From: Marcin Krol <hawk@tld-linux.org>
Date: Fri, 31 Aug 2018 21:48:06 +0000 (+0000)
Subject: - from PLD
X-Git-Url: https://git.tld-linux.org/?p=packages%2Fshadow.git;a=commitdiff_plain;h=a9f467efba7d0653cbb5c452d37632ba210bc346

- from PLD
---

a9f467efba7d0653cbb5c452d37632ba210bc346
diff --git a/chage.pamd b/chage.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/chage.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/chfn.pamd b/chfn.pamd
new file mode 100644
index 0000000..0aa09c4
--- /dev/null
+++ b/chfn.pamd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_listfile.so item=user sense=allow file=/etc/security/chfn.allow onerr=fail
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth
diff --git a/chgpasswd.pamd b/chgpasswd.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/chgpasswd.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/chpasswd.pamd b/chpasswd.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/chpasswd.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/chsh.pamd b/chsh.pamd
new file mode 100644
index 0000000..ac578e1
--- /dev/null
+++ b/chsh.pamd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_listfile.so item=user sense=allow file=/etc/security/chsh.allow onerr=fail
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth
diff --git a/groupadd.pamd b/groupadd.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/groupadd.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/groupdel.pamd b/groupdel.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/groupdel.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/groupmems.pamd b/groupmems.pamd
new file mode 100644
index 0000000..0aa09c4
--- /dev/null
+++ b/groupmems.pamd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_listfile.so item=user sense=allow file=/etc/security/chfn.allow onerr=fail
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth
diff --git a/groupmod.pamd b/groupmod.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/groupmod.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/newusers.pamd b/newusers.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/newusers.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/passwd.pamd b/passwd.pamd
new file mode 100644
index 0000000..6a4fd03
--- /dev/null
+++ b/passwd.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		required	pam_listfile.so item=user sense=deny file=/etc/security/blacklist.passwd onerr=succeed
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth
diff --git a/shadow-goodname.patch b/shadow-goodname.patch
new file mode 100644
index 0000000..1fdd84f
--- /dev/null
+++ b/shadow-goodname.patch
@@ -0,0 +1,118 @@
+diff -up shadow-4.1.5.1/libmisc/chkname.c.goodname shadow-4.1.5.1/libmisc/chkname.c
+--- shadow-4.1.5.1/libmisc/chkname.c.goodname	2009-07-13 00:24:45.000000000 +0200
++++ shadow-4.1.5.1/libmisc/chkname.c	2012-09-19 18:43:53.492160653 +0200
+@@ -49,20 +49,28 @@
+ static bool is_valid_name (const char *name)
+ {
+ 	/*
+-	 * User/group names must match [a-z_][a-z0-9_-]*[$]
+-	 */
+-	if (('\0' == *name) ||
+-	    !((('a' <= *name) && ('z' >= *name)) || ('_' == *name))) {
++         * User/group names must match gnu e-regex:
++         *    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,30}[a-zA-Z0-9_.$-]?
++         *
++         * as a non-POSIX, extension, allow "$" as the last char for
++         * sake of Samba 3.x "add machine script"
++         */
++	if ( ('\0' == *name) ||
++             !((*name >= 'a' && *name <= 'z') ||
++               (*name >= 'A' && *name <= 'Z') ||
++               (*name >= '0' && *name <= '9') ||
++               (*name == '_') || (*name == '.') 
++	      )) {
+ 		return false;
+ 	}
+ 
+ 	while ('\0' != *++name) {
+-		if (!(( ('a' <= *name) && ('z' >= *name) ) ||
+-		      ( ('0' <= *name) && ('9' >= *name) ) ||
+-		      ('_' == *name) ||
+-		      ('-' == *name) ||
+-		      ( ('$' == *name) && ('\0' == *(name + 1)) )
+-		     )) {
++                if (!(  (*name >= 'a' && *name <= 'z') ||
++                        (*name >= 'A' && *name <= 'Z') ||
++                        (*name >= '0' && *name <= '9') ||
++                        (*name == '_') || (*name == '.') || (*name == '-') ||
++                        (*name == '$' && *(name + 1) == '\0') 
++                     )) {
+ 			return false;
+ 		}
+ 	}
+diff -up shadow-4.1.5.1/man/groupadd.8.xml.goodname shadow-4.1.5.1/man/groupadd.8.xml
+--- shadow-4.1.5.1/man/groupadd.8.xml.goodname	2012-05-25 13:45:27.000000000 +0200
++++ shadow-4.1.5.1/man/groupadd.8.xml	2012-09-19 18:43:53.492160653 +0200
+@@ -259,12 +259,6 @@
+    <refsect1 id='caveats'>
+      <title>CAVEATS</title>
+      <para>
+-       Groupnames must start with a lower case letter or an underscore,
+-       followed by lower case letters, digits, underscores, or dashes.
+-       They can end with a dollar sign.
+-       In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+-     </para>
+-     <para>
+        Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
+      </para>
+      <para>
+diff -up shadow-4.1.5.1/man/man8/groupadd.8.goodname shadow-4.1.5.1/man/man8/groupadd.8
+--- shadow-4.1.5.1/man/man8/groupadd.8.goodname	2012-05-25 13:58:40.000000000 +0200
++++ shadow-4.1.5.1/man/man8/groupadd.8	2012-09-19 18:44:42.175123079 +0200
+@@ -190,9 +190,7 @@ Shadow password suite configuration\&.
+ .RE
+ .SH "CAVEATS"
+ .PP
+-Groupnames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]?
+-.PP
+-Groupnames may only be up to 16 characters long\&.
++Groupnames may only be up to 32 characters long\&.
+ .PP
+ You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&.
+ .PP
+diff -up shadow-4.1.5.1/man/man8/useradd.8.goodname shadow-4.1.5.1/man/man8/useradd.8
+--- shadow-4.1.5.1/man/man8/useradd.8.goodname	2012-05-25 13:59:28.000000000 +0200
++++ shadow-4.1.5.1/man/man8/useradd.8	2012-09-19 18:46:09.249033949 +0200
+@@ -224,7 +224,7 @@ is not enabled, no home directories are
+ .PP
+ \fB\-M\fR
+ .RS 4
+-Do no create the user\*(Aqs home directory, even if the system wide setting from
++Do not create the user\*(Aqs home directory, even if the system wide setting from
+ /etc/login\&.defs
+ (\fBCREATE_HOME\fR) is set to
+ \fIyes\fR\&.
+@@ -430,8 +430,6 @@ Similarly, if the username already exist
+ \fBuseradd\fR
+ will deny the user account creation request\&.
+ .PP
+-Usernames must start with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. In regular expression terms: [a\-z_][a\-z0\-9_\-]*[$]?
+-.PP
+ Usernames may only be up to 32 characters long\&.
+ .SH "CONFIGURATION"
+ .PP
+diff -up shadow-4.1.5.1/man/useradd.8.xml.goodname shadow-4.1.5.1/man/useradd.8.xml
+--- shadow-4.1.5.1/man/useradd.8.xml.goodname	2012-05-25 13:45:29.000000000 +0200
++++ shadow-4.1.5.1/man/useradd.8.xml	2012-09-19 18:43:53.493160675 +0200
+@@ -366,7 +366,7 @@
+ 	</term>
+ 	<listitem>
+ 	  <para>
+-	    Do no create the user's home directory, even if the system
++	    Do not create the user's home directory, even if the system
+ 	    wide setting from <filename>/etc/login.defs</filename>
+ 	    (<option>CREATE_HOME</option>) is set to
+ 	    <replaceable>yes</replaceable>.
+@@ -654,12 +654,6 @@
+     </para>
+ 
+     <para>
+-      Usernames must start with a lower case letter or an underscore,
+-      followed by lower case letters, digits, underscores, or dashes.
+-      They can end with a dollar sign.
+-      In regular expression terms: [a-z_][a-z0-9_-]*[$]?
+-    </para>
+-    <para>
+       Usernames may only be up to 32 characters long.
+     </para>
+   </refsect1>
diff --git a/shadow-login.defs b/shadow-login.defs
new file mode 100644
index 0000000..25b4b05
--- /dev/null
+++ b/shadow-login.defs
@@ -0,0 +1,387 @@
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+#	$Id: login.defs 3189 2010-03-26 11:53:06Z nekral-guest $
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+# Note: When PAM is used, some modules may enfore a minimal delay (e.g.
+#       pam_unix enforces a 2s delay)
+#
+FAIL_DELAY		3
+
+#
+# Enable logging and display of /var/log/faillog login failure info.
+#
+FAILLOG_ENAB		yes
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# Enable logging and display of /var/log/lastlog login time info.
+#
+LASTLOG_ENAB		yes
+
+#
+# Enable checking and display of mailbox status upon login.
+#
+# Disable if the shell startup files already check for mail
+# ("mailx -e" or equivalent).
+#
+MAIL_CHECK_ENAB		yes
+
+#
+# Enable additional checks upon password changes.
+#
+OBSCURE_CHECKS_ENAB	yes
+
+#
+# Enable checking of time restrictions specified in /etc/porttime.
+#
+PORTTIME_CHECKS_ENAB	yes
+
+#
+# Enable setting of ulimit, umask, and niceness from passwd gecos field.
+#
+QUOTAS_ENAB		yes
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names.  Root logins will be allowed only
+# upon these devices.
+#
+CONSOLE		/etc/securetty
+#CONSOLE	console:tty01:tty02:tty03:tty04
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE	/var/log/sulog
+
+#
+# If defined, ":" delimited list of "message of the day" files to
+# be displayed upon login.
+#
+MOTD_FILE	/etc/motd
+#MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
+
+#
+# If defined, this file will be output before each login prompt.
+#
+#ISSUE_FILE	/etc/issue
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, login failures will be logged here in a utmp format.
+# last, when invoked as lastb, will read /var/log/btmp, so...
+#
+FTMP_FILE	/var/log/btmp
+
+#
+# If defined, name of file whose presence which will inhibit non-root
+# logins.  The contents of this file should be a message indicating
+# why logins are inhibited.
+#
+NOLOGINS_FILE	/etc/nologin
+
+#
+# If defined, the command name to display when running "su -".  For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su".  If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME		su
+
+#
+# *REQUIRED*
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR	/var/mail
+#MAIL_FILE	.mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# If defined, either a TZ environment parameter spec or the
+# fully-rooted pathname of a file containing such a spec.
+#
+#ENV_TZ		TZ=CST6CDT
+#ENV_TZ		/etc/tzname
+
+#
+# If defined, an HZ environment parameter spec.
+#
+# for Linux/x86
+ENV_HZ		HZ=100
+# For Linux/Alpha...
+#ENV_HZ		HZ=1024
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ENV_PATH	PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+TTYGROUP	tty
+TTYPERM		0600
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#	ULIMIT		Default "ulimit" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# The ULIMIT is used only if the system supports it.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR	0177
+KILLCHAR	025
+#ULIMIT		2097152
+
+# Default initial "umask" value used by login on non-PAM enabled systems.
+# Default "umask" value for pam_umask on PAM enabled systems.
+# UMASK is also used by useradd and newusers to set the mode of new home
+# directories.
+# 022 is the default value, but 027, or even 077, could be considered
+# better for privacy. There is no One True Answer here: each sysadmin
+# must make up her mind.
+UMASK		022
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_MIN_LEN	Minimum acceptable password length.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_MIN_LEN	5
+PASS_WARN_AGE	7
+
+#
+# If "yes", the user must be listed as a member of the first gid 0 group
+# in /etc/group (called "root" on most Linux systems) to be able to "su"
+# to uid 0 accounts.  If the group doesn't exist or is empty, no one
+# will be able to "su" to uid 0.
+#
+SU_WHEEL_ONLY	no
+
+#
+# If compiled with cracklib support, where are the dictionaries
+#
+CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+SYS_UID_MIN		  1
+SYS_UID_MAX		  999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+SYS_GID_MIN		  10
+SYS_GID_MAX		  999
+
+#
+# Max number of login retries if password is bad
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT		60
+
+#
+# Maximum number of attempts to change password if rejected (too easy)
+#
+PASS_CHANGE_TRIES	5
+
+#
+# Warn about weak passwords (but still allow them) if you are root.
+#
+PASS_ALWAYS_WARN	yes
+
+#
+# Number of significant characters in the password for crypt().
+# Default is 8, don't change unless your crypt() is better.
+# Ignored if MD5_CRYPT_ENAB set to "yes".
+#
+#PASS_MAX_LEN		8
+
+#
+# Require password before chfn/chsh can make any changes.
+#
+CHFN_AUTH		yes
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# 
+CHFN_RESTRICT		rwh
+
+#
+# Password prompt (%s will be replaced by user name).
+#
+# XXX - it doesn't work correctly yet, for now leave it commented out
+# to use the default which is just "Password: ".
+#LOGIN_STRING		"%s's Password: "
+
+#
+# Only works if compiled with MD5_CRYPT defined:
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm.  Default is "no".
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB	no
+
+#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+#ENCRYPT_METHOD DES
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting).  Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+#CONSOLE_GROUPS		floppy:audio:cdrom
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME	yes
+
+#
+# If this file exists and is readable, login environment will be
+# read from it.  Every line should be in the form name=value.
+#
+ENVIRON_FILE	/etc/environment
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel to remove user groups if no members exist.
+#
+#USERGROUPS_ENAB yes
+
+#
+# If set to a non-nul number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permit to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP	0
+
+#
+# If useradd should create home directories for users by default (non
+# system users only)
+# This option is overridden with the -M or -m flags on the useradd command
+# line.
+#
+#CREATE_HOME     yes
+
diff --git a/shadow-pld.patch b/shadow-pld.patch
new file mode 100644
index 0000000..69836c2
--- /dev/null
+++ b/shadow-pld.patch
@@ -0,0 +1,51 @@
+--- shadow-4.0.6/src/useradd.c	2004-11-18 21:45:00.713398344 +0100
++++ shadow-4.0.16/src/useradd.c	2006-06-08 01:17:05.580340031 +0300
+@@ -72,10 +72,10 @@
+ /*
+  * These defaults are used if there is no defaults file.
+  */
+-static gid_t def_group = 100;
++static gid_t def_group = 1000;
+ static const char *def_gname = "other";
+-static const char *def_home = "/home";
+-static const char *def_shell = "";
++static const char *def_home = "/home/users";
++static const char *def_shell = "/sbin/nologin";
+ static const char *def_template = SKEL_DIR;
+ static const char *def_create_mail_spool = "no";
+ 
+@@ -89,7 +89,7 @@
+ #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
+ 
+ static const char *user_name = "";
+-static const char *user_pass = "!";
++static const char *user_pass = "!!";
+ static uid_t user_id;
+ static gid_t user_gid;
+ static const char *user_comment = "";
+--- shadow-4.5/libmisc/find_new_gid.c~	2017-01-29 22:37:22.000000000 +0200
++++ shadow-4.5/libmisc/find_new_gid.c	2017-05-17 23:13:32.785253060 +0300
+@@ -61,8 +61,8 @@
+ 		/* A requested ID is allowed to be below the autoselect range */
+ 		*preferred_min = (gid_t) 1;
+ 
+-		/* Get the minimum ID range from login.defs or default to 101 */
+-		*min_id = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
++		/* Get the minimum ID range from login.defs or default to 10 */
++		*min_id = (gid_t) getdef_ulong ("SYS_GID_MIN", 10UL);
+ 
+ 		/*
+ 		 * If SYS_GID_MAX is unspecified, we should assume it to be one
+--- shadow-4.5/libmisc/find_new_uid.c~	2017-01-29 22:37:22.000000000 +0200
++++ shadow-4.5/libmisc/find_new_uid.c	2017-05-17 23:10:38.366687971 +0300
+@@ -61,8 +61,8 @@
+ 		/* A requested ID is allowed to be below the autoselect range */
+ 		*preferred_min = (uid_t) 1;
+ 
+-		/* Get the minimum ID range from login.defs or default to 101 */
+-		*min_id = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL);
++		/* Get the minimum ID range from login.defs or default to 1 */
++		*min_id = (uid_t) getdef_ulong ("SYS_UID_MIN", 1UL);
+ 
+ 		/*
+ 		 * If SYS_UID_MAX is unspecified, we should assume it to be one
diff --git a/shadow.spec b/shadow.spec
new file mode 100644
index 0000000..ab458da
--- /dev/null
+++ b/shadow.spec
@@ -0,0 +1,648 @@
+# TODO
+# - /etc/login.defs contains options valid only when PAM is disabled:
+# gpasswd -M chef_server chef_server
+#configuration error - unknown item 'FAILLOG_ENAB' (notify administrator)
+#configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)
+#configuration error - unknown item 'MAIL_CHECK_ENAB' (notify administrator)
+#configuration error - unknown item 'OBSCURE_CHECKS_ENAB' (notify administrator)
+#configuration error - unknown item 'PORTTIME_CHECKS_ENAB' (notify administrator)
+#configuration error - unknown item 'QUOTAS_ENAB' (notify administrator)
+#configuration error - unknown item 'MOTD_FILE' (notify administrator)
+#configuration error - unknown item 'FTMP_FILE' (notify administrator)
+#configuration error - unknown item 'NOLOGINS_FILE' (notify administrator)
+#configuration error - unknown item 'ENV_HZ' (notify administrator)
+#configuration error - unknown item 'PASS_MIN_LEN' (notify administrator)
+#configuration error - unknown item 'SU_WHEEL_ONLY' (notify administrator)
+#configuration error - unknown item 'CRACKLIB_DICTPATH' (notify administrator)
+#configuration error - unknown item 'PASS_CHANGE_TRIES' (notify administrator)
+#configuration error - unknown item 'PASS_ALWAYS_WARN' (notify administrator)
+#configuration error - unknown item 'CHFN_AUTH' (notify administrator)
+#configuration error - unknown item 'ENVIRON_FILE' (notify administrator)
+# - sync pam files from pwdutils
+# - tcb support?
+# - ensure Conflicts with various packages (util-linux,sysvinit,coreutils) is up to date
+
+# Conditional build:
+%bcond_without	selinux		# build without SE-Linux support
+%bcond_with	shared		# build with shared libshadow (linking with selinux is broken)
+
+Summary:	Shadow password file utilities for Linux
+Summary(de.UTF-8):	Shadow-PaÃwortdatei-Dienstprogramme fÃ¼r Linux
+Summary(es.UTF-8):	Utilitarios para el archivo de contraseÃ±as Shadow
+Summary(fr.UTF-8):	Fichiers utilitaires pour Shadow password pour Linux
+Summary(pl.UTF-8):	NarzÄdzia do obsÅugi mechanizmu ukrytych haseÅ
+Summary(pt_BR.UTF-8):	UtilitÃ¡rios para o arquivo de senhas Shadow
+Summary(tr.UTF-8):	GÃ¶lge parola dosyasÄ± araÃ§larÄ±
+Name:		shadow
+Version:	4.6
+#BuildRequires:	useradd -g is broken, use pwdutils, or fix it:
+# http://zie.pg.gda.pl/mailman/pipermail/shadow/2006-September/000395.html
+Release:	0.1
+Epoch:		1
+License:	BSD
+Group:		Applications/System
+Source0:	https://github.com/shadow-maint/shadow/releases/download/%{version}/%{name}-%{version}.tar.xz
+# Source0-md5:	b491fecbf1232632c32ff8f1437fd60e
+Source2:	%{name}-login.defs
+Source3:	%{name}.useradd
+Source10:	chage.pamd
+Source11:	chfn.pamd
+Source12:	chgpasswd.pamd
+Source13:	chpasswd.pamd
+Source14:	chsh.pamd
+Source15:	groupadd.pamd
+Source16:	groupdel.pamd
+Source17:	groupmems.pamd
+Source18:	groupmod.pamd
+Source19:	newusers.pamd
+Source20:	passwd.pamd
+Source21:	useradd.pamd
+Source22:	userdel.pamd
+Source23:	usermod.pamd
+Patch0:		%{name}-pld.patch
+# allow names with upper case letters or containing dot in the middle
+Patch1:		%{name}-goodname.patch
+URL:		https://github.com/shadow-maint/shadow
+BuildRequires:	acl-devel
+BuildRequires:	attr-devel
+BuildRequires:	audit-libs-devel
+BuildRequires:	autoconf >= 2.64
+BuildRequires:	automake >= 1:1.11
+BuildRequires:	gettext-tools >= 0.12.1
+%{?with_selinux:BuildRequires:	libselinux-devel}
+%{?with_selinux:BuildRequires:	libsemanage-devel}
+BuildRequires:	libtool
+BuildRequires:	pam-devel
+BuildRequires:	tar >= 1:1.22
+BuildRequires:	xz
+Requires:	pam >= 0.99.7.1
+Provides:	passwd
+Provides:	shadow-utils
+Obsoletes:	passwd
+Obsoletes:	pwdutils
+Obsoletes:	shadow-extras
+Obsoletes:	shadow-utils
+Conflicts:	util-linux < 2.12-10
+BuildRoot:	%{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%description
+This package includes the programs necessary to convert standard UNIX
+password files to the shadow password format, as well as programs for
+command-line management of the user's accounts.
+- pwconv - converts everything to the shadow password format,
+- pwunconv - unconverts from shadow password, generating a file in the
+  current directory called npasswd that is a standard UNIX password
+  file,
+- pwck - checks the integrity of the password and shadow files,
+- useradd, userdel, usermod - for accounts management,
+- groupadd, groupdel, groupmod - for group management.
+
+A number of man pages are also included that relate to these
+utilities, and shadow passwords in general.
+
+%description -l es.UTF-8
+Este paquete incluye los programas necesarios para convertir Archivos
+padrÃ³n UNIX de contraseÃ±a al formato shadow.
+- pwconv5 - convierte todo al formato de contraseÃ±as del shadow,
+- pwunconv - deshace la conversiÃ³n de contraseÃ±as shadow, creando un
+  archivo en el directorio corriente llamado npasswd que es el archivo
+  padrÃ³n UNIX de contraseÃ±a,
+- pwck - chequea la integridad de la contraseÃ±a y de los archivos
+  shadow,
+
+EstÃ¡n tambiÃ©n incluidas, en general, varias pÃ¡ginas de manual sobre
+estos utilitarios y contraseÃ±as shadow.
+
+%description -l pl.UTF-8
+Pakiet zawiera programy do obsÅugi mechanizmu ukrytych haseÅ (shadow
+password). ZnajdujÄ siÄ w nim programy do konwersji standardowego
+pliku haseÅ do wersji shadow password a takÅ¼e programy do zarzÄdzania
+kontami uÅ¼ytkownikÃ³w w systemie:
+- pwconv - konwertuje do formatu shadow password
+- pwunconv - konwertuje z shadow password do formatu standardowego
+  pliku haseÅ. W bieÅ¼Äcym katalogu tworzy plik npasswd bÄdÄcy
+  standardowym plikiem z hasÅami,
+- useradd, userdel, usermod - do zarzÄdzania kontami uÅ¼ytkownikÃ³w,
+- groupadd, groupdel, groupmod - do zarzÄdzania grupami.
+
+OstrzeÅ¼enie:
+
+Programy znajdujÄce siÄ w tym pakiecie sÄ niezbÄdne do prawidÅowej
+pracy systemu i podobnie jak pakiet z bibliotekami systemowymi (glibc)
+nigdy nie powinien zostaÄ odinstalowany!
+
+%description -l pt_BR.UTF-8
+Este pacote inclui os programas necessÃ¡rios para converter
+arquivos-padrÃ£o UNIX de senha para o formato shadow.
+- pwconv - converte tudo para o formato de senhas do shadow,
+- pwunconv - desconverte senhas shadow, gerando um arquivo no
+  diretÃ³rio corrente chamado npasswd que Ã© o arquivo-padrÃ£o UNIX de
+  senha,
+- pwck - checa a integridade da senha e dos arquivos shadow,
+
+VÃ¡rias pÃ¡ginas de manual estÃ£o tambÃ©m incluÃ­das sobre estes
+utilitÃ¡rios e senhas shadow em geral.
+
+%prep
+%setup -q
+%patch0 -p1
+%patch1 -p1
+
+%build
+# NOTE:
+# - cracklib option refers to non-PAM passwd code
+# - skey referes to non-PAM pw_auth/passwd_check (login, su, chfn, chsh) code
+%configure \
+	--bindir=/bin \
+	--sbindir=/sbin \
+	--enable-shadowgrp \
+	%{?with_shared:--enable-shared --disable-static} \
+	--disable-silent-rules \
+	--enable-subordinate-ids \
+	--with-acl \
+	--with-attr \
+	--with-audit \
+	--with-group-name-max-length=32 \
+	--with-libpam \
+	--with-nscd \
+	--without-libcrack \
+	%{?with_selinux:--with-selinux} \
+	--with-sha-crypt \
+	--without-tcb
+
+%{__make}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT{/sbin,%{_sysconfdir}/{default,pam.d,security,skel/tmp}}
+
+%{__make} install \
+	DESTDIR=$RPM_BUILD_ROOT
+
+cp -p %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/login.defs
+cp -p %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/default/useradd
+
+cp -p %{SOURCE10} $RPM_BUILD_ROOT/etc/pam.d/chage
+cp -p %{SOURCE11} $RPM_BUILD_ROOT/etc/pam.d/chfn
+cp -p %{SOURCE12} $RPM_BUILD_ROOT/etc/pam.d/chgpasswd
+cp -p %{SOURCE13} $RPM_BUILD_ROOT/etc/pam.d/chpasswd
+cp -p %{SOURCE14} $RPM_BUILD_ROOT/etc/pam.d/chsh
+cp -p %{SOURCE15} $RPM_BUILD_ROOT/etc/pam.d/groupadd
+cp -p %{SOURCE16} $RPM_BUILD_ROOT/etc/pam.d/groupdel
+cp -p %{SOURCE17} $RPM_BUILD_ROOT/etc/pam.d/groupmems
+cp -p %{SOURCE18} $RPM_BUILD_ROOT/etc/pam.d/groupmod
+cp -p %{SOURCE19} $RPM_BUILD_ROOT/etc/pam.d/newusers
+cp -p %{SOURCE20} $RPM_BUILD_ROOT/etc/pam.d/passwd
+cp -p %{SOURCE21} $RPM_BUILD_ROOT/etc/pam.d/useradd
+cp -p %{SOURCE22} $RPM_BUILD_ROOT/etc/pam.d/userdel
+cp -p %{SOURCE23} $RPM_BUILD_ROOT/etc/pam.d/usermod
+
+> $RPM_BUILD_ROOT%{_sysconfdir}/shadow
+> $RPM_BUILD_ROOT/etc/security/chfn.allow
+> $RPM_BUILD_ROOT/etc/security/chsh.allow
+
+%{__rm} $RPM_BUILD_ROOT/{etc/pam.d,bin}/{login,su}
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/{,*/}man1/{login,su}.1*
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/{,*/}man3/*.3*
+
+# packaged in SysVinit-tools
+%{__rm} $RPM_BUILD_ROOT%{_bindir}/lastlog
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/{,*/}man8/lastlog.8*
+# packaged in coreutils
+%{__rm} $RPM_BUILD_ROOT/bin/groups
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/{,*/}man1/groups.1*
+# packaged in util-linux
+%{__rm} $RPM_BUILD_ROOT/sbin/nologin
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/{,*/}man*/nologin.8*
+
+%find_lang %{name}
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+%{?with_shared:/sbin/ldconfig}
+if [ ! -f /etc/shadow ]; then
+	%{_sbindir}/pwconv
+fi
+
+%{?with_shared:%postun -p /sbin/ldconfig}
+
+%files -f %{name}.lang
+%defattr(644,root,root,755)
+%doc ChangeLog NEWS TODO doc/{HOWTO,WISHLIST}
+%attr(750,root,root) %dir %{_sysconfdir}/default
+%attr(640,root,root) %config %verify(not md5 mtime size) %{_sysconfdir}/default/useradd
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/chage
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/chfn
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/chgpasswd
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/chpasswd
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/chsh
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/groupadd
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/groupdel
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/groupmems
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/groupmod
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/newusers
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/passwd
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/useradd
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/userdel
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/usermod
+
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/chfn.allow
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/chsh.allow
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/login.defs
+%attr(600,root,root) %config(noreplace) %verify(not md5 mtime size) %ghost %{_sysconfdir}/shadow
+%dir /etc/skel
+%dir /etc/skel/tmp
+%{?with_shared:%attr(755,root,root) %{_libdir}/lib*.so.*.*}
+%attr(4755,root,root) %{_bindir}/chfn
+%attr(4755,root,root) %{_bindir}/chsh
+%attr(4755,root,root) %{_bindir}/expiry
+%attr(4755,root,root) %{_bindir}/gpasswd
+%attr(4755,root,root) %{_bindir}/passwd
+%attr(755,root,root) %{_bindir}/chage
+%attr(755,root,root) %{_bindir}/faillog
+%attr(755,root,root) %{_bindir}/newgidmap
+%attr(755,root,root) %{_bindir}/newgrp
+%attr(755,root,root) %{_bindir}/newuidmap
+%attr(755,root,root) %{_bindir}/sg
+%attr(755,root,root) %{_sbindir}/chgpasswd
+%attr(755,root,root) %{_sbindir}/chpasswd
+%attr(755,root,root) %{_sbindir}/groupadd
+%attr(755,root,root) %{_sbindir}/groupdel
+%attr(755,root,root) %{_sbindir}/groupmems
+%attr(755,root,root) %{_sbindir}/groupmod
+%attr(755,root,root) %{_sbindir}/grpck
+%attr(755,root,root) %{_sbindir}/grpconv
+%attr(755,root,root) %{_sbindir}/grpunconv
+%attr(755,root,root) %{_sbindir}/logoutd
+%attr(755,root,root) %{_sbindir}/newusers
+%attr(755,root,root) %{_sbindir}/pwck
+%attr(755,root,root) %{_sbindir}/pwconv
+%attr(755,root,root) %{_sbindir}/pwunconv
+%attr(755,root,root) %{_sbindir}/useradd
+%attr(755,root,root) %{_sbindir}/userdel
+%attr(755,root,root) %{_sbindir}/usermod
+%attr(755,root,root) %{_sbindir}/vigr
+%attr(755,root,root) %{_sbindir}/vipw
+%{_mandir}/man1/chage.1*
+%{_mandir}/man1/chfn.1*
+%{_mandir}/man1/chsh.1*
+%{_mandir}/man1/expiry.1*
+%{_mandir}/man1/gpasswd.1*
+%{_mandir}/man1/newgidmap.1*
+%{_mandir}/man1/newgrp.1*
+%{_mandir}/man1/newuidmap.1*
+%{_mandir}/man1/passwd.1*
+%{_mandir}/man1/sg.1*
+%{_mandir}/man5/faillog.5*
+%{_mandir}/man5/gshadow.5*
+%{_mandir}/man5/login.defs.5*
+%{_mandir}/man5/passwd.5*
+%{_mandir}/man5/shadow.5*
+%{_mandir}/man5/suauth.5*
+%{_mandir}/man5/subgid.5*
+%{_mandir}/man5/subuid.5*
+%{_mandir}/man8/chgpasswd.8*
+%{_mandir}/man8/chpasswd.8*
+%{_mandir}/man8/faillog.8*
+%{_mandir}/man8/groupadd.8*
+%{_mandir}/man8/groupdel.8*
+%{_mandir}/man8/groupmems.8*
+%{_mandir}/man8/groupmod.8*
+%{_mandir}/man8/grpck.8*
+%{_mandir}/man8/grpconv.8*
+%{_mandir}/man8/grpunconv.8*
+%{_mandir}/man8/logoutd.8*
+%{_mandir}/man8/newusers.8*
+%{_mandir}/man8/pwck.8*
+%{_mandir}/man8/pwconv.8*
+%{_mandir}/man8/pwunconv.8*
+%{_mandir}/man8/useradd.8*
+%{_mandir}/man8/userdel.8*
+%{_mandir}/man8/usermod.8*
+%{_mandir}/man8/vigr.8*
+%{_mandir}/man8/vipw.8*
+
+%lang(cs) %{_mandir}/cs/man1/expiry.1*
+%lang(cs) %{_mandir}/cs/man1/gpasswd.1*
+%lang(cs) %{_mandir}/cs/man5/faillog.5*
+%lang(cs) %{_mandir}/cs/man5/gshadow.5*
+%lang(cs) %{_mandir}/cs/man5/passwd.5*
+%lang(cs) %{_mandir}/cs/man5/shadow.5*
+%lang(cs) %{_mandir}/cs/man8/faillog.8*
+%lang(cs) %{_mandir}/cs/man8/groupadd.8*
+%lang(cs) %{_mandir}/cs/man8/groupdel.8*
+%lang(cs) %{_mandir}/cs/man8/groupmod.8*
+%lang(cs) %{_mandir}/cs/man8/grpck.8*
+%lang(cs) %{_mandir}/cs/man8/vipw.8*
+
+%lang(da) %{_mandir}/da/man1/chfn.1*
+%lang(da) %{_mandir}/da/man1/newgrp.1*
+%lang(da) %{_mandir}/da/man1/sg.1*
+%lang(da) %{_mandir}/da/man5/gshadow.5*
+%lang(da) %{_mandir}/da/man8/groupdel.8*
+%lang(da) %{_mandir}/da/man8/logoutd.8*
+%lang(da) %{_mandir}/da/man8/vigr.8
+%lang(da) %{_mandir}/da/man8/vipw.8*
+
+%lang(de) %{_mandir}/de/man1/chage.1*
+%lang(de) %{_mandir}/de/man1/chfn.1*
+%lang(de) %{_mandir}/de/man1/chsh.1*
+%lang(de) %{_mandir}/de/man1/expiry.1*
+%lang(de) %{_mandir}/de/man1/gpasswd.1*
+%lang(de) %{_mandir}/de/man1/newgrp.1*
+%lang(de) %{_mandir}/de/man1/passwd.1*
+%lang(de) %{_mandir}/de/man1/sg.1*
+%lang(de) %{_mandir}/de/man5/faillog.5*
+%lang(de) %{_mandir}/de/man5/gshadow.5*
+%lang(de) %{_mandir}/de/man5/login.defs.5*
+%lang(de) %{_mandir}/de/man5/passwd.5*
+%lang(de) %{_mandir}/de/man5/shadow.5*
+%lang(de) %{_mandir}/de/man5/suauth.5*
+%lang(de) %{_mandir}/de/man8/chgpasswd.8*
+%lang(de) %{_mandir}/de/man8/chpasswd.8*
+%lang(de) %{_mandir}/de/man8/faillog.8*
+%lang(de) %{_mandir}/de/man8/groupadd.8*
+%lang(de) %{_mandir}/de/man8/groupdel.8*
+%lang(de) %{_mandir}/de/man8/groupmems.8*
+%lang(de) %{_mandir}/de/man8/groupmod.8*
+%lang(de) %{_mandir}/de/man8/grpck.8*
+%lang(de) %{_mandir}/de/man8/grpconv.8*
+%lang(de) %{_mandir}/de/man8/grpunconv.8*
+%lang(de) %{_mandir}/de/man8/logoutd.8*
+%lang(de) %{_mandir}/de/man8/newusers.8*
+%lang(de) %{_mandir}/de/man8/pwck.8*
+%lang(de) %{_mandir}/de/man8/pwconv.8*
+%lang(de) %{_mandir}/de/man8/pwunconv.8*
+%lang(de) %{_mandir}/de/man8/useradd.8*
+%lang(de) %{_mandir}/de/man8/userdel.8*
+%lang(de) %{_mandir}/de/man8/usermod.8*
+%lang(de) %{_mandir}/de/man8/vigr.8*
+%lang(de) %{_mandir}/de/man8/vipw.8*
+
+%lang(fi) %{_mandir}/fi/man1/chfn.1*
+%lang(fi) %{_mandir}/fi/man1/chsh.1*
+
+%lang(fr) %{_mandir}/fr/man1/chage.1*
+%lang(fr) %{_mandir}/fr/man1/chfn.1*
+%lang(fr) %{_mandir}/fr/man1/chsh.1*
+%lang(fr) %{_mandir}/fr/man1/expiry.1*
+%lang(fr) %{_mandir}/fr/man1/gpasswd.1*
+%lang(fr) %{_mandir}/fr/man1/newgidmap.1*
+%lang(fr) %{_mandir}/fr/man1/newgrp.1*
+%lang(fr) %{_mandir}/fr/man1/newuidmap.1*
+%lang(fr) %{_mandir}/fr/man1/passwd.1*
+%lang(fr) %{_mandir}/fr/man1/sg.1*
+%lang(fr) %{_mandir}/fr/man5/faillog.5*
+%lang(fr) %{_mandir}/fr/man5/gshadow.5*
+%lang(fr) %{_mandir}/fr/man5/login.defs.5*
+%lang(fr) %{_mandir}/fr/man5/passwd.5*
+%lang(fr) %{_mandir}/fr/man5/shadow.5*
+%lang(fr) %{_mandir}/fr/man5/suauth.5*
+%lang(fr) %{_mandir}/fr/man5/subgid.5*
+%lang(fr) %{_mandir}/fr/man5/subuid.5*
+%lang(fr) %{_mandir}/fr/man8/chgpasswd.8*
+%lang(fr) %{_mandir}/fr/man8/chpasswd.8*
+%lang(fr) %{_mandir}/fr/man8/faillog.8*
+%lang(fr) %{_mandir}/fr/man8/groupadd.8*
+%lang(fr) %{_mandir}/fr/man8/groupdel.8*
+%lang(fr) %{_mandir}/fr/man8/groupmems.8*
+%lang(fr) %{_mandir}/fr/man8/groupmod.8*
+%lang(fr) %{_mandir}/fr/man8/grpck.8*
+%lang(fr) %{_mandir}/fr/man8/grpconv.8*
+%lang(fr) %{_mandir}/fr/man8/grpunconv.8*
+%lang(fr) %{_mandir}/fr/man8/logoutd.8*
+%lang(fr) %{_mandir}/fr/man8/newusers.8*
+%lang(fr) %{_mandir}/fr/man8/pwck.8*
+%lang(fr) %{_mandir}/fr/man8/pwconv.8*
+%lang(fr) %{_mandir}/fr/man8/pwunconv.8*
+%lang(fr) %{_mandir}/fr/man8/useradd.8*
+%lang(fr) %{_mandir}/fr/man8/userdel.8*
+%lang(fr) %{_mandir}/fr/man8/usermod.8*
+%lang(fr) %{_mandir}/fr/man8/vigr.8*
+%lang(fr) %{_mandir}/fr/man8/vipw.8*
+
+%lang(hu) %{_mandir}/hu/man1/passwd.1*
+%lang(hu) %{_mandir}/hu/man1/chsh.1*
+%lang(hu) %{_mandir}/hu/man1/gpasswd.1*
+%lang(hu) %{_mandir}/hu/man1/newgrp.1*
+%lang(hu) %{_mandir}/hu/man1/sg.1*
+%lang(hu) %{_mandir}/hu/man5/passwd.5*
+
+%lang(id) %{_mandir}/id/man1/chsh.1*
+%lang(id) %{_mandir}/id/man8/useradd.8*
+
+%lang(it) %{_mandir}/it/man1/chage.1*
+%lang(it) %{_mandir}/it/man1/chfn.1*
+%lang(it) %{_mandir}/it/man1/chsh.1*
+%lang(it) %{_mandir}/it/man1/expiry.1*
+%lang(it) %{_mandir}/it/man1/gpasswd.1*
+%lang(it) %{_mandir}/it/man1/newgrp.1*
+%lang(it) %{_mandir}/it/man1/passwd.1*
+%lang(it) %{_mandir}/it/man1/sg.1*
+%lang(it) %{_mandir}/it/man5/faillog.5*
+%lang(it) %{_mandir}/it/man5/gshadow.5*
+%lang(it) %{_mandir}/it/man5/login.defs.5*
+%lang(it) %{_mandir}/it/man5/passwd.5*
+%lang(it) %{_mandir}/it/man5/shadow.5*
+%lang(it) %{_mandir}/it/man5/suauth.5*
+%lang(it) %{_mandir}/it/man8/chgpasswd.8*
+%lang(it) %{_mandir}/it/man8/chpasswd.8*
+%lang(it) %{_mandir}/it/man8/faillog.8*
+%lang(it) %{_mandir}/it/man8/groupadd.8*
+%lang(it) %{_mandir}/it/man8/groupdel.8*
+%lang(it) %{_mandir}/it/man8/groupmems.8*
+%lang(it) %{_mandir}/it/man8/groupmod.8*
+%lang(it) %{_mandir}/it/man8/grpck.8*
+%lang(it) %{_mandir}/it/man8/grpconv.8*
+%lang(it) %{_mandir}/it/man8/grpunconv.8*
+%lang(it) %{_mandir}/it/man8/logoutd.8*
+%lang(it) %{_mandir}/it/man8/newusers.8*
+%lang(it) %{_mandir}/it/man8/pwck.8*
+%lang(it) %{_mandir}/it/man8/pwconv.8*
+%lang(it) %{_mandir}/it/man8/pwunconv.8*
+%lang(it) %{_mandir}/it/man8/useradd.8*
+%lang(it) %{_mandir}/it/man8/userdel.8*
+%lang(it) %{_mandir}/it/man8/usermod.8*
+%lang(it) %{_mandir}/it/man8/vigr.8*
+%lang(it) %{_mandir}/it/man8/vipw.8*
+
+%lang(ja) %{_mandir}/ja/man1/chage.1*
+%lang(ja) %{_mandir}/ja/man1/chfn.1*
+%lang(ja) %{_mandir}/ja/man1/chsh.1*
+%lang(ja) %{_mandir}/ja/man1/expiry.1*
+%lang(ja) %{_mandir}/ja/man1/gpasswd.1*
+%lang(ja) %{_mandir}/ja/man1/newgrp.1*
+%lang(ja) %{_mandir}/ja/man1/passwd.1*
+%lang(ja) %{_mandir}/ja/man1/sg.1*
+%lang(ja) %{_mandir}/ja/man5/faillog.5*
+%lang(ja) %{_mandir}/ja/man5/login.defs.5*
+%lang(ja) %{_mandir}/ja/man5/passwd.5*
+%lang(ja) %{_mandir}/ja/man5/shadow.5*
+%lang(ja) %{_mandir}/ja/man5/suauth.5*
+%lang(ja) %{_mandir}/ja/man8/chpasswd.8*
+%lang(ja) %{_mandir}/ja/man8/faillog.8*
+%lang(ja) %{_mandir}/ja/man8/groupadd.8*
+%lang(ja) %{_mandir}/ja/man8/groupdel.8*
+%lang(ja) %{_mandir}/ja/man8/groupmod.8*
+%lang(ja) %{_mandir}/ja/man8/grpck.8*
+%lang(ja) %{_mandir}/ja/man8/grpconv.8*
+%lang(ja) %{_mandir}/ja/man8/grpunconv.8*
+%lang(ja) %{_mandir}/ja/man8/logoutd.8*
+%lang(ja) %{_mandir}/ja/man8/newusers.8*
+%lang(ja) %{_mandir}/ja/man8/pwck.8*
+%lang(ja) %{_mandir}/ja/man8/pwconv.8*
+%lang(ja) %{_mandir}/ja/man8/pwunconv.8*
+%lang(ja) %{_mandir}/ja/man8/useradd.8*
+%lang(ja) %{_mandir}/ja/man8/userdel.8*
+%lang(ja) %{_mandir}/ja/man8/usermod.8*
+%lang(ja) %{_mandir}/ja/man8/vigr.8*
+%lang(ja) %{_mandir}/ja/man8/vipw.8*
+
+%lang(ko) %{_mandir}/ko/man1/chfn.1*
+%lang(ko) %{_mandir}/ko/man1/chsh.1*
+%lang(ko) %{_mandir}/ko/man5/passwd.5*
+%lang(ko) %{_mandir}/ko/man8/vigr.8*
+%lang(ko) %{_mandir}/ko/man8/vipw.8*
+
+%lang(pl) %{_mandir}/pl/man1/chage.1*
+%lang(pl) %{_mandir}/pl/man1/chsh.1*
+%lang(pl) %{_mandir}/pl/man1/expiry.1*
+%lang(pl) %{_mandir}/pl/man1/newgrp.1*
+%lang(pl) %{_mandir}/pl/man1/sg.1*
+%lang(pl) %{_mandir}/pl/man5/faillog.5*
+%lang(pl) %{_mandir}/pl/man8/faillog.8*
+%lang(pl) %{_mandir}/pl/man8/groupadd.8*
+%lang(pl) %{_mandir}/pl/man8/groupdel.8*
+%lang(pl) %{_mandir}/pl/man8/groupmems.8*
+%lang(pl) %{_mandir}/pl/man8/groupmod.8*
+%lang(pl) %{_mandir}/pl/man8/grpck.8*
+%lang(pl) %{_mandir}/pl/man8/logoutd.8*
+%lang(pl) %{_mandir}/pl/man8/userdel.8*
+%lang(pl) %{_mandir}/pl/man8/usermod.8*
+%lang(pl) %{_mandir}/pl/man8/vigr.8*
+%lang(pl) %{_mandir}/pl/man8/vipw.8*
+
+%lang(pt_BR) %{_mandir}/pt_BR/man1/gpasswd.1*
+%lang(pt_BR) %{_mandir}/pt_BR/man5/passwd.5*
+%lang(pt_BR) %{_mandir}/pt_BR/man5/shadow.5*
+%lang(pt_BR) %{_mandir}/pt_BR/man8/groupadd.8*
+%lang(pt_BR) %{_mandir}/pt_BR/man8/groupdel.8*
+%lang(pt_BR) %{_mandir}/pt_BR/man8/groupmod.8*
+
+%lang(ru) %{_mandir}/ru/man1/chage.1*
+%lang(ru) %{_mandir}/ru/man1/chfn.1*
+%lang(ru) %{_mandir}/ru/man1/chsh.1*
+%lang(ru) %{_mandir}/ru/man1/expiry.1*
+%lang(ru) %{_mandir}/ru/man1/gpasswd.1*
+%lang(ru) %{_mandir}/ru/man1/newgrp.1*
+%lang(ru) %{_mandir}/ru/man1/passwd.1*
+%lang(ru) %{_mandir}/ru/man1/sg.1*
+%lang(ru) %{_mandir}/ru/man5/faillog.5*
+%lang(ru) %{_mandir}/ru/man5/gshadow.5*
+%lang(ru) %{_mandir}/ru/man5/login.defs.5*
+%lang(ru) %{_mandir}/ru/man5/passwd.5*
+%lang(ru) %{_mandir}/ru/man5/shadow.5*
+%lang(ru) %{_mandir}/ru/man5/suauth.5*
+%lang(ru) %{_mandir}/ru/man8/chgpasswd.8*
+%lang(ru) %{_mandir}/ru/man8/chpasswd.8*
+%lang(ru) %{_mandir}/ru/man8/faillog.8*
+%lang(ru) %{_mandir}/ru/man8/groupadd.8*
+%lang(ru) %{_mandir}/ru/man8/groupdel.8*
+%lang(ru) %{_mandir}/ru/man8/groupmems.8*
+%lang(ru) %{_mandir}/ru/man8/groupmod.8*
+%lang(ru) %{_mandir}/ru/man8/grpck.8*
+%lang(ru) %{_mandir}/ru/man8/grpconv.8*
+%lang(ru) %{_mandir}/ru/man8/grpunconv.8*
+%lang(ru) %{_mandir}/ru/man8/logoutd.8*
+%lang(ru) %{_mandir}/ru/man8/newusers.8*
+%lang(ru) %{_mandir}/ru/man8/pwck.8*
+%lang(ru) %{_mandir}/ru/man8/pwconv.8*
+%lang(ru) %{_mandir}/ru/man8/pwunconv.8*
+%lang(ru) %{_mandir}/ru/man8/useradd.8*
+%lang(ru) %{_mandir}/ru/man8/userdel.8*
+%lang(ru) %{_mandir}/ru/man8/usermod.8*
+%lang(ru) %{_mandir}/ru/man8/vigr.8*
+%lang(ru) %{_mandir}/ru/man8/vipw.8*
+
+%lang(sv) %{_mandir}/sv/man1/chage.1*
+%lang(sv) %{_mandir}/sv/man1/chsh.1*
+%lang(sv) %{_mandir}/sv/man1/expiry.1*
+%lang(sv) %{_mandir}/sv/man1/newgrp.1*
+%lang(sv) %{_mandir}/sv/man1/passwd.1*
+%lang(sv) %{_mandir}/sv/man1/sg.1*
+%lang(sv) %{_mandir}/sv/man5/faillog.5*
+%lang(sv) %{_mandir}/sv/man5/gshadow.5*
+%lang(sv) %{_mandir}/sv/man5/passwd.5*
+%lang(sv) %{_mandir}/sv/man5/suauth.5*
+%lang(sv) %{_mandir}/sv/man8/faillog.8*
+%lang(sv) %{_mandir}/sv/man8/groupadd.8*
+%lang(sv) %{_mandir}/sv/man8/groupdel.8*
+%lang(sv) %{_mandir}/sv/man8/groupmems.8*
+%lang(sv) %{_mandir}/sv/man8/groupmod.8*
+%lang(sv) %{_mandir}/sv/man8/grpck.8*
+%lang(sv) %{_mandir}/sv/man8/logoutd.8*
+%lang(sv) %{_mandir}/sv/man8/pwck.8*
+%lang(sv) %{_mandir}/sv/man8/userdel.8*
+%lang(sv) %{_mandir}/sv/man8/vigr.8*
+%lang(sv) %{_mandir}/sv/man8/vipw.8*
+
+%lang(tr) %{_mandir}/tr/man1/chage.1*
+%lang(tr) %{_mandir}/tr/man1/chfn.1*
+%lang(tr) %{_mandir}/tr/man1/passwd.1*
+%lang(tr) %{_mandir}/tr/man5/passwd.5*
+%lang(tr) %{_mandir}/tr/man5/shadow.5*
+%lang(tr) %{_mandir}/tr/man8/groupadd.8*
+%lang(tr) %{_mandir}/tr/man8/groupdel.8*
+%lang(tr) %{_mandir}/tr/man8/groupmod.8*
+%lang(tr) %{_mandir}/tr/man8/useradd.8*
+%lang(tr) %{_mandir}/tr/man8/userdel.8*
+%lang(tr) %{_mandir}/tr/man8/usermod.8*
+
+%lang(zh_CN) %{_mandir}/zh_CN/man1/chage.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/chfn.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/chsh.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/expiry.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/gpasswd.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/newgrp.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/passwd.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man1/sg.1*
+%lang(zh_CN) %{_mandir}/zh_CN/man5/faillog.5*
+%lang(zh_CN) %{_mandir}/zh_CN/man5/gshadow.5*
+%lang(zh_CN) %{_mandir}/zh_CN/man5/login.defs.5*
+%lang(zh_CN) %{_mandir}/zh_CN/man5/passwd.5*
+%lang(zh_CN) %{_mandir}/zh_CN/man5/shadow.5*
+%lang(zh_CN) %{_mandir}/zh_CN/man5/suauth.5*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/chgpasswd.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/chpasswd.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/faillog.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/groupadd.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/groupdel.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/groupmems.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/groupmod.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/grpck.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/grpconv.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/grpunconv.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/logoutd.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/newusers.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/pwck.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/pwconv.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/pwunconv.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/useradd.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/userdel.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/usermod.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/vigr.8*
+%lang(zh_CN) %{_mandir}/zh_CN/man8/vipw.8*
+
+%lang(zh_TW) %{_mandir}/zh_TW/man1/chfn.1*
+%lang(zh_TW) %{_mandir}/zh_TW/man1/chsh.1*
+%lang(zh_TW) %{_mandir}/zh_TW/man1/newgrp.1*
+%lang(zh_TW) %{_mandir}/zh_TW/man5/passwd.5*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/chpasswd.8*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/groupadd.8*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/groupdel.8*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/groupmod.8*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/useradd.8*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/userdel.8*
+%lang(zh_TW) %{_mandir}/zh_TW/man8/usermod.8*
diff --git a/shadow.useradd b/shadow.useradd
new file mode 100644
index 0000000..0a28b4e
--- /dev/null
+++ b/shadow.useradd
@@ -0,0 +1,7 @@
+# useradd defaults file
+GROUP=1000
+HOME=/home/users
+INACTIVE=-1
+EXPIRE=
+SHELL=/bin/bash
+SKEL=/etc/skel
diff --git a/useradd.pamd b/useradd.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/useradd.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/userdel.pamd b/userdel.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/userdel.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/usermod.pamd b/usermod.pamd
new file mode 100644
index 0000000..cd2149e
--- /dev/null
+++ b/usermod.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_deny.so
+account		required	pam_permit.so
+password	include		system-auth