summaryrefslogtreecommitdiff
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/008_login_log_failure_in_FTMP51
-rw-r--r--debian/patches/401_cppw_src.dpatch276
-rw-r--r--debian/patches/402_cppw_selinux62
-rw-r--r--debian/patches/428_grpck_add_prune_option26
-rw-r--r--debian/patches/429_login_FAILLOG_ENAB92
-rw-r--r--debian/patches/463_login_delay_obeys_to_PAM105
-rw-r--r--debian/patches/501_commonio_group_shadow37
-rw-r--r--debian/patches/503_shadowconfig.8191
-rw-r--r--debian/patches/505_useradd_recommend_adduser36
-rw-r--r--debian/patches/506_relaxed_usernames100
-rw-r--r--debian/patches/508_nologin_in_usr_sbin18
-rw-r--r--debian/patches/523_su_arguments_are_concatenated48
-rw-r--r--debian/patches/523_su_arguments_are_no_more_concatenated_by_default50
-rw-r--r--debian/patches/542_useradd-O_option43
-rw-r--r--debian/patches/900_testsuite_groupmems81
-rw-r--r--debian/patches/901_testsuite_gcov76
-rw-r--r--debian/patches/README.patches71
-rw-r--r--debian/patches/environ.patch26
-rw-r--r--debian/patches/getspnam_r.patch64
-rw-r--r--debian/patches/putgrent.patch51
-rw-r--r--debian/patches/putpwent-segfault.patch13
-rw-r--r--debian/patches/series43
-rw-r--r--debian/patches/utmp.c.patch47
23 files changed, 19 insertions, 1588 deletions
diff --git a/debian/patches/008_login_log_failure_in_FTMP b/debian/patches/008_login_log_failure_in_FTMP
deleted file mode 100644
index b2851cc..0000000
--- a/debian/patches/008_login_log_failure_in_FTMP
+++ /dev/null
@@ -1,51 +0,0 @@
-Goal: Log login failures to the btmp file
-
-Notes:
- * I'm not sure login should add an entry in the FTMP file when PAM is used.
- (but nothing in /etc/login.defs indicates that the failure is not logged)
-
---- a/src/login.c
-+++ b/src/login.c
-@@ -835,6 +835,24 @@
- (void) puts ("");
- (void) puts (_("Login incorrect"));
-
-+ if (getdef_str("FTMP_FILE") != NULL) {
-+#ifdef USE_UTMPX
-+ struct utmpx *failent =
-+ prepare_utmpx (failent_user,
-+ tty,
-+ /* FIXME: or fromhost? */hostname,
-+ utent);
-+#else /* !USE_UTMPX */
-+ struct utmp *failent =
-+ prepare_utmp (failent_user,
-+ tty,
-+ hostname,
-+ utent);
-+#endif /* !USE_UTMPX */
-+ failtmp (failent_user, failent);
-+ free (failent);
-+ }
-+
- if (failcount >= retries) {
- SYSLOG ((LOG_NOTICE,
- "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
---- a/lib/getdef.c
-+++ b/lib/getdef.c
-@@ -62,6 +62,7 @@
- {"ERASECHAR", NULL},
- {"FAIL_DELAY", NULL},
- {"FAKE_SHELL", NULL},
-+ {"FTMP_FILE", NULL},
- {"GID_MAX", NULL},
- {"GID_MIN", NULL},
- {"HUSHLOGIN_FILE", NULL},
-@@ -103,7 +104,6 @@
- {"ENVIRON_FILE", NULL},
- {"ENV_TZ", NULL},
- {"FAILLOG_ENAB", NULL},
-- {"FTMP_FILE", NULL},
- {"ISSUE_FILE", NULL},
- {"LASTLOG_ENAB", NULL},
- {"LOGIN_STRING", NULL},
diff --git a/debian/patches/401_cppw_src.dpatch b/debian/patches/401_cppw_src.dpatch
deleted file mode 100644
index 687f9e9..0000000
--- a/debian/patches/401_cppw_src.dpatch
+++ /dev/null
@@ -1,276 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 401_cppw_src.dpatch by Nicolas FRANCOIS <nicolas.francois@centraliens.net>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Add cppw / cpgr
-
-@DPATCH@
---- /dev/null
-+++ b/src/cppw.c
-@@ -0,0 +1,238 @@
-+/*
-+ cppw, cpgr copy with locking given file over the password or group file
-+ with -s will copy with locking given file over shadow or gshadow file
-+
-+ Copyright (C) 1999 Stephen Frost <sfrost@snowman.net>
-+
-+ Based on vipw, vigr by:
-+ Copyright (C) 1997 Guy Maor <maor@ece.utexas.edu>
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 2 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful, but
-+ WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program; if not, write to the Free Software
-+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+
-+ */
-+
-+#include <config.h>
-+#include "defines.h"
-+
-+#include <errno.h>
-+#include <sys/stat.h>
-+#include <unistd.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <sys/types.h>
-+#include <signal.h>
-+#include <utime.h>
-+#include "exitcodes.h"
-+#include "prototypes.h"
-+#include "pwio.h"
-+#include "shadowio.h"
-+#include "groupio.h"
-+#include "sgroupio.h"
-+
-+
-+const char *Prog;
-+
-+const char *filename, *filenewname;
-+static bool filelocked = false;
-+static int (*unlock) (void);
-+
-+/* local function prototypes */
-+static int create_copy (FILE *fp, const char *dest, struct stat *sb);
-+static void cppwexit (const char *msg, int syserr, int ret);
-+static void cppwcopy (const char *file,
-+ const char *in_file,
-+ int (*file_lock) (void),
-+ int (*file_unlock) (void));
-+
-+static int create_copy (FILE *fp, const char *dest, struct stat *sb)
-+{
-+ struct utimbuf ub;
-+ FILE *bkfp;
-+ int c;
-+ mode_t mask;
-+
-+ mask = umask (077);
-+ bkfp = fopen (dest, "w");
-+ (void) umask (mask);
-+ if (NULL == bkfp) {
-+ return -1;
-+ }
-+
-+ rewind (fp);
-+ while ((c = getc (fp)) != EOF) {
-+ if (putc (c, bkfp) == EOF) {
-+ break;
-+ }
-+ }
-+
-+ if ( (c != EOF)
-+ || (fflush (bkfp) != 0)) {
-+ (void) fclose (bkfp);
-+ (void) unlink (dest);
-+ return -1;
-+ }
-+ if ( (fsync (fileno (bkfp)) != 0)
-+ || (fclose (bkfp) != 0)) {
-+ (void) unlink (dest);
-+ return -1;
-+ }
-+
-+ ub.actime = sb->st_atime;
-+ ub.modtime = sb->st_mtime;
-+ if ( (utime (dest, &ub) != 0)
-+ || (chmod (dest, sb->st_mode) != 0)
-+ || (chown (dest, sb->st_uid, sb->st_gid) != 0)) {
-+ (void) unlink (dest);
-+ return -1;
-+ }
-+ return 0;
-+}
-+
-+static void cppwexit (const char *msg, int syserr, int ret)
-+{
-+ int err = errno;
-+ if (filelocked) {
-+ (*unlock) ();
-+ }
-+ if (NULL != msg) {
-+ fprintf (stderr, "%s: %s", Prog, msg);
-+ if (0 != syserr) {
-+ fprintf (stderr, ": %s", strerror (err));
-+ }
-+ (void) fputs ("\n", stderr);
-+ }
-+ if (NULL != filename) {
-+ fprintf (stderr, _("%s: %s is unchanged\n"), Prog, filename);
-+ } else {
-+ fprintf (stderr, _("%s: no changes\n"), Prog);
-+ }
-+
-+ exit (ret);
-+}
-+
-+static void cppwcopy (const char *file,
-+ const char *in_file,
-+ int (*file_lock) (void),
-+ int (*file_unlock) (void))
-+{
-+ struct stat st1;
-+ FILE *f;
-+ char filenew[1024];
-+
-+ snprintf (filenew, sizeof filenew, "%s.new", file);
-+ unlock = file_unlock;
-+ filename = file;
-+ filenewname = filenew;
-+
-+ if (access (file, F_OK) != 0) {
-+ cppwexit (file, 1, 1);
-+ }
-+ if (file_lock () == 0) {
-+ cppwexit (_("Couldn't lock file"), 0, 5);
-+ }
-+ filelocked = true;
-+
-+ /* file to copy has same owners, perm */
-+ if (stat (file, &st1) != 0) {
-+ cppwexit (file, 1, 1);
-+ }
-+ f = fopen (in_file, "r");
-+ if (NULL == f) {
-+ cppwexit (in_file, 1, 1);
-+ }
-+ if (create_copy (f, filenew, &st1) != 0) {
-+ cppwexit (_("Couldn't make copy"), errno, 1);
-+ }
-+
-+ /* XXX - here we should check filenew for errors; if there are any,
-+ * fail w/ an appropriate error code and let the user manually fix
-+ * it. Use pwck or grpck to do the check. - Stephen (Shamelessly
-+ * stolen from '--marekm's comment) */
-+
-+ if (rename (filenew, file) != 0) {
-+ fprintf (stderr, _("%s: can't copy %s: %s)\n"),
-+ Prog, filenew, strerror (errno));
-+ cppwexit (NULL,0,1);
-+ }
-+
-+ (*file_unlock) ();
-+}
-+
-+int main (int argc, char **argv)
-+{
-+ int flag;
-+ bool cpshadow = false;
-+ char *in_file;
-+ int e = E_USAGE;
-+ bool do_cppw = true;
-+
-+ (void) setlocale (LC_ALL, "");
-+ (void) bindtextdomain (PACKAGE, LOCALEDIR);
-+ (void) textdomain (PACKAGE);
-+
-+ Prog = Basename (argv[0]);
-+ if (strcmp (Prog, "cpgr") == 0) {
-+ do_cppw = false;
-+ }
-+
-+ while ((flag = getopt (argc, argv, "ghps")) != EOF) {
-+ switch (flag) {
-+ case 'p':
-+ do_cppw = true;
-+ break;
-+ case 'g':
-+ do_cppw = false;
-+ break;
-+ case 's':
-+ cpshadow = true;
-+ break;
-+ case 'h':
-+ e = E_SUCCESS;
-+ /*pass through*/
-+ default:
-+ (void) fputs (_("Usage:\n\
-+`cppw <file>' copys over /etc/passwd `cppw -s <file>' copys over /etc/shadow\n\
-+`cpgr <file>' copys over /etc/group `cpgr -s <file>' copys over /etc/gshadow\n\
-+"), (E_SUCCESS != e) ? stderr : stdout);
-+ exit (e);
-+ }
-+ }
-+
-+ if (argc != optind + 1) {
-+ cppwexit (_("wrong number of arguments, -h for usage"),0,1);
-+ }
-+
-+ in_file = argv[optind];
-+
-+ if (do_cppw) {
-+ if (cpshadow) {
-+ cppwcopy (SHADOW_FILE, in_file, spw_lock, spw_unlock);
-+ } else {
-+ cppwcopy (PASSWD_FILE, in_file, pw_lock, pw_unlock);
-+ }
-+ } else {
-+#ifdef SHADOWGRP
-+ if (cpshadow) {
-+ cppwcopy (SGROUP_FILE, in_file, sgr_lock, sgr_unlock);
-+ } else
-+#endif /* SHADOWGRP */
-+ {
-+ cppwcopy (GROUP_FILE, in_file, gr_lock, gr_unlock);
-+ }
-+ }
-+
-+ return 0;
-+}
-+
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -26,6 +26,7 @@
- sbin_PROGRAMS = nologin
- ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
- usbin_PROGRAMS = \
-+ cppw \
- chgpasswd \
- chpasswd \
- groupadd \
-@@ -82,6 +83,7 @@
- chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
- chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
- chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
-+cppw_LDADD = $(LDADD) $(LIBSELINUX)
- gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
- groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
- groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
---- a/po/POTFILES.in
-+++ b/po/POTFILES.in
-@@ -85,6 +85,7 @@
- src/chgpasswd.c
- src/chpasswd.c
- src/chsh.c
-+src/cppw.c
- src/expiry.c
- src/faillog.c
- src/gpasswd.c
diff --git a/debian/patches/402_cppw_selinux b/debian/patches/402_cppw_selinux
deleted file mode 100644
index b92767f..0000000
--- a/debian/patches/402_cppw_selinux
+++ /dev/null
@@ -1,62 +0,0 @@
-Goal: Add selinux support to cppw
-
-Fix:
-
-Status wrt upstream: cppw is not available upstream.
- The patch was made based on the
- 302_vim_selinux_support patch. It needs to be
- reviewed by an SE-Linux aware person.
-
-Depends on 401_cppw_src.dpatch
-
---- a/src/cppw.c
-+++ b/src/cppw.c
-@@ -34,6 +34,9 @@
- #include <sys/types.h>
- #include <signal.h>
- #include <utime.h>
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#endif /* WITH_SELINUX */
- #include "exitcodes.h"
- #include "prototypes.h"
- #include "pwio.h"
-@@ -139,6 +142,22 @@
- if (access (file, F_OK) != 0) {
- cppwexit (file, 1, 1);
- }
-+#ifdef WITH_SELINUX
-+ /* if SE Linux is enabled then set the context of all new files
-+ * to be the context of the file we are editing */
-+ if (is_selinux_enabled () > 0) {
-+ security_context_t passwd_context=NULL;
-+ int ret = 0;
-+ if (getfilecon (file, &passwd_context) < 0) {
-+ cppwexit (_("Couldn't get file context"), errno, 1);
-+ }
-+ ret = setfscreatecon (passwd_context);
-+ freecon (passwd_context);
-+ if (0 != ret) {
-+ cppwexit (_("setfscreatecon () failed"), errno, 1);
-+ }
-+ }
-+#endif /* WITH_SELINUX */
- if (file_lock () == 0) {
- cppwexit (_("Couldn't lock file"), 0, 5);
- }
-@@ -167,6 +186,15 @@
- cppwexit (NULL,0,1);
- }
-
-+#ifdef WITH_SELINUX
-+ /* unset the fscreatecon */
-+ if (is_selinux_enabled () > 0) {
-+ if (setfscreatecon (NULL)) {
-+ cppwexit (_("setfscreatecon() failed"), errno, 1);
-+ }
-+ }
-+#endif /* WITH_SELINUX */
-+
- (*file_unlock) ();
- }
-
diff --git a/debian/patches/428_grpck_add_prune_option b/debian/patches/428_grpck_add_prune_option
deleted file mode 100644
index e71f142..0000000
--- a/debian/patches/428_grpck_add_prune_option
+++ /dev/null
@@ -1,26 +0,0 @@
-Goal: grpck now has an (otherwise undocumented) -p option, so that
- shadowconfig can clean up the results of the above, so the config
- script will fail randomly less often.
-Fixes: #103385
-
-Status wrt upstream: It could certainly be submitted to upstream.
-
---- a/src/grpck.c
-+++ b/src/grpck.c
-@@ -81,6 +81,7 @@
- /* Options */
- static bool read_only = false;
- static bool sort_mode = false;
-+static bool prune = false;
-
- /* local function prototypes */
- static void fail_exit (int status);
-@@ -203,7 +204,7 @@
- /*
- * Parse the command line arguments
- */
-- while ((c = getopt_long (argc, argv, "hqrR:s",
-+ while ((c = getopt_long (argc, argv, "hqprR:s",
- long_options, NULL)) != -1) {
- switch (c) {
- case 'h':
diff --git a/debian/patches/429_login_FAILLOG_ENAB b/debian/patches/429_login_FAILLOG_ENAB
deleted file mode 100644
index 57a6d15..0000000
--- a/debian/patches/429_login_FAILLOG_ENAB
+++ /dev/null
@@ -1,92 +0,0 @@
-Goal: Re-enable logging and displaying failures on login when login is
- compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
- faillog file if it does not exist on postinst (as on Woody).
-Depends: 008_login_more_LOG_UNKFAIL_ENAB
-Fixes: #192849
-
-Note: It could be removed if pam_tally could report the number of failures
- preceding a successful login.
-
---- a/src/login.c
-+++ b/src/login.c
-@@ -133,9 +133,9 @@
- /*@null@*/const struct utmp *utent);
- #endif /* ! USE_PAM */
-
--#ifndef USE_PAM
- static struct faillog faillog;
-
-+#ifndef USE_PAM
- static void bad_time_notify (void);
- static void check_nologin (bool login_to_root);
- #else
-@@ -795,6 +795,9 @@
- SYSLOG ((LOG_NOTICE,
- "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
- failcount, fromhost, failent_user));
-+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
-+ failure (pwd->pw_uid, tty, &faillog);
-+ }
- fprintf (stderr,
- _("Maximum number of tries exceeded (%u)\n"),
- failcount);
-@@ -812,6 +815,14 @@
- pam_strerror (pamh, retcode)));
- failed = true;
- }
-+ if ( (NULL != pwd)
-+ && getdef_bool("FAILLOG_ENAB")
-+ && ! failcheck (pwd->pw_uid, &faillog, failed)) {
-+ SYSLOG((LOG_CRIT,
-+ "exceeded failure limit for `%s' %s",
-+ failent_user, fromhost));
-+ failed = 1;
-+ }
-
- if (!failed) {
- break;
-@@ -835,6 +846,10 @@
- (void) puts ("");
- (void) puts (_("Login incorrect"));
-
-+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
-+ failure (pwd->pw_uid, tty, &faillog);
-+ }
-+
- if (getdef_str("FTMP_FILE") != NULL) {
- #ifdef USE_UTMPX
- struct utmpx *failent =
-@@ -1291,6 +1306,7 @@
- */
- #ifndef USE_PAM
- motd (); /* print the message of the day */
-+#endif
- if ( getdef_bool ("FAILLOG_ENAB")
- && (0 != faillog.fail_cnt)) {
- failprint (&faillog);
-@@ -1303,6 +1319,7 @@
- username, (int) faillog.fail_cnt));
- }
- }
-+#ifndef USE_PAM
- if ( getdef_bool ("LASTLOG_ENAB")
- && (ll.ll_time != 0)) {
- time_t ll_time = ll.ll_time;
---- a/lib/getdef.c
-+++ b/lib/getdef.c
-@@ -61,6 +61,7 @@
- {"ENV_SUPATH", NULL},
- {"ERASECHAR", NULL},
- {"FAIL_DELAY", NULL},
-+ {"FAILLOG_ENAB", NULL},
- {"FAKE_SHELL", NULL},
- {"FTMP_FILE", NULL},
- {"GID_MAX", NULL},
-@@ -103,7 +104,6 @@
- {"ENV_HZ", NULL},
- {"ENVIRON_FILE", NULL},
- {"ENV_TZ", NULL},
-- {"FAILLOG_ENAB", NULL},
- {"ISSUE_FILE", NULL},
- {"LASTLOG_ENAB", NULL},
- {"LOGIN_STRING", NULL},
diff --git a/debian/patches/463_login_delay_obeys_to_PAM b/debian/patches/463_login_delay_obeys_to_PAM
deleted file mode 100644
index 26285ea..0000000
--- a/debian/patches/463_login_delay_obeys_to_PAM
+++ /dev/null
@@ -1,105 +0,0 @@
-Goal: Do not hardcode pam_fail_delay and let pam_unix do its
- job to set a delay...or not
-
-Fixes: #87648
-
-Status wrt upstream: Forwarded but not applied yet
-
-Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
-
---- a/src/login.c
-+++ b/src/login.c
-@@ -529,7 +529,6 @@
- #if defined(HAVE_STRFTIME) && !defined(USE_PAM)
- char ptime[80];
- #endif
-- unsigned int delay;
- unsigned int retries;
- bool subroot = false;
- #ifndef USE_PAM
-@@ -549,6 +548,7 @@
- pid_t child;
- char *pam_user = NULL;
- #else
-+ unsigned int delay;
- struct spwd *spwd = NULL;
- #endif
- /*
-@@ -709,7 +709,6 @@
- }
-
- environ = newenvp; /* make new environment active */
-- delay = getdef_unum ("FAIL_DELAY", 1);
- retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
-
- #ifdef USE_PAM
-@@ -725,8 +724,7 @@
-
- /*
- * hostname & tty are either set to NULL or their correct values,
-- * depending on how much we know. We also set PAM's fail delay to
-- * ours.
-+ * depending on how much we know.
- *
- * PAM_RHOST and PAM_TTY are used for authentication, only use
- * information coming from login or from the caller (e.g. no utmp)
-@@ -735,10 +733,6 @@
- PAM_FAIL_CHECK;
- retcode = pam_set_item (pamh, PAM_TTY, tty);
- PAM_FAIL_CHECK;
--#ifdef HAS_PAM_FAIL_DELAY
-- retcode = pam_fail_delay (pamh, 1000000 * delay);
-- PAM_FAIL_CHECK;
--#endif
- /* if fflg, then the user has already been authenticated */
- if (!fflg) {
- unsigned int failcount = 0;
-@@ -779,12 +773,6 @@
- bool failed = false;
-
- failcount++;
--#ifdef HAS_PAM_FAIL_DELAY
-- if (delay > 0) {
-- retcode = pam_fail_delay(pamh, 1000000*delay);
-- PAM_FAIL_CHECK;
-- }
--#endif
-
- retcode = pam_authenticate (pamh, 0);
-
-@@ -1107,14 +1095,17 @@
- free (username);
- username = NULL;
-
-+#ifndef USE_PAM
- /*
- * Wait a while (a la SVR4 /usr/bin/login) before attempting
- * to login the user again. If the earlier alarm occurs
- * before the sleep() below completes, login will exit.
- */
-+ delay = getdef_unum ("FAIL_DELAY", 1);
- if (delay > 0) {
- (void) sleep (delay);
- }
-+#endif
-
- (void) puts (_("Login incorrect"));
-
---- a/lib/getdef.c
-+++ b/lib/getdef.c
-@@ -60,7 +60,6 @@
- {"ENV_PATH", NULL},
- {"ENV_SUPATH", NULL},
- {"ERASECHAR", NULL},
-- {"FAIL_DELAY", NULL},
- {"FAILLOG_ENAB", NULL},
- {"FAKE_SHELL", NULL},
- {"FTMP_FILE", NULL},
-@@ -104,6 +103,7 @@
- {"ENV_HZ", NULL},
- {"ENVIRON_FILE", NULL},
- {"ENV_TZ", NULL},
-+ {"FAIL_DELAY", NULL},
- {"ISSUE_FILE", NULL},
- {"LASTLOG_ENAB", NULL},
- {"LOGIN_STRING", NULL},
diff --git a/debian/patches/501_commonio_group_shadow b/debian/patches/501_commonio_group_shadow
deleted file mode 100644
index 436d48f..0000000
--- a/debian/patches/501_commonio_group_shadow
+++ /dev/null
@@ -1,37 +0,0 @@
-Goal: save the [g]shadow files with the 'shadow' group and mode 0440
-
-Fixes: #166793
-
---- a/lib/commonio.c
-+++ b/lib/commonio.c
-@@ -44,6 +44,7 @@
- #include <errno.h>
- #include <stdio.h>
- #include <signal.h>
-+#include <grp.h>
- #include "nscd.h"
- #ifdef WITH_TCB
- #include <tcb.h>
-@@ -966,13 +967,20 @@
- goto fail;
- }
- } else {
-+ struct group *grp;
- /*
- * Default permissions for new [g]shadow files.
- * (passwd and group always exist...)
- */
-- sb.st_mode = 0400;
-+ sb.st_mode = 0440;
- sb.st_uid = 0;
-- sb.st_gid = 0;
-+ /*
-+ * Try to retrieve the shadow's GID, and fall back to GID 0.
-+ */
-+ if ((grp = getgrnam("shadow")) != NULL)
-+ sb.st_gid = grp->gr_gid;
-+ else
-+ sb.st_gid = 0;
- }
-
- snprintf (buf, sizeof buf, "%s+", db->filename);
diff --git a/debian/patches/503_shadowconfig.8 b/debian/patches/503_shadowconfig.8
deleted file mode 100644
index 9d78adf..0000000
--- a/debian/patches/503_shadowconfig.8
+++ /dev/null
@@ -1,191 +0,0 @@
-Goal: Document the shadowconfig utility
-
-Status wrt upstream: The shadowconfig utility is debian specific.
- Its man page also (but it used to be distributed)
-
---- /dev/null
-+++ b/man/shadowconfig.8
-@@ -0,0 +1,41 @@
-+.\"Generated by db2man.xsl. Don't modify this, modify the source.
-+.de Sh \" Subsection
-+.br
-+.if t .Sp
-+.ne 5
-+.PP
-+\fB\\$1\fR
-+.PP
-+..
-+.de Sp \" Vertical space (when we can't use .PP)
-+.if t .sp .5v
-+.if n .sp
-+..
-+.de Ip \" List item
-+.br
-+.ie \\n(.$>=3 .ne \\$3
-+.el .ne 3
-+.IP "\\$1" \\$2
-+..
-+.TH "SHADOWCONFIG" 8 "19 Apr 1997" "" ""
-+.SH NAME
-+shadowconfig \- toggle shadow passwords on and off
-+.SH "SYNOPSIS"
-+.ad l
-+.hy 0
-+.HP 13
-+\fBshadowconfig\fR \fB\fIon\fR\fR | \fB\fIoff\fR\fR
-+.ad
-+.hy
-+
-+.SH "DESCRIPTION"
-+
-+.PP
-+\fBshadowconfig\fR on will turn shadow passwords on; \fIshadowconfig off\fR will turn shadow passwords off\&. \fBshadowconfig\fR will print an error message and exit with a nonzero code if it finds anything awry\&. If that happens, you should correct the error and run it again\&. Turning shadow passwords on when they are already on, or off when they are already off, is harmless\&.
-+
-+.PP
-+Read \fI/usr/share/doc/passwd/README\&.Debian\fR for a brief introduction to shadow passwords and related features\&.
-+
-+.PP
-+Note that turning shadow passwords off and on again will lose all password aging information\&.
-+
---- /dev/null
-+++ b/man/shadowconfig.8.xml
-@@ -0,0 +1,52 @@
-+<?xml version="1.0" encoding="UTF-8"?>
-+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-+<refentry id='shadowconfig.8'>
-+ <!-- $Id: shadowconfig.8.xml,v 1.6 2005/06/15 12:39:27 kloczek Exp $ -->
-+ <refentryinfo>
-+ <date>19 Apr 1997</date>
-+ </refentryinfo>
-+ <refmeta>
-+ <refentrytitle>shadowconfig</refentrytitle>
-+ <manvolnum>8</manvolnum>
-+ <refmiscinfo class='date'>19 Apr 1997</refmiscinfo>
-+ <refmiscinfo class='source'>Debian GNU/Linux</refmiscinfo>
-+ </refmeta>
-+ <refnamediv id='name'>
-+ <refname>shadowconfig</refname>
-+ <refpurpose>toggle shadow passwords on and off</refpurpose>
-+ </refnamediv>
-+
-+ <refsynopsisdiv id='synopsis'>
-+ <cmdsynopsis>
-+ <command>shadowconfig</command>
-+ <group choice='plain'>
-+ <arg choice='plain'><replaceable>on</replaceable></arg>
-+ <arg choice='plain'><replaceable>off</replaceable></arg>
-+ </group>
-+ </cmdsynopsis>
-+ </refsynopsisdiv>
-+
-+ <refsect1 id='description'>
-+ <title>DESCRIPTION</title>
-+ <para><command>shadowconfig</command> on will turn shadow passwords on;
-+ <emphasis remap='B'>shadowconfig off</emphasis> will turn shadow
-+ passwords off. <command>shadowconfig</command> will print an error
-+ message and exit with a nonzero code if it finds anything awry. If
-+ that happens, you should correct the error and run it again. Turning
-+ shadow passwords on when they are already on, or off when they are
-+ already off, is harmless.
-+ </para>
-+
-+ <para>
-+ Read <filename>/usr/share/doc/passwd/README.Debian</filename> for a
-+ brief introduction
-+ to shadow passwords and related features.
-+ </para>
-+
-+ <para>Note that turning shadow passwords off and on again will lose all
-+ password
-+ aging information.
-+ </para>
-+ </refsect1>
-+</refentry>
---- /dev/null
-+++ b/man/fr/shadowconfig.8
-@@ -0,0 +1,26 @@
-+.\" This file was generated with po4a. Translate the source file.
-+.\"
-+.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $
-+.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux"
-+.SH NOM
-+shadowconfig \- active ou désactive les mots de passe cachés
-+.SH SYNOPSIS
-+\fBshadowconfig\fP \fIon\fP | \fIoff\fP
-+.SH DESCRIPTION
-+.PP
-+\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message
-+d'erreur et quitte avec une valeur de retour non nulle s'il rencontre
-+quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant
-+de recommencer.
-+
-+Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les
-+désactiver lorsqu'ils ne sont pas actifs est sans effet.
-+
-+Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux
-+mots de passe cachés et à leurs fonctionnalités.
-+
-+Notez que désactiver puis réactiver les mots de passe cachés aura pour
-+conséquence la perte des informations d'âge sur les mots de passe.
-+.SH TRADUCTION
-+Nicolas FRANÇOIS, 2004.
-+Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>.
---- /dev/null
-+++ b/man/ja/shadowconfig.8
-@@ -0,0 +1,25 @@
-+.\" all right reserved,
-+.\" Translated Tue Oct 30 11:59:11 JST 2001
-+.\" by Maki KURODA <mkuroda@aisys-jp.com>
-+.\"
-+.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux"
-+.SH 名前
-+shadowconfig \- shadow パスワードの設定をオン及びオフに切替える
-+.SH 書式
-+.B "shadowconfig"
-+.IR on " | " off
-+.SH 説明
-+.PP
-+.B shadowconfig on
-+は shadow パスワードを有効にする。
-+.B shadowconfig off
-+は shadow パスワードを無効にする。
-+.B shadowconfig
-+は何らかの間違いがあると、エラーメッセージを表示し、
-+ゼロではない返り値を返す。
-+もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。
-+shadow パスワードの設定がすでにオンの場合にオンに設定したり、
-+すでにオフの場合にオフに設定しても、何の影響もない。
-+
-+.I /usr/share/doc/passwd/README.debian.gz
-+には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。
---- /dev/null
-+++ b/man/pl/shadowconfig.8
-@@ -0,0 +1,27 @@
-+.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $
-+.\" {PTM/WK/1999-09-14}
-+.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux"
-+.SH NAZWA
-+shadowconfig - przełącza ochronę haseł i grup przez pliki shadow
-+.SH SKŁADNIA
-+.B "shadowconfig"
-+.IR on " | " off
-+.SH OPIS
-+.PP
-+.B shadowconfig on
-+włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow);
-+.B shadowconfig off
-+wyłącza dodatkowe pliki haseł i grup.
-+.B shadowconfig
-+wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli
-+znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd
-+.\" if it finds anything awry.
-+i uruchomić program ponownie.
-+
-+Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie,
-+gdy jest wyłączona jest nieszkodliwe.
-+
-+Przeczytaj
-+.IR /usr/share/doc/passwd/README.debian.gz ,
-+gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych
-+plików haseł przesłanianych (shadow passwords) i związanych tematów.
diff --git a/debian/patches/505_useradd_recommend_adduser b/debian/patches/505_useradd_recommend_adduser
deleted file mode 100644
index c5c3587..0000000
--- a/debian/patches/505_useradd_recommend_adduser
+++ /dev/null
@@ -1,36 +0,0 @@
-Goal: Recommend using adduser and deluser.
-
-Fixes: #406046
-
-Status wrt upstream: Debian specific patch.
-
---- a/man/useradd.8.xml
-+++ b/man/useradd.8.xml
-@@ -84,6 +84,12 @@
- <refsect1 id='description'>
- <title>DESCRIPTION</title>
- <para>
-+ <command>useradd</command> is a low level utility for adding
-+ users. On Debian, administrators should usually use
-+ <citerefentry><refentrytitle>adduser</refentrytitle>
-+ <manvolnum>8</manvolnum></citerefentry> instead.
-+ </para>
-+ <para>
- When invoked without the <option>-D</option> option, the
- <command>useradd</command> command creates a new user account using
- the values specified on the command line plus the default values from
---- a/man/userdel.8.xml
-+++ b/man/userdel.8.xml
-@@ -64,6 +64,12 @@
- <refsect1 id='description'>
- <title>DESCRIPTION</title>
- <para>
-+ <command>userdel</command> is a low level utility for removing
-+ users. On Debian, administrators should usually use
-+ <citerefentry><refentrytitle>deluser</refentrytitle>
-+ <manvolnum>8</manvolnum></citerefentry> instead.
-+ </para>
-+ <para>
- The <command>userdel</command> command modifies the system account
- files, deleting all entries that refer to the user name <emphasis
- remap='I'>LOGIN</emphasis>. The named user must exist.
diff --git a/debian/patches/506_relaxed_usernames b/debian/patches/506_relaxed_usernames
deleted file mode 100644
index bdf3961..0000000
--- a/debian/patches/506_relaxed_usernames
+++ /dev/null
@@ -1,100 +0,0 @@
-Goal: Relaxed usernames/groupnames checking patch.
-
-Status wrt upstream: Debian specific. Not to be used upstream
-
-Details:
- Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
- characters and don't start with '-', '+', or '~'. This patch is more
- restrictive than original Karl's version. closes: #264879
- Also closes: #377844
-
- Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
-
- I can't come up with a good justification as to why characters other
- than ':'s and '\0's should be disallowed in group and usernames (other
- than '-' as the leading character). Thus, the maintenance tools don't
- anymore. closes: #79682, #166798, #171179
-
---- a/libmisc/chkname.c
-+++ b/libmisc/chkname.c
-@@ -48,6 +48,7 @@
-
- static bool is_valid_name (const char *name)
- {
-+#if 0
- /*
- * User/group names must match [a-z_][a-z0-9_-]*[$]
- */
-@@ -66,6 +67,26 @@
- return false;
- }
- }
-+#endif
-+ /*
-+ * POSIX indicate that usernames are composed of characters from the
-+ * portable filename character set [A-Za-z0-9._-], and that the hyphen
-+ * should not be used as the first character of a portable user name.
-+ *
-+ * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
-+ */
-+ if ( ('\0' == *name)
-+ || ('-' == *name)
-+ || ('~' == *name)
-+ || ('+' == *name)) {
-+ return false;
-+ }
-+ do {
-+ if ((':' == *name) || (',' == *name) || isspace(*name)) {
-+ return false;
-+ }
-+ name++;
-+ } while ('\0' != *name);
-
- return true;
- }
---- a/man/useradd.8.xml
-+++ b/man/useradd.8.xml
-@@ -635,12 +635,20 @@
- </para>
-
- <para>
-- Usernames must start with a lower case letter or an underscore,
-+ It is usually recommended to only use usernames that begin with a lower case letter or an underscore,
- followed by lower case letters, digits, underscores, or dashes.
- They can end with a dollar sign.
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
- </para>
- <para>
-+ On Debian, the only constraints are that usernames must neither start
-+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
-+ colon (':'), a comma (','), or a whitespace (space: ' ',
-+ end of line: '\n', tabulation: '\t', etc.). Note that using a slash
-+ ('/') may break the default algorithm for the definition of the
-+ user's home directory.
-+ </para>
-+ <para>
- Usernames may only be up to 32 characters long.
- </para>
- </refsect1>
---- a/man/groupadd.8.xml
-+++ b/man/groupadd.8.xml
-@@ -240,12 +240,18 @@
- <refsect1 id='caveats'>
- <title>CAVEATS</title>
- <para>
-- Groupnames must start with a lower case letter or an underscore,
-+ It is usually recommended to only use groupnames that begin with a lower case letter or an underscore,
- followed by lower case letters, digits, underscores, or dashes.
- They can end with a dollar sign.
- In regular expression terms: [a-z_][a-z0-9_-]*[$]?
- </para>
- <para>
-+ On Debian, the only constraints are that groupnames must neither start
-+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
-+ colon (':'), a comma (','), or a whitespace (space:' ',
-+ end of line: '\n', tabulation: '\t', etc.).
-+ </para>
-+ <para>
- Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
- </para>
- <para>
diff --git a/debian/patches/508_nologin_in_usr_sbin b/debian/patches/508_nologin_in_usr_sbin
deleted file mode 100644
index 026e2db..0000000
--- a/debian/patches/508_nologin_in_usr_sbin
+++ /dev/null
@@ -1,18 +0,0 @@
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -23,7 +23,6 @@
- # $prefix/bin and $prefix/sbin, no install-data hacks...)
-
- bin_PROGRAMS = groups login su
--sbin_PROGRAMS = nologin
- ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
- usbin_PROGRAMS = \
- cppw \
-@@ -38,6 +37,7 @@
- grpunconv \
- logoutd \
- newusers \
-+ nologin \
- pwck \
- pwconv \
- pwunconv \
diff --git a/debian/patches/523_su_arguments_are_concatenated b/debian/patches/523_su_arguments_are_concatenated
deleted file mode 100644
index 0abc4c5..0000000
--- a/debian/patches/523_su_arguments_are_concatenated
+++ /dev/null
@@ -1,48 +0,0 @@
-Goal: Concatenate the non-su arguments and provide them to the shell with
- the -c option
-Fixes: #317264
- see also #276419
-
-Status wrt upstream: This is a Debian specific patch.
-
-Note: the fix of the man page is still missing.
- (to be taken from the trunk)
-
---- a/src/su.c
-+++ b/src/su.c
-@@ -1150,6 +1150,35 @@
- argv[0] = "-c";
- argv[1] = command;
- }
-+ /* On Debian, the arguments are concatenated and the
-+ * resulting string is always given to the shell with its
-+ * -c option.
-+ */
-+ {
-+ char **parg;
-+ unsigned int cmd_len = 0;
-+ char *cmd = NULL;
-+ if (strcmp(argv[0], "-c") != 0) {
-+ argv--;
-+ argv[0] = "-c";
-+ }
-+ /* Now argv[0] is always -c, and other arguments
-+ * can be concatenated
-+ */
-+ cmd_len = 1; /* finale '\0' */
-+ for (parg = &argv[1]; *parg; parg++) {
-+ cmd_len += strlen (*parg) + 1;
-+ }
-+ cmd = (char *) xmalloc (sizeof (char) * cmd_len);
-+ cmd[0] = '\0';
-+ for (parg = &argv[1]; *parg; parg++) {
-+ strcat (cmd, " ");
-+ strcat (cmd, *parg);
-+ }
-+ cmd[cmd_len - 1] = '\0';
-+ argv[1] = &cmd[1]; /* do not take first space */
-+ argv[2] = NULL;
-+ }
- /*
- * Use the shell and create an argv
- * with the rest of the command line included.
diff --git a/debian/patches/523_su_arguments_are_no_more_concatenated_by_default b/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
deleted file mode 100644
index d421345..0000000
--- a/debian/patches/523_su_arguments_are_no_more_concatenated_by_default
+++ /dev/null
@@ -1,50 +0,0 @@
-Goal: Do not concatenate the additional arguments, and support an
- environment variable to revert to the old Debian's su behavior.
-
-This patch needs the su_arguments_are_concatenated patch.
-
-This patch, and su_arguments_are_concatenated should be dropped after
-Etch.
-
-Status wrt upstream: This patch is Debian specific.
-
---- a/src/su.c
-+++ b/src/su.c
-@@ -104,6 +104,19 @@
- /* If nonzero, change some environment vars to indicate the user su'd to. */
- static bool change_environment = true;
-
-+/*
-+ * If nonzero, keep the old Debian behavior:
-+ * * concatenate all the arguments and provide them to the -c option of
-+ * the shell
-+ * * If there are some additional arguments, but no -c, add a -c
-+ * argument anyway
-+ * Drawbacks:
-+ * * you can't provide options to the shell (other than -c)
-+ * * you can't rely on the argument count
-+ * See http://bugs.debian.org/276419
-+ */
-+static int old_debian_behavior;
-+
- #ifdef USE_PAM
- static pam_handle_t *pamh = NULL;
- static int caught = 0;
-@@ -950,6 +963,8 @@
- int ret;
- #endif /* USE_PAM */
-
-+ old_debian_behavior = (getenv("SU_NO_SHELL_ARGS") != NULL);
-+
- (void) setlocale (LC_ALL, "");
- (void) bindtextdomain (PACKAGE, LOCALEDIR);
- (void) textdomain (PACKAGE);
-@@ -1154,7 +1169,7 @@
- * resulting string is always given to the shell with its
- * -c option.
- */
-- {
-+ if (old_debian_behavior) {
- char **parg;
- unsigned int cmd_len = 0;
- char *cmd = NULL;
diff --git a/debian/patches/542_useradd-O_option b/debian/patches/542_useradd-O_option
deleted file mode 100644
index 506352f..0000000
--- a/debian/patches/542_useradd-O_option
+++ /dev/null
@@ -1,43 +0,0 @@
-Goal: accepts the -O flag for backward compatibility. (was used by adduser?)
-
-Note: useradd.8 needs to be regenerated.
-
-Status wrt upstream: not included as this is just specific
- backward compatibility for Debian
-
---- a/man/useradd.8.xml
-+++ b/man/useradd.8.xml
-@@ -321,6 +321,11 @@
- databases are resetted to avoid reusing the entry from a previously
- deleted user.
- </para>
-+ <para>
-+ For the compatibility with previous Debian's
-+ <command>useradd</command>, the <option>-O</option> option is
-+ also supported.
-+ </para>
- </listitem>
- </varlistentry>
- <varlistentry>
---- a/src/useradd.c
-+++ b/src/useradd.c
-@@ -1011,9 +1011,9 @@
- };
- while ((c = getopt_long (argc, argv,
- #ifdef WITH_SELINUX
-- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:UZ:",
-+ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:UZ:",
- #else /* !WITH_SELINUX */
-- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:s:u:U",
-+ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:s:u:U",
- #endif /* !WITH_SELINUX */
- long_options, NULL)) != -1) {
- switch (c) {
-@@ -1136,6 +1136,7 @@
- kflg = true;
- break;
- case 'K':
-+ case 'O': /* compatibility with previous Debian useradd */
- /*
- * override login.defs defaults (-K name=value)
- * example: -K UID_MIN=100 -K UID_MAX=499
diff --git a/debian/patches/900_testsuite_groupmems b/debian/patches/900_testsuite_groupmems
deleted file mode 100644
index 6bdc497..0000000
--- a/debian/patches/900_testsuite_groupmems
+++ /dev/null
@@ -1,81 +0,0 @@
---- a/debian/passwd.install
-+++ b/debian/passwd.install
-@@ -9,6 +9,7 @@
- usr/sbin/cppw
- usr/sbin/groupadd
- usr/sbin/groupdel
-+usr/sbin/groupmems
- usr/sbin/groupmod
- usr/sbin/grpck
- usr/sbin/grpconv
-@@ -33,6 +34,7 @@
- usr/share/man/*/man8/chpasswd.8
- usr/share/man/*/man8/groupadd.8
- usr/share/man/*/man8/groupdel.8
-+usr/share/man/*/man8/groupmems.8
- usr/share/man/*/man8/groupmod.8
- usr/share/man/*/man8/grpck.8
- usr/share/man/*/man8/grpconv.8
-@@ -59,6 +61,7 @@
- usr/share/man/man8/chpasswd.8
- usr/share/man/man8/groupadd.8
- usr/share/man/man8/groupdel.8
-+usr/share/man/man8/groupmems.8
- usr/share/man/man8/groupmod.8
- usr/share/man/man8/grpck.8
- usr/share/man/man8/grpconv.8
---- a/debian/passwd.postinst
-+++ b/debian/passwd.postinst
-@@ -31,6 +31,24 @@
- exit 1
- )
- fi
-+ if ! getent group groupmems | grep -q '^groupmems:[^:]*:99'
-+ then
-+ groupadd -g 99 groupmems || (
-+ cat <<EOF
-+************************ TESTSUITE *****************************
-+Group ID 99 has been allocated for the groupmems group. You have either
-+used 99 yourself or created a groupmems group with a different ID.
-+Please correct this problem and reconfigure with ``dpkg --configure passwd''.
-+
-+Note that both user and group IDs in the range 0-99 are globally
-+allocated by the Debian project and must be the same on every Debian
-+system.
-+EOF
-+ exit 1
-+ )
-+# FIXME
-+ chgrp groupmems /usr/sbin/groupmems
-+ fi
- ;;
- esac
-
---- a/debian/rules
-+++ b/debian/rules
-@@ -60,6 +60,7 @@
- dh_installpam -p passwd --name=chsh
- dh_installpam -p passwd --name=chpasswd
- dh_installpam -p passwd --name=newusers
-+ dh_installpam -p passwd --name=groupmems
- ifeq ($(DEB_HOST_ARCH_OS),hurd)
- # login is not built on The Hurd, but some utilities of passwd depends on
- # /etc/login.defs.
-@@ -87,3 +88,6 @@
- chgrp shadow debian/passwd/usr/bin/expiry
- chmod g+s debian/passwd/usr/bin/chage
- chmod g+s debian/passwd/usr/bin/expiry
-+ chgrp groupmems debian/passwd/usr/sbin/groupmems
-+ chmod u+s debian/passwd/usr/sbin/groupmems
-+ chmod o-x debian/passwd/usr/sbin/groupmems
---- /dev/null
-+++ b/debian/passwd.groupmems.pam
-@@ -0,0 +1,8 @@
-+# The PAM configuration file for the Shadow 'groupmod' service
-+#
-+
-+# This allows root to modify groups without being prompted for a password
-+auth sufficient pam_rootok.so
-+
-+@include common-auth
-+@include common-account
diff --git a/debian/patches/901_testsuite_gcov b/debian/patches/901_testsuite_gcov
deleted file mode 100644
index 717ccca..0000000
--- a/debian/patches/901_testsuite_gcov
+++ /dev/null
@@ -1,76 +0,0 @@
---- a/lib/Makefile.am
-+++ b/lib/Makefile.am
-@@ -1,6 +1,8 @@
-
- AUTOMAKE_OPTIONS = 1.0 foreign
-
-+CFLAGS += -fprofile-arcs -ftest-coverage
-+
- DEFS =
-
- noinst_LTLIBRARIES = libshadow.la
---- a/libmisc/Makefile.am
-+++ b/libmisc/Makefile.am
-@@ -1,6 +1,8 @@
-
- EXTRA_DIST = .indent.pro xgetXXbyYY.c
-
-+CFLAGS += -fprofile-arcs -ftest-coverage
-+
- INCLUDES = -I$(top_srcdir)/lib
-
- noinst_LIBRARIES = libmisc.a
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -7,6 +7,8 @@
- suidperms = 4755
- sgidperms = 2755
-
-+CFLAGS += -fprofile-arcs -ftest-coverage
-+
- INCLUDES = \
- -I${top_srcdir}/lib \
- -I$(top_srcdir)/libmisc
---- a/debian/rules
-+++ b/debian/rules
-@@ -40,6 +40,12 @@
- endif
- export CFLAGS
-
-+clean:: clean_gcov
-+
-+clean_gcov:
-+ find . -name "*.gcda" -delete
-+ find . -name "*.gcno" -delete
-+
- # Add extras to the install process:
- binary-install/login::
- dh_installpam -p login
---- a/lib/defines.h
-+++ b/lib/defines.h
-@@ -174,23 +174,9 @@
- trust the formatted time received from the unix domain (or worse,
- UDP) socket. -MM */
- /* Avoid translated PAM error messages: Set LC_ALL to "C".
-+ * This is disabled for coverage testing
- * --Nekral */
--#define SYSLOG(x) \
-- do { \
-- char *old_locale = setlocale (LC_ALL, NULL); \
-- char *saved_locale = NULL; \
-- if (NULL != old_locale) { \
-- saved_locale = strdup (old_locale); \
-- } \
-- if (NULL != saved_locale) { \
-- (void) setlocale (LC_ALL, "C"); \
-- } \
-- syslog x ; \
-- if (NULL != saved_locale) { \
-- (void) setlocale (LC_ALL, saved_locale); \
-- free (saved_locale); \
-- } \
-- } while (false)
-+#define SYSLOG(x) syslog x
- #else /* !ENABLE_NLS */
- #define SYSLOG(x) syslog x
- #endif /* !ENABLE_NLS */
diff --git a/debian/patches/README.patches b/debian/patches/README.patches
deleted file mode 100644
index 8df4cd3..0000000
--- a/debian/patches/README.patches
+++ /dev/null
@@ -1,71 +0,0 @@
-Small intro to the system for numbering the patches here...
-
--The 0xx series of patches are patches isolated from the latest
- version of the shadow Debian package not using quilt in order to
- separate upstream from Debian-specific stuff.
-
- NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES
-
--The 1xx series are l10n patches to upstream 4.0.18.1. As upstream has
- adopted Debian translations, it is very likely that these patches
- will become useless when we will have synced with upstream
-
--The 2xx series are patches for manual pages translations to upstream
- 4.0.18.1.
-
--The 3xx series are patches which have been temporarily applied to
- Debian's shadow while we *know* they have been applied upstream as well
- These patches should NOT be kept when we will sync with upstream
-
--The 4xx series are patches which have been applied to Debian's shadow
- and have NOT been accepted and/or applied upstream. These patches MUST be kept
- even after resynced with upstream
-
--The 5xx series are patches which are applied to Debian's shadow
- and will never be proposed upstream because they're too specific
- This list SHOULD BE AS SHORT AS POSSIBLE
-
-In short, while we are working towards synchronisation with upstream,
-our goal is to make 0xx patches disappear by moving them either to 3xx
-series (things already implemented upstream) or to 4xx series
-(Debian-specific patches).
-
-
-Short HOWTO for quilt
-=====================
-
-The quilt system can be assimilated to a Pile Of Patches management system.
-Patches live in debian/patches, the working directory is "."
-
-The basic commands are (abbreviation accepted):
-quilt push (asks to apply the next patch in the pile)
-quilt pop (removes the current patch and go up in the pile)
-quilt refresh (take the current changes in tree onto the patch)
-
-When a file is changed by a patch, quilt saves it somewhere under .pc on
-application. This is how it can refresh it afterward (comparing the version
-in .pc and the one you currently have in your working dir).
-
-There are three common pitfalls with quilt:
- - doing "quilt pop" without doing "quilt refresh". The version of current
- dir is replaced with the version of the .pc dir. Your changes are lost.
- Quilt wont let you do so, but you can force it with '-f' if you're fool.
- - editing a file with is not in the patch yet. Quilt didn't do any previous
- backup.
- Use "quilt add" to add files to patches.
- Set $EDITOR and use "quilt edit" to edit a file, and add it onto the
- patch if needed.
- - If you update your working directory, patches may not revert cleanly.
- It is thus recommended to use "quilt pop -a" before updating with
- "svn up".
- If you forget (and run into trouble), you may want to remove the whole
- shadow-?.?.? directory. If you use the makefile which is in the upper
- directory (trunk/), shadow-?.?.?/debian/patches is a link to
- debian/patches, so this dirctory does not contain any valuable info.
-
-The documentation is quite well done, I think. "quilt -h" will list you the
-commands. "quilt <cmd> -h" will give you some hints about it. "man quilt" is
-a reference documentation. /usr/share/doc/quilt/quilt.pdf.gz is a complete
-manual, with tutorial.
-
-
diff --git a/debian/patches/environ.patch b/debian/patches/environ.patch
deleted file mode 100644
index 4f1f9b1..0000000
--- a/debian/patches/environ.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Index: shadow-4.1.5/lib/spawn.c
-===================================================================
---- shadow-4.1.5.orig/lib/spawn.c 2011-10-16 18:05:19.000000000 +0000
-+++ shadow-4.1.5/lib/spawn.c 2012-05-29 00:09:49.520136311 +0000
-@@ -38,6 +38,8 @@
- #include "exitcodes.h"
- #include "prototypes.h"
-
-+extern char **environ;
-+
- int run_command (const char *cmd, const char *argv[],
- /*@null@*/const char *envp[], /*@out@*/int *status)
- {
-Index: shadow-4.1.5/src/su.c
-===================================================================
---- shadow-4.1.5.orig/src/su.c 2012-05-28 20:21:23.981943165 +0000
-+++ shadow-4.1.5/src/su.c 2012-05-29 00:10:44.318173199 +0000
-@@ -78,6 +78,8 @@
- /*@-exitarg@*/
- #include "exitcodes.h"
-
-+extern char **environ;
-+
- /*
- * Global variables
- */
diff --git a/debian/patches/getspnam_r.patch b/debian/patches/getspnam_r.patch
deleted file mode 100644
index e0603cc..0000000
--- a/debian/patches/getspnam_r.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Index: shadow-4.1.5/configure.in
-===================================================================
---- shadow-4.1.5.orig/configure.in 2012-05-29 01:07:07.625675582 +0000
-+++ shadow-4.1.5/configure.in 2012-05-29 01:08:12.699463029 +0000
-@@ -45,6 +45,25 @@
- getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r getaddrinfo)
- AC_SYS_LARGEFILE
-
-+AC_MSG_CHECKING(if getspnam_r take 5 arguments)
-+AC_TRY_COMPILE(
-+ [
-+#include <sys/types.h>
-+#include <shadow.h>
-+ ],
-+ [
-+struct spwd *pw;
-+struct spwd pwbuf;
-+char pwdata[512];
-+(void) getspnam_r("bin", &pwbuf, pwdata, sizeof(pwdata), &pw);
-+ ],
-+ [AC_MSG_RESULT(yes)
-+ AC_DEFINE(GETSPNAM_R_5ARG, 1,
-+ [Define if your getspnam_r()
-+ functions take 5 arguments])],
-+ [AC_MSG_RESULT(no)]
-+)
-+
- dnl Checks for typedefs, structures, and compiler characteristics.
- AC_C_CONST
- AC_TYPE_UID_T
-Index: shadow-4.1.5/libmisc/xgetXXbyYY.c
-===================================================================
---- shadow-4.1.5.orig/libmisc/xgetXXbyYY.c 2012-05-29 01:07:07.652770807 +0000
-+++ shadow-4.1.5/libmisc/xgetXXbyYY.c 2012-05-29 01:11:08.044438439 +0000
-@@ -89,9 +89,15 @@
- exit (13);
- }
- errno = 0;
-+#ifndef __use_4_args
- status = REENTRANT_NAME(ARG_NAME, result, buffer,
- length, &resbuf);
- if ((0 == status) && (resbuf == result)) {
-+#else
-+ resbuf = REENTRANT_NAME(ARG_NAME, result, buffer,
-+ length);
-+ if (resbuf == result) {
-+#endif
- /* Build a result structure that can be freed by
- * the shadow *_free functions. */
- LOOKUP_TYPE *ret_result = DUP_FUNCTION(result);
-Index: shadow-4.1.5/libmisc/xgetspnam.c
-===================================================================
---- shadow-4.1.5.orig/libmisc/xgetspnam.c 2012-05-29 01:07:07.687176476 +0000
-+++ shadow-4.1.5/libmisc/xgetspnam.c 2012-05-29 01:11:15.833088840 +0000
-@@ -60,5 +60,9 @@
- #define DUP_FUNCTION __spw_dup
- #define HAVE_FUNCTION_R (defined HAVE_GETSPNAM_R)
-
-+#ifndef GETSPNAM_R_5ARG
-+#define __use_4_args
-+#endif
-+
- #include "xgetXXbyYY.c"
-
diff --git a/debian/patches/putgrent.patch b/debian/patches/putgrent.patch
deleted file mode 100644
index ea326c2..0000000
--- a/debian/patches/putgrent.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Index: shadow-4.1.5/lib/groupio.c
-===================================================================
---- shadow-4.1.5.orig/lib/groupio.c 2012-05-29 01:52:46.829380353 +0000
-+++ shadow-4.1.5/lib/groupio.c 2012-05-29 01:54:54.027846005 +0000
-@@ -44,6 +44,46 @@
- #include "getdef.h"
- #include "groupio.h"
-
-+#ifndef HAVE_PUTGRENT
-+#define _nn(x) x ? x : ""
-+int putgrent (const struct group *gr, FILE *fp)
-+{
-+ int rc;
-+ int i;
-+
-+ if ((NULL == gr) || (NULL == fp)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
-+ flockfile(fp);
-+ if (gr->gr_name[0] == '+' || gr->gr_name[0] == '-') {
-+ rc = fprintf(fp, "%s:%s::", gr->gr_name, _nn(gr->gr_passwd));
-+ } else {
-+ rc = fprintf(fp, "%s:%s:%lu:", gr->gr_name, _nn(gr->gr_passwd), (unsigned long int) gr->gr_gid);
-+ }
-+
-+ if (rc < 0) {
-+ funlockfile(fp);
-+ return -1;
-+ }
-+
-+ if (NULL != gr->gr_mem) {
-+ for (i = 0; gr->gr_mem[i] != NULL; ++i) {
-+ if (0 > fprintf(fp, i == 0 ? "%s" : ",%s", gr->gr_mem[i])) {
-+ funlockfile(fp);
-+ return -1;
-+ }
-+ }
-+ }
-+
-+ putc_unlocked('\n', fp);
-+ funlockfile(fp);
-+ return 0;
-+}
-+#undef _nn
-+#endif /* HAVE_PUTGRENT */
-+
- static /*@null@*/struct commonio_entry *merge_group_entries (
- /*@null@*/ /*@returned@*/struct commonio_entry *gr1,
- /*@null@*/struct commonio_entry *gr2);
diff --git a/debian/patches/putpwent-segfault.patch b/debian/patches/putpwent-segfault.patch
deleted file mode 100644
index 601ecf6..0000000
--- a/debian/patches/putpwent-segfault.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: shadow-4.1.5/lib/pwmem.c
-===================================================================
---- shadow-4.1.5.orig/lib/pwmem.c 2009-09-07 19:08:21.000000000 +0000
-+++ shadow-4.1.5/lib/pwmem.c 2012-06-03 18:39:48.377996169 +0000
-@@ -44,7 +44,7 @@
- {
- struct passwd *pw;
-
-- pw = (struct passwd *) malloc (sizeof *pw);
-+ pw = (struct passwd *) calloc (1, sizeof *pw);
- if (NULL == pw) {
- return NULL;
- }
diff --git a/debian/patches/series b/debian/patches/series
index 6d2d836..98b7f59 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,24 +1,19 @@
-# These patches are only for the testsuite:
-#900_testsuite_groupmems
-#901_testsuite_gcov
-
-503_shadowconfig.8
-428_grpck_add_prune_option
-008_login_log_failure_in_FTMP
-429_login_FAILLOG_ENAB
-401_cppw_src.dpatch
-# 402 should be merged in 401, but should be reviewed by SE Linux experts first
-402_cppw_selinux
-506_relaxed_usernames
-542_useradd-O_option
-501_commonio_group_shadow
-463_login_delay_obeys_to_PAM
-523_su_arguments_are_concatenated
-523_su_arguments_are_no_more_concatenated_by_default
-508_nologin_in_usr_sbin
-505_useradd_recommend_adduser
-utmp.c.patch
-getspnam_r.patch
-environ.patch
-putgrent.patch
-putpwent-segfault.patch
+0001-503_shadowconfig.8.patch
+0002-428_grpck_add_prune_option.patch
+0003-008_login_log_failure_in_FTMP.patch
+0004-429_login_FAILLOG_ENAB.patch
+0005-401_cppw_src.dpatch.patch
+0006-402_cppw_selinux.patch
+0007-506_relaxed_usernames.patch
+0008-542_useradd-O_option.patch
+0009-501_commonio_group_shadow.patch
+0010-463_login_delay_obeys_to_PAM.patch
+0011-523_su_arguments_are_concatenated.patch
+0012-523_su_arguments_are_no_more_concatenated_by_default.patch
+0013-508_nologin_in_usr_sbin.patch
+0014-505_useradd_recommend_adduser.patch
+0015-utmp.c.patch
+0016-getspnam_r.patch
+0017-environ.patch
+0018-putgrent.patch
+0019-putpwent-segfault.patch
diff --git a/debian/patches/utmp.c.patch b/debian/patches/utmp.c.patch
deleted file mode 100644
index 624303f..0000000
--- a/debian/patches/utmp.c.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Index: shadow-4.1.5/libmisc/utmp.c
-===================================================================
---- shadow-4.1.5.orig/libmisc/utmp.c 2012-05-29 01:00:07.623017148 +0000
-+++ shadow-4.1.5/libmisc/utmp.c 2012-05-29 01:08:05.294474465 +0000
-@@ -32,15 +32,19 @@
-
- #include <config.h>
-
--#include "defines.h"
--#include "prototypes.h"
--
--#include <utmp.h>
-
- #ifdef USE_UTMPX
- #include <utmpx.h>
-+#define utmp utmpx
-+#define updwtmp updwtmpx
-+#define pututline pututxline
-+#else
-+#include <utmp.h>
- #endif
-
-+#include "defines.h"
-+#include "prototypes.h"
-+
- #include <assert.h>
- #include <netdb.h>
- #include <stdio.h>
-@@ -281,6 +285,10 @@
- /* ut_exit is only for DEAD_PROCESS */
- utent->ut_session = getsid (0);
- if (gettimeofday (&tv, NULL) == 0) {
-+#ifdef USE_UTMPX
-+ utent->ut_tv.tv_sec = tv.tv_sec;
-+ utent->ut_tv.tv_usec = tv.tv_usec;
-+#else
- #ifdef HAVE_STRUCT_UTMP_UT_TIME
- utent->ut_time = tv.tv_sec;
- #endif /* HAVE_STRUCT_UTMP_UT_TIME */
-@@ -291,6 +299,7 @@
- utent->ut_tv.tv_sec = tv.tv_sec;
- utent->ut_tv.tv_usec = tv.tv_usec;
- #endif /* HAVE_STRUCT_UTMP_UT_TV */
-+#endif
- }
-
- return utent;