Sync changes to SLFO-1.2 branch

- Update to 4.18.0:
  * CI: purge man-db #1241
  * passwd: document exit code when PAM has errored #1244
  * Man patches #1175
  * Quick fix: define E_PAM_ERR in lib/pam_pass.c #1245
  * Accept /usr/sbin/nologin as an alternate to /sbin/nologin #1246
  * Add LOGIN_ENV_SAFELIST to FOREIGNDEFS #1248
  * ci: add gawk as a fedora dependency #1252
  * man/useradd.8.xml: fix the CREATE_HOME description #1251
  * lib/getdate.y: Restrict the date formats that we support #1238
  * newuidmap: better error logging on failure #1254
  * Extend basic test cases to check shadow and gshadow entries #1237
  * lib/sizeof.h: Make sure STRLEN() only accepts string literals #1260
  * Add strprefix(), and use it instead of its pattern #1152
  * src/: Simplify, using strpbrk(3) #1167
  * lib/string/strdup/: STRNDUPA(): Reimplement in terms of strndupa(3) #1189
  * Remove dead beef #1230
  * lib/atoi/a2i/: Simplify these macros #1137
  * strtolower(): Add API, and use it instead of its pattern #1211
  * lib/: sget*ent(): Simplify #1146
  * fields #1150
  * yacc(1) is a dead language; bury it deep in the ground #1217
  * Test expiration date #1233
  * [scp] Add strcaseprefix(), and use it instead of its pattern #1262
  * valid_field(): Improve readability #1208
  * lib/, src/, tests/: Use the standard countof() instead of our NITEMS() #1259
  * lib/fs/mkstemp/, src/: Move fmkomstemp() to separate files under
    lib/fs/mkstemp/, and split into mkomstemp() #1139
  * [x][v]aprintf(): Add APIs, and use them instead of [x][v]asprintf(3) #1168
  * lib/get_pid.c: pid_t is a signed integer #1264

OBS-URL: https://build.opensuse.org/request/show/1288422
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shadow?expand=0&rev=78

shadow-4.16.0.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b78e3921a95d53282a38e90628880624736bf6235e36eea50c50835f59a3530b
-size 2204832

shadow-4.16.0.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEflbiwT+nfOMVWa3JfcJMNsM0HSAFAmZyBfQACgkQfcJMNsM0
-HSA4PxAA57RSvccAbXTTmp2sHMZVPbzizydThuGgqY/4F9egRvywUUlNy0vz/QAA
-e0u8ja+paKhLjXg4HvA/Ejy+gtAE5NuvNCr/ihL8Xii6s/GH6OaW8EDcL0509j7L
-PchWYkHYSqwdqdjLoy6NroaaEEllAzVEeNp2UzN9F7jllteF8gDjqY2j8SLqrkmm
-Xb15kzk6mbqk5BxAOoZmgoRRDw+YRCBA2EzN0ztwR0h1rjwoCjebQk3E/qV+fM1t
-pKKYVTnLRmb9E2tvPR1Oibzercisi/+6Z7br+Xh1Gz/mfZ++4CiOQrJndUTBj9zU
-v7GEHMEdV8qz/Qzvh1eyxA7KX5zZqbXT3I/+kRvX01CJtI64MVdEOOqSeup794fr
-QlaptfoAfe+ZS6exe1SwY2tZkoX4qXeeUNQXRBo8GJlG9auMA46U2CjtRGgyK6BK
-cf/YkzUr9aTWExL3d2tZJzvEX80AHSR+MF2kW8UzIQI8hch1Pncp8an6NfLFbmsl
-nyz5+GqrSuc1gNe7wnz5Lkxk3q4epmvdPcyrb16XDr42k3dP0IWZE50c8Caf05Nq
-9zJC+It75nX7PFbGcZnNgE6sjsc6MB28O2wUb4Z51IU+s8hzthk2P4v0gq30TgrZ
-vKTXxIYwp+yLii1sSTWUdE8a6vNK93cQki5uuB3R6VeNVBMZJA0=
-=bB1D
------END PGP SIGNATURE-----

shadow-4.17.2.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmeCkssACgkQNXDaFycK
+ziQhuwf/bcEJKV+x66isorvoeGbqdtW7oGz3ueu8501X2lO5OZgxo6oseq27ynfc
+xG6RBMnvkm94pjw3iCqEjYwyJ30js+HVWd6cN7T6GyAGdeYRMvHEfpww7IR1Py3n
+6ZgYR4hcLu0T6zVg3bwUNtn29QCINo1SdS7PtsCBBDkwm8WeR+xHsSU+eV3kvNF8
+CID4wvwMW7lCBetADbI+ZvbKBvDkfUBAkJWm/a/wLJrztwTw307xOvyR5P5QjoIn
+ZMtmcmsWL+5Y13OoUccdUm9jDOTPILYtC7Y7y2Nolh0qOsCnMKzD0D11KDIoPlfc
+Rymwesu4+adiSYUfKvqabkb3c/GrbA==
+=lu9c
+-----END PGP SIGNATURE-----

shadow-login_defs-check.sh

@@ -33,14 +33,18 @@ if ! test -f openSUSE:Factory/util-linux/BUILD/*/configure.ac ; then
 		osc co openSUSE:Factory util-linux
 	fi
 	cd openSUSE:Factory/util-linux
+# BEGIN HACK
+# quilt does not understand our util-linux.spec.
+	sed -i s/@BUILD_FLAVOR@// util-linux.spec
+# END HACK
 	quilt setup -d BUILD util-linux.spec
-	cd BUILD/*
+	cd $(ls -1d BUILD/* | sed /SPECPARTS/d)
 	quilt push -a
 	cd ../../../..
 fi
 
 echo "Extracting variables from util-linux..."
-cd openSUSE:Factory/util-linux/BUILD/*
+cd $(ls -1d openSUSE:Factory/util-linux/BUILD/* | sed /SPECPARTS/d)
 (
 	grep -rh getlogindefs . |
 		sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p'
@@ -68,13 +72,13 @@ if ! test -f openSUSE:Factory/pam/BUILD/*/configure.ac ; then
 	fi
 	cd openSUSE:Factory/pam
 	quilt setup -d BUILD pam.spec
-	cd BUILD/*
+	cd $(ls -1d BUILD/* | sed /SPECPARTS/d)
 	quilt push -a
 	cd ../../../..
 fi
 
 echo "Extracting variables from pam..."
-cd openSUSE:Factory/pam/BUILD/*
+cd $(ls -1d openSUSE:Factory/pam/BUILD/* | sed /SPECPARTS/d)
 grep -rh LOGIN_DEFS . |
 	sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
 	LC_ALL=C sort -u >../../../../shadow-login_defs-check-pam.lst

shadow-login_defs-suse.patch

@@ -82,7 +82,7 @@ Index: etc/login.defs
  # System accounts
 -SYS_UID_MIN		  101
 -SYS_UID_MAX		  999
-+SYS_UID_MIN		  100
++SYS_UID_MIN		  201
 +SYS_UID_MAX		  499
  # Extra per user uids
  SUB_UID_MIN		   100000
@@ -93,7 +93,7 @@ Index: etc/login.defs
  # System accounts
 -SYS_GID_MIN		  101
 -SYS_GID_MAX		  999
-+SYS_GID_MIN		  100
++SYS_GID_MIN		  201
 +SYS_GID_MAX		  499
  # Extra per user group ids
  SUB_GID_MIN		   100000

shadow-util-linux.patch

@@ -122,7 +122,7 @@ Index: etc/login.defs
  # Max time in seconds for login(1)
  #
  LOGIN_TIMEOUT		60
-@@ -315,14 +335,6 @@ CHARACTER_CLASS         [ABCDEFGHIJKLMNO
+@@ -285,14 +305,6 @@ USERGROUPS_ENAB yes
  #GRANT_AUX_GROUP_SUBIDS yes
  
  #
@@ -137,3 +137,26 @@ Index: etc/login.defs
  # Select the HMAC cryptography algorithm.
  # Used in pam_timestamp module to calculate the keyed-hash message
  # authentication code.
+@@ -301,3 +313,10 @@ PREVENT_NO_AUTH superuser
+ # that are available in your system.
+ #
+ #HMAC_CRYPTO_ALGO SHA512
++
++# Forces login to protect the specified environment variables if -p is not
++# used. The string value is a comma-separated list of variable names. For
++# example: "LANG,LC_MESSAGES,LC_COLLATE".  The safelist is ignored for the
++# environment variables HOME, SHELL and USER.
++#LOGIN_ENV_SAFELIST
++
+Index: lib/getdef.c
+===================================================================
+--- lib/getdef.c.orig
++++ lib/getdef.c
+@@ -76,6 +76,7 @@ struct itemdef {
+ #define FOREIGNDEFS				\
+ 	{"ALWAYS_SET_PATH", NULL},		\
+ 	{"ENV_ROOTPATH", NULL},			\
++	{"LOGIN_ENV_SAFELIST", NULL},		\
+ 	{"LOGIN_KEEP_USERNAME", NULL},		\
+ 	{"LOGIN_PLAIN_PROMPT", NULL},		\
+ 	{"MOTD_FIRSTONLY", NULL},		\

shadow.changes

@@ -1,3 +1,81 @@
+-------------------------------------------------------------------
+Wed Apr  9 00:05:49 UTC 2025 - Stanislav Brabec <sbrabec@suse.com>
+
+- shadow-util-linux.patch: util-linux-2.41 introduced new variable:
+  LOGIN_ENV_SAFELIST. Recognize it and update dependencies. The
+  patch includes gh/shadow-maint/shadow/pull#1248.
+- shadow-login_defs-check-login_defs.lst: Make the util-linux.spec
+  multibuild file compatible with quilt. Make it working with new
+  quilt.
+
+-------------------------------------------------------------------
+Mon Jan 20 10:20:31 UTC 2025 - Michael Vetter <mvetter@suse.com>
+
+- bsc#1235453: Set SYS_{UID,GID}_MIN to 201:
+  After repeated similar requests to change the ID ranges we set the
+  above mentioned value to 201. The max value will stay at 499.
+  This range should be sufficient and will give us leeway for the
+  future.
+  It's not straightforward to find out which static UIDs/GIDs are
+  used in all packages.
+  Update shadow-login_defs-suse.patch
+
+-------------------------------------------------------------------
+Sat Jan 11 16:37:07 UTC 2025 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.17.2:
+  * src/login_nopam.c: Fix compiler warnings #1170
+  * lib/chkname.c: Put limits for LOGIN_NAME_MAX and sysconf(_SC_LOGIN_NAME_MAX) #1169
+  * Use HTTPS in link to Wikipedia article on password strength #1164
+  * lib/attr.h: use C23 attributes only with gcc >= 10 #1172
+  * login: Fix no-pam authorization regression #1174
+  * man: Add Portuguese translation #1178
+  * Update French translation #1177
+  * Add cheap defense mechanisms #1171
+  * Add Romanian translation #1176
+
+-------------------------------------------------------------------
+Tue Dec 31 19:41:57 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.17.1:
+  * Fix `su -` regression #1163
+
+-------------------------------------------------------------------
+Fri Dec 27 16:06:45 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.17.0:
+  * Fix the lower part of the domain of csrand_uniform()
+  * Fix use of volatile pointer
+  * Use 'dist-hook' to clean up <tests/unit/Makefile>
+  * Use str2[u]l() instead of atoi(3)
+  * Use a2i() in various places
+  * Fix const correctness
+  * Use uid_t for holding UIDs (and GIDs)
+  * Move all sprintf(3)-like APIs to a subdirectory
+  * Move all copying APIs to a subdirectory
+  * Fix forever loop on ENOMEM
+  * Fix REALLOC() nmemb calculation
+  * Remove id(1)
+  * Remove groups(1)
+  * Use local time for human-readable dates
+  * Use %F instead of %Y-%m-%d with strftime(3)
+  * is_valid{user,group}_name(): Set errno to distinguish the reasons
+  * Recommend --badname only if it is useful
+  * Add fmkomstemp() to fix mode of </etc/default/useradd>
+  * Fix use-after-free bug in sgetgrent()
+  * Update Catalan translation
+  * Remove references to cppw, cpgr
+  * groupadd, groupmod: Update gshadow file with -U
+  * Added option -a for listing active users only, optimized using if aflg,return
+  * Added information in lastlog man page for new option '-a'
+  * Plenty of code cleanup and clarifications
+
+-------------------------------------------------------------------
+Fri Dec  6 08:56:10 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- Update to 4.17.0 RC1:
+  Pre-release without changelog
+
 -------------------------------------------------------------------
 Mon Jul  8 11:13:17 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
 

shadow.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package shadow
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
   %define no_config 1
 %endif
 Name:           shadow
-Version:        4.16.0
+Version:        4.17.2
 Release:        0
 Summary:        Utilities to Manage User and Group Accounts
 License:        BSD-3-Clause AND GPL-2.0-or-later
@@ -84,7 +84,7 @@ Summary:        The login.defs configuration file
 # Call shadow-login_defs-check.sh before!
 Group:          System/Base
 Provides:       login_defs-support-for-pam = 1.5.2
-Provides:       login_defs-support-for-util-linux = 2.37
+Provides:       login_defs-support-for-util-linux = 2.41
 BuildArch:      noarch
 
 %description -n login_defs
@@ -158,11 +158,6 @@ install -Dm644 %{SOURCE5} %{buildroot}%{_unitdir}/shadow.timer
 touch %{buildroot}/%{_sysconfdir}/subuid
 touch %{buildroot}/%{_sysconfdir}/subgid
 
-# Remove binaries we don't use.
-rm %{buildroot}/%{_bindir}/groups
-rm %{buildroot}/%{_mandir}/man1/groups.*
-rm %{buildroot}/%{_mandir}/*/man1/groups.*
-
 rm %{buildroot}/%{_sbindir}/grpconv
 rm %{buildroot}/%{_mandir}/man8/grpconv.*
 rm %{buildroot}/%{_mandir}/*/man8/grpconv.*