From 889d83d1a7e3e3bb9e83e54ceba4cf969e79a34e Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Thu, 3 Apr 2025 16:00:05 +0200
Subject: [PATCH] sys-apps/shadow: Sync with Gentoo

It's from Gentoo commit 694a496c860b098f4643a708d423e8f6177d9090.
---
 .../portage-stable/sys-apps/shadow/Manifest | 4 +-
 .../sys-apps/shadow/files/securetty | 33 -----
 .../files/shadow-4.13-CVE-2023-29383.patch | 100 -------------
 .../files/shadow-4.13-configure-clang16.patch | 38 -----
 .../files/shadow-4.13-password-leak.patch | 135 ------------------
 .../shadow-4.13-usermod-prefix-gid.patch | 33 -----
 .../shadow/files/tmpfiles.d/etc-shadow.conf | 5 -
 .../shadow/files/tmpfiles.d/var-shadow.conf | 1 -
 .../sys-apps/shadow/metadata.xml | 1 -
 ...ow-4.13-r4.ebuild => shadow-4.14.8.ebuild} | 103 ++++++-------
 10 files changed, 46 insertions(+), 407 deletions(-)
 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/securetty
 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch
 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch
 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-password-leak.patch
 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch
 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf
 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf
 rename sdk_container/src/third_party/portage-stable/sys-apps/shadow/{shadow-4.13-r4.ebuild => shadow-4.14.8.ebuild} (69%)

diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/Manifest b/sdk_container/src/third_party/portage-stable/sys-apps/shadow/Manifest
index ca3ab73585..6071c4e93f 100644
--- a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/shadow/Manifest
@@ -1,2 +1,2 @@
-DIST shadow-4.13.tar.xz 1762908 BLAKE2B 315ab8a7e598aeefb50c11293e20cfa0982c3c3ae21c35ae243d09a4facf97a13c1d672990876e74ef94f5284402acf14997663743e2aaefa6cfc4369b7d24dc SHA512 2949a728c3312bef13d23138d6b79caf402781b1cb179e33b5be546c1790971ec20778d0e9cd3dbe09691d928ffcbe88e60da42fab58c69a90d5ebe5e3e2ab8e
-DIST shadow-4.13.tar.xz.asc 488 BLAKE2B de1f8285c5713a772343a2a7c638d1d13429dd4fa867d4f91d4922aa0d083b4a3110d38e8a8ab82137fdf4fecb12ba3677f3fb235401fc6438ae663fbd9bfbd2 SHA512 f8549c4e699c65721d53946d61b6127712572f7ad9ee13018ef3a25307002992aa727471c948d1bb22dcddf112715bed387d28f436123f30e153ae6bc0cd3648
+DIST shadow-4.14.8.tar.xz 1806352 BLAKE2B a6ed45e44560c68baec97072399c106060be859a0f9514da2e5b0ec373e5b9c9f54b402132f39c20401496a5b3faeaa0bc90e1b9f02dd2e3b3ffc7389d0745bb SHA512 6f98ef412874f91cfa3f08877f3fe058d725636705b07d473aa1ea44cb6864059701bd11513caf692d270a7ed8ab1956e04421e53dfb8c74e925b8ec12ab8634
+DIST shadow-4.14.8.tar.xz.asc 833 BLAKE2B 1b8b8f3f36e06c1dda0a4e0d1508b1ad0ef85f0fa993a92a583831687076ba22d05f47109d56c1e740b60632c3bbeeb6c8cc001e41f46b1a2f9177ce62854f8c SHA512 1db2647babe3f434204c93e7700ff6a0ece078f6c5adb96ae0c0ac9d82a862835c4ab8afb37b0ffc80cf62e9a59f1ba33a92ff454e7ae0ca2aa535b19627615e
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/securetty b/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/securetty
deleted file mode 100644
index c7042fae2c..0000000000
--- a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/securetty
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/securetty: list of terminals on which root is allowed to login.
-# See securetty(5) and login(1).
-console
-
-vc/0
-vc/1
-vc/2
-vc/3
-vc/4
-vc/5
-vc/6
-vc/7
-vc/8
-vc/9
-vc/10
-vc/11
-vc/12
-tty0
-tty1
-tty2
-tty3
-tty4
-tty5
-tty6
-tty7
-tty8
-tty9
-tty10
-tty11
-tty12
-
-tts/0
-ttyS0
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch b/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch
deleted file mode 100644
index 49868ba67c..0000000000
--- a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-CVE-2023-29383.patch
+++ /dev/null
@@ -1,100 +0,0 @@ -From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001 -From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com> -Date: Thu, 23 Mar 2023 23:39:38 +0000 -Subject: [PATCH] Added control character check - -Added control character check, returning -1 (to "err") if control characters are present. ---- - lib/fields.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/lib/fields.c b/lib/fields.c -index 640be931f..fb51b5829 100644 ---- a/lib/fields.c -+++ b/lib/fields.c -@@ -21,9 +21,9 @@ - * - * The supplied field is scanned for non-printable and other illegal - * characters. -- * + -1 is returned if an illegal character is present. -- * + 1 is returned if no illegal characters are present, but the field -- * contains a non-printable character. -+ * + -1 is returned if an illegal or control character is present. -+ * + 1 is returned if no illegal or control characters are present, -+ * but the field contains a non-printable character. - * + 0 is returned otherwise. - */ - int valid_field (const char *field, const char *illegal) -@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal) - } - - if (0 == err) { -- /* Search if there are some non-printable characters */ -+ /* Search if there are non-printable or control characters */ - for (cp = field; '\0' != *cp; cp++) { - if (!isprint (*cp)) { - err = 1; -+ } -+ if (!iscntrl (*cp)) { -+ err = -1; - break; - } - } -From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Fri, 31 Mar 2023 14:46:50 +0200 -Subject: [PATCH] Overhaul valid_field() - -e5905c4b ("Added control character check") introduced checking for -control characters but had the logic inverted, so it rejects all -characters that are not control ones. - -Cast the character to `unsigned char` before passing to the character -checking functions to avoid UB. 
- -Use strpbrk(3) for the illegal character test and return early. ---- - lib/fields.c | 24 ++++++++++-------------- - 1 file changed, 10 insertions(+), 14 deletions(-) - -diff --git a/lib/fields.c b/lib/fields.c -index fb51b5829..539292485 100644 ---- a/lib/fields.c -+++ b/lib/fields.c -@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal) - - /* For each character of field, search if it appears in the list - * of illegal characters. */ -+ if (illegal && NULL != strpbrk (field, illegal)) { -+ return -1; -+ } -+ -+ /* Search if there are non-printable or control characters */ - for (cp = field; '\0' != *cp; cp++) { -- if (strchr (illegal, *cp) != NULL) { -+ unsigned char c = *cp; -+ if (!isprint (c)) { -+ err = 1; -+ } -+ if (iscntrl (c)) { - err = -1; - break; - } - } - -- if (0 == err) { -- /* Search if there are non-printable or control characters */ -- for (cp = field; '\0' != *cp; cp++) { -- if (!isprint (*cp)) { -- err = 1; -- } -- if (!iscntrl (*cp)) { -- err = -1; -- break; -- } -- } -- } -- - return err; - } - diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch b/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch deleted file mode 100644 index 4e703db93a..0000000000 --- a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-configure-clang16.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-https://github.com/shadow-maint/shadow/commit/a281f241b592aec636d1b93a99e764499d68c7ef
-https://github.com/shadow-maint/shadow/pull/595
-
-From a281f241b592aec636d1b93a99e764499d68c7ef Mon Sep 17 00:00:00 2001
-From: Florian Weimer
-Date: Mon, 21 Nov 2022 11:52:45 +0100
-Subject: [PATCH] Fix HAVE_SHADOWGRP configure check
-
-The missing #include causes the configure check to fail
-spuriously, resulting in HAVE_SHADOWGRP not being defined even
-on systems that actually have sgetsgent (such as current glibc).
---- a/configure.ac
-+++ b/configure.ac
-@@ -116,6 +116,10 @@ if test "$ac_cv_header_shadow_h" = "yes"; then
- ac_cv_libc_shadowgrp,
- AC_RUN_IFELSE([AC_LANG_SOURCE([
- #include
-+ #ifdef HAVE_GSHADOW_H
-+ #include
-+ #endif
-+ int
- main()
- {
- struct sgrp *sg = sgetsgent("test:x::");
-
---- a/configure
-+++ b/configure
-@@ -15684,6 +15684,10 @@ else $as_nop
- /* end confdefs.h. */
-
- #include
-+ #ifdef HAVE_GSHADOW_H
-+ #include
-+ #endif
-+ int
- main()
- {
- struct sgrp *sg = sgetsgent("test:x::");
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-password-leak.patch b/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-password-leak.patch
deleted file mode 100644
index 25b5ec39c5..0000000000
--- a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-password-leak.patch
+++ /dev/null
@@ -1,135 +0,0 @@ -https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904 - -From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001 -From: Alejandro Colomar -Date: Sat, 10 Jun 2023 16:20:05 +0200 -Subject: [PATCH] gpasswd(1): Fix password leak - -How to trigger this password leak? -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -When gpasswd(1) asks for the new password, it asks twice (as is usual -for confirming the new password). Each of those 2 password prompts -uses agetpass() to get the password. If the second agetpass() fails, -the first password, which has been copied into the 'static' buffer -'pass' via STRFCPY(), wasn't being zeroed. - -agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and -can fail for any of the following reasons: - -- malloc(3) or readpassphrase(3) failure. - - These are going to be difficult to trigger. Maybe getting the system - to the limits of memory utilization at that exact point, so that the - next malloc(3) gets ENOMEM, and possibly even the OOM is triggered. - About readpassphrase(3), ENFILE and EINTR seem the only plausible - ones, and EINTR probably requires privilege or being the same user; - but I wouldn't discard ENFILE so easily, if a process starts opening - files. - -- The password is longer than PASS_MAX. - - The is plausible with physical access. However, at that point, a - keylogger will be a much simpler attack. - -And, the attacker must be able to know when the second password is being -introduced, which is not going to be easy. - -How to read the password after the leak? -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Provoking the leak yourself at the right point by entering a very long -password is easy, and inspecting the process stack at that point should -be doable. Try to find some consistent patterns. - -Then, search for those patterns in free memory, right after the victim -leaks their password. 
- -Once you get the leak, a program should read all the free memory -searching for patterns that gpasswd(1) leaves nearby the leaked -password. - -On 6/10/23 03:14, Seth Arnold wrote: -> An attacker process wouldn't be able to use malloc(3) for this task. -> There's a handful of tools available for userspace to allocate memory: -> -> - brk / sbrk -> - mmap MAP_ANONYMOUS -> - mmap /dev/zero -> - mmap some other file -> - shm_open -> - shmget -> -> Most of these return only pages of zeros to a process. Using mmap of an -> existing file, you can get some of the contents of the file demand-loaded -> into the memory space on the first use. -> -> The MAP_UNINITIALIZED flag only works if the kernel was compiled with -> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare. -> -> malloc(3) doesn't zero memory, to our collective frustration, but all the -> garbage in the allocations is from previous allocations in the current -> process. It isn't leftover from other processes. -> -> The avenues available for reading the memory: -> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot) -> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA) -> - ptrace (requires ptrace privileges, mediated by YAMA) -> - causing memory to be swapped to disk, and then inspecting the swap -> -> These all require a certain amount of privileges. - -How to fix it? -~~~~~~~~~~~~~ - -memzero(), which internally calls explicit_bzero(3), or whatever -alternative the system provides with a slightly different name, will -make sure that the buffer is zeroed in memory, and optimizations are not -allowed to impede this zeroing. - -This is not really 100% effective, since compilers may place copies of -the string somewhere hidden in the stack. Those copies won't get zeroed -by explicit_bzero(3). However, that's arguably a compiler bug, since -compilers should make everything possible to avoid optimizing strings -that are later passed to explicit_bzero(3). 
But we all know that -sometimes it's impossible to have perfect knowledge in the compiler, so -this is plausible. Nevertheless, there's nothing we can do against such -issues, except minimizing the time such passwords are stored in plain -text. - -Security concerns -~~~~~~~~~~~~~~~~ - -We believe this isn't easy to exploit. Nevertheless, and since the fix -is trivial, this fix should probably be applied soon, and backported to -all supported distributions, to prevent someone else having more -imagination than us to find a way. - -Affected versions -~~~~~~~~~~~~~~~~ - -All. Bug introduced in shadow 19990709. That's the second commit in -the git history. - -Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)") -Reported-by: Alejandro Colomar -Cc: Serge Hallyn -Cc: Iker Pedrosa -Cc: Seth Arnold -Cc: Christian Brauner -Cc: Balint Reczey -Cc: Sam James -Cc: David Runge -Cc: Andreas Jaeger -Cc: <~hallyn/shadow@lists.sr.ht> -Signed-off-by: Alejandro Colomar ---- a/src/gpasswd.c -+++ b/src/gpasswd.c -@@ -898,6 +898,7 @@ static void change_passwd (struct group *gr) - erase_pass (cp); - cp = agetpass (_("Re-enter new password: ")); - if (NULL == cp) { -+ memzero (pass, sizeof pass); - exit (1); - } - diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch b/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch deleted file mode 100644 index 50cbe699d1..0000000000 --- a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/shadow-4.13-usermod-prefix-gid.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -https://bugs.gentoo.org/903083 -https://github.com/shadow-maint/shadow/pull/691 -https://github.com/shadow-maint/shadow/commit/bd2d0079c90241f24671a7946a3ad175dc1a3aeb - -From fcb04de38a0ddc263288a1c450b35bfb1503d523 Mon Sep 17 00:00:00 2001 -From: Mike Gilbert -Date: Sat, 25 Mar 2023 21:16:55 -0400 -Subject: [PATCH] usermod: respect --prefix for --gid option - -The --gid option accepts a group name or id. When a name is provided, it -is resolved to an id by looking up the name in the group database -(/etc/group). - -The --prefix option overides the location of the passwd and group -databases. I suspect the --gid option was overlooked when wiring up the ---prefix option. - -useradd --gid already respects --prefix; this change makes usermod -behave the same way. - -Fixes: b6b2c756c91806b1c3e150ea0ee4721c6cdaf9d0 -Signed-off-by: Mike Gilbert ---- a/src/usermod.c -+++ b/src/usermod.c -@@ -1072,7 +1072,7 @@ static void process_flags (int argc, char **argv) - fflg = true; - break; - case 'g': -- grp = getgr_nam_gid (optarg); -+ grp = prefix_getgr_nam_gid (optarg); - if (NULL == grp) { - fprintf (stderr, - _("%s: group '%s' does not exist\n"), diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf b/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf deleted file mode 100644 index 0acaf6838a..0000000000 --- a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/tmpfiles.d/etc-shadow.conf +++ /dev/null @@ -1,5 +0,0 @@ -L /etc/login.defs - - - - ../usr/share/shadow/login.defs -L /etc/securetty - - - - ../usr/share/shadow/securetty - -d /etc/default - - - - - -L /etc/default/useradd - - - - ../../usr/share/shadow/useradd 
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf b/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf deleted file mode 100644 index 612187d6ae..0000000000 --- a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/files/tmpfiles.d/var-shadow.conf +++ /dev/null @@ -1 +0,0 @@ -f /var/log/faillog - - - - - diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-apps/shadow/metadata.xml index 732ee860c2..dcb8aecd00 100644 --- a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/sys-apps/shadow/metadata.xml @@ -6,7 +6,6 @@ Gentoo Base System - build the bcrypt password encryption algorithm build the su program diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/shadow-4.13-r4.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/shadow/shadow-4.14.8.ebuild similarity index 69% rename from sdk_container/src/third_party/portage-stable/sys-apps/shadow/shadow-4.13-r4.ebuild rename to sdk_container/src/third_party/portage-stable/sys-apps/shadow/shadow-4.14.8.ebuild index 51cecb5afd..364c20cca6 100644 --- a/sdk_container/src/third_party/portage-stable/sys-apps/shadow/shadow-4.13-r4.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-apps/shadow/shadow-4.14.8.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 
@@ -7,11 +7,7 @@ EAPI=8 # official. Don't keyword the pre-releases! # Check https://github.com/shadow-maint/shadow/releases. -# Flatcar: -TMPFILES_OPTIONAL=1 -VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/sergehallyn.asc -# Flatcar: install systemd units and tmpfiles -inherit libtool pam verify-sig systemd tmpfiles +inherit libtool pam verify-sig DESCRIPTION="Utilities to deal with user accounts" HOMEPAGE="https://github.com/shadow-maint/shadow" @@ -21,8 +17,8 @@ SRC_URI+=" verify-sig? ( https://github.com/shadow-maint/shadow/releases/downloa LICENSE="BSD GPL-2" # Subslot is for libsubid's SONAME. SLOT="0/4" -KEYWORDS="~alpha amd64 ~arm arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 ~sparc ~x86" -IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr su xattr" +KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" +IUSE="acl audit cracklib nls pam selinux skey split-usr su systemd xattr" # Taken from the man/Makefile.am file. LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) @@ -40,7 +36,9 @@ COMMON_DEPEND=" >=sys-libs/libselinux-1.28:= sys-libs/libsemanage:= ) + systemd? ( sys-apps/systemd:= ) xattr? ( sys-apps/attr:= ) + !/s:^:#:" \ - "${ED}"/usr/share/shadow/login.defs || die + "${ED}"/etc/login.defs || die else sed -i -r \ -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ - "${ED}"/usr/share/shadow/login.defs + "${ED}"/etc/login.defs fi - local res=$(grep "^${comment}${opt}\>" "${ED}"/usr/share/shadow/login.defs) - einfo "${res:-Unable to find ${opt} in /usr/share/shadow/login.defs}" + local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs) + einfo "${res:-Unable to find ${opt} in /etc/login.defs}" } src_install() { 
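Review bot: In the `@@ -7,11 +7,7 @@` hunk the new side drops the `VERIFY_SIG_OPENPGP_KEY_PATH` assignment together with the Flatcar-only lines but keeps `inherit libtool pam verify-sig`, and none of the visible hunks sets the variable again. The Manifest in this patch still lists `shadow-4.14.8.tar.xz.asc` and the `SRC_URI` line still has a `verify-sig?` branch, so checking the release signature appears to be intended. If the key path is not assigned in a part of the ebuild outside these hunks, a build with USE=verify-sig has no keyring to check the tarball against. Confirm where the key comes from and, if it is missing, keep an assignment ahead of `inherit`, e.g. `VERIFY_SIG_OPENPGP_KEY_PATH=<PLACEHOLDER: keyring path of the 4.14.8 release signer>`.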
@@ -134,43 +129,29 @@ src_install() { find "${ED}" -name '*.la' -type f -delete || die - # Flatcar: - # Remove files from /etc, they will be symlinks to /usr instead. - rm -f "${ED}"/etc/{limits,login.access,login.defs,securetty,default/useradd} - - # CoreOS: break shadow.conf into two files so that we only have to apply - # etc-shadow.conf in the initrd. - dotmpfiles "${FILESDIR}"/tmpfiles.d/etc-shadow.conf - dotmpfiles "${FILESDIR}"/tmpfiles.d/var-shadow.conf - # Package the symlinks for the SDK and containers. - systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/tmpfiles.d/* - - insinto /usr/share/shadow + insinto /etc if ! use pam ; then insopts -m0600 doins etc/login.access etc/limits fi - # Flatcar: - # Using a securetty with devfs device names added - # (compat names kept for non-devfs compatibility) - insopts -m0600 ; doins "${FILESDIR}"/securetty - # Output arch-specific cruft - local devs - case $(tc-arch) in - ppc*) devs="hvc0 hvsi0 ttyPSC0";; - hppa) devs="ttyB0";; - arm) devs="ttyFB0 ttySAC0 ttySAC1 ttySAC2 ttySAC3 ttymxc0 ttymxc1 ttymxc2 ttymxc3 ttyO0 ttyO1 ttyO2";; - sh) devs="ttySC0 ttySC1";; - amd64|x86) devs="hvc0";; - esac - if [[ -n ${devs} ]]; then - printf '%s\n' ${devs} >> "${ED}"/usr/share/shadow/securetty - fi # needed for 'useradd -D' + insinto /etc/default insopts -m0600 doins "${FILESDIR}"/default/useradd + if use split-usr ; then + # move passwd to / to help recover broke systems #64441 + # We cannot simply remove this or else net-misc/scponly + # and other tools will break because of hardcoded passwd + # location + dodir /bin + mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die + dosym ../../bin/passwd /usr/bin/passwd + fi + + cd "${S}" || die + insinto /etc insopts -m0644 newins etc/login.defs login.defs 
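Review bot: After this hunk src_install no longer installs any securetty: the `insopts -m0600 ; doins "${FILESDIR}"/securetty` step and the per-arch device list are removed, and the file itself is deleted earlier in the patch, with nothing on the new side saying why. If the image's login path still consults /etc/securetty (for instance through a `CONSOLE` entry in login.defs or a pam_securetty line, neither visible in this patch), the set of terminals on which root may log in changes with this sync. A one-line comment where the block used to be would record the decision, e.g. `# securetty is intentionally not shipped; root tty policy comes from PAM`, worded to match whatever actually applies. The same hunk also moves login.access, limits, default/useradd and login.defs from /usr/share/shadow back to /etc, so the removed tmpfiles symlinks need an equivalent elsewhere if the image relied on them. src_install begins before and continues past this hunk.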
@@ -224,7 +205,7 @@ src_install() { -e 'b exit' \ -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ -e ': exit' \ - "${ED}"/usr/share/shadow/login.defs || die + "${ED}"/etc/login.defs || die # Remove manpages that pam will install for us # and/or don't apply when using pam @@ -253,6 +234,10 @@ src_install() { newdoc README README.download cd doc || die dodoc HOWTO README* WISHLIST *.txt + + if use elibc_musl; then + QA_CONFIG_IMPL_DECL_SKIP+=( sgetsgent ) + fi } pkg_preinst() {
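Review bot: The `QA_CONFIG_IMPL_DECL_SKIP+=( sgetsgent )` block added by the `@@ -253,6 +234,10 @@` hunk at the end of src_install has no comment explaining why the implicit-declaration QA check is silenced for this symbol on musl. Because it suppresses a check rather than fixing a finding, a short rationale helps the next maintainer judge when it can be dropped, e.g. `# musl does not provide sgetsgent(); the configure probe for it is expected to fail` (presumably the reason; confirm against the upstream ebuild history). The variable is also assigned inside src_install rather than at global scope, so the same comment could say whether that placement is deliberate. Only the tail of src_install is visible in this hunk.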