sys-apps/shadow: update to 4.8-r5, sync with Gentoo

Update sys-apps/shadow to 4.8-r5, simply syncing with Gentoo.

It is mainly to resolve
[CVE-2019-19882](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19882).
See also https://security.gentoo.org/glsa/202008-09.

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/Manifest

@@ -1 +1 @@
-DIST shadow-4.6.tar.gz 3804282 BLAKE2B 268c90e7daba138827aec6039f428f52cdcf7929743fa1f49f801cc669de7456ec5a69531194cdb29f051ce7d0b2f1e966fdf2513a9fc8f7fbdeb29d786a509f SHA512 36358333e7f03ef558772f3361bc5851a7d7fd3d85c993a6b732e37304b8068b2893d55607b9bfe8b8eed616a687264f947ff66cefc74ea1a48ba9396d464714
+DIST shadow-4.8.tar.xz 1609060 BLAKE2B 9d0b515e40f45c0baf420ef7ffaf5b6dd7989b26c93fc6dd610876263ac22e61fbc2821649d347c28055ae84f64cd5ab5c2435450c55339c80b4ae5062ccc44f SHA512 1c607aec541400fc179d6cbbac7511289c618ab2ce6ee9d7c18a8bfda00421c62d4b9e58aff52b5f82d485468e7db955c186ea0faad9a08003ffc01bdf2ccece

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/pam.d-include/chpasswd

@@ -0,0 +1,3 @@
+#%PAM-1.0
+
+password   include	system-auth

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/pam.d-include/shadow-r1

@@ -0,0 +1,7 @@
+#%PAM-1.0
+
+auth       sufficient	pam_rootok.so
+
+account    include		system-auth
+
+password   required		pam_permit.so

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/securetty

@@ -1,33 +0,0 @@
-# /etc/securetty: list of terminals on which root is allowed to login.
-# See securetty(5) and login(1).
-console
-
-vc/0
-vc/1
-vc/2
-vc/3
-vc/4
-vc/5
-vc/6
-vc/7
-vc/8
-vc/9
-vc/10
-vc/11
-vc/12
-tty0
-tty1
-tty2
-tty3
-tty4
-tty5
-tty6
-tty7
-tty8
-tty9
-tty10
-tty11
-tty12
-
-tts/0
-ttyS0

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/shadow-4.8-revert-bin-merge.patch

@@ -0,0 +1,15 @@
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 97839741..ff153d92 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -2,8 +2,8 @@
+ EXTRA_DIST = \
+ 	.indent.pro
+ 
+-ubindir = ${bindir}
+-usbindir = ${sbindir}
++ubindir = ${prefix}/bin
++usbindir = ${prefix}/sbin
+ suidperms = 4755
+ sgidperms = 2755
+ 

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf

@@ -1,5 +0,0 @@
-L   /etc/login.defs     -   -   -   -   ../usr/share/shadow/login.defs
-L   /etc/securetty      -   -   -   -   ../usr/share/shadow/securetty
-
-d   /etc/default            -   -   -   -   -
-L   /etc/default/useradd    -   -   -   -   ../../usr/share/shadow/useradd

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf

@@ -1 +0,0 @@
-f   /var/log/faillog        -   -   -   -   -

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/metadata.xml

@@ -1,14 +1,14 @@
-<?xml version='1.0' encoding='UTF-8'?>
+<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<maintainer type="project">
 		<email>base-system@gentoo.org</email>
 		<name>Gentoo Base System</name>
 	</maintainer>
-	<maintainer type="project">
-		<email>pam-bugs@gentoo.org</email>
-		<name>Pluggable Authentication Method maintenance</name>
-	</maintainer>
+	<use>
+		<flag name="bcrypt">build the bcrypt password encryption algorithm</flag>
+		<flag name="su">build the su program</flag>
+	</use>
 	<!-- only for USE=pam -->
 	<upstream>
 		<remote-id type="cpe">cpe:/a:debian:shadow</remote-id>

sdk_container/src/third_party/coreos-overlay/sys-apps/shadow/shadow-4.8-r5.ebuild

@@ -1,62 +1,77 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=6
+EAPI=7
 
-inherit libtool pam multilib systemd
+inherit autotools libtool pam
 
 DESCRIPTION="Utilities to deal with user accounts"
-HOMEPAGE="https://github.com/shadow-maint/shadow http://pkg-shadow.alioth.debian.org/"
-SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.gz"
+HOMEPAGE="https://github.com/shadow-maint/shadow"
+SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.xz"
 
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
-IUSE="acl audit +cracklib nls pam selinux skey xattr"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86"
+IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr +su xattr"
 # Taken from the man/Makefile.am file.
 LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
 
-RDEPEND="acl? ( sys-apps/acl:0= )
+REQUIRED_USE="?? ( cracklib pam )"
+
+BDEPEND="
+	app-arch/xz-utils
+	sys-devel/gettext
+"
+COMMON_DEPEND="
+	acl? ( sys-apps/acl:0= )
 	audit? ( >=sys-process/audit-2.6:0= )
 	cracklib? ( >=sys-libs/cracklib-2.7-r3:0= )
-	pam? ( virtual/pam:0= )
+	nls? ( virtual/libintl )
+	pam? ( sys-libs/pam:0= )
 	skey? ( sys-auth/skey:0= )
 	selinux? (
 		>=sys-libs/libselinux-1.28:0=
 		sys-libs/libsemanage:0=
 	)
-	nls? ( virtual/libintl )
-	xattr? ( sys-apps/attr:0= )"
-DEPEND="${RDEPEND}
-	app-arch/xz-utils
-	nls? ( sys-devel/gettext )"
-RDEPEND="${RDEPEND}
-	pam? ( >=sys-auth/pambase-20150213 )"
+	xattr? ( sys-apps/attr:0= )
+"
+DEPEND="${COMMON_DEPEND}
+	>=sys-kernel/linux-headers-4.14
+"
+RDEPEND="${COMMON_DEPEND}
+	pam? ( >=sys-auth/pambase-20150213 )
+	su? ( !sys-apps/util-linux[su(-)] )
+"
 
 PATCHES=(
 	"${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch"
+	"${FILESDIR}/${P}-revert-bin-merge.patch"
 )
 
 src_prepare() {
 	default
-	#eautoreconf
-	elibtoolize
+	eautoreconf
+	#elibtoolize
 }
 
 src_configure() {
 	local myeconfargs=(
-		--without-group-name-max-length
-		--without-tcb
+		--disable-account-tools-setuid
 		--enable-shared=no
 		--enable-static=yes
+		--with-btrfs
+		--without-group-name-max-length
+		--without-tcb
+		$(use_enable nls)
 		$(use_with acl)
 		$(use_with audit)
+		$(use_with bcrypt)
 		$(use_with cracklib libcrack)
-		$(use_with pam libpam)
-		$(use_with skey)
-		$(use_with selinux)
-		$(use_enable nls)
 		$(use_with elibc_glibc nscd)
+		$(use_with pam libpam)
+		$(use_with selinux)
+		$(use_with skey)
+		$(use_with su)
 		$(use_with xattr attr)
 	)
 	econf "${myeconfargs[@]}"
@@ -78,14 +93,14 @@ set_login_opt() {
 		comment="#"
 		sed -i \
 			-e "/^${opt}\>/s:^:#:" \
-			"${ED%/}"/usr/share/shadow/login.defs || die
+			"${ED}"/etc/login.defs || die
 	else
 		sed -i -r \
 			-e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
-			"${ED%/}"/usr/share/shadow/login.defs
+			"${ED}"/etc/login.defs
 	fi
-	local res=$(grep "^${comment}${opt}\>" "${ED%/}"/usr/share/shadow/login.defs)
-	einfo "${res:-Unable to find ${opt} in /usr/share/shadow/login.defs}"
+	local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs)
+	einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
 }
 
 src_install() {
@@ -96,43 +111,31 @@ src_install() {
 	#   Currently, libshadow.a is for internal use only, so if you see
 	#   -lshadow in a Makefile of some other package, it is safe to
 	#   remove it.
-	rm -f "${ED%/}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
+	rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
 
-	# Remove files from /etc, they will be symlinks to /usr instead.
-	rm -f "${ED%/}"/etc/{limits,login.access,login.defs,securetty,default/useradd}
-
-	# CoreOS: break shadow.conf into two files so that we only have to apply
-	# etc-shadow.conf in the initrd.
-	systemd_dotmpfilesd "${FILESDIR}"/tmpfiles.d/etc-shadow.conf
-	systemd_dotmpfilesd "${FILESDIR}"/tmpfiles.d/var-shadow.conf
-	# Package the symlinks for the SDK and containers.
-	systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/tmpfiles.d/*
-
-	insinto /usr/share/shadow
+	insinto /etc
 	if ! use pam ; then
 		insopts -m0600
 		doins etc/login.access etc/limits
 	fi
-	# Using a securetty with devfs device names added
-	# (compat names kept for non-devfs compatibility)
-	insopts -m0600 ; doins "${FILESDIR}"/securetty
-	# Output arch-specific cruft
-	local devs
-	case $(tc-arch) in
-		ppc*)  devs="hvc0 hvsi0 ttyPSC0";;
-		hppa)  devs="ttyB0";;
-		arm)   devs="ttyFB0 ttySAC0 ttySAC1 ttySAC2 ttySAC3 ttymxc0 ttymxc1 ttymxc2 ttymxc3 ttyO0 ttyO1 ttyO2";;
-		sh)    devs="ttySC0 ttySC1";;
-		amd64|x86)      devs="hvc0";;
-	esac
-	if [[ -n ${devs} ]]; then
-		printf '%s\n' ${devs} >> "${ED%/}"/usr/share/shadow/securetty
-	fi
 
 	# needed for 'useradd -D'
+	insinto /etc/default
 	insopts -m0600
 	doins "${FILESDIR}"/default/useradd
 
+	if use split-usr ; then
+		# move passwd to / to help recover broke systems #64441
+		# We cannot simply remove this or else net-misc/scponly
+		# and other tools will break because of hardcoded passwd
+		# location
+		dodir /bin
+		mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
+		dosym ../../bin/passwd /usr/bin/passwd
+	fi
+
+	cd "${S}" || die
+	insinto /etc
 	insopts -m0644
 	newins etc/login.defs login.defs
 
@@ -140,22 +143,23 @@ src_install() {
 	if ! use pam ; then
 		set_login_opt MAIL_CHECK_ENAB no
 		set_login_opt SU_WHEEL_ONLY yes
-		set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict
+		set_login_opt CRACKLIB_DICTPATH /usr/lib/cracklib_dict
 		set_login_opt LOGIN_RETRIES 3
 		set_login_opt ENCRYPT_METHOD SHA512
 		set_login_opt CONSOLE
 	else
 		dopamd "${FILESDIR}"/pam.d-include/shadow
 
-		for x in chpasswd chgpasswd newusers; do
+		for x in chsh shfn ; do
 			newpamd "${FILESDIR}"/pam.d-include/passwd ${x}
 		done
 
-		for x in chage chsh chfn \
-				 user{add,del,mod} group{add,del,mod} ; do
-			newpamd "${FILESDIR}"/pam.d-include/shadow ${x}
+		for x in chpasswd newusers ; do
+			newpamd "${FILESDIR}"/pam.d-include/chpasswd ${x}
 		done
 
+		newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems
+
 		# comment out login.defs options that pam hates
 		local opt sed_args=()
 		for opt in \
@@ -185,20 +189,23 @@ src_install() {
 			-e 'b exit' \
 			-e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
 			-e ': exit' \
-			"${ED%/}"/usr/share/shadow/login.defs || die
+			"${ED}"/etc/login.defs || die
 
 		# remove manpages that pam will install for us
 		# and/or don't apply when using pam
-		find "${ED%/}"/usr/share/man \
+		find "${ED}"/usr/share/man -type f \
 			'(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
 			-delete
 
 		# Remove pam.d files provided by pambase.
-		rm "${ED%/}"/etc/pam.d/{login,passwd,su} || die
+		rm "${ED}"/etc/pam.d/{login,passwd} || die
+		if use su ; then
+			rm "${ED}"/etc/pam.d/su || die
+		fi
 	fi
 
 	# Remove manpages that are handled by other packages
-	find "${ED%/}"/usr/share/man \
+	find "${ED}"/usr/share/man \
 		'(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
 		-delete
 
@@ -213,3 +220,22 @@ pkg_preinst() {
 	rm -f "${EROOT}"/etc/pam.d/system-auth.new \
 		"${EROOT}/etc/login.defs.new"
 }
+
+pkg_postinst() {
+	# Enable shadow groups.
+	if [ ! -f "${EROOT}"/etc/gshadow ] ; then
+		if grpck -r -R "${EROOT}" 2>/dev/null ; then
+			grpconv -R "${EROOT}"
+		else
+			ewarn "Running 'grpck' returned errors.  Please run it by hand, and then"
+			ewarn "run 'grpconv' afterwards!"
+		fi
+	fi
+
+	[[ ! -f "${EROOT}"/etc/subgid ]] &&
+		touch "${EROOT}"/etc/subgid
+	[[ ! -f "${EROOT}"/etc/subuid ]] &&
+		touch "${EROOT}"/etc/subuid
+
+	einfo "The 'adduser' symlink to 'useradd' has been dropped."
+}