summaryrefslogtreecommitdiffstats
path: root/patches/source/shadow
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/shadow')
-rw-r--r--patches/source/shadow/adduser445
-rw-r--r--patches/source/shadow/doinst.sh17
-rw-r--r--patches/source/shadow/login.defs389
-rw-r--r--patches/source/shadow/patches/README_PATCHES10
-rw-r--r--patches/source/shadow/patches/unused/r3299.diff12
-rw-r--r--patches/source/shadow/shadow.CVE-2005-4890.relax.diff35
-rwxr-xr-xpatches/source/shadow/shadow.SlackBuild175
-rw-r--r--patches/source/shadow/shadow.glibc217-crypt.diff258
-rw-r--r--patches/source/shadow/shadow.url1
-rw-r--r--patches/source/shadow/slack-desc19
-rw-r--r--patches/source/shadow/useradd8
11 files changed, 1369 insertions, 0 deletions
diff --git a/patches/source/shadow/adduser b/patches/source/shadow/adduser
new file mode 100644
index 00000000..ce06aac5
--- /dev/null
+++ b/patches/source/shadow/adduser
@@ -0,0 +1,445 @@
+#!/bin/bash
+#
+# Copyright 1995 Hrvoje Dogan, Croatia.
+# Copyright 2002-2004, 2008, 2009, 2010 Stuart Winter, Surrey, England, UK.
+# Copyright 2004, 2008-2010 Slackware Linux, Inc., Concord, CA, USA
+# Copyright 2012 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#
+##########################################################################
+# Program: /usr/sbin/adduser
+# Purpose: Interactive front end to /usr/sbin/useradd for Slackware Linux
+# Author : Stuart Winter <mozes@slackware.com>
+# Based on the original Slackware adduser by Hrvoje Dogan
+# with modifications by Patrick Volkerding
+# Version: 1.15
+##########################################################################
+# Usage..: adduser [<new_user_name>]
+##########################################################################
+# History #
+###########
+# v1.15 - 2012-09-13
+# * Added scanner group, which may be required by third party drivers.
+# v1.14 - 2012-08-24
+# * Added lp group, which is now required for scanning. <pjv>
+# v1.13 - 13/01/10
+# * Fixed bug that removed underscore characters from UNIX group names.
+# Thanks to mRgOBLIN for the report and Jim Hawkins for the fix. <sw>
+# v1.12 - 21/07/09
+# * Adjusted the search of /etc/passwd to exclude the NIS inclusion
+# string. Thanks to Dominik L. Borkowski.
+# v1.11 - 04/06/09
+# * Add power and netdev to the suggested group list
+# v1.10 - 24/03/08
+# * To facilitate use of the automatic mounting features of HAL,
+# allow the admin to easily add users to the default groups:
+# audio,cdrom,video,plugdev,floppy.
+# The default is not to add new users to these groups.
+# And by the way, this script is "useradd from Slackware" not
+# "superadduser from Gentoo" ;-)
+# v1.09 - 07/06/04
+# * Added standard Slackware script licence to the head of this file.
+# v1.08 - 25/04/04
+# * Disallow user names that begin with a numeric because useradd
+# (from shadow v4.03) does not allow them. <sw>
+# v1.07 - 07/03/03
+# * When supplying a null string for the uid (meaning 'Choose next available'),
+# if there were file names in the range 'a-z' in the pwd then the
+# egrep command considered these files rather than the null string.
+# The egrep expression is now in quotes.
+# Reported & fixed by Vadim O. Ustiansky <sw>
+# v1.06 - 31/03/03
+# * Ask to chown user.group the home directory if it already exists.
+# This helps reduce later confusion when adding users whose home dir
+# already exists (mounted partition for example) and is owned
+# by a user other than the user to which the directory is being
+# assigned as home. Default is not to chown.
+# Brought to my attention by mRgOBLIN. <sw>
+# v1.05 - 04/01/03
+# * Advise & prevent users from creating logins with '.' characters
+# in the user name. <sw>
+# * Made pending account creation info look neater <sw>
+# v1.04 - 09/06/02
+# * Catered for shadow-4.0.3's 'useradd' binary that no longer
+# will let you create a user that has any uppercase chars in it
+# This was reported on the userlocal.org forums
+# by 'xcp' - thanks. <sw,pjv>
+# v1.03 - 20/05/02
+# * Support 'broken' (null lines in) /etc/passwd and
+# /etc/group files <sw>
+# * For recycling UIDs (default still 'off'), we now look in
+# /etc/login.defs for the UID_MIN value and use it
+# If not found then default to 1000 <sw>
+# v1.02 - 10/04/02
+# * Fix user-specified UID bug. <pjv>
+# v1.01 - 23/03/02
+# * Match Slackware indenting style, simplify. <pjv>
+# v1.00 - 22/03/02
+# * Created
+#######################################################################
+
+# Path to files
+pfile=/etc/passwd
+gfile=/etc/group
+sfile=/etc/shells
+
+# Paths to binaries
+useradd=/usr/sbin/useradd
+chfn=/usr/bin/chfn
+passwd=/usr/bin/passwd
+chmod=/bin/chmod
+
+# Defaults
+defhome=/home
+defshell=/bin/bash
+defchmod=711 # home dir permissions - may be preferable to use 701, however.
+defgroup=users
+AGID="audio cdrom floppy plugdev video power netdev lp scanner" # additional groups for desktop users
+
+# Determine what the minimum UID is (for UID recycling)
+# (we ignore it if it's not at the beginning of the line (i.e. commented out with #))
+export recycleUIDMIN="$(grep ^UID_MIN /etc/login.defs | awk '{print $2}' 2>/dev/null)"
+# If we couldn't find it, set it to the default of 1000
+if [ -z "$recycleUIDMIN" ]; then
+ export recycleUIDMIN=1000 # this is the default from Slackware's /etc/login.defs
+fi
+
+
+# This setting enables the 'recycling' of older unused UIDs.
+# When you userdel a user, it removes it from passwd and shadow but it will
+# never get used again unless you specify it expliticly -- useradd (appears to) just
+# look at the last line in passwd and increment the uid. I like the idea of
+# recycling uids but you may have very good reasons not to (old forgotten
+# confidential files still on the system could then be owned by this new user).
+# We'll set this to no because this is what the original adduser shell script
+# did and it's what users expect.
+recycleuids=no
+
+# Function to read keyboard input.
+# bash1 is broken (even ash will take read -ep!), so we work around
+# it (even though bash1 is no longer supported on Slackware).
+function get_input() {
+ local output
+ if [ "`echo $BASH_VERSION | cut -b1`" = "1" ]; then
+ echo -n "${1} " >&2 # fudge for use with bash v1
+ read output
+ else # this should work with any other /bin/sh
+ read -ep "${1} " output
+ fi
+ echo $output
+}
+
+# Function to display the account info
+function display () {
+ local goose
+ goose="$(echo $2 | cut -d ' ' -f 2-)" # lop off the prefixed argument useradd needs
+ echo -n "$1 "
+ # If it's null then display the 'other' information
+ if [ -z "$goose" -a ! -z "$3" ]; then
+ echo "$3"
+ else
+ echo "$goose"
+ fi
+}
+
+# Function to check whether groups exist in the /etc/group file
+function check_group () {
+ local got_error group
+ if [ ! -z "$@" ]; then
+ for group in $@ ; do
+ local uid_not_named="" uid_not_num=""
+ grep -v "$^" $gfile | awk -F: '{print $1}' | grep "^${group}$" >/dev/null 2>&1 || uid_not_named=yes
+ grep -v "$^" $gfile | awk -F: '{print $3}' | grep "^${group}$" >/dev/null 2>&1 || uid_not_num=yes
+ if [ ! -z "$uid_not_named" -a ! -z "$uid_not_num" ]; then
+ echo "- Group '$group' does not exist"
+ got_error=yes
+ fi
+ done
+ fi
+ # Return exit code of 1 if at least one of the groups didn't exist
+ if [ ! -z "$got_error" ]; then
+ return 1
+ fi
+}
+
+#: Read the login name for the new user :#
+#
+# Remember that most Mail Transfer Agents are case independant, so having
+# 'uSer' and 'user' may cause confusion/things to break. Because of this,
+# useradd from shadow-4.0.3 no longer accepts usernames containing uppercase,
+# and we must reject them, too.
+
+# Set the login variable to the command line param
+echo
+LOGIN="$1"
+needinput=yes
+while [ ! -z $needinput ]; do
+ if [ -z "$LOGIN" ]; then
+ while [ -z "$LOGIN" ]; do LOGIN="$(get_input "Login name for new user []:")" ; done
+ fi
+ grep "^${LOGIN}:" $pfile >/dev/null 2>&1 # ensure it's not already used
+ if [ $? -eq 0 ]; then
+ echo "- User '$LOGIN' already exists; please choose another"
+ unset LOGIN
+ elif [ ! -z "$( echo $LOGIN | grep "^[0-9]" )" ]; then
+ echo "- User names cannot begin with a number; please choose another"
+ unset LOGIN
+ elif [ ! "$LOGIN" = "`echo $LOGIN | tr A-Z a-z`" ]; then # useradd does not allow uppercase
+ echo "- User '$LOGIN' contains illegal characters (uppercase); please choose another"
+ unset LOGIN
+ elif [ ! -z "$( echo $LOGIN | grep '\.' )" ]; then
+ echo "- User '$LOGIN' contains illegal characters (period/dot); please choose another"
+ unset LOGIN
+ else
+ unset needinput
+ fi
+done
+
+# Display the user name passed from the shell if it hasn't changed
+if [ "$1" = "$LOGIN" ]; then
+ echo "Login name for new user: $LOGIN"
+fi
+
+#: Get the UID for the user & ensure it's not already in use :#
+#
+# Whilst we _can_ allow users with identical UIDs, it's not a 'good thing' because
+# when you change password for the uid, it finds the first match in /etc/passwd
+# which isn't necessarily the correct user
+#
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+ _UID="$(get_input "User ID ('UID') [ defaults to next available ]:")"
+ egrep -v "^$|^\+" $pfile | awk -F: '{print $3}' | grep "^${_UID}$" >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ echo "- That UID is already in use; please choose another"
+ elif [ ! -z "$(echo $_UID | egrep '[A-Za-z]')" ]; then
+ echo "- UIDs are numerics only"
+ else
+ unset needinput
+ fi
+done
+# If we were given a UID, then syntax up the variable to pass to useradd
+if [ ! -z "$_UID" ]; then
+ U_ID="-u ${_UID}"
+else
+ # Will we be recycling UIDs?
+ if [ "$recycleuids" = "yes" ]; then
+ U_ID="-u $(awk -F: '{uid[$3]=1} END { for (i=ENVIRON["recycleUIDMIN"];i in uid;i++);print i}' $pfile)"
+ fi
+fi
+
+#: Get the initial group for the user & ensure it exists :#
+#
+# We check /etc/group for both the text version and the group ID number
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+ GID="$(get_input "Initial group [ ${defgroup} ]:")"
+ check_group "$GID"
+ if [ $? -gt 0 ]; then
+ echo "- Please choose another"
+ else
+ unset needinput
+ fi
+done
+# Syntax the variable ready for useradd
+if [ -z "$GID" ]; then
+ GID="-g ${defgroup}"
+else
+ GID="-g ${GID}"
+fi
+
+#: Get additional groups for the user :#
+#
+echo "Additional UNIX groups:"
+echo
+echo "Users can belong to additional UNIX groups on the system."
+echo "For local users using graphical desktop login managers such"
+echo "as XDM/KDM, users may need to be members of additional groups"
+echo "to access the full functionality of removable media devices."
+echo
+echo "* Security implications *"
+echo "Please be aware that by adding users to additional groups may"
+echo "potentially give access to the removable media of other users."
+echo
+echo "If you are creating a new user for remote shell access only,"
+echo "users do not need to belong to any additional groups as standard,"
+echo "so you may press ENTER at the next prompt."
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+ history -c
+ history -s "$AGID"
+ echo "Press ENTER to continue without adding any additional groups"
+ echo "Or press the UP arrow key to add/select/edit additional groups"
+ AGID="$(get_input ": " | sed 's/[^A-Za-z0-9 _]//g;s/ */ /g;s/^ $//g' )"
+ if [ ! -z "$AGID" ]; then
+ check_group "$AGID" # check all groups at once (treated as N # of params)
+ if [ $? -gt 0 ]; then
+ echo "- Please re-enter the group(s)"
+ echo
+ else
+ unset needinput # we found all groups specified
+ AGID="-G $(echo $AGID | tr ' ' ,)" # useradd takes comma delimited groups
+ fi
+ else
+ unset needinput # we don't *have* to have additional groups
+ fi
+done
+
+#: Get the new user's home dir :#
+#
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+ HME="$(get_input "Home directory [ ${defhome}/${LOGIN} ]")"
+ if [ -z "$HME" ]; then
+ HME="${defhome}/${LOGIN}"
+ fi
+ # Warn the user if the home dir already exists
+ if [ -d "$HME" ]; then
+ echo "- Warning: '$HME' already exists !"
+ getyn="$(get_input " Do you wish to change the home directory path ? (Y/n) ")"
+ if [ "$(echo $getyn | grep -i "n")" ]; then
+ unset needinput
+ # You're most likely going to only do this if you have the dir *mounted* for this user's $HOME
+ getyn="$(get_input " Do you want to chown $LOGIN.$( echo $GID | awk '{print $2}') $HME ? (y/N) ")"
+ if [ "$(echo $getyn | grep -i "y")" ]; then
+ CHOWNHOMEDIR=$HME # set this to the home directory
+ fi
+ fi
+ else
+ unset needinput
+ fi
+done
+HME="-d ${HME}"
+
+#: Get the new user's shell :#
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+ unset got_error
+ SHL="$(get_input "Shell [ ${defshell} ]")"
+ if [ -z "$SHL" ]; then
+ SHL="${defshell}"
+ fi
+ # Warn the user if the shell doesn't exist in /etc/shells or as a file
+ if [ -z "$(grep "^${SHL}$" $sfile)" ]; then
+ echo "- Warning: ${SHL} is not in ${sfile} (potential problem using FTP)"
+ got_error=yes
+ fi
+ if [ ! -f "$SHL" ]; then
+ echo "- Warning: ${SHL} does not exist as a file"
+ got_error=yes
+ fi
+ if [ ! -z "$got_error" ]; then
+ getyn="$(get_input " Do you wish to change the shell ? (Y/n) ")"
+ if [ "$(echo $getyn | grep -i "n")" ]; then
+ unset needinput
+ fi
+ else
+ unset needinput
+ fi
+done
+SHL="-s ${SHL}"
+
+#: Get the expiry date :#
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+ EXP="$(get_input "Expiry date (YYYY-MM-DD) []:")"
+ if [ ! -z "$EXP" ]; then
+ # Check to see whether the expiry date is in the valid format
+ if [ -z "$(echo "$EXP" | grep "^[[:digit:]]\{4\}[-]\?[[:digit:]]\{2\}[-]\?[[:digit:]]\{2\}$")" ]; then
+ echo "- That is not a valid expiration date"
+ else
+ unset needinput
+ EXP="-e ${EXP}"
+ fi
+ else
+ unset needinput
+ fi
+done
+
+# Display the info about the new impending account
+echo
+echo "New account will be created as follows:"
+echo
+echo "---------------------------------------"
+display "Login name.......: " "$LOGIN"
+display "UID..............: " "$_UID" "[ Next available ]"
+display "Initial group....: " "$GID"
+display "Additional groups: " "$AGID" "[ None ]"
+display "Home directory...: " "$HME"
+display "Shell............: " "$SHL"
+display "Expiry date......: " "$EXP" "[ Never ]"
+echo
+
+echo "This is it... if you want to bail out, hit Control-C. Otherwise, press"
+echo "ENTER to go ahead and make the account."
+read junk
+
+echo
+echo "Creating new account..."
+echo
+echo
+
+# Add the account to the system
+CMD="$useradd "$HME" -m "$EXP" "$U_ID" "$GID" "$AGID" "$SHL" "$LOGIN""
+$CMD
+
+if [ $? -gt 0 ]; then
+ echo "- Error running useradd command -- account not created!"
+ echo "(cmd: $CMD)"
+ exit 1
+fi
+
+# chown the home dir ? We can only do this once the useradd has
+# completed otherwise the user name doesn't exist.
+if [ ! -z "${CHOWNHOMEDIR}" ]; then
+ chown "$LOGIN"."$( echo $GID | awk '{print $2}')" "${CHOWNHOMEDIR}"
+fi
+
+# Set the finger information
+$chfn "$LOGIN"
+if [ $? -gt 0 ]; then
+ echo "- Warning: an error occurred while setting finger information"
+fi
+
+# Set a password
+$passwd "$LOGIN"
+if [ $? -gt 0 ]; then
+ echo "* WARNING: An error occured while setting the password for"
+ echo " this account. Please manually investigate this *"
+ exit 1
+fi
+
+# If it was created (it should have been!), set the permissions for that user's dir
+HME="$(echo "$HME" | awk '{print $2}')" # We have to remove the -g prefix
+if [ -d "$HME" ]; then
+ $chmod $defchmod "$HME"
+fi
+
+echo
+echo
+echo "Account setup complete."
+exit 0
diff --git a/patches/source/shadow/doinst.sh b/patches/source/shadow/doinst.sh
new file mode 100644
index 00000000..88fefb3a
--- /dev/null
+++ b/patches/source/shadow/doinst.sh
@@ -0,0 +1,17 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+config etc/login.access.new
+config etc/login.defs.new
+config var/log/faillog.new
+rm -f var/log/faillog.new
+
diff --git a/patches/source/shadow/login.defs b/patches/source/shadow/login.defs
new file mode 100644
index 00000000..e52f91a5
--- /dev/null
+++ b/patches/source/shadow/login.defs
@@ -0,0 +1,389 @@
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+# $Id: login.defs 3038 2009-07-23 20:41:35Z nekral-guest $
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+#
+FAIL_DELAY 3
+
+#
+# Enable logging and display of /var/log/faillog login failure info.
+#
+FAILLOG_ENAB yes
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+LOG_UNKFAIL_ENAB no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS no
+
+#
+# Enable logging and display of /var/log/lastlog login time info.
+#
+LASTLOG_ENAB yes
+
+#
+# Enable checking and display of mailbox status upon login.
+#
+# Disable if the shell startup files already check for mail
+# ("mailx -e" or equivalent).
+#
+MAIL_CHECK_ENAB yes
+
+#
+# Enable additional checks upon password changes.
+#
+OBSCURE_CHECKS_ENAB yes
+
+#
+# Enable checking of time restrictions specified in /etc/porttime.
+#
+PORTTIME_CHECKS_ENAB yes
+
+#
+# Enable setting of ulimit, umask, and niceness from passwd gecos field.
+#
+QUOTAS_ENAB yes
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB yes
+SYSLOG_SG_ENAB yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# upon these devices.
+#
+CONSOLE /etc/securetty
+#CONSOLE console:tty01:tty02:tty03:tty04
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE /var/log/sulog
+
+#
+# If defined, ":" delimited list of "message of the day" files to
+# be displayed upon login.
+#
+MOTD_FILE /etc/motd
+#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
+
+#
+# If defined, this file will be output before each login prompt.
+#
+#ISSUE_FILE /etc/issue
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100 tty01".
+#
+#TTYTYPE_FILE /etc/ttytype
+
+#
+# If defined, login failures will be logged here in a utmp format.
+# last, when invoked as lastb, will read /var/log/btmp, so...
+#
+FTMP_FILE /var/log/btmp
+
+#
+# If defined, name of file whose presence which will inhibit non-root
+# logins. The contents of this file should be a message indicating
+# why logins are inhibited.
+#
+NOLOGINS_FILE /etc/nologin
+
+#
+# If defined, the command name to display when running "su -". For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su". If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME su
+
+#
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR /var/spool/mail
+#MAIL_FILE .mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+#
+# If defined, either a TZ environment parameter spec or the
+# fully-rooted pathname of a file containing such a spec.
+#
+#ENV_TZ TZ=CST6CDT
+#ENV_TZ /etc/tzname
+
+#
+# If defined, an HZ environment parameter spec.
+#
+# for Linux/x86
+ENV_HZ HZ=100
+# For Linux/Alpha...
+#ENV_HZ HZ=1024
+
+#
+# *REQUIRED* The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ENV_PATH PATH=/usr/local/bin:/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+TTYGROUP tty
+TTYPERM 0620
+
+#
+# Login configuration initializations:
+#
+# ERASECHAR Terminal ERASE character ('\010' = backspace).
+# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+# ULIMIT Default "ulimit" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# The ULIMIT is used only if the system supports it.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR 0177
+KILLCHAR 025
+#ULIMIT 2097152
+
+# Default initial "umask" value.
+# UMASK is also used by useradd and newusers to set the mode of new home
+# directories.
+# 022 is the default value, but 027, or even 077, could be considered
+# better for privacy. There is no One True Answer here: each sysadmin
+# must make up her mind.
+UMASK 022
+
+#
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_MIN_LEN 5
+PASS_WARN_AGE 7
+
+#
+# If "yes", the user must be listed as a member of the first gid 0 group
+# in /etc/group (called "root" on most Linux systems) to be able to "su"
+# to uid 0 accounts. If the group doesn't exist or is empty, no one
+# will be able to "su" to uid 0.
+#
+SU_WHEEL_ONLY no
+
+#
+# If compiled with cracklib support, where are the dictionaries
+#
+#CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+SYS_UID_MIN 101
+SYS_UID_MAX 999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+SYS_GID_MIN 101
+SYS_GID_MAX 999
+
+#
+# Max number of login retries if password is bad
+#
+LOGIN_RETRIES 5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT 60
+
+#
+# Maximum number of attempts to change password if rejected (too easy)
+#
+PASS_CHANGE_TRIES 5
+
+#
+# Warn about weak passwords (but still allow them) if you are root.
+#
+PASS_ALWAYS_WARN yes
+
+#
+# Number of significant characters in the password for crypt().
+# Default is 8, don't change unless your crypt() is better.
+# Ignored if MD5_CRYPT_ENAB set to "yes".
+#
+#PASS_MAX_LEN 8
+
+#
+# Require password before chfn/chsh can make any changes.
+#
+CHFN_AUTH yes
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT frwh
+
+#
+# Password prompt (%s will be replaced by user name).
+#
+# XXX - it doesn't work correctly yet, for now leave it commented out
+# to use the default which is just "Password: ".
+#LOGIN_STRING "%s's Password: "
+
+#
+# Only works if compiled with MD5_CRYPT defined:
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm. Default is "no".
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB no
+
+#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+ENCRYPT_METHOD SHA256
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting). Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# Most of these groups are self-explanatory, but in the case of
+# "lp", it is because group lp is needed to use a scanner that
+# is part of a multifunction printer.
+#
+# Note that users are added to these default groups only when
+# logging into a shell with /bin/login, not when using a login
+# manager such as kdm. In that case, users who should have
+# hardware access must be added to the appropriate groups
+# when the user is added with adduser or useradd, or by editing
+# /etc/group directly, preferably using "vigr"
+#
+CONSOLE_GROUPS floppy:audio:cdrom:video:lp:scanner
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME yes
+
+#
+# If this file exists and is readable, login environment will be
+# read from it. Every line should be in the form name=value.
+#
+ENVIRON_FILE /etc/environment
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-nul number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permit to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP 0
+
+#
+# If useradd should create home directories for users by default (non
+# system users only)
+# This option is overridden with the -M or -m flags on the useradd command
+# line.
+#
+#CREATE_HOME yes
+
diff --git a/patches/source/shadow/patches/README_PATCHES b/patches/source/shadow/patches/README_PATCHES
new file mode 100644
index 00000000..1d1f2173
--- /dev/null
+++ b/patches/source/shadow/patches/README_PATCHES
@@ -0,0 +1,10 @@
+
+r3054.diff: Fixed wrong format string
+r3055.diff: Help output to stderr not stdout.
+r3060.diff: Fix memory leaks
+r3062.diff: Avoid memzero() on a possibly NULL pointer.
+r3096.diff: Fix parsing of gshadow entries.
+r3090.diff: Fix improper sanitizing of locale variables.
+r3160.diff: Fixed limits support (non PAM enabled versions only)
+r3194.diff: shell's name must be -su when a su fakes a login.
+r3299.diff: man/ru/Makefile.am: Remove double inclusion of $(man_nopam)
diff --git a/patches/source/shadow/patches/unused/r3299.diff b/patches/source/shadow/patches/unused/r3299.diff
new file mode 100644
index 00000000..a46b18f0
--- /dev/null
+++ b/patches/source/shadow/patches/unused/r3299.diff
@@ -0,0 +1,12 @@
+Index: man/ru/Makefile.am
+===================================================================
+--- man/ru/Makefile.am (revision 3298)
++++ man/ru/Makefile.am (revision 3299)
+@@ -1,7 +1,6 @@
+ mandir = @mandir@/ru
+
+ man_MANS = \
+- $(man_nopam) \
+ chage.1 \
+ chfn.1 \
+ chgpasswd.8 \
diff --git a/patches/source/shadow/shadow.CVE-2005-4890.relax.diff b/patches/source/shadow/shadow.CVE-2005-4890.relax.diff
new file mode 100644
index 00000000..98425e16
--- /dev/null
+++ b/patches/source/shadow/shadow.CVE-2005-4890.relax.diff
@@ -0,0 +1,35 @@
+From 0f6a809b7c4c9a8f4adb5b25808dd68000e17aa2 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Wed, 04 Dec 2013
+Subject: restrict "su -c" only when callee is not root
+
+Shadow 4.1.5 addressed a tty-hijacking vulnerability in "su -c"
+(CVE-2005-4890) by detaching the controlling terminal in the non-PAM
+case via a TIOCNOTTY request.
+
+Bi-directional protection is excessive and breaks a commonly-used
+methods for privilege escalation on non-PAM systems (e.g. xterm -e
+/bin/su -s /bin/bash -c /bin/bash myscript).
+
+This patch relaxes the restriction and only detaches the controlling
+tty when the callee is not root (which is, after all, the threat vector).
+
+---
+ src/su.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -1076,10 +1076,10 @@ int main (int argc, char **argv)
+
+ set_environment (pw);
+
+- if (!doshell) {
++ if (!doshell && pw->pw_uid != 0) {
+ /* There is no need for a controlling terminal.
+ * This avoids the callee to inject commands on
+- * the caller's tty. */
++ * the caller's tty when the callee is not root. */
+ int err = -1;
+
+ #ifdef USE_PAM
diff --git a/patches/source/shadow/shadow.SlackBuild b/patches/source/shadow/shadow.SlackBuild
new file mode 100755
index 00000000..e5143b8d
--- /dev/null
+++ b/patches/source/shadow/shadow.SlackBuild
@@ -0,0 +1,175 @@
+#!/bin/sh
+
+# Copyright 2005-2014 Patrick J. Volkerding, Sebeka, Minnesota, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+PKGNAM=shadow
+VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-3_slack14.1}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i486 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+NUMJOBS=${NUMJOBS:--j6}
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-shadow
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+else
+ SLKCFLAGS="-O2"
+fi
+
+rm -rf $PKG
+mkdir -p $TMP $PKG
+cd $TMP
+rm -rf shadow-$VERSION
+tar xvf $CWD/shadow-$VERSION.tar.?z* || exit 1
+cd shadow-$VERSION
+
+# Apply some patches taken from the svn trunk that
+# fix some of the more serious bugs in 4.1.4.3:
+for patch in $CWD/patches/*.diff.gz ; do
+ zcat $patch | patch -p0 --verbose || exit 1
+done
+
+# Patch to handle newer crypt() that may return NULL:
+zcat $CWD/shadow.glibc217-crypt.diff.gz | patch -p1 --verbose || exit 1
+
+# Relax the restrictions on "su -c" when it is used to become root.
+# It's not likely that root is going to try to inject commands back into
+# the user's shell to hack it, and the unnecessary restriction is causing
+# breakage:
+zcat $CWD/shadow.CVE-2005-4890.relax.diff.gz | patch -p1 --verbose || exit 1
+
+# Re-run automake because of r3299 patch to man/ru/Makefile.am:
+# (not used because it doesn't work... above patch does the intended fix)
+#automake -f
+
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/man \
+ --docdir=/usr/doc/shadow-$VERSION \
+ --disable-shared \
+ --without-libcrack \
+ --build=$ARCH-slackware-linux
+
+# --enable-utmpx # defaults to 'no'
+
+make $NUMJOBS || make || exit 1
+make install DESTDIR=$PKG || exit 1
+
+# Fix user group = 100:
+zcat $CWD/useradd.gz > $PKG/etc/default/useradd
+
+# /bin/groups is provided by coreutils.
+rm -f $PKG/bin/groups
+find $PKG -name groups.1 -exec rm {} \;
+
+# Install a login.defs with unsurprising defaults:
+rm -f $PKG/etc/login.defs
+zcat $CWD/login.defs.gz > $PKG/etc/login.defs.new
+
+mv $PKG/etc/login.access $PKG/etc/login.access.new
+
+# I don't think this works well enough to recommend it.
+#mv $PKG/etc/limits $PKG/etc/limits.new
+rm -f $PKG/etc/limits
+
+# Add the friendly 'adduser' script:
+cat $CWD/adduser > $PKG/usr/sbin/adduser
+chmod 0755 $PKG/usr/sbin/adduser
+
+# Add sulogin to the package:
+cp -a src/sulogin $PKG/sbin
+( cd $PKG/bin ; ln -s ../sbin/sulogin )
+
+# Add the empty faillog log file:
+mkdir -p $PKG/var/log
+touch $PKG/var/log/faillog.new
+
+# Put some stuff back in "old" locations and make symlinks for compat
+( cd $PKG/usr/bin
+ mv faillog ../sbin
+ mv lastlog ../sbin
+ ln -s ../sbin/faillog
+ ln -s ../sbin/lastlog
+)
+
+# Use 4711 rather than 4755 permissions where setuid root is required:
+find $PKG -type f -perm 4755 -exec chmod 4711 "{}" \;
+
+# Compress and if needed symlink the man pages:
+if [ -d $PKG/usr/man ]; then
+ ( cd $PKG/usr/man
+ for manpagedir in $(find . -type d -name "man*") ; do
+ ( cd $manpagedir
+ for eachpage in $( find . -type l -maxdepth 1) ; do
+ ln -s $( readlink $eachpage ).gz $eachpage.gz
+ rm $eachpage
+ done
+ gzip -9 *.?
+ )
+ done
+ )
+fi
+
+mkdir -p $PKG/usr/doc/shadow-$VERSION
+cp -a \
+ COPYING* NEWS README* TODO doc/{README*,HOWTO,WISHLIST,*.txt} \
+ $PKG/usr/doc/shadow-$VERSION
+
+# If there's a ChangeLog, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r ChangeLog ]; then
+ DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
+ cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
+ touch -r ChangeLog $DOCSDIR/ChangeLog
+fi
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/shadow-$VERSION-$ARCH-$BUILD.txz
+
diff --git a/patches/source/shadow/shadow.glibc217-crypt.diff b/patches/source/shadow/shadow.glibc217-crypt.diff
new file mode 100644
index 00000000..e26ca10b
--- /dev/null
+++ b/patches/source/shadow/shadow.glibc217-crypt.diff
@@ -0,0 +1,258 @@
+From a616a72160c17fa193ad6ad95eb2c869633f4fe9 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Fri, 4 Oct 2013 11:25:43
+Subject: [PATCH] Improve handling of NULL returns from crypt().
+
+Signed-off-by: mancha <mancha1@hush.com>
+---
+ ChangeLog | 15 +++++++++++++++
+ lib/encrypt.c | 7 +++----
+ lib/pwauth.c | 7 ++++++-
+ libmisc/valid.c | 1 +
+ src/chgpasswd.c | 4 ++++
+ src/chpasswd.c | 4 ++++
+ src/gpasswd.c | 4 ++++
+ src/newgrp.c | 3 ++-
+ src/newusers.c | 26 +++++++++++++++++++++-----
+ src/passwd.c | 15 +++++++++++++++
+ 10 files changed, 75 insertions(+), 11 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index aab00ae..1416a38 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,18 @@
++2013-05-06 mancha <mancha1@hush.com>
++
++ * lib/encrypt.c: crypt() in glibc/eglibc 2.17 now fails if passed
++ a salt that violates specs. On Linux, crypt() also fails with
++ DES/MD5 salts in FIPS140 mode. Rather than exit() on NULL returns
++ we send them back to the caller for appropriate handling.
++ * lib/pwauth.c: Handle NULL return from crypt().
++ * libmisc/valid.c: Likewise.
++ * src/chgpasswd.c: Likewise.
++ * src/chpasswd.c: Likewise.
++ * src/gpasswd.c: Likewise.
++ * src/newgrp.c: Likewise.
++ * src/newusers.c: Likewise.
++ * src/passwd.c: Likewise.
++
+ 2012-05-25 Nicolas Fran├žois <nicolas.francois@centraliens.net>
+
+ * NEWS: Set release date.
+diff --git a/lib/encrypt.c b/lib/encrypt.c
+index 7daa8da..49cb691 100644
+--- a/lib/encrypt.c
++++ b/lib/encrypt.c
+@@ -49,11 +49,10 @@
+ if (!cp) {
+ /*
+ * Single Unix Spec: crypt() may return a null pointer,
+- * and set errno to indicate an error. The caller doesn't
+- * expect us to return NULL, so...
++ * and set errno to indicate an error. In this case return
++ * the NULL so the caller can handle appropriately.
+ */
+- perror ("crypt");
+- exit (EXIT_FAILURE);
++ return cp;
+ }
+
+ /* The GNU crypt does not return NULL if the algorithm is not
+diff --git a/lib/pwauth.c b/lib/pwauth.c
+index 4b26daa..086a72e 100644
+--- a/lib/pwauth.c
++++ b/lib/pwauth.c
+@@ -73,6 +73,7 @@ int pw_auth (const char *cipher,
+ char prompt[1024];
+ char *clear = NULL;
+ const char *cp;
++ const char *encrypted;
+ int retval;
+
+ #ifdef SKEY
+@@ -177,7 +178,11 @@ int pw_auth (const char *cipher,
+ * the results there as well.
+ */
+
+- retval = strcmp (pw_encrypt (input, cipher), cipher);
++ encrypted = pw_encrypt (input, cipher);
++ if (encrypted!=NULL)
++ retval = strcmp (encrypted, cipher);
++ else
++ retval = -1;
+
+ #ifdef SKEY
+ /*
+diff --git a/libmisc/valid.c b/libmisc/valid.c
+index aa0390a..4b85d67 100644
+--- a/libmisc/valid.c
++++ b/libmisc/valid.c
+@@ -95,6 +95,7 @@ bool valid (const char *password, const struct passwd *ent)
+ */
+
+ if ( (NULL != ent->pw_name)
++ && (NULL != encrypted)
+ && (strcmp (encrypted, ent->pw_passwd) == 0)) {
+ return true;
+ } else {
+diff --git a/src/chgpasswd.c b/src/chgpasswd.c
+index 0f41d0b..6c42a09 100644
+--- a/src/chgpasswd.c
++++ b/src/chgpasswd.c
+@@ -469,6 +469,10 @@ int main (int argc, char **argv)
+ #endif
+ cp = pw_encrypt (newpwd,
+ crypt_make_salt (crypt_method, arg));
++ if (cp == NULL) {
++ perror ("crypt");
++ exit (EXIT_FAILURE);
++ }
+ }
+
+ /*
+diff --git a/src/chpasswd.c b/src/chpasswd.c
+index 928e2d7..4968b0d 100644
+--- a/src/chpasswd.c
++++ b/src/chpasswd.c
+@@ -492,6 +492,10 @@ int main (int argc, char **argv)
+ #endif
+ cp = pw_encrypt (newpwd,
+ crypt_make_salt(crypt_method, arg));
++ if (cp == NULL) {
++ perror ("crypt");
++ exit (EXIT_FAILURE);
++ }
+ }
+
+ /*
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index df8d714..0043610 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -939,6 +939,10 @@ static void change_passwd (struct group *gr)
+ }
+
+ cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL));
++ if (cp==NULL) {
++ perror ("crypt");
++ exit (EXIT_FAILURE);
++ }
+ memzero (pass, sizeof pass);
+ #ifdef SHADOWGRP
+ if (is_shadowgrp) {
+diff --git a/src/newgrp.c b/src/newgrp.c
+index 9330c72..6b87761 100644
+--- a/src/newgrp.c
++++ b/src/newgrp.c
+@@ -184,7 +184,8 @@ static void check_perms (const struct group *grp,
+ cpasswd = pw_encrypt (cp, grp->gr_passwd);
+ strzero (cp);
+
+- if (grp->gr_passwd[0] == '\0' ||
++ if (cpasswd == NULL ||
++ grp->gr_passwd[0] == '\0' ||
+ strcmp (cpasswd, grp->gr_passwd) != 0) {
+ #ifdef WITH_AUDIT
+ snprintf (audit_buf, sizeof(audit_buf),
+diff --git a/src/newusers.c b/src/newusers.c
+index 994898e..5f83a6a 100644
+--- a/src/newusers.c
++++ b/src/newusers.c
+@@ -387,6 +387,7 @@ static int add_user (const char *name, uid_t uid, gid_t gid)
+ static void update_passwd (struct passwd *pwd, const char *password)
+ {
+ void *crypt_arg = NULL;
++ char *cp;
+ if (crypt_method != NULL) {
+ #ifdef USE_SHA_CRYPT
+ if (sflg) {
+@@ -398,9 +399,13 @@ static void update_passwd (struct passwd *pwd, const char *password)
+ if ((crypt_method != NULL) && (0 == strcmp(crypt_method, "NONE"))) {
+ pwd->pw_passwd = (char *)password;
+ } else {
+- pwd->pw_passwd = pw_encrypt (password,
+- crypt_make_salt (crypt_method,
+- crypt_arg));
++ cp=pw_encrypt (password, crypt_make_salt (crypt_method,
++ crypt_arg));
++ if (cp == NULL) {
++ perror ("crypt");
++ exit (EXIT_FAILURE);
++ }
++ pwd->pw_passwd = cp;
+ }
+ }
+ #endif /* !USE_PAM */
+@@ -412,6 +417,7 @@ static int add_passwd (struct passwd *pwd, const char *password)
+ {
+ const struct spwd *sp;
+ struct spwd spent;
++ char *cp;
+
+ #ifndef USE_PAM
+ void *crypt_arg = NULL;
+@@ -448,7 +454,12 @@ static int add_passwd (struct passwd *pwd, const char *password)
+ } else {
+ const char *salt = crypt_make_salt (crypt_method,
+ crypt_arg);
+- spent.sp_pwdp = pw_encrypt (password, salt);
++ cp = pw_encrypt (password, salt);
++ if (cp == NULL) {
++ perror ("crypt");
++ exit (EXIT_FAILURE);
++ }
++ spent.sp_pwdp = cp;
+ }
+ spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
+ if (0 == spent.sp_lstchg) {
+@@ -492,7 +503,12 @@ static int add_passwd (struct passwd *pwd, const char *password)
+ spent.sp_pwdp = (char *)password;
+ } else {
+ const char *salt = crypt_make_salt (crypt_method, crypt_arg);
+- spent.sp_pwdp = pw_encrypt (password, salt);
++ cp = pw_encrypt (password, salt);
++ if (cp == NULL) {
++ perror ("crypt");
++ exit (EXIT_FAILURE);
++ }
++ spent.sp_pwdp = cp;
+ }
+ #else
+ /*
+diff --git a/src/passwd.c b/src/passwd.c
+index ac90aa3..ae26666 100644
+--- a/src/passwd.c
++++ b/src/passwd.c
+@@ -242,6 +242,17 @@ static int new_password (const struct pa
+ }
+
+ cipher = pw_encrypt (clear, crypt_passwd);
++ if (cipher == NULL) {
++ strzero (clear);
++ (void) fprintf (stderr,
++ _("Failed to crypt password for %s.\n"),
++ pw->pw_name);
++ SYSLOG ((LOG_INFO,
++ "failed to crypt password for %s",
++ pw->pw_name));
++ return -1;
++ }
++
+ if (strcmp (cipher, crypt_passwd) != 0) {
+ strzero (clear);
+ strzero (cipher);
+@@ -349,6 +360,10 @@ static int new_password (const struct pa
+ * Encrypt the password, then wipe the cleartext password.
+ */
+ cp = pw_encrypt (pass, crypt_make_salt (NULL, NULL));
++ if (cp == NULL) {
++ perror ("crypt");
++ exit (EXIT_FAILURE);
++ }
+ memzero (pass, sizeof pass);
+
+ #ifdef HAVE_LIBCRACK_HIST
+--
+1.7.11.4
+
diff --git a/patches/source/shadow/shadow.url b/patches/source/shadow/shadow.url
new file mode 100644
index 00000000..b18864a8
--- /dev/null
+++ b/patches/source/shadow/shadow.url
@@ -0,0 +1 @@
+ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow
diff --git a/patches/source/shadow/slack-desc b/patches/source/shadow/slack-desc
new file mode 100644
index 00000000..57749146
--- /dev/null
+++ b/patches/source/shadow/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+shadow: shadow (shadow password suite)
+shadow:
+shadow: This set of login related programs utilizes an alternate, non-readable
+shadow: file to contain the actual encrypted passwords. This is presumed to
+shadow: increase system security by increasing the difficulty with which
+shadow: system crackers obtain encrypted passwords. It was written by
+shadow: Julianne Frances Haugh and the Linux port is maintained by Tomasz
+shadow: Kloczko.
+shadow:
+shadow: This package provides 'login', which is needed to log into the system.
+shadow:
diff --git a/patches/source/shadow/useradd b/patches/source/shadow/useradd
new file mode 100644
index 00000000..f3205e49
--- /dev/null
+++ b/patches/source/shadow/useradd
@@ -0,0 +1,8 @@
+# useradd defaults file
+GROUP=100
+HOME=/home
+INACTIVE=-1
+EXPIRE=
+SHELL=/bin/bash
+SKEL=/etc/skel
+CREATE_MAIL_SPOOL=yes