summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCoprDistGit <infra@openeuler.org>2023-10-12 11:50:23 +0000
committerCoprDistGit <infra@openeuler.org>2023-10-12 11:50:23 +0000
commita39ad350cc564b3b46e6f75e2f9d1f26f646861e (patch)
tree2c862b9103baa1192a30703077647caeac8d638c
parent9db7dc8abcf40be92578f61ae05c86ba78c65866 (diff)
automatic import of shadowopeneuler22.03_LTS
Diffstat
-rw-r--r--.gitignore1
-rw-r--r--backport-Added-control-character-check.patch45
-rw-r--r--backport-Correctly-handle-illegal-system-file-in-tz.patch55
-rw-r--r--backport-Explicitly-override-only-newlines.patch55
-rw-r--r--backport-Fix-off-by-one-mistakes.patch74
-rw-r--r--backport-Fix-typos-in-length-calculations.patch32
-rw-r--r--backport-Overhaul-valid_field.patch61
-rw-r--r--backport-Prevent-out-of-boundary-access.patch56
-rw-r--r--backport-Read-whole-line-in-yes_or_no.patch67
-rw-r--r--backport-chgpasswd-fix-segfault-in-command-line-options.patch36
-rw-r--r--backport-commonio-free-removed-database-entries.patch39
-rw-r--r--backport-run_parts-for-groupadd-and-groupdel.patch127
-rw-r--r--backport-semanage-disconnect-to-free-libsemanage-internals.patch76
-rw-r--r--backport-useradd-check-if-subid-range-exists-for-user.patch41
-rw-r--r--chpasswd5
-rw-r--r--gpl-2.0.txt339
-rw-r--r--newusers5
-rw-r--r--shadow-Remove-encrypted-passwd-for-useradd-gr.patch133
-rw-r--r--shadow-add-sm3-crypt-support.patch782
-rw-r--r--shadow-bsd.txt32
-rw-r--r--shadow-utils.login.defs306
-rw-r--r--shadow-utils.useradd8
-rw-r--r--shadow.spec355
-rw-r--r--sources1
-rw-r--r--usermod-unlock.patch65
25 files changed, 2796 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index e69de29..62e64a7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/shadow-4.13.tar.xz
diff --git a/backport-Added-control-character-check.patch b/backport-Added-control-character-check.patch
new file mode 100644
index 0000000..79d074e
--- /dev/null
+++ b/backport-Added-control-character-check.patch
@@ -0,0 +1,45 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -21,9 +21,9 @@
+ *
+ * The supplied field is scanned for non-printable and other illegal
+ * characters.
+- * + -1 is returned if an illegal character is present.
+- * + 1 is returned if no illegal characters are present, but the field
+- * contains a non-printable character.
++ * + -1 is returned if an illegal or control character is present.
++ * + 1 is returned if no illegal or control characters are present,
++ * but the field contains a non-printable character.
+ * + 0 is returned otherwise.
+ */
+ int valid_field (const char *field, const char *illegal)
+@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
+ }
+
+ if (0 == err) {
+- /* Search if there are some non-printable characters */
++ /* Search if there are non-printable or control characters */
+ for (cp = field; '\0' != *cp; cp++) {
+ if (!isprint (*cp)) {
+ err = 1;
++ }
++ if (!iscntrl (*cp)) {
++ err = -1;
+ break;
+ }
+ }
+--
+2.27.0
+
diff --git a/backport-Correctly-handle-illegal-system-file-in-tz.patch b/backport-Correctly-handle-illegal-system-file-in-tz.patch
new file mode 100644
index 0000000..5355ec7
--- /dev/null
+++ b/backport-Correctly-handle-illegal-system-file-in-tz.patch
@@ -0,0 +1,55 @@
+From 37ae2320809cb16afa9dacd8e5ea317ae216ee36 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Fri, 27 Jan 2023 11:57:51 +0000
+Subject: [PATCH] Correctly handle illegal system file in tz
+
+If the file referenced by ENV_TZ has a zero length string, then an out
+of boundary write occurs. Also the result can be wrong because it is
+assumed that the file will always end with a newline.
+
+Only override a newline character with '\0' to avoid these cases.
+
+This cannot be considered to be security relevant because login.defs
+and its contained references to system files should be trusted to begin
+with.
+
+Proof of Concept:
+
+1. Compile shadow's su with address sanitizer and --without-libpam
+
+2. Setup your /etc/login.defs to contain ENV_TZ=/etc/tzname
+
+3. Prepare /etc/tzname to contain a '\0' byte at the beginning
+
+`python -c "print('\x00')" > /etc/tzname`
+
+4. Use su
+
+`su -l`
+
+You can see the following output:
+
+`tz.c:45:8: runtime error: index 18446744073709551615 out of bounds for type 'char [8192]'`
+
+Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
+---
+ libmisc/tz.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libmisc/tz.c b/libmisc/tz.c
+index f3f5733e..9f3a41f2 100644
+--- a/libmisc/tz.c
++++ b/libmisc/tz.c
+@@ -42,7 +42,8 @@
+
+ strcpy (tzbuf, def_tz);
+ } else {
+- tzbuf[strlen (tzbuf) - 1] = '\0';
++ /* Remove optional trailing '\n'. */
++ tzbuf[strcspn (tzbuf, "\n")] = '\0';
+ }
+
+ if (NULL != fp) {
+--
+2.27.0
+
diff --git a/backport-Explicitly-override-only-newlines.patch b/backport-Explicitly-override-only-newlines.patch
new file mode 100644
index 0000000..a1fc8c6
--- /dev/null
+++ b/backport-Explicitly-override-only-newlines.patch
@@ -0,0 +1,55 @@
+From ffc480c2e93f05266e4b130229877ad13f71a8c0 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Mon, 30 Jan 2023 11:53:47 +0000
+Subject: [PATCH] Explicitly override only newlines
+
+Override only newlines with '\0' to avoid undesired truncation of
+actual line content.
+
+Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
+---
+ lib/port.c | 6 +++---
+ libmisc/console.c | 3 ++-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/port.c b/lib/port.c
+index 0bea2ef4..90eb1498 100644
+--- a/lib/port.c
++++ b/lib/port.c
+@@ -130,8 +130,8 @@ static struct port *getportent (void)
+ again:
+
+ /*
+- * Get the next line and remove the last character, which
+- * is a '\n'. Lines which begin with '#' are all ignored.
++ * Get the next line and remove optional trailing '\n'.
++ * Lines which begin with '#' are all ignored.
+ */
+
+ if (fgets (buf, (int) sizeof buf, ports) == 0) {
+@@ -149,7 +149,7 @@ static struct port *getportent (void)
+ * TTY devices.
+ */
+
+- buf[strlen (buf) - 1] = 0;
++ buf[strcspn (buf, "\n")] = 0;
+
+ port.pt_names = ttys;
+ for (cp = buf, j = 0; j < PORT_TTY; j++) {
+diff --git a/libmisc/console.c b/libmisc/console.c
+index bc024eba..63d3ceb3 100644
+--- a/libmisc/console.c
++++ b/libmisc/console.c
+@@ -71,7 +71,8 @@ static bool is_listed (const char *cfgin, const char *tty, bool def)
+ */
+
+ while (fgets (buf, (int) sizeof (buf), fp) != NULL) {
+- buf[strlen (buf) - 1] = '\0';
++ /* Remove optional trailing '\n'. */
++ buf[strcspn (buf, "\n")] = '\0';
+ if (strcmp (buf, tty) == 0) {
+ (void) fclose (fp);
+ return true;
+--
+2.27.0
+
diff --git a/backport-Fix-off-by-one-mistakes.patch b/backport-Fix-off-by-one-mistakes.patch
new file mode 100644
index 0000000..fe11716
--- /dev/null
+++ b/backport-Fix-off-by-one-mistakes.patch
@@ -0,0 +1,74 @@
+From 587ce83e3ff4bea64ac028149ac9b66df37f688c Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Fri, 16 Dec 2022 00:52:27 +0100
+Subject: [PATCH] Fix off-by-one mistakes
+
+The buffers have a size of 512 (see xmalloc() above), which is what
+snprintf(3) expects.
+
+Link: <https://github.com/shadow-maint/shadow/pull/607>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/groupmod.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/groupmod.c b/src/groupmod.c
+index 006eca1c..828c7c0b 100644
+--- a/src/groupmod.c
++++ b/src/groupmod.c
+@@ -554,13 +554,13 @@ static void prepare_failure_reports (void)
+ #endif
+ info_passwd.audit_msg = xmalloc (512);
+
+- (void) snprintf (info_group.audit_msg, 511,
++ (void) snprintf (info_group.audit_msg, 512,
+ "changing %s; ", gr_dbname ());
+ #ifdef SHADOWGRP
+- (void) snprintf (info_gshadow.audit_msg, 511,
++ (void) snprintf (info_gshadow.audit_msg, 512,
+ "changing %s; ", sgr_dbname ());
+ #endif
+- (void) snprintf (info_passwd.audit_msg, 511,
++ (void) snprintf (info_passwd.audit_msg, 512,
+ "changing %s; ", pw_dbname ());
+
+ info_group.action = info_group.audit_msg
+@@ -573,16 +573,16 @@ static void prepare_failure_reports (void)
+ + strlen (info_passwd.audit_msg);
+
+ (void) snprintf (info_group.action,
+- 511 - strlen (info_group.audit_msg),
++ 512 - strlen (info_group.audit_msg),
+ "group %s/%lu",
+ group_name, (unsigned long int) group_id);
+ #ifdef SHADOWGRP
+ (void) snprintf (info_gshadow.action,
+- 511 - strlen (info_group.audit_msg),
++ 512 - strlen (info_group.audit_msg),
+ "group %s", group_name);
+ #endif
+ (void) snprintf (info_passwd.action,
+- 511 - strlen (info_group.audit_msg),
++ 512 - strlen (info_group.audit_msg),
+ "group %s/%lu",
+ group_name, (unsigned long int) group_id);
+
+@@ -617,13 +617,13 @@ static void prepare_failure_reports (void)
+ strncat (info_group.action, ", new gid: ",
+ 511 - strlen (info_group.audit_msg));
+ (void) snprintf (info_group.action+strlen (info_group.action),
+- 511 - strlen (info_group.audit_msg),
++ 512 - strlen (info_group.audit_msg),
+ "%lu", (unsigned long int) group_newid);
+
+ strncat (info_passwd.action, ", new gid: ",
+ 511 - strlen (info_passwd.audit_msg));
+ (void) snprintf (info_passwd.action+strlen (info_passwd.action),
+- 511 - strlen (info_passwd.audit_msg),
++ 512 - strlen (info_passwd.audit_msg),
+ "%lu", (unsigned long int) group_newid);
+ }
+ info_group.audit_msg[511] = '\0';
+--
+2.27.0
+
diff --git a/backport-Fix-typos-in-length-calculations.patch b/backport-Fix-typos-in-length-calculations.patch
new file mode 100644
index 0000000..8d339ad
--- /dev/null
+++ b/backport-Fix-typos-in-length-calculations.patch
@@ -0,0 +1,32 @@
+From ed69feaaff3c86745390c9839ecfc4b8f9706075 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Fri, 16 Dec 2022 01:08:12 +0100
+Subject: [PATCH] Fix typos in length calculations
+
+Link: <https://github.com/shadow-maint/shadow/pull/607>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/groupmod.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/groupmod.c b/src/groupmod.c
+index 7802e5b1..8c219194 100644
+--- a/src/groupmod.c
++++ b/src/groupmod.c
+@@ -578,11 +578,11 @@ static void prepare_failure_reports (void)
+ group_name, (unsigned long int) group_id);
+ #ifdef SHADOWGRP
+ (void) snprintf (info_gshadow.action,
+- 512 - strlen (info_group.audit_msg),
++ 512 - strlen (info_gshadow.audit_msg),
+ "group %s", group_name);
+ #endif
+ (void) snprintf (info_passwd.action,
+- 512 - strlen (info_group.audit_msg),
++ 512 - strlen (info_passwd.audit_msg),
+ "group %s/%lu",
+ group_name, (unsigned long int) group_id);
+
+--
+2.27.0
+
diff --git a/backport-Overhaul-valid_field.patch b/backport-Overhaul-valid_field.patch
new file mode 100644
index 0000000..7573d17
--- /dev/null
+++ b/backport-Overhaul-valid_field.patch
@@ -0,0 +1,61 @@
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b582..53929248 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+
+ /* For each character of field, search if it appears in the list
+ * of illegal characters. */
++ if (illegal && NULL != strpbrk (field, illegal)) {
++ return -1;
++ }
++
++ /* Search if there are non-printable or control characters */
+ for (cp = field; '\0' != *cp; cp++) {
+- if (strchr (illegal, *cp) != NULL) {
++ unsigned char c = *cp;
++ if (!isprint (c)) {
++ err = 1;
++ }
++ if (iscntrl (c)) {
+ err = -1;
+ break;
+ }
+ }
+
+- if (0 == err) {
+- /* Search if there are non-printable or control characters */
+- for (cp = field; '\0' != *cp; cp++) {
+- if (!isprint (*cp)) {
+- err = 1;
+- }
+- if (!iscntrl (*cp)) {
+- err = -1;
+- break;
+- }
+- }
+- }
+-
+ return err;
+ }
+
+--
+2.27.0
+
diff --git a/backport-Prevent-out-of-boundary-access.patch b/backport-Prevent-out-of-boundary-access.patch
new file mode 100644
index 0000000..321b616
--- /dev/null
+++ b/backport-Prevent-out-of-boundary-access.patch
@@ -0,0 +1,56 @@
+From 8e0ad48c21bd7d5506ff44eb4c04f796b80045ce Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Mon, 30 Jan 2023 11:54:49 +0000
+Subject: [PATCH] Prevent out of boundary access
+
+If lines start with '\0' then it is possible to trigger out of
+boundary accesses.
+
+Check if indices are valid before accessing them.
+
+Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
+---
+ src/login_nopam.c | 4 ++--
+ src/suauth.c | 3 ++-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/login_nopam.c b/src/login_nopam.c
+index b09cffe4..18072a43 100644
+--- a/src/login_nopam.c
++++ b/src/login_nopam.c
+@@ -100,7 +100,7 @@ int login_access (const char *user, const char *from)
+ int end;
+ lineno++;
+ end = (int) strlen (line) - 1;
+- if (line[end] != '\n') {
++ if (line[0] == '\0' || line[end] != '\n') {
+ SYSLOG ((LOG_ERR,
+ "%s: line %d: missing newline or line too long",
+ TABLE, lineno));
+@@ -320,7 +320,7 @@ static bool from_match (const char *tok, const char *string)
+ if (strchr (string, '.') == NULL) {
+ return true;
+ }
+- } else if ( (tok[(tok_len = strlen (tok)) - 1] == '.') /* network */
++ } else if ( (tok[0] != '\0' && tok[(tok_len = strlen (tok)) - 1] == '.') /* network */
+ && (strncmp (tok, resolve_hostname (string), tok_len) == 0)) {
+ return true;
+ }
+diff --git a/src/suauth.c b/src/suauth.c
+index 2641d334..d68a3340 100644
+--- a/src/suauth.c
++++ b/src/suauth.c
+@@ -68,8 +68,9 @@ int check_su_auth (const char *actual_id,
+
+ while (fgets (temp, sizeof (temp), authfile_fd) != NULL) {
+ lines++;
++ endline = strlen(temp) - 1;
+
+- if (temp[endline = strlen (temp) - 1] != '\n') {
++ if (temp[0] == '\0' || temp[endline] != '\n') {
+ SYSLOG ((LOG_ERR,
+ "%s, line %d: line too long or missing newline",
+ SUAUTHFILE, lines));
+--
+2.27.0
+
diff --git a/backport-Read-whole-line-in-yes_or_no.patch b/backport-Read-whole-line-in-yes_or_no.patch
new file mode 100644
index 0000000..c70a8b8
--- /dev/null
+++ b/backport-Read-whole-line-in-yes_or_no.patch
@@ -0,0 +1,67 @@
+From 0c83b981053b65c9bab4f1c2e60d004e920f8faf Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Fri, 27 Jan 2023 11:53:57 +0000
+Subject: [PATCH] Read whole line in yes_or_no
+
+Do not stop after 79 characters. Read the complete line to avoid
+arbitrary limitations.
+
+Proof of Concept:
+
+```
+cat > passwd-poc << EOF
+root:x:0:0:root:/root:/bin/bash
+root:x:0:0:root:/root:/bin/bash
+root:x:0:0:root:/root:/bin/bash
+EOF
+python -c "print(80*'y')" | pwck passwd-poc
+```
+
+Two lines should still be within the file because we agreed only once
+to remove a duplicated line.
+
+Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
+Reviewed-by: Alejandro Colomar <alx@kernel.org>
+Reviewed-by: Serge Hallyn <serge@hallyn.com>
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/0c83b981053b65c9bab4f1c2e60d004e920f8faf
+---
+ libmisc/yesno.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/libmisc/yesno.c b/libmisc/yesno.c
+index 1a1a3714..d8847e40 100644
+--- a/libmisc/yesno.c
++++ b/libmisc/yesno.c
+@@ -28,7 +28,8 @@
+ */
+ bool yes_or_no (bool read_only)
+ {
+- char buf[80];
++ int c;
++ bool result;
+
+ /*
+ * In read-only mode all questions are answered "no".
+@@ -46,11 +47,13 @@ bool yes_or_no (bool read_only)
+ /*
+ * Get a line and see what the first character is.
+ */
++ c = fgetc(stdin);
+ /* TODO: use gettext */
+- if (fgets (buf, (int) sizeof buf, stdin) == buf) {
+- return buf[0] == 'y' || buf[0] == 'Y';
+- }
++ result = (c == 'y' || c == 'Y');
++
++ while (c != '\n' && c != EOF)
++ c = fgetc(stdin);
+
+- return false;
++ return result;
+ }
+
+--
+2.27.0
+
diff --git a/backport-chgpasswd-fix-segfault-in-command-line-options.patch b/backport-chgpasswd-fix-segfault-in-command-line-options.patch
new file mode 100644
index 0000000..db47426
--- /dev/null
+++ b/backport-chgpasswd-fix-segfault-in-command-line-options.patch
@@ -0,0 +1,36 @@
+From 53a17c1742a4b5fcf9280fd6dd85fc77588535c2 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Date: Wed, 21 Jun 2023 15:12:43 +0200
+Subject: [PATCH] chgpasswd: fix segfault in command-line options
+
+Using the --sha-rounds option without first giving a crypt method via the --crypt-method option results in comparisons with a NULL pointer and thus make chgpasswd segfault:
+
+$ chgpasswd -s 1
+zsh: segmentation fault chgpasswd -s 1
+
+Current patch add a sanity check before these comparisons to ensure there is a defined encryption method.
+---
+ src/chgpasswd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/chgpasswd.c b/src/chgpasswd.c
+index fe4055d8..7b773e2f 100644
+--- a/src/chgpasswd.c
++++ b/src/chgpasswd.c
+@@ -186,6 +186,13 @@ static void process_flags (int argc, char **argv)
+ case 's':
+ sflg = true;
+ bad_s = 0;
++
++ if (!crypt_method) {
++ fprintf (stderr,
++ _("%s: no crypt method defined\n"),
++ Prog);
++ usage (E_USAGE);
++ }
+ #if defined(USE_SHA_CRYPT)
+ if ( ( ((0 == strcmp (crypt_method, "SHA256")) || (0 == strcmp (crypt_method, "SHA512")))
+ && (0 == getlong(optarg, &sha_rounds)))) {
+--
+2.20.1
+
diff --git a/backport-commonio-free-removed-database-entries.patch b/backport-commonio-free-removed-database-entries.patch
new file mode 100644
index 0000000..13322f7
--- /dev/null
+++ b/backport-commonio-free-removed-database-entries.patch
@@ -0,0 +1,39 @@
+From a8dd8ce6c9a5f6e69ed4e9fa7b0c0976bb4ba332 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sat, 1 Apr 2023 13:36:51 +0200
+Subject: [PATCH] commonio: free removed database entries
+
+Free the actual struct of the removed entry.
+
+Example userdel report:
+
+ Direct leak of 40 byte(s) in 1 object(s) allocated from:
+ #0 0x55b230efe857 in reallocarray (./src/userdel+0xda857)
+ #1 0x55b230f6041f in mallocarray ./lib/./alloc.h:97:9
+ #2 0x55b230f6041f in commonio_open ./lib/commonio.c:563:7
+ #3 0x55b230f39098 in open_files ./src/userdel.c:555:6
+ #4 0x55b230f39098 in main ./src/userdel.c:1189:2
+ #5 0x7f9b48c64189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/a8dd8ce6c9a5f6e69ed4e9fa7b0c0976bb4ba332
+---
+ lib/commonio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index 40e62298..a0449c83 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -1060,6 +1060,8 @@ int commonio_remove (struct commonio_db *db, const char *name)
+ db->ops->free (p->eptr);
+ }
+
++ free(p);
++
+ return 1;
+ }
+
+--
+2.27.0
+
diff --git a/backport-run_parts-for-groupadd-and-groupdel.patch b/backport-run_parts-for-groupadd-and-groupdel.patch
new file mode 100644
index 0000000..43c175b
--- /dev/null
+++ b/backport-run_parts-for-groupadd-and-groupdel.patch
@@ -0,0 +1,127 @@
+From 4e1f674c41724dd96ad2c3a0c02ac9f6666697ba Mon Sep 17 00:00:00 2001
+From: ed neville <ed@s5h.net>
+Date: Mon, 27 Mar 2023 20:23:03 +0100
+Subject: [PATCH] run_parts for groupadd and groupdel
+
+run_parts currently exists in useradd and userdel, this commit mirrors
+the functionality with groupadd and groupdel
+
+Hook for group{add,del} to include killing processes that have group
+membership that would no longer exist to avoid membership ID reuse.
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/4e1f674c41724dd96ad2c3a0c02ac9f6666697ba
+---
+ .../groupdel-pre.d/01-kill_group_procs.sh | 26 +++++++++++++++++++
+ src/groupadd.c | 11 ++++++++
+ src/groupdel.c | 11 ++++++++
+ 3 files changed, 48 insertions(+)
+ create mode 100644 etc/shadow-maint/groupdel-pre.d/01-kill_group_procs.sh
+
+diff --git a/etc/shadow-maint/groupdel-pre.d/01-kill_group_procs.sh b/etc/shadow-maint/groupdel-pre.d/01-kill_group_procs.sh
+new file mode 100644
+index 00000000..10db5279
+--- /dev/null
++++ b/etc/shadow-maint/groupdel-pre.d/01-kill_group_procs.sh
+@@ -0,0 +1,26 @@
++#!/bin/sh
++
++PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
++GROUPID=`awk -F: '$1 == "'"${SUBJECT}"'" { print $3 }' /etc/group`
++
++if [ "${GROUPID}" = "" ]; then
++ exit 0
++fi
++
++for status in /proc/*/status; do
++ # either this isn't a process or its already dead since expanding the list
++ [ -f "$status" ] || continue
++
++ tbuf=${status%/status}
++ pid=${tbuf#/proc/}
++ case "$pid" in
++ "$$") continue;;
++ [0-9]*) :;;
++ *) continue
++ esac
++
++ grep -q '^Groups:.*\b'"${GROUPID}"'\b.*' "/proc/$pid/status" || continue
++
++ kill -9 "$pid" || echo "cannot kill $pid" 1>&2
++done
++
+diff --git a/src/groupadd.c b/src/groupadd.c
+index 31142101..2eda1c68 100644
+--- a/src/groupadd.c
++++ b/src/groupadd.c
+@@ -34,6 +34,7 @@
+ #include "sgroupio.h"
+ #endif
+ #include "shadowlog.h"
++#include "run_part.h"
+
+ /*
+ * exit status values
+@@ -603,6 +604,11 @@ int main (int argc, char **argv)
+
+ check_perms ();
+
++ if (run_parts ("/etc/shadow-maint/groupadd-pre.d", group_name,
++ "groupadd")) {
++ exit(1);
++ }
++
+ #ifdef SHADOWGRP
+ is_shadow_grp = sgr_file_present ();
+ #endif
+@@ -621,6 +627,11 @@ int main (int argc, char **argv)
+
+ grp_update ();
+ close_files ();
++ if (run_parts ("/etc/shadow-maint/groupadd-post.d", group_name,
++ "groupadd")) {
++ exit(1);
++ }
++
+
+ nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
+diff --git a/src/groupdel.c b/src/groupdel.c
+index fdccf5e1..bae4367b 100644
+--- a/src/groupdel.c
++++ b/src/groupdel.c
+@@ -32,6 +32,7 @@
+ #include "sgroupio.h"
+ #endif
+ #include "shadowlog.h"
++#include "run_part.h"
+ /*
+ * Global variables
+ */
+@@ -461,6 +462,11 @@ int main (int argc, char **argv)
+ group_busy (group_id);
+ }
+
++ if (run_parts ("/etc/shadow-maint/groupdel-pre.d", group_name,
++ "groupdel")) {
++ exit(1);
++ }
++
+ /*
+ * Do the hard stuff - open the files, delete the group entries,
+ * then close and update the files.
+@@ -471,6 +477,11 @@ int main (int argc, char **argv)
+
+ close_files ();
+
++ if (run_parts ("/etc/shadow-maint/groupdel-post.d", group_name,
++ "groupdel")) {
++ exit(1);
++ }
++
+ nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
+
+--
+2.27.0
+
diff --git a/backport-semanage-disconnect-to-free-libsemanage-internals.patch b/backport-semanage-disconnect-to-free-libsemanage-internals.patch
new file mode 100644
index 0000000..94a0722
--- /dev/null
+++ b/backport-semanage-disconnect-to-free-libsemanage-internals.patch
@@ -0,0 +1,76 @@
+From 7078ed1e0b8a197aa9e5103986bce927abef87a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sat, 1 Apr 2023 14:11:06 +0200
+Subject: [PATCH] semanage: disconnect to free libsemanage internals
+
+Destroying the handle does not actually disconnect, see [1].
+Also free the key on user removal.
+
+[1]: https://github.com/SELinuxProject/selinux/blob/e9072e7d45f4559887d11b518099135cbe564163/libsemanage/src/direct_api.c#L330
+
+Example adduser leak:
+
+ Direct leak of 1008 byte(s) in 14 object(s) allocated from:
+ #0 0x5638f2e782ae in __interceptor_malloc (./src/useradd+0xee2ae)
+ #1 0x7fb5cfffad09 in dbase_file_init src/database_file.c:170:45
+
+ Direct leak of 392 byte(s) in 7 object(s) allocated from:
+ #0 0x5638f2e782ae in __interceptor_malloc (./src/useradd+0xee2ae)
+ #1 0x7fb5cfffc929 in dbase_policydb_init src/database_policydb.c:187:27
+
+ Direct leak of 144 byte(s) in 2 object(s) allocated from:
+ #0 0x5638f2e782ae in __interceptor_malloc (./src/useradd+0xee2ae)
+ #1 0x7fb5cfffb519 in dbase_join_init src/database_join.c:249:28
+
+ [...]
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/7078ed1e0b8a197aa9e5103986bce927abef87a4
+---
+ lib/semanage.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/semanage.c b/lib/semanage.c
+index 5d336b08..d412186c 100644
+--- a/lib/semanage.c
++++ b/lib/semanage.c
+@@ -97,6 +97,8 @@ static semanage_handle_t *semanage_init (void)
+ return handle;
+
+ fail:
++ if (handle)
++ semanage_disconnect (handle);
+ semanage_handle_destroy (handle);
+ return NULL;
+ }
+@@ -156,7 +158,7 @@ done:
+
+
+ static int semanage_user_add (semanage_handle_t *handle,
+- semanage_seuser_key_t *key,
++ const semanage_seuser_key_t *key,
+ const char *login_name,
+ const char *seuser_name)
+ {
+@@ -279,6 +281,8 @@ int set_seuser (const char *login_name, const char *seuser_name)
+
+ done:
+ semanage_seuser_key_free (key);
++ if (handle)
++ semanage_disconnect (handle);
+ semanage_handle_destroy (handle);
+ return ret;
+ }
+@@ -353,6 +357,9 @@ int del_seuser (const char *login_name)
+
+ ret = 0;
+ done:
++ semanage_seuser_key_free (key);
++ if (handle)
++ semanage_disconnect (handle);
+ semanage_handle_destroy (handle);
+ return ret;
+ }
+--
+2.27.0
+
diff --git a/backport-useradd-check-if-subid-range-exists-for-user.patch b/backport-useradd-check-if-subid-range-exists-for-user.patch
new file mode 100644
index 0000000..62c172f
--- /dev/null
+++ b/backport-useradd-check-if-subid-range-exists-for-user.patch
@@ -0,0 +1,41 @@
+From e0524e813a3bae2891b33a66f35876841c11cee7 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Mon, 24 Oct 2022 10:46:36 +0200
+Subject: [PATCH 1/4] useradd: check if subid range exists for user
+
+Check if a user already has a subid range before assigning one.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012929
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+
+Reference: https://github.com/shadow-maint/shadow/commit/e0524e813a3bae2891b33a66f35876841c11cee7
+Conflict: NA
+---
+ src/useradd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 7ea0a9c4..e784d602 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2188,14 +2188,14 @@ static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
+ fail_exit (E_PW_UPDATE);
+ }
+ #ifdef ENABLE_SUBIDS
+- if (is_sub_uid &&
++ if (is_sub_uid && !local_sub_uid_assigned(user_name) &&
+ (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
+ fprintf (stderr,
+ _("%s: failed to prepare the new %s entry\n"),
+ Prog, sub_uid_dbname ());
+ fail_exit (E_SUB_UID_UPDATE);
+ }
+- if (is_sub_gid &&
++ if (is_sub_gid && !local_sub_gid_assigned(user_name) &&
+ (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
+ fprintf (stderr,
+ _("%s: failed to prepare the new %s entry\n"),
+--
+2.12.3
+
diff --git a/chpasswd b/chpasswd
new file mode 100644
index 0000000..15c4663
--- /dev/null
+++ b/chpasswd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+# This tool only uses the password stack.
+password substack system-auth
+-password optional pam_gnome_keyring.so use_authtok
+password substack postlogin
diff --git a/gpl-2.0.txt b/gpl-2.0.txt
new file mode 100644
index 0000000..d159169
--- /dev/null
+++ b/gpl-2.0.txt
@@ -0,0 +1,339 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
diff --git a/newusers b/newusers
new file mode 100644
index 0000000..15c4663
--- /dev/null
+++ b/newusers
@@ -0,0 +1,5 @@
+#%PAM-1.0
+# This tool only uses the password stack.
+password substack system-auth
+-password optional pam_gnome_keyring.so use_authtok
+password substack postlogin
diff --git a/shadow-Remove-encrypted-passwd-for-useradd-gr.patch b/shadow-Remove-encrypted-passwd-for-useradd-gr.patch
new file mode 100644
index 0000000..07b29c1
--- /dev/null
+++ b/shadow-Remove-encrypted-passwd-for-useradd-gr.patch
@@ -0,0 +1,133 @@
+From 280a8474ad87f44f9620eeac75cbf8a34b5edc2f Mon Sep 17 00:00:00 2001
+From: xiongshenglan <xiongshenglan@huawei.com>
+Date: Thu, 27 Jul 2023 09:30:16 +0800
+Subject: [PATCH] shadow: Remove encrypted passwd for
+ useradd-groupadd-groupmod-usermod
+
+Remove encrypted passwd for useradd/groupadd/groupmod/usermod
+In groupadd/useradd, p parameter does not meet password complexity checks. Do
+not satisfy security requirements.
+
+Signed-off-by: xiongshenglan <xiongshenglan@huawei.com>
+---
+ src/groupadd.c | 4 ++++
+ src/groupmod.c | 4 ++++
+ src/useradd.c | 4 ++++
+ src/usermod.c | 4 ++++
+ 4 files changed, 16 insertions(+)
+
+diff --git a/src/groupadd.c b/src/groupadd.c
+index d7f68b1..9b7a521 100644
+--- a/src/groupadd.c
++++ b/src/groupadd.c
+@@ -125,7 +125,9 @@ static /*@noreturn@*/void usage (int status)
+ (void) fputs (_(" -K, --key KEY=VALUE override /etc/login.defs defaults\n"), usageout);
+ (void) fputs (_(" -o, --non-unique allow to create groups with duplicate\n"
+ " (non-unique) GID\n"), usageout);
++#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ (void) fputs (_(" -p, --password PASSWORD use this encrypted password for the new group\n"), usageout);
++#endif
+ (void) fputs (_(" -r, --system create a system account\n"), usageout);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+ (void) fputs (_(" -P, --prefix PREFIX_DI directory prefix\n"), usageout);
+@@ -459,10 +461,12 @@ static void process_flags (int argc, char **argv)
+ case 'o':
+ oflg = true;
+ break;
++#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ case 'p':
+ pflg = true;
+ group_passwd = optarg;
+ break;
++#endif
+ case 'r':
+ rflg = true;
+ break;
+diff --git a/src/groupmod.c b/src/groupmod.c
+index acd6f35..f9dcabd 100644
+--- a/src/groupmod.c
++++ b/src/groupmod.c
+@@ -139,8 +139,10 @@ static void usage (int status)
+ (void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
+ (void) fputs (_(" -n, --new-name NEW_GROUP change the name to NEW_GROUP\n"), usageout);
+ (void) fputs (_(" -o, --non-unique allow to use a duplicate (non-unique) GID\n"), usageout);
++#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ (void) fputs (_(" -p, --password PASSWORD change the password to this (encrypted)\n"
+ " PASSWORD\n"), usageout);
++#endif
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+ (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
+ (void) fputs (_(" -U, --users USERS list of user members of this group\n"), usageout);
+@@ -449,10 +451,12 @@ static void process_flags (int argc, char **argv)
+ case 'o':
+ oflg = true;
+ break;
++#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ case 'p':
+ group_passwd = optarg;
+ pflg = true;
+ break;
++#endif
+ case 'R': /* no-op, handled in process_root_flag () */
+ break;
+ case 'P': /* no-op, handled in process_prefix_flag () */
+diff --git a/src/useradd.c b/src/useradd.c
+index 89abd5e..e5ba3dd 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -907,7 +907,9 @@ static void usage (int status)
+ " the user\n"), usageout);
+ (void) fputs (_(" -o, --non-unique allow to create users with duplicate\n"
+ " (non-unique) UID\n"), usageout);
++#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ (void) fputs (_(" -p, --password PASSWORD encrypted password of the new account\n"), usageout);
++#endif
+ (void) fputs (_(" -r, --system create a system account\n"), usageout);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+ (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
+@@ -1366,6 +1368,7 @@ static void process_flags (int argc, char **argv)
+ case 'o':
+ oflg = true;
+ break;
++#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ case 'p': /* set encrypted password */
+ if (!VALID (optarg)) {
+ fprintf (stderr,
+@@ -1375,6 +1378,7 @@ static void process_flags (int argc, char **argv)
+ }
+ user_pass = optarg;
+ break;
++#endif
+ case 'r':
+ rflg = true;
+ break;
+diff --git a/src/usermod.c b/src/usermod.c
+index ca8db92..509a50b 100644
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -384,7 +384,9 @@ static /*@noreturn@*/void usage (int status)
+ (void) fputs (_(" -m, --move-home move contents of the home directory to the\n"
+ " new location (use only with -d)\n"), usageout);
+ (void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout);
++#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ (void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout);
++#endif
+ (void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
+ (void) fputs (_(" -r, --remove remove the user from only the supplemental GROUPS\n"
+ " mentioned by the -G option without removing\n"
+@@ -1121,10 +1123,12 @@ static void process_flags (int argc, char **argv)
+ case 'o':
+ oflg = true;
+ break;
++#ifndef CONFIG_SHADOW_REMOVE_POPTION
+ case 'p':
+ user_pass = optarg;
+ pflg = true;
+ break;
++#endif
+ case 'r':
+ rflg = true;
+ break;
+--
+2.12.3
+
diff --git a/shadow-add-sm3-crypt-support.patch b/shadow-add-sm3-crypt-support.patch
new file mode 100644
index 0000000..bfb5184
--- /dev/null
+++ b/shadow-add-sm3-crypt-support.patch
@@ -0,0 +1,782 @@
+From d7fa75bbd22a08b4e0b8c7e3ccab588c87d23835 Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Wed, 29 Dec 2021 16:05:56 +0800
+Subject: [PATCH] shadow add sm3 crypt support
+
+---
+ configure.ac | 9 ++++
+ etc/login.defs | 17 ++++++++
+ lib/encrypt.c | 3 ++
+ lib/getdef.c | 4 ++
+ libmisc/obscure.c | 3 ++
+ libmisc/salt.c | 106 +++++++++++++++++++++++++++++++++++++++++++---
+ src/chgpasswd.c | 48 +++++++++++++++------
+ src/chpasswd.c | 46 ++++++++++++++------
+ src/newusers.c | 61 +++++++++++++++++++-------
+ src/passwd.c | 7 ++-
+ 10 files changed, 254 insertions(+), 50 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 924254a..dde1de8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -274,6 +274,9 @@ AC_ARG_WITH(libcrack,
+ AC_ARG_WITH(sha-crypt,
+ [AS_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
+ [with_sha_crypt=$withval], [with_sha_crypt=yes])
++AC_ARG_WITH(sm3-crypt,
++ [AS_HELP_STRING([--with-sm3-crypt], [allow the SM3 password encryption algorithms @<:@default=yes@:>@])],
++ [with_sm3_crypt=$withval], [with_sm3_crypt=yes])
+ AC_ARG_WITH(bcrypt,
+ [AS_HELP_STRING([--with-bcrypt], [allow the bcrypt password encryption algorithm @<:@default=no@:>@])],
+ [with_bcrypt=$withval], [with_bcrypt=no])
+@@ -307,6 +310,11 @@ if test "$with_sha_crypt" = "yes"; then
+ AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
+ fi
+
++AM_CONDITIONAL(USE_SM3_CRYPT, test "x$with_sm3_crypt" = "xyes")
++if test "$with_sm3_crypt" = "yes"; then
++ AC_DEFINE(USE_SM3_CRYPT, 1, [Define to allow the SM3 password encryption algorithms])
++fi
++
+ AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes")
+ if test "$with_bcrypt" = "yes"; then
+ AC_DEFINE(USE_BCRYPT, 1, [Define to allow the bcrypt password encryption algorithm])
+@@ -752,6 +760,7 @@ echo " tcb support (incomplete): $with_tcb"
+ echo " shadow group support: $enable_shadowgrp"
+ echo " S/Key support: $with_skey"
+ echo " SHA passwords encryption: $with_sha_crypt"
++echo " SM3 passwords encryption: $with_sm3_crypt"
+ echo " bcrypt passwords encryption: $with_bcrypt"
+ echo " yescrypt passwords encryption: $with_yescrypt"
+ echo " nscd support: $with_nscd"
+diff --git a/etc/login.defs b/etc/login.defs
+index 114dbcd..fd310b7 100644
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -353,6 +353,23 @@ CHFN_RESTRICT rwh
+ #SHA_CRYPT_MIN_ROUNDS 5000
+ #SHA_CRYPT_MAX_ROUNDS 5000
+
++#
++# Only works if ENCRYPT_METHOD is set to SM3.
++#
++# Define the number of SM3 rounds.
++# With a lot of rounds, it is more difficult to brute-force the password.
++# However, more CPU resources will be needed to authenticate users if
++# this value is increased.
++#
++# If not specified, the libc will choose the default number of rounds (5000),
++# which is orders of magnitude too low for modern hardware.
++# The values must be within the 1000-999999999 range.
++# If only one of the MIN or MAX values is set, then this value will be used.
++# If MIN > MAX, the highest value will be used.
++#
++#SM3_CRYPT_MAX_ROUNDS 5000
++#SM3_CRYPT_MIN_ROUNDS 5000
++
+ #
+ # Only works if ENCRYPT_METHOD is set to BCRYPT.
+ #
+diff --git a/lib/encrypt.c b/lib/encrypt.c
+index c84a255..11b301b 100644
+--- a/lib/encrypt.c
++++ b/lib/encrypt.c
+@@ -52,6 +52,9 @@
+ case '6':
+ method = "SHA512";
+ break;
++ case 's': // salt = $sm3$...
++ method = "SM3";
++ break;
+ case 'y':
+ method = "YESCRYPT";
+ break;
+diff --git a/lib/getdef.c b/lib/getdef.c
+index dcd1fe7..9a8089a 100644
+--- a/lib/getdef.c
++++ b/lib/getdef.c
+@@ -102,6 +102,10 @@ static struct itemdef def_table[] = {
+ {"SHA_CRYPT_MAX_ROUNDS", NULL},
+ {"SHA_CRYPT_MIN_ROUNDS", NULL},
+ #endif
++#ifdef USE_SM3_CRYPT
++ {"SM3_CRYPT_MAX_ROUNDS", NULL},
++ {"SM3_CRYPT_MIN_ROUNDS", NULL},
++#endif
+ #ifdef USE_BCRYPT
+ {"BCRYPT_MAX_ROUNDS", NULL},
+ {"BCRYPT_MIN_ROUNDS", NULL},
+diff --git a/libmisc/obscure.c b/libmisc/obscure.c
+index 3daaa95..644259d 100644
+--- a/libmisc/obscure.c
++++ b/libmisc/obscure.c
+@@ -246,6 +246,9 @@ static /*@observer@*//*@null@*/const char *obscure_msg (
+ || (strcmp (result, "SHA256") == 0)
+ || (strcmp (result, "SHA512") == 0)
+ #endif
++#ifdef USE_SM3_CRYPT
++ || (strcmp (result, "SM3") == 0)
++#endif
+ #ifdef USE_BCRYPT
+ || (strcmp (result, "BCRYPT") == 0)
+ #endif
+diff --git a/libmisc/salt.c b/libmisc/salt.c
+index e5f633a..df4b328 100644
+--- a/libmisc/salt.c
++++ b/libmisc/salt.c
+@@ -63,6 +63,17 @@
+ #define SHA_ROUNDS_MAX 999999999
+ #endif
+
++#ifdef USE_SM3_CRYPT
++/* Fixed salt len for sm3 crypt. */
++#define SM3_CRYPT_SALT_SIZE 16
++/* Default number of rounds if not explicitly specified. */
++#define SM3_ROUNDS_DEFAULT 5000
++/* Minimum number of rounds. */
++#define SM3_ROUNDS_MIN 1000
++/* Maximum number of rounds. */
++#define SM3_ROUNDS_MAX 999999999
++#endif
++
+ #ifdef USE_YESCRYPT
+ /*
+ * Default number of base64 characters used for the salt.
+@@ -95,13 +106,17 @@ static long read_random_bytes (void);
+ #if !USE_XCRYPT_GENSALT
+ static /*@observer@*/const char *gensalt (size_t salt_size);
+ #endif /* !USE_XCRYPT_GENSALT */
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_SM3_CRYPT)
+ static long shadow_random (long min, long max);
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_SM3_CRYPT*/
+ #ifdef USE_SHA_CRYPT
+ static /*@observer@*/unsigned long SHA_get_salt_rounds (/*@null@*/const int *prefered_rounds);
+ static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long rounds);
+ #endif /* USE_SHA_CRYPT */
++#ifdef USE_SM3_CRYPT
++static /*@observer@*/const unsigned long SM3_get_salt_rounds (/*@null@*/int *prefered_rounds);
++static /*@observer@*/void SM3_salt_rounds_to_buf (char *buf, unsigned long rounds);
++#endif
+ #ifdef USE_BCRYPT
+ static /*@observer@*/unsigned long BCRYPT_get_salt_rounds (/*@null@*/const int *prefered_rounds);
+ static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long rounds);
+@@ -195,7 +210,7 @@ end:
+ return randval;
+ }
+
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_SM3_CRYPT)
+ /*
+ * Return a random number between min and max (both included).
+ *
+@@ -217,7 +232,7 @@ static long shadow_random (long min, long max)
+ }
+ return ret;
+ }
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_SM3_CRYPT*/
+
+ #ifdef USE_SHA_CRYPT
+ /* Return the the rounds number for the SHA crypt methods. */
+@@ -293,6 +308,80 @@ static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long round
+ }
+ #endif /* USE_SHA_CRYPT */
+
++#ifdef USE_SM3_CRYPT
++/* Return the the rounds number for the SM3 crypt methods. */
++static /*@observer@*/const unsigned long SM3_get_salt_rounds (/*@null@*/int *prefered_rounds)
++{
++ unsigned long rounds;
++
++ if (NULL == prefered_rounds) {
++ long min_rounds = getdef_long ("SM3_CRYPT_MIN_ROUNDS", -1);
++ long max_rounds = getdef_long ("SM3_CRYPT_MAX_ROUNDS", -1);
++
++ if ((-1 == min_rounds) && (-1 == max_rounds)) {
++ rounds = SM3_ROUNDS_DEFAULT;
++ }
++ else {
++ if (-1 == min_rounds) {
++ min_rounds = max_rounds;
++ }
++
++ if (-1 == max_rounds) {
++ max_rounds = min_rounds;
++ }
++
++ if (min_rounds > max_rounds) {
++ max_rounds = min_rounds;
++ }
++
++ rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
++ }
++ } else if (0 == *prefered_rounds) {
++ rounds = SM3_ROUNDS_DEFAULT;
++ } else {
++ rounds = (unsigned long) *prefered_rounds;
++ }
++
++ /* Sanity checks. The libc should also check this, but this
++ * protects against a rounds_prefix overflow. */
++ if (rounds < SM3_ROUNDS_MIN) {
++ rounds = SM3_ROUNDS_MIN;
++ }
++
++ if (rounds > SM3_ROUNDS_MAX) {
++ rounds = SM3_ROUNDS_MAX;
++ }
++
++ return rounds;
++}
++
++/*
++ * Fill a salt prefix specifying the rounds number for the SM3 crypt methods
++ * to a buffer.
++ */
++static /*@observer@*/void SM3_salt_rounds_to_buf (char *buf, unsigned long rounds)
++{
++ const size_t buf_begin = strlen (buf);
++
++ /* Nothing to do here if SM3_ROUNDS_DEFAULT is used. */
++ if (rounds == SM3_ROUNDS_DEFAULT) {
++ return;
++ }
++
++ /*
++ * Check if the result buffer is long enough.
++ * We are going to write a maximum of 17 bytes,
++ * plus one byte for the terminator.
++ * rounds=XXXXXXXXX$
++ * 00000000011111111
++ * 12345678901234567
++ */
++ assert (GENSALT_SETTING_SIZE > buf_begin + 17);
++
++ (void) snprintf (buf + buf_begin, 18, "rounds=%lu$", rounds);
++}
++#endif /* USE_SM3_CRYPT */
++
+ #ifdef USE_BCRYPT
+ /* Return the the rounds number for the BCRYPT method. */
+ static /*@observer@*/unsigned long BCRYPT_get_salt_rounds (/*@null@*/const int *prefered_rounds)
+@@ -463,7 +552,7 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
+ * which can both be set inside the login.defs file.
+ *
+ * If meth is specified, an additional parameter can be provided.
+- * * For the SHA256 and SHA512 method, this specifies the number of rounds
++ * * For the SHA256 and SHA512 and SM3 method, this specifies the number of rounds
+ * (if not NULL).
+ * * For the YESCRYPT method, this specifies the cost factor (if not NULL).
+ */
+@@ -515,6 +604,13 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
+ rounds = SHA_get_salt_rounds ((int *) arg);
+ SHA_salt_rounds_to_buf (result, rounds);
+ #endif /* USE_SHA_CRYPT */
++#ifdef USE_SM3_CRYPT
++ } else if (0 == strcmp (method, "SM3")) {
++ strcpy(result, "$sm3$");
++ salt_len = SM3_CRYPT_SALT_SIZE;
++ rounds = SM3_get_salt_rounds ((int *) arg);
++ SM3_salt_rounds_to_buf (result, rounds);
++#endif /* USE_SM3_CRYPT */
+ } else if (0 != strcmp (method, "DES")) {
+ fprintf (log_get_logfd(),
+ _("Invalid ENCRYPT_METHOD value: '%s'.\n"
+diff --git a/src/chgpasswd.c b/src/chgpasswd.c
+index d17acb6..9b00520 100644
+--- a/src/chgpasswd.c
++++ b/src/chgpasswd.c
+@@ -39,15 +39,18 @@
+ const char *Prog;
+ static bool eflg = false;
+ static bool md5flg = false;
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ static bool sflg = false;
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+
+ static /*@null@*//*@observer@*/const char *crypt_method = NULL;
+ #define cflg (NULL != crypt_method)
+ #ifdef USE_SHA_CRYPT
+ static long sha_rounds = 5000;
+ #endif
++#ifdef USE_SM3_CRYPT
++static long sm3_rounds = 5000;
++#endif
+ #ifdef USE_BCRYPT
+ static long bcrypt_rounds = 13;
+ #endif
+@@ -119,6 +122,9 @@ static /*@noreturn@*/void usage (int status)
+ #if defined(USE_YESCRYPT)
+ " YESCRYPT"
+ #endif
++#if defined(USE_SM3_CRYPT)
++ " SM3"
++ #endif
+ );
+ (void) fputs (_(" -e, --encrypted supplied passwords are encrypted\n"), usageout);
+ (void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
+@@ -126,11 +132,11 @@ static /*@noreturn@*/void usage (int status)
+ " the MD5 algorithm\n"),
+ usageout);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
+- (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n"
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
++ (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT, SM3\n"
+ " or YESCRYPT crypt algorithms\n"),
+ usageout);
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+ (void) fputs ("\n", usageout);
+
+ exit (status);
+@@ -144,22 +150,22 @@ static /*@noreturn@*/void usage (int status)
+ static void process_flags (int argc, char **argv)
+ {
+ int c;
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ int bad_s;
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+ static struct option long_options[] = {
+ {"crypt-method", required_argument, NULL, 'c'},
+ {"encrypted", no_argument, NULL, 'e'},
+ {"help", no_argument, NULL, 'h'},
+ {"md5", no_argument, NULL, 'm'},
+ {"root", required_argument, NULL, 'R'},
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ {"sha-rounds", required_argument, NULL, 's'},
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+ {NULL, 0, NULL, '\0'}
+ };
+ while ((c = getopt_long (argc, argv,
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ "c:ehmR:s:",
+ #else
+ "c:ehmR:",
+@@ -180,7 +186,7 @@ static void process_flags (int argc, char **argv)
+ break;
+ case 'R': /* no-op, handled in process_root_flag () */
+ break;
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ case 's':
+ sflg = true;
+ bad_s = 0;
+@@ -202,6 +208,12 @@ static void process_flags (int argc, char **argv)
+ bad_s = 1;
+ }
+ #endif /* USE_YESCRYPT */
++#if defined(USE_SM3_CRYPT)
++ if (( (0 == strcmp (crypt_method, "SM3"))
++ && (0 == getlong(optarg, &sm3_rounds)))) {
++ bad_s = 1;
++ }
++#endif /* USE_SM3_CRYPT */
+ if (bad_s != 0) {
+ fprintf (stderr,
+ _("%s: invalid numeric argument '%s'\n"),
+@@ -209,7 +221,7 @@ static void process_flags (int argc, char **argv)
+ usage (E_USAGE);
+ }
+ break;
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+
+ default:
+ usage (E_USAGE);
+@@ -228,7 +240,7 @@ static void process_flags (int argc, char **argv)
+ */
+ static void check_flags (void)
+ {
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ if (sflg && !cflg) {
+ fprintf (stderr,
+ _("%s: %s flag is only allowed with the %s flag\n"),
+@@ -259,6 +271,9 @@ static void check_flags (void)
+ #ifdef USE_YESCRYPT
+ && (0 != strcmp (crypt_method, "YESCRYPT"))
+ #endif /* USE_YESCRYPT */
++#ifdef USE_SM3_CRYPT
++ && (0 != strcmp (crypt_method, "SM3"))
++#endif /* USE_SM3_CRYPT */
+ ) {
+ fprintf (stderr,
+ _("%s: unsupported crypt method: %s\n"),
+@@ -483,7 +498,7 @@ int main (int argc, char **argv)
+ if (md5flg) {
+ crypt_method = "MD5";
+ }
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ if (sflg) {
+ #if defined(USE_SHA_CRYPT)
+ if ( (0 == strcmp (crypt_method, "SHA256"))
+@@ -501,6 +516,11 @@ int main (int argc, char **argv)
+ arg = &yescrypt_cost;
+ }
+ #endif /* USE_YESCRYPT */
++#if defined(USE_SM3_CRYPT)
++ if (0 == strcmp (crypt_method, "SM3")) {
++ arg = &sm3_rounds;
++ }
++#endif /* USE_SM3_CRYPT */
+ }
+ #endif
+ salt = crypt_make_salt (crypt_method, arg);
+diff --git a/src/chpasswd.c b/src/chpasswd.c
+index 48d5178..9003c18 100644
+--- a/src/chpasswd.c
++++ b/src/chpasswd.c
+@@ -38,7 +38,7 @@
+ const char *Prog;
+ static bool eflg = false;
+ static bool md5flg = false;
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ static bool sflg = false;
+ #endif
+
+@@ -47,6 +47,9 @@ static /*@null@*//*@observer@*/const char *crypt_method = NULL;
+ #ifdef USE_SHA_CRYPT
+ static long sha_rounds = 5000;
+ #endif
++#ifdef USE_SM3_CRYPT
++static long sm3_rounds = 5000;
++#endif
+ #ifdef USE_BCRYPT
+ static long bcrypt_rounds = 13;
+ #endif
+@@ -113,6 +116,9 @@ static /*@noreturn@*/void usage (int status)
+ #endif
+ #if defined(USE_YESCRYPT)
+ " YESCRYPT"
++#endif
++#if defined(USE_SM3_CRYPT)
++ " SM3"
+ #endif
+ );
+ (void) fputs (_(" -e, --encrypted supplied passwords are encrypted\n"), usageout);
+@@ -121,11 +127,11 @@ static /*@noreturn@*/void usage (int status)
+ " the MD5 algorithm\n"),
+ usageout);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
+- (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n"
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
++ (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT, SM3\n"
+ " or YESCRYPT crypt algorithms\n"),
+ usageout);
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+ (void) fputs ("\n", usageout);
+
+ exit (status);
+@@ -139,23 +145,23 @@ static /*@noreturn@*/void usage (int status)
+ static void process_flags (int argc, char **argv)
+ {
+ int c;
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ int bad_s;
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+ static struct option long_options[] = {
+ {"crypt-method", required_argument, NULL, 'c'},
+ {"encrypted", no_argument, NULL, 'e'},
+ {"help", no_argument, NULL, 'h'},
+ {"md5", no_argument, NULL, 'm'},
+ {"root", required_argument, NULL, 'R'},
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ {"sha-rounds", required_argument, NULL, 's'},
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+ {NULL, 0, NULL, '\0'}
+ };
+
+ while ((c = getopt_long (argc, argv,
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ "c:ehmR:s:",
+ #else
+ "c:ehmR:",
+@@ -176,7 +182,7 @@ static void process_flags (int argc, char **argv)
+ break;
+ case 'R': /* no-op, handled in process_root_flag () */
+ break;
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ case 's':
+ sflg = true;
+ bad_s = 0;
+@@ -198,14 +204,20 @@ static void process_flags (int argc, char **argv)
+ bad_s = 1;
+ }
+ #endif /* USE_YESCRYPT */
+- if (bad_s != 0) {
++#if defined(USE_SM3_CRYPT)
++ if (( (0 == strcmp (crypt_method, "SM3"))
++ && (0 == getlong(optarg, &sm3_rounds)))) {
++ bad_s = 1;
++ }
++#endif /* USE_SM3_CRYPT */
++ if (bad_s != 0) {
+ fprintf (stderr,
+ _("%s: invalid numeric argument '%s'\n"),
+ Prog, optarg);
+ usage (E_USAGE);
+ }
+ break;
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+
+ default:
+ usage (E_USAGE);
+@@ -224,7 +236,7 @@ static void process_flags (int argc, char **argv)
+ */
+ static void check_flags (void)
+ {
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ if (sflg && !cflg) {
+ fprintf (stderr,
+ _("%s: %s flag is only allowed with the %s flag\n"),
+@@ -249,6 +261,9 @@ static void check_flags (void)
+ &&(!IS_CRYPT_METHOD("SHA256"))
+ &&(!IS_CRYPT_METHOD("SHA512"))
+ #endif /* USE_SHA_CRYPT */
++#ifdef USE_SM3_CRYPT
++ &&(!IS_CRYPT_METHOD("SM3"))
++#endif /* USE_SM3_CRYPT */
+ #ifdef USE_BCRYPT
+ &&(!IS_CRYPT_METHOD("BCRYPT"))
+ #endif /* USE_BCRYPT */
+@@ -422,6 +437,11 @@ static const char *get_salt(void)
+ arg = &yescrypt_cost;
+ }
+ #endif /* USE_YESCRYPT */
++#if defined(USE_SM3_CRYPT)
++ if (IS_CRYPT_METHOD("SM3")) {
++ arg = &sm3_rounds;
++ }
++#endif /* USE_SM3_CRYPT */
+ }
+ #endif
+ return crypt_make_salt (crypt_method, arg);
+diff --git a/src/newusers.c b/src/newusers.c
+index deeb361..149670e 100644
+--- a/src/newusers.c
++++ b/src/newusers.c
+@@ -58,12 +58,15 @@ static bool rflg = false; /* create a system account */
+ #ifndef USE_PAM
+ static /*@null@*//*@observer@*/char *crypt_method = NULL;
+ #define cflg (NULL != crypt_method)
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_SM3_CRYPT)
+ static bool sflg = false;
+ #endif
+ #ifdef USE_SHA_CRYPT
+ static long sha_rounds = 5000;
+ #endif /* USE_SHA_CRYPT */
++#ifdef USE_SM3_CRYPT
++static long sm3_rounds = 5000;
++#endif /* USE_SM3_CRYPT */
+ #ifdef USE_BCRYPT
+ static long bcrypt_rounds = 13;
+ #endif /* USE_BCRYPT */
+@@ -129,6 +132,9 @@ static void usage (int status)
+ #endif
+ #if defined(USE_YESCRYPT)
+ " YESCRYPT"
++#endif
++#if defined(USE_SM3_CRYPT)
++ " SM3"
+ #endif
+ );
+ #endif /* !USE_PAM */
+@@ -136,11 +142,11 @@ static void usage (int status)
+ (void) fputs (_(" -r, --system create system accounts\n"), usageout);
+ (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
+ #ifndef USE_PAM
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
+- (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n"
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
++ (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT, SM3\n"
+ " or YESCRYPT crypt algorithms\n"),
+ usageout);
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+ #endif /* !USE_PAM */
+ (void) fputs ("\n", usageout);
+
+@@ -436,6 +442,13 @@ static int update_passwd (struct passwd *pwd, const char *password)
+ }
+ }
+ #endif /* USE_YESCRYPT */
++#if defined(USE_SM3_CRYPT)
++ if (sflg) {
++ if (0 == strcmp (crypt_method, "SM3")) {
++ crypt_arg = &sm3_rounds;
++ }
++ }
++#endif /* USE_SM3_CRYPT */
+ }
+
+ if ((NULL != crypt_method) && (0 == strcmp(crypt_method, "NONE"))) {
+@@ -492,6 +505,13 @@ static int add_passwd (struct passwd *pwd, const char *password)
+ }
+ }
+ #endif /* USE_PAM */
++#if defined(USE_SM3_CRYPT)
++ if (sflg) {
++ if (0 == strcmp (crypt_method, "SM3")) {
++ crypt_arg = &sm3_rounds;
++ }
++ }
++#endif /* USE_SM3_CRYPT */
+ }
+
+ /*
+@@ -609,9 +629,9 @@ static void process_flags (int argc, char **argv)
+ {
+ int c;
+ #ifndef USE_PAM
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ int bad_s;
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+ #endif /* !USE_PAM */
+ static struct option long_options[] = {
+ {"badname", no_argument, NULL, 'b'},
+@@ -622,20 +642,20 @@ static void process_flags (int argc, char **argv)
+ {"system", no_argument, NULL, 'r'},
+ {"root", required_argument, NULL, 'R'},
+ #ifndef USE_PAM
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ {"sha-rounds", required_argument, NULL, 's'},
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+ #endif /* !USE_PAM */
+ {NULL, 0, NULL, '\0'}
+ };
+
+ while ((c = getopt_long (argc, argv,
+ #ifndef USE_PAM
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ "c:bhrs:",
+-#else /* !USE_SHA_CRYPT && !USE_BCRYPT && !USE_YESCRYPT */
++#else /* !USE_SHA_CRYPT && !USE_BCRYPT && !USE_YESCRYPT && !USE_SM3_CRYPT */
+ "c:bhr",
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+ #else /* USE_PAM */
+ "bhr",
+ #endif
+@@ -658,7 +678,7 @@ static void process_flags (int argc, char **argv)
+ case 'R': /* no-op, handled in process_root_flag () */
+ break;
+ #ifndef USE_PAM
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ case 's':
+ sflg = true;
+ bad_s = 0;
+@@ -680,14 +700,20 @@ static void process_flags (int argc, char **argv)
+ bad_s = 1;
+ }
+ #endif /* USE_YESCRYPT */
+- if (bad_s != 0) {
++#if defined(USE_SM3_CRYPT)
++ if (( (0 == strcmp (crypt_method, "SM3"))
++ && (0 == getlong(optarg, &sm3_rounds)))) {
++ bad_s = 1;
++ }
++#endif /* USE_SM3_CRYPT */
++ if (bad_s != 0) {
+ fprintf (stderr,
+ _("%s: invalid numeric argument '%s'\n"),
+ Prog, optarg);
+ usage (EXIT_FAILURE);
+ }
+ break;
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+ #endif /* !USE_PAM */
+ default:
+ usage (EXIT_FAILURE);
+@@ -721,14 +747,14 @@ static void process_flags (int argc, char **argv)
+ static void check_flags (void)
+ {
+ #ifndef USE_PAM
+-#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
++#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) || defined(USE_SM3_CRYPT)
+ if (sflg && !cflg) {
+ fprintf (stderr,
+ _("%s: %s flag is only allowed with the %s flag\n"),
+ Prog, "-s", "-c");
+ usage (EXIT_FAILURE);
+ }
+-#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */
++#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT || USE_SM3_CRYPT */
+
+ if (cflg) {
+ if ( (0 != strcmp (crypt_method, "DES"))
+@@ -738,6 +764,9 @@ static void check_flags (void)
+ && (0 != strcmp (crypt_method, "SHA256"))
+ && (0 != strcmp (crypt_method, "SHA512"))
+ #endif /* USE_SHA_CRYPT */
++#ifdef USE_SM3_CRYPT
++ && (0 != strcmp (crypt_method, "SM3"))
++#endif /* USE_SM3_CRYPT */
+ #ifdef USE_BCRYPT
+ && (0 != strcmp (crypt_method, "BCRYPT"))
+ #endif /* USE_BCRYPT */
+diff --git a/src/passwd.c b/src/passwd.c
+index 8c6f81a..00711da 100644
+--- a/src/passwd.c
++++ b/src/passwd.c
+@@ -84,7 +84,7 @@ static bool spw_locked = false;
+ #ifndef USE_PAM
+ /*
+ * Size of the biggest passwd:
+- * $6$ 3
++ * $sm3$ 5
+ * rounds= 7
+ * 999999999 9
+ * $ 1
+@@ -93,7 +93,7 @@ static bool spw_locked = false;
+ * SHA512 123
+ * nul 1
+ *
+- * total 161
++ * total 163
+ */
+ static char crypt_passwd[256];
+ static bool do_update_pwd = false;
+@@ -263,6 +263,9 @@ static int new_password (const struct passwd *pw)
+ #ifdef USE_YESCRYPT
+ || (strcmp (method, "YESCRYPT") == 0)
+ #endif /* USE_YESCRYPT*/
++#ifdef USE_SM3_CRYPT
++ || (strcmp (method, "SM3") == 0)
++#endif /* USE_SM3_CRYPT */
+
+ ) {
+ pass_max_len = -1;
+--
+2.27.0
+
diff --git a/shadow-bsd.txt b/shadow-bsd.txt
new file mode 100644
index 0000000..a2c1609
--- /dev/null
+++ b/shadow-bsd.txt
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 1990 - 1994, Julianne Frances Haugh
+ * Copyright (c) 1996 - 2000, Marek Michałkiewicz
+ * Copyright (c) 2000 - 2006, Tomasz Kłoczko
+ * Copyright (c) 2007 - 2011, Nicolas François
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the copyright holders or contributors may not be used to
+ * endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
diff --git a/shadow-utils.login.defs b/shadow-utils.login.defs
new file mode 100644
index 0000000..1a04a8d
--- /dev/null
+++ b/shadow-utils.login.defs
@@ -0,0 +1,306 @@
+#
+# Please note that the parameters in this configuration file control the
+# behavior of the tools from the shadow-utils component. None of these
+# tools uses the PAM mechanism, and the utilities that use PAM (such as the
+# passwd command) should therefore be configured elsewhere. Refer to
+# /etc/pam.d/system-auth for more information.
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
+# pam_unix(8) enforces a 2s delay)
+#
+#FAIL_DELAY 3
+
+# Currently FAILLOG_ENAB is not supported
+
+#
+# Enable display of unknown usernames when login(1) failures are recorded.
+#
+#LOG_UNKFAIL_ENAB no
+
+# Currently LOG_OK_LOGINS is not supported
+
+# Currently LASTLOG_ENAB is not supported
+
+#
+# Limit the highest user ID number for which the lastlog entries should
+# be updated.
+#
+# No LASTLOG_UID_MAX means that there is no user ID limit for writing
+# lastlog entries.
+#
+#LASTLOG_UID_MAX
+
+# Currently MAIL_CHECK_ENAB is not supported
+
+# Currently OBSCURE_CHECKS_ENAB is not supported
+
+# Currently PORTTIME_CHECKS_ENAB is not supported
+
+# Currently QUOTAS_ENAB is not supported
+
+# Currently SYSLOG_SU_ENAB is not supported
+
+#
+# Enable "syslog" logging of newgrp(1) and sg(1) activity.
+#
+#SYSLOG_SG_ENAB yes
+
+# Currently CONSOLE is not supported
+
+# Currently SULOG_FILE is not supported
+
+# Currently MOTD_FILE is not supported
+
+# Currently ISSUE_FILE is not supported
+
+# Currently TTYTYPE_FILE is not supported
+
+# Currently FTMP_FILE is not supported
+
+# Currently NOLOGINS_FILE is not supported
+
+# Currently SU_NAME is not supported
+
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR /var/spool/mail
+#MAIL_FILE .mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+#HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+# Currently ENV_TZ is not supported
+
+# Currently ENV_HZ is not supported
+
+#
+# The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+#ENV_PATH PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a write(1) program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP as the number of such group
+# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
+# set TTYPERM to either 622 or 600.
+#
+#TTYGROUP tty
+#TTYPERM 0600
+
+# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
+
+# Default initial "umask" value used by login(1) on non-PAM enabled systems.
+# Default "umask" value for pam_umask(8) on PAM enabled systems.
+# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+# home directories if HOME_MODE is not set.
+# 022 is the default value, but 027, or even 077, could be considered
+# for increased privacy. There is no One True Answer here: each sysadmin
+# must make up their mind.
+UMASK 077
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+#HOME_MODE 0700
+
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_MIN_LEN 5
+PASS_WARN_AGE 7
+
+# Currently PASS_MIN_LEN is not supported
+
+# Currently SU_WHEEL_ONLY is not supported
+
+# Currently CRACKLIB_DICTPATH is not supported
+
+#
+# Min/max values for automatic uid selection in useradd(8)
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+SYS_UID_MIN 201
+SYS_UID_MAX 999
+# Extra per user uids
+SUB_UID_MIN 100000
+SUB_UID_MAX 600100000
+SUB_UID_COUNT 65536
+
+#
+# Min/max values for automatic gid selection in groupadd(8)
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+SYS_GID_MIN 201
+SYS_GID_MAX 999
+# Extra per user group ids
+SUB_GID_MIN 100000
+SUB_GID_MAX 600100000
+SUB_GID_COUNT 65536
+
+#
+# Max number of login(1) retries if password is bad
+#
+#LOGIN_RETRIES 3
+
+#
+# Max time in seconds for login(1)
+#
+#LOGIN_TIMEOUT 60
+
+# Currently PASS_CHANGE_TRIES is not supported
+
+# Currently PASS_ALWAYS_WARN is not supported
+
+# Currently PASS_MAX_LEN is not supported
+
+# Currently CHFN_AUTH is not supported
+
+#
+# Which fields may be changed by regular users using chfn(1) - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+#CHFN_RESTRICT rwh
+
+# Currently LOGIN_STRING is not supported
+
+# Currently MD5_CRYPT_ENAB is not supported
+
+#
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password (default)
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password
+#
+ENCRYPT_METHOD SHA512
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be within the 1000-999999999 range.
+#
+#SHA_CRYPT_MAX_ROUNDS 5000
+
+# Currently SHA_CRYPT_MIN_ROUNDS is not supported
+
+#
+# Only works if ENCRYPT_METHOD is set to BCRYPT.
+#
+# Define the number of BCRYPT rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, 13 rounds will be attempted.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#BCRYPT_MIN_ROUNDS 13
+#BCRYPT_MAX_ROUNDS 31
+
+#
+# Only works if ENCRYPT_METHOD is set to YESCRYPT.
+#
+# Define the YESCRYPT cost factor.
+# With a higher cost factor, it is more difficult to brute-force the password.
+# However, more CPU time and more memory will be needed to authenticate users
+# if this value is increased.
+#
+# If not specified, a cost factor of 5 will be used.
+# The value must be within the 1-11 range.
+#
+#YESCRYPT_COST_FACTOR 5
+
+# Currently CONSOLE_GROUPS is not supported
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is yes.
+#
+#DEFAULT_HOME yes
+
+# Currently ENVIRON_FILE is not supported
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# Enables userdel(8) to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-zero number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permits to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP 0
+
+#
+# If useradd(8) should create home directories for users by default (non
+# system users only).
+# This option is overridden with the -M or -m flags on the useradd(8)
+# command-line.
+#
+CREATE_HOME yes
+
+#
+# Force use shadow, even if shadow passwd & shadow group files are
+# missing.
+#
+#FORCE_SHADOW yes
+
+#
+# Select the HMAC cryptography algorithm.
+# Used in pam_timestamp module to calculate the keyed-hash message
+# authentication code.
+#
+# Note: It is recommended to check hmac(3) to see the possible algorithms
+# that are available in your system.
+#
+#HMAC_CRYPTO_ALGO SHA512
diff --git a/shadow-utils.useradd b/shadow-utils.useradd
new file mode 100644
index 0000000..a7db290
--- /dev/null
+++ b/shadow-utils.useradd
@@ -0,0 +1,8 @@
+# useradd defaults file
+GROUP=100
+HOME=/home
+INACTIVE=-1
+SHELL=/bin/bash
+SKEL=/etc/skel
+CREATE_MAIL_SPOOL=yes
+
diff --git a/shadow.spec b/shadow.spec
new file mode 100644
index 0000000..e1a7176
--- /dev/null
+++ b/shadow.spec
@@ -0,0 +1,355 @@
+Name: shadow
+Version: 4.13
+Release: 7
+Epoch: 2
+License: BSD and GPLv2+
+Summary: Tools for managing accounts and shadow password files
+URL: http://pkg-shadow.alioth.debian.org/
+Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
+Source2: shadow-utils.useradd
+Source3: shadow-utils.login.defs
+Source4: shadow-bsd.txt
+Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+Source6: chpasswd
+Source7: newusers
+
+%global includesubiddir %{_includedir}/shadow
+
+# fix unknown item 'LASTLOG_MAX_UID'
+Patch0: usermod-unlock.patch
+Patch1: backport-useradd-check-if-subid-range-exists-for-user.patch
+Patch2: shadow-add-sm3-crypt-support.patch
+Patch3: backport-Fix-off-by-one-mistakes.patch
+Patch4: backport-Fix-typos-in-length-calculations.patch
+Patch5: backport-Correctly-handle-illegal-system-file-in-tz.patch
+Patch6: backport-Explicitly-override-only-newlines.patch
+Patch7: backport-Prevent-out-of-boundary-access.patch
+Patch8: backport-Added-control-character-check.patch
+Patch9: backport-Overhaul-valid_field.patch
+Patch10: backport-Read-whole-line-in-yes_or_no.patch
+Patch11: backport-commonio-free-removed-database-entries.patch
+Patch12: backport-semanage-disconnect-to-free-libsemanage-internals.patch
+Patch13: backport-run_parts-for-groupadd-and-groupdel.patch
+Patch14: shadow-Remove-encrypted-passwd-for-useradd-gr.patch
+Patch15: backport-chgpasswd-fix-segfault-in-command-line-options.patch
+
+BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
+BuildRequires: libacl-devel, libattr-devel
+BuildRequires: bison, flex, gnome-doc-utils, docbook-style-xsl, docbook-dtds
+BuildRequires: autoconf, automake, libtool, gettext-devel, itstool, pam-devel
+Requires: libselinux
+Requires: audit-libs
+Requires: setup
+Requires(pre): coreutils
+Requires(post): coreutils
+Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+Provides: shadow-utils = %{version}-%{release}
+Obsoletes: shadow-utils < %{version}-%{release}
+
+%description
+This package includes the necessary programs for converting plain
+password files to the shadow password format and to manage user and
+group accounts.
+
+%package subid-devel
+Summary: Development package for shadow-utils-subid
+License: BSD and GPLv2+
+
+%description subid-devel
+Development files for shadow-utils-subid.
+
+%package_help
+
+%prep
+%autosetup -n shadow-%{version} -p1
+
+iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
+cp -f doc/HOWTO.utf8 doc/HOWTO
+
+cp -a %{SOURCE4} %{SOURCE5} .
+
+%build
+export CFLAGS="$RPM_OPT_FLAGS -fpie"
+export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
+
+autoreconf -fiv
+%configure \
+ --enable-shadowgrp \
+ --enable-man \
+ --with-audit \
+ --with-sha-crypt \
+ --with-selinux \
+ --without-libcrack \
+ --with-libpam \
+ --enable-shared \
+ --with-group-name-max-length=32
+%make_build
+
+%install
+rm -rf $RPM_BUILD_ROOT
+%make_install gnulocaledir=$RPM_BUILD_ROOT/%{_datadir}/locale MKINSTALLDIRS=`pwd`/mkinstalldirs
+install -d -m 755 $RPM_BUILD_ROOT/%{_sysconfdir}/default
+install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/login.defs
+install -p -c -m 0600 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/default/useradd
+install -p -c -m 0644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/chpasswd
+install -p -c -m 0644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/newusers
+
+ln -s useradd $RPM_BUILD_ROOT%{_sbindir}/adduser
+ln -s useradd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/adduser.8
+for subdir in $RPM_BUILD_ROOT/%{_mandir}/{??,??_??,??_??.*}/man* ; do
+ test -d $subdir && test -e $subdir/useradd.8 && echo ".so man8/useradd.8" > $subdir/adduser.8
+done
+
+# Remove binaries we don't use.
+rm $RPM_BUILD_ROOT/%{_bindir}/chfn
+rm $RPM_BUILD_ROOT/%{_bindir}/chsh
+rm $RPM_BUILD_ROOT/%{_bindir}/expiry
+rm $RPM_BUILD_ROOT/%{_bindir}/groups
+rm $RPM_BUILD_ROOT/%{_bindir}/login
+rm $RPM_BUILD_ROOT/%{_bindir}/passwd
+rm $RPM_BUILD_ROOT/%{_bindir}/su
+rm $RPM_BUILD_ROOT/%{_bindir}/faillog
+rm $RPM_BUILD_ROOT/%{_sbindir}/logoutd
+rm $RPM_BUILD_ROOT/%{_sbindir}/nologin
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/chfn.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chfn.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/chsh.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/chsh.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/expiry.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/expiry.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/groups.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/groups.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/login.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/login.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man1/su.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man1/su.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/passwd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/suauth.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/suauth.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/logoutd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/logoutd.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/nologin.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/nologin.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man3/getspnam.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man3/getspnam.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man5/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man5/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/man8/faillog.*
+rm $RPM_BUILD_ROOT/%{_mandir}/*/man8/faillog.*
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/chfn
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/chsh
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/login
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/passwd
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/su
+
+find $RPM_BUILD_ROOT%{_mandir} -depth -type d -empty -delete
+%find_lang shadow
+for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
+ dir=$(echo $dir | sed -e "s|^$RPM_BUILD_ROOT||")
+ lang=$(basename $dir)
+done
+
+# Move subid.h to its own folder
+echo $(ls)
+mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
+install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
+
+# Remove .la files created by libsubid
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a}
+
+%files -f shadow.lang
+%doc NEWS doc/HOWTO README
+%{!?_licensedir:%global license %%doc}
+%license gpl-2.0.txt shadow-bsd.txt
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/login.defs
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/default/useradd
+%{_bindir}/sg
+%attr(4755,root,root) %{_bindir}/chage
+%attr(4755,root,root) %{_bindir}/gpasswd
+%{_bindir}/lastlog
+%attr(4755,root,root) %{_bindir}/newgrp
+%attr(4755,root,root) %{_bindir}/newgidmap
+%attr(4755,root,root) %{_bindir}/newuidmap
+%{_sbindir}/adduser
+%attr(0755,root,root) %{_sbindir}/user*
+%attr(0755,root,root) %{_sbindir}/group*
+%{_bindir}/getsubids
+%{_sbindir}/grpck
+%{_sbindir}/pwck
+%{_sbindir}/*conv
+%{_sbindir}/chpasswd
+%{_sbindir}/chgpasswd
+%{_sbindir}/newusers
+%{_sbindir}/vipw
+%{_sbindir}/vigr
+%{_sysconfdir}/pam.d/chpasswd
+%{_sysconfdir}/pam.d/groupmems
+%{_sysconfdir}/pam.d/newusers
+
+%files subid-devel
+%{_libdir}/libsubid.so.*
+%{includesubiddir}/subid.h
+%{_libdir}/libsubid.so
+
+%files help
+%{_mandir}/*/*
+
+%changelog
+* Wed Sep 20 2023 lvgenggeng <lvgenggeng@uniontech.com> - 2:4.13-7
+- backport patches from upstream
+
+* Fri Aug 11 2023 xiongshenglan<xiongshenglan@huawei.com> - 2:4.13-6
+- Remove encrypted passwd for useradd-groupadd-groupmod-usermod
+
+* Mon Jun 19 2023 yunjia_w<yunjia.wang@huawei.com> - 2:4.13-5
+- backport patches from upstream
+
+* Thu Apr 20 2023 yunjia_w<yunjia.wang@huawei.com> - 2:4.13-4
+- fix CVE-2023-29383
+
+* Thu Mar 23 2023 fuanan <fuanan3@h-partners.com> - 2:4.13-3
+- backport patches from upstream
+
+* Thu Feb 9 2023 yunjia_w<yunjia.wang@huawei.com> - 2:4.13-2
+- SM3 patch is compatible with version 4.13
+
+* Wed Feb 8 2023 yunjia_w<yunjia.wang@huawei.com> - 2:4.13-1
+- update version to 4.13
+
+* Thu Dec 1 2022 xiongshenglan<xiongshenglan@huawei.com> - 2:4.9-8
+- backport useradd check if subid range exists for user
+
+* Tue Nov 22 2022 yunjia_w<yunjia.wang@huawei.com> - 2:4.9-7
+- chpasswd fix function problem with R parameter
+
+* Mon Oct 31 2022 yunjia_w<yunjia.wang@huawei.com> - 2:4.9-6
+- add some backport to optimize some functions
+
+* Tue Aug 23 2022 fushanqing <fushanqing@kylinos.cn> - 2:4.9-5
+- remove patch 'shadow-4.1.5.1-var-lock.patch' and 'shadow-utils-fix-lock-file-residue.patch'
+
+* Tue Aug 2 2022 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 2:4.9-4
+- add-sm3-crypt-support.patch add update release to 4.9-4
+
+* Mon Feb 21 2022 panxiaohe <panxh.life@foxmail.com> - 2:4.9-1
+- update to 4.9
+- synchronized login.defs with upstream file
+- useradd: modify check ID range for system users
+
+* Thu Sep 30 2021 steven Y.Gui <steven_ygui@163.com> - 2:4.8.1-7
+- backport some patches to fix memory leak
+
+* Mon Jul 26 2021 wangchen<wangchen137@huawei.com> - 2:4.8.1-6
+- delete unnecessary gdb from BuildRequires
+
+* Thu Apr 29 2021 Hugel<gengqihu1@huawei.com> - 2:4.8.1-5
+- shadow should depend on audit-libs
+
+* Thu Jul 9 2020 Anakin Zhang<benjamin93@163.com> - 2:4.8.1-4
+- fix zh_CN typo
+
+* Sun Jun 28 2020 Anakin Zhang<benjamin93@163.com> - 2:4.8.1-3
+- generate /var/spool/mail/$USER with the proper SELinux user identity
+
+* Tue May 12 2020 steven<steven_ygui@163.com> - 2:4.8.1-2
+- Enable --with-libpam config during compiling
+
+* Fri Apr 24 2020 steven<steven_ygui@163.com> - 2:4.8.1-1
+- Upgrade version to 4.8.1
+
+* Sat Mar 21 2020 openEuler Buildteam <buildteam@openEuler.org> - 2:4.7-10
+- Only package man file into shadow-help; add buildrequires of gdb
+
+* Tue Mar 17 2020 openEuler Buildteam <buildteam@openEuler.org> - 2:4.7-9
+- Remove redundant file
+
+* Fri Feb 21 2020 openEuler Buildteam <buildteam@openEuler.org> - 2:4.7-8
+- Remove redundant patches
+
+* Thu Feb 6 2020 openEuler Buildteam <buildteam@openEuler.org> - 2:4.7-7
+- User name can start with an upper case letter
+
+* Sat Jan 18 2020 openEuler Buildteam <buildteam@openEuler.org> - 2:4.7-6
+- Delete ALWAYS_SET_PATH, which has been set by security-tool
+
+* Thu Jan 16 2020 openEuler Buildteam <buildteam@openEuler.org> - 2:4.7-5
+- Fix unknown item 'LASTLOG_MAX_UID'
+
+* Sun Jan 12 2020 openEuler Buildteam <buildteam@openEuler.org> - 2:4.7-4
+- Delete unused patch
+
+* Thu Dec 19 2019 openEuler Buildteam <buildteam@openEuler.org> - 2:4.7-3
+- Delete unused infomation
+
+* Mon Dec 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 2:4.7-2
+- fix invaild path
+
+* Thu Aug 29 2019 hexiaowen <hexiaowen@huawei.com> - 2:4.7-1
+- update to 4.7
+
+* Tue Aug 20 2019 guoxiaoqi<guoxiaoqi2@huawei.com> - 2:4.6-2.h9
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:rename patches
+
+* Thu Aug 8 2019 guoxiaoqi <guoxiaoqi2@huawei.com> - 2:4.6-2.h8
+- Type:NA
+- ID:NA
+- SUG:NA
+- DESC: format patches
+
+* Thu Aug 1 2019 Jiangchuangang<Jiangchuangang@huawei.com> - 2:4.6-2.h7
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:openEuler Debranding
+
+* Fri May 3 2019 lubing<lubing6@huawei.com> - 2:4.6-2.h6
+- Type:bugfix
+- ID:NA
+- SUG:restart
+- DESC:fix lock file residue
+
+* Tue Mar 12 2019 yangzhuangzhuang<yangzhuangzhuang1@huawei.com> - 2:4.6-2.h5
+- Type:bugfix
+- ID:NA
+- SUG:restart
+- DESC:su.c: run pam_getenvlist() after setup_env
+ Log UID in nologin
+ Fix some issues found in Coverity scan.
+ useradd: fix segfault trying to overwrite const data with mkstemp
+ Fix the default mentioned in man page for SUB_UID/GID_COUNT variables.
+
+* Wed Mar 6 2019 hanzhijun<hanzhijun@huawei.com> - 2:4.6-2.h4
+- Type:bugfix
+- ID:NA
+- SUG:NA
+ DESC:shadow 4.1.5.1 var lock
+
+* Thu Jan 31 2019 liuqianya<liuqianya@huawei.com> - 2:4.6-2.h3
+- Type:bugfix
+- ID:NA
+- SUG:NA
+ DESC:Revert"shadow 4.1.5.1 var lock"
+
+* Mon Jan 28 2019 liuqianya<liuqianya@huawei.com> - 2:4.6-2.h2
+- Type:bugfix
+- ID:NA
+- SUG:NA
+ DESC:Revert "shadow-utils: sync patches"
+
+* Fri Jan 25 2019 liuqianya<liuqianya@huawei.com> - 2:4.6-2.h1
+- Type:bugfix
+- ID:NA
+- SUG:NA
+ DESC:add ruserok to avoid compilation failure
+ hulk shadow remove passwd param for useradd
+ shadow 4.1.5.1 var lock
+
+* Sat Jul 14 2018 Jiangchuangang<Jiangchuangang@huawei.com> - 2:4.6-2
+- Package Initialization
diff --git a/sources b/sources
new file mode 100644
index 0000000..9256ec2
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+b1ab01b5462ddcf43588374d57bec123 shadow-4.13.tar.xz
diff --git a/usermod-unlock.patch b/usermod-unlock.patch
new file mode 100644
index 0000000..ff9602d
--- /dev/null
+++ b/usermod-unlock.patch
@@ -0,0 +1,65 @@
+Index: shadow-4.5/src/usermod.c
+===================================================================
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -466,14 +466,17 @@ static char *new_pw_passwd (char *pw_pass)
+ strcat (buf, pw_pass);
+ pw_pass = buf;
+ } else if (Uflg && pw_pass[0] == '!') {
+- char *s;
++ char *s = pw_pass;
+
+- if (pw_pass[1] == '\0') {
++ while ('!' == *s)
++ ++s;
++
++ if (*s == '\0') {
+ fprintf (stderr,
+ _("%s: unlocking the user's password would result in a passwordless account.\n"
+ "You should set a password with usermod -p to unlock this user's password.\n"),
+ Prog);
+- return pw_pass;
++ return NULL;
+ }
+
+ #ifdef WITH_AUDIT
+@@ -482,12 +485,15 @@ static char *new_pw_passwd (char *pw_pass)
+ user_newname, (unsigned int) user_newid, 0);
+ #endif
+ SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
+- s = pw_pass;
+- while ('\0' != *s) {
+- *s = *(s + 1);
+- s++;
+- }
++ memmove (pw_pass, s, strlen (s) + 1);
+ } else if (pflg) {
++ if (strchr (user_pass, ':') != NULL) {
++ fprintf (stderr,
++ _("%s: The password field cannot contain a colon character.\n"),
++ Prog);
++ return NULL;
++
++ }
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "changing password",
+@@ -536,6 +542,8 @@ static void new_pwent (struct passwd *pwent)
+ if ( (!is_shadow_pwd)
+ || (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {
+ pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);
++ if (pwent->pw_passwd == NULL)
++ fail_exit (E_PW_UPDATE);
+ }
+
+ if (uflg) {
+@@ -650,6 +658,8 @@ static void new_spent (struct spwd *spent)
+ * + aging has been requested
+ */
+ spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
++ if (spent->sp_pwdp == NULL)
++ fail_exit(E_PW_UPDATE);
+
+ if (pflg) {
+ spent->sp_lstchg = (long) gettime () / SCALE;
+
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-19 08:31:58 +0000