sys-apps/shadow: update to 4.11.1

Sync with Gentoo to update sys-apps/shadow to 4.11.1, mainly to address
CVE-2013-4235.

Gentoo ref: defe2a377e43a756441b183b66e2c4aae2be27b5

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest

@@ -1 +1 @@
-DIST shadow-4.8.tar.xz 1609060 BLAKE2B 9d0b515e40f45c0baf420ef7ffaf5b6dd7989b26c93fc6dd610876263ac22e61fbc2821649d347c28055ae84f64cd5ab5c2435450c55339c80b4ae5062ccc44f SHA512 1c607aec541400fc179d6cbbac7511289c618ab2ce6ee9d7c18a8bfda00421c62d4b9e58aff52b5f82d485468e7db955c186ea0faad9a08003ffc01bdf2ccece
+DIST shadow-4.11.1.tar.xz 1656584 BLAKE2B d459a1e0ffb342b6b455caf65e6af60b32eee72d4a9b1ab126485fb4632503a42061d3f0b960554c8155af6dc0564c585335b27aecca6538b394a0d58d927588 SHA512 12fbe4d6ac929ad3c21525ed0f1026b5b678ccec9762f2ec7e611d9c180934def506325f2835fb750dd30af035b592f827ff151cd6e4c805aaaf8e01425c279f

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/securetty

@@ -1,33 +0,0 @@
-# /etc/securetty: list of terminals on which root is allowed to login.
-# See securetty(5) and login(1).
-console
-
-vc/0
-vc/1
-vc/2
-vc/3
-vc/4
-vc/5
-vc/6
-vc/7
-vc/8
-vc/9
-vc/10
-vc/11
-vc/12
-tty0
-tty1
-tty2
-tty3
-tty4
-tty5
-tty6
-tty7
-tty8
-tty9
-tty10
-tty11
-tty12
-
-tts/0
-ttyS0

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch

@@ -1,15 +0,0 @@
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 97839741..ff153d92 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -2,8 +2,8 @@
- EXTRA_DIST = \
- 	.indent.pro
- 
--ubindir = ${bindir}
--usbindir = ${sbindir}
-+ubindir = ${prefix}/bin
-+usbindir = ${prefix}/sbin
- suidperms = 4755
- sgidperms = 2755
- 

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf

@@ -1,5 +0,0 @@
-L   /etc/login.defs     -   -   -   -   ../usr/share/shadow/login.defs
-L   /etc/securetty      -   -   -   -   ../usr/share/shadow/securetty
-
-d   /etc/default            -   -   -   -   -
-L   /etc/default/useradd    -   -   -   -   ../../usr/share/shadow/useradd

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf

@@ -1 +0,0 @@
-f   /var/log/faillog        -   -   -   -   -

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/metadata.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<maintainer type="project">
 		<email>base-system@gentoo.org</email>
@@ -9,7 +9,9 @@
 		<flag name="bcrypt">build the bcrypt password encryption algorithm</flag>
 		<flag name="su">build the su program</flag>
 	</use>
-	<!-- only for USE=pam -->
+	<slots>
+		<subslots>Reflect ABI of libsubids.so</subslots>
+	</slots>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:debian:shadow</remote-id>
 		<remote-id type="github">shadow-maint/shadow</remote-id>

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.11.1.ebuild

@@ -1,19 +1,19 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
 
-TMPFILES_OPTIONAL=1
+inherit libtool pam
-inherit autotools libtool pam systemd tmpfiles
 
 DESCRIPTION="Utilities to deal with user accounts"
 HOMEPAGE="https://github.com/shadow-maint/shadow"
-SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz"
+SRC_URI="https://github.com/shadow-maint/shadow/releases/download/v${PV}/${P}.tar.xz"
 
 LICENSE="BSD GPL-2"
-SLOT="0"
+# Subslot is for libsubid's SONAME.
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86"
+SLOT="0/4"
-IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr +su xattr"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr su xattr"
 # Taken from the man/Makefile.am file.
 LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
 
@@ -24,6 +24,7 @@ BDEPEND="
 	sys-devel/gettext
 "
 COMMON_DEPEND="
+	virtual/libcrypt:=
 	acl? ( sys-apps/acl:0= )
 	audit? ( >=sys-process/audit-2.6:0= )
 	cracklib? ( >=sys-libs/cracklib-2.7-r3:0= )
@@ -40,26 +41,33 @@ DEPEND="${COMMON_DEPEND}
 	>=sys-kernel/linux-headers-4.14
 "
 RDEPEND="${COMMON_DEPEND}
+	!<sys-apps/man-pages-5.11-r1
+	!=sys-apps/man-pages-5.12-r0
+	!=sys-apps/man-pages-5.12-r1
+	nls? (
+		!<app-i18n/man-pages-it-5.06-r1
+		!<app-i18n/man-pages-ja-20180315-r1
+		!<app-i18n/man-pages-ru-5.03.2390.2390.20191017-r1
+	)
 	pam? ( >=sys-auth/pambase-20150213 )
 	su? ( !sys-apps/util-linux[su(-)] )
 "
 
 PATCHES=(
 	"${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch"
-	"${FILESDIR}/${P}-revert-bin-merge.patch"
 )
 
 src_prepare() {
 	default
-	eautoreconf
+
-	#elibtoolize
+	#eautoreconf
+	elibtoolize
 }
 
 src_configure() {
 	local myeconfargs=(
 		--disable-account-tools-setuid
-		--enable-shared=no
+		--disable-static
-		--enable-static=yes
 		--with-btrfs
 		--without-group-name-max-length
 		--without-tcb
@@ -77,8 +85,6 @@ src_configure() {
 	)
 	econf "${myeconfargs[@]}"
 
-	has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052
-
 	if use nls ; then
 		local l langs="po" # These are the pot files.
 		for l in ${LANGS[*]} ; do
@@ -89,66 +95,52 @@ src_configure() {
 }
 
 set_login_opt() {
-	local comment="" opt=$1 val=$2
+	local comment="" opt=${1} val=${2}
 	if [[ -z ${val} ]]; then
 		comment="#"
 		sed -i \
 			-e "/^${opt}\>/s:^:#:" \
-			"${ED}"/usr/share/shadow/login.defs || die
+			"${ED}"/etc/login.defs || die
 	else
 		sed -i -r \
 			-e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
-			"${ED}"/usr/share/shadow/login.defs
+			"${ED}"/etc/login.defs
 	fi
-	local res=$(grep "^${comment}${opt}\>" "${ED}"/usr/share/shadow/login.defs)
+	local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs)
-	einfo "${res:-Unable to find ${opt} in /usr/share/shadow/login.defs}"
+	einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
 }
 
 src_install() {
 	emake DESTDIR="${D}" suidperms=4711 install
 
-	# Remove libshadow and libmisc; see bug 37725 and the following
+	# 4.9 regression: https://github.com/shadow-maint/shadow/issues/389
-	# comment from shadow's README.linux:
+	emake DESTDIR="${D}" -C man install
-	#   Currently, libshadow.a is for internal use only, so if you see
-	#   -lshadow in a Makefile of some other package, it is safe to
-	#   remove it.
-	rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
 
-	# Remove files from /etc, they will be symlinks to /usr instead.
+	find "${ED}" -name '*.la' -type f -delete || die
-	rm -f "${ED}"/etc/{limits,login.access,login.defs,securetty,default/useradd}
 
-	# CoreOS: break shadow.conf into two files so that we only have to apply
+	insinto /etc
-	# etc-shadow.conf in the initrd.
-	dotmpfiles "${FILESDIR}"/tmpfiles.d/etc-shadow.conf
-	dotmpfiles "${FILESDIR}"/tmpfiles.d/var-shadow.conf
-	# Package the symlinks for the SDK and containers.
-	systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/tmpfiles.d/*
-
-	insinto /usr/share/shadow
 	if ! use pam ; then
 		insopts -m0600
 		doins etc/login.access etc/limits
 	fi
-	# Using a securetty with devfs device names added
-	# (compat names kept for non-devfs compatibility)
-	insopts -m0600 ; doins "${FILESDIR}"/securetty
-	# Output arch-specific cruft
-	local devs
-	case $(tc-arch) in
-		ppc*)  devs="hvc0 hvsi0 ttyPSC0";;
-		hppa)  devs="ttyB0";;
-		arm)   devs="ttyFB0 ttySAC0 ttySAC1 ttySAC2 ttySAC3 ttymxc0 ttymxc1 ttymxc2 ttymxc3 ttyO0 ttyO1 ttyO2";;
-		sh)    devs="ttySC0 ttySC1";;
-		amd64|x86)      devs="hvc0";;
-	esac
-	if [[ -n ${devs} ]]; then
-		printf '%s\n' ${devs} >> "${ED}"/usr/share/shadow/securetty
-	fi
 
 	# needed for 'useradd -D'
+	insinto /etc/default
 	insopts -m0600
 	doins "${FILESDIR}"/default/useradd
 
+	if use split-usr ; then
+		# move passwd to / to help recover broke systems #64441
+		# We cannot simply remove this or else net-misc/scponly
+		# and other tools will break because of hardcoded passwd
+		# location
+		dodir /bin
+		mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
+		dosym ../../bin/passwd /usr/bin/passwd
+	fi
+
+	cd "${S}" || die
+	insinto /etc
 	insopts -m0644
 	newins etc/login.defs login.defs
 
@@ -202,7 +194,7 @@ src_install() {
 			-e 'b exit' \
 			-e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
 			-e ': exit' \
-			"${ED}"/usr/share/shadow/login.defs || die
+			"${ED}"/etc/login.defs || die
 
 		# remove manpages that pam will install for us
 		# and/or don't apply when using pam
@@ -218,9 +210,13 @@ src_install() {
 	fi
 
 	# Remove manpages that are handled by other packages
-	find "${ED}"/usr/share/man \
+	find "${ED}"/usr/share/man -type f \
-		'(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
+		'(' -name id.1 -o -name getspnam.3 ')' \
-		-delete
+		-delete || die
+
+	if ! use su ; then
+		find "${ED}"/usr/share/man -type f -name su.1 -delete || die
+	fi
 
 	cd "${S}" || die
 	dodoc ChangeLog NEWS TODO
@@ -233,3 +229,28 @@ pkg_preinst() {
 	rm -f "${EROOT}"/etc/pam.d/system-auth.new \
 		"${EROOT}/etc/login.defs.new"
 }
+
+pkg_postinst() {
+	# Missing entries from /etc/passwd can cause odd system blips.
+	# See bug #829872.
+	if ! pwck -r -q -R "${EROOT:-/}" &>/dev/null ; then
+		ewarn "Running 'pwck' returned errors. Please run it manually to fix any errors."
+	fi
+
+	# Enable shadow groups.
+	if [ ! -f "${EROOT}"/etc/gshadow ] ; then
+		if grpck -r -R "${EROOT:-/}" 2>/dev/null ; then
+			grpconv -R "${EROOT:-/}"
+		else
+			ewarn "Running 'grpck' returned errors. Please run it by hand, and then"
+			ewarn "run 'grpconv' afterwards!"
+		fi
+	fi
+
+	[[ ! -f "${EROOT}"/etc/subgid ]] &&
+		touch "${EROOT}"/etc/subgid
+	[[ ! -f "${EROOT}"/etc/subuid ]] &&
+		touch "${EROOT}"/etc/subuid
+
+	einfo "The 'adduser' symlink to 'useradd' has been dropped."
+}