update to 4.9 and modify check ID range for system users

This commit is contained in:
panxiaohe 2022-02-21 10:35:04 +08:00
parent 404eae4926
commit d168ce83f3
31 changed files with 1466 additions and 610 deletions


@ -0,0 +1,112 @@
From 537b8cd90be7b47b45c45cfd27765ef85eb0ebf1 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Fri, 23 Jul 2021 17:51:13 -0500
Subject: [PATCH] Fix out of tree builds with respect to libsubid includes
There's a better way to do this, and I hope to clean that up,
but this fixes out of tree builds for me right now.
Closes #386
Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
lib/Makefile.am | 2 ++
libmisc/Makefile.am | 2 +-
libsubid/Makefile.am | 4 ++--
src/Makefile.am | 6 ++++++
4 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/lib/Makefile.am b/lib/Makefile.am
index ecf3ee2..5ac2e11 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -10,6 +10,8 @@ if HAVE_VENDORDIR
libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
endif
+libshadow_la_CPPFLAGS += -I$(top_srcdir)
+
libshadow_la_SOURCES = \
commonio.c \
commonio.h \
diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am
index 9766a7e..9f237e0 100644
--- a/libmisc/Makefile.am
+++ b/libmisc/Makefile.am
@@ -1,7 +1,7 @@
EXTRA_DIST = .indent.pro xgetXXbyYY.c
-AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS)
+AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS)
noinst_LTLIBRARIES = libmisc.la
diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
index 8305156..99308c1 100644
--- a/libsubid/Makefile.am
+++ b/libsubid/Makefile.am
@@ -20,8 +20,8 @@ MISCLIBS = \
$(LIBPAM)
libsubid_la_LIBADD = \
- $(top_srcdir)/lib/libshadow.la \
- $(top_srcdir)/libmisc/libmisc.la \
+ $(top_builddir)/lib/libshadow.la \
+ $(top_builddir)/libmisc/libmisc.la \
$(MISCLIBS) -ldl
AM_CPPFLAGS = \
diff --git a/src/Makefile.am b/src/Makefile.am
index 3502701..7c1a349 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -10,6 +10,7 @@ sgidperms = 2755
AM_CPPFLAGS = \
-I${top_srcdir}/lib \
-I$(top_srcdir)/libmisc \
+ -I$(top_srcdir) \
-DLOCALEDIR=\"$(datadir)/locale\"
# XXX why are login and su in /bin anyway (other than for
@@ -183,6 +184,7 @@ list_subid_ranges_LDADD = \
list_subid_ranges_CPPFLAGS = \
-I$(top_srcdir)/lib \
-I$(top_srcdir)/libmisc \
+ -I$(top_srcdir) \
-I$(top_srcdir)/libsubid
get_subid_owners_LDADD = \
@@ -194,11 +196,13 @@ get_subid_owners_LDADD = \
get_subid_owners_CPPFLAGS = \
-I$(top_srcdir)/lib \
-I$(top_srcdir)/libmisc \
+ -I$(top_srcdir) \
-I$(top_srcdir)/libsubid
new_subid_range_CPPFLAGS = \
-I$(top_srcdir)/lib \
-I$(top_srcdir)/libmisc \
+ -I$(top_srcdir) \
-I$(top_srcdir)/libsubid
new_subid_range_LDADD = \
@@ -210,6 +214,7 @@ new_subid_range_LDADD = \
free_subid_range_CPPFLAGS = \
-I$(top_srcdir)/lib \
-I$(top_srcdir)/libmisc \
+ -I$(top_srcdir) \
-I$(top_srcdir)/libsubid
free_subid_range_LDADD = \
@@ -220,6 +225,7 @@ free_subid_range_LDADD = \
check_subid_range_CPPFLAGS = \
-I$(top_srcdir)/lib \
+ -I$(top_srcdir) \
-I$(top_srcdir)/libmisc
check_subid_range_LDADD = \
--
1.8.3.1


@ -0,0 +1,28 @@
From fc832e4648d6e80e95aaa762a158453ee43fe1cb Mon Sep 17 00:00:00 2001
From: "(GalaxyMaster)" <galaxy4public@users.noreply.github.com>
Date: Wed, 27 Oct 2021 20:14:42 +1100
Subject: [PATCH] Fixes the linking issues when libsubid is static and linked
to binaries that also define the Prog and shadow_logfd variables.
---
libsubid/api.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsubid/api.c b/libsubid/api.c
index a7b904d..a51b4e0 100644
--- a/libsubid/api.c
+++ b/libsubid/api.c
@@ -39,8 +39,8 @@
#include "idmapping.h"
#include "subid.h"
-const char *Prog = "(libsubid)";
-FILE *shadow_logfd;
+static const char *Prog = "(libsubid)";
+static FILE *shadow_logfd;
bool libsubid_init(const char *progname, FILE * logfd)
{
--
1.8.3.1
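Review bot: Making `Prog` and `shadow_logfd` static in api.c changes who satisfies the extern references to these two names from the libmisc/libshadow objects that libsubid links against; those objects will now resolve them against whatever the loading program defines, not against the copies that `libsubid_init` (whose body is outside the hunk) assigns. That is presumably the intent for the static-link case described in the subject, but for a shared libsubid loaded by a program that does not define them it leaves the symbols undefined or, if the program's own `shadow_logfd` is still NULL, leaves libmisc logging through a NULL `FILE *` — worth confirming with a shared build. A comment on the declarations would save the next reader the same puzzle: `/* static: libmisc's extern Prog/shadow_logfd bind to the linking program's definitions, not to these; libsubid_init() only initialises libsubid's own copies */`.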


@ -0,0 +1,32 @@
From c6847011e8b656adacd9a0d2a78418cad0de34cb Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 2 Aug 2021 15:54:20 +0200
Subject: [PATCH] Makefile: include libeconf dependency in new*idmap
new*idmap has a dependency with libeconf since commit
c464ec55709dc931ba2f24073b8b1a86d5209ab0. I'm just adding it to the
Makefile to be able to compile in distributions that include libeconf.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/Makefile.am | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index 7c1a349..6cc873b 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -96,8 +96,8 @@ LIBCRYPT_NOPAM = $(LIBCRYPT)
endif
chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
-newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
-newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) -ldl
+newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
+newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
--
1.8.3.1


@ -0,0 +1,45 @@
From fa986b1d73605ecca54a4f19249227aeab827bf6 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <shallyn@cisco.com>
Date: Sun, 25 Jul 2021 17:18:02 +0000
Subject: [PATCH] Respect --enable-static=no in libsubid
libsubid's Makefile.am was always setting enable-shared in its LDFLAGS.
Do that only if not building static.
Closes #387
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
---
configure.ac | 2 ++
libsubid/Makefile.am | 2 ++
2 files changed, 4 insertions(+)
diff --git a/configure.ac b/configure.ac
index 0f237cc..994836b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -321,6 +321,8 @@ if test "$with_sha_crypt" = "yes"; then
AC_DEFINE(USE_SHA_CRYPT, 1, [Define to allow the SHA256 and SHA512 password encryption algorithms])
fi
+AM_CONDITIONAL(ENABLE_SHARED, test "x$enable_shared" = "xyes")
+
AM_CONDITIONAL(USE_BCRYPT, test "x$with_bcrypt" = "xyes")
if test "$with_bcrypt" = "yes"; then
AC_DEFINE(USE_BCRYPT, 1, [Define to allow the bcrypt password encryption algorithm])
diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
index 99308c1..8bba02a 100644
--- a/libsubid/Makefile.am
+++ b/libsubid/Makefile.am
@@ -1,6 +1,8 @@
lib_LTLIBRARIES = libsubid.la
+if ENABLE_SHARED
libsubid_la_LDFLAGS = -Wl,-soname,libsubid.so.@LIBSUBID_ABI@ \
-shared -version-info @LIBSUBID_ABI_MAJOR@
+endif
libsubid_la_SOURCES = api.c
pkginclude_HEADERS = subid.h
--
1.8.3.1


@ -0,0 +1,30 @@
From 4624e9fca1b02b64e25e8b2280a0186182ab73ba Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Sat, 14 Aug 2021 19:37:24 -0500
Subject: [PATCH] Revert "useradd.c:fix memleaks of grp"
In some cases, the value which was being freed is not actually
safe to free.
Closes #394
This reverts commit c44b71cec25d60efc51aec9de3abce1f6efbfcf5.
---
src/useradd.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/useradd.c b/src/useradd.c
index f90127c..0d3f390 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -413,7 +413,6 @@ static void get_defaults (void)
} else {
def_group = grp->gr_gid;
def_gname = xstrdup (grp->gr_name);
- gr_free(grp);
}
}
--
1.8.3.1


@ -1,62 +0,0 @@
From 56073640403f65193689d94a5024547181c8c4d8 Mon Sep 17 00:00:00 2001
From: guiyao <guiyao@huawei.com>
Date: Wed, 15 Apr 2020 19:15:53 -0400
Subject: [PATCH] add home_mode xml file
---
man/login.defs.d/HOME_MODE.xml | 43 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 man/login.defs.d/HOME_MODE.xml
diff --git a/man/login.defs.d/HOME_MODE.xml b/man/login.defs.d/HOME_MODE.xml
new file mode 100644
index 0000000..21aa55f
--- /dev/null
+++ b/man/login.defs.d/HOME_MODE.xml
@@ -0,0 +1,43 @@
+<!--
+ Copyright (c) 1991 - 1993, Julianne Frances Haugh
+ Copyright (c) 1991 - 1993, Chip Rosenthal
+ Copyright (c) 2007 - 2009, Nicolas François
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The name of the copyright holders or contributors may not be used to
+ endorse or promote products derived from this software without
+ specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<varlistentry>
+ <term><option>HOME_MODE</option> (number)</term>
+ <listitem>
+ <para>
+ The mode for new home directories. If not specified,
+ the <option>UMASK</option> is used to create the mode.
+ </para>
+ <para>
+ <command>useradd</command> and <command>newusers</command> use this
+ to set the mode of the home directory they create.
+ </para>
+ </listitem>
+</varlistentry>
--
1.8.3.1


@ -0,0 +1,42 @@
From f1f1678e13aa3ae49bdb139efaa2c5bc53dcfe92 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Tue, 4 Jan 2022 13:06:00 +0100
Subject: [PATCH] useradd: modify check ID range for system users
useradd warns that a system user ID less than SYS_UID_MIN is outside the
expected range, even though that ID has been specifically selected with
the "-u" option.
In my opinion all the user ID's below SYS_UID_MAX are for the system,
thus I change the condition to take that into account.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004911
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Conflict: context adaptation
---
src/useradd.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 34376fa..4c71c38 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2409,11 +2409,9 @@ static void check_uid_range(int rflg, uid_t user_id)
uid_t uid_min ;
uid_t uid_max ;
if(rflg){
- uid_min = (uid_t)getdef_ulong("SYS_UID_MIN",101UL);
uid_max = (uid_t)getdef_ulong("SYS_UID_MAX",getdef_ulong("UID_MIN",1000UL)-1);
- if(uid_min <= uid_max){
- if(user_id < uid_min || user_id >uid_max)
- fprintf(stderr, _("%s warning: %s's uid %d outside of the SYS_UID_MIN %d and SYS_UID_MAX %d range.\n"), Prog, user_name, user_id, uid_min, uid_max);
+ if (user_id > uid_max) {
+ fprintf(stderr, _("%s warning: %s's uid %d is greater than SYS_UID_MAX %d\n"), Prog, user_name, user_id, uid_max);
}
}else{
uid_min = (uid_t)getdef_ulong("UID_MIN", 1000UL);
--
1.8.3.1
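Review bot: The new `rflg` branch drops the lower bound entirely, so `useradd -r -u 0` (or any UID below SYS_UID_MIN) is now accepted with no warning at all where the old code at least printed one; if that is the intended policy the commit message should say so explicitly, and a residual `if (user_id == 0)` warning would keep the one case that hands out root visible to the operator. The warning is also only written to stderr, not through SYSLOG, so a scripted call that discards stderr leaves no trace of an out-of-range system UID — consider mirroring it to syslog as the surrounding code does for other anomalies (inferred from the rest of useradd, not visible here). Separately, the new `fprintf` passes `uid_t` values to `%d`; use `fprintf(stderr, _("%s warning: %s's uid %lu is greater than SYS_UID_MAX %lu\n"), Prog, user_name, (unsigned long) user_id, (unsigned long) uid_max);`. `check_uid_range` continues past the hunk (the `else` branch still assigns `uid_min`), so the variable is not dead, but it is now unused on the `rflg` path.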


@ -1,13 +0,0 @@
Index: shadow-4.5/src/useradd.c
===================================================================
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -329,7 +329,7 @@ static void fail_exit (int code)
user_name, AUDIT_NO_ID,
SHADOW_AUDIT_FAILURE);
#endif
- SYSLOG ((LOG_INFO, "failed adding user '%s', data deleted", user_name));
+ SYSLOG ((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
exit (code);
}


@ -1,61 +0,0 @@
From 8a1e92aff17be6266d0dc89321082e062af05832 Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Wed, 5 Feb 2020 15:04:39 +0100
Subject: [PATCH] useradd: generate /var/spool/mail/$USER with the proper
SELinux user identity
Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
---
src/useradd.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/src/useradd.c b/src/useradd.c
index a679392d..645d4a40 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -190,6 +190,7 @@ static bool home_added = false;
#define E_NAME_IN_USE 9 /* username already in use */
#define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't create home directory */
+#define E_MAILBOXFILE 13 /* can't create mailbox file */
#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
#ifdef ENABLE_SUBIDS
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
@@ -2210,6 +2211,16 @@ static void create_mail (void)
sprintf (file, "%s/%s/%s", prefix, spool, user_name);
else
sprintf (file, "%s/%s", spool, user_name);
+
+#ifdef WITH_SELINUX
+ if (set_selinux_file_context (file) != 0) {
+ fprintf (stderr,
+ _("%s: cannot set SELinux context for mailbox file %s\n"),
+ Prog, file);
+ fail_exit (E_MAILBOXFILE);
+ }
+#endif
+
fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0);
if (fd < 0) {
perror (_("Creating mailbox file"));
@@ -2234,6 +2245,15 @@ static void create_mail (void)
fsync (fd);
close (fd);
+#ifdef WITH_SELINUX
+ /* Reset SELinux to create files with default contexts */
+ if (reset_selinux_file_context () != 0) {
+ fprintf (stderr,
+ _("%s: cannot reset SELinux file creation context\n"),
+ Prog);
+ fail_exit (E_MAILBOXFILE);
+ }
+#endif
}
}
--
2.24.1


@ -0,0 +1,32 @@
From a757b458ffb4fb9a40bcbb4f7869449431c67f83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Rigault?= <frigo@amadeus.com>
Date: Mon, 1 Nov 2021 13:54:25 +0100
Subject: [PATCH] groupdel: fix SIGSEGV when passwd does not exist
When using groupdel with a prefix, groupdel will attempt to read a
passwd file to look for any user in the group. When the file does not
exist it cores with segmentation fault.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1986111
Conflict: context adaptation
---
libmisc/prefix_flag.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libmisc/prefix_flag.c b/libmisc/prefix_flag.c
index cca553a..b6628ac 100644
--- a/libmisc/prefix_flag.c
+++ b/libmisc/prefix_flag.c
@@ -288,6 +288,9 @@ extern struct passwd* prefix_getpwent()
if(!passwd_db_file) {
return getpwent();
}
+ if (!fp_pwent) {
+ return NULL;
+ }
return fgetpwent(fp_pwent);
}
extern void prefix_endpwent()
--
1.8.3.1
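Review bot: Returning NULL when `fp_pwent` is unset makes a missing prefixed passwd file indistinguishable from end-of-enumeration, so a caller walking the database to find users whose primary group is about to be removed (presumably what groupdel does here, not visible in the hunk) will conclude there are none and proceed. The segfault is fixed, but the failure is now silent; where `fp_pwent` is opened is outside this hunk, so either that open should report the failure, or this path should at least set `errno = ENOENT;` before returning so callers can tell the two apart. A comment on the new check would make the choice explicit: `/* prefixed passwd file was never opened: report as empty; callers cannot distinguish this from EOF */`.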


@ -0,0 +1,60 @@
From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Sat, 14 Aug 2021 13:24:34 -0400
Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds()
If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified,
use SHA_ROUNDS_DEFAULT.
Previously, the code fell through, calling shadow_random(-1, -1). This
ultimately set rounds = (unsigned long) -1, which ends up being a very
large number! This then got capped to SHA_ROUNDS_MAX later in the
function.
The new behavior matches BCRYPT_get_salt_rounds().
Bug: https://bugs.gentoo.org/808195
Fixes: https://github.com/shadow-maint/shadow/issues/393
---
libmisc/salt.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/libmisc/salt.c b/libmisc/salt.c
index 91d528f..30eefb9 100644
--- a/libmisc/salt.c
+++ b/libmisc/salt.c
@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre
if ((-1 == min_rounds) && (-1 == max_rounds)) {
rounds = SHA_ROUNDS_DEFAULT;
}
+ else {
+ if (-1 == min_rounds) {
+ min_rounds = max_rounds;
+ }
- if (-1 == min_rounds) {
- min_rounds = max_rounds;
- }
+ if (-1 == max_rounds) {
+ max_rounds = min_rounds;
+ }
- if (-1 == max_rounds) {
- max_rounds = min_rounds;
- }
+ if (min_rounds > max_rounds) {
+ max_rounds = min_rounds;
+ }
- if (min_rounds > max_rounds) {
- max_rounds = min_rounds;
+ rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
}
-
- rounds = (unsigned long) shadow_random (min_rounds, max_rounds);
} else if (0 == *prefered_rounds) {
rounds = SHA_ROUNDS_DEFAULT;
} else {
--
1.8.3.1
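Review bot: The restructured `else` block still casts the return of `shadow_random (min_rounds, max_rounds)` straight to `unsigned long`, which is exactly the conversion that produced the absurd round count this patch fixes; if `shadow_random` can signal failure with a negative value (its definition is outside the hunk, so I cannot tell), that path reproduces the bug and relies on the later clamp to SHA_ROUNDS_MAX mentioned in the description. A one-line guard before the cast, e.g. `if (r < 0) rounds = SHA_ROUNDS_DEFAULT; else rounds = (unsigned long) r;`, would make the default explicit rather than incidental. The start of `SHA_get_salt_rounds` and the later clamping are both outside the hunk.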


@ -0,0 +1,28 @@
From f4a84efb468b8be21be124700ce35159c444e9d6 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@mengyan1223.wang>
Date: Fri, 23 Jul 2021 14:38:08 +0800
Subject: [PATCH] libsubid: link to PAM libraries
libsubid.so links to libmisc.a, which contains several routines referring to
PAM functions.
---
libsubid/Makefile.am | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am
index 189165b..8305156 100644
--- a/libsubid/Makefile.am
+++ b/libsubid/Makefile.am
@@ -16,7 +16,8 @@ MISCLIBS = \
$(LIBCRYPT) \
$(LIBACL) \
$(LIBATTR) \
- $(LIBTCB)
+ $(LIBTCB) \
+ $(LIBPAM)
libsubid_la_LIBADD = \
$(top_srcdir)/lib/libshadow.la \
--
1.8.3.1


@ -1,93 +0,0 @@
From 915cc6bb9cc8463576aea4b0262ad5f4f1700cd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=B0=AD=E4=B9=9D=E9=BC=8E?= <109224573@qq.com>
Date: Mon, 3 Feb 2020 22:02:16 +0800
Subject: [PATCH] =?UTF-8?q?man(zh=5FCN):=20fix=20typo=20=E7=8E=B0=E5=AE=9E?=
=?UTF-8?q?=20->=20=E6=98=BE=E7=A4=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Anakin Zhang <benjamin93@163.com>
---
man/po/zh_CN.po | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/man/po/zh_CN.po b/man/po/zh_CN.po
index 2537807..85d1243 100644
--- a/man/po/zh_CN.po
+++ b/man/po/zh_CN.po
@@ -334,7 +334,7 @@ msgstr "<option>-h</option>, <option>--help</option>"
#: expiry.1.xml:114(para) chsh.1.xml:103(para) chpasswd.8.xml:173(para)
#: chgpasswd.8.xml:133(para) chfn.1.xml:169(para) chage.1.xml:131(para)
msgid "Display help message and exit."
-msgstr "现实帮助信息并退出。"
+msgstr "显示帮助信息并退出。"
#: vipw.8.xml:126(term)
msgid "<option>-p</option>, <option>--passwd</option>"
@@ -3710,7 +3710,7 @@ msgstr "<option>MAIL_CHECK_ENAB</option> (boolean)"
#: su.1.xml:34(para) login.defs.5.xml:34(para) login.1.xml:34(para)
msgid "Enable checking and display of mailbox status upon login."
-msgstr "启用登录时检查和现实邮箱状态。"
+msgstr "启用登录时检查和显示邮箱状态。"
#: su.1.xml:37(para) login.defs.5.xml:37(para) login.1.xml:37(para)
msgid ""
@@ -6372,7 +6372,7 @@ msgstr "<option>ISSUE_FILE</option> (string)"
#: login.defs.5.xml:34(para) login.1.xml:34(para)
msgid "If defined, this file will be displayed before each login prompt."
-msgstr "如果定义了,此文件将在每次的登录提示之前现实。"
+msgstr "如果定义了,此文件将在每次的登录提示之前显示。"
#: login.defs.5.xml:32(term) login.1.xml:32(term)
msgid "<option>KILLCHAR</option> (number)"
@@ -7125,7 +7125,7 @@ msgstr "$HOME/.hushlogin"
#: login.1.xml:385(para)
msgid "Suppress printing of system messages."
-msgstr "阻止现实系统信息。"
+msgstr "阻止显示系统信息。"
#: login.1.xml:399(para)
msgid ""
@@ -7453,7 +7453,7 @@ msgstr ""
msgid ""
"Print the lastlog records more recent than <emphasis remap=\"I\">DAYS</"
"emphasis>."
-msgstr "只现实新于 <emphasis remap=\"I\">DAYS</emphasis> 的最近登录记录。"
+msgstr "只显示新于 <emphasis remap=\"I\">DAYS</emphasis> 的最近登录记录。"
#: lastlog.8.xml:161(term) faillog.8.xml:202(term)
msgid ""
@@ -7465,7 +7465,7 @@ msgstr ""
#: lastlog.8.xml:165(para)
msgid "Print the lastlog record of the specified user(s)."
-msgstr "现实指定用户的最近登录记录。"
+msgstr "显示指定用户的最近登录记录。"
#: lastlog.8.xml:168(para) faillog.8.xml:211(para)
msgid ""
@@ -7790,7 +7790,7 @@ msgstr "groups"
#: groups.1.xml:65(refpurpose)
msgid "display current group names"
-msgstr "现实当前组名"
+msgstr "显示当前组名"
#: groups.1.xml:72(replaceable)
msgid "user"
@@ -9396,7 +9396,7 @@ msgstr ""
#: chage.1.xml:164(para)
msgid "Show account aging information."
-msgstr "现实账户年龄信息。"
+msgstr "显示账户年龄信息。"
#: chage.1.xml:170(term)
msgid ""
--
2.23.0.windows.1


@ -0,0 +1,35 @@
From 497e90751bc0d95cc998b0f06305040563903948 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Wed, 10 Nov 2021 12:02:04 +0100
Subject: [PATCH] newgrp: fix segmentation fault
Fix segmentation fault in newgrp when xgetspnam() returns a NULL value
that is immediately freed.
The error was committed in
https://github.com/shadow-maint/shadow/commit/e65cc6aebcb4132fa413f00a905216a5b35b3d57
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2019553
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/newgrp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/newgrp.c b/src/newgrp.c
index 730f47e..566f1c8 100644
--- a/src/newgrp.c
+++ b/src/newgrp.c
@@ -163,8 +163,8 @@ static void check_perms (const struct group *grp,
spwd = xgetspnam (pwd->pw_name);
if (NULL != spwd) {
pwd->pw_passwd = xstrdup (spwd->sp_pwdp);
+ spw_free (spwd);
}
- spw_free (spwd);
if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) {
needspasswd = true;
--
1.8.3.1


@ -0,0 +1,30 @@
From d8e54618feea201987c1f3cb402ed50d1d8b604f Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 15 Nov 2021 12:40:15 +0100
Subject: [PATCH] pwck: fix segfault when calling fprintf()
As shadow_logfd variable is not set at the beginning of the program if
something fails and fprintf() is called a segmentation fault happens.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2021339
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/pwck.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/pwck.c b/src/pwck.c
index 4248944..4ce86af 100644
--- a/src/pwck.c
+++ b/src/pwck.c
@@ -857,6 +857,7 @@ int main (int argc, char **argv)
* Get my name so that I can use it to report errors.
*/
Prog = Basename (argv[0]);
+ shadow_logfd = stderr;
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
--
1.8.3.1


@ -1,140 +0,0 @@
From 73e2af119d62d76cd7edcd2109a122a22e143e91 Mon Sep 17 00:00:00 2001
From: "guiyao" <guiyao@huawei.com>
Date: Wed, 15 Apr 2020 15:41:18 -0400
Subject: [PATCH] selinux-flag
backport selinux flag patch and modified for new code
---
lib/semanage.c | 7 ++++++
src/useradd.c | 69 ++++++++++++++++++++++++++++++----------------------------
2 files changed, 43 insertions(+), 33 deletions(-)
diff --git a/lib/semanage.c b/lib/semanage.c
index e983f5f..7ec8969 100644
--- a/lib/semanage.c
+++ b/lib/semanage.c
@@ -294,6 +294,9 @@ int set_seuser (const char *login_name, const char *seuser_name)
ret = 0;
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_seuser_key_free (key);
semanage_handle_destroy (handle);
@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)
}
ret = 0;
+
+ /* drop obsolete matchpathcon cache */
+ matchpathcon_fini();
+
done:
semanage_handle_destroy (handle);
return ret;
diff --git a/src/useradd.c b/src/useradd.c
index b294439..47394a3 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2242,6 +2242,7 @@ static void create_mail (void)
*/
int main (int argc, char **argv)
{
+ int rv = E_SUCCESS;
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
@@ -2464,27 +2465,11 @@ int main (int argc, char **argv)
usr_update ();
- if (mflg) {
- create_home ();
- if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
- } else {
- fprintf (stderr,
- _("%s: warning: the home directory %s already exists.\n"
- "%s: Not copying any file from skel directory into it.\n"),
- Prog, user_home, Prog);
- }
-
- }
-
- /* Do not create mail directory for system accounts */
- if (!rflg) {
- create_mail ();
- }
-
close_files ();
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+
/*
* tallylog_reset needs to be able to lookup
* a valid existing user name,
@@ -2495,25 +2480,43 @@ int main (int argc, char **argv)
}
#ifdef WITH_SELINUX
- if (Zflg) {
- if (set_seuser (user_name, user_selinux) != 0) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ if (set_seuser (user_name, user_selinux) != 0) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "adding SELinux user mapping",
- user_name, (unsigned int) user_id, 0);
-#endif /* WITH_AUDIT */
- fail_exit (E_SE_UPDATE);
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding SELinux user mapping",
+ user_name, (unsigned int) user_id, 0);
+#endif /* WITH_AUDIT */
+ rv = E_SE_UPDATE;
+ }
}
}
-#endif /* WITH_SELINUX */
+#endif
+
+ if (mflg) {
+ create_home ();
+ if (home_added) {
+ copy_tree (def_template, prefix_user_home, false, true,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
+ _("%s: warning: the home directory already exists.\n"
+ "Not copying any file from skel directory into it.\n"),
+ Prog);
+ }
+ }
+
+ /* Do not create mail directory for system accounts */
+ if (!rflg) {
+ create_mail ();
+ }
- nscd_flush_cache ("passwd");
- nscd_flush_cache ("group");
sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
- return E_SUCCESS;
+ return rv;
}
--
1.8.3.1


@ -0,0 +1,61 @@
From 234af5cf67fc1a3ba99fc246ba65869a3c416545 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Fri, 8 Oct 2021 13:13:13 +0200
Subject: [PATCH] semanage: close the selabel handle
Close the selabel handle to update the file_context. This means that the
file_context will be remmaped and used by selabel_lookup() to return
the appropriate context to label the home folder.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
lib/prototypes.h | 1 +
lib/selinux.c | 5 +++++
lib/semanage.c | 1 +
3 files changed, 7 insertions(+)
diff --git a/lib/prototypes.h b/lib/prototypes.h
index 1d1586d..b697e0e 100644
--- a/lib/prototypes.h
+++ b/lib/prototypes.h
@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
/* selinux.c */
#ifdef WITH_SELINUX
extern int set_selinux_file_context (const char *dst_name, mode_t mode);
+extern void reset_selinux_handle (void);
extern int reset_selinux_file_context (void);
extern int check_selinux_permit (const char *perm_name);
#endif
diff --git a/lib/selinux.c b/lib/selinux.c
index c83545f..b075d4c 100644
--- a/lib/selinux.c
+++ b/lib/selinux.c
@@ -50,6 +50,11 @@ static void cleanup(void)
}
}
+void reset_selinux_handle (void)
+{
+ cleanup();
+}
+
/*
* set_selinux_file_context - Set the security context before any file or
* directory creation.
diff --git a/lib/semanage.c b/lib/semanage.c
index 0d30456..a5bf921 100644
--- a/lib/semanage.c
+++ b/lib/semanage.c
@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
}
ret = 0;
+ reset_selinux_handle();
done:
semanage_seuser_key_free (key);
--
1.8.3.1


@ -1,20 +1,7 @@
From a386a250712771e44e2020060e6a3ca690f72129 Mon Sep 17 00:00:00 2001 diff -up shadow-4.8/libmisc/chkname.c.goodname shadow-4.8/libmisc/chkname.c
From: "guiyao" <guiyao@huawei.com> --- shadow-4.8/libmisc/chkname.c.goodname 2020-01-13 09:44:41.968507996 +0100
Date: Wed, 15 Apr 2020 15:18:25 -0400 +++ shadow-4.8/libmisc/chkname.c 2020-01-13 09:46:27.863727732 +0100
Subject: [PATCH] shadow: shadow-4.5-goodname @@ -55,26 +55,44 @@ static bool is_valid_name (const char *n
backport patch and do some modify for new code
---
libmisc/chkname.c | 40 +++++++++++++++++++++++++++++-----------
man/groupadd.8.xml | 10 ++++++----
man/useradd.8.xml | 12 ++++++++----
3 files changed, 43 insertions(+), 19 deletions(-)
diff --git a/libmisc/chkname.c b/libmisc/chkname.c
index bdd1e72..957c966 100644
--- a/libmisc/chkname.c
+++ b/libmisc/chkname.c
@@ -55,26 +55,44 @@ static bool is_valid_name (const char *name)
} }
/* /*
@ -33,13 +20,13 @@ index bdd1e72..957c966 100644
- if (('\0' == *name) || - if (('\0' == *name) ||
- !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) { - !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
+ if ('\0' == *name || + if ('\0' == *name ||
+ ('.' == *name && (('.' == name[1] && '\0' == name[2]) || + ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+ '\0' == name[1])) || + '\0' == name[1])) ||
+ !((*name >= 'a' && *name <= 'z') || + !((*name >= 'a' && *name <= 'z') ||
+ (*name >= 'A' && *name <= 'Z') || + (*name >= 'A' && *name <= 'Z') ||
+ (*name >= '0' && *name <= '9') || + (*name >= '0' && *name <= '9') ||
+ *name == '_' || + *name == '_' ||
+ *name == '.')) { + *name == '.')) {
return false; return false;
} }
@ -51,15 +38,14 @@ index bdd1e72..957c966 100644
- ('_' == *name) || - ('_' == *name) ||
- ('-' == *name) || - ('-' == *name) ||
- ( ('$' == *name) && ('\0' == *(name + 1)) ) - ( ('$' == *name) && ('\0' == *(name + 1)) )
- )) {
+ if (!((*name >= 'a' && *name <= 'z') || + if (!((*name >= 'a' && *name <= 'z') ||
+ (*name >= 'A' && *name <= 'Z') || + (*name >= 'A' && *name <= 'Z') ||
+ (*name >= '0' && *name <= '9') || + (*name >= '0' && *name <= '9') ||
+ *name == '_' || + *name == '_' ||
+ *name == '.' || + *name == '.' ||
+ *name == '-' || + *name == '-' ||
+ (*name == '$' && name[1] == '\0') + (*name == '$' && name[1] == '\0')
+ )) { )) {
return false; return false;
} }
+ numeric &= isdigit(*name); + numeric &= isdigit(*name);
@ -70,10 +56,9 @@ index bdd1e72..957c966 100644
} }
bool is_valid_user_name (const char *name) bool is_valid_user_name (const char *name)
diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml diff -up shadow-4.8/man/groupadd.8.xml.goodname shadow-4.8/man/groupadd.8.xml
index 1e58f09..47a4c95 100644 --- shadow-4.8/man/groupadd.8.xml.goodname 2019-07-23 17:26:08.000000000 +0200
--- a/man/groupadd.8.xml +++ shadow-4.8/man/groupadd.8.xml 2020-01-13 09:44:41.968507996 +0100
+++ b/man/groupadd.8.xml
@@ -273,10 +273,12 @@ @@ -273,10 +273,12 @@
<refsect1 id='caveats'> <refsect1 id='caveats'>
<title>CAVEATS</title> <title>CAVEATS</title>
@ -91,11 +76,10 @@ index 1e58f09..47a4c95 100644
</para> </para>
<para> <para>
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long. Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
diff --git a/man/useradd.8.xml b/man/useradd.8.xml diff -up shadow-4.8/man/useradd.8.xml.goodname shadow-4.8/man/useradd.8.xml
index 03612ce..4e9e0dc 100644 --- shadow-4.8/man/useradd.8.xml.goodname 2019-10-05 03:23:58.000000000 +0200
--- a/man/useradd.8.xml +++ shadow-4.8/man/useradd.8.xml 2020-01-13 09:44:41.968507996 +0100
+++ b/man/useradd.8.xml @@ -661,10 +661,14 @@
@@ -662,10 +662,14 @@
</para> </para>
<para> <para>
@ -114,6 +98,3 @@ index 03612ce..4e9e0dc 100644
</para> </para>
<para> <para>
Usernames may only be up to 32 characters long. Usernames may only be up to 32 characters long.
--
1.8.3.1
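Review bot: `numeric &= isdigit(*name);` in the new is_valid_name loop passes a plain `char` to `isdigit`, which is undefined for bytes above 0x7f when `char` is signed (CERT STR37-C), and it relies on `isdigit` returning exactly 1 — the standard only promises non-zero, so if `numeric` is declared as an integer rather than `bool` (its declaration is outside the hunk) the bitwise AND can clear it on a valid digit. `numeric &= (isdigit((unsigned char) *name) != 0);` avoids both. Note also that the relaxed first-character rule now admits names beginning with a digit and uppercase letters; all-numeric names are tracked via `numeric`, but the check that rejects them is not in the visible hunk, so confirm it still fires, since a name that parses as a number is ambiguous to tools that accept either a name or an ID.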


@ -1,18 +1,20 @@
diff --git a/lib/defines.h b/lib/defines.h diff -up shadow-4.8/lib/defines.h.long-entry shadow-4.8/lib/defines.h
--- a/lib/defines.h --- shadow-4.8/lib/defines.h.long-entry 2020-01-13 10:29:45.288957339 +0100
+++ b/lib/defines.h +++ shadow-4.8/lib/defines.h 2020-01-13 10:30:47.482902954 +0100
@@ -388,4 +388,7 @@ extern char *strerror (); @@ -388,6 +388,9 @@ extern char *strerror ();
# define shadow_getenv(name) getenv(name) # endif
#endif #endif
+/* Maximum length of passwd entry */ +/* Maximum length of passwd entry */
+#define PASSWD_ENTRY_MAX_LENGTH 32768 +#define PASSWD_ENTRY_MAX_LENGTH 32768
+ +
#endif /* _DEFINES_H_ */ #ifdef HAVE_SECURE_GETENV
diff --git a/lib/pwio.c b/lib/pwio.c # define shadow_getenv(name) secure_getenv(name)
--- a/lib/pwio.c # else
+++ b/lib/pwio.c diff -up shadow-4.8/lib/pwio.c.long-entry shadow-4.8/lib/pwio.c
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent, FILE * file) --- shadow-4.8/lib/pwio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8/lib/pwio.c 2020-01-13 10:29:45.288957339 +0100
@@ -79,7 +79,10 @@ static int passwd_put (const void *ent,
|| (pw->pw_gid == (gid_t)-1) || (pw->pw_gid == (gid_t)-1)
|| (valid_field (pw->pw_gecos, ":\n") == -1) || (valid_field (pw->pw_gecos, ":\n") == -1)
|| (valid_field (pw->pw_dir, ":\n") == -1) || (valid_field (pw->pw_dir, ":\n") == -1)
@ -24,9 +26,9 @@ diff --git a/lib/pwio.c b/lib/pwio.c
return -1; return -1;
} }
diff --git a/lib/sgetpwent.c b/lib/sgetpwent.c diff -up shadow-4.8/lib/sgetpwent.c.long-entry shadow-4.8/lib/sgetpwent.c
--- a/lib/sgetpwent.c --- shadow-4.8/lib/sgetpwent.c.long-entry 2019-10-05 03:23:58.000000000 +0200
+++ b/lib/sgetpwent.c +++ shadow-4.8/lib/sgetpwent.c 2020-01-13 10:29:45.288957339 +0100
@@ -57,7 +57,7 @@ @@ -57,7 +57,7 @@
struct passwd *sgetpwent (const char *buf) struct passwd *sgetpwent (const char *buf)
{ {
@ -36,7 +38,7 @@ diff --git a/lib/sgetpwent.c b/lib/sgetpwent.c
register int i; register int i;
register char *cp; register char *cp;
char *fields[NFIELDS]; char *fields[NFIELDS];
@@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *buf) @@ -67,8 +67,10 @@ struct passwd *sgetpwent (const char *bu
* the password structure remain valid. * the password structure remain valid.
*/ */
@ -48,9 +50,9 @@ diff --git a/lib/sgetpwent.c b/lib/sgetpwent.c
strcpy (pwdbuf, buf); strcpy (pwdbuf, buf);
/* /*
diff --git a/lib/sgetspent.c b/lib/sgetspent.c diff -up shadow-4.8/lib/sgetspent.c.long-entry shadow-4.8/lib/sgetspent.c
--- a/lib/sgetspent.c --- shadow-4.8/lib/sgetspent.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ b/lib/sgetspent.c +++ shadow-4.8/lib/sgetspent.c 2020-01-13 10:29:45.289957322 +0100
@@ -48,7 +48,7 @@ @@ -48,7 +48,7 @@
*/ */
struct spwd *sgetspent (const char *string) struct spwd *sgetspent (const char *string)
@ -60,7 +62,7 @@ diff --git a/lib/sgetspent.c b/lib/sgetspent.c
static struct spwd spwd; static struct spwd spwd;
char *fields[FIELDS]; char *fields[FIELDS];
char *cp; char *cp;
@@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *string) @@ -61,6 +61,7 @@ struct spwd *sgetspent (const char *stri
*/ */
if (strlen (string) >= sizeof spwbuf) { if (strlen (string) >= sizeof spwbuf) {
@ -68,10 +70,10 @@ diff --git a/lib/sgetspent.c b/lib/sgetspent.c
return 0; /* fail if too long */ return 0; /* fail if too long */
} }
strcpy (spwbuf, string); strcpy (spwbuf, string);
diff --git a/lib/shadowio.c b/lib/shadowio.c diff -up shadow-4.8/lib/shadowio.c.long-entry shadow-4.8/lib/shadowio.c
--- a/lib/shadowio.c --- shadow-4.8/lib/shadowio.c.long-entry 2019-07-23 17:26:08.000000000 +0200
+++ b/lib/shadowio.c +++ shadow-4.8/lib/shadowio.c 2020-01-13 10:29:45.289957322 +0100
@@ -79,7 +79,9 @@ static int shadow_put (const void *ent, FILE * file) @@ -79,7 +79,9 @@ static int shadow_put (const void *ent,
if ( (NULL == sp) if ( (NULL == sp)
|| (valid_field (sp->sp_namp, ":\n") == -1) || (valid_field (sp->sp_namp, ":\n") == -1)



@ -1,8 +1,8 @@
Index: shadow-4.5/src/chage.c Index: shadow-4.5/src/chage.c
=================================================================== ===================================================================
--- a/src/chage.c --- shadow-4.5.orig/src/chage.c
+++ b/src/chage.c +++ shadow-4.5/src/chage.c
@@ -167,6 +167,10 @@ static void date_to_str (char *buf, size_t maxsize, time_t date) @@ -168,6 +168,10 @@ static void date_to_str (char *buf, size
struct tm *tp; struct tm *tp;
tp = gmtime (&date); tp = gmtime (&date);
@ -13,32 +13,11 @@ Index: shadow-4.5/src/chage.c
#ifdef HAVE_STRFTIME #ifdef HAVE_STRFTIME
(void) strftime (buf, maxsize, "%Y-%m-%d", tp); (void) strftime (buf, maxsize, "%Y-%m-%d", tp);
#else #else
Index: shadow-4.5/src/faillog.c
===================================================================
--- a/src/faillog.c
+++ b/src/faillog.c
@@ -163,10 +163,14 @@ static void print_one (/*@null@*/const struct passwd *pw, bool force)
}
tm = localtime (&fl.fail_time);
+ if (tm == NULL) {
+ cp = "(unknown)";
+ } else {
#ifdef HAVE_STRFTIME
- strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
- cp = ptime;
+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S %z", tm);
+ cp = ptime;
#endif
+ }
printf ("%-9s %5d %5d ",
pw->pw_name, fl.fail_cnt, fl.fail_max);
/* FIXME: cp is not defined ifndef HAVE_STRFTIME */
Index: shadow-4.5/src/lastlog.c Index: shadow-4.5/src/lastlog.c
=================================================================== ===================================================================
--- a/src/lastlog.c --- shadow-4.5.orig/src/lastlog.c
+++ b/src/lastlog.c +++ shadow-4.5/src/lastlog.c
@@ -159,13 +159,17 @@ static void print_one (/*@null@*/const struct passwd *pw) @@ -158,13 +158,17 @@ static void print_one (/*@null@*/const s
ll_time = ll.ll_time; ll_time = ll.ll_time;
tm = localtime (&ll_time); tm = localtime (&ll_time);
@ -62,9 +41,9 @@ Index: shadow-4.5/src/lastlog.c
cp = _("**Never logged in**\0"); cp = _("**Never logged in**\0");
Index: shadow-4.5/src/passwd.c Index: shadow-4.5/src/passwd.c
=================================================================== ===================================================================
--- a/src/passwd.c --- shadow-4.5.orig/src/passwd.c
+++ b/src/passwd.c +++ shadow-4.5/src/passwd.c
@@ -456,6 +456,9 @@ static /*@observer@*/const char *date_to_str (time_t t) @@ -455,6 +455,9 @@ static /*@observer@*/const char *date_to
struct tm *tm; struct tm *tm;
tm = gmtime (&t); tm = gmtime (&t);
@ -76,9 +55,9 @@ Index: shadow-4.5/src/passwd.c
#else /* !HAVE_STRFTIME */ #else /* !HAVE_STRFTIME */
Index: shadow-4.5/src/usermod.c Index: shadow-4.5/src/usermod.c
=================================================================== ===================================================================
--- a/src/usermod.c --- shadow-4.5.orig/src/usermod.c
+++ b/src/usermod.c +++ shadow-4.5/src/usermod.c
@@ -216,6 +216,10 @@ static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize, @@ -210,6 +210,10 @@ static void date_to_str (/*@unique@*//*@
} else { } else {
time_t t = (time_t) date; time_t t = (time_t) date;
tp = gmtime (&t); tp = gmtime (&t);
@ -89,6 +68,3 @@ Index: shadow-4.5/src/usermod.c
#ifdef HAVE_STRFTIME #ifdef HAVE_STRFTIME
strftime (buf, maxsize, "%Y-%m-%d", tp); strftime (buf, maxsize, "%Y-%m-%d", tp);
#else #else
--
2.19.1
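Review bot: The faillog.c hunk that guards a NULL return from `localtime()` (the single-column block from `Index: shadow-4.5/src/faillog.c` through `+ }`, which this split view shows only on the old side) is dropped from the renamed patch, so `print_one` in faillog.c is no longer covered by it while chage.c, lastlog.c, passwd.c and usermod.c still are. If the shadow 4.9 sources already carry an equivalent `if (tm == NULL)` check this is fine, but that should be confirmed before the hunk goes, since a NULL `tm` reaching `strftime` is a NULL dereference. The retained `/* FIXME: cp is not defined ifndef HAVE_STRFTIME */` comment also shows that even the dropped guard left `cp` unset in the non-strftime build, so a replacement hunk should initialise `cp` in that branch too.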

shadow-4.9.tar.xz Normal file



@ -1,12 +1,126 @@
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED* # *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the # Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence. # home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
# #
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail MAIL_DIR /var/spool/mail
#MAIL_FILE .mail #MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 077
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
#HOME_MODE 0700
# Password aging controls: # Password aging controls:
# #
# PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MAX_DAYS Maximum number of days a password may be used.
@ -19,38 +133,174 @@ PASS_MIN_DAYS 0
PASS_MIN_LEN 5 PASS_MIN_LEN 5
PASS_WARN_AGE 7 PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
# #
# Min/max values for automatic uid selection in useradd # Min/max values for automatic uid selection in useradd(8)
# #
UID_MIN 1000 UID_MIN 1000
UID_MAX 60000 UID_MAX 60000
# System accounts # System accounts
SYS_UID_MIN 201 SYS_UID_MIN 201
SYS_UID_MAX 999 SYS_UID_MAX 999
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
# #
# Min/max values for automatic gid selection in groupadd # Min/max values for automatic gid selection in groupadd(8)
# #
GID_MIN 1000 GID_MIN 1000
GID_MAX 60000 GID_MAX 60000
# System accounts # System accounts
SYS_GID_MIN 201 SYS_GID_MIN 201
SYS_GID_MAX 999 SYS_GID_MAX 999
# Extra per user group ids
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
# #
# If useradd should create home directories for users by default # Max number of login(1) retries if password is bad
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
# #
CREATE_HOME yes #LOGIN_RETRIES 3
# The permission mask is initialized to this value. If not specified, #
# the permission mask will be initialized to 022. # Max time in seconds for login(1)
UMASK 077 #
#LOGIN_TIMEOUT 60
# This enables userdel to remove user groups if no members exist. # Currently PASS_CHANGE_TRIES is not supported
# Currently PASS_ALWAYS_WARN is not supported
# Currently PASS_MAX_LEN is not supported
# Currently CHFN_AUTH is not supported
#
# Which fields may be changed by regular users using chfn(1) - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
#CHFN_RESTRICT rwh
# Currently LOGIN_STRING is not supported
# Currently MD5_CRYPT_ENAB is not supported
#
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password (default)
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password
#
ENCRYPT_METHOD SHA512
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be within the 1000-999999999 range.
#
#SHA_CRYPT_MAX_ROUNDS 5000
# Currently SHA_CRYPT_MIN_ROUNDS is not supported
#
# Only works if ENCRYPT_METHOD is set to BCRYPT.
#
# Define the number of BCRYPT rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# If not specified, 13 rounds will be attempted.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
#BCRYPT_MIN_ROUNDS 13
#BCRYPT_MAX_ROUNDS 31
#
# Only works if ENCRYPT_METHOD is set to YESCRYPT.
#
# Define the YESCRYPT cost factor.
# With a higher cost factor, it is more difficult to brute-force the password.
# However, more CPU time and more memory will be needed to authenticate users
# if this value is increased.
#
# If not specified, a cost factor of 5 will be used.
# The value must be within the 1-11 range.
#
#YESCRYPT_COST_FACTOR 5
# Currently CONSOLE_GROUPS is not supported
#
# Should login be allowed if we can't cd to the home directory?
# Default is yes.
#
#DEFAULT_HOME yes
# Currently ENVIRON_FILE is not supported
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# Enables userdel(8) to remove user groups if no members exist.
# #
USERGROUPS_ENAB yes USERGROUPS_ENAB yes
# Use SHA512 to encrypt password. #
ENCRYPT_METHOD SHA512 # If set to a non-zero number, the shadow utilities will make sure that
# groups never have more than this number of users on one line.
# This permits to support split groups (groups split into multiple lines,
# with the same group ID, to avoid limitation of the line length in the
# group file).
#
# 0 is the default value and disables this feature.
#
#MAX_MEMBERS_PER_GROUP 0
#
# If useradd(8) should create home directories for users by default (non
# system users only).
# This option is overridden with the -M or -m flags on the useradd(8)
# command-line.
#
CREATE_HOME yes
#
# Force use shadow, even if shadow passwd & shadow group files are
# missing.
#
#FORCE_SHADOW yes
#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
# authentication code.
#
# Note: It is recommended to check hmac(3) to see the possible algorithms
# that are available in your system.
#
#HMAC_CRYPTO_ALGO SHA512
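Review bot: The added comment `# Currently PASS_MIN_LEN is not supported` sits two lines below `PASS_MIN_LEN 5`, which the file still sets, so an administrator reading this file cannot tell whether these tools enforce any minimum password length. Either drop the `PASS_MIN_LEN 5` line or reword the comment to say the value is kept for compatibility and that length policy for the PAM-using tools is configured under /etc/pam.d, as the header of this file already points out. In the same spirit, `ENCRYPT_METHOD SHA512` with `#SHA_CRYPT_MAX_ROUNDS 5000` left commented means the libc default of 5000 rounds applies; a one-line note stating that the distribution deliberately relies on the libc default would make the hashing policy explicit rather than implied.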


@ -1,32 +1,43 @@
Name: shadow Name: shadow
Version: 4.8.1 Version: 4.9
Release: 7 Release: 1
Epoch: 2 Epoch: 2
License: BSD and GPLv2+ License: BSD and GPLv2+
Summary: Tools for managing accounts and shadow password files Summary: Tools for managing accounts and shadow password files
URL: http://pkg-shadow.alioth.debian.org/ URL: http://pkg-shadow.alioth.debian.org/
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz Source0: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz
Source2: shadow-utils.useradd Source2: shadow-utils.useradd
Source3: shadow-utils.login.defs Source3: shadow-utils.login.defs
Source4: shadow-bsd.txt Source4: shadow-bsd.txt
Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Source6: chpasswd Source6: chpasswd
Source7: newusers Source7: newusers
%global includesubiddir %{_includedir}/shadow
# fix unknown item 'LASTLOG_MAX_UID' # fix unknown item 'LASTLOG_MAX_UID'
Patch0: shadow-4.5-goodname.patch Patch0: shadow-4.8-goodname.patch
Patch1: fix-logmsg.patch Patch1: shadow-4.9-null-tm.patch
Patch2: null-time.patch Patch2: shadow-4.8-long-entry.patch
Patch3: long-password-entry.patch Patch3: usermod-unlock.patch
Patch4: usermod-unlock.patch Patch4: useradd-create-directories-after-the-SELinux-user.patch
Patch5: selinux-flag.patch Patch5: shadow-4.1.5.1-var-lock.patch
Patch6: add-home_mode-xml-file.patch Patch6: shadow-utils-fix-lock-file-residue.patch
Patch7: shadow-4.1.5.1-var-lock.patch Patch7: Makefile-include-libeconf-dependency-in-new-idmap.patch
Patch8: shadow-utils-fix-lock-file-residue.patch Patch8: usermod-allow-all-group-types-with-G-option.patch
Patch9: generate-mail-USER-with-the-proper-selinux-identity.patch Patch9: useradd-avoid-generating-an-empty-subid-range.patch
Patch10: man-zh_CN-fix-typo.patch Patch10: libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
Patch11: useradd-free-grp-to-avoid-leak.patch Patch11: semanage-close-the-selabel-handle.patch
Patch12: useradd.c-fix-memleaks-of-grp.patch Patch12: Revert-useradd.c-fix-memleaks-of-grp.patch
Patch13: useradd.c-fix-memleak-in-get_groups.patch Patch13: useradd-change-SELinux-labels-for-home-files.patch
Patch14: libsubid-link-to-PAM-libraries.patch
Patch15: Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
Patch16: Respect-enable-static-no-in-libsubid.patch
Patch17: Fixes-the-linking-issues-when-libsubid-is-static-and.patch
Patch18: pwck-fix-segfault-when-calling-fprintf.patch
Patch19: newgrp-fix-segmentation-fault.patch
Patch20: groupdel-fix-SIGSEGV-when-passwd-does-not-exist.patch
Patch21: backport-useradd-modify-check-ID-range-for-system-users.patch
BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
BuildRequires: libacl-devel, libattr-devel BuildRequires: libacl-devel, libattr-devel
@ -47,6 +58,13 @@ This package includes the necessary programs for converting plain
password files to the shadow password format and to manage user and password files to the shadow password format and to manage user and
group accounts. group accounts.
%package subid-devel
Summary: Development package for shadow-utils-subid
License: BSD and GPLv2+
%description subid-devel
Development files for shadow-utils-subid.
%package_help %package_help
%prep %prep
@ -70,7 +88,7 @@ autoreconf -fiv
--with-selinux \ --with-selinux \
--without-libcrack \ --without-libcrack \
--with-libpam \ --with-libpam \
--disable-shared \ --enable-shared \
--with-group-name-max-length=32 --with-group-name-max-length=32
%make_build %make_build
@ -141,6 +159,14 @@ for dir in $(ls -1d $RPM_BUILD_ROOT%{_mandir}/{??,??_??}) ; do
lang=$(basename $dir) lang=$(basename $dir)
done done
# Move subid.h to its own folder
echo $(ls)
mkdir -p $RPM_BUILD_ROOT/%{includesubiddir}
install -m 644 libsubid/subid.h $RPM_BUILD_ROOT/%{includesubiddir}/
# Remove .la files created by libsubid
rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
%files -f shadow.lang %files -f shadow.lang
%doc NEWS doc/HOWTO README %doc NEWS doc/HOWTO README
%{!?_licensedir:%global license %%doc} %{!?_licensedir:%global license %%doc}
@ -169,10 +195,20 @@ done
%{_sysconfdir}/pam.d/groupmems %{_sysconfdir}/pam.d/groupmems
%{_sysconfdir}/pam.d/newusers %{_sysconfdir}/pam.d/newusers
%files subid-devel
%{_libdir}/libsubid.so.*
%{includesubiddir}/subid.h
%{_libdir}/libsubid.so
%files help %files help
%{_mandir}/*/* %{_mandir}/*/*
%changelog %changelog
* Mon Feb 21 2022 panxiaohe <panxh.life@foxmail.com> - 2:4.9-1
- update to 4.9
- synchronized login.defs with upstream file
- useradd: modify check ID range for system users
* Thu Sep 30 2021 steven Y.Gui <steven_ygui@163.com> - 2:4.8.1-7 * Thu Sep 30 2021 steven Y.Gui <steven_ygui@163.com> - 2:4.8.1-7
- backport some patches to fix memory leak - backport some patches to fix memory leak
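Review bot: `echo $(ls)` in the %install section, right after `# Move subid.h to its own folder`, looks like a debugging leftover; it only prints the build directory listing into the build log and should be removed. Separately, `%files subid-devel` packages `%{_libdir}/libsubid.so.*` together with the unversioned `libsubid.so` and `subid.h`, so the versioned runtime shared library lands in the -devel subpackage and anything linked against libsubid has to pull -devel in at runtime; the usual split is the `.so.*` in a runtime (sub)package and only the `.so` symlink plus the header in -devel. Since the `--disable-shared` to `--enable-shared` switch in this commit is what makes the shared library appear, this is the place to settle that split.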


@ -0,0 +1,107 @@
From 9dd720a28578eef5be8171697aae0906e4c53249 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Tue, 10 Aug 2021 09:07:03 +0200
Subject: [PATCH] useradd: avoid generating an empty subid range
useradd generates an empty subid range when adding a new user. This is
caused because there are two variables, one local and the other one
global, that have a very similar name and they are used indistinctly in
the code. The local variable loads the SUB_*ID_COUNT configuration from
the login.defs file, while the global variable, which holds a value of
0, is used to generate the subid range. Causing the empty subid range
problem.
I've merged the two variables in the local one and removed the global
variable. I prefer to do it this way to reduce the scope of it but I'm
open to doing it the other way round.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1990653
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Conflict: context adaptation
---
src/useradd.c | 20 +++++++++-----------
1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index baeffb3..9abeea6 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -142,9 +142,7 @@ static bool is_sub_gid = false;
static bool sub_uid_locked = false;
static bool sub_gid_locked = false;
static uid_t sub_uid_start; /* New subordinate uid range */
-static unsigned long sub_uid_count;
static gid_t sub_gid_start; /* New subordinate gid range */
-static unsigned long sub_gid_count;
#endif /* ENABLE_SUBIDS */
static bool pw_locked = false;
static bool gr_locked = false;
@@ -234,7 +232,7 @@ static void open_shadow (void);
static void faillog_reset (uid_t);
static void lastlog_reset (uid_t);
static void tallylog_reset (const char *);
-static void usr_update (void);
+static void usr_update (unsigned long subuid_count, unsigned long subgid_count);
static void create_home (void);
static void create_mail (void);
static void check_uid_range(int rflg, uid_t user_id);
@@ -2092,7 +2090,7 @@ static void tallylog_reset (const char *user_name)
* usr_update() creates the password file entries for this user
* and will update the group entries if required.
*/
-static void usr_update (void)
+static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
{
struct passwd pwent;
struct spwd spent;
@@ -2155,14 +2153,14 @@ static void usr_update (void)
}
#ifdef ENABLE_SUBIDS
if (is_sub_uid &&
- (sub_uid_add(user_name, sub_uid_start, sub_uid_count) == 0)) {
+ (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
Prog, sub_uid_dbname ());
fail_exit (E_SUB_UID_UPDATE);
}
if (is_sub_gid &&
- (sub_gid_add(user_name, sub_gid_start, sub_gid_count) == 0)) {
+ (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry\n"),
Prog, sub_uid_dbname ());
@@ -2624,16 +2622,16 @@ int main (int argc, char **argv)
}
#ifdef ENABLE_SUBIDS
- if (is_sub_uid && sub_uid_count != 0) {
- if (find_new_sub_uids(&sub_uid_start, &sub_uid_count) < 0) {
+ if (is_sub_uid && subuid_count != 0) {
+ if (find_new_sub_uids(&sub_uid_start, &subuid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate user IDs\n"),
Prog);
fail_exit(E_SUB_UID_UPDATE);
}
}
- if (is_sub_gid && sub_gid_count != 0) {
- if (find_new_sub_gids(&sub_gid_start, &sub_gid_count) < 0) {
+ if (is_sub_gid && subgid_count != 0) {
+ if (find_new_sub_gids(&sub_gid_start, &subgid_count) < 0) {
fprintf (stderr,
_("%s: can't create subordinate group IDs\n"),
Prog);
@@ -2642,7 +2640,7 @@ int main (int argc, char **argv)
}
#endif /* ENABLE_SUBIDS */
- usr_update ();
+ usr_update (subuid_count, subgid_count);
close_files ();
--
1.8.3.1
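Review bot: The sub_gid failure path in `usr_update` (the context lines right after the changed `sub_gid_add(user_name, sub_gid_start, subgid_count)` call) reports the error as `Prog, sub_uid_dbname ()`, so a subordinate GID failure names the subordinate UID database; while this line is being touched it should read `Prog, sub_gid_dbname ());`. The change itself is sound: the counts now flow from `main` into `usr_update` as parameters, which removes the zero-initialised globals that produced the empty range. The declarations of the local `subuid_count`/`subgid_count` in `main` are outside the visible hunks, so it is assumed they are the variables loaded from SUB_*ID_COUNT as the description says.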


@ -0,0 +1,34 @@
From 06eb4e4d76ac7f1ac86e68a89b2dc9be7c7323a2 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Fri, 12 Nov 2021 15:23:30 +0100
Subject: [PATCH] useradd: change SELinux labels for home files
Change SELinux labels for files copied from the skeleton directory to
the home directory.
This could cause gnome's graphical user adding to fail without copying
the full skeleton files.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2022658
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/useradd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/useradd.c b/src/useradd.c
index b463a17..f7c9795 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2704,7 +2704,7 @@ int main (int argc, char **argv)
if (mflg) {
create_home ();
if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
+ copy_tree (def_template, prefix_user_home, false, true,
(uid_t)-1, user_id, (gid_t)-1, user_gid);
} else {
fprintf (stderr,
--
1.8.3.1
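Review bot: The flipped fourth argument to `copy_tree` is a bare boolean literal, so a reader of the call site cannot see that `true` now means the files copied from the skeleton get their SELinux labels reset for the new home; a short comment on the argument would carry the intent from the commit message into the code, e.g. `copy_tree (def_template, prefix_user_home, false, true /* reset SELinux labels */,`. The enclosing `main` body is outside the hunk.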


@ -0,0 +1,89 @@
From 09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Fri, 8 Oct 2021 13:09:59 +0200
Subject: [PATCH] useradd: create directories after the SELinux user
Create the home and mail folders after the SELinux user has been set for
the added user. This will allow the folders to be created with the
SELinux user label.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Conflict: context adaptation
---
src/useradd.c | 46 +++++++++++++++++++++++-----------------------
1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/src/useradd.c b/src/useradd.c
index 6269c01..b463a17 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2670,27 +2670,12 @@ int main (int argc, char **argv)
usr_update ();
- if (mflg) {
- create_home ();
- if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
- } else {
- fprintf (stderr,
- _("%s: warning: the home directory %s already exists.\n"
- "%s: Not copying any file from skel directory into it.\n"),
- Prog, user_home, Prog);
- }
-
- }
-
- /* Do not create mail directory for system accounts */
- if (!rflg) {
- create_mail ();
- }
-
close_files ();
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+
/*
* tallylog_reset needs to be able to lookup
* a valid existing user name,
@@ -2716,15 +2701,30 @@ int main (int argc, char **argv)
}
#endif /* WITH_SELINUX */
+ if (mflg) {
+ create_home ();
+ if (home_added) {
+ copy_tree (def_template, prefix_user_home, false, false,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
+ _("%s: warning: the home directory %s already exists.\n"
+ "%s: Not copying any file from skel directory into it.\n"),
+ Prog, user_home, Prog);
+ }
+
+ }
+
+ /* Do not create mail directory for system accounts */
+ if (!rflg) {
+ create_mail ();
+ }
+
if (run_parts ("/etc/shadow-maint/useradd-post.d", (char*)user_name,
"useradd")) {
exit(1);
}
- nscd_flush_cache ("passwd");
- nscd_flush_cache ("group");
- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
-
return E_SUCCESS;
}
--
1.8.3.1


@ -1,42 +0,0 @@
From 569bd1d54f4be070d4ac88042586d9334343702d Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Tue, 27 Oct 2020 11:35:53 +0100
Subject: [PATCH] useradd: free grp to avoid leak
covscan issue:
Error: RESOURCE_LEAK (CWE-772): [#def39] [important]
src/useradd.c:728: alloc_fn: Storage is returned from allocation function "get_local_group".
src/useradd.c:728: var_assign: Assigning: "grp" = storage returned from "get_local_group(list)".
src/useradd.c:728: overwrite_var: Overwriting "grp" in "grp = get_local_group(list)" leaks the storage that "grp" points to.
726| * GID values, otherwise the string is looked up as is.
727| */
728|-> grp = get_local_group (list);
729|
730| /*
---
src/useradd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/useradd.c b/src/useradd.c
index 3544acd0..107e65f8 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -729,7 +729,7 @@ static int set_defaults (void)
static int get_groups (char *list)
{
char *cp;
- const struct group *grp;
+ struct group *grp;
int errors = 0;
int ngroups = 0;
@@ -808,6 +808,7 @@ static int get_groups (char *list)
* Add the group name to the user's list of groups.
*/
user_groups[ngroups++] = xstrdup (grp->gr_name);
+ free (grp);
} while (NULL != list);
user_groups[ngroups] = (char *) 0;
--


@ -1,41 +0,0 @@
From fd9d79a1a3438ba7703939cfcd45fc266782c64e Mon Sep 17 00:00:00 2001
From: whzhe <wanghongzhe@huawei.com>
Date: Thu, 17 Dec 2020 03:27:15 -0500
Subject: [PATCH] useradd.c:fix memleak in get_groups
Signed-off-by: whzhe <wanghongzhe@huawei.com>
---
src/useradd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/useradd.c b/src/useradd.c
index 107e65f8..822b67f5 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -793,6 +793,7 @@ static int get_groups (char *list)
fprintf (stderr,
_("%s: group '%s' is a NIS group.\n"),
Prog, grp->gr_name);
+ gr_free(grp);
continue;
}
#endif
@@ -801,6 +802,7 @@ static int get_groups (char *list)
fprintf (stderr,
_("%s: too many groups specified (max %d).\n"),
Prog, ngroups);
+ gr_free(grp);
break;
}
@@ -808,7 +810,7 @@ static int get_groups (char *list)
* Add the group name to the user's list of groups.
*/
user_groups[ngroups++] = xstrdup (grp->gr_name);
- free (grp);
+ gr_free (grp);
} while (NULL != list);
user_groups[ngroups] = (char *) 0;
--


@ -1,24 +0,0 @@
From c44b71cec25d60efc51aec9de3abce1f6efbfcf5 Mon Sep 17 00:00:00 2001
From: whzhe51 <whzhe51@126.com>
Date: Sat, 19 Dec 2020 04:29:06 -0500
Subject: [PATCH] useradd.c:fix memleaks of grp Signed-off-by: whzhe51
<wanghongzhe@huawei.com>
---
src/useradd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/useradd.c b/src/useradd.c
index 107e65f8..29c54e44 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -411,6 +411,7 @@ static void get_defaults (void)
} else {
def_group = grp->gr_gid;
def_gname = xstrdup (grp->gr_name);
+ gr_free(grp);
}
}
--


@ -0,0 +1,322 @@
From e481437ab9ebe9a8bf8fbaabe986d42b2f765991 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Tue, 3 Aug 2021 08:57:20 +0200
Subject: [PATCH] usermod: allow all group types with -G option
The only way of removing a group from the supplementary list is to use
-G option, and list all groups that the user is a member of except for
the one that wants to be removed. The problem lies when there's a user
that contains both local and remote groups, and the group to be removed
is a local one. As we need to include the remote group with -G option
the command will fail.
This reverts commit 140510de9de4771feb3af1d859c09604043a4c9b. This way,
it would be possible to remove the remote groups from the supplementary
list.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1967641
Resolves: https://github.com/shadow-maint/shadow/issues/338
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/usermod.c | 220 ++++++++++++++++++++--------------------------------------
1 file changed, 77 insertions(+), 143 deletions(-)
diff --git a/src/usermod.c b/src/usermod.c
index 03bb9b9..a0c03af 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -187,7 +187,6 @@ static bool sub_gid_locked = false;
static void date_to_str (/*@unique@*//*@out@*/char *buf, size_t maxsize,
long int date);
static int get_groups (char *);
-static struct group * get_local_group (char * grp_name);
static /*@noreturn@*/void usage (int status);
static void new_pwent (struct passwd *);
static void new_spent (struct spwd *);
@@ -201,9 +200,7 @@ static void grp_update (void);
static void process_flags (int, char **);
static void close_files (void);
-static void close_group_files (void);
static void open_files (void);
-static void open_group_files (void);
static void usr_update (void);
static void move_home (void);
static void update_lastlog (void);
@@ -261,11 +258,6 @@ static int get_groups (char *list)
}
/*
- * Open the group files
- */
- open_group_files ();
-
- /*
* So long as there is some data to be converted, strip off each
* name and look it up. A mix of numerical and string values for
* group identifiers is permitted.
@@ -284,7 +276,7 @@ static int get_groups (char *list)
* Names starting with digits are treated as numerical GID
* values, otherwise the string is looked up as is.
*/
- grp = get_local_group (list);
+ grp = prefix_getgr_nam_gid (list);
/*
* There must be a match, either by GID value or by
@@ -334,8 +326,6 @@ static int get_groups (char *list)
gr_free ((struct group *)grp);
} while (NULL != list);
- close_group_files ();
-
user_groups[ngroups] = (char *) 0;
/*
@@ -348,44 +338,6 @@ static int get_groups (char *list)
return 0;
}
-/*
- * get_local_group - checks if a given group name exists locally
- *
- * get_local_group() checks if a given group name exists locally.
- * If the name exists the group information is returned, otherwise NULL is
- * returned.
- */
-static struct group * get_local_group(char * grp_name)
-{
- const struct group *grp;
- struct group *result_grp = NULL;
- long long int gid;
- char *endptr;
-
- gid = strtoll (grp_name, &endptr, 10);
- if ( ('\0' != *grp_name)
- && ('\0' == *endptr)
- && (ERANGE != errno)
- && (gid == (gid_t)gid)) {
- grp = gr_locate_gid ((gid_t) gid);
- }
- else {
- grp = gr_locate(grp_name);
- }
-
- if (grp != NULL) {
- result_grp = __gr_dup (grp);
- if (NULL == result_grp) {
- fprintf (stderr,
- _("%s: Out of memory. Cannot find group '%s'.\n"),
- Prog, grp_name);
- fail_exit (E_GRP_UPDATE);
- }
- }
-
- return result_grp;
-}
-
#ifdef ENABLE_SUBIDS
struct ulong_range
{
@@ -1523,7 +1475,50 @@ static void close_files (void)
}
if (Gflg || lflg) {
- close_group_files ();
+ if (gr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ gr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_close () == 0) {
+ fprintf (stderr,
+ _("%s: failure while writing changes to %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failure while writing changes to %s",
+ sgr_dbname ()));
+ fail_exit (E_GRP_UPDATE);
+ }
+ }
+#endif
+#ifdef SHADOWGRP
+ if (is_shadow_grp) {
+ if (sgr_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, sgr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failed to unlock %s",
+ sgr_dbname ()));
+ /* continue */
+ }
+ }
+#endif
+ if (gr_unlock () == 0) {
+ fprintf (stderr,
+ _("%s: failed to unlock %s\n"),
+ Prog, gr_dbname ());
+ SYSLOG ((LOG_ERR,
+ "failed to unlock %s",
+ gr_dbname ()));
+ /* continue */
+ }
}
if (is_shadow_pwd) {
@@ -1593,60 +1588,6 @@ static void close_files (void)
}
/*
- * close_group_files - close all of the files that were opened
- *
- * close_group_files() closes all of the files that were opened related
- * with groups. This causes any modified entries to be written out.
- */
-static void close_group_files (void)
-{
- if (gr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, gr_dbname ());
- SYSLOG ((LOG_ERR,
- "failure while writing changes to %s",
- gr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_close () == 0) {
- fprintf (stderr,
- _("%s: failure while writing changes to %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR,
- "failure while writing changes to %s",
- sgr_dbname ()));
- fail_exit (E_GRP_UPDATE);
- }
- }
-#endif
-#ifdef SHADOWGRP
- if (is_shadow_grp) {
- if (sgr_unlock () == 0) {
- fprintf (stderr,
- _("%s: failed to unlock %s\n"),
- Prog, sgr_dbname ());
- SYSLOG ((LOG_ERR,
- "failed to unlock %s",
- sgr_dbname ()));
- /* continue */
- }
- }
-#endif
- if (gr_unlock () == 0) {
- fprintf (stderr,
- _("%s: failed to unlock %s\n"),
- Prog, gr_dbname ());
- SYSLOG ((LOG_ERR,
- "failed to unlock %s",
- gr_dbname ()));
- /* continue */
- }
-}
-
-/*
* open_files - lock and open the password files
*
* open_files() opens the two password files.
@@ -1681,7 +1622,38 @@ static void open_files (void)
}
if (Gflg || lflg) {
- open_group_files ();
+ /*
+ * Lock and open the group file. This will load all of the
+ * group entries.
+ */
+ if (gr_lock () == 0) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ gr_locked = true;
+ if (gr_open (O_CREAT | O_RDWR) == 0) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, gr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+#ifdef SHADOWGRP
+ if (is_shadow_grp && (sgr_lock () == 0)) {
+ fprintf (stderr,
+ _("%s: cannot lock %s; try again later.\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+ sgr_locked = true;
+ if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
+ fprintf (stderr,
+ _("%s: cannot open %s\n"),
+ Prog, sgr_dbname ());
+ fail_exit (E_GRP_UPDATE);
+ }
+#endif
}
#ifdef ENABLE_SUBIDS
if (vflg || Vflg) {
@@ -1718,44 +1690,6 @@ static void open_files (void)
}
/*
- * open_group_files - lock and open the group files
- *
- * open_group_files() loads all of the group entries.
- */
-static void open_group_files (void)
-{
- if (gr_lock () == 0) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- gr_locked = true;
- if (gr_open (O_CREAT | O_RDWR) == 0) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, gr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-
-#ifdef SHADOWGRP
- if (is_shadow_grp && (sgr_lock () == 0)) {
- fprintf (stderr,
- _("%s: cannot lock %s; try again later.\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
- sgr_locked = true;
- if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
- fprintf (stderr,
- _("%s: cannot open %s\n"),
- Prog, sgr_dbname ());
- fail_exit (E_GRP_UPDATE);
- }
-#endif
-}
-
-/*
* usr_update - create the user entries
*
* usr_update() creates the password file entries for this user and
--
1.8.3.1
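Review bot: In the restored open_files block, `sgr_locked = true;` follows the `if (is_shadow_grp && (sgr_lock () == 0))` check and so is set even when there is no gshadow file and sgr_lock() was never called, leaving the flag misreporting the lock state to whatever fail_exit (outside this section) does with it. The removed open_group_files had the same shape, so the revert carries the issue over rather than introduces it, but it is cheap to fix while this code is being rewritten: `if (is_shadow_grp) { sgr_locked = true; }` (or wrap the lock, the flag and the open in a single `if (is_shadow_grp)` block). Separately, get_groups now resolves names through `prefix_getgr_nam_gid`, i.e. via NSS rather than the locally loaded group file, so a group that exists only in a remote source can reach grp_update (not in this section); it would be worth confirming, and stating in the commit message, that the local group file is not rewritten or extended for such entries, since that appears to have been the concern behind the reverted commit 140510de.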