2755,root,shadow) %{_bindir}/chage
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chfn
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chsh
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/expiry
+%verify(not mode) %attr(4755,root,root) %{_bindir}/newgidmap
+%verify(not mode) %attr(4755,root,root) %{_bindir}/newuidmap
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/passwd
+%{_datadir}/permissions/permissions.d/shadow
+%{_datadir}/permissions/permissions.d/shadow.paranoid
+%{_mandir}/man1/chage.1%{?ext_man}
+%{_mandir}/man1/chfn.1%{?ext_man}
+%{_mandir}/man1/chsh.1%{?ext_man}
+%{_mandir}/man1/expiry.1%{?ext_man}
+%{_mandir}/man1/newgidmap.1%{?ext_man}
+%{_mandir}/man1/newuidmap.1%{?ext_man}
+%{_mandir}/man1/passwd.1%{?ext_man}
+
 %files -n login_defs
 %dir %{_sysconfdir}/login.defs.d
 %if %{defined no_config}