From 2b733fd76a46402b224554444c613065dcc9a025 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 18 Feb 2022 11:39:17 +0100 Subject: [PATCH 1/4] sys-apps/shadow: update to 4.11.1 Sync with Gentoo to update sys-apps/shadow to 4.11.1, mainly to address CVE-2013-4235. Gentoo ref: defe2a377e43a756441b183b66e2c4aae2be27b5 --- .../coreos-overlay/sys-apps/shadow/Manifest | 2 +- .../sys-apps/shadow/files/securetty | 33 ----- .../files/shadow-4.8-revert-bin-merge.patch | 15 -- .../shadow/files/tmpfiles.d/etc-shadow.conf | 5 - .../shadow/files/tmpfiles.d/var-shadow.conf | 1 - .../sys-apps/shadow/metadata.xml | 6 +- ...dow-4.8-r5.ebuild => shadow-4.11.1.ebuild} | 129 ++++++++++-------- 7 files changed, 80 insertions(+), 111 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/securetty delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf rename sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/{shadow-4.8-r5.ebuild => shadow-4.11.1.ebuild} (64%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest index e78c96da24..d6747cbe3b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest 
@@ -1 +1 @@
-DIST shadow-4.8.tar.xz 1609060 BLAKE2B 9d0b515e40f45c0baf420ef7ffaf5b6dd7989b26c93fc6dd610876263ac22e61fbc2821649d347c28055ae84f64cd5ab5c2435450c55339c80b4ae5062ccc44f SHA512 1c607aec541400fc179d6cbbac7511289c618ab2ce6ee9d7c18a8bfda00421c62d4b9e58aff52b5f82d485468e7db955c186ea0faad9a08003ffc01bdf2ccece
+DIST shadow-4.11.1.tar.xz 1656584 BLAKE2B d459a1e0ffb342b6b455caf65e6af60b32eee72d4a9b1ab126485fb4632503a42061d3f0b960554c8155af6dc0564c585335b27aecca6538b394a0d58d927588 SHA512 12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/securetty b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/securetty
deleted file mode 100644
index c7042fae2c..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/securetty
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/securetty: list of terminals on which root is allowed to login.
-# See securetty(5) and login(1).
-console
-
-vc/0
-vc/1
-vc/2
-vc/3
-vc/4
-vc/5
-vc/6
-vc/7
-vc/8
-vc/9
-vc/10
-vc/11
-vc/12
-tty0
-tty1
-tty2
-tty3
-tty4
-tty5
-tty6
-tty7
-tty8
-tty9
-tty10
-tty11
-tty12
-
-tts/0
-ttyS0
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch
deleted file mode 100644
index 08382fcb95..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 97839741..ff153d92 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -2,8 +2,8 @@
- EXTRA_DIST = \
- .indent.pro
-
--ubindir = ${bindir}
--usbindir = ${sbindir}
-+ubindir = ${prefix}/bin
-+usbindir = ${prefix}/sbin
- suidperms = 4755
- sgidperms = 2755
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf deleted file mode 100644 index 0acaf6838a..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf +++ /dev/null @@ -1,5 +0,0 @@ -L /etc/login.defs - - - - ../usr/share/shadow/login.defs -L /etc/securetty - - - - ../usr/share/shadow/securetty - -d /etc/default - - - - - -L /etc/default/useradd - - - - ../../usr/share/shadow/useradd diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf deleted file mode 100644 index 612187d6ae..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf +++ /dev/null @@ -1 +0,0 @@ -f /var/log/faillog - - - - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/metadata.xml index 908eabb59f..732ee860c2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/metadata.xml @@ -1,5 +1,5 @@ - + base-system@gentoo.org @@ -9,7 +9,9 @@ build the bcrypt password encryption algorithm build the su program - + + Reflect ABI of libsubids.so + cpe:/a:debian:shadow shadow-maint/shadow diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild similarity index 64% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild index 8419e240b0..ded6bdddef 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild @@ -1,19 +1,19 @@ -# Copyright 1999-2020 Gentoo Authors +# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -TMPFILES_OPTIONAL=1 -inherit autotools libtool pam systemd tmpfiles +inherit libtool pam DESCRIPTION="Utilities to deal with user accounts" HOMEPAGE="https://github.com/shadow-maint/shadow" -SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz" +SRC_URI="https://github.com/shadow-maint/shadow/releases/download/v${PV}/${P}.tar.xz" LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86" -IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr +su xattr" +# Subslot is for libsubid's SONAME. +SLOT="0/4" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" +IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr su xattr" # Taken from the man/Makefile.am file. LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) @@ -24,6 +24,7 @@ BDEPEND=" sys-devel/gettext " COMMON_DEPEND=" + virtual/libcrypt:= acl? ( sys-apps/acl:0= ) audit? ( >=sys-process/audit-2.6:0= ) cracklib? ( >=sys-libs/cracklib-2.7-r3:0= ) @@ -40,26 +41,33 @@ DEPEND="${COMMON_DEPEND} >=sys-kernel/linux-headers-4.14 " RDEPEND="${COMMON_DEPEND} + !=sys-auth/pambase-20150213 ) su? ( !sys-apps/util-linux[su(-)] ) " PATCHES=( "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch" - "${FILESDIR}/${P}-revert-bin-merge.patch" ) src_prepare() { default - eautoreconf - #elibtoolize + + #eautoreconf + elibtoolize } src_configure() { local myeconfargs=( --disable-account-tools-setuid - --enable-shared=no - --enable-static=yes + --disable-static --with-btrfs --without-group-name-max-length --without-tcb 
@@ -77,8 +85,6 @@ src_configure() { ) econf "${myeconfargs[@]}" - has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052 - if use nls ; then local l langs="po" # These are the pot files. for l in ${LANGS[*]} ; do 
@@ -89,66 +95,52 @@ src_configure() { } set_login_opt() { - local comment="" opt=$1 val=$2 + local comment="" opt=${1} val=${2} if [[ -z ${val} ]]; then comment="#" sed -i \ -e "/^${opt}\>/s:^:#:" \ - "${ED}"/usr/share/shadow/login.defs || die + "${ED}"/etc/login.defs || die else sed -i -r \ -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ - "${ED}"/usr/share/shadow/login.defs + "${ED}"/etc/login.defs fi - local res=$(grep "^${comment}${opt}\>" "${ED}"/usr/share/shadow/login.defs) - einfo "${res:-Unable to find ${opt} in /usr/share/shadow/login.defs}" + local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs) + einfo "${res:-Unable to find ${opt} in /etc/login.defs}" } src_install() { emake DESTDIR="${D}" suidperms=4711 install - # Remove libshadow and libmisc; see bug 37725 and the following - # comment from shadow's README.linux: - # Currently, libshadow.a is for internal use only, so if you see - # -lshadow in a Makefile of some other package, it is safe to - # remove it. - rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la} + # 4.9 regression: https://github.com/shadow-maint/shadow/issues/389 + emake DESTDIR="${D}" -C man install - # Remove files from /etc, they will be symlinks to /usr instead. - rm -f "${ED}"/etc/{limits,login.access,login.defs,securetty,default/useradd} + find "${ED}" -name '*.la' -type f -delete || die - # CoreOS: break shadow.conf into two files so that we only have to apply - # etc-shadow.conf in the initrd. - dotmpfiles "${FILESDIR}"/tmpfiles.d/etc-shadow.conf - dotmpfiles "${FILESDIR}"/tmpfiles.d/var-shadow.conf - # Package the symlinks for the SDK and containers. - systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/tmpfiles.d/* - - insinto /usr/share/shadow + insinto /etc if ! 
use pam ; then insopts -m0600 doins etc/login.access etc/limits fi - # Using a securetty with devfs device names added - # (compat names kept for non-devfs compatibility) - insopts -m0600 ; doins "${FILESDIR}"/securetty - # Output arch-specific cruft - local devs - case $(tc-arch) in - ppc*) devs="hvc0 hvsi0 ttyPSC0";; - hppa) devs="ttyB0";; - arm) devs="ttyFB0 ttySAC0 ttySAC1 ttySAC2 ttySAC3 ttymxc0 ttymxc1 ttymxc2 ttymxc3 ttyO0 ttyO1 ttyO2";; - sh) devs="ttySC0 ttySC1";; - amd64|x86) devs="hvc0";; - esac - if [[ -n ${devs} ]]; then - printf '%s\n' ${devs} >> "${ED}"/usr/share/shadow/securetty - fi # needed for 'useradd -D' + insinto /etc/default insopts -m0600 doins "${FILESDIR}"/default/useradd + if use split-usr ; then + # move passwd to / to help recover broke systems #64441 + # We cannot simply remove this or else net-misc/scponly + # and other tools will break because of hardcoded passwd + # location + dodir /bin + mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die + dosym ../../bin/passwd /usr/bin/passwd + fi + + cd "${S}" || die + insinto /etc insopts -m0644 newins etc/login.defs login.defs @@ -202,7 +194,7 @@ src_install() { -e 'b exit' \ -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ -e ': exit' \ - "${ED}"/usr/share/shadow/login.defs || die + "${ED}"/etc/login.defs || die # remove manpages that pam will install for us # and/or don't apply when using pam @@ -218,9 +210,13 @@ src_install() { fi # Remove manpages that are handled by other packages - find "${ED}"/usr/share/man \ - '(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \ - -delete + find "${ED}"/usr/share/man -type f \ + '(' -name id.1 -o -name getspnam.3 ')' \ + -delete || die + + if ! use su ; then + find "${ED}"/usr/share/man -type f -name su.1 -delete || die + fi cd "${S}" || die dodoc ChangeLog NEWS TODO 
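Review bot: In set_login_opt the `sed -i -r` substitution branch has no `|| die`, unlike the comment-out branch directly above it, so a failed edit of `"${ED}"/etc/login.defs` goes unnoticed and the function only logs whatever `grep` then finds. I would end that command with `"${ED}"/etc/login.defs || die`. The callers of set_login_opt are outside the hunk, so which login.defs settings depend on this substitution is not visible here, but a silently skipped edit would leave the upstream default in place while the build succeeds. The same unchecked line recurs, with the /usr/share/shadow/login.defs path, in the set_login_opt hunk of patch 2/4.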
@@ -233,3 +229,28 @@ pkg_preinst() { rm -f "${EROOT}"/etc/pam.d/system-auth.new \ "${EROOT}/etc/login.defs.new" } + +pkg_postinst() { + # Missing entries from /etc/passwd can cause odd system blips. + # See bug #829872. + if ! pwck -r -q -R "${EROOT:-/}" &>/dev/null ; then + ewarn "Running 'pwck' returned errors. Please run it manually to fix any errors." + fi + + # Enable shadow groups. + if [ ! -f "${EROOT}"/etc/gshadow ] ; then + if grpck -r -R "${EROOT:-/}" 2>/dev/null ; then + grpconv -R "${EROOT:-/}" + else + ewarn "Running 'grpck' returned errors. Please run it by hand, and then" + ewarn "run 'grpconv' afterwards!" + fi + fi + + [[ ! -f "${EROOT}"/etc/subgid ]] && + touch "${EROOT}"/etc/subgid + [[ ! -f "${EROOT}"/etc/subuid ]] && + touch "${EROOT}"/etc/subuid + + einfo "The 'adduser' symlink to 'useradd' has been dropped." +} From a44f3b8fbdbe3850c503ed74dfb7d7077b2c3619 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 18 Feb 2022 11:43:11 +0100 Subject: [PATCH 2/4] sys-apps/shadow: Apply Flatcar modifications - Carry over our custom tmpfiles and securetty files - Remove /etc files and install them to /usr, use tmpfiles - Switch /etc/login.defs edits to /usr/share/shadow/login.defs - Drop moving passwd out of /usr since we don't have split-usr - Drop pkg_postinst --- .../sys-apps/shadow/files/securetty | 33 ++++++++ .../shadow/files/tmpfiles.d/etc-shadow.conf | 5 ++ .../shadow/files/tmpfiles.d/var-shadow.conf | 1 + .../sys-apps/shadow/shadow-4.11.1.ebuild | 78 ++++++++----------- 4 files changed, 72 insertions(+), 45 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/securetty create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/securetty b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/securetty
new file mode 100644
index 0000000000..c7042fae2c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/securetty
@@ -0,0 +1,33 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+
+vc/0
+vc/1
+vc/2
+vc/3
+vc/4
+vc/5
+vc/6
+vc/7
+vc/8
+vc/9
+vc/10
+vc/11
+vc/12
+tty0
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+tty8
+tty9
+tty10
+tty11
+tty12
+
+tts/0
+ttyS0
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf
new file mode 100644
index 0000000000..0acaf6838a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf
@@ -0,0 +1,5 @@
+L /etc/login.defs - - - - ../usr/share/shadow/login.defs
+L /etc/securetty - - - - ../usr/share/shadow/securetty
+
+d /etc/default - - - - -
+L /etc/default/useradd - - - - ../../usr/share/shadow/useradd
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf
new file mode 100644
index 0000000000..612187d6ae
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf
@@ -0,0 +1 @@
+f /var/log/faillog - - - - -
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild
index ded6bdddef..4570e82f7e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild @@ -3,7 +3,8 @@ EAPI=7 -inherit libtool pam +TMPFILES_OPTIONAL=1 +inherit libtool pam systemd tmpfiles DESCRIPTION="Utilities to deal with user accounts" HOMEPAGE="https://github.com/shadow-maint/shadow" @@ -100,14 +101,14 @@ set_login_opt() { comment="#" sed -i \ -e "/^${opt}\>/s:^:#:" \ - "${ED}"/etc/login.defs || die + "${ED}"/usr/share/shadow/login.defs || die else sed -i -r \ -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ - "${ED}"/etc/login.defs + "${ED}"/usr/share/shadow/login.defs fi - local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs) - einfo "${res:-Unable to find ${opt} in /etc/login.defs}" + local res=$(grep "^${comment}${opt}\>" "${ED}"/usr/share/shadow/login.defs) + einfo "${res:-Unable to find ${opt} in /usr/share/shadow/login.defs}" } src_install() { 
@@ -118,29 +119,41 @@ src_install() { find "${ED}" -name '*.la' -type f -delete || die - insinto /etc + # Remove files from /etc, they will be symlinks to /usr instead. + rm -f "${ED}"/etc/{limits,login.access,login.defs,securetty,default/useradd} + + # CoreOS: break shadow.conf into two files so that we only have to apply + # etc-shadow.conf in the initrd. + dotmpfiles "${FILESDIR}"/tmpfiles.d/etc-shadow.conf + dotmpfiles "${FILESDIR}"/tmpfiles.d/var-shadow.conf + # Package the symlinks for the SDK and containers. + systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/tmpfiles.d/* + + insinto /usr/share/shadow if ! use pam ; then insopts -m0600 doins etc/login.access etc/limits fi + # Using a securetty with devfs device names added + # (compat names kept for non-devfs compatibility) + insopts -m0600 ; doins "${FILESDIR}"/securetty + # Output arch-specific cruft + local devs + case $(tc-arch) in + ppc*) devs="hvc0 hvsi0 ttyPSC0";; + hppa) devs="ttyB0";; + arm) devs="ttyFB0 ttySAC0 ttySAC1 ttySAC2 ttySAC3 ttymxc0 ttymxc1 ttymxc2 ttymxc3 ttyO0 ttyO1 ttyO2";; + sh) devs="ttySC0 ttySC1";; + amd64|x86) devs="hvc0";; + esac + if [[ -n ${devs} ]]; then + printf '%s\n' ${devs} >> "${ED}"/usr/share/shadow/securetty + fi # needed for 'useradd -D' - insinto /etc/default insopts -m0600 doins "${FILESDIR}"/default/useradd - if use split-usr ; then - # move passwd to / to help recover broke systems #64441 - # We cannot simply remove this or else net-misc/scponly - # and other tools will break because of hardcoded passwd - # location - dodir /bin - mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die - dosym ../../bin/passwd /usr/bin/passwd - fi - - cd "${S}" || die - insinto /etc insopts -m0644 newins etc/login.defs login.defs 
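Review bot: The `systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/tmpfiles.d/*` call in src_install has no `|| die`, so if it fails the package is still built, only without the /etc/login.defs, /etc/securetty and /etc/default/useradd symlinks that the preceding `rm -f` has just removed the real files for. The tools would then presumably run on built-in defaults with no build-time signal, so I would append `|| die` to that call and to the `printf '%s\n' ${devs} >> "${ED}"/usr/share/shadow/securetty` append. Separately, in the `! use pam` branch `etc/login.access` and `etc/limits` are installed under /usr/share/shadow, but etc-shadow.conf creates no /etc link for either, so a non-PAM build would appear to ship them where nothing reads them; a short comment saying that this branch is unused on this distribution, or two more `L` lines, would settle it. src_install continues outside the hunk.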
@@ -194,7 +207,7 @@ src_install() { -e 'b exit' \ -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ -e ': exit' \ - "${ED}"/etc/login.defs || die + "${ED}"/usr/share/shadow/login.defs || die # remove manpages that pam will install for us # and/or don't apply when using pam @@ -229,28 +242,3 @@ pkg_preinst() { rm -f "${EROOT}"/etc/pam.d/system-auth.new \ "${EROOT}/etc/login.defs.new" } - -pkg_postinst() { - # Missing entries from /etc/passwd can cause odd system blips. - # See bug #829872. - if ! pwck -r -q -R "${EROOT:-/}" &>/dev/null ; then - ewarn "Running 'pwck' returned errors. Please run it manually to fix any errors." - fi - - # Enable shadow groups. - if [ ! -f "${EROOT}"/etc/gshadow ] ; then - if grpck -r -R "${EROOT:-/}" 2>/dev/null ; then - grpconv -R "${EROOT:-/}" - else - ewarn "Running 'grpck' returned errors. Please run it by hand, and then" - ewarn "run 'grpconv' afterwards!" - fi - fi - - [[ ! -f "${EROOT}"/etc/subgid ]] && - touch "${EROOT}"/etc/subgid - [[ ! -f "${EROOT}"/etc/subuid ]] && - touch "${EROOT}"/etc/subuid - - einfo "The 'adduser' symlink to 'useradd' has been dropped." -} From 2037f0a173a91902eca32f52d579ca4ea49edf35 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Fri, 18 Feb 2022 14:26:41 +0100 Subject: [PATCH 3/4] changelog: add changelog for shadow 4.11.1 --- .../changelog/security/2022-02-18-shadow-4.11.1.md | 1 + .../changelog/updates/2022-02-18-shadow-4.11.1-update.md | 1 + 2 files changed, 2 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/security/2022-02-18-shadow-4.11.1.md create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-02-18-shadow-4.11.1-update.md diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-02-18-shadow-4.11.1.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-02-18-shadow-4.11.1.md new file mode 100644 index 0000000000..2b4b1d02cf 
--- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-02-18-shadow-4.11.1.md @@ -0,0 +1 @@ +- shadow ([CVE-2013-4235](https://nvd.nist.gov/vuln/detail/CVE-2013-4235)) diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-02-18-shadow-4.11.1-update.md b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-02-18-shadow-4.11.1-update.md new file mode 100644 index 0000000000..2c621b4181 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-02-18-shadow-4.11.1-update.md @@ -0,0 +1 @@ +- shadow ([4.11.1](https://github.com/shadow-maint/shadow/releases/tag/v4.11.1)) From fe7a6c904b216a5dc3f1b88077a3b8d181c8656a Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Tue, 22 Feb 2022 11:53:56 +0100 Subject: [PATCH 4/4] profiles: enable su USE flag for shadow Enable su USE flag for shadow, because shadow >= 4.11 does not have it by default. Ideally util-linux should have the su binary, but that is currently not possible, because of a bunch of additional dependencies in SDK like pam_sssd in baselayout. --- .../coreos-overlay/profiles/coreos/base/package.use | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use index df8d6d701f..57f2da854f 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use @@ -139,3 +139,9 @@ dev-libs/openssl fips # enables ELF support to e.g. allow tc to handle BPF filters. sys-apps/iproute2 elf + +# Enable su for shadow, because shadow >= 4.11 does not have it by default. +# Ideally util-linux should have the su binary, but that is currently not +# possible, because of a bunch of additional dependencies in SDK like +# pam_sssd in baselayout. +sys-apps/shadow su
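Review bot: Turning on `su` for sys-apps/shadow in package.use activates the ebuild's `su? ( !sys-apps/util-linux[su(-)] )` blocker from patch 1/4, and nothing in this hunk shows util-linux being built without its own su. If the profile does not already do so elsewhere, `sys-apps/util-linux -su` belongs next to this entry so the two packages cannot both try to install the binary. Because src_install passes `suidperms=4711`, this line presumably also decides which setuid-root su implementation ships in the image; the comment could say that explicitly, e.g. `# NOTE: this selects shadow's setuid su; keep util-linux[-su] in sync.`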