From 975cbcc7b243bff095af736f78ec548dccc5ab18438ac0612d9f9f125f590831 Mon Sep 17 00:00:00 2001
From: Michael Vetter <jubalh@iodoru.org>
Date: Sat, 10 Aug 2024 04:34:41 +0000
Subject: [PATCH] - Disable flushing sssd caches. The sssd's files provider is
 no   longer available.

OBS-URL: https://build.opensuse.org/package/show/Base:System/shadow?expand=0&rev=182
---
 .gitattributes                        |   23 +
 .gitignore                            |    1 +
 disable_new_audit_function.patch      |   28 +
 pamd.tar.bz2                          |    3 +
 shadow-4.16.0.tar.xz                  |    3 +
 shadow-4.16.0.tar.xz.asc              |   16 +
 shadow-login_defs-check.sh            |  286 ++++++
 shadow-login_defs-comments.patch      |   72 ++
 shadow-login_defs-suse.patch          |  148 +++
 shadow-login_defs-unused-by-pam.patch |  280 ++++++
 shadow-util-linux.patch               |  139 +++
 shadow.changes                        | 1187 +++++++++++++++++++++++++
 shadow.keyring                        |  239 +++++
 shadow.service                        |   23 +
 shadow.spec                           |  392 ++++++++
 shadow.timer                          |    7 +
 useradd-default.patch                 |   13 +
 17 files changed, 2860 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 disable_new_audit_function.patch
 create mode 100644 pamd.tar.bz2
 create mode 100644 shadow-4.16.0.tar.xz
 create mode 100644 shadow-4.16.0.tar.xz.asc
 create mode 100644 shadow-login_defs-check.sh
 create mode 100644 shadow-login_defs-comments.patch
 create mode 100644 shadow-login_defs-suse.patch
 create mode 100644 shadow-login_defs-unused-by-pam.patch
 create mode 100644 shadow-util-linux.patch
 create mode 100644 shadow.changes
 create mode 100644 shadow.keyring
 create mode 100644 shadow.service
 create mode 100644 shadow.spec
 create mode 100644 shadow.timer
 create mode 100644 useradd-default.patch

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/disable_new_audit_function.patch b/disable_new_audit_function.patch
new file mode 100644
index 0000000..cb167f9
--- /dev/null
+++ b/disable_new_audit_function.patch
@@ -0,0 +1,28 @@
+Index: shadow-4.5/src/lastlog.c
+===================================================================
+--- shadow-4.5.orig/src/lastlog.c
++++ shadow-4.5/src/lastlog.c
+@@ -221,12 +221,15 @@ static void update_one (/*@null@*/const
+ 		strcpy (ll.ll_host, "localhost");
+ #endif
+ 		strcpy (ll.ll_line, "lastlog");
++/*
+ #ifdef WITH_AUDIT
+ 		audit_logger (AUDIT_ACCT_UNLOCK, Prog,
+ 			"clearing-lastlog",
+ 			pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS);
+ #endif
++*/
+ 	}
++/*
+ #ifdef WITH_AUDIT
+ 	else {
+ 		audit_logger (AUDIT_ACCT_UNLOCK, Prog,
+@@ -234,6 +237,7 @@ static void update_one (/*@null@*/const
+ 			pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS);
+ 	}
+ #endif
++*/
+ 
+ 	if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) {
+ 			fprintf (stderr,
diff --git a/pamd.tar.bz2 b/pamd.tar.bz2
new file mode 100644
index 0000000..a8fae08
--- /dev/null
+++ b/pamd.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:63473938aff16f2bae3d68468d00f02d4a2172f9aa02d5642f47b501b25bc50e
+size 979
diff --git a/shadow-4.16.0.tar.xz b/shadow-4.16.0.tar.xz
new file mode 100644
index 0000000..99c6692
--- /dev/null
+++ b/shadow-4.16.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b78e3921a95d53282a38e90628880624736bf6235e36eea50c50835f59a3530b
+size 2204832
diff --git a/shadow-4.16.0.tar.xz.asc b/shadow-4.16.0.tar.xz.asc
new file mode 100644
index 0000000..68f476d
--- /dev/null
+++ b/shadow-4.16.0.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEflbiwT+nfOMVWa3JfcJMNsM0HSAFAmZyBfQACgkQfcJMNsM0
+HSA4PxAA57RSvccAbXTTmp2sHMZVPbzizydThuGgqY/4F9egRvywUUlNy0vz/QAA
+e0u8ja+paKhLjXg4HvA/Ejy+gtAE5NuvNCr/ihL8Xii6s/GH6OaW8EDcL0509j7L
+PchWYkHYSqwdqdjLoy6NroaaEEllAzVEeNp2UzN9F7jllteF8gDjqY2j8SLqrkmm
+Xb15kzk6mbqk5BxAOoZmgoRRDw+YRCBA2EzN0ztwR0h1rjwoCjebQk3E/qV+fM1t
+pKKYVTnLRmb9E2tvPR1Oibzercisi/+6Z7br+Xh1Gz/mfZ++4CiOQrJndUTBj9zU
+v7GEHMEdV8qz/Qzvh1eyxA7KX5zZqbXT3I/+kRvX01CJtI64MVdEOOqSeup794fr
+QlaptfoAfe+ZS6exe1SwY2tZkoX4qXeeUNQXRBo8GJlG9auMA46U2CjtRGgyK6BK
+cf/YkzUr9aTWExL3d2tZJzvEX80AHSR+MF2kW8UzIQI8hch1Pncp8an6NfLFbmsl
+nyz5+GqrSuc1gNe7wnz5Lkxk3q4epmvdPcyrb16XDr42k3dP0IWZE50c8Caf05Nq
+9zJC+It75nX7PFbGcZnNgE6sjsc6MB28O2wUb4Z51IU+s8hzthk2P4v0gq30TgrZ
+vKTXxIYwp+yLii1sSTWUdE8a6vNK93cQki5uuB3R6VeNVBMZJA0=
+=bB1D
+-----END PGP SIGNATURE-----
diff --git a/shadow-login_defs-check.sh b/shadow-login_defs-check.sh
new file mode 100644
index 0000000..2e0377f
--- /dev/null
+++ b/shadow-login_defs-check.sh
@@ -0,0 +1,286 @@
+#!/bin/bash
+
+# login.defs and lib/getdef.c contain support for third party variables.
+# It also contains support for variables that are unusable in installations with PAM support enabled.
+# This script generates a list of used and unused variables in login.defs
+# with respect to the current configuration.
+# Arguments: arguments of osc build
+# If the shadow-login_defs-check-unused.lst is generated, you should
+# update login.defs.
+
+set -o errexit
+
+echo "Preparing..."
+
+# Check for required commands
+which quilt >/dev/null
+which osc >/dev/null
+
+# login.defs is shared with util-linux login, su and runuser.
+# Extract list of referenced variables.
+if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then
+	echo "Checking out util-linux..."
+	if test -d ../util-linux ; then
+		echo -n "../util-linux found. Are you preparing new version? (y/N) "
+		read
+		if test "${REPLY:0:1}" = "y" ; then
+		mkdir -p openSUSE:Factory
+			cp -a ../util-linux openSUSE:Factory/
+		else
+			osc co openSUSE:Factory util-linux
+		fi
+	else
+		osc co openSUSE:Factory util-linux
+	fi
+	cd openSUSE:Factory/util-linux
+	quilt setup -d BUILD util-linux.spec
+	cd BUILD/*
+	quilt push -a
+	cd ../../../..
+fi
+
+echo "Extracting variables from util-linux..."
+cd openSUSE:Factory/util-linux/BUILD/*
+(
+	grep -rh getlogindefs . |
+		sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p'
+	grep -rh logindefs_setenv . |
+		sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p'
+) |
+	LC_ALL=C sort -u >../../../../shadow-login_defs-check-util-linux.lst
+cd ../../../..
+
+# login.defs is shared pam_unix*.so, pam_faildelay.so and pam_umask.so.
+# Extract list of referenced variables.
+if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then
+	echo "Checking out pam..."
+	if test -d ../pam ; then
+		echo -n "../pam found. Are you preparing new version? (y/N) "
+		read
+		if test "${REPLY:0:1}" = "y" ; then
+		mkdir -p openSUSE:Factory
+			cp -a ../pam openSUSE:Factory/
+		else
+			osc co openSUSE:Factory pam
+		fi
+	else
+		osc co openSUSE:Factory pam
+	fi
+	cd openSUSE:Factory/pam
+	quilt setup -d BUILD pam.spec
+	cd BUILD/*
+	quilt push -a
+	cd ../../../..
+fi
+
+echo "Extracting variables from pam..."
+cd openSUSE:Factory/pam/BUILD/*
+grep -rh LOGIN_DEFS . |
+	sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
+	LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst
+cd ../../../..
+
+if ! test -f shadow-login_defs-check-build/stamp ; then
+	echo "Performing preprocessing of shadow by osc..."
+	if ! test -f shadow.spec.shadow-login_defs-check-save ; then
+		cp -a shadow.spec shadow.spec.shadow-login_defs-check-save
+
+# In case of shadow, variables extraction is more complicated. The list
+# depends on configure options, so we have to perform a fake build and
+# extract variables from prepreocessed sources.
+#		sed -i '/^%make_build/i\_smp_mpflags="%{?_smp_mpflags} -k CPPFLAGS=\\"-E\\""' shadow.spec
+		sed -i 's/^%make_build/%make_build -k CPPFLAGS=\\"-E\\"/' shadow.spec
+		if cmp -s shadow.spec shadow.spec.shadow-login_defs-check-save ; then
+			echo "$0: Please fix sed expression modifying shadow.spec."
+			mv shadow.spec.shadow-login_defs-check-save shadow.spec
+			exit 1
+		fi
+	fi
+
+	if osc build "$@" ; then
+		echo "This build command was expected to fail, but it succeeded."
+		echo "$0: Please fix sed expression modifying shadow.spec."
+		mv shadow.spec.shadow-login_defs-check-save shadow.spec
+		exit 1
+	else
+		echo "This build command was expected to fail."
+		echo ""
+	fi
+	mv shadow.spec.shadow-login_defs-check-save shadow.spec
+
+	BUILD_ROOT=$(osc lbl | sed -n 's/^.*Using BUILD_ROOT=//p')
+	BUILD_DIR=$(osc lbl | sed -n 's/^.* cd //p' | head -n1)
+	rm -rf shadow-login_defs-check-build
+	mkdir shadow-login_defs-check-build
+	cp -a "$BUILD_ROOT/$BUILD_DIR"/shadow-* shadow-login_defs-check-build/
+	touch shadow-login_defs-check-build/stamp
+fi
+
+echo "Extracting list of deleted binaries..."
+sed -n 's~rm %{buildroot}/%{_\(s\|\)bindir}/\(.*\)$~\2~p' <shadow.spec >shadow-login_defs-check-deleted.lst
+
+# The build above is optional only for case of failure or edits in the
+# code below. If any other build was performed, don't expect correct
+# results.
+
+cd shadow-login_defs-check-build/shadow-*
+
+echo "Extracting variables from etc/login.defs..."
+# Extract variables referenced in login.defs, both active and commented out.
+sed -n "s/^#//;s/\([A-Z0-9_]*\)\([[:space:]].*\|\)$/\1/p" <etc/login.defs | sed '/^$/d' | uniq | sed '/^$/d' >../../shadow-login_defs-check-login_defs.lst
+LC_ALL=C sort -u ../../shadow-login_defs-check-login_defs.lst >../../shadow-login_defs-check-login_defs-sorted.lst
+
+echo "Extracting variables from lib/getdef.c..."
+# Extract variables referenced in lib/getdef.c using current defines.
+sed -n 's/^\(},\|\) {"\([A-Z0-9_]*\)", /\2/p' <lib/libshadow_la-getdef.o >../../shadow-login_defs-check-getdef.lst
+LC_ALL=C sort -u ../../shadow-login_defs-check-getdef.lst >../../shadow-login_defs-check-getdef-sorted.lst
+
+echo "Extracting variables from shadow..."
+# Extract variables referenced in preprocessed files.
+grep -r '\(getdef[a-z_]*\|call_script\|is_listed\) *( *"[A-Za-z0-9_]*"' |
+	grep '[^ ]*\.o:' >../../shadow-login_defs-check-shadow.log
+
+cd ../..
+
+export RC=0
+echo ""
+echo ""
+echo "Performing checks..."
+
+sed '
+	s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/
+'  <shadow-login_defs-check-shadow.log | LC_ALL=C sort -u >../../shadow-login_defs-check-shadow-all.lst
+
+sed 's%^\(.*\)%/^.*\\\/\1\.o:/d%' <shadow-login_defs-check-deleted.lst >shadow-login_defs-check-deleted.sed
+sed -f shadow-login_defs-check-deleted.sed <shadow-login_defs-check-shadow.log |
+	sed '
+	s/^.*\(getdef[a-z_]*\|call_script\|is_listed*\) *( *"\([A-Za-z0-9_]*\)".*$/\2/
+' | LC_ALL=C sort -u  >shadow-login_defs-check-shadow-used.lst
+
+if ! test -s shadow-login_defs-check-deleted.sed ; then
+	echo "  BUG: Empty shadow-login_defs-check-deleted.sed Results will be unreliable!"
+	if test $RC -le 4 ; then export RC=4 ; fi
+fi
+
+echo ""
+echo "Checking that variables in login.defs are referred only once..."
+if test $(wc -l shadow-login_defs-check-login_defs.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-login_defs-sorted.lst | sed 's/ .*//') ; then
+	echo "  ERROR: Some variable referred at more places of login.defs!"
+	LC_ALL=C sort shadow-login_defs-check-login_defs.lst >shadow-login_defs-check-login_defs-sorted-nu.lst
+	diff shadow-login_defs-check-login_defs-sorted-nu.lst shadow-login_defs-check-login_defs-sorted.lst
+	if test $RC -le 3 ; then export RC=3 ; fi
+fi
+
+echo ""
+echo "Checking that variables in lib/getdef.c are referred only once..."
+if test $(wc -l shadow-login_defs-check-getdef.lst | sed 's/ .*//') != $(wc -l shadow-login_defs-check-getdef-sorted.lst | sed 's/ .*//') ; then
+	echo "  ERROR: Some variable referred at more places of lib/getdef.c!"
+	LC_ALL=C sort shadow-login_defs-check-getdef.lst >shadow-login_defs-check-getdef-sorted-nu.lst
+	diff shadow-login_defs-check-getdef-sorted-nu.lst shadow-login_defs-check-getdef-sorted.lst
+	if test $RC -le 3 ; then export RC=3 ; fi
+fi
+
+cat shadow-login_defs-check-shadow-used.lst shadow-login_defs-check-util-linux.lst shadow-login_defs-check-pam.lst | LC_ALL=C sort -u >shadow-login_defs-check-all-used.lst
+# RC inside pipe cannot be read directly. Use 3 for a real stdout inside the pipe, and use stdout for RC.
+exec 3>&1
+function report_packages() {
+	echo -n " ("
+	grep -l $1 shadow-login_defs-check-{shadow-used,util-linux,pam}.lst |
+		sed 's/shadow-login_defs-check-//;s/\.lst//;s/-used//;s/$/, /;$s/, $//' |
+		tr -d '\n'
+	echo -n ")"
+}
+
+# Extracting variables from shadow is not capable to identify compiled-but-unused library code.
+# This function will identify known false matches.
+function falsematch() {
+	case "$1" in
+# MAIL_* used by library call mailcheck() used only by login.c that is deleted in the spec.
+	MAIL_* ) return 0 ;;
+# FTMP_FILE used by library call failtmp() used only by login.c that is deleted in the spec.
+	FTMP_FILE ) return 0 ;;
+# ISSUE_FILE used by library call login_prompt() used only by login.c that is deleted in the spec.
+	ISSUE_FILE ) return 0 ;;
+# PREVENT_NO_AUTH us used only by login.c and su.c that are deleted in the spec.
+	PREVENT_NO_AUTH ) return 0 ;;
+	* ) return 1 ;;
+	esac
+}
+
+echo ""
+echo "Checking that all used variables are covered by login.defs..."
+RC=$(cat shadow-login_defs-check-all-used.lst | (
+	while read ; do
+		if falsematch "$REPLY" ; then
+			echo "  FALSE MATCH: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3
+			continue
+		fi
+		if ! grep -q -x "$REPLY" shadow-login_defs-check-login_defs-sorted.lst ; then
+			echo "  NOTICE: Variable $REPLY is not present in login.defs$(report_packages $REPLY)" >&3
+			if test $RC -le 2 ; then RC=2 ; fi
+		fi
+	done
+	echo $RC
+) )
+
+echo ""
+echo "Checking that all used variables are covered by lib/getdef.c..."
+RC=$(cat shadow-login_defs-check-all-used.lst | (
+	while read ; do
+		if falsematch "$REPLY" ; then continue ; fi
+		if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then
+			echo "  ERROR: Variable $REPLY is missing in the parser$(report_packages $REPLY)" >&3
+			if test $RC -le 3 ; then RC=3 ; fi
+		fi
+	done
+	echo $RC
+) )
+
+echo ""
+echo "Checking that all used variables referred in login.defs are valid..."
+RC=$(cat shadow-login_defs-check-login_defs.lst | (
+	while read ; do
+		if ! grep -q -x "$REPLY" shadow-login_defs-check-all-used.lst ; then
+			echo "  ERROR: Failed to find reference for $REPLY" >&3
+			if test $RC -le 3 ; then RC=3 ; fi
+		fi
+		if ! grep -q -x "$REPLY" shadow-login_defs-check-getdef.lst ; then
+			echo "  BUG: Parser does not contain reference for $REPLY" >&3
+			if test $RC -le 4 ; then RC=4 ; fi
+		fi
+	done
+	echo $RC
+) )
+
+
+echo ""
+echo ""
+echo "All checks finished."
+echo -n "Result: "
+case $RC in
+0) echo "OK." ;;
+1) echo "Notices only. Action is optional." ;;
+2) echo "Warnings only. Evaluation is needed." ;;
+3) echo "Errors found. Fix is recommended." ;;
+4) echo "Fatal error. Fix has to be done." ;;
+esac
+
+if test $RC -ge 1 ; then
+	exit 1
+fi
+
+echo "
+If you ported shadow-util-linux.patch to the new util-linux version,
+please submit these updates:
+Change in util-linux.spec:"
+sed -n 's/^Version:[[:space:]]*/Requires:       login_defs-support-for-util-linux >= /p' <openSUSE\:Factory/util-linux/util-linux.spec
+echo "Change in shadow.spec:"
+sed -n 's/^Version:[[:space:]]*/Provides:       login_defs-support-for-util-linux = /p' <openSUSE\:Factory/util-linux/util-linux.spec
+
+echo "
+If you ported shadow-login_defs-unused-by-pam.patch to the new pam version,
+please submit these updates:
+Change in pam.spec:"
+sed -n 's/^Version:[[:space:]]*/Requires:       login_defs-support-for-pam >= /p' <openSUSE\:Factory/pam/pam.spec
+echo "Change in shadow.spec:"
+sed -n 's/^Version:[[:space:]]*/Provides:       login_defs-support-for-pam = /p' <openSUSE\:Factory/pam/pam.spec
diff --git a/shadow-login_defs-comments.patch b/shadow-login_defs-comments.patch
new file mode 100644
index 0000000..67411fe
--- /dev/null
+++ b/shadow-login_defs-comments.patch
@@ -0,0 +1,72 @@
+Improve comments in login.defs.
+
+Index: etc/login.defs
+===================================================================
+--- etc/login.defs.orig
++++ etc/login.defs
+@@ -3,8 +3,6 @@
+ # Some variables are used by login(1), su(1) and runuser(1) from util-linux
+ # package as well pam pam_unix(8) from pam package.
+ #
+-#	$Id$
+-#
+ 
+ #
+ # Delay in seconds before being allowed another attempt after a login failure
+@@ -99,11 +97,14 @@ ENV_PATH	/bin:/usr/bin
+ ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/bin
+ #ENV_SUPATH	/sbin:/bin:/usr/sbin:/usr/bin
+ 
+-# If this variable is set to "yes", su will always set path. every su
+-# call will overwrite the PATH variable.
++# If this variable is set to "yes" (default is "no"), su will always set
++# path. every su call will overwrite the PATH variable.
+ #
+ # Per default, only "su -" will set a new PATH.
+ #
++# The recommended value is "yes". The default "no" behavior could have
++# a security implication in applications that use commands without path.
++#
+ ALWAYS_SET_PATH	no
+ 
+ #
+@@ -148,6 +149,11 @@ PASS_WARN_AGE	7
+ #
+ # Min/max values for automatic uid selection in useradd(8)
+ #
++# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
++# UIDs for dynamically allocated administrative and system accounts.
++# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
++# allocated user accounts.
++#
+ UID_MIN			 1000
+ UID_MAX			60000
+ # System accounts
+@@ -161,6 +167,11 @@ SUB_UID_COUNT		    65536
+ #
+ # Min/max values for automatic gid selection in groupadd(8)
+ #
++# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
++# GIDs for dynamically allocated administrative and system groups.
++# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
++# allocated groups.
++#
+ GID_MIN			 1000
+ GID_MAX			60000
+ # System accounts
+@@ -196,7 +207,6 @@ LOGIN_TIMEOUT		60
+ CHFN_RESTRICT		rwh
+ 
+ #
+-# Only works if compiled with MD5_CRYPT defined:
+ # If set to "yes", new passwords will be encrypted using the MD5-based
+ # algorithm compatible with the one used by recent releases of FreeBSD.
+ # It supports passwords of unlimited length and longer salt strings.
+@@ -211,7 +221,6 @@ CHFN_RESTRICT		rwh
+ #MD5_CRYPT_ENAB	no
+ 
+ #
+-# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+ # If set to MD5, MD5-based algorithm will be used for encrypting password
+ # If set to SHA256, SHA256-based algorithm will be used for encrypting password
+ # If set to SHA512, SHA512-based algorithm will be used for encrypting password
diff --git a/shadow-login_defs-suse.patch b/shadow-login_defs-suse.patch
new file mode 100644
index 0000000..10e059e
--- /dev/null
+++ b/shadow-login_defs-suse.patch
@@ -0,0 +1,148 @@
+Set login.defs defaults for SUSE Linux.
+
+Index: etc/login.defs
+===================================================================
+--- etc/login.defs.orig
++++ etc/login.defs
+@@ -3,6 +3,9 @@
+ # Some variables are used by login(1), su(1) and runuser(1) from util-linux
+ # package as well pam pam_unix(8) from pam package.
+ #
++# For more, see login.defs(5). Please note that SUSE supports only variables
++# listed here! Not listed variables from login.defs(5) have no effect.
++#
+ 
+ #
+ # Delay in seconds before being allowed another attempt after a login failure
+@@ -52,8 +55,8 @@ CONSOLE		/etc/securetty
+ # If defined, ":" delimited list of "message of the day" files to
+ # be displayed upon login.
+ #
+-MOTD_FILE	/etc/motd
+-#MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
++MOTD_FILE	""
++#MOTD_FILE	/etc/motd:/usr/share/misc/motd
+ 
+ #
+ # If set to "yes", login stops display content specified by MOTD_FILE after
+@@ -73,8 +76,8 @@ MOTD_FILE	/etc/motd
+ # user's name or shell are found in the file.  If not a full pathname, then
+ # hushed mode will be enabled if the file exists in the user's home directory.
+ #
+-HUSHLOGIN_FILE	.hushlogin
+-#HUSHLOGIN_FILE	/etc/hushlogins
++#HUSHLOGIN_FILE	.hushlogin
++HUSHLOGIN_FILE	/etc/hushlogins
+ 
+ # If this variable is set to "yes", hostname will be suppressed in the
+ # login: prompt.
+@@ -93,9 +96,9 @@ HUSHLOGIN_FILE	.hushlogin
+ # ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
+ # (and falback for login).
+ #
+-ENV_PATH	/bin:/usr/bin
+-ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/bin
+-#ENV_SUPATH	/sbin:/bin:/usr/sbin:/usr/bin
++ENV_PATH	/usr/local/bin:/bin:/usr/bin
++ENV_ROOTPATH	/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
++#ENV_SUPATH	/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+ 
+ # If this variable is set to "yes" (default is "no"), su will always set
+ # path. every su call will overwrite the PATH variable.
+@@ -105,7 +108,7 @@ ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/b
+ # The recommended value is "yes". The default "no" behavior could have
+ # a security implication in applications that use commands without path.
+ #
+-ALWAYS_SET_PATH	no
++ALWAYS_SET_PATH	yes
+ 
+ #
+ # Terminal permissions
+@@ -119,7 +122,7 @@ ALWAYS_SET_PATH	no
+ # set TTYPERM to either 622 or 600.
+ #
+ TTYGROUP	tty
+-TTYPERM		0600
++TTYPERM		0620
+ 
+ # Default initial "umask" value used by login(1) on non-PAM enabled systems.
+ # Default "umask" value for pam_umask(8) on PAM enabled systems.
+@@ -133,7 +136,7 @@ UMASK		022
+ # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+ # home directories.
+ # If HOME_MODE is not set, the value of UMASK is used to create the mode.
+-#HOME_MODE	0700
++HOME_MODE	0700
+ 
+ #
+ # Password aging controls:
+@@ -157,8 +160,8 @@ PASS_WARN_AGE	7
+ UID_MIN			 1000
+ UID_MAX			60000
+ # System accounts
+-SYS_UID_MIN		  101
+-SYS_UID_MAX		  999
++SYS_UID_MIN		  100
++SYS_UID_MAX		  499
+ # Extra per user uids
+ SUB_UID_MIN		   100000
+ SUB_UID_MAX		600100000
+@@ -175,8 +178,8 @@ SUB_UID_COUNT		    65536
+ GID_MIN			 1000
+ GID_MAX			60000
+ # System accounts
+-SYS_GID_MIN		  101
+-SYS_GID_MAX		  999
++SYS_GID_MIN		  100
++SYS_GID_MAX		  499
+ # Extra per user group ids
+ SUB_GID_MIN		   100000
+ SUB_GID_MAX		600100000
+@@ -185,7 +188,7 @@ SUB_GID_COUNT		    65536
+ #
+ # Max number of login(1) retries if password is bad
+ #
+-LOGIN_RETRIES		5
++LOGIN_RETRIES		3
+ 
+ #
+ # Tell login to only re-prompt for the password if authentication
+@@ -207,18 +210,9 @@ LOGIN_TIMEOUT		60
+ CHFN_RESTRICT		rwh
+ 
+ #
+-# If set to "yes", new passwords will be encrypted using the MD5-based
+-# algorithm compatible with the one used by recent releases of FreeBSD.
+-# It supports passwords of unlimited length and longer salt strings.
+-# Set to "no" if you need to copy encrypted passwords to other systems
+-# which don't understand the new algorithm.  Default is "no".
+-#
+-# Note: If you use PAM, it is recommended to use a value consistent with
+-# the PAM modules configuration.
+-#
+-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
++# This variable is deprecated. Use ENCRYPT_METHOD instead!
+ #
+-#MD5_CRYPT_ENAB	no
++#MD5_CRYPT_ENAB	DO_NOT_USE
+ 
+ #
+ # If set to MD5, MD5-based algorithm will be used for encrypting password
+@@ -233,7 +227,7 @@ CHFN_RESTRICT		rwh
+ # Note: If you use PAM, it is recommended to use a value consistent with
+ # the PAM modules configuration.
+ #
+-#ENCRYPT_METHOD DES
++ENCRYPT_METHOD SHA512
+ 
+ #
+ # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+@@ -299,7 +293,7 @@ USERGROUPS_ENAB yes
+ # This option is overridden with the -M or -m flags on the useradd(8)
+ # command-line.
+ #
+-#CREATE_HOME     yes
++CREATE_HOME     yes
+ 
+ #
+ # Force use shadow, even if shadow passwd & shadow group files are
diff --git a/shadow-login_defs-unused-by-pam.patch b/shadow-login_defs-unused-by-pam.patch
new file mode 100644
index 0000000..62e6b57
--- /dev/null
+++ b/shadow-login_defs-unused-by-pam.patch
@@ -0,0 +1,280 @@
+Remove variables that are present in login.defs, but shadow with the
+current configuration (e. g. with PAM) does not use them.
+
+It also includes variables used by the current configuration, but deleted
+in the spec file.
+
+shadow-login_defs-unused-check.sh makes possible to verify that it is
+still up to date.
+
+Index: etc/login.defs
+===================================================================
+--- etc/login.defs.orig
++++ etc/login.defs
+@@ -12,11 +12,6 @@
+ FAIL_DELAY		3
+ 
+ #
+-# Enable logging and display of /var/log/faillog login(1) failure info.
+-#
+-FAILLOG_ENAB		yes
+-
+-#
+ # Enable display of unknown usernames when login(1) failures are recorded.
+ #
+ LOG_UNKFAIL_ENAB	no
+@@ -27,11 +22,6 @@ LOG_UNKFAIL_ENAB	no
+ LOG_OK_LOGINS		no
+ 
+ #
+-# Enable logging and display of /var/log/lastlog login(1) time info.
+-#
+-LASTLOG_ENAB		yes
+-
+-#
+ # Limit the highest user ID number for which the lastlog entries should
+ # be updated.
+ #
+@@ -41,29 +31,6 @@ LASTLOG_ENAB		yes
+ #LASTLOG_UID_MAX
+ 
+ #
+-# Enable checking and display of mailbox status upon login.
+-#
+-# Disable if the shell startup files already check for mail
+-# ("mailx -e" or equivalent).
+-#
+-MAIL_CHECK_ENAB		yes
+-
+-#
+-# Enable additional checks upon password changes.
+-#
+-OBSCURE_CHECKS_ENAB	yes
+-
+-#
+-# Enable checking of time restrictions specified in /etc/porttime.
+-#
+-PORTTIME_CHECKS_ENAB	yes
+-
+-#
+-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
+-#
+-QUOTAS_ENAB		yes
+-
+-#
+ # Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
+ # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
+ #
+@@ -91,46 +58,12 @@ MOTD_FILE	/etc/motd
+ #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
+ 
+ #
+-# If defined, this file will be output before each login(1) prompt.
+-#
+-#ISSUE_FILE	/etc/issue
+-
+-#
+ # If defined, file which maps tty line to TERM environment parameter.
+ # Each line of the file is in a format similar to "vt100  tty01".
+ #
+ #TTYTYPE_FILE	/etc/ttytype
+ 
+ #
+-# If defined, login(1) failures will be logged here in a utmp format.
+-# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
+-#
+-FTMP_FILE	/var/log/btmp
+-
+-#
+-# If defined, name of file whose presence will inhibit non-root
+-# logins.  The content of this file should be a message indicating
+-# why logins are inhibited.
+-#
+-NOLOGINS_FILE	/etc/nologin
+-
+-#
+-# If defined, the command name to display when running "su -".  For
+-# example, if this is defined as "su" then ps(1) will display the
+-# command as "-su".  If not defined, then ps(1) will display the
+-# name of the shell actually being run, e.g. something like "-sh".
+-#
+-SU_NAME		su
+-
+-#
+-# *REQUIRED*
+-#   Directory where mailboxes reside, _or_ name of file, relative to the
+-#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
+-#
+-MAIL_DIR	/var/spool/mail
+-#MAIL_FILE	.mail
+-
+-#
+ # If defined, file which inhibits all the usual chatter during the login
+ # sequence.  If a full pathname, then hushed mode will be enabled if the
+ # user's name or shell are found in the file.  If not a full pathname, then
+@@ -140,21 +73,6 @@ HUSHLOGIN_FILE	.hushlogin
+ #HUSHLOGIN_FILE	/etc/hushlogins
+ 
+ #
+-# If defined, either a TZ environment parameter spec or the
+-# fully-rooted pathname of a file containing such a spec.
+-#
+-#ENV_TZ		TZ=CST6CDT
+-#ENV_TZ		/etc/tzname
+-
+-#
+-# If defined, an HZ environment parameter spec.
+-#
+-# for Linux/x86
+-ENV_HZ		HZ=100
+-# For Linux/Alpha...
+-#ENV_HZ		HZ=1024
+-
+-#
+ # *REQUIRED*  The default PATH settings, for superuser and normal users.
+ #
+ # (they are minimal, add the rest in the shell startup files)
+@@ -180,17 +98,13 @@ TTYPERM		0600
+ #
+ #	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+ #	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+-#	ULIMIT		Default "ulimit" value.
+ #
+ # The ERASECHAR and KILLCHAR are used only on System V machines.
+-# The ULIMIT is used only if the system supports it.
+-# (now it works with setrlimit too; ulimit is in 512-byte units)
+ #
+ # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+ #
+ ERASECHAR	0177
+ KILLCHAR	025
+-#ULIMIT		2097152
+ 
+ # Default initial "umask" value used by login(1) on non-PAM enabled systems.
+ # Default "umask" value for pam_umask(8) on PAM enabled systems.
+@@ -211,23 +125,13 @@ UMASK		022
+ #
+ #	PASS_MAX_DAYS	Maximum number of days a password may be used.
+ #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+-#	PASS_MIN_LEN	Minimum acceptable password length.
+ #	PASS_WARN_AGE	Number of days warning given before a password expires.
+ #
+ PASS_MAX_DAYS	99999
+ PASS_MIN_DAYS	0
+-PASS_MIN_LEN	5
+ PASS_WARN_AGE	7
+ 
+ #
+-# If "yes", the user must be listed as a member of the first gid 0 group
+-# in /etc/group (called "root" on most Linux systems) to be able to "su"
+-# to uid 0 accounts.  If the group doesn't exist or is empty, no one
+-# will be able to "su" to uid 0.
+-#
+-SU_WHEEL_ONLY	no
+-
+-#
+ # Min/max values for automatic uid selection in useradd(8)
+ #
+ UID_MIN			 1000
+@@ -264,28 +168,6 @@ LOGIN_RETRIES		5
+ LOGIN_TIMEOUT		60
+ 
+ #
+-# Maximum number of attempts to change password if rejected (too easy)
+-#
+-PASS_CHANGE_TRIES	5
+-
+-#
+-# Warn about weak passwords (but still allow them) if you are root.
+-#
+-PASS_ALWAYS_WARN	yes
+-
+-#
+-# Number of significant characters in the password for crypt().
+-# Default is 8, don't change unless your crypt() is better.
+-# Ignored if MD5_CRYPT_ENAB set to "yes".
+-#
+-#PASS_MAX_LEN		8
+-
+-#
+-# Require password before chfn(1)/chsh(1) can make any changes.
+-#
+-CHFN_AUTH		yes
+-
+-#
+ # Which fields may be changed by regular users using chfn(1) - use
+ # any combination of letters "frwh" (full name, room number, work
+ # phone, home phone).  If not defined, no changes are allowed.
+@@ -294,13 +176,6 @@ CHFN_AUTH		yes
+ CHFN_RESTRICT		rwh
+ 
+ #
+-# Password prompt (%s will be replaced by user name).
+-#
+-# XXX - it doesn't work correctly yet, for now leave it commented out
+-# to use the default which is just "Password: ".
+-#LOGIN_STRING		"%s's Password: "
+-
+-#
+ # Only works if compiled with MD5_CRYPT defined:
+ # If set to "yes", new passwords will be encrypted using the MD5-based
+ # algorithm compatible with the one used by recent releases of FreeBSD.
+@@ -349,45 +224,6 @@ CHFN_RESTRICT		rwh
+ #SHA_CRYPT_MAX_ROUNDS 5000
+ 
+ #
+-# Only works if ENCRYPT_METHOD is set to BCRYPT.
+-#
+-# Define the number of BCRYPT rounds.
+-# With a lot of rounds, it is more difficult to brute-force the password.
+-# However, more CPU resources will be needed to authenticate users if
+-# this value is increased.
+-#
+-# If not specified, 13 rounds will be attempted.
+-# If only one of the MIN or MAX values is set, then this value will be used.
+-# If MIN > MAX, the highest value will be used.
+-#
+-#BCRYPT_MIN_ROUNDS 13
+-#BCRYPT_MAX_ROUNDS 13
+-
+-#
+-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
+-#
+-# Define the YESCRYPT cost factor.
+-# With a higher cost factor, it is more difficult to brute-force the password.
+-# However, more CPU time and more memory will be needed to authenticate users
+-# if this value is increased.
+-#
+-# If not specified, a cost factor of 5 will be used.
+-# The value must be within the 1-11 range.
+-#
+-#YESCRYPT_COST_FACTOR 5
+-
+-#
+-# List of groups to add to the user's supplementary group set
+-# when logging in from the console (as determined by the CONSOLE
+-# setting).  Default is none.
+-#
+-# Use with caution - it is possible for users to gain permanent
+-# access to these groups, even when not logged in from the console.
+-# How to do it is left as an exercise for the reader...
+-#
+-#CONSOLE_GROUPS		floppy:audio:cdrom
+-
+-#
+ # Should login be allowed if we can't cd to the home directory?
+ # Default is no.
+ #
+@@ -402,12 +238,6 @@ DEFAULT_HOME	yes
+ NONEXISTENT	/nonexistent
+ 
+ #
+-# If this file exists and is readable, login environment will be
+-# read from it.  Every line should be in the form name=value.
+-#
+-ENVIRON_FILE	/etc/environment
+-
+-#
+ # If defined, this command is run when removing a user.
+ # It should remove any at/cron/print jobs etc. owned by
+ # the user to be removed (passed as the first argument).
diff --git a/shadow-util-linux.patch b/shadow-util-linux.patch
new file mode 100644
index 0000000..96ea5ae
--- /dev/null
+++ b/shadow-util-linux.patch
@@ -0,0 +1,139 @@
+Add variables referred by util-linux login, runuser and su, but not by
+shadow.
+
+Delete variables used by shadow implementation of login, su and runuser
+that has no use in util-linux implementation.
+
+Index: etc/login.defs
+===================================================================
+--- etc/login.defs.orig
++++ etc/login.defs
+@@ -1,5 +1,7 @@
+ #
+ # /etc/login.defs - Configuration control definitions for the shadow package.
++# Some variables are used by login(1), su(1) and runuser(1) from util-linux
++# package as well pam pam_unix(8) from pam package.
+ #
+ #	$Id$
+ #
+@@ -17,9 +19,8 @@ FAIL_DELAY		3
+ LOG_UNKFAIL_ENAB	no
+ 
+ #
+-# Enable logging of successful logins
++# Enable "syslog" logging of  newgrp(1) and sg(1) activity.
+ #
+-LOG_OK_LOGINS		no
+ 
+ #
+ # Limit the highest user ID number for which the lastlog entries should
+@@ -31,10 +32,9 @@ LOG_OK_LOGINS		no
+ #LASTLOG_UID_MAX
+ 
+ #
+-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
+-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
++# Enable "syslog" logging of newgrp(1) and sg(1) activity - in addition
++# to sulog file logging.
+ #
+-SYSLOG_SU_ENAB		yes
+ SYSLOG_SG_ENAB		yes
+ 
+ #
+@@ -58,6 +58,12 @@ MOTD_FILE	/etc/motd
+ #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
+ 
+ #
++# If set to "yes", login stops display content specified by MOTD_FILE after
++# the first accessible item in the list.
++#
++#MOTD_FIRSTONLY	no
++
++#
+ # If defined, file which maps tty line to TERM environment parameter.
+ # Each line of the file is in a format similar to "vt100  tty01".
+ #
+@@ -72,12 +78,33 @@ MOTD_FILE	/etc/motd
+ HUSHLOGIN_FILE	.hushlogin
+ #HUSHLOGIN_FILE	/etc/hushlogins
+ 
++# If this variable is set to "yes", hostname will be suppressed in the
++# login: prompt.
++#LOGIN_PLAIN_PROMPT	no
++
+ #
+ # *REQUIRED*  The default PATH settings, for superuser and normal users.
+ #
+ # (they are minimal, add the rest in the shell startup files)
+-ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
+-ENV_PATH	PATH=/bin:/usr/bin
++#
++# ENV_PATH: The default PATH settings for non-root.
++#
++# ENV_ROOTPATH: The default PATH settings for root
++# (used by login, su and runuser).
++#
++# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser
++# (and falback for login).
++#
++ENV_PATH	/bin:/usr/bin
++ENV_ROOTPATH	/sbin:/bin:/usr/sbin:/usr/bin
++#ENV_SUPATH	/sbin:/bin:/usr/sbin:/usr/bin
++
++# If this variable is set to "yes", su will always set path. every su
++# call will overwrite the PATH variable.
++#
++# Per default, only "su -" will set a new PATH.
++#
++ALWAYS_SET_PATH	no
+ 
+ #
+ # Terminal permissions
+@@ -93,19 +120,6 @@ ENV_PATH	PATH=/bin:/usr/bin
+ TTYGROUP	tty
+ TTYPERM		0600
+ 
+-#
+-# Login configuration initializations:
+-#
+-#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+-#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+-#
+-# The ERASECHAR and KILLCHAR are used only on System V machines.
+-#
+-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+-#
+-ERASECHAR	0177
+-KILLCHAR	025
+-
+ # Default initial "umask" value used by login(1) on non-PAM enabled systems.
+ # Default "umask" value for pam_umask(8) on PAM enabled systems.
+ # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+@@ -163,6 +177,12 @@ SUB_GID_COUNT		    65536
+ LOGIN_RETRIES		5
+ 
+ #
++# Tell login to only re-prompt for the password if authentication
++# failed, but the username is valid. The default value is no.
++#
++LOGIN_KEEP_USERNAME	no
++
++#
+ # Max time in seconds for login(1)
+ #
+ LOGIN_TIMEOUT		60
+@@ -315,14 +335,6 @@ CHARACTER_CLASS         [ABCDEFGHIJKLMNO
+ #GRANT_AUX_GROUP_SUBIDS yes
+ 
+ #
+-# Prevents an empty password field to be interpreted as "no authentication
+-# required".
+-# Set to "yes" to prevent for all accounts
+-# Set to "superuser" to prevent for UID 0 / root (default)
+-# Set to "no" to not prevent for any account (dangerous, historical default)
+-PREVENT_NO_AUTH superuser
+-
+-#
+ # Select the HMAC cryptography algorithm.
+ # Used in pam_timestamp module to calculate the keyed-hash message
+ # authentication code.
diff --git a/shadow.changes b/shadow.changes
new file mode 100644
index 0000000..99d4180
--- /dev/null
+++ b/shadow.changes
@@ -0,0 +1,1187 @@
+-------------------------------------------------------------------
+Mon Jul  8 11:13:17 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
+
+- Disable flushing sssd caches. The sssd's files provider is no
+  longer available.
+
+-------------------------------------------------------------------
+Mon Jun 24 13:02:56 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- bsc#1226850: Drop incorrect econf patch (until time to fix it)
+  Drop shadow-4.16.0-econf.patch
+
+-------------------------------------------------------------------
+Wed Jun 19 06:51:45 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.16.0:
+  * The shadow implementations of id(1) and groups(1) are deprecated
+    in favor of the GNU coreutils and binutils versions.
+    They will be removed in 4.17.0.
+  * The rlogind implementation has been removed.
+  * The libsubid major version has been bumped, since it now requires
+    specification of the module's free() implementation.
+- Update shadow-login_defs-suse.patch
+- Add shadow-4.16.0-econf.patch:
+  Replace deprecated econf_readDirs with econf_readConfig
+
+-------------------------------------------------------------------
+Sun Mar 24 09:06:48 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.15.1:
+  * Fix a bug that caused spurious error messages about unknown
+    login.defs configuration options #967
+  * Adding checks for fd omission #964
+  * Use temporary stat buffer #974
+  * Fix wrong french translation #975
+- Drop shadow-4.15.0-fix-definition.patch
+
+-------------------------------------------------------------------
+Thu Mar 21 06:37:27 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Add shadow-4.15.0-fix-definition.patch:
+  Fix error messages about config options.
+  See gh/shadow-maint/shadow#967
+
+-------------------------------------------------------------------
+Sun Mar 10 07:02:35 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.15.0
+  * libshadow:
+    + Use utmpx instead of utmp. This fixes a regression introduced
+      in 4.14.0.
+    + Fix build error (parameter name omitted).
+  * Build system:
+    + Link correctly with libdl.
+    + Install pam configs for chpasswd(8) and newusers(8) when using
+      ./configure --with-libpam --disable-account-tools-setuid.
+    + Merge libshadow and libmisc into a single libshadow. This fixes
+      problems in the linker, which were reported at least in Gentoo.
+    + Fix build with musl libc.
+    + Support out of tree builds
+  * useradd(8):
+    + Set proper SELinux labels for def_usrtemplate
+- Update Serge Hallyns GPG key
+- Update shadow-login_defs-unused-by-pam.patch
+
+-------------------------------------------------------------------
+Sun Mar  3 06:03:25 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.14.6:
+  * login(1):
+    + Fix off-by-one bugs.
+  * passwd(1):
+    + Don't silently truncate passwords of length >= 200 characters.
+      Instead, accept a length of PASS_MAX, and reject longer ones.
+  * libshadow:
+    + Fix calculation in strtoday(), which caused a wrong half-day
+      offset in some cases (bsc#1176006)
+    + Fix parsing of dates in get_date() (bsc#1176006)
+    + Use utmpx instead of utmp. This fixes a regression introduced in
+      4.14.0.
+
+-------------------------------------------------------------------
+Tue Feb 13 18:33:26 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.14.5:
+  * Build system:
+     + Fix regression introduced in 4.14.4, due to a typo. chgpasswd had
+       been deleted from a Makefile variable, but it should have been
+       chpasswd.
+- Remove shadow-4.14.4-chgpasswd-typo.patch
+
+-------------------------------------------------------------------
+Mon Feb 12 19:37:52 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.14.4:
+  * Build system:
+    + Link correctly with libdl.
+    + Install pam configs for chpasswd(8) and newusers(8) when using
+      ./configure --with-libpam --disable-account-tools-setuid.
+  * libshadow:
+    + Fix build error (parameter name omitted).
+    + Fix off-by-one bug.
+    + Remove warning.
+- Add shadow-4.14.4-chgpasswd-typo.patch: to fix build. See #926
+- Update patch macro `patchN` -> `patch -P N`
+
+-------------------------------------------------------------------
+Tue Jan 16 06:57:35 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.14.3:
+  * libshadow:
+    + Avoid null pointer dereference (#904)
+
+-------------------------------------------------------------------
+Tue Jan  9 12:51:12 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- bsc#1199026 bsc#1203823:
+  Remove pam_keyinit from PAM configuration.
+  This was introduced for bsc#1144060.
+
+-------------------------------------------------------------------
+Mon Oct 30 07:20:29 UTC 2023 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.14.2:
+  * libshadow:
+    + Fix build with musl libc.
+    + Avoid NULL dereference.
+    + Update utmp at an initial login
+  * useradd(8):
+    + Set proper SELinux labels for def_usrtemplate
+  * Manual:
+    + Document --prefix in chage(1), chpasswd(8), and passwd(1)
+- Drop upstreamed shadow-4.14.0-selinux-labels.patch
+
+-------------------------------------------------------------------
+Fri Oct  6 08:32:09 UTC 2023 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.14.1:
+  Build system: Merge libshadow and libmisc into a single libshadow.
+  This fixes problems in the linker, which were reported at least
+  in Gentoo. #791
+- Add Alejandro Colomar (new stable branch maintainer) to shadow.keyring
+
+-------------------------------------------------------------------
+Tue Sep 26 13:20:59 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
+
+- Add shadow-4.14.0-selinux-labels.patch:
+  Set proper SELinux labels for new homedirs.
+  See gh/shadow-maint/shadow#812.
+
+-------------------------------------------------------------------
+Thu Aug 17 10:14:14 UTC 2023 - Michael Vetter <mvetter@suse.com>
+
+- Remove dependency on libbsd:
+  On Tumbleweed we have glibc 2.38 already thus string functions
+  like strlcpy will be present and won't be needed from libbsd.
+  `readpassphrase()` is then the only function from libbsd not present.
+  Upstream shadow has an in tree copy of it, that is used when the
+  `--without-libbsd` flag is passed along.
+  By relying on glibc 2.38 we don't need to add libbsd and libmd
+  to our ring0 but can't easily upgrade on SLE.
+
+-------------------------------------------------------------------
+Thu Aug 17 06:43:38 UTC 2023 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.14.0:
+  * configure: add with-libbsd option
+  * Code cleanup
+  * Replace utmp interface #757 
+  * new option enable-logind #674
+  * shadow userdel: add the adaptation to the busybox ps in 01-kill_user_procs.sh
+  * chsh: warn if root sets a shell not listed in /etc/shells #535
+  * newgrp: fix potential string injection
+  * lastlog: fix alignment of Latest header
+  * Fix yescrypt support #748
+  * chgpasswd: Fix segfault in command-line options
+  * gpasswd: Fix password leak
+  * Add --prefix to passwd, chpasswd and chage #714 (bsc#1206627)
+  * usermod: fix off-by-one issues #701
+  * ch(g)passwd: Check selinux permissions upon startup #675
+  * sub_[ug]id_{add,remove}: fix return values
+  * chsh: Verify that login shell path is absolute #730
+  * process_prefix_flag: Drop privileges
+  * run_parts for groupadd and groupdel #706
+  * newgrp/useradd: always set SIGCHLD to default
+  * useradd/usermod: add --selinux-range argument #698
+  * sssd: skip flushing if executable does not exist #699
+  * semanage: Do not set default SELinux range #676
+  * Add control character check #687
+  * usermod: respect --prefix for --gid option
+  * Fix null dereference in basename
+  * newuidmap and newgidmap: support passing pid as fd
+  * Prevent out of boundary access #633
+  * Explicitly override only newlines #633
+  * Correctly handle illegal system file in tz #633
+  * Supporting vendor given -shells- configuration file #599
+  * Warn if failed to read existing /etc/nsswitch.conf
+  * chfn: new_fields: fix wrong fields printed
+  * Allow supplementary groups to be added via config file #586
+  * useradd: check if subid range exists for user #592 (rh#2012929)
+- Refresh useradd-default.patch
+- Remove upstreamed patches:
+  * useradd-userkeleton.patch
+  * shadow-audit-no-id.patch
+  * shadow-fix-print-login-timeout.patch
+  * shadow-CVE-2023-29383.patch
+- Dont build lastlog (lastlog.legacy) anymore since we
+  use lastlog2 by default now.
+- This release depends either on libbsd or on glibc >= 2.38
+  which only recently got released. libbsd (and libmd) would be
+  new packages in our ring0
+
+-------------------------------------------------------------------
+Tue Apr 18 15:39:47 UTC 2023 - Michael Vetter <mvetter@suse.com>
+
+- bsc#1210507 (CVE-2023-29383):
+  Check for control characters
+- Add shadow-CVE-2023-29383.patch
+
+-------------------------------------------------------------------
+Wed Apr 12 12:08:43 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
+
+- Rename lastlog to lastlog.legacy to be able to switch to
+  Y2038 safe lastlog2 as default [jsc#PED-3144]
+
+-------------------------------------------------------------------
+Thu Feb 16 11:31:33 UTC 2023 - Michael Vetter <mvetter@suse.com>
+
+- Update shadow-fix-print-login-timeout.patch
+- Reorder source files and patches
+
+-------------------------------------------------------------------
+Wed Feb 15 10:49:33 UTC 2023 - Ludwig Nussel <lnussel@suse.de>
+
+- Remove scripts that claim to be config but are in /usr (boo#1191578)
+  * userdel-script.patch
+  * useradd-script.patch
+  * useradd.local
+  * userdel-post.local
+  * userdel-pre.local
+
+-------------------------------------------------------------------
+Fri Jan 13 08:21:46 UTC 2023 - Michael Vetter <mvetter@suse.com>
+
+- Add shadow-fix-print-login-timeout.patch:
+  Fix printing full login timeout message
+  See gh/shadow-maint/shadow#621
+
+-------------------------------------------------------------------
+Fri Dec 16 10:04:44 UTC 2022 - Michael Vetter <mvetter@suse.com>
+
+- bsc#1205502: Fix useradd audit event logging of ID field
+  * Add shadow-audit-no-id.patch
+  See gh/shadow-maint/shadow#606
+
+-------------------------------------------------------------------
+Tue Nov  8 21:15:44 UTC 2022 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.13:
+  * useradd.8: fix default group ID
+  * Revert drop of subid_init()
+  * Georgian translation
+  * useradd: Avoid taking unneeded space: do not reset non-existent data
+    in lastlog
+  * relax username restrictions
+  * selinux: check MLS enabled before setting serange
+  * copy_tree: use fchmodat instead of chmod
+  * copy_tree: don't block on FIFOs
+  * add shell linter
+  * copy_tree: carefully treat permissions
+  * lib/commonio: make lock failures more detailed
+  * lib: use strzero and memzero where applicable
+  * Update Dutch translation
+  * Don't test for NULL before calling free
+  * Use libc MAX() and MIN()
+  * chage: Fix regression in print_date
+  * usermod: report error if homedir does not exist
+  * libmisc: minimum id check for system accounts
+  * fix usermod -rG x y wrongly adding a group
+  * man: add missing space in useradd.8.xml
+  * lastlog: check for localtime() return value
+  * Raise limit for passwd and shadow entry length
+  * Remove adduser-old.c
+  * useradd: Fix buffer overflow when using a prefix
+  * Don't warn when failed to open /etc/nsswitch.conf
+- Remove patches we took from upstream pre-release:
+  * shadow-copytree-usermod-fifo.patch
+  * shadow-chage-format.patch
+  * shadow-prefix-overflow.patch
+- Remove chkname-regex.patch:
+  Upstream now also relaxed the usernames requirements.
+  They don't use regex for this but the result is similar.
+  Plus they also check that the name is less than 32 characters long.
+- Rebase useradd-userkeleton.patch 
+
+-------------------------------------------------------------------
+Mon Nov  7 11:20:36 UTC 2022 - Michael Vetter <mvetter@suse.com>
+
+- Add shadow-copytree-usermod-fifo.patch:
+  Fix regression that prevented `usermod -m` to work when their
+  home directory contained at least one fifo
+  See https://github.com/shadow-maint/shadow/pull/565
+
+-------------------------------------------------------------------
+Wed Nov  2 10:59:16 UTC 2022 - Michael Vetter <mvetter@suse.com>
+
+- bsc#1204811: Fix chage date format string regression
+  * Add shadow-chage-format.patch
+
+-------------------------------------------------------------------
+Mon Oct 24 22:04:41 UTC 2022 - Michael Vetter <mvetter@suse.com>
+
+- Add shadow-prefix-overflow.patch:
+  Fix buffer overflow when calling useradd with --prefix
+  See https://github.com/shadow-maint/shadow/pull/588
+
+-------------------------------------------------------------------
+Mon Aug 22 13:59:35 UTC 2022 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.12.3:
+  Revert removal of subid_init, which should have bumped soname.
+  So note that 4.12 through 4.12.2 were broken for subid users.
+
+-------------------------------------------------------------------
+Fri Aug 19 06:32:28 UTC 2022 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.12.2:
+  * Address CVE-2013-4235 (TOCTTOU when copying directories) [bsc#916845]
+- Refresh useradd-userkeleton.patch:
+  LSTAT() was removed with https://github.com/shadow-maint/shadow/pull/545
+  Let's use fstatat() now.
+
+-------------------------------------------------------------------
+Mon Aug 15 17:42:01 UTC 2022 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.12.1:
+  * Fix uk manpages
+- Remove shadow-4.12-remove-uk.patch: fixed upstream
+
+-------------------------------------------------------------------
+Fri Aug 12 06:05:35 UTC 2022 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.12:
+  * Add absolute path hint to --root
+  * Various cleanups
+  * Fix Ubuntu release used in CI tests
+  * add -F options to userad
+  * useradd manpage updates
+  * Check for ownerid (not just username) in subid ranges
+  * Declare file local functions static
+  * Use strict prototypes
+  * Do not drop const qualifier for Basename
+  * Constify various pointers
+  * Don't return uninitialized memory
+  * Don't let compiler optimize away memory cleaning
+  * Remove many obsolete compatibility checks  and defines
+  * Modify ID range check in useradd
+  * Use "extern "C"" to make libsubid easier to use from C++
+  * French translation updates
+  * Fix s/with-pam/with-libpam/
+  * Spanish translation updates
+  * French translation fixes
+  * Default max group name length to 32
+  * Fix PAM service files without-selinux
+  * Improve manpages
+    - groupadd, useradd, usermod
+    - groups and id
+    - pwck
+  * Add fedora to CI builds
+  * Fix condition under which pw_dir check happens
+  * logoutd: switch to strncat
+  * AUTHORS: improve markdown output
+  * Handle ERANGE errors correctly
+  * Check for fopen NULL return
+  * Split get_salt() into its own fn juyin)
+  * Get salt before chroot to ensure /dev/urandom.
+  * Chpasswd code cleanup
+  * Work around git safe.directory enforcement
+  * Alphabetize order in usermod help
+  * Erase password copy on error branches
+  * Suggest using --badname if needed
+  * Update translation files
+  * Correct badnames option to badname
+  * configure: replace obsolete autoconf macros
+  * tests: replace egrep with grep -E
+  * Update Ukrainian translations
+  * Cleanups
+    - Remove redeclared variable
+    - Remove commented out code and FIXMEs
+    - Add header guards
+    - Initialize local variables
+  * CI updates
+    - Create github workflow to install dependencies
+    - Enable CodeQL
+    - Update actions version
+  * libmisc: use /dev/urandom as fallback if other methods fail
+- Add shadow-4.12-remove-uk.patch:
+  Disable non working Ukranian translation for now
+  https://github.com/shadow-maint/shadow/issues/547
+
+-------------------------------------------------------------------
+Tue Aug  9 06:29:07 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
+
+- Remove duplicate pam.d/useradd entry
+- Provide /etc/login.defs.d on SLE15 since we support and use it
+
+-------------------------------------------------------------------
+Mon Aug  8 13:00:46 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
+
+- Use %_pam_vendordir macro
+
+-------------------------------------------------------------------
+Wed Jan 12 16:52:39 UTC 2022 - Stanislav Brabec <sbrabec@suse.com>
+
+- The legacy code does not support /etc/login.defs.d used by YaST.
+  Enable libeconf to read it (bsc#1192954).
+
+-------------------------------------------------------------------
+Mon Jan  3 10:36:15 UTC 2022 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.11.1:
+  * build: include lib/shadowlog_internal.h in dist tarballs
+
+-------------------------------------------------------------------
+Mon Jan  3 10:35:30 UTC 2022 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.11:
+  * Handle possible TOCTTOU issues in usermod/userdel
+  	- (CVE-2013-4235)
+  	- Use O_NOFOLLOW when copying file
+  	- Kill all user tasks in userdel
+  * Fix useradd -D segfault
+  * Clean up obsolete libc feature-check ifdefs
+  * Fix -fno-common build breaks due to duplicate Prog declarations
+  * Have single date_to_str definition
+  * Fix libsubid SONAME version
+  * Clarify licensing info, use SPDX.
+
+-------------------------------------------------------------------
+Mon Jan  3 10:29:39 UTC 2022 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.10:
+  * From this release forward, su from this package should be
+    considered deprecated. Please replace any users of it with su
+	from util-linux
+  * libsubid fixes
+  * Rename the test program list_subid_ranges to getsubids, write
+    a manpage, so distros can ship it.
+  * Add libeconf dep for new*idmap
+  * Allow all group types with usermod -G
+  * Avoid useradd generating empty subid range
+  * Handle NULL pw_passwd
+  * Fix default value SHA_get_salt_rounds
+  * Use https where possible in README
+  * Update content and format of README
+  * Translation updates
+  * Switch from xml2po to itstool in 'make dist'
+  * Fix double frees
+  * Add LOG_INIT configurable to useradd
+  * Add CREATE_MAIL_SPOOL documentation
+  * Create a security.md
+  * Fix su never being SIGKILLd when trapping TERM
+  * Fix wrong SELinux labels in several possible cases
+  * Fix missing chmod in chadowtb_move
+  * Handle malformed hushlogins entries
+  * Fix groupdel segv when passwd does not exist
+  * Fix covscan-found newgrp segfault
+  * Remove trailing slash on hoedir
+  * Fix passwd -l message - it does not change expirey
+  * Fix SIGCHLD handling bugs in su and vipw
+  * Remove special case for "" in usermod
+  * Implement usermod -rG to remove a specific group
+  * call pam_end() after fork in child path for su and login
+  * useradd: In absence of /etc/passwd, assume 0 == root
+  * lib: check NULL before freeing data
+  * Fix pwck segfault
+- Remove because upstreamed:
+  * shadow-4.9-pwck-segfault.patch
+  * shadow-4.9-newgrp-segfault.patch
+  * shadow-4.9-useradd-subuid.patch
+  * shadow-4.9-sgent-free.patch
+  * shadow-passwd-handle-null.patch
+  * shadow-fix-sigabrt.patch
+  * shadow-libeconf-include.patch
+  * libsubid-build-fix.patch
+- Refreshed:
+  * shadow-util-linux.patch
+  * shadow.changes
+  * shadow.keyring
+  * shadow.spec
+  * useradd-script.patch
+  * useradd-userkeleton.patch
+  * userdel-script.patch
+- Update shadow.keyring:
+  * Serge Hallyn serge@hallyn.com (B175CFA98F192AF2)
+  * Christian Brauner christian@brauner.io (4880B8C9BD0E5106FC070F4F7B3C391EFEA93624)
+
+-------------------------------------------------------------------
+Tue Nov 30 17:12:40 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
+
+- Really enable USERGROUPS_ENAB [bsc#1189139].
+  Did go lost during merges.
+
+-------------------------------------------------------------------
+Thu Nov 18 13:46:03 UTC 2021 - Michael Vetter <mvetter@suse.com>
+
+- Fix segfaults in newgrp and pwck
+  * Add shadow-4.9-newgrp-segfault.patch 
+    https://github.com/shadow-maint/shadow/pull/437
+  * Add shadow-4.9-pwck-segfault.patch
+    https://github.com/shadow-maint/shadow/pull/445
+
+-------------------------------------------------------------------
+Tue Nov 16 15:58:46 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+  * shadow.service
+
+-------------------------------------------------------------------
+Tue Nov  9 01:39:44 UTC 2021 - Stanislav Brabec <sbrabec@suse.com>
+
+- shadow-util-linux.patch:
+  * Remove the section patching lib/getdef.c in favor of the
+    upstream FOREIGNDEFS.
+  * Add LOGIN_KEEP_USERNAME to login.defs.
+  * Remove PREVENT_NO_AUTH from login.defs. Only used by the
+    unpackaged login and su.
+- shadow-login_defs-unused-by-pam.patch:
+  * Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
+    YESCRYPT_COST_FACTOR, not supported by the current
+    configuratiton.
+- Update login_defs-support-for-pam symbol to version 1.5.2
+  (support for new variable HMAC_CRYPTO_ALGO).
+- Update login_defs-support-for-util-linux to version 2.37
+  (support for new variable LOGIN_KEEP_USERNAME).
+- Refresh shadow-login_defs-comments.patch and
+  shadow-login_defs-suse.patch.
+- Improve shadow-login_defs-check.sh:
+  * Add helper to import local new version in the parent dir.
+  * Fix spec editing sed expression.
+  * Add PREVENT_NO_AUTH to known unused variables.
+  * Update pam sed expression to find HMAC_CRYPTO_ALGO.
+  * Add more sanity checks.
+
+-------------------------------------------------------------------
+Mon Sep 20 09:43:41 UTC 2021 - Michael Vetter <mvetter@suse.com>
+
+- bsc#1190146: Fix empty subid range
+  Add shadow-4.9-useradd-subuid.patch
+  https://github.com/shadow-maint/shadow/pull/399
+
+-------------------------------------------------------------------
+Mon Sep 20 09:09:13 UTC 2021 - Michael Vetter <mvetter@suse.com>
+
+- bsc#1190145: Fix double free in gpasswd:
+  Add shadow-4.9-sgent-free.patch upstreamed as
+  https://github.com/shadow-maint/shadow/pull/417
+
+-------------------------------------------------------------------
+Tue Sep  7 15:08:19 UTC 2021 - Michael Vetter <mvetter@suse.com>
+
+- Fix shadow-login_defs-check.sh:
+  In the last update we switched from calling make to %make_build
+  macro. Using sed to adapt the spec file now.
+
+-------------------------------------------------------------------
+Wed Aug 18 15:17:52 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
+
+- libsubid-devel: add missing requires for libsubid3
+- Remove README.changes-pwdutils, all distros you can upgrade from
+  use already shadow
+
+-------------------------------------------------------------------
+Wed Aug 18 14:59:15 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
+
+- login.defs: Enable USERGROUPS_ENAB and CREATE_HOME to
+  be compatible with other Linux distros and the other tools
+  creating user accounts in use on openSUSE. Set HOME_MODE to 700
+  for security reasons and compatibility. [bsc#1189139] [bsc#1182850]
+
+-------------------------------------------------------------------
+Tue Aug 17 15:08:09 UTC 2021 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.9:
+  * Updated translations
+  * Major salt updates
+  * Various coverity and cleanup fixes
+  * Consistently use 0 to disable PASS_MIN_DAYS in man
+  * Implement NSS support for subids and a libsubid
+  * setfcap: retain setfcap when mapping uid 0
+  * login.defs: include HMAC_CRYPTO_ALGO key
+  * selinux fixes
+  * Fix path prefix path handling
+  * Manpage updates
+  * Treat an empty passwd field as invalid(Haelwenn Monnier)
+  * newxidmap: allow running under alternative gid
+  * usermod: check that shell is executable
+  * Add yescript support
+  * useradd memleak fixes
+  * useradd: use built-in settings by default
+  * getdefs: add foreign
+  * buffer overflow fixes
+  * Adding run-parts style for pre and post useradd/del
+- Refresh:
+  * shadow-login_defs-unused-by-pam.patch
+  * userdel-script.patch
+  * useradd-script.patch
+  * chkname-regex.patch
+  * useradd-default.patch: bbf4b79 stopped shipping default file.
+    change group in code now.
+  * shadow-login_defs-suse.patch
+  * useradd-userkeleton.patch
+- Remove because upstreamed:
+  * shadow-4.1.5.1-userdel-helpfix.patch
+  * shadow-4.1.5.1-logmsg.patch
+- Add libsubid-build-fix.patch:
+  See https://github.com/shadow-maint/shadow/issues/387
+- Add shadow-libeconf-include.patch:
+  See c6847011e8b656adacd9a0d2a78418cad0de34cb
+- Add shadow-fix-sigabrt.patch:
+  See https://github.com/shadow-maint/shadow/issues/394
+- Add shadow-passwd-handle-null.patch [bsc#1188307]:
+  See https://github.com/shadow-maint/shadow/pull/398
+- Remove %{_sysconfdir}/default/useradd: file not shipped anymore
+- Remove --disable-shared: Dont need it anymore
+  See https://github.com/shadow-maint/shadow/issues/336
+
+-------------------------------------------------------------------
+Thu Jul  1 11:51:39 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
+
+- login.defs/MOTD_FILE: Use "" instead of blank entry [bsc#1187536]
+- Add /etc/login.defs.d directory
+
+-------------------------------------------------------------------
+Sat Jun  5 13:38:52 UTC 2021 - Maurizio Galli <maurizio.galli@gmail.com>
+
+- Enable shadowgrp so that we can set more secure group passwords
+  using shadow.
+
+-------------------------------------------------------------------
+Fri Jun  4 07:46:34 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
+
+- Disable MOTD_FILE to allow the use of pam_motd to unify motd
+  message output [bsc#1185897]. Else motd entries of e.g. cockpit
+  will not be shown.
+
+-------------------------------------------------------------------
+Thu Jan 28 22:28:02 UTC 2021 - Stanislav Brabec <sbrabec@suse.com>
+
+- Do not require libeconf-devel on products without /usr/etc.
+
+-------------------------------------------------------------------
+Thu Jan 21 06:52:30 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
+
+- Split login.defs configuration file into own sub-package, which
+  allows to install util-linux or pam on small embedded/edge
+  systems or container without the need to pull in the full shadow
+  suite.
+
+-------------------------------------------------------------------
+Wed Nov 11 14:38:13 UTC 2020 - Fabian Vogt <fvogt@suse.com>
+
+- Amend patches/useradd-userkeleton.patch to also write into
+  existing directories and prefer files from /etc
+
+-------------------------------------------------------------------
+Wed Nov 11 11:28:09 UTC 2020 - Dr. Werner Fink <werner@suse.de>
+
+- Add patch useradd-userkeleton.patch to extend original C code
+  of useradd to handle /usr/etc/skel (boo#1173321)
+- Remove /usr/etc/skel support in useradd.local script
+
+-------------------------------------------------------------------
+Mon Nov  2 15:54:02 UTC 2020 - Dr. Werner Fink <werner@suse.de>
+
+- Change again useradd.local script to let it work even for system
+  accounts and work together with SELinux (bsc#1178296)
+- Change patch useradd-script.patch to support the four arguments
+  used by the useradd.local script (bsc#1178296)
+
+-------------------------------------------------------------------
+Fri Oct  9 13:12:11 UTC 2020 - Dr. Werner Fink <werner@suse.de>
+
+- Add support for /usr/etc/skel to useradd.local script (boo#1173321)
+
+-------------------------------------------------------------------
+Thu Oct  8 03:16:58 UTC 2020 - Stanislav Brabec <sbrabec@suse.com>
+
+- shadow-login_defs-check.sh: Fix the regexp to get a real variable
+  list (boo#1164274).
+
+-------------------------------------------------------------------
+Tue Sep  8 00:56:37 UTC 2020 - Stanislav Brabec <sbrabec@suse.com>
+
+- login.defs: Add support for new util-linux-2.36 login variable
+  MOTD_FIRSTONLY (shadow-util-linux.patch).
+- shadow-login_defs-comments.patch: Remove duplicated
+  LASTLOG_UID_MAX.
+- shadow-login_defs-check.sh: Update for new build system.
+- shadow-util-linux.patch: Restore lost chunk: SYSLOG_SU_ENAB is
+  not used in SUSE Linux.
+- Refresh shadow-login_defs-suse.patch and
+  shadow-login_defs-comments.patch.
+
+-------------------------------------------------------------------
+Fri May 22 11:21:15 UTC 2020 - Fabian Vogt <fvogt@suse.com>
+
+- Use pure #!/bin/sh in:
+  * useradd.local
+  * userdel-post.local
+  * userdel-pre.local
+
+-------------------------------------------------------------------
+Fri Jan 24 08:09:23 UTC 2020 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.8.1:
+  * selinux: include stdio
+  * man: don't suggest making groupmems user-writeable
+  * Makefile: bail out on error in for loops
+  * Adding logging of SSH_ORIGINAL_COMMAND to nologin
+  * add new HOME_MODE login.defs option
+  * Add tty logging to useradd
+  * Useradd: make non-executable shell check only a warning
+  * Update Dutch translation
+  * user_busy: Do not mistake a regular user process for a namespaced one
+  * Revert "Honor --sbindir and --bindir for binary installation"
+- Remove shadow-4.8-shell-check.patch: included
+- Remove shadow-4.8-selinux-include.patch: upstreamed
+
+-------------------------------------------------------------------
+Mon Jan 20 10:36:20 UTC 2020 - Michael Vetter <mvetter@suse.com>
+
+- Set 0755 for chpasswd, groupadd, groupdel, groupmod, newusers,
+  useradd, userdel, usermod explicitly.
+
+-------------------------------------------------------------------
+Thu Jan 16 12:54:39 UTC 2020 - Michael Vetter <mvetter@suse.com>
+
+- bsc#1160729: Make valid shell check only a warning
+  * Add shadow-4.8-shell-check.patch
+
+-------------------------------------------------------------------
+Tue Dec 17 12:43:01 UTC 2019 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.8:
+  * Initial optional bcrypt support.
+  * Make build/install of 'su' optional.
+  * Fix for vipw not resuming correctly when suspended
+  * Sync password field descriptions in manpages
+  * Check for valid shell argument in useradd
+  * Allow translation of new strings through POTFILES.in
+  * Migrate to itstool for translations
+  * Migrate to new SELinux api
+  * Support --enable-vendordir
+  * pwck: Only check homedir if set and not a system user
+  * Support nonstandard usernames
+  * sget{pw,gr}ent: check for data at EOL
+  * Add YYY-MM-DD support in chage
+  * Fix failing chmod calls for suidubins
+  * Fix --sbindir and --bindir for binary installations
+  * Fix LASTLOG_UID_MAX in login.defs
+  * Fix configure error with dash
+- Remove because upstreamed:
+  * libeconf.patch
+  * shadow-usermod-variable.patch
+- Rebase:
+  * shadow-login_defs-unused-by-pam.patch
+  * chkname-regex.patch
+  * shadow-util-linux.patch
+  * shadow-login_defs-comments.patch
+- Add shadow-4.8-selinux-include.patch
+  See https://github.com/shadow-maint/shadow/pull/200
+
+-------------------------------------------------------------------
+Mon Oct  7 09:50:30 CEST 2019 - kukuk@suse.de
+
+- libeconf.patch: Add support for libeconf and /usr/etc for
+  login.defs.
+- Move first configuration files and pam config files to /usr/etc
+
+-------------------------------------------------------------------
+Mon Sep  2 11:12:59 UTC 2019 - mvetter@suse.com
+
+- bsc#1144060: Add pam_keyinit.so to /etc/pam.d configuration files
+  to support kernel keyring feature
+- Update pamd.tar.bz2 with pam configuration files accordingly
+
+-------------------------------------------------------------------
+Mon Aug 19 14:50:02 CEST 2019 - kukuk@suse.de
+
+- encryption_method_nis.patch: drop, DES should really not be used
+  anymore anywhere, even with NIS
+- shadow-login_defs-suse.patch: remove encryption NIS entry
+
+-------------------------------------------------------------------
+Fri Jul 26 23:44:56 CEST 2019 - sbrabec@suse.com
+
+- Fix incorrect variable name in usermod
+  (shadow-usermod-variable.patch).
+- shadow-login_defs-comments.patch:
+  * Drop SHA_CRYPT_*_ROUNDS that are in the upstream login.defs.
+  * Add missing LASTLOG_UID_MAX.
+  * Refresh shadow-login_defs-suse.patch.
+- Port shadow-login_defs-check.sh to match the current spec file
+  and login.defs.
+
+-------------------------------------------------------------------
+Thu Jul 25 15:27:15 CEST 2019 - kukuk@suse.de
+
+- Provide "useradd_or_adduser_dep" for sysuser-shadow
+
+-------------------------------------------------------------------
+Sat Jul 20 02:11:10 CEST 2019 - sbrabec@suse.com
+
+- shadow-login_defs-suse.patch: Set ALWAYS_SET_PATH default to
+  "yes" (bsc#353876#c7).
+
+-------------------------------------------------------------------
+Fri Jul 19 10:19:44 UTC 2019 - sbrabec@suse.com
+
+- Fix comment about patch in spec file
+
+-------------------------------------------------------------------
+Fri Jun 14 06:20:46 UTC 2019 - mvetter@suse.com
+
+- Update to 4.7:
+  * Spawn: don't loop forever on ECHILD
+  * Do not fail locking if there is a stale lockfile (Tomas Mraz)
+  * Use lckpwdf if prefix not set (Tomas Mraz)
+  * Build: check correct DocBook version (Jan Tojnar)
+  * Usermod: Print 'no changes' to stdout, not stderr (Serge Hallyn)
+  * Add support for btrfs subvolumes for home (Adam Majer)
+  * Fix chpasswd long line handling (Nathan Ruiz)
+  * Use secure_getenv for gettime (Chris Lamb)
+  * Make sp_lstchg reproducible (Chris Lamb)
+  * Do not crash commonio_close if db file is not open (Tomas Mraz)
+  * Don't flush nscd and sssd cache in read-only mode (Charlie Vuillemez)
+  * French manpage update (Alban VIDAL)
+  * Fix manpage defaults for SUB_UID/GID_COUNT (Tomas Mraz)
+  * Sync po files from shadow.pot (Alban VIDAL)
+  * Usermod: guard against unsafe chown of homedir contents (Tomas Mraz)
+  * Add LASTLOG_UID_MAX to login.defs (Tomas Mraz)
+  * new[ug]idmap file capabilities support (Giuseppe Scrivano and Christian Brauner)
+  * Fix segfault in useradd (bsc#1141113, Tomas Mraz)
+  * Coverity issues (Tomas Mraz)
+  * Flush sssd caches (Jakub Hrozek)
+  * Log UID in nologin (Vladimir Ivanov)
+  * run pam_getenvlist after setup_env in su.c (Michael Vogt)
+  * Support systems with only utmpx (A. Wilcox)
+  * Fix unguarded ENABLE_SUBIDS code (Jan Chren (rindeal))
+  * Update po/zh_CN translation (Lion Yang)
+  * Create parent dirs for useradd -m (Michael Vetter)
+  * Prevent usermod segv
+  * Fix usermod crash (fariouche)
+- Remove btrfs-subvolumes.patch (fate#316134):
+  upstreamed: https://github.com/shadow-maint/shadow/pull/149
+- Remove useradd-mkdirs.patch (bsc#865563):
+  upstreamed https://github.com/shadow-maint/shadow/pull/112
+- Remove shadow-4.6.0-fix-usermod-prefix-crash.patch
+  upstreamed https://github.com/shadow-maint/shadow/issues/110
+- Remove shadow-4.6-bsc1141113-useradd-segfault.patch
+  (SLE15 SP3 and openSUSE Leap 15.3 only)
+  upstreamed https://github.com/shadow-maint/shadow/issues/125
+- Rebase userdel-script.patch
+- Rebase useradd-script.patch
+- Rebase shadow-util-linux.patch
+
+-------------------------------------------------------------------
+Thu May 30 11:15:49 UTC 2019 - Martin Pluskal <mpluskal@suse.com>
+
+- Make building more verbose
+- Use spec-cleaner
+
+-------------------------------------------------------------------
+Thu May  2 09:45:48 UTC 2019 - lnussel@suse.de
+
+- don't specify MOTD_FILE in login.defs but fall back to built in
+  defaults of login (boo#1133929)
+
+-------------------------------------------------------------------
+Tue Apr 30 22:27:14 CEST 2019 - sbrabec@suse.com
+
+- Split shadow-login_defs.patch hunks to its logical components
+  (bsc#1121197):
+  * shadow-login_defs-unused-by-pam.patch
+  * shadow-login_defs-comments.patch
+  * shadow-util-linux.patch
+  * shadow-login_defs-suse.patch
+  * Move appropriate hunks to chkname-regex.patch and
+    encryption_method_nis.patch
+  * Remove GROUPADD_CMD that is not supported (bsc#1121197#c14).
+- Split getdef-new-defs.patch hunks to its logical components
+  (bsc#1121197):
+  * encryption_method_nis.patch
+  * chkname-regex.patch
+  * shadow-util-linux.patch
+    Add support for login: ALWAYS_SET_PATH and LOGIN_PLAIN_PROMPT.
+  * useradd-script.patch, userdel-script.patch
+  * Remove duplicated definitions of MOTD_FILE and ENV_PATH.
+- Add shadow-login_defs-unused-check.sh to allow verification of
+  login.defs variable usage (bsc#1121197).
+- Add virtual symbols for login.defs compatibility (bsc#1121197).
+
+-------------------------------------------------------------------
+Wed Jan 23 09:35:01 UTC 2019 - adam.majer@suse.de
+
+- btrfs-subvolumes.patch: implement support for creating user home
+  directories on btrfs subvolumes (fate#316134)
+
+-------------------------------------------------------------------
+Wed Oct 31 14:17:29 UTC 2018 - Valentin Rothberg <vrothberg@suse.com>
+
+- Add empty /etc/sub{u,g}id files. useradd and usermod add entries for users
+  only when those files exist. Having those entries is a requirement to create
+  user namespaces, for instance, when running podman as a non-root user.
+
+-------------------------------------------------------------------
+Mon May 14 12:45:42 UTC 2018 - mvetter@suse.com
+
+- Update to 4.6:
+  * Newgrp: avoid unnecessary lookups
+  * Make language less binary
+  * Add error when turning off man switch
+  * Spelling fixes
+  * Make userdel work with -R
+  * newgidmap: enforce setgroups=deny if self-mapping a group
+  * Norwegian bokmål translation
+  * pwck: prevent crash by not passing O_CREAT
+  * WITH_TCB fixes from Mandriva
+  * Fix pwconv and grpconv entry skips
+  * Fix -- slurping in su
+  * add --prefix option
+- Remove CVE-2018-7169.patch: upstreamed
+- Remove shadow-4.1.5.1-pam_group.patch: upstreamed
+- Update userdel-script.patch: change due to prefix
+- Update useradd-mkdirs.patch: change due to prefix
+  Additionally changed in that patch (bsc#1106914):
+  * Test for strdup() failure
+  * Directory to 0755 instead 0777
+- Add shadow-4.6.0-fix-usermod-prefix-crash.patch:
+  Fixes crash in usermod when called with --prefix.
+  See https://github.com/shadow-maint/shadow/issues/110
+
+-------------------------------------------------------------------
+Thu Feb 22 15:10:45 UTC 2018 - fvogt@suse.com
+
+- Use %license (boo#1082318)
+
+-------------------------------------------------------------------
+Fri Feb 16 08:39:08 UTC 2018 - kbabioch@suse.com
+
+- Added CVE-2018-7169.patch: Fixed an privilege escalation in newgidmap,
+  which allowed an unprivileged user to be placed in a user namespace where
+  setgroups(2) is allowed. (CVE-2018-7169 bsc#1081294)
+
+-------------------------------------------------------------------
+Wed Nov  8 12:39:12 UTC 2017 - mvetter@suse.com
+
+- bsc#1061838:
+  Revert: Requires: group(mail)
+  Introduced circular dependency
+
+-------------------------------------------------------------------
+Fri Oct 13 15:44:28 UTC 2017 - adam.majer@suse.de
+
+- Revert accidentalied prerequisites.
+  Use PreReq for permissions
+
+-------------------------------------------------------------------
+Thu Oct 12 08:59:28 UTC 2017 - schwab@suse.de
+
+- Prequire group(shadow), group(root), user(root)
+
+-------------------------------------------------------------------
+Mon Oct  9 11:53:44 UTC 2017 - mvetter@suse.com
+
+- bsc#1061838:
+  Add Requires for group(mail)
+
+-------------------------------------------------------------------
+Thu Sep 14 08:18:27 UTC 2017 - mvetter@suse.com
+
+- boo#1048645:
+  Set suid bit for newuidmap and newgimap
+
+-------------------------------------------------------------------
+Thu Sep 14 08:17:08 UTC 2017 - mvetter@suse.com
+
+- Revert the changes for bsc#1023895 back
+  Pulls in too many deps into ring0.
+  Next version of shadow plans to have no conditional man pages.
+
+-------------------------------------------------------------------
+Fri Sep  8 11:41:13 UTC 2017 - mvetter@suse.com
+
+- run spec-cleaner
+- bsc#1023895:
+  man page contained invalid options because they depend
+  on compile flags and we shipped pre built ones.
+  New BuildRequires: docbook-xsl-stylesheets docbook_4 xml2po
+  xsltproc
+
+-------------------------------------------------------------------
+Thu Jun  8 17:00:57 CEST 2017 - kukuk@suse.de
+
+- Adjust requires (we need user/group root instead of aaa_base now)
+
+-------------------------------------------------------------------
+Mon May 22 13:31:25 UTC 2017 - adam.majer@suse.de
+
+- New upstream version 4.5
+- Refreshed patches:
+  * shadow-login_defs.patch
+  * chkname-regex.patch
+  * getdef-new-defs.patch
+  * useradd-mkdirs.patch
+- Upstreamed patches:
+  * shadow-4.1.5.1-manfix.patch
+  * shadow-4.1.5.1-errmsg.patch
+  * shadow-4.1.5.1-backup-mode.patch
+  * shadow-4.1.5.1-audit-owner.patch
+  * shadow-4.2.1-defs-chroot.patch
+  * shadow-4.2.1-merge-group.patch
+  * Fix-user-busy-errors-at-userdel.patch
+  * useradd-clear-tallylog.patch
+- shadow-4.1.5.1-pam_group.patch
+  dynamically added users via pam_group are not listed in groups
+  databases but are still valid
+- shadow.keyring: update keyring with current maintainer's keyid
+  only - Serge Hallyn 'F1D08DB778185BF784002DFFE9FEEA06A85E3F9D'
+- disable_new_audit_function.patch:
+  Disable newer libaudit functionality for older distributions
+
+-------------------------------------------------------------------
+Mon Feb 20 07:28:24 UTC 2017 - josef.moellers@suse.com
+
+- useradd: call external program "/sbin/pam_tally2" to reset
+  failed login counter in "/var/log/tallylog"
+  (bsc#980486, useradd-clear-tallylog.patch)
+
+-------------------------------------------------------------------
+Wed Nov  2 07:41:51 UTC 2016 - meissner@suse.com
+
+- add keyring, three public keys from https://pkg-shadow.alioth.debian.org/download.php
+
+-------------------------------------------------------------------
+Tue Oct 18 15:55:43 UTC 2016 - mvetter@suse.com
+
+- bsc#1002975: Use permissions according to permissions package
+  and dont try to manipulate them in %files section.
+
+-------------------------------------------------------------------
+Wed Sep 14 07:46:33 UTC 2016 - mvetter@suse.com
+
+- boo#994486: Include shadow.5 manpage
+  Previously this was provided by man-pages package in
+  the man-pages-addons tarball which got removed later on.
+
+-------------------------------------------------------------------
+Tue May 31 06:48:41 UTC 2016 - mvetter@suse.com
+
+- Add package dependency for aaa_base, fixing bnc#899409
+  (was done by tbehrens@suse.com but not submitted to Factory)
+
+-------------------------------------------------------------------
+Mon May 30 09:41:55 UTC 2016 - mvetter@suse.com
+
+- shadow 4.2.1 requested by fate#320422
+- bsc#979069: Dont include shadow-4.1.5.1-bug935203-manpage.patch
+- Dont set SUID bit yet. Once bsc#979282 is through, which will adapt the permissions package, we can enable the SUID bits.
+  Remove the files used to circumvent the check.
+- Remove:
+    * shadow-rpmlintrc
+    * shadow-subids
+    * shadow-subids.easy
+    * shadow-subids.secure
+    * shadow-subids.paranoid
+
+-------------------------------------------------------------------
+Thu May 19 12:28:47 UTC 2016 - christian.brauner@mailbox.org
+
+- Update to shadow-4.2.1:
+  - add support for subuids/subgids via newuidmap/newgidmap
+- Rename chkname-regex.diff to chkname-regex.patch
+- Rename encryption_method_nis.diff to encryption_method_nis.patch
+- Rename getdef-new-defs.diff to getdef-new-defs.patch
+- Rename shadow-login_defs.diff to shadow-login_defs.patch
+- Rename userdel-scripts.diff to userdel-script.patch
+- Rename useradd-script.diff to useradd-script.patch
+- Rename useradd-default.diff to useradd-default.patch
+- Rename useradd-mkdirs.diff to useradd-mkdirs.patch
+- Add fixes from Red Hat/Fedora:
+  - shadow-4.1.5.1-audit-owner.patch.patch:
+    - log owner changes for home directory
+  - shadow-4.1.5.1-userdel-helpfix.patch.patch:
+    - give a hint about what happens when you force the removal of a user
+  - shadow-4.2.1-defs-chroot.patch.patch:
+    - initialize uid_t uid_min and uid_t uid_max not before we need them
+  - shadow-4.2.1-merge-group.patch.patch:
+    - simplify by using a single call to snprintf()
+- Add upstream fix
+  - Fix-user-busy-errors-at-userdel.patch:
+    - call sub_uid_close()
+
+-------------------------------------------------------------------
+Fri Jan 15 11:08:29 UTC 2016 - fvogt@suse.com
+
+- Moved call from %verifyscript into %post:
+  * Caused call to %service_add_post shadow.service shadow.timer
+    during rpm -qV shadow
+
+-------------------------------------------------------------------
+Wed Jul 15 13:25:11 UTC 2015 - jkeil@suse.de
+
+- Add systemd unit files to continuously check password & groupfile integrity
+  * Idea from Arch Linux
+  * pending request to systemd-presets-branding-openSUSE to enable by default
+
+-------------------------------------------------------------------
+Mon Mar 31 22:00:00 UTC 2014 - tbehrens@suse.com
+
+- Add patch useradd-mkdirs.diff: fix for bnc#865563, create all parts
+  of the path
+
+-------------------------------------------------------------------
+Fri Nov 22 10:15:25 UTC 2013 - werner@suse.de
+
+- Stop any systemd user manager instance in case a user entry will
+  be deleted (bnc#849870).  Nevertheless a running process requires
+  the option --force for the userdel command.
+
+-------------------------------------------------------------------
+Tue Nov 12 14:47:30 CET 2013 - kukuk@suse.de
+
+- Add ENCRYPT_METHOD_NIS for pam_unix.so (encryption_method_nis.diff)
+
+-------------------------------------------------------------------
+Tue Sep 17 14:56:44 CEST 2013 - kukuk@suse.de
+
+- Add some fixes from Fedora:
+  - shadow-4.1.5.1-backup-mode.patch: open backup file with correct
+    permissions.
+  - shadow-4.1.5.1-logmsg.patch: fix error message
+  - shadow-4.1.5.1-errmsg.patch: print error reason
+  - shadow-4.1.5.1-manfix.patch: fix manual page
+
+-------------------------------------------------------------------
+Tue Feb  5 13:19:46 CET 2013 - kukuk@suse.de
+
+- Cleanup login.defs and enable ENCRYPT_METHOD [bnc#802006]
+
+-------------------------------------------------------------------
+Tue Nov 13 17:31:50 CET 2012 - kukuk@suse.de
+
+- Fix getdef default variables (getdef-new-defs.diff)
+
+-------------------------------------------------------------------
+Tue Nov 13 10:36:28 CET 2012 - kukuk@suse.de
+
+- Fix default group value in /etc/default/useradd
+  (useradd-default.diff)
+
+-------------------------------------------------------------------
+Thu Sep 27 15:20:44 CEST 2012 - kukuk@suse.de
+
+- Implement CHARACTER_CLASS support
+  (chkname-regex.diff)
+
+-------------------------------------------------------------------
+Wed Sep 26 15:20:06 CEST 2012 - kukuk@suse.de
+
+- Add support for useradd.local
+  (useradd-script.diff)
+
+-------------------------------------------------------------------
+Tue Sep 25 16:22:18 CEST 2012 - kukuk@suse.de
+
+- Fix spec file
+- Adjust login.defs
+  (shadow-login_defs.diff)
+- Add userdel*.local script support and scrips
+  (userdel-scripts.diff)
+
+-------------------------------------------------------------------
+Mon Sep 24 16:04:03 CEST 2012 - kukuk@suse.de
+
+- Initial package [FATE#314473]
diff --git a/shadow.keyring b/shadow.keyring
new file mode 100644
index 0000000..669b83e
--- /dev/null
+++ b/shadow.keyring
@@ -0,0 +1,239 @@
+Serge Hallyn <sergeh@kernel.org>
+Serge Hallyn <serge@hallyn.com>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBE+oKZQBCACz5WylGAr+eitZjuSigzR+y30W3E+gkU0DSNlBB3WlorOtmzMX
+9F2d+z+ozJuez4NPqwfQ5y2ExKSbL8i1rwYmExZIzTDpm1Q6N3hG+vLbxwbrbsKT
+qW9rPiXriU5yRwuvVJl4NOU6T/Pau3/VD8iFN7U4mVpNFVPlB8vCvDJ+07Z0xIH9
+MXe8uaERG3v2EL7Mv8L5w05XEeuTT/CJiw6NdzwjZc1FymVoFjntetl8HaJ+5JCB
+2ylAbnw/wZJHORgsLxZhOL6/zrJRG8GvjgB+1l8izgl4n0DOqjyyoQIZJ+mfuHR0
+6wDqwvP5F9RZqCh8Md4hYujop5a0BKfAzLfdABEBAAG0IFNlcmdlIEhhbGx5biA8
+c2VyZ2VoQGtlcm5lbC5vcmc+iQFOBBMBCgA4FiEEZtA4fbhdMg+ECBZtsXXPqY8Z
+KvIFAl2r0d0CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQsXXPqY8ZKvIM
+nAgAiTpLlXuzyD4C+9I/yCA9N/BqK43jnMfJOl/Ky56vgJ/WbrFJLuO3wubMlRLD
+3jurC6SK2g0TpygyoX2MjwZVT60Sq3ZcgIh71yyWHhtZ29NuUiKsKnajb9IlP+AM
+1V0g9py41YdDUmAuC/5crqyK+8u1CVrB/is7Eym598gIl9nyGvaZrzgjG1cRCjzf
+ZU8pRG+VPMr5Xla8rDKBZl+LcusV90eAUa0E/KVFS5N1dQ6HKckYXPSBN3DKHZy+
+qKa1k7Dq0CnkTjQmjaMu3j5sdOXg4QUfhCHeLDFAtadNdP04I6g5KZRvC44XdQ1A
+bxFMLyObhCsq/QxSh/nYrKsw0rQsU2VyZ2UgSGFsbHluIChrZXJuZWwub3JnKSA8
+c2VyZ2VAaGFsbHluLmNvbT6JATgEEwECACIFAk+oKZQCGwMGCwkIBwMCBhUIAgkK
+CwQWAgMBAh4BAheAAAoJELF1z6mPGSryYfEIAJviOHYwzXjnHWrsbQQ75rJq2wQ4
+NlM5FRljskufCXtIz/DUpKKT3aqG3y7ywtEwl4ePofJmLbC0O5bZF9blgSSCV02z
+zGdeUosAJsxumYHVi9CRHWsiAaNMX8gif9vePqz/iY/caPS4w4gBXJK8vLwvxToI
+4CZDwIlMkMov//3HQ5v5OKfeqbA1rnsGI74vUw9Zt/Sqgudz5bY65693OqeRRWU6
+tOH8zo4HkFew26Ydh80qAn1R7ALnk68zwfXj8vdyR9f05dEqbg/4thZWcjWC/Frn
+QOjcTwKu5DnUCE937a1MPzt4t1FCYUHrqcLN99uzGuOD42o9/S+JAa2HWhe5Ag0E
+Zb/8ygEQAPBwca/apgMnuaVqUSYOCz3qyQ9S65yyifznXrLRYjS3WwCl/yb8imer
+Hw5ykDij2WjlHQbod2j/pooCJuhOUfqg1JI5o2nNNFsLOxrYSGsScsK1pSDyOgA4
+Kg+wnAGzNAmW47fI05HfCILeK8CvHylxbpEHM0Ola/KivBmg9mqq7I/zTElL9oDT
+oOyyO7B0IHZUCbjjkApHZY8VH89kcyBsrXKh5o8BwjwyqiZKvt4uzEjOS58iUYts
+rxCDnyGLfp4MFsOWhQi2Z8mN+7iPEApUiKKu+Z4ESCq+/YUtjlIrmcAmw6aqlxLT
+/6RqEpoUj57zq+JuYZQKsnEJpnUayG/cFomrsPQuAz4pbWDb0Q/yXLqCw3QR1vjm
+kFmgaT8gtO4Idn2qfQ0Nnj8LCcSXjSsWBCaEPVF6Tq5TGMaJOjTwSCFWrW6AsNkw
+PI9G8OWfpUWB7ciF4sdGYnBpT11xhUeUg0UsBbOLWQCC8fVIs1gsrwDLbIxXx1lV
+XRncM9/6FYQ5IX95N8te2GBDkYzdpTpxgQAqaPHsHvbEoop10qn+HDem0zV66zT2
+6EAmD3w9PVlRFYqxGjiAjXC8nwsdnNxuGVBqrZjy2YFDI7JIk9k0qKVDrx3o7/L3
+tj0kPjg69Zg2QqgozBSLc4CCS2DzXKjeelxY7IAqfmXel4p5QHRnABEBAAGJA2wE
+GAEKACAWIQRm0Dh9uF0yD4QIFm2xdc+pjxkq8gUCZb/8ygIbAgJACRCxdc+pjxkq
+8sF0IAQZAQoAHRYhBH5W4sE/p3zjFVmtyX3CTDbDNB0gBQJlv/zKAAoJEH3CTDbD
+NB0gUxgQAMW3d6UYo3HdM56El7B8f1PiPKjNBU4A4rZTm/veZFvlr2hSlTQXxxgf
+5Y/Eh8VDal9yMhoI8VjfEsyDEmRBgv+KteDaC9YWv/WycImS1tcjF6ddX8s5sVLm
+yie1C+SZKxw0ExgWJJzQgJD0xCgEo/2ci4Xc14Et8ay4CiOscfONngAu0Su2WFSg
+dtFEcQcYtxR87E8wyPya34OtQuKpwS2+Om5m75/qi6odtnuaB84/TajMyFz/9Fvo
+lleUJ0HvnVOpbd2wdmprkTGP7lnhxrBYi2JCZTcaO32gvADZEY9m6zEimFx1fYJJ
+QPpl4mO5XhRHtImsg2BKSJZSKhp7IxWP4O2GkrL714c+BiOAYtXnGijBPW3K6h0P
+pToGS9DkNwBHJAULXQXydIbvy6knSvgrG44aOS/M1MnbgbfW8GuKOgYtOVyCRk/1
+463gsr92BkM1zHF/+Q0I88wB+ZiYjSyYXtJx1jtaUUUhio1GM76Z35YFCiZ9sdi3
+IA8hgc8WSW4FESFZq2hbaOc9j0uifPbsZY+uE1vcQN7niBGvdEidAzkKtroOhzBM
+I5qWDh3UxWj5pXeNntExucf4bhM9abb57NshNd1GFGE8uIIgiJAF45JAh922vHCr
+9T4NaKwf3MC7fGo+kBSTNNh7V35gxg96NTk+cq71eh13007l5GWy7B0H+gJ/V5J6
+5xXkUnIx04oUztD2a6YIPuWVRwuyRsHSCzpqFR8K2iRzJFBlrQdMslUSXQJ0kFcM
+W70cC0LO+nXF7G57mS5z3ZMILfEkLSFUIwHRdzFu0j9nDjQwcF9ws8ExBAgkAMi+
+2VzqMVHz4TekGMEgE/vP2RQSSR4T6JycYRI4gLyhDX9+uZsHBkb46Nn4nUGEqjJ1
+umVMYg1Ww6vJqzkKLjWnibkA0fKaUmhVJS2RZ1Dr6Xm+LFFFzSpHGGhy4vvik0FO
+RyTNv5jBmMwRcebLcodl8m22KpwjRTkSOOzx+cXlB9KOVlbLj1UxCxFirufHRqxy
+F9sprm3IKJxe4/65AQ0EXavhqwEIAMKECc/f8f0/CenKkz3wXGEtlG46YLjtTt2t
+WYXdt9Z04ihVaYePanFtvuujyO3I3jUQNv2foU1CtOuVyfZqX+TXqs0BUPXWwTCk
+MOyc/fEQ5u0BFJjWYtmr2sZY4Ag1juJsmzI7g3cnMLL9LbjpbHRruFIT5rnv9NwG
+7PURn1XnCt9tdZ/d0h7vEaNkD37j67rjy8UElVVcwVGhsCR8CkqwZ6ZwpQxE9wyq
+/Txb+v8qEJcohc5SWbYl70AtzHObokkW6cvRjNz+BcEpnPfu10lbPO/8a16B96VD
+djDGPj2shfNsFLaT8MtFfDAdjZRGlrfv3Wp4qFRlSUGrjInvOLMAEQEAAYkBNgQY
+AQoAIBYhBGbQOH24XTIPhAgWbbF1z6mPGSryBQJdq+GrAhsgAAoJELF1z6mPGSry
+W4wH/3Xk9x+WUxeJNtm+5hOfe/KBsXQUbBz+JHGFjd9YQw98jUvPNN1RfgtKf31b
++FDKbk/cu+9bNLSfhKDz2AEREViogKRcVjJDy9XmmWQd1oo+M4GHNYhpIt5ZK1d3
+CROIiqisLQsih64/gl9gboMcsUuHRkc3hVKUb2umCZPG37hUdAvOmOMS7/0KCGS5
+pXnfsX+zegSKjps12siExYXiRpkxbF9MW7er6/6ukvHLx4jHpgiZ5Sjt/9OqUiAO
+gUSQfhpAUJlaLxe9E3nj+ABs7LV+FOjtI64skqgqbYo5VXobFSJhqFTog1+KmMzn
+fsdKaOZQuZh3v3TtGUzkxoMUHPe5AQ0EXavhYgEIAMd+iVOTx6FC3Ghv2PASeXsn
+xtb9Af+aBjNf0m8WKTLgIS9xQbxgNJctG6AEptkBfAStRLIA5qOa0iYIpkJynEPb
+onJ12qvtlJ6b6g1h3AThYXQBjTQ89X+rlFzVGQsieqanjI+fiSNbDarOLQUbeJOr
+kfFukr34o5xloKENL/kwu1lDG/Y2GMxZRLe1aVJUXQg4FiEiaE+LNFbrUHxdNR2P
+E4XuJHetneHEiT/zXpvEF4MCisjJTGAHEC43rl7OqHU/GDdcW0udyf9v33LCFWTR
+LlgKKHVyUrHVhVzbB2z1+xnxxh/bQXjgttIP3Zqn8LXiLnUNU5+ejJiuAwdwcn8A
+EQEAAYkBNgQYAQoAIBYhBGbQOH24XTIPhAgWbbF1z6mPGSryBQJdq+FiAhsMAAoJ
+ELF1z6mPGSry9/UH/0vOoYu6b57UxsJNR5dCMhsPYV7FFIX9uj5XIDo/bQt2RTMa
+2PuKMbcDGINsDqHXqOFpZq5WDHhq0cEoIqhlkgj1uC77LLGw7mWyiaMbITQDlRzP
+9c9Qj3NkGNKW6FTwR7LPh43kgXygO1StVADIdHapiw9hI52rF8FrNYy4oNRXhUcD
+Pfn03akuIbF75saCHaYO/xoQeEqE+0qV82V/FT5tISMygkzgq+9zUhiA4XQjxiVh
+SK2cAi0iUTXZecyEueLk6zZ9vkD8JZagSirTFgxtLrnhVpUBJMOgffv5jmO/Sun4
+s+3JbAdicmsFqw90hWmGNwa0F5HZ20rEVAwkdt25AQ0EXavgpgEIAOk8dMgYu4Q7
+hU461EC/MtxIiwSD8i7lizUB8SzxFPnyWgkvG2Fik5lUiDJmEstLdCm3dpapiJud
+zcTgl9Abo4xgoq+VbKRCPk0017JE2bNSbF3TmxhaHAHiBvhU/U+kRz+lDnUE1Smh
+zGd1yn1kCvmG9MmWjiQPkG9vLx3d46DBnqHO6wn1AFeKiKuyCs1igvtT2qz+2+iz
+Y9tyd+s2O95+1CDQslqQ8IQNP00cFTJljsk3dmZXQb6SkxxTNG+E/2vMdUZhUbb7
+UIFUOmFekZvGZMIf9sNMJGCVIN+vyMMhE1MA17iJGxtAFVqeMN4wA9+MA4z5udke
+gdbxnWxLtg0AEQEAAYkCbAQYAQoAIBYhBGbQOH24XTIPhAgWbbF1z6mPGSryBQJd
+q+CmAhsCAUAJELF1z6mPGSrywHQgBBkBCgAdFiEEqb0/8XByttt4D8+UNXDaFycK
+ziQFAl2r4KYACgkQNXDaFycKziT2fAf+PgS08m9Uiks9LWAp9BpaiVn0SXx/XYhT
+JmRr78UrCHogZstAET2haLqWwMIoyOpie5Vutxi2WXQtzsJ1BHV9LB/NP3nFT/P9
+asZXzFtBBRQsDwxW5ii20hkHKG10M2+QGiC0ssfi1zjQFKbaOpxvou5Pi+zBQuT1
+RQ65NQrFYQI4zdyLbnniX2EZpDipLFJeGs881HQt7RjwSUtAjXW9M/pQQDp/JWEj
+p6D3R4ys0/Y4cJblCci5rM8Un/aVvXYGBqEpsddhH9xGpk0JTWtGAfw1a0ovRv39
+D1uwG8uXTQiUDTGGlllXhzpLkcJBtT8VeogiAGZC99pbNW5BU8cbFyOHB/9Q/HBm
+Iqmj5MYvQZCQ//cf9Af9gc+o2YA4/Kg2pSf9GKZizd3J8NO05O6YSsXqIsBr2lIG
+jw4klkE7GyRd/KVMQOxrFY9vFcdSxQuklnFUeiH73RFP3nsdzw+MRr4Hcpbm9F0f
+CnB6aU1gqf74e/6Qiv6d2pq7Dzyzx7ZCm8BRLT2HZbFeYQ6GsdOIYgWzWXqurk/6
+8rlE1D7Fo9KK9lmrLOwrr7ez1pOLHA8pPDhZhxI5D3ZhDsLUux3caCUfFdP/VpaJ
+ijGNc1HYt8mk4U1Qb6ZlafTYb75F9d61v8/M/HATZ5KpT9gr0aGkfwptzCwlBJ8y
+pcRI9AuUUDCTAXIGuQENBE+oKZQBCADc9sYSnWAj3y6QE9sGNDUFaKpAFUsprpQ8
+LeA05nh3RUxYDd75qc0ewtGR1+SlgpehKQfSXVQT254jM5lJanNDPYffk9k9lMwg
+SVoTP2QaszfDgir7WKKQuj3dBwnmYHdIY2mq+eaAh/1cCU//ggdaATo4ENQhKTAI
+iuviGKBpYX/zHAlPIvyFjERsBmq0woQKvDGsoQEObx1zu1GaTWeTSIEnHyRhajMQ
+rKUAxSCh9Th2Vj6xOhvx9TK6li+ecxYuuBVP0Xllg1GdoQBC8KWITDOrU18suj1v
+EGK4YOzQQPxANs6I81SvVddd2bh71cyAjhHr1kugw3PWQvLe4yHHABEBAAGJAR8E
+GAECAAkFAk+oKZQCGwwACgkQsXXPqY8ZKvJrVAgAi7CVXJt8mZiN+yzwiZVlzrkR
+QduB2cgvGZD6Hm3MJc1aVA3Gh0tJcLo+SdutCOzKSmPRSsnWT19EKxpDMrc9j97P
+i9SDrGyUOx7Bz8gKjTI6BcfPNAhAyIr5Gr9SDyTx6tUduSmmErrvjYWP1/Jz7spI
+nN2wQd5ZVRSvS/rNZGh1NU31oeWlbpkU0JpGbZkMXv4JIy+1caH5zzrcRMC9JFxf
+m/bYdaq+jHhMufnSy0Qa3QgJkKvzxzvlIG9BaUmuNeR+XoA9ISEMQzAYXqxJQSL2
+8Er9IVaNgtz5mqCMf8vuDTPGpkYyqGnOjtQNF695wiA7CAr3/WTeiEl6kKsBFg==
+=/+gu
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+Alejandro Colomar <alx@kernel.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGI/tA8BEACYC5fPDOMDrT8SxNlsB9fRj9YAZt7okGtbCIlVuSPs81YMkeJm
+BxtPPnps5Vw2whZS13zaoyPykMg6k+komDWctWQKIF0VgpVYtIuezq4q8kMNmKLc
+MnHiZRKRh8dOqlK6jHcUlF8rBgQhk+RUBUPOqFEYeTveoZ9qqVmWhOVce5uUX01k
+iU2SjoGAGkNDBqmOkhhVUSQg/AVcc4web6Gu184VUbOXx7J5MPpRmXE610fAUeeJ
+1VzyB8U/hgPLrbZX3jQMJbcCSM+Qdxdr/gsptfx1XIm4NsvKXTUOpWg1DQFiQYTJ
+FN6Kz0NKN6MV/3AqbKGtWDqKhFt3u3a7T+uUP/qzi9jma+DruQuzQztI6xnthZCb
+RjFkQ/iUUtuGgmpOB14HrgwNaRjKWddzab+A7BL971Q3fFqDsvrntD+koYVUgTfq
+ErcQo9ZdGRAUL5icyyDg4cC6xgjdmYfnX1s4Rlo3cXJXTZpIOx5AvZV6HYNNm9pu
+EoPm5gjNtk4F+FENNjkB3c2ntFr2prpoxaN9ceNd8a1tkWAgh6ueFVA/tkd1hy+2
+bP7e5+Nk9NjsWLvnL2slep1cX38DU9hx91t21+x/8hCxN4gqtvDJY/eqUZ2d0uAR
+KhPEDZ8GzchxVtX9bGx1HSAVcdnkSzKIGFOJi3ivYqUEihXd5WQE57UovQARAQAB
+tCJBbGVqYW5kcm8gQ29sb21hciA8YWx4QGtlcm5lbC5vcmc+iQJOBBMBCgA4FiEE
+qTSFlM4xKDqCb73Y1XYz1EHiW7UFAmNDAAYCGwEFCwkIBwIGFQoJCAsCBBYCAwEC
+HgECF4AACgkQ1XYz1EHiW7Vm4g/+NDfrYWHAHSMBkQnTZdhrOFCR1tJsWTLABwe1
+fMLBW7djLZMZweDMU76UBrucAEsarKkIHyhqpBES5EXwmlvKSnEhzPjXZ+PoHmM0
+M8Lq7QFZ5IEbrhuJbvpfTCa0gleHKIVYCCeaf2AUpgwX1XMkG2mmRdvUDQ2M8NMH
+ljM/OZ+6tBGpw7zvx1kYsSfBerlHxmLXlRxHrr9nWi7zXa+HrHZQAhopuufIb1we
+8lI/gdfywq7s/e5Xelk4dnr/pEFx56G1vh0bc+zU36+C9gX5IXOJv2WrTmOfG3Am
+gaJgWZapJQlPFEByk+2oJf5UOgPRhdX7qLR8mVnQ4EHM1sr9B6UGwcySZpVwag9n
+51WhjgdqYoSPt9dpPSNfNavLJDR+paM0aEHi3/t3mGJSyOPM4E6ejrYk7791fOJF
+0J3VhKr9KR1rMxQpE1kMs7qO1uUJvnF+opzrueMELffwTfDDyvY1bV/ZNou/MPi4
+EbUJyZDvsq2shaKj/NB4nzYJIoGbUzUrz008buTagf+WZ+uTDIdOJbaVPcUUjtzr
+21KifSWxcokNhqSIrsCLzCJkbiKEK7nUoOvl9q3Wl9L5CWAOflr5499iyGqxlJ+E
+7xzerWy1ZqgQHJ3Zp0wVMgHTKvPsmDvwaXBvEZkrUQ4PnInWTNJ2yiNxJU/we7Xx
+kxo4Qk20MUFsZWphbmRybyBDb2xvbWFyIEFuZHJlcyA8YWx4Lm1hbnBhZ2VzQGdt
+YWlsLmNvbT6JAk4EEwEKADgWIQSpNIWUzjEoOoJvvdjVdjPUQeJbtQUCYj+0DwIb
+AQULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDVdjPUQeJbtTdsD/97XSXo3Dqb
+eaAWhjreKTwO9sPh9n79tS5CZMne44jvC7OCNGeFYq/MGyk0aDPcfN27dO4YSJXN
+d82t2K5vC85W5+tbnREN+OTNy8b6U4XxpeQhHP7jr5xeQt0aTkUH3Eo+0mzUq4fS
+hxMMch4FuDvMcohkOQs6LMKyvNo0jXAM3nE6nJeRipBjG5d8KKlx9dqmS5Zee9FA
+YayikSFp77aSGIvWFejTS3YDaN/APotN1SheEWHtGRY1zvbPbGKJKMy/k8O0b0TJ
+gGGe0RzFmPaQSCc/ZlpG2jk5BrnnspCDTq1I/2zcpgdwcR3/3Iuw2VAlOU48w7Qs
+fZecvYw+8zlrsJlB/NNU6s1YzeTi37jo43aqgyw4E7iev18f14W2ZQuIQY36hUmf
+4z49hAliWcoq7SZL6tsdmeQPjYWJb1lxds8s+iEH1PUsGObWUkjy1iIfJ+gXCe8E
+uKZKPGY7RWwYoSBliCVVXfgmD2XQja9i3pjRiJ6S7sYjZnugNwFaVbeptHE8NL4J
+Y3eRJpZdGizW58zTfxhvU/AjjDMhqqshW8ZSbAIRI05eGxzwk82qGq+cUVxsBeU8
+7i9DbqNOF50cYyltYVVJ9qPAxO+5sBtW6rq+yxkLArjTlpIRJsrXSiFJFqAp7FkC
+pUx66xvV8LgAVMKeD2o+Ae8mCTmYJfiCabkCDQRj2/4qARAAw4VXqcdlHsnCDqcC
+x5U+nHDOMsyEqG7F8mivt9covXkGUGoLI3ZlGU/5EoRwQB91uHJMU9zJwumQ4tLs
+szhOB/CNBSDZ4XTCcEej+dhQounRIdbY+DcXn4dVdx/mYCFPVb7OtUe68m6vyiai
+2KG288QbjnkzNA222caPQNDy6NsIGh8V5WDKCa7Jk0Zti+tTdi+vhkFjk7+brh5I
+qzahfuk/uVDWBUVT3OiNRywtouTBdfT33JhQyRqSMty6gjkkYyxX0QD5r5EIVrtr
+gre6aBWw3dy64pVs9nxVBhVCH4h6PwReXFB4kfjgw82Q1/DkF/ZMsH8bPPtvjI1N
+Yz+TMaLcUQX7fWlW7YbQSXSwF4mUSMYgdOZ8CTNQjKmpnpVhHYuL67cG26ev/+T4
+OrcT103j/InLipKvYUC3HwFMbq2P/9edqf85d/Nl1KMdByJ3qVVFMuXjiJr0uf1K
+oc7nfP3mqkPUHEdjsHnQnpNWZPBr5xs8iNtGmgltnJE2jacXFqtvJ6M9ugrMauoK
+s5sNMhqvf/zyZiLWkcZ8bWi6cGl/JD1RS66ViFFmVeg5xpVgspUAsADCZLneTCAW
+46DJ2Esq92afIVSz/AUtVjLUJyZIOBaVzY2JXR9s5/ePJAd4T42cg1Kdrdsi0dPY
+MOwPjQBpiuetA4dCWeL5qucnSAUAEQEAAYkCPAQYAQoAJhYhBKk0hZTOMSg6gm+9
+2NV2M9RB4lu1BQJj2/4qAhsMBQkB4TOAAAoJENV2M9RB4lu17J0P/3LN+ueOR4q4
+G5KOnLA5+u1y84d0LI16Z43iAm2NyAWCNkvjGj3RqQD8ZwFmckulf05mhvLOcwxE
+i8aAnEcsK4YfsGjgQRDJIChPnZCfssCkFVjfTyEcMgI4sr8hBjbp+ULL4LOnHu4B
+LjWjeWc48dtVQ7qcetVw7u9ZABfRBPxVBgY8Idxv1qVOQE13P2sPzbYKsFz+2mH5
+54VnMO64zqCbecxgV4NRFcTeNUaDgl6D7zNlNmh4j6c7sKjoEzYIVizApM4xMtOB
+syL4fGXRcNtenuBDc/1/PeHdDhqGGlZds1RmTLJm+gCzVio4z5EXPJMKjAVBHapM
+NMl4TiTay6gMG6QJMwkgVmS2F28wxj9KztkdnC+2YWJdWDeM07Le231X2hnRQE/D
+epN4MouHofOB3I3WY+sSR2KUik9WceL+ICIvUisCNk3GvXVg6hYXIukN8ZR4Sf3A
+rRPpePofDK0vZeWIGt6ZksVY9A3GQc0cMagqgCTK0gUxeDk/tPH8xyz/VvRZPGaC
+GlzeSQ1giSwgNXX1FDfnGOdn/rJh/aoDl1PzTBjyZcZ15s9HSPA6h36TMgCrSCai
+kWjbk8mOJhIhTbxclyI9JLu2AeKu+zP41Gi0AEEGkhFKZ9cG6cGG7AuSsiZ3OqOu
+sym/ZKz1uuXGo1iJJgkZ2yiq3ox7KHMZuQINBGI/t3UBEACr9ldxakkNdKp/Pc8+
+fRznR/+b29CfQWjOEv2njByhQa5CU18jMT6DIOokv2vU7xwaNJviBouaKWAIe5iy
+a3BWHhRpk6e2WnST/X3Zxmm8NjBZAMVl1JXS/vDEDhUu76y/Z82YcHZi52fRXRr3
+jwza/jGFyjLwem04G/CrS+tUHiWd3cbeh09LlQ/zN7cO8oOoYZWyoX0GNtXbUovy
+ssdUt1RODrSVde+8ec7AQm8fg7mRt3HCXhjwrdLxvqVRgG3wYCR3TnzL+rGuhYxa
+TEmbcjPLrKqSfZatsmVir1JJ2Cn8O9Ns5ROsqnulYa0foTo4LDwgqR82uel8mEaZ
+EQh4B7ob8mvqPLKBHbQXVeRTxuqLdyd3W/2yu5nIUi7kA6CIm5mdK8MT6CiHqYYx
+QD33HTN4OtFqrf3TbyjBG5wlzCD2mSrGB52FYgrkfSiKXBOxiqoFo++SpK1wSuHN
+a2ge1hkIdlE8wEPDBDSRqPta8t8ZazNPuc5tR6g0B/JUTIa6r8bDk5NgNj8jrGqv
+MvTWl+txcQ5uYo5OlvdiwHy2/YzEDhWcb1ls0faQQHn2CYFr6S9Ad9dOsMJZ2E29
+K4v/apGnGEjLqqqXWfIxPBq01bZY1pQI8fy+PJkp8IHZfQ2RrmUFaSOufLOgQE7c
+w8j/SxlSdbFrBZA7cMfGLPLT0QARAQABiQRsBBgBCgAgFiEEqTSFlM4xKDqCb73Y
+1XYz1EHiW7UFAmI/t3UCGwICQAkQ1XYz1EHiW7XBdCAEGQEKAB0WIQTqOofwpOug
+MORd8kCejBr7vv/bMgUCYj+3dQAKCRCejBr7vv/bMkq3D/48Y7jLfIB5jY9dzVCm
+ikbuexOAb0YDSZQS3Pt6GnPryIm1gLaRt0jw8HWVI80bMRvTKvJ7D7+kc6GCLK90
+MjxMBdlL/BfBFj8jNuVeaNfI7dTbon0kri56bMI3Ad/G7jryRcnPrRZo/nzGKcMD
+WxV3tgZkamh0pHYWjSttt0fr8t2qXzK74XO3PnU1RkGY1QAlMa89FJXUyW+veFpy
+AJWNW9zYVatjPKPyMLr8I7t9KLjviJBBWwE2fbXgvT58IqhqADKt+YJdXlNiD1Mn
+ZaBbbBCO7Mn+aG+yAJBJKPqmjoN1dOXy1FtuNrHHnTYIHyoRD/IR1DtEwlIYHlhZ
++8uy2rXPMA/I8hSCxFgMEJaY8IzfP49sPvwFMfGgnEFk7jmTAczP7rwSeDuvRnWQ
+ztJqu9PQp3Wmek/ea7WV93rBmI6Vipl8P69m3CzQErnuIZUutsjP0BaiU+hENoXu
+ZmlV0MtnNix0j28sTIe49vtb5UTVRJjIwwI1BDGtM4Ukij9tNkDkntrTkpBE3MFk
+9SYi8aAN99kBCNmkwRdY0opwNhGFJwBEwycv7I7d7s/Y79ZSuZBrjB6nB5gU+Xh1
+tDdQZxzHLctnZ2cAjE8BcU2wrgZghWiRZ7YlI0bozXl6/VJaAVhZU7f6ebklXSYF
+JwTrCwam8VbcgoiukMsdv831NmkPD/4sjSJfoqdE4kGHHX/S/N/Q8LiflefYivLX
+X/WtGyRguuYH+8YDqGaCGco8IKmlRDhaME1achjMp/O808B2rxogpsLWu08AF4PJ
+97w01RfjBr8aA5qvZXnCfAnmpRzQjDrjIuNOle834dXvOAANugR22dBbjv7MRtOp
+Xn1whyAEJIwBeAgKe+p1zwWyQNv2Gq+9C0IQ2w4uJsodjNi6YzFnTvm3HulnNr4s
+L+x/i+24iuz0Gf2KbGiR2FtCyKIek0N2NAhPquoI7L0HEP2FKh3OeEH0aCdFcZf/
+Dw19fjqEROaJhVvSgTvXIVh3dnB4e7qlYsMSNQxqCcKQD4D79kjFrOygySU+6xMp
+vUQvOiF46MrPx8KtfiuPTuEji0Y0F9qz1u5vqwelsg5vpoa12h9qSdX/uWKbRqqQ
+x5gHERLoTXT7aMKYuDU3UAMxEEEOaXnOtWNlr3n4H7zMrZ3qvkTRRmGiH8iGkSFn
+w2WO3rr/flfIQAJLSUH5lTmR4j/XBNtOGSAWKaRU3N5cX2zHcS5YxkaBx3u4Ew+D
+qnBNL6oazpe1iaIoxsyC8MOFyoWHmv/ivv7FbpkWFHgN+R2nenIMiHuHQd/62/RC
+PVEoGmaL+XCfSpmstYz9phejRW7LacBt4BMCV7ghqD6vYCR0QBoENp0V5mKyXQ6P
+R2OsYRFGG7kCDQRiP7s5ARAAktZGlZIjclF0dkQxIpJ2cQ0FOEgzzG0hZzIfHzLW
+T7HvuY0XHWAI64yZbDSdHkKTSKbVnrToCayBDu0oISa3gZh+cd5a+Igf4NsIkGNR
+askGnmZYUM+RP1PzKPlVqdPIcXedZvTermRHIyO73f3p5kw+vDryGyubrt2n2IFb
+J7SopNed2kXIs5dyk89mvJ+muPCDD5wYHbdXfpEH+KznROMHOVHzwfHYQ++finuw
+2cjdJbAyZz6QSopAQeg46UEAk/aTGuI3cEFIzDq6cpqS8fvpbHGL5Oi657t2i1TL
+zUCo/4FK027ZLkTXpcB8hbmKFWhfWueDx3aRNvbloJn7kq97RhnE3tgewi+syJsK
+CrOlHc1rD8/JNL9lcr2yuSTmwY80QDVNU3U2ZeqLdxx47O31zR5VCpGu09Ro57bJ
+j5YaMukwmYLiPwTExkTqqryf7QsLq47Tgd+0YnUyq79XEv067ow+FCxbIoSNlQWB
+W2LbNi3JeNPCM0pWdgFuiQE2KFH0s4qulKxEbEtwpVXOH9fmUN23VkI1TnarfRlG
+XgSdOISRbXa0O9Ta85BF/NtoBXRU4CtDdcmT7343PjRPbAF1ixU+KOhDDuaDBUV5
+iD6BXqyHyL6rciYvqHQwmg2ztdFmTewapV112Vv2wpqvbyrzszTtMw8c92Y7Kfge
+fY8AEQEAAYkCPAQYAQoAJhYhBKk0hZTOMSg6gm+92NV2M9RB4lu1BQJiP7s5AhsM
+BQkB4TOAAAoJENV2M9RB4lu1mAsP/R/4E68Rt7oUI/30eTuiRb9C/Zx6EaZVIJBw
+G2cwKB9GkU4vGR2PU1f25vym92fywSP9OavWyDeVqtN8Ar4U4CbD/L9f2JgZMTXr
+HFgxU94uywKOxhLEL8ylgaU89l6af1BynBn3YU/mLQyMHAMTs0uaifjAedeNJq08
+XWP3bVdxRywj/rqAf52KA9Y/C59mCfx4vmYu2r2jbwCCVWOsL5sgWyThyGKuNv1A
+7+k0JYJlsJ8aro9sS0fjscvoyxajDX2u0Mq/dTbjFWiJQbdT2mWMgiOHxpGDGst9
+NH5+JbYZGV/TfeJFDIAW/Pw3gktKt40IP2t6y5vjyUCHEEn2E6pfnr1XmY6EOae5
+hPYJQNUbJw98RdpPPY3l4FY49M312v6dphAj2kBmMv7mbyLrIZoTsHw5Q++ig83V
+i/I1u4tTvZomFn2po3MO3+QL0FTqzwPjiTyUmSO4rMi5EZiLJF5ITSaESFXNGQb4
+UBTuXYgKXY4spWeYpSB2qREhrkXgXrDWEJBwIBJW4ppPI4hRhefGV6wHTRxF24No
+iVPz4ABaTQFkvZbpyTT+DT0CL8tHMwF7Tq3wFQ4Rr82LBS/fWxgzeyYTgZwXXUFY
+YqM7OXwJKVjlgC2B+OEwgXcdRxB4y5asd//D9wVeD0pfiWk+Ohmi/YF9WmFgmrWe
+vK53nZUH
+=V1ID
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/shadow.service b/shadow.service
new file mode 100644
index 0000000..4137da1
--- /dev/null
+++ b/shadow.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Verify integrity of password and group files
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=read-only
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+Type=oneshot
+ExecStart=/usr/sbin/pwck -r
+ExecStart=/usr/sbin/grpck -r
+Nice=19
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
diff --git a/shadow.spec b/shadow.spec
new file mode 100644
index 0000000..6ebf7bf
--- /dev/null
+++ b/shadow.spec
@@ -0,0 +1,392 @@
+#
+# spec file for package shadow
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%if ! %{defined _distconfdir}
+  %define _distconfdir %{_sysconfdir}
+%else
+  %define no_config 1
+%endif
+Name:           shadow
+Version:        4.16.0
+Release:        0
+Summary:        Utilities to Manage User and Group Accounts
+License:        BSD-3-Clause AND GPL-2.0-or-later
+Group:          System/Base
+URL:            https://github.com/shadow-maint/shadow
+Source0:        https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
+Source1:        pamd.tar.bz2
+Source2:        https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
+Source3:        %{name}.keyring
+Source4:        shadow.service
+Source5:        shadow.timer
+# SOURCE-FEATURE-SUSE shadow-login_defs-check.sh sbrabec@suse.com -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches.
+Source40:       shadow-login_defs-check.sh
+# PATCH-FIX-SUSE shadow-login_defs-unused-by-pam.patch kukuk@suse.com -- Remove variables that have no use with PAM.
+Patch0:         shadow-login_defs-unused-by-pam.patch
+# PATCH-FEATURE-SUSE useradd-default.patch kukuk@suse.com -- Change useradd defaults group to 1000.
+Patch1:         useradd-default.patch
+# PATCH-FEATURE-SUSE shadow-util-linux.patch sbrabec@suse.com -- Add support for util-linux specific variables, delete shadow login, su runuser specific.
+Patch2:         shadow-util-linux.patch
+# PATCH-FEATURE-SUSE shadow-login_defs-comments.patch kukuk@suse.com -- Adjust login.defs comments.
+Patch3:         shadow-login_defs-comments.patch
+# PATCH-FEATURE-SUSE shadow-login_defs-suse.patch kukuk@suse.com -- Customize login.defs.
+Patch4:         shadow-login_defs-suse.patch
+# PATCH-FIX-SUSE disable_new_audit_function.patch adam.majer@suse.de -- Disable newer libaudit functionality for older distributions.
+Patch5:         disable_new_audit_function.patch
+BuildRequires:  audit-devel > 2.3
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libacl-devel
+BuildRequires:  libattr-devel
+BuildRequires:  libselinux-devel
+BuildRequires:  libsemanage-devel
+BuildRequires:  libtool
+BuildRequires:  pam-devel
+BuildRequires:  xz
+# we depend on libbsd or glibc >= 2.38 for the strlcpy() (and readpassphrase()) functions
+BuildRequires:  glibc-devel >= 2.38
+Requires:       login_defs >= %{version}
+Requires(pre):  group(root)
+Requires(pre):  group(shadow)
+Requires(pre):  permissions
+Requires(pre):  user(root)
+Provides:       pwdutils = 3.2.20
+Obsoletes:      pwdutils <= 3.2.19
+Provides:       useradd_or_adduser_dep
+BuildRequires:  libeconf-devel
+
+%description
+This package includes the necessary programs for converting plain
+password files to the shadow password format and to manage user and
+group accounts.
+
+%package -n login_defs
+Summary:        The login.defs configuration file
+# Virtual provides for supported variables in login.defs.
+# It prevents references to unknown variables.
+# Upgrade them only if shadow-util-linux.patch or
+# encryption_method_nis.patch has to be ported!
+# Call shadow-login_defs-check.sh before!
+Group:          System/Base
+Provides:       login_defs-support-for-pam = 1.5.2
+Provides:       login_defs-support-for-util-linux = 2.37
+BuildArch:      noarch
+
+%description -n login_defs
+This package contains the default login.defs configuration file
+as used by util-linux, pam and shadow.
+
+%package -n libsubid5
+Summary:        A library to manage subordinate uid and gid ranges
+Group:          System/Base
+
+%description -n libsubid5
+Utility library that provides a way to manage subid ranges.
+
+%package -n libsubid-devel
+Summary:        Development files for libsubid5
+Group:          System/Base
+Requires:       libsubid5 = %{version}
+
+%description -n libsubid-devel
+Development files for libsubid5.
+
+%prep
+%setup -q -a 1
+%patch -P 0
+%patch -P 1
+%patch -P 2
+%patch -P 3
+%patch -P 4
+%if 0%{?suse_version} < 1330
+%patch -P 5 -p1
+%endif
+
+iconv -c -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
+mv -v doc/HOWTO.utf8 doc/HOWTO
+
+%build
+export CFLAGS="%{optflags} -fpie"
+export LDFLAGS="-pie"
+
+autoreconf -fvi
+# SSSD files provider is deprecated since 2.9.0, but still enabled in openSUSE Leap 15.6 and SLE 15 SP6
+%configure \
+  --enable-shadowgrp \
+  --enable-account-tools-setuid \
+  --with-audit \
+  --with-libpam \
+  --with-sha-crypt \
+  --with-acl \
+  --with-attr \
+  --with-nscd \
+  --with-selinux \
+  --without-libcrack \
+  --without-libbsd \
+%if 0%{?suse_version} >= 1600
+  --without-sssd \
+%endif
+  --with-group-name-max-length=32 \
+  --enable-vendordir=%{_distconfdir}
+%make_build
+#  --disable-shared \ currently doesn't build with this. See https://github.com/shadow-maint/shadow/issues/336
+
+%install
+%make_install gnulocaledir=%{buildroot}/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
+# Separate call to install man pages. See https://github.com/shadow-maint/shadow/issues/389
+%make_install -C man install-man
+
+install -Dm644 %{SOURCE4} %{buildroot}%{_unitdir}/shadow.service
+install -Dm644 %{SOURCE5} %{buildroot}%{_unitdir}/shadow.timer
+
+# add empty /etc/sub{u,g}id files
+touch %{buildroot}/%{_sysconfdir}/subuid
+touch %{buildroot}/%{_sysconfdir}/subgid
+
+# Remove binaries we don't use.
+rm %{buildroot}/%{_bindir}/groups
+rm %{buildroot}/%{_mandir}/man1/groups.*
+rm %{buildroot}/%{_mandir}/*/man1/groups.*
+
+rm %{buildroot}/%{_sbindir}/grpconv
+rm %{buildroot}/%{_mandir}/man8/grpconv.*
+rm %{buildroot}/%{_mandir}/*/man8/grpconv.*
+rm %{buildroot}/%{_sbindir}/grpunconv
+rm %{buildroot}/%{_mandir}/man8/grpunconv.*
+rm %{buildroot}/%{_mandir}/*/man8/grpunconv.*
+
+rm %{buildroot}/%{_sbindir}/groupmems
+rm %{buildroot}/%{_mandir}/man8/groupmems.*
+rm %{buildroot}/%{_mandir}/*/man8/groupmems.*
+rm %{buildroot}%{_sysconfdir}/pam.d/groupmems
+
+rm %{buildroot}/%{_bindir}/login
+rm %{buildroot}/%{_mandir}/man1/login.*
+rm %{buildroot}/%{_mandir}/*/man1/login.*
+rm %{buildroot}%{_sysconfdir}/pam.d/login
+
+rm %{buildroot}/%{_bindir}/su
+rm %{buildroot}/%{_mandir}/man1/su.*
+rm %{buildroot}/%{_mandir}/*/man1/su.*
+rm %{buildroot}/%{_mandir}/man5/suauth.*
+rm %{buildroot}/%{_mandir}/*/man5/suauth.*
+rm %{buildroot}%{_sysconfdir}/pam.d/su
+
+rm %{buildroot}/%{_bindir}/faillog
+rm %{buildroot}/%{_mandir}/man5/faillog.*
+rm %{buildroot}/%{_mandir}/*/man5/faillog.*
+rm %{buildroot}/%{_mandir}/man8/faillog.*
+rm %{buildroot}/%{_mandir}/*/man8/faillog.*
+
+rm %{buildroot}/%{_sbindir}/logoutd
+rm %{buildroot}/%{_mandir}/man8/logoutd.*
+rm %{buildroot}/%{_mandir}/*/man8/logoutd.*
+rm %{buildroot}/%{_sbindir}/nologin
+rm %{buildroot}/%{_mandir}/man8/nologin.*
+rm %{buildroot}/%{_mandir}/*/man8/nologin.*
+
+rm %{buildroot}/%{_sbindir}/chgpasswd
+rm %{buildroot}/%{_mandir}/man8/chgpasswd.*
+rm %{buildroot}/%{_mandir}/*/man8/chgpasswd.*
+rm %{buildroot}%{_sysconfdir}/pam.d/chgpasswd
+
+rm %{buildroot}/%{_mandir}/man3/getspnam.*
+rm %{buildroot}/%{_mandir}/*/man3/getspnam.*
+rm %{buildroot}/%{_mandir}/man5/gshadow.5*
+rm %{buildroot}/%{_mandir}/*/man5/gshadow.5*
+rm %{buildroot}/%{_mandir}/man5/passwd.5*
+rm %{buildroot}/%{_mandir}/*/man5/passwd.5*
+
+rm -rf %{buildroot}%{_mandir}/{??,??_??}
+
+rm %{buildroot}/%{_libdir}/libsubid.{la,a}
+
+# Move /etc to /usr/etc
+if [ ! -d %{buildroot}%{_distconfdir} ]; then
+    mkdir -p %{buildroot}%{_distconfdir}
+    mkdir -p %{buildroot}%{_pam_vendordir}
+    mv %{buildroot}%{_sysconfdir}/login.defs %{buildroot}%{_distconfdir}
+    mv %{buildroot}%{_sysconfdir}/pam.d/* %{buildroot}%{_pam_vendordir}/
+fi
+mkdir -p %{buildroot}%{_sysconfdir}/login.defs.d
+
+%find_lang shadow
+
+%pre
+%service_add_pre shadow.service shadow.timer
+for i in pam.d/chage pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do
+  test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+done
+
+%pre -n login_defs
+test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpmsave %{_sysconfdir}/login.defs.rpmsave.old ||:
+
+%post
+%set_permissions %{_bindir}/chage
+%set_permissions %{_bindir}/chfn
+%set_permissions %{_bindir}/chsh
+%set_permissions %{_bindir}/expiry
+%set_permissions %{_bindir}/gpasswd
+%set_permissions %{_bindir}/newgrp
+%set_permissions %{_bindir}/passwd
+%set_permissions %{_bindir}/newgidmap
+%set_permissions %{_bindir}/newuidmap
+
+%service_add_post shadow.service shadow.timer
+
+%verifyscript
+%verify_permissions %{_bindir}/chage
+%verify_permissions %{_bindir}/chfn
+%verify_permissions %{_bindir}/chsh
+%verify_permissions %{_bindir}/expiry
+%verify_permissions %{_bindir}/gpasswd
+%verify_permissions %{_bindir}/newgrp
+%verify_permissions %{_bindir}/passwd
+%verify_permissions %{_bindir}/newgidmap
+%verify_permissions %{_bindir}/newuidmap
+
+%preun
+%service_del_preun shadow.service shadow.timer
+
+%postun
+%service_del_postun shadow.service shadow.timer
+
+%posttrans
+%if %{defined no_config}
+# Migration to /usr/etc
+for i in pam.d/chage pam.d/chfn pam.d/chpasswd pam.d/chsh pam.d/groupadd pam.d/groupdel pam.d/groupmod pam.d/newusers pam.d/passwd pam.d/useradd pam.d/userdel pam.d/usermod; do
+  test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+done
+%endif
+
+%posttrans -n login_defs
+# rpmsave file can be created by
+# - change of owning package (SLE15 SP2->SP3, Leap 15.2->15.3)
+# - Migration to /usr/etc (after SLE15 and Leap 15)
+test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpmsave %{_sysconfdir}/login.defs ||:
+
+%post -n libsubid5 -p /sbin/ldconfig
+%postun -n libsubid5 -p /sbin/ldconfig
+
+%files -f shadow.lang
+%license COPYING
+%doc NEWS doc/HOWTO README
+%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subuid
+%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subgid
+%if %{defined no_config}
+%{_pam_vendordir}/chage
+%{_pam_vendordir}/chfn
+%{_pam_vendordir}/chsh
+%{_pam_vendordir}/passwd
+%{_pam_vendordir}/chpasswd
+%{_pam_vendordir}/groupadd
+%{_pam_vendordir}/groupdel
+%{_pam_vendordir}/groupmod
+%{_pam_vendordir}/newusers
+%{_pam_vendordir}/useradd
+%{_pam_vendordir}/userdel
+%{_pam_vendordir}/usermod
+%else
+%config %{_sysconfdir}/pam.d/chage
+%config %{_sysconfdir}/pam.d/chfn
+%config %{_sysconfdir}/pam.d/chsh
+%config %{_sysconfdir}/pam.d/passwd
+%config %{_sysconfdir}/pam.d/chpasswd
+%config %{_sysconfdir}/pam.d/groupadd
+%config %{_sysconfdir}/pam.d/groupdel
+%config %{_sysconfdir}/pam.d/groupmod
+%config %{_sysconfdir}/pam.d/newusers
+%config %{_sysconfdir}/pam.d/useradd
+%config %{_sysconfdir}/pam.d/userdel
+%config %{_sysconfdir}/pam.d/usermod
+%endif
+%verify(not mode) %attr(2755,root,shadow) %{_bindir}/chage
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chfn
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/chsh
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/expiry
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/gpasswd
+%verify(not mode) %attr(4755,root,root) %{_bindir}/newgrp
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/passwd
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/newgidmap
+%verify(not mode) %attr(4755,root,shadow) %{_bindir}/newuidmap
+%{_bindir}/sg
+%{_bindir}/getsubids
+%attr(0755,root,root) %{_sbindir}/groupadd
+%attr(0755,root,root) %{_sbindir}/groupdel
+%attr(0755,root,root) %{_sbindir}/groupmod
+%{_sbindir}/grpck
+%{_sbindir}/pwck
+%attr(0755,root,root) %{_sbindir}/useradd
+%attr(0755,root,root) %{_sbindir}/userdel
+%attr(0755,root,root) %{_sbindir}/usermod
+%{_sbindir}/pwconv
+%{_sbindir}/pwunconv
+%attr(0755,root,root) %{_sbindir}/chpasswd
+%attr(0755,root,root) %{_sbindir}/newusers
+%{_sbindir}/vipw
+%{_sbindir}/vigr
+%{_mandir}/man1/chage.1%{?ext_man}
+%{_mandir}/man1/chfn.1%{?ext_man}
+%{_mandir}/man1/chsh.1%{?ext_man}
+%{_mandir}/man1/expiry.1%{?ext_man}
+%{_mandir}/man1/gpasswd.1%{?ext_man}
+%{_mandir}/man1/newgrp.1%{?ext_man}
+%{_mandir}/man1/passwd.1%{?ext_man}
+%{_mandir}/man1/sg.1%{?ext_man}
+%{_mandir}/man3/shadow.3%{?ext_man}
+%{_mandir}/man5/shadow.5%{?ext_man}
+%{_mandir}/man8/chpasswd.8%{?ext_man}
+%{_mandir}/man8/groupadd.8%{?ext_man}
+%{_mandir}/man8/groupdel.8%{?ext_man}
+%{_mandir}/man8/groupmod.8%{?ext_man}
+%{_mandir}/man8/grpck.8%{?ext_man}
+%{_mandir}/man8/newusers.8%{?ext_man}
+%{_mandir}/man8/pwck.8%{?ext_man}
+%{_mandir}/man8/pwconv.8%{?ext_man}
+%{_mandir}/man8/pwunconv.8%{?ext_man}
+%{_mandir}/man8/useradd.8%{?ext_man}
+%{_mandir}/man8/userdel.8%{?ext_man}
+%{_mandir}/man8/usermod.8%{?ext_man}
+%{_mandir}/man8/vigr.8%{?ext_man}
+%{_mandir}/man8/vipw.8%{?ext_man}
+%{_mandir}/man5/subuid.5%{?ext_man}
+%{_mandir}/man5/subgid.5%{?ext_man}
+%{_mandir}/man1/newgidmap.1%{?ext_man}
+%{_mandir}/man1/newuidmap.1%{?ext_man}
+%{_mandir}/man1/getsubids.1%{?ext_man}
+
+%{_unitdir}/*
+
+%files -n login_defs
+%dir %{_sysconfdir}/login.defs.d
+%if %{defined no_config}
+%attr(0644,root,root) %{_distconfdir}/login.defs
+%else
+%attr(0644,root,root) %config %{_sysconfdir}/login.defs
+%endif
+%{_mandir}/man5/login.defs.5%{?ext_man}
+
+%files -n libsubid5
+%{_libdir}/libsubid.so.*
+
+%files -n libsubid-devel
+%dir %{_includedir}/shadow
+%{_includedir}/shadow/subid.h
+%{_libdir}/libsubid.so
+
+%changelog
diff --git a/shadow.timer b/shadow.timer
new file mode 100644
index 0000000..3823cbb
--- /dev/null
+++ b/shadow.timer
@@ -0,0 +1,7 @@
+[Unit]
+Description=Daily verification of password and group files
+
+[Timer]
+OnCalendar=daily
+AccuracySec=12h
+Persistent=true
diff --git a/useradd-default.patch b/useradd-default.patch
new file mode 100644
index 0000000..8e633d0
--- /dev/null
+++ b/useradd-default.patch
@@ -0,0 +1,13 @@
+Index: src/useradd.c
+===================================================================
+--- src/useradd.c.orig
++++ src/useradd.c
+@@ -87,7 +87,7 @@ const char *Prog;
+ /*
+  * These defaults are used if there is no defaults file.
+  */
+-static gid_t def_group = 1000;
++static gid_t def_group = 100;
+ static const char *def_groups = "";
+ static const char *def_gname = "other";
+ static const char *def_home = "/home";