shadow-utils package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>

SOURCES/shadow-4.1.5-2ndskip.patch

@@ -0,0 +1,100 @@
+diff -up shadow-4.1.5/src/grpconv.c.2ndskip shadow-4.1.5/src/grpconv.c
+--- shadow-4.1.5/src/grpconv.c.2ndskip	2012-06-18 13:08:34.438910815 +0200
++++ shadow-4.1.5/src/grpconv.c	2012-06-18 13:12:51.270764552 +0200
+@@ -143,6 +143,7 @@ int main (int argc, char **argv)
+ 	struct group grent;
+ 	const struct sgrp *sg;
+ 	struct sgrp sgent;
++	char *np;
+ 
+ 	Prog = Basename (argv[0]);
+ 
+@@ -184,20 +185,25 @@ int main (int argc, char **argv)
+ 	 * Remove /etc/gshadow entries for groups not in /etc/group.
+ 	 */
+ 	(void) sgr_rewind ();
+-	while ((sg = sgr_next ()) != NULL) {
+-		if (gr_locate (sg->sg_name) != NULL) {
+-			continue;
+-		}
+-
+-		if (sgr_remove (sg->sg_name) == 0) {
+-			/*
+-			 * This shouldn't happen (the entry exists) but...
+-			 */
+-			fprintf (stderr,
+-			         _("%s: cannot remove entry '%s' from %s\n"),
+-			         Prog, sg->sg_name, sgr_dbname ());
+-			fail_exit (3);
++	sg = sgr_next ();
++	np=NULL;
++	while (sg != NULL) {
++		np = strdup(sg->sg_name);
++		sg = sgr_next ();
++
++		if(gr_locate (np) == NULL) {
++			if (sgr_remove (np) == 0) {
++				/*
++				 * This shouldn't happen (the entry exists) but...
++				 */
++				fprintf (stderr,
++					 _("%s: cannot remove entry '%s' from %s\n"),
++					 Prog, np, sgr_dbname ());
++				free(np);
++				fail_exit (3);
++			}
+ 		}
++		free(np);
+ 	}
+ 
+ 	/*
+diff -up shadow-4.1.5/src/pwconv.c.2ndskip shadow-4.1.5/src/pwconv.c
+--- shadow-4.1.5/src/pwconv.c.2ndskip	2012-06-18 11:23:33.938511797 +0200
++++ shadow-4.1.5/src/pwconv.c	2012-06-18 12:57:18.396426194 +0200
+@@ -173,6 +173,7 @@ int main (int argc, char **argv)
+ 	struct passwd pwent;
+ 	const struct spwd *sp;
+ 	struct spwd spent;
++	char *np;
+ 
+ 	Prog = Basename (argv[0]);
+ 
+@@ -223,20 +224,25 @@ int main (int argc, char **argv)
+ 	 * Remove /etc/shadow entries for users not in /etc/passwd.
+ 	 */
+ 	(void) spw_rewind ();
+-	while ((sp = spw_next ()) != NULL) {
+-		if (pw_locate (sp->sp_namp) != NULL) {
+-			continue;
+-		}
+-
+-		if (spw_remove (sp->sp_namp) == 0) {
+-			/*
+-			 * This shouldn't happen (the entry exists) but...
+-			 */
+-			fprintf (stderr,
+-			         _("%s: cannot remove entry '%s' from %s\n"),
+-			         Prog, sp->sp_namp, spw_dbname ());
+-			fail_exit (E_FAILURE);
++	sp = spw_next ();
++	np = NULL;
++	while (sp != NULL) {
++		np = strdup(sp->sp_namp);
++		sp = spw_next ();
++
++		if (pw_locate (np) == NULL) {
++			if (spw_remove (np) == 0) {
++				/*
++				 * This shouldn't happen (the entry exists) but...
++				 */
++				fprintf (stderr,
++					 _("%s: cannot remove entry '%s' from %s\n"),
++					 Prog, np, spw_dbname ());
++				free(np);
++				fail_exit (E_FAILURE);
++			}
+ 		}
++		free(np);
+ 	}
+ 
+ 	/*

SOURCES/shadow-4.1.5-redhat.patch

@@ -0,0 +1,42 @@
+diff -up shadow-4.1.5/man/useradd.8.redhat shadow-4.1.5/man/useradd.8
+diff -up shadow-4.1.5/src/useradd.c.redhat shadow-4.1.5/src/useradd.c
+--- shadow-4.1.5/src/useradd.c.redhat	2011-12-09 23:23:15.000000000 +0100
++++ shadow-4.1.5/src/useradd.c	2012-03-19 09:50:05.227588669 +0100
+@@ -93,7 +93,7 @@ const char *Prog;
+ static gid_t def_group = 100;
+ static const char *def_gname = "other";
+ static const char *def_home = "/home";
+-static const char *def_shell = "";
++static const char *def_shell = "/sbin/nologin";
+ static const char *def_template = SKEL_DIR;
+ static const char *def_create_mail_spool = "no";
+ 
+@@ -103,7 +103,7 @@ static const char *def_expire = "";
+ #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
+ 
+ static const char *user_name = "";
+-static const char *user_pass = "!";
++static const char *user_pass = "!!";
+ static uid_t user_id;
+ static gid_t user_gid;
+ static const char *user_comment = "";
+@@ -1011,9 +1011,9 @@ static void process_flags (int argc, cha
+ 		};
+ 		while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
++		                         "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:UZ:",
+ #else				/* !WITH_SELINUX */
+-		                         "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
++		                         "b:c:d:De:f:g:G:hk:K:lmMnNop:rR:s:u:U",
+ #endif				/* !WITH_SELINUX */
+ 		                         long_options, NULL)) != -1) {
+ 			switch (c) {
+@@ -1164,6 +1164,7 @@ static void process_flags (int argc, cha
+ 			case 'M':
+ 				Mflg = true;
+ 				break;
++			case 'n':
+ 			case 'N':
+ 				Nflg = true;
+ 				break;

SOURCES/shadow-4.1.5-uflg.patch

@@ -0,0 +1,23 @@
+diff -up shadow-4.1.5/libmisc/find_new_gid.c.uflg shadow-4.1.5/libmisc/find_new_gid.c
+--- shadow-4.1.5/libmisc/find_new_gid.c.uflg	2011-07-30 01:10:27.000000000 +0200
++++ shadow-4.1.5/libmisc/find_new_gid.c	2012-03-19 12:51:46.090554116 +0100
+@@ -68,7 +68,7 @@ int find_new_gid (bool sys_group,
+ 			return -1;
+ 		}
+ 	} else {
+-		gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
++		gid_min = (gid_t) 1;
+ 		gid_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
+ 		gid_max = (gid_t) getdef_ulong ("SYS_GID_MAX", (unsigned long) gid_max);
+ 		if (gid_max < gid_min) {
+@@ -100,6 +100,10 @@ int find_new_gid (bool sys_group,
+ 		return 0;
+ 	}
+ 
++        /* if we did not find free preffered system gid, we start to look for
++         * one in the range assigned to dynamic system IDs */
++        if (sys_group)
++                gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
+ 
+ 	/*
+ 	 * Search the entire group file,

SOURCES/shadow-4.1.5.1-audit-owner.patch

@@ -0,0 +1,32 @@
+diff -up shadow-4.1.5.1/src/usermod.c.audit shadow-4.1.5.1/src/usermod.c
+--- shadow-4.1.5.1/src/usermod.c.audit	2011-11-21 23:02:16.000000000 +0100
++++ shadow-4.1.5.1/src/usermod.c	2013-06-14 14:54:20.237026550 +0200
+@@ -1513,6 +1513,14 @@ static void move_home (void)
+ 			fail_exit (E_HOMEDIR);
+ 		}
+ 
++#ifdef WITH_AUDIT
++		if (uflg || gflg) {
++			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++				      "changing home directory owner",
++				      user_newname, (unsigned int) user_newid, 1);
++		}
++#endif
++
+ 		if (rename (user_home, user_newhome) == 0) {
+ 			/* FIXME: rename above may have broken symlinks
+ 			 *        pointing to the user's home directory
+@@ -1947,6 +1955,13 @@ int main (int argc, char **argv)
+ 			 * ownership.
+ 			 *
+ 			 */
++#ifdef WITH_AUDIT
++			if (uflg || gflg) {
++				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++					      "changing home directory owner",
++					      user_newname, (unsigned int) user_newid, 1);
++			}
++#endif
+ 			if (chown_tree (dflg ? user_newhome : user_home,
+ 			                user_id,
+ 			                uflg ? user_newid  : (uid_t)-1,

SOURCES/shadow-4.1.5.1-backup-mode.patch

@@ -0,0 +1,20 @@
+diff -up shadow-4.1.5.1/lib/commonio.c.backup-mode shadow-4.1.5.1/lib/commonio.c
+--- shadow-4.1.5.1/lib/commonio.c.backup-mode	2012-05-18 21:44:54.000000000 +0200
++++ shadow-4.1.5.1/lib/commonio.c	2012-09-19 20:27:16.089444234 +0200
+@@ -301,15 +301,12 @@ static int create_backup (const char *ba
+ 	struct utimbuf ub;
+ 	FILE *bkfp;
+ 	int c;
+-	mode_t mask;
+ 
+ 	if (fstat (fileno (fp), &sb) != 0) {
+ 		return -1;
+ 	}
+ 
+-	mask = umask (077);
+-	bkfp = fopen (backup, "w");
+-	(void) umask (mask);
++	bkfp = fopen_set_perms (backup, "w", &sb);
+ 	if (NULL == bkfp) {
+ 		return -1;
+ 	}

SOURCES/shadow-4.1.5.1-chgrp-guard.patch

@@ -0,0 +1,44 @@
+diff -up shadow-4.1.5.1/man/usermod.8.xml.chgrp-guard shadow-4.1.5.1/man/usermod.8.xml
+--- shadow-4.1.5.1/man/usermod.8.xml.chgrp-guard	2016-05-04 13:44:17.267917583 +0200
++++ shadow-4.1.5.1/man/usermod.8.xml	2016-05-04 13:44:17.284917968 +0200
+@@ -198,6 +198,12 @@
+ 	    The group ownership of files outside of the user's home directory
+ 	    must be fixed manually.
+ 	  </para>
++	  <para>
++	    The change of the group ownership of files inside of the user's
++	    home directory is also not done if the home dir owner uid is
++	    different from the current or new user id. This is safety measure
++	    for special home directories such as <filename>/</filename>.
++	  </para>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+@@ -364,6 +370,12 @@
+ 	    must be fixed manually.
+ 	  </para>
+ 	  <para>
++	    The change of the user ownership of files inside of the user's
++	    home directory is also not done if the home dir owner uid is
++	    different from the current or new user id. This is safety measure
++	    for special home directories such as <filename>/</filename>.
++	  </para>
++	  <para>
+ 	    No checks will be performed with regard to the
+ 	    <option>UID_MIN</option>, <option>UID_MAX</option>,
+ 	    <option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>
+diff -up shadow-4.1.5.1/src/usermod.c.chgrp-guard shadow-4.1.5.1/src/usermod.c
+--- shadow-4.1.5.1/src/usermod.c.chgrp-guard	2016-05-04 13:44:17.280917877 +0200
++++ shadow-4.1.5.1/src/usermod.c	2016-05-04 13:44:17.285917991 +0200
+@@ -1971,7 +1971,10 @@ int main (int argc, char **argv)
+ 	}
+ 
+ 	if (!mflg && (uflg || gflg)) {
+-		if (access (dflg ? user_newhome : user_home, F_OK) == 0) {
++		struct stat sb;
++
++		if (stat (dflg ? user_newhome : user_home, &sb) == 0 &&
++			((uflg && sb.st_uid == user_newid) || sb.st_uid == user_id)) {
+ 			/*
+ 			 * Change the UID on all of the files owned by
+ 			 * `user_id' to `user_newid' in the user's home

SOURCES/shadow-4.1.5.1-crypt-null.patch

@@ -0,0 +1,195 @@
+diff -up shadow-4.1.5.1/lib/encrypt.c.crypt-null shadow-4.1.5.1/lib/encrypt.c
+--- shadow-4.1.5.1/lib/encrypt.c.crypt-null	2010-08-22 15:05:02.000000000 +0200
++++ shadow-4.1.5.1/lib/encrypt.c	2013-07-25 12:27:30.438355782 +0200
+@@ -49,11 +49,10 @@
+ 	if (!cp) {
+ 		/*
+ 		 * Single Unix Spec: crypt() may return a null pointer,
+-		 * and set errno to indicate an error.  The caller doesn't
+-		 * expect us to return NULL, so...
++		 * and set errno to indicate an error. In this case return
++		 * the NULL so the caller can handle appropriately.
+ 		 */
+-		perror ("crypt");
+-		exit (EXIT_FAILURE);
++		return cp;
+ 	}
+ 
+ 	/* The GNU crypt does not return NULL if the algorithm is not
+diff -up shadow-4.1.5.1/libmisc/valid.c.crypt-null shadow-4.1.5.1/libmisc/valid.c
+--- shadow-4.1.5.1/libmisc/valid.c.crypt-null	2010-08-22 21:14:41.000000000 +0200
++++ shadow-4.1.5.1/libmisc/valid.c	2013-07-25 12:27:30.440355847 +0200
+@@ -95,6 +95,7 @@ bool valid (const char *password, const
+ 	 */
+ 
+ 	if (   (NULL != ent->pw_name)
++	    && (NULL != encrypted)
+ 	    && (strcmp (encrypted, ent->pw_passwd) == 0)) {
+ 		return true;
+ 	} else {
+diff -up shadow-4.1.5.1/lib/pwauth.c.crypt-null shadow-4.1.5.1/lib/pwauth.c
+--- shadow-4.1.5.1/lib/pwauth.c.crypt-null	2009-07-13 00:24:48.000000000 +0200
++++ shadow-4.1.5.1/lib/pwauth.c	2013-07-25 12:27:30.438355782 +0200
+@@ -73,6 +73,7 @@ int pw_auth (const char *cipher,
+ 	char prompt[1024];
+ 	char *clear = NULL;
+ 	const char *cp;
++	const char *encrypted;
+ 	int retval;
+ 
+ #ifdef	SKEY
+@@ -177,7 +178,11 @@ int pw_auth (const char *cipher,
+ 	 * the results there as well.
+ 	 */
+ 
+-	retval = strcmp (pw_encrypt (input, cipher), cipher);
++	encrypted = pw_encrypt (input, cipher);
++	if (encrypted!=NULL)
++		retval = strcmp (encrypted, cipher);
++	else
++		retval = -1;
+ 
+ #ifdef  SKEY
+ 	/*
+diff -up shadow-4.1.5.1/src/chgpasswd.c.crypt-null shadow-4.1.5.1/src/chgpasswd.c
+--- shadow-4.1.5.1/src/chgpasswd.c.crypt-null	2011-12-09 22:31:40.000000000 +0100
++++ shadow-4.1.5.1/src/chgpasswd.c	2013-07-25 12:27:30.440355847 +0200
+@@ -469,6 +469,10 @@ int main (int argc, char **argv)
+ #endif
+ 			cp = pw_encrypt (newpwd,
+ 			                 crypt_make_salt (crypt_method, arg));
++			if (cp == NULL) {
++				perror ("crypt");
++				exit (EXIT_FAILURE);
++			}	
+ 		}
+ 
+ 		/*
+diff -up shadow-4.1.5.1/src/chpasswd.c.crypt-null shadow-4.1.5.1/src/chpasswd.c
+--- shadow-4.1.5.1/src/chpasswd.c.crypt-null	2011-12-09 22:31:40.000000000 +0100
++++ shadow-4.1.5.1/src/chpasswd.c	2013-07-25 12:27:30.440355847 +0200
+@@ -492,6 +492,10 @@ int main (int argc, char **argv)
+ #endif
+ 			cp = pw_encrypt (newpwd,
+ 			                 crypt_make_salt(crypt_method, arg));
++			if (cp == NULL) {
++				perror ("crypt");
++				exit (EXIT_FAILURE);
++			}
+ 		}
+ 
+ 		/*
+diff -up shadow-4.1.5.1/src/gpasswd.c.crypt-null shadow-4.1.5.1/src/gpasswd.c
+--- shadow-4.1.5.1/src/gpasswd.c.crypt-null	2011-11-19 23:55:04.000000000 +0100
++++ shadow-4.1.5.1/src/gpasswd.c	2013-07-25 12:27:30.441355866 +0200
+@@ -939,6 +939,10 @@ static void change_passwd (struct group
+ 	}
+ 
+ 	cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL));
++	if (cp==NULL) {
++		perror ("crypt");
++		exit (EXIT_FAILURE);
++	}
+ 	memzero (pass, sizeof pass);
+ #ifdef SHADOWGRP
+ 	if (is_shadowgrp) {
+diff -up shadow-4.1.5.1/src/newgrp.c.crypt-null shadow-4.1.5.1/src/newgrp.c
+--- shadow-4.1.5.1/src/newgrp.c.crypt-null	2011-07-30 03:50:01.000000000 +0200
++++ shadow-4.1.5.1/src/newgrp.c	2013-07-25 12:27:30.442355881 +0200
+@@ -184,7 +184,8 @@ static void check_perms (const struct gr
+ 		cpasswd = pw_encrypt (cp, grp->gr_passwd);
+ 		strzero (cp);
+ 
+-		if (grp->gr_passwd[0] == '\0' ||
++		if (cpasswd == NULL ||
++		    grp->gr_passwd[0] == '\0' ||
+ 		    strcmp (cpasswd, grp->gr_passwd) != 0) {
+ #ifdef WITH_AUDIT
+ 			snprintf (audit_buf, sizeof(audit_buf),
+diff -up shadow-4.1.5.1/src/newusers.c.crypt-null shadow-4.1.5.1/src/newusers.c
+--- shadow-4.1.5.1/src/newusers.c.crypt-null	2011-12-09 22:31:40.000000000 +0100
++++ shadow-4.1.5.1/src/newusers.c	2013-07-25 12:27:30.442355881 +0200
+@@ -387,6 +387,7 @@ static int add_user (const char *name, u
+ static void update_passwd (struct passwd *pwd, const char *password)
+ {
+ 	void *crypt_arg = NULL;
++	char *cp;
+ 	if (crypt_method != NULL) {
+ #ifdef USE_SHA_CRYPT
+ 		if (sflg) {
+@@ -398,9 +399,13 @@ static void update_passwd (struct passwd
+ 	if ((crypt_method != NULL) && (0 == strcmp(crypt_method, "NONE"))) {
+ 		pwd->pw_passwd = (char *)password;
+ 	} else {
+-		pwd->pw_passwd = pw_encrypt (password,
+-		                             crypt_make_salt (crypt_method,
+-		                                              crypt_arg));
++		cp=pw_encrypt (password, crypt_make_salt (crypt_method, 
++		                                          crypt_arg));
++		if (cp == NULL) {
++			perror ("crypt");
++			exit (EXIT_FAILURE);
++		}
++		pwd->pw_passwd = cp;
+ 	}
+ }
+ #endif				/* !USE_PAM */
+@@ -412,6 +417,7 @@ static int add_passwd (struct passwd *pw
+ {
+ 	const struct spwd *sp;
+ 	struct spwd spent;
++	char *cp;
+ 
+ #ifndef USE_PAM
+ 	void *crypt_arg = NULL;
+@@ -448,7 +454,12 @@ static int add_passwd (struct passwd *pw
+ 		} else {
+ 			const char *salt = crypt_make_salt (crypt_method,
+ 			                                    crypt_arg);
+-			spent.sp_pwdp = pw_encrypt (password, salt);
++			cp = pw_encrypt (password, salt);
++			if (cp == NULL) {
++				perror ("crypt");
++				exit (EXIT_FAILURE);
++			}
++			spent.sp_pwdp = cp;
+ 		}
+ 		spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
+ 		if (0 == spent.sp_lstchg) {
+@@ -492,7 +503,12 @@ static int add_passwd (struct passwd *pw
+ 		spent.sp_pwdp = (char *)password;
+ 	} else {
+ 		const char *salt = crypt_make_salt (crypt_method, crypt_arg);
+-		spent.sp_pwdp = pw_encrypt (password, salt);
++		cp = pw_encrypt (password, salt);
++		if (cp == NULL) {
++			perror ("crypt");
++			exit (EXIT_FAILURE);
++		}
++		spent.sp_pwdp = cp;
+ 	}
+ #else
+ 	/*
+diff -up shadow-4.1.5.1/src/passwd.c.crypt-null shadow-4.1.5.1/src/passwd.c
+--- shadow-4.1.5.1/src/passwd.c.crypt-null	2012-02-13 21:32:01.000000000 +0100
++++ shadow-4.1.5.1/src/passwd.c	2013-07-25 12:27:30.443355896 +0200
+@@ -242,7 +242,7 @@ static int new_password (const struct pa
+ 		}
+ 
+ 		cipher = pw_encrypt (clear, crypt_passwd);
+-		if (strcmp (cipher, crypt_passwd) != 0) {
++		if ((cipher == NULL) || (strcmp (cipher, crypt_passwd) != 0)) {
+ 			strzero (clear);
+ 			strzero (cipher);
+ 			SYSLOG ((LOG_WARN, "incorrect password for %s",
+@@ -349,6 +349,10 @@ static int new_password (const struct pa
+ 	 * Encrypt the password, then wipe the cleartext password.
+ 	 */
+ 	cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL));
++	if (cp == NULL) {
++		perror ("crypt");
++		exit (EXIT_FAILURE);
++	}
+ 	memzero (pass, sizeof pass);
+ 
+ #ifdef HAVE_LIBCRACK_HIST

SOURCES/shadow-4.1.5.1-date-parsing.patch

@@ -0,0 +1,138 @@
+diff -up shadow-4.1.5.1/libmisc/getdate.c.date-parsing shadow-4.1.5.1/libmisc/getdate.c
+--- shadow-4.1.5.1/libmisc/getdate.c.date-parsing	2008-06-14 00:07:51.000000000 +0200
++++ shadow-4.1.5.1/libmisc/getdate.c	2014-08-29 13:41:22.553267506 +0200
+@@ -261,6 +261,7 @@ static int	yyHaveDay;
+ static int	yyHaveRel;
+ static int	yyHaveTime;
+ static int	yyHaveZone;
++static int	yyHaveYear;
+ static int	yyTimezone;
+ static int	yyDay;
+ static int	yyHour;
+@@ -1730,6 +1731,7 @@ yyreduce:
+ 	      yyDay = (yyvsp[(3) - (5)].Number);
+ 	      yyYear = (yyvsp[(5) - (5)].Number);
+ 	    }
++	    yyHaveYear++;
+ 	}
+     break;
+ 
+@@ -1740,6 +1742,7 @@ yyreduce:
+ 	    yyYear = (yyvsp[(1) - (3)].Number);
+ 	    yyMonth = -(yyvsp[(2) - (3)].Number);
+ 	    yyDay = -(yyvsp[(3) - (3)].Number);
++	    yyHaveYear++;
+ 	}
+     break;
+ 
+@@ -1750,6 +1753,7 @@ yyreduce:
+ 	    yyDay = (yyvsp[(1) - (3)].Number);
+ 	    yyMonth = (yyvsp[(2) - (3)].Number);
+ 	    yyYear = -(yyvsp[(3) - (3)].Number);
++	    yyHaveYear++;
+ 	}
+     break;
+ 
+@@ -1767,6 +1771,7 @@ yyreduce:
+ 	    yyMonth = (yyvsp[(1) - (4)].Number);
+ 	    yyDay = (yyvsp[(2) - (4)].Number);
+ 	    yyYear = (yyvsp[(4) - (4)].Number);
++	    yyHaveYear++;
+ 	}
+     break;
+ 
+@@ -1784,6 +1789,7 @@ yyreduce:
+ 	    yyMonth = (yyvsp[(2) - (3)].Number);
+ 	    yyDay = (yyvsp[(1) - (3)].Number);
+ 	    yyYear = (yyvsp[(3) - (3)].Number);
++	    yyHaveYear++;
+ 	}
+     break;
+ 
+@@ -1928,7 +1934,8 @@ yyreduce:
+   case 49:
+ #line 397 "getdate.y"
+     {
+-	    if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0))
++	    if ((yyHaveTime != 0 || (yyvsp[(1) - (1)].Number) >= 100) && !yyHaveYear
++		&& (yyHaveDate != 0) && (yyHaveRel == 0))
+ 	      yyYear = (yyvsp[(1) - (1)].Number);
+ 	    else
+ 	      {
+@@ -2556,7 +2563,7 @@ yylex (void)
+ 	  return LookupWord (buff);
+ 	}
+       if (c != '(')
+-	return *yyInput++;
++	return (unsigned char)*yyInput++;
+       Count = 0;
+       do
+ 	{
+diff -up shadow-4.1.5.1/libmisc/getdate.y.date-parsing shadow-4.1.5.1/libmisc/getdate.y
+--- shadow-4.1.5.1/libmisc/getdate.y.date-parsing	2008-05-26 10:57:51.000000000 +0200
++++ shadow-4.1.5.1/libmisc/getdate.y	2014-08-29 13:40:37.502229879 +0200
+@@ -152,6 +152,7 @@ static int	yyHaveDay;
+ static int	yyHaveRel;
+ static int	yyHaveTime;
+ static int	yyHaveZone;
++static int      yyHaveYear;
+ static int	yyTimezone;
+ static int	yyDay;
+ static int	yyHour;
+@@ -293,18 +294,21 @@ date	: tUNUMBER '/' tUNUMBER {
+ 	      yyDay = $3;
+ 	      yyYear = $5;
+ 	    }
++	    yyHaveYear++;
+ 	}
+ 	| tUNUMBER tSNUMBER tSNUMBER {
+ 	    /* ISO 8601 format.  yyyy-mm-dd.  */
+ 	    yyYear = $1;
+ 	    yyMonth = -$2;
+ 	    yyDay = -$3;
++	    yyHaveYear++;
+ 	}
+ 	| tUNUMBER tMONTH tSNUMBER {
+ 	    /* e.g. 17-JUN-1992.  */
+ 	    yyDay = $1;
+ 	    yyMonth = $2;
+ 	    yyYear = -$3;
++	    yyHaveYear++;
+ 	}
+ 	| tMONTH tUNUMBER {
+ 	    yyMonth = $1;
+@@ -314,6 +318,7 @@ date	: tUNUMBER '/' tUNUMBER {
+ 	    yyMonth = $1;
+ 	    yyDay = $2;
+ 	    yyYear = $4;
++	    yyHaveYear++;
+ 	}
+ 	| tUNUMBER tMONTH {
+ 	    yyMonth = $2;
+@@ -323,6 +328,7 @@ date	: tUNUMBER '/' tUNUMBER {
+ 	    yyMonth = $2;
+ 	    yyDay = $1;
+ 	    yyYear = $3;
++	    yyHaveYear++;
+ 	}
+ 	;
+ 
+@@ -395,7 +401,8 @@ relunit	: tUNUMBER tYEAR_UNIT {
+ 
+ number	: tUNUMBER
+           {
+-	    if ((yyHaveTime != 0) && (yyHaveDate != 0) && (yyHaveRel == 0))
++	    if ((yyHaveTime != 0 || $1 >= 100) && !yyHaveYear
++		&& (yyHaveDate != 0) && (yyHaveRel == 0))
+ 	      yyYear = $1;
+ 	    else
+ 	      {
+@@ -802,7 +809,7 @@ yylex (void)
+ 	  return LookupWord (buff);
+ 	}
+       if (c != '(')
+-	return *yyInput++;
++	return (unsigned char)*yyInput++;
+       Count = 0;
+       do
+ 	{

SOURCES/shadow-4.1.5.1-default-range.patch

@@ -0,0 +1,35 @@
+diff -up shadow-4.1.5.1/lib/semanage.c.default-range shadow-4.1.5.1/lib/semanage.c
+--- shadow-4.1.5.1/lib/semanage.c.default-range	2012-01-08 17:35:44.000000000 +0100
++++ shadow-4.1.5.1/lib/semanage.c	2013-06-14 15:14:51.970237594 +0200
+@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
+ 		goto done;
+ 	}
+ 
++#if 0
+ 	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+ 	if (ret != 0) {
+ 		fprintf (stderr,
+@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
+ 		ret = 1;
+ 		goto done;
+ 	}
++#endif
+ 
+ 	ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
+ 	if (ret != 0) {
+@@ -200,6 +202,7 @@ static int semanage_user_add (semanage_h
+ 		goto done;
+ 	}
+ 
++#if 0
+ 	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+ 	if (ret != 0) {
+ 		fprintf (stderr,
+@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
+ 		ret = 1;
+ 		goto done;
+ 	}
++#endif
+ 
+ 	ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
+ 	if (ret != 0) {

SOURCES/shadow-4.1.5.1-errmsg.patch

@@ -0,0 +1,23 @@
+diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c
+--- shadow-4.1.5.1/src/useradd.c.logmsg	2013-02-20 15:41:44.000000000 +0100
++++ shadow-4.1.5.1/src/useradd.c	2013-06-14 14:22:59.529661095 +0200
+@@ -1760,6 +1760,9 @@ static void create_home (void)
+ 	if (access (user_home, F_OK) != 0) {
+ #ifdef WITH_SELINUX
+ 		if (set_selinux_file_context (user_home, NULL) != 0) {
++			fprintf (stderr,
++			         _("%s: cannot set SELinux context for home directory %s\n"),
++			         Prog, user_home);
+ 			fail_exit (E_HOMEDIR);
+ 		}
+ #endif
+@@ -1789,6 +1792,9 @@ static void create_home (void)
+ #ifdef WITH_SELINUX
+ 		/* Reset SELinux to create files with default contexts */
+ 		if (reset_selinux_file_context () != 0) {
++			fprintf (stderr,
++			         _("%s: cannot reset SELinux file creation context\n"),
++			         Prog);
+ 			fail_exit (E_HOMEDIR);
+ 		}
+ #endif

SOURCES/shadow-4.1.5.1-goodname.patch

@@ -0,0 +1,113 @@
+diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c
+--- shadow-4.1.5.1/libmisc/chkname.c.goodname	2009-07-13 00:24:45.000000000 +0200
++++ shadow-4.1.5.1/libmisc/chkname.c	2018-04-24 16:32:40.970529916 +0200
+@@ -49,25 +49,44 @@
+ static bool is_valid_name (const char *name)
+ {
+ 	/*
+-	 * User/group names must match [a-z_][a-z0-9_-]*[$]
+-	 */
+-	if (('\0' == *name) ||
+-	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
++         * User/group names must match gnu e-regex:
++         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
++         *
++         * as a non-POSIX, extension, allow "$" as the last char for
++         * sake of Samba 3.x "add machine script"
++         *
++         * Also do not allow fully numeric names or just "." or "..".
++         */
++	int numeric;
++
++	if ('\0' == *name ||
++	    ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
++			      '\0' == name[1])) ||
++	    !((*name >= 'a' && *name <= 'z') ||
++	      (*name >= 'A' && *name <= 'Z') ||
++	      (*name >= '0' && *name <= '9') ||
++	      *name == '_' ||
++	      *name == '.')) {
+ 		return false;
+ 	}
+ 
++	numeric = isdigit(*name);
++
+ 	while ('\0' != *++name) {
+-		if (!(( ('a' <= *name) && ('z' >= *name) ) ||
+-		      ( ('0' <= *name) && ('9' >= *name) ) ||
+-		      ('_' == *name) ||
+-		      ('-' == *name) ||
+-		      ( ('$' == *name) && ('\0' == *(name + 1)) )
++		if (!((*name >= 'a' && *name <= 'z') ||
++		      (*name >= 'A' && *name <= 'Z') ||
++		      (*name >= '0' && *name <= '9') ||
++		      *name == '_' ||
++		      *name == '.' ||
++		      *name == '-' ||
++		      (*name == '$' && name[1] == '\0')
+ 		     )) {
+ 			return false;
+ 		}
++		numeric &= isdigit(*name);
+ 	}
+ 
+-	return true;
++	return !numeric || getenv("SHADOW_ALLOW_ALL_NUMERIC_USER") != NULL;
+ }
+ 
+ bool is_valid_user_name (const char *name)
+diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml
+--- shadow-4.1.5.1/man/groupadd.8.xml.goodname	2012-05-25 13:45:27.000000000 +0200
++++ shadow-4.1.5.1/man/groupadd.8.xml	2012-09-19 18:43:53.492160653 +0200
+@@ -259,10 +259,14 @@
+    <refsect1 id='caveats'>
+      <title>CAVEATS</title>
+      <para>
+-       Groupnames must start with a lower case letter or an underscore,
+-       followed by lower case letters, digits, underscores, or dashes.
+-       They can end with a dollar sign.
+-       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
++       Groupnames may contain only lower and upper case letters, digits,
++       underscores, or dashes. They can end with a dollar sign.
++
++       Dashes are not allowed at the beginning of the groupname.
++       Fully numeric groupnames and groupnames . or .. are
++       also disallowed.
++
++       In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
+      </para>
+      <para>
+        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml
+--- shadow-4.1.5.1/man/useradd.8.xml.goodname	2012-05-25 13:45:29.000000000 +0200
++++ shadow-4.1.5.1/man/useradd.8.xml	2012-09-19 18:43:53.493160675 +0200
+@@ -366,7 +366,7 @@
+ 	</term>
+ 	<listitem>
+ 	  <para>
+-	    Do no create the user's home directory, even if the system
++	    Do not create the user's home directory, even if the system
+ 	    wide setting from <filename>/etc/login.defs</filename>
+ 	    (<option>CREATE_HOME</option>) is set to
+ 	    <replaceable>yes</replaceable>.
+@@ -654,10 +654,16 @@
+     </para>
+ 
+     <para>
+-      Usernames must start with a lower case letter or an underscore,
+-      followed by lower case letters, digits, underscores, or dashes.
+-      They can end with a dollar sign.
+-      In regular expression terms: [a-z_][a-z0-9_-]*[$]?
++      Usernames may contain only lower and upper case letters, digits,
++      underscores, or dashes. They can end with a dollar sign.
++
++      Dashes are not allowed at the beginning of the username.
++      Fully numeric usernames and usernames . or .. are
++      also disallowed. It is not recommended to use usernames beginning
++      with . character as their home directories will be hidden in
++      the <command>ls</command> output.
++
++      In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
+     </para>
+     <para>
+       Usernames may only be up to 32 characters long.

SOURCES/shadow-4.1.5.1-info-parent-dir.patch

@@ -0,0 +1,20 @@
+diff -up shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir shadow-4.1.5.1/man/newusers.8.xml
+--- shadow-4.1.5.1/man/newusers.8.xml.info-parent-dir	2012-05-25 13:45:28.000000000 +0200
++++ shadow-4.1.5.1/man/newusers.8.xml	2012-09-19 18:46:35.651613365 +0200
+@@ -216,7 +216,15 @@
+ 	  <para>
+ 	    If this field does not specify an existing directory, the
+ 	    specified directory is created, with ownership set to the
+-	    user being created or updated and its primary group.
++	    user being created or updated and its primary group. Note 
++            that newusers does not create parent directories of the new 
++            user's home directory. The newusers command will fail to 
++            create the home directory if the parent directories do not 
++            exist, and will send a message to stderr informing the user 
++            of the failure. The newusers command will not halt or return 
++            a failure to the calling shell if it fails to create the home 
++            directory, it will continue to process the batch of new users 
++            specified.
+ 	  </para>
+ 	  <para>
+ 	    If the home directory of an existing user is changed,

SOURCES/shadow-4.1.5.1-ingroup.patch

@@ -0,0 +1,121 @@
+diff -up shadow-4.1.5.1/src/newgrp.c.ingroup shadow-4.1.5.1/src/newgrp.c
+--- shadow-4.1.5.1/src/newgrp.c.ingroup	2018-04-24 16:55:24.546677529 +0200
++++ shadow-4.1.5.1/src/newgrp.c	2018-04-24 16:58:17.113445562 +0200
+@@ -83,15 +83,29 @@ static void usage (void)
+ 	}
+ }
+ 
++static bool ingroup(const char *name, struct group *gr)
++{
++	char **look;
++	bool notfound = true;
++
++	look = gr->gr_mem;
++	while (*look && notfound)
++		notfound = strcmp (*look++, name);
++
++	return !notfound;
++}
++
+ /*
+- * find_matching_group - search all groups of a given group id for
++ * find_matching_group - search all groups of a gr's group id for
+  *                       membership of a given username
++ *                       but check gr itself first
+  */
+-static /*@null@*/struct group *find_matching_group (const char *name, gid_t gid)
++static /*@null@*/struct group *find_matching_group (const char *name, struct group *gr)
+ {
+-	struct group *gr;
+-	char **look;
+-	bool notfound = true;
++	gid_t gid = gr->gr_gid;
++
++	if (ingroup(name, gr))
++		return gr;
+ 
+ 	setgrent ();
+ 	while ((gr = getgrent ()) != NULL) {
+@@ -103,14 +117,8 @@ static /*@null@*/struct group *find_matc
+ 		 * A group with matching GID was found.
+ 		 * Test for membership of 'name'.
+ 		 */
+-		look = gr->gr_mem;
+-		while ((NULL != *look) && notfound) {
+-			notfound = (strcmp (*look, name) != 0);
+-			look++;
+-		}
+-		if (!notfound) {
++		if (ingroup(name, gr))
+ 			break;
+-		}
+ 	}
+ 	endgrent ();
+ 	return gr;
+@@ -373,6 +381,7 @@ int main (int argc, char **argv)
+ {
+ 	bool initflag = false;
+ 	int i;
++	bool is_member = false;
+ 	bool cflag = false;
+ 	int err = 0;
+ 	gid_t gid;
+@@ -611,22 +620,36 @@ int main (int argc, char **argv)
+ 		goto failure;
+ 	}
+ 
++#ifdef HAVE_SETGROUPS
++	/* when using pam_group, she will not be listed in the groups
++	 * database. However getgroups() will return the group. So
++	 * if she is listed there already it is ok to grant membership.
++	 */
++	for (i = 0; i < ngroups; i++) {
++		if (grp->gr_gid == grouplist[i]) {
++			is_member = true;
++			break;
++		}
++	}
++#endif                          /* HAVE_SETGROUPS */
+ 	/*
+ 	 * For splitted groups (due to limitations of NIS), check all 
+ 	 * groups of the same GID like the requested group for
+ 	 * membership of the current user.
+ 	 */
+-	grp = find_matching_group (name, grp->gr_gid);
+-	if (NULL == grp) {
+-		/*
+-		 * No matching group found. As we already know that
+-		 * the group exists, this happens only in the case
+-		 * of a requested group where the user is not member.
+-		 *
+-		 * Re-read the group entry for further processing.
+-		 */
+-		grp = xgetgrnam (group);
+-		assert (NULL != grp);
++	if (!is_member) {
++		grp = find_matching_group (name, grp);
++		if (NULL == grp) {
++			/*
++			 * No matching group found. As we already know that
++			 * the group exists, this happens only in the case
++			 * of a requested group where the user is not member.
++			 *
++			 * Re-read the group entry for further processing.
++			 */
++			grp = xgetgrnam (group);
++			assert (NULL != grp);
++		}
+ 	}
+ #ifdef SHADOWGRP
+ 	sgrp = getsgnam (group);
+@@ -639,7 +662,9 @@ int main (int argc, char **argv)
+ 	/*
+ 	 * Check if the user is allowed to access this group.
+ 	 */
+-	check_perms (grp, pwd, group);
++	if (!is_member) {
++		check_perms (grp, pwd, group);
++	}
+ 
+ 	/*
+ 	 * all successful validations pass through this point. The group id

SOURCES/shadow-4.1.5.1-ja-translation.patch

@@ -0,0 +1,25 @@
+From f2ce4cc54edc7dfeb6b12f3e8fff98255a9f477d Mon Sep 17 00:00:00 2001
+From: Taizo Ito <taizo.ito@hde.co.jp>
+Date: Tue, 17 Mar 2015 13:51:27 +0900
+Subject: [PATCH 1/1] typo in japanese man page of useradd
+
+---
+ po/ja.po | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/po/ja.po b/po/ja.po
+index a68a698..0c21c29 100644
+--- a/po/ja.po
++++ b/po/ja.po
+@@ -2047,7 +2047,7 @@ msgid "  -s, --shell SHELL             login shell of the new account\n"
+ msgstr "  -s, --shell SHELL             新アカウントのログインシェル\n"
+ 
+ msgid "  -u, --uid UID                 user ID of the new account\n"
+-msgstr "  -u, --iud UID                 新アカウントのユーザ ID\n"
++msgstr "  -u, --uid UID                 新アカウントのユーザ ID\n"
+ 
+ msgid ""
+ "  -U, --user-group              create a group with the same name as the "
+-- 
+1.8.3.1
+

SOURCES/shadow-4.1.5.1-lastlog-unexpire.patch

@@ -0,0 +1,263 @@
+diff -up shadow-4.1.5.1/man/lastlog.8.xml.unexpire shadow-4.1.5.1/man/lastlog.8.xml
+--- shadow-4.1.5.1/man/lastlog.8.xml.unexpire	2012-05-25 13:45:28.000000000 +0200
++++ shadow-4.1.5.1/man/lastlog.8.xml	2016-04-28 15:09:11.026084219 +0200
+@@ -105,6 +105,17 @@
+       </varlistentry>
+       <varlistentry>
+ 	<term>
++	  <option>-C</option>, <option>--clear</option>
++	</term>
++	<listitem>
++	  <para>
++	    Clear lastlog record of an user. This option can be used only together
++	    with <option>-u</option> (<option>--user</option>)).
++	  </para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term>
+ 	  <option>-h</option>, <option>--help</option>
+ 	</term>
+ 	<listitem>
+@@ -124,6 +135,17 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
++      <varlistentry>
++	<term>
++	  <option>-S</option>, <option>--set</option>
++	</term>
++	<listitem>
++	  <para>
++	    Set lastlog record of an user to the current time. This option can be
++	    used only together with <option>-u</option> (<option>--user</option>)).
++	  </para>
++	</listitem>
++      </varlistentry>
+       <varlistentry>
+ 	<term>
+ 	  <option>-t</option>, <option>--time</option>
+diff -up shadow-4.1.5.1/src/lastlog.c.unexpire shadow-4.1.5.1/src/lastlog.c
+--- shadow-4.1.5.1/src/lastlog.c.unexpire	2011-11-06 21:54:18.000000000 +0100
++++ shadow-4.1.5.1/src/lastlog.c	2016-04-28 15:49:30.253371990 +0200
+@@ -55,6 +55,13 @@
+ #endif
+ 
+ /*
++ * Needed for systems with older audit library.
++ */
++#ifndef AUDIT_ACCT_UNLOCK
++#define AUDIT_ACCT_UNLOCK       1136
++#endif
++
++/*
+  * Global variables
+  */
+ const char *Prog;		/* Program name */
+@@ -71,6 +78,8 @@ static struct stat statbuf;	/* fstat buf
+ static bool uflg = false;	/* print only an user of range of users */
+ static bool tflg = false;	/* print is restricted to most recent days */
+ static bool bflg = false;	/* print excludes most recent days */
++static bool Cflg = false;	/* clear record for user */
++static bool Sflg = false;	/* set record for user */
+ 
+ #define	NOW	(time ((time_t *) 0))
+ 
+@@ -83,8 +92,10 @@ static /*@noreturn@*/void usage (int sta
+ 	                  "Options:\n"),
+ 	                Prog);
+ 	(void) fputs (_("  -b, --before DAYS             print only lastlog records older than DAYS\n"), usageout);
++	(void) fputs (_("  -C, --clear                   clear lastlog record of an user (usable only with -u)\n"), usageout);
+ 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
++	(void) fputs (_("  -S, --set                     set lastlog record to current time (usable only with -u)\n"), usageout);
+ 	(void) fputs (_("  -t, --time DAYS               print only lastlog records more recent than DAYS\n"), usageout);
+ 	(void) fputs (_("  -u, --user LOGIN              print lastlog record of the specified LOGIN\n"), usageout);
+ 	(void) fputs ("\n", usageout);
+@@ -194,6 +205,80 @@ static void print (void)
+ 	}
+ }
+ 
++static void update_one (/*@null@*/const struct passwd *pw)
++{
++	off_t offset;
++	struct lastlog ll;
++	int err;
++
++	if (NULL == pw) {
++		return;
++	}
++
++	offset = (off_t) pw->pw_uid * sizeof (ll);
++	/* fseeko errors are not really relevant for us. */
++	err = fseeko (lastlogfile, offset, SEEK_SET);
++	assert (0 == err);
++
++	memzero (&ll, sizeof (ll));
++
++	if (Sflg) {
++		ll.ll_time = NOW;
++#ifdef HAVE_LL_HOST
++		strcpy (ll.ll_host, "localhost");
++#endif
++		strcpy (ll.ll_line, "lastlog");
++#ifdef WITH_AUDIT
++		audit_logger (AUDIT_ACCT_UNLOCK, Prog,
++			"clearing-lastlog",
++			pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS);
++#endif
++	}
++#ifdef WITH_AUDIT
++	else {
++		audit_logger (AUDIT_ACCT_UNLOCK, Prog,
++			"refreshing-lastlog",
++			pw->pw_name, (unsigned int) pw->pw_uid, SHADOW_AUDIT_SUCCESS);
++	}
++#endif
++
++	if (fwrite (&ll, sizeof(ll), 1, lastlogfile) != 1) {
++			fprintf (stderr,
++			         _("%s: Failed to update the entry for UID %lu\n"),
++			         Prog, (unsigned long int)pw->pw_uid);
++			exit (EXIT_FAILURE);
++	}
++}
++
++static void update (void)
++{
++	const struct passwd *pwent;
++
++	if (!uflg) /* safety measure */
++		return;
++
++	if (has_umin && has_umax && (umin == umax)) {
++		update_one (getpwuid ((uid_t)umin));
++	} else {
++		setpwent ();
++		while ( (pwent = getpwent ()) != NULL ) {
++			if ((has_umin && (pwent->pw_uid < (uid_t)umin))
++				|| (has_umax && (pwent->pw_uid > (uid_t)umax))) {
++				continue;
++			}
++			update_one (pwent);
++		}
++		endpwent ();
++	}
++
++	if (fflush (lastlogfile) != 0 || fsync (fileno (lastlogfile)) != 0) {
++			fprintf (stderr,
++			         _("%s: Failed to update the lastlog file\n"),
++			         Prog);
++			exit (EXIT_FAILURE);
++	}
++}
++
+ int main (int argc, char **argv)
+ {
+ 	/*
+@@ -208,18 +293,24 @@ int main (int argc, char **argv)
+ 
+ 	process_root_flag ("-R", argc, argv);
+ 
++#ifdef WITH_AUDIT
++	audit_help_open ();
++#endif
++
+ 	{
+ 		int c;
+ 		static struct option const longopts[] = {
+ 			{"before", required_argument, NULL, 'b'},
++			{"clear",  no_argument,       NULL, 'C'},
+ 			{"help",   no_argument,       NULL, 'h'},
+ 			{"root",   required_argument, NULL, 'R'},
++			{"set",    no_argument,       NULL, 'S'},
+ 			{"time",   required_argument, NULL, 't'},
+ 			{"user",   required_argument, NULL, 'u'},
+ 			{NULL, 0, NULL, '\0'}
+ 		};
+ 
+-		while ((c = getopt_long (argc, argv, "b:hR:t:u:", longopts,
++		while ((c = getopt_long (argc, argv, "b:ChR:St:u:", longopts,
+ 		                         NULL)) != -1) {
+ 			switch (c) {
+ 			case 'b':
+@@ -235,11 +326,21 @@ int main (int argc, char **argv)
+ 				bflg = true;
+ 				break;
+ 			}
++			case 'C':
++			{
++				Cflg = true;
++				break;
++			}
+ 			case 'h':
+ 				usage (EXIT_SUCCESS);
+ 				/*@notreached@*/break;
+ 			case 'R': /* no-op, handled in process_root_flag () */
+ 				break;
++			case 'S':
++			{
++				Sflg = true;
++				break;
++			}
+ 			case 't':
+ 			{
+ 				unsigned long days;
+@@ -294,9 +395,21 @@ int main (int argc, char **argv)
+ 			         Prog, argv[optind]);
+ 			usage (EXIT_FAILURE);
+ 		}
++		if (Cflg && Sflg) {
++			fprintf (stderr,
++			         _("%s: Option -C cannot be used together with option -S\n"),
++			         Prog);
++			usage (EXIT_FAILURE);
++		}
++		if ((Cflg || Sflg) && !uflg) {
++			fprintf (stderr,
++			         _("%s: Options -C and -S require option -u to specify the user\n"),
++			         Prog);
++			usage (EXIT_FAILURE);
++		}
+ 	}
+ 
+-	lastlogfile = fopen (LASTLOG_FILE, "r");
++	lastlogfile = fopen (LASTLOG_FILE, (Cflg || Sflg)?"r+":"r");
+ 	if (NULL == lastlogfile) {
+ 		perror (LASTLOG_FILE);
+ 		exit (EXIT_FAILURE);
+@@ -310,7 +423,10 @@ int main (int argc, char **argv)
+ 		exit (EXIT_FAILURE);
+ 	}
+ 
+-	print ();
++	if (Cflg || Sflg)
++		update ();
++	else
++		print ();
+ 
+ 	(void) fclose (lastlogfile);
+ 
+diff -up shadow-4.1.5.1/src/Makefile.am.unexpire shadow-4.1.5.1/src/Makefile.am
+--- shadow-4.1.5.1/src/Makefile.am.unexpire	2011-11-18 22:23:30.000000000 +0100
++++ shadow-4.1.5.1/src/Makefile.am	2016-04-28 15:09:11.027084241 +0200
+@@ -90,6 +90,7 @@ groupmod_LDADD = $(LDADD) $(LIBPAM_SUID)
+ grpck_LDADD    = $(LDADD) $(LIBSELINUX)
+ grpconv_LDADD  = $(LDADD) $(LIBSELINUX)
+ grpunconv_LDADD = $(LDADD) $(LIBSELINUX)
++lastlog_LDADD   = $(LDADD) $(LIBAUDIT)
+ login_SOURCES  = \
+ 	login.c \
+ 	login_nopam.c
+diff -up shadow-4.1.5.1/src/Makefile.in.unexpire shadow-4.1.5.1/src/Makefile.in
+--- shadow-4.1.5.1/src/Makefile.in.unexpire	2012-05-25 13:56:51.000000000 +0200
++++ shadow-4.1.5.1/src/Makefile.in	2016-04-28 15:09:11.027084241 +0200
+@@ -162,7 +162,7 @@ id_DEPENDENCIES = $(am__DEPENDENCIES_1)
+ 	$(top_builddir)/lib/libshadow.la
+ lastlog_SOURCES = lastlog.c
+ lastlog_OBJECTS = lastlog.$(OBJEXT)
+-lastlog_LDADD = $(LDADD)
++lastlog_LDADD = $(LDADD) $(LIBAUDIT)
+ lastlog_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+ 	$(top_builddir)/libmisc/libmisc.a \
+ 	$(top_builddir)/lib/libshadow.la

SOURCES/shadow-4.1.5.1-logmsg.patch

@@ -0,0 +1,12 @@
+diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c
+--- shadow-4.1.5.1/src/useradd.c.logmsg	2013-02-20 15:41:44.000000000 +0100
++++ shadow-4.1.5.1/src/useradd.c	2013-03-19 18:40:04.908292810 +0100
+@@ -275,7 +275,7 @@ static void fail_exit (int code)
+ 	              user_name, AUDIT_NO_ID,
+ 	              SHADOW_AUDIT_FAILURE);
+ #endif
+-	SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
++	SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
+ 	exit (code);
+ }
+ 

SOURCES/shadow-4.1.5.1-long-entry.patch

@@ -0,0 +1,84 @@
+diff -up shadow-4.1.5.1/lib/defines.h.long-entry shadow-4.1.5.1/lib/defines.h
+--- shadow-4.1.5.1/lib/defines.h.long-entry	2011-09-18 22:44:10.000000000 +0200
++++ shadow-4.1.5.1/lib/defines.h	2018-04-24 16:34:31.261417493 +0200
+@@ -382,4 +382,7 @@ extern char *strerror ();
+ # endif
+ #endif
+ 
++/* Maximum length of passwd entry */
++#define PASSWD_ENTRY_MAX_LENGTH 32768
++
+ #endif				/* _DEFINES_H_ */
+diff -up shadow-4.1.5.1/lib/pwio.c.long-entry shadow-4.1.5.1/lib/pwio.c
+--- shadow-4.1.5.1/lib/pwio.c.long-entry	2011-02-16 21:32:24.000000000 +0100
++++ shadow-4.1.5.1/lib/pwio.c	2018-04-24 16:34:31.263417454 +0200
+@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
+ 	    || (pw->pw_gid == (gid_t)-1)
+ 	    || (valid_field (pw->pw_gecos, ":\n") == -1)
+ 	    || (valid_field (pw->pw_dir, ":\n") == -1)
+-	    || (valid_field (pw->pw_shell, ":\n") == -1)) {
++	    || (valid_field (pw->pw_shell, ":\n") == -1)
++	    || (strlen (pw->pw_name) + strlen (pw->pw_passwd) +
++	        strlen (pw->pw_gecos) + strlen (pw->pw_dir) +
++	        strlen (pw->pw_shell) + 100 > PASSWD_ENTRY_MAX_LENGTH)) {
+ 		return -1;
+ 	}
+ 
+diff -up shadow-4.1.5.1/lib/sgetpwent.c.long-entry shadow-4.1.5.1/lib/sgetpwent.c
+--- shadow-4.1.5.1/lib/sgetpwent.c.long-entry	2009-04-06 06:28:53.000000000 +0200
++++ shadow-4.1.5.1/lib/sgetpwent.c	2018-04-24 16:34:31.263417454 +0200
+@@ -57,7 +57,7 @@
+ struct passwd *sgetpwent (const char *buf)
+ {
+ 	static struct passwd pwent;
+-	static char pwdbuf[1024];
++	static char pwdbuf[PASSWD_ENTRY_MAX_LENGTH];
+ 	register int i;
+ 	register char *cp;
+ 	char *fields[NFIELDS];
+@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu
+ 	 * the password structure remain valid.
+ 	 */
+ 
+-	if (strlen (buf) >= sizeof pwdbuf)
++	if (strlen (buf) >= sizeof pwdbuf) {
++		fprintf (stderr, "Too long passwd entry encountered, file corruption?\n");
+ 		return 0;	/* fail if too long */
++	}
+ 	strcpy (pwdbuf, buf);
+ 
+ 	/*
+diff -up shadow-4.1.5.1/lib/sgetspent.c.long-entry shadow-4.1.5.1/lib/sgetspent.c
+--- shadow-4.1.5.1/lib/sgetspent.c.long-entry	2009-04-12 04:46:43.000000000 +0200
++++ shadow-4.1.5.1/lib/sgetspent.c	2018-04-24 16:34:31.264417435 +0200
+@@ -48,7 +48,7 @@
+  */
+ struct spwd *sgetspent (const char *string)
+ {
+-	static char spwbuf[1024];
++	static char spwbuf[PASSWD_ENTRY_MAX_LENGTH];
+ 	static struct spwd spwd;
+ 	char *fields[FIELDS];
+ 	char *cp;
+@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri
+ 	 */
+ 
+ 	if (strlen (string) >= sizeof spwbuf) {
++		fprintf (stderr, "Too long shadow entry encountered, file corruption?\n");
+ 		return 0;	/* fail if too long */
+ 	}
+ 	strcpy (spwbuf, string);
+diff -up shadow-4.1.5.1/lib/shadowio.c.long-entry shadow-4.1.5.1/lib/shadowio.c
+--- shadow-4.1.5.1/lib/shadowio.c.long-entry	2011-02-16 21:32:24.000000000 +0100
++++ shadow-4.1.5.1/lib/shadowio.c	2018-04-24 16:34:31.265417416 +0200
+@@ -78,7 +78,9 @@ static int shadow_put (const void *ent,
+ 
+ 	if (   (NULL == sp)
+ 	    || (valid_field (sp->sp_namp, ":\n") == -1)
+-	    || (valid_field (sp->sp_pwdp, ":\n") == -1)) {
++	    || (valid_field (sp->sp_pwdp, ":\n") == -1)
++	    || (strlen (sp->sp_namp) + strlen (sp->sp_pwdp) +
++	        1000 > PASSWD_ENTRY_MAX_LENGTH)) {
+ 		return -1;
+ 	}
+ 

SOURCES/shadow-4.1.5.1-manfix.patch

@@ -0,0 +1,281 @@
+diff -up shadow-4.1.5.1/man/chage.1.xml.manfix shadow-4.1.5.1/man/chage.1.xml
+--- shadow-4.1.5.1/man/chage.1.xml.manfix	2012-05-25 13:45:27.000000000 +0200
++++ shadow-4.1.5.1/man/chage.1.xml	2018-04-24 16:43:48.545743715 +0200
+@@ -102,6 +102,9 @@
+ 	    Set the number of days since January 1st, 1970 when the password
+ 	    was last changed. The date may also be expressed in the format
+ 	    YYYY-MM-DD (or the format more commonly used in your area).
++	    If the <replaceable>LAST_DAY</replaceable> is set to
++	    <emphasis>0</emphasis> the user is forced to change his password
++	    on the next log on.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -123,6 +126,13 @@
+ 	    <replaceable>EXPIRE_DATE</replaceable> will remove an account
+ 	    expiration date.
+ 	  </para>
++	  <para>
++	    For example the following command can be used
++	    to set an account to expire in 180 days:
++	  </para>
++	  <programlisting>
++	    chage -E $(date -d +180days +%Y-%m-%d)
++	  </programlisting>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+diff -up shadow-4.1.5.1/man/groupmems.8.xml.manfix shadow-4.1.5.1/man/groupmems.8.xml
+--- shadow-4.1.5.1/man/groupmems.8.xml.manfix	2012-05-25 13:45:28.000000000 +0200
++++ shadow-4.1.5.1/man/groupmems.8.xml	2015-12-18 12:27:08.466909647 +0100
+@@ -194,6 +194,13 @@
+ 	$ chown root.groups groupmems
+ 	$ groupmems -g groups -a gk4
+     </programlisting>
++
++    <para>
++      In the Red Hat Enterprise Linux 7 the <command>groupmems</command>
++      command is not setuid and regular users cannot use it to manipulate
++      the membership of their own group. This might change in future
++      major releases of the Red Hat Enterprise Linux.
++    </para>
+   </refsect1>
+ 
+   <refsect1 id='configuration'>
+diff -up shadow-4.1.5.1/man/ja/man5/login.defs.5.manfix shadow-4.1.5.1/man/ja/man5/login.defs.5
+--- shadow-4.1.5.1/man/ja/man5/login.defs.5.manfix	2012-05-25 13:45:27.000000000 +0200
++++ shadow-4.1.5.1/man/ja/man5/login.defs.5	2015-12-18 12:34:08.080715842 +0100
+@@ -147,10 +147,6 @@ 以下の参照表は、
+ shadow パスワード機能のどのプログラムが
+ どのパラメータを使用するかを示したものである。
+ .na
+-.IP chfn 12
+-CHFN_AUTH CHFN_RESTRICT
+-.IP chsh 12
+-CHFN_AUTH
+ .IP groupadd 12
+ GID_MAX GID_MIN
+ .IP newusers 12
+diff -up shadow-4.1.5.1/man/login.defs.5.xml.manfix shadow-4.1.5.1/man/login.defs.5.xml
+--- shadow-4.1.5.1/man/login.defs.5.xml.manfix	2012-05-25 13:45:28.000000000 +0200
++++ shadow-4.1.5.1/man/login.defs.5.xml	2014-08-29 13:31:38.364812323 +0200
+@@ -160,6 +160,17 @@
+       long numeric parameters is machine-dependent.
+     </para>
+ 
++    <para>
++      Please note that the parameters in this configuration file control the
++      behavior of the tools from the shadow-utils component. None of these
++      tools uses the PAM mechanism, and the utilities that use PAM (such as the
++      passwd command) should be configured elsewhere. The only values that
++      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
++      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
++      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
++      pam(8) for more information.
++    </para>
++
+     <para>The following configuration items are provided:</para>
+ 
+     <variablelist remap='IP'>
+@@ -248,26 +258,6 @@
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+-	<term>chfn</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CHFN_AUTH</phrase>
+-	    CHFN_RESTRICT
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+-	<term>chgpasswd</term>
+-	<listitem>
+-	  <para>
+-	    ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
+-	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+-	    SHA_CRYPT_MIN_ROUNDS</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+ 	<term>chpasswd</term>
+ 	<listitem>
+ 	  <para>
+@@ -278,14 +268,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry condition="no_pam">
+-	<term>chsh</term>
+-	<listitem>
+-	  <para>
+-	    CHSH_AUTH LOGIN_STRING
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
+       <!-- faillog: no variables -->
+       <varlistentry>
+@@ -346,34 +328,6 @@
+       </varlistentry>
+       <!-- id: no variables -->
+       <!-- lastlog: no variables -->
+-      <varlistentry>
+-	<term>login</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
+-	    ENV_TZ ENVIRON_FILE</phrase>
+-	    ERASECHAR FAIL_DELAY
+-	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
+-	    FAKE_SHELL
+-	    <phrase condition="no_pam">FTMP_FILE</phrase>
+-	    HUSHLOGIN_FILE
+-	    <phrase condition="no_pam">ISSUE_FILE</phrase>
+-	    KILLCHAR
+-	    <phrase condition="no_pam">LASTLOG_ENAB</phrase>
+-	    LOGIN_RETRIES
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
+-	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
+-	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
+-	    QUOTAS_ENAB</phrase>
+-	    TTYGROUP TTYPERM TTYTYPE_FILE
+-	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
+-	    USERGROUPS_ENAB
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- logoutd: no variables -->
+       <varlistentry>
+ 	<term>newgrp / sg</term>
+@@ -399,17 +353,6 @@
+ 	</listitem>
+       </varlistentry>
+       <!-- nologin: no variables -->
+-      <varlistentry condition="no_pam">
+-	<term>passwd</term>
+-	<listitem>
+-	  <para>
+-	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
+-	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
+-	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+-	    SHA_CRYPT_MIN_ROUNDS</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>pwck</term>
+ 	<listitem>
+@@ -436,32 +379,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>su</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
+-	    ENV_PATH ENV_SUPATH
+-	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
+-	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
+-	    SULOG_FILE SU_NAME
+-	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
+-	    SYSLOG_SU_ENAB
+-	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+-	<term>sulogin</term>
+-	<listitem>
+-	  <para>
+-	    ENV_HZ
+-	    <phrase condition="no_pam">ENV_TZ</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>useradd</term>
+ 	<listitem>
+diff -up shadow-4.1.5.1/man/useradd.8.xml.manfix shadow-4.1.5.1/man/useradd.8.xml
+--- shadow-4.1.5.1/man/useradd.8.xml.manfix	2015-12-17 14:05:47.930742412 +0100
++++ shadow-4.1.5.1/man/useradd.8.xml	2015-12-17 14:05:47.945742754 +0100
+@@ -134,8 +134,8 @@
+ 	    <replaceable>HOME_DIR</replaceable> is not specified.
+ 	    <replaceable>BASE_DIR</replaceable> is
+ 	    concatenated with the account name to define the home directory. 
+-	    If the <option>-m</option> option is not used,
+-	    <replaceable>BASE_DIR</replaceable> must exist.
++	    The <replaceable>BASE_DIR</replaceable> must exist otherwise
++	    the home directory cannot be created.
+ 	  </para>
+ 	  <para>
+ 	    If this option is not specified, <command>useradd</command>
+@@ -161,7 +161,7 @@
+       </varlistentry>
+       <varlistentry>
+ 	<term>
+-	  <option>-d</option>, <option>--home</option>
++	  <option>-d</option>, <option>--home-dir</option>
+ 	  <replaceable>HOME_DIR</replaceable>
+ 	</term>
+ 	<listitem>
+@@ -171,8 +171,7 @@
+ 	    login directory. The default is to append the
+ 	    <replaceable>LOGIN</replaceable> name to
+ 	    <replaceable>BASE_DIR</replaceable> and use that as the login
+-	    directory name. The directory <replaceable>HOME_DIR</replaceable>
+-	    does not have to exist but will not be created if it is missing.
++	    directory name.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -358,11 +357,16 @@
+ 	    <option>CREATE_HOME</option> is not enabled, no home
+ 	    directories are created.
+ 	  </para>
++	  <para>
++	    The directory where the user's home directory is created must
++	    exist and have proper SELinux context and permissions. Otherwise
++	    the user's home directory cannot be created or accessed.
++	  </para>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+ 	<term>
+-	  <option>-M</option>
++	  <option>-M</option>, <option>--no-create-home</option>
+ 	</term>
+ 	<listitem>
+ 	  <para>
+diff -up shadow-4.1.5.1/man/usermod.8.xml.manfix shadow-4.1.5.1/man/usermod.8.xml
+--- shadow-4.1.5.1/man/usermod.8.xml.manfix	2012-05-25 13:45:29.000000000 +0200
++++ shadow-4.1.5.1/man/usermod.8.xml	2014-08-29 13:33:40.814632618 +0200
+@@ -132,7 +132,8 @@
+ 	    If the <option>-m</option>
+ 	    option is given, the contents of the current home directory will
+ 	    be moved to the new home directory, which is created if it does
+-	    not already exist.
++	    not already exist. If the current home directory does not exist
++	    the new home directory will not be created.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -261,7 +262,8 @@
+ 	<listitem>
+ 	  <para>
+ 	    Move the content of the user's home directory to the new
+-	    location.
++	    location. If the current home directory does not exist
++	    the new home directory will not be created.
+ 	  </para>
+ 	  <para>
+ 	    This option is only valid in combination with the

SOURCES/shadow-4.1.5.1-merge-group.patch

@@ -0,0 +1,27 @@
+diff -up shadow-4.1.5.1/lib/groupio.c.merge-group shadow-4.1.5.1/lib/groupio.c
+--- shadow-4.1.5.1/lib/groupio.c.merge-group	2011-02-16 21:32:24.000000000 +0100
++++ shadow-4.1.5.1/lib/groupio.c	2013-01-29 13:56:43.049275513 +0100
+@@ -330,12 +330,12 @@ static /*@null@*/struct commonio_entry *
+ 
+ 	/* Concatenate the 2 lines */
+ 	new_line_len = strlen (gr1->line) + strlen (gr2->line) +1;
+-	new_line = (char *)malloc ((new_line_len + 1) * sizeof(char*));
++	new_line = (char *)malloc (new_line_len + 1);
+ 	if (NULL == new_line) {
+ 		errno = ENOMEM;
+ 		return NULL;
+ 	}
+-	snprintf(new_line, new_line_len, "%s\n%s", gr1->line, gr2->line);
++	snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line);
+ 	new_line[new_line_len] = '\0';
+ 
+ 	/* Concatenate the 2 list of members */
+@@ -353,7 +353,7 @@ static /*@null@*/struct commonio_entry *
+ 			members++;
+ 		}
+ 	}
+-	new_members = (char **)malloc ( (members+1) * sizeof(char*) );
++	new_members = (char **)calloc (members+1, sizeof(char*));
+ 	if (NULL == new_members) {
+ 		free (new_line);
+ 		errno = ENOMEM;

SOURCES/shadow-4.1.5.1-move-home.patch

@@ -0,0 +1,15 @@
+diff -up shadow-4.1.5.1/src/usermod.c.move-home shadow-4.1.5.1/src/usermod.c
+--- shadow-4.1.5.1/src/usermod.c.move-home	2014-08-29 13:31:38.000000000 +0200
++++ shadow-4.1.5.1/src/usermod.c	2014-08-29 14:14:13.860671177 +0200
+@@ -1571,6 +1571,11 @@ static void move_home (void)
+ 			         Prog, user_home, user_newhome);
+ 			fail_exit (E_HOMEDIR);
+ 		}
++	} else {
++		fprintf (stderr,
++		         _("%s: The previous home directory (%s) does "
++		           "not exist or is inaccessible. Move cannot be completed.\n"),
++		         Prog, user_home);
+ 	}
+ }
+ 

SOURCES/shadow-4.1.5.1-null-tm.patch

@@ -0,0 +1,86 @@
+diff -up shadow-4.1.5.1/src/faillog.c.null-tm shadow-4.1.5.1/src/faillog.c
+--- shadow-4.1.5.1/src/faillog.c.null-tm	2011-11-19 23:54:47.000000000 +0100
++++ shadow-4.1.5.1/src/faillog.c	2016-06-14 11:54:58.582314219 +0200
+@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const s
+ 	}
+ 
+ 	tm = localtime (&fl.fail_time);
++	if (tm == NULL) {
++		cp = "(unknown)";
++	} else {
+ #ifdef HAVE_STRFTIME
+-	strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
+-	cp = ptime;
++		strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
++		cp = ptime;
+ #endif
++	}
+ 	printf ("%-9s   %5d    %5d   ",
+ 	        pw->pw_name, fl.fail_cnt, fl.fail_max);
+ 	/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
+diff -up shadow-4.1.5.1/src/chage.c.null-tm shadow-4.1.5.1/src/chage.c
+--- shadow-4.1.5.1/src/chage.c.null-tm	2016-05-04 13:44:55.639787900 +0200
++++ shadow-4.1.5.1/src/chage.c	2016-06-14 11:54:58.583314243 +0200
+@@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
+ 	struct tm *tp;
+ 
+ 	tp = gmtime (&date);
++	if (tp == NULL) {
++		(void) snprintf (buf, maxsize, "(unknown)");
++		return;
++	}
+ #ifdef HAVE_STRFTIME
+ 	(void) strftime (buf, maxsize, "%Y-%m-%d", tp);
+ #else
+diff -up shadow-4.1.5.1/src/lastlog.c.null-tm shadow-4.1.5.1/src/lastlog.c
+--- shadow-4.1.5.1/src/lastlog.c.null-tm	2016-05-04 13:44:55.647788082 +0200
++++ shadow-4.1.5.1/src/lastlog.c	2016-06-14 11:54:58.584314267 +0200
+@@ -165,13 +165,17 @@ static void print_one (/*@null@*/const s
+ 
+ 	ll_time = ll.ll_time;
+ 	tm = localtime (&ll_time);
++	if (tm == NULL) {
++		cp = "(unknown)";
++	} else {
+ #ifdef HAVE_STRFTIME
+-	strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
+-	cp = ptime;
++		strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", tm);
++		cp = ptime;
+ #else
+-	cp = asctime (tm);
+-	cp[24] = '\0';
++		cp = asctime (tm);
++		cp[24] = '\0';
+ #endif
++	}
+ 
+ 	if (ll.ll_time == (time_t) 0) {
+ 		cp = _("**Never logged in**\0");
+diff -up shadow-4.1.5.1/src/passwd.c.null-tm shadow-4.1.5.1/src/passwd.c
+--- shadow-4.1.5.1/src/passwd.c.null-tm	2016-05-04 13:44:55.634787787 +0200
++++ shadow-4.1.5.1/src/passwd.c	2016-06-14 11:54:58.584314267 +0200
+@@ -438,6 +438,9 @@ static /*@observer@*/const char *date_to
+ 	struct tm *tm;
+ 
+ 	tm = gmtime (&t);
++	if (tm == NULL) {
++		return "(unknown)";
++	}
+ #ifdef HAVE_STRFTIME
+ 	(void) strftime (buf, sizeof buf, "%m/%d/%Y", tm);
+ #else				/* !HAVE_STRFTIME */
+diff -up shadow-4.1.5.1/src/usermod.c.null-tm shadow-4.1.5.1/src/usermod.c
+--- shadow-4.1.5.1/src/usermod.c.null-tm	2016-05-04 13:44:55.648788104 +0200
++++ shadow-4.1.5.1/src/usermod.c	2016-06-14 11:54:58.585314291 +0200
+@@ -186,6 +186,10 @@ static void date_to_str (/*@unique@*//*@
+ 	} else {
+ 		time_t t = (time_t) date;
+ 		tp = gmtime (&t);
++		if (tp == NULL) {
++			strncpy (buf, "unknown", maxsize);
++			return;
++		}
+ #ifdef HAVE_STRFTIME
+ 		strftime (buf, maxsize, "%Y-%m-%d", tp);
+ #else

SOURCES/shadow-4.1.5.1-orig-context.patch

@@ -0,0 +1,128 @@
+diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio.c
+--- shadow-4.1.5.1/lib/commonio.c.orig-context	2012-09-19 20:27:16.000000000 +0200
++++ shadow-4.1.5.1/lib/commonio.c	2013-02-20 15:20:55.064962324 +0100
+@@ -941,7 +941,7 @@ int commonio_close (struct commonio_db *
+ 		snprintf (buf, sizeof buf, "%s-", db->filename);
+ 
+ #ifdef WITH_SELINUX
+-		if (set_selinux_file_context (buf) != 0) {
++		if (set_selinux_file_context (buf, db->filename) != 0) {
+ 			errors++;
+ 		}
+ #endif
+@@ -975,7 +975,7 @@ int commonio_close (struct commonio_db *
+ 	snprintf (buf, sizeof buf, "%s+", db->filename);
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (buf) != 0) {
++	if (set_selinux_file_context (buf, db->filename) != 0) {
+ 		errors++;
+ 	}
+ #endif
+diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/copydir.c
+--- shadow-4.1.5.1/libmisc/copydir.c.orig-context	2012-02-13 20:16:32.000000000 +0100
++++ shadow-4.1.5.1/libmisc/copydir.c	2013-02-20 15:19:01.495623232 +0100
+@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
+ 	 */
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
+ 	}
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		free (oldlink);
+ 		return -1;
+ 	}
+@@ -684,7 +684,7 @@ static int copy_special (const char *src
+ 	int err = 0;
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
+ 		return -1;
+ 	}
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototypes.h
+--- shadow-4.1.5.1/lib/prototypes.h.orig-context	2012-01-08 17:04:29.000000000 +0100
++++ shadow-4.1.5.1/lib/prototypes.h	2013-02-20 15:24:17.251126575 +0100
+@@ -295,7 +295,7 @@ extern /*@observer@*/const char *crypt_m
+ 
+ /* selinux.c */
+ #ifdef WITH_SELINUX
+-extern int set_selinux_file_context (const char *dst_name);
++extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
+ extern int reset_selinux_file_context (void);
+ #endif
+ 
+diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c
+--- shadow-4.1.5.1/lib/selinux.c.orig-context	2012-01-08 17:35:44.000000000 +0100
++++ shadow-4.1.5.1/lib/selinux.c	2013-02-20 15:16:40.383716877 +0100
+@@ -50,7 +50,7 @@ static bool selinux_enabled;
+  *	Callers may have to Reset SELinux to create files with default
+  *	contexts with reset_selinux_file_context
+  */
+-int set_selinux_file_context (const char *dst_name)
++int set_selinux_file_context (const char *dst_name, const char *orig_name)
+ {
+ 	/*@null@*/security_context_t scontext = NULL;
+ 
+@@ -62,19 +62,23 @@ int set_selinux_file_context (const char
+ 	if (selinux_enabled) {
+ 		/* Get the default security context for this file */
+ 		if (matchpathcon (dst_name, 0, &scontext) < 0) {
+-			if (security_getenforce () != 0) {
+-				return 1;
+-			}
++			/* We could not get the default, copy the original */
++			if (orig_name == NULL)
++				goto error;
++			if (getfilecon (orig_name, &scontext) < 0)
++				goto error;
+ 		}
+ 		/* Set the security context for the next created file */
+-		if (setfscreatecon (scontext) < 0) {
+-			if (security_getenforce () != 0) {
+-				return 1;
+-			}
+-		}
++		if (setfscreatecon (scontext) < 0)
++			goto error;
+ 		freecon (scontext);
+ 	}
+ 	return 0;
++    error:
++	if (security_getenforce () != 0) {
++		return 1;
++	}
++	return 0;
+ }
+ 
+ /*
+diff -up shadow-4.1.5.1/src/useradd.c.orig-context shadow-4.1.5.1/src/useradd.c
+--- shadow-4.1.5.1/src/useradd.c.orig-context	2012-09-19 20:23:33.000000000 +0200
++++ shadow-4.1.5.1/src/useradd.c	2013-02-20 15:19:31.221235459 +0100
+@@ -1759,7 +1759,7 @@ static void create_home (void)
+ {
+ 	if (access (user_home, F_OK) != 0) {
+ #ifdef WITH_SELINUX
+-		if (set_selinux_file_context (user_home) != 0) {
++		if (set_selinux_file_context (user_home, NULL) != 0) {
+ 			fail_exit (E_HOMEDIR);
+ 		}
+ #endif

SOURCES/shadow-4.1.5.1-selinux-perms.patch

@@ -0,0 +1,289 @@
+diff -up shadow-4.1.5.1/src/chgpasswd.c.selinux-perms shadow-4.1.5.1/src/chgpasswd.c
+--- shadow-4.1.5.1/src/chgpasswd.c.selinux-perms	2016-05-04 13:44:55.633787764 +0200
++++ shadow-4.1.5.1/src/chgpasswd.c	2016-05-30 12:01:30.421587253 +0200
+@@ -39,6 +39,13 @@
+ #include <pwd.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#include <selinux/avc.h>
++#endif
++#ifdef WITH_LIBAUDIT
++#include <libaudit.h>
++#endif
+ #ifdef ACCT_TOOLS_SETUID
+ #ifdef USE_PAM
+ #include "pam_defs.h"
+@@ -76,6 +83,9 @@ static bool sgr_locked = false;
+ #endif
+ static bool gr_locked = false;
+ 
++/* The name of the caller */
++static char *myname = NULL;
++
+ /* local function prototypes */
+ static void fail_exit (int code);
+ static /*@noreturn@*/void usage (int status);
+@@ -300,6 +310,63 @@ static void check_perms (void)
+ #endif				/* ACCT_TOOLS_SETUID */
+ }
+ 
++#ifdef WITH_SELINUX
++static int
++log_callback (int type, const char *fmt, ...)
++{
++    int audit_fd;
++    va_list ap;
++
++    va_start(ap, fmt);
++#ifdef WITH_AUDIT
++    audit_fd = audit_open();
++
++    if (audit_fd >= 0) {
++	char *buf;
++
++	if (vasprintf (&buf, fmt, ap) < 0)
++		goto ret;
++	audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
++				   NULL, 0);
++	audit_close(audit_fd);
++	free(buf);
++	goto ret;
++    }
++
++#endif
++    vsyslog (LOG_USER | LOG_INFO, fmt, ap);
++ret:
++    va_end(ap);
++    return 0;
++}
++
++static void
++selinux_check_root (void)
++{
++    int status = -1;
++    security_context_t user_context;
++    union selinux_callback old_callback;
++
++    if (is_selinux_enabled() < 1)
++	return;
++
++    old_callback = selinux_get_callback(SELINUX_CB_LOG);
++    /* setup callbacks */
++    selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
++    if ((status = getprevcon(&user_context)) < 0) {
++	selinux_set_callback(SELINUX_CB_LOG, old_callback);
++	exit(1);
++    }
++
++    status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
++
++    selinux_set_callback(SELINUX_CB_LOG, old_callback);
++    freecon(user_context);
++    if (status != 0 && security_getenforce() != 0)
++	exit(1);
++}
++#endif
++
+ /*
+  * open_files - lock and open the group databases
+  */
+@@ -393,6 +460,7 @@ int main (int argc, char **argv)
+ 
+ 	const struct group *gr;
+ 	struct group newgr;
++	struct passwd *pw = NULL;
+ 	int errors = 0;
+ 	int line = 0;
+ 
+@@ -408,8 +476,33 @@ int main (int argc, char **argv)
+ 
+ 	OPENLOG ("chgpasswd");
+ 
++#ifdef WITH_AUDIT
++	audit_help_open ();
++#endif
++
++	/*
++	 * Determine the name of the user that invoked this command. This
++	 * is really hit or miss because there are so many ways that command
++	 * can be executed and so many ways to trip up the routines that
++	 * report the user name.
++	 */
++	pw = get_my_pwent ();
++	if (NULL == pw) {
++		fprintf (stderr, _("%s: Cannot determine your user name.\n"),
++		         Prog);
++		SYSLOG ((LOG_WARN,
++		         "Cannot determine the user name of the caller (UID %lu)",
++		         (unsigned long) getuid ()));
++		exit (E_NOPERM);
++	}
++	myname = xstrdup (pw->pw_name);
++
+ 	check_perms ();
+ 
++#ifdef WITH_SELINUX
++	selinux_check_root ();
++#endif
++
+ #ifdef SHADOWGRP
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
+@@ -533,6 +626,15 @@ int main (int argc, char **argv)
+ 			newgr.gr_passwd = cp;
+ 		}
+ 
++#ifdef WITH_AUDIT
++		{
++
++			audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
++		              "change-password",
++		              myname, AUDIT_NO_ID, gr->gr_name,
++		              SHADOW_AUDIT_SUCCESS);
++		}
++#endif
+ 		/* 
+ 		 * The updated group file entry is then put back and will
+ 		 * be written to the group file later, after all the
+diff -up shadow-4.1.5.1/src/chpasswd.c.selinux-perms shadow-4.1.5.1/src/chpasswd.c
+--- shadow-4.1.5.1/src/chpasswd.c.selinux-perms	2016-05-04 13:44:55.633787764 +0200
++++ shadow-4.1.5.1/src/chpasswd.c	2016-05-30 12:01:42.877859957 +0200
+@@ -39,6 +39,13 @@
+ #include <pwd.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#include <selinux/avc.h>
++#endif
++#ifdef WITH_LIBAUDIT
++#include <libaudit.h>
++#endif
+ #ifdef USE_PAM
+ #include "pam_defs.h"
+ #endif				/* USE_PAM */
+@@ -297,6 +304,63 @@ static void check_perms (void)
+ #endif				/* USE_PAM */
+ }
+ 
++#ifdef WITH_SELINUX
++static int
++log_callback (int type, const char *fmt, ...)
++{
++    int audit_fd;
++    va_list ap;
++
++    va_start(ap, fmt);
++#ifdef WITH_AUDIT
++    audit_fd = audit_open();
++
++    if (audit_fd >= 0) {
++	char *buf;
++
++	if (vasprintf (&buf, fmt, ap) < 0)
++		goto ret;
++	audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
++				   NULL, 0);
++	audit_close(audit_fd);
++	free(buf);
++	goto ret;
++    }
++
++#endif
++    vsyslog (LOG_USER | LOG_INFO, fmt, ap);
++ret:
++    va_end(ap);
++    return 0;
++}
++
++static void
++selinux_check_root (void)
++{
++    int status = -1;
++    security_context_t user_context;
++    union selinux_callback old_callback;
++
++    if (is_selinux_enabled() < 1)
++	return;
++
++    old_callback = selinux_get_callback(SELINUX_CB_LOG);
++    /* setup callbacks */
++    selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
++    if ((status = getprevcon(&user_context)) < 0) {
++	selinux_set_callback(SELINUX_CB_LOG, old_callback);
++	exit(1);
++    }
++
++    status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
++
++    selinux_set_callback(SELINUX_CB_LOG, old_callback);
++    freecon(user_context);
++    if (status != 0 && security_getenforce() != 0)
++	exit(1);
++}
++#endif
++
+ /*
+  * open_files - lock and open the password databases
+  */
+@@ -405,8 +469,16 @@ int main (int argc, char **argv)
+ 
+ 	OPENLOG ("chpasswd");
+ 
++#ifdef WITH_AUDIT
++	audit_help_open ();
++#endif
++
+ 	check_perms ();
+ 
++#ifdef WITH_SELINUX
++	selinux_check_root ();
++#endif
++
+ #ifdef USE_PAM
+ 	if (!use_pam)
+ #endif				/* USE_PAM */
+@@ -563,6 +635,11 @@ int main (int argc, char **argv)
+ 			newpw.pw_passwd = cp;
+ 		}
+ 
++#ifdef WITH_AUDIT
++		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++		              "updating-password",
++		              pw->pw_name, (unsigned int) pw->pw_uid, 1);
++#endif
+ 		/* 
+ 		 * The updated password file entry is then put back and will
+ 		 * be written to the password file later, after all the
+diff -up shadow-4.1.5.1/src/Makefile.am.selinux-perms shadow-4.1.5.1/src/Makefile.am
+--- shadow-4.1.5.1/src/Makefile.am.selinux-perms	2016-05-04 13:44:55.647788082 +0200
++++ shadow-4.1.5.1/src/Makefile.am	2016-05-27 16:04:49.446582632 +0200
+@@ -79,9 +79,9 @@ endif
+ 
+ chage_LDADD    = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+ chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
++chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
+ chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
++chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
+ gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+ groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+diff -up shadow-4.1.5.1/src/Makefile.in.selinux-perms shadow-4.1.5.1/src/Makefile.in
+--- shadow-4.1.5.1/src/Makefile.in.selinux-perms	2016-05-04 13:44:55.647788082 +0200
++++ shadow-4.1.5.1/src/Makefile.in	2016-05-27 16:04:49.447582654 +0200
+@@ -437,9 +437,9 @@ AM_CPPFLAGS = -DLOCALEDIR=\"$(datadir)/l
+ @USE_PAM_TRUE@LIBCRYPT_NOPAM = 
+ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+ chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+-chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
++chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
+ chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
++chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBCRYPT)
+ gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+ groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)

SOURCES/shadow-4.1.5.1-selinux.patch

@@ -0,0 +1,99 @@
+diff -up shadow-4.1.5.1/lib/semanage.c.selinux shadow-4.1.5.1/lib/semanage.c
+--- shadow-4.1.5.1/lib/semanage.c.selinux	2012-01-08 17:35:44.000000000 +0100
++++ shadow-4.1.5.1/lib/semanage.c	2014-09-10 10:11:55.417506128 +0200
+@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,
+ 
+ 	ret = 0;
+ 
++        /* drop obsolete matchpathcon cache */
++        matchpathcon_fini();
++
+ done:
+ 	semanage_seuser_key_free (key);
+ 	semanage_handle_destroy (handle);
+@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
+ 	}
+ 
+ 	ret = 0;
++
++        /* drop obsolete matchpathcon cache */
++        matchpathcon_fini();
++
+ done:
+ 	semanage_handle_destroy (handle);
+ 	return ret;
+diff -up shadow-4.1.5.1/src/useradd.c.selinux shadow-4.1.5.1/src/useradd.c
+--- shadow-4.1.5.1/src/useradd.c.selinux	2014-09-10 10:10:18.791280619 +0200
++++ shadow-4.1.5.1/src/useradd.c	2014-09-10 10:10:18.798280781 +0200
+@@ -1850,6 +1850,7 @@ static void create_mail (void)
+  */
+ int main (int argc, char **argv)
+ {
++	int rv = E_SUCCESS;
+ #ifdef ACCT_TOOLS_SETUID
+ #ifdef USE_PAM
+ 	pam_handle_t *pamh = NULL;
+@@ -2037,10 +2038,33 @@ int main (int argc, char **argv)
+ 
+ 	usr_update ();
+ 
++	close_files ();
++
++	nscd_flush_cache ("passwd");
++	nscd_flush_cache ("group");
++
++#ifdef WITH_SELINUX
++	if (Zflg && *user_selinux) {
++		if (is_selinux_enabled () > 0) {
++		    if (set_seuser (user_name, user_selinux) != 0) {
++			fprintf (stderr,
++			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
++			         Prog, user_name, user_selinux);
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_ADD_USER, Prog,
++			              "adding SELinux user mapping",
++			              user_name, (unsigned int) user_id, 0);
++#endif				/* WITH_AUDIT */
++			rv = E_SE_UPDATE;
++		    }
++		}
++	}
++#endif
++
+ 	if (mflg) {
+ 		create_home ();
+ 		if (home_added) {
+-			copy_tree (def_template, user_home, false, false,
++			copy_tree (def_template, user_home, false, true,
+ 			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ 		} else {
+ 			fprintf (stderr,
+@@ -2056,27 +2080,6 @@ int main (int argc, char **argv)
+ 		create_mail ();
+ 	}
+ 
+-	close_files ();
+-
+-#ifdef WITH_SELINUX
+-	if (Zflg) {
+-		if (set_seuser (user_name, user_selinux) != 0) {
+-			fprintf (stderr,
+-			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+-			         Prog, user_name, user_selinux);
+-#ifdef WITH_AUDIT
+-			audit_logger (AUDIT_ADD_USER, Prog,
+-			              "adding SELinux user mapping",
+-			              user_name, (unsigned int) user_id, 0);
+-#endif				/* WITH_AUDIT */
+-			fail_exit (E_SE_UPDATE);
+-		}
+-	}
+-#endif				/* WITH_SELINUX */
+-
+-	nscd_flush_cache ("passwd");
+-	nscd_flush_cache ("group");
+-
+-	return E_SUCCESS;
++	return rv;
+ }
+ 

SOURCES/shadow-4.1.5.1-userdel-helpfix.patch

@@ -0,0 +1,15 @@
+diff -up shadow-4.1.5.1/src/userdel.c.userdel shadow-4.1.5.1/src/userdel.c
+--- shadow-4.1.5.1/src/userdel.c.userdel	2012-05-25 13:51:55.000000000 +0200
++++ shadow-4.1.5.1/src/userdel.c	2014-02-12 11:40:30.707686132 +0100
+@@ -130,8 +130,9 @@ static void usage (int status)
+ 	                  "\n"
+ 	                  "Options:\n"),
+ 	                Prog);
+-	(void) fputs (_("  -f, --force                   force removal of files,\n"
+-	                "                                even if not owned by user\n"),
++	(void) fputs (_("  -f, --force                   force some actions that would fail otherwise\n"
++			"                                e.g. removal of user still logged in\n"
++			"                                or files, even if not owned by the user\n"),
+ 	              usageout);
+ 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
+ 	(void) fputs (_("  -r, --remove                  remove home directory and mail spool\n"), usageout);

SOURCES/shadow-4.1.5.1-usermod-passwd.patch

@@ -0,0 +1,63 @@
+diff -up shadow-4.1.5.1/src/usermod.c.passwd shadow-4.1.5.1/src/usermod.c
+--- shadow-4.1.5.1/src/usermod.c.passwd	2015-12-17 14:05:47.959743073 +0100
++++ shadow-4.1.5.1/src/usermod.c	2015-12-18 12:42:28.290405529 +0100
+@@ -360,14 +360,17 @@ static char *new_pw_passwd (char *pw_pas
+ 		strcat (buf, pw_pass);
+ 		pw_pass = buf;
+ 	} else if (Uflg && pw_pass[0] == '!') {
+-		char *s;
++		char *s = pw_pass;
+ 
+-		if (pw_pass[1] == '\0') {
++		while ('!' == *s)
++			++s;
++
++		if (*s == '\0') {
+ 			fprintf (stderr,
+ 			         _("%s: unlocking the user's password would result in a passwordless account.\n"
+ 			           "You should set a password with usermod -p to unlock this user's password.\n"),
+ 			         Prog);
+-			return pw_pass;
++			return NULL;
+ 		}
+ 
+ #ifdef WITH_AUDIT
+@@ -376,12 +379,15 @@ static char *new_pw_passwd (char *pw_pas
+ 		              user_newname, (unsigned int) user_newid, 1);
+ #endif
+ 		SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
+-		s = pw_pass;
+-		while ('\0' != *s) {
+-			*s = *(s + 1);
+-			s++;
+-		}
++		memmove (pw_pass, s, strlen (s) + 1);
+ 	} else if (pflg) {
++		if (strchr (user_pass, ':') != NULL) {
++			fprintf (stderr,
++			         _("%s: The password field cannot contain a colon character.\n"),
++			         Prog);
++			return NULL;
++
++		}
+ #ifdef WITH_AUDIT
+ 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ 		              "updating-password",
+@@ -430,6 +436,8 @@ static void new_pwent (struct passwd *pw
+ 	if (   (!is_shadow_pwd)
+ 	    || (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {
+ 		pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);
++		if (pwent->pw_passwd == NULL)
++			fail_exit (E_PW_UPDATE);
+ 	}
+ 
+ 	if (uflg) {
+@@ -544,6 +552,8 @@ static void new_spent (struct spwd *spen
+ 	 *  + aging has been requested
+ 	 */
+ 	spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
++	if (spent->sp_pwdp == NULL)
++		fail_exit(E_PW_UPDATE);
+ 
+ 	if (pflg) {
+ 		spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE;

SOURCES/shadow-utils.login.defs

@@ -0,0 +1,72 @@
+#
+# Please note that the parameters in this configuration file control the
+# behavior of the tools from the shadow-utils component. None of these
+# tools uses the PAM mechanism, and the utilities that use PAM (such as the
+# passwd command) should therefore be configured elsewhere. Refer to
+# /etc/pam.d/system-auth for more information.
+#
+
+# *REQUIRED*
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
+#   QMAIL_DIR is for Qmail
+#
+#QMAIL_DIR	Maildir
+MAIL_DIR	/var/spool/mail
+#MAIL_FILE	.mail
+
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_MIN_LEN	Minimum acceptable password length.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_MIN_LEN	5
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN                  1000
+UID_MAX                 60000
+# System accounts
+SYS_UID_MIN               201
+SYS_UID_MAX               999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN                  1000
+GID_MAX                 60000
+# System accounts
+SYS_GID_MIN               201
+SYS_GID_MAX               999
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# If useradd should create home directories for users by default
+# On RH systems, we do. This option is overridden with the -m flag on
+# useradd command line.
+#
+CREATE_HOME	yes
+
+# The permission mask is initialized to this value. If not specified, 
+# the permission mask will be initialized to 022.
+UMASK           077
+
+# This enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+# Use SHA512 to encrypt password.
+ENCRYPT_METHOD SHA512 
+

SOURCES/shadow-utils.useradd

@@ -0,0 +1,9 @@
+# useradd defaults file
+GROUP=100
+HOME=/home
+INACTIVE=-1
+EXPIRE=
+SHELL=/bin/bash
+SKEL=/etc/skel
+CREATE_MAIL_SPOOL=yes
+