[Pkg-shadow-devel] Ubuntu (new upstream) shadow 1:4.8.1-2ubuntu1

Ubuntu Merge-o-Matic mom at ubuntu.com
Wed Dec 1 00:42:05 GMT 2021


This e-mail has been sent due to an upload to Ubuntu of a new upstream
version which still contains Ubuntu changes.  It contains the difference
between the Ubuntu version and the equivalent base version in Debian, note
that this difference may include the upstream changes.
-------------- next part --------------
Format: 1.8
Date: Mon, 15 Nov 2021 16:13:44 -0600
Source: shadow
Binary: passwd login uidmap
Architecture: source
Version: 1:4.8.1-2ubuntu1
Distribution: jammy
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: William 'jawn-smith' Wilson <jawn-smith at ubuntu.com>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
 uidmap     - programs to help use subuids
Closes: 989712 992578 998633
Launchpad-Bugs-Fixed: 1951161
Changes: 
 shadow (1:4.8.1-2ubuntu1) jammy; urgency=low
 .
   * Merge from Debian unstable (LP: #1951161). Remaining changes:
     - debian/login.defs:
       + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
         handling does not only apply to "former (pre-PAM) uses".
       + Update documentation of UMASK: Explain that USERGROUPS_ENAB
         will modify this default for UPGs.
       + Enable private home directories by default
     - debian/{source_shadow.py,login.install}: Add apport hook
     - debian/patches/1010_extrausers.patch: Add support to passwd for
       libnss-extrausers
     - debian/patches/1011_extrausers_toggle.patch: extrausers support for
       useradd and groupadd
     - debian/patches/1014_extrausers_delgroup.patch
       + add --extrausers option to "groupdel"
     - debian/patches/1013_extrausers_deluser.patch
       + add --extrausers option to "userdel"
     - debian/patches/1012_extrausers_chfn.patch
       + add support for --extrausers to the chfn tool
     - debian/patches/1015_add_zsys_support.patch
       + Call zsys to handle home directory if available.
     - debian/patches/1016_extrausers_gpasswd.patch
       + Add support for extrausers in gpasswd.
     - debian/patches/506_relaxed_usernames.patch
       + disallow purely numeric usernames
   * Dropped changes, included in Debian:
     - debian/passwd.maintscripts: Clean up upstart configuration
 .
 shadow (1:4.8.1-2) unstable; urgency=medium
 .
   * debian/control: Switch to libsemanage-dev from libsemanage1-dev
     (Closes: #998633)
   * ACK NMU, thanks for all the changes
   * Make passwd recommend sensible-utils because vipw uses sensible-editor
   * Add files to debian/not-installed or install them when they were missed
     This change ships a few more man page translations
   * debian/control: Bump debhelper-compat version to 13
   * List man pages to install in debian/*.manpages instead of in
     debian/*.install
   * Clean up debian/control using 'cme fix dpkg-control'
   * Rename deprecated debian/passwd.tmpfile to debian/passwd.tmpfiles
   * debian/control: Revert to my personal email address in the Maintainer field
 .
 shadow (1:4.8.1-1.1) unstable; urgency=medium
 .
   [ Johannes Schauer Marin Rodrigues ]
   * Non-maintainer upload.
 .
   [ Niels Thykier ]
   * Remove obsolete login.preinst
   * Remove obsolete code from passwd maintscripts
 .
   [ Helmut Grohne ]
   * logoutd is gone since at least buster (closes: #989712)
   * Delete duplicate subuid/subgid creation.
   * login.postinstd support for DPKG_ROOT (closes: #992578)
Checksums-Sha1: 
 291bf434d9896cebb0f07d809db93029d10aa809 2381 shadow_4.8.1-2ubuntu1.dsc
 c1bd7989829b06ce9f0b96c30857e74639c8bdf6 86604 shadow_4.8.1-2ubuntu1.debian.tar.xz
Checksums-Sha256: 
 1dab567da10edf43562328b6d3f792a55e784d26cf7a12236a962ac77624f877 2381 shadow_4.8.1-2ubuntu1.dsc
 6bb2b8c8ddb84769cef202295ed5fdc8c7119fdbcb08358a917aa8f6d3c9890f 86604 shadow_4.8.1-2ubuntu1.debian.tar.xz
Files: 
 cf65c0136294df5a69c2bdcfb05205fb 2381 admin required shadow_4.8.1-2ubuntu1.dsc
 4e6affda849c92d5a4cc340b81c45af5 86604 admin required shadow_4.8.1-2ubuntu1.debian.tar.xz
Original-Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
-------------- next part --------------
diff -pruN 1:4.8.1-2/debian/changelog 1:4.8.1-2ubuntu1/debian/changelog
--- 1:4.8.1-2/debian/changelog	2021-11-10 09:39:04.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/changelog	2021-11-15 22:13:44.000000000 +0000
@@ -1,3 +1,34 @@
+shadow (1:4.8.1-2ubuntu1) jammy; urgency=low
+
+  * Merge from Debian unstable (LP: #1951161). Remaining changes:
+    - debian/login.defs:
+      + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+        handling does not only apply to "former (pre-PAM) uses".
+      + Update documentation of UMASK: Explain that USERGROUPS_ENAB
+        will modify this default for UPGs.
+      + Enable private home directories by default
+    - debian/{source_shadow.py,login.install}: Add apport hook
+    - debian/patches/1010_extrausers.patch: Add support to passwd for
+      libnss-extrausers
+    - debian/patches/1011_extrausers_toggle.patch: extrausers support for
+      useradd and groupadd
+    - debian/patches/1014_extrausers_delgroup.patch
+      + add --extrausers option to "groupdel"
+    - debian/patches/1013_extrausers_deluser.patch
+      + add --extrausers option to "userdel"
+    - debian/patches/1012_extrausers_chfn.patch
+      + add support for --extrausers to the chfn tool
+    - debian/patches/1015_add_zsys_support.patch
+      + Call zsys to handle home directory if available.
+    - debian/patches/1016_extrausers_gpasswd.patch
+      + Add support for extrausers in gpasswd.
+    - debian/patches/506_relaxed_usernames.patch
+      + disallow purely numeric usernames
+  * Dropped changes, included in Debian:
+    - debian/passwd.maintscripts: Clean up upstart configuration
+
+ -- William 'jawn-smith' Wilson <jawn-smith at ubuntu.com>  Mon, 15 Nov 2021 16:13:44 -0600
+
 shadow (1:4.8.1-2) unstable; urgency=medium
 
   * debian/control: Switch to libsemanage-dev from libsemanage1-dev
@@ -31,6 +62,97 @@ shadow (1:4.8.1-1.1) unstable; urgency=m
 
  -- Johannes Schauer Marin Rodrigues <josch at debian.org>  Sat, 23 Oct 2021 21:04:57 +0200
 
+shadow (1:4.8.1-1ubuntu9) impish; urgency=medium
+
+  * Disallow purely numeric usernames. This includes hexadecimal and
+    octal syntax. (LP: #1927078)
+
+ -- William 'jawn-smith' Wilson <william.wilson at canonical.com>  Thu, 17 Jun 2021 14:35:15 -0500
+
+shadow (1:4.8.1-1ubuntu8) hirsute; urgency=medium
+
+  * Enable private home directories by default (LP: #48734)
+  -  Set HOME_MODE=750 in login.defs to enable private home directories
+
+ -- Alex Murray <alex.murray at canonical.com>  Thu, 07 Jan 2021 15:35:37 +1030
+
+shadow (1:4.8.1-1ubuntu7) hirsute; urgency=medium
+
+  [ Marcus Tomlinson ]
+  * debian/patches/1016_extrausers_gpasswd.patch:
+    - Add support for extrausers in gpasswd.
+
+ -- Dimitri John Ledkov <xnox at ubuntu.com>  Wed, 02 Dec 2020 10:44:11 +0000
+
+shadow (1:4.8.1-1ubuntu6) groovy; urgency=medium
+
+  * debian/patches/1015_add_zsys_support.patch:
+    - Add support for ZSys user deletion (LP: #1881540)
+    - Fix a build warning
+
+ -- Didier Roche <didrocks at ubuntu.com>  Thu, 28 May 2020 08:37:47 +0200
+
+shadow (1:4.8.1-1ubuntu5) focal; urgency=medium
+
+  * debian/patches/1015_add_zsys_support.patch:
+    Fix regression on zfs system when the user dataset wasn’t created
+    (LP: #1873263)
+    - wrong variable was used when merged with debian
+    - reset the correct order to ensure owner and mod are correct.
+
+ -- Didier Roche <didrocks at ubuntu.com>  Thu, 16 Apr 2020 14:36:45 +0200
+
+shadow (1:4.8.1-1ubuntu4) focal; urgency=medium
+
+  * debian/patches/1015_add_zsys_support.patch:
+    - use now zsysctl command instead of zsys which isn't available anymore.
+      This fix creation of new user dataset on ZFS.
+
+ -- Didier Roche <didrocks at ubuntu.com>  Mon, 06 Apr 2020 09:51:10 +0200
+
+shadow (1:4.8.1-1ubuntu3) focal; urgency=medium
+
+  * debian/patches/1013_extrausers_deluser.patch:
+    - move "if (use_extrausers)" check before the test if the user
+      actually exists in the local database
+  * debian/tests:
+    - add smoke autopkgtest tests around {user,group}{add,del} with
+      and without extrausers to avoid regressions like the one fixed
+      in 4.8.1-1ubuntu2
+
+ -- Michael Vogt <michael.vogt at ubuntu.com>  Mon, 09 Mar 2020 10:43:16 +0100
+
+shadow (1:4.8.1-1ubuntu2) focal; urgency=medium
+
+  * No-change rebuild to pick up dependency on libcrypt1.
+
+ -- Matthias Klose <doko at ubuntu.com>  Sat, 07 Mar 2020 10:16:01 +0100
+
+shadow (1:4.8.1-1ubuntu1) focal; urgency=medium
+
+  * Merge from Debian unstable.  Remaining changes:
+    - debian/login.defs:
+      + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+        handling does not only apply to "former (pre-PAM) uses".
+      + Update documentation of UMASK: Explain that USERGROUPS_ENAB
+        will modify this default for UPGs.
+    - debian/{source_shadow.py,login.install}: Add apport hook
+    - debian/patches/1010_extrausers.patch: Add support to passwd for
+      libnss-extrausers
+    - debian/patches/1011_extrausers_toggle.patch: extrausers support for
+      useradd and groupadd
+    - debian/patches/1014_extrausers_delgroup.patch
+      + add --extrausers option to "groupdel"
+    - debian/patches/1013_extrausers_deluser.patch
+      + add --extrausers option to "userdel"
+    - debian/patches/1012_extrausers_chfn.patch:
+      + add support for --extrausers to the chfn tool
+    - debian/patches/1015_add_zsys_support.patch:
+      + Call zsys to handle home directory if available.
+    - debian/passwd.maintscripts: Clean up upstart configuration
+
+ -- Balint Reczey <rbalint at ubuntu.com>  Fri, 07 Feb 2020 16:32:06 +0100
+
 shadow (1:4.8.1-1) unstable; urgency=medium
 
   * debian/default/useradd: Fix typo DHSELL -> DSHELL (Closes: #897028)
@@ -40,6 +162,31 @@ shadow (1:4.8.1-1) unstable; urgency=med
 
  -- Balint Reczey <rbalint at ubuntu.com>  Fri, 07 Feb 2020 15:54:14 +0100
 
+shadow (1:4.8-1ubuntu1) focal; urgency=medium
+
+  * Merge from Debian unstable.  Remaining changes:
+    - debian/login.defs:
+      + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+        handling does not only apply to "former (pre-PAM) uses".
+      + Update documentation of UMASK: Explain that USERGROUPS_ENAB
+        will modify this default for UPGs.
+    - debian/{source_shadow.py,login.install}: Add apport hook
+    - debian/patches/1010_extrausers.patch: Add support to passwd for
+      libnss-extrausers
+    - debian/patches/1011_extrausers_toggle.patch: extrausers support for
+      useradd and groupadd
+    - debian/patches/1014_extrausers_delgroup.patch
+      + add --extrausers option to "groupdel"
+    - debian/patches/1013_extrausers_deluser.patch
+      + add --extrausers option to "userdel"
+    - debian/patches/1012_extrausers_chfn.patch:
+      + add support for --extrausers to the chfn tool
+    - debian/patches/1015_add_zsys_support.patch:
+      + Call zsys to handle home directory if available.
+    - debian/passwd.maintscripts: Clean up upstart configuration
+
+ -- Balint Reczey <rbalint at ubuntu.com>  Mon, 20 Jan 2020 15:16:35 +0100
+
 shadow (1:4.8-1) unstable; urgency=medium
 
   [ Laurent Bigonville ]
@@ -111,6 +258,53 @@ shadow (1:4.7-1) unstable; urgency=mediu
 
  -- Balint Reczey <rbalint at ubuntu.com>  Mon, 08 Jul 2019 15:58:46 +0200
 
+shadow (1:4.5-1.1ubuntu4) eoan; urgency=medium
+
+  * debian/patches/1015_add_zsys_support.patch:
+    - Call zsys to handle home directory if available.
+    We call zsys to handle dataset creation for zsys system in a separate
+    home dataset for each user on the system.
+    This allows one to handle user dataset outside of /home and also renaming.
+    We don't support yet deletion, as removing the dataset would remove as
+    well every snapshot of the history, and so, revert to previous version
+    will result in user created, but no home directory, which is unwanted.
+    (LP: #1842902)
+
+ -- Didier Roche <didrocks at ubuntu.com>  Thu, 29 Aug 2019 15:00:07 +0200
+
+shadow (1:4.5-1.1ubuntu3) eoan; urgency=medium
+
+  * debian/patches/1014_extrausers_delgroup.patch
+    - add --extrausers option to "groupdel" (LP: #1840375)
+
+ -- Michael Vogt <michael.vogt at ubuntu.com>  Wed, 21 Aug 2019 11:40:17 +0200
+
+shadow (1:4.5-1.1ubuntu2) disco; urgency=medium
+
+  * debian/patches/1013_extrausers_deluser.patch
+    - add --extrausers option to "userdel" (LP: #1659534)
+
+ -- Michael Vogt <michael.vogt at ubuntu.com>  Fri, 22 Mar 2019 19:32:50 +0100
+
+shadow (1:4.5-1.1ubuntu1) disco; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - debian/login.defs:
+      + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+        handling does not only apply to "former (pre-PAM) uses".
+      + Update documentation of UMASK: Explain that USERGROUPS_ENAB
+        will modify this default for UPGs.
+    - debian/{source_shadow.py,rules}: Add apport hook
+    - debian/patches/1010_extrausers.patch: Add support to passwd for
+      libnss-extrausers
+    - debian/patches/1011_extrausers_toggle.patch: extrausers support for
+      useradd and groupadd
+    - debian/patches/1012_extrausers_chfn.patch: add support for
+      --extrausers to the chfn tool
+    - debian/passwd.maintscripts: Clean up upstart configuration
+
+ -- Steve Langasek <steve.langasek at ubuntu.com>  Thu, 24 Jan 2019 15:46:48 -0800
+
 shadow (1:4.5-1.1) unstable; urgency=medium
 
   * Non-maintainer upload (greetings from DebCamp/DebConf Taiwan).
@@ -124,6 +318,42 @@ shadow (1:4.5-1.1) unstable; urgency=med
 
  -- Andreas Henriksson <andreas at fatal.se>  Fri, 27 Jul 2018 10:07:37 +0200
 
+shadow (1:4.5-1ubuntu1) bionic; urgency=medium
+
+  * Merge with Debian; remaining changes:
+    - debian/login.defs:
+      + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+        handling does not only apply to "former (pre-PAM) uses".
+      + Update documentation of UMASK: Explain that USERGROUPS_ENAB
+        will modify this default for UPGs.
+    - debian/{source_shadow.py,rules}: Add apport hook
+    - debian/patches/1010_extrausers.patch: Add support to passwd for
+      libnss-extrausers
+    - debian/patches/1011_extrausers_toggle.patch: extrausers support for
+      useradd and groupadd
+    - debian/patches/1012_extrausers_chfn.patch: add support for
+      --extrausers to the chfn tool
+    - debian/passwd.maintscripts: Clean up upstart configuration
+  * Dropped changes, included in Debian:
+    - Pass noupdate to pam_motd call for /run/motd.dynamic, to avoid running
+      /etc/update-motd.d/* scripts twice.
+  * Dropped changes, included upstream:
+    - debian/patches/userns/subuids-nonlocal-users: Don't limit
+      subuid/subgid support to local users.
+    - debian/patches/1021_no_subuids_for_system_users.patch
+    - debian/patches/CVE-2017-2616.patch: Check process's exit status before
+      sending signal
+    - debian/patches/CVE-2017-2616-regression.patch: Do not reset the
+      pid_child to 0 if the child process is still running.
+    - CVE-2017-2616
+    - debian/patches/CVE-2016-6252.patch: parse directly into unsigned long
+    - CVE-2016-6252
+  * Dropped obsoleted changes:
+    - debian/rules: setting DEB_*_INSTALLINIT_ARGS became obsolete after
+      switching to passwd.tmpfile from passwd.service
+
+ -- Balint Reczey <rbalint at ubuntu.com>  Thu, 25 Jan 2018 16:09:22 +0100
+
 shadow (1:4.5-1) unstable; urgency=medium
 
   * New upstream version 4.5
@@ -259,6 +489,86 @@ shadow (1:4.2-3.3) unstable; urgency=med
 
  -- Samuel Thibault <sthibault at debian.org>  Tue, 22 Nov 2016 18:31:28 +0000
 
+shadow (1:4.2-3.2ubuntu4) artful; urgency=medium
+
+  * Drop upstart system jobs.
+
+ -- Dimitri John Ledkov <xnox at ubuntu.com>  Mon, 21 Aug 2017 00:56:14 +0100
+
+shadow (1:4.2-3.2ubuntu2) artful; urgency=medium
+
+  * SECURITY UPDATE: su could be used to kill arbitrary processes.
+    - debian/patches/CVE-2017-2616.patch: Check process's exit status before
+      sending signal
+    - debian/patches/CVE-2017-2616-regression.patch: Do not reset the
+      pid_child to 0 if the child process is still running.
+    - CVE-2017-2616
+  * SECURITY UPDATE: getulong() function could accidentally parse negative
+    numbers as large positive numbers.
+    - debian/patches/CVE-2016-6252.patch: parse directly into unsigned long
+    - CVE-2016-6252
+
+ -- Seth Arnold <seth.arnold at canonical.com>  Thu, 18 May 2017 14:39:32 -0400
+
+shadow (1:4.2-3.2ubuntu1) yakkety; urgency=medium
+
+  * Merge with Debian; remaining changes:
+    - debian/passwd.upstart: Add an upstart job to clear locks on
+      [shadow-]passwd/group.
+    - debian/login.defs:
+      + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+        handling does not only apply to "former (pre-PAM) uses".
+      + Update documentation of UMASK: Explain that USERGROUPS_ENAB
+        will modify this default for UPGs.
+    - debian/{source_shadow.py,rules}: Add apport hook
+    - Pass noupdate to pam_motd call for /run/motd.dynamic, to avoid running
+      /etc/update-motd.d/* scripts twice.
+    - debian/patches/1010_extrausers.patch: Add support to passwd for
+      libnss-extrausers
+    - debian/patches/1011_extrausers_toggle.patch: extrausers support for
+      useradd and groupadd
+    - debian/patches/userns/subuids-nonlocal-users: Don't limit
+      subuid/subgid support to local users.
+  * Dropped changes, included in Debian:
+    - Allow LXC devices (lxc/console, lxc/tty[1234]), used from precise on.
+    - Add uidmap package based on upstream patches that introduce
+      newuidmap/newgidmap as well as /etc/subuid and /etc/subgid. Additional
+      updates on those to widen the default allocation to 65536 uids and gids
+      and only assign ranges to non-system users.
+    - debian/patches/1020_fix_user_busy_errors: Call sub_uid_close in all
+      error cases.
+  * Dropped changes, included upstream:
+    - debian/patches/495_stdout-encrypted-password: chpasswd can report
+      password hashes on stdout.
+    - debian/patches/496_su_kill_process_group: Kill the child process group,
+      rather than just the immediate child.
+  * Fix pam_motd calls so that the second pam_motd is the noupdate one rather
+    than the first, ensuring /run/motd.dynamic is always populated and shown
+    on the first login after boot.  LP: #1368864.
+  * Don't call 'pam_exec uname', a change adopted in Debian without
+    coordination with the Debian PAM maintainer
+  * Use dh_installinit now for installing the upstart job, as we no longer
+    generate a dependency on upstart-job.
+  * Include /etc/sub[ug]id in the list of files to clear locks for on boot.
+    LP: #1304505
+  * Add a systemd unit to go with the upstart job, so that lock clearing works
+    on newer Ubuntu releases.
+  * add support for "chfn --extrausers" (LP: #1495580)
+  * debian/patches/1010_extrausers.patch:
+    - Fix usermod to handle a readonly /etc gracefully (LP: #1562872)
+  * debian/patches/1010_extrausers.patch:
+    - Fix usermod to look in extrausers location for basic changes to a
+      user's passwd info.  Fixes changing user's real name in Touch via
+      AccountsService.  (Does not address updating groups yet, since that's
+      less useful now, as we can't update any system groups.)
+  * d/p/1021_no_subuids_for_system_users.patch: fix the not creating subuids
+    for system users.  (LP: #1545884)
+  * Replace debian/passwd.service with debian/passwd.tmpfile, systemd tmpfile
+    handling has support for removing files for us on boot.  Thanks to
+    Martin Pitt <pitti at ubuntu.com> for the hint.
+
+ -- Matthias Klose <doko at ubuntu.com>  Tue, 20 Sep 2016 09:43:54 +0200
+
 shadow (1:4.2-3.2) unstable; urgency=medium
 
   * Non-maintainer upload.
@@ -268,6 +578,93 @@ shadow (1:4.2-3.2) unstable; urgency=med
 
  -- Mattia Rizzolo <mattia at debian.org>  Sun, 18 Sep 2016 14:42:16 +0000
 
+shadow (1:4.2-3.1ubuntu6) yakkety; urgency=medium
+
+  * add support for "chfn --extrausers" (LP: #1495580)
+
+ -- Michael Vogt <michael.vogt at ubuntu.com>  Thu, 23 Jun 2016 08:02:00 +0200
+
+shadow (1:4.2-3.1ubuntu5) xenial; urgency=medium
+
+  * debian/patches/1010_extrausers.patch:
+    - Fix usermod to handle a readonly /etc gracefully (LP: #1562872)
+
+ -- Michael Terry <mterry at ubuntu.com>  Mon, 28 Mar 2016 09:44:23 -0400
+
+shadow (1:4.2-3.1ubuntu4) xenial; urgency=medium
+
+  * debian/patches/1010_extrausers.patch:
+    - Fix usermod to look in extrausers location for basic changes to a
+      user's passwd info.  Fixes changing user's real name in Touch via
+      AccountsService.  (Does not address updating groups yet, since that's
+      less useful now, as we can't update any system groups.)
+
+ -- Michael Terry <mterry at ubuntu.com>  Wed, 02 Mar 2016 15:01:19 -0500
+
+shadow (1:4.2-3.1ubuntu3) xenial; urgency=medium
+
+  * d/p/1021_no_subuids_for_system_users.patch: fix the not creating subuids
+    for system users.  (LP: #1545884)
+
+ -- Serge Hallyn <serge.hallyn at ubuntu.com>  Wed, 17 Feb 2016 20:57:59 -0800
+
+shadow (1:4.2-3.1ubuntu2) xenial; urgency=medium
+
+  * Replace debian/passwd.service with debian/passwd.tmpfile, systemd tmpfile
+    handling has support for removing files for us on boot.  Thanks to
+    Martin Pitt <pitti at ubuntu.com> for the hint.
+
+ -- Steve Langasek <steve.langasek at ubuntu.com>  Thu, 04 Feb 2016 14:01:27 -0800
+
+shadow (1:4.2-3.1ubuntu1) xenial; urgency=low
+
+  * Merge from Debian unstable.
+    - Includes pam_loginuid in login PAM config.  LP: #1067779.
+    - Fixes typo in usermod -h output.  LP: #1348873.
+  * Remaining changes:
+    - debian/passwd.upstart: Add an upstart job to clear locks on
+      [shadow-]passwd/group.
+    - debian/login.defs:
+      + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+        handling does not only apply to "former (pre-PAM) uses".
+      + Update documentation of UMASK: Explain that USERGROUPS_ENAB
+        will modify this default for UPGs.
+    - debian/{source_shadow.py,rules}: Add apport hook
+    - Pass noupdate to pam_motd call for /run/motd.dynamic, to avoid running
+      /etc/update-motd.d/* scripts twice.
+    - debian/patches/1010_extrausers.patch: Add support to passwd for
+      libnss-extrausers
+    - debian/patches/1011_extrausers_toggle.patch: extrausers support for
+      useradd and groupadd
+    - debian/patches/userns/subuids-nonlocal-users: Don't limit
+      subuid/subgid support to local users.
+  * Dropped changes, included in Debian:
+    - Allow LXC devices (lxc/console, lxc/tty[1234]), used from precise on.
+    - Add uidmap package based on upstream patches that introduce
+      newuidmap/newgidmap as well as /etc/subuid and /etc/subgid. Additional
+      updates on those to widen the default allocation to 65536 uids and gids
+      and only assign ranges to non-system users.
+    - debian/patches/1020_fix_user_busy_errors: Call sub_uid_close in all
+      error cases.
+  * Dropped changes, included upstream:
+    - debian/patches/495_stdout-encrypted-password: chpasswd can report
+      password hashes on stdout.
+    - debian/patches/496_su_kill_process_group: Kill the child process group,
+      rather than just the immediate child.
+  * Fix pam_motd calls so that the second pam_motd is the noupdate one rather
+    than the first, ensuring /run/motd.dynamic is always populated and shown
+    on the first login after boot.  LP: #1368864.
+  * Don't call 'pam_exec uname', a change adopted in Debian without
+    coordination with the Debian PAM maintainer
+  * Use dh_installinit now for installing the upstart job, as we no longer
+    generate a dependency on upstart-job.
+  * Include /etc/sub[ug]id in the list of files to clear locks for on boot.
+    LP: #1304505
+  * Add a systemd unit to go with the upstart job, so that lock clearing works
+    on newer Ubuntu releases.
+
+ -- Steve Langasek <steve.langasek at ubuntu.com>  Thu, 28 Jan 2016 22:21:41 -0800
+
 shadow (1:4.2-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
@@ -378,6 +775,79 @@ shadow (1:4.2-1) experimental; urgency=l
 
  -- Christian Perrier <bubulle at debian.org>  Tue, 22 Apr 2014 09:01:42 +0200
 
+shadow (1:4.1.5.1-1.1ubuntu7) wily; urgency=medium
+
+  * debian/patches/userns/subuids-nonlocal-users: Don't limit
+    subuid/subgid support to local users.  Closes LP: #1475749.
+
+ -- Steve Langasek <steve.langasek at ubuntu.com>  Mon, 20 Jul 2015 18:44:12 -0700
+
+shadow (1:4.1.5.1-1.1ubuntu6) wily; urgency=medium
+
+  * extrausers support for useradd and groupadd (LP: #1323732)
+
+ -- Sergio Schvezov <sergio.schvezov at canonical.com>  Thu, 25 Jun 2015 15:26:55 -0300
+
+shadow (1:4.1.5.1-1.1ubuntu5) wily; urgency=medium
+
+  * debian/rules: Re-enable audit support. (LP: #1414817)
+  * debian/control: add libaudit-dev to Build-Depends.
+
+ -- Mathieu Trudel-Lapierre <mathieu-tl at ubuntu.com>  Tue, 02 Jun 2015 10:46:18 -0400
+
+shadow (1:4.1.5.1-1.1ubuntu4) vivid; urgency=medium
+
+  * debian/patches/1020_fix_user_busy_errors:
+    - libmisc/user_busy.c: Call sub_uid_close in all error cases, otherwise
+      code that later opens it as RW fails obscurely. (LP: #1436937)
+
+ -- William Grant <wgrant at ubuntu.com>  Mon, 20 Apr 2015 18:41:47 +0100
+
+shadow (1:4.1.5.1-1.1ubuntu3) vivid; urgency=medium
+
+  * No change rebuild to get debug symbols for all architectures.
+
+ -- Brian Murray <brian at ubuntu.com>  Tue, 02 Dec 2014 11:39:38 -0800
+
+shadow (1:4.1.5.1-1.1ubuntu2) utopic; urgency=medium
+
+  * debian/patches/1010_extrausers.patch:
+    - Add support to passwd for libnss-extrausers by falling back to the
+      /var/lib/extrausers/ locations if it exists when updating
+      passwd or shadow.
+
+ -- Michael Terry <mterry at ubuntu.com>  Fri, 18 Jul 2014 10:00:44 -0400
+
+shadow (1:4.1.5.1-1.1ubuntu1) utopic; urgency=medium
+
+  * Merge from Debian unstable.  Remaining changes:
+     - debian/passwd.upstart: Add an upstrat job to clear locks on
+       [shadow-]passwd/group. (LP: #523896).
+     - Allow LXC devices (lxc/console, lxc/tty[1234]) that we'll start using
+       in LXC with Precise.
+     - debian/login.defs:
+       + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+         handling does not only apply to "former (pre-PAM) uses".
+       + Update documentation of UMASK: Explain that USERGROUPS_ENAB
+         will modify this default for UPGs. (Closes: #583971)
+     - debian/{source_shadow.py,rules}: Add apport hook
+     - debian/patches/495_stdout-encrypted-password: chpasswd can report
+       password hashes on stdout (Debian bug 505640).
+     - Install upstart job by-hand, instead of using dh_installinit to avoid
+       dependency on upstart-job.
+     - Pass noupdate to pam_motd call for /run/motd.dynamic, to avoid running
+       /etc/update-motd.d/* scripts twice (LP: #1169558).
+     - debian/patches/496_su_kill_process_group: Kill the child process group,
+       rather than just the immediate child; this is needed now that su no
+       longer starts a controlling terminal when not running an interactive
+       shell (closes: #713979).
+     - Add uidmap package based on upstream patches that introduce
+       newuidmap/newgidmap as well as /etc/subuid and /etc/subgid. Additional
+       updates on those to widen the default allocation to 65536 uids and gids
+       and only assign ranges to non-system users.
+
+ -- Stéphane Graber <stgraber at ubuntu.com>  Fri, 02 May 2014 15:17:15 -0400
+
 shadow (1:4.1.5.1-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
@@ -391,6 +861,103 @@ shadow (1:4.1.5.1-1.1) unstable; urgency
 
  -- Samuel Thibault <sthibault at debian.org>  Sun, 16 Mar 2014 20:58:24 +0100
 
+shadow (1:4.1.5.1-1ubuntu9) trusty; urgency=medium
+
+  * Set our subuid and subgid range to 65536 uids by default.
+  * Patch newusers to not add subuids and subgids to system users.
+  * Patch useradd to not add subuids and subgids to system users and to
+    regular users who don't fit between uid_min and uid_max.
+    (This is needed due to adduser not passing --system...)
+
+ -- Stéphane Graber <stgraber at ubuntu.com>  Sun, 16 Feb 2014 19:33:48 -0500
+
+shadow (1:4.1.5.1-1ubuntu8) trusty; urgency=medium
+
+  * Fix postinst to create subuid and subgid when missing as those won't
+    get created by usermod or any of the other tools.
+
+ -- Stéphane Graber <stgraber at ubuntu.com>  Fri, 17 Jan 2014 16:15:13 -0500
+
+shadow (1:4.1.5.1-1ubuntu7) trusty; urgency=medium
+
+  * Don't ship subuid/subgid as conffiles as that'll just cause problems
+    on upgrades. Instead simply touch them if they're not already present.
+
+ -- Stéphane Graber <stgraber at ubuntu.com>  Sun, 12 Jan 2014 12:59:46 -0500
+
+shadow (1:4.1.5.1-1ubuntu6) saucy; urgency=low
+
+  * debian/patches/496_su_kill_process_group: Kill the child process group,
+    rather than just the immediate child; this is needed now that su no
+    longer starts a controlling terminal when not running an interactive
+    shell (closes: #713979).
+
+ -- Colin Watson <cjwatson at ubuntu.com>  Fri, 26 Jul 2013 16:55:52 +0100
+
+shadow (1:4.1.5.1-1ubuntu5) saucy; urgency=low
+
+  [ Serge Hallyn ]
+  * debian/patches/userns: patches from Eric Biederman to enable use of
+    subuids, plus some bugfix patches on top of them. (LP: #1192864)
+  * passwd.install: add new manpages
+  * debian/control, debian/uidmap.install: create new uidmap package
+    containing the new setuid-root binaries newuidmap and newgidmap 
+  * debian/subuid, debian/rules: install a default /etc/subuid and /etc/subgid
+  * debian/patches/userns/16_add-argument-sanity-checking.patch: address
+    three sanity checking concerns brought up by sarnold at
+    http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2013-June/ \
+    009752.html.
+
+ -- Dmitrijs Ledkovs <dmitrij.ledkov at ubuntu.com>  Fri, 28 Jun 2013 11:31:51 +0100
+
+shadow (1:4.1.5.1-1ubuntu4) raring; urgency=low
+
+  * Pass noupdate to pam_motd call for /run/motd.dynamic, to avoid running
+    /etc/update-motd.d/* scripts twice (LP: #1169558).
+
+ -- Colin Watson <cjwatson at ubuntu.com>  Thu, 18 Apr 2013 01:01:45 +0100
+
+shadow (1:4.1.5.1-1ubuntu3) raring; urgency=low
+
+  * Install upstart job by-hand, instead of using dh_installinit to avoid
+    dependency on upstart-job.
+
+ -- Dmitrijs Ledkovs <dmitrij.ledkov at ubuntu.com>  Mon, 18 Mar 2013 03:23:31 +0000
+
+shadow (1:4.1.5.1-1ubuntu2) raring; urgency=low
+
+  * Revert build-dependency from gettext:any to gettext, now that gettext is
+    Multi-Arch: foreign.
+
+ -- Colin Watson <cjwatson at ubuntu.com>  Thu, 29 Nov 2012 15:27:11 +0000
+
+shadow (1:4.1.5.1-1ubuntu1) raring; urgency=low
+
+  * The "Yorkshire Blue" release.
+  * Merge from Debian unstable.  Remaining changes:  
+     - debian/passwd.upstart: Add an upstrat job to clear locks on
+       [shadow-]passwd/group. (LP: #523896).
+     - Build-depend on gettext:any for cross-building support.
+     - Allow LXC devices (lxc/console, lxc/tty[1234]) that we'll start using
+       in LXC with Precise.
+     - debian/login.defs:
+       + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+         handling does not only apply to "former (pre-PAM) uses".
+       + Update documentation of UMASK: Explain that USERGROUPS_ENAB will modify
+         this default for UPGs. (Closes: #583971)
+     - debian/{source_shadow.py,rules}: Add apport hook
+     - debian/patches/495_stdout-encrypted-password: chpasswd can report
+       password hashes on stdout (Debian bug 505640).
+
+  * Dropped changes, merged in Debian:
+     - Fix case of ttyAMA0-3 devices and move them near the ttyAM0-15 ones;
+       Debian #544184; fixes console on Vexpress boards (e.g. in QEMU).
+     - use SHA512 by default for password crypt routine.
+     - debian/rules: fix FTBFS from newer libtools
+     - Mark passwd Multi-Arch: foreign.
+  
+ -- Dmitrijs Ledkovs <dmitrij.ledkov at ubuntu.com>  Tue, 23 Oct 2012 09:59:19 +0100
+
 shadow (1:4.1.5.1-1) unstable; urgency=low
 
   * The "Gruyère" release.
@@ -534,6 +1101,68 @@ shadow (1:4.1.5-1) unstable; urgency=low
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Sun, 12 Feb 2012 22:27:03 +0100
 
+shadow (1:4.1.4.2+svn3283-3ubuntu7) quantal; urgency=low
+
+  * debian/passwd.upstart: Add an upstrat job to clear locks on
+    [shadow-]passwd/group. (LP: #523896).
+
+ -- Dmitrijs Ledkovs <dmitrij.ledkov at ubuntu.com>  Fri, 31 Aug 2012 13:00:33 +0100
+
+shadow (1:4.1.4.2+svn3283-3ubuntu6) quantal; urgency=low
+
+  * debian/source_shadow.py: Fix compatibility with python3. Thanks Edward
+    Donovan! (LP: #1013171)
+
+ -- Martin Pitt <martin.pitt at ubuntu.com>  Mon, 18 Jun 2012 15:09:54 +0200
+
+shadow (1:4.1.4.2+svn3283-3ubuntu5) precise; urgency=low
+
+  * Build-depend on gettext:any for cross-building support.
+
+ -- Colin Watson <cjwatson at ubuntu.com>  Mon, 09 Apr 2012 00:28:03 +0100
+
+shadow (1:4.1.4.2+svn3283-3ubuntu4) precise; urgency=low
+
+  * Allow LXC devices (lxc/console, lxc/tty[1234]) that we'll start using
+    in LXC with Precise.
+
+ -- Stéphane Graber <stgraber at ubuntu.com>  Fri, 10 Feb 2012 15:34:05 -0500
+
+shadow (1:4.1.4.2+svn3283-3ubuntu3) precise; urgency=low
+
+  * Fix case of ttyAMA0-3 devices and move them near the ttyAM0-15 ones;
+    Debian #544184; fixes console on Vexpress boards (e.g. in QEMU).
+
+ -- Loïc Minier <loic.minier at ubuntu.com>  Wed, 30 Nov 2011 22:47:47 +0100
+
+shadow (1:4.1.4.2+svn3283-3ubuntu2) oneiric; urgency=low
+
+  * debian/login.defs:
+    - Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
+      handling does not only apply to "former (pre-PAM) uses".
+    - Update documentation of UMASK: Explain that USERGROUPS_ENAB will modify
+      this default for UPGs. (Closes: #583971)
+
+ -- Martin Pitt <martin.pitt at ubuntu.com>  Fri, 24 Jun 2011 11:07:34 +0200
+
+shadow (1:4.1.4.2+svn3283-3ubuntu1) natty; urgency=low
+
+  * The "string cheese" release.
+  * Merge from Debian unstable.  Remaining changes:
+    - Ubuntu specific:
+      + debian/login.defs: use SHA512 by default for password crypt routine.
+    - debian/{source_shadow.py,rules}: Add apport hook
+    - debian/rules: fix FTBFS from newer libtools
+    - debian/patches/495_stdout-encrypted-password: chpasswd can report
+      password hashes on stdout (Debian bug 505640).
+  * Dropped changes, merged in Debian:
+    - debian/patches/300_CVE-2011-0721: reject newlines in GECOS updates.
+    - CVE-2011-0721
+  * Mark passwd Multi-Arch: foreign, so packages that aren't of the same
+    arch can depend on it.
+
+ -- Steve Langasek <steve.langasek at ubuntu.com>  Sun, 20 Feb 2011 15:59:15 -0800
+
 shadow (1:4.1.4.2+svn3283-3) unstable; urgency=high
 
   * The "Trappe d'Echourgnac" release.
@@ -544,6 +1173,34 @@ shadow (1:4.1.4.2+svn3283-3) unstable; u
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Mon, 13 Feb 2011 23:20:05 +0100
 
+shadow (1:4.1.4.2+svn3283-2ubuntu3) natty; urgency=low
+
+  * SECURITY UPDATE: could inject NIS groups memberships into /etc/passwd.
+    - debian/patches/300_CVE-2011-0721: reject newlines in GECOS updates.
+    - CVE-2011-0721
+
+ -- Kees Cook <kees at ubuntu.com>  Tue, 15 Feb 2011 13:57:01 -0800
+
+shadow (1:4.1.4.2+svn3283-2ubuntu2) natty; urgency=low
+
+  * debian/patches/495_stdout-encrypted-password: adjust patch for changes 
+    in src/chpasswd.c to fix FTBFS
+
+ -- Oliver Grawert <ogra at ubuntu.com>  Tue, 04 Jan 2011 15:48:49 +0100
+
+shadow (1:4.1.4.2+svn3283-2ubuntu1) natty; urgency=low
+
+  * Merge from debian unstable.  Remaining changes:
+    - Ubuntu specific:
+      + debian/login.defs: use SHA512 by default for password crypt routine.
+    - debian/{source_shadow.py,rules}: Add apport hook
+    - debian/rules: fix FTBFS from newer libtools
+    - debian/patches/495_stdout-encrypted-password: chpasswd can report
+      password hashes on stdout (Debian bug 505640).
+    - Rework 495_stdout-encrypted-password to cope with chpasswd using PAM.
+
+ -- Oliver Grawert <ogra at ubuntu.com>  Wed, 24 Nov 2010 13:42:42 +0100
+
 shadow (1:4.1.4.2+svn3283-2) unstable; urgency=low
 
   * The "Bleu du Vercors-Sassenage" release.
@@ -615,6 +1272,32 @@ shadow (1:4.1.4.2+svn3283-1) unstable; u
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Sun, 29 Aug 2010 21:14:12 +0200
 
+shadow (1:4.1.4.2-1ubuntu3) maverick; urgency=low
+
+  * add ttyO0-3 to debian/securetty.linux, if OMAP kernels are built with
+    TI's DMA-offloaded driver instead of the default 8250 one the serial tty's
+    are called like that (LP: #512845).
+
+ -- Oliver Grawert <ogra at ubuntu.com>  Tue, 31 Aug 2010 14:45:17 +0200
+
+shadow (1:4.1.4.2-1ubuntu2) lucid; urgency=low
+
+  * debian/{source_shadow.py,rules}: Add apport hook
+  * debian/rules: fix FTBFS from newer libtools
+
+ -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Tue, 26 Jan 2010 08:54:59 -0500
+
+shadow (1:4.1.4.2-1ubuntu1) lucid; urgency=low
+
+  * Merged with debian unstable. Remaning changes (LP: #477299):
+    - Ubuntu specific:
+      + debian/login.defs: use SHA512 by default for password crypt routine.
+    - debian/patches/495_stdout-encrypted-password: chpasswd can report
+      password hashes on stdout (Debian bug 505640).
+    - Rework 495_stdout-encrypted-password to cope with chpasswd using PAM.
+
+ -- Nicolas Valcárcel Scerpella (Canonical) <nvalcarcel at canonical.com>  Sat, 07 Nov 2009 04:55:18 -0500
+
 shadow (1:4.1.4.2-1) unstable; urgency=low
 
   * The "Tome des Bauges" release.
@@ -642,6 +1325,25 @@ shadow (1:4.1.4.2-1) unstable; urgency=l
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Fri, 24 Jul 2009 05:03:23 +0200
 
+shadow (1:4.1.4.1-1ubuntu2) karmic; urgency=low
+
+  * debian/securetty.linux: also list ttyS2 and ttyS3; beagleboard uses ttyS2
+    as serial port.
+
+ -- Loïc Minier <loic.minier at ubuntu.com>  Fri, 31 Jul 2009 15:34:56 +0200
+
+shadow (1:4.1.4.1-1ubuntu1) karmic; urgency=low
+
+  * Resynchronise with Debian. Remaining changes:
+    - Ubuntu specific:
+      + debian/login.defs: use SHA512 by default for password crypt routine.
+    - debian/patches/495_stdout-encrypted-password: chpasswd can report
+      password hashes on stdout (Debian bug 505640).
+  * Rework 495_stdout-encrypted-password to cope with chpasswd using PAM.
+    It's looking a bit ugly now ...
+
+ -- Colin Watson <cjwatson at ubuntu.com>  Wed, 03 Jun 2009 11:16:51 +0100
+
 shadow (1:4.1.4.1-1) unstable; urgency=low
 
   * The "Chevrotin" release.
@@ -729,6 +1431,21 @@ shadow (1:4.1.4-1) unstable; urgency=low
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Mon, 11 May 2009 00:25:11 +0200
 
+shadow (1:4.1.3.1-1ubuntu1) karmic; urgency=low
+
+  * Merge from debian unstable, remaining changes:
+    - Ubuntu specific:
+      + debian/login.defs: use SHA512 by default for password crypt routine.
+    - debian/patches/stdout-encrypted-password.patch: chpasswd can report
+      password hashes on stdout (debian bug 505640).
+    - debian/login.pam: Enable SELinux support (debian bug 527106).
+    - debian/securetty.linux: support Freescale MX-series (debian bug 527095).
+  * Add debian/patches/300_lastlog_failure: fixed upstream (debian bug 524873).
+  * Drop debian/patches/593_omit_lastchange_field_if_clock_is_misset: fixed
+    upstream.
+
+ -- Kees Cook <kees at ubuntu.com>  Tue, 05 May 2009 09:45:21 -0700
+
 shadow (1:4.1.3.1-1) unstable; urgency=low
 
   * The "Le Puant Macéré" release.
@@ -824,6 +1541,108 @@ shadow (1:4.1.3-1) unstable; urgency=low
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Tue, 14 Apr 2009 23:33:22 +0200
 
+shadow (1:4.1.1-6ubuntu6) jaunty; urgency=low
+
+  * debian/login.preinst: fix typo in grep (LP: #354887).
+
+ -- Kees Cook <kees at ubuntu.com>  Fri, 03 Apr 2009 22:12:07 -0700
+
+shadow (1:4.1.1-6ubuntu5) jaunty; urgency=low
+
+  * debian/login.preinst: add special-case handling to restore the
+    original white-space in /etc/login.defs that is changed by
+    system-tools-backends (LP: #316756).
+
+ -- Kees Cook <kees at ubuntu.com>  Fri, 03 Apr 2009 14:33:43 -0700
+
+shadow (1:4.1.1-6ubuntu4) jaunty; urgency=low
+
+  * debian/patches/593_omit_lastchange_field_if_clock_is_misset (LP: #349504)
+    - If the system clock is set to Jan 01, 1970, and a new user is created
+      the last changed field gets set to 0, which tells login that the 
+      password is expired and must be changed. During installation, 
+      this can cause autologin to fail. Having the clock set to 01/01/1970
+      on a fresh install is common on the ARM architecture, so this is a high
+      priority bug since its likely to affect most ARM users on first install
+
+ -- Michael Casadevall <mcasadevall at ubuntu.com>  Thu, 02 Apr 2009 14:05:31 -0400
+
+shadow (1:4.1.1-6ubuntu3) jaunty; urgency=low
+
+  [ Bryan McLellan ]
+  * Don't do the vm-builder root password check on fresh installations
+    (LP: #340841).
+
+ -- Colin Watson <cjwatson at ubuntu.com>  Tue, 17 Mar 2009 13:32:55 +0000
+
+shadow (1:4.1.1-6ubuntu2) jaunty; urgency=low
+
+  * debian/securetty.linux (LP: #316841)
+    - Updated securetty support for Freescale MX-series boards
+
+ -- Michael Casadevall <sonicmctails at gmail.com>  Tue, 13 Jan 2009 12:56:38 -0500
+
+shadow (1:4.1.1-6ubuntu1) jaunty; urgency=low
+
+  * Merge from debian unstable, remaining changes:
+    - Ubuntu specific:
+      + debian/login.pam: Enable SELinux support in login.pam.
+      + debian/rules: regenerate autoconf to avoid libtool-caused FTBFS.
+      + debian/login.defs: use SHA512 by default for password crypt routine.
+      + debian/passwd.postinst: disable the root password for virtual
+        machines created with vm-builder on Ubuntu 8.10.
+    - debian/patches/stdout-encrypted-password.patch: allow chpasswd to
+      report encrypted passwords to stdout for tools needing encrypted
+      passwords (debian bug 505640).
+
+ -- Kees Cook <kees at ubuntu.com>  Mon, 08 Dec 2008 00:44:46 -0800
+
+shadow (1:4.1.1-6) unstable; urgency=medium
+
+  * The "Rollot" release.
+  * debian/patches/303_login_symlink_attack: Fix a race condition that could
+    lead to gaining ownership or changing mode of arbitrary files.
+    Closes: #505271 
+  * debian/patches/304_su.1_synopsis: Fix the su synopsis. username is
+    referenced in the manpage, not LOGIN. Closes: #501830
+  * debian/patches/305_login.1_japanese: Fix the path of the utmp and wtmp
+    files. Closes: #501353
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Fri, 14 Nov 2008 21:52:42 +0100
+
+shadow (1:4.1.1-5ubuntu3) jaunty; urgency=low
+
+  * disable the root password for virtual machines created with vm-builder
+    on Ubuntu 8.10. (LP: #296841)
+
+ -- Jamie Strandboge <jamie at ubuntu.com>  Thu, 13 Nov 2008 20:32:42 -0600
+
+shadow (1:4.1.1-5ubuntu2) jaunty; urgency=low
+
+  * debian/login.defs: use SHA512 by default for password crypt routine
+    (LP: #51551, currently Ubuntu specific).
+  * debian/patches/stdout-encrypted-password.patch: allow chpasswd to report
+    encrypted passwords to stdout for tools needing encrypted passwords
+    (debian bug 505640).
+  * debian/rules: regenerate autoconf to avoid libtool-caused FTBFS.
+
+ -- Kees Cook <kees at ubuntu.com>  Thu, 13 Nov 2008 16:43:48 -0800
+
+shadow (1:4.1.1-5ubuntu1) jaunty; urgency=low
+
+  * Merge from debian unstable, remaining changes:
+    - debian/login.pam: Enable SELinux support in login.pam.
+
+ -- Scott James Remnant <scott at ubuntu.com>  Wed, 05 Nov 2008 07:26:43 +0000
+
+shadow (1:4.1.1-5) unstable; urgency=low
+
+  * The "Bergues" release.
+  * debian/login.pam: restore the Etch behavior of pam_securetty.so in case of
+    unknown user. Closes: #443322, #495831
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Sun, 14 Sep 2008 19:13:34 +0200
+
 shadow (1:4.1.1-4) unstable; urgency=low
 
   * The "Rocamadour" release.
@@ -901,6 +1720,13 @@ shadow (1:4.1.1-2) unstable; urgency=low
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Fri, 13 Jun 2008 01:27:16 +0200
 
+shadow (1:4.1.1-1ubuntu1) intrepid; urgency=low
+
+  * Merge from debian unstable, remaining changes:
+    - debian/login.pam: Enable SELinux support in login.pam.
+
+ -- Kees Cook <kees at ubuntu.com>  Mon, 09 Jun 2008 10:08:38 -0700
+
 shadow (1:4.1.1-1) unstable; urgency=low
 
   * New upstream release. This closes the following bugs:
@@ -1026,6 +1852,20 @@ shadow (1:4.1.0-1) unstable; urgency=low
 
  -- Christian Perrier <bubulle at debian.org>  Sat, 12 Jan 2008 20:40:02 +0100
 
+shadow (1:4.0.18.2-1ubuntu2) hardy; urgency=low
+
+  * Add 498_make_useradd_faster_with_ldap: make useradd faster when
+    nsswitch uses LDAP or some other remote names database (LP: #120015),
+    thanks to Vince Busam.
+
+ -- Matt T. Proud <mtp at google.com>  Fri, 08 Feb 2008 18:30:51 -0800
+
+shadow (1:4.0.18.2-1ubuntu1) hardy; urgency=low
+
+  * debian/login.pam: Enable SELinux support in login.pam (LP: #191326).
+
+ -- Caleb Case <ccase at tresys.com>  Fri, 08 Feb 2008 02:20:06 -0500
+
 shadow (1:4.0.18.2-1) unstable; urgency=low
 
   * The "Vacherin" release.
diff -pruN 1:4.8.1-2/debian/control 1:4.8.1-2ubuntu1/debian/control
--- 1:4.8.1-2/debian/control	2021-11-10 09:39:04.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/control	2021-11-15 22:13:37.000000000 +0000
@@ -1,5 +1,6 @@
 Source: shadow
-Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
+XSBC-Original-Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
 Uploaders: Balint Reczey <balint at balintreczey.hu>,
            Serge Hallyn <serge at hallyn.com>
 Section: admin
diff -pruN 1:4.8.1-2/debian/login.defs 1:4.8.1-2ubuntu1/debian/login.defs
--- 1:4.8.1-2/debian/login.defs	2021-11-10 09:39:04.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/login.defs	2021-11-11 15:42:38.000000000 +0000
@@ -150,6 +150,11 @@ ERASECHAR	0177
 KILLCHAR	025
 UMASK		022
 
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+HOME_MODE	0750
+
 #
 # Password aging controls:
 #
@@ -214,13 +219,14 @@ DEFAULT_HOME	yes
 #USERDEL_CMD	/usr/sbin/userdel_local
 
 #
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
 # If set to yes, userdel will remove the user's group if it contains no
 # more members, and useradd will create by default a group with the name
 # of the user.
 #
-# Other former uses of this variable such as setting the umask when
-# user==primary group are not used in PAM environments, such as Debian
-#
 USERGROUPS_ENAB yes
 
 #
diff -pruN 1:4.8.1-2/debian/login.install 1:4.8.1-2ubuntu1/debian/login.install
--- 1:4.8.1-2/debian/login.install	2021-11-10 09:39:04.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/login.install	2021-11-11 15:42:38.000000000 +0000
@@ -1,4 +1,5 @@
 debian/login.defs etc
+debian/source_shadow.py usr/share/apport/package-hooks
 usr/share/locale/*/LC_MESSAGES/shadow.mo
 usr/sbin/nologin
 usr/bin/faillog
diff -pruN 1:4.8.1-2/debian/passwd.maintscript 1:4.8.1-2ubuntu1/debian/passwd.maintscript
--- 1:4.8.1-2/debian/passwd.maintscript	2021-11-10 09:39:04.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/passwd.maintscript	2021-11-11 15:42:38.000000000 +0000
@@ -1 +1,2 @@
 rm_conffile /etc/cron.daily/passwd 1:4.7-2~
+rm_conffile /etc/init/passwd.conf 1:4.2-3.2ubuntu4~ passwd
diff -pruN 1:4.8.1-2/debian/patches/1010_extrausers.patch 1:4.8.1-2ubuntu1/debian/patches/1010_extrausers.patch
--- 1:4.8.1-2/debian/patches/1010_extrausers.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/patches/1010_extrausers.patch	2020-02-07 15:32:06.000000000 +0000
@@ -0,0 +1,264 @@
+From: Michael Terry <michael.terry at canonical.com>
+Date: Fri, 20 Dec 2019 16:45:51 +0100
+Subject: Add support to passwd for updating libnss-extrausers locations
+
+---
+ lib/commonio.c |  2 ++
+ lib/defines.h  |  8 ++++++++
+ src/passwd.c   | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ src/usermod.c  | 48 +++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 122 insertions(+), 1 deletion(-)
+
+diff --git a/lib/commonio.c b/lib/commonio.c
+index 9f6ceca..008691f 100644
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -419,6 +419,7 @@ int commonio_lock (struct commonio_db *db)
+ 	int i;
+ 
+ #ifdef HAVE_LCKPWDF
++  if (strncmp(db->filename, "/etc/", 5) == 0) {
+ 	/*
+ 	 * Only if the system libc has a real lckpwdf() - the one from
+ 	 * lockpw.c calls us and would cause infinite recursion!
+@@ -448,6 +449,7 @@ int commonio_lock (struct commonio_db *db)
+ 		ulckpwdf ();
+ 		return 0;		/* failure */
+ 	}
++  } /* strncmp(db->filename, "/etc/", 5) == 0 */
+ #endif				/* !HAVE_LCKPWDF */
+ 
+ 	/*
+diff --git a/lib/defines.h b/lib/defines.h
+index 2fb1b56..ffa8b6a 100644
+--- a/lib/defines.h
++++ b/lib/defines.h
+@@ -316,6 +316,14 @@ char *strchr (), *strrchr (), *strtok ();
+ #endif
+ #endif
+ 
++#ifndef EXTRAUSERS_PASSWD_FILE
++#define EXTRAUSERS_PASSWD_FILE "/var/lib/extrausers/passwd"
++#endif
++
++#ifndef EXTRAUSERS_SHADOW_FILE
++#define EXTRAUSERS_SHADOW_FILE "/var/lib/extrausers/shadow"
++#endif
++
+ #ifndef NULL
+ #define NULL ((void *) 0)
+ #endif
+diff --git a/src/passwd.c b/src/passwd.c
+index 13619b1..bfe0aea 100644
+--- a/src/passwd.c
++++ b/src/passwd.c
+@@ -559,8 +559,15 @@ static void update_noshadow (void)
+ {
+ 	const struct passwd *pw;
+ 	struct passwd *npw;
++	bool try_extrausers = strcmp (pw_dbname (), EXTRAUSERS_PASSWD_FILE) != 0 &&
++	                      access (EXTRAUSERS_PASSWD_FILE, F_OK) == 0;
+ 
+ 	if (pw_lock () == 0) {
++		if (try_extrausers) {
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			update_noshadow ();
++			return;
++		}
+ 		(void) fprintf (stderr,
+ 		                _("%s: cannot lock %s; try again later.\n"),
+ 		                Prog, pw_dbname ());
+@@ -568,6 +575,20 @@ static void update_noshadow (void)
+ 	}
+ 	pw_locked = true;
+ 	if (pw_open (O_CREAT | O_RDWR) == 0) {
++		if (try_extrausers) {
++			if (pw_unlock () == 0) {
++				(void) fprintf (stderr,
++				                _("%s: failed to unlock %s\n"),
++				                Prog, pw_dbname ());
++				SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
++				/* continue */
++			}
++			pw_locked = false;
++
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			update_noshadow ();
++			return;
++		}
+ 		(void) fprintf (stderr,
+ 		                _("%s: cannot open %s\n"),
+ 		                Prog, pw_dbname ());
+@@ -576,6 +597,21 @@ static void update_noshadow (void)
+ 	}
+ 	pw = pw_locate (name);
+ 	if (NULL == pw) {
++		if (try_extrausers) {
++			(void) pw_close ();
++			if (pw_unlock () == 0) {
++				(void) fprintf (stderr,
++				                _("%s: failed to unlock %s\n"),
++				                Prog, pw_dbname ());
++				SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
++				/* continue */
++			}
++			pw_locked = false;
++
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			update_noshadow ();
++			return;
++		}
+ 		(void) fprintf (stderr,
+ 		                _("%s: user '%s' does not exist in %s\n"),
+ 		                Prog, name, pw_dbname ());
+@@ -613,8 +649,15 @@ static void update_shadow (void)
+ {
+ 	const struct spwd *sp;
+ 	struct spwd *nsp;
++	bool try_extrausers = strcmp (spw_dbname (), EXTRAUSERS_SHADOW_FILE) != 0 &&
++	                      access (EXTRAUSERS_SHADOW_FILE, F_OK) == 0;
+ 
+ 	if (spw_lock () == 0) {
++		if (try_extrausers) {
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			update_shadow ();
++			return;
++		}
+ 		(void) fprintf (stderr,
+ 		                _("%s: cannot lock %s; try again later.\n"),
+ 		                Prog, spw_dbname ());
+@@ -622,6 +665,20 @@ static void update_shadow (void)
+ 	}
+ 	spw_locked = true;
+ 	if (spw_open (O_CREAT | O_RDWR) == 0) {
++		if (try_extrausers) {
++			if (spw_unlock () == 0) {
++				(void) fprintf (stderr,
++						        _("%s: failed to unlock %s\n"),
++						        Prog, spw_dbname ());
++				SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
++				/* continue */
++			}
++			spw_locked = false;
++
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			update_shadow ();
++			return;
++		}
+ 		(void) fprintf (stderr,
+ 		                _("%s: cannot open %s\n"),
+ 		                Prog, spw_dbname ());
+@@ -632,7 +689,9 @@ static void update_shadow (void)
+ 	if (NULL == sp) {
+ 		/* Try to update the password in /etc/passwd instead. */
+ 		(void) spw_close ();
+-		update_noshadow ();
++		if (!try_extrausers) {
++			update_noshadow ();
++		}
+ 		if (spw_unlock () == 0) {
+ 			(void) fprintf (stderr,
+ 			                _("%s: failed to unlock %s\n"),
+@@ -641,6 +700,10 @@ static void update_shadow (void)
+ 			/* continue */
+ 		}
+ 		spw_locked = false;
++		if (try_extrausers) {
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			update_shadow ();
++		}
+ 		return;
+ 	}
+ 	nsp = __spw_dup (sp);
+diff --git a/src/usermod.c b/src/usermod.c
+index 05b9871..fb833e1 100644
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -1566,7 +1566,16 @@ static void close_files (void)
+  */
+ static void open_files (void)
+ {
++	bool try_extrausers = strcmp (pw_dbname (), EXTRAUSERS_PASSWD_FILE) != 0 &&
++	                      access (EXTRAUSERS_PASSWD_FILE, F_OK) == 0;
++
+ 	if (pw_lock () == 0) {
++		if (try_extrausers) {
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			open_files ();
++			return;
++		}
+ 		fprintf (stderr,
+ 		         _("%s: cannot lock %s; try again later.\n"),
+ 		         Prog, pw_dbname ());
+@@ -1574,12 +1583,29 @@ static void open_files (void)
+ 	}
+ 	pw_locked = true;
+ 	if (pw_open (O_CREAT | O_RDWR) == 0) {
++		if (try_extrausers) {
++			pw_unlock ();
++			pw_locked = false;
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			open_files ();
++			return;
++		}
+ 		fprintf (stderr,
+ 		         _("%s: cannot open %s\n"),
+ 		         Prog, pw_dbname ());
+ 		fail_exit (E_PW_UPDATE);
+ 	}
+ 	if (is_shadow_pwd && (spw_lock () == 0)) {
++		if (try_extrausers) {
++			pw_close ();
++			pw_unlock ();
++			pw_locked = false;
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			open_files ();
++			return;
++		}
+ 		fprintf (stderr,
+ 		         _("%s: cannot lock %s; try again later.\n"),
+ 		         Prog, spw_dbname ());
+@@ -1587,6 +1613,17 @@ static void open_files (void)
+ 	}
+ 	spw_locked = true;
+ 	if (is_shadow_pwd && (spw_open (O_CREAT | O_RDWR) == 0)) {
++		if (try_extrausers) {
++			pw_close ();
++			pw_unlock ();
++			spw_unlock ();
++			pw_locked = false;
++			spw_locked = false;
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			open_files ();
++			return;
++		}
+ 		fprintf (stderr,
+ 		         _("%s: cannot open %s\n"),
+ 		         Prog, spw_dbname ());
+@@ -1675,11 +1712,22 @@ static void usr_update (void)
+ 	struct spwd spent;
+ 	const struct spwd *spwd = NULL;
+ 
++	bool try_extrausers = strcmp (pw_dbname (), EXTRAUSERS_PASSWD_FILE) != 0 &&
++	                      access (EXTRAUSERS_PASSWD_FILE, F_OK) == 0;
++
+ 	/*
+ 	 * Locate the entry in /etc/passwd, which MUST exist.
+ 	 */
+ 	pwd = pw_locate (user_name);
+ 	if (NULL == pwd) {
++		if (try_extrausers) {
++			close_files ();
++			pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++			spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++			open_files ();
++			usr_update ();
++			return;
++		}
+ 		fprintf (stderr,
+ 		         _("%s: user '%s' does not exist in %s\n"),
+ 		         Prog, user_name, pw_dbname ());
diff -pruN 1:4.8.1-2/debian/patches/1011_extrausers_toggle.patch 1:4.8.1-2ubuntu1/debian/patches/1011_extrausers_toggle.patch
--- 1:4.8.1-2/debian/patches/1011_extrausers_toggle.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/patches/1011_extrausers_toggle.patch	2020-02-07 15:32:06.000000000 +0000
@@ -0,0 +1,154 @@
+From: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
+Date: Fri, 20 Dec 2019 16:45:51 +0100
+Subject: _extrausers_toggle
+
+---
+ lib/defines.h  | 16 ++++++++++++++++
+ src/groupadd.c | 22 ++++++++++++++++++++++
+ src/useradd.c  | 23 +++++++++++++++++++++++
+ 3 files changed, 61 insertions(+)
+
+--- a/lib/defines.h
++++ b/lib/defines.h
+@@ -324,6 +324,22 @@
+ #define EXTRAUSERS_SHADOW_FILE "/var/lib/extrausers/shadow"
+ #endif
+ 
++#ifndef EXTRAUSERS_GROUP_FILE
++#define EXTRAUSERS_GROUP_FILE "/var/lib/extrausers/group"
++#endif
++
++#ifndef EXTRAUSERS_SHADOWGROUP_FILE
++#define EXTRAUSERS_SHADOWGROUP_FILE "/var/lib/extrausers/gshadow"
++#endif
++
++#ifndef EXTRAUSERS_SUBUID_FILE
++#define EXTRAUSERS_SUBUID_FILE "/var/lib/extrausers/subuid"
++#endif
++
++#ifndef EXTRAUSERS_SUBGID_FILE
++#define EXTRAUSERS_SUBGID_FILE "/var/lib/extrausers/subgid"
++#endif
++
+ #ifndef NULL
+ #define NULL ((void *) 0)
+ #endif
+--- a/src/groupadd.c
++++ b/src/groupadd.c
+@@ -105,6 +105,12 @@
+ static void check_flags (void);
+ static void check_perms (void);
+ 
++#ifndef EXTRAUSERS_OPT
++#define EXTRAUSERS_OPT 100000
++#endif
++
++static bool use_extrausers = false;
++
+ /*
+  * usage - display usage message and exit
+  */
+@@ -127,6 +133,7 @@
+ 	(void) fputs (_("  -r, --system                  create a system account\n"), usageout);
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
+ 	(void) fputs (_("  -P, --prefix PREFIX_DIR       directory prefix\n"), usageout);
++	(void) fputs (_("      --extrausers              Use the extra users database\n"), usageout);
+ 	(void) fputs ("\n", usageout);
+ 	exit (status);
+ }
+@@ -391,12 +398,16 @@
+ 		{"system",     no_argument,       NULL, 'r'},
+ 		{"root",       required_argument, NULL, 'R'},
+ 		{"prefix",     required_argument, NULL, 'P'},
++		{"extrausers", no_argument,       NULL, EXTRAUSERS_OPT},
+ 		{NULL, 0, NULL, '\0'}
+ 	};
+ 
+ 	while ((c = getopt_long (argc, argv, "fg:hK:op:rR:P:",
+ 		                 long_options, NULL)) != -1) {
+ 		switch (c) {
++        case EXTRAUSERS_OPT:
++            use_extrausers = true;
++            break;
+ 		case 'f':
+ 			/*
+ 			 * "force" - do nothing, just exit(0), if the
+@@ -606,7 +617,18 @@
+ 
+ 	check_perms ();
+ 
++    if (use_extrausers) {
++		fprintf (stderr, "ENTER EXTRAUSERS_GROUP_FILE");
++        gr_setdbname (EXTRAUSERS_GROUP_FILE);
++		fprintf (stderr, "EXIT EXTRAUSERS_GROUP_FILE");
++    }
++
+ #ifdef SHADOWGRP
++    if (use_extrausers) {
++		fprintf (stderr, "ENTER EXTRAUSERS_SHADOWGROUP_FILE");
++        sgr_setdbname (EXTRAUSERS_SHADOWGROUP_FILE);
++		fprintf (stderr, "EXIT EXTRAUSERS_SHADOWGROUP_FILE");
++    }
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
+ 
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -150,6 +150,12 @@
+ 
+ extern int allow_bad_names;
+ 
++#ifndef EXTRAUSERS_OPT
++#define EXTRAUSERS_OPT 100000
++#endif
++
++static bool use_extrausers = false;
++
+ static bool
+     bflg = false,		/* new default root of home directory */
+     cflg = false,		/* comment (GECOS) field for new account */
+@@ -859,6 +865,7 @@
+ #ifdef WITH_SELINUX
+ 	(void) fputs (_("  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping\n"), usageout);
+ #endif				/* WITH_SELINUX */
++	(void) fputs (_("      --extrausers              Use the extra users database\n"), usageout);
+ 	(void) fputs ("\n", usageout);
+ 	exit (status);
+ }
+@@ -1139,6 +1146,7 @@
+ #ifdef WITH_SELINUX
+ 			{"selinux-user",   required_argument, NULL, 'Z'},
+ #endif				/* WITH_SELINUX */
++			{"extrausers",     no_argument,       NULL, EXTRAUSERS_OPT},
+ 			{NULL, 0, NULL, '\0'}
+ 		};
+ 		while ((c = getopt_long (argc, argv,
+@@ -1149,6 +1157,9 @@
+ #endif				/* !WITH_SELINUX */
+ 		                         long_options, NULL)) != -1) {
+ 			switch (c) {
++			case EXTRAUSERS_OPT:
++                use_extrausers = true;
++                break;
+ 			case 'b':
+ 				if (   ( !VALID (optarg) )
+ 				    || ( optarg[0] != '/' )) {
+@@ -2384,6 +2395,18 @@
+ 		}
+ 	}
+ 
++    if (use_extrausers) {
++        pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++        spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++        gr_setdbname (EXTRAUSERS_GROUP_FILE);
++        /* TODO expose this information in other tools */
++        sub_uid_setdbname(EXTRAUSERS_SUBUID_FILE);
++        sub_gid_setdbname(EXTRAUSERS_SUBGID_FILE);
++#ifdef SHADOWGRP
++        sgr_setdbname (EXTRAUSERS_SHADOWGROUP_FILE);
++#endif
++    }
++
+ 	/*
+ 	 * Do the hard stuff:
+ 	 * - open the files,
diff -pruN 1:4.8.1-2/debian/patches/1012_extrausers_chfn.patch 1:4.8.1-2ubuntu1/debian/patches/1012_extrausers_chfn.patch
--- 1:4.8.1-2/debian/patches/1012_extrausers_chfn.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/patches/1012_extrausers_chfn.patch	2020-02-07 15:32:06.000000000 +0000
@@ -0,0 +1,71 @@
+From: Michael Vogt <mvo at ubuntu.com>
+Date: Fri, 20 Dec 2019 16:45:51 +0100
+Subject: add support for --extrausers for chfn
+
+This add support for --extrausers to the chfn tool.
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1495580
+---
+ src/chfn.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/chfn.c b/src/chfn.c
+index b2658fc..acf945a 100644
+--- a/src/chfn.c
++++ b/src/chfn.c
+@@ -71,6 +71,11 @@ static bool hflg = false;		/* -h - set home phone number        */
+ static bool oflg = false;		/* -o - set other information        */
+ static bool pw_locked = false;
+ 
++#ifndef EXTRAUSERS_OPT
++#define EXTRAUSERS_OPT 100000
++#endif
++static bool use_extrausers = false;
++
+ /*
+  * External identifiers
+  */
+@@ -123,6 +128,7 @@ static /*@noreturn@*/void usage (int status)
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
+ 	(void) fputs (_("  -u, --help                    display this help message and exit\n"), usageout);
+ 	(void) fputs (_("  -w, --work-phone WORK_PHONE   change user's office phone number\n"), usageout);
++	(void) fputs (_("      --extrausers              Use the extra users database\n"), usageout);        
+ 	(void) fputs ("\n", usageout);
+ 	exit (status);
+ }
+@@ -273,6 +279,7 @@ static void process_flags (int argc, char **argv)
+ 		{"root",       required_argument, NULL, 'R'},
+ 		{"help",       no_argument,       NULL, 'u'},
+ 		{"work-phone", required_argument, NULL, 'w'},
++                {"extrausers", no_argument, NULL, EXTRAUSERS_OPT},
+ 		{NULL, 0, NULL, '\0'}
+ 	};
+ 
+@@ -286,6 +293,9 @@ static void process_flags (int argc, char **argv)
+ 	while ((c = getopt_long (argc, argv, "f:h:o:r:R:uw:",
+ 	                         long_options, NULL)) != -1) {
+ 		switch (c) {
++                case EXTRAUSERS_OPT:
++                   use_extrausers = true;
++                   break;
+ 		case 'f':
+ 			if (!may_change_field ('f')) {
+ 				fprintf (stderr,
+@@ -653,6 +663,18 @@ int main (int argc, char **argv)
+ 	/* parse the command line options */
+ 	process_flags (argc, argv);
+ 
++        if (use_extrausers) {
++           pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++           spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++           gr_setdbname (EXTRAUSERS_GROUP_FILE);
++           /* TODO expose this information in other tools */
++           sub_uid_setdbname(EXTRAUSERS_SUBUID_FILE);
++           sub_gid_setdbname(EXTRAUSERS_SUBGID_FILE);
++#ifdef SHADOWGRP
++           sgr_setdbname (EXTRAUSERS_SHADOWGROUP_FILE);
++#endif
++        }
++        
+ 	/*
+ 	 * Get the name of the user to check. It is either the command line
+ 	 * name, or the name getlogin() returns.
diff -pruN 1:4.8.1-2/debian/patches/1013_extrausers_deluser.patch 1:4.8.1-2ubuntu1/debian/patches/1013_extrausers_deluser.patch
--- 1:4.8.1-2/debian/patches/1013_extrausers_deluser.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/patches/1013_extrausers_deluser.patch	2020-03-09 08:10:31.000000000 +0000
@@ -0,0 +1,71 @@
+From: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
+Date: Fri, 20 Dec 2019 16:45:51 +0100
+Subject: _extrausers_deluser
+
+===================================================================
+---
+ src/userdel.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+Index: shadow-4.8.1/src/userdel.c
+===================================================================
+--- shadow-4.8.1.orig/src/userdel.c
++++ shadow-4.8.1/src/userdel.c
+@@ -139,6 +139,12 @@ static int remove_mailbox (void);
+ static int remove_tcbdir (const char *user_name, uid_t user_id);
+ #endif				/* WITH_TCB */
+ 
++#ifndef EXTRAUSERS_OPT
++#define EXTRAUSERS_OPT 100000
++#endif
++
++static bool use_extrausers = false;
++
+ /*
+  * usage - display usage message and exit
+  */
+@@ -157,6 +163,7 @@ static void usage (int status)
+ 	(void) fputs (_("  -r, --remove                  remove home directory and mail spool\n"), usageout);
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
+ 	(void) fputs (_("  -P, --prefix PREFIX_DIR       prefix directory where are located the /etc/* files\n"), usageout);
++	(void) fputs (_("      --extrausers              Use the extra users database\n"), usageout);
+ #ifdef WITH_SELINUX
+ 	(void) fputs (_("  -Z, --selinux-user            remove any SELinux user mapping for the user\n"), usageout);
+ #endif				/* WITH_SELINUX */
+@@ -1035,6 +1042,7 @@ int main (int argc, char **argv)
+ 			{"remove",       no_argument,       NULL, 'r'},
+ 			{"root",         required_argument, NULL, 'R'},
+ 			{"prefix",       required_argument, NULL, 'P'},
++                        {"extrausers", no_argument,       NULL, EXTRAUSERS_OPT},
+ #ifdef WITH_SELINUX
+ 			{"selinux-user", no_argument,       NULL, 'Z'},
+ #endif				/* WITH_SELINUX */
+@@ -1048,6 +1056,9 @@ int main (int argc, char **argv)
+ #endif				/* !WITH_SELINUX */
+ 		                         long_options, NULL)) != -1) {
+ 			switch (c) {
++                        case EXTRAUSERS_OPT:
++                                use_extrausers = true;
++                                break;
+ 			case 'f':	/* force remove even if not owned by user */
+ 				fflg = true;
+ 				break;
+@@ -1136,6 +1147,18 @@ int main (int argc, char **argv)
+ 	is_sub_gid = sub_gid_file_present ();
+ #endif				/* ENABLE_SUBIDS */
+ 
++        if (use_extrausers) {
++               pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++               spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++               gr_setdbname (EXTRAUSERS_GROUP_FILE);
++               /* TODO expose this information in other tools */
++               sub_uid_setdbname(EXTRAUSERS_SUBUID_FILE);
++               sub_gid_setdbname(EXTRAUSERS_SUBGID_FILE);
++#ifdef SHADOWGRP
++               sgr_setdbname (EXTRAUSERS_SHADOWGROUP_FILE);
++#endif
++        }
++
+ 	/*
+ 	 * Start with a quick check to see if the user exists.
+ 	 */
diff -pruN 1:4.8.1-2/debian/patches/1014_extrausers_delgroup.patch 1:4.8.1-2ubuntu1/debian/patches/1014_extrausers_delgroup.patch
--- 1:4.8.1-2/debian/patches/1014_extrausers_delgroup.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/patches/1014_extrausers_delgroup.patch	2020-02-07 15:32:06.000000000 +0000
@@ -0,0 +1,71 @@
+From: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
+Date: Fri, 20 Dec 2019 16:45:51 +0100
+Subject: _extrausers_delgroup
+
+===================================================================
+---
+ src/groupdel.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/src/groupdel.c b/src/groupdel.c
+index f941a84..7487582 100644
+--- a/src/groupdel.c
++++ b/src/groupdel.c
+@@ -87,6 +87,12 @@ static void open_files (void);
+ static void group_busy (gid_t gid);
+ static void process_flags (int argc, char **argv);
+ 
++#ifndef EXTRAUSERS_OPT
++#define EXTRAUSERS_OPT 100000
++#endif
++
++static bool use_extrausers = false;
++
+ /*
+  * usage - display usage message and exit
+  */
+@@ -102,6 +108,7 @@ static /*@noreturn@*/void usage (int status)
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
+ 	(void) fputs (_("  -P, --prefix PREFIX_DIR       prefix directory where are located the /etc/* files\n"), usageout);
+ 	(void) fputs (_("  -f, --force                   delete group even if it is the primary group of a user\n"), usageout);
++        (void) fputs (_("      --extrausers              Use the extra users database\n"), usageout);
+ 	(void) fputs ("\n", usageout);
+ 	exit (status);
+ }
+@@ -325,6 +332,7 @@ static void process_flags (int argc, char **argv)
+ 		{"help", no_argument,       NULL, 'h'},
+ 		{"root", required_argument, NULL, 'R'},
+ 		{"prefix", required_argument, NULL, 'P'},
++		{"extrausers", no_argument, NULL, EXTRAUSERS_OPT},
+ 		{NULL, 0, NULL, '\0'}
+ 	};
+ 
+@@ -341,6 +349,9 @@ static void process_flags (int argc, char **argv)
+ 		case 'f':
+ 			check_group_busy = false;
+ 			break;
++		case EXTRAUSERS_OPT:
++			use_extrausers = true;
++			break;
+ 		default:
+ 			usage (E_USAGE);
+ 		}
+@@ -482,6 +493,18 @@ int main (int argc, char **argv)
+ 		group_busy (group_id);
+ 	}
+ 
++        if (use_extrausers) {
++               pw_setdbname (EXTRAUSERS_PASSWD_FILE);
++               spw_setdbname (EXTRAUSERS_SHADOW_FILE);
++               gr_setdbname (EXTRAUSERS_GROUP_FILE);
++               /* TODO expose this information in other tools */
++               sub_uid_setdbname(EXTRAUSERS_SUBUID_FILE);
++               sub_gid_setdbname(EXTRAUSERS_SUBGID_FILE);
++#ifdef SHADOWGRP
++               sgr_setdbname (EXTRAUSERS_SHADOWGROUP_FILE);
++#endif
++        }
++
+ 	/*
+ 	 * Do the hard stuff - open the files, delete the group entries,
+ 	 * then close and update the files.
diff -pruN 1:4.8.1-2/debian/patches/1015_add_zsys_support.patch 1:4.8.1-2ubuntu1/debian/patches/1015_add_zsys_support.patch
--- 1:4.8.1-2/debian/patches/1015_add_zsys_support.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/patches/1015_add_zsys_support.patch	2020-05-28 06:37:47.000000000 +0000
@@ -0,0 +1,194 @@
+From: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
+Date: Fri, 29 Jun 2018 17:22:06 +0200
+Subject: Call zsys to handle home directory if available
+
+We call zsys to handle dataset creation for zsys system in a separate home
+dataset for each user on the system.
+This allows one to handle user dataset outside of /home and also renaming.
+We don't handle with system users (uid < 1000) as we consider them by default
+as part of the system.
+We don't support yet deletion, as removing the dataset would remove as well
+every snapshot of the history, and so, revert to previous version will result
+in user created, but no home directory, which is unwanted.
+Forwarded: not-needed
+Origin: ubuntu
+---
+ src/useradd.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
+ src/usermod.c | 36 +++++++++++++++++++++++++++++++++++-
+ 2 files changed, 77 insertions(+), 2 deletions(-)
+
+Index: shadow-4.8.1/src/useradd.c
+===================================================================
+--- shadow-4.8.1.orig/src/useradd.c
++++ shadow-4.8.1/src/useradd.c
+@@ -2084,6 +2084,13 @@ static void usr_update (void)
+  */
+ static void create_home (void)
+ {
++	const char zsys[] = "/sbin/zsysctl";
++	const char *pname = "zsysctl";
++	pid_t childpid;
++	int devnull_fd;
++	int zsys_failed;
++	int zsys_status;
++
+ 	if (access (prefix_user_home, F_OK) != 0) {
+ 		char path[strlen (prefix_user_home) + 2];
+ 		char *bhome, *cp;
+@@ -2159,6 +2166,7 @@ static void create_home (void)
+ #endif
+ 			fail_exit (E_HOMEDIR);
+ 		}
++
+ 				if (chown (path, 0, 0) < 0) {
+ 					fprintf (stderr,
+ 									_("%s: warning: chown on `%s' failed: %m\n"),
+@@ -2169,6 +2177,47 @@ static void create_home (void)
+ 									_("%s: warning: chmod on `%s' failed: %m\n"),
+ 									Prog, path);
+ 				}
++
++				// We don't create zsys user dataset for system users
++				zsys_failed = 0;
++				if (user_id < 1000) {
++					zsys_failed = 1;
++				} else {
++					zsys_failed = 0;
++					// Do a first chown before we prepare the mountpoint
++					if (chown (prefix_user_home, user_id, user_gid) < 0) {
++						fprintf (stderr,
++										_("%s: warning: chown on `%s' failed: %m\n"),
++										Prog, prefix_user_home);
++					}
++					switch (childpid = fork())
++					{
++					case -1: /* error */
++						zsys_failed = 1;
++						break;
++					case 0:							  /* child */
++						devnull_fd = open("/dev/null", O_WRONLY);
++						if (devnull_fd == -1) {
++							perror("can't open /dev/null");
++							exit(3);
++						}
++						// don't print zsys stdout and stderr
++						if (dup2(devnull_fd, 1) == -1 || (dup2(devnull_fd, 2) == -1)) {
++							exit(3);
++						}
++						execl(zsys, pname, "userdata", "create", user_name, path, NULL);
++						/* If we come here, something has gone terribly wrong */
++						perror(zsys);
++						exit(42); /* don't continue, we now have 2 processes running! */
++						/* NOTREACHED */
++						break;
++					default: /* parent */
++						if (waitpid(childpid, &zsys_status, 0) == -1 || !WIFEXITED(zsys_status) || WEXITSTATUS(zsys_status) != 0)
++							zsys_failed = 1;
++						break;
++					}
++				}
++
+ 			}
+ 			cp = strtok (NULL, "/");
+ 		}
+Index: shadow-4.8.1/src/usermod.c
+===================================================================
+--- shadow-4.8.1.orig/src/usermod.c
++++ shadow-4.8.1/src/usermod.c
+@@ -1819,6 +1819,12 @@ static void usr_update (void)
+ static void move_home (void)
+ {
+ 	struct stat sb;
++	const char zsys[] = "/sbin/zsysctl";
++	const char *pname = "zsysctl";
++	int devnull_fd;
++	pid_t childpid;
++	int zsys_failed;
++	int zsys_status;
+ 
+ 	if (access (prefix_user_newhome, F_OK) == 0) {
+ 		/*
+@@ -1853,7 +1859,35 @@ static void move_home (void)
+ 		}
+ #endif
+ 
+-		if (rename (prefix_user_home, prefix_user_newhome) == 0) {
++		zsys_failed = 0;
++		switch (childpid = fork())
++		{
++		case -1: /* error */
++			zsys_failed = 1;
++			break;
++		case 0: /* child */
++			devnull_fd = open("/dev/null", O_WRONLY);
++			if (devnull_fd == -1){
++				perror("can't open /dev/null");
++				exit(3);
++			}
++			// don't print zsys stdout and stderr
++			if (dup2(devnull_fd, 1) == -1 || (dup2(devnull_fd, 2) == -1)) {
++				exit(3);
++			}
++			execl(zsys, pname, "userdata", "set-home", prefix_user_home, prefix_user_newhome, NULL);
++			/* If we come here, something has gone terribly wrong */
++			perror(zsys);
++			exit(42); /* don't continue, we now have 2 processes running! */
++			/* NOTREACHED */
++			break;
++		default: /* parent */
++			if (waitpid(childpid, &zsys_status, 0) == -1 || !WIFEXITED(zsys_status) || WEXITSTATUS(zsys_status) != 0)
++				zsys_failed = 1;
++			break;
++		}
++
++		if (zsys_failed == 0 || rename (prefix_user_home, prefix_user_newhome) == 0) {
+ 			/* FIXME: rename above may have broken symlinks
+ 			 *        pointing to the user's home directory
+ 			 *        with an absolute path. */
+Index: shadow-4.8.1/src/userdel.c
+===================================================================
+--- shadow-4.8.1.orig/src/userdel.c
++++ shadow-4.8.1/src/userdel.c
+@@ -1296,6 +1296,42 @@ int main (int argc, char **argv)
+ 	}
+ #endif				/* EXTRA_CHECK_HOME_DIR */
+ 
++	/* ZSys support: always dissociate dataset, even if we don’t delete the content */
++	if (user_id >= 1000) {
++		const char zsys[] = "/sbin/zsysctl";
++		const char *pname = "zsysctl";
++		pid_t childpid;
++		int devnull_fd;
++		int zsys_status;
++		switch (childpid = fork())
++		{
++		case -1: /* error */
++			break;
++		case 0:							  /* child */
++			devnull_fd = open("/dev/null", O_WRONLY);
++			if (devnull_fd == -1) {
++				perror("can't open /dev/null");
++				exit(3);
++			}
++			// don't print ZSys stdout and stderr
++			if (dup2(devnull_fd, 1) == -1 || (dup2(devnull_fd, 2) == -1)) {
++				exit(3);
++			}
++			if (rflg)
++				execl(zsys, pname, "userdata", "dissociate", "--remove", user_name, NULL);
++			else
++				execl(zsys, pname, "userdata", "dissociate", user_name, NULL);
++			/* If we come here, something has gone terribly wrong */
++			perror(zsys);
++			exit(42); /* don't continue, we now have 2 processes running! */
++			/* NOTREACHED */
++			break;
++		default: /* parent */
++			waitpid(childpid, &zsys_status, 0);
++			break;
++		}
++	}
++
+ 	if (rflg) {
+ #ifdef WITH_BTRFS
+ 		int is_subvolume = btrfs_is_subvolume (user_home);
diff -pruN 1:4.8.1-2/debian/patches/1016_extrausers_gpasswd.patch 1:4.8.1-2ubuntu1/debian/patches/1016_extrausers_gpasswd.patch
--- 1:4.8.1-2/debian/patches/1016_extrausers_gpasswd.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/patches/1016_extrausers_gpasswd.patch	2020-12-02 10:44:02.000000000 +0000
@@ -0,0 +1,55 @@
+From bea0ec0e35d7417b258dcbf85c700e204afd1a1e Mon Sep 17 00:00:00 2001
+From: Marcus Tomlinson <marcus.tomlinson at canonical.com>
+Date: Wed, 21 Oct 2020 13:18:01 +0100
+Subject: add extrausers flag
+
+---
+ src/gpasswd.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index 4d75af9..e72ae64 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -123,6 +123,10 @@ static void log_gpasswd_success (const char *suffix);
+ static void log_gpasswd_success_system (/*@null@*/unused void *arg);
+ static void log_gpasswd_success_group (/*@null@*/unused void *arg);
+ 
++#ifndef EXTRAUSERS_OPT
++#define EXTRAUSERS_OPT 100000
++#endif
++
+ /*
+  * usage - display usage message
+  */
+@@ -141,6 +145,7 @@ static void usage (int status)
+ 	(void) fputs (_("  -r, --remove-password         remove the GROUP's password\n"), usageout);
+ 	(void) fputs (_("  -R, --restrict                restrict access to GROUP to its members\n"), usageout);
+ 	(void) fputs (_("  -M, --members USER,...        set the list of members of GROUP\n"), usageout);
++	(void) fputs (_("      --extrausers              use the extra users database\n"), usageout);
+ #ifdef SHADOWGRP
+ 	(void) fputs (_("  -A, --administrators ADMIN,...\n"
+ 	                "                                set the list of administrators for GROUP\n"), usageout);
+@@ -238,12 +243,19 @@ static void process_flags (int argc, char **argv)
+ 		{"root",            required_argument, NULL, 'Q'},
+ 		{"remove-password", no_argument,       NULL, 'r'},
+ 		{"restrict",        no_argument,       NULL, 'R'},
++		{"extrausers",      no_argument,       NULL, EXTRAUSERS_OPT},
+ 		{NULL, 0, NULL, '\0'}
+ 		};
+ 
+ 	while ((c = getopt_long (argc, argv, "a:A:d:ghM:Q:rR",
+ 	                         long_options, NULL)) != -1) {
+ 		switch (c) {
++		case EXTRAUSERS_OPT:
++			gr_setdbname (EXTRAUSERS_GROUP_FILE);
++#ifdef SHADOWGRP
++			sgr_setdbname (EXTRAUSERS_SHADOWGROUP_FILE);
++#endif
++			break;
+ 		case 'a':	/* add a user */
+ 			aflg = true;
+ 			user = optarg;
+-- 
+cgit v1.1
+
diff -pruN 1:4.8.1-2/debian/patches/506_relaxed_usernames 1:4.8.1-2ubuntu1/debian/patches/506_relaxed_usernames
--- 1:4.8.1-2/debian/patches/506_relaxed_usernames	2021-11-10 09:39:04.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/patches/506_relaxed_usernames	2021-11-11 15:42:38.000000000 +0000
@@ -25,7 +25,7 @@ Details:
  	/*
  	 * User/group names must match [a-z_][a-z0-9_-]*[$]
  	 */
-@@ -73,6 +74,26 @@
+@@ -73,7 +74,62 @@
  			return false;
  		}
  	}
@@ -37,24 +37,60 @@ Details:
 +	 *
 +	 * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
 +	 */
++	bool is_numeric = true;
++	bool is_hex = true;
++	bool is_octal = true;
++	/*
++	 * We skip the hex and octal checks for the first two characters in the
++	 * loop, and inspect them individually before the loop starts. This
++	 * checks for "0x" and "0o" at the beginning of the username while still
++	 * treating "x" and "o" as non-numeric characters in all other scenarios
++	 */
++	int chars_checked = 0;
++
 +	if (   ('\0' == *name)
 +	    || ('-'  == *name)
 +	    || ('~'  == *name)
 +	    || ('+'  == *name)) {
 +		return false;
 +	}
++	/* if the username does not start with "0x" it is not hexadecimal */
++	if (*name != '0' || *(name + 1) != 'x') {
++		is_hex = false;
++	}
++	/* if the username does not start with "0o" it is not octal */
++	if (*name != '0' || *(name + 1) != 'o') {
++		is_octal = false;
++	}
 +	do {
 +		if ((':' == *name) || (',' == *name) || isspace(*name)) {
 +			return false;
 +		}
++		if ((*name < '0' || *name > '9')) {
++			is_numeric = false;
++		}
++		if ((*name < '0' || *name > '9') &&
++		    (*name < 'A' || *name > 'F') &&
++		    (*name < 'a' || *name > 'f') &&
++		    chars_checked >= 2) {
++			is_hex = false;
++		}
++		if ((*name < '0' || *name > '7') && chars_checked >= 2) {
++			is_octal = false;
++		}
++		chars_checked++;
 +		name++;
 +	} while ('\0' != *name);
  
++	if (is_numeric || is_hex || is_octal) {
++		return false;
++	}
  	return true;
  }
+ 
 --- a/man/useradd.8.xml
 +++ b/man/useradd.8.xml
-@@ -662,12 +662,20 @@
+@@ -662,12 +662,25 @@
      </para>
  
      <para>
@@ -73,12 +109,17 @@ Details:
 +      user's home directory.
 +    </para>
 +    <para>
++      On Ubuntu, the same constraints as Debian are in place, with the
++      additional constraint that the username cannot be fully numeric.
++      This includes octal and hexadecimal syntax.
++    </para>
++    <para>
        Usernames may only be up to 32 characters long.
      </para>
    </refsect1>
 --- a/man/groupadd.8.xml
 +++ b/man/groupadd.8.xml
-@@ -273,12 +273,18 @@
+@@ -273,12 +273,23 @@
     <refsect1 id='caveats'>
       <title>CAVEATS</title>
       <para>
@@ -94,6 +135,11 @@ Details:
 +       colon (':'), a comma (','), or a whitespace (space:' ',
 +       end of line: '\n', tabulation: '\t', etc.).
 +     </para>
++    <para>
++      On Ubuntu, the same constraints as Debian are in place, with the
++      additional constraint that the groupname cannot be fully numeric.
++      This includes octal and hexadecimal syntax.
++    </para>
 +     <para>
         Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
       </para>
diff -pruN 1:4.8.1-2/debian/patches/series 1:4.8.1-2ubuntu1/debian/patches/series
--- 1:4.8.1-2/debian/patches/series	2021-11-10 09:39:04.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/patches/series	2021-11-11 15:42:38.000000000 +0000
@@ -14,3 +14,10 @@
 508_nologin_in_usr_sbin
 505_useradd_recommend_adduser
 501_commonio_group_shadow
+1010_extrausers.patch
+1011_extrausers_toggle.patch
+1012_extrausers_chfn.patch
+1013_extrausers_deluser.patch
+1014_extrausers_delgroup.patch
+1015_add_zsys_support.patch
+1016_extrausers_gpasswd.patch
diff -pruN 1:4.8.1-2/debian/source_shadow.py 1:4.8.1-2ubuntu1/debian/source_shadow.py
--- 1:4.8.1-2/debian/source_shadow.py	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/source_shadow.py	2020-02-07 15:32:06.000000000 +0000
@@ -0,0 +1,26 @@
+#!/usr/bin/python
+
+'''Apport package hook for shadow
+
+(c) 2010 Canonical Ltd.
+Contributors:
+Marc Deslauriers <marc.deslauriers at canonical.com>
+
+This program is free software; you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by the
+Free Software Foundation; either version 2 of the License, or (at your
+option) any later version.  See http://www.gnu.org/copyleft/gpl.html for
+the full text of the license.
+'''
+
+from apport.hookutils import *
+
+def add_info(report):
+
+    attach_file_if_exists(report, '/etc/login.defs', 'LoginDefs')
+
+if __name__ == '__main__':
+    report = {}
+    add_info(report)
+    for key in report:
+        print('[%s]\n%s' % (key, report[key]))
diff -pruN 1:4.8.1-2/debian/tests/control 1:4.8.1-2ubuntu1/debian/tests/control
--- 1:4.8.1-2/debian/tests/control	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/tests/control	2021-06-17 19:35:15.000000000 +0000
@@ -0,0 +1,2 @@
+Tests: smoke, numeric-username
+Restrictions: needs-root, allow-stderr
diff -pruN 1:4.8.1-2/debian/tests/numeric-username 1:4.8.1-2ubuntu1/debian/tests/numeric-username
--- 1:4.8.1-2/debian/tests/numeric-username	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/tests/numeric-username	2021-06-17 19:35:15.000000000 +0000
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -ux
+
+# purely numeric usernames are considered invalid
+for invalidUsername in "0" "00" "0123456789" "0x0" "0x0123456789" "0o0" "0o01234567" "0xDEADBEEF" "0xcafe42" "0xdeadbeef" "0xdeadBEEF"
+do
+	useradd $invalidUsername
+	ret=$?
+	if [ $ret -eq 0 ]
+	then
+		exit 1
+	fi
+done
+
+# usernames that start with a digit and contain other valid characters should not fail
+for validUsername in "0root" "0123456789root" "0-0" "0_0" "0.o" "0xo" "0-o" "0_o" "0x0x0x0" "0o0123456789" "0.0.0.0" "0x123.456.789" "0o123.456.789" "123.456" "0.0" "0xdeadbeefjawn-smith" "0o123jawn-smith"
+do
+	useradd $validUsername
+	ret=$?
+	if [ $ret -ne 0 ]
+	then
+		exit 1
+	fi
+done
diff -pruN 1:4.8.1-2/debian/tests/smoke 1:4.8.1-2ubuntu1/debian/tests/smoke
--- 1:4.8.1-2/debian/tests/smoke	1970-01-01 00:00:00.000000000 +0000
+++ 1:4.8.1-2ubuntu1/debian/tests/smoke	2020-03-09 09:26:15.000000000 +0000
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+set -e
+
+# smoke test for {user,group}{add,del}
+mkdir -p /var/lib/extrausers
+
+echo "Adding an user works"
+useradd shadow-test-user
+grep '^shadow-test-user:x:' /etc/passwd
+grep '^shadow-test-user:!:' /etc/shadow
+# nothing got added to the extrausers
+! grep 'shadow-test-user' /var/lib/extrausers/passwd
+! grep 'shadow-test-user' /var/lib/extrausers/shadow
+
+echo "Removing an user works"
+userdel shadow-test-user
+! grep 'shadow-test-user' /etc/passwd
+! grep 'shadow-test-user' /etc/shadow
+
+echo "Adding an extrauser works"
+useradd --extrausers shadow-test-user
+grep '^shadow-test-user:x:' /var/lib/extrausers/passwd
+grep '^shadow-test-user:!:' /var/lib/extrausers/shadow
+# nothing got added to the system
+! grep 'shadow-test-user' /etc/passwd
+! grep 'shadow-test-user' /etc/shadow
+
+echo "Removing an extrauser works"
+userdel --extrausers shadow-test-user
+! grep 'shadow-test-user' /var/lib/extrausers/passwd
+! grep 'shadow-test-user' /var/lib/extrausers/passwd


More information about the Pkg-shadow-devel mailing list