summaryrefslogtreecommitdiffstats
path: root/debian
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 20:46:56 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 20:46:56 +0000
commit2dd01f6cc0c6333b58c3e77f3d8a3dca116a1c8b (patch)
tree96185c3fd8772392c9989835f1b9954b5aadb9d8 /debian
parentAdding upstream version 1:4.13+dfsg1. (diff)
downloadshadow-2dd01f6cc0c6333b58c3e77f3d8a3dca116a1c8b.tar.xz
shadow-2dd01f6cc0c6333b58c3e77f3d8a3dca116a1c8b.zip
Adding debian version 1:4.13+dfsg1-4.debian/1%4.13+dfsg1-4
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--debian/HOME_MODE.xml43
-rw-r--r--debian/Makefile16
-rw-r--r--debian/NEWS62
-rw-r--r--debian/README.debian62
-rw-r--r--debian/README.source8
-rw-r--r--debian/TODO19
-rw-r--r--debian/bugs-usertags25
-rw-r--r--debian/changelog4102
-rw-r--r--debian/control88
-rw-r--r--debian/copyright221
-rw-r--r--debian/cpgr.81
-rw-r--r--debian/cppw.827
-rw-r--r--debian/default/useradd37
-rw-r--r--debian/dependencies94
-rw-r--r--debian/gitlab-ci.yml7
-rw-r--r--debian/libsubid-dev.install3
-rw-r--r--debian/libsubid4.install1
-rw-r--r--debian/libsubid4.symbols10
-rw-r--r--debian/login.defs394
-rw-r--r--debian/login.dirs1
-rw-r--r--debian/login.install7
-rw-r--r--debian/login.links1
-rw-r--r--debian/login.lintian-overrides1
-rw-r--r--debian/login.maintscript1
-rw-r--r--debian/login.manpages16
-rw-r--r--debian/login.pam100
-rw-r--r--debian/login.postinst30
-rw-r--r--debian/not-installed36
-rw-r--r--debian/passwd.chage.pam8
-rw-r--r--debian/passwd.chfn.pam16
-rw-r--r--debian/passwd.chpasswd.pam5
-rw-r--r--debian/passwd.chsh.pam20
-rw-r--r--debian/passwd.dirs2
-rw-r--r--debian/passwd.examples1
-rw-r--r--debian/passwd.expire.cron57
-rw-r--r--debian/passwd.groupadd.pam8
-rw-r--r--debian/passwd.groupdel.pam8
-rw-r--r--debian/passwd.groupmod.pam8
-rw-r--r--debian/passwd.install26
-rw-r--r--debian/passwd.links2
-rw-r--r--debian/passwd.lintian-overrides6
-rw-r--r--debian/passwd.maintscript1
-rw-r--r--debian/passwd.manpages60
-rw-r--r--debian/passwd.newusers.pam5
-rw-r--r--debian/passwd.passwd.pam6
-rw-r--r--debian/passwd.postinst30
-rw-r--r--debian/passwd.tmpfiles8
-rw-r--r--debian/passwd.useradd.pam8
-rw-r--r--debian/passwd.userdel.pam8
-rw-r--r--debian/passwd.usermod.pam8
-rw-r--r--debian/patches/0001-gpasswd-1-Fix-password-leak.patch137
-rw-r--r--debian/patches/0002-Added-control-character-check.patch45
-rw-r--r--debian/patches/0003-Overhaul-valid_field.patch61
-rw-r--r--debian/patches/008_login_log_failure_in_FTMP51
-rw-r--r--debian/patches/401_cppw_src.dpatch276
-rw-r--r--debian/patches/402_cppw_selinux64
-rw-r--r--debian/patches/429_login_FAILLOG_ENAB84
-rw-r--r--debian/patches/463_login_delay_obeys_to_PAM97
-rw-r--r--debian/patches/501_commonio_group_shadow60
-rw-r--r--debian/patches/502_debian_useradd_defaults41
-rw-r--r--debian/patches/503_shadowconfig.8201
-rw-r--r--debian/patches/505_useradd_recommend_adduser36
-rw-r--r--debian/patches/506_relaxed_usernames111
-rw-r--r--debian/patches/542_useradd-O_option40
-rw-r--r--debian/patches/900_testsuite_groupmems81
-rw-r--r--debian/patches/901_testsuite_gcov76
-rw-r--r--debian/patches/README.patches22
-rw-r--r--debian/patches/series23
-rwxr-xr-xdebian/rules82
-rw-r--r--debian/shadowconfig70
-rw-r--r--debian/source/format1
-rw-r--r--debian/tests/control2
-rwxr-xr-xdebian/tests/smoke13
-rw-r--r--debian/uidmap.install3
-rw-r--r--debian/uidmap.lintian-overrides2
-rw-r--r--debian/uidmap.manpages5
-rw-r--r--debian/upstream/metadata4
-rw-r--r--debian/upstream/signing-key.asc80
-rw-r--r--debian/watch6
79 files changed, 7488 insertions, 0 deletions
diff --git a/debian/HOME_MODE.xml b/debian/HOME_MODE.xml
new file mode 100644
index 0000000..21aa55f
--- /dev/null
+++ b/debian/HOME_MODE.xml
@@ -0,0 +1,43 @@
+<!--
+ Copyright (c) 1991 - 1993, Julianne Frances Haugh
+ Copyright (c) 1991 - 1993, Chip Rosenthal
+ Copyright (c) 2007 - 2009, Nicolas François
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The name of the copyright holders or contributors may not be used to
+ endorse or promote products derived from this software without
+ specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<varlistentry>
+ <term><option>HOME_MODE</option> (number)</term>
+ <listitem>
+ <para>
+ The mode for new home directories. If not specified,
+ the <option>UMASK</option> is used to create the mode.
+ </para>
+ <para>
+ <command>useradd</command> and <command>newusers</command> use this
+ to set the mode of the home directory they create.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/debian/Makefile b/debian/Makefile
new file mode 100644
index 0000000..06d49f5
--- /dev/null
+++ b/debian/Makefile
@@ -0,0 +1,16 @@
+PKG=shadow
+SITE=ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/
+
+deb:: check_cheese
+
+include /usr/share/quilt/quilt.debbuild.mk
+
+check_cheese:
+ @dpkg-parsechangelog | grep -q "\* The \".*\".* release\." || { \
+ echo ""; \
+ echo " ** **"; \
+ echo " ** Warning: not a cheesy release! **"; \
+ echo " ** **"; \
+ echo ""; \
+ exit 1; \
+ }
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..a41043e
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,62 @@
+shadow (1:4.13+dfsg1-2) unstable; urgency=medium
+
+ The previous entry falsely states that PREVENT_NO_AUTH in /etc/login.defs
+ affects authentication. The historical default of letting all users with
+ empty password field in without authentication is still in effect.
+
+ -- Balint Reczey <balint@balintreczey.hu> Mon, 25 Sep 2023 17:04:09 +0200
+
+shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
+
+ Login now prevents an empty password field to be interpreted as
+ "no authentication required" for UID 0 (root account).
+ The historical default of letting all users with empty password field
+ in without authentication can be restored in /etc/login.defs setting
+ PREVENT_NO_AUTH to "no".
+
+ -- Balint Reczey <balint@balintreczey.hu> Sun, 07 Nov 2021 21:51:46 +0100
+
+shadow (1:4.7-1) unstable; urgency=medium
+
+ * /etc/securetty is no longer shipped by this package and it is no longer
+ honored in login's PAM configuration by default. Please see #731656 for the
+ details.
+
+ -- Balint Reczey <rbalint@ubuntu.com> Thu, 20 Jun 2019 13:46:52 +0200
+
+shadow (1:4.0.15-5) unstable; urgency=low
+
+ * commands passed in argument to su must use su's -c option and must quote
+ the command if it contains a space, as in:
+ su - root -c "ls -l /"
+ The following commands won't work anymore:
+ su - root -c ls -l /
+ su - root "ls -l /"
+ su - root ls -l /
+
+ -- Christian Perrier <bubulle@debian.org> Sat, 8 Apr 2006 20:11:38 +0200
+
+shadow (1:4.0.14-1) unstable; urgency=low
+
+ * passwd does not support the -f, -s, and -g options anymore. You should use
+ the chfn, chsh and gpasswd utilities instead.
+ * login now distributes the nologin utility, which can be used as a shell
+ to politely refuse a login
+
+ -- Christian Perrier <bubulle@debian.org> Thu, 5 Jan 2006 08:47:44 +0100
+
+shadow (1:4.0.12-1) unstable; urgency=low
+
+ CLOSE_SESSIONS and other variables are not used anymore in
+ /etc/login/defs.
+ As shadow utilities which use this file now warn about unknown
+ entries there, administrators should remove such unknown entries.
+ The supplied login.defs file does not include them anymore.
+
+ dpasswd is no more distributed by upstream. Login do not support
+ dialup password anymore. Re-introducing this functionality in
+ upstream is not trivial.
+
+
+ -- Christian Perrier <bubulle@debian.org> Thu, 25 Aug 2005 08:38:47 +0200
+
diff --git a/debian/README.debian b/debian/README.debian
new file mode 100644
index 0000000..e7ef263
--- /dev/null
+++ b/debian/README.debian
@@ -0,0 +1,62 @@
+Read this file first for a brief overview of the new versions of login
+and passwd.
+
+
+---Shadow passwords
+
+The command `shadowconfig on' will turn on shadow password support.
+`shadowconfig off' will turn it back off. If you turn on shadow
+password support, you'll gain the ability to set password ages and
+expirations with chage(1).
+
+NOTE: If you use the nscd package, you may have problems with a
+slight delay in updating the password information. You may notice
+this during upgrades of certain packages that try to add a system
+user and then access the users information immediately afterwards.
+To avoid this, it is suggested that you stop the nscd daemon before
+upgrades, then restart it again.
+
+---General configuration
+
+Most of the configuration for the shadow utilities is in
+/etc/login.defs. See login.defs(5). The defaults are quite
+reasonable.
+
+Also see the /etc/pam.d/* files for each program to configure the PAM
+support. PAM documentation is available in several formats in the
+libpam-doc package.
+
+
+---MD5 Encryption
+
+This is enabled now using the /etc/pam.d/* files. Examples are given.
+
+
+---Adding users and groups
+
+Though you may add users and groups with the SysV type commands,
+useradd and groupadd, I recommend you add them with Debian adduser
+version 3+. adduser gives you more configuration and conforms to the
+Debian UID and GID allocation.
+
+Editing user and group parameters can be done with usermod and
+groupmod. Removing users and groups can be done with userdel and
+groupdel.
+
+
+--- Group administration
+
+Local group allocation is much easier. With gpasswd(1) you can
+designate users to administer groups. They can then securely add or
+remove users from the group.
+
+
+--- What to read next?
+
+Read the manpages, the other files in this directory, and the Shadow
+Password HOWTO (included in the doc-linux package). A large portion
+of these files deals with getting shadow installed. You can, of
+course, ignore those parts.
+
+Also, the libpam-doc package will go a long way to allowing you to take
+full advantage of the PAM authentication scheme.
diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 0000000..4869e2f
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,8 @@
+If you update the translation of upsteam files (thank you for that!) please
+submit a pull request upstream instead of filing a bug in the Debian BTS
+to get it reviewed and accepted faster.
+
+A testsuite is also available. Instruction on how to run this testsuite
+are available in tests/README
+
+ -- Balint Reczey <balint@balintreczey.hu>, Mon, 31 Jan 2022 14:07:11 +0100
diff --git a/debian/TODO b/debian/TODO
new file mode 100644
index 0000000..4ada3bc
--- /dev/null
+++ b/debian/TODO
@@ -0,0 +1,19 @@
+Things that should be done:
+ * Verify the files left in debian/tmp
+ + e.g. /etc/default/adduser should be installed
+ * Check the build system: rebuilding the package twoce in the same tree
+ doubles the size of the diff.gz file
+
+Other points (not related to the release of a syncronized shadow):
+ * compare the source with the usages and man pages
+ + probably add a sentence to chsh/chfn's manpages about authentication
+ required for ordinary users
+ * do something (a tool) for the variables in login.defs
+ In Debian, some tools are not compiled with the PAM support, so upstream
+ getdef.c won't be OK.
+ It should be nice to see in each man page the set of variables used.
+ The Debian package can now compile (export DEB_BUILD_OPTIONS='nostrip debug')
+ with the debugging informations. This may be used to extract the set of
+ variables used in Debian/for each tools.
+ * verify all the patches around (I've found patches for at least RedHat,
+ OWL, LFS, Mandriva, Gentoo; are they already applied?)
diff --git a/debian/bugs-usertags b/debian/bugs-usertags
new file mode 100644
index 0000000..6117f1d
--- /dev/null
+++ b/debian/bugs-usertags
@@ -0,0 +1,25 @@
+This described the usertags used by the team.
+
+For usertags documentation, see
+http://lists.debian.org/debian-devel-announce/2005/09/msg00002.html
+
+All bugs tagged by team members must be tagged with
+"user pkg-shadow-devel@lists.alioth.debian.org"
+
+Tags list
+---------
+
+toclose: This bug has been announced to be closed in case no more news
+ or information is received from the bug submitter or someone
+ else until the delay specified in the limits_YYYYMMDD tag
+
+limits-YYYYMMDD: combine it with "toclose". Specifies the date after which
+ bugs can be closed without other action in case no news
+ is received
+
+manpages-replace A bug reported angainst a manpages-xx package to indicate
+ conflicting man pages. This tag can be used to tune the
+ Replaces fields.
+
+su-transition: This bug is related to the su transition (#276419)
+
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..c7566f0
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,4102 @@
+shadow (1:4.13+dfsg1-4) unstable; urgency=medium
+
+ [ Helmut Grohne ]
+ * DEP17: Move login and shadowconfig to /usr. (Closes: #1059915)
+
+ -- Serge Hallyn <serge@hallyn.com> Sun, 04 Feb 2024 20:28:27 +0000
+
+shadow (1:4.13+dfsg1-3) unstable; urgency=medium
+
+ * Team upload
+ * Remove myself from uploaders
+
+ -- Balint Reczey <balint@balintreczey.hu> Sun, 15 Oct 2023 19:10:52 +0200
+
+shadow (1:4.13+dfsg1-2) unstable; urgency=medium
+
+ [ Balint Reczey ]
+ * debian/gitlab-ci.yml: Use sudo to fix reprotest test
+ * debian/login.pam: Drop reference to Debian Etch (Closes: #1040064)
+ * debian/NEWS: Fix false claim about PREVENT_NO_AUTH affecting authentication.
+ Also drop setting PREVENT_NO_AUTH in shipped login.defs. (Closes: #1041547)
+ * Cherry-pick upstream patch to fix gpasswd passwd leak
+ (CVE-2023-4641) (Closes: #1051062)
+ * Cherry-pick upstream patch to fix chfn vulnerability allowing injection of
+ control characters into some /etc/passwd fields.
+ (CVE-2023-29383) (Closes: #1034482)
+
+ [ Gioele Barabucci ]
+ * Support <nodoc> build profile
+ `xsltproc`, `docbook` and all other XML-related packages are not needed
+ when the `<nodoc>` build profile is active, as long as `./configure` is
+ called with `--disable-man`. (Closes: #1051827)
+
+
+ -- Balint Reczey <balint@balintreczey.hu> Tue, 26 Sep 2023 22:01:52 +0200
+
+shadow (1:4.13+dfsg1-1) unstable; urgency=medium
+
+ [ Balint Reczey ]
+ * debian/watch: Make watch file work with new GitHub UI
+ * debian/control: Mark libsubid-dev as Multi-Arch: same
+ * New upstream version 4.13
+ - fix typo in useradd(8) (Closes: #1021380)
+ * Refresh patches
+
+ [ Debian Janitor ]
+ * Remove constraints unnecessary since buster (oldstable)
+ * login: Drop versioned constraint on util-linux in Breaks.
+ Changes-By: deb-scrub-obsolete
+
+ -- Balint Reczey <balint@balintreczey.hu> Fri, 11 Nov 2022 09:28:15 +0100
+
+shadow (1:4.12.3+dfsg1-3) unstable; urgency=medium
+
+ [ Debian Janitor ]
+ * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse.
+
+ [ Balint Reczey ]
+ * Fix tree copying regressions introduced in 4.12.2. (Closes: #1023132)
+
+ -- Balint Reczey <balint@balintreczey.hu> Sat, 05 Nov 2022 14:47:01 +0100
+
+shadow (1:4.12.3+dfsg1-2) unstable; urgency=medium
+
+ * Cherry-pick upstream patch to fix regression in expiration date handling
+ (Closes: #1021697)
+
+ -- Balint Reczey <balint@balintreczey.hu> Sat, 22 Oct 2022 20:23:10 +0200
+
+shadow (1:4.12.3+dfsg1-1) unstable; urgency=medium
+
+ [ Balint Reczey ]
+ * New upstream release (Closes: #1004242, #1006848)
+ * Refresh patches
+ * debian/patches: Reorder patches in series to make it look sane
+ * Fix Lintian elevated-privileges tag rename
+
+ [ Johannes Schauer Marin Rodrigues ]
+ * debian/shadowconfig: Support DPKG_ROOT without using chroot()
+ (Closes: #1007758)
+ * useradd: cherry-pick patch from upstream to avoid creating several GB worth
+ of sparse lastlog and faillog files for users with high uid values
+ (Closes: #1019245)
+
+ [ Debian Janitor ]
+ * Update renamed lintian tag names in lintian overrides.
+ * Update standards version to 4.6.1, no changes needed.
+
+ -- Balint Reczey <balint@balintreczey.hu> Tue, 04 Oct 2022 22:09:04 +0200
+
+shadow (1:4.11.1+dfsg1-2) unstable; urgency=medium
+
+ [ Balint Reczey ]
+ * debian/README.source: Recommend submitting translations upstream
+ * debian/tests/control: Mark smoke test as superficial
+ * useradd: Restore defaults used up to 4.8.1 version.
+ Also fix /etc/default/useradd to state that mail spool directories are
+ not created.
+ * login.defs:
+ - List default value of HOME_MODE
+ - Warn about weak cryptographic choices, like upstream
+ - include HMAC_CRYPTO_ALGO key
+ - Fix typo
+
+ [ Jenkins ]
+ * Trim trailing whitespace.
+ Changes-By: lintian-brush
+ Fixes: lintian: trailing-whitespace
+ * Use canonical URL in Vcs-Git.
+ Changes-By: lintian-brush
+ Fixes: lintian: vcs-field-not-canonical
+ * Fix day-of-week for changelog entry 1:4.1.4.2+svn3283-3.
+ Changes-By: lintian-brush
+ Fixes: lintian: debian-changelog-has-wrong-day-of-week
+
+ -- Balint Reczey <balint@balintreczey.hu> Thu, 03 Mar 2022 20:41:41 +0100
+
+shadow (1:4.11.1+dfsg1-1) unstable; urgency=medium
+
+ * debian/NEWS: Fix version and release of latest entry
+
+ -- Balint Reczey <balint@balintreczey.hu> Mon, 31 Jan 2022 10:33:28 +0100
+
+shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
+
+ * login: Don't list su command as shipped (Closes: #960637)
+ * Install nologin /usr/sbin without patching makefiles
+ * debian/copyright: Fully rewrite the file based on upstream license update
+ and exclude contrib/atudel from upstream tarball
+ * debian/watch: Repack upstream tarball with +dfsg1 suffix
+ * debian/upstream/signing-key.asc: Update upstream signing key
+ * New upstream version 4.11.1+dfsg1
+ * Refresh patches
+ * Set NONEXISTENT to /nonexistent in shipped login.defs (Closes: #960318)
+ * Enable newly added yescrypt support
+ * Include YESCRYPT options in shipped login.defs (Closes: #991914)
+ * debian/rules: Stop using --disable-shared to build shared libraries
+ * Ship the libsubid4 and libsubid-dev packages and ship getsubids in uidmap
+ * debian/rules: Drop obsolete variable setting
+ * debian/login.lintian-overrides: Drop unused override
+ * debian/control: Make the Vcs-Browser URL canonical
+ * debian/login.defs: List new GRANT_AUX_GROUP_SUBIDS option in shipped login.defs
+ * debian/NEWS: Mention new login behaviour regarding empty password field.
+ Also set PREVENT_NO_AUTH in shipped login.defs accordingly.
+ * debian/tests: Cherry-pick part of autopkgtest from Ubuntu.
+ Thanks to Michael Vogt for the more extensive suite in Ubuntu
+ * debian/login.defs: Set default subuid and subgid ranges
+
+ -- Balint Reczey <balint@balintreczey.hu> Sat, 22 Jan 2022 21:03:44 +0100
+
+shadow (1:4.8.1-2) unstable; urgency=medium
+
+ * debian/control: Switch to libsemanage-dev from libsemanage1-dev
+ (Closes: #998633)
+ * ACK NMU, thanks for all the changes
+ * Make passwd recommend sensible-utils because vipw uses sensible-editor
+ * Add files to debian/not-installed or install them when they were missed
+ This change ships a few more man page translations
+ * debian/control: Bump debhelper-compat version to 13
+ * List man pages to install in debian/*.manpages instead of in
+ debian/*.install
+ * Clean up debian/control using 'cme fix dpkg-control'
+ * Rename deprecated debian/passwd.tmpfile to debian/passwd.tmpfiles
+ * debian/control: Revert to my personal email address in the Maintainer field
+
+ -- Balint Reczey <balint@balintreczey.hu> Wed, 10 Nov 2021 10:39:04 +0100
+
+shadow (1:4.8.1-1.1) unstable; urgency=medium
+
+ [ Johannes Schauer Marin Rodrigues ]
+ * Non-maintainer upload.
+
+ [ Niels Thykier ]
+ * Remove obsolete login.preinst
+ * Remove obsolete code from passwd maintscripts
+
+ [ Helmut Grohne ]
+ * logoutd is gone since at least buster (closes: #989712)
+ * Delete duplicate subuid/subgid creation.
+ * login.postinstd support for DPKG_ROOT (closes: #992578)
+
+ -- Johannes Schauer Marin Rodrigues <josch@debian.org> Sat, 23 Oct 2021 21:04:57 +0200
+
+shadow (1:4.8.1-1) unstable; urgency=medium
+
+ * debian/default/useradd: Fix typo DHSELL -> DSHELL (Closes: #897028)
+ * New upstream version 4.8.1
+ - Update Dutch translation (Closes: #946608)
+ * Refresh patches
+
+ -- Balint Reczey <rbalint@ubuntu.com> Fri, 07 Feb 2020 15:54:14 +0100
+
+shadow (1:4.8-1) unstable; urgency=medium
+
+ [ Laurent Bigonville ]
+ * Move the call to pam_motd before pam_selinux open
+
+ [ Justin B Rye ]
+ * login: Update package description (Closes: #808301)
+
+ [ Yuriy M. Kaminskiy ]
+ * Mark uidmap and login as Multi-Arch: foreign (Closes: #934473)
+
+ [ Andreas Henriksson ]
+ * New upstream release.
+ - man: generate translations using itstool instead of xml2po
+ * Replace gnome-doc-utils build-dep with itstool (Closes: #881889)
+ * Use explicit --without-su configure flag
+ * Refresh and massage patches to apply
+ * Cherry-pick upstream patch reverting bindir/sbindir
+ * Fix lintian warning useless-autoreconf-build-depends
+
+ [ Balint Reczey ]
+ * debian/login.su.pam: Drop unused file
+
+ -- Balint Reczey <rbalint@ubuntu.com> Fri, 20 Dec 2019 16:39:40 +0100
+
+shadow (1:4.7-2) unstable; urgency=medium
+
+ [ Balint Reczey ]
+ * Remove obsolete /etc/cron.daily/passwd in maintainer scripts
+ (Closes: #932017)
+ * Remove Christian Perrier from Uploaders according to his request.
+ Thank you for maintaining shadow for long years! (Closes: #893944, #927576)
+
+ [ Gaudenz Steinlin ]
+ * Improve NEWS entry about securetty.
+
+ -- Balint Reczey <rbalint@ubuntu.com> Tue, 16 Jul 2019 18:48:12 +0200
+
+shadow (1:4.7-1) unstable; urgency=medium
+
+ [ Ondřej Nový ]
+ * d/changelog: Remove trailing whitespaces
+
+ [ Niels Thykier ]
+ * Declare the explicit requirement for (fake)root.
+ The shadow package currently requires (fake)root to produce the debs
+ due to static non-root:root ownerships in the debs.
+
+ [ Bryan Quigley ]
+ * Remove cron daily backup.
+ It was added in 2010 (#554170) as a split off from a previous cron
+ job. I haven't seen an argument for why it's useful to keep.
+ Depending on when a mistake occurs in one of the files it backups
+ it will provide variable recovery time of 0 to 24hours.
+
+ [ Balint Reczey ]
+ * Add Salsa CI configuration
+ * Drop Lintian override for su, it is not shipped in login anymore
+ * Stop shipping and honoring /etc/securetty
+ (Closes: #731656, #830255, #879903, #920764, #771675, #917893, #607073)
+ * Migrate to dh from cdbs
+ * Ship some missing man files
+ * Fix checking upstream tarball's OpenPGP signature
+ * New upstream version 4.7
+ * Refresh patches
+ * Run autopkgtest in Salsa CI when it exists
+ * debian/NEWS: Fix version of latest entry
+ * Clean up /etc/securetty properly on upgrade
+
+ -- Balint Reczey <rbalint@ubuntu.com> Mon, 08 Jul 2019 15:58:46 +0200
+
+shadow (1:4.5-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload (greetings from DebCamp/DebConf Taiwan).
+ * Stop shipping su and break old util-linux version. (See #833256)
+ - Breaks on old version to force lockstep upgrade, which should
+ really be a depends-new-version (and can be switched around
+ together with util-linux once the transition is finished).
+ Using Breaks/Depends the 'wrong' way around is to make apt
+ unpack things in the 'right' order (avoiding any gaps where
+ /bin/su is not available during the upgrade phase).
+
+ -- Andreas Henriksson <andreas@fatal.se> Fri, 27 Jul 2018 10:07:37 +0200
+
+shadow (1:4.5-1) unstable; urgency=medium
+
+ * New upstream version 4.5
+ - Fix buffer overflow if NULL line is present in db (CVE-2017-12424)
+ (Closes: #756630)
+ - Make the sp_lstchg shadow field reproducible (Closes: #857803)
+ - Fix regression in useradd not loading defaults properly.
+ (Closes: #865762)
+ * Refresh patches
+ * Drop patches manipulating su argument concatenation:
+ * Cut redundant information from Debian-specific README files
+ * Revert adding pts/0 and pts/1 to securetty.
+ Adding pts/* defeats the purpose of securetty. Let containers add it if
+ needed as described in #830255.
+ * Use my @ubuntu.com email address in Maintainer field
+
+ -- Balint Reczey <rbalint@ubuntu.com> Wed, 27 Sep 2017 12:45:23 -0400
+
+shadow (1:4.4-4.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Reset pid_child only if waitpid was successful.
+ This is a regression fix for CVE-2017-2616. If su receives a signal like
+ SIGTERM, it is not propagated to the child. (Closes: #862806)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Wed, 17 May 2017 13:59:59 +0200
+
+shadow (1:4.4-4) unstable; urgency=high
+
+ * su: properly clear child PID (CVE-2017-2616) (Closes: #855943)
+
+ -- Balint Reczey <balint@balintreczey.hu> Fri, 24 Feb 2017 01:33:25 +0100
+
+shadow (1:4.4-3) unstable; urgency=medium
+
+ [ Balint Reczey ]
+ * Clean up stale locks on boot (Closes: #478771)
+ * Sync motd handling with sshd.
+ Using patch from Ubuntu (Closes: #757148)
+
+ [ Stéphane Graber ]
+ * Add missing /etc/{subgid|subuid} in postinst
+
+ -- Balint Reczey <balint@balintreczey.hu> Wed, 25 Jan 2017 16:43:09 +0100
+
+shadow (1:4.4-2) unstable; urgency=medium
+
+ [ Balint Reczey ]
+ * Update homepage to new upstream
+ * Always use /bin/sh shell in the build (Closes: #817971)
+ * Replace user´s -> user's to make login.def file valid ASCII
+ (Closes: #850338)
+ * Update patch naming docmentation
+ * Fix typos in German man pages (Closes: #734609)
+ * Send 1000_configure_userns patch upstream
+ * Add call to pam_keyinit for login pam service.
+ This module is linux-any only, so copy what openssh has already done and
+ remove the call at build time for other architectures.
+ The call to this module is needed to have proper per-session kernel
+ keyring. (Closes: #734671)
+ * Add pts/0 and pts/1 to securetty (Closes: #830255)
+ * Add ttySAC* to securetty (Closes: #824391)
+ * Add ttySC[4-9] to securetty (Closes: #768020)
+
+ [ Laurent Bigonville ]
+ * Move pam_selinux open call higher in the session stack (Closes: #747313)
+
+ [ Christian Perrier ]
+ * Fix typos in login.pam (thanks to Jakub Wilk for reporting)
+ (Closes: #747115)
+ * Include groupmems(8) in the passwd package (Closes: #663117)
+
+ [ Frans Spiesschaert ]
+ * Dutch translation update (Closes: #772470)
+
+ [ Trần Ngọc Quân ]
+ * Update Vietnamese translation (Closes: #777107)
+
+ [ Miroslav Kuře ]
+ * Updated Czech translation. (Closes: #759113)
+
+ [ Holger Wansing ]
+ * Update for German man pages
+
+ [ Thomas Blein ]
+ * French manpage translation (Closes: #805182)
+
+ [ Lars Bahner ]
+ * Fix some spelling issues in the Norwegian translation (Closes: #800553)
+
+ -- Balint Reczey <balint@balintreczey.hu> Thu, 19 Jan 2017 18:22:49 +0100
+
+shadow (1:4.4-1) unstable; urgency=medium
+
+ [ Christian Perrier ]
+ * Imported Upstream version 4.2
+ * Debian patch: Fix typo in su.1.xml
+ * Configure userns
+ * Vietnamese translation update
+ * French translation update (Closes: #725793)
+ * German translation update
+ * Update NEWS file
+ * Issue a warning if no manpages have been generated
+ * Regenerate PO files
+ * Regenerate manpages PO files
+ * Imported Upstream version 4.2.1
+
+ [ Serge Hallyn ]
+ * Import new upstream
+ * Patch changes:
+ - Update 501_commonio_group_shadow to work with upstream changes
+ - Update 1010_vietnamese_translation
+ - Drop userns patches which are now all upstream
+
+ [ Balint Reczey ]
+ * Update debian/watch to use GitHub releases
+ * Imported Upstream version 4.4
+ - Fix incorrect integer handling (CVE-2016-6252) (Closes: #832170)
+ * Disable Vietnamese translation patch because it does not apply cleanly
+ * Bump debhelper compat level to 10
+ * ACK NMU by Samuel Thibault dropping the patch which is integrated
+ upstream
+ * Stop build-depending on build-essential dpkg-dev
+ * Tag login package as essential properly
+ * Adopt the package under the Shadow Team's umbrella (Closes: #801707)
+
+ -- Balint Reczey <balint@balintreczey.hu> Fri, 06 Jan 2017 16:19:18 +0100
+
+shadow (1:4.2-3.3) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Apply upstream patch to fix build on hurd-i386. (Closes: #750480)
+
+ -- Samuel Thibault <sthibault@debian.org> Tue, 22 Nov 2016 18:31:28 +0000
+
+shadow (1:4.2-3.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Use HTTPS in Vcs-Git.
+ * Stop using hardening-wrapper and instead use /usr/share/dpkg/buildflags.mk.
+ Closes: #836653
+
+ -- Mattia Rizzolo <mattia@debian.org> Sun, 18 Sep 2016 14:42:16 +0000
+
+shadow (1:4.2-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix error handling in busy user detection. (Closes: #778287)
+
+ -- Bastian Blank <bastian.blank@credativ.de> Thu, 12 Nov 2015 14:33:33 +0000
+
+shadow (1:4.2-3) unstable; urgency=low
+
+ * Enforce hardened builds to workaround cdbs sometimes not building
+ with hardening flags as in 1:4.2-2+b1
+ Thanks to Dr. Markus Waldeck for pointing the issue and Simon Ruderich
+ For providing a working patch.
+
+ -- Christian Perrier <bubulle@debian.org> Wed, 19 Nov 2014 21:59:09 +0100
+
+shadow (1:4.2-2) unstable; urgency=low
+
+ * The "Soumaintrain" release
+ * The "Rigotte de Condrieu" release was 4.2-1
+ * Upload to unstable
+ * Last upload integrates the use of dh_autoreconf which has the same
+ effect then Eric Dorland's patch in 1:4.1.5.1-1.1 NMU to drop the
+ use of automake1.9. Closes: #724434
+
+ [ Samuel Thibault ]
+ * Enable the login package on hurd-any, but without /bin/login, still provided
+ by the hurd package. Closes: #737805.
+ This fix was accidentally forgotten in 1:4.2-1
+
+ [ Josh Triplett ]
+ * use the new pam_exec functionality from pam 1.1.8-1 to implement the
+ dynamic motd, rather than using /run/motd.dynamic from initscripts.
+ This will allow initscripts to drop /etc/init.d/motd.
+ Closes: #741129
+
+ [ Laurent Bigonville ]
+ * Enable libaudit support. Closes: #745774
+
+ [ Trần Ngọc Quân ]
+ * Vietnamese translation update.
+
+ [ Christian Perrier ]
+ * Add a lintian override for newuidmap and newgidmap setuid binaries
+ * Add upstream signing key as debian/upstream-signing-key.asc
+ * Check upstream signing key in debian/watch
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 04 May 2014 19:39:07 +0200
+
+shadow (1:4.2-1) experimental; urgency=low
+
+ [ Nicolas FRANCOIS (Nekral) ]
+ * New upstream release. Fixes:
+ - Invalid free() in su fixed by using strdup(). Thanks to Serge
+ Hallyn for the patch. Closes: #691459
+ - Kill the child process group, rather than just the
+ immediate child; this is needed now that su no
+ longer starts a controlling terminal when not running an
+ interactive shell. Thanks to Colin Watson for the patch.
+ Closes: #713979
+ - German manpages translation update. Closes: #679152
+ - Improve login.defs (typographic errors and better format).
+ Closes: #685415
+ - Russian translation update. Closes: #718356
+ - Do not assume random() is limited by RAND_MAX. Closes: #677275
+ - Support C libraries with unknown fields in struct passwd.
+ Closes: #675824
+ - su: child cleanup is performed before terminating PAM sessions. This
+ avoids anoying "...terminated" messages when PAM module send signal to
+ su during session close. Closes: #670132
+ - vipw/vigr is checking arguments provided after options. Closes: #677812
+ - Updated Japanese translation. Closes: #720004
+ - vipw: Fix error reporting when editor fails. Closes: #688260
+ * Moved to git: replace Vcs-Git in place of Vcs-Svn and adapt
+ Vcs-Browser.
+ * Add pam_loginuid to login PAM settings. Closes: #677441
+ * passwd.install: add new subuid.5 and subgid.5 manpages
+ * debian/rules, debian/control, debian/uidmap.install: create new uidmap
+ package containing the new setuid-root binaries newuidmap and newgidmap
+ Set uidmap as priority optional.
+ * debian/login.su.pam: Enable pam_limits by default. Closes: #705301
+ * debian/rules: Set default editor to sensible-editor for vipw.
+ Closes: #688252
+
+ [ Micah Anderson ]
+ * added debian/patches/userns to enable use of subuids, plus some bugfix
+ patches on top of them, patches from Eric Biederman, pulled from
+ Ubuntu. Closes: #739981
+ * Allow LXC devices (lxc/console, lxc/tty[1234]) in securetty.linux
+ * Update documentation of UMASK: Explain that USERGROUPS_ENAB will modify
+ this default for UPGs. (Closes: #583971)
+ * login.postinst: install a default /etc/subuid and /etc/subgid
+ * fix installation of setuid/setgid/newuidmap/newgid/map man pages
+
+ [ Laurent Bigonville ]
+ * Switch to dpkg-source 3.0 (quilt) format
+ * Add build-dependency against bison
+ * Call dh-autoreconf since we need to regenerate all the autofoo files
+
+ [ Philippe Grégoire ]
+ * Fix 1000_configure_userns to avoid dropping a needed #endif
+ Closes: #744877
+
+ [ Christian Perrier ]
+ * Bump Standards to 3.9.5 (checked)
+ * Use 'set -e' in postinst scripts and not in thei shebang line
+ * Explicitly point to GPL-2 document in debian/copyright
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 22 Apr 2014 09:01:42 +0200
+
+shadow (1:4.1.5.1-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+
+ [ Eric Dorland ]
+ * Switch to automake1.11. (Closes: #724434)
+
+ [ Samuel Thibault ]
+ * Enable the login package on hurd-any, but without /bin/login, still provided
+ by the hurd package. Closes: #737805.
+
+ -- Samuel Thibault <sthibault@debian.org> Sun, 16 Mar 2014 20:58:24 +0100
+
+shadow (1:4.1.5.1-1) unstable; urgency=low
+
+ * The "Gruyère" release.
+
+ [ Nicolas FRANCOIS (Nekral) ]
+ * New upstream release:
+ - login: log into utmp(x) but not into wtmp (this is done by pam_lastlog).
+ Log to utmp(x) was broken by the fix for #605329. Closes: 659957
+ - userdel: Fix segfault when userdel removes the user's group.
+ Closes: #660406
+ - manpages: .so links point to paths relative to the top-level manual
+ hierarchy. Closes: #661025
+ - useradd(8): Return code 13 no more documented. Closes: #661802
+ * debian/patches/series, debian/patches/428_grpck_add_prune_option: Removed.
+ The -p option was not documented and was meant to fix consequences of a
+ bug now fixed more than 10 years ago.
+ * debian/shadowconfig.sh: Display issues, but dot not prompt interactively
+ to fix passwd/group/shadow/gshadow issues. Closes: #638263
+ * debian/control: Bump Standards-Version to 3.9.3 (no changes needed).
+ * debian/rules: Simplify setting of hardening flags. cdbs 0.4.103 needed to
+ get hardened version of shadow-utils. Restore previous requirement on
+ dpkg-dev to 1.13.5.
+
+ [ Christian Perrier ]
+ * Complete Polish translation of logoutd(8). Closes: #668880
+ * German translation of manpages completed. Closes: #673234
+
+ [ Roger Leigh ]
+ * Separation of static and dynamic motd components in login PAM module
+ Closes: #669698
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Fri, 25 May 2012 15:42:01 +0200
+
+shadow (1:4.1.5-1) unstable; urgency=low
+
+ * The "Charolais" release.
+
+ [ Nicolas FRANCOIS (Nekral) ]
+ * New upstream release:
+ - su: Fix possible tty hijacking by dropping the controlling terminal when
+ executing a command (CVE-2005-4890). Closes: #628843
+ - userdel: Check the existence of the user's mail spool before trying to
+ remove it. If it does not exist, a warning is issued, but no failure.
+ Closes: #617295
+ - userdel: Do not remove a group with the same name as the user
+ (usergroup) if this group isn't the user's primary group.
+ Closes: #584868
+ - su: Close the PAM session as root (fix issues with pam_mount and
+ pam_systemd). Closes: #580434
+ - Fix several typos in manpages. Thanks to Simon Brandmair.
+ Closes: #628776
+ - userdel error message has been clarified when the user is still
+ executing processes (it used to complain that the user is logged in).
+ Closes: #603315
+ - passwd(1) references chpasswd(8). Closes: #609117
+ - Spaces have been added between options and arguments in the Russian
+ manpages. Closes: #606159
+ - Fix handling of numerical dates in usermod -e. Closes: #621810
+ - usermod: When the shadow file exists but there are no shadow entries, an
+ entry is created if the password is changed and passwd requires a shadow
+ entry, or if aging features are used (-e or -f). Closes: 632461
+ - Added diagnosis for lock failures. Closes: #616167
+ - grpck/pwck: NIS entries were dropped by -s (sort). Closes: #622765
+ - login does not log into utmp(x) and wtmp. This is already done by
+ pam_lastlog. Closes: #605329
+ - groupmod: document that /etc/passwd can be modified by groupmod -g.
+ Closes: #647308
+ - Updated patches
+ + debian/patches/008_login_log_failure_in_FTMP
+ + debian/patches/401_cppw_src.dpatch
+ + debian/patches/402_cppw_selinux
+ + debian/patches/428_grpck_add_prune_option
+ + debian/patches/429_login_FAILLOG_ENAB
+ + debian/patches/463_login_delay_obeys_to_PAM
+ + debian/patches/501_commonio_group_shadow
+ + debian/patches/505_useradd_recommend_adduser
+ + debian/patches/506_relaxed_usernames
+ + debian/patches/508_nologin_in_usr_sbin
+ + debian/patches/523_su_arguments_are_concatenated
+ + debian/patches/523_su_arguments_are_no_more_concatenated_by_default
+ + debian/patches/542_useradd-O_option
+ + debian/patches/900_testsuite_groupmems
+ - debian/patches/008_su_get_PAM_username: Removed, feature supported
+ upstream.
+ - debian/patches/300_CVE-2011-0721: Removed, applied upstream.
+ - Upstream translation updates from Debian BTS:
+ + Brazilian Portuguese. Closes: #622834
+ + Catalan. Closes: #627526, #657763
+ + Danish. Closes: #621330, #657514
+ + German. Closes: #622908, #656503
+ + French. Closes: #623608, #657621
+ + Japanese. Closes: #620978
+ + Kazakh. Closes: #620930
+ + Portuguese. Closes: #623722, #656686
+ + Russian. Closes: #622106, #655194
+ + Spanish (Closes: #630618)
+ + Swedish. Closes: #621126
+ + Simplified Chinese. Closes: #655858
+ - Upstream manpages translation updates from Debian BTS:
+ + French. Closes: #630250, #657622
+ + German. Closes: #628777
+ + Simplified Chinese. Closes: #602264, #655858
+ + Danish added. Closes: #657516
+ + Russian. Closes: #657710
+ * debian/control: mark passwd as 'Multi-Arch: foreign'. Closes: #614321
+ * debian/securetty.linux: Add IBM pSeries console ports. Closes: #597661
+ * debian/securetty.linux: Add serial Console for MIPS Swarm.
+ (http://lists.debian.org/debian-release/2011/02/msg00320.html)
+ * debian/securetty.linux: Add s390/s390x ports ttysclp0. Closes: #647469
+ * debian/securetty.linux: Fixed typo: ttyama -> ttyAMA. Closes: #544184
+ * debian/rules, debian/man.insert, debian/man.insert.sed: Bug #507673 has
+ been closed. It is no more needed to patch the generated manpages. This
+ also fix failures to build twice is a row. Closes: #636047
+ * debian/patches/401_cppw_src.dpatch: Replace progname by Prog. Rename
+ create_backup_file to create_copy. The lock functions do not set errno.
+ Do not report the error string on cppwexit.
+ * debian/patches/401_cppw_src.dpatch, debian/patches/402_cppw_selinux:
+ Synchronize with coding style.
+ * debian/patches/401_cppw_src.dpatch: Detect as well too many and too
+ few arguments.
+ * debian/patches/506_relaxed_usernames: Really check if the user/group
+ name starts with a dash. Also forbid names starting with '+' or '~'.
+ Document the naming policy in useradd.8 / groupadd.8.
+ * debian/patches/506_relaxed_usernames: Also forbid names containing a
+ comma.
+ * debian/patches/901_testsuite_gcov: Do not revert the locale when testing
+ with gcov to avoid coverage false negatives. This does not impact the
+ debian binary package, only the test package.
+ * debian/control: Add Build-Depends on libsemanage1-dev [linux-any]
+ * debian/rules: Do not hard-code CFLAGS and LDFLAGS. Build with all
+ hardening flags set. Closes: #657010
+ * debian/control: depends on dpkg-dev (>= 1.16.1~) for including
+ /usr/share/dpkg/buildflags.mk
+ * debian/control: Standards-Version: bumped to 3.9.2. No changes.
+ * debian/login.defs: Set the default encryption method to SHA512.
+ Closes: #657717
+
+ [ Christian Perrier ]
+ * Use "linux-any" instead of a negated list of architectures in
+ Build-Depends. Closes: #634465
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Sun, 12 Feb 2012 22:27:03 +0100
+
+shadow (1:4.1.4.2+svn3283-3) unstable; urgency=high
+
+ * The "Trappe d'Echourgnac" release.
+ * Fix typo in /etc/pam.d/login comments. Thanks to Ferenc Wagner.
+ Closes: #598717
+ * debian/patches/300_CVE-2011-0721: Fix insufficient input sanitation
+ leading to possible user or group creation in NIS environments.
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Sun, 13 Feb 2011 23:20:05 +0100
+
+shadow (1:4.1.4.2+svn3283-2) unstable; urgency=low
+
+ * The "Bleu du Vercors-Sassenage" release.
+ * Fix backup command line in cron.daily script. Closes: #596283
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Sat, 25 Sep 2010 23:38:39 +0200
+
+shadow (1:4.1.4.2+svn3283-1) unstable; urgency=low
+
+ * The "Bleu de Gex" release.
+ * New upstream unreleased version:
+ - Fix formatting of the login.defs.5 manpage. Closes: #542804
+ - Updated Czech translation. Closes: #548407
+ - Updated Vietnamese translation. Closes: #548065
+ - Remove patches applied upstream:
+ + debian/patches/008_su_no_sanitize_env
+ + debian/patches/483_su_fakelogin_wrong_arg0
+ - Updated patches:
+ + debian/patches/523_su_arguments_are_no_more_concatenated_by_default
+ + debian/patches/542_useradd-O_option
+ - Added support for dates already specified as a number of days since
+ Epoch in useradd, usermod and chage. Closes: #562221
+ - This also allows, in the chage interactive mode, to specify -1 as the
+ expiration date to disable it. Closes: #573018
+ - Fixed parsing of gshadow. This fix password support in newgrp.
+ Closes: #569899
+ - pwck and grpck stop sorting at the first line which begins with a '+'.
+ This will avoid messing up with NIS entries. Closes: #567836
+ - Fix interruption of su, newgrp, vipw with Ctrl-Z. Closes: 530231
+ - mail checking is no more mentioned in login(1) since it is done by PAM.
+ Closes: #470059
+ - The -e (and -c and -m) option was restored in chpasswd (which still uses
+ PAM by default). Closes: #539354
+ - Kazakh translation updated. Closes: #586994
+ - Fixed comma splice in chsh(1). Closes: #582166
+ * debian/securetty.kfreebsd: On GNU/kFreeBSD the serial devices have change
+ from /dev/cuuaX to /dev/ttydX in kernel 6.0. Closes: #544523
+ * debian/securetty.linux: Added support for embedded ARM AMBA PL011 ports
+ (e.g. emulated by QEMU). Closes: #544184
+ * debian/control: Removed Martin Quinson from the Uploaders, on his request.
+ * debian/login.defs: Improve documentation of USERGROUPS_ENAB.
+ Closes: #572687
+ * debian/rules: Added DEB_AUTO_UPDATE_LIBTOOL = pre. Closes: #560633
+ * debian/login.pam: return back to mostly "requisite" for the pam_securetty
+ PAM module, but ignore PAM_USER_UNKNOWN. This will avoid root from
+ entering a password, and will also avoid user enumeration attacks.
+ Mis-typed root login are not protected, only root can be blamed for
+ mis-typing and entering a password on an insecure line. Users willing to
+ protect against mis-typed root login can use "requisite", but will be
+ vulnerable to user enumeration attacks on insecure lines, and should use
+ pam 1.1.0-4 at least. Closes: #574082, #531341
+ * debian/passwd.cron.daily: Handle the backups of the user and group
+ databases so that it can be removed from the standard daily cron job.
+ Closes: #554170
+ * debian/login.defs: Updated description of UMASK (used by pam_umask).
+ * debian/securetty.linux: Reorganize and synchronize with
+ Documentation/devices.txt. This added a lot of TTYs, including the
+ ttyPZ0..3. Closes: #576203
+ * debian/rules, debian/man.insert, debian/man.insert.sed: Hack to avoid bug
+ 507673, causing missing apostrophes in the manpages generated by
+ docbook-xsl (see debian bug 507673).
+ * debian/control: Standards-Version: bumped to 3.8.4. No changes.
+ * debian/passwd.lintian-overrides: Remove old entries relevant for
+ passwd.config.
+ * debian/control: Do not repeat the Section and Priority fields for the
+ binary packages.
+ * debian/rules: Disable new features: --without-acl --without-attr
+ --without-tcb
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Sun, 29 Aug 2010 21:14:12 +0200
+
+shadow (1:4.1.4.2-1) unstable; urgency=low
+
+ * The "Tome des Bauges" release.
+ * New upstream release:
+ - Updated Basque translation. Closes: #535553
+ - Fixed some translatable string. Closes: #525726
+ - Fixed documentation of the short option for --mindays in passwd(1).
+ Closes: #531983
+ - Added support for shells being shell scripts without a shebang.
+ Closes: #479406
+ * debian/securetty.linux: Added Embedded Renesas SuperH ports.
+ Closes: #535927
+ * debian/securetty.linux: Added ttyS2 to ttyS5. Some extension card provide
+ more serial ports, but that should be sufficient until there is a support
+ for regular expressions. Closes: #534244
+ * debian/patches/506_relaxed_usernames: Fixed typo. groupadd(8) should
+ document the restriction on groupnames, not usernames.
+ * debian/login.pam: pam_securetty included as a required module instead of
+ requisite to avoid leak of user name information. Closes: #531341
+ * debian/shadowconfig.sh: Do not run shadowoff() and shadowon() in subshell.
+ This also remove a dependency on bash (even though /bin/sh would have been
+ sufficient). Thanks to Luk for spotting this.
+ * debian/login.dirs, debian/passwd.dirs: Removed usr/share/linda/overrides.
+ * debian/control: Standards-Version: bumped to 3.8.2. No changes.
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Fri, 24 Jul 2009 05:03:23 +0200
+
+shadow (1:4.1.4.1-1) unstable; urgency=low
+
+ * The "Chevrotin" release.
+ * New upstream release:
+ - Fixed typo in the French vipw usage. Closes: #528486
+ - Fixed failure to delete an user (wrongly detected as still logged in).
+ On Linux, userdel checks if the user has some running processes.
+ Otherwise, it still check with utmp if the user is logged in and check
+ if the process indicated by utmp is still running to avoid
+ mis-detection of logged-in users. Closes: #528060
+ - newgrp and sg return the exit status of their child. Closes: #529897
+ - Updated patches:
+ + debian/patches/506_relaxed_usernames
+ * debian/login.defs: Removed comment about MD5_CRYPT. MD5_CRYPT_ENAB is no
+ more used by chpasswd and newusers.
+ * debian/patches/*: Updated patches to the new quilt and shadow versions.
+ * debian/patches/506_relaxed_usernames: usernames with a slash will not only
+ break one option. Move to the discussion on the usernames.
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Fri, 22 May 2009 16:29:58 +0200
+
+shadow (1:4.1.4-3) unstable; urgency=low
+
+ * The "Banonet" release.
+ * debian/login.pam: Really ignore pam_selinux.so failures when the module do
+ not exist. Closes: #528673
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Sat, 16 May 2009 12:11:15 +0200
+
+shadow (1:4.1.4-2) unstable; urgency=low
+
+ * The "Banon" release.
+ * debian/rules, debian/passwd.linda-overrides, debian/login.linda-overrides:
+ Removed linda-overrides files.
+ * debian/rules: Install the lintian overrides with dh_lintian.
+ * debian/control: Raised dependency on debhelper (>= 6.0.7~) for dh_lintian.
+ * debian/compat: Raised to 6
+ * debian/login.postinst: Install /var/log/faillog during initial installs
+ only. This permits admins to disable failed logins recording.
+ Closes: #488420
+ * debian/login.pam: Ignore pam_selinux.so failures when the module do not
+ exist. A required pam_selinux.so makes login fail when the module does not
+ exist (e.g. on architecture without SE Linux support). Closes: #528673
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Thu, 14 May 2009 22:36:34 +0200
+
+shadow (1:4.1.4-1) unstable; urgency=low
+
+ * The "Chambérat" release.
+ * New upstream release:
+ - Updated Czech translation. Closes: #525658
+ - Updated French translation.
+ - Updated German translation. Closes: #527131
+ - Updated Japanese translation.
+ - Updated Korean translation. Closes: #524719
+ - Updated Portuguese translation. Closes: #525531
+ - Updated Russian translation. Closes: #527636
+ - passwd: Report password properties changes if the password is not
+ actually changed. Closes: #525967
+ - Fixed lastlog. 4.1.3 only reported empty logs. Closes: #524873
+ - Remove patches applied upstream:
+ + debian/patches/403_fix_PATH-MAX_hurd
+ - Updated patches:
+ + debian/patches/008_login_log_failure_in_FTMP
+ + debian/patches/401_cppw_src.dpatch
+ + debian/patches/429_login_FAILLOG_ENAB
+ + debian/patches/463_login_delay_obeys_to_PAM
+ - pwck and grpck warn when the shadowed and non-shadowed files contain
+ an entry for the same user or group and the non shadowed file password
+ field is not 'x'. Closes: #501869
+ Other topics raised in this bug were fixed previously.
+ * debian/securetty.linux: Added Freescale i.MX ports. Closes: #527095
+ * debian/securetty.linux: Added some local X displays. See LP #104957. But
+ only a limited set of displays were added.
+ * debian/rules, debian/passwd.newusers.pam, debian/passwd.chpasswd.pam:
+ Install the newusers and chpasswd PAM service configuration files.
+ newusers and chpasswd now use PAM to update the passwords.
+ Closes: #525153
+ * debian/login.pam: Updated support for SELinux. Closes: #527106
+ * debian/control: Standards-Version bumped to 3.8.1. No changes.
+ * debian/control: Changed gnome-doc-utils dependency to >= 0.4.3 (instead
+ of >= 0.4.3-1)
+ * debian/control: Added ${misc:Depends} to the passwd's Depends and login's
+ Pre-Depends.
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Mon, 11 May 2009 00:25:11 +0200
+
+shadow (1:4.1.3.1-1) unstable; urgency=low
+
+ * The "Le Puant Macéré" release.
+ Sorry for the lack of cheese name in 1:4.1.3-1. At least this one should
+ count for two.
+ * New upstream release:
+ - Fixed wrong parsing of octal permissions. This impacted login (permission
+ of the TTYs, UMASK, ERASECHAR or KILLCHAR) in release 1:4.1.3-1 only.
+ Closes: #524139, #524258
+ - removed debian/patches/200_bin_nb: Applied upstream.
+ - removed debian/patches/302_vim_selinux_support: Applied upstream.
+ - Fixed login segfault when called without a username. Closes: #524193
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Wed, 15 Apr 2009 23:59:06 +0200
+
+shadow (1:4.1.3-1) unstable; urgency=low
+
+ * The "" release.
+ * New upstream release:
+ - Fix possible login DOS. Closes: #505071
+ - Fix gpasswd and username with 32 characters. Closes: #508785
+ - Fix typo in nologin(8). Closes: #513252
+ - Remove old features from passwd(1). Closes: #499578
+ - login: Close passwd while waiting for exit. Closes: #474318
+ - login: fix the count of login failures. Closes: #498788
+ - Remove patches applied upstream (4.1.2):
+ + debian/patches/434_login_stop_checking_args_after--
+ + debian/patches/491_configure.in_friendly_selinux_detection
+ + debian/patches/487_passwd_chauthtok_failed_message
+ + debian/patches/406_vipw_resume_properly
+ + debian/patches/414_remove-unwise-advices
+ + debian/patches/300_SHA_crypt_method
+ + debian/patches/301_manpages_missing_options
+ + debian/patches/415_login_put-echoctl-back
+ + debian/patches/431_su_uid_0_not_root
+ - Remove patches applied upstream (4.1.3):
+ + debian/patches/200_Czech_binary_translation
+ + debian/patches/302_remove_non_translated_polish_manpages
+ + debian/patches/494_passwd_lock-no_account_lock
+ + debian/patches/200_Czech_binary_translation
+ + debian/patches/494_passwd_lock-no_account_lock
+ - Updated patches:
+ + debian/patches/431_su_uid_0_not_root
+ + debian/patches/463_login_delay_obeys_to_PAM
+ + debian/patches/008_su_get_PAM_username
+ + debian/patches/302_vim_selinux_support
+ + debian/patches/008_login_log_failure_in_FTMP
+ + debian/patches/429_login_FAILLOG_ENAB
+ + debian/patches/428_grpck_add_prune_option
+ + debian/patches/401_cppw_src.dpatch
+ + debian/patches/506_relaxed_usernames
+ + debian/patches/463_login_delay_obeys_to_PAM
+ + debian/patches/542_useradd-O_option
+ - Translations
+ + New Kazakh translation. Closes: #517809
+ + Updated Slovak translation. Closes: #523621
+ * debian/patches/454_userdel_no_MAIL_FILE: Patch removed. If MAIL_FILE is
+ defined, the mailbox is not in MAIL_SPOOL_DIR.
+ * debian/patches/506_relaxed_usernames: Use an extra paragraph for the note
+ on username with a '/'.
+ * debian/patches/504_undef_USE_PAM.nolibpam,
+ debian/patches/504_undef_USE_PAM.dpatch, debian/rules: Patches removed.
+ Replaced by the --disable-account-tools-setuid configure option.
+ * debian/control: changed the "Replaces" on manpages-zh to a versioned
+ one on 1.5.1-1
+ * debian/control: drop all Replaces on manpages-* when the version is
+ prior to Etch
+ * Versioned Replaces on manpages-tr (<<1..5) as conflicting manpages have
+ been removed in that package
+ * debian/patches/402_cppw_selinux: Add SE Linux support for cppw / cpgr.
+ * debian/patches/900_testsuite_groupmems, debian/patches/901_testsuite_gcov:
+ Added patches, only intended to be used in the testsuite.
+ * debian/securetty.linux: Added ttyPZ0, ttyPZ1, ttyPZ2, ttyPZ3 for PowerMac
+ machines. Closes: #511739
+ * debian/patches/579_chowntty_debug: Removed. With the fix for 505071 and
+ 505271, this additional debug information is no more needed.
+ * debian/patches/507_32char_grnames.dpatch: Patch removed. Replaced by the
+ --with-group-name-max-length=32 configure option.
+ * debian/patches/592_manpages_typos: No more needed.
+ * debian/patches/401_cppw_src.dpatch: Call fsync before closing the backup
+ file descriptor. This ensures that the backup file will be available on
+ the storage medium.
+ * debian/securetty.linux: Removed devfs devices. Usage of devfs enabled
+ kernel in Lenny was not supported. Closes: #511961
+ * debian/login.defs: Added /usr/local/games/ to ENV_PATH (for regular
+ users). Closes: #487379
+ * debian/patches/200_bin_nb: Updated Norwegian Bokmål translation.
+ Closes: #523798
+ * debian/login.defs: Update GID_MIN to 1000. This is more consistent with
+ UID_MIN, SYS_GID_MAX and the usage of the same ID for UID and GIDs. This
+ should also be more consistent with the assignment of system group IDs
+ starting from GID_MAX and going down.
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Tue, 14 Apr 2009 23:33:22 +0200
+
+shadow (1:4.1.1-4) unstable; urgency=low
+
+ * The "Rocamadour" release.
+ * debian/patches/302_remove_non_translated_polish_manpages,
+ debian/patches/series: Remove the (untranslated) su.1 and login.1 polish
+ translation. Closes: #491460
+ * debian/patches/506_relaxed_usernames: Document that the naming policy is
+ also used for the group names policy. Differentiate the Debian
+ constraints in a separate paragraph. Added documentation of the username
+ length restriction. Closes: #493230
+ * debian/patches/507_32char_grnames.dpatch: Update the documentation of the
+ group length restriction. Closes: #493230
+ * debian/login.pam: Replace the "multiple" option of pam_selinux by
+ "select_context". This requires PAM 1.0.1, but is commented.
+ Closes: #493181
+ * debian/patches/494_passwd_lock-no_account_lock: Fix typo (missing
+ parenthesis). Thanks to Moray Allan.
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Fri, 15 Aug 2008 12:36:15 -0300
+
+shadow (1:4.1.1-3) unstable; urgency=low
+
+ * The "Morbier" release.
+ * debian/patches/302_vim_selinux_support: Add SE Linux support to vipw/vigr.
+ Thanks to Russell Coker. Closes: #491907
+ * debian/patches/494_passwd_lock-no_account_lock: Restore the previous
+ behavior of passwd -l (which changed in #389183): only lock the user's
+ password, not the user's account. Also explicitly document the
+ differences. This restores a behavior common with the previous versions of
+ passwd and with other implementations. Closes: #492307
+ * debian/patches/494_passwd_lock-no_account_lock: Add a reference to
+ usermod(8) in passwd(1). Closes: #412234
+ * debian/login.pam: Enforce a fail delay to avoid login brute-force.
+ Closes: #443322
+ * debian/login.pam: Indicate why the pam_securetty module is used as a
+ requisite module and mentions the possible drawbacks. Closes: #482352
+ * debian/login.defs: Do not mention the libpam-umask package (the module is
+ now provided by libpam-modules). Closes: #492410
+ * debian/patches/200_Czech_binary_translation: Updated Czech translation.
+ Thanks to Miroslav Kure. Closes: #482823
+ * debian/securetty.linux: Add the PA-RISC mux ports (ttyB0, ttyB1).
+ Closes: #488515
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Sat, 26 Jul 2008 10:12:46 +0200
+
+shadow (1:4.1.1-2) unstable; urgency=low
+
+ * The "Brie de Meaux" and "Brie de Melun" double cheese release.
+ * Backported patches from upstream
+ - debian/patches/300_SHA_crypt_method:
+ This fixes bugs in the SHA encryption method that force the salt to have
+ 8 bytes (instead of a random length between 8 and 16 bytes), and force
+ the number of SHA rounds to be equal to the lowest limit (at least 1000
+ SHA rounds).
+ - debian/patches/301_manpages_missing_options:
+ This add the missing documentation of options in useradd, groupadd, and
+ newusers.
+ * Tag patches already applied upstream
+ - debian/patches/487_passwd_chauthtok_failed_message
+ - debian/patches/406_vipw_resume_properly
+ - debian/patches/008_su_get_PAM_username
+ - debian/patches/491_configure.in_friendly_selinux_detection
+ - debian/patches/434_login_stop_checking_args_after--
+ - debian/patches/414_remove-unwise-advices
+ * Added description of new variables in /etc/login.defs:
+ - SYS_UID_MIN, SYS_UID_MAX, SYS_GID_MIN, SYS_GID_MAX
+ - ENCRYPT_METHOD
+ - SHA_CRYPT_MIN_ROUNDS, SHA_CRYPT_MAX_ROUNDS
+ * New Debian Policy:
+ - debian/control: Bump Standards-Version to 3.8.0 (no changes needed).
+ - debian/README.source: Document how to patch the upstream source, how to
+ use quilt, how to package a new upstream and how to use the testsuite.
+ * debian/patches/505_useradd_recommend_adduser: Fix typo: userdel is used to
+ remove an user, not to add one. Closes: #475795
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Fri, 13 Jun 2008 01:27:16 +0200
+
+shadow (1:4.1.1-1) unstable; urgency=low
+
+ * New upstream release. This closes the following bugs:
+ - Fix errors when gpasswd is called without a gshadow file.
+ Closes: #467236, #467488
+ - Fix newgrp segfault when the primary group is not listed in /etc/groups.
+ Closes: #461670
+ - Fix infinite loop in usermod when two groups have the same name.
+ Closes: #470745
+ - Make SE Linux tests more strict, when the real UID is 0 SE Linux checks
+ will be performed. Closes: #472575
+ - Option --password added to groupadd / groupmod (like useradd / usermod).
+ Closes: #445484
+ - Remove patches applied upstream:
+ + debian/patches/451_login_PATH
+ + debian/patches/462_warn_to_edit_shadow
+ + debian/patches/467_useradd_-r_LSB
+ + debian/patches/466_fflush-prompt
+ + debian/patches/480_getopt_args_reorder
+ + debian/patches/496_login_init_session
+ + debian/patches/408_passwd_check_arguments
+ + debian/patches/412_lastlog_-u_numerical_range
+ + debian/patches/407_adduser_disable_PUG_with-n
+ - Updated patches:
+ + debian/patches/504_undef_USE_PAM.nolibpam
+ $(LIBCRYPT) $(LIBSKEY) $(LIBMD) are no more included in libshadow.la.
+ Avoid link to unneeded libraries (spotted by dpkg-shlibdeps).
+ + debian/patches/501_commonio_group_shadow
+ + debian/patches/429_login_FAILLOG_ENAB
+ + debian/patches/542_useradd-O_option
+ + debian/patches/401_cppw_src.dpatch
+ + debian/patches/428_grpck_add_prune_option
+ - Updated translations:
+ + Basque. Closes: #473555
+ + German. Closes: #473646
+ + Italian. Closes: #472951
+ + Korean. Closes: #471935
+ + Portuguese. Closes: #472244
+ + Russian. Closes: #472506
+ + Slovak. Closes: #471802
+ + Turkish. Closes: #473279
+ * debian/watch: Add a watch file for shadow.
+ * debian/rules, debian/recode_manpages.sh: Do not recode the manpages.
+ Keep them in UTF-8.
+ * debian/rules, debian/control: login (>= 970502-1) was already provided
+ by login in Hamm. libpam-modules (>= 0.72-5) was already provided by
+ libpam-modules in Potato. libpam-runtime (>= 0.76-14) was already provided
+ by libpam-runtime in Sarge (now oldstable). Simplify the dependencies.
+ * debian/control: Move the dependency on libpam-modules from Depends to
+ Pre-Depends. The login package is Essential, and without libpam-modules,
+ login or su are not functional. Thanks to Steve Langasek for pointing this
+ out.
+ * debian/control: There's no need for a dependency on login (now that it is
+ unversionned; see above) in the passwd package.
+ * debian/control: The passwd's Replaces on manpages-de can be versionned
+ again. The su(1) manpage was removed from manpages-de.
+ * debian/securetty.linux: Added ttyUSB0, ttyUSB1, ttyUSB2, and MPC5200
+ serial ports (ttyPSC0, ttyPSC1, ttyPSC2, ttyPSC3, ttyPSC4, ttyPSC5).
+ Closes: #461374
+ * debian/control: Change XS-X-Vcs-Svn to Vcs-Svn. Update the link to the
+ new repository layout. Add a Vcs-Browser field.
+ * debian/control: Added Homepage field.
+ * debian/passwd.postrm: Removed (was empty).
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Thu, 03 Apr 2008 01:31:10 +0200
+
+shadow (1:4.1.0-2) unstable; urgency=low
+
+ * The "Bleu des Causses" release
+ * Unversion the conflict with manpages-de for login, as it also provides
+ a German manpage for su(1). Closes: #460508
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 13 Jan 2008 18:52:46 +0100
+
+shadow (1:4.1.0-1) unstable; urgency=low
+
+ [ Nicolas FRANCOIS (Nekral) ]
+ * The "Bleu d'Auvergne" release
+ * New upstream release. This closes the following bugs:
+ - usermod: Make usermod options independent of the argument order.
+ Closes: #451518
+ - login: Improve logging of login when the user's passwd entry could not
+ be retrieved. Closes: #451521
+ - Updated Russian translations. Thanks to Yuri Kozlov <kozlov.y@gmail.com>.
+ Closes: #452291, #452296
+ - Section of newgrp fixed in the gshadow manpage. Closes: #454485
+ - Remove patches applied upstream:
+ + 468_duplicate_passwd_struct_before_usage
+ + 495_salt_stack_smash
+ + 397_non_numerical_identifier
+ + 405_su_no_pam_end_before_exec
+ + 493_pwck_no_SHADOWPWD
+ + 497_newgrp_primary_group
+ + 409_man_generate_from_PO
+ + 410_newgrp_man_mention_sg
+ + 411_chpasswd_document_no_pam
+ + 494_passwd_lock
+ + 417_passwd_warndays
+ - Updated patches:
+ + debian/patches/504_undef_USE_PAM.dpatch
+ MD5_CRYPT_ENAB is back in login.defs to define the default crypt
+ algorithm. It is tagged as deprecated and ENCRYPT_METHOD is
+ recommended instead. New algorithms are also available.
+ Closes: #447747
+ * Debian packaging fixes:
+ - debian/rules: compile with -W -Wall
+ - debian/rules: large files are now supported by configure. Remove
+ -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 from
+ CFLAGS.
+ - 479_chowntty_debug was debian specific. Renamed to 579_chowntty_debug
+ - Remove (not applied patch) 419_time_structures.dpatch. All its chunks
+ are already applied upstream (with some differences), except one chunk
+ which comes from 008_login_log_failure_in_FTMP. Fix
+ 008_login_log_failure_in_FTMP. This should fix some bugs causing invalid
+ faillog entries on 64 bit architectures with 32 bit compatibility.
+ - debian/securetty.linux: Add ttyS1. Better comments for the ttyS and xen
+ consoles. Add a note for the devfs consoles. They are no more needed for
+ most users. Closes: #454584
+
+ [ Christian Perrier ]
+ * debian/control
+ - Updated to Standards: 3.7.3.0 (checked, no change needed)
+
+ -- Christian Perrier <bubulle@debian.org> Sat, 12 Jan 2008 20:40:02 +0100
+
+shadow (1:4.0.18.2-1) unstable; urgency=low
+
+ * The "Vacherin" release.
+ * New upstream version. This closes the following bugs:
+ - gpasswd manpage improvements. Closes: #445480
+ - support for the resource limits "max nice value", and "max real time
+ priority" was added upstream. Note that it does not impact Debian
+ because shadow is compiled with PAM support on Debian. Closes: #442334
+ - Finnish translation. Closes: #448233
+ - Remove patches applied upstream:
+ + 438_su_GNU_origin
+ + 433_shadow.5-typo_312430
+ + 402-clarify_usermod_usage
+ + 498_man_nonpam_undefined
+ + 301_passwd-typo-383216
+ + 101_ja
+ + 102_de-fix-sorry
+ + 404_man-fr
+ + 103_man-de
+ + 104_man-sv
+ + 302_su_man_mention_sg
+ + 303_wording_fixes_in_su_man
+ + 201_fix_man_su_fr
+ + 202_it_man_uses_gettext
+ + 413_no-sorry-in-passwd
+ + 416_man-fr_newgrp
+ - The upstream tarball is now built with gettext 0.16. Remove
+ + 499_gettext-0.15
+ - Significant changes to patches
+ + 397_non_numerical_identifier
+ usermod.c was already patched upstream; useradd.c was not.
+ + 467_useradd_-r_LSB
+ Simplifications. There should be no changes.
+ + 409_man_generate_from_PO
+ The Italian PO was added upstream. Patch the Italian Makefile.
+ * Upstream bugs not fixed in upstream's CVS:
+ - debian/securetty.linux: Added xvc0 and hvc0 consoles to the Linux's
+ consoles where root login is allowed. (triggered by #423389)
+ - debian/patches/417_passwd_warndays: Correct the long option name for
+ "-w" from "warning" to "warndays". Closes: #445481
+ * Upstream translation updates:
+ - debian/patches/105_zh_CN: Update Simplified Chinese translation
+ Closes: #431287
+ - debian/patches/416_man-fr_newgrp: Fix a typo in the French newgrp man
+ page. Thanks to Nicolas Aupetit. Closes: #439090
+ * Debian packaging fixes:
+ - Fix typos in useradd default file. Thanks to Justin Pryzby.
+ - Fix typos in cppw.8. Thanks to Justin Pryzby. Closes: #447757
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 30 Oct 2007 06:11:40 +0100
+
+shadow (1:4.0.18.1-11) unstable; urgency=low
+
+ * The "Baguette laonnaise" release
+ * Reactivate ECHOCTL in login after it disappeared in 4.0.8. Closes: #429758
+ * Disable audit support. This fixes a failure to build from source.
+ Reported by Sesse
+
+ -- Christian Perrier <bubulle@debian.org> Fri, 22 Jun 2007 19:33:01 +0200
+
+shadow (1:4.0.18.1-10) unstable; urgency=low
+
+ * The "Trappe d'Échourgnac" release
+ * Upstream bugs fixed in upstream's CVS:
+ - 302_su_man_mention_sg: mention sg(1) in su man page. Closes: #396690
+ - 303_wording_fixes_in_su_man: minor wording fixes in su(1)
+ * Upstream bugs not fixed in upstream's CVS:
+ - 410_newgrp_man_mention_sg: mention sg(1) in newgrp man page
+ - 201_fix_man_su_fr: fix translation error in french translation for su(1)
+ - 202_it_man_uses_gettext: switch italian manpages to gettext. This will
+ fix missing paragraphs in translated manpages. Closes: #425689
+ - 411_chpasswd_document_no_pam: Document that chgpasswd do not use PAM to
+ update the passwords. Thus functionnalities provided by PAM modules are
+ not present in chgpasswd (e.g. writting the old password in
+ /etc/security/opasswd). Closes: #396726
+ - 412_lastlog_-u_numerical_range: allow numerical UID and range of IDs in
+ argument to lastog -u. Closes: #259494
+ - 413_no-sorry-in-passwd: No longer print 'Sorry' when something
+ fails in passwd, su and newgrp. Closes: #384164
+ - 414_remove-unwise-advices: Remove not so wise advices about choosing
+ passwords. Closes: #386818
+ - 494_passwd_lock: set the account expiry field when using
+ "passwd -l/-u". Closes: #389183
+ * Debian packaging fixes:
+ - 506_relaxed_usernames: do not allow spaces in usernames. This was at
+ least broken with username starting with a space or tabulation (the user
+ can be added but not removed). Closes: #400683
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 17 Jun 2007 07:38:14 +0200
+
+shadow (1:4.0.18.1-9) unstable; urgency=low
+
+ * The "Etorki" release
+ * Fix debian/copyright and mention that the upstream site
+ is "temporarily?) no longer available. Closes: #423956
+ Add the various copyrights from Marek, Andrzej and Tomasz
+ (deduced from the ChangeLog entries as upstream doesn't have an
+ explicit copyright file)
+ * Debian packaging fixes:
+ The 3 following entries fix the FTBFS when built twice in a row.
+ Closes: #424257
+ - 498_man_nonpam_undefined: Do not patch the generated man/it/Makefile.in.
+ - 409_man_generate_from_PO: Generate the translated man pages at build
+ time.
+ - 200_regenerate_manpages: No more needed.
+
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 15 May 2007 23:40:13 +0200
+
+shadow (1:4.0.18.1-8) unstable; urgency=low
+
+ * The "Feuille de Dreux" release
+ * New upstream version
+ * Debian packaging fixes:
+ - 505_useradd_recommend_adduser: Recommend using adduser and deluser for
+ regular operations. Closes: #406046
+ - Versioned Build-Depends on gnome-doc-utils as we use the "-l"
+ switch of xml2po. Closes: #390110
+ - Remove conflicts for packages that are only in Debian releases prior
+ to sarge:
+ - passwd: shadow-passwd, pam-apps, suidregister (<< 0.50), debconf (<< 0.5)
+ - login: shadow-login, pam-apps, secure-su, suidregister (<< 0.50)
+ - Remove all debconf configuration. This is now done in D-I and is
+ no longer useful on regular systems. Closes: #386529
+ - Remove Replaces for packages that are only in Debian releases prior
+ - passwd: manpages (<=1.15-2), manpages-pl (<= 20020406-1)
+ - login: shadow-login, shadow-passwd, shellutils (<< 2.0-2), manpages-pl (<= 20020406-1)
+ - Remove unneeded Build-Depends: bzip2, file, texinfo, libpam-runtime
+ - /etc/default/useradd: Mentions the creation of primary user groups is
+ neither -n nor -g are specified. See also 407_adduser_disable_PUG_with-n
+ - no longer include /usr/bin/X11 in defaults PATH variable. Closes: #395890
+ - set debhelper compatibility to 5 through debian/compat
+ - ignore a false positive lintian warning about
+ possible-missing-colon-in-closes in line 668 of the changelog
+ * Upstream bugs not yet fixed in upstream releases or CVS:
+ - 493_pwck_no_SHADOWPWD: SHADOWPWD no more exist.
+ pwck do not detect missing users in /etc/shadow.
+ - 466_fflush-prompt: Fix compilation error.
+ One call to yes_or_no was forgotten because it was in
+ commented code (which is now enabled).
+ - 406_vipw_resume_properly: Resume correctly after ^Z
+ Thanks to Dean Gaudet for the patch and report. Closes: #414542
+ - 497_newgrp_primary_group: Do not request a password when a user uses
+ newgrp to switch to her primary group. Closes: #396691
+ - 407_adduser_disable_PUG_with-n: Add option -n to useradd to disable the
+ creation of primary user groups. Closes: #416835
+ - 408_passwd_check_arguments: Check the passwd arguments and fail with the
+ usage message if there are more than one non option arguments (i.e.
+ usernames). Closes: #410268
+ * Upstream bugs fixed in upstream releases or CVS:
+ - 497_non_numerical_identifier moved as 397_non_numerical_identifier
+ because upstream applied it
+
+ -- Christian Perrier <bubulle@debian.org> Mon, 07 May 2007 14:53:13 +0200
+
+shadow (1:4.0.18.1-7) unstable; urgency=low
+
+ * The "Pélardon" release
+ * Debian packaging fixes:
+ - debian/recode_manpages.sh: Recode the Swedish manpages to ISO-8859-1.
+ Closes: #403210
+ - 200_regenerate_manpages: Manually generate the man pages. This fixes the
+ formatting of some pages (e.g. passwd.5); permits to propagate the Debian
+ changes to the translated manpages; and to benefit from the fixes in the
+ Swedish manpages (see 104_man-sv).
+ * Upstream bugs fixed upstream:
+ - 104_man-sv: Fix Swedish manpages's PO encoding (some characters were
+ converted twice to UTF-8).
+ * Upstream bugs or fixes not yet fixed in upstream releases or CVS:
+ - 405_su_no_pam_end_before_exec: Avoid terminating the PAM library in the
+ forked child. This is done later in the parent after closing the PAM
+ session. With pam_krb5, this allow users to reuse the cached credential
+ in the forked shell. Closes: #412061
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 27 Feb 2007 06:51:44 +0100
+
+shadow (1:4.0.18.1-6) unstable; urgency=low
+
+ * The "Vieux Lille" release
+ * Upstream translation updates:
+ - debian/patches/404_man-fr: Fix the French translation of
+ passwd.1. Closes: #395537
+ * Upstream bugs or fixes not yet fixed in upstream releases or CVS:
+ - 403_fix_PATH-MAX_hurd: fixed glibc error on Hurd by not freeing f
+ unconditionnally. Thanks to Michael banck for the patch fix
+ Closes: #402002
+ * Upstream bugs fixed upstream:
+ - 103_man-de: early German translation of manpages. Updates
+ passwd manpage. Closes: #378899
+
+ -- Christian Perrier <bubulle@debian.org> Thu, 7 Dec 2006 19:10:50 +0100
+
+shadow (1:4.0.18.1-5) unstable; urgency=high
+
+ * The "Chaource" release
+ * Debconf translation updates.
+ - Wolof.
+ * Debian packaging fixes:
+ - 401_cppw_src.dpatch:
+ Fix cppw, which copied to /etc/passwd even with the -s switch.
+ Closes: #394182
+
+ -- Christian Perrier <bubulle@debian.org> Sat, 21 Oct 2006 23:33:20 +0200
+
+shadow (1:4.0.18.1-4) unstable; urgency=low
+
+ * The "Brocciu" release
+ * Debconf translation updates. Closes: #392193
+ - Brazilian Portuguese.
+ - Finnish.
+ - Hindi.
+ - Hungarian.
+ - Indonesian.
+ - Norwegian Bokmål.
+ - Slovak.
+ - Turkish.
+ - Vietnamese.
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 17 Oct 2006 22:52:54 +0200
+
+shadow (1:4.0.18.1-3) unstable; urgency=low
+
+ * The "Gris de Lille" release
+ * Debian packaging fixes:
+ - debian/control: Use XS-X-Vcs-Svn: field
+ - debian/login.pam: add (commented) SELinux enabling entry
+ to prepare the system for SELinux. Closes: #387480
+ * Upstream translation updates:
+ - debian/patches/102_de-fix-sorry: Fix the translation of "Sorry" in
+ German. Closes: #383045
+ * Debconf translation updates:
+ - Spanish. Closes: #383812
+ - Hebrew. Closes: #387635
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 17 Sep 2006 08:54:22 +0200
+
+shadow (1:4.0.18.1-2) unstable; urgency=low
+
+ * The "Picodon" release
+ * Upstream translation updates:
+ - debian/patches/101_ja: Japanese. Closes: #381873
+ * Debconf translation updates:
+ - Spanish. Closes: #383812
+ * Upstream bugs fixed in upstream releases or CVS:
+ - debian/patches/301_passwd-typo-383216: fix a typo in passwd.1
+ Closes: #383216
+ * Upstream bugs not yet fixed in upstream releases or CVS:
+ - build with new gettext 0.15. This requires building with automake 1.9
+ and a change in po/Makefile.in.in: 499_gettext-0.15. Closes: #384631
+
+ -- Christian Perrier <bubulle@debian.org> Fri, 25 Aug 2006 19:12:25 +0200
+
+shadow (1:4.0.18.1-1) unstable; urgency=low
+
+ * The "Laguiole" release
+ * New upstream version.
+ * Upstream bugs not yet fixed in upstream releases or CVS:
+ - 497_non_numerical_identifier: In useradd and usermod, only numerical
+ group identifiers were supported.
+ Closes: #381394, #381399, #381404, #381408, #381448
+ - 498_man_nonpam_undefined: Fix a build failure.
+ * Debian specific fixes:
+ - 496_login_init_session: only start a new session if we are init.
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> Fri, 4 Aug 2006 18:50:53 +0200
+
+shadow (1:4.0.18-1) unstable; urgency=low
+
+ * The "Selles sur Cher" release
+ * New upstream version. This closes the following bugs:
+ - Fix the usermod's -a option. It should not take an
+ argument, -a it uses the -G argument. Closes: #380645
+ - Galician translation. Closes: #378793
+ - Basque translation. Closes: #378794
+ - Russian translation. Closes: #378911
+ * Debian packaging fixes:
+ - login.defs: do not mention GETPASS_ASTERISKS since it is no more used.
+ Thanks to Mike Frysinger for noticing it.
+ - 506_relaxed_usernames: Fix the regular expression of the accepted user
+ name in the useradd man page. Closes: #377844
+ - Add Nicolas FRANCOIS to the Uploaders.
+ - Remove the NEWS entry for version 1:4.0.17-1. It was meant to warn
+ testing's users and is not meant for Etch users.
+ - manpages-it 0.3.4-3 do not collides with passwd anymore. Update the
+ Replaces field accordingly.
+ * Debconf translation updates:
+ - Japanese translation updated. Closes: #379954
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 16 Jul 2006 11:41:24 +0200
+
+shadow (1:4.0.17-2) unstable; urgency=low
+
+ * The "La Marseillaise 2006" release
+ * Upstream bugs not yet fixed in upstream releases or CVS:
+ - 495_salt_stack_smash: chpasswd/chgpasswd does not break if compiled
+ with SSP. Closes: #377825
+ - 496_login_init_session: Make login initialize a session so that
+ ^C and ^Z work when used while booting with "init=/bin/login"
+ Closes: #374547
+
+ -- Christian Perrier <bubulle@debian.org> Fri, 14 Jul 2006 13:05:53 +0200
+
+shadow (1:4.0.17-1) unstable; urgency=low
+
+ * The "Sainte-maure de Touraine" release
+ * New upstream version. This closes the following bugs:
+ - Russian translation. Closes: #374998
+ - Khmer translation. Closes: #375065
+ - Nepali translation. Closes: #375485
+ - Korean translation. Closes: #375243
+ - Vietnamese. Closes: #375086
+ * Debian specific fixes:
+ - 503_shadowconfig.8: fix a typo in the French manpage (README.debian
+ instead of README.Debian). Thanks to Mohammed Adnène Trojette.
+ - 508_nologin_in_usr_sbin: keep nologin in /usr/sbin.
+ * Debian packaging fixes:
+ - passwd.postinst: Modified call to shadowconfig as "install" is not
+ a documented argument to postinst. Thanks to Justin Pryzby for
+ spotting that one and proposing a fix. Closes: #374457
+ - passwd.templates: use "for internal use" as template for untranslatable
+ templates which will save some lintian warnings with future
+ versions of lintian
+ * Debconf translation updates:
+ - Lituanian translation updated. Closes: #374313
+ - Dutch translation updated. Closes: #377003
+ * Upstream bugs fixed upstream:
+ - debian/patches/301_useradd-375040: create the mail spool files during
+ user creation when CREATE_MAIL_SPOOL=yes. Closes: #375040
+ Thanks to Stephen Gran for helping out with the correct patch.
+
+ -- Christian Perrier <bubulle@debian.org> Wed, 12 Jul 2006 22:55:13 +0200
+
+shadow (1:4.0.16-2) unstable; urgency=low
+
+ * The "Valençay" release
+ * Upstream bugs or fixes not yet fixed in upstream releases or CVS:
+ - 403_fix_PATH-MAX_hurd: fix FTBFS on Hurd. Thanks to Michael Banck
+ for the fix. Closes: #372155
+
+ -- Christian Perrier <bubulle@debian.org> Sat, 10 Jun 2006 15:31:12 +0200
+
+shadow (1:4.0.16-1) unstable; urgency=low
+
+ * The "Cabécou" release
+ * New upstream release
+ * Added build dependency on gnome-doc-utils so that xml2po is available
+ for building
+ * Debian specific fixes:
+ - 504_undef_USE_PAM.dpatch: do not use PAM for chgpasswd
+ Closes: #369439
+ - debian/rules, debian/passwd.install: cleanup
+ The limits.5 man page is no more installed by upstream. (It wasn't
+ neither on Debian).
+ - no more distribute the login.access.5 and porttime.5 man pages.
+ (not used when login uses PAM)
+ - 592_manpages_typos: add another fix for the XML man pages (useradd.8)
+ It is needed by the current version of docbook-xsl in Debian (1.68).
+ Closes: #369806
+ * Debian packaging fixes:
+ - ignore some lintian warnings about templates writing style for
+ untranslatable templates
+ * Read /etc/default/locale in su PAM config file
+ Closes: #369391
+
+ -- Christian Perrier <bubulle@debian.org> Wed, 7 Jun 2006 20:23:36 +0200
+
+shadow (1:4.0.15-10) unstable; urgency=high
+
+ * The "Emmental" release
+ * Upstream bugs or fixes fixed in upstream releases or CVS:
+ - Fix for CERT VU#312962
+ + check the return value of fchown before fchmod when the mailbox is
+ created by useradd
+ + The patch also uses login.defs::MAIL_DIR instead of /var/mail.
+ * Reading /etc/default/locale is back in login PAM config file
+ after brainstorming with Steve. Closes: #368102
+ * Debian specific fixes
+ - Patches cleanup:
+ + remove 004_configure.in.dpatch (not used since a long time).
+ + rename 404_undef_USE_PAM.nolibpam and 404_undef_USE_PAM.dpatch to
+ 504_xxx as they are debian specific.
+ + rename 407_32char_grnames.dpatch to 507_xxx for the same reason.
+ + rename 432_login_cancel_timout_after_authentication to 332_xxx,
+ because it is already applied upstream.
+ + Likewise for 461_keep_sticky_bit_for_dirs, 486_chgpasswd.8 and
+ 492_correct_exit_status_for_run_commands
+
+ -- Christian Perrier <bubulle@debian.org> Thu, 18 May 2006 01:44:56 -0500
+
+shadow (1:4.0.15-9) unstable; urgency=low
+
+ * The "Coulommiers" release
+ * Debian specific fixes
+ - 506_relaxed_usernames: better wording of the explanations about
+ the constraints on usernames in Debian. Closes: #364909
+
+ -- Christian Perrier <bubulle@debian.org> Wed, 17 May 2006 21:23:36 -0500
+
+shadow (1:4.0.15-8) unstable; urgency=low
+
+ * The "Tomme de Savoie" release
+ * Upstream bugs or fixes not yet fixed in upstream releases or CVS:
+ - 487_passwd_chauthtok_failed_message: Add an informative message
+ When password couldn't be changed in passwd when chauthok fails
+ Closes: #352137
+ * Debian packaging fixes:
+ - stop reading /etc/default/locale in addition to /etc/environment
+ in the PAM configuration file for login and su
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 16 May 2006 20:09:17 -0500
+
+shadow (1:4.0.15-7) unstable; urgency=low
+
+ * The "Abondance" release
+ * Fix UNRELEASED in the NEWS.Debian file. Closes: #364752
+ * debian/control
+ - Updated to Standards: 3.7.2.0 (checked, no change needed: we were
+ already compliant)
+ * Debconf translation updates:
+ - Dutch translation updated. Closes: #363690
+ * Debian specific fixes:
+ - 406_good_name: Better description of what usernames are recommanded or
+ allowed in useradd(8). Thanks to Reuben Thomas. Closes: #364909
+ * Upstream bugs or fixes fixed in upstream releases or CVS:
+ - 303_usermod_-a_in_man. Document -a in usermod man page. Closes: #365091
+ - 402-clarify_usermod_usage. Move -a close to -G. Closes: #363033
+ - Programs translation updates or fixes:
+ - 351_nl-359913: Fix typo in Dutch translation. Closes: #359913
+ - 352_id-361186: Complete Indonesian translation. Closes: #361186, #361187
+ - 353_hu-362749: New Hungarian translation. Closes: #362749
+
+ -- Christian Perrier <bubulle@debian.org> Thu, 4 May 2006 20:53:35 +0200
+
+shadow (1:4.0.15-6) unstable; urgency=high
+
+ * The "Beaufort" release
+ * Debian packaging fixes:
+ - Change the Conflicts on backupninja from (<= 0.9.3-4) to (<< 0.9.3-5).
+ - Set a version Conflicts with gnunet.
+
+ -- Christian Perrier <bubulle@debian.org> Mon, 17 Apr 2006 15:18:05 +0200
+
+shadow (1:4.0.15-5) unstable; urgency=high
+
+ * The "Ossau-Iraty" release
+ * Debian packaging fixes:
+ - Add a NEWS entry for the new su behavior introduced in 1:4.0.15-2
+ - explicitely set DEB_HOST_ARCH_OS to avoid FTBFS on autobuilder now
+ that sudo doesn't pass environment variables explicitely
+
+ -- Christian Perrier <bubulle@debian.org> Sat, 15 Apr 2006 10:05:05 +0200
+
+shadow (1:4.0.15-4) unstable; urgency=high
+
+ * The "Fourme d'Ambert" release
+ * Debian packaging fixes:
+ - set a versioned Conflict with python-4suite.
+
+ -- Christian Perrier <bubulle@debian.org> Sat, 8 Apr 2006 20:11:38 +0200
+
+shadow (1:4.0.15-3) unstable; urgency=high
+
+ * The "Neufchâtel" release
+ * Debian packaging fixes:
+ - set a versioned Conflict with amaviwsd-new. Closes: #360856, #360567
+
+ -- Christian Perrier <bubulle@debian.org> Wed, 5 Apr 2006 08:50:21 +0200
+
+shadow (1:4.0.15-2) unstable; urgency=low
+
+ * The "Pavé d'Auge" release
+ * Debian packaging fixes:
+ - Only replace manpages-es << 1.55-4. Thanks to Rubén
+ - Include chgpasswd in shipped files. Really Closes: #355070
+ - parse /etc/default/locale for locale environment variables in login and
+ su default PAM configuration files. Thanks to Denis Barbier for the
+ patch. Closes: #359163
+ - su: Do not concatenate the additional arguments, and support an
+ environment variable to revert to the old Debian's su behavior.
+ Closes: #276419
+ To avoid breaking packages using the old-style way to pass
+ arguments, set Conflicts with "gnunet, amavisd-new, python-4suite,
+ backupninja (<= 0.9.3-4), echolot (<< 2.1.8-4)"
+ - 467_useradd_-r_LSB. Do not forgot to change the owner of the new home
+ directory. Closes: #360179
+ * Upstream bugs or fixes not already fixed in upstream releases or CVS:
+ - 486_chgpasswd.8: add a manpage for chgpasswd.
+ * Upstream bugs or fixes fixed in upstream releases or CVS:
+ - 492_correct_exit_status_for_run_commands: correct the exit status of su
+ when the invoked command fails. Closes: #360276
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 2 Apr 2006 12:45:49 +0200
+
+shadow (1:4.0.15-1) unstable; urgency=low
+
+ * The "Livarot" release
+ * Ack the previous changes uploaded to experimental except for #276419
+ * New upstream release
+ - chpasswd.8: Rewrite the CAVEATS section. Closes: #355010
+ - Updated translation for:
+ * Indonesian Closes: #345514, #347198
+ * Swedish Closes: #346017, #346449, #352276
+ * Slovak Closes: #346376, #349898, #352028
+ * Romanian Closes: #347755, #352712
+ * Galician Closes: #347943, #352444, #355587
+ * Italian Closes: #348339, #352345
+ * Greek Closes: #348713
+ * Russian Closes: #349193
+ * Basque Closes: #349496
+ * Catalan Closes: #353898
+ * Vietnamese Closes: #352310
+ * Italian Closes: #356610
+ - lastlog: Warn if non-option argument are provided. Closes: #349560
+ - chgpasswd: new utility. Closes: #355070
+ * Debian packaging fixes:
+ - Only replace manpages-ko << 20050219-2. Thanks to the Debian QA Group.
+ - Only replace manpages-fi << 0.2-4. Thanks to the Debian QA Group.
+ - Only replace manpages-de << 0.4-10. Thanks to Daniel Kobras
+ - Only replace manpages-es-extra << 0.8a-15. Thanks to Javier
+ Fernandez-Sanguino Peña.
+ * Upstream bugs or fixes not already fixed in upstream releases or CVS:
+ - 467_useradd_-r_LSB: add a "-r" option for adding system users
+ for LSB compatibility. Closes: #333706
+ This patch, announced in 4.0.14-7 was indeed not applied.
+ * Debconf translation updates:
+ - Punjabi translation renamed to pa.po after debian-i18n decision
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 21 Mar 2006 12:37:01 +0100
+
+shadow (1:4.0.14-9) unstable; urgency=high
+
+ * passwd.postinst: On upgrades from any prior version, chmod 600 various
+ base-config and d-i log files that might contain sensative information,
+ including in some cases, passwords. Closes: #356939
+
+ -- Christian Perrier <bubulle@debian.org> Wed, 15 Mar 2006 08:03:43 +0100
+
+shadow (1:4.0.14-8) experimental; urgency=low
+
+ * The "Salers" release
+ * Debconf translation updates:
+ - Dutch updated. Closes: #354593
+ * Debian packaging fixes:
+ - move the @include statements at the end of pam configuration files.
+ This is of no important with the Debian default common-* files
+ but would lead to unexpected results if the local admin adds
+ "sufficient" lines in these common-* files
+ - make sure debian/recode_manpages.sh fails if a page can't be recoded.
+ - more bulletproof string checks in passwd.config (related to: #355268).
+ - Do not use type-handling for the dependency on libselinux1-dev.
+ Use an explicit list of arches. Thanks to Guillem Jover.
+ - su: Do not concatenate the additional arguments, and support an
+ environment variable to revert to the old Debian's su behavior.
+ Closes: #276419
+ * Upstream bugs fixed in upstream CVS:
+ - make passwd.1 synopsis consistent with other man pages
+ Closes: #352136
+
+ -- Christian Perrier <bubulle@debian.org> Mon, 6 Mar 2006 06:54:42 +0100
+
+shadow (1:4.0.14-7) unstable; urgency=low
+
+ * The "Carré d'Aurillac" release (let's stay in Cantal)
+ * Upstream bugs or fixes not already fixed in upstream releases or CVS:
+ - 467_useradd_-r_LSB: add a "-r" option for adding system users
+ for LSB compatibility. Closes: #333706
+ - 493_selinux_no_proc:
+ Only check selinux_check_passwd_access on SELinux enabled system.
+ This fix issues in passwd, chage, chfn and chsh when /proc is not
+ mounted. Closes: #352494
+ * Debian packaging fixes:
+ - Stop replacing manpages-it (login only, newusers is still conflicting on
+ passwd) and manpages-hu as new releases removed the conflicting manpages
+ - passwd.config:
+ Better POSIX compliance and avoid failure if root password is set to '!'
+ Thanks to Vagrant Cascadian for reporting and providing the patch
+ Closes: #353813
+
+ -- Christian Perrier <bubulle@debian.org> Wed, 22 Feb 2006 06:58:47 +0100
+
+shadow (1:4.0.14-6) unstable; urgency=low
+
+ * The "Cantal" ("Vieux" flavour) release
+ * Upstream bugs or fixes not already fixed in upstream releases or CVS:
+ - 491_configure.in_friendly_selinux_detection:
+ Detect that selinux is not present without failing.
+ - 492_manpages_typos:
+ Fix a typo in the passwd manpage "TheUNIX". Closes: #352135
+
+ -- Christian Perrier <bubulle@debian.org> Fri, 10 Feb 2006 16:50:59 +0100
+
+shadow (1:4.0.14-5) unstable; urgency=low
+
+ * The "Roquefort" release
+ * Upstream bugs or fixes not already fixed in upstream releases or CVS:
+ - 489_useradd_allow_non_uniq_uid:
+ Allow non-unique UID when -o is specified. Closes: #351281
+ - 490_useradd_always_unlock_group_databases:
+ Always remove the lock on the group and gshadow databases.
+ CLoses: #348250
+ - 463_login_delay_obeys_to_PAM:
+ Do not hardcode pam_fail_delay and let pam_unix do its job to
+ set a delay...or not
+ CLoses: #87648
+ * Debian packaging fixes:
+ - Build with SE Linux support for Linux architectures
+ (and do not link the tools without SELinux support with the selinux
+ library: 490_link_selinux_only_when_needed)
+ Closes: #351631
+
+ -- Christian Perrier <bubulle@debian.org> Thu, 9 Feb 2006 19:04:58 +0100
+
+shadow (1:4.0.14-4) unstable; urgency=low
+
+ * The "Cancoillotte" release
+ * Debian specific fixes:
+ - recode_manpages.sh was not called after the switch to CDBS.
+ The man pages were all distributed in UTF-8
+ - Encode the (Debian) shadowconfig manpages in UTF-8 so that
+ recode_manpages.sh can be used on all manpages
+ - do not build login on The Hurd
+ Closes: #349356
+ - debian/rules:
+ additional cleanups
+ * Upstream bugs or fixes not already fixed in upstream releases or CVS:
+ - 485_shell-env-exitcodes:
+ - explicitly pass environment to shell() as 3rd argument
+ - return errno from shell()
+ - introduce E_CMD_NOTFOUND/E_CMD_NOEXEC exitcodes
+ * Debconf translation updates:
+ - Danish updated. Closes: #348571
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 15 Jan 2006 16:27:15 +0100
+
+shadow (1:4.0.14-3) unstable; urgency=low
+
+ * The "Pont-L'Évêque" release
+ * Upstream bugs or fixes not already fixed in upstream releases or CVS:
+ - 479_chowntty_debug:
+ - produce more helpful syslog message[s] when is_my_tty() fails
+ (see bug #332198).
+ - 462_warn_to_edit_shadow:
+ - warn users to edit the shadow file when using vipw or vigr
+ Closes: #62821
+ - 480_getopt_args_reorder:
+ - Allow SU options to be passed after - or the username
+ - 481_userdel_remove_remove_group:
+ - User's group was removed twice, which caused warnings
+ - 461_keep_sticky_bit_for_dirs:
+ - keep the sticky bit in the directory copied by useradd in the
+ skeleton or by usermod.
+ Closes: #296729
+ - 482_libmisc_copydir_check_return_values:
+ - check the return value of system calls in copy_tree
+ - 483_su_fakelogin_wrong_arg0:
+ - shell's name must be -su when su is faking a login shell.
+ Closes: #347747
+ - 484_su-p_preserve_PATH:
+ - -p did not preserve the PATH environment variable when su started a
+ shell (no -c).
+ Closes: #347935
+ * Debian specific fixes:
+ - debian/rules:
+ - switch to cdbs for package build
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 15 Jan 2006 15:03:56 +0100
+
+shadow (1:4.0.14-2) unstable; urgency=low
+
+ * The "Vieux brie" release
+ * Missing dependency on docbook-xml and libxml2-utils
+ Closes: #346395
+
+ -- Christian Perrier <bubulle@debian.org> Sat, 7 Jan 2006 19:08:36 +0100
+
+shadow (1:4.0.14-1) unstable; urgency=low
+
+ * The "Crottin de Chavignol" release
+ * New upstream release. This release fixes the following issues:
+ - French useradd no longer documents nonexisting -n option
+ Closes: #340578
+ - Russian translation update. Closes: #340826
+ - Fix German translation. Closes: #338373
+ - Swedish translation update. Closes: #334264
+ - Ukrainian translation update. Closes: #335381
+ - Tagalog translation update. Closes: #336649
+ - French translation update. Closes: #338410
+ - Simplified Chinese translation update. Closes: #339554
+ - Russian man pages translation update. Closes: #340828
+ * Upstream bugs not already fixed in upstream releases or CVS:
+ - 468_duplicate_passwd_struct_before_usage
+ Duplicate the passwd structures retrieved by getpwnam before calling
+ PAM. Closes: #341230
+ * Debian specific fixes:
+ - 502_fix_generated_man_pages
+ remove the occurences of ’ which is not supported by the current version
+ of docbook-xsl in Debian. Closes: #341489
+ * Debconf translation updates:
+ - Basque updated. Closes: #342102
+ - Catalan updated. Closes: #344964
+ * Debian packaging fixes:
+ - debian/rules, debian/login.files, debian/passwd.files:
+ Use dh_install instead of old dh_movefiles for moving files from
+ debian/tmp and rename {login, passwd}.files to {login,passwd}.install
+ Closes: #343534
+ - debian/rules:
+ debian/rules: stop building login for Hurd, which breaks bootstrap
+ Thanks to Michael Banck for the patch. Closes: #343473
+ - debian/passwd.config:
+ call programs using [a-z] under a C locale. Thanks Denis Barbier
+ for the patch. Closes: #343595
+ - debian/rules, debian/shells, debian/passwd.postinst:
+ Remove the /usr/share/passwd/shells files and the postinst code that
+ installed it as /etc/shells. This is now done by debianutils.
+ Closes: #342858
+ - Also remove README.shells, which should be distributed by debianutils.
+ - debian/passwd.postrm:
+ Do not remove /etc/shells on purge. Closes: #345659
+ - Fix the version of an old entry in NEWS.Debian
+ - Do not distribute the pam.d files for commands with disabled PAM support
+ (chage, chpasswd, groupadd, groupdel, groupmod, useradd, userdel,
+ usermod)
+
+ -- Christian Perrier <bubulle@debian.org> Fri, 6 Jan 2006 07:42:52 +0100
+
+shadow (1:4.0.13-7) unstable; urgency=low
+
+ * The "Chabichou" release
+ * Debian packaging fixes:
+ - debian/rules, debian/login.links, debian/passwd.links:
+ Use dh_link for setting up symlinks
+ - get rid of initial-passwd-udeb as D-I will now use its
+ own udeb (user-setup-udeb)
+ * Debconf translation updates:
+ - Portuguese updated. Closes: #338767
+ - Korean updated. Closes: #339011
+ - Ukrainian updated. Closes: #338878
+ - Galician updated. Closes: #338908
+ - German updated. Closes: #339660
+ - Romanian updated. Closes: #340097
+ * Upstream fixes which will reach next upstream version
+ - 460_vipw-quiet: vipw logs "unchanged" message to stdout
+ and offers a quiet mode. Closes: #190252
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 20 Nov 2005 16:04:54 +0100
+
+shadow (1:4.0.13-6) unstable; urgency=low
+
+ * The "Saint-Nectaire" release
+ * Debian packaging fixes:
+ - passwd.config:
+ Add "seen false" for passwd/root-password and
+ passwd/root-password-again when entered root passwords mismatch or are
+ empty. Thanks to Tollef Fog Heen for noticing.
+ * Debconf translation updates:
+ - Simplified Chinese updated. Closes: #338075
+
+ -- Christian Perrier <bubulle@debian.org> Thu, 10 Nov 2005 17:07:14 +0100
+
+shadow (1:4.0.13-5) unstable; urgency=low
+
+ * The "Fourme de Montbrison" release
+ * Debian packaging fixes:
+ - passwd.config:
+ Add a variable quoting which probably prevented users to
+ preseed a locked password for root and fix a logic error in the script
+ Working user password crypted preseeding (it probably failed earlier)
+ * Debconf translation updates:
+ - Russian updated. Closes: #337370
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 1 Nov 2005 18:10:30 +0100
+
+shadow (1:4.0.13-4) unstable; urgency=low
+
+ * The "Comté" release (let's make Nicolas happy)
+ * Debian packaging fixes:
+ - initial-passwd-udeb:
+ Grab last version of Ubuntu code to get rid of the mktemp error
+ This virtually closes bug 336321 but we keep it opened to be sure
+ that noone imagines pushing this version to testing.
+ * Upstream fixes which will reach next upstream version
+ - 467_usermod_longopts: add long options support to usermod.
+ Closes: #260149
+ - 366_fflush-prompt: fflush prompts to allow scripting. Closes: #333138
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 1 Nov 2005 13:04:09 +0100
+
+shadow (1:4.0.13-3) unstable; urgency=high
+
+ * The "Trou du Cru" release (actually, the one deserving this name is me)
+ * Urgency set to high to avoid breaking D-I for too long
+ * Debian packaging fixes:
+ - debian/control:
+ - Make initial-passwd-udeb priority extra to avoid breaking all D-I
+ images
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 30 Oct 2005 06:52:26 +0100
+
+shadow (1:4.0.13-2) unstable; urgency=low
+
+ * The "Pouligny St-Pierre" release
+ * Debian packaging fixes:
+ - debian/control:
+ - manpages-ja: versioned Replaces as the man pages have now been
+ removed
+ - manpages-ko: versioned Replaces as the man pages have now been
+ removed
+ - debian/login.defs:
+ - fix a typo.
+ - early release of a (currently not used) udeb to allow user creation
+ and password setting to be done in D-I first stage
+ Patch taken from Ubuntu. Thanks to Colin Watson for providing it.
+ - debian/copyright:
+ - for RMS clones sake, stop breaking Thy Holy GNU Copyright
+ Closes: #334870
+ * Patches to upstream man pages, not yet applied upstream:
+ - debian/patches/457_document_useradd_groupadd_nis:
+ Document that low level utilities will certainly never
+ implement strange behaviour such as adding local users or groups with
+ logins existing in external databases
+ Closes: #282184
+ - debian/patches/458_manpages_typos
+ Fix some typos in faillog.5, chage.1, chpasswd.8
+ Thanks to A Costa <agcosta@gis.net>
+ Closes: #333995, #333994, #333993
+ - debian/patches/459_better_document_useradd_-d
+ Better document, in useradd.8, that the home_dir specified
+ with -d is not created if it does not exist
+ Closes: #154996
+ * Debconf translation updates:
+ - Norwegian Bokmal updated. Closes: #316732
+ - Russian updated. Closes: #334250
+ - Tagalog updated. Closes: #335158
+ - Swedish updated. Closes: #335319
+ - Italian updated. Closes: #335856
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 25 Oct 2005 11:46:31 +0200
+
+shadow (1:4.0.13-1) unstable; urgency=low
+
+ * The "Maroilles" release
+ * New upstream version:
+ Debian bugs fixed by the new upstream version:
+ - faillog: Do not oversimplify the date of the last unsuccessful login
+ Closes: #89902
+ - login.1: also mention securetty(5). Closes: #325773
+ - chfn.1, chsh.1, groupadd.8, newusers.8, pwconv.8
+ useradd.8, userdel.8, usermod.8:
+ Improved crossreferences with other manpages
+ Closes: #300892
+ - newgrp.1:
+ Improved documentation of how group passwords work
+ Closes: #325558
+ - passwd.c:
+ The usage line is no more too terse
+ Closes: #146779
+ * Patches to upstream man pages, not yet applied upstream:
+ - debian/patches/452_doc_password_check_order:
+ Document the order for checking the password strength
+ Closes: #115380
+ * Debian packaging fixes:
+ - debian/login.su.pam:
+ - pam_wheel example moved after pam_rootok in config.
+ Also documents that with 'pam_wheel.so group=foo', root may need to
+ be in the foo group. Closes: #330630, #330855
+ - pam_env turned to be used as a session module which it is designed
+ to be. Thanks to Steinar H. Gunderson who pointed this out and
+ Steve Langasek and Andrew Suffield who suggested the right solution.
+ - debian/control:
+ - manpages-es-extra: versioned Replaces as the man pages have now been
+ removed
+ - manpages-de: versioned Replaces as the man pages have now been
+ removed
+ - manpages-hu: versioned Replaces as the man pages have now been
+ removed
+ - debian/rules:
+ - pack upstream's NEWS file into login and passwd. Closes: #331487
+ - pack login.defs and its manpages into "passwd" instead of "login"
+ package for the Hurd platform. Closes: #249372
+ - copy upstream's changelog. Closes: #331487
+ - debian/passwd.config, debian/passwd.templates:
+ - allow preseeding the root (and user) password with a MD5 hash
+ Closes: #275343, #304352
+ Thanks to Colin Watson for the Ubuntu patch
+ - the above also allows preseeding a disabled password for root
+ Closes: #304343
+ - add passwd/user-uid template, which can be preseeded to force the
+ initial user to have a certain uid.
+ Thanks to Colin Watson for the Ubuntu patch
+ - allow hyphens in username
+ Thanks to Colin Watson for the Ubuntu patch (Ubuntu #15721)
+ - debian/login.defs:
+ - document the obsoleted by PAM ENV_HZ variable. Closes: #265613
+ - better document the real use of USERGROUPS_ENAB. Closes: #282822
+ - debian/add-shell, debian/remove-shell, debian/add-shell.8,
+ debian/remove-shell.8:
+ - utilities moved to debianutils. Add a versioned "Depends" line on
+ debianutils so that passwd cannot be upgraded when the new
+ debianutils version including these utilities isn't available
+ Closes: #208514, #268656, #269573, #293171
+ * Debconf translation updates:
+ - Swedish updated. Closes: #332711
+
+ -- Christian Perrier <bubulle@debian.org> Mon, 10 Oct 2005 23:15:47 +0200
+
+shadow (1:4.0.12-6) unstable; urgency=low
+
+ * The "Reblochon" release
+ * Debian packaging fixes:
+ - debian/control:
+ More accurate Replaces lines for manpages-* packages which have
+ been fixed:
+ - manpages-ru
+ - manpages-fr
+ - manpages-fi (removed because distributes translations we don't have)
+ - manpages-pt (removed because distributes translations we don't have)
+ - manpages-tr (removed because distributes translations we don't have)
+ - manpages-zh for login
+ (removed because distributes translations we don't have)
+ - debian/login.pam, debian/login.su.pam:
+ - use "readenv=1" with pam_env so that /etc/environment settings are
+ used. Thanks to Konrad Jelen for pointing it
+ - use "pam_mail" for login and su to display the user's new mail status
+ (for login only) and set the MAIL environment variable
+ Add a comment about the need to *also* define MAIL_DIR and possibly
+ MAIL_FILE in /etc/login.defs so that userdel behaves properly
+ Closes: #330420
+ - Really add /etc/pam.d/passwd. Closes: #330870
+ - Enable pam_group by default in login. Closes: #124293
+ - debian/login.defs:
+ Better document the real and future use of MAIL_DIR and MAIL_FILE
+ * Upstream bugs not already fixed in upstream releases or CVS:
+ - 451_login_PATH: set PATH according to ENV_SUPATH and ENV_PATH for login
+ Closes: #330803
+
+ -- Christian Perrier <bubulle@debian.org> Wed, 28 Sep 2005 19:59:31 +0200
+
+shadow (1:4.0.12-5) unstable; urgency=low
+
+ * Really add /etc/pam.d/su. Closes: #330291
+
+ -- Christian Perrier <bubulle@debian.org> Wed, 28 Sep 2005 19:59:31 +0200
+
+shadow (1:4.0.12-4) unstable; urgency=low
+
+ * The "Epoisses" release
+ * Debian packaging fixes:
+ - debian/control:
+ Add a few more Replaces for broken manpages-xx packages
+ which provide random man pages for software they don't
+ provide. Closes: #330526, #330338
+ * Use dh_installpam correctly so that /etc/pam.d/su really exists
+ Closes: #330291
+ * Change section to admin because of the restructuration of the "base"
+ section by the ftpmasters
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 27 Sep 2005 07:20:44 +0200
+
+shadow (1:4.0.12-3) unstable; urgency=low
+
+ * The "Langres" release
+ * Debian packaging fixes:
+ - debian/control:
+ login now replaces manpages-de because of conflicting login.1
+ manpage. Closes: #330247
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 27 Sep 2005 07:20:44 +0200
+
+shadow (1:4.0.12-2) unstable; urgency=low
+
+ * The "Boulette d'Avesnes" release
+ * Debian packaging fixes:
+ - debian/useradd.default:
+ File added and installed as /etc/default/useradd to provide
+ "safe" defaults to useradd and, for instance, have it create users
+ with a shell. Closes: #293492
+
+ -- Christian Perrier <bubulle@debian.org> Thu, 22 Sep 2005 07:34:29 +0200
+
+shadow (1:4.0.12-1) experimental; urgency=low
+
+ * The "Munster" release
+ * New upstream release
+ * Bugs fixed by the move to upstream release:
+ - Portuguese translation update. Closes: #323069
+ * Debian packaging fixes:
+ - Fix a bug number in the previous changelog entry (s/155297/155279/).
+ - Patches for man pages reduced to only patch XML files:
+ 441, 440, 333, 421, 424, 442, 444
+ - Reduce 005 patch to only patch useradd.8.xml (other changes
+ have been fixed upstream and we assume that the man pages are
+ generated from the XML files).
+ Move the patch for the su man page (wich explain the 437_* patches)
+ to 437_su_add_GNU_options_7
+ - Disable patches now applied upstream:
+ 002, 336, 363, 443_man_it_Makefile.am, 364
+ - login.defs:
+ Entries moved to obsolete sections:
+ CLOSE_SESSIONS, LOGIN_STRING, NO_PASSWORD_CONSOLE, QMAIL_DIR
+ ULIMIT
+ - NEWS.Debian: added
+ - Ship a (currently useless) PAM configuration file for chage, useradd,
+ usermod, userdel, groupadd, groupmod, groupdel, including
+ pam_rootok.so alone
+ - use dh_installpam to install PAM configuration files
+ - start the cleanup of the unused patches list
+ - debian/passwd.config:
+ No more endless loops when the user passwords mismatch
+ Closes: #325910
+ * Upstream bugs not already fixed in upstream releases or CVS:
+ - 443_chage_exit_values: now exit with errorlevel=15 when no
+ shadow password exists (was previously 3 but upstream now uses it)
+ - 447_missing_login.defs_variables: verify the list of login.defs
+ variables used and update the getdef.c and login.def files accordingly.
+ * Debconf translation updates:
+ - German updated. Closes: #321761
+ - Romanian updated. Closes: #323575
+ - Dutch updated. Closes: #323756
+ * Upstream bugs already fixed in upstream releases or CVS:
+ - 448_enable_man: man pages are generated from the XML files.
+
+ -- Christian Perrier <bubulle@debian.org> Thu, 25 Aug 2005 08:38:53 +0200
+
+shadow (1:4.0.11.1-1) experimental; urgency=low
+
+ * New upstream release.
+ * Bugs fixed by the move to upstream release:
+ - Stop documenting about passing env variables at login prompt
+ Closes: #95213
+ - Correct reference to vi(1) man page in vipw(1)
+ Closes: #260636
+ * Debian packaging fixes:
+ - Enable the use of pam_env for su. Needed a fix which appeared
+ in upstream 4.0.6
+ Closes: #155279, #202840, #287108
+ * Debconf translation updates:
+ - Macedonian updated. Closes: #320229
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 26 Jul 2005 09:17:40 +0200
+
+shadow (1:4.0.3-39) unstable; urgency=low
+
+ * Debian packaging fixes:
+ - moved `shadowconfig on` from .preinst to .postinst
+ Closes: #319138
+ - debian/passwd.linda-overrides, debian/login.linda-overrides, debian/rules:
+ Add file permissions overrides for linda similar to those we have for lintian
+ - debian/login.lintian-overrides:
+ No more file permission overrides for login
+ - debian/passwd.config:
+ let error messages from shadowconfig (and therefore underlying
+ pwck/grpck tools which use stdout for this purpose) to reach stdout
+ instead of getting into /dev/null. This helps error diagnostics and
+ supposedly Closes: #319136
+ * Programs translation updates:
+ - French completed.
+ * Man pages translation updates:
+ - 207_id-manpages: correct Indonesian manpages so that they do not
+ fail lexgrog tests by linda
+ - 206_ko-manpages: correct Korean manpages so that they do not
+ fail lexgrog tests by linda
+ * Debconf translation updates:
+ - Arabic updated from Arabeyes repository
+
+ -- Christian Perrier <bubulle@debian.org> Fri, 22 Jul 2005 18:42:24 +0200
+
+shadow (1:4.0.3-38) unstable; urgency=low
+
+ * The "La Marseillaise" release
+ * Debian packaging fixes:
+ - changed debian/rules to generate non-versioned "Depends: login"
+ entry for hurd's "passwd" package. This allows to use native
+ Hurd's login/su, because "hurd" package seems to provide "login".
+ See: #249372 (I don't claim the bug to be dealt with though --
+ it's still not clear whether the newly built "login" package for
+ Hurd is functional).
+ - Enable shadow by default on firsttime installation even when the package
+ is not reconfigured (ie also when not called from base-config).
+ Thanks to Bastian Blank for the patch and comments
+ Closes: #316219
+ - Build shadow with debugging. Closes: #204644
+ * Programs translation updates:
+ - Hebrew translation disabled. Closes: #317805
+ - Portuguese updated. Closes: #318190
+ - Vietnamese updated. Closes: #318257
+ * Debconf translation updates:
+ - Estonian updated. Closes: #317719
+ - Hebrew updated
+ * Upstream bugs already fixed in upstream releases or CVS:
+ - Modified 356_su-stop_cont-proxy to block TSTP, TTIN, TTOU, QUIT
+ and HUP -- to do the same as in newgrp.c
+ Closes: #317747
+
+ -- Christian Perrier <bubulle@debian.org> Thu, 14 Jul 2005 10:14:23 +0200
+
+shadow (1:4.0.3-37) unstable; urgency=low
+
+ * The "Camembert" release
+ * Upstream bugs not fixed in upstream releases or CVS:
+ - 442_useradd.8-O
+ Document useradd's "-O" option
+ Closes: #304934
+ * Debconf translation updates:
+ - Indonesian updated (sent by translator to Christian Perrier)
+ - Bulgarian updated. Closes: #317327
+ - Vietnamese added (sent by translator to Christian Perrier)
+ - Wolof added (sent by translator to Christian Perrier)
+ Closes: #317532
+ * Man pages translation updates:
+ - Really remove the too outdated Korean translation of newgrp.1
+ which doesn't even mention sg
+ * Programs translation updates:
+ - debian/patches/117_id:
+ - Indonesian translation update (sent by translator to Christian Perrier)
+ * Debian packaging fixes:
+ - login.defs
+ Fix a typo (s/dmesg/mesg/), thanks to Maximilian Attens
+ Closes: #317236
+ - Fix FTBFS for GNU/Hurd and GNU/kFreeBSD
+ - securetty.kfreebsd-gnu renamed to securetty.kfreebsd
+ - securetty.netbsd-gnu renamed to securetty.netbsd
+ - securetty.gnu renamed to securetty.hurd
+ Closes: #317304
+ * Upstream bugs not fixed in upstream releases or CVS:
+ - 443_chage_exit_values
+ chage: change the exit value to 3 when chage fails because the system is
+ not shadow enabled.
+ Closes: #317012
+ - 426_grpck_group-gshadow_members_consistency
+ grpck/pwck: fix segmentation faults
+ Closes: #317366
+ - 423_su_arguments_are_concatenated, 423_su_pass_args_without_concatenation
+ revert the patch done for #276419, because it breaks pbuilder and other
+ packages. Also document the Debian su behavior.
+ su behave differently from FreeBSD or SUN; this issue will have to be
+ handled latter (re-open #276419).
+ Closes: #317264
+
+ -- Christian Perrier <bubulle@debian.org> Wed, 6 Jul 2005 03:13:37 +0300
+
+shadow (1:4.0.3-36) unstable; urgency=low
+
+ * Debian specific programs fixes:
+ - Re-enable logging and displaying failures on login when login is
+ compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
+ faillog file if it does not exist on postinst (as on Woody).
+ Closes: #192849
+ - do not localize login's syslog messages.
+ * Debian packaging fixes:
+ - Fix FTBFS with new dpkg 1.13 and use a correct dpkg-architecture
+ invocation. Closes: #314407
+ - Add a comment about potential sensitive information exposure
+ when LOG_UNKFAIL_ENAB is set in login.defs
+ Closes: #298773
+ - Remove limits.5 and limits.conf.5 man pages which do not
+ reflect the way we deal with limits in Debian
+ Closes: #288106, #244754
+ - debian/login.defs:
+ - Make SU_PATH and PATH consistent with the values used in /etc/profile
+ Closes: #286616
+ - Comment the UMASK setting which is more confusing than useful
+ as it only affects console logins. Better use pam_umask instead
+ Closes: #314539, #248150
+ - Add a comment about "appropriate" values for umask
+ Closes: #269583
+ - Correct the assertion about the variable defined by QMAIL_DIR
+ which is MAILDIR, not MAIL
+ Closes: #109279
+ - Move the PASS_MAX_LEN variable at the end of login.defs as this
+ is obsoleted when using PAM
+ Closes: #87301
+ - debian/passwd.config:
+ - Re-enable the password confirmation question at critical priority
+ Closes: #304350
+ - Do no prompt again for the login name when the two passwords don't
+ match while creating a new user
+ Closes: #245332
+ - debian/add-shell.sh, debian/remove-shell.sh, debian/shadowconfig.sh,
+ debian/passwd.config, debian/passwd.postinst:
+ - checked for bashisms, replaced "#!/bin/bash" with "#!/bin/sh",
+ Closes: #315767
+ - replaced "test XXX -a YYY" XSI:isms with "test XXX && test YYY",
+ for rationale see:
+ http://www.opengroup.org/onlinepubs/009695399/utilities/test.html
+ - replaced all unneeded "egrep"s with basic "grep"s
+ Closes: #256732
+ - debian/rules:
+ Remove the setuid bit on login
+ Closes: #298060
+ - debian/passwd.templates:
+ Templates rewrite to shorten them down a little and make them DTSG
+ compliant. Give more details about what the user's full name is used
+ for.
+ Closes: #287410
+ - Updated to Standards: 3.6.2 (checked)
+ * Debconf translation updates:
+ - Estonian added. Closes: #312471
+ - Basque updated. Closes: #314303
+ - Malagasy updated. Closes: #290842
+ - Punjabi updated. Closes: #315372
+ - Danish updated. Closes: #315378
+ - Polish updated. Closes: #315391
+ - Japanese updated. Closes: #315407
+ - Brazilian Portuguese updated. Closes: #315426
+ - Czech updated. Closes: #315429
+ - Spanish updated. Closes: #315434
+ - Lithuanian updated. Closes: #315483
+ - Galician updated. Closes: #315362
+ - Portuguese updated. Closes: #315375
+ - Simplified Chinese updated. Closes: #315567
+ - French updated
+ - Ukrainian updated. Closes: #315727
+ - Welsh updated. Closes: #315809
+ - Slovak updated. Closes: #315812
+ - Romanian updated. Closes: #315783
+ - Finnish updated. Closes: #315972
+ - Catalan updated. Closes: #316026
+ * Man pages translation updates:
+ - Remove the too outdated Korean translation of newgrp.1
+ which doesn't even mention sg
+ Closes: #261490
+ * Man pages correction for Debian specific issues:
+ - 402_usermod.8-system-users-range-286258:
+ Document the system user range from 0 to 999 in Debian
+ Closes: #286258
+ * Upstream bugs not fixed in upstream releases or CVS:
+ - 423_su_pass_args_without_concatenation
+ Thanks to Helmut Waitzmann.
+ Closes: #276419
+ * pass the argument to the shell or command without concatenation
+ before the call to exec.
+ * If no command is provided, the arguments after the username are for
+ the shell, no -c has to be appended.
+ - 008_su_ignore_SIGINT
+ * Also ignore SIGQUIT in su to avoid defeating the delay.
+ The gain in security is very minor.
+ Closes: #288827
+ - 424_pwck.8_quiet_option
+ pwck(8): document the -q option. Closes: #309408
+ - 425_lastlog_8_sparse
+ lastlog(8): Document that lastlog is a sparse file, and don't need to be
+ rotated. Closes: #219321
+ - 426_grpck_group-gshadow_members_consistency
+ * (grpck) warn for inconsistencies between members in /etc/group and gshadow
+ Closes: #75181
+ * (pwck and grpck) warn and propose a fix for entries present in the
+ regular /etc/group or /etc/passwd files and not in shadow/gshadow.
+ - 427_chage_expiry_0
+ Fix chage display in the case of null expiry fields (do not display
+ Never, but 01 Jan 1970)
+ Closes: #78961
+ * Upstream bugs already fixed in upstream releases or CVS:
+ - Corrected typos in chfn.1. Closes: #312428
+ - Corrected typos in gshadow.5. Closes: #312429
+ - Corrected typos in shadow.5. Closes: #312430
+ - Corrected typos in grpck.8. Closes: #312431
+ - Added patch (356th) for su to propagate SIGSTOP up and SIGCONT down.
+ Added similar patch (357th) for newgrp. Both changes only affect
+ operation with CLOSE_SESSION set to yes (in /etc/login.defs).
+ Closes: #314727
+ * Translation updates:
+ - debian/patches/010_more-i18ned-messages
+ - More messages are translatable. We will deal with the translation
+ updates after syncing with upstream.
+ Closes: #266281
+ - debian/patches/114_eu:
+ - Basque translation update. Closes: #314423
+ - debian/patches/132_vi.dpatch:
+ - Vietnamese translation update. Closes: #315840
+
+ -- Christian Perrier <bubulle@debian.org> Mon, 20 Jun 2005 23:37:56 +0300
+
+shadow (1:4.0.3-35) unstable; urgency=low
+
+ * Re-apply the debian/patches/036_CAN-2004-1001_passwd_check patch
+ which fixed the "Adjusted password check to fix authentication bypass"
+ security issue (CAN-2004-1001)
+ * Debian packaging fixes:
+ - Add --host to config_options on cross build. Patch from NIIBE Yutaka.
+ Closes: #283729
+ - Enable login for GNU/Hurd in rules. First patch from Robert Millan.
+ Closes: #249372
+ - Cleanup passwd debconf stuff as md5 passwords are assumed since
+ 1:4.0.3-19 and the resolution of #223664.
+ - Document the TTYPERM variable set to 0600 in the default login.defs file
+ Closes: #59439
+ - Make login and su use limits.so PAM module by default
+ (change made in sarge branch also)
+ Closes: #300720
+ - debian/rules: Add removal of config.log in the clean target
+ - debian/control:
+ - Add Martin to Uploaders
+ - Remove Sam Hartman from Uploaders. The team is now setup and this
+ does not really have a real meaning now. You're still welcome for
+ NMU's, Sam, and thanks for the good work.
+ - Switching from dpatch to quilt.
+ * Debconf translation updates:
+ - Portuguese spellchecked by Miguel Figueiredo
+ - Punjabi (Gumurkhi) added, by Amanpreet Singh Alam. Closes: #309800
+ * Man pages translation updates:
+ - German completed by reference to original man page
+ Closes: #311554
+ * Debian specific programs fixes:
+ - NONE
+ * Upstream bugs not fixed in upstream releases or CVS:
+ - 421_login.1_pishing:
+ Document how to initiate a trusted path under Linux
+ Closes: #305600
+ - set CLOSE_SESSIONS to yes in login.defs, and document why.
+ Closes: #163635
+ * Upstream bugs already fixed in upstream releases or CVS:
+ - 324_configure.in-no-debian-dir:
+ Separated from 004_configure.in : this change will not be needed when
+ syncing with upstream
+ - 325_gshadow_5_manpage:
+ Add a gshadow.5 man page, and clarifications in the newgrp and gpasswd
+ man pages.
+ Closes: #113191, #166173, #169046, #251926
+ - 326_su.1_pwconv.8-typos:
+ Correct typos in su.1 and pwconv.8 man pages.
+ Closes: #309666
+ * Translation updates:
+ - 004_configure.in, 100_LINGUAS
+ Add Vietnamese to LINGUAS. Patch for LINGUAS in configure.in moved
+ from 004_configure.in to the new 100_LINGUAS patch
+ - 101_cs: Czech updated by Miroslav Kure
+ Closes: #308658
+ - 102_de: German updated by Dennis Stampfer
+ - 104_fr: French updated by Jean-Luc Coulon
+ Closes: #308909
+ - 111_ca: Catalan completed by Guillem Jover
+ Closes: #309212
+ - 108_sv: Swedish completed with the help of Magnus Holmgren
+ Encoding issues fixed
+ Closes: #309380
+ - 109_uk: Ukrainian completed by Eugeniy Meshcheryakov
+ Closes: #308647
+ - 120_nl: Dutch updated by Bart Cornelis
+ Closes: #308662
+ - 124_ru: Russian updated by Yuri Kozlov
+ Closes: #308839
+ - 129_ru: Romanian updated by Sorin Bataruc
+ Closes: #308921
+ - 130_zh_TW: Tradition Chinese updated by Tetralet
+ Closes: #311588
+ - 131_tl: Tagalog updated by Eric Pareja
+ Closes: #310386
+ - 132_vi: Correct file used for Vietnamese tanslation
+ Closes: #306614, #307251, #307262, #308479
+
+ -- Christian Perrier <bubulle@debian.org> Fri, 3 Jun 2005 07:32:07 +0200
+
+shadow (1:4.0.3-34) unstable; urgency=low
+
+ * Debian packaging fixes:
+ - NONE
+ * Debian specific programs fixes:
+ - NONE
+ * Upstream bugs not fixed in upstream releases or CVS:
+ - 406_good_name:
+ - relaxed user/group names checking is now fixed and accepts
+ _only_ names matching '^[^-:\n][^:\n]*$'
+ Closes: #264879, #308478
+ * Upstream bugs already fixed in upstream releases or CVS:
+ - 311_high-uids.dpatch:
+ - Add large file support to lastlog and faillog. Closes: #280212
+ * Translation updates:
+ - 132_vi:
+ Vietnamese programs translation added (from upstream CVS)
+ Closes: #308479
+ - 118_it:
+ Italian programs translation updated
+ Closes: #308327
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 10 May 2005 18:24:12 +0200
+
+shadow (1:4.0.3-33) unstable; urgency=low
+
+ * The "Don't believe lintian blindly" release
+ * Urgency left to low because RC bug fixed but we leave priority
+ to sarge-targeted work
+ * Debian packaging fixes:
+ - Remove CVS id tag from the supplied login.defs file
+ Closes: #308019
+ - revert dependency on debconf which would make it required
+ Closes: #308145
+ - Add the missing add-shell, remove-shell, cppw and cpgr
+ (Debian specific) man pages
+ Closes: #162241
+ - make lintian ignore warnings about missing debconf dependency
+ in passwd.lintian-overrides
+ * Debian specific programs fixes:
+ - NONE
+ * Upstream bugs not already fixed in upstream releases or CVS:
+ - NONE
+ * Upstream bugs already fixed in upstream releases or CVS:
+ - 313_pam_access_with_preauth:
+ - allow PAM account authorization when preauthenticated
+ Closes: #193869
+ - 314_passwd.1_formatting:
+ - minor formatting fixes of passwd(1) man page
+ Closes: #304447
+ - 315_chage.1_document_expiration_removal:
+ - document expiration removal in chage(1)
+ Closes: #304542
+ - 316_vipw-race-242407:
+ - make vipw to remove /etc/{passwd|shadow|group|gshadow}.edit
+ and only then unlock
+ Closes: #242407
+ - 317_lastlog_usage_249611:
+ - Fix the lastlog usage and all the translations accordingly
+ (--user instead of --login).
+ Closes: #249611
+ - 323_passwd.1-typo:
+ - correct a typo in passwd(1) man page. Closes: #302740
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 8 May 2005 14:32:20 +0200
+
+shadow (1:4.0.3-32) unstable; urgency=low
+
+ * Switch to dpatch for upstream patches
+ This should bring more clarity to modifications
+ we make to upstream sources and help integrating
+ new upstream releases
+ Old patches have been moved quite roughly to
+ debian/patches
+ * Modified debian/rules for "Calling GNU configure properly", see
+ /usr/share/doc/autotools-dev/README.Debian.gz
+ * Debian packaging fixes:
+ - Lintian fixes:
+ - Description synopsis initial capital letters removed
+ - passwd now depends on debconf (>=0.5.00) as it uses the seen flag
+ - add login.lintian-overrides and passwd.lintian-overrides
+ files to mention setuid and setgid files and avoid lintian warning
+ about them
+ - debian/pam.d/login:
+ - Remove the confusing comment about "nullok". Closes: #207816
+ - debian/rules:
+ - Add call for dh_installdirs
+ - debian/passwd.dirs:
+ - Added
+ - debian/login.dirs:
+ - Added
+ * Debian specific programs fixes:
+ - fixed /usr/sbin/remove-shell bug with handling of non-existing/empty
+ /etc/shells file. Closes: #271565
+ * GNU config automated update: config.sub (20010907 to 20050422),
+ config.guess (20010904 to 20050422)
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 3 May 2005 11:53:12 +0200
+
+shadow (1:4.0.3-31sarge3) unstable; urgency=low
+
+ * The "please buy me a brain" release
+ * *Really* shorten down the Dutch debconf translation for the root password
+ input so that it fits in one screen. Closes: #277750
+ * man/usermod.8: *Really* document -o option in usermod
+ Closes: #302388
+ * man/fr/po4a/fr: Removed. This directory only clutters up the diff
+ and is not used during the build process
+ * man/de/passwd.1: Updated. Closes: #304757
+ * man/de/chsh.1: Updated.
+ * man/it/*: All files updated. Closes: #305095
+ * Translation updates:
+ - Portuguese (from the translation file sent for 4.0.8 upstream)
+ Closes: #305257
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 19 Apr 2005 19:31:43 +0200
+
+shadow (1:4.0.3-31sarge2) unstable; urgency=low
+
+ * Shorten down the Dutch debconf translation for the root password
+ input so that it fits in one screen. Closes: #277750
+ * man/usermod.8: Document -o option in usermod
+ Closes: #302388
+
+ -- Christian Perrier <bubulle@debian.org> Mon, 4 Apr 2005 20:28:47 +0200
+
+shadow (1:4.0.3-31sarge1) unstable; urgency=high
+
+ * Urgency set to high because of RC bug fixed. Reuploaded
+ because I messed up with the changelog first. Use this occasion
+ to start a sarge series just in case. Changes below were made
+ in the former version already.
+ * Avoid package file conflicts for woody->sarge upgrade:
+ - Add manpages-it and manpages-ko to Replaces: for login
+ - Remove manpages-de from Replaces: for login (useless)
+ - Improve readability of the Replaces line for passwd
+ Closes: #299549
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 15 Mar 2005 13:55:34 +0100
+
+shadow (1:4.0.3-31) unstable; urgency=low
+
+ * New maintainer
+
+ -- Christian Perrier <bubulle@debian.org> Fri, 11 Mar 2005 19:28:38 +0100
+
+shadow (1:4.0.3-30.10) unstable; urgency=low
+
+ * Non-maintainer upload targeted at sarge.
+ * Programs translations:
+ - Greek updated. Closes: #293911
+ - French updated. Closes: #294330
+ * Debconf translations:
+ - Galician updated. Closes: #295543
+
+ -- Christian Perrier <bubulle@debian.org> Mon, 7 Feb 2005 08:18:56 +0100
+
+shadow (1:4.0.3-30.9) unstable; urgency=low
+
+ * Non-maintainer upload targeted at sarge.
+ * Programs translations:
+ - German updated. Closes: #291703
+ - Tagalog added. Closes: #292353
+ - Korean updated.
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 23 Jan 2005 09:30:49 +0100
+
+shadow (1:4.0.3-30.8) unstable; urgency=low
+
+ * Non-maintainer upload targeted at sarge.
+ * Debconf translations:
+ - Tagalog added. Closes: #289837
+ * Programs translations:
+ - Traditional Chinese added. Closes: #288879
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 11 Jan 2005 11:39:18 +0100
+
+shadow (1:4.0.3-30.7) unstable; urgency=low
+
+ * Non-maintainer upload targeted at sarge.
+ * Resolv conflict with manpage-spl in login
+ as well as passwd. Thanks to Robert Luberda for
+ the notice
+
+ -- Christian Perrier <bubulle@debian.org> Thu, 23 Dec 2004 22:23:11 +0100
+
+shadow (1:4.0.3-30.6) unstable; urgency=low
+
+ * Revert back to Ian Gulliver genuine patch
+ to chpasswd. Update man page accordingly.
+ Closes: #283961
+ (again)
+ * Programs translations
+ - German updated. Closes: #286522
+ * Debconf translations
+ - German updated. Closes: #286522
+
+ -- Christian Perrier <bubulle@debian.org> Mon, 20 Dec 2004 23:51:39 +0100
+
+shadow (1:4.0.3-30.5) unstable; urgency=high
+
+ * Non-maintainer upload targeted at sarge.
+ Fix release critical bug
+ * Resolve conflict with woody's manpages-pl package
+ which prevent woody->sarge upgrade if
+ manpages-pl was installed
+ Closes: #284239
+ * Programs translations
+ - Romanian added. Closes: #284338
+ * Add MD5 support to chpasswd
+ Thanks to Ian Gulliver for the patch
+ Closes: #283961
+ * Correct typos in man pages
+ Thanks to Nicolas François for the patch
+ Closes: #141322
+ * Replace "C/" with "../../" in man/fr/shadow.conf
+ for best integration in the package build process
+
+ -- Christian Perrier <bubulle@debian.org> Thu, 16 Dec 2004 21:48:56 +0100
+
+shadow (1:4.0.3-30.4) unstable; urgency=low
+
+ * Non-maintainer upload targeted at sarge.
+ Localisation and d-i related updates only
+ * Programs translations
+ - Albanian (very partial) added.
+ * Debconf translations
+ - Hindi added. Closes: #282443
+ - Malagasy added. Closes: #282580
+ - Albanian added. Closes: #282160
+
+ -- Christian Perrier <bubulle@debian.org> Thu, 25 Nov 2004 07:21:53 +0100
+
+shadow (1:4.0.3-30.3) unstable; urgency=high
+
+ * Non-maintainer upload: security fix using the woody patch
+ by the Security Team
+ * Adjusted password check to fix authentication bypass
+ [debian/patches/036_CAN-2004-1001_passwd_check]
+ * Debconf translations
+ - Brazilian Portuguese updated. Closes: #278051
+ - Norwegian Bokmal fixed. Closes: #277563
+ * Programs translations
+ - Indonesian updated. Closes: #277751, #277741
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 2 Nov 2004 22:28:26 +0100
+
+shadow (1:4.0.3-30.2) unstable; urgency=low
+
+ * Non-maintainer upload targeted at sarge.
+ Localisation and d-i related updates only
+ * Debconf translations
+ - Macedonian added. Closes: #275781
+ - Slovakian updated. Closes: #273585
+ - Slovenian added.
+ * Man pages translations
+ - German for vipw.8/vigr.8. Closes: #260645
+ * Fix preseeding for d-i : do not mark debconf templates as seen
+ Also remove the hack for Joey Hess login name..:)
+ Closes: #271407
+ * Ask for the user full name at critical priority so that
+ it is never empty. Closes: #257700
+
+ -- Christian Perrier <bubulle@debian.org> Sun, 10 Oct 2004 19:02:50 +0200
+
+shadow (1:4.0.3-30.1) unstable; urgency=low
+
+ * Non-maintainer upload targeted at sarge. Localisation updates only
+ * Debconf translations
+ - Arabic added. Closes: #261022
+ - Swedish updated. Closes: #261553
+ - Bulgarian added. Closes: #262928
+ - Brazilian Portuguese updated. Closes: #263957
+ - Simplified Chinese updated. Closes: #268646
+ - Traditional Chinese updated. Closes: #268151
+ - German updated. Closes: #268051
+ - Basque synced with templates.pot
+ * Programs translations
+ - Swedish updated. Closes: #261553
+ - Russian updated. Closes: #268412
+ - Norwegian Bokmal updated. Closes: #269907
+ - Norwegian Nynorsk updated. Closes: #269907
+ - Hebrew updated. Closes: #269967
+ - Danish updated. Closes: #270083
+ - Catalan updated. Closes: #254956
+ * Man pages translations
+ - French translation completely rewritten and reviewed
+ Closes: #270168
+ - Add expiry.1 and limits.conf.5 to the list of installed man
+ pages (add two lines to passwd.files and one to rules)
+ From #270168 also.
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 7 Sep 2004 20:20:21 +0200
+
+shadow (1:4.0.3-30) unstable; urgency=high
+ * Attempt to fix FTBFS and dependency problems on hurd. Closes: #235641
+ * don't run dh_undocumented anymore as it has become angstful.
+
+ * Thanks to Christian Perrier:
+ * Debconf translations
+ - Brazilian updated. Closes: #261387
+ - Croatian added. Closes: #261418
+ - Minor corrections fo ja.po and pl.po headers
+ * Programs translations
+ - Dutch updated. Closes: #260361
+ - Hebrew added. Closes: #260722
+ * Urgency set to high because of RC bug fixed:
+ * Correct check for root password being already set in passwd.config
+ Closes: #260799
+
+ * Acknowledge 29.1 NMU:
+ Closes: #256664, #257949, #258241, #258563, #258566, #258957,
+ #190567, #259389, #260223, #257949, #259663, #259827
+
+ -- Karl Ramm <kcr@debian.org> Tue, 27 Jul 2004 09:38:32 -0400
+
+shadow (1:4.0.3-29.1) unstable; urgency=low
+
+ * NMU with maintainer consent
+ * Programs translations
+ - Greek updated. Closes: #256664
+ - Finnish updated. Closes: #257949
+ - Spanish updated. Closes: #258241
+ - Polish updated. Closes: #258563
+ - Indonesian added (configure.in changed accordingly). Closes: #258566
+ - French updated. Closes: #258957, #190567
+ - Slovak updated. Closes: #259389
+ - Portuguese updated. Closes: #260223
+ * Debconf translations
+ - Finnish updated. Closes: #257949
+ * Typo correction in su.1 man page. Closes: #259663
+ * Removed malloc definition in libmisc/xmalloc.c
+ Closes: #259827
+ * Lintian-driven corrections
+ - Corrected section number in several man pages:
+ - grpck.8
+ - pwck.8
+ - ja/grpck.8
+ - pl/grpck.8
+ - pl/pwck.8
+ - Replace the full GPL text in copyright by a pointer
+ - Bumped Standards to 3.6.1.1 (changes checked)
+
+ -- Christian Perrier <bubulle@debian.org> Mon, 19 Jul 2004 17:52:24 +0200
+
+shadow (1:4.0.3-29) unstable; urgency=low
+ * Be up front on the origin of our su. Closes: #244297
+ * The following thanks to Christian Perrier:
+ * Debconf translations
+ - Hungarian added. Closes: #256493
+ - Greek updated. Closes: #251990
+ - Brazilian portuguese updated. Closes: #256771
+ * po/POTFILES.in
+ - corrected file. No more mentions unexisting files
+ Closes: #253792
+ this change was already in 28.5 but was forgotten in the
+ changelog
+ * Acknowledge NMUs:
+ closes: #244604, #244734, #246302, #246376, #246848, #246859,
+ #247084, #247698, #247770, #248386, #248391, #248392,
+ #248392, #248516, #248516, #248648, #248938, #248957,
+ #249141, #249257, #249682, #250169, #250339, #250496,
+ #251140, #251141, #251317, #251495, #251716, #251990,
+ #252087, #252499, #253165, #253186, #253570, #254503,
+ #254760
+
+ -- Karl Ramm <kcr@debian.org> Sat, 3 Jul 2004 00:24:55 -0400
+
+shadow (1:4.0.3-28.5) unstable; urgency=low
+
+ * debian/*.files
+ - care about adding ALL existing translations. Removed hard-coded
+ file names. Closes: #248516
+ Thanks to Ruben Porras for noticing
+ This involves changes to debian/*.files with the use of
+ regexp in these files
+ * libmisc/failure.c
+ - Make use of plural forms. Closes: #251317
+ * Programs translations
+ - Norwegian Bokmal and Norwegian Nynorsk translations. Closes: #252499
+ - Dutch updated. Closes: #253165
+ - Brazilian Portuguese updated
+ - Turkish updated
+ - Korean updated
+ - Czech updated
+ - Japanese updated
+ - German updated
+ - Catalan added. Closes: #254760
+ - Italian updated
+ * Debconf translations
+ - Finnish added. Closes: #253570
+ - Danish updated
+ - Hebrew added. Closes: #253186
+ - Traditional Chinese added. Closes: #254503
+ - French updated for clarification and shorten the root password screen
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 22 Jun 2004 09:44:45 +0200
+
+shadow (1:4.0.3-28.4) unstable; urgency=low
+
+ * NMU for l10n stuff again
+ * Programs translations
+ - All languages "activated" in configure.in. Closes: #248516
+ - Russian. Closes: #250496
+ - Bosnian added. Closes: #251141
+ - Finnish update. Closes: #251495
+ - Italian update. Closes: #252087
+ * Debconf translations
+ - Norwegian Bokmal update. Closes: #250339
+ - Bosnian added. Closes: #251140
+ - Catalan updated. Closes: #251716
+ - Greek update. Closes: #251990
+ - Welsh added (directly sent by Dafydd Harries
+ * Christian Perrier
+ - debian/passwd.config : a few rewards to a few people. Just check
+ the code
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 1 Jun 2004 09:11:01 -0300
+
+shadow (1:4.0.3-28.3) unstable; urgency=high
+
+ * NMU for correcting my mistake
+ * Remove an extra "fi" in passwd.config. Closes: #250169
+ * Debconf translation updates:
+ - Norwegian Nynorsk. Closes: #249682
+
+ -- Christian Perrier <bubulle@debian.org> Fri, 21 May 2004 06:50:13 +0200
+
+shadow (1:4.0.3-28.2) unstable; urgency=high
+
+ * NMU for Debian Installer rc1 release schedule
+ * Removed duplicate sentence in templates. Closes: #244734, #244604
+ * Move the "root password empty" check before the root password
+ confirmation. Closes: #247770
+ * Debconf translation updates:
+ - Danish. Closes: #246859
+ - Spanish. Closes: #246302
+ - Russian. Closes: #248392
+ - Simplified Chinese. Closes: #248938
+ - Lithuanian. Closes: #249141
+ - Italian. Closes: #249257
+ - Dutch sent directly by Bart Cornelis
+ - Korean sent directly by Changwoo Ryu
+ - Galician sent directly by Héctor Fernández
+ - Romanian sent directly by Eddy Petrisor
+ * Programs translation updates:
+ - Korean. Closes: #242055
+ - Japanese. Closes: #242586
+ - Polish. Closes: #246376
+ - Slovak. Closes: #247084
+ - Basque. Closes: #248386
+ - German. Closes: #248391
+ - Russian. Closes: #248392
+ - Spanish. Closes: #248516
+ - Czech. Closes: #248648
+ - Simplified Chinese. Closes: #248957
+ - Indonesian. Closes: #242813
+ - Italian sent directly by Giuseppe Sacco
+ * Translated man pages
+ - Typo correction in Brazilian Portuguese for gpasswd. Closes: #247698
+
+ -- Christian Perrier <bubulle@debian.org> Tue, 18 May 2004 12:09:34 +0200
+
+shadow (1:4.0.3-28.1) unstable; urgency=high
+
+ * NMU for special purposes below
+ * Urgency set to high for helping out Brazilian DD's building CD's
+ for FISL conference
+ * Translation updates:
+ - Debconf:
+ - Brazilian Portuguese. Closes: #246848
+ - Spanish. Was unfortunately based on older templates hence
+ this does not close 246302
+ - Basque: Closes: #243545
+ - German: Closes: #242116
+
+ -- Christian Perrier <bubulle@debian.org> Mon, 10 May 2004 23:23:25 +0200
+
+shadow (1:4.0.3-28) unstable; urgency=low
+
+ * Fix login and passwd in preinst to avoid promts on woody upgrade,
+ Closes: #243099
+ * Fix login and passwd configuration file to support common-passwd
+ * Apply NMU patch from Christian Perrier, Closes: #241438
+
+ -- Sam Hartman <hartmans@debian.org> Thu, 29 Apr 2004 16:31:25 -0400
+
+shadow (1:4.0.3-27) unstable; urgency=low
+
+ * update "da" debconf translation, closes: #241262
+ * new "pt_BR" program translation, closes: #241366
+
+ -- Karl Ramm <kcr@debian.org> Thu, 1 Apr 2004 00:19:44 -0500
+
+shadow (1:4.0.3-26.1) unstable; urgency=low
+
+ * NMU for Debian Installe rneeds
+ * Translation updates:
+ - Debconf:
+ - French. Closes: #241438
+ - Ukrainian. Closes: #241514
+ - Swedish: #241558
+ - Japanese. Closes: #241802
+ - Danish. Closes: #241262
+ - Portuguese. Closes: #241675
+ - Polish. Closes: #243185, #242996
+ - Czech. Closes: #241877
+ - Korean. Closes: #241928
+ - Greek. Closes: #242396
+ - Turkish. Closes: #243103
+ - Slovak. Closes: #245671
+
+ -- Christian Perrier <bubulle@debian.org> Wed, 28 Apr 2004 11:47:34 +0200
+
+shadow (1:4.0.3-26) unstable; urgency=low
+
+ * Have passwd.config fall back gracefully to useradd if adduser is
+ unavailable. closes: #240894
+
+ -- Karl Ramm <kcr@debian.org> Wed, 31 Mar 2004 00:26:17 -0500
+
+shadow (1:4.0.3-25) unstable; urgency=low
+
+ * Update "da" program translation, thanks to Claus Hindsgaul.
+ * Update "sv" translation, closes: #239198
+ * lower debconf priority of shadow password question to 'low'
+
+ -- Karl Ramm <kcr@debian.org> Tue, 30 Mar 2004 19:39:59 -0500
+
+shadow (1:4.0.3-24) unstable; urgency=low
+
+ * add new program translations to the file manifest. *sigh*
+ closes: #241016
+ * add "tr" debconf translation. closes: #239148
+ * Rearrange username creation dialog text to make sense in
+ new order. closes: #240607
+ * Edit the debconf templates for content.
+ * Remove the program .gmo files in the clean step. closes: #200054
+
+ -- Karl Ramm <kcr@debian.org> Tue, 30 Mar 2004 11:37:22 -0500
+
+shadow (1:4.0.3-23) unstable; urgency=low
+
+ * increase maximum group name size to 32 for no particularly good reason
+ closes: #240456
+ * fix su man page to reflect code. closes: #239805
+ * fix username defaulting in passwd.config. closes: #238781
+ * update "it" debconf translation. closes: #237504
+ * update "ru" debconf translation. closes: #238211
+ * update "de" debconf translation. closes: #238779
+ * update "el" debconf translation. closes: #240473
+ * add "nn" debconf translation. closes: #238590
+ * add "da" program translation. closes: #238005
+ * add "nl" program translation. closes: #238488
+ * add "pt" program translation. closes: #238796
+ * add "pt" debconf translation. closes: #239641
+ * remove spurious const, closes: #240677
+
+ -- Karl Ramm <kcr@debian.org> Sun, 28 Mar 2004 19:46:34 -0500
+
+shadow (1:4.0.3-22) unstable; urgency=low
+
+ * Don't assume that lastlog.ll_time or utmp.ut_time or utmpx.ut_tv are made
+ up of time_ts and timevals, because they aren't on x86-64. Dismaying
+ but true.
+
+ -- Karl Ramm <kcr@debian.org> Sun, 14 Mar 2004 16:53:21 -0500
+
+shadow (1:4.0.3-21) unstable; urgency=low
+
+ * Try and get the right French translation update in the right place,
+ Karl, you can do it even if you do only speak English. Closes: #236993
+
+ -- Karl Ramm <kcr@debian.org> Wed, 10 Mar 2004 15:31:35 -0500
+
+shadow (1:4.0.3-20) unstable; urgency=low
+
+ * Added Norwegian Bokmal debconf translation, closes: #206349
+ * tell shadow build system about new message translations
+
+ -- Karl Ramm <kcr@debian.org> Thu, 4 Mar 2004 11:04:44 -0500
+
+shadow (1:4.0.3-19) unstable; urgency=low
+
+ * When creating a user account in psaswd.config, ask for full name
+ first, and make up a default username. Closes: #235386
+ * "No really, assume md5 passwords". Closes: #223664
+
+ -- Karl Ramm <kcr@debian.org> Thu, 4 Mar 2004 00:42:08 -0500
+
+shadow (1:4.0.3-18) unstable; urgency=low
+
+ * Removed po/cs.po and added new debian/po/cs.po
+ Updated Czech translation, closes: #229125
+ * Updated Japanese debconf translation, closes: #227237
+ * Updated Danish debconf translation, closes: #227619
+ * Updated Dutch debconf translation, closes: #227883
+ * Updated Brazilian Portuguese debconf translation, closes: #228080
+ * Added Simplified Chinese debconf translation
+ Added Simplified Chinese programs translation
+ Closes: #229334
+ * Added Greek debconf translation
+ Added Greek programs translation
+ Closes: #229504, #229528
+ * Added Finnish programs translation, closes: #230369
+ charset changed from UTF-8 to ISO-8859-1 as the bug patch was wrong
+ * Updated German debconf translation, closes: #232710
+ * Updated Russian debconf translation, closes: #235541
+ * Added Ukrainian debconf translation, closes: #233560
+ * Added Lithuanian debconf translation, closes: #235698
+ * thanks to Christian Perrier <bubulle@debian.org>
+
+ -- Karl Ramm <kcr@debian.org> Wed, 3 Mar 2004 22:56:31 -0500
+
+shadow (1:4.0.3-17) unstable; urgency=low
+
+ * Fix braino in version number of example dependency in README.shells.
+ Apologies to anyone foolhardy enough to believe my documentation.
+ * Add Swedish debconf translation, closes: #225059
+ * New French debconf translation, closes: #225914
+ * Add Catalan debconf translation, closes: #227029
+ * add securetty files for the hurd, freebsd, and netbsd, closes: #200739
+
+ -- Karl Ramm <kcr@debian.org> Sun, 11 Jan 2004 17:37:54 -0500
+
+shadow (1:4.0.3-16) unstable; urgency=low
+
+ * run dh_installdeb *after* dh_installdebconf,
+ remove . from short description of passwd,
+ add versioned conflict with debconf older than 0.5
+ closes: #224133
+ * replace manpages-it due to man page conflict
+ closes: #224474
+ * fix the *other* su syslogs.
+ closes: #224508
+ * fix filename in control file, closes: #224579
+ * fix permissions on chage and expiry, closes: #224717
+ * run debconf-updatepo
+ * remove debian/compat as redundant
+
+ -- Karl Ramm <kcr@debian.org> Mon, 22 Dec 2003 19:53:30 -0500
+
+shadow (1:4.0.3-15) unstable; urgency=low
+
+ * remove bogus dependency on base-config 2.00,
+ closes: #222772, #223726
+ * New Czech translation thanks to Miroslav Kure.
+
+ -- Karl Ramm <kcr@debian.org> Fri, 12 Dec 2003 18:40:25 -0500
+
+shadow (1:4.0.3-14) unstable; urgency=low
+
+ * exit 30 when backing all the way out in passwd.conf, and
+ depend on base-config 2.00, closes: #222772
+ * adjust debconf templates for debian-installer work,
+ closes: #222832
+
+ -- Karl Ramm <kcr@debian.org> Thu, 11 Dec 2003 01:53:37 -0500
+
+shadow (1:4.0.3-13) unstable; urgency=low
+
+ * Fix typo passwd.config. Closes: #223079, #222714
+ * Let's try out this oldfangled anonymous ftp upload queue.
+
+ -- Karl Ramm <kcr@debian.org> Mon, 8 Dec 2003 17:59:31 -0500
+
+shadow (1:4.0.3-12) unstable; urgency=low
+
+ * Explicitly use automake-1.7 and aclocal-1.7. closes: #216594
+ * Update Danish debconf translation. closes: #216542
+ * Update French debconf translation. closes: #206352
+ * Update Dutch debconf translation. closes: #212995
+ * Remove redundant dependency on grep. closes: #216535
+ * Fix chfn documentation bug. closes: #213931
+ * Fix su syslogs to be less ambiguous. (old:new instead of old-new
+ because '-' can appear in usernames.) Not clearer, mind you, but less
+ ambiguous. closes: #213592
+ * Rename limits(5) to limits.conf(5) and edit to reflect reality.
+ closes: #212935
+ * Move the change_uid call in login back to where it was before -11, and
+ relocate the fork for pam_close_session above it. closes: #211884
+
+ -- Karl Ramm <kcr@debian.org> Sat, 25 Oct 2003 15:26:20 -0400
+
+shadow (1:4.0.3-11) unstable; urgency=low
+
+ * update Japanese debconf translation. closes: #210382
+ * update Brazilian Portugese debconf translation. closes: #208122
+ * run pam cleanup code as root. closes: #195048
+
+ -- Karl Ramm <kcr@debian.org> Sat, 13 Sep 2003 17:49:29 -0400
+
+shadow (1:4.0.3-10) unstable; urgency=low
+
+ * postinst sources confmodule. closes: #88843
+ * Implement the pam configuration New World Order. Wow, that was quick. :-)
+ * Implement a scheme for allowing other packages to modify /etc/shells.
+
+ -- Karl Ramm <kcr@debian.org> Fri, 22 Aug 2003 20:58:42 -0400
+
+shadow (1:4.0.3-9) unstable; urgency=low
+
+ * fix mysterious creeping bug in po/Makefile.in.in, closes: #200052
+ * dutch debconf translation, closes: #204578
+ * switch to po-debconf, closes: #183998, #200130
+ * use automake1.7, closes: #205991
+ * update german debconf translation, closes: #94138
+ * I can't come up with a good justification as to why characters other
+ than ':'s and '\0's should be disallowed in group and usernames (other
+ than '-' as the leading character). Thus, the maintenance tools don't
+ anymore. closes: #79682, #166798, #171179
+ * Fix typo in /etc/pam.d/su. closes: #196804
+ * danish debconf translation, closes: #118245
+ * russian debconf translation, closes: #198729
+ * And last, but not least, what's undoubtedly going to be the most
+ popular change: md5 passwords are turned on by default, and there is
+ no prompt to change them. Yes, this is reduced functionality. No, it
+ can't go back in the way it was; the old code not only modified
+ conffiles, it modified *other*packages* conffiles and was a massive
+ policy violation. I expect this change will motivate the people who
+ have said that they will come up with a proper solution to do so.
+ closes: #186016, #110228, #171808
+
+ -- Karl Ramm <kcr@debian.org> Wed, 20 Aug 2003 02:06:50 -0400
+
+shadow (1:4.0.3-8) unstable; urgency=low
+
+ * Fix missing ':' in getopt call. closes: #184301
+ * Don't install mkpasswd, we don't use it. closes: #185919, #187906
+ * replaces: manpages-ko. closes: #184810
+ * Fix the message in #190567 (not closing until it's been accepted upstream)
+ * Fix brainos in login.1. closes: #184731
+ * Fixup permissions for chage. closes: #184138
+ * Force the umask to 022 in passwd.config. closes: #182506
+ * Add Sam Hartman <hartmans@debian.org> as an uploader.
+ * Update standards-version.
+ * Add versioned build-depend on debhelper.
+
+ -- Karl Ramm <kcr@debian.org> Sat, 26 Apr 2003 15:34:16 -0400
+
+shadow (1:4.0.3-7) unstable; urgency=low
+
+ * When relocating a user's home directory, don't fail and remove the new
+ home directory if we can't remove the old home directory for some
+ reason; the results can be spectularly poort if, for instance, only
+ the rmdir() fails. closes: #166369
+ * run dh_installdebconf so base-config will work. *sigh*. closes: #166788
+
+ -- Karl Ramm <kcr@debian.org> Sun, 24 Nov 2002 21:40:30 -0500
+
+shadow (1:4.0.3-6) unstable; urgency=low
+
+ * remove automake dependency and leave only automake1.5, since it seems
+ to confuse the alpha and mipsel autobuilders for some reason.
+
+ -- Karl Ramm <kcr@debian.org> Sun, 13 Oct 2002 21:45:15 -0400
+
+shadow (1:4.0.3-5) unstable; urgency=low
+
+ * build-depend on libtool and automake. oops. closes: #164545
+
+ -- Karl Ramm <kcr@debian.org> Sun, 13 Oct 2002 01:44:47 -0400
+
+shadow (1:4.0.3-4) unstable; urgency=low
+
+ * I am unable to begin to express the bitterness that I'm now experiencing.
+ * replaces manpages-de <= 0.4-4, closes: #162097, #162173
+ * replaces manpages-fr, closes: #162150
+ * replaces manpages-hu, closes: #162126
+ * replaces manpages-ja, closes: #163511, #162095
+ * fix sg symlink, closes: #162339, #163652
+ * newgrp should be aware that getlogin() and ttyname() are not
+ guaranteed to return anything and NOT blindly assume that they
+ successfully returned a pointer to a string. I mean, really, people,
+ that sort of thing hasn't been reliable since 4.2BSD on a VAX. I'll
+ bet most of the working on the upstream weren't even born yet when
+ this sort of thing was commonplace (it was NEVER acceptable).
+ closes: #162303
+ * pull the manpage for the spiffy su forward. closes: #162275
+ * depend on automake1.5, and rerun the autogrunge. This should
+ *hopefully* make it build more consistently.
+ * this concludes the biweekly treading of water.
+
+ -- Karl Ramm <kcr@debian.org> Sat, 12 Oct 2002 14:56:16 -0400
+
+shadow (1:4.0.3-3) unstable; urgency=low
+
+ * the "fix the brain damage" release
+ * fix pam brain-damage in ch{age,passwd}, {group,user}{add,del,mod}, newusers
+ closes: #162181, #162199, #162228
+ * fix vipw symlink brain-damage: closes: #162218
+ * fix package description brain damage, closes: #139563
+ * install cp{pw,gr} brain damge
+
+ -- Karl Ramm <kcr@debian.org> Wed, 25 Sep 2002 01:21:35 -0400
+
+shadow (1:4.0.3-2) unstable; urgency=low
+
+ * fix "su -". closes: #162089
+ * document exit codes of groupdel and userdel (again, for userdel)
+ closes: #161861
+ * clean up logoutd cleanup
+
+ -- Karl Ramm <kcr@debian.org> Mon, 23 Sep 2002 19:44:40 -0400
+
+shadow (1:4.0.3-1) unstable; urgency=low
+
+ * new upstream version! closes: #149444, #150237, #145415
+ * completely new packaging!
+ * all new bugs!
+ * old bugs as well!
+ * remove /etc/init.d/logoutd, like the old postrm should've, closes: #160682
+ * fix passwd manpage, closes: #160477, #122797
+ * fix lastlog manpage, closes: #159886
+ * add as many virtual console devices as I seem to have to securetty,
+ closes: #156472
+ * add ttyS0 and tts/0 to securetty. closes: #130138
+ * su should not segfault if nobody has uid 0. closes: #139967
+ * install and use translations. closes: #118238
+ * upstream uses new automake. closes: #114935
+ * add russian template file for password. closes: #130358
+ * handle template installation correctly. closes: #156674
+ * don't place a maximum restriction on the length of passwords.
+ closes: #159487
+ * fix description. closes: #145459
+ * update config.{guess,sub}
+
+ -- Karl Ramm <kcr@debian.org> Wed, 18 Sep 2002 10:14:08 -0400
+
+shadow (20000902-12) unstable; urgency=high
+
+ * "oops"
+ * /etc/login.defs: /var/spool/mail -> /var/mail, closes: #125311
+
+ -- Karl Ramm <kcr@debian.org> Sun, 7 Apr 2002 11:54:48 -0400
+
+shadow (20000902-11) unstable; urgency=low
+
+ * Fix some nits:
+ * remove changelog~ file. oops. closes: #139711
+ * fix typo in control. closes: #139564
+ * Hmmm. People open more bugs when I upload new versions of things.
+ Maybe they just notice them more then, or maybe it's just Murphy.
+
+ -- K. Ramm <kcr@debian.org> Tue, 26 Mar 2002 12:14:33 -0500
+
+shadow (20000902-10) unstable; urgency=low
+
+ * We hates the automake. We hates it forever. closes: #139293
+ * stupid ommision: logoutd still in postinst. closes: #139422
+ * make login.defs a bit clearer. closes: #138809
+
+ -- Karl Ramm <kcr@debian.org> Fri, 22 Mar 2002 12:09:07 -0500
+
+shadow (20000902-9) unstable; urgency=medium
+
+ * Get rid of logoutd, it doesn't work, didn't work in potato, and now
+ it's causing people to open RC bugs. closes: #138259, #66153, #121940
+ I'm told the timeoutd package does a better job anyway.
+ * add /bin/tcsh to /etc/shells, closes: #118103, #122112
+ * add /bin/ksh to /etc/shells, closes: #123556
+ * remove text about password aging from passwd(5), closes: #137493
+ * spanish debconf template for passwd, closes: #136463
+ * document the fact that you can not have a valid password in
+ /etc/shadow. closes: #131690
+ * /etc/login.defs: /var/spool/mail -> /var/mail, closes: #125311
+ * fix locations of utmp and wtmp in login(1), closes: #119656
+ * The package description for passwd refers to README.Debian.gz
+ but only README.debian.gz actually exists. Most packages use
+ README.Debian.gz, but the control file is the only place that gets it
+ wrong for this package. When in doubt, fix the documentation. :-)
+ closes: #116955
+
+ -- Karl Ramm <kcr@debian.org> Thu, 14 Mar 2002 17:05:56 -0500
+
+shadow (20000902-8) unstable; urgency=low
+
+ * check in passwd.expire.cron for already-expired passwords; closes: #102319
+ * note in chage.1 and shadowconfig.8 that password aging information
+ only works when shadow passwords are enabled. closes: #103702
+ * enable changing the name in chfn by default. closes: #107819
+ * fail to mangle files in lib/commonio.c, thanks to matt@linuxbox.nu
+ * add /dev/console to the secure ttys list. because. closes: #113949
+ * find the FHS mail spool first in configure. closes: #114951
+ (thanks to mjb@debian.org)
+ * above sadly causes automake to go bonkers, and I don't want to
+ reassemble the build system before woody is released. Keep automake
+ from going off on its own.
+ * terminate argument validation in login when it hits a '--'.
+ closes: #66368
+
+ -- Karl Ramm <kcr@debian.org> Mon, 22 Oct 2001 11:17:35 -0400
+
+shadow (20000902-7) unstable; urgency=low
+
+ * the "I'm sorry, I should've done this earlier" release
+ * Cancel login timeout after authentication so that patient people
+ timing out on network directory services can log in with local
+ accounts. Closes: #107148
+ * Add Brazillian Portugese debconf template translation for passwd.
+ Closes: #105292, #93223
+ * Pull /usr/share/doc/$package/README.shadow-paper.gz. Closes: #98058
+ * Use getent instead of group to verify existence of shadow group
+ [works better for distributed group files]. Closes: #99902
+ [Note that this sort of problem is rampant in these postinst and
+ config scripts, but that's not getting fixed in woody.]
+ * Amend reference to /usr/doc in shadowconfig.8. Closes: #102804
+ * su should set $USER. Closes: #102995
+ * userdel now deletes user groups from /etc/gshdow as well as
+ /etc/group. Closes: #99442
+ * grpck now has an (otherwise undocumented) -p option, so that
+ shadowconfig can clean up the results of the above, so the config
+ script will fail randomly less often. Closes: #103385
+
+ -- Karl Ramm <kcr@debian.org> Wed, 22 Aug 2001 12:09:27 -0400
+
+shadow (20000902-6.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Upgrade to latest config.sub and config.guess. Closes: #88547
+
+ -- Gerhard Tonn <gt@debian.org> Fri, 1 Jun 2001 20:38:43 +0200
+
+shadow (20000902-6) unstable; urgency=medium
+
+ * actually set root's password when appropriate
+ patch thanks to joeyh, closes #98402
+ * fix error in expiry man page. Such damage. closes: #99291
+ * fix group of setgid program chage and expiry, closes: #98122
+
+ -- Karl Ramm <kcr@debian.org> Thu, 31 May 2001 07:38:59 -0400
+
+shadow (20000902-5) unstable; urgency=low
+
+ * add build dependency on file, to keep libtool happy. closes: #97498
+
+ -- Karl Ramm <kcr@debian.org> Wed, 16 May 2001 06:57:23 -0400
+
+shadow (20000902-4) unstable; urgency=low
+
+ * Change maintainers, closes: #92355
+
+ -- Karl Ramm <kcr@debian.org> Sun, 13 May 2001 03:28:07 -0400
+
+shadow (20000902-3.1) unstable; urgency=low
+
+ * Non-maintainer upload
+ * Recompile to fix ARM lossage
+
+ -- Philip Blundell <philb@armlinux.org> Sun, 11 Mar 2001 07:47:27 -0500
+
+shadow (20000902-3) unstable; urgency=low
+
+ * Update config.sub and config.guess so ia64 compiled, closes: #81897
+ * libmisc/sub.c: skip '*' in shell name when doing subsystem, closes:
+ #82893
+ * src/su.c: don't assume uid 0 == "root", use getpwuid to fetch it,
+ closes: #81924
+ * This was fixed in a previous version, closes: #77057
+ * Update passwd long desc, closes: #88299
+ * Conflict with suidmanager << 0.5, and remove suid{,un}register calls,
+ closes: #87157
+ * Update policy to 3.5.0.0
+ * Added debconf support for passwd from base-config
+
+ -- Ben Collins <bcollins@debian.org> Sat, 3 Mar 2001 07:26:57 -0500
+
+shadow (20000902-2) unstable frozen; urgency=low
+
+ * control.hurd->control.gnu: closes: #77940
+ * Cannot reproduce, closes: #79447
+ * User never sent a patch, plus I think removing the passwd/account when
+ doing passwd -l is a bad idea. Makes it so you cannot unlock the
+ account. closes: #77824
+ * Don't allow shadowconfig to change perms of other binaries, close: #77057
+ * IMO, this is not a bug. It's part of a feature, and can be disabled by
+ turning off USER_GROUPS. closes: #76806
+ * /bin/login is suid root for several good reasons. For one, it allows
+ daemons that use it to run as non-root. This is a good thing since it
+ means only one program is running as root, and not several. closes: #17911
+ * sulog is fairly easy to grep or parse so I don't see how the
+ similarity of the log entries for failed and successful is a problem.
+ '-' for failed, '+' for success. closes: #63801
+ * logoutd.8: s,/etc/utmp,/var/run/utmp, closes: #80494
+ * Fix case where pam_auth returns a NULL username, closes: #76817, #75510
+ * Hmm, Linux is a sysv derivative, so the comment is perfectly
+ legitimate, closes: #76898
+ * MAX_PASSWORD is used by useradd, and CHFN_AUTH is actually used by
+ * chfn to decide if the current user needs to auth in order to change
+ their info, closes: #71114
+ * login.1: Fix \' closes: #75435
+ * login -f works for me assuming you call it as root. I tested this with
+ plain pam_unix.so, and also with pam_unix.so stacked with pam_ldap.so.
+ So if it doesn't work with telnet-heimdal, then that program is not
+ doing something right. closes: #78186
+ * login.pam.d: made pam_nologin.so requisite. closes: #80111
+ * su to root seems pretty quick to me, closes: #64756
+ * xmalloc.c: remove decleration of malloc, which was causing system
+ * header conflicts. closes: #80398
+
+ -- Ben Collins <bcollins@debian.org> Sun, 31 Dec 2000 14:33:47 -0500
+
+shadow (20000902-1) unstable frozen; urgency=low
+
+ * New upstream release, lots of Debian patches merged, closes: #72735
+ * man/passwd.1: removed reference to passwd(3), closes: #72704
+ * man/chsh.1,man/chfn.1: document login.defs affects on these programs,
+ closes: #68029
+ * not a bug, expected behavior, closes: #74137
+ * IMO, this is a bug in the user's setup, closes: #65600
+ * securetty: add devfs console devices, closes: #71946
+ * libmisc/sulog.c: removed arbitrary limit on number of chars printed of
+ the tty name (truncated to 6 chars, which is silly), closes: #65404
+ * tested this, and it works fine for me so long as pam_unix.so is called
+ with the nullok option (which it isn't by default because of security
+ concerns), closes: #75063
+ * appears to be fixed by PAM, closes: #70627
+ * src/useradd.c: user mkstemp instead of mktemp, per libc6 linktime
+ warning
+ * src/su.c: fixup arg handling passed to shell, closes: #75326
+
+ -- Ben Collins <bcollins@debian.org> Mon, 23 Oct 2000 13:22:29 -0400
+
+shadow (19990827-21) unstable frozen; urgency=low
+
+ * Added build deps
+ * Use pre-generated files for hurd/linux control file. The old method of
+ using cpp would have broken with the new gcc.
+
+ -- Ben Collins <bcollins@debian.org> Wed, 26 Jul 2000 21:04:03 -0400
+
+shadow (19990827-20) unstable frozen; urgency=low
+
+ * Release Manager
+ None of these are marked as RC in the BTS, however, they do make the
+ package unsuitable for release. Since this is an essential package (IOW,
+ installed on every Debian system), I hope you can see how important it
+ is to make sure this package is perfect. None of the changes are
+ functional (except the fix in logoutd's init script, which was a 20 char
+ change), so please consider this for the next test cycle.
+ * Fix logoutd init script from spurious output when /etc/porttime is not
+ there, closes: #63962, #64067
+ * su: Fix typo in usage output, closes: #60226
+ * passwd: Fixed typo and missing newline in output for successful password
+ change, closes: #64106, #63703
+ * passwd.1: Add documentation on the -f, -e, -s and -d command line
+ options, closes: #64339, #64410
+ * login: Verified that utmp/wtmp works when called by telnet with -h
+ option, closes: #56854
+
+ -- Ben Collins <bcollins@debian.org> Tue, 23 May 2000 14:40:01 -0400
+
+shadow (19990827-19) unstable frozen; urgency=low
+
+ * debian/local/shells: added esh, closes: #59934
+ * logoutd: modify to work with pam_time.so's time.conf file, modify
+ manpage to reflect this, closes: #61300
+ * userdel.8: added note about group removal, closes: #56723
+ * base-config handles md5 setup, closes: #60125
+ * cppw: make sure it gets installed, closes: #62960
+ * passwd: correct error message for "not you", closes: #61313
+ * sulog.c: fixed extern for char (char foo[] -> char *foo), closes: #61643
+ * userdel.8: documented userdel's exit values, closes: #54775
+ * passwd: error messages are two fold, the second is actually from
+ pam_strerror(), closes: #61937
+ * passwd: print "success" on successful password change, closes: #58676
+
+ -- Ben Collins <bcollins@debian.org> Sat, 29 Apr 2000 10:26:56 -0400
+
+shadow (19990827-18) unstable frozen; urgency=low
+
+ * Crap, all the bug fixes from -17 need to go to frozen too
+
+ -- Ben Collins <bcollins@debian.org> Tue, 29 Feb 2000 14:57:14 -0500
+
+shadow (19990827-17) unstable; urgency=low
+
+ * Fixed typo in login.defs, closes: #54877
+ * logoutd.init.d: Check for /etc/security/time.conf, closes: #54900
+ * login.defs: Added note about the MAIL env option, closes: #54768
+ * login.pam.d,passwd.pam.d: Use new options in pam_unix.so to enable
+ obsure password checks. This mimics the old behavior in pre-PAM
+ shadow, closes: #58203
+ * Use patch from Topi Miettinen <tom@pluto.nic.fi> to add pam session
+ ability to su, closes: #57526, #55873, #57532
+ * Made login's -f option also able to use the username after -- if none
+ was passed as it's optarg, closes: #53702
+
+ -- Ben Collins <bcollins@debian.org> Mon, 28 Feb 2000 12:37:22 -0500
+
+shadow (19990827-16) unstable; urgency=low
+
+ * got rid of g+s directories in the source tarball, closes: #54585
+ * make su mode 4755 in the package. This way there is no chance of a
+ failed dpkg install causing it to be left without suid root perms
+ before suidmanager or chmod is called in the postinst.
+ * src/login.c: added faillog support to the pam_authenticate loop. This
+ loop is now completely rewritten, and should produce better results on
+ failures, closes: #53164
+
+ -- Ben Collins <bcollins@debian.org> Sun, 9 Jan 2000 23:35:08 -0500
+
+shadow (19990827-15) unstable; urgency=low
+
+ * src/su.c: moved signal() call to re-establish SIGINT to right place,
+ closes: #54496
+ * src/login.c: if hostname is blank (not a remote login via rlogin or
+ telnet), then use the tty to log failures in syslog, closes: #53966
+ * passwd: Locking a password by appending '!' appears to be pretty
+ standard, so ssh needs to check for it.
+ * passwd and login come with a README.pam that discusses the differences
+ between the PAM and old non-PAM versions. It also talks about where to
+ look for details. Also now that I have added the extra examples to the
+ pam.d files, I hope this satisfies...closes: #52917
+ * A new package, base-config, which will be used by boot floppies is
+ going to have an option to configure MD5 usage for passwords. Since
+ this is the best place for it, and I don't really have any control
+ over it, I am .... closes: #47620
+ * libmisc/chowntty.c: applied patch for read-only root, closes: #52069
+
+ -- Ben Collins <bcollins@debian.org> Sat, 8 Jan 2000 22:11:29 -0500
+
+shadow (19990827-14) unstable; urgency=low
+
+ * debian/local/shells: added /bin/zsh, closes: #53883
+
+ -- Ben Collins <bcollins@debian.org> Sun, 2 Jan 2000 13:51:42 -0500
+
+shadow (19990827-13) unstable; urgency=low
+
+ * su.c: ignore SIGINT while authenticating, closes: #52372
+ * su.pam.d: added 2 new examples of how to allow su for wheel users
+ without prompting for a password, and also how to deny users of a
+ specific group.
+
+ -- Ben Collins <bcollins@debian.org> Sat, 1 Jan 2000 22:29:46 -0500
+
+shadow (19990827-12) unstable; urgency=low
+
+ * Recompiled against latest libpam and up'd the module deps,
+ closes: #52171
+ * login.pam.d: added "noenv" option so we don't clobber login's setting,
+ closes: #51441
+
+ -- Ben Collins <bcollins@debian.org> Tue, 14 Dec 1999 22:41:40 -0500
+
+shadow (19990827-11) unstable; urgency=low
+
+ * debian/passwd.in: add a preinst (matches login's) to fix the latest
+ build change (only affected hurd since it doesn't use login).
+ * debian/scripts/passwd.mk: use passwd.preinst instead of login.preinst
+ to complete the fix above.
+
+ -- Ben Collins <bcollins@debian.org> Mon, 6 Dec 1999 18:25:07 -0500
+
+shadow (19990827-10) unstable; urgency=low
+
+ * src/login.c: only set pam_fail_delay if > 0. Also make the default 0
+ so not defining it has the same affect as disabling it, closes: #51178
+ * src/userdel.c: make sure we remove the shadow group entries when
+ removing the users own group, closes: #50005, #50138
+
+ -- Ben Collins <bcollins@debian.org> Fri, 26 Nov 1999 22:37:44 -0500
+
+shadow (19990827-9) unstable; urgency=low
+
+ * src/su.c: Fixed getopt parsing, and added a usage output
+ * man/su.1: minor typos
+
+ -- Ben Collins <bcollins@debian.org> Mon, 8 Nov 1999 22:13:05 -0500
+
+shadow (19990827-8) unstable; urgency=low
+
+ * src/login.c: fixed loggin of username on succesful login (was using
+ the normal username, when it should have used pam_user),
+ closes: #47819
+ * src/login.c: check for hushed login and pass PAM_SILENT if true,
+ closes: #48002
+ * src/useradd.c: set def_shell to /bin/bash, closes: #48304
+ * doc/README.debian: add note about how to avoid issues with nscd's
+ lag in aging the cache, closes: #48629
+ * src/cppw.c: new program to assist copying a passwd/group file without
+ corruption, closes: #42141
+
+ -- Ben Collins <bcollins@debian.org> Tue, 2 Nov 1999 21:46:28 -0500
+
+shadow (19990827-7) unstable; urgency=low
+
+ * {passwd,login}.pam.d: added blurb about how to use the pam_cracklib
+ module, and also changed it to use pam_unix and not pam_pwdb (gah!
+ how did that happen?), closes: #46983
+ * README.debian: changes to reflect new PAM usage aswell as removing
+ references to obsolete config files, closes: #46595
+ * passwd.expire.cron: example script that informs users by email when
+ their accounts are about to expire, closes: #41393
+ * lastlogin.c: added -h option and usage aswell as long option support,
+ closes: #45804
+ * shadow now only has 3 wishlist bugs and nothing else
+
+ -- Ben Collins <bcollins@debian.org> Sat, 9 Oct 1999 11:54:16 -0400
+
+shadow (19990827-6) unstable; urgency=low
+
+ * debian/shells: new file, needed to include /bin/sash, closes: #45826
+ * useradd.8,groupadd.8: added note about the prefered use of adduser
+ and addgroup when conforming to Debian policy (taken from notes in
+ adduser's man pages), closes: #22821
+ * dialups.5: new man page that documents /etc/{dialups,d_passwd},
+ closes: #42212
+ * src/su.c: added -m, -p and -s command line options to match GNU options,
+ also documented in su(1), closes: #45394, #46424
+ * login.defs.5: clarified usage of TTYTYPE_FILE, closes: #23194
+ * login.pam.d: added pam_issue.so which replaces the old ISSUE_FILE from
+ login.defs, this also allows it to grok escapes in the issue file,
+ also increases the MODDEPS to (>= 0.69-10). By default this module is
+ not enabled, closes: #21044
+ * login.defs.pam.linux: added ISSUE_FILE to list of deprecated options
+
+ -- Ben Collins <bcollins@debian.org> Mon, 4 Oct 1999 19:56:22 -0400
+
+shadow (19990827-5) unstable; urgency=low
+
+ * {login,su}.1: added description of a subsystem login, closes: #31987
+ * src/chowndir.c: fixed recursive chown's on usermod, also changed it
+ to use lchown and lstat since we actually want that, closes: #46405
+ * su.1: removed reference to suauth aswell as added "-c" to the SYNOPSIS,
+ closes: #45685
+ * login.1: added options to the SYNOPSIS and documented OPTIONS,
+ closes: #28763
+ * login.defs.5: documented the ENVIRON_FILE options (even though it's
+ not really used in the PAM version), close: #28786
+ * 010_src_gpasswd.c: new patch, fixes changing group passwords when not
+ using shadow groups, closes: #25919
+ * {chfn,chsh,login}.pam.d: added nullok to pam_unix.so auth line to
+ allow for passwordless accounts, closes: #46510
+ * login.pam.d: add "standard" to the pam_mail option so we get old
+ style "You have..." login messages.
+
+ -- Ben Collins <bcollins@debian.org> Sun, 3 Oct 1999 13:41:53 -0400
+
+shadow (19990827-4) unstable; urgency=low
+
+ * Alright, we are really getting some usage from this now, and seeing
+ some odd ball setups, so it means more work for me, but more stable
+ and feature filled software for you :)
+ * debian/{login,su}.pam.d: Fixed spelling errors, closes: #45234, #45235
+ * debian/login.pam.d: Added commented pam_access.so reference and
+ description, closes: #45241
+ * src/login.c: moved usage of setup_uid_gid() when PAM is enabled or
+ pam_groups.so's groups get clobbered
+ * src/newgrp.c: don't call sanitize_env() and also make sure we don't
+ check passwords when the user is trying to get back to their default
+ group, closes: #22244
+ * Closed some other bugs that were either not really bugs, or they weren't
+ reproducable.
+ * debian/login.pam.d: moved around the pam_motd and pam_mail modules to
+ order them the same as old login would have done
+
+ -- Ben Collins <bcollins@debian.org> Sun, 19 Sep 1999 19:42:13 -0400
+
+shadow (19990827-3) unstable; urgency=low
+
+ * This is a "Sit down and really fix some bugs" update. I'm going through
+ the ones that really need some work.
+ * src/vipw.c: use the system() call to invoke the editor so that it accepts
+ command line args in the EDITOR and VISUAL environment vars, closes: #31029
+ * src/userdel.c: added code to remove user groups (of the same name) if there
+ were no members left and USERGROUPS_ENAB is set to yes, closes: #35046
+ * login.defs: documented above change
+ * {login,passwd}.postinst: fixed some bashisms, closes: #45159
+ * login.defs.pam.linux: documented the FAKE_SHELL option, closes: 31987
+ * su.1,login.1: documented the subsystem root ability in login and su, closes:
+ * doc directory for both packages now includes the README.shadow-paper file
+ closes: #15391
+
+ -- Ben Collins <bcollins@debian.org> Sun, 19 Sep 1999 15:49:11 -0400
+
+shadow (19990827-2) unstable; urgency=low
+
+ * debian/rules: use "$(CC) -E" instead of "cpp" to make it easier to
+ cross compile for Hurd (requested by Marcus Brinkman).
+ * debian/login.pam.d: forgot to remove that comment about login not
+ being PAMified, it is and works fine.
+ * src/login.c: Added login.defs option to turn on and off the persistent
+ login, also give note on when it isn't and is needed in login.defs.
+ * lib/getdef.c: Added CLOSE_SESSIONS for above code.
+ * man/login.defs.5: document the new CLOSE_SESSION option for login
+ * logoutd: disabled until I can fix it to grok /etc/security/time.conf
+
+ -- Ben Collins <bcollins@debian.org> Mon, 13 Sep 1999 18:57:47 -0400
+
+shadow (19990827-1) unstable; urgency=low
+
+ * New Maintainer, with Guy's consent.
+ closes: #22296, #22331 (closed some NMU bug reports)
+ * New upstream release, closes: #15879, #24712, #25739, #28785, #32991
+ closes: #38672, #39933, #41060, #42480, #22534, #12690, #36150, #26412
+ closes: #40398, #43750
+ * Ok, now for some dusting and house cleaning (aka The Bug Killfile
+ Begins Here):
+ %%- login package
+ - Not a bug in login anymore, closes: #28098
+ - No longer pertinent, and is not controlled by the login program,
+ closes: #23155
+ - This does not appear to be a bug anymore, closes: #32424
+ - This is not a login problem. Xterm itself prints the LOGIN message
+ and it does _not_ read login.access, closes: #16958
+ - Seems to be fixed, closes: #28098
+ - Huge list of "Fixed" bugs, that I want to close. I really need to
+ start with a clean slate in order to get some of this cleaned up,
+ closes: #3439, #11443, #13485, #13815, #15176, #15998, #16187, #17529
+ closes: #17532, #17532, #18133, #18225, #20052, #20876, #21280, #21357
+ closes: #21687, #21695, #21746, #21767, #22716, #24710
+ - lastlog(8): Clarified differences in the usage of "login-name" and
+ UID, closes: #26727
+ %%- passwd package
+ - newuser: appears to be working correctly and placing x, not !,
+ closes: #19620
+ - userdel(8): added note about user's mail spool also being deleted,
+ closes: #20790
+ - Can't reproduce this one, closes: #21639
+ - -e expire_date
+ The date on which the user account will be dis-
+ abled. The date is specified in the format
+ MM/DD/YY.
+ Bug filer was trying to use an integer instead of the documented
+ format, closes: #22533
+ - chfn's command line options seem to work for root and non-root,
+ closes: #25396
+ - seems to have been fixed by the latest upstream, #25670
+ - Removed references to shadow(3), closes: #32859
+ - passwd only saves first 8 chars...duh :) closes: #33368
+ - userdel can only do so much, the admin should know to check some
+ things on their own, closes: #35418
+ - Lot's of Y2K issues fixed in this release, closes: #37232
+ - useradd requires the -m option to make it create a home directory
+ if one does not exist, closes: #39581
+ - useradd's -p option requires the password to already be encrypted
+ as documented in useradd(8), closes: #39870, #39874
+ - More "Fixed" bugs in passwd, closes: #13753, #16893, #17894, #18132
+ closes: #18628, #12691
+ %%- su (no longer a package, but has bugs just the same, will be
+ forwarded to the login package soon)
+ - Sorry, but su (all su's) invoke the shell with -c "cmd". This is
+ documented, not a bug, it's a standard interface that su expects,
+ go fix sash's bug for not supporting it, closes: #14551
+ - Acknoledged NMU: closes: #20058
+ - More "Fixed" bugs getting closed...CLOSED AT LAST, closes: #17593
+ closes: #20057, #12689
+ * Switched to a new build setup (dbs)
+ * Split makes into seperate files to make it a little cleaner
+ * FHS compliance changes (usr/{doc,man} to usr/share/{doc,man})
+ * debian/tar.c: removed
+ * su: su is now going to be provided by shadow's login package and
+ removed from shellutils (the shellutils maintainer agreed to this)
+ in preperation for future PAM support. Added conflicts with older
+ version of shellutils that does provide the su binary.
+ * debian/control.in: removed the secure-su package since login now
+ contains su and all of it's components
+ * debian/control.in: modified the package descriptions to be a little
+ more explicative of what they do.
+ * Upgraded standards version to 3.0.1.1
+ * Setup suidmanager support for all +s apps, closes: #15705, #15704, #15699
+ * Enabled PAM. Support now for su, passwd, chfn, chsh. I am working on the
+ support in login.
+ * expiry: Changed to be installed as sgid shadow instead of suid root
+ since it doesn't need root priviledges. Also added man page expiry(1) based
+ on the comments found in expiry.c.
+ * Removed bashism's in control scripts. Now lintian clean (smells fresh too)
+ * chage.c: Keep chage from locking when not running as root, since it just
+ needs to read the shadow and password files. This let's it run sgid shadow
+ instead of suid root. When run as root, it can lock files for editing.
+ * login.c: Pam support Works For Me(tm)!
+ * login.c: Fixed PAM's auth when PAM_USER was not set from the command line,
+ also call pam_fail_delay() with FAIL_DELAY as the arg before authentication.
+ * etc/login.defs.pam.linux: new file, reflects options that PAM takesover
+ * etc/login.defs.pam.hurd: new file, same for Hurd
+ * debian/passwd.mk: make sure that login.defs.5 get's installed for Hurd
+ * pam.d/: Modified defaults for each service to reflect the old style and also
+ added commented options on how to enable obsoleted options from login.defs
+ in the PAM Way(tm).
+ * debian/rules: removed --disable-desrpc from configure options since it was
+ supposedly just a workaround for glibc 2.0
+ * src/login.c: reset pam_fail_delay after every failure
+ * debian/rules: remove debian/files on clean target
+ * src/login.c: removed setup_limits() and check_nologin() usage when PAM is
+ enabled
+ * debian/login.pam.d,debian/login.defs.pam.linux: made notes about the pam_limits.so
+ module, as well as pam_nologin.so
+ * debian/su.pam.d: made notes about pam_limits.so module
+ * debian/control.in: removed depends on libpam-motd since it is now in libpam-modules,
+ also make login conflict with secure-su
+ * debian/*: setup so that Hurd does not get PAM, since they don't have it ported
+ completely yet.
+ * debian/*: Final approach to a final upload, modified login.postinst to check old
+ obsolete conffiles to see if the user needs a notice that they are no longer used.
+
+ -- Ben Collins <bcollins@debian.org> Sat, 11 Sep 1999 19:58:14 -0400
+
+shadow (980403-0.3.3) unstable; urgency=low
+
+ * Non maintainer upload.
+ * Add dpkg-architecture and cross compilation support to the package.
+ * Changes for the Hurd:
+ + Only build passwd, add etc/login.defs.hurd to this package.
+ + libmisc/rlogin.c: Conditionalize CBAUD, which is not portable.
+
+ -- Marcus Brinkmann <brinkmd@debian.org> Thu, 5 Aug 1999 00:28:12 +0200
+
+shadow (980403-0.3.2) unstable; urgency=low
+
+ * configure.in patched for utmpx.h (for arm)
+
+ -- Jim Pick <jim@jimpick.com> Sun, 4 Oct 1998 19:06:15 -0700
+
+shadow (980403-0.3.1) frozen unstable; urgency=low
+
+ * Non maintainer upload.
+ changes.{guess,sub} changed to recognize a Arm architecture.
+
+ -- Turbo Fredriksson <turbo@debian.org> Fri, 14 Aug 1998 22:37:58 -0400
+
+shadow (980403-0.3) frozen unstable; urgency=high
+
+ * Non maintainer upload.
+ * src/login.c: Applied patch from <marekm@i17linuxb.ists.pwr.wroc.pl> to
+ fix security hole of login not checking the return code from setgid(),
+ initgroups() or setuid(). [#24710]
+
+ -- James Troup <james@nocrew.org> Fri, 17 Jul 1998 18:56:31 +0100
+
+shadow (980403-0.2) frozen unstable; urgency=low
+
+ * (login.defs): fixed UMASK
+ (thanks to James Troup for noticing my screwup :)
+ * Pruned non-Debian changelog entries.
+
+ -- Joel Klecker <jk@espy.org> Mon, 11 May 1998 11:25:22 -0700
+
+shadow (980403-0.1) frozen unstable; urgency=low
+
+ * Non-maintainer release.
+ * New upstream release (18225).
+ * (debian/login.postinst)
+ * Use 'touch' instead of 'cat >' when creating /var/log/faillog
+ (15998,16187,21687).
+ * No longer fails if no previous configured version exists (11433).
+ * (gpasswd): now checks which user invoked it before calling setuid() (18132).
+ * (debian/passwd.postinst): removed bashism (13753).
+ * (groupmod): NULL dereference fixed upstream, as a result, it no longer
+ dumps core when changing group name (16893,17894).
+ * (useradd): no longer segfaults if /etc/default/useradd is missing (18628).
+ * (login.defs.1): now documents more options (13485).
+ * (source): includes 'missing' (13815,18133,21280).
+ * (login.1):
+ * Removed mention of "d_passwd(5)", which doesn't exist,
+ and login.defs.5 now documents /etc/dialups (15176).
+ * Added /etc/nologin to FILES section and reference nologin(5) (21695).
+ * The URL mentioned in Bug#15391 is no longer valid.
+ * (login.defs): no longer sets ULIMIT (17529).
+ * (login):
+ * No longer uses static buffers for group lines (17532).
+ * Doesn't seem to make assumptions about gid_t any longer (21767).
+ * (faillog.8): s-/usr/adm-/var/log-g (19974).
+ * (lastlog.8): notes that "some systems" use /var/log instead of
+ /usr/adm (21746).
+ * Install upstream changelog as 'changelog.gz' as per policy (20052).
+ * (secure-su): Changed /etc/suauth to reference the group 'root'
+ instead of 'wheel' (17593).
+
+ -- Joel Klecker <jk@espy.org> Thu, 30 Apr 1998 18:32:12 -0700
+
+shadow (970616-1) unstable; urgency=low
+
+ * Upstream upgrade.
+ * chage works (10561).
+ * Fix NIS behavior (5634,8734,10032,10545,10984,11160,12064).
+ * Wrote pwconv,pwunconv,grpconv,grpunconv manpage (10940).
+ * vipw fixes (10521,10696,11618,11924,12184,13001)
+ * Fixes for new automake.
+ * Compile with glibc2. (8627,8777,9824,11713,11719,12082,12108,11442).
+ * debian/rules fixes (8876,12468).
+ * /etc/login.defs: UMASK=002 (9102).
+ * chown /dev/vcs* on login (9421,13255).
+ * Added tty9-tty12 to /etc/securetty (11644).
+ * Provide template and manpage for /etc/limits (12289).
+ * Fix security hole in postinst (11769).
+ * login fills out ut_addr field in utmp (10701).
+ * shadowconfig.sh fixes (9189,9328,9386,10968,12452,12469).
+ * Overcome postinst bug in old shadow-passwd package (9939,12120).
+ * useradd default GROUP=100 (9244).
+ * Allow 8 bit chars in chfn (12367).
+ * secure-su - set HOME, use SHELL if set (11003,11189).
+
+ -- Guy Maor <maor@ece.utexas.edu> Fri, 26 Sep 1997 19:23:42 -0500
+
+shadow (970616) unstable; urgency=low
+
+ * vipw preserves permissions on edited files (10521).
+ * various other bug fixes.
+
+ -- Marek Michalkiewicz <marekm@piast.t19.ds.pwr.wroc.pl> Mon, 16 Jun 1997 02:02:00 +0200
+
+shadow (970601) unstable; urgency=low
+
+ * Fix typo in libmisc/mail.c causing login to segfault.
+
+ -- Marek Michalkiewicz <marekm@piast.t19.ds.pwr.wroc.pl> Mon, 2 Jun 1997 07:33:00 +0200
+
+shadow (970502-2) unstable; urgency=low
+
+ * Fixes to shadow group support (grpconv didn't work).
+
+ -- Marek Michalkiewicz <marekm@piast.t19.ds.pwr.wroc.pl> Fri, 2 May 1997 15:48:00 +0200
+
+shadow (970502-1) unstable; urgency=low
+
+ * Upstream upgrade.
+
+ -- Marek Michalkiewicz <marekm@piast.t19.ds.pwr.wroc.pl> Fri, 2 May 1997 03:18:00 +0200
+
+shadow (961025-2) frozen unstable; urgency=medium
+
+ * Fix useradd -D segfault (8098, 8152, 8733).
+ * Fix shadowconfig - permfix only on xlock; /etc/init.d/xdm rewrite, chmod
+ (8102, 8320, 8333, 8708).
+ * Remove HOWTO from usr/doc/passwd as it's in linux-doc (8150).
+ * Fixes to su.1 (8153).
+ * login, passwd, su each conflict and replace with the old shadow-*
+ version. (8269, 8290, 8393, 8394).
+ * Put /etc/shells back in passwd (8328).
+ * Fixed login.postinst for upgrade from shadow-login (8392).
+ * Added -e to pwck for use in shadowconfig: reports only errors, no
+ warnings (8542).
+ * Wrote shadowconfig.8 (8588).
+
+ -- Guy Maor <maor@ece.utexas.edu> Sat, 19 Apr 1997 02:34:59 -0500
+
+shadow (961025-1) unstable; urgency=low
+
+ * Upstream upgrade, new source format.
+
+ -- Guy Maor <maor@ece.utexas.edu> Mon, 10 Feb 1997 02:56:56 -0600
+
+shadow (960530-1) experimental; urgency=LOW
+
+ * Added grpunconv script
+ * Changed prerm/postinst scripts to remove/create shadowed group
+ file
+ * Added vipw/vigr binaries
+ * Renamed package to shadow-passwd
+ * Added packages shadow-su and shadow-login
+ * Added 'Essential: yes' to be able to replace passwd and login
+ * Section now base for shadow-passwd and shadow-login
+ * Added /etc/shell conffile
+ * Added /etc/securetty conffile
+ * Added new conffile /etc/suauth. Set it up so only users in group 0
+ can su to root.
+
+ -- Unknown <unknown@debian.org> Mon, 01 Jul 1996 00:00:00 +0000
+
+shadow (960810-1) base; urgency=LOW
+
+ * Added useradd default file so that default group is no longer 1
+ * Also corrected the useradd manpage
+ * Replaced grpunconv script by real binary which does correct
+ locking.
+ * Added 'source' field control file to control files
+ * Changed version naming in debian.rules
+ * New upstream version
+
+ -- Unknown <unknown@debian.org> Mon, 01 Jan 1996 00:00:00 +0000
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..3747bbd
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,88 @@
+Source: shadow
+Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
+Uploaders: Serge Hallyn <serge@hallyn.com>
+Section: admin
+Priority: required
+Build-Depends: debhelper-compat (= 13),
+ gettext,
+ libcrypt-dev,
+ libpam0g-dev,
+ quilt,
+ xsltproc <!nodoc>,
+ docbook-xsl <!nodoc>,
+ docbook-xml <!nodoc>,
+ libxml2-utils <!nodoc>,
+ libselinux1-dev [linux-any],
+ libsemanage-dev [linux-any],
+ itstool <!nodoc>,
+ bison,
+ libaudit-dev [linux-any]
+Standards-Version: 4.6.1
+Vcs-Git: https://salsa.debian.org/debian/shadow.git -b master
+Vcs-Browser: https://salsa.debian.org/debian/shadow
+Homepage: https://github.com/shadow-maint/shadow
+Rules-Requires-Root: binary-targets
+
+Package: passwd
+Architecture: any
+Multi-Arch: foreign
+Depends: ${shlibs:Depends},
+ ${misc:Depends},
+ libpam-modules
+Recommends: sensible-utils
+Description: change and administer password and group data
+ This package includes passwd, chsh, chfn, and many other programs to
+ maintain password and group data.
+ .
+ Shadow passwords are supported. See /usr/share/doc/passwd/README.Debian
+
+Package: login
+Architecture: any
+Multi-Arch: foreign
+Essential: yes
+Pre-Depends: ${shlibs:Depends},
+ ${misc:Depends},
+ libpam-runtime,
+ libpam-modules
+Breaks: hurd (<< 20140206~) [hurd-any]
+Conflicts: python-4suite (<< 0.99cvs20060405-1)
+Replaces: hurd (<< 20140206~) [hurd-any]
+Description: system login tools
+ This package provides some required infrastructure for logins and for
+ changing effective user or group IDs, including:
+ * login, the program that invokes a user shell on a virtual terminal;
+ * nologin, a dummy shell for disabled user accounts;
+
+Package: uidmap
+Architecture: any
+Multi-Arch: foreign
+Priority: optional
+Depends: ${shlibs:Depends},
+ ${misc:Depends}
+Description: programs to help use subuids
+ These programs help unprivileged users to create uid and gid mappings in
+ user namespaces.
+
+Package: libsubid4
+Section: libs
+Priority: optional
+Architecture: any
+Multi-Arch: same
+Pre-Depends: ${misc:Pre-Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: subordinate id handling library -- shared library
+ The library provides an interface for querying, granding and ungranting
+ subordinate user and group ids.
+
+Package: libsubid-dev
+Section: libdevel
+Priority: optional
+Architecture: any
+Multi-Arch: same
+Depends: ${misc:Depends}, libsubid4 (= ${binary:Version})
+Description: subordinate id handling library -- shared library
+ The library provides an interface for querying, granding and ungranting
+ subordinate user and group ids.
+ .
+ This package contains the C header files that are
+ needed for applications to use the libsubid4 library.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..7b7ab2b
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,221 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: Shadow
+Source: https://github.com/shadow-maint/shadow
+Note: atudel is licensed under BSD-4-Clause which is not DFSG compatible
+Files-Excluded: contrib/atudel
+
+Files: *
+Copyright: 1989-1994, Julianne Frances Haugh
+ 2016-2022, Serge Hallyn <serge@hallyn.com>
+License: BSD-3-clause
+
+Files: man/po/da.po
+ man/po/de.po
+ man/tr/man1/su.1
+ po/da.po
+ po/de.po
+ po/es.po
+ po/eu.po
+ po/fi.po
+ po/gl.po
+ po/it.po
+ po/kk.po
+ po/nb.po
+ po/nl.po
+ po/nn.po
+ po/pl.po
+ po/pt_BR.po
+ po/ru.po
+ po/sq.po
+ po/sv.po
+ po/vi.po
+Copyright: 1999-2015, Free Software Foundation, Inc
+License: BSD-3-clause
+
+Files: man/fi/man1/chfn.1
+ man/id/man1/*
+ man/ko/man1/chfn.1
+ man/ko/man1/chsh.1
+ man/tr/man1/chfn.1
+ man/zh_TW/man1/chfn.1
+ man/zh_TW/man1/chsh.1
+Copyright: 1994, salvatore valente <svalente@athena.mit.edu>
+License: GPL-1
+
+Files: man/pt_BR/man8/*
+ man/zh_TW/man8/usermod.8
+Copyright: 1991-1994, Julianne Frances Haugh
+License: BSD-3-clause
+
+Files: man/hu/man1/gpasswd.1
+ man/ja/man1/gpasswd.1
+ man/pt_BR/man1/*
+Copyright: 1996, Rafal Maszkowski <rzm@pdi.net>
+License: BSD-3-clause
+
+Files: man/id/man1/login.1
+ man/ko/man1/login.1
+ man/tr/man1/login.1
+Copyright: 1993, Rickard E. Faith <faith@cs.unc.edu>
+License: BSD-3-clause
+
+Files: man/ja/man1/groups.1
+ man/ja/man5/limits.5
+ man/ja/man8/vipw.8
+Copyright: 2001, Maki KURODA
+License: BSD-3-clause
+
+Files: man/pt_BR/man5/passwd.5
+ man/tr/man5/passwd.5
+Copyright: 1993, Michael Haardt <michael@moria.de>
+License: GPL-2+
+
+Files: man/ja/man1/chage.1
+ man/ja/man5/suauth.5
+Copyright: 1997, Kazuyoshi Furutaka
+License: BSD-3-clause
+
+Files: man/po/fr.po
+ po/fr.po
+Copyright: 2011-2013, Debian French l10n team <debian-l10n-french@lists.debian.org>
+License: BSD-3-clause
+
+Files: man/zh_TW/man5/*
+Copyright: 1993, Michael Haardt <michael@moria.de>
+ 1993, Scorpio, www.linuxforum.net
+License: GPL-2+
+
+Files: contrib/udbachk.tgz
+Copyright: 1999, Sami Kerola and Janne Riihijärvi
+License: GPL-2+
+
+Files: man/hu/man5/*
+Copyright: 1993, Michael Haardt <u31b3hs@pool.informatik.rwth-aachen.de>
+License: GPL-2+
+
+Files: contrib/adduser2.sh
+Copyright: 1996, Petri Mattila, Prihateam Networks <petri@prihateam.fi>
+License: GPL-2+
+
+Files: contrib/pwdauth.c
+Copyright: 1996, Marek Michalkiewicz
+License: BSD-3-clause
+
+Files: lib/subordinateio.h
+Copyright: 2012, Eric W. Biederman
+License: BSD-3-clause
+
+Files: libmisc/date_to_str.c
+Copyright: 2021, Alejandro Colomar <alx.manpages@gmail.com>
+License: BSD-3-clause
+
+Files: man/hu/man1/su.1
+Copyright: 1999, Ragnar Hojland Espinosa <ragnar@macula.net>
+License: BSD-3-clause
+
+Files: man/ja/man1/id.1
+Copyright: 2000, ISHIKAWA Keisuke
+License: BSD-3-clause
+
+Files: man/ja/man8/pwconv.8
+Copyright: 2001, Yuichi SATO
+License: BSD-3-clause
+
+Files: src/login_nopam.c
+Copyright: 1995, Wietse Venema
+License: BSD-3-clause
+
+Files: src/su.c
+Copyright: 1989 - 1994, Julianne Frances Haugh
+ 1996 - 2000, Marek Michałkiewicz
+ 2000 - 2006, Tomasz Kłoczko
+ 2007 - 2013, Nicolas François
+License: GPL-2+
+
+Files: src/vipw.c
+Copyright: 1997, Guy Maor <maor@ece.utexas.edu>
+ 1999 - 2000, Marek Michałkiewicz
+ 2002 - 2006, Tomasz Kłoczko
+ 2007 - 2013, Nicolas François
+License: GPL-2+
+
+Files: libmisc/getdate.y
+Copyright: Steven M. Bellovin <smb@research.att.com>
+License: public-domain
+ Originally written by Steven M. Bellovin <smb@research.att.com> while
+ at the University of North Carolina at Chapel Hill. Later tweaked by
+ a couple of people on Usenet. Completely overhauled by Rich $alz
+ <rsalz@bbn.com> and Jim Berets <jberets@bbn.com> in August, 1990;
+ .
+ This code is in the public domain and has no copyright.
+
+Files: man/ko/man5/*
+Copyright: 2000, ASPLINUX <man@asp-linux.co.kr>
+License: GPL-2+
+
+Files: debian/*
+Copyright: 1999-2001, Ben Collins <bcollins@debian.org>
+ 2001-2004 Karl Ramm <kcr@debian.org>
+ 2004-2014 Christian Perrier <bubulle@debian.org>
+ 2006-2012 Nicolas Francois (Nekral) <nicolas.francois@centraliens.net>
+ 2017-2022 Balint Reczey <balint@balintreczey.hu>
+License: BSD-3-clause
+
+Files: debian/HOME_MODE.xml
+Copyright: 1991-1993, Chip Rosenthal
+ 1991-1993, Julianne Frances Haugh
+ 2007-2009, Nicolas François
+License: BSD-3-clause
+
+Files: debian/patches/401_cppw_src.dpatch
+Copyright: 1997, Guy Maor <maor@ece.utexas.edu>
+ 1999, Stephen Frost <sfrost@snowman.net>
+License: GPL-2+
+
+Files: debian/passwd.expire.cron
+Copyright: 1999, Ben Collins <bcollins@debian.org>
+License: BSD-3-clause
+
+License: BSD-3-clause
+ All rights reserved.
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. Neither the name of the University nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+License: GPL-1
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 1
+ .
+ On Debian systems, the complete text of version 1 of the GNU General
+ Public License can be found in '/usr/share/common-licenses/GPL-1'.
+
+License: GPL-2+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 dated June, 1991, or (at
+ your option) any later version.
+ .
+ On Debian systems, the complete text of version 2 of the GNU General
+ Public License can be found in '/usr/share/common-licenses/GPL-2'.
diff --git a/debian/cpgr.8 b/debian/cpgr.8
new file mode 100644
index 0000000..d62ec36
--- /dev/null
+++ b/debian/cpgr.8
@@ -0,0 +1 @@
+.so man8/cppw.8
diff --git a/debian/cppw.8 b/debian/cppw.8
new file mode 100644
index 0000000..6a9cc6f
--- /dev/null
+++ b/debian/cppw.8
@@ -0,0 +1,27 @@
+.TH CPPW 8 "7 Apr 2005"
+.SH NAME
+cppw, cpgr \- copy with locking the given file to the password or group file
+.SH SYNOPSIS
+\fBcppw\fR [\fB\-h\fR] [\fB\-s\fR] password_file
+.br
+\fBcpgr\fR [\fB\-h\fR] [\fB\-s\fR] group_file
+
+.SH DESCRIPTION
+.BR cppw " and " cpgr
+will copy, with locking, the given file to
+.IR /etc/passwd " and " /etc/group ", respectively."
+With the \fB\-s\fR flag, they will copy the shadow versions of those files,
+.IR /etc/shadow " and " /etc/gshadow ", respectively."
+
+With the \fB\-h\fR flag, the commands display a short help message and exit
+silently.
+.SH "SEE ALSO"
+.BR vipw (8),
+.BR vigr (8),
+.BR group (5),
+.BR passwd (5),
+.BR shadow (5),
+.BR gshadow (5)
+.SH AUTHOR
+\fBcppw\fR and \fBcpgr\fR were written by Stephen Frost, based on
+\fBvipw\fR and \fBvigr\fR written by Guy Maor.
diff --git a/debian/default/useradd b/debian/default/useradd
new file mode 100644
index 0000000..2cb8167
--- /dev/null
+++ b/debian/default/useradd
@@ -0,0 +1,37 @@
+# Default values for useradd(8)
+#
+# The SHELL variable specifies the default login shell on your
+# system.
+# Similar to DSHELL in adduser. However, we use "sh" here because
+# useradd is a low level utility and should be as general
+# as possible
+SHELL=/bin/sh
+#
+# The default group for users
+# 100=users on Debian systems
+# Same as USERS_GID in adduser
+# This argument is used when the -n flag is specified.
+# The default behavior (when -n and -g are not specified) is to create a
+# primary user group with the same name as the user being added to the
+# system.
+# GROUP=100
+#
+# The default home directory. Same as DHOME for adduser
+# HOME=/home
+#
+# The number of days after a password expires until the account
+# is permanently disabled
+# INACTIVE=-1
+#
+# The default expire date
+# EXPIRE=
+#
+# The SKEL variable specifies the directory containing "skeletal" user
+# files; in other words, files such as a sample .profile that will be
+# copied to the new user's home directory when it is created.
+# SKEL=/etc/skel
+#
+# Defines whether the mail spool should be created while
+# creating the account
+# CREATE_MAIL_SPOOL=no
+
diff --git a/debian/dependencies b/debian/dependencies
new file mode 100644
index 0000000..e8cc141
--- /dev/null
+++ b/debian/dependencies
@@ -0,0 +1,94 @@
+Build-Depends:
+==============
+ * autoconf
+ * automake1.9
+ works with 1.7 or 1.9 (at least)
+ * libtool
+ * gettext
+ POT, PO, GMO regenerated?
+ * libpam0g-dev
+ OK
+ * debhelper (>= 4.1.16)
+ * po-debconf
+ OK
+ * quilt
+ patch system
+ * dpkg-dev (>= 1.13.5)
+ * xsltproc
+ used to generate the manpages
+ * docbook-xsl
+ needed for /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl
+ * docbook-xml
+ manpages/docbook.xsl includes html/docbook.xsl
+ (But it is not strictly needed. The generated manpages are identical.
+ Without it, a warning is generated.)
+ Needed by JH_CHECK_XML_CATALOG([-//OASIS//DTD DocBook XML V4.1.2//EN], [DocBook XML DTD V4.1.2], [], enable_man=no)
+ * libxml2-utils
+ needed by the JH_CHECK_XML_CATALOG macros
+ * cdbs
+ used in debian/rules
+ * libselinux1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64]
+ * gnome-doc-utils (>= 0.4.3-1)
+ xml2po, 0.4.3-1 needed for the -l switch.
+
+passwd Depends:
+===============
+ * ${shlibs:Depends}
+ OK
+ * ${loginpam}
+ - hurd
+ login
+ libpam-modules (>= 0.72-5)
+ - other archs
+ + login (>= 970502-1)
+ login is needed because some passwd utils need /etc/login.defs
+ login is Essential, so this is just to enforce the version
+ + libpam-modules (>= 0.72-5)
+ * debianutils (>= 2.15.2)
+ After 1:4.0.12-6, {add,remove}-shell are distributed in debianutils (2.15)
+ /etc/shell was forgotten and introduced in debianutils in 2.15.2
+
+passwd Conflicts:
+=================
+
+passwd Replaces:
+================
+ Some of the passwd man pages are also distributed in some manpages* packages.
+ Look at the debian/02/run test to optimize these dependencies.
+ NOTE: Not all maintainers have been notified.
+ * manpages-de (<< 0.4-9), manpages-fi (<< 0.2-4), manpages-fr (<<1.64.0-1), manpages-hu (<< 20010119-5), manpages-it (<< 0.3.4-3), manpages-ja (<< 0.5.0.0.20050915-1), manpages-ko (<< 20050219-2), manpages-es (<< 1.55-4), manpages-es-extra (<< 0.8a-15), manpages-ru (<< 0.98-3)
+ All those packages have been updated during sarge->etch. So these Replaces
+ should be removed after lenny release
+ * manpages-tr, manpages-zh
+ Those packages are still in etch, so the Replaces should be kept even
+ after lenny release
+
+login Pre-Depends:
+==================
+ * ${shlibs:Depends}
+ * libpam-runtime (>= 0.76-14)
+ sarge contained 0.76-22
+
+Why Pre-Depends? (because it's an essential package?)
+
+login Depends:
+==============
+ * libpam-modules (>= 0.72-5)
+ libpam-modules is needed.
+ potato contained 0.72-9
+
+login Conflicts:
+================
+
+login Replaces:
+===============
+ * Some of the login man pages are also distributed in some manpages* packages.
+ Look at the debian/02/run test to optimize these dependencies.
+ NOTE: Not all maintainers have been notified.
+ - manpages-fi, manpages-fr (<<1.64.0-1), manpages-hu, manpages-it, manpages-ko, manpages-ja (<< 0.5.0.0.20050915-1), manpages-de (<< 0.4-10), manpages-es-extra (<<0.8a-15)
+ Those are packages that have been updated during sarge->etch. These
+ Replaces should be removed after lenny
+ - manpages-tr, manpages-zh
+ Those packages are still in etch, so the Replaces should be kept even
+ after lenny release
+
diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml
new file mode 100644
index 0000000..d374267
--- /dev/null
+++ b/debian/gitlab-ci.yml
@@ -0,0 +1,7 @@
+variables:
+ RELEASE: 'unstable'
+ # workaround for https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/259
+ SALSA_CI_REPROTEST_ARGS: --vary=domain_host.use_sudo=1
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
diff --git a/debian/libsubid-dev.install b/debian/libsubid-dev.install
new file mode 100644
index 0000000..264d792
--- /dev/null
+++ b/debian/libsubid-dev.install
@@ -0,0 +1,3 @@
+usr/include/*
+usr/lib/*/libsubid.a
+usr/lib/*/libsubid.so
diff --git a/debian/libsubid4.install b/debian/libsubid4.install
new file mode 100644
index 0000000..73a9bcc
--- /dev/null
+++ b/debian/libsubid4.install
@@ -0,0 +1 @@
+usr/lib/*/libsubid.so.*
diff --git a/debian/libsubid4.symbols b/debian/libsubid4.symbols
new file mode 100644
index 0000000..3357b3a
--- /dev/null
+++ b/debian/libsubid4.symbols
@@ -0,0 +1,10 @@
+libsubid.so.4 libsubid4 #MINVER#
+ subid_get_gid_owners@Base 1:4.11.1
+ subid_get_gid_ranges@Base 1:4.11.1
+ subid_get_uid_owners@Base 1:4.11.1
+ subid_get_uid_ranges@Base 1:4.11.1
+ subid_grant_gid_range@Base 1:4.11.1
+ subid_grant_uid_range@Base 1:4.11.1
+ subid_init@Base 1:4.11.1
+ subid_ungrant_gid_range@Base 1:4.11.1
+ subid_ungrant_uid_range@Base 1:4.11.1
diff --git a/debian/login.defs b/debian/login.defs
new file mode 100644
index 0000000..142e5b0
--- /dev/null
+++ b/debian/login.defs
@@ -0,0 +1,394 @@
+#
+# /etc/login.defs - Configuration control definitions for the login package.
+#
+# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
+# If unspecified, some arbitrary (and possibly incorrect) value will
+# be assumed. All other items are optional - if not specified then
+# the described action or option will be inhibited.
+#
+# Comment lines (lines beginning with "#") and blank lines are ignored.
+#
+# Modified for Linux. --marekm
+
+# REQUIRED for useradd/userdel/usermod
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
+# MAIL_DIR takes precedence.
+#
+# Essentially:
+# - MAIL_DIR defines the location of users mail spool files
+# (for mbox use) by appending the username to MAIL_DIR as defined
+# below.
+# - MAIL_FILE defines the location of the users mail spool files as the
+# fully-qualified filename obtained by prepending the user home
+# directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+# which is, starting from shadow 4.0.12-1 in Debian, entirely the
+# job of the pam_mail PAM modules
+# See default PAM configuration files provided for
+# login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR /var/mail
+#MAIL_FILE .mail
+
+#
+# Enable logging and display of /var/log/faillog login failure info.
+# This option conflicts with the pam_tally PAM module.
+#
+FAILLOG_ENAB yes
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+# WARNING: Unknown usernames may become world readable.
+# See #290803 and #298773 for details about how this could become a security
+# concern
+LOG_UNKFAIL_ENAB no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB yes
+SYSLOG_SG_ENAB yes
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE /var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100 tty01".
+#
+#TTYTYPE_FILE /etc/ttytype
+
+#
+# If defined, login failures will be logged here in a utmp format
+# last, when invoked as lastb, will read /var/log/btmp, so...
+#
+FTMP_FILE /var/log/btmp
+
+#
+# If defined, the command name to display when running "su -". For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su". If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME su
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+#
+# *REQUIRED* The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+# In Debian /usr/bin/bsd-write or similar programs are setgid tty
+# However, the default and recommended value for TTYPERM is still 0600
+# to not allow anyone to write to anyone else console or terminal
+
+# Users can still allow other people to write them by issuing
+# the "mesg y" command.
+
+TTYGROUP tty
+TTYPERM 0600
+
+#
+# Login configuration initializations:
+#
+# ERASECHAR Terminal ERASE character ('\010' = backspace).
+# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+# UMASK Default "umask" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+#
+# UMASK is the default umask value for pam_umask and is used by
+# useradd and newusers to set the mode of the new home directories.
+# 022 is the "historical" value in Debian for UMASK
+# 027, or even 077, could be considered better for privacy
+# There is no One True Answer here : each sysadmin must make up his/her
+# mind.
+#
+# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
+# for private user groups, i. e. the uid is the same as gid, and username is
+# the same as the primary group name: for these, the user permissions will be
+# used as group permissions, e. g. 022 will become 002.
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR 0177
+KILLCHAR 025
+UMASK 022
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+#HOME_MODE 0700
+
+#
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_WARN_AGE 7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+#SYS_UID_MIN 100
+#SYS_UID_MAX 999
+# Extra per user uids
+SUB_UID_MIN 100000
+SUB_UID_MAX 600100000
+SUB_UID_COUNT 65536
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+#SYS_GID_MIN 100
+#SYS_GID_MAX 999
+# Extra per user group ids
+SUB_GID_MIN 100000
+SUB_GID_MAX 600100000
+SUB_GID_COUNT 65536
+
+#
+# Max number of login retries if password is bad. This will most likely be
+# overriden by PAM, since the default pam_unix module has it's own built
+# in of 3 retries. However, this is a safe fallback in case you are using
+# an authentication module that does not enforce PAM_MAXTRIES.
+#
+LOGIN_RETRIES 5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT 60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT rwh
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is no.
+#
+DEFAULT_HOME yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# If set to yes, userdel will remove the user's group if it contains no
+# more members, and useradd will create by default a group with the name
+# of the user.
+#
+# Other former uses of this variable such as setting the umask when
+# user==primary group are not used in PAM environments, such as Debian
+#
+USERGROUPS_ENAB yes
+
+#
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
+#
+# FAKE_SHELL /bin/fakeshell
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# upon these devices.
+#
+# This variable is used by login and su.
+#
+#CONSOLE /etc/consoles
+#CONSOLE console:tty01:tty02:tty03:tty04
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting). Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# This variable is used by login and su.
+#
+#CONSOLE_GROUPS floppy:audio:cdrom
+
+#
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm. Default is "no".
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB no
+
+#
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+ENCRYPT_METHOD SHA512
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, the libc will choose the default number of rounds (5000),
+# which is orders of magnitude too low for modern hardware.
+# The values must be within the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#SHA_CRYPT_MIN_ROUNDS 5000
+#SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# Only works if ENCRYPT_METHOD is set to YESCRYPT.
+#
+# Define the YESCRYPT cost factor.
+# With a higher cost factor, it is more difficult to brute-force the password.
+# However, more CPU time and more memory will be needed to authenticate users
+# if this value is increased.
+#
+# If not specified, a cost factor of 5 will be used.
+# The value must be within the 1-11 range.
+#
+#YESCRYPT_COST_FACTOR 5
+
+#
+# The pwck(8) utility emits a warning for any system account with a home
+# directory that does not exist. Some system accounts intentionally do
+# not have a home directory. Such accounts may have this string as
+# their home directory in /etc/passwd to avoid a spurious warning.
+#
+NONEXISTENT /nonexistent
+
+#
+# Allow newuidmap and newgidmap when running under an alternative
+# primary group.
+#
+#GRANT_AUX_GROUP_SUBIDS yes
+
+#
+# Select the HMAC cryptography algorithm.
+# Used in pam_timestamp module to calculate the keyed-hash message
+# authentication code.
+#
+# Note: It is recommended to check hmac(3) to see the possible algorithms
+# that are available in your system.
+#
+#HMAC_CRYPTO_ALGO SHA512
+
+################# OBSOLETED BY PAM ##############
+# #
+# These options are now handled by PAM. Please #
+# edit the appropriate file in /etc/pam.d/ to #
+# enable the equivelants of them.
+#
+###############
+
+#MOTD_FILE
+#DIALUPS_CHECK_ENAB
+#LASTLOG_ENAB
+#MAIL_CHECK_ENAB
+#OBSCURE_CHECKS_ENAB
+#PORTTIME_CHECKS_ENAB
+#SU_WHEEL_ONLY
+#CRACKLIB_DICTPATH
+#PASS_CHANGE_TRIES
+#PASS_ALWAYS_WARN
+#ENVIRON_FILE
+#NOLOGINS_FILE
+#ISSUE_FILE
+#PASS_MIN_LEN
+#PASS_MAX_LEN
+#ULIMIT
+#ENV_HZ
+#CHFN_AUTH
+#CHSH_AUTH
+#FAIL_DELAY
+
+################# OBSOLETED #######################
+# #
+# These options are no more handled by shadow. #
+# #
+# Shadow utilities will display a warning if they #
+# still appear. #
+# #
+###################################################
+
+# CLOSE_SESSIONS
+# LOGIN_STRING
+# NO_PASSWORD_CONSOLE
+# QMAIL_DIR
+
+
+
diff --git a/debian/login.dirs b/debian/login.dirs
new file mode 100644
index 0000000..1da8fba
--- /dev/null
+++ b/debian/login.dirs
@@ -0,0 +1 @@
+usr/share/lintian/overrides
diff --git a/debian/login.install b/debian/login.install
new file mode 100644
index 0000000..96fe109
--- /dev/null
+++ b/debian/login.install
@@ -0,0 +1,7 @@
+debian/login.defs etc
+usr/share/locale/*/LC_MESSAGES/shadow.mo
+sbin/nologin usr/sbin
+usr/bin/faillog
+usr/bin/lastlog
+usr/bin/newgrp
+bin/login usr/bin
diff --git a/debian/login.links b/debian/login.links
new file mode 100644
index 0000000..3886f8f
--- /dev/null
+++ b/debian/login.links
@@ -0,0 +1 @@
+usr/bin/newgrp usr/bin/sg
diff --git a/debian/login.lintian-overrides b/debian/login.lintian-overrides
new file mode 100644
index 0000000..7d01e40
--- /dev/null
+++ b/debian/login.lintian-overrides
@@ -0,0 +1 @@
+login: elevated-privileges 4755 root/root [usr/bin/newgrp]
diff --git a/debian/login.maintscript b/debian/login.maintscript
new file mode 100644
index 0000000..cec6da2
--- /dev/null
+++ b/debian/login.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/securetty 1:4.7-1~
diff --git a/debian/login.manpages b/debian/login.manpages
new file mode 100644
index 0000000..2792cb2
--- /dev/null
+++ b/debian/login.manpages
@@ -0,0 +1,16 @@
+usr/share/man/*/man1/login.1
+usr/share/man/*/man1/newgrp.1
+usr/share/man/*/man1/sg.1
+usr/share/man/*/man5/faillog.5
+usr/share/man/*/man5/login.defs.5
+usr/share/man/*/man8/faillog.8
+usr/share/man/*/man8/lastlog.8
+usr/share/man/*/man8/nologin.8
+usr/share/man/man1/login.1
+usr/share/man/man1/newgrp.1
+usr/share/man/man1/sg.1
+usr/share/man/man5/faillog.5
+usr/share/man/man5/login.defs.5
+usr/share/man/man8/faillog.8
+usr/share/man/man8/lastlog.8
+usr/share/man/man8/nologin.8
diff --git a/debian/login.pam b/debian/login.pam
new file mode 100644
index 0000000..aaadc64
--- /dev/null
+++ b/debian/login.pam
@@ -0,0 +1,100 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth optional pam_faildelay.so delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth required pam_issue.so issue=/etc/issue
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session required pam_loginuid.so
+
+# Prints the message of the day upon successful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# pam_selinux.so changes the SELinux context of the used TTY and configures
+# SELinux in order to transition to the user context with the next execve()
+# call.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables can also be set in /etc/default/locale
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth optional pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restraint on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account required pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# Prints the last login info upon successful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session optional pam_lastlog.so
+
+# Prints the status of the user's mailbox upon successful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session optional pam_mail.so standard
+
+# Create a new session keyring.
+session optional pam_keyinit.so force revoke
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password
diff --git a/debian/login.postinst b/debian/login.postinst
new file mode 100644
index 0000000..2261e1b
--- /dev/null
+++ b/debian/login.postinst
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+
+if [ "$1" = "configure" ]; then
+ # Install faillog during initial installs only
+ if [ "$2" = "" ] && [ ! -f "$DPKG_ROOT/var/log/faillog" ] ; then
+ touch "$DPKG_ROOT/var/log/faillog"
+ chown 0:0 "$DPKG_ROOT/var/log/faillog"
+ chmod 644 "$DPKG_ROOT/var/log/faillog"
+ fi
+
+ # Create subuid/subgid if missing
+ if [ ! -e "$DPKG_ROOT/etc/subuid" ]; then
+ touch "$DPKG_ROOT/etc/subuid"
+ chown 0:0 "$DPKG_ROOT/etc/subuid"
+ chmod 644 "$DPKG_ROOT/etc/subuid"
+ fi
+
+ if [ ! -e "$DPKG_ROOT/etc/subgid" ]; then
+ touch "$DPKG_ROOT/etc/subgid"
+ chown 0:0 "$DPKG_ROOT/etc/subgid"
+ chmod 644 "$DPKG_ROOT/etc/subgid"
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/not-installed b/debian/not-installed
new file mode 100644
index 0000000..9d7299a
--- /dev/null
+++ b/debian/not-installed
@@ -0,0 +1,36 @@
+bin/groups
+etc/default/useradd
+etc/login.defs
+etc/pam.d/chfn
+etc/pam.d/chage
+etc/pam.d/chpasswd
+etc/pam.d/chsh
+etc/pam.d/groupadd
+etc/pam.d/groupdel
+etc/pam.d/groupmems
+etc/pam.d/groupmod
+etc/pam.d/login
+etc/pam.d/newusers
+etc/pam.d/passwd
+etc/pam.d/useradd
+etc/pam.d/userdel
+etc/pam.d/usermod
+usr/bin/sg
+usr/lib/*/libsubid.la
+usr/sbin/logoutd
+usr/sbin/vigr
+usr/share/man/*/man1/groups.1
+usr/share/man/*/man1/logoutd.1
+usr/share/man/*/man1/su.1
+usr/share/man/*/man3/getspnam.3
+usr/share/man/*/man3/shadow.3
+usr/share/man/*/man5/suauth.5
+usr/share/man/*/man8/logoutd.8
+usr/share/man/man1/groups.1
+usr/share/man/man1/logoutd.1
+usr/share/man/man1/su.1
+usr/share/man/man3/getspnam.3
+usr/share/man/man3/shadow.3
+usr/share/man/man5/suauth.5
+usr/share/man/man8/logoutd.8
+
diff --git a/debian/passwd.chage.pam b/debian/passwd.chage.pam
new file mode 100644
index 0000000..d31356e
--- /dev/null
+++ b/debian/passwd.chage.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'chage' service
+#
+
+# This allows root to change password aging being prompted for a password
+auth sufficient pam_rootok.so
+
+# checks for account validity
+account required pam_permit.so
diff --git a/debian/passwd.chfn.pam b/debian/passwd.chfn.pam
new file mode 100644
index 0000000..10fcf07
--- /dev/null
+++ b/debian/passwd.chfn.pam
@@ -0,0 +1,16 @@
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+
+# This allows root to change user infomation without being
+# prompted for a password
+auth sufficient pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
+
diff --git a/debian/passwd.chpasswd.pam b/debian/passwd.chpasswd.pam
new file mode 100644
index 0000000..da2adcc
--- /dev/null
+++ b/debian/passwd.chpasswd.pam
@@ -0,0 +1,5 @@
+# The PAM configuration file for the Shadow 'chpasswd' service
+#
+
+@include common-password
+
diff --git a/debian/passwd.chsh.pam b/debian/passwd.chsh.pam
new file mode 100644
index 0000000..7eb604d
--- /dev/null
+++ b/debian/passwd.chsh.pam
@@ -0,0 +1,20 @@
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+
+# This will not allow a user to change their shell unless
+# their current one is listed in /etc/shells. This keeps
+# accounts with special shells from changing them.
+auth required pam_shells.so
+
+# This allows root to change user shell without being
+# prompted for a password
+auth sufficient pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
diff --git a/debian/passwd.dirs b/debian/passwd.dirs
new file mode 100644
index 0000000..d2a6c07
--- /dev/null
+++ b/debian/passwd.dirs
@@ -0,0 +1,2 @@
+usr/share/lintian/overrides
+etc/default
diff --git a/debian/passwd.examples b/debian/passwd.examples
new file mode 100644
index 0000000..85a2684
--- /dev/null
+++ b/debian/passwd.examples
@@ -0,0 +1 @@
+debian/passwd.expire.cron
diff --git a/debian/passwd.expire.cron b/debian/passwd.expire.cron
new file mode 100644
index 0000000..5e5b69f
--- /dev/null
+++ b/debian/passwd.expire.cron
@@ -0,0 +1,57 @@
+#!/usr/bin/perl
+#
+# passwd.expire.cron: sample expiry notification script for use as a cronjob
+#
+# Copyright 1999 by Ben Collins <bcollins@debian.org>, complete rights granted
+# for use, distribution, modification, etc.
+#
+# Usage:
+# edit the listed options, including the actual email, then rename to
+# /etc/cron.daily/passwd
+#
+# If your users don't have a valid login shell (ie. they are ftp or mail
+# users only), they will need some other way to change their password
+# (telnet will work since login will handle password aging, or a poppasswd
+# program, if they are mail users).
+
+# <CONFIG> #
+
+# should be same as /etc/adduser.conf
+$LOW_UID=1000;
+$HIGH_UID=29999;
+
+# this let's the MTA handle the domain,
+# set it manually if you want. Make sure
+# you also add the @ like "\@domain.com"
+$MAIL_DOM="";
+
+# </CONFIG> #
+
+# Set the current day reference
+$curdays = int(time() / (60 * 60 * 24));
+
+# Now go through the list
+
+open(SH, "< /etc/shadow");
+while (<SH>) {
+ @shent = split(':', $_);
+ @userent = getpwnam($shent[0]);
+ if ($userent[2] >= $LOW_UID && $userent[2] <= $HIGH_UID) {
+ if ($curdays > $shent[2] + $shent[4] - $shent[5] &&
+ $shent[4] != -1 && $shent[4] != 0 &&
+ $shent[5] != -1 && $shent[5] != 0) {
+ $daysleft = ($shent[2] + $shent[4]) - $curdays;
+ if ($daysleft == 1) { $days = "day"; } else {$days = "days"; }
+ if ($daysleft < 0) { next; }
+ open (MAIL, "| mail -s '[WARNING] account will expire in $daysleft $days' $shent[0]${MAIL_DOM}");
+ print MAIL <<EOF;
+Your account will expire in $daysleft $days. Please change your password before
+then or your account will expire
+EOF
+ close (MAIL);
+ # This makes sure we also get a list of almost expired users
+ print "$shent[0]'s account will expire in $daysleft days\n";
+ }
+ }
+ @userent = getpwent();
+}
diff --git a/debian/passwd.groupadd.pam b/debian/passwd.groupadd.pam
new file mode 100644
index 0000000..374c2fe
--- /dev/null
+++ b/debian/passwd.groupadd.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupadd' service
+#
+
+# This allows root to add groups without being prompted for a password
+auth sufficient pam_rootok.so
+
+# checks for account validity
+account required pam_permit.so
diff --git a/debian/passwd.groupdel.pam b/debian/passwd.groupdel.pam
new file mode 100644
index 0000000..da81c19
--- /dev/null
+++ b/debian/passwd.groupdel.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupdel' service
+#
+
+# This allows root to remove groups without being prompted for a password
+auth sufficient pam_rootok.so
+
+# checks for account validity
+account required pam_permit.so
diff --git a/debian/passwd.groupmod.pam b/debian/passwd.groupmod.pam
new file mode 100644
index 0000000..a08d8c4
--- /dev/null
+++ b/debian/passwd.groupmod.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupmod' service
+#
+
+# This allows root to modify groups without being prompted for a password
+auth sufficient pam_rootok.so
+
+# checks for account validity
+account required pam_permit.so
diff --git a/debian/passwd.install b/debian/passwd.install
new file mode 100644
index 0000000..4feedc1
--- /dev/null
+++ b/debian/passwd.install
@@ -0,0 +1,26 @@
+debian/default/useradd etc/default
+debian/shadowconfig usr/sbin
+usr/bin/chage
+usr/bin/chfn
+usr/bin/chsh
+usr/bin/expiry
+usr/bin/gpasswd
+usr/bin/passwd
+usr/sbin/chpasswd
+usr/sbin/chgpasswd
+usr/sbin/cppw
+usr/sbin/groupadd
+usr/sbin/groupdel
+usr/sbin/groupmod
+usr/sbin/groupmems
+usr/sbin/grpck
+usr/sbin/grpconv
+usr/sbin/grpunconv
+usr/sbin/newusers
+usr/sbin/pwck
+usr/sbin/pwconv
+usr/sbin/pwunconv
+usr/sbin/useradd
+usr/sbin/userdel
+usr/sbin/usermod
+usr/sbin/vipw
diff --git a/debian/passwd.links b/debian/passwd.links
new file mode 100644
index 0000000..57b529e
--- /dev/null
+++ b/debian/passwd.links
@@ -0,0 +1,2 @@
+usr/sbin/vipw usr/sbin/vigr
+usr/sbin/cppw usr/sbin/cpgr
diff --git a/debian/passwd.lintian-overrides b/debian/passwd.lintian-overrides
new file mode 100644
index 0000000..b7d689e
--- /dev/null
+++ b/debian/passwd.lintian-overrides
@@ -0,0 +1,6 @@
+passwd: elevated-privileges 2755 root/shadow [usr/bin/chage]
+passwd: elevated-privileges 4755 root/root [usr/bin/chfn]
+passwd: elevated-privileges 4755 root/root [usr/bin/chsh]
+passwd: elevated-privileges 2755 root/shadow [usr/bin/expiry]
+passwd: elevated-privileges 4755 root/root [usr/bin/gpasswd]
+passwd: elevated-privileges 4755 root/root [usr/bin/passwd]
diff --git a/debian/passwd.maintscript b/debian/passwd.maintscript
new file mode 100644
index 0000000..8409a07
--- /dev/null
+++ b/debian/passwd.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/cron.daily/passwd 1:4.7-2~
diff --git a/debian/passwd.manpages b/debian/passwd.manpages
new file mode 100644
index 0000000..8e552c8
--- /dev/null
+++ b/debian/passwd.manpages
@@ -0,0 +1,60 @@
+debian/cpgr.8
+debian/cppw.8
+usr/share/man/*/man1/chage.1
+usr/share/man/*/man1/chfn.1
+usr/share/man/*/man1/chsh.1
+usr/share/man/*/man1/expiry.1
+usr/share/man/*/man1/gpasswd.1
+usr/share/man/*/man1/passwd.1
+usr/share/man/*/man5/passwd.5
+usr/share/man/*/man5/subgid.5
+usr/share/man/*/man5/subuid.5
+usr/share/man/*/man5/shadow.5
+usr/share/man/*/man5/gshadow.5
+usr/share/man/*/man8/chpasswd.8
+usr/share/man/*/man8/chgpasswd.8
+usr/share/man/*/man8/groupadd.8
+usr/share/man/*/man8/groupdel.8
+usr/share/man/*/man8/groupmod.8
+usr/share/man/*/man8/groupmems.8
+usr/share/man/*/man8/grpck.8
+usr/share/man/*/man8/grpconv.8
+usr/share/man/*/man8/grpunconv.8
+usr/share/man/*/man8/newusers.8
+usr/share/man/*/man8/pwck.8
+usr/share/man/*/man8/pwconv.8
+usr/share/man/*/man8/pwunconv.8
+usr/share/man/*/man8/useradd.8
+usr/share/man/*/man8/userdel.8
+usr/share/man/*/man8/usermod.8
+usr/share/man/*/man8/vigr.8
+usr/share/man/*/man8/vipw.8
+usr/share/man/man1/chage.1
+usr/share/man/man1/chfn.1
+usr/share/man/man1/chsh.1
+usr/share/man/man1/expiry.1
+usr/share/man/man1/gpasswd.1
+usr/share/man/man1/passwd.1
+usr/share/man/man5/passwd.5
+usr/share/man/man5/shadow.5
+usr/share/man/man5/gshadow.5
+usr/share/man/man5/subuid.5
+usr/share/man/man5/subgid.5
+usr/share/man/man8/chgpasswd.8
+usr/share/man/man8/chpasswd.8
+usr/share/man/man8/groupadd.8
+usr/share/man/man8/groupdel.8
+usr/share/man/man8/groupmems.8
+usr/share/man/man8/groupmod.8
+usr/share/man/man8/grpck.8
+usr/share/man/man8/grpconv.8
+usr/share/man/man8/grpunconv.8
+usr/share/man/man8/newusers.8
+usr/share/man/man8/pwck.8
+usr/share/man/man8/pwconv.8
+usr/share/man/man8/pwunconv.8
+usr/share/man/man8/useradd.8
+usr/share/man/man8/userdel.8
+usr/share/man/man8/usermod.8
+usr/share/man/man8/vigr.8
+usr/share/man/man8/vipw.8
diff --git a/debian/passwd.newusers.pam b/debian/passwd.newusers.pam
new file mode 100644
index 0000000..552ca90
--- /dev/null
+++ b/debian/passwd.newusers.pam
@@ -0,0 +1,5 @@
+# The PAM configuration file for the Shadow 'newusers' service
+#
+
+@include common-password
+
diff --git a/debian/passwd.passwd.pam b/debian/passwd.passwd.pam
new file mode 100644
index 0000000..5872e7b
--- /dev/null
+++ b/debian/passwd.passwd.pam
@@ -0,0 +1,6 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+@include common-password
+
diff --git a/debian/passwd.postinst b/debian/passwd.postinst
new file mode 100644
index 0000000..f6d5221
--- /dev/null
+++ b/debian/passwd.postinst
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+configure)
+ if ! getent group shadow | grep -q '^shadow:[^:]*:42'
+ then
+ groupadd -g 42 shadow || (
+ cat <<EOF
+Group ID 42 has been allocated for the shadow group. You have either
+used 42 yourself or created a shadow group with a different ID.
+Please correct this problem and reconfigure with ``dpkg --configure passwd''.
+
+Note that both user and group IDs in the range 0-99 are globally
+allocated by the Debian project and must be the same on every Debian
+system.
+EOF
+ exit 1
+ )
+ fi
+ ;;
+esac
+
+# Run shadowconfig only on new installs
+[ -z "$2" ] && shadowconfig on
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/passwd.tmpfiles b/debian/passwd.tmpfiles
new file mode 100644
index 0000000..c2075d1
--- /dev/null
+++ b/debian/passwd.tmpfiles
@@ -0,0 +1,8 @@
+# If a password operation is in progress and we lose power, stale lockfiles
+# can be left behind. Clear them on boot.
+r! /etc/gshadow.lock
+r! /etc/shadow.lock
+r! /etc/passwd.lock
+r! /etc/group.lock
+r! /etc/subuid.lock
+r! /etc/subgid.lock
diff --git a/debian/passwd.useradd.pam b/debian/passwd.useradd.pam
new file mode 100644
index 0000000..e1dd6e7
--- /dev/null
+++ b/debian/passwd.useradd.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'useradd' service
+#
+
+# This allows root to add users without being prompted for a password
+auth sufficient pam_rootok.so
+
+# checks for account validity
+account required pam_permit.so
diff --git a/debian/passwd.userdel.pam b/debian/passwd.userdel.pam
new file mode 100644
index 0000000..450ddae
--- /dev/null
+++ b/debian/passwd.userdel.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'userdel' service
+#
+
+# This allows root to remove users without being prompted for a password
+auth sufficient pam_rootok.so
+
+# checks for account validity
+account required pam_permit.so
diff --git a/debian/passwd.usermod.pam b/debian/passwd.usermod.pam
new file mode 100644
index 0000000..da81c19
--- /dev/null
+++ b/debian/passwd.usermod.pam
@@ -0,0 +1,8 @@
+# The PAM configuration file for the Shadow 'groupdel' service
+#
+
+# This allows root to remove groups without being prompted for a password
+auth sufficient pam_rootok.so
+
+# checks for account validity
+account required pam_permit.so
diff --git a/debian/patches/0001-gpasswd-1-Fix-password-leak.patch b/debian/patches/0001-gpasswd-1-Fix-password-leak.patch
new file mode 100644
index 0000000..1596b2d
--- /dev/null
+++ b/debian/patches/0001-gpasswd-1-Fix-password-leak.patch
@@ -0,0 +1,137 @@
+From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password). Each of those 2 password prompts
+uses agetpass() to get the password. If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+- malloc(3) or readpassphrase(3) failure.
+
+ These are going to be difficult to trigger. Maybe getting the system
+ to the limits of memory utilization at that exact point, so that the
+ next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+ About readpassphrase(3), ENFILE and EINTR seem the only plausible
+ ones, and EINTR probably requires privilege or being the same user;
+ but I wouldn't discard ENFILE so easily, if a process starts opening
+ files.
+
+- The password is longer than PASS_MAX.
+
+ The is plausible with physical access. However, at that point, a
+ keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable. Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> - brk / sbrk
+> - mmap MAP_ANONYMOUS
+> - mmap /dev/zero
+> - mmap some other file
+> - shm_open
+> - shmget
+>
+> Most of these return only pages of zeros to a process. Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process. It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> - ptrace (requires ptrace privileges, mediated by YAMA)
+> - causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack. Those copies won't get zeroed
+by explicit_bzero(3). However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3). But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible. Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit. Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All. Bug introduced in shadow 19990709. That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -896,6 +896,7 @@
+ strzero (cp);
+ cp = getpass (_("Re-enter new password: "));
+ if (NULL == cp) {
++ memzero (pass, sizeof pass);
+ exit (1);
+ }
+
diff --git a/debian/patches/0002-Added-control-character-check.patch b/debian/patches/0002-Added-control-character-check.patch
new file mode 100644
index 0000000..29adce1
--- /dev/null
+++ b/debian/patches/0002-Added-control-character-check.patch
@@ -0,0 +1,45 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -21,9 +21,9 @@
+ *
+ * The supplied field is scanned for non-printable and other illegal
+ * characters.
+- * + -1 is returned if an illegal character is present.
+- * + 1 is returned if no illegal characters are present, but the field
+- * contains a non-printable character.
++ * + -1 is returned if an illegal or control character is present.
++ * + 1 is returned if no illegal or control characters are present,
++ * but the field contains a non-printable character.
+ * + 0 is returned otherwise.
+ */
+ int valid_field (const char *field, const char *illegal)
+@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
+ }
+
+ if (0 == err) {
+- /* Search if there are some non-printable characters */
++ /* Search if there are non-printable or control characters */
+ for (cp = field; '\0' != *cp; cp++) {
+ if (!isprint (*cp)) {
+ err = 1;
++ }
++ if (!iscntrl (*cp)) {
++ err = -1;
+ break;
+ }
+ }
+--
+2.34.1
+
diff --git a/debian/patches/0003-Overhaul-valid_field.patch b/debian/patches/0003-Overhaul-valid_field.patch
new file mode 100644
index 0000000..b7a8428
--- /dev/null
+++ b/debian/patches/0003-Overhaul-valid_field.patch
@@ -0,0 +1,61 @@
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b582..53929248 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+
+ /* For each character of field, search if it appears in the list
+ * of illegal characters. */
++ if (illegal && NULL != strpbrk (field, illegal)) {
++ return -1;
++ }
++
++ /* Search if there are non-printable or control characters */
+ for (cp = field; '\0' != *cp; cp++) {
+- if (strchr (illegal, *cp) != NULL) {
++ unsigned char c = *cp;
++ if (!isprint (c)) {
++ err = 1;
++ }
++ if (iscntrl (c)) {
+ err = -1;
+ break;
+ }
+ }
+
+- if (0 == err) {
+- /* Search if there are non-printable or control characters */
+- for (cp = field; '\0' != *cp; cp++) {
+- if (!isprint (*cp)) {
+- err = 1;
+- }
+- if (!iscntrl (*cp)) {
+- err = -1;
+- break;
+- }
+- }
+- }
+-
+ return err;
+ }
+
+--
+2.34.1
+
diff --git a/debian/patches/008_login_log_failure_in_FTMP b/debian/patches/008_login_log_failure_in_FTMP
new file mode 100644
index 0000000..0946ca0
--- /dev/null
+++ b/debian/patches/008_login_log_failure_in_FTMP
@@ -0,0 +1,51 @@
+Goal: Log login failures to the btmp file
+
+Notes:
+ * I'm not sure login should add an entry in the FTMP file when PAM is used.
+ (but nothing in /etc/login.defs indicates that the failure is not logged)
+
+--- a/src/login.c
++++ b/src/login.c
+@@ -827,6 +827,24 @@
+ (void) puts ("");
+ (void) puts (_("Login incorrect"));
+
++ if (getdef_str("FTMP_FILE") != NULL) {
++#ifdef USE_UTMPX
++ struct utmpx *failent =
++ prepare_utmpx (failent_user,
++ tty,
++ /* FIXME: or fromhost? */hostname,
++ utent);
++#else /* !USE_UTMPX */
++ struct utmp *failent =
++ prepare_utmp (failent_user,
++ tty,
++ hostname,
++ utent);
++#endif /* !USE_UTMPX */
++ failtmp (failent_user, failent);
++ free (failent);
++ }
++
+ if (failcount >= retries) {
+ SYSLOG ((LOG_NOTICE,
+ "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
+--- a/lib/getdef.c
++++ b/lib/getdef.c
+@@ -38,7 +38,6 @@
+ {"ENVIRON_FILE", NULL}, \
+ {"ENV_TZ", NULL}, \
+ {"FAILLOG_ENAB", NULL}, \
+- {"FTMP_FILE", NULL}, \
+ {"HMAC_CRYPTO_ALGO", NULL}, \
+ {"ISSUE_FILE", NULL}, \
+ {"LASTLOG_ENAB", NULL}, \
+@@ -80,6 +79,7 @@
+ {"ERASECHAR", NULL},
+ {"FAIL_DELAY", NULL},
+ {"FAKE_SHELL", NULL},
++ {"FTMP_FILE", NULL},
+ {"GID_MAX", NULL},
+ {"GID_MIN", NULL},
+ {"HOME_MODE", NULL},
diff --git a/debian/patches/401_cppw_src.dpatch b/debian/patches/401_cppw_src.dpatch
new file mode 100644
index 0000000..5244702
--- /dev/null
+++ b/debian/patches/401_cppw_src.dpatch
@@ -0,0 +1,276 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 401_cppw_src.dpatch by Nicolas FRANCOIS <nicolas.francois@centraliens.net>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add cppw / cpgr
+
+@DPATCH@
+--- /dev/null
++++ b/src/cppw.c
+@@ -0,0 +1,238 @@
++/*
++ cppw, cpgr copy with locking given file over the password or group file
++ with -s will copy with locking given file over shadow or gshadow file
++
++ Copyright (C) 1999 Stephen Frost <sfrost@snowman.net>
++
++ Based on vipw, vigr by:
++ Copyright (C) 1997 Guy Maor <maor@ece.utexas.edu>
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 2 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful, but
++ WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program; if not, write to the Free Software
++ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
++
++ */
++
++#include <config.h>
++#include "defines.h"
++
++#include <errno.h>
++#include <sys/stat.h>
++#include <unistd.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <sys/types.h>
++#include <signal.h>
++#include <utime.h>
++#include "exitcodes.h"
++#include "prototypes.h"
++#include "pwio.h"
++#include "shadowio.h"
++#include "groupio.h"
++#include "sgroupio.h"
++
++
++const char *Prog;
++
++const char *filename, *filenewname;
++static bool filelocked = false;
++static int (*unlock) (void);
++
++/* local function prototypes */
++static int create_copy (FILE *fp, const char *dest, struct stat *sb);
++static void cppwexit (const char *msg, int syserr, int ret);
++static void cppwcopy (const char *file,
++ const char *in_file,
++ int (*file_lock) (void),
++ int (*file_unlock) (void));
++
++static int create_copy (FILE *fp, const char *dest, struct stat *sb)
++{
++ struct utimbuf ub;
++ FILE *bkfp;
++ int c;
++ mode_t mask;
++
++ mask = umask (077);
++ bkfp = fopen (dest, "w");
++ (void) umask (mask);
++ if (NULL == bkfp) {
++ return -1;
++ }
++
++ rewind (fp);
++ while ((c = getc (fp)) != EOF) {
++ if (putc (c, bkfp) == EOF) {
++ break;
++ }
++ }
++
++ if ( (c != EOF)
++ || (fflush (bkfp) != 0)) {
++ (void) fclose (bkfp);
++ (void) unlink (dest);
++ return -1;
++ }
++ if ( (fsync (fileno (bkfp)) != 0)
++ || (fclose (bkfp) != 0)) {
++ (void) unlink (dest);
++ return -1;
++ }
++
++ ub.actime = sb->st_atime;
++ ub.modtime = sb->st_mtime;
++ if ( (utime (dest, &ub) != 0)
++ || (chmod (dest, sb->st_mode) != 0)
++ || (chown (dest, sb->st_uid, sb->st_gid) != 0)) {
++ (void) unlink (dest);
++ return -1;
++ }
++ return 0;
++}
++
++static void cppwexit (const char *msg, int syserr, int ret)
++{
++ int err = errno;
++ if (filelocked) {
++ (*unlock) ();
++ }
++ if (NULL != msg) {
++ fprintf (stderr, "%s: %s", Prog, msg);
++ if (0 != syserr) {
++ fprintf (stderr, ": %s", strerror (err));
++ }
++ (void) fputs ("\n", stderr);
++ }
++ if (NULL != filename) {
++ fprintf (stderr, _("%s: %s is unchanged\n"), Prog, filename);
++ } else {
++ fprintf (stderr, _("%s: no changes\n"), Prog);
++ }
++
++ exit (ret);
++}
++
++static void cppwcopy (const char *file,
++ const char *in_file,
++ int (*file_lock) (void),
++ int (*file_unlock) (void))
++{
++ struct stat st1;
++ FILE *f;
++ char filenew[1024];
++
++ snprintf (filenew, sizeof filenew, "%s.new", file);
++ unlock = file_unlock;
++ filename = file;
++ filenewname = filenew;
++
++ if (access (file, F_OK) != 0) {
++ cppwexit (file, 1, 1);
++ }
++ if (file_lock () == 0) {
++ cppwexit (_("Couldn't lock file"), 0, 5);
++ }
++ filelocked = true;
++
++ /* file to copy has same owners, perm */
++ if (stat (file, &st1) != 0) {
++ cppwexit (file, 1, 1);
++ }
++ f = fopen (in_file, "r");
++ if (NULL == f) {
++ cppwexit (in_file, 1, 1);
++ }
++ if (create_copy (f, filenew, &st1) != 0) {
++ cppwexit (_("Couldn't make copy"), errno, 1);
++ }
++
++ /* XXX - here we should check filenew for errors; if there are any,
++ * fail w/ an appropriate error code and let the user manually fix
++ * it. Use pwck or grpck to do the check. - Stephen (Shamelessly
++ * stolen from '--marekm's comment) */
++
++ if (rename (filenew, file) != 0) {
++ fprintf (stderr, _("%s: can't copy %s: %s)\n"),
++ Prog, filenew, strerror (errno));
++ cppwexit (NULL,0,1);
++ }
++
++ (*file_unlock) ();
++}
++
++int main (int argc, char **argv)
++{
++ int flag;
++ bool cpshadow = false;
++ char *in_file;
++ int e = E_USAGE;
++ bool do_cppw = true;
++
++ (void) setlocale (LC_ALL, "");
++ (void) bindtextdomain (PACKAGE, LOCALEDIR);
++ (void) textdomain (PACKAGE);
++
++ Prog = Basename (argv[0]);
++ if (strcmp (Prog, "cpgr") == 0) {
++ do_cppw = false;
++ }
++
++ while ((flag = getopt (argc, argv, "ghps")) != EOF) {
++ switch (flag) {
++ case 'p':
++ do_cppw = true;
++ break;
++ case 'g':
++ do_cppw = false;
++ break;
++ case 's':
++ cpshadow = true;
++ break;
++ case 'h':
++ e = E_SUCCESS;
++ /*pass through*/
++ default:
++ (void) fputs (_("Usage:\n\
++`cppw <file>' copys over /etc/passwd `cppw -s <file>' copys over /etc/shadow\n\
++`cpgr <file>' copys over /etc/group `cpgr -s <file>' copys over /etc/gshadow\n\
++"), (E_SUCCESS != e) ? stderr : stdout);
++ exit (e);
++ }
++ }
++
++ if (argc != optind + 1) {
++ cppwexit (_("wrong number of arguments, -h for usage"),0,1);
++ }
++
++ in_file = argv[optind];
++
++ if (do_cppw) {
++ if (cpshadow) {
++ cppwcopy (SHADOW_FILE, in_file, spw_lock, spw_unlock);
++ } else {
++ cppwcopy (PASSWD_FILE, in_file, pw_lock, pw_unlock);
++ }
++ } else {
++#ifdef SHADOWGRP
++ if (cpshadow) {
++ cppwcopy (SGROUP_FILE, in_file, sgr_lock, sgr_unlock);
++ } else
++#endif /* SHADOWGRP */
++ {
++ cppwcopy (GROUP_FILE, in_file, gr_lock, gr_unlock);
++ }
++ }
++
++ return 0;
++}
++
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -34,6 +34,7 @@
+ bin_PROGRAMS += su
+ endif
+ usbin_PROGRAMS = \
++ cppw \
+ chgpasswd \
+ chpasswd \
+ groupadd \
+@@ -102,6 +103,7 @@
+ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+ chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
+ chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
++cppw_LDADD = $(LDADD) $(LIBSELINUX) $(LIBAUDIT)
+ expiry_LDADD = $(LDADD) $(LIBECONF)
+ gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF)
+ groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -91,6 +91,7 @@
+ src/chgpasswd.c
+ src/chpasswd.c
+ src/chsh.c
++src/cppw.c
+ src/expiry.c
+ src/faillog.c
+ src/gpasswd.c
diff --git a/debian/patches/402_cppw_selinux b/debian/patches/402_cppw_selinux
new file mode 100644
index 0000000..5f2da1b
--- /dev/null
+++ b/debian/patches/402_cppw_selinux
@@ -0,0 +1,64 @@
+Goal: Add selinux support to cppw
+
+Fix:
+
+Status wrt upstream: cppw is not available upstream.
+ The patch was made based on the
+ 302_vim_selinux_support patch. It needs to be
+ reviewed by an SE-Linux aware person.
+
+Depends on 401_cppw_src.dpatch
+
+Index: git/src/cppw.c
+===================================================================
+--- git.orig/src/cppw.c
++++ git/src/cppw.c
+@@ -34,6 +34,9 @@
+ #include <sys/types.h>
+ #include <signal.h>
+ #include <utime.h>
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#endif /* WITH_SELINUX */
+ #include "exitcodes.h"
+ #include "prototypes.h"
+ #include "pwio.h"
+@@ -139,6 +142,22 @@
+ if (access (file, F_OK) != 0) {
+ cppwexit (file, 1, 1);
+ }
++#ifdef WITH_SELINUX
++ /* if SE Linux is enabled then set the context of all new files
++ * to be the context of the file we are editing */
++ if (is_selinux_enabled () > 0) {
++ security_context_t passwd_context=NULL;
++ int ret = 0;
++ if (getfilecon (file, &passwd_context) < 0) {
++ cppwexit (_("Couldn't get file context"), errno, 1);
++ }
++ ret = setfscreatecon (passwd_context);
++ freecon (passwd_context);
++ if (0 != ret) {
++ cppwexit (_("setfscreatecon () failed"), errno, 1);
++ }
++ }
++#endif /* WITH_SELINUX */
+ if (file_lock () == 0) {
+ cppwexit (_("Couldn't lock file"), 0, 5);
+ }
+@@ -167,6 +186,15 @@
+ cppwexit (NULL,0,1);
+ }
+
++#ifdef WITH_SELINUX
++ /* unset the fscreatecon */
++ if (is_selinux_enabled () > 0) {
++ if (setfscreatecon (NULL)) {
++ cppwexit (_("setfscreatecon() failed"), errno, 1);
++ }
++ }
++#endif /* WITH_SELINUX */
++
+ (*file_unlock) ();
+ }
+
diff --git a/debian/patches/429_login_FAILLOG_ENAB b/debian/patches/429_login_FAILLOG_ENAB
new file mode 100644
index 0000000..d8e6034
--- /dev/null
+++ b/debian/patches/429_login_FAILLOG_ENAB
@@ -0,0 +1,84 @@
+Goal: Re-enable logging and displaying failures on login when login is
+ compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
+ faillog file if it does not exist on postinst (as on Woody).
+Depends: 008_login_more_LOG_UNKFAIL_ENAB
+Fixes: #192849
+
+Note: It could be removed if pam_tally could report the number of failures
+ preceding a successful login.
+
+--- a/src/login.c
++++ b/src/login.c
+@@ -114,9 +114,9 @@
+ #endif
+ );
+
+-#ifndef USE_PAM
+ static struct faillog faillog;
+
++#ifndef USE_PAM
+ static void bad_time_notify (void);
+ static void check_nologin (bool login_to_root);
+ #else
+@@ -787,6 +787,9 @@
+ SYSLOG ((LOG_NOTICE,
+ "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
+ failcount, fromhost, failent_user));
++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
++ failure (pwd->pw_uid, tty, &faillog);
++ }
+ fprintf (stderr,
+ _("Maximum number of tries exceeded (%u)\n"),
+ failcount);
+@@ -804,6 +807,14 @@
+ pam_strerror (pamh, retcode)));
+ failed = true;
+ }
++ if ( (NULL != pwd)
++ && getdef_bool("FAILLOG_ENAB")
++ && ! failcheck (pwd->pw_uid, &faillog, failed)) {
++ SYSLOG((LOG_CRIT,
++ "exceeded failure limit for `%s' %s",
++ failent_user, fromhost));
++ failed = 1;
++ }
+
+ if (!failed) {
+ break;
+@@ -827,6 +838,10 @@
+ (void) puts ("");
+ (void) puts (_("Login incorrect"));
+
++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
++ failure (pwd->pw_uid, tty, &faillog);
++ }
++
+ if (getdef_str("FTMP_FILE") != NULL) {
+ #ifdef USE_UTMPX
+ struct utmpx *failent =
+@@ -1295,6 +1310,7 @@
+ */
+ #ifndef USE_PAM
+ motd (); /* print the message of the day */
++#endif
+ if ( getdef_bool ("FAILLOG_ENAB")
+ && (0 != faillog.fail_cnt)) {
+ failprint (&faillog);
+@@ -1307,6 +1323,7 @@
+ username, (int) faillog.fail_cnt));
+ }
+ }
++#ifndef USE_PAM
+ if ( getdef_bool ("LASTLOG_ENAB")
+ && pwd->pw_uid <= (uid_t) getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL)
+ && (ll.ll_time != 0)) {
+--- a/lib/getdef.c
++++ b/lib/getdef.c
+@@ -78,6 +78,7 @@
+ {"ENV_SUPATH", NULL},
+ {"ERASECHAR", NULL},
+ {"FAIL_DELAY", NULL},
++ {"FAILLOG_ENAB", NULL},
+ {"FAKE_SHELL", NULL},
+ {"FTMP_FILE", NULL},
+ {"GID_MAX", NULL},
diff --git a/debian/patches/463_login_delay_obeys_to_PAM b/debian/patches/463_login_delay_obeys_to_PAM
new file mode 100644
index 0000000..ab32c2a
--- /dev/null
+++ b/debian/patches/463_login_delay_obeys_to_PAM
@@ -0,0 +1,97 @@
+Goal: Do not hardcode pam_fail_delay and let pam_unix do its
+ job to set a delay...or not
+
+Fixes: #87648
+
+Status wrt upstream: Forwarded but not applied yet
+
+Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
+
+--- a/src/login.c
++++ b/src/login.c
+@@ -512,7 +512,6 @@
+ #if !defined(USE_PAM)
+ char ptime[80];
+ #endif
+- unsigned int delay;
+ unsigned int retries;
+ bool subroot = false;
+ #ifndef USE_PAM
+@@ -537,6 +536,7 @@
+ pid_t child;
+ char *pam_user = NULL;
+ #else
++ unsigned int delay;
+ struct spwd *spwd = NULL;
+ #endif
+ /*
+@@ -701,7 +701,6 @@
+ }
+
+ environ = newenvp; /* make new environment active */
+- delay = getdef_unum ("FAIL_DELAY", 1);
+ retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
+
+ #ifdef USE_PAM
+@@ -717,8 +716,7 @@
+
+ /*
+ * hostname & tty are either set to NULL or their correct values,
+- * depending on how much we know. We also set PAM's fail delay to
+- * ours.
++ * depending on how much we know.
+ *
+ * PAM_RHOST and PAM_TTY are used for authentication, only use
+ * information coming from login or from the caller (e.g. no utmp)
+@@ -727,10 +725,6 @@
+ PAM_FAIL_CHECK;
+ retcode = pam_set_item (pamh, PAM_TTY, tty);
+ PAM_FAIL_CHECK;
+-#ifdef HAS_PAM_FAIL_DELAY
+- retcode = pam_fail_delay (pamh, 1000000 * delay);
+- PAM_FAIL_CHECK;
+-#endif
+ /* if fflg, then the user has already been authenticated */
+ if (!fflg) {
+ unsigned int failcount = 0;
+@@ -771,12 +765,6 @@
+ bool failed = false;
+
+ failcount++;
+-#ifdef HAS_PAM_FAIL_DELAY
+- if (delay > 0) {
+- retcode = pam_fail_delay(pamh, 1000000*delay);
+- PAM_FAIL_CHECK;
+- }
+-#endif
+
+ retcode = pam_authenticate (pamh, 0);
+
+@@ -1110,14 +1098,17 @@
+ free (username);
+ username = NULL;
+
++#ifndef USE_PAM
+ /*
+ * Wait a while (a la SVR4 /usr/bin/login) before attempting
+ * to login the user again. If the earlier alarm occurs
+ * before the sleep() below completes, login will exit.
+ */
++ delay = getdef_unum ("FAIL_DELAY", 1);
+ if (delay > 0) {
+ (void) sleep (delay);
+ }
++#endif
+
+ (void) puts (_("Login incorrect"));
+
+--- a/lib/getdef.c
++++ b/lib/getdef.c
+@@ -77,7 +77,6 @@
+ {"ENV_PATH", NULL},
+ {"ENV_SUPATH", NULL},
+ {"ERASECHAR", NULL},
+- {"FAIL_DELAY", NULL},
+ {"FAILLOG_ENAB", NULL},
+ {"FAKE_SHELL", NULL},
+ {"FTMP_FILE", NULL},
diff --git a/debian/patches/501_commonio_group_shadow b/debian/patches/501_commonio_group_shadow
new file mode 100644
index 0000000..cfdf10c
--- /dev/null
+++ b/debian/patches/501_commonio_group_shadow
@@ -0,0 +1,60 @@
+Goal: save the [g]shadow files with the 'shadow' group and mode 0440
+
+Fixes: #166793
+
+--- a/lib/commonio.c
++++ b/lib/commonio.c
+@@ -21,6 +21,7 @@
+ #include <errno.h>
+ #include <stdio.h>
+ #include <signal.h>
++#include <grp.h>
+ #include "nscd.h"
+ #include "sssd.h"
+ #ifdef WITH_TCB
+@@ -970,12 +971,23 @@
+ goto fail;
+ }
+ } else {
++ struct group *grp;
+ /*
+ * Default permissions for new [g]shadow files.
+ */
+ sb.st_mode = db->st_mode;
+ sb.st_uid = db->st_uid;
+ sb.st_gid = db->st_gid;
++
++ /*
++ * Try to retrieve the shadow's GID, and fall back to GID 0.
++ */
++ if (sb.st_gid == 0) {
++ if ((grp = getgrnam("shadow")) != NULL)
++ sb.st_gid = grp->gr_gid;
++ else
++ sb.st_gid = 0;
++ }
+ }
+
+ snprintf (buf, sizeof buf, "%s+", db->filename);
+--- a/lib/sgroupio.c
++++ b/lib/sgroupio.c
+@@ -206,7 +206,7 @@
+ #ifdef WITH_SELINUX
+ NULL, /* scontext */
+ #endif
+- 0400, /* st_mode */
++ 0440, /* st_mode */
+ 0, /* st_uid */
+ 0, /* st_gid */
+ NULL, /* head */
+--- a/lib/shadowio.c
++++ b/lib/shadowio.c
+@@ -84,7 +84,7 @@
+ #ifdef WITH_SELINUX
+ NULL, /* scontext */
+ #endif /* WITH_SELINUX */
+- 0400, /* st_mode */
++ 0440, /* st_mode */
+ 0, /* st_uid */
+ 0, /* st_gid */
+ NULL, /* head */
diff --git a/debian/patches/502_debian_useradd_defaults b/debian/patches/502_debian_useradd_defaults
new file mode 100644
index 0000000..6317ed6
--- /dev/null
+++ b/debian/patches/502_debian_useradd_defaults
@@ -0,0 +1,41 @@
+From: Balint Reczey <balint@balintreczey.hu>
+Description: Keep using Debian's adduser defaults
+ Upstream's bbf4b79bc49fd1826eb41f6629669ef0b647267b commit
+ in 4.9 merged those values from upstream's default configuration file
+ which is not shipped in Debian.
+ This patch keeps the program's compiled in defaults in sync with the
+ configuration files shipped in Debian (debian/default/useradd).
+Bug: https://github.com/shadow-maint/shadow/issues/501
+Bug-Debian: https://bugs.debian.org/1004710
+Forwarded: not-needed
+
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -79,12 +79,12 @@
+ /*
+ * These defaults are used if there is no defaults file.
+ */
+-static gid_t def_group = 1000;
++static gid_t def_group = 100;
+ static const char *def_gname = "other";
+ static const char *def_home = "/home";
+ static const char *def_shell = "/bin/bash";
+ static const char *def_template = SKEL_DIR;
+-static const char *def_create_mail_spool = "yes";
++static const char *def_create_mail_spool = "no";
+ static const char *def_log_init = "yes";
+
+ static long def_inactive = -1;
+diff --git a/man/useradd.8.xml b/man/useradd.8.xml
+index af02a23f..c7f95b47 100644
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -248,7 +248,7 @@
+ command line), useradd will set the primary group of the new
+ user to the value specified by the <option>GROUP</option>
+ variable in <filename>/etc/default/useradd</filename>, or
+- 1000 by default.
++ 100 by default.
+ </para>
+ </listitem>
+ </varlistentry>
diff --git a/debian/patches/503_shadowconfig.8 b/debian/patches/503_shadowconfig.8
new file mode 100644
index 0000000..0f0d339
--- /dev/null
+++ b/debian/patches/503_shadowconfig.8
@@ -0,0 +1,201 @@
+Goal: Document the shadowconfig utility
+
+Status wrt upstream: The shadowconfig utility is debian specific.
+ Its man page also (but it used to be distributed)
+
+Index: git/man/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/shadowconfig.8
+@@ -0,0 +1,41 @@
++.\"Generated by db2man.xsl. Don't modify this, modify the source.
++.de Sh \" Subsection
++.br
++.if t .Sp
++.ne 5
++.PP
++\fB\\$1\fR
++.PP
++..
++.de Sp \" Vertical space (when we can't use .PP)
++.if t .sp .5v
++.if n .sp
++..
++.de Ip \" List item
++.br
++.ie \\n(.$>=3 .ne \\$3
++.el .ne 3
++.IP "\\$1" \\$2
++..
++.TH "SHADOWCONFIG" 8 "19 Apr 1997" "" ""
++.SH NAME
++shadowconfig \- toggle shadow passwords on and off
++.SH "SYNOPSIS"
++.ad l
++.hy 0
++.HP 13
++\fBshadowconfig\fR \fB\fIon\fR\fR | \fB\fIoff\fR\fR
++.ad
++.hy
++
++.SH "DESCRIPTION"
++
++.PP
++\fBshadowconfig\fR on will turn shadow passwords on; \fIshadowconfig off\fR will turn shadow passwords off\&. \fBshadowconfig\fR will print an error message and exit with a nonzero code if it finds anything awry\&. If that happens, you should correct the error and run it again\&. Turning shadow passwords on when they are already on, or off when they are already off, is harmless\&.
++
++.PP
++Read \fI/usr/share/doc/passwd/README\&.Debian\fR for a brief introduction to shadow passwords and related features\&.
++
++.PP
++Note that turning shadow passwords off and on again will lose all password aging information\&.
++
+Index: git/man/shadowconfig.8.xml
+===================================================================
+--- /dev/null
++++ git/man/shadowconfig.8.xml
+@@ -0,0 +1,52 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
++ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
++<refentry id='shadowconfig.8'>
++ <!-- $Id: shadowconfig.8.xml,v 1.6 2005/06/15 12:39:27 kloczek Exp $ -->
++ <refentryinfo>
++ <date>19 Apr 1997</date>
++ </refentryinfo>
++ <refmeta>
++ <refentrytitle>shadowconfig</refentrytitle>
++ <manvolnum>8</manvolnum>
++ <refmiscinfo class='date'>19 Apr 1997</refmiscinfo>
++ <refmiscinfo class='source'>Debian GNU/Linux</refmiscinfo>
++ </refmeta>
++ <refnamediv id='name'>
++ <refname>shadowconfig</refname>
++ <refpurpose>toggle shadow passwords on and off</refpurpose>
++ </refnamediv>
++
++ <refsynopsisdiv id='synopsis'>
++ <cmdsynopsis>
++ <command>shadowconfig</command>
++ <group choice='plain'>
++ <arg choice='plain'><replaceable>on</replaceable></arg>
++ <arg choice='plain'><replaceable>off</replaceable></arg>
++ </group>
++ </cmdsynopsis>
++ </refsynopsisdiv>
++
++ <refsect1 id='description'>
++ <title>DESCRIPTION</title>
++ <para><command>shadowconfig</command> on will turn shadow passwords on;
++ <emphasis remap='B'>shadowconfig off</emphasis> will turn shadow
++ passwords off. <command>shadowconfig</command> will print an error
++ message and exit with a nonzero code if it finds anything awry. If
++ that happens, you should correct the error and run it again. Turning
++ shadow passwords on when they are already on, or off when they are
++ already off, is harmless.
++ </para>
++
++ <para>
++ Read <filename>/usr/share/doc/passwd/README.Debian</filename> for a
++ brief introduction
++ to shadow passwords and related features.
++ </para>
++
++ <para>Note that turning shadow passwords off and on again will lose all
++ password
++ aging information.
++ </para>
++ </refsect1>
++</refentry>
+Index: git/man/fr/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/fr/shadowconfig.8
+@@ -0,0 +1,26 @@
++.\" This file was generated with po4a. Translate the source file.
++.\"
++.\"$Id: shadowconfig.8,v 1.4 2001/08/23 23:10:48 kloczek Exp $
++.TH SHADOWCONFIG 8 "19 avril 1997" "Debian GNU/Linux"
++.SH NOM
++shadowconfig \- active ou désactive les mots de passe cachés
++.SH SYNOPSIS
++\fBshadowconfig\fP \fIon\fP | \fIoff\fP
++.SH DESCRIPTION
++.PP
++\fBshadowconfig on\fP active les mots de passe cachés («\ shadow passwords\ »)\ ; \fBshadowconfig off\fP les désactive. \fBShadowconfig\fP affiche un message
++d'erreur et quitte avec une valeur de retour non nulle s'il rencontre
++quelque chose d'inattendu. Dans ce cas, vous devrez corriger l'erreur avant
++de recommencer.
++
++Activer les mots de passe cachés lorsqu'ils sont déjà activés, ou les
++désactiver lorsqu'ils ne sont pas actifs est sans effet.
++
++Lisez \fI/usr/share/doc/passwd/README.Debian\fP pour une brève introduction aux
++mots de passe cachés et à leurs fonctionnalités.
++
++Notez que désactiver puis réactiver les mots de passe cachés aura pour
++conséquence la perte des informations d'âge sur les mots de passe.
++.SH TRADUCTION
++Nicolas FRANÇOIS, 2004.
++Veuillez signaler toute erreur à <\fIdebian\-l10\-french@lists.debian.org\fR>.
+Index: git/man/ja/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/ja/shadowconfig.8
+@@ -0,0 +1,25 @@
++.\" all right reserved,
++.\" Translated Tue Oct 30 11:59:11 JST 2001
++.\" by Maki KURODA <mkuroda@aisys-jp.com>
++.\"
++.TH SHADOWCONFIG 8 "19 Apr 1997" "Debian GNU/Linux"
++.SH 名前
++shadowconfig \- shadow パスワードの設定をオン及びオフに切替える
++.SH 書式
++.B "shadowconfig"
++.IR on " | " off
++.SH 説明
++.PP
++.B shadowconfig on
++は shadow パスワードを有効にする。
++.B shadowconfig off
++は shadow パスワードを無効にする。
++.B shadowconfig
++は何らかの間違いがあると、エラーメッセージを表示し、
++ゼロではない返り値を返す。
++もしそのようなことが起こった場合、エラーを修正し、再度実行しなければならない。
++shadow パスワードの設定がすでにオンの場合にオンに設定したり、
++すでにオフの場合にオフに設定しても、何の影響もない。
++
++.I /usr/share/doc/passwd/README.debian.gz
++には shadow パスワードとそれに関する特徴の簡単な紹介が書かれている。
+Index: git/man/pl/shadowconfig.8
+===================================================================
+--- /dev/null
++++ git/man/pl/shadowconfig.8
+@@ -0,0 +1,27 @@
++.\" $Id: shadowconfig.8,v 1.3 2001/08/23 23:10:51 kloczek Exp $
++.\" {PTM/WK/1999-09-14}
++.TH SHADOWCONFIG 8 "19 kwietnia 1997" "Debian GNU/Linux"
++.SH NAZWA
++shadowconfig - przełącza ochronę haseł i grup przez pliki shadow
++.SH SKŁADNIA
++.B "shadowconfig"
++.IR on " | " off
++.SH OPIS
++.PP
++.B shadowconfig on
++włącza ochronę haseł i grup przez dodatkowe, przesłaniane pliki (shadow);
++.B shadowconfig off
++wyłącza dodatkowe pliki haseł i grup.
++.B shadowconfig
++wyświetla komunikat o błędzie i kończy pracę z niezerowym kodem jeśli
++znajdzie coś nieprawidłowego. W takim wypadku powinieneś poprawić błąd
++.\" if it finds anything awry.
++i uruchomić program ponownie.
++
++Włączenie ochrony haseł, gdy jest ona już włączona lub jej wyłączenie,
++gdy jest wyłączona jest nieszkodliwe.
++
++Przeczytaj
++.IR /usr/share/doc/passwd/README.debian.gz ,
++gdzie znajdziesz krótkie wprowadzenie do ochrony haseł z użyciem dodatkowych
++plików haseł przesłanianych (shadow passwords) i związanych tematów.
diff --git a/debian/patches/505_useradd_recommend_adduser b/debian/patches/505_useradd_recommend_adduser
new file mode 100644
index 0000000..9fb3fe3
--- /dev/null
+++ b/debian/patches/505_useradd_recommend_adduser
@@ -0,0 +1,36 @@
+Goal: Recommend using adduser and deluser.
+
+Fixes: #406046
+
+Status wrt upstream: Debian specific patch.
+
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -83,6 +83,12 @@
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
++ <command>useradd</command> is a low level utility for adding
++ users. On Debian, administrators should usually use
++ <citerefentry><refentrytitle>adduser</refentrytitle>
++ <manvolnum>8</manvolnum></citerefentry> instead.
++ </para>
++ <para>
+ When invoked without the <option>-D</option> option, the
+ <command>useradd</command> command creates a new user account using
+ the values specified on the command line plus the default values from
+--- a/man/userdel.8.xml
++++ b/man/userdel.8.xml
+@@ -59,6 +59,12 @@
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
++ <command>userdel</command> is a low level utility for removing
++ users. On Debian, administrators should usually use
++ <citerefentry><refentrytitle>deluser</refentrytitle>
++ <manvolnum>8</manvolnum></citerefentry> instead.
++ </para>
++ <para>
+ The <command>userdel</command> command modifies the system account
+ files, deleting all entries that refer to the user name <emphasis
+ remap='I'>LOGIN</emphasis>. The named user must exist.
diff --git a/debian/patches/506_relaxed_usernames b/debian/patches/506_relaxed_usernames
new file mode 100644
index 0000000..0e066d9
--- /dev/null
+++ b/debian/patches/506_relaxed_usernames
@@ -0,0 +1,111 @@
+Goal: Relaxed usernames/groupnames checking patch.
+
+Status wrt upstream: Debian specific. Not to be used upstream
+
+Details:
+ Allows any non-empty user/grounames that don't contain ':', ',' or '\n'
+ characters and don't start with '-', '+', or '~'. This patch is more
+ restrictive than original Karl's version. closes: #264879
+ Also closes: #377844
+
+ Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
+
+ I can't come up with a good justification as to why characters other
+ than ':'s and '\0's should be disallowed in group and usernames (other
+ than '-' as the leading character). Thus, the maintenance tools don't
+ anymore. closes: #79682, #166798, #171179
+
+--- a/libmisc/chkname.c
++++ b/libmisc/chkname.c
+@@ -32,44 +32,26 @@
+ }
+
+ /*
+- * User/group names must match gnu e-regex:
+- * [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
+- *
+- * as a non-POSIX, extension, allow "$" as the last char for
+- * sake of Samba 3.x "add machine script"
+- *
+- * Also do not allow fully numeric names or just "." or "..".
+- */
+- int numeric;
+-
+- if ('\0' == *name ||
+- ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
+- '\0' == name[1])) ||
+- !((*name >= 'a' && *name <= 'z') ||
+- (*name >= 'A' && *name <= 'Z') ||
+- (*name >= '0' && *name <= '9') ||
+- *name == '_' ||
+- *name == '.')) {
++ * POSIX indicate that usernames are composed of characters from the
++ * portable filename character set [A-Za-z0-9._-], and that the hyphen
++ * should not be used as the first character of a portable user name.
++ *
++ * Allow more relaxed user/group names in Debian -- ^[^-~+:,\s][^:,\s]*$
++ */
++ if ( ('\0' == *name)
++ || ('-' == *name)
++ || ('~' == *name)
++ || ('+' == *name)) {
+ return false;
+ }
+-
+- numeric = isdigit(*name);
+-
+- while ('\0' != *++name) {
+- if (!((*name >= 'a' && *name <= 'z') ||
+- (*name >= 'A' && *name <= 'Z') ||
+- (*name >= '0' && *name <= '9') ||
+- *name == '_' ||
+- *name == '.' ||
+- *name == '-' ||
+- (*name == '$' && name[1] == '\0')
+- )) {
++ do {
++ if ((':' == *name) || (',' == *name) || isspace(*name)) {
+ return false;
+ }
+- numeric &= isdigit(*name);
+- }
++ name++;
++ } while ('\0' != *name);
+
+- return !numeric;
++ return true;
+ }
+
+ bool is_valid_user_name (const char *name)
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -708,6 +708,14 @@
+ the <command>ls</command> output.
+ </para>
+ <para>
++ On Debian, the only constraints are that usernames must neither start
++ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
++ colon (':'), a comma (','), or a whitespace (space: ' ',
++ end of line: '\n', tabulation: '\t', etc.). Note that using a slash
++ ('/') may break the default algorithm for the definition of the
++ user's home directory.
++ </para>
++ <para>
+ Usernames may only be up to 32 characters long.
+ </para>
+ </refsect1>
+--- a/man/groupadd.8.xml
++++ b/man/groupadd.8.xml
+@@ -72,6 +72,12 @@
+ also disallowed.
+ </para>
+ <para>
++ On Debian, the only constraints are that groupnames must neither start
++ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
++ colon (':'), a comma (','), or a whitespace (space:' ',
++ end of line: '\n', tabulation: '\t', etc.).
++ </para>
++ <para>
+ Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+ </para>
+ </refsect1>
diff --git a/debian/patches/542_useradd-O_option b/debian/patches/542_useradd-O_option
new file mode 100644
index 0000000..3745826
--- /dev/null
+++ b/debian/patches/542_useradd-O_option
@@ -0,0 +1,40 @@
+Goal: accepts the -O flag for backward compatibility. (was used by adduser?)
+
+Note: useradd.8 needs to be regenerated.
+
+Status wrt upstream: not included as this is just specific
+ backward compatibility for Debian
+
+--- a/man/useradd.8.xml
++++ b/man/useradd.8.xml
+@@ -326,6 +326,11 @@
+ =<replaceable>100</replaceable>&nbsp;<option>-K</option>&nbsp;
+ <replaceable>UID_MAX</replaceable>=<replaceable>499</replaceable>
+ </para>
++ <para>
++ For the compatibility with previous Debian's
++ <command>useradd</command>, the <option>-O</option> option is
++ also supported.
++ </para>
+ <!--para>
+ Note: <option>-K</option>&nbsp;<replaceable>UID_MIN</replaceable>=<replaceable>10</replaceable>,<replaceable>UID_MAX</replaceable>=<replaceable>499</replaceable>
+ doesn't work yet.
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -1227,7 +1227,7 @@
+ {NULL, 0, NULL, '\0'}
+ };
+ while ((c = getopt_long (argc, argv,
+- "b:c:d:De:f:g:G:hk:K:lmMNop:rR:P:s:u:U"
++ "b:c:d:De:f:g:G:hk:O:K:lmMNop:rR:P:s:u:U"
+ #ifdef WITH_SELINUX
+ "Z:"
+ #endif /* WITH_SELINUX */
+@@ -1367,6 +1367,7 @@
+ kflg = true;
+ break;
+ case 'K':
++ case 'O': /* compatibility with previous Debian useradd */
+ /*
+ * override login.defs defaults (-K name=value)
+ * example: -K UID_MIN=100 -K UID_MAX=499
diff --git a/debian/patches/900_testsuite_groupmems b/debian/patches/900_testsuite_groupmems
new file mode 100644
index 0000000..6bdc497
--- /dev/null
+++ b/debian/patches/900_testsuite_groupmems
@@ -0,0 +1,81 @@
+--- a/debian/passwd.install
++++ b/debian/passwd.install
+@@ -9,6 +9,7 @@
+ usr/sbin/cppw
+ usr/sbin/groupadd
+ usr/sbin/groupdel
++usr/sbin/groupmems
+ usr/sbin/groupmod
+ usr/sbin/grpck
+ usr/sbin/grpconv
+@@ -33,6 +34,7 @@
+ usr/share/man/*/man8/chpasswd.8
+ usr/share/man/*/man8/groupadd.8
+ usr/share/man/*/man8/groupdel.8
++usr/share/man/*/man8/groupmems.8
+ usr/share/man/*/man8/groupmod.8
+ usr/share/man/*/man8/grpck.8
+ usr/share/man/*/man8/grpconv.8
+@@ -59,6 +61,7 @@
+ usr/share/man/man8/chpasswd.8
+ usr/share/man/man8/groupadd.8
+ usr/share/man/man8/groupdel.8
++usr/share/man/man8/groupmems.8
+ usr/share/man/man8/groupmod.8
+ usr/share/man/man8/grpck.8
+ usr/share/man/man8/grpconv.8
+--- a/debian/passwd.postinst
++++ b/debian/passwd.postinst
+@@ -31,6 +31,24 @@
+ exit 1
+ )
+ fi
++ if ! getent group groupmems | grep -q '^groupmems:[^:]*:99'
++ then
++ groupadd -g 99 groupmems || (
++ cat <<EOF
++************************ TESTSUITE *****************************
++Group ID 99 has been allocated for the groupmems group. You have either
++used 99 yourself or created a groupmems group with a different ID.
++Please correct this problem and reconfigure with ``dpkg --configure passwd''.
++
++Note that both user and group IDs in the range 0-99 are globally
++allocated by the Debian project and must be the same on every Debian
++system.
++EOF
++ exit 1
++ )
++# FIXME
++ chgrp groupmems /usr/sbin/groupmems
++ fi
+ ;;
+ esac
+
+--- a/debian/rules
++++ b/debian/rules
+@@ -60,6 +60,7 @@
+ dh_installpam -p passwd --name=chsh
+ dh_installpam -p passwd --name=chpasswd
+ dh_installpam -p passwd --name=newusers
++ dh_installpam -p passwd --name=groupmems
+ ifeq ($(DEB_HOST_ARCH_OS),hurd)
+ # login is not built on The Hurd, but some utilities of passwd depends on
+ # /etc/login.defs.
+@@ -87,3 +88,6 @@
+ chgrp shadow debian/passwd/usr/bin/expiry
+ chmod g+s debian/passwd/usr/bin/chage
+ chmod g+s debian/passwd/usr/bin/expiry
++ chgrp groupmems debian/passwd/usr/sbin/groupmems
++ chmod u+s debian/passwd/usr/sbin/groupmems
++ chmod o-x debian/passwd/usr/sbin/groupmems
+--- /dev/null
++++ b/debian/passwd.groupmems.pam
+@@ -0,0 +1,8 @@
++# The PAM configuration file for the Shadow 'groupmod' service
++#
++
++# This allows root to modify groups without being prompted for a password
++auth sufficient pam_rootok.so
++
++@include common-auth
++@include common-account
diff --git a/debian/patches/901_testsuite_gcov b/debian/patches/901_testsuite_gcov
new file mode 100644
index 0000000..717ccca
--- /dev/null
+++ b/debian/patches/901_testsuite_gcov
@@ -0,0 +1,76 @@
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -1,6 +1,8 @@
+
+ AUTOMAKE_OPTIONS = 1.0 foreign
+
++CFLAGS += -fprofile-arcs -ftest-coverage
++
+ DEFS =
+
+ noinst_LTLIBRARIES = libshadow.la
+--- a/libmisc/Makefile.am
++++ b/libmisc/Makefile.am
+@@ -1,6 +1,8 @@
+
+ EXTRA_DIST = .indent.pro xgetXXbyYY.c
+
++CFLAGS += -fprofile-arcs -ftest-coverage
++
+ INCLUDES = -I$(top_srcdir)/lib
+
+ noinst_LIBRARIES = libmisc.a
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -7,6 +7,8 @@
+ suidperms = 4755
+ sgidperms = 2755
+
++CFLAGS += -fprofile-arcs -ftest-coverage
++
+ INCLUDES = \
+ -I${top_srcdir}/lib \
+ -I$(top_srcdir)/libmisc
+--- a/debian/rules
++++ b/debian/rules
+@@ -40,6 +40,12 @@
+ endif
+ export CFLAGS
+
++clean:: clean_gcov
++
++clean_gcov:
++ find . -name "*.gcda" -delete
++ find . -name "*.gcno" -delete
++
+ # Add extras to the install process:
+ binary-install/login::
+ dh_installpam -p login
+--- a/lib/defines.h
++++ b/lib/defines.h
+@@ -174,23 +174,9 @@
+ trust the formatted time received from the unix domain (or worse,
+ UDP) socket. -MM */
+ /* Avoid translated PAM error messages: Set LC_ALL to "C".
++ * This is disabled for coverage testing
+ * --Nekral */
+-#define SYSLOG(x) \
+- do { \
+- char *old_locale = setlocale (LC_ALL, NULL); \
+- char *saved_locale = NULL; \
+- if (NULL != old_locale) { \
+- saved_locale = strdup (old_locale); \
+- } \
+- if (NULL != saved_locale) { \
+- (void) setlocale (LC_ALL, "C"); \
+- } \
+- syslog x ; \
+- if (NULL != saved_locale) { \
+- (void) setlocale (LC_ALL, saved_locale); \
+- free (saved_locale); \
+- } \
+- } while (false)
++#define SYSLOG(x) syslog x
+ #else /* !ENABLE_NLS */
+ #define SYSLOG(x) syslog x
+ #endif /* !ENABLE_NLS */
diff --git a/debian/patches/README.patches b/debian/patches/README.patches
new file mode 100644
index 0000000..a804fe3
--- /dev/null
+++ b/debian/patches/README.patches
@@ -0,0 +1,22 @@
+Small intro to the system for numbering the patches here...
+
+-The 00xx-... patches are forwarded to upstream's git repository
+
+-The 0xx_... series of patches are patches isolated from the latest
+ version of the shadow Debian package not using quilt in order to
+ separate upstream from Debian-specific stuff.
+
+ NO MORE PATCHES SHOULD BE ADDED IN THESE SERIES
+
+-The 4xx series are patches which have been applied to Debian's shadow
+ and have NOT been accepted and/or applied upstream. These patches MUST be kept
+ even after resynced with upstream
+
+-The 5xx series are patches which are applied to Debian's shadow
+ and will never be proposed upstream because they're too specific
+ This list SHOULD BE AS SHORT AS POSSIBLE
+
+In short, while we are working towards synchronisation with upstream,
+our goal is to make 0xx patches disappear by moving them either to 3xx
+series (things already implemented upstream) or to 4xx series
+(Debian-specific patches).
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..ba058e0
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,23 @@
+# CVE-2023-4641
+0001-gpasswd-1-Fix-password-leak.patch
+
+# CVE-2023-29383
+0002-Added-control-character-check.patch
+0003-Overhaul-valid_field.patch
+
+# These patches are only for the testsuite:
+#900_testsuite_groupmems
+#901_testsuite_gcov
+
+008_login_log_failure_in_FTMP
+401_cppw_src.dpatch
+# 402 should be merged in 401, but should be reviewed by SE Linux experts first
+402_cppw_selinux
+429_login_FAILLOG_ENAB
+463_login_delay_obeys_to_PAM
+501_commonio_group_shadow
+502_debian_useradd_defaults
+503_shadowconfig.8
+505_useradd_recommend_adduser
+506_relaxed_usernames
+542_useradd-O_option
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..b7ff08b
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,82 @@
+#!/usr/bin/make -f
+# -*- mode: makefile; coding: utf-8 -*-
+
+# Enable PIE, BINDNOW, and possible future flags.
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
+# Adds extra options when calling the configure script:
+DEB_CONFIGURE_EXTRA_FLAGS := --without-libcrack \
+ --mandir=/usr/share/man \
+ --with-libpam \
+ --with-yescrypt \
+ --enable-shadowgrp \
+ --enable-man \
+ --disable-account-tools-setuid \
+ --with-group-name-max-length=32 \
+ --without-acl \
+ --without-attr \
+ --without-su \
+ --without-tcb \
+ SHELL=/bin/sh
+
+ifneq ($(filter nodoc,$(DEB_BUILD_PROFILES)),)
+DEB_CONFIGURE_EXTRA_FLAGS += --disable-man
+endif
+
+# Set the default editor for vipw/vigr
+CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\""
+
+%:
+ dh $@
+
+override_dh_auto_configure:
+ cp debian/HOME_MODE.xml man/login.defs.d/HOME_MODE.xml
+ dh_auto_configure -- $(DEB_CONFIGURE_EXTRA_FLAGS)
+
+override_dh_install-arch:
+ifneq ($(DEB_HOST_ARCH_OS),linux)
+ sed -i 's/session optional pam_keyinit.so/# Linux only # session optional pam_keyinit.so/' debian/login.pam
+endif
+ dh_install -a
+ifeq ($(DEB_HOST_ARCH_OS),hurd)
+ # /bin/login is provided by the hurd package.
+ rm -f debian/login/usr/bin/login
+endif
+
+override_dh_installpam:
+ # Distribute the pam.d files; unless for the commands with disabled PAM
+ # support
+ dh_installpam -p login
+ dh_installpam -p passwd --name=passwd
+ dh_installpam -p passwd --name=chfn
+ dh_installpam -p passwd --name=chsh
+ dh_installpam -p passwd --name=chpasswd
+ dh_installpam -p passwd --name=newusers
+
+override_dh_builddeb-arch:
+ # uidmap
+ chmod u+s debian/uidmap/usr/bin/newuidmap
+ chmod u+s debian/uidmap/usr/bin/newgidmap
+ # login
+ # No real need for login to be setuid root
+ # chmod u+s debian/login/bin/login
+ chmod u+s debian/login/usr/bin/newgrp
+ # passwd
+ chmod u+s debian/passwd/usr/bin/chfn
+ chmod u+s debian/passwd/usr/bin/chsh
+ chmod u+s debian/passwd/usr/bin/gpasswd
+ chmod u+s debian/passwd/usr/bin/passwd
+ chgrp shadow debian/passwd/usr/bin/chage
+ chgrp shadow debian/passwd/usr/bin/expiry
+ chmod g+s debian/passwd/usr/bin/chage
+ chmod g+s debian/passwd/usr/bin/expiry
+ dh_builddeb -a
+
+override_dh_auto_clean:
+ sed -i 's/# Linux only # //' debian/login.pam
+ dh_auto_clean
+
+override_dh_clean:
+ dh_clean ./man/login.defs.d/HOME_MODE.xml
diff --git a/debian/shadowconfig b/debian/shadowconfig
new file mode 100644
index 0000000..b462597
--- /dev/null
+++ b/debian/shadowconfig
@@ -0,0 +1,70 @@
+#!/bin/sh
+# turn shadow passwords on or off on a Debian system
+
+set -e
+
+shadowon () {
+ set -e
+
+ if [ -n "$DPKG_ROOT" ] \
+ && cmp "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/usr/share/base-passwd/passwd.master" 2>/dev/null \
+ && cmp "${DPKG_ROOT}/etc/group" "${DPKG_ROOT}/usr/share/base-passwd/group.master" 2>/dev/null; then
+ # If dpkg is run with --force-script-chrootless and if /etc/passwd
+ # and /etc/group are unchanged, we avoid the chroot() call by manually
+ # processing the files. This produces bit-by-bit identical results
+ # compared to the normal case as shown by the CI setup at
+ # https://salsa.debian.org/helmutg/dpkg-root-demo/-/jobs
+ for f in passwd group; do
+ cp -a "${DPKG_ROOT}/etc/$f" "${DPKG_ROOT}/etc/$f-"
+ done
+ chmod 600 "${DPKG_ROOT}/etc/passwd-"
+ sed -i 's/^\([^:]\+\):\*:/\1:x:/' "${DPKG_ROOT}/etc/group" "${DPKG_ROOT}/etc/passwd"
+ [ -n "$SOURCE_DATE_EPOCH" ] && epoch=$SOURCE_DATE_EPOCH || epoch=$(date +%s)
+ sed "s/^\([^:]\+\):.*/\1:*:$((epoch/60/60/24)):0:99999:7:::/" "${DPKG_ROOT}/etc/passwd" > "${DPKG_ROOT}/etc/shadow"
+ sed "s/^\([^:]\+\):.*/\1:*::/" "${DPKG_ROOT}/etc/group" > "${DPKG_ROOT}/etc/gshadow"
+ touch "${DPKG_ROOT}/etc/.pwd.lock"
+ chmod 600 "${DPKG_ROOT}/etc/.pwd.lock"
+ else
+ pwck -q -r
+ grpck -r
+ pwconv
+ grpconv
+ fi
+ chown root:root "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
+ chmod 644 "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
+ chown root:shadow "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
+ chmod 640 "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
+}
+
+shadowoff () {
+ set -e
+ pwck -q -r
+ grpck -r
+ pwunconv
+ grpunconv
+ # sometimes the passwd perms get munged
+ chown root:root /etc/passwd /etc/group
+ chmod 644 /etc/passwd /etc/group
+}
+
+case "$1" in
+ "on")
+ if shadowon ; then
+ echo Shadow passwords are now on.
+ else
+ echo Please correct the error and rerun \`$0 on\'
+ exit 1
+ fi
+ ;;
+ "off")
+ if shadowoff ; then
+ echo Shadow passwords are now off.
+ else
+ echo Please correct the error and rerun \`$0 off\'
+ exit 1
+ fi
+ ;;
+ *)
+ echo Usage: $0 on \| off
+ ;;
+esac
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..c2b1d88
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: smoke
+Restrictions: needs-root superficial
diff --git a/debian/tests/smoke b/debian/tests/smoke
new file mode 100755
index 0000000..69bbfb0
--- /dev/null
+++ b/debian/tests/smoke
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+echo "Adding an user works"
+useradd shadow-test-user
+grep '^shadow-test-user:x:' /etc/passwd
+grep '^shadow-test-user:!:' /etc/shadow
+
+echo "Removing an user works"
+userdel shadow-test-user
+! grep 'shadow-test-user' /etc/passwd
+! grep 'shadow-test-user' /etc/shadow
diff --git a/debian/uidmap.install b/debian/uidmap.install
new file mode 100644
index 0000000..48eb9e1
--- /dev/null
+++ b/debian/uidmap.install
@@ -0,0 +1,3 @@
+bin/getsubids usr/bin
+usr/bin/newuidmap
+usr/bin/newgidmap
diff --git a/debian/uidmap.lintian-overrides b/debian/uidmap.lintian-overrides
new file mode 100644
index 0000000..7ea41c9
--- /dev/null
+++ b/debian/uidmap.lintian-overrides
@@ -0,0 +1,2 @@
+uidmap: elevated-privileges 4755 root/root [usr/bin/newgidmap]
+uidmap: elevated-privileges 4755 root/root [usr/bin/newuidmap]
diff --git a/debian/uidmap.manpages b/debian/uidmap.manpages
new file mode 100644
index 0000000..a3cd655
--- /dev/null
+++ b/debian/uidmap.manpages
@@ -0,0 +1,5 @@
+usr/share/man/*/man1/newgidmap.1
+usr/share/man/*/man1/newuidmap.1
+usr/share/man/man1/getsubids.1
+usr/share/man/man1/newgidmap.1
+usr/share/man/man1/newuidmap.1
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..f5fd6f4
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,4 @@
+---
+Bug-Database: https://github.com/shadow-maint/shadow/issues
+Bug-Submit: https://github.com/shadow-maint/shadow/issues/new
+Repository-Browse: https://github.com/shadow-maint/shadow
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..e6edc6c
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,80 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBE+oKZQBCACz5WylGAr+eitZjuSigzR+y30W3E+gkU0DSNlBB3WlorOtmzMX
+9F2d+z+ozJuez4NPqwfQ5y2ExKSbL8i1rwYmExZIzTDpm1Q6N3hG+vLbxwbrbsKT
+qW9rPiXriU5yRwuvVJl4NOU6T/Pau3/VD8iFN7U4mVpNFVPlB8vCvDJ+07Z0xIH9
+MXe8uaERG3v2EL7Mv8L5w05XEeuTT/CJiw6NdzwjZc1FymVoFjntetl8HaJ+5JCB
+2ylAbnw/wZJHORgsLxZhOL6/zrJRG8GvjgB+1l8izgl4n0DOqjyyoQIZJ+mfuHR0
+6wDqwvP5F9RZqCh8Md4hYujop5a0BKfAzLfdABEBAAG0IFNlcmdlIEhhbGx5biA8
+c2VyZ2VoQGtlcm5lbC5vcmc+iQFOBBMBCgA4FiEEZtA4fbhdMg+ECBZtsXXPqY8Z
+KvIFAl2r0d0CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQsXXPqY8ZKvIM
+nAgAiTpLlXuzyD4C+9I/yCA9N/BqK43jnMfJOl/Ky56vgJ/WbrFJLuO3wubMlRLD
+3jurC6SK2g0TpygyoX2MjwZVT60Sq3ZcgIh71yyWHhtZ29NuUiKsKnajb9IlP+AM
+1V0g9py41YdDUmAuC/5crqyK+8u1CVrB/is7Eym598gIl9nyGvaZrzgjG1cRCjzf
+ZU8pRG+VPMr5Xla8rDKBZl+LcusV90eAUa0E/KVFS5N1dQ6HKckYXPSBN3DKHZy+
+qKa1k7Dq0CnkTjQmjaMu3j5sdOXg4QUfhCHeLDFAtadNdP04I6g5KZRvC44XdQ1A
+bxFMLyObhCsq/QxSh/nYrKsw0rQsU2VyZ2UgSGFsbHluIChrZXJuZWwub3JnKSA8
+c2VyZ2VAaGFsbHluLmNvbT6JATgEEwECACIFAk+oKZQCGwMGCwkIBwMCBhUIAgkK
+CwQWAgMBAh4BAheAAAoJELF1z6mPGSryYfEIAJviOHYwzXjnHWrsbQQ75rJq2wQ4
+NlM5FRljskufCXtIz/DUpKKT3aqG3y7ywtEwl4ePofJmLbC0O5bZF9blgSSCV02z
+zGdeUosAJsxumYHVi9CRHWsiAaNMX8gif9vePqz/iY/caPS4w4gBXJK8vLwvxToI
+4CZDwIlMkMov//3HQ5v5OKfeqbA1rnsGI74vUw9Zt/Sqgudz5bY65693OqeRRWU6
+tOH8zo4HkFew26Ydh80qAn1R7ALnk68zwfXj8vdyR9f05dEqbg/4thZWcjWC/Frn
+QOjcTwKu5DnUCE937a1MPzt4t1FCYUHrqcLN99uzGuOD42o9/S+JAa2HWhe5AQ0E
+T6gplAEIANz2xhKdYCPfLpAT2wY0NQVoqkAVSymulDwt4DTmeHdFTFgN3vmpzR7C
+0ZHX5KWCl6EpB9JdVBPbniMzmUlqc0M9h9+T2T2UzCBJWhM/ZBqzN8OCKvtYopC6
+Pd0HCeZgd0hjaar55oCH/VwJT/+CB1oBOjgQ1CEpMAiK6+IYoGlhf/McCU8i/IWM
+RGwGarTChAq8MayhAQ5vHXO7UZpNZ5NIgScfJGFqMxCspQDFIKH1OHZWPrE6G/H1
+MrqWL55zFi64FU/ReWWDUZ2hAELwpYhMM6tTXyy6PW8QYrhg7NBA/EA2zojzVK9V
+113ZuHvVzICOEevWS6DDc9ZC8t7jIccAEQEAAYkBHwQYAQIACQUCT6gplAIbDAAK
+CRCxdc+pjxkq8mtUCACLsJVcm3yZmI37LPCJlWXOuRFB24HZyC8ZkPoebcwlzVpU
+DcaHS0lwuj5J260I7MpKY9FKydZPX0QrGkMytz2P3s+L1IOsbJQ7HsHPyAqNMjoF
+x880CEDIivkav1IPJPHq1R25KaYSuu+NhY/X8nPuykic3bBB3llVFK9L+s1kaHU1
+TfWh5aVumRTQmkZtmQxe/gkjL7VxofnPOtxEwL0kXF+b9th1qr6MeEy5+dLLRBrd
+CAmQq/PHO+Ugb0FpSa415H5egD0hIQxDMBherElBIvbwSv0hVo2C3PmaoIx/y+4N
+M8amRjKoac6O1A0Xr3nCIDsICvf9ZN6ISXqQqwEWuQENBF2r4KYBCADpPHTIGLuE
+O4VOOtRAvzLcSIsEg/Iu5Ys1AfEs8RT58loJLxthYpOZVIgyZhLLS3Qpt3aWqYib
+nc3E4JfQG6OMYKKvlWykQj5NNNeyRNmzUmxd05sYWhwB4gb4VP1PpEc/pQ51BNUp
+ocxndcp9ZAr5hvTJlo4kD5Bvby8d3eOgwZ6hzusJ9QBXioirsgrNYoL7U9qs/tvo
+s2PbcnfrNjveftQg0LJakPCEDT9NHBUyZY7JN3ZmV0G+kpMcUzRvhP9rzHVGYVG2
++1CBVDphXpGbxmTCH/bDTCRglSDfr8jDIRNTANe4iRsbQBVanjDeMAPfjAOM+bnZ
+HoHW8Z1sS7YNABEBAAGJAmwEGAEKACAWIQRm0Dh9uF0yD4QIFm2xdc+pjxkq8gUC
+XavgpgIbAgFACRCxdc+pjxkq8sB0IAQZAQoAHRYhBKm9P/FwcrbbeA/PlDVw2hcn
+Cs4kBQJdq+CmAAoJEDVw2hcnCs4k9nwH/j4EtPJvVIpLPS1gKfQaWolZ9El8f12I
+UyZka+/FKwh6IGbLQBE9oWi6lsDCKMjqYnuVbrcYtll0Lc7CdQR1fSwfzT95xU/z
+/WrGV8xbQQUULA8MVuYottIZByhtdDNvkBogtLLH4tc40BSm2jqcb6LuT4vswULk
+9UUOuTUKxWECOM3ci2554l9hGaQ4qSxSXhrPPNR0Le0Y8ElLQI11vTP6UEA6fyVh
+I6eg90eMrNP2OHCW5QnIuazPFJ/2lb12BgahKbHXYR/cRqZNCU1rRgH8NWtKL0b9
+/Q9bsBvLl00IlA0xhpZZV4c6S5HCQbU/FXqIIgBmQvfaWzVuQVPHGxcjhwf/UPxw
+ZiKpo+TGL0GQkP/3H/QH/YHPqNmAOPyoNqUn/RimYs3dyfDTtOTumErF6iLAa9pS
+Bo8OJJZBOxskXfylTEDsaxWPbxXHUsULpJZxVHoh+90RT957Hc8PjEa+B3KW5vRd
+HwpwemlNYKn++Hv+kIr+ndqauw88s8e2QpvAUS09h2WxXmEOhrHTiGIFs1l6rq5P
++vK5RNQ+xaPSivZZqyzsK6+3s9aTixwPKTw4WYcSOQ92YQ7C1Lsd3GglHxXT/1aW
+iYoxjXNR2LfJpOFNUG+mZWn02G++RfXetb/PzPxwE2eSqU/YK9GhpH8KbcwsJQSf
+MqXESPQLlFAwkwFyBrkBDQRdq+FiAQgAx36JU5PHoULcaG/Y8BJ5eyfG1v0B/5oG
+M1/SbxYpMuAhL3FBvGA0ly0boASm2QF8BK1EsgDmo5rSJgimQnKcQ9uicnXaq+2U
+npvqDWHcBOFhdAGNNDz1f6uUXNUZCyJ6pqeMj5+JI1sNqs4tBRt4k6uR8W6Svfij
+nGWgoQ0v+TC7WUMb9jYYzFlEt7VpUlRdCDgWISJoT4s0VutQfF01HY8The4kd62d
+4cSJP/Nem8QXgwKKyMlMYAcQLjeuXs6odT8YN1xbS53J/2/fcsIVZNEuWAoodXJS
+sdWFXNsHbPX7GfHGH9tBeOC20g/dmqfwteIudQ1Tn56MmK4DB3ByfwARAQABiQE2
+BBgBCgAgFiEEZtA4fbhdMg+ECBZtsXXPqY8ZKvIFAl2r4WICGwwACgkQsXXPqY8Z
+KvL39Qf/S86hi7pvntTGwk1Hl0IyGw9hXsUUhf26PlcgOj9tC3ZFMxrY+4oxtwMY
+g2wOodeo4WlmrlYMeGrRwSgiqGWSCPW4LvsssbDuZbKJoxshNAOVHM/1z1CPc2QY
+0pboVPBHss+HjeSBfKA7VK1UAMh0dqmLD2EjnasXwWs1jLig1FeFRwM9+fTdqS4h
+sXvmxoIdpg7/GhB4SoT7SpXzZX8VPm0hIzKCTOCr73NSGIDhdCPGJWFIrZwCLSJR
+Ndl5zIS54uTrNn2+QPwllqBKKtMWDG0uueFWlQEkw6B9+/mOY79K6fiz7clsB2Jy
+awWrD3SFaYY3BrQXkdnbSsRUDCR23bkBDQRdq+GrAQgAwoQJz9/x/T8J6cqTPfBc
+YS2UbjpguO1O3a1Zhd231nTiKFVph49qcW2+66PI7cjeNRA2/Z+hTUK065XJ9mpf
+5NeqzQFQ9dbBMKQw7Jz98RDm7QEUmNZi2avaxljgCDWO4mybMjuDdycwsv0tuOls
+dGu4UhPmue/03Abs9RGfVecK3211n93SHu8Ro2QPfuPruuPLxQSVVVzBUaGwJHwK
+SrBnpnClDET3DKr9PFv6/yoQlyiFzlJZtiXvQC3Mc5uiSRbpy9GM3P4FwSmc9+7X
+SVs87/xrXoH3pUN2MMY+PayF82wUtpPwy0V8MB2NlEaWt+/danioVGVJQauMie84
+swARAQABiQE2BBgBCgAgFiEEZtA4fbhdMg+ECBZtsXXPqY8ZKvIFAl2r4asCGyAA
+CgkQsXXPqY8ZKvJbjAf/deT3H5ZTF4k22b7mE5978oGxdBRsHP4kcYWN31hDD3yN
+S8803VF+C0p/fVv4UMpuT9y771s0tJ+EoPPYARERWKiApFxWMkPL1eaZZB3Wij4z
+gYc1iGki3lkrV3cJE4iKqKwtCyKHrj+CX2BugxyxS4dGRzeFUpRva6YJk8bfuFR0
+C86Y4xLv/QoIZLmled+xf7N6BIqOmzXayITFheJGmTFsX0xbt6vr/q6S8cvHiMem
+CJnlKO3/06pSIA6BRJB+GkBQmVovF70TeeP4AGzstX4U6O0jriySqCptijlVehsV
+ImGoVOiDX4qYzOd+x0po5lC5mHe/dO0ZTOTGgxQc9w==
+=Ruhn
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..e71adb7
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,6 @@
+version=4
+opts=downloadurlmangle=s/archive\/refs\/tags\/(.*)\.tar\.gz/releases\/download\/$1\/@PACKAGE@-$1\.tar\.xz/,\
+ pgpsigurlmangle=s/$/.asc/,\
+ dversionmangle=s/\+dfsg1//,repacksuffix=+dfsg1 \
+ https://github.com/shadow-maint/@PACKAGE@/tags \
+ /shadow-maint/@PACKAGE@/archive/refs/tags/([^v].*)\.tar\.gz