[Pkg-shadow-devel] Ubuntu (new upstream) shadow 1:4.5-1.1ubuntu1

Ubuntu Merge-o-Matic mom at ubuntu.com
Fri Jan 25 04:41:53 GMT 2019


This e-mail has been sent due to an upload to Ubuntu of a new upstream
version which still contains Ubuntu changes.  It contains the difference
between the Ubuntu version and the equivalent base version in Debian, note
that this difference may include the upstream changes.
-------------- next part --------------
Format: 1.8
Date: Thu, 24 Jan 2019 15:46:48 -0800
Source: shadow
Binary: passwd login uidmap
Architecture: source
Version: 1:4.5-1.1ubuntu1
Distribution: disco
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Steve Langasek <steve.langasek at ubuntu.com>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
 uidmap     - programs to help use subuids
Changes: 
 shadow (1:4.5-1.1ubuntu1) disco; urgency=low
 .
   * Merge from Debian unstable.  Remaining changes:
     - debian/login.defs:
       + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
         handling does not only apply to "former (pre-PAM) uses".
       + Update documentation of UMASK: Explain that USERGROUPS_ENAB
         will modify this default for UPGs.
     - debian/{source_shadow.py,rules}: Add apport hook
     - debian/patches/1010_extrausers.patch: Add support to passwd for
       libnss-extrausers
     - debian/patches/1011_extrausers_toggle.patch: extrausers support for
       useradd and groupadd
     - debian/patches/1012_extrausers_chfn.patch: add support for
       --extrausers to the chfn tool
     - debian/passwd.maintscripts: Clean up upstart configuration
 .
 shadow (1:4.5-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload (greetings from DebCamp/DebConf Taiwan).
   * Stop shipping su and break old util-linux version. (See #833256)
     - Breaks on old version to force lockstep upgrade, which should
       really be a depends-new-version (and can be switched around
       together with util-linux once the transition is finished).
       Using Breaks/Depends the 'wrong' way around is to make apt
       unpack things in the 'right' order (avoiding any gaps where
       /bin/su is not available during the upgrade phase).
Checksums-Sha1: 
 f850360447ebdf1b9936110785cc2aa1b85530d6 2438 shadow_4.5-1.1ubuntu1.dsc
 41a34223d66a108b3e46643f30bec8d7deb3f68f 470796 shadow_4.5-1.1ubuntu1.debian.tar.xz
Checksums-Sha256: 
 c66b12af6abb7917895b5a375dfd570ed56e1c9b2c0fddd7bd6105acb8dc6167 2438 shadow_4.5-1.1ubuntu1.dsc
 e3de971be9e42dccc1be6a732c4afcf7cb78892ddf1e98ffc1d80ff09b895e79 470796 shadow_4.5-1.1ubuntu1.debian.tar.xz
Files: 
 e46e5a2d681881ef506d00c6a5afc4bf 2438 admin required shadow_4.5-1.1ubuntu1.dsc
 2325c4b80786995126e76f90e654198a 470796 admin required shadow_4.5-1.1ubuntu1.debian.tar.xz
Original-Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
-------------- next part --------------
diff -pruN 1:4.5-1.1/debian/changelog 1:4.5-1.1ubuntu1/debian/changelog
--- 1:4.5-1.1/debian/changelog	2018-07-27 08:07:37.000000000 +0000
+++ 1:4.5-1.1ubuntu1/debian/changelog	2019-01-24 23:46:48.000000000 +0000
@@ -1,3 +1,22 @@
+shadow (1:4.5-1.1ubuntu1) disco; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - debian/login.defs:
+      + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+        handling does not only apply to "former (pre-PAM) uses".
+      + Update documentation of UMASK: Explain that USERGROUPS_ENAB
+        will modify this default for UPGs.
+    - debian/{source_shadow.py,rules}: Add apport hook
+    - debian/patches/1010_extrausers.patch: Add support to passwd for
+      libnss-extrausers
+    - debian/patches/1011_extrausers_toggle.patch: extrausers support for
+      useradd and groupadd
+    - debian/patches/1012_extrausers_chfn.patch: add support for
+      --extrausers to the chfn tool
+    - debian/passwd.maintscripts: Clean up upstart configuration
+
+ -- Steve Langasek <steve.langasek at ubuntu.com>  Thu, 24 Jan 2019 15:46:48 -0800
+
 shadow (1:4.5-1.1) unstable; urgency=medium
 
   * Non-maintainer upload (greetings from DebCamp/DebConf Taiwan).
@@ -11,6 +30,42 @@ shadow (1:4.5-1.1) unstable; urgency=med
 
  -- Andreas Henriksson <andreas at fatal.se>  Fri, 27 Jul 2018 10:07:37 +0200
 
+shadow (1:4.5-1ubuntu1) bionic; urgency=medium
+
+  * Merge with Debian; remaining changes:
+    - debian/login.defs:
+      + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+        handling does not only apply to "former (pre-PAM) uses".
+      + Update documentation of UMASK: Explain that USERGROUPS_ENAB
+        will modify this default for UPGs.
+    - debian/{source_shadow.py,rules}: Add apport hook
+    - debian/patches/1010_extrausers.patch: Add support to passwd for
+      libnss-extrausers
+    - debian/patches/1011_extrausers_toggle.patch: extrausers support for
+      useradd and groupadd
+    - debian/patches/1012_extrausers_chfn.patch: add support for
+      --extrausers to the chfn tool
+    - debian/passwd.maintscripts: Clean up upstart configuration
+  * Dropped changes, included in Debian:
+    - Pass noupdate to pam_motd call for /run/motd.dynamic, to avoid running
+      /etc/update-motd.d/* scripts twice.
+  * Dropped changes, included upstream:
+    - debian/patches/userns/subuids-nonlocal-users: Don't limit
+      subuid/subgid support to local users.
+    - debian/patches/1021_no_subuids_for_system_users.patch
+    - debian/patches/CVE-2017-2616.patch: Check process's exit status before
+      sending signal
+    - debian/patches/CVE-2017-2616-regression.patch: Do not reset the
+      pid_child to 0 if the child process is still running.
+    - CVE-2017-2616
+    - debian/patches/CVE-2016-6252.patch: parse directly into unsigned long
+    - CVE-2016-6252
+  * Dropped obsoleted changes:
+    - debian/rules: setting DEB_*_INSTALLINIT_ARGS became obsolete after
+      switching to passwd.tmpfile from passwd.service
+
+ -- Balint Reczey <rbalint at ubuntu.com>  Thu, 25 Jan 2018 16:09:22 +0100
+
 shadow (1:4.5-1) unstable; urgency=medium
 
   * New upstream version 4.5
@@ -146,6 +201,86 @@ shadow (1:4.2-3.3) unstable; urgency=med
 
  -- Samuel Thibault <sthibault at debian.org>  Tue, 22 Nov 2016 18:31:28 +0000
 
+shadow (1:4.2-3.2ubuntu4) artful; urgency=medium
+
+  * Drop upstart system jobs.
+
+ -- Dimitri John Ledkov <xnox at ubuntu.com>  Mon, 21 Aug 2017 00:56:14 +0100
+
+shadow (1:4.2-3.2ubuntu2) artful; urgency=medium
+
+  * SECURITY UPDATE: su could be used to kill arbitrary processes.
+    - debian/patches/CVE-2017-2616.patch: Check process's exit status before
+      sending signal
+    - debian/patches/CVE-2017-2616-regression.patch: Do not reset the
+      pid_child to 0 if the child process is still running.
+    - CVE-2017-2616
+  * SECURITY UPDATE: getulong() function could accidentally parse negative
+    numbers as large positive numbers.
+    - debian/patches/CVE-2016-6252.patch: parse directly into unsigned long
+    - CVE-2016-6252
+
+ -- Seth Arnold <seth.arnold at canonical.com>  Thu, 18 May 2017 14:39:32 -0400
+
+shadow (1:4.2-3.2ubuntu1) yakkety; urgency=medium
+
+  * Merge with Debian; remaining changes:
+    - debian/passwd.upstart: Add an upstart job to clear locks on
+      [shadow-]passwd/group.
+    - debian/login.defs:
+      + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+        handling does not only apply to "former (pre-PAM) uses".
+      + Update documentation of UMASK: Explain that USERGROUPS_ENAB
+        will modify this default for UPGs.
+    - debian/{source_shadow.py,rules}: Add apport hook
+    - Pass noupdate to pam_motd call for /run/motd.dynamic, to avoid running
+      /etc/update-motd.d/* scripts twice.
+    - debian/patches/1010_extrausers.patch: Add support to passwd for
+      libnss-extrausers
+    - debian/patches/1011_extrausers_toggle.patch: extrausers support for
+      useradd and groupadd
+    - debian/patches/userns/subuids-nonlocal-users: Don't limit
+      subuid/subgid support to local users.
+  * Dropped changes, included in Debian:
+    - Allow LXC devices (lxc/console, lxc/tty[1234]), used from precise on.
+    - Add uidmap package based on upstream patches that introduce
+      newuidmap/newgidmap as well as /etc/subuid and /etc/subgid. Additional
+      updates on those to widen the default allocation to 65536 uids and gids
+      and only assign ranges to non-system users.
+    - debian/patches/1020_fix_user_busy_errors: Call sub_uid_close in all
+      error cases.
+  * Dropped changes, included upstream:
+    - debian/patches/495_stdout-encrypted-password: chpasswd can report
+      password hashes on stdout.
+    - debian/patches/496_su_kill_process_group: Kill the child process group,
+      rather than just the immediate child.
+  * Fix pam_motd calls so that the second pam_motd is the noupdate one rather
+    than the first, ensuring /run/motd.dynamic is always populated and shown
+    on the first login after boot.  LP: #1368864.
+  * Don't call 'pam_exec uname', a change adopted in Debian without
+    coordination with the Debian PAM maintainer
+  * Use dh_installinit now for installing the upstart job, as we no longer
+    generate a dependency on upstart-job.
+  * Include /etc/sub[ug]id in the list of files to clear locks for on boot.
+    LP: #1304505
+  * Add a systemd unit to go with the upstart job, so that lock clearing works
+    on newer Ubuntu releases.
+  * add support for "chfn --extrausers" (LP: #1495580)
+  * debian/patches/1010_extrausers.patch:
+    - Fix usermod to handle a readonly /etc gracefully (LP: #1562872)
+  * debian/patches/1010_extrausers.patch:
+    - Fix usermod to look in extrausers location for basic changes to a
+      user's passwd info.  Fixes changing user's real name in Touch via
+      AccountsService.  (Does not address updating groups yet, since that's
+      less useful now, as we can't update any system groups.)
+  * d/p/1021_no_subuids_for_system_users.patch: fix the not creating subuids
+    for system users.  (LP: #1545884)
+  * Replace debian/passwd.service with debian/passwd.tmpfile, systemd tmpfile
+    handling has support for removing files for us on boot.  Thanks to
+    Martin Pitt <pitti at ubuntu.com> for the hint.
+
+ -- Matthias Klose <doko at ubuntu.com>  Tue, 20 Sep 2016 09:43:54 +0200
+
 shadow (1:4.2-3.2) unstable; urgency=medium
 
   * Non-maintainer upload.
@@ -155,6 +290,93 @@ shadow (1:4.2-3.2) unstable; urgency=med
 
  -- Mattia Rizzolo <mattia at debian.org>  Sun, 18 Sep 2016 14:42:16 +0000
 
+shadow (1:4.2-3.1ubuntu6) yakkety; urgency=medium
+
+  * add support for "chfn --extrausers" (LP: #1495580)
+
+ -- Michael Vogt <michael.vogt at ubuntu.com>  Thu, 23 Jun 2016 08:02:00 +0200
+
+shadow (1:4.2-3.1ubuntu5) xenial; urgency=medium
+
+  * debian/patches/1010_extrausers.patch:
+    - Fix usermod to handle a readonly /etc gracefully (LP: #1562872)
+
+ -- Michael Terry <mterry at ubuntu.com>  Mon, 28 Mar 2016 09:44:23 -0400
+
+shadow (1:4.2-3.1ubuntu4) xenial; urgency=medium
+
+  * debian/patches/1010_extrausers.patch:
+    - Fix usermod to look in extrausers location for basic changes to a
+      user's passwd info.  Fixes changing user's real name in Touch via
+      AccountsService.  (Does not address updating groups yet, since that's
+      less useful now, as we can't update any system groups.)
+
+ -- Michael Terry <mterry at ubuntu.com>  Wed, 02 Mar 2016 15:01:19 -0500
+
+shadow (1:4.2-3.1ubuntu3) xenial; urgency=medium
+
+  * d/p/1021_no_subuids_for_system_users.patch: fix the not creating subuids
+    for system users.  (LP: #1545884)
+
+ -- Serge Hallyn <serge.hallyn at ubuntu.com>  Wed, 17 Feb 2016 20:57:59 -0800
+
+shadow (1:4.2-3.1ubuntu2) xenial; urgency=medium
+
+  * Replace debian/passwd.service with debian/passwd.tmpfile, systemd tmpfile
+    handling has support for removing files for us on boot.  Thanks to
+    Martin Pitt <pitti at ubuntu.com> for the hint.
+
+ -- Steve Langasek <steve.langasek at ubuntu.com>  Thu, 04 Feb 2016 14:01:27 -0800
+
+shadow (1:4.2-3.1ubuntu1) xenial; urgency=low
+
+  * Merge from Debian unstable.
+    - Includes pam_loginuid in login PAM config.  LP: #1067779.
+    - Fixes typo in usermod -h output.  LP: #1348873.
+  * Remaining changes:
+    - debian/passwd.upstart: Add an upstart job to clear locks on
+      [shadow-]passwd/group.
+    - debian/login.defs:
+      + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+        handling does not only apply to "former (pre-PAM) uses".
+      + Update documentation of UMASK: Explain that USERGROUPS_ENAB
+        will modify this default for UPGs.
+    - debian/{source_shadow.py,rules}: Add apport hook
+    - Pass noupdate to pam_motd call for /run/motd.dynamic, to avoid running
+      /etc/update-motd.d/* scripts twice.
+    - debian/patches/1010_extrausers.patch: Add support to passwd for
+      libnss-extrausers
+    - debian/patches/1011_extrausers_toggle.patch: extrausers support for
+      useradd and groupadd
+    - debian/patches/userns/subuids-nonlocal-users: Don't limit
+      subuid/subgid support to local users.
+  * Dropped changes, included in Debian:
+    - Allow LXC devices (lxc/console, lxc/tty[1234]), used from precise on.
+    - Add uidmap package based on upstream patches that introduce
+      newuidmap/newgidmap as well as /etc/subuid and /etc/subgid. Additional
+      updates on those to widen the default allocation to 65536 uids and gids
+      and only assign ranges to non-system users.
+    - debian/patches/1020_fix_user_busy_errors: Call sub_uid_close in all
+      error cases.
+  * Dropped changes, included upstream:
+    - debian/patches/495_stdout-encrypted-password: chpasswd can report
+      password hashes on stdout.
+    - debian/patches/496_su_kill_process_group: Kill the child process group,
+      rather than just the immediate child.
+  * Fix pam_motd calls so that the second pam_motd is the noupdate one rather
+    than the first, ensuring /run/motd.dynamic is always populated and shown
+    on the first login after boot.  LP: #1368864.
+  * Don't call 'pam_exec uname', a change adopted in Debian without
+    coordination with the Debian PAM maintainer
+  * Use dh_installinit now for installing the upstart job, as we no longer
+    generate a dependency on upstart-job.
+  * Include /etc/sub[ug]id in the list of files to clear locks for on boot.
+    LP: #1304505
+  * Add a systemd unit to go with the upstart job, so that lock clearing works
+    on newer Ubuntu releases.
+
+ -- Steve Langasek <steve.langasek at ubuntu.com>  Thu, 28 Jan 2016 22:21:41 -0800
+
 shadow (1:4.2-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
@@ -265,6 +487,79 @@ shadow (1:4.2-1) experimental; urgency=l
 
  -- Christian Perrier <bubulle at debian.org>  Tue, 22 Apr 2014 09:01:42 +0200
 
+shadow (1:4.1.5.1-1.1ubuntu7) wily; urgency=medium
+
+  * debian/patches/userns/subuids-nonlocal-users: Don't limit
+    subuid/subgid support to local users.  Closes LP: #1475749.
+
+ -- Steve Langasek <steve.langasek at ubuntu.com>  Mon, 20 Jul 2015 18:44:12 -0700
+
+shadow (1:4.1.5.1-1.1ubuntu6) wily; urgency=medium
+
+  * extrausers support for useradd and groupadd (LP: #1323732)
+
+ -- Sergio Schvezov <sergio.schvezov at canonical.com>  Thu, 25 Jun 2015 15:26:55 -0300
+
+shadow (1:4.1.5.1-1.1ubuntu5) wily; urgency=medium
+
+  * debian/rules: Re-enable audit support. (LP: #1414817)
+  * debian/control: add libaudit-dev to Build-Depends.
+
+ -- Mathieu Trudel-Lapierre <mathieu-tl at ubuntu.com>  Tue, 02 Jun 2015 10:46:18 -0400
+
+shadow (1:4.1.5.1-1.1ubuntu4) vivid; urgency=medium
+
+  * debian/patches/1020_fix_user_busy_errors:
+    - libmisc/user_busy.c: Call sub_uid_close in all error cases, otherwise
+      code that later opens it as RW fails obscurely. (LP: #1436937)
+
+ -- William Grant <wgrant at ubuntu.com>  Mon, 20 Apr 2015 18:41:47 +0100
+
+shadow (1:4.1.5.1-1.1ubuntu3) vivid; urgency=medium
+
+  * No change rebuild to get debug symbols for all architectures.
+
+ -- Brian Murray <brian at ubuntu.com>  Tue, 02 Dec 2014 11:39:38 -0800
+
+shadow (1:4.1.5.1-1.1ubuntu2) utopic; urgency=medium
+
+  * debian/patches/1010_extrausers.patch:
+    - Add support to passwd for libnss-extrausers by falling back to the
+      /var/lib/extrausers/ locations if it exists when updating
+      passwd or shadow.
+
+ -- Michael Terry <mterry at ubuntu.com>  Fri, 18 Jul 2014 10:00:44 -0400
+
+shadow (1:4.1.5.1-1.1ubuntu1) utopic; urgency=medium
+
+  * Merge from Debian unstable.  Remaining changes:
+     - debian/passwd.upstart: Add an upstrat job to clear locks on
+       [shadow-]passwd/group. (LP: #523896).
+     - Allow LXC devices (lxc/console, lxc/tty[1234]) that we'll start using
+       in LXC with Precise.
+     - debian/login.defs:
+       + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+         handling does not only apply to "former (pre-PAM) uses".
+       + Update documentation of UMASK: Explain that USERGROUPS_ENAB
+         will modify this default for UPGs. (Closes: #583971)
+     - debian/{source_shadow.py,rules}: Add apport hook
+     - debian/patches/495_stdout-encrypted-password: chpasswd can report
+       password hashes on stdout (Debian bug 505640).
+     - Install upstart job by-hand, instead of using dh_installinit to avoid
+       dependency on upstart-job.
+     - Pass noupdate to pam_motd call for /run/motd.dynamic, to avoid running
+       /etc/update-motd.d/* scripts twice (LP: #1169558).
+     - debian/patches/496_su_kill_process_group: Kill the child process group,
+       rather than just the immediate child; this is needed now that su no
+       longer starts a controlling terminal when not running an interactive
+       shell (closes: #713979).
+     - Add uidmap package based on upstream patches that introduce
+       newuidmap/newgidmap as well as /etc/subuid and /etc/subgid. Additional
+       updates on those to widen the default allocation to 65536 uids and gids
+       and only assign ranges to non-system users.
+
+ -- St��phane Graber <stgraber at ubuntu.com>  Fri, 02 May 2014 15:17:15 -0400
+
 shadow (1:4.1.5.1-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
@@ -278,6 +573,103 @@ shadow (1:4.1.5.1-1.1) unstable; urgency
 
  -- Samuel Thibault <sthibault at debian.org>  Sun, 16 Mar 2014 20:58:24 +0100
 
+shadow (1:4.1.5.1-1ubuntu9) trusty; urgency=medium
+
+  * Set our subuid and subgid range to 65536 uids by default.
+  * Patch newusers to not add subuids and subgids to system users.
+  * Patch useradd to not add subuids and subgids to system users and to
+    regular users who don't fit between uid_min and uid_max.
+    (This is needed due to adduser not passing --system...)
+
+ -- St��phane Graber <stgraber at ubuntu.com>  Sun, 16 Feb 2014 19:33:48 -0500
+
+shadow (1:4.1.5.1-1ubuntu8) trusty; urgency=medium
+
+  * Fix postinst to create subuid and subgid when missing as those won't
+    get created by usermod or any of the other tools.
+
+ -- St��phane Graber <stgraber at ubuntu.com>  Fri, 17 Jan 2014 16:15:13 -0500
+
+shadow (1:4.1.5.1-1ubuntu7) trusty; urgency=medium
+
+  * Don't ship subuid/subgid as conffiles as that'll just cause problems
+    on upgrades. Instead simply touch them if they're not already present.
+
+ -- St��phane Graber <stgraber at ubuntu.com>  Sun, 12 Jan 2014 12:59:46 -0500
+
+shadow (1:4.1.5.1-1ubuntu6) saucy; urgency=low
+
+  * debian/patches/496_su_kill_process_group: Kill the child process group,
+    rather than just the immediate child; this is needed now that su no
+    longer starts a controlling terminal when not running an interactive
+    shell (closes: #713979).
+
+ -- Colin Watson <cjwatson at ubuntu.com>  Fri, 26 Jul 2013 16:55:52 +0100
+
+shadow (1:4.1.5.1-1ubuntu5) saucy; urgency=low
+
+  [ Serge Hallyn ]
+  * debian/patches/userns: patches from Eric Biederman to enable use of
+    subuids, plus some bugfix patches on top of them. (LP: #1192864)
+  * passwd.install: add new manpages
+  * debian/control, debian/uidmap.install: create new uidmap package
+    containing the new setuid-root binaries newuidmap and newgidmap 
+  * debian/subuid, debian/rules: install a default /etc/subuid and /etc/subgid
+  * debian/patches/userns/16_add-argument-sanity-checking.patch: address
+    three sanity checking concerns brought up by sarnold at
+    http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2013-June/ \
+    009752.html.
+
+ -- Dmitrijs Ledkovs <dmitrij.ledkov at ubuntu.com>  Fri, 28 Jun 2013 11:31:51 +0100
+
+shadow (1:4.1.5.1-1ubuntu4) raring; urgency=low
+
+  * Pass noupdate to pam_motd call for /run/motd.dynamic, to avoid running
+    /etc/update-motd.d/* scripts twice (LP: #1169558).
+
+ -- Colin Watson <cjwatson at ubuntu.com>  Thu, 18 Apr 2013 01:01:45 +0100
+
+shadow (1:4.1.5.1-1ubuntu3) raring; urgency=low
+
+  * Install upstart job by-hand, instead of using dh_installinit to avoid
+    dependency on upstart-job.
+
+ -- Dmitrijs Ledkovs <dmitrij.ledkov at ubuntu.com>  Mon, 18 Mar 2013 03:23:31 +0000
+
+shadow (1:4.1.5.1-1ubuntu2) raring; urgency=low
+
+  * Revert build-dependency from gettext:any to gettext, now that gettext is
+    Multi-Arch: foreign.
+
+ -- Colin Watson <cjwatson at ubuntu.com>  Thu, 29 Nov 2012 15:27:11 +0000
+
+shadow (1:4.1.5.1-1ubuntu1) raring; urgency=low
+
+  * The "Yorkshire Blue" release.
+  * Merge from Debian unstable.  Remaining changes:  
+     - debian/passwd.upstart: Add an upstrat job to clear locks on
+       [shadow-]passwd/group. (LP: #523896).
+     - Build-depend on gettext:any for cross-building support.
+     - Allow LXC devices (lxc/console, lxc/tty[1234]) that we'll start using
+       in LXC with Precise.
+     - debian/login.defs:
+       + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+         handling does not only apply to "former (pre-PAM) uses".
+       + Update documentation of UMASK: Explain that USERGROUPS_ENAB will modify
+         this default for UPGs. (Closes: #583971)
+     - debian/{source_shadow.py,rules}: Add apport hook
+     - debian/patches/495_stdout-encrypted-password: chpasswd can report
+       password hashes on stdout (Debian bug 505640).
+
+  * Dropped changes, merged in Debian:
+     - Fix case of ttyAMA0-3 devices and move them near the ttyAM0-15 ones;
+       Debian #544184; fixes console on Vexpress boards (e.g. in QEMU).
+     - use SHA512 by default for password crypt routine.
+     - debian/rules: fix FTBFS from newer libtools
+     - Mark passwd Multi-Arch: foreign.
+  
+ -- Dmitrijs Ledkovs <dmitrij.ledkov at ubuntu.com>  Tue, 23 Oct 2012 09:59:19 +0100
+
 shadow (1:4.1.5.1-1) unstable; urgency=low
 
   * The "Gruy��re" release.
@@ -421,6 +813,68 @@ shadow (1:4.1.5-1) unstable; urgency=low
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Sun, 12 Feb 2012 22:27:03 +0100
 
+shadow (1:4.1.4.2+svn3283-3ubuntu7) quantal; urgency=low
+
+  * debian/passwd.upstart: Add an upstrat job to clear locks on
+    [shadow-]passwd/group. (LP: #523896).
+
+ -- Dmitrijs Ledkovs <dmitrij.ledkov at ubuntu.com>  Fri, 31 Aug 2012 13:00:33 +0100
+
+shadow (1:4.1.4.2+svn3283-3ubuntu6) quantal; urgency=low
+
+  * debian/source_shadow.py: Fix compatibility with python3. Thanks Edward
+    Donovan! (LP: #1013171)
+
+ -- Martin Pitt <martin.pitt at ubuntu.com>  Mon, 18 Jun 2012 15:09:54 +0200
+
+shadow (1:4.1.4.2+svn3283-3ubuntu5) precise; urgency=low
+
+  * Build-depend on gettext:any for cross-building support.
+
+ -- Colin Watson <cjwatson at ubuntu.com>  Mon, 09 Apr 2012 00:28:03 +0100
+
+shadow (1:4.1.4.2+svn3283-3ubuntu4) precise; urgency=low
+
+  * Allow LXC devices (lxc/console, lxc/tty[1234]) that we'll start using
+    in LXC with Precise.
+
+ -- St��phane Graber <stgraber at ubuntu.com>  Fri, 10 Feb 2012 15:34:05 -0500
+
+shadow (1:4.1.4.2+svn3283-3ubuntu3) precise; urgency=low
+
+  * Fix case of ttyAMA0-3 devices and move them near the ttyAM0-15 ones;
+    Debian #544184; fixes console on Vexpress boards (e.g. in QEMU).
+
+ -- Lo��c Minier <loic.minier at ubuntu.com>  Wed, 30 Nov 2011 22:47:47 +0100
+
+shadow (1:4.1.4.2+svn3283-3ubuntu2) oneiric; urgency=low
+
+  * debian/login.defs:
+    - Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+      handling does not only apply to "former (pre-PAM) uses".
+    - Update documentation of UMASK: Explain that USERGROUPS_ENAB will modify
+      this default for UPGs. (Closes: #583971)
+
+ -- Martin Pitt <martin.pitt at ubuntu.com>  Fri, 24 Jun 2011 11:07:34 +0200
+
+shadow (1:4.1.4.2+svn3283-3ubuntu1) natty; urgency=low
+
+  * The "string cheese" release.
+  * Merge from Debian unstable.  Remaining changes:
+    - Ubuntu specific:
+      + debian/login.defs: use SHA512 by default for password crypt routine.
+    - debian/{source_shadow.py,rules}: Add apport hook
+    - debian/rules: fix FTBFS from newer libtools
+    - debian/patches/495_stdout-encrypted-password: chpasswd can report
+      password hashes on stdout (Debian bug 505640).
+  * Dropped changes, merged in Debian:
+    - debian/patches/300_CVE-2011-0721: reject newlines in GECOS updates.
+    - CVE-2011-0721
+  * Mark passwd Multi-Arch: foreign, so packages that aren't of the same
+    arch can depend on it.
+
+ -- Steve Langasek <steve.langasek at ubuntu.com>  Sun, 20 Feb 2011 15:59:15 -0800
+
 shadow (1:4.1.4.2+svn3283-3) unstable; urgency=high
 
   * The "Trappe d'Echourgnac" release.
@@ -431,6 +885,34 @@ shadow (1:4.1.4.2+svn3283-3) unstable; u
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Mon, 13 Feb 2011 23:20:05 +0100
 
+shadow (1:4.1.4.2+svn3283-2ubuntu3) natty; urgency=low
+
+  * SECURITY UPDATE: could inject NIS groups memberships into /etc/passwd.
+    - debian/patches/300_CVE-2011-0721: reject newlines in GECOS updates.
+    - CVE-2011-0721
+
+ -- Kees Cook <kees at ubuntu.com>  Tue, 15 Feb 2011 13:57:01 -0800
+
+shadow (1:4.1.4.2+svn3283-2ubuntu2) natty; urgency=low
+
+  * debian/patches/495_stdout-encrypted-password: adjust patch for changes 
+    in src/chpasswd.c to fix FTBFS
+
+ -- Oliver Grawert <ogra at ubuntu.com>  Tue, 04 Jan 2011 15:48:49 +0100
+
+shadow (1:4.1.4.2+svn3283-2ubuntu1) natty; urgency=low
+
+  * Merge from debian unstable.  Remaining changes:
+    - Ubuntu specific:
+      + debian/login.defs: use SHA512 by default for password crypt routine.
+    - debian/{source_shadow.py,rules}: Add apport hook
+    - debian/rules: fix FTBFS from newer libtools
+    - debian/patches/495_stdout-encrypted-password: chpasswd can report
+      password hashes on stdout (Debian bug 505640).
+    - Rework 495_stdout-encrypted-password to cope with chpasswd using PAM.
+
+ -- Oliver Grawert <ogra at ubuntu.com>  Wed, 24 Nov 2010 13:42:42 +0100
+
 shadow (1:4.1.4.2+svn3283-2) unstable; urgency=low
 
   * The "Bleu du Vercors-Sassenage" release.
@@ -502,6 +984,32 @@ shadow (1:4.1.4.2+svn3283-1) unstable; u
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Sun, 29 Aug 2010 21:14:12 +0200
 
+shadow (1:4.1.4.2-1ubuntu3) maverick; urgency=low
+
+  * add ttyO0-3 to debian/securetty.linux, if OMAP kernels are built with
+    TI's DMA-offloaded driver instead of the default 8250 one the serial tty's
+    are called like that (LP: #512845).
+
+ -- Oliver Grawert <ogra at ubuntu.com>  Tue, 31 Aug 2010 14:45:17 +0200
+
+shadow (1:4.1.4.2-1ubuntu2) lucid; urgency=low
+
+  * debian/{source_shadow.py,rules}: Add apport hook
+  * debian/rules: fix FTBFS from newer libtools
+
+ -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Tue, 26 Jan 2010 08:54:59 -0500
+
+shadow (1:4.1.4.2-1ubuntu1) lucid; urgency=low
+
+  * Merged with debian unstable. Remaning changes (LP: #477299):
+    - Ubuntu specific:
+      + debian/login.defs: use SHA512 by default for password crypt routine.
+    - debian/patches/495_stdout-encrypted-password: chpasswd can report
+      password hashes on stdout (Debian bug 505640).
+    - Rework 495_stdout-encrypted-password to cope with chpasswd using PAM.
+
+ -- Nicolas Valc��rcel Scerpella (Canonical) <nvalcarcel at canonical.com>  Sat, 07 Nov 2009 04:55:18 -0500
+
 shadow (1:4.1.4.2-1) unstable; urgency=low
 
   * The "Tome des Bauges" release.
@@ -529,6 +1037,25 @@ shadow (1:4.1.4.2-1) unstable; urgency=l
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Fri, 24 Jul 2009 05:03:23 +0200
 
+shadow (1:4.1.4.1-1ubuntu2) karmic; urgency=low
+
+  * debian/securetty.linux: also list ttyS2 and ttyS3; beagleboard uses ttyS2
+    as serial port.
+
+ -- Lo��c Minier <loic.minier at ubuntu.com>  Fri, 31 Jul 2009 15:34:56 +0200
+
+shadow (1:4.1.4.1-1ubuntu1) karmic; urgency=low
+
+  * Resynchronise with Debian. Remaining changes:
+    - Ubuntu specific:
+      + debian/login.defs: use SHA512 by default for password crypt routine.
+    - debian/patches/495_stdout-encrypted-password: chpasswd can report
+      password hashes on stdout (Debian bug 505640).
+  * Rework 495_stdout-encrypted-password to cope with chpasswd using PAM.
+    It's looking a bit ugly now ...
+
+ -- Colin Watson <cjwatson at ubuntu.com>  Wed, 03 Jun 2009 11:16:51 +0100
+
 shadow (1:4.1.4.1-1) unstable; urgency=low
 
   * The "Chevrotin" release.
@@ -616,6 +1143,21 @@ shadow (1:4.1.4-1) unstable; urgency=low
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Mon, 11 May 2009 00:25:11 +0200
 
+shadow (1:4.1.3.1-1ubuntu1) karmic; urgency=low
+
+  * Merge from debian unstable, remaining changes:
+    - Ubuntu specific:
+      + debian/login.defs: use SHA512 by default for password crypt routine.
+    - debian/patches/stdout-encrypted-password.patch: chpasswd can report
+      password hashes on stdout (debian bug 505640).
+    - debian/login.pam: Enable SELinux support (debian bug 527106).
+    - debian/securetty.linux: support Freescale MX-series (debian bug 527095).
+  * Add debian/patches/300_lastlog_failure: fixed upstream (debian bug 524873).
+  * Drop debian/patches/593_omit_lastchange_field_if_clock_is_misset: fixed
+    upstream.
+
+ -- Kees Cook <kees at ubuntu.com>  Tue, 05 May 2009 09:45:21 -0700
+
 shadow (1:4.1.3.1-1) unstable; urgency=low
 
   * The "Le Puant Mac��r��" release.
@@ -711,6 +1253,108 @@ shadow (1:4.1.3-1) unstable; urgency=low
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Tue, 14 Apr 2009 23:33:22 +0200
 
+shadow (1:4.1.1-6ubuntu6) jaunty; urgency=low
+
+  * debian/login.preinst: fix typo in grep (LP: #354887).
+
+ -- Kees Cook <kees at ubuntu.com>  Fri, 03 Apr 2009 22:12:07 -0700
+
+shadow (1:4.1.1-6ubuntu5) jaunty; urgency=low
+
+  * debian/login.preinst: add special-case handling to restore the
+    original white-space in /etc/login.defs that is changed by
+    system-tools-backends (LP: #316756).
+
+ -- Kees Cook <kees at ubuntu.com>  Fri, 03 Apr 2009 14:33:43 -0700
+
+shadow (1:4.1.1-6ubuntu4) jaunty; urgency=low
+
+  * debian/patches/593_omit_lastchange_field_if_clock_is_misset (LP: #349504)
+    - If the system clock is set to Jan 01, 1970, and a new user is created
+      the last changed field gets set to 0, which tells login that the 
+      password is expired and must be changed. During installation, 
+      this can cause autologin to fail. Having the clock set to 01/01/1970
+      on a fresh install is common on the ARM architecture, so this is a high
+      priority bug since its likely to affect most ARM users on first install
+
+ -- Michael Casadevall <mcasadevall at ubuntu.com>  Thu, 02 Apr 2009 14:05:31 -0400
+
+shadow (1:4.1.1-6ubuntu3) jaunty; urgency=low
+
+  [ Bryan McLellan ]
+  * Don't do the vm-builder root password check on fresh installations
+    (LP: #340841).
+
+ -- Colin Watson <cjwatson at ubuntu.com>  Tue, 17 Mar 2009 13:32:55 +0000
+
+shadow (1:4.1.1-6ubuntu2) jaunty; urgency=low
+
+  * debian/securetty.linux (LP: #316841)
+    - Updated securetty support for Freescale MX-series boards
+
+ -- Michael Casadevall <sonicmctails at gmail.com>  Tue, 13 Jan 2009 12:56:38 -0500
+
+shadow (1:4.1.1-6ubuntu1) jaunty; urgency=low
+
+  * Merge from debian unstable, remaining changes:
+    - Ubuntu specific:
+      + debian/login.pam: Enable SELinux support in login.pam.
+      + debian/rules: regenerate autoconf to avoid libtool-caused FTBFS.
+      + debian/login.defs: use SHA512 by default for password crypt routine.
+      + debian/passwd.postinst: disable the root password for virtual
+        machines created with vm-builder on Ubuntu 8.10.
+    - debian/patches/stdout-encrypted-password.patch: allow chpasswd to
+      report encrypted passwords to stdout for tools needing encrypted
+      passwords (debian bug 505640).
+
+ -- Kees Cook <kees at ubuntu.com>  Mon, 08 Dec 2008 00:44:46 -0800
+
+shadow (1:4.1.1-6) unstable; urgency=medium
+
+  * The "Rollot" release.
+  * debian/patches/303_login_symlink_attack: Fix a race condition that could
+    lead to gaining ownership or changing mode of arbitrary files.
+    Closes: #505271 
+  * debian/patches/304_su.1_synopsis: Fix the su synopsis. username is
+    referenced in the manpage, not LOGIN. Closes: #501830
+  * debian/patches/305_login.1_japanese: Fix the path of the utmp and wtmp
+    files. Closes: #501353
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Fri, 14 Nov 2008 21:52:42 +0100
+
+shadow (1:4.1.1-5ubuntu3) jaunty; urgency=low
+
+  * disable the root password for virtual machines created with vm-builder
+    on Ubuntu 8.10. (LP: #296841)
+
+ -- Jamie Strandboge <jamie at ubuntu.com>  Thu, 13 Nov 2008 20:32:42 -0600
+
+shadow (1:4.1.1-5ubuntu2) jaunty; urgency=low
+
+  * debian/login.defs: use SHA512 by default for password crypt routine
+    (LP: #51551, currently Ubuntu specific).
+  * debian/patches/stdout-encrypted-password.patch: allow chpasswd to report
+    encrypted passwords to stdout for tools needing encrypted passwords
+    (debian bug 505640).
+  * debian/rules: regenerate autoconf to avoid libtool-caused FTBFS.
+
+ -- Kees Cook <kees at ubuntu.com>  Thu, 13 Nov 2008 16:43:48 -0800
+
+shadow (1:4.1.1-5ubuntu1) jaunty; urgency=low
+
+  * Merge from debian unstable, remaining changes:
+    - debian/login.pam: Enable SELinux support in login.pam.
+
+ -- Scott James Remnant <scott at ubuntu.com>  Wed, 05 Nov 2008 07:26:43 +0000
+
+shadow (1:4.1.1-5) unstable; urgency=low
+
+  * The "Bergues" release.
+  * debian/login.pam: restore the Etch behavior of pam_securetty.so in case of
+    unknown user. Closes: #443322, #495831
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Sun, 14 Sep 2008 19:13:34 +0200
+
 shadow (1:4.1.1-4) unstable; urgency=low
 
   * The "Rocamadour" release.
@@ -788,6 +1432,13 @@ shadow (1:4.1.1-2) unstable; urgency=low
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Fri, 13 Jun 2008 01:27:16 +0200
 
+shadow (1:4.1.1-1ubuntu1) intrepid; urgency=low
+
+  * Merge from debian unstable, remaining changes:
+    - debian/login.pam: Enable SELinux support in login.pam.
+
+ -- Kees Cook <kees at ubuntu.com>  Mon, 09 Jun 2008 10:08:38 -0700
+
 shadow (1:4.1.1-1) unstable; urgency=low
 
   * New upstream release. This closes the following bugs:
@@ -913,6 +1564,20 @@ shadow (1:4.1.0-1) unstable; urgency=low
 
  -- Christian Perrier <bubulle at debian.org>  Sat, 12 Jan 2008 20:40:02 +0100
 
+shadow (1:4.0.18.2-1ubuntu2) hardy; urgency=low
+
+  * Add 498_make_useradd_faster_with_ldap: make useradd faster when
+    nsswitch uses LDAP or some other remote names database (LP: #120015),
+    thanks to Vince Busam.
+
+ -- Matt T. Proud <mtp at google.com>  Fri, 08 Feb 2008 18:30:51 -0800
+
+shadow (1:4.0.18.2-1ubuntu1) hardy; urgency=low
+
+  * debian/login.pam: Enable SELinux support in login.pam (LP: #191326).
+
+ -- Caleb Case <ccase at tresys.com>  Fri, 08 Feb 2008 02:20:06 -0500
+
 shadow (1:4.0.18.2-1) unstable; urgency=low
 
   * The "Vacherin" release.
@@ -1855,7 +2520,7 @@ shadow (1:4.0.12-5) unstable; urgency=lo
   * Really add /etc/pam.d/su. Closes: #330291
   
  -- Christian Perrier <bubulle at debian.org>  Wed, 28 Sep 2005 19:59:31 +0200
-   
+
 shadow (1:4.0.12-4) unstable; urgency=low
 
   * The "Epoisses" release
@@ -3187,7 +3852,7 @@ shadow (20000902-6.1) unstable; urgency=
   * Upgrade to latest config.sub and config.guess.  Closes: #88547
  
  -- Gerhard Tonn <gt at debian.org>  Fri,  1 Jun 2001 20:38:43 +0200
-                                                              
+
 shadow (20000902-6) unstable; urgency=medium
 
   * actually set root's password when appropriate
diff -pruN 1:4.5-1.1/debian/control 1:4.5-1.1ubuntu1/debian/control
--- 1:4.5-1.1/debian/control	2018-07-26 15:41:12.000000000 +0000
+++ 1:4.5-1.1ubuntu1/debian/control	2018-07-27 16:50:51.000000000 +0000
@@ -1,5 +1,6 @@
 Source: shadow
-Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
+XSBC-Original-Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
 Uploaders: Christian Perrier <bubulle at debian.org>,
            Balint Reczey <rbalint at ubuntu.com>,
            Serge Hallyn <serge at hallyn.com>
diff -pruN 1:4.5-1.1/debian/login.defs 1:4.5-1.1ubuntu1/debian/login.defs
--- 1:4.5-1.1/debian/login.defs	2017-09-27 16:45:23.000000000 +0000
+++ 1:4.5-1.1ubuntu1/debian/login.defs	2018-07-27 16:50:51.000000000 +0000
@@ -214,13 +214,14 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
 # If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #
-# Other former uses of this variable such as setting the umask when
-# user==primary group are not used in PAM environments, such as Debian
-#
 USERGROUPS_ENAB yes
 
 #
diff -pruN 1:4.5-1.1/debian/passwd.maintscript 1:4.5-1.1ubuntu1/debian/passwd.maintscript
--- 1:4.5-1.1/debian/passwd.maintscript	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.5-1.1ubuntu1/debian/passwd.maintscript	2018-01-25 15:09:22.000000000 +0000
@@ -0,0 +1 @@
+rm_conffile /etc/init/passwd.conf 1:4.2-3.2ubuntu4~ passwd
diff -pruN 1:4.5-1.1/debian/patches/1010_extrausers.patch 1:4.5-1.1ubuntu1/debian/patches/1010_extrausers.patch
--- 1:4.5-1.1/debian/patches/1010_extrausers.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.5-1.1ubuntu1/debian/patches/1010_extrausers.patch	2018-01-25 15:09:22.000000000 +0000
@@ -0,0 +1,260 @@
+Description: Add support to passwd for updating libnss-extrausers locations
+Author: Michael Terry <michael.terry at canonical.com>
+
+--- a/lib/defines.h
++++ b/lib/defines.h
+@@ -316,6 +316,14 @@
+ #endif
+ #endif
+ 
++#ifndef EXTRAUSERS_PASSWD_FILE
++#define EXTRAUSERS_PASSWD_FILE "/var/lib/extrausers/passwd"
++#endif
++
++#ifndef EXTRAUSERS_SHADOW_FILE
++#define EXTRAUSERS_SHADOW_FILE "/var/lib/extrausers/shadow"
++#endif
++
+ #ifndef NULL
+ #define NULL ((void *) 0)
+ #endif
+--- a/src/passwd.c
++++ b/src/passwd.c
+@@ -565,8 +565,15 @@
+ {
+ 	const struct passwd *pw;
+ 	struct passwd *npw;
++	bool try_extrausers = strcmp (pw_dbname (), EXTRAUSERS_PASSWD_FILE) != 0 &&
++	                      access (EXTRAUSERS_PASSWD_FILE, F_OK) == 0;
+ 
+ 	if (pw_lock () == 0) {
++		if (try_extrausers) {
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			update_noshadow ();
++			return;
++		}
+ 		(void) fprintf (stderr,
+ 		                _("%s: cannot lock %s; try again later.\n"),
+ 		                Prog, pw_dbname ());
+@@ -574,6 +581,20 @@
+ 	}
+ 	pw_locked = true;
+ 	if (pw_open (O_CREAT | O_RDWR) == 0) {
++		if (try_extrausers) {
++			if (pw_unlock () == 0) {
++				(void) fprintf (stderr,
++				                _("%s: failed to unlock %s\n"),
++				                Prog, pw_dbname ());
++				SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
++				/* continue */
++			}
++			pw_locked = false;
++
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			update_noshadow ();
++			return;
++		}
+ 		(void) fprintf (stderr,
+ 		                _("%s: cannot open %s\n"),
+ 		                Prog, pw_dbname ());
+@@ -582,6 +603,21 @@
+ 	}
+ 	pw = pw_locate (name);
+ 	if (NULL == pw) {
++		if (try_extrausers) {
++			(void) pw_close ();
++			if (pw_unlock () == 0) {
++				(void) fprintf (stderr,
++				                _("%s: failed to unlock %s\n"),
++				                Prog, pw_dbname ());
++				SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
++				/* continue */
++			}
++			pw_locked = false;
++
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			update_noshadow ();
++			return;
++		}
+ 		(void) fprintf (stderr,
+ 		                _("%s: user '%s' does not exist in %s\n"),
+ 		                Prog, name, pw_dbname ());
+@@ -619,8 +655,15 @@
+ {
+ 	const struct spwd *sp;
+ 	struct spwd *nsp;
++	bool try_extrausers = strcmp (spw_dbname (), EXTRAUSERS_SHADOW_FILE) != 0 &&
++	                      access (EXTRAUSERS_SHADOW_FILE, F_OK) == 0;
+ 
+ 	if (spw_lock () == 0) {
++		if (try_extrausers) {
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			update_shadow ();
++			return;
++		}
+ 		(void) fprintf (stderr,
+ 		                _("%s: cannot lock %s; try again later.\n"),
+ 		                Prog, spw_dbname ());
+@@ -628,6 +671,20 @@
+ 	}
+ 	spw_locked = true;
+ 	if (spw_open (O_CREAT | O_RDWR) == 0) {
++		if (try_extrausers) {
++			if (spw_unlock () == 0) {
++				(void) fprintf (stderr,
++						        _("%s: failed to unlock %s\n"),
++						        Prog, spw_dbname ());
++				SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
++				/* continue */
++			}
++			spw_locked = false;
++
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			update_shadow ();
++			return;
++		}
+ 		(void) fprintf (stderr,
+ 		                _("%s: cannot open %s\n"),
+ 		                Prog, spw_dbname ());
+@@ -638,7 +695,9 @@
+ 	if (NULL == sp) {
+ 		/* Try to update the password in /etc/passwd instead. */
+ 		(void) spw_close ();
+-		update_noshadow ();
++		if (!try_extrausers) {
++			update_noshadow ();
++		}
+ 		if (spw_unlock () == 0) {
+ 			(void) fprintf (stderr,
+ 			                _("%s: failed to unlock %s\n"),
+@@ -647,6 +706,10 @@
+ 			/* continue */
+ 		}
+ 		spw_locked = false;
++		if (try_extrausers) {
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			update_shadow ();
++		}
+ 		return;
+ 	}
+ 	nsp = __spw_dup (sp);
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -398,6 +398,7 @@
+ int commonio_lock (struct commonio_db *db)
+ {
+ #ifdef HAVE_LCKPWDF
++  if (strncmp(db->filename, "/etc/", 5) == 0) {
+ 	/*
+ 	 * only if the system libc has a real lckpwdf() - the one from
+ 	 * lockpw.c calls us and would cause infinite recursion!
+@@ -425,7 +426,9 @@
+ 
+ 	ulckpwdf ();
+ 	return 0;		/* failure */
+-#else				/* !HAVE_LCKPWDF */
++  } else /* strncmp(db->filename, "/etc/", 5) == 0 */
++#endif				/* HAVE_LCKPWDF */
++  {
+ 	int i;
+ 
+ 	/*
+@@ -453,7 +456,7 @@
+ 		}
+ 	}
+ 	return 0;		/* failure */
+-#endif				/* !HAVE_LCKPWDF */
++  }
+ }
+ 
+ static void dec_lock_count (void)
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -1525,7 +1525,16 @@
+  */
+ static void open_files (void)
+ {
++	bool try_extrausers = strcmp (pw_dbname (), EXTRAUSERS_PASSWD_FILE) != 0 &&
++	                      access (EXTRAUSERS_PASSWD_FILE, F_OK) == 0;
++
+ 	if (pw_lock () == 0) {
++		if (try_extrausers) {
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			open_files ();
++			return;
++		}
+ 		fprintf (stderr,
+ 		         _("%s: cannot lock %s; try again later.\n"),
+ 		         Prog, pw_dbname ());
+@@ -1533,12 +1542,29 @@
+ 	}
+ 	pw_locked = true;
+ 	if (pw_open (O_CREAT | O_RDWR) == 0) {
++		if (try_extrausers) {
++			pw_unlock ();
++			pw_locked = false;
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			open_files ();
++			return;
++		}
+ 		fprintf (stderr,
+ 		         _("%s: cannot open %s\n"),
+ 		         Prog, pw_dbname ());
+ 		fail_exit (E_PW_UPDATE);
+ 	}
+ 	if (is_shadow_pwd && (spw_lock () == 0)) {
++		if (try_extrausers) {
++			pw_close ();
++			pw_unlock ();
++			pw_locked = false;
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			open_files ();
++			return;
++		}
+ 		fprintf (stderr,
+ 		         _("%s: cannot lock %s; try again later.\n"),
+ 		         Prog, spw_dbname ());
+@@ -1546,6 +1572,17 @@
+ 	}
+ 	spw_locked = true;
+ 	if (is_shadow_pwd && (spw_open (O_CREAT | O_RDWR) == 0)) {
++		if (try_extrausers) {
++			pw_close ();
++			pw_unlock ();
++			spw_unlock ();
++			pw_locked = false;
++			spw_locked = false;
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			open_files ();
++			return;
++		}
+ 		fprintf (stderr,
+ 		         _("%s: cannot open %s\n"),
+ 		         Prog, spw_dbname ());
+@@ -1634,11 +1671,22 @@
+ 	struct spwd spent;
+ 	const struct spwd *spwd = NULL;
+ 
++	bool try_extrausers = strcmp (pw_dbname (), EXTRAUSERS_PASSWD_FILE) != 0 &&
++	                      access (EXTRAUSERS_PASSWD_FILE, F_OK) == 0;
++
+ 	/*
+ 	 * Locate the entry in /etc/passwd, which MUST exist.
+ 	 */
+ 	pwd = pw_locate (user_name);
+ 	if (NULL == pwd) {
++		if (try_extrausers) {
++			close_files ();
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			open_files ();
++			usr_update ();
++			return;
++		}
+ 		fprintf (stderr,
+ 		         _("%s: user '%s' does not exist in %s\n"),
+ 		         Prog, user_name, pw_dbname ());
diff -pruN 1:4.5-1.1/debian/patches/1011_extrausers_toggle.patch 1:4.5-1.1ubuntu1/debian/patches/1011_extrausers_toggle.patch
--- 1:4.5-1.1/debian/patches/1011_extrausers_toggle.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.5-1.1ubuntu1/debian/patches/1011_extrausers_toggle.patch	2018-01-25 15:09:22.000000000 +0000
@@ -0,0 +1,144 @@
+--- a/lib/defines.h
++++ b/lib/defines.h
+@@ -324,6 +324,22 @@
+ #define EXTRAUSERS_SHADOW_FILE "/var/lib/extrausers/shadow"
+ #endif
+ 
++#ifndef EXTRAUSERS_GROUP_FILE
++#define EXTRAUSERS_GROUP_FILE "/var/lib/extrausers/group"
++#endif
++
++#ifndef EXTRAUSERS_SHADOWGROUP_FILE
++#define EXTRAUSERS_SHADOWGROUP_FILE "/var/lib/extrausers/gshadow"
++#endif
++
++#ifndef EXTRAUSERS_SUBUID_FILE
++#define EXTRAUSERS_SUBUID_FILE "/var/lib/extrausers/subuid"
++#endif
++
++#ifndef EXTRAUSERS_SUBGID_FILE
++#define EXTRAUSERS_SUBGID_FILE "/var/lib/extrausers/subgid"
++#endif
++
+ #ifndef NULL
+ #define NULL ((void *) 0)
+ #endif
+--- a/src/groupadd.c
++++ b/src/groupadd.c
+@@ -102,6 +102,12 @@
+ static void check_flags (void);
+ static void check_perms (void);
+ 
++#ifndef EXTRAUSERS_OPT
++#define EXTRAUSERS_OPT 100000
++#endif
++
++static bool use_extrausers = false;
++
+ /*
+  * usage - display usage message and exit
+  */
+@@ -123,6 +129,7 @@
+ 	(void) fputs (_("  -p, --password PASSWORD       use this encrypted password for the new group\n"), usageout);
+ 	(void) fputs (_("  -r, --system                  create a system account\n"), usageout);
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
++	(void) fputs (_("      --extrausers              Use the extra users database\n"), usageout);
+ 	(void) fputs ("\n", usageout);
+ 	exit (status);
+ }
+@@ -386,12 +393,16 @@
+ 		{"password",   required_argument, NULL, 'p'},
+ 		{"system",     no_argument,       NULL, 'r'},
+ 		{"root",       required_argument, NULL, 'R'},
++        {"extrausers", no_argument,       NULL, EXTRAUSERS_OPT},
+ 		{NULL, 0, NULL, '\0'}
+ 	};
+ 
+ 	while ((c = getopt_long (argc, argv, "fg:hK:op:rR:",
+ 		                 long_options, NULL)) != -1) {
+ 		switch (c) {
++        case EXTRAUSERS_OPT:
++            use_extrausers = true;
++            break;
+ 		case 'f':
+ 			/*
+ 			 * "force" - do nothing, just exit(0), if the
+@@ -598,7 +609,18 @@
+ 
+ 	check_perms ();
+ 
++    if (use_extrausers) {
++		fprintf (stderr, "ENTER EXTRAUSERS_GROUP_FILE");
++        gr_setdbname (EXTRAUSERS_GROUP_FILE);
++		fprintf (stderr, "EXIT EXTRAUSERS_GROUP_FILE");
++    }
++
+ #ifdef SHADOWGRP
++    if (use_extrausers) {
++		fprintf (stderr, "ENTER EXTRAUSERS_SHADOWGROUP_FILE");
++        sgr_setdbname (EXTRAUSERS_SHADOWGROUP_FILE);
++		fprintf (stderr, "EXIT EXTRAUSERS_SHADOWGROUP_FILE");
++    }
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
+ 
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -143,6 +143,12 @@
+ static long sys_ngroups;
+ static bool do_grp_update = false;	/* group files need to be updated */
+ 
++#ifndef EXTRAUSERS_OPT
++#define EXTRAUSERS_OPT 100000
++#endif
++
++static bool use_extrausers = false;
++
+ static bool
+     bflg = false,		/* new default root of home directory */
+     cflg = false,		/* comment (GECOS) field for new account */
+@@ -781,6 +787,7 @@
+ #ifdef WITH_SELINUX
+ 	(void) fputs (_("  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping\n"), usageout);
+ #endif				/* WITH_SELINUX */
++	(void) fputs (_("      --extrausers              Use the extra users database\n"), usageout);
+ 	(void) fputs ("\n", usageout);
+ 	exit (status);
+ }
+@@ -1055,6 +1062,7 @@
+ #ifdef WITH_SELINUX
+ 			{"selinux-user",   required_argument, NULL, 'Z'},
+ #endif				/* WITH_SELINUX */
++			{"extrausers",     no_argument,       NULL, EXTRAUSERS_OPT},
+ 			{NULL, 0, NULL, '\0'}
+ 		};
+ 		while ((c = getopt_long (argc, argv,
+@@ -1065,6 +1073,9 @@
+ #endif				/* !WITH_SELINUX */
+ 		                         long_options, NULL)) != -1) {
+ 			switch (c) {
++			case EXTRAUSERS_OPT:
++                use_extrausers = true;
++                break;
+ 			case 'b':
+ 				if (   ( !VALID (optarg) )
+ 				    || ( optarg[0] != '/' )) {
+@@ -2181,6 +2192,18 @@
+ 		}
+ 	}
+ 
++    if (use_extrausers) {
++        pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++        spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++        gr_setdbname (EXTRAUSERS_GROUP_FILE);
++        /* TODO expose this information in other tools */
++        sub_uid_setdbname(EXTRAUSERS_SUBUID_FILE);
++        sub_gid_setdbname(EXTRAUSERS_SUBGID_FILE);
++#ifdef SHADOWGRP
++        sgr_setdbname (EXTRAUSERS_SHADOWGROUP_FILE);
++#endif
++    }
++
+ 	/*
+ 	 * Do the hard stuff:
+ 	 * - open the files,
diff -pruN 1:4.5-1.1/debian/patches/1012_extrausers_chfn.patch 1:4.5-1.1ubuntu1/debian/patches/1012_extrausers_chfn.patch
--- 1:4.5-1.1/debian/patches/1012_extrausers_chfn.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.5-1.1ubuntu1/debian/patches/1012_extrausers_chfn.patch	2018-01-25 15:09:22.000000000 +0000
@@ -0,0 +1,64 @@
+Description: add support for --extrausers for chfn
+ This add support for --extrausers to the chfn tool.
+Author: Michael Vogt <mvo at ubuntu.com>
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1495580
+
+--- shadow-4.2.orig/src/chfn.c
++++ shadow-4.2/src/chfn.c
+@@ -74,6 +74,11 @@ static bool hflg = false;		/* -h - set h
+ static bool oflg = false;		/* -o - set other information        */
+ static bool pw_locked = false;
+ 
++#ifndef EXTRAUSERS_OPT
++#define EXTRAUSERS_OPT 100000
++#endif
++static bool use_extrausers = false;
++
+ /*
+  * External identifiers
+  */
+@@ -126,6 +131,7 @@ static /*@noreturn@*/void usage (int sta
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
+ 	(void) fputs (_("  -u, --help                    display this help message and exit\n"), usageout);
+ 	(void) fputs (_("  -w, --work-phone WORK_PHONE   change user's office phone number\n"), usageout);
++	(void) fputs (_("      --extrausers              Use the extra users database\n"), usageout);        
+ 	(void) fputs ("\n", usageout);
+ 	exit (status);
+ }
+@@ -276,6 +282,7 @@ static void process_flags (int argc, cha
+ 		{"root",       required_argument, NULL, 'R'},
+ 		{"help",       no_argument,       NULL, 'u'},
+ 		{"work-phone", required_argument, NULL, 'w'},
++                {"extrausers", no_argument, NULL, EXTRAUSERS_OPT},
+ 		{NULL, 0, NULL, '\0'}
+ 	};
+ 
+@@ -289,6 +296,9 @@ static void process_flags (int argc, cha
+ 	while ((c = getopt_long (argc, argv, "f:h:o:r:R:uw:",
+ 	                         long_options, NULL)) != -1) {
+ 		switch (c) {
++                case EXTRAUSERS_OPT:
++                   use_extrausers = true;
++                   break;
+ 		case 'f':
+ 			if (!may_change_field ('f')) {
+ 				fprintf (stderr,
+@@ -657,6 +667,18 @@ int main (int argc, char **argv)
+ 	/* parse the command line options */
+ 	process_flags (argc, argv);
+ 
++        if (use_extrausers) {
++           pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++           spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++           gr_setdbname (EXTRAUSERS_GROUP_FILE);
++           /* TODO expose this information in other tools */
++           sub_uid_setdbname(EXTRAUSERS_SUBUID_FILE);
++           sub_gid_setdbname(EXTRAUSERS_SUBGID_FILE);
++#ifdef SHADOWGRP
++           sgr_setdbname (EXTRAUSERS_SHADOWGROUP_FILE);
++#endif
++        }
++        
+ 	/*
+ 	 * Get the name of the user to check. It is either the command line
+ 	 * name, or the name getlogin() returns.
diff -pruN 1:4.5-1.1/debian/patches/series 1:4.5-1.1ubuntu1/debian/patches/series
--- 1:4.5-1.1/debian/patches/series	2017-09-27 16:45:23.000000000 +0000
+++ 1:4.5-1.1ubuntu1/debian/patches/series	2018-07-27 16:50:52.000000000 +0000
@@ -14,3 +14,6 @@
 508_nologin_in_usr_sbin
 505_useradd_recommend_adduser
 501_commonio_group_shadow
+1010_extrausers.patch
+1011_extrausers_toggle.patch
+1012_extrausers_chfn.patch
diff -pruN 1:4.5-1.1/debian/rules 1:4.5-1.1ubuntu1/debian/rules
--- 1:4.5-1.1/debian/rules	2018-06-18 19:06:11.000000000 +0000
+++ 1:4.5-1.1ubuntu1/debian/rules	2018-07-27 16:50:51.000000000 +0000
@@ -52,6 +52,8 @@ endif
 	dh_installpam -p login
 	install -c -m 444 debian/login.defs debian/login/etc/login.defs
 	install -c -m 444 debian/securetty.$(DEB_HOST_ARCH_OS) debian/login/etc/securetty
+	install -d debian/login/usr/share/apport/package-hooks
+	install -c -m 644 debian/source_shadow.py debian/login/usr/share/apport/package-hooks/source_shadow.py
 	dh_lintian -p login
 
 binary-install/passwd::
diff -pruN 1:4.5-1.1/debian/source_shadow.py 1:4.5-1.1ubuntu1/debian/source_shadow.py
--- 1:4.5-1.1/debian/source_shadow.py	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.5-1.1ubuntu1/debian/source_shadow.py	2018-01-25 15:09:22.000000000 +0000
@@ -0,0 +1,26 @@
+#!/usr/bin/python
+
+'''Apport package hook for shadow
+
+(c) 2010 Canonical Ltd.
+Contributors:
+Marc Deslauriers <marc.deslauriers at canonical.com>
+
+This program is free software; you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by the
+Free Software Foundation; either version 2 of the License, or (at your
+option) any later version.  See http://www.gnu.org/copyleft/gpl.html for
+the full text of the license.
+'''
+
+from apport.hookutils import *
+
+def add_info(report):
+
+    attach_file_if_exists(report, '/etc/login.defs', 'LoginDefs')
+
+if __name__ == '__main__':
+    report = {}
+    add_info(report)
+    for key in report:
+        print('[%s]\n%s' % (key, report[key]))


More information about the Pkg-shadow-devel mailing list