diff --git a/SOURCES/shadow-4.3.1-manfix.patch b/SOURCES/shadow-4.3.1-manfix.patch
deleted file mode 100644
index bd1577e..0000000
--- a/SOURCES/shadow-4.3.1-manfix.patch
+++ /dev/null
@@ -1,349 +0,0 @@
-Index: shadow-4.5/man/groupmems.8.xml
-===================================================================
---- shadow-4.5.orig/man/groupmems.8.xml
-+++ shadow-4.5/man/groupmems.8.xml
-@@ -179,20 +179,10 @@
-   <refsect1 id='setup'>
-     <title>SETUP</title>
-     <para>
--      The <command>groupmems</command> executable should be in mode
--      <literal>2770</literal> as user <emphasis>root</emphasis> and in group
--      <emphasis>groups</emphasis>. The system administrator can add users to
--      group <emphasis>groups</emphasis> to allow or disallow them using the
--      <command>groupmems</command> utility to manage their own group
--      membership list.
-+      In this operating system the <command>groupmems</command> executable
-+      is not setuid and regular users cannot use it to manipulate
-+      the membership of their own group.
-     </para>
--
--    <programlisting>
--	$ groupadd -r groups
--	$ chmod 2770 groupmems
--	$ chown root.groups groupmems
--	$ groupmems -g groups -a gk4
--    </programlisting>
-   </refsect1>
- 
-   <refsect1 id='configuration'>
-Index: shadow-4.5/man/chage.1.xml
-===================================================================
---- shadow-4.5.orig/man/chage.1.xml
-+++ shadow-4.5/man/chage.1.xml
-@@ -102,6 +102,9 @@
- 	    Set the number of days since January 1st, 1970 when the password
- 	    was last changed. The date may also be expressed in the format
- 	    YYYY-MM-DD (or the format more commonly used in your area).
-+	    If the <replaceable>LAST_DAY</replaceable> is set to
-+	    <emphasis>0</emphasis> the user is forced to change his password
-+	    on the next log on.
- 	  </para>
- 	</listitem>
-       </varlistentry>
-@@ -119,6 +122,13 @@
- 	    system again.
- 	  </para>
- 	  <para>
-+	    For example the following can be used to set an account to expire
-+	    in 180 days:
-+	  </para>
-+	  <programlisting>
-+	    chage -E $(date -d +180days +%Y-%m-%d)
-+	  </programlisting>
-+	  <para>
- 	    Passing the number <emphasis remap='I'>-1</emphasis> as the
- 	    <replaceable>EXPIRE_DATE</replaceable> will remove an account
- 	    expiration date.
-@@ -233,6 +243,18 @@
-       The <command>chage</command> program requires a shadow password file to
-       be available.
-     </para>
-+    <para>
-+      The chage program will report only the information from the shadow
-+      password file. This implies that configuration from other sources
-+     (e.g. LDAP or empty password hash field from the passwd file) that
-+     affect the user's login will not be shown in the chage output.
-+    </para>
-+    <para>
-+      The <command>chage</command> program will also not report any
-+      inconsistency between the shadow and passwd files (e.g. missing x in
-+      the passwd file). The <command>pwck</command> can be used to check
-+      for this kind of inconsistencies.
-+    </para>
-     <para>The <command>chage</command> command is restricted to the root
-       user, except for the <option>-l</option> option, which may be used by
-       an unprivileged user to determine when their password or account is due
-Index: shadow-4.5/man/ja/man5/login.defs.5
-===================================================================
---- shadow-4.5.orig/man/ja/man5/login.defs.5
-+++ shadow-4.5/man/ja/man5/login.defs.5
-@@ -147,10 +147,6 @@ PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_
- shadow パスワード機能のどのプログラムが
- どのパラメータを使用するかを示したものである。
- .na
--.IP chfn 12
--CHFN_AUTH CHFN_RESTRICT
--.IP chsh 12
--CHFN_AUTH
- .IP groupadd 12
- GID_MAX GID_MIN
- .IP newusers 12
-Index: shadow-4.5/man/login.defs.5.xml
-===================================================================
---- shadow-4.5.orig/man/login.defs.5.xml
-+++ shadow-4.5/man/login.defs.5.xml
-@@ -162,6 +162,17 @@
-       long numeric parameters is machine-dependent.
-     </para>
- 
-+    <para>
-+      Please note that the parameters in this configuration file control the
-+      behavior of the tools from the shadow-utils component. None of these
-+      tools uses the PAM mechanism, and the utilities that use PAM (such as the
-+      passwd command) should be configured elsewhere. The only values that
-+      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
-+      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
-+      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
-+      pam(8) for more information.
-+    </para>
-+
-     <para>The following configuration items are provided:</para>
- 
-     <variablelist remap='IP'>
-@@ -252,16 +263,6 @@
- 	</listitem>
-       </varlistentry>
-       <varlistentry>
--	<term>chfn</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CHFN_AUTH</phrase>
--	    CHFN_RESTRICT
--	    <phrase condition="no_pam">LOGIN_STRING</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
--      <varlistentry>
- 	<term>chgpasswd</term>
- 	<listitem>
- 	  <para>
-@@ -282,14 +283,6 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry condition="no_pam">
--	<term>chsh</term>
--	<listitem>
--	  <para>
--	    CHSH_AUTH LOGIN_STRING
--	  </para>
--	</listitem>
--      </varlistentry>
-       <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
-       <!-- faillog: no variables -->
-       <varlistentry>
-@@ -350,34 +343,6 @@
-       </varlistentry>
-       <!-- id: no variables -->
-       <!-- lastlog: no variables -->
--      <varlistentry>
--	<term>login</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CONSOLE</phrase>
--	    CONSOLE_GROUPS DEFAULT_HOME
--	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
--	    ENV_TZ ENVIRON_FILE</phrase>
--	    ERASECHAR FAIL_DELAY
--	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
--	    FAKE_SHELL
--	    <phrase condition="no_pam">FTMP_FILE</phrase>
--	    HUSHLOGIN_FILE
--	    <phrase condition="no_pam">ISSUE_FILE</phrase>
--	    KILLCHAR
--	    <phrase condition="no_pam">LASTLOG_ENAB</phrase>
--	    LOGIN_RETRIES
--	    <phrase condition="no_pam">LOGIN_STRING</phrase>
--	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
--	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
--	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
--	    QUOTAS_ENAB</phrase>
--	    TTYGROUP TTYPERM TTYTYPE_FILE
--	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
--	    USERGROUPS_ENAB
--	  </para>
--	</listitem>
--      </varlistentry>
-       <!-- logoutd: no variables -->
-       <varlistentry>
- 	<term>newgrp / sg</term>
-@@ -405,17 +370,6 @@
- 	</listitem>
-       </varlistentry>
-       <!-- nologin: no variables -->
--      <varlistentry condition="no_pam">
--	<term>passwd</term>
--	<listitem>
--	  <para>
--	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
--	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
--	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
--	    SHA_CRYPT_MIN_ROUNDS</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
-       <varlistentry>
- 	<term>pwck</term>
- 	<listitem>
-@@ -442,32 +396,6 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
--      <varlistentry>
--	<term>su</term>
--	<listitem>
--	  <para>
--	    <phrase condition="no_pam">CONSOLE</phrase>
--	    CONSOLE_GROUPS DEFAULT_HOME
--	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
--	    ENV_PATH ENV_SUPATH
--	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
--	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
--	    SULOG_FILE SU_NAME
--	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
--	    SYSLOG_SU_ENAB
--	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
--      <varlistentry>
--	<term>sulogin</term>
--	<listitem>
--	  <para>
--	    ENV_HZ
--	    <phrase condition="no_pam">ENV_TZ</phrase>
--	  </para>
--	</listitem>
--      </varlistentry>
-       <varlistentry>
- 	<term>useradd</term>
- 	<listitem>
-Index: shadow-4.5/man/shadow.5.xml
-===================================================================
---- shadow-4.5.orig/man/shadow.5.xml
-+++ shadow-4.5/man/shadow.5.xml
-@@ -129,7 +129,7 @@
- 	<listitem>
- 	  <para>
- 	    The date of the last password change, expressed as the number
--	    of days since Jan 1, 1970.
-+	    of days since Jan 1, 1970 00:00 UTC.
- 	  </para>
- 	  <para>
- 	    The value 0 has a special meaning, which is that the user
-@@ -208,8 +208,8 @@
- 	  </para>
- 	  <para>
- 	    After expiration of the password and this expiration period is
--	    elapsed, no login is possible using the current user's
--	    password.  The user should contact her administrator.
-+	    elapsed, no login is possible for the user.
-+	    The user should contact her administrator.
- 	  </para>
- 	  <para>
- 	    An empty field means that there are no enforcement of an
-@@ -224,7 +224,7 @@
- 	<listitem>
- 	  <para>
- 	    The date of expiration of the account, expressed as the number
--	    of days since Jan 1, 1970.
-+	    of days since Jan 1, 1970 00:00 UTC.
- 	  </para>
- 	  <para>
- 	    Note that an account expiration differs from a password
-Index: shadow-4.5/man/useradd.8.xml
-===================================================================
---- shadow-4.5.orig/man/useradd.8.xml
-+++ shadow-4.5/man/useradd.8.xml
-@@ -347,6 +347,11 @@
- 	    <option>CREATE_HOME</option> is not enabled, no home
- 	    directories are created.
- 	  </para>
-+	  <para>
-+	    The directory where the user's home directory is created must
-+	    exist and have proper SELinux context and permissions. Otherwise
-+	    the user's home directory cannot be created or accessed.
-+	  </para>
- 	</listitem>
-       </varlistentry>
-       <varlistentry>
-Index: shadow-4.5/man/usermod.8.xml
-===================================================================
---- shadow-4.5.orig/man/usermod.8.xml
-+++ shadow-4.5/man/usermod.8.xml
-@@ -132,7 +132,8 @@
- 	    If the <option>-m</option>
- 	    option is given, the contents of the current home directory will
- 	    be moved to the new home directory, which is created if it does
--	    not already exist.
-+	    not already exist. If the current home directory does not exist
-+	    the new home directory will not be created.
- 	  </para>
- 	</listitem>
-       </varlistentry>
-@@ -256,7 +257,8 @@
- 	<listitem>
- 	  <para>
- 	    Move the content of the user's home directory to the new
--	    location.
-+	    location. If the current home directory does not exist
-+	    the new home directory will not be created.
- 	  </para>
- 	  <para>
- 	    This option is only valid in combination with the
-diff --git a/man/login.defs.d/SUB_GID_COUNT.xml b/man/login.defs.d/SUB_GID_COUNT.xml
-index 01ace007..93fe7421 100644
---- a/man/login.defs.d/SUB_GID_COUNT.xml
-+++ b/man/login.defs.d/SUB_GID_COUNT.xml
-@@ -42,7 +42,7 @@
-     <para>
-       The default values for <option>SUB_GID_MIN</option>,
-       <option>SUB_GID_MAX</option>, <option>SUB_GID_COUNT</option>
--      are respectively 100000, 600100000 and 10000.
-+      are respectively 100000, 600100000 and 65536.
-     </para>
-   </listitem>
- </varlistentry>
-diff --git a/man/login.defs.d/SUB_UID_COUNT.xml b/man/login.defs.d/SUB_UID_COUNT.xml
-index 5ad812f7..516417b7 100644
---- a/man/login.defs.d/SUB_UID_COUNT.xml
-+++ b/man/login.defs.d/SUB_UID_COUNT.xml
-@@ -42,7 +42,7 @@
-     <para>
-       The default values for <option>SUB_UID_MIN</option>,
-       <option>SUB_UID_MAX</option>, <option>SUB_UID_COUNT</option>
--      are respectively 100000, 600100000 and 10000.
-+      are respectively 100000, 600100000 and 65536.
-     </para>
-   </listitem>
- </varlistentry>
-diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml
---- shadow-4.6/man/groupadd.8.xml.manfix	2019-04-02 16:35:52.096637444 +0200
-+++ shadow-4.6/man/groupadd.8.xml	2019-06-07 14:23:57.477602106 +0200
-@@ -320,13 +320,13 @@
- 	<varlistentry>
- 	  <term><replaceable>4</replaceable></term>
- 	  <listitem>
--	    <para>GID not unique (when <option>-o</option> not used)</para>
-+	    <para>GID is already used (when called without <option>-o</option>)</para>
- 	  </listitem>
- 	</varlistentry>
- 	<varlistentry>
- 	  <term><replaceable>9</replaceable></term>
- 	  <listitem>
--	    <para>group name not unique</para>
-+	    <para>group name is already used</para>
- 	  </listitem>
- 	</varlistentry>
- 	<varlistentry>
-
diff --git a/SOURCES/shadow-4.5-goodname.patch b/SOURCES/shadow-4.5-goodname.patch
deleted file mode 100644
index 2f82828..0000000
--- a/SOURCES/shadow-4.5-goodname.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-Index: shadow-4.5/libmisc/chkname.c
-===================================================================
---- shadow-4.5.orig/libmisc/chkname.c
-+++ shadow-4.5/libmisc/chkname.c
-@@ -47,27 +47,46 @@
- #include "chkname.h"
- 
- static bool is_valid_name (const char *name)
--{
-+{      
- 	/*
--	 * User/group names must match [a-z_][a-z0-9_-]*[$]
--	 */
--	if (('\0' == *name) ||
--	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
-+         * User/group names must match gnu e-regex:
-+         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
-+         *
-+         * as a non-POSIX, extension, allow "$" as the last char for
-+         * sake of Samba 3.x "add machine script"
-+         *
-+         * Also do not allow fully numeric names or just "." or "..".
-+         */
-+	int numeric;
-+
-+	if ('\0' == *name ||
-+	    ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
-+			      '\0' == name[1])) ||
-+	    !((*name >= 'a' && *name <= 'z') ||
-+	      (*name >= 'A' && *name <= 'Z') ||
-+	      (*name >= '0' && *name <= '9') ||
-+	      *name == '_' ||
-+	      *name == '.')) {
- 		return false;
- 	}
- 
-+	numeric = isdigit(*name);
-+
- 	while ('\0' != *++name) {
--		if (!(( ('a' <= *name) && ('z' >= *name) ) ||
--		      ( ('0' <= *name) && ('9' >= *name) ) ||
--		      ('_' == *name) ||
--		      ('-' == *name) ||
--		      ( ('$' == *name) && ('\0' == *(name + 1)) )
-+		if (!((*name >= 'a' && *name <= 'z') ||
-+		      (*name >= 'A' && *name <= 'Z') ||
-+		      (*name >= '0' && *name <= '9') ||
-+		      *name == '_' ||
-+		      *name == '.' ||
-+		      *name == '-' ||
-+		      (*name == '$' && name[1] == '\0')
- 		     )) {
- 			return false;
- 		}
-+		numeric &= isdigit(*name);
- 	}
- 
--	return true;
-+	return !numeric;
- }
- 
- bool is_valid_user_name (const char *name)
-Index: shadow-4.5/man/groupadd.8.xml
-===================================================================
---- shadow-4.5.orig/man/groupadd.8.xml
-+++ shadow-4.5/man/groupadd.8.xml
-@@ -256,10 +256,14 @@
-    <refsect1 id='caveats'>
-      <title>CAVEATS</title>
-      <para>
--       Groupnames must start with a lower case letter or an underscore,
--       followed by lower case letters, digits, underscores, or dashes.
--       They can end with a dollar sign.
--       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
-+       Groupnames may contain only lower and upper case letters, digits,
-+       underscores, or dashes. They can end with a dollar sign.
-+
-+       Dashes are not allowed at the beginning of the groupname.
-+       Fully numeric groupnames and groupnames . or .. are
-+       also disallowed.
-+
-+       In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
-      </para>
-      <para>
-        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
-Index: shadow-4.5/man/useradd.8.xml
-===================================================================
---- shadow-4.5.orig/man/useradd.8.xml
-+++ shadow-4.5/man/useradd.8.xml
-@@ -633,10 +633,16 @@
-     </para>
- 
-     <para>
--      Usernames must start with a lower case letter or an underscore,
--      followed by lower case letters, digits, underscores, or dashes.
--      They can end with a dollar sign.
--      In regular expression terms: [a-z_][a-z0-9_-]*[$]?
-+      Usernames may contain only lower and upper case letters, digits,
-+      underscores, or dashes. They can end with a dollar sign.
-+
-+      Dashes are not allowed at the beginning of the username.
-+      Fully numeric usernames and usernames . or .. are
-+      also disallowed. It is not recommended to use usernames beginning
-+      with . character as their home directories will be hidden in
-+      the <command>ls</command> output.
-+
-+      In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
-     </para>
-     <para>
-       Usernames may only be up to 32 characters long.
diff --git a/SOURCES/shadow-4.6-goodname.patch b/SOURCES/shadow-4.6-goodname.patch
new file mode 100644
index 0000000..13b5f75
--- /dev/null
+++ b/SOURCES/shadow-4.6-goodname.patch
@@ -0,0 +1,104 @@
+diff -up shadow-4.6/libmisc/chkname.c.goodname shadow-4.6/libmisc/chkname.c
+--- shadow-4.6/libmisc/chkname.c.goodname	2020-10-23 12:50:47.202529031 +0200
++++ shadow-4.6/libmisc/chkname.c	2020-10-23 12:54:54.604692559 +0200
+@@ -49,25 +49,44 @@
+ static bool is_valid_name (const char *name)
+ {
+ 	/*
+-	 * User/group names must match [a-z_][a-z0-9_-]*[$]
+-	 */
+-	if (('\0' == *name) ||
+-	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
++         * User/group names must match gnu e-regex:
++         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
++         *
++         * as a non-POSIX, extension, allow "$" as the last char for
++         * sake of Samba 3.x "add machine script"
++         *
++         * Also do not allow fully numeric names or just "." or "..".
++         */
++	int numeric;
++
++	if ('\0' == *name ||
++	    ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
++			      '\0' == name[1])) ||
++	    !((*name >= 'a' && *name <= 'z') ||
++	      (*name >= 'A' && *name <= 'Z') ||
++	      (*name >= '0' && *name <= '9') ||
++	      *name == '_' ||
++	      *name == '.')) {
+ 		return false;
+ 	}
+ 
++	numeric = isdigit(*name);
++
+ 	while ('\0' != *++name) {
+-		if (!(( ('a' <= *name) && ('z' >= *name) ) ||
+-		      ( ('0' <= *name) && ('9' >= *name) ) ||
+-		      ('_' == *name) ||
+-		      ('-' == *name) ||
+-		      ( ('$' == *name) && ('\0' == *(name + 1)) )
++		if (!((*name >= 'a' && *name <= 'z') ||
++		      (*name >= 'A' && *name <= 'Z') ||
++		      (*name >= '0' && *name <= '9') ||
++		      *name == '_' ||
++		      *name == '.' ||
++		      *name == '-' ||
++		      (*name == '$' && name[1] == '\0')
+ 		     )) {
+ 			return false;
+ 		}
++		numeric &= isdigit(*name);
+ 	}
+ 
+-	return true;
++	return !numeric;
+ }
+ 
+ bool is_valid_user_name (const char *name)
+diff -up shadow-4.6/man/groupadd.8.xml.goodname shadow-4.6/man/groupadd.8.xml
+--- shadow-4.6/man/groupadd.8.xml.goodname	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/groupadd.8.xml	2020-10-23 12:50:47.202529031 +0200
+@@ -273,10 +273,14 @@
+    <refsect1 id='caveats'>
+      <title>CAVEATS</title>
+      <para>
+-       Groupnames must start with a lower case letter or an underscore,
+-       followed by lower case letters, digits, underscores, or dashes.
+-       They can end with a dollar sign.
+-       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
++       Groupnames may begin with lower and upper case letters, digits,
++       underscores, or periods. They may continue with all the aforementioned
++       characters, or dashes. Finally, they can end with a dollar sign.
++
++       Fully numeric groupnames and groupnames containing only . or .. are
++       disallowed.
++
++       In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
+      </para>
+      <para>
+        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+diff -up shadow-4.6/man/useradd.8.xml.goodname shadow-4.6/man/useradd.8.xml
+--- shadow-4.6/man/useradd.8.xml.goodname	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/useradd.8.xml	2020-10-23 12:50:47.202529031 +0200
+@@ -650,10 +650,16 @@
+     </para>
+ 
+     <para>
+-      Usernames must start with a lower case letter or an underscore,
+-      followed by lower case letters, digits, underscores, or dashes.
+-      They can end with a dollar sign.
+-      In regular expression terms: [a-z_][a-z0-9_-]*[$]?
++      Usernames may begin with lower and upper case letters, digits,
++      underscores, or periods. They may continue with all the aforementioned
++      characters, or dashes. Finally, they can end with a dollar sign.
++
++      Fully numeric usernames and usernames containing only . or .. are
++      disallowed. It is not recommended to use usernames beginning
++      with . character as their home directories will be hidden in
++      the <command>ls</command> output.
++
++      In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
+     </para>
+     <para>
+       Usernames may only be up to 32 characters long.
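Review bot: In the added `is_valid_name` body in libmisc/chkname.c, `numeric &= isdigit(*name)` relies on isdigit() returning the same non-zero value for every digit, which the C standard does not guarantee (it only promises non-zero). On a libc where the values differ, the AND could reach zero and a fully numeric name would pass, which is the case this check exists to reject because such names can be confused with UIDs/GIDs. Normalising the result makes the check portable: `numeric = (isdigit((unsigned char)*name) != 0);` before the loop and `numeric = numeric && isdigit((unsigned char)*name);` inside it. Separately, the new comment documents a length-bounded regex (`{0,30}` and a final `[a-zA-Z0-9_.$-]?`), while this function checks no length and the man pages in the same patch give `[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?`. The comment should state what the function enforces and note that the length limit is presumably applied by the callers, which are outside this hunk.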
diff --git a/SOURCES/shadow-4.6-manfix.patch b/SOURCES/shadow-4.6-manfix.patch
new file mode 100644
index 0000000..80ae198
--- /dev/null
+++ b/SOURCES/shadow-4.6-manfix.patch
@@ -0,0 +1,349 @@
+diff -up shadow-4.6/man/groupmems.8.xml.manfix shadow-4.6/man/groupmems.8.xml
+--- shadow-4.6/man/groupmems.8.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/groupmems.8.xml	2020-10-23 13:15:24.105387634 +0200
+@@ -179,20 +179,10 @@
+   <refsect1 id='setup'>
+     <title>SETUP</title>
+     <para>
+-      The <command>groupmems</command> executable should be in mode
+-      <literal>2770</literal> as user <emphasis>root</emphasis> and in group
+-      <emphasis>groups</emphasis>. The system administrator can add users to
+-      group <emphasis>groups</emphasis> to allow or disallow them using the
+-      <command>groupmems</command> utility to manage their own group
+-      membership list.
++      In this operating system the <command>groupmems</command> executable
++      is not setuid and regular users cannot use it to manipulate
++      the membership of their own group.
+     </para>
+-
+-    <programlisting>
+-	$ groupadd -r groups
+-	$ chmod 2770 groupmems
+-	$ chown root.groups groupmems
+-	$ groupmems -g groups -a gk4
+-    </programlisting>
+   </refsect1>
+ 
+   <refsect1 id='configuration'>
+diff -up shadow-4.6/man/chage.1.xml.manfix shadow-4.6/man/chage.1.xml
+--- shadow-4.6/man/chage.1.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/chage.1.xml	2020-10-23 13:15:24.105387634 +0200
+@@ -102,6 +102,9 @@
+ 	    Set the number of days since January 1st, 1970 when the password
+ 	    was last changed. The date may also be expressed in the format
+ 	    YYYY-MM-DD (or the format more commonly used in your area).
++	    If the <replaceable>LAST_DAY</replaceable> is set to
++	    <emphasis>0</emphasis> the user is forced to change his password
++	    on the next log on.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -119,6 +122,13 @@
+ 	    system again.
+ 	  </para>
+ 	  <para>
++	    For example the following can be used to set an account to expire
++	    in 180 days:
++	  </para>
++	  <programlisting>
++	    chage -E $(date -d +180days +%Y-%m-%d)
++	  </programlisting>
++	  <para>
+ 	    Passing the number <emphasis remap='I'>-1</emphasis> as the
+ 	    <replaceable>EXPIRE_DATE</replaceable> will remove an account
+ 	    expiration date.
+@@ -233,6 +243,18 @@
+       The <command>chage</command> program requires a shadow password file to
+       be available.
+     </para>
++    <para>
++      The chage program will report only the information from the shadow
++      password file. This implies that configuration from other sources
++     (e.g. LDAP or empty password hash field from the passwd file) that
++     affect the user's login will not be shown in the chage output.
++    </para>
++    <para>
++      The <command>chage</command> program will also not report any
++      inconsistency between the shadow and passwd files (e.g. missing x in
++      the passwd file). The <command>pwck</command> can be used to check
++      for this kind of inconsistencies.
++    </para>
+     <para>The <command>chage</command> command is restricted to the root
+       user, except for the <option>-l</option> option, which may be used by
+       an unprivileged user to determine when their password or account is due
+diff -up shadow-4.6/man/ja/man5/login.defs.5.manfix shadow-4.6/man/ja/man5/login.defs.5
+--- shadow-4.6/man/ja/man5/login.defs.5.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/ja/man5/login.defs.5	2020-10-23 13:15:24.106387639 +0200
+@@ -147,10 +147,6 @@ 以下の参照表は、
+ shadow パスワード機能のどのプログラムが
+ どのパラメータを使用するかを示したものである。
+ .na
+-.IP chfn 12
+-CHFN_AUTH CHFN_RESTRICT
+-.IP chsh 12
+-CHFN_AUTH
+ .IP groupadd 12
+ GID_MAX GID_MIN
+ .IP newusers 12
+diff -up shadow-4.6/man/login.defs.5.xml.manfix shadow-4.6/man/login.defs.5.xml
+--- shadow-4.6/man/login.defs.5.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/login.defs.5.xml	2020-10-23 13:15:43.280475188 +0200
+@@ -162,6 +162,27 @@
+       long numeric parameters is machine-dependent.
+     </para>
+ 
++    <para>
++      Please note that the parameters in this configuration file control the
++      behavior of the tools from the shadow-utils component. None of these
++      tools uses the PAM mechanism, and the utilities that use PAM (such as the
++      passwd command) should be configured elsewhere. The only values that
++      affect PAM modules are <emphasis>ENCRYPT_METHOD</emphasis> and <emphasis>SHA_CRYPT_MAX_ROUNDS</emphasis>
++      for pam_unix module, <emphasis>FAIL_DELAY</emphasis> for pam_faildelay module,
++      and <emphasis>UMASK</emphasis> for pam_umask module. Refer to
++      pam(8) for more information.
++    </para>
++
++    <para>
++      Please also take into account that this man page is generic and some of
++      the options may be unsupported by currently installed tools. In case of
++      doubt check <xref linkend="cross_references"/> and
++      <xref linkend="see_also"/>. For example see
++      <citerefentry><refentrytitle>login</refentrytitle>
++      <manvolnum>1</manvolnum></citerefentry> for login specific options such
++      as <emphasis>LOGIN_STRING</emphasis>.
++    </para>
++
+     <para>The following configuration items are provided:</para>
+ 
+     <variablelist remap='IP'>
+@@ -252,16 +273,6 @@
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+-	<term>chfn</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CHFN_AUTH</phrase>
+-	    CHFN_RESTRICT
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+ 	<term>chgpasswd</term>
+ 	<listitem>
+ 	  <para>
+@@ -282,14 +293,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry condition="no_pam">
+-	<term>chsh</term>
+-	<listitem>
+-	  <para>
+-	    CHSH_AUTH LOGIN_STRING
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- expiry: no variables (CONSOLE_GROUPS linked, but not used) -->
+       <!-- faillog: no variables -->
+       <varlistentry>
+@@ -350,34 +353,6 @@
+       </varlistentry>
+       <!-- id: no variables -->
+       <!-- lastlog: no variables -->
+-      <varlistentry>
+-	<term>login</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
+-	    ENV_TZ ENVIRON_FILE</phrase>
+-	    ERASECHAR FAIL_DELAY
+-	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
+-	    FAKE_SHELL
+-	    <phrase condition="no_pam">FTMP_FILE</phrase>
+-	    HUSHLOGIN_FILE
+-	    <phrase condition="no_pam">ISSUE_FILE</phrase>
+-	    KILLCHAR
+-	    <phrase condition="no_pam">LASTLOG_ENAB</phrase>
+-	    LOGIN_RETRIES
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
+-	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
+-	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
+-	    QUOTAS_ENAB</phrase>
+-	    TTYGROUP TTYPERM TTYTYPE_FILE
+-	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
+-	    USERGROUPS_ENAB
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <!-- logoutd: no variables -->
+       <varlistentry>
+ 	<term>newgrp / sg</term>
+@@ -405,17 +380,6 @@
+ 	</listitem>
+       </varlistentry>
+       <!-- nologin: no variables -->
+-      <varlistentry condition="no_pam">
+-	<term>passwd</term>
+-	<listitem>
+-	  <para>
+-	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
+-	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
+-	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+-	    SHA_CRYPT_MIN_ROUNDS</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>pwck</term>
+ 	<listitem>
+@@ -442,32 +406,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>su</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
+-	    ENV_PATH ENV_SUPATH
+-	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
+-	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
+-	    SULOG_FILE SU_NAME
+-	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
+-	    SYSLOG_SU_ENAB
+-	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+-	<term>sulogin</term>
+-	<listitem>
+-	  <para>
+-	    ENV_HZ
+-	    <phrase condition="no_pam">ENV_TZ</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>useradd</term>
+ 	<listitem>
+diff -up shadow-4.6/man/shadow.5.xml.manfix shadow-4.6/man/shadow.5.xml
+--- shadow-4.6/man/shadow.5.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/shadow.5.xml	2020-10-23 13:15:24.106387639 +0200
+@@ -129,7 +129,7 @@
+ 	<listitem>
+ 	  <para>
+ 	    The date of the last password change, expressed as the number
+-	    of days since Jan 1, 1970.
++	    of days since Jan 1, 1970 00:00 UTC.
+ 	  </para>
+ 	  <para>
+ 	    The value 0 has a special meaning, which is that the user
+@@ -208,8 +208,8 @@
+ 	  </para>
+ 	  <para>
+ 	    After expiration of the password and this expiration period is
+-	    elapsed, no login is possible using the current user's
+-	    password.  The user should contact her administrator.
++	    elapsed, no login is possible for the user.
++	    The user should contact her administrator.
+ 	  </para>
+ 	  <para>
+ 	    An empty field means that there are no enforcement of an
+@@ -224,7 +224,7 @@
+ 	<listitem>
+ 	  <para>
+ 	    The date of expiration of the account, expressed as the number
+-	    of days since Jan 1, 1970.
++	    of days since Jan 1, 1970 00:00 UTC.
+ 	  </para>
+ 	  <para>
+ 	    Note that an account expiration differs from a password
+diff -up shadow-4.6/man/useradd.8.xml.manfix shadow-4.6/man/useradd.8.xml
+--- shadow-4.6/man/useradd.8.xml.manfix	2020-10-23 13:15:24.100387611 +0200
++++ shadow-4.6/man/useradd.8.xml	2020-10-23 13:15:24.106387639 +0200
+@@ -347,6 +347,11 @@
+ 	    <option>CREATE_HOME</option> is not enabled, no home
+ 	    directories are created.
+ 	  </para>
++	  <para>
++	    The directory where the user's home directory is created must
++	    exist and have proper SELinux context and permissions. Otherwise
++	    the user's home directory cannot be created or accessed.
++	  </para>
+ 	</listitem>
+       </varlistentry>
+       <varlistentry>
+diff -up shadow-4.6/man/usermod.8.xml.manfix shadow-4.6/man/usermod.8.xml
+--- shadow-4.6/man/usermod.8.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/usermod.8.xml	2020-10-23 13:15:24.106387639 +0200
+@@ -132,7 +132,8 @@
+ 	    If the <option>-m</option>
+ 	    option is given, the contents of the current home directory will
+ 	    be moved to the new home directory, which is created if it does
+-	    not already exist.
++	    not already exist. If the current home directory does not exist
++	    the new home directory will not be created.
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -256,7 +257,8 @@
+ 	<listitem>
+ 	  <para>
+ 	    Move the content of the user's home directory to the new
+-	    location.
++	    location. If the current home directory does not exist
++	    the new home directory will not be created.
+ 	  </para>
+ 	  <para>
+ 	    This option is only valid in combination with the
+diff -up shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml.manfix shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml
+--- shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/login.defs.d/SUB_GID_COUNT.xml	2020-10-23 13:15:24.106387639 +0200
+@@ -42,7 +42,7 @@
+     <para>
+       The default values for <option>SUB_GID_MIN</option>,
+       <option>SUB_GID_MAX</option>, <option>SUB_GID_COUNT</option>
+-      are respectively 100000, 600100000 and 10000.
++      are respectively 100000, 600100000 and 65536.
+     </para>
+   </listitem>
+ </varlistentry>
+diff -up shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml.manfix shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml
+--- shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml.manfix	2018-04-29 18:42:37.000000000 +0200
++++ shadow-4.6/man/login.defs.d/SUB_UID_COUNT.xml	2020-10-23 13:15:24.106387639 +0200
+@@ -42,7 +42,7 @@
+     <para>
+       The default values for <option>SUB_UID_MIN</option>,
+       <option>SUB_UID_MAX</option>, <option>SUB_UID_COUNT</option>
+-      are respectively 100000, 600100000 and 10000.
++      are respectively 100000, 600100000 and 65536.
+     </para>
+   </listitem>
+ </varlistentry>
+diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml
+--- shadow-4.6/man/groupadd.8.xml.manfix	2020-10-23 13:15:24.100387611 +0200
++++ shadow-4.6/man/groupadd.8.xml	2020-10-23 13:15:24.106387639 +0200
+@@ -322,13 +322,13 @@
+ 	<varlistentry>
+ 	  <term><replaceable>4</replaceable></term>
+ 	  <listitem>
+-	    <para>GID not unique (when <option>-o</option> not used)</para>
++	    <para>GID is already used (when called without <option>-o</option>)</para>
+ 	  </listitem>
+ 	</varlistentry>
+ 	<varlistentry>
+ 	  <term><replaceable>9</replaceable></term>
+ 	  <listitem>
+-	    <para>group name not unique</para>
++	    <para>group name is already used</para>
+ 	  </listitem>
+ 	</varlistentry>
+ 	<varlistentry>
diff --git a/SOURCES/shadow-4.6-sssd-redirect-warning.patch b/SOURCES/shadow-4.6-sssd-redirect-warning.patch
new file mode 100644
index 0000000..c452231
--- /dev/null
+++ b/SOURCES/shadow-4.6-sssd-redirect-warning.patch
@@ -0,0 +1,59 @@
+From 87257a49a1821d67870aa9760c71b6791583709c Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Fri, 2 Oct 2020 16:09:42 +0200
+Subject: [PATCH] lib/sssd: redirect warning message to file
+
+Instead of printing warning in stderr print it to file. This way the
+user is not spammed with unnecessary messages when updating packages.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1749001
+---
+ lib/sssd.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/lib/sssd.c b/lib/sssd.c
+index 80e49e55..f864ce68 100644
+--- a/lib/sssd.c
++++ b/lib/sssd.c
+@@ -11,7 +11,7 @@
+ #include "prototypes.h"
+ #include "sssd.h"
+ 
+-#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
++#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache."
+ 
+ int sssd_flush_cache (int dbflags)
+ {
+@@ -46,24 +46,22 @@ int sssd_flush_cache (int dbflags)
+ 	free(sss_cache_args);
+ 	if (rv != 0) {
+ 		/* run_command writes its own more detailed message. */
+-		(void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
++		SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
+ 		return -1;
+ 	}
+ 
+ 	code = WEXITSTATUS (status);
+ 	if (!WIFEXITED (status)) {
+-		(void) fprintf (stderr,
+-		                _("%s: sss_cache did not terminate normally (signal %d)\n"),
+-		                Prog, WTERMSIG (status));
++		SYSLOG ((LOG_WARN, "%s: sss_cache did not terminate normally (signal %d)",
++			Prog, WTERMSIG (status)));
+ 		return -1;
+ 	} else if (code == E_CMD_NOTFOUND) {
+ 		/* sss_cache is not installed, or it is installed but uses an
+ 		   interpreter that is missing.  Probably the former. */
+ 		return 0;
+ 	} else if (code != 0) {
+-		(void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
+-		                Prog, code);
+-		(void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
++		SYSLOG ((LOG_WARN, "%s: sss_cache exited with status %d", Prog, code));
++		SYSLOG ((LOG_WARN, MSG_SSSD_FLUSH_CACHE_FAILED, Prog));
+ 		return -1;
+ 	}
+ 
+-- 
+2.26.2
+
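Review bot: After this patch a failed sss_cache run is reported only through SYSLOG, so in the three branches of sssd_flush_cache that return -1 an administrator running the tool interactively no longer sees the failure. A failed flush presumably leaves sssd serving user and group data cached from before the change, which matters when the change removed a group membership or locked an account. I would document this at the first branch, e.g. `/* Logged to syslog only; a failed flush may leave stale sssd cache entries. */`, and confirm that callers act on the -1 return value. The retained comment says run_command writes its own more detailed message; whether that message still reaches stderr is not visible here. The function body starts and ends outside the hunks shown.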
diff --git a/SPECS/shadow-utils.spec b/SPECS/shadow-utils.spec
index 81dfeef..a806a39 100644
--- a/SPECS/shadow-utils.spec
+++ b/SPECS/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.6
-Release: 11%{?dist}
+Release: 12%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@@ -11,13 +11,13 @@ Source3: shadow-utils.login.defs
 Source4: shadow-bsd.txt
 Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
 Patch0: shadow-4.6-redhat.patch
-Patch1: shadow-4.5-goodname.patch
+Patch1: shadow-4.6-goodname.patch
 Patch2: shadow-4.1.5.1-info-parent-dir.patch
 Patch6: shadow-4.6-selinux.patch
 Patch10: shadow-4.6-orig-context.patch
 Patch11: shadow-4.1.5.1-logmsg.patch
 Patch14: shadow-4.1.5.1-default-range.patch
-Patch15: shadow-4.3.1-manfix.patch
+Patch15: shadow-4.6-manfix.patch
 Patch17: shadow-4.1.5.1-userdel-helpfix.patch
 Patch19: shadow-4.2.1-date-parsing.patch
 Patch21: shadow-4.6-move-home.patch
@@ -43,6 +43,8 @@ Patch42: shadow-4.6-regular-user.patch
 Patch43: shadow-4.6-home_mode-directive.patch
 # Upstreamed
 Patch44: shadow-4.6-check-local-groups.patch
+# https://github.com/shadow-maint/shadow/commit/e84df9e163e133eb11a2728024ff3e3440592cf8
+Patch45: shadow-4.6-sssd-redirect-warning.patch
 
 License: BSD and GPLv2+
 Group: System Environment/Base
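Review bot: The provenance comment added above `Patch45` points at upstream commit e84df9e163e133eb11a2728024ff3e3440592cf8, but the patch file added in this same commit begins with `From 87257a49a1821d67870aa9760c71b6791583709c`, so the two identifiers cannot be matched by inspection. The hashes may legitimately differ, for example if the patch was exported from a pre-merge branch or adjusted to apply on 4.6. The spec comment should say which case applies, e.g. `# Upstream commit e84df9e163e1..., exported before merge (patch header hash differs)`, or state that the patch was adapted. That lets the downstream patch be verified against the upstream change.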
@@ -105,6 +107,7 @@ are used for managing group accounts.
 %patch42 -p1 -b .regular-user
 %patch43 -p1 -b .home_mode-directive
 %patch44 -p1 -b .check-local-groups
+%patch45 -p1 -b .sssd-redirect-warning
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -259,6 +262,11 @@ done
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Fri Oct 23 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-12
+- lib/sssd: redirect warning message to file (#1749001)
+- useradd: clarify valid usernames/groupnames (#1869432)
+- login.defs: link login specific information to its own package (#1804766)
+
 * Fri Aug  7 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.6-11
 - change UMASK value and add HOME_MODE in login.defs (#1777718)