From fed1a56686bd6436cac7aa4dbf240c85865d5a211c0578f20dea9370bf29c9b8 Mon Sep 17 00:00:00 2001
From: Stanislav Brabec <sbrabec@suse.com>
Date: Thu, 9 May 2019 15:58:55 +0000
Subject: [PATCH] Accepting request 700496 from
 home:sbrabec:branches:util-linux-2.33.1

Depends on https://build.opensuse.org/request/show/700494!
- Fix problems in reading of login.defs values (bsc#1121197,
  util-linux-login_defs-priority1.patch,
  util-linux-login_defs-priority2.patch,
  util-linux-login_defs-SYS_UID.patch).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Add virtual symbols for login.defs compatibility (bsc#1121197).
- Add login.defs safety check util-linux-login_defs-check.sh
  (bsc#1121197).
- Drop bc BuildRequires: not needed.

OBS-URL: https://build.opensuse.org/request/show/700496
OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=398
---
 python3-libmount.changes              | 17 ++++++
 python3-libmount.spec                 | 45 +++++++++-------
 su.default                            | 20 +++-----
 util-linux-login_defs-SYS_UID.patch   | 60 ++++++++++++++++++++++
 util-linux-login_defs-check.sh        | 58 +++++++++++++++++++++
 util-linux-login_defs-priority1.patch | 39 ++++++++++++++
 util-linux-login_defs-priority2.patch | 74 +++++++++++++++++++++++++++
 util-linux-systemd.changes            | 17 ++++++
 util-linux-systemd.spec               | 45 +++++++++-------
 util-linux.changes                    | 12 +++++
 util-linux.spec                       | 44 ++++++++++------
 11 files changed, 365 insertions(+), 66 deletions(-)
 create mode 100644 util-linux-login_defs-SYS_UID.patch
 create mode 100644 util-linux-login_defs-check.sh
 create mode 100644 util-linux-login_defs-priority1.patch
 create mode 100644 util-linux-login_defs-priority2.patch

diff --git a/python3-libmount.changes b/python3-libmount.changes
index cc0ebab..da9200a 100644
--- a/python3-libmount.changes
+++ b/python3-libmount.changes
@@ -1,9 +1,26 @@
+-------------------------------------------------------------------
+Thu May  2 23:51:45 CEST 2019 - sbrabec@suse.com
+
+- Fix problems in reading of login.defs values (bsc#1121197,
+  util-linux-login_defs-priority1.patch,
+  util-linux-login_defs-priority2.patch,
+  util-linux-login_defs-SYS_UID.patch).
+- Perform one-time reset of /etc/default/su (bsc#1121197).
+- Add virtual symbols for login.defs compatibility (bsc#1121197).
+- Add login.defs safety check util-linux-login_defs-check.sh
+  (bsc#1121197).
+
 -------------------------------------------------------------------
 Mon Mar  4 15:23:27 CET 2019 - sbrabec@suse.com
 
 - Integrate pam_keyinit pam module to login
   (boo#1081947, login.pamd, remote.pamd).
 
+-------------------------------------------------------------------
+Mon Mar  4 13:00:08 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Drop bc BuildRequires: not needed.
+
 -------------------------------------------------------------------
 Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwilck@suse.com>
 
diff --git a/python3-libmount.spec b/python3-libmount.spec
index 211bcda..06ab52f 100644
--- a/python3-libmount.spec
+++ b/python3-libmount.spec
@@ -75,7 +75,6 @@ Summary:        %main_summary
 License:        GPL-2.0-or-later
 Group:          %main_group
 BuildRequires:  audit-devel
-BuildRequires:  bc
 BuildRequires:  binutils-devel
 BuildRequires:  fdupes
 BuildRequires:  gettext-devel
@@ -127,6 +126,7 @@ Release:        0
 Url:            https://www.kernel.org/pub/linux/utils/util-linux/
 Source:         https://www.kernel.org/pub/linux/utils/util-linux/v2.33/util-linux-%{version}.tar.xz
 Source1:        util-linux-rpmlintrc
+Source2:        util-linux-login_defs-check.sh
 Source4:        raw.service
 Source5:        etc.raw
 Source6:        etc_filesystems
@@ -145,6 +145,12 @@ Source51:       blkid.conf
 Patch0:         make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
 Patch1:         libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
 Patch2:         Add-documentation-on-blacklisted-modules-to-mount-8-.patch
+# PATCH-FIX-UPSTREAM util-linux-login_defs-priority1.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
+Patch3:         util-linux-login_defs-priority1.patch
+# PATCH-FIX-UPSTREAM util-linux-login_defs-priority2.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
+Patch4:         util-linux-login_defs-priority2.patch
+# PATCH-FIX-UPSTREAM util-linux-login_defs-SYS_UID.patch bsc1121197 sbrabec@suse.com -- Fix discrepancies in SYS_UID* fallback.
+Patch5:         util-linux-login_defs-SYS_UID.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #
 %if %build_util_linux
@@ -174,6 +180,10 @@ Provides:       s390-32
 # uuid-runtime appeared in SLE11 SP1 to SLE11 SP3
 Provides:       uuid-runtime = %{version}-%{release}
 Obsoletes:      uuid-runtime <= 2.19.1
+# All login.defs variables require support from shadow side.
+# Upgrade this symbol version only if new variables appear!
+# Verify by shadow-login_defs-check.sh from shadow source package.
+Requires:       login_defs-support-for-util-linux >= 2.33.1
 #
 # Using "Requires" here would lend itself to help upgrading, but since
 # util-linux is in the initial bootstrap, that is not a good thing to do:
@@ -380,11 +390,16 @@ library.
 %endif
 %prep
 %setup -q -n %{_name}-%{version}
+cp -a %{S:2} .
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 %build
+bash ./util-linux-login_defs-check.sh
 %if %build_util_linux
 #
 #BEGIN SYSTEMD SAFETY CHECK
@@ -720,12 +735,6 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
 %if %build_util_linux
 %pre
 %service_add_pre raw.service
-# Check whether we are upgrading from < Leap 15 or SLE 15
-# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
-# (bsc#353876#c7)
-if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
-	touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
-fi
 
 %post
 %service_add_post raw.service
@@ -749,19 +758,19 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
 	fi
 done
 # %{_sysconfdir}/default/su is tagged as noreplace.
-# But we want to upgrade to a more secure default on upgrade.
-# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
-if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
-		 grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
-	if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
-		cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
+# But we want to migrate variables to /etc/login.defs (bsc#1121197).
+# Perform one-time config replace.
+if ! grep -q "^# /etc/default/su is an override" %{_sysconfdir}/default/su ; then
+	if test -f %{_sysconfdir}/default/su.rpmnew ; then
+		if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
+			cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
+		fi
+		mv %{_sysconfdir}/default/su.rpmnew %{_sysconfdir}/default/su
+		echo "One time clean-up of %{_sysconfdir}/default/su was performed." >&2
+		echo "Original contents was saved to %{_sysconfdir}/default/su.rpmorig." >&2
+		echo "Please edit %{_sysconfdir}/login.defs or %{_sysconfdir}/default/su to restore your customization." >&2
 	fi
-	sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
-	echo "One time change of %{_sysconfdir}/default/su was performed." >&2
-	echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
-	echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
 fi
-rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
 
 %preun
 %service_del_preun raw.service
diff --git a/su.default b/su.default
index 89fc7e2..0840fb4 100644
--- a/su.default
+++ b/su.default
@@ -1,14 +1,8 @@
-# Per default, only "su -" will set a new PATH.
-# If this variable is set to "yes" (default is "no"),
-# every su call will overwrite the PATH variable.
+# /etc/default/su is an override for /etc/login.defs for su and runuser
+# (It is also read as a fallback for login.)
+#
+# See /etc/login.defs, su(1) or runuser(1) for more.
+#
+# List of su/runuser variables:
+# ALWAYS_SET_PATH, ENV_PATH, ENV_ROOTPATH, ENV_SUPATH, FAIL_DELAY
 #
-# The recommended default is "yes". The default "no" behavior could have
-# a security implication in applications that use commands without path.
-ALWAYS_SET_PATH=yes
-
-# Default path.
-PATH=/usr/local/bin:/bin:/usr/bin
-
-# Default path for a user invoking su to root.
-SUPATH=/usr/sbin:/bin:/usr/bin:/sbin
-
diff --git a/util-linux-login_defs-SYS_UID.patch b/util-linux-login_defs-SYS_UID.patch
new file mode 100644
index 0000000..7098d21
--- /dev/null
+++ b/util-linux-login_defs-SYS_UID.patch
@@ -0,0 +1,60 @@
+From 0d37969cbe2cb85d9c01f78071528a8a7c789f96 Mon Sep 17 00:00:00 2001
+From: Stanislav Brabec <sbrabec@suse.cz>
+Date: Wed, 24 Apr 2019 11:16:53 +0200
+Subject: [PATCH] lslogins: Fix discrepancies of SYS_UID_MIN
+
+util-linux does not contain useradd. Its most popular implementation
+comes from shadow. SYS_UID_MIN is one of common parameters. Its
+hardcoded fallback value is equal to 101 in shadow useradd (see
+shadow-4.6/libmisc/find_new_uid.c: get_ranges()), but 201 in
+login-utils/lslogins.c.
+
+Let lslogins use the same fallback as useradd from shadow.
+
+Hopefully most distros define its custom value of SYS_UID_MIN in
+/etc/login.defs, so this problem is not visible.
+
+login-utils/lslogins.1 does not mention its default at all. Add a
+reference and improve text of lslogins(1) to prevent off-by-one
+interpretation.
+
+Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ login-utils/lslogins.1 | 6 +++---
+ login-utils/lslogins.c | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/login-utils/lslogins.1 b/login-utils/lslogins.1
+index 5aa14c706..f003ef264 100644
+--- a/login-utils/lslogins.1
++++ b/login-utils/lslogins.1
+@@ -92,9 +92,9 @@ Display information related to login by password (see also \fB\-afL).
+ Raw output (no columnation).
+ .TP
+ \fB\-s\fR, \fB\-\-system\-accs\fR
+-Show system accounts.  These are by default all accounts with a UID below 1000
+-(non-inclusive), with the exception of either nobody or nfsnobody (UID 65534).
+-This hardcoded default maybe overwritten by parameters SYS_UID_MIN and SYS_UID_MAX in
++Show system accounts.  These are by default all accounts with a UID between 101 and 999
++(inclusive), with the exception of either nobody or nfsnobody (UID 65534).
++This hardcoded default may be overwritten by parameters SYS_UID_MIN and SYS_UID_MAX in
+ the file /etc/login.defs.
+ .TP
+ \fB\-\-time\-format\fR \fItype\fP
+diff --git a/login-utils/lslogins.c b/login-utils/lslogins.c
+index efb20a4f7..3d9c9b97a 100644
+--- a/login-utils/lslogins.c
++++ b/login-utils/lslogins.c
+@@ -74,7 +74,7 @@ static int lslogins_flag;
+ 
+ #define UL_UID_MIN 1000
+ #define UL_UID_MAX 60000
+-#define UL_SYS_UID_MIN 201
++#define UL_SYS_UID_MIN 101
+ #define UL_SYS_UID_MAX 999
+ 
+ /* we use the value of outmode to determine
+-- 
+2.21.0
+
diff --git a/util-linux-login_defs-check.sh b/util-linux-login_defs-check.sh
new file mode 100644
index 0000000..b500955
--- /dev/null
+++ b/util-linux-login_defs-check.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# Extract list of variables supported by su/runuser.
+#
+# If you edit this file, you will probably need to edit
+# shadow-login_defs-check.sh from shadow sources in a similar way.
+
+set -o errexit
+
+echo -n "Checking login.defs variables in util-linux... " >&2
+(
+	grep -rh getlogindefs . |
+		sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p'
+	grep -rh logindefs_setenv . |
+		sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p'
+) | LC_ALL=C sort -u >util-linux-login_defs-vars.lst
+
+if test $(sha1sum util-linux-login_defs-vars.lst | sed 's/ .*$//') != a9c56a10a4b5a0afb63c9208b8ca0cb1b46a8429 ; then
+
+	echo "does not match!" >&2
+	echo "Checksum is: $(sha1sum util-linux-login_defs-vars.lst | sed 's/ .*$//')" >&2
+
+cat >&2 <<EOF
+
+You have to perform following steps:
+
+Check whether the error is false positive (script failed to extract
+variables) or true positive (variable list changed).
+
+If it is false positive:
+- Fix this script.
+- The same fix is needed in shadow package in shadow-login_defs-check.sh.
+
+If it is true positive:
+- Check-out shadow package and call shadow-login_defs-check.sh.
+- Compare its output shadow-login_defs-check-util-linux.lst with
+  util-linux-login_defs-vars.lst in the util-linux build directory.
+- Update shadow shadow-login_defs-util-linux.patch, if needed.
+- If shadow-login_defs-util-linux.patch was updated, update
+  login_defs-support-for-util-linux symbol version in both shadow and
+  util-linux spec files accordingly.
+- Update checksum in this script.
+- Possibly update su.default with these new list of su/runuser specific
+  variables:
+EOF
+	echo -n "  " >&2
+	(
+		grep -rh getlogindefs login-utils/su-common.c |
+			sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p'
+		grep -rh logindefs_setenv  login-utils/su-common.c |
+			sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p'
+	) | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ /, /g;s/, $//' >&2
+	echo -e '\n' >&2
+
+	exit 1
+else
+	echo "OK" >&2
+fi
diff --git a/util-linux-login_defs-priority1.patch b/util-linux-login_defs-priority1.patch
new file mode 100644
index 0000000..ce6ce19
--- /dev/null
+++ b/util-linux-login_defs-priority1.patch
@@ -0,0 +1,39 @@
+From 15a191f6d30dfe202a080a3d90968b63d695a29f Mon Sep 17 00:00:00 2001
+From: Stanislav Brabec <sbrabec@suse.cz>
+Date: Thu, 10 Jan 2019 01:28:53 +0100
+Subject: [PATCH 1/2] su-common.c: prefer /etc/default/su over login.defs
+
+su(1) documentation says:
+       /etc/default/su  command specific logindef config file
+       /etc/login.defs  global logindef config file
+
+It indirectly indicates that /etc/default/su should take precedence
+over /etc/login.defs.
+
+But the reverse is true. It is not possible to define ENV_PATH in
+/etc/login.defs and then make su specific customization in
+/etc/default/su. We need to change read order to match the documented
+behavior.
+
+Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
+---
+ login-utils/su-common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/login-utils/su-common.c b/login-utils/su-common.c
+index e0604e246..19074247c 100644
+--- a/login-utils/su-common.c
++++ b/login-utils/su-common.c
+@@ -1229,8 +1229,8 @@ static void load_config(void *data)
+ 	struct su_context *su = (struct su_context *) data;
+ 
+ 	DBG(MISC, ul_debug("loading logindefs"));
+-	logindefs_load_file(su->runuser ? _PATH_LOGINDEFS_RUNUSER : _PATH_LOGINDEFS_SU);
+ 	logindefs_load_file(_PATH_LOGINDEFS);
++	logindefs_load_file(su->runuser ? _PATH_LOGINDEFS_RUNUSER : _PATH_LOGINDEFS_SU);
+ }
+ 
+ /*
+-- 
+2.20.1
+
diff --git a/util-linux-login_defs-priority2.patch b/util-linux-login_defs-priority2.patch
new file mode 100644
index 0000000..7d7013d
--- /dev/null
+++ b/util-linux-login_defs-priority2.patch
@@ -0,0 +1,74 @@
+From 86f42e5a2a9d8a483ad0ca85fdf090172fb4d385 Mon Sep 17 00:00:00 2001
+From: Stanislav Brabec <sbrabec@suse.cz>
+Date: Thu, 10 Jan 2019 01:28:54 +0100
+Subject: [PATCH 2/2] su-common.c: prefer ENV_SUPATH over ENV_ROOTPATH
+
+ENV_SUPATH and ENV_ROOTPATH are equivalent and ENV_ROOTPATH takes
+precedence in both login and su. It makes no sense. More logical would be
+precedence of ENV_SUPATH in su and ENV_ROOTPATH in login.
+
+Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
+---
+ login-utils/login.1     | 2 +-
+ login-utils/runuser.1   | 2 +-
+ login-utils/su-common.c | 4 ++--
+ login-utils/su.1        | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/login-utils/login.1 b/login-utils/login.1
+index cb8addec3..b73eae147 100644
+--- a/login-utils/login.1
++++ b/login-utils/login.1
+@@ -282,7 +282,7 @@ a regular user logs in.  The default value is
+ (string)
+ .RS 4
+ If set, it will be used to define the PATH environment variable when
+-the superuser logs in.  The default value is
++the superuser logs in.  ENV_ROOTPATH takes precedence.  The default value is
+ .I /usr\:/local\:/sbin:\:/usr\:/local\:/bin:\:/sbin:\:/bin:\:/usr\:/sbin:\:/usr\:/bin
+ .RE
+ .SH FILES
+diff --git a/login-utils/runuser.1 b/login-utils/runuser.1
+index bf0d02471..221672200 100644
+--- a/login-utils/runuser.1
++++ b/login-utils/runuser.1
+@@ -183,7 +183,7 @@ default value is
+ .B ENV_SUPATH
+ (string)
+ .RS 4
+-Defines the PATH environment variable for root. The default value is
++Defines the PATH environment variable for root.  ENV_SUPATH takes precedence.  The default value is
+ .IR /usr/local/sbin:\:/usr/local/bin:\:/sbin:\:/bin:\:/usr/sbin:\:/usr/bin .
+ .RE
+ .PP
+diff --git a/login-utils/su-common.c b/login-utils/su-common.c
+index 19074247c..0e44eb87c 100644
+--- a/login-utils/su-common.c
++++ b/login-utils/su-common.c
+@@ -989,8 +989,8 @@ static void setenv_path(const struct passwd *pw)
+ 	if (pw->pw_uid)
+ 		rc = logindefs_setenv("PATH", "ENV_PATH", _PATH_DEFPATH);
+ 
+-	else if ((rc = logindefs_setenv("PATH", "ENV_ROOTPATH", NULL)) != 0)
+-		rc = logindefs_setenv("PATH", "ENV_SUPATH", _PATH_DEFPATH_ROOT);
++	else if ((rc = logindefs_setenv("PATH", "ENV_SUPATH", NULL)) != 0)
++		rc = logindefs_setenv("PATH", "ENV_ROOTPATH", _PATH_DEFPATH_ROOT);
+ 
+ 	if (rc)
+ 		err(EXIT_FAILURE, _("failed to set the PATH environment variable"));
+diff --git a/login-utils/su.1 b/login-utils/su.1
+index d6a064fd2..5ae6d6b2d 100644
+--- a/login-utils/su.1
++++ b/login-utils/su.1
+@@ -209,7 +209,7 @@ default value is
+ .B ENV_SUPATH
+ (string)
+ .RS 4
+-Defines the PATH environment variable for root.  The default value is
++Defines the PATH environment variable for root.  ENV_SUPATH takes precedence.  The default value is
+ .IR /usr/local/sbin:\:/usr/local/bin:\:/sbin:\:/bin:\:/usr/sbin:\:/usr/bin .
+ .RE
+ .PP
+-- 
+2.20.1
+
diff --git a/util-linux-systemd.changes b/util-linux-systemd.changes
index cc0ebab..da9200a 100644
--- a/util-linux-systemd.changes
+++ b/util-linux-systemd.changes
@@ -1,9 +1,26 @@
+-------------------------------------------------------------------
+Thu May  2 23:51:45 CEST 2019 - sbrabec@suse.com
+
+- Fix problems in reading of login.defs values (bsc#1121197,
+  util-linux-login_defs-priority1.patch,
+  util-linux-login_defs-priority2.patch,
+  util-linux-login_defs-SYS_UID.patch).
+- Perform one-time reset of /etc/default/su (bsc#1121197).
+- Add virtual symbols for login.defs compatibility (bsc#1121197).
+- Add login.defs safety check util-linux-login_defs-check.sh
+  (bsc#1121197).
+
 -------------------------------------------------------------------
 Mon Mar  4 15:23:27 CET 2019 - sbrabec@suse.com
 
 - Integrate pam_keyinit pam module to login
   (boo#1081947, login.pamd, remote.pamd).
 
+-------------------------------------------------------------------
+Mon Mar  4 13:00:08 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Drop bc BuildRequires: not needed.
+
 -------------------------------------------------------------------
 Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwilck@suse.com>
 
diff --git a/util-linux-systemd.spec b/util-linux-systemd.spec
index d362767..733c5f5 100644
--- a/util-linux-systemd.spec
+++ b/util-linux-systemd.spec
@@ -75,7 +75,6 @@ Summary:        %main_summary
 License:        GPL-2.0-or-later
 Group:          %main_group
 BuildRequires:  audit-devel
-BuildRequires:  bc
 BuildRequires:  binutils-devel
 BuildRequires:  fdupes
 BuildRequires:  gettext-devel
@@ -127,6 +126,7 @@ Release:        0
 Url:            https://www.kernel.org/pub/linux/utils/util-linux/
 Source:         https://www.kernel.org/pub/linux/utils/util-linux/v2.33/util-linux-%{version}.tar.xz
 Source1:        util-linux-rpmlintrc
+Source2:        util-linux-login_defs-check.sh
 Source4:        raw.service
 Source5:        etc.raw
 Source6:        etc_filesystems
@@ -145,6 +145,12 @@ Source51:       blkid.conf
 Patch0:         make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
 Patch1:         libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
 Patch2:         Add-documentation-on-blacklisted-modules-to-mount-8-.patch
+# PATCH-FIX-UPSTREAM util-linux-login_defs-priority1.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
+Patch3:         util-linux-login_defs-priority1.patch
+# PATCH-FIX-UPSTREAM util-linux-login_defs-priority2.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
+Patch4:         util-linux-login_defs-priority2.patch
+# PATCH-FIX-UPSTREAM util-linux-login_defs-SYS_UID.patch bsc1121197 sbrabec@suse.com -- Fix discrepancies in SYS_UID* fallback.
+Patch5:         util-linux-login_defs-SYS_UID.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #
 %if %build_util_linux
@@ -174,6 +180,10 @@ Provides:       s390-32
 # uuid-runtime appeared in SLE11 SP1 to SLE11 SP3
 Provides:       uuid-runtime = %{version}-%{release}
 Obsoletes:      uuid-runtime <= 2.19.1
+# All login.defs variables require support from shadow side.
+# Upgrade this symbol version only if new variables appear!
+# Verify by shadow-login_defs-check.sh from shadow source package.
+Requires:       login_defs-support-for-util-linux >= 2.33.1
 #
 # Using "Requires" here would lend itself to help upgrading, but since
 # util-linux is in the initial bootstrap, that is not a good thing to do:
@@ -380,11 +390,16 @@ library.
 %endif
 %prep
 %setup -q -n %{_name}-%{version}
+cp -a %{S:2} .
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 %build
+bash ./util-linux-login_defs-check.sh
 %if %build_util_linux
 #
 #BEGIN SYSTEMD SAFETY CHECK
@@ -720,12 +735,6 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
 %if %build_util_linux
 %pre
 %service_add_pre raw.service
-# Check whether we are upgrading from < Leap 15 or SLE 15
-# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
-# (bsc#353876#c7)
-if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
-	touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
-fi
 
 %post
 %service_add_post raw.service
@@ -749,19 +758,19 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
 	fi
 done
 # %{_sysconfdir}/default/su is tagged as noreplace.
-# But we want to upgrade to a more secure default on upgrade.
-# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
-if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
-		 grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
-	if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
-		cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
+# But we want to migrate variables to /etc/login.defs (bsc#1121197).
+# Perform one-time config replace.
+if ! grep -q "^# /etc/default/su is an override" %{_sysconfdir}/default/su ; then
+	if test -f %{_sysconfdir}/default/su.rpmnew ; then
+		if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
+			cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
+		fi
+		mv %{_sysconfdir}/default/su.rpmnew %{_sysconfdir}/default/su
+		echo "One time clean-up of %{_sysconfdir}/default/su was performed." >&2
+		echo "Original contents was saved to %{_sysconfdir}/default/su.rpmorig." >&2
+		echo "Please edit %{_sysconfdir}/login.defs or %{_sysconfdir}/default/su to restore your customization." >&2
 	fi
-	sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
-	echo "One time change of %{_sysconfdir}/default/su was performed." >&2
-	echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
-	echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
 fi
-rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
 
 %preun
 %service_del_preun raw.service
diff --git a/util-linux.changes b/util-linux.changes
index c862851..da9200a 100644
--- a/util-linux.changes
+++ b/util-linux.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu May  2 23:51:45 CEST 2019 - sbrabec@suse.com
+
+- Fix problems in reading of login.defs values (bsc#1121197,
+  util-linux-login_defs-priority1.patch,
+  util-linux-login_defs-priority2.patch,
+  util-linux-login_defs-SYS_UID.patch).
+- Perform one-time reset of /etc/default/su (bsc#1121197).
+- Add virtual symbols for login.defs compatibility (bsc#1121197).
+- Add login.defs safety check util-linux-login_defs-check.sh
+  (bsc#1121197).
+
 -------------------------------------------------------------------
 Mon Mar  4 15:23:27 CET 2019 - sbrabec@suse.com
 
diff --git a/util-linux.spec b/util-linux.spec
index bfbf92e..3d21f5b 100644
--- a/util-linux.spec
+++ b/util-linux.spec
@@ -126,6 +126,7 @@ Release:        0
 Url:            https://www.kernel.org/pub/linux/utils/util-linux/
 Source:         https://www.kernel.org/pub/linux/utils/util-linux/v2.33/util-linux-%{version}.tar.xz
 Source1:        util-linux-rpmlintrc
+Source2:        util-linux-login_defs-check.sh
 Source4:        raw.service
 Source5:        etc.raw
 Source6:        etc_filesystems
@@ -144,6 +145,12 @@ Source51:       blkid.conf
 Patch0:         make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
 Patch1:         libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
 Patch2:         Add-documentation-on-blacklisted-modules-to-mount-8-.patch
+# PATCH-FIX-UPSTREAM util-linux-login_defs-priority1.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
+Patch3:         util-linux-login_defs-priority1.patch
+# PATCH-FIX-UPSTREAM util-linux-login_defs-priority2.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
+Patch4:         util-linux-login_defs-priority2.patch
+# PATCH-FIX-UPSTREAM util-linux-login_defs-SYS_UID.patch bsc1121197 sbrabec@suse.com -- Fix discrepancies in SYS_UID* fallback.
+Patch5:         util-linux-login_defs-SYS_UID.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #
 %if %build_util_linux
@@ -173,6 +180,10 @@ Provides:       s390-32
 # uuid-runtime appeared in SLE11 SP1 to SLE11 SP3
 Provides:       uuid-runtime = %{version}-%{release}
 Obsoletes:      uuid-runtime <= 2.19.1
+# All login.defs variables require support from shadow side.
+# Upgrade this symbol version only if new variables appear!
+# Verify by shadow-login_defs-check.sh from shadow source package.
+Requires:       login_defs-support-for-util-linux >= 2.33.1
 #
 # Using "Requires" here would lend itself to help upgrading, but since
 # util-linux is in the initial bootstrap, that is not a good thing to do:
@@ -379,11 +390,16 @@ library.
 %endif
 %prep
 %setup -q -n %{_name}-%{version}
+cp -a %{S:2} .
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 %build
+bash ./util-linux-login_defs-check.sh
 %if %build_util_linux
 #
 #BEGIN SYSTEMD SAFETY CHECK
@@ -719,12 +735,6 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
 %if %build_util_linux
 %pre
 %service_add_pre raw.service
-# Check whether we are upgrading from < Leap 15 or SLE 15
-# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
-# (bsc#353876#c7)
-if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
-	touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
-fi
 
 %post
 %service_add_post raw.service
@@ -748,19 +758,19 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
 	fi
 done
 # %{_sysconfdir}/default/su is tagged as noreplace.
-# But we want to upgrade to a more secure default on upgrade.
-# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
-if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
-		 grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
-	if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
-		cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
+# But we want to migrate variables to /etc/login.defs (bsc#1121197).
+# Perform one-time config replace.
+if ! grep -q "^# /etc/default/su is an override" %{_sysconfdir}/default/su ; then
+	if test -f %{_sysconfdir}/default/su.rpmnew ; then
+		if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
+			cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
+		fi
+		mv %{_sysconfdir}/default/su.rpmnew %{_sysconfdir}/default/su
+		echo "One time clean-up of %{_sysconfdir}/default/su was performed." >&2
+		echo "Original contents was saved to %{_sysconfdir}/default/su.rpmorig." >&2
+		echo "Please edit %{_sysconfdir}/login.defs or %{_sysconfdir}/default/su to restore your customization." >&2
 	fi
-	sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
-	echo "One time change of %{_sysconfdir}/default/su was performed." >&2
-	echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
-	echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
 fi
-rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
 
 %preun
 %service_del_preun raw.service