diff --git a/SOURCES/shadow-4.9-getsubids.patch b/SOURCES/shadow-4.9-getsubids.patch
new file mode 100644
index 0000000..b9f2449
--- /dev/null
+++ b/SOURCES/shadow-4.9-getsubids.patch
@@ -0,0 +1,245 @@
+diff -up shadow-4.9/man/getsubids.1.xml.getsubids shadow-4.9/man/getsubids.1.xml
+--- shadow-4.9/man/getsubids.1.xml.getsubids 2021-11-18 16:27:33.951053120 +0100
++++ shadow-4.9/man/getsubids.1.xml 2021-11-18 16:27:33.951053120 +0100
+@@ -0,0 +1,141 @@
++
++
++
++]>
++
++
++
++
++ Iker
++ Pedrosa
++ Creation, 2021
++
++
++
++ getsubids
++ 1
++ User Commands
++ shadow-utils
++ &SHADOW_UTILS_VERSION;
++
++
++ getsubids
++ get the subordinate id ranges for a user
++
++
++
++
++ getsubids
++
++ options
++
++
++ USER
++
++
++
++
++
++ DESCRIPTION
++
++ The getsubids command lists the subordinate user ID
++ ranges for a given user. The subordinate group IDs can be listed using
++ the option.
++
++
++
++
++ OPTIONS
++
++ The options which apply to the getsubids command are:
++
++
++
++
++
++
++
++
++ List the subordinate group ID ranges.
++
++
++
++
++
++
++
++ EXAMPLE
++
++ For example, to obtain the subordinate UIDs of the testuser:
++
++
++
++$ getsubids testuser
++0: testuser 100000 65536
++
++
++
++ This command output provides (in order from left to right) the list
++ index, username, UID range start, and number of UIDs in range.
++
++
++
++
++ SEE ALSO
++
++
++ login.defs5
++ ,
++
++ newgidmap1
++ ,
++
++ newuidmap1
++ ,
++
++ subgid5
++ ,
++
++ subuid5
++ ,
++
++ useradd8
++ ,
++
++ userdel8
++ .
++
++ usermod8
++ ,
++
++
++
+diff -up shadow-4.9/man/Makefile.am.getsubids shadow-4.9/man/Makefile.am
+--- shadow-4.9/man/Makefile.am.getsubids 2021-07-22 23:55:35.000000000 +0200
++++ shadow-4.9/man/Makefile.am 2021-11-18 16:27:33.951053120 +0100
+@@ -62,6 +62,7 @@ man_MANS += $(man_nopam)
+ endif
+
+ man_subids = \
++ man1/getsubids.1 \
+ man1/newgidmap.1 \
+ man1/newuidmap.1 \
+ man5/subgid.5 \
+@@ -80,6 +81,7 @@ man_XMANS = \
+ expiry.1.xml \
+ faillog.5.xml \
+ faillog.8.xml \
++ getsubids.1.xml \
+ gpasswd.1.xml \
+ groupadd.8.xml \
+ groupdel.8.xml \
+diff -up shadow-4.9/src/getsubids.c.getsubids shadow-4.9/src/getsubids.c
+--- shadow-4.9/src/getsubids.c.getsubids 2021-11-18 16:27:33.951053120 +0100
++++ shadow-4.9/src/getsubids.c 2021-11-18 16:27:33.951053120 +0100
+@@ -0,0 +1,46 @@
++#include
++#include
++#include
++#include "subid.h"
++#include "prototypes.h"
++
++const char *Prog;
++FILE *shadow_logfd = NULL;
++
++void usage(void)
++{
++ fprintf(stderr, "Usage: %s [-g] user\n", Prog);
++ fprintf(stderr, " list subuid ranges for user\n");
++ fprintf(stderr, " pass -g to list subgid ranges\n");
++ exit(EXIT_FAILURE);
++}
++
++int main(int argc, char *argv[])
++{
++ int i, count=0;
++ struct subid_range *ranges;
++ const char *owner;
++
++ Prog = Basename (argv[0]);
++ shadow_logfd = stderr;
++ if (argc < 2)
++ usage();
++ owner = argv[1];
++ if (argc == 3 && strcmp(argv[1], "-g") == 0) {
++ owner = argv[2];
++ count = get_subgid_ranges(owner, &ranges);
++ } else if (argc == 2 && strcmp(argv[1], "-h") == 0) {
++ usage();
++ } else {
++ count = get_subuid_ranges(owner, &ranges);
++ }
++ if (!ranges) {
++ fprintf(stderr, "Error fetching ranges\n");
++ exit(1);
++ }
++ for (i = 0; i < count; i++) {
++ printf("%d: %s %lu %lu\n", i, owner,
++ ranges[i].start, ranges[i].count);
++ }
++ return 0;
++}
+diff -up shadow-4.9/src/list_subid_ranges.c.getsubids shadow-4.9/src/list_subid_ranges.c
+diff -up shadow-4.9/src/Makefile.am.getsubids shadow-4.9/src/Makefile.am
+--- shadow-4.9/src/Makefile.am.getsubids 2021-11-18 16:27:33.943053061 +0100
++++ shadow-4.9/src/Makefile.am 2021-11-18 16:28:03.647272392 +0100
+@@ -157,8 +157,8 @@ if FCAPS
+ setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap
+ endif
+
+-noinst_PROGRAMS += list_subid_ranges \
+- get_subid_owners \
++bin_PROGRAMS += getsubids
++noinst_PROGRAMS += get_subid_owners \
+ new_subid_range \
+ free_subid_range \
+ check_subid_range
+@@ -174,13 +174,13 @@ MISCLIBS = \
+ $(LIBCRYPT) \
+ $(LIBTCB)
+
+-list_subid_ranges_LDADD = \
++getsubids_LDADD = \
+ $(top_builddir)/lib/libshadow.la \
+ $(top_builddir)/libmisc/libmisc.la \
+ $(top_builddir)/libsubid/libsubid.la \
+ $(MISCLIBS) -ldl
+
+-list_subid_ranges_CPPFLAGS = \
++getsubids_CPPFLAGS = \
+ -I$(top_srcdir)/lib \
+ -I$(top_srcdir)/libmisc \
+ -I$(top_srcdir)/libsubid
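Review bot: In `main` of the new src/getsubids.c, `ranges` is declared without an initialiser and then tested with `if (!ranges)`, so the error check reads an indeterminate pointer whenever `get_subuid_ranges()` or `get_subgid_ranges()` fails without storing to it; whether they always store is not visible in this patch. Declare it as `struct subid_range *ranges = NULL;` and, if the lookup reports failure through a negative return, check that as well with `if (count < 0 || !ranges)`. With three arguments whose first is not `-g`, the final `else` branch looks up `argv[1]` and silently ignores `argv[2]`; calling `usage()` for any unrecognised argument shape would keep scripts that parse this output from acting on the wrong owner.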
diff --git a/SOURCES/shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch b/SOURCES/shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
new file mode 100644
index 0000000..658156a
--- /dev/null
+++ b/SOURCES/shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
@@ -0,0 +1,13 @@
+diff -up shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist shadow-4.9/libmisc/prefix_flag.c
+--- shadow-4.9/libmisc/prefix_flag.c.groupdel-fix-sigsegv-when-passwd-does-not-exist 2021-11-19 09:21:36.997091941 +0100
++++ shadow-4.9/libmisc/prefix_flag.c 2021-11-19 09:22:19.001341010 +0100
+@@ -288,6 +288,9 @@ extern struct passwd* prefix_getpwent()
+ if(!passwd_db_file) {
+ return getpwent();
+ }
++ if (!fp_pwent) {
++ return NULL;
++ }
+ return fgetpwent(fp_pwent);
+ }
+ extern void prefix_endpwent()
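Review bot: The added `if (!fp_pwent) return NULL;` in `prefix_getpwent` makes a passwd file that could not be opened look exactly like the end of the database, so a caller that walks all users to decide whether something is still in use (groupdel, going by the patch name) would see an empty user list and carry on. Consider setting `errno` before returning, or at least adding a comment such as `/* passwd file under the prefix was not opened: callers see an empty database */`, and having the caller report the missing file. The function starts above the hunk, and the sibling prefix_* iterators are not visible here, so whether they need the same guard should be checked.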
diff --git a/SOURCES/shadow-4.9-move-create-home.patch b/SOURCES/shadow-4.9-move-create-home.patch
index 94bb84c..0ed6ea7 100644
--- a/SOURCES/shadow-4.9-move-create-home.patch
+++ b/SOURCES/shadow-4.9-move-create-home.patch
@@ -1,8 +1,22 @@
+From 09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Fri, 8 Oct 2021 13:09:59 +0200
+Subject: [PATCH] useradd: create directories after the SELinux user
+
+Create the home and mail folders after the SELinux user has been set for
+the added user. This will allow the folders to be created with the
+SELinux user label.
+
+Signed-off-by: Iker Pedrosa
+---
+ src/useradd.c | 46 +++++++++++++++++++++++-----------------------
+ 1 file changed, 23 insertions(+), 23 deletions(-)
+
diff --git a/src/useradd.c b/src/useradd.c
-index baeffb35..02e1402c 100644
+index 6269c01c..b463a170 100644
--- a/src/useradd.c
+++ b/src/useradd.c
-@@ -2644,27 +2644,12 @@ int main (int argc, char **argv)
+@@ -2670,27 +2670,12 @@ int main (int argc, char **argv)
usr_update ();
@@ -34,17 +48,14 @@ index baeffb35..02e1402c 100644
/*
* tallylog_reset needs to be able to lookup
* a valid existing user name,
-@@ -2695,9 +2680,24 @@ int main (int argc, char **argv)
- exit(1);
+@@ -2716,15 +2701,30 @@ int main (int argc, char **argv)
}
+ #endif /* WITH_SELINUX */
-- nscd_flush_cache ("passwd");
-- nscd_flush_cache ("group");
-- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+ if (mflg) {
+ create_home ();
+ if (home_added) {
-+ copy_tree (def_template, prefix_user_home, false, true,
++ copy_tree (def_template, prefix_user_home, false, false,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
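Review bot: The fourth argument of `copy_tree` goes from `true` to `false` in this refreshed hunk, and shadow-4.9-useradd-copy-tree-argument.patch, added in the same commit, flips it back to `true`, so the value that ships depends on both patches being applied in order. The bare boolean gives no hint of what it controls; given the subject of this patch it looks like the SELinux relabel switch for the copied skeleton files, which should be confirmed against the `copy_tree` prototype. A comment at the call, for example `/* 4th argument: see copy_tree() prototype; must stay true so copied files get the user's label */` once confirmed, would keep a later rebase from dropping one of the two patches unnoticed. The surrounding `main` begins and ends outside the hunk.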
@@ -59,6 +70,19 @@ index baeffb35..02e1402c 100644
+ if (!rflg) {
+ create_mail ();
+ }
++
+ if (run_parts ("/etc/shadow-maint/useradd-post.d", (char*)user_name,
+ "useradd")) {
+ exit(1);
+ }
+- nscd_flush_cache ("passwd");
+- nscd_flush_cache ("group");
+- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+-
return E_SUCCESS;
}
+
+--
+2.31.1
+
diff --git a/SOURCES/shadow-4.9-newgrp-fix-segmentation-fault.patch b/SOURCES/shadow-4.9-newgrp-fix-segmentation-fault.patch
new file mode 100644
index 0000000..49332a1
--- /dev/null
+++ b/SOURCES/shadow-4.9-newgrp-fix-segmentation-fault.patch
@@ -0,0 +1,35 @@
+From 497e90751bc0d95cc998b0f06305040563903948 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Wed, 10 Nov 2021 12:02:04 +0100
+Subject: [PATCH] newgrp: fix segmentation fault
+
+Fix segmentation fault in newgrp when xgetspnam() returns a NULL value
+that is immediately freed.
+
+The error was committed in
+https://github.com/shadow-maint/shadow/commit/e65cc6aebcb4132fa413f00a905216a5b35b3d57
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2019553
+
+Signed-off-by: Iker Pedrosa
+---
+ src/newgrp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/newgrp.c b/src/newgrp.c
+index 730f47e8..566f1c89 100644
+--- a/src/newgrp.c
++++ b/src/newgrp.c
+@@ -163,8 +163,8 @@ static void check_perms (const struct group *grp,
+ spwd = xgetspnam (pwd->pw_name);
+ if (NULL != spwd) {
+ pwd->pw_passwd = xstrdup (spwd->sp_pwdp);
++ spw_free (spwd);
+ }
+- spw_free (spwd);
+
+ if ((pwd->pw_passwd[0] == '\0') && (grp->gr_passwd[0] != '\0')) {
+ needspasswd = true;
+--
+2.31.1
+
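Review bot: Moving `spw_free (spwd);` inside the `NULL != spwd` branch of `check_perms` fixes this one caller, but the commit message says the crash comes from `spw_free` being handed NULL, so any other call site introduced by the referenced commit would still be exposed. Making `spw_free` return early on a NULL argument, as `free` does, would close the whole class; that function is not in this hunk, so this is something to check rather than a confirmed gap. The next statement reads `pwd->pw_passwd[0]` and `grp->gr_passwd[0]` with no NULL test, and whether either can be NULL depends on code outside the hunk. `check_perms` begins and ends outside the hunk.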
diff --git a/SOURCES/shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch b/SOURCES/shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch
new file mode 100644
index 0000000..e7761b7
--- /dev/null
+++ b/SOURCES/shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch
@@ -0,0 +1,30 @@
+From d8e54618feea201987c1f3cb402ed50d1d8b604f Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Mon, 15 Nov 2021 12:40:15 +0100
+Subject: [PATCH] pwck: fix segfault when calling fprintf()
+
+As shadow_logfd variable is not set at the beginning of the program if
+something fails and fprintf() is called a segmentation fault happens.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2021339
+
+Signed-off-by: Iker Pedrosa
+---
+ src/pwck.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pwck.c b/src/pwck.c
+index 4248944a..4ce86af2 100644
+--- a/src/pwck.c
++++ b/src/pwck.c
+@@ -857,6 +857,7 @@ int main (int argc, char **argv)
+ * Get my name so that I can use it to report errors.
+ */
+ Prog = Basename (argv[0]);
++ shadow_logfd = stderr;
+
+ (void) setlocale (LC_ALL, "");
+ (void) bindtextdomain (PACKAGE, LOCALEDIR);
+--
+2.31.1
+
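Review bot: The new `shadow_logfd = stderr;` in `main` has to run before any library call that can log, and nothing at this spot records that ordering requirement. A comment such as `/* library code writes diagnostics to shadow_logfd; set it before any call that can fail */` would stop a later reshuffle of the start-up code from reintroducing the crash. Every program linking the library needs the same assignment; the new src/getsubids.c in this commit has it, and the remaining tools are worth checking for the same omission. `main` continues outside the hunk.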
diff --git a/SOURCES/shadow-4.9-revert-useradd-fix-memleak.patch b/SOURCES/shadow-4.9-revert-useradd-fix-memleak.patch
new file mode 100644
index 0000000..e8251f2
--- /dev/null
+++ b/SOURCES/shadow-4.9-revert-useradd-fix-memleak.patch
@@ -0,0 +1,30 @@
+From 4624e9fca1b02b64e25e8b2280a0186182ab73ba Mon Sep 17 00:00:00 2001
+From: Serge Hallyn
+Date: Sat, 14 Aug 2021 19:37:24 -0500
+Subject: [PATCH] Revert "useradd.c:fix memleaks of grp"
+
+In some cases, the value which was being freed is not actually
+safe to free.
+
+Closes #394
+
+This reverts commit c44b71cec25d60efc51aec9de3abce1f6efbfcf5.
+---
+ src/useradd.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index f90127cd..0d3f390d 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -413,7 +413,6 @@ static void get_defaults (void)
+ } else {
+ def_group = grp->gr_gid;
+ def_gname = xstrdup (grp->gr_name);
+- gr_free(grp);
+ }
+ }
+
+--
+2.31.1
+
diff --git a/SOURCES/shadow-4.9-semanage-close-the-selabel-handle.patch b/SOURCES/shadow-4.9-semanage-close-the-selabel-handle.patch
new file mode 100644
index 0000000..11a23e4
--- /dev/null
+++ b/SOURCES/shadow-4.9-semanage-close-the-selabel-handle.patch
@@ -0,0 +1,61 @@
+From 234af5cf67fc1a3ba99fc246ba65869a3c416545 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Fri, 8 Oct 2021 13:13:13 +0200
+Subject: [PATCH] semanage: close the selabel handle
+
+Close the selabel handle to update the file_context. This means that the
+file_context will be remmaped and used by selabel_lookup() to return
+the appropriate context to label the home folder.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081
+
+Signed-off-by: Iker Pedrosa
+---
+ lib/prototypes.h | 1 +
+ lib/selinux.c | 5 +++++
+ lib/semanage.c | 1 +
+ 3 files changed, 7 insertions(+)
+
+diff --git a/lib/prototypes.h b/lib/prototypes.h
+index 1d1586d4..b697e0ec 100644
+--- a/lib/prototypes.h
++++ b/lib/prototypes.h
+@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
+ /* selinux.c */
+ #ifdef WITH_SELINUX
+ extern int set_selinux_file_context (const char *dst_name, mode_t mode);
++extern void reset_selinux_handle (void);
+ extern int reset_selinux_file_context (void);
+ extern int check_selinux_permit (const char *perm_name);
+ #endif
+diff --git a/lib/selinux.c b/lib/selinux.c
+index c83545f9..b075d4c0 100644
+--- a/lib/selinux.c
++++ b/lib/selinux.c
+@@ -50,6 +50,11 @@ static void cleanup(void)
+ }
+ }
+
++void reset_selinux_handle (void)
++{
++ cleanup();
++}
++
+ /*
+ * set_selinux_file_context - Set the security context before any file or
+ * directory creation.
+diff --git a/lib/semanage.c b/lib/semanage.c
+index 0d30456a..a5bf9218 100644
+--- a/lib/semanage.c
++++ b/lib/semanage.c
+@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
+ }
+
+ ret = 0;
++ reset_selinux_handle();
+
+ done:
+ semanage_seuser_key_free (key);
+--
+2.31.1
+
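Review bot: `reset_selinux_handle` in lib/selinux.c is added without a comment, although the function directly below it has a header block, and its name says "reset" while the body only calls `cleanup()`. A short header should state that it closes the cached selabel handle so that the next lookup reloads the file contexts, as the commit message describes, and that repeated calls are safe provided `cleanup()` clears the handle; only the tail of `cleanup()` is visible here, so that needs confirming. In `set_seuser` the call sits on the success path just before `done:`, so a failed update keeps the old handle; if that is intended, a one-line comment such as `/* contexts changed: drop the cached handle so labels are looked up afresh */` would say so.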
diff --git a/SOURCES/shadow-4.9-useradd-copy-tree-argument.patch b/SOURCES/shadow-4.9-useradd-copy-tree-argument.patch
new file mode 100644
index 0000000..f6b9827
--- /dev/null
+++ b/SOURCES/shadow-4.9-useradd-copy-tree-argument.patch
@@ -0,0 +1,13 @@
+diff --git a/src/useradd.c b/src/useradd.c
+index b463a170..f7c97958 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2704,7 +2704,7 @@ int main (int argc, char **argv)
+ if (mflg) {
+ create_home ();
+ if (home_added) {
+- copy_tree (def_template, prefix_user_home, false, false,
++ copy_tree (def_template, prefix_user_home, false, true,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
diff --git a/SPECS/shadow-utils.spec b/SPECS/shadow-utils.spec
index e9cb766..aa46a17 100644
--- a/SPECS/shadow-utils.spec
+++ b/SPECS/shadow-utils.spec
@@ -1,8 +1,9 @@
Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils
Version: 4.9
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
+License: BSD and GPLv2+
URL: https://github.com/shadow-maint/shadow
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
Source1: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc
@@ -20,7 +21,7 @@ Source6: shadow-utils.HOME_MODE.xml
Patch0: shadow-4.9-redhat.patch
# Be more lenient with acceptable user/group names - non upstreamable
Patch1: shadow-4.8-goodname.patch
-# Move create home to the end of main - upstreamability unknown
+# https://github.com/shadow-maint/shadow/commit/09c752f00f9dfc610f66d68be38c9e5be8ca7f15
Patch2: shadow-4.9-move-create-home.patch
# SElinux related - upstreamability unknown
Patch3: shadow-4.9-default-range.patch
@@ -52,20 +53,46 @@ Patch15: shadow-4.9-usermod-allow-all-group-types.patch
Patch16: shadow-4.9-useradd-avoid-generating-empty-subid-range.patch
# https://github.com/shadow-maint/shadow/commit/234e8fa7b134d1ebabfdad980a3ae5b63c046c62
Patch17: shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
+# https://github.com/shadow-maint/shadow/commit/234af5cf67fc1a3ba99fc246ba65869a3c416545
+Patch18: shadow-4.9-semanage-close-the-selabel-handle.patch
+# https://github.com/shadow-maint/shadow/commit/4624e9fca1b02b64e25e8b2280a0186182ab73ba
+Patch19: shadow-4.9-revert-useradd-fix-memleak.patch
+# https://github.com/shadow-maint/shadow/commit/06eb4e4d76ac7f1ac86e68a89b2dc9be7c7323a2
+Patch20: shadow-4.9-useradd-copy-tree-argument.patch
+# https://github.com/shadow-maint/shadow/commit/d8e54618feea201987c1f3cb402ed50d1d8b604f
+Patch21: shadow-4.9-pwck-fix-segfault-when-calling-fprintf.patch
+# https://github.com/shadow-maint/shadow/commit/497e90751bc0d95cc998b0f06305040563903948
+Patch22: shadow-4.9-newgrp-fix-segmentation-fault.patch
+# https://github.com/shadow-maint/shadow/commit/3b6ccf642c6bb2b7db087f09ee563ae9318af734
+Patch23: shadow-4.9-getsubids.patch
+# https://github.com/shadow-maint/shadow/commit/a757b458ffb4fb9a40bcbb4f7869449431c67f83
+Patch24: shadow-4.9-groupdel-fix-sigsegv-when-passwd-does-not-exist.patch
+
+### Dependencies ###
+Requires: audit-libs >= 1.6.5
+Requires: libselinux >= 1.25.2-1
+Requires: setup
-License: BSD and GPLv2+
-BuildRequires: make
+### Build Dependencies ###
+BuildRequires: audit-libs-devel >= 1.6.5
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: bison
+BuildRequires: docbook-dtds
+BuildRequires: docbook-style-xsl
+BuildRequires: flex
BuildRequires: gcc
+BuildRequires: gettext-devel
+BuildRequires: itstool
+BuildRequires: libacl-devel
+BuildRequires: libattr-devel
BuildRequires: libselinux-devel >= 1.25.2-1
-BuildRequires: audit-libs-devel >= 1.6.5
BuildRequires: libsemanage-devel
-BuildRequires: libacl-devel, libattr-devel
-BuildRequires: bison, flex, docbook-style-xsl, docbook-dtds
-BuildRequires: autoconf, automake, libtool, gettext-devel
-BuildRequires: /usr/bin/xsltproc, /usr/bin/itstool
-Requires: libselinux >= 1.25.2-1
-Requires: audit-libs >= 1.6.5
-Requires: setup
+BuildRequires: libtool
+BuildRequires: libxslt
+BuildRequires: make
+
+### Provides ###
Provides: shadow = %{epoch}:%{version}-%{release}
%description
@@ -117,6 +144,13 @@ Development files for shadow-utils-subid.
%patch15 -p1 -b .usermod-allow-all-group-types
%patch16 -p1 -b .useradd-avoid-generating-empty-subid-range
%patch17 -p1 -b .libmisc-fix-default-value-in-SHA_get_salt_rounds
+%patch18 -p1 -b .semanage-close-the-selabel-handle
+%patch19 -p1 -b .revert-useradd-fix-memleak
+%patch20 -p1 -b .useradd-copy-tree-argument
+%patch21 -p1 -b .pwck-fix-segfault-when-calling-fprintf
+%patch22 -p1 -b .newgrp-fix-segmentation-fault
+%patch23 -p1 -b .getsubids
+%patch24 -p1 -b .groupdel-fix-sigsegv-when-passwd-does-not-exist
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -279,12 +313,23 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
%files subid
%{_libdir}/libsubid.so.*
+%{_bindir}/getsubids
+%{_mandir}/man1/getsubids.1*
%files subid-devel
%{includesubiddir}/subid.h
%{_libdir}/libsubid.so
%changelog
+* Thu Dec 2 2021 Iker Pedrosa - 2:4.9-3
+- getsubids: provide system binary and man page. Resolves: #2013015
+- useradd: generate home and mail directories with selinux user attribute. Resolves: #1993081
+- useradd: revert fix memleak of grp. Resolves: #2020238
+- groupdel: fix SIGSEGV when passwd does not exist. Resolves: #2024834
+- pwck: fix segfault when calling fprintf()
+- newgrp: fix segmentation fault
+- Clean spec file: organize dependencies and move License location
+
* Tue Aug 17 2021 Iker Pedrosa - 2:4.9-2
- libmisc: fix default value in SHA_get_salt_rounds(). Resolves: #1993919