summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/008_login_log_failure_in_FTMP51
-rw-r--r--debian/patches/401_cppw_src.dpatch276
-rw-r--r--debian/patches/402_cppw_selinux64
-rw-r--r--debian/patches/429_login_FAILLOG_ENAB84
-rw-r--r--debian/patches/463_login_delay_obeys_to_PAM97
-rw-r--r--debian/patches/501_commonio_group_shadow60
-rw-r--r--debian/patches/503_shadowconfig.8201
-rw-r--r--debian/patches/505_useradd_recommend_adduser36
-rw-r--r--debian/patches/506_relaxed_usernames100
-rw-r--r--debian/patches/508_nologin_in_usr_sbin18
-rw-r--r--debian/patches/542_useradd-O_option43
-rw-r--r--debian/patches/900_testsuite_groupmems81
-rw-r--r--debian/patches/901_testsuite_gcov76
-rw-r--r--debian/patches/README.patches22
-rw-r--r--debian/patches/series16
15 files changed, 1225 insertions, 0 deletions
diff --git a/debian/patches/008_login_log_failure_in_FTMP b/debian/patches/008_login_log_failure_in_FTMP
new file mode 100644
index 0000000..cc2bc72
--- /dev/null
+++ b/debian/patches/008_login_log_failure_in_FTMP
@@ -0,0 +1,51 @@
+Goal: Log login failures to the btmp file
+
+Notes:
+ * I'm not sure login should add an entry in the FTMP file when PAM is used.
+ (but nothing in /etc/login.defs indicates that the failure is not logged)
+
+--- a/src/login.c
++++ b/src/login.c
+@@ -849,6 +849,24 @@
+ (void) puts ("");
+ (void) puts (_("Login incorrect"));
+
++ if (getdef_str("FTMP_FILE") != NULL) {
++#ifdef USE_UTMPX
++ struct utmpx *failent =
++ prepare_utmpx (failent_user,
++ tty,
++ /* FIXME: or fromhost? */hostname,
++ utent);
++#else /* !USE_UTMPX */
++ struct utmp *failent =
++ prepare_utmp (failent_user,
++ tty,
++ hostname,
++ utent);
++#endif /* !USE_UTMPX */
++ failtmp (failent_user, failent);
++ free (failent);
++ }
++
+ if (failcount >= retries) {
+ SYSLOG ((LOG_NOTICE,
+ "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
+--- a/lib/getdef.c
++++ b/lib/getdef.c
+@@ -60,7 +60,6 @@
+ {"ENVIRON_FILE", NULL}, \
+ {"ENV_TZ", NULL}, \
+ {"FAILLOG_ENAB", NULL}, \
+- {"FTMP_FILE", NULL}, \
+ {"ISSUE_FILE", NULL}, \
+ {"LASTLOG_ENAB", NULL}, \
+ {"LOGIN_STRING", NULL}, \
+@@ -91,6 +90,7 @@
+ {"ERASECHAR", NULL},
+ {"FAIL_DELAY", NULL},
+ {"FAKE_SHELL", NULL},
++ {"FTMP_FILE", NULL},
+ {"GID_MAX", NULL},
+ {"GID_MIN", NULL},
+ {"HOME_MODE", NULL},
diff --git a/debian/patches/401_cppw_src.dpatch b/debian/patches/401_cppw_src.dpatch
new file mode 100644
index 0000000..2590df1
--- /dev/null
+++ b/debian/patches/401_cppw_src.dpatch
@@ -0,0 +1,276 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 401_cppw_src.dpatch by Nicolas FRANCOIS <nicolas.francois@centraliens.net>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add cppw / cpgr
+
+@DPATCH@
+--- /dev/null
++++ b/src/cppw.c
+@@ -0,0 +1,238 @@
++/*
++ cppw, cpgr copy with locking given file over the password or group file
++ with -s will copy with locking given file over shadow or gshadow file
++
++ Copyright (C) 1999 Stephen Frost <sfrost@snowman.net>
++
++ Based on vipw, vigr by:
++ Copyright (C) 1997 Guy Maor <maor@ece.utexas.edu>
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 2 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful, but
++ WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program; if not, write to the Free Software
++ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
++
++ */
++
++#include <config.h>
++#include "defines.h"
++
++#include <errno.h>
++#include <sys/stat.h>
++#include <unistd.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <sys/types.h>
++#include <signal.h>
++#include <utime.h>
++#include "exitcodes.h"
++#include "prototypes.h"
++#include "pwio.h"
++#include "shadowio.h"
++#include "groupio.h"
++#include "sgroupio.h"
++
++
++const char *Prog;
++
++const char *filename, *filenewname;
++static bool filelocked = false;
++static int (*unlock) (void);
++
++/* local function prototypes */
++static int create_copy (FILE *fp, const char *dest, struct stat *sb);
++static void cppwexit (const char *msg, int syserr, int ret);
++static void cppwcopy (const char *file,
++ const char *in_file,
++ int (*file_lock) (void),
++ int (*file_unlock) (void));
++
++static int create_copy (FILE *fp, const char *dest, struct stat *sb)
++{
++ struct utimbuf ub;
++ FILE *bkfp;
++ int c;
++ mode_t mask;
++
++ mask = umask (077);
++ bkfp = fopen (dest, "w");
++ (void) umask (mask);
++ if (NULL == bkfp) {
++ return -1;
++ }
++
++ rewind (fp);
++ while ((c = getc (fp)) != EOF) {
++ if (putc (c, bkfp) == EOF) {
++ break;
++ }
++ }
++
++ if ( (c != EOF)
++ || (fflush (bkfp) != 0)) {
++ (void) fclose (bkfp);
++ (void) unlink (dest);
++ return -1;
++ }
++ if ( (fsync (fileno (bkfp)) != 0)
++ || (fclose (bkfp) != 0)) {
++ (void) unlink (dest);
++ return -1;
++ }
++
++ ub.actime = sb->st_atime;
++ ub.modtime = sb->st_mtime;
++ if ( (utime (dest, &ub) != 0)
++ || (chmod (dest, sb->st_mode) != 0)
++ || (chown (dest, sb->st_uid, sb->st_gid) != 0)) {
++ (void) unlink (dest);
++ return -1;
++ }
++ return 0;
++}
++
++static void cppwexit (const char *msg, int syserr, int ret)
++{
++ int err = errno;
++ if (filelocked) {
++ (*unlock) ();
++ }
++ if (NULL != msg) {
++ fprintf (stderr, "%s: %s", Prog, msg);
++ if (0 != syserr) {
++ fprintf (stderr, ": %s", strerror (err));
++ }
++ (void) fputs ("\n", stderr);
++ }
++ if (NULL != filename) {
++ fprintf (stderr, _("%s: %s is unchanged\n"), Prog, filename);
++ } else {
++ fprintf (stderr, _("%s: no changes\n"), Prog);
++ }
++
++ exit (ret);
++}
++
++static void cppwcopy (const char *file,
++ const char *in_file,
++ int (*file_lock) (void),
++ int (*file_unlock) (void))
++{
++ struct stat st1;
++ FILE *f;
++ char filenew[1024];
++
++ snprintf (filenew, sizeof filenew, "%s.new", file);
++ unlock = file_unlock;
++ filename = file;
++ filenewname = filenew;
++
++ if (access (file, F_OK) != 0) {
++ cppwexit (file, 1, 1);
++ }
++ if (file_lock () == 0) {
++ cppwexit (_("Couldn't lock file"), 0, 5);
++ }
++ filelocked = true;
++
++ /* file to copy has same owners, perm */
++ if (stat (file, &st1) != 0) {
++ cppwexit (file, 1, 1);
++ }
++ f = fopen (in_file, "r");
++ if (NULL == f) {
++ cppwexit (in_file, 1, 1);
++ }
++ if (create_copy (f, filenew, &st1) != 0) {
++ cppwexit (_("Couldn't make copy"), errno, 1);
++ }
++
++ /* XXX - here we should check filenew for errors; if there are any,
++ * fail w/ an appropriate error code and let the user manually fix
++ * it. Use pwck or grpck to do the check. - Stephen (Shamelessly
++ * stolen from '--marekm's comment) */
++
++ if (rename (filenew, file) != 0) {
++ fprintf (stderr, _("%s: can't copy %s: %s)\n"),
++ Prog, filenew, strerror (errno));
++ cppwexit (NULL,0,1);
++ }
++
++ (*file_unlock) ();
++}
++
++int main (int argc, char **argv)
++{
++ int flag;
++ bool cpshadow = false;
++ char *in_file;
++ int e = E_USAGE;
++ bool do_cppw = true;
++
++ (void) setlocale (LC_ALL, "");
++ (void) bindtextdomain (PACKAGE, LOCALEDIR);
++ (void) textdomain (PACKAGE);
++
++ Prog = Basename (argv[0]);
++ if (strcmp (Prog, "cpgr") == 0) {
++ do_cppw = false;
++ }
++
++ while ((flag = getopt (argc, argv, "ghps")) != EOF) {
++ switch (flag) {
++ case 'p':
++ do_cppw = true;
++ break;
++ case 'g':
++ do_cppw = false;
++ break;
++ case 's':
++ cpshadow = true;
++ break;
++ case 'h':
++ e = E_SUCCESS;
++ /*pass through*/
++ default:
++ (void) fputs (_("Usage:\n\
++`cppw <file>' copys over /etc/passwd `cppw -s <file>' copys over /etc/shadow\n\
++`cpgr <file>' copys over /etc/group `cpgr -s <file>' copys over /etc/gshadow\n\
++"), (E_SUCCESS != e) ? stderr : stdout);
++ exit (e);
++ }
++ }
++
++ if (argc != optind + 1) {
++ cppwexit (_("wrong number of arguments, -h for usage"),0,1);
++ }
++
++ in_file = argv[optind];
++
++ if (do_cppw) {
++ if (cpshadow) {
++ cppwcopy (SHADOW_FILE, in_file, spw_lock, spw_unlock);
++ } else {
++ cppwcopy (PASSWD_FILE, in_file, pw_lock, pw_unlock);
++ }
++ } else {
++#ifdef SHADOWGRP
++ if (cpshadow) {
++ cppwcopy (SGROUP_FILE, in_file, sgr_lock, sgr_unlock);
++ } else
++#endif /* SHADOWGRP */
++ {
++ cppwcopy (GROUP_FILE, in_file, gr_lock, gr_unlock);
++ }
++ }
++
++ return 0;
++}
++
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -33,6 +33,7 @@
+ bin_PROGRAMS += su
+ endif
+ usbin_PROGRAMS = \
++ cppw \
+ chgpasswd \
+ chpasswd \
+ groupadd \
+@@ -101,6 +102,7 @@
+ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+ chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
+ chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
++cppw_LDADD = $(LDADD) $(LIBSELINUX) $(LIBAUDIT)
+ expiry_LDADD = $(LDADD) $(LIBECONF)
+ gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+ groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF)
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -90,6 +90,7 @@
+ src/chgpasswd.c
+ src/chpasswd.c
+ src/chsh.c
++src/cppw.c
+ src/expiry.c
+ src/faillog.c
+ src/gpasswd.c
diff --git a/debian/patches/402_cppw_selinux b/debian/patches/402_cppw_selinux
new file mode 100644
index 0000000..5f2da1b
--- /dev/null
+++ b/debian/patches/402_cppw_selinux
@@ -0,0 +1,64 @@
+Goal: Add selinux support to cppw
+
+Fix:
+
+Status wrt upstream: cppw is not available upstream.
+ The patch was made based on the
+ 302_vim_selinux_support patch. It needs to be
+ reviewed by an SE-Linux aware person.
+
+Depends on 401_cppw_src.dpatch
+
+Index: git/src/cppw.c
+===================================================================
+--- git.orig/src/cppw.c
++++ git/src/cppw.c
+@@ -34,6 +34,9 @@
+ #include <sys/types.h>
+ #include <signal.h>
+ #include <utime.h>
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#endif /* WITH_SELINUX */
+ #include "exitcodes.h"
+ #include "prototypes.h"
+ #include "pwio.h"
+@@ -139,6 +142,22 @@
+ if (access (file, F_OK) != 0) {
+ cppwexit (file, 1, 1);
+ }
++#ifdef WITH_SELINUX
++ /* if SE Linux is enabled then set the context of all new files
++ * to be the context of the file we are editing */
++ if (is_selinux_enabled () > 0) {
++ security_context_t passwd_context=NULL;
++ int ret = 0;
++ if (getfilecon (file, &passwd_context) < 0) {
++ cppwexit (_("Couldn't get file context"), errno, 1);
++ }
++ ret = setfscreatecon (passwd_context);
++ freecon (passwd_context);
++ if (0 != ret) {
++ cppwexit (_("setfscreatecon () failed"), errno, 1);
++ }
++ }
++#endif /* WITH_SELINUX */
+ if (file_lock () == 0) {
+ cppwexit (_("Couldn't lock file"), 0, 5);
+ }
+@@ -167,6 +186,15 @@
+ cppwexit (NULL,0,1);
+ }
+
++#ifdef WITH_SELINUX
++ /* unset the fscreatecon */
++ if (is_selinux_enabled () > 0) {
++ if (setfscreatecon (NULL)) {
++ cppwexit (_("setfscreatecon() failed"), errno, 1);
++ }
++ }
++#endif /* WITH_SELINUX */
++
+ (*file_unlock) ();
+ }
+
diff --git a/debian/patches/429_login_FAILLOG_ENAB b/debian/patches/429_login_FAILLOG_ENAB
new file mode 100644
index 0000000..fd691a8
--- /dev/null
+++ b/debian/patches/429_login_FAILLOG_ENAB
@@ -0,0 +1,84 @@
+Goal: Re-enable logging and displaying failures on login when login is
+ compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
+ faillog file if it does not exist on postinst (as on Woody).
+Depends: 008_login_more_LOG_UNKFAIL_ENAB
+Fixes: #192849
+
+Note: It could be removed if pam_tally could report the number of failures
+ preceding a successful login.
+
+--- a/src/login.c
++++ b/src/login.c
+@@ -136,9 +136,9 @@
+ #endif
+ );
+
+-#ifndef USE_PAM
+ static struct faillog faillog;
+
++#ifndef USE_PAM
+ static void bad_time_notify (void);
+ static void check_nologin (bool login_to_root);
+ #else
+@@ -809,6 +809,9 @@
+ SYSLOG ((LOG_NOTICE,
+ "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
+ failcount, fromhost, failent_user));
++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
++ failure (pwd->pw_uid, tty, &faillog);
++ }
+ fprintf (stderr,
+ _("Maximum number of tries exceeded (%u)\n"),
+ failcount);
+@@ -826,6 +829,14 @@
+ pam_strerror (pamh, retcode)));
+ failed = true;
+ }
++ if ( (NULL != pwd)
++ && getdef_bool("FAILLOG_ENAB")
++ && ! failcheck (pwd->pw_uid, &faillog, failed)) {
++ SYSLOG((LOG_CRIT,
++ "exceeded failure limit for `%s' %s",
++ failent_user, fromhost));
++ failed = 1;
++ }
+
+ if (!failed) {
+ break;
+@@ -849,6 +860,10 @@
+ (void) puts ("");
+ (void) puts (_("Login incorrect"));
+
++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
++ failure (pwd->pw_uid, tty, &faillog);
++ }
++
+ if (getdef_str("FTMP_FILE") != NULL) {
+ #ifdef USE_UTMPX
+ struct utmpx *failent =
+@@ -1305,6 +1320,7 @@
+ */
+ #ifndef USE_PAM
+ motd (); /* print the message of the day */
++#endif
+ if ( getdef_bool ("FAILLOG_ENAB")
+ && (0 != faillog.fail_cnt)) {
+ failprint (&faillog);
+@@ -1317,6 +1333,7 @@
+ username, (int) faillog.fail_cnt));
+ }
+ }
++#ifndef USE_PAM
+ if ( getdef_bool ("LASTLOG_ENAB")
+ && pwd->pw_uid <= (uid_t) getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL)
+ && (ll.ll_time != 0)) {
+--- a/lib/getdef.c
++++ b/lib/getdef.c
+@@ -89,6 +89,7 @@
+ {"ENV_SUPATH", NULL},
+ {"ERASECHAR", NULL},
+ {"FAIL_DELAY", NULL},
++ {"FAILLOG_ENAB", NULL},
+ {"FAKE_SHELL", NULL},
+ {"FTMP_FILE", NULL},
+ {"GID_MAX", NULL},
diff --git a/debian/patches/463_login_delay_obeys_to_PAM b/debian/patches/463_login_delay_obeys_to_PAM
new file mode 100644
index 0000000..414571a
--- /dev/null
+++ b/debian/patches/463_login_delay_obeys_to_PAM
@@ -0,0 +1,97 @@
+Goal: Do not hardcode pam_fail_delay and let pam_unix do its
+ job to set a delay...or not
+
+Fixes: #87648
+
+Status wrt upstream: Forwarded but not applied yet
+
+Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
+
+--- a/src/login.c
++++ b/src/login.c
+@@ -536,7 +536,6 @@
+ #if defined(HAVE_STRFTIME) && !defined(USE_PAM)
+ char ptime[80];
+ #endif
+- unsigned int delay;
+ unsigned int retries;
+ bool subroot = false;
+ #ifndef USE_PAM
+@@ -561,6 +560,7 @@
+ pid_t child;
+ char *pam_user = NULL;
+ #else
++ unsigned int delay;
+ struct spwd *spwd = NULL;
+ #endif
+ /*
+@@ -723,7 +723,6 @@
+ }
+
+ environ = newenvp; /* make new environment active */
+- delay = getdef_unum ("FAIL_DELAY", 1);
+ retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
+
+ #ifdef USE_PAM
+@@ -739,8 +738,7 @@
+
+ /*
+ * hostname & tty are either set to NULL or their correct values,
+- * depending on how much we know. We also set PAM's fail delay to
+- * ours.
++ * depending on how much we know.
+ *
+ * PAM_RHOST and PAM_TTY are used for authentication, only use
+ * information coming from login or from the caller (e.g. no utmp)
+@@ -749,10 +747,6 @@
+ PAM_FAIL_CHECK;
+ retcode = pam_set_item (pamh, PAM_TTY, tty);
+ PAM_FAIL_CHECK;
+-#ifdef HAS_PAM_FAIL_DELAY
+- retcode = pam_fail_delay (pamh, 1000000 * delay);
+- PAM_FAIL_CHECK;
+-#endif
+ /* if fflg, then the user has already been authenticated */
+ if (!fflg) {
+ unsigned int failcount = 0;
+@@ -793,12 +787,6 @@
+ bool failed = false;
+
+ failcount++;
+-#ifdef HAS_PAM_FAIL_DELAY
+- if (delay > 0) {
+- retcode = pam_fail_delay(pamh, 1000000*delay);
+- PAM_FAIL_CHECK;
+- }
+-#endif
+
+ retcode = pam_authenticate (pamh, 0);
+
+@@ -1121,14 +1109,17 @@
+ free (username);
+ username = NULL;
+
++#ifndef USE_PAM
+ /*
+ * Wait a while (a la SVR4 /usr/bin/login) before attempting
+ * to login the user again. If the earlier alarm occurs
+ * before the sleep() below completes, login will exit.
+ */
++ delay = getdef_unum ("FAIL_DELAY", 1);
+ if (delay > 0) {
+ (void) sleep (delay);
+ }
++#endif
+
+ (void) puts (_("Login incorrect"));
+
+--- a/lib/getdef.c
++++ b/lib/getdef.c
+@@ -88,7 +88,6 @@
+ {"ENV_PATH", NULL},
+ {"ENV_SUPATH", NULL},
+ {"ERASECHAR", NULL},
+- {"FAIL_DELAY", NULL},
+ {"FAILLOG_ENAB", NULL},
+ {"FAKE_SHELL", NULL},
+ {"FTMP_FILE", NULL},
diff --git a/debian/patches/501_commonio_group_shadow b/debian/patches/501_commonio_group_shadow
new file mode 100644
index 0000000..171382a
--- /dev/null
+++ b/debian/patches/501_commonio_group_shadow
@@ -0,0 +1,60 @@
+Goal: save the [g]shadow files with the 'shadow' group and mode 0440
+
+Fixes: #166793
+
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -44,6 +44,7 @@
+ #include <errno.h>
+ #include <stdio.h>
+ #include <signal.h>
++#include <grp.h>
+ #include "nscd.h"
+ #include "sssd.h"
+ #ifdef WITH_TCB
+@@ -986,12 +987,23 @@
+ goto fail;
+ }
+ } else {
++ struct group *grp;
+ /*
+ * Default permissions for new [g]shadow files.
+ */
+ sb.st_mode = db->st_mode;
+ sb.st_uid = db->st_uid;
+ sb.st_gid = db->st_gid;
++
++ /*
++ * Try to retrieve the shadow's GID, and fall back to GID 0.
++ */
++ if (sb.st_gid == 0) {
++ if ((grp = getgrnam("shadow")) != NULL)
++ sb.st_gid = grp->gr_gid;
++ else
++ sb.st_gid = 0;
++ }
+ }
+
+ snprintf (buf, sizeof buf, "%s+", db->filename);
+--- a/lib/sgroupio.c
++++ b/lib/sgroupio.c
+@@ -229,7 +229,7 @@
+ #ifdef WITH_SELINUX
+ NULL, /* scontext */
+ #endif
+- 0400, /* st_mode */
++ 0440, /* st_mode */
+ 0, /* st_uid */
+ 0, /* st_gid */
+ NULL, /* head */
+--- a/lib/shadowio.c
++++ b/lib/shadowio.c
+@@ -105,7 +105,7 @@
+ #ifdef WITH_SELINUX
+ NULL, /* scontext */
+ #endif /* WITH_SELINUX */
+- 0400, /* st_mode */
++ 0440, /* st_mode */
+ 0, /* st_uid */
+ 0, /* st_gid */
+ NULL, /* head */
diff --git a/debian/patches/503_shadowconfig.8 b/debian/patches/503_shadowconfig.8
new file mode 100644
index 0000000..0f0d339
--- /dev/null
+++ b/debian/patches/503_shadowconfig.8
@@ -0,0 +1,201 @@
+Goal: Document the shadowconfig utility
+
+Status wrt upstream: The shadowconfig utility is debian specific.
+ Its man page also (but it used to be distributed)
+
+Index: git/man/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/shadowconfig.8
+@@ -0,0 +1,41 @@
++.\"Generated by db2man.xsl. Don't modify this, modify the source.
++.de Sh \" Subsection
++.br
++.if t .Sp
++.ne 5
++.PP
++\fB\\$1\fR
++.PP
++..
++.de Sp \" Vertical space (when we can't use .PP)
++.if t .sp .5v
++.if n .sp
++..
++.de Ip \" List item
++.br
++.ie \\n(.$>=3 .ne \\$3
++.el .ne 3
++.IP "\\$1" \\$2
++..
++.TH "SHADOWCONFIG" 8 "19 Apr 1997" "" ""
++.SH NAME
++shadowconfig \- toggle shadow passwords on and off
++.SH "SYNOPSIS"
++.ad l
++.hy 0
++.HP 13
++\fBshadowconfig\fR \fB\fIon\fR\fR | \fB\fIoff\fR\fR
++.ad
++.hy
++
++.SH "DESCRIPTION"
++
++.PP
++\fBshadowconfig\fR on will turn shadow passwords on; \fIshadowconfig off\fR will turn shadow passwords off\&. \fBshadowconfig\fR will print an error message and exit with a nonzero code if it finds anything awry\&. If that happens, you should correct the error and run it again\&. Turning shadow passwords on when they are already on, or off when they are already off, is harmless\&.
++
++.PP
++Read \fI/usr/share/doc/passwd/README\&.Debian\fR for a brief introduction to shadow passwords and related features\&.
++
++.PP
++Note that turning shadow passwords off and on again will lose all password aging information\&.
++
+Index: git/man/shadowconfig.8.xml
+===================================================================
+--- /dev/null
++++ git/man/shadowconfig.8.xml
+@@ -0,0 +1,52 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
++ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
++<refentry id='shadowconfig.8'>
++ <!-- $Id: shadowconfig.8.xml,v 1.6 2005/06/15 12:39:27 kloczek Exp $ -->
++ <refentryinfo>
++ <date>19 Apr 1997</date>
++ </refentryinfo>
++ <refmeta>
++ <refentrytitle>shadowconfig</refentrytitle>
++ <manvolnum>8</manvolnum>
++ <refmiscinfo class='date'>19 Apr 1997</refmiscinfo>
++ <refmiscinfo class='source'>Debian GNU/Linux</refmiscinfo>
++ </refmeta>
++ <refnamediv id='name'>
++ <refname>shadowconfig</refname>
++ <refpurpose>toggle shadow passwords on and off</refpurpose>
++ </refnamediv>
++
++ <refsynopsisdiv id='synopsis'>
++ <cmdsynopsis>
++ <command>shadowconfig</command>
++ <group choice='plain'>
++ <arg choice='plain'><replaceable>on</replaceable></arg>
++ <arg choice='plain'><replaceable>off</replaceable></arg>
++ </group>
++ </cmdsynopsis>
++ </refsynopsisdiv>
++
++ <refsect1 id='description'>
++ <title>DESCRIPTION</title>
++ <para><command>shadowconfig</command> on will turn shadow passwords on;
++ <emphasis remap='B'>shadowconfig off</emphasis> will turn shadow
++ passwords off. <command>shadowconfig</command> will print an error
++ message and exit with a nonzero code if it finds anything awry. If
++ that happens, you should correct the error and run it again. Turning
++ shadow passwords on when they are already on, or off when they are
++ already off, is harmless.
++ </para>
++
++ <para>
++ Read <filename>/usr/share/doc/passwd/README.Debian</filename> for a
++ brief introduction
++ to shadow passwords and related features.
++ </para>
++
++ <para>Note that turning shadow passwords off and on again will lose all
++ password
++ aging information.
++ </para>
++ </refsect1>
++</refentry>
+Index: git/man/fr/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/fr/shadowconfig.8
+@@ -0,0 +1,26 @@
++.\" This file was generated with po4a. Translate the source file.
++.\"
++.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $
++.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux"
++.SH NOM
++shadowconfig \- active ou désactive les mots de passe cachés
++.SH SYNOPSIS
++\fBshadowconfig\fP \fIon\fP | \fIoff\fP
++.SH DESCRIPTION
++.PP
++\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message
++d'erreur et quitte avec une valeur de retour non nulle s'il rencontre
++quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant
++de recommencer.
++
++Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les
++désactiver lorsqu'ils ne sont pas actifs est sans effet.
++
++Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux
++mots de passe cachés et à leurs fonctionnalités.
++
++Notez que désactiver puis réactiver les mots de passe cachés aura pour
++conséquence la perte des informations d'âge sur les mots de passe.
++.SH TRADUCTION
++Nicolas FRANÇOIS, 2004.
++Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>.
+Index: git/man/ja/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/ja/shadowconfig.8
+@@ -0,0 +1,25 @@
++.\" all right reserved,
++.\" Translated Tue Oct 30 11:59:11 JST 2001
++.\" by Maki KURODA <mkuroda@aisys-jp.com>
++.\"
++.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux"
++.SH 名前
++shadowconfig \- shadow パスワードの設定をオン及びオフに切替える
++.SH 書式
++.B "shadowconfig"
++.IR on " | " off
++.SH 説明
++.PP
++.B shadowconfig on
++は shadow パスワードを有効にする。
++.B shadowconfig off
++は shadow パスワードを無効にする。
++.B shadowconfig
++は何らかの間違いがあると、エラーメッセージを表示し、
++ゼロではない返り値を返す。
++もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。
++shadow パスワードの設定がすでにオンの場合にオンに設定したり、
++すでにオフの場合にオフに設定しても、何の影響もない。
++
++.I /usr/share/doc/passwd/README.debian.gz
++には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。
+Index: git/man/pl/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/pl/shadowconfig.8
+@@ -0,0 +1,27 @@
++.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $
++.\" {PTM/WK/1999-09-14}
++.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux"
++.SH NAZWA
++shadowconfig - przełącza ochronę haseł i grup przez pliki shadow
++.SH SKŁADNIA
++.B "shadowconfig"
++.IR on " | " off
++.SH OPIS
++.PP
++.B shadowconfig on
++włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow);
++.B shadowconfig off
++wyłącza dodatkowe pliki haseł i grup.
++.B shadowconfig
++wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli
++znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd
++.\" if it finds anything awry.
++i uruchomić program ponownie.
++
++Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie,
++gdy jest wyłączona jest nieszkodliwe.
++
++Przeczytaj
++.IR /usr/share/doc/passwd/README.debian.gz ,
++gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych
++plików haseł przesłanianych (shadow passwords) i związanych tematów.
diff --git a/debian/patches/505_useradd_recommend_adduser b/debian/patches/505_useradd_recommend_adduser
new file mode 100644
index 0000000..448def4
--- /dev/null
+++ b/debian/patches/505_useradd_recommend_adduser
@@ -0,0 +1,36 @@
+Goal: Recommend using adduser and deluser.
+
+Fixes: #406046
+
+Status wrt upstream: Debian specific patch.
+
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -107,6 +107,12 @@
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
++ <command>useradd</command> is a low level utility for adding
++ users. On Debian, administrators should usually use
++ <citerefentry><refentrytitle>adduser</refentrytitle>
++ <manvolnum>8</manvolnum></citerefentry> instead.
++ </para>
++ <para>
+ When invoked without the <option>-D</option> option, the
+ <command>useradd</command> command creates a new user account using
+ the values specified on the command line plus the default values from
+--- a/man/userdel.8.xml
++++ b/man/userdel.8.xml
+@@ -83,6 +83,12 @@
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
++ <command>userdel</command> is a low level utility for removing
++ users. On Debian, administrators should usually use
++ <citerefentry><refentrytitle>deluser</refentrytitle>
++ <manvolnum>8</manvolnum></citerefentry> instead.
++ </para>
++ <para>
+ The <command>userdel</command> command modifies the system account
+ files, deleting all entries that refer to the user name <emphasis
+ remap='I'>LOGIN</emphasis>. The named user must exist.
diff --git a/debian/patches/506_relaxed_usernames b/debian/patches/506_relaxed_usernames
new file mode 100644
index 0000000..8eb1792
--- /dev/null
+++ b/debian/patches/506_relaxed_usernames
@@ -0,0 +1,100 @@
+Goal: Relaxed usernames/groupnames checking patch.
+
+Status wrt upstream: Debian specific. Not to be used upstream
+
+Details:
+ Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
+ characters and don't start with '-', '+', or '~'. This patch is more
+ restrictive than original Karl's version. closes: #264879
+ Also closes: #377844
+
+ Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
+
+ I can't come up with a good justification as to why characters other
+ than ':'s and '\0's should be disallowed in group and usernames (other
+ than '-' as the leading character). Thus, the maintenance tools don't
+ anymore. closes: #79682, #166798, #171179
+
+--- a/libmisc/chkname.c
++++ b/libmisc/chkname.c
+@@ -54,6 +54,7 @@
+ return true;
+ }
+
++#if 0
+ /*
+ * User/group names must match [a-z_][a-z0-9_-]*[$]
+ */
+@@ -73,6 +74,26 @@
+ return false;
+ }
+ }
++#endif
++ /*
++ * POSIX indicate that usernames are composed of characters from the
++ * portable filename character set [A-Za-z0-9._-], and that the hyphen
++ * should not be used as the first character of a portable user name.
++ *
++ * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
++ */
++ if ( ('\0' == *name)
++ || ('-' == *name)
++ || ('~' == *name)
++ || ('+' == *name)) {
++ return false;
++ }
++ do {
++ if ((':' == *name) || (',' == *name) || isspace(*name)) {
++ return false;
++ }
++ name++;
++ } while ('\0' != *name);
+
+ return true;
+ }
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -662,12 +662,20 @@
+ </para>
+
+ <para>
+- Usernames must start with a lower case letter or an underscore,
++ It is usually recommended to only use usernames that begin with a lower case letter or an underscore,
+ followed by lower case letters, digits, underscores, or dashes.
+ They can end with a dollar sign.
+ In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+ </para>
+ <para>
++ On Debian, the only constraints are that usernames must neither start
++ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
++ colon (':'), a comma (','), or a whitespace (space: ' ',
++ end of line: '\n', tabulation: '\t', etc.). Note that using a slash
++ ('/') may break the default algorithm for the definition of the
++ user's home directory.
++ </para>
++ <para>
+ Usernames may only be up to 32 characters long.
+ </para>
+ </refsect1>
+--- a/man/groupadd.8.xml
++++ b/man/groupadd.8.xml
+@@ -273,12 +273,18 @@
+ <refsect1 id='caveats'>
+ <title>CAVEATS</title>
+ <para>
+- Groupnames must start with a lower case letter or an underscore,
++ It is usually recommended to only use groupnames that begin with a lower case letter or an underscore,
+ followed by lower case letters, digits, underscores, or dashes.
+ They can end with a dollar sign.
+ In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+ </para>
+ <para>
++ On Debian, the only constraints are that groupnames must neither start
++ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
++ colon (':'), a comma (','), or a whitespace (space:' ',
++ end of line: '\n', tabulation: '\t', etc.).
++ </para>
++ <para>
+ Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+ </para>
+ <para>
diff --git a/debian/patches/508_nologin_in_usr_sbin b/debian/patches/508_nologin_in_usr_sbin
new file mode 100644
index 0000000..d5091b1
--- /dev/null
+++ b/debian/patches/508_nologin_in_usr_sbin
@@ -0,0 +1,18 @@
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -24,7 +24,6 @@
+ # $prefix/bin and $prefix/sbin, no install-data hacks...)
+
+ bin_PROGRAMS = groups login
+-sbin_PROGRAMS = nologin
+ ubin_PROGRAMS = faillog lastlog chage chfn chsh expiry gpasswd newgrp passwd
+ if ENABLE_SUBIDS
+ ubin_PROGRAMS += newgidmap newuidmap
+@@ -45,6 +44,7 @@
+ grpunconv \
+ logoutd \
+ newusers \
++ nologin \
+ pwck \
+ pwconv \
+ pwunconv \
diff --git a/debian/patches/542_useradd-O_option b/debian/patches/542_useradd-O_option
new file mode 100644
index 0000000..f9ea5a0
--- /dev/null
+++ b/debian/patches/542_useradd-O_option
@@ -0,0 +1,43 @@
+Goal: accepts the -O flag for backward compatibility. (was used by adduser?)
+
+Note: useradd.8 needs to be regenerated.
+
+Status wrt upstream: not included as this is just specific
+ backward compatibility for Debian
+
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -341,6 +341,11 @@
+ databases are reset to avoid reusing the entry from a previously
+ deleted user.
+ </para>
++ <para>
++ For the compatibility with previous Debian's
++ <command>useradd</command>, the <option>-O</option> option is
++ also supported.
++ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -1143,9 +1143,9 @@
+ };
+ while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:UZ:",
++ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:P:s:u:UZ:",
+ #else /* !WITH_SELINUX */
+- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U",
++ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:P:s:u:U",
+ #endif /* !WITH_SELINUX */
+ long_options, NULL)) != -1) {
+ switch (c) {
+@@ -1274,6 +1274,7 @@
+ kflg = true;
+ break;
+ case 'K':
++ case 'O': /* compatibility with previous Debian useradd */
+ /*
+ * override login.defs defaults (-K name=value)
+ * example: -K UID_MIN=100 -K UID_MAX=499
diff --git a/debian/patches/900_testsuite_groupmems b/debian/patches/900_testsuite_groupmems
new file mode 100644
index 0000000..6bdc497
--- /dev/null
+++ b/debian/patches/900_testsuite_groupmems
@@ -0,0 +1,81 @@
+--- a/debian/passwd.install
++++ b/debian/passwd.install
+@@ -9,6 +9,7 @@
+ usr/sbin/cppw
+ usr/sbin/groupadd
+ usr/sbin/groupdel
++usr/sbin/groupmems
+ usr/sbin/groupmod
+ usr/sbin/grpck
+ usr/sbin/grpconv
+@@ -33,6 +34,7 @@
+ usr/share/man/*/man8/chpasswd.8
+ usr/share/man/*/man8/groupadd.8
+ usr/share/man/*/man8/groupdel.8
++usr/share/man/*/man8/groupmems.8
+ usr/share/man/*/man8/groupmod.8
+ usr/share/man/*/man8/grpck.8
+ usr/share/man/*/man8/grpconv.8
+@@ -59,6 +61,7 @@
+ usr/share/man/man8/chpasswd.8
+ usr/share/man/man8/groupadd.8
+ usr/share/man/man8/groupdel.8
++usr/share/man/man8/groupmems.8
+ usr/share/man/man8/groupmod.8
+ usr/share/man/man8/grpck.8
+ usr/share/man/man8/grpconv.8
+--- a/debian/passwd.postinst
++++ b/debian/passwd.postinst
+@@ -31,6 +31,24 @@
+ exit 1
+ )
+ fi
++ if ! getent group groupmems | grep -q '^groupmems:[^:]*:99'
++ then
++ groupadd -g 99 groupmems || (
++ cat <<EOF
++************************ TESTSUITE *****************************
++Group ID 99 has been allocated for the groupmems group. You have either
++used 99 yourself or created a groupmems group with a different ID.
++Please correct this problem and reconfigure with ``dpkg --configure passwd''.
++
++Note that both user and group IDs in the range 0-99 are globally
++allocated by the Debian project and must be the same on every Debian
++system.
++EOF
++ exit 1
++ )
++# FIXME
++ chgrp groupmems /usr/sbin/groupmems
++ fi
+ ;;
+ esac
+
+--- a/debian/rules
++++ b/debian/rules
+@@ -60,6 +60,7 @@
+ dh_installpam -p passwd --name=chsh
+ dh_installpam -p passwd --name=chpasswd
+ dh_installpam -p passwd --name=newusers
++ dh_installpam -p passwd --name=groupmems
+ ifeq ($(DEB_HOST_ARCH_OS),hurd)
+ # login is not built on The Hurd, but some utilities of passwd depends on
+ # /etc/login.defs.
+@@ -87,3 +88,6 @@
+ chgrp shadow debian/passwd/usr/bin/expiry
+ chmod g+s debian/passwd/usr/bin/chage
+ chmod g+s debian/passwd/usr/bin/expiry
++ chgrp groupmems debian/passwd/usr/sbin/groupmems
++ chmod u+s debian/passwd/usr/sbin/groupmems
++ chmod o-x debian/passwd/usr/sbin/groupmems
+--- /dev/null
++++ b/debian/passwd.groupmems.pam
+@@ -0,0 +1,8 @@
++# The PAM configuration file for the Shadow 'groupmod' service
++#
++
++# This allows root to modify groups without being prompted for a password
++auth sufficient pam_rootok.so
++
++@include common-auth
++@include common-account
diff --git a/debian/patches/901_testsuite_gcov b/debian/patches/901_testsuite_gcov
new file mode 100644
index 0000000..717ccca
--- /dev/null
+++ b/debian/patches/901_testsuite_gcov
@@ -0,0 +1,76 @@
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -1,6 +1,8 @@
+
+ AUTOMAKE_OPTIONS = 1.0 foreign
+
++CFLAGS += -fprofile-arcs -ftest-coverage
++
+ DEFS =
+
+ noinst_LTLIBRARIES = libshadow.la
+--- a/libmisc/Makefile.am
++++ b/libmisc/Makefile.am
+@@ -1,6 +1,8 @@
+
+ EXTRA_DIST = .indent.pro xgetXXbyYY.c
+
++CFLAGS += -fprofile-arcs -ftest-coverage
++
+ INCLUDES = -I$(top_srcdir)/lib
+
+ noinst_LIBRARIES = libmisc.a
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -7,6 +7,8 @@
+ suidperms = 4755
+ sgidperms = 2755
+
++CFLAGS += -fprofile-arcs -ftest-coverage
++
+ INCLUDES = \
+ -I${top_srcdir}/lib \
+ -I$(top_srcdir)/libmisc
+--- a/debian/rules
++++ b/debian/rules
+@@ -40,6 +40,12 @@
+ endif
+ export CFLAGS
+
++clean:: clean_gcov
++
++clean_gcov:
++ find . -name "*.gcda" -delete
++ find . -name "*.gcno" -delete
++
+ # Add extras to the install process:
+ binary-install/login::
+ dh_installpam -p login
+--- a/lib/defines.h
++++ b/lib/defines.h
+@@ -174,23 +174,9 @@
+ trust the formatted time received from the unix domain (or worse,
+ UDP) socket. -MM */
+ /* Avoid translated PAM error messages: Set LC_ALL to "C".
++ * This is disabled for coverage testing
+ * --Nekral */
+-#define SYSLOG(x) \
+- do { \
+- char *old_locale = setlocale (LC_ALL, NULL); \
+- char *saved_locale = NULL; \
+- if (NULL != old_locale) { \
+- saved_locale = strdup (old_locale); \
+- } \
+- if (NULL != saved_locale) { \
+- (void) setlocale (LC_ALL, "C"); \
+- } \
+- syslog x ; \
+- if (NULL != saved_locale) { \
+- (void) setlocale (LC_ALL, saved_locale); \
+- free (saved_locale); \
+- } \
+- } while (false)
++#define SYSLOG(x) syslog x
+ #else /* !ENABLE_NLS */
+ #define SYSLOG(x) syslog x
+ #endif /* !ENABLE_NLS */
diff --git a/debian/patches/README.patches b/debian/patches/README.patches
new file mode 100644
index 0000000..a804fe3
--- /dev/null
+++ b/debian/patches/README.patches
@@ -0,0 +1,22 @@
+Small intro to the system for numbering the patches here...
+
+-The 00xx-... patches are forwarded to upstream's git repository
+
+-The 0xx_... series of patches are patches isolated from the latest
+ version of the shadow Debian package not using quilt in order to
+ separate upstream from Debian-specific stuff.
+
+ NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES
+
+-The 4xx series are patches which have been applied to Debian's shadow
+ and have NOT been accepted and/or applied upstream. These patches MUST be kept
+ even after resynced with upstream
+
+-The 5xx series are patches which are applied to Debian's shadow
+ and will never be proposed upstream because they're too specific
+ This list SHOULD BE AS SHORT AS POSSIBLE
+
+In short, while we are working towards synchronisation with upstream,
+our goal is to make 0xx patches disappear by moving them either to 3xx
+series (things already implemented upstream) or to 4xx series
+(Debian-specific patches).
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..68dc397
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,16 @@
+# These patches are only for the testsuite:
+#900_testsuite_groupmems
+#901_testsuite_gcov
+
+503_shadowconfig.8
+008_login_log_failure_in_FTMP
+429_login_FAILLOG_ENAB
+401_cppw_src.dpatch
+# 402 should be merged in 401, but should be reviewed by SE Linux experts first
+402_cppw_selinux
+506_relaxed_usernames
+542_useradd-O_option
+463_login_delay_obeys_to_PAM
+508_nologin_in_usr_sbin
+505_useradd_recommend_adduser
+501_commonio_group_shadow