Tue Apr 5 14:26:38 UTC 2011

17 files changed, 832 insertions, 0 deletions

diff --git a/core/shadow/PKGBUILD b/core/shadow/PKGBUILD
new file mode 100644
index 000000000..738acfdf9
--- /dev/null
+++ b/core/shadow/PKGBUILD
@@ -0,0 +1,98 @@
+# $Id: PKGBUILD 111984 2011-03-02 21:59:18Z eric $
+# Maintainer: Aaron Griffin <aaron@archlinux.org>
+
+pkgname=shadow
+pkgver=4.1.4.3
+pkgrel=1
+pkgdesc="Shadow password file utilities"
+arch=('i686' 'x86_64')
+url='http://pkg-shadow.alioth.debian.org/'
+license=('custom')
+groups=('base')
+depends=('bash' 'pam')
+backup=(etc/login.defs
+        etc/pam.d/{chage,login,passwd,shadow,useradd,usermod,userdel}
+        etc/pam.d/{chpasswd,newusers,groupadd,groupdel,groupmod}
+        etc/pam.d/{chfn,chgpasswd,groupmems,chsh}
+        etc/default/useradd)
+options=('!libtool')
+install=shadow.install
+source=(ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-$pkgver.tar.bz2
+        useradd.defaults login passwd chgpasswd chpasswd newusers defaults.pam
+	login.defs adduser shadow.cron.daily xstrdup.patch shadow-4.1.4.2-groupmod-pam-check.patch)
+md5sums=('b8608d8294ac88974f27b20f991c0e79' 'beb64d09256ea46a4d96a783f096447f'\
+         'bf137fac19884d71dc55c24b6d08e16c' 'b84204ab731bd02dca49d0637d44ebec'\
+         '65e9ebce249a5b9ed021e2790452b9e1' '453a98456b297d2a69ca7e9b5f40d10b'\
+         '453a98456b297d2a69ca7e9b5f40d10b' 'a31374fef2cba0ca34dfc7078e2969e4'\
+         'fad9a7116366f7775b1099290be840da' '6ce67e423ee19c87ae64f661310b2408'\
+         '1d64b4113e1d402746d9dd65f28a2c6f' '0eebe9d13065bec4b5d7ccf3bf46c509'\
+         '7b747f7dca38b0b6e8ee56434378baae')
+sha1sums=('ad9b85b5531ce8e68f4695efc4ac53ba7266269e' '9ae93de5987dd0ae428f0cc1a5a5a5cd53583f19'\
+         '0b2d98a0ee3bfde8551ade48d4d35cc20ec702a1' '6f183bc7709b0a8d20ad17481a4ad025cf6e5056'\
+         '4ad0e059406a305c8640ed30d93c2a1f62c2f4ad' 'd66096ed9477bd7242e8d2cc28eaa23170269788'\
+         'd66096ed9477bd7242e8d2cc28eaa23170269788' '0e56fed7fc93572c6bf0d8f3b099166558bb46f1'\
+         'fceb6defbf959f9bee5598e89378a49297968d1a' '78ec184a499f9708adcfcf0b7a3b22a60bf39f91'\
+         '5d83ba7e11c765c951867cbe00b0ae7ff57148fa' '6010fffeed1fc6673ad9875492e1193b1a847b53'\
+         '5823f38c0085b27e7e4327ab17ecc13563a43650')
+
+build() {
+  cd "$srcdir/$pkgname-$pkgver"
+
+  #Ugh, force this to build shared libraries, for god's sake
+  sed -i "s/noinst_LTLIBRARIES/lib_LTLIBRARIES/g" lib/Makefile.am
+  libtoolize
+  autoreconf
+  export LDFLAGS="$LDFLAGS -lcrypt"
+
+  patch -Np1 -i "$srcdir/xstrdup.patch"
+  patch -Np1 -i "$srcdir/shadow-4.1.4.2-groupmod-pam-check.patch"
+
+  # supress etc/pam.d/*, we provide our own
+  sed -i '/^SUBDIRS/s/pam.d//' etc/Makefile.in
+
+  ./configure \
+    --prefix=/usr --libdir=/lib \
+    --mandir=/usr/share/man --sysconfdir=/etc \
+    --enable-shared --disable-static \
+    --with-libpam --without-selinux
+  make
+}
+
+package() {
+  cd "$srcdir/$pkgname-$pkgver"
+  make DESTDIR="$pkgdir" install
+
+  # license
+  install -Dm644 COPYING "$pkgdir/usr/share/licenses/shadow/COPYING"
+
+  # interactive useradd
+  install -Dm755 "$srcdir/adduser" "$pkgdir/usr/sbin/adduser"
+
+  # useradd defaults
+  install -Dm644 "$srcdir/useradd.defaults" "$pkgdir/etc/default/useradd"
+
+  # cron job
+  install -Dm744 "$srcdir/shadow.cron.daily" "$pkgdir/etc/cron.daily/shadow"
+
+  # login.defs
+  install -Dm644 "$srcdir/login.defs" "$pkgdir/etc/login.defs"
+
+  # PAM config - cutsom
+  install -Dm644 "$srcdir/login" "$pkgdir/etc/pam.d/login"
+  install -Dm644 "$srcdir/passwd" "$pkgdir/etc/pam.d/passwd"
+  install -Dm644 "$srcdir/chgpasswd" "$pkgdir/etc/pam.d/chgpasswd"
+  install -Dm644 "$srcdir/chpasswd" "$pkgdir/etc/pam.d/chpasswd"
+  install -Dm644 "$srcdir/newusers" "$pkgdir/etc/pam.d/newusers"
+  # PAM config - from tarball
+  install -Dm644 etc/pam.d/groupmems "$pkgdir/etc/pam.d/groupmems"
+
+  # we use the 'useradd' PAM file for other similar utilities
+  for file in chage chfn chsh groupadd groupdel groupmod shadow \
+      useradd usermod userdel; do
+    install -Dm644 "$srcdir/defaults.pam" "$pkgdir/etc/pam.d/$file"
+  done
+
+  # Remove su - using su from coreutils instead
+  rm -v "$pkgdir/bin/su"
+  find "$pkgdir/usr/share/man" -name 'su.1' -exec rm -v {} \;
+}
diff --git a/core/shadow/adduser b/core/shadow/adduser
new file mode 100644
index 000000000..a5d7fd4fa
--- /dev/null
+++ b/core/shadow/adduser
@@ -0,0 +1,399 @@
+#!/bin/bash
+#
+# Copyright 1995  Hrvoje Dogan, Croatia.
+# Copyright 2002, 2003, 2004  Stuart Winter, West Midlands, England, UK.
+# Copyright 2004  Slackware Linux, Inc., Concord, CA, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+#  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+#  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO
+#  EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+#  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+#  OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+#  OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+#  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#
+##########################################################################
+# Program: /usr/sbin/adduser
+# Purpose: Interactive front end to /usr/sbin/useradd for Slackware Linux
+# Author : Stuart Winter <stuart@polplex.co.uk>
+#          Based on the original Slackware adduser by Hrvoje Dogan
+#          with modifications by Patrick Volkerding
+# Version: 1.09
+##########################################################################
+# Usage..: adduser [<new_user_name>]
+##########################################################################
+# History #
+###########
+# v1.09 - 07/06/04 
+#       * Added standard Slackware script licence to the head of this file.
+# v1.08 - 25/04/04
+#       * Disallow user names that begin with a numeric because useradd 
+#         (from shadow v4.03) does not allow them. <sw>
+# v1.07 - 07/03/03
+#       * When supplying a null string for the uid (meaning 'Choose next available'), 
+#         if there were file names in the range 'a-z' in the pwd then the 
+#         egrep command considered these files rather than the null string. 
+#         The egrep expression is now in quotes.  
+#         Reported & fixed by Vadim O. Ustiansky <sw>
+# v1.06 - 31/03/03
+#       * Ask to chown user.group the home directory if it already exists.
+#         This helps reduce later confusion when adding users whose home dir
+#         already exists (mounted partition for example) and is owned
+#         by a user other than the user to which the directory is being
+#         assigned as home.  Default is not to chown.
+#         Brought to my attention by mRgOBLIN. <sw>
+# v1.05 - 04/01/03
+#       * Advise & prevent users from creating logins with '.' characters
+#         in the user name. <sw>
+#       * Made pending account creation info look neater <sw>
+# v1.04 - 09/06/02
+#       * Catered for shadow-4.0.3's 'useradd' binary that no longer
+#         will let you create a user that has any uppercase chars in it
+#         This was reported on the userlocal.org forums
+#         by 'xcp' - thanks. <sw,pjv>
+# v1.03 - 20/05/02
+#       * Support 'broken' (null lines in) /etc/passwd and 
+#         /etc/group files <sw>       
+#       * For recycling UIDs (default still 'off'), we now look in 
+#         /etc/login.defs for the UID_MIN value and use it
+#         If not found then default to 1000 <sw>
+# v1.02 - 10/04/02
+#       * Fix user-specified UID bug. <pjv>
+# v1.01 - 23/03/02
+#       * Match Slackware indenting style, simplify. <pjv>
+# v1.00 - 22/03/02
+#       * Created
+#######################################################################
+
+# Path to files
+pfile=/etc/passwd
+gfile=/etc/group
+sfile=/etc/shells
+
+# Paths to binaries
+useradd=/usr/sbin/useradd
+chfn=/usr/bin/chfn
+passwd=/usr/bin/passwd
+
+# Defaults
+defhome=/home
+defshell=/bin/bash
+defgroup=users
+
+# Determine what the minimum UID is (for UID recycling)
+# (we ignore it if it's not at the beginning of the line (i.e. commented out with #))
+export recycleUIDMIN="$(grep ^UID_MIN /etc/login.defs | awk '{print $2}' 2>/dev/null)"
+# If we couldn't find it, set it to the default of 1000
+if [ -z "$recycleUIDMIN" ]; then
+   export recycleUIDMIN=1000  # this is the default from Slackware's /etc/login.defs
+fi
+
+
+# This setting enables the 'recycling' of older unused UIDs.
+# When you userdel a user, it removes it from passwd and shadow but it will
+# never get used again unless you specify it expliticly -- useradd (appears to) just
+# look at the last line in passwd and increment the uid.  I like the idea of 
+# recycling uids but you may have very good reasons not to (old forgotten
+# confidential files still on the system could then be owned by this new user).
+# We'll set this to no because this is what the original adduser shell script
+# did and it's what users expect.
+recycleuids=no
+
+# Function to read keyboard input.
+# bash1 is broken (even ash will take read -ep!), so we work around
+# it (even though bash1 is no longer supported on Slackware).
+function get_input() { 
+  local output
+  if [ "`echo $BASH_VERSION | cut -b1`" = "1" ]; then
+    echo -n "${1} " >&2 # fudge for use with bash v1
+    read output
+  else # this should work with any other /bin/sh
+    read -ep "${1} " output
+  fi
+  echo $output
+}
+
+# Function to display the account info
+function display () {
+  local goose
+  goose="$(echo $2 | cut -d ' ' -f 2-)"  # lop off the prefixed argument useradd needs
+  echo -n "$1 "
+  # If it's null then display the 'other' information
+  if [ -z "$goose" -a ! -z "$3" ]; then 
+    echo "$3" 
+  else 
+    echo "$goose" 
+  fi
+}
+
+# Function to check whether groups exist in the /etc/group file
+function check_group () {
+  local got_error group
+  if [ ! -z "$@" ]; then  
+  for group in $@ ; do
+    local uid_not_named="" uid_not_num=""
+    grep -v "$^" $gfile | awk -F: '{print $1}' | grep "^${group}$" >/dev/null 2>&1 || uid_not_named=yes  
+    grep -v "$^" $gfile | awk -F: '{print $3}' | grep "^${group}$" >/dev/null 2>&1 || uid_not_num=yes
+    if [ ! -z "$uid_not_named" -a ! -z "$uid_not_num" ]; then
+      echo "- Group '$group' does not exist"
+      got_error=yes
+    fi
+  done
+  fi
+  # Return exit code of 1 if at least one of the groups didn't exist
+  if [ ! -z "$got_error" ]; then
+    return 1
+  fi
+}   
+
+#: Read the login name for the new user :#
+#
+# Remember that most Mail Transfer Agents are case independant, so having
+# 'uSer' and 'user' may cause confusion/things to break.  Because of this,
+# useradd from shadow-4.0.3 no longer accepts usernames containing uppercase,
+# and we must reject them, too.
+
+# Set the login variable to the command line param
+echo
+LOGIN="$1"
+needinput=yes
+while [ ! -z $needinput ]; do
+  if [ -z "$LOGIN" ]; then 
+    while [ -z "$LOGIN" ]; do LOGIN="$(get_input "Login name for new user []:")" ; done
+  fi
+  grep "^${LOGIN}:" $pfile >/dev/null 2>&1  # ensure it's not already used
+  if [ $? -eq 0 ]; then
+    echo "- User '$LOGIN' already exists; please choose another"
+    unset LOGIN
+  elif [ ! -z "$( echo $LOGIN | grep "^[0-9]" )" ]; then
+    echo "- User names cannot begin with a number; please choose another"
+    unset LOGIN
+  elif [ ! "$LOGIN" = "`echo $LOGIN | tr A-Z a-z`" ]; then # useradd does not allow uppercase
+    echo "- User '$LOGIN' contains illegal characters (uppercase); please choose another"
+    unset LOGIN
+  elif [ ! -z "$( echo $LOGIN | grep '\.' )" ]; then
+    echo "- User '$LOGIN' contains illegal characters (period/dot); please choose another"
+    unset LOGIN
+  else
+    unset needinput
+  fi
+done
+
+# Display the user name passed from the shell if it hasn't changed
+if [ "$1" = "$LOGIN" ]; then
+  echo "Login name for new user: $LOGIN"
+fi
+
+#: Get the UID for the user & ensure it's not already in use :#
+#
+# Whilst we _can_ allow users with identical UIDs, it's not a 'good thing' because
+# when you change password for the uid, it finds the first match in /etc/passwd 
+# which isn't necessarily the correct user
+#
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+  _UID="$(get_input "User ID ('UID') [ defaults to next available ]:")"
+  grep -v "^$" $pfile | awk -F: '{print $3}' | grep "^${_UID}$" >/dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    echo "- That UID is already in use; please choose another"
+  elif [ ! -z "$(echo $_UID | egrep '[A-Za-z]')" ]; then
+    echo "- UIDs are numerics only"         
+  else
+    unset needinput
+  fi
+done
+# If we were given a UID, then syntax up the variable to pass to useradd
+if [ ! -z "$_UID" ]; then 
+  U_ID="-u ${_UID}"
+else
+  # Will we be recycling UIDs?
+  if [ "$recycleuids" = "yes" ]; then
+    U_ID="-u $(awk -F: '{uid[$3]=1} END { for (i=ENVIRON["recycleUIDMIN"];i in uid;i++);print i}' $pfile)"
+  fi   
+fi
+
+#: Get the initial group for the user & ensure it exists :#
+#
+# We check /etc/group for both the text version and the group ID number 
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+  GID="$(get_input "Initial group [ ${defgroup} ]:")"
+  check_group "$GID"
+  if [ $? -gt 0 ]; then
+    echo "- Please choose another"
+  else
+    unset needinput 
+  fi
+done
+# Syntax the variable ready for useradd
+if [ -z "$GID" ]; then
+  GID="-g ${defgroup}"
+else
+  GID="-g ${GID}"
+fi
+
+#: Get additional groups for the user :#
+#
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+  AGID="$(get_input "Additional groups (comma separated) []:")"
+  AGID="$(echo "$AGID" | tr -d ' ' | tr , ' ')" # fix up for parsing 
+  if [ ! -z "$AGID" ]; then
+    check_group "$AGID"  # check all groups at once (treated as N # of params)
+    if [ $? -gt 0 ]; then
+      echo "- Please re-enter the group(s)"
+    else
+      unset needinput # we found all groups specified
+      AGID="-G $(echo "$AGID" | tr ' ' ,)"
+    fi
+  else
+    unset needinput   # we don't *have* to have additional groups
+  fi
+done
+
+#: Get the new user's home dir :#
+#       
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+  HME="$(get_input "Home directory [ ${defhome}/${LOGIN} ]")"
+  if [ -z "$HME" ]; then
+    HME="${defhome}/${LOGIN}"
+  fi 
+  # Warn the user if the home dir already exists
+  if [ -d "$HME" ]; then
+    echo "- Warning: '$HME' already exists !"
+    getyn="$(get_input "  Do you wish to change the home directory path ? (Y/n) ")"
+    if [ "$(echo $getyn | grep -i "n")" ]; then
+      unset needinput
+      # You're most likely going to only do this if you have the dir *mounted* for this user's $HOME
+      getyn="$(get_input "  Do you want to chown $LOGIN.$( echo $GID | awk '{print $2}') $HME ? (y/N) ")"
+      if [ "$(echo $getyn | grep -i "y")" ]; then
+         CHOWNHOMEDIR=$HME # set this to the home directory
+      fi
+    fi
+  else
+    unset needinput
+  fi
+done           
+HME="-d ${HME}"  
+    
+#: Get the new user's shell :#
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+  unset got_error
+  SHL="$(get_input "Shell [ ${defshell} ]")"
+  if [ -z "$SHL" ]; then
+    SHL="${defshell}"
+  fi 
+  # Warn the user if the shell doesn't exist in /etc/shells or as a file
+  if [ -z "$(grep "^${SHL}$" $sfile)" ]; then
+    echo "- Warning: ${SHL} is not in ${sfile} (potential problem using FTP)"
+    got_error=yes
+  fi
+  if [ ! -f "$SHL" ]; then
+    echo "- Warning: ${SHL} does not exist as a file"
+    got_error=yes
+  fi
+  if [ ! -z "$got_error" ]; then
+    getyn="$(get_input "  Do you wish to change the shell ? (Y/n) ")"
+    if [ "$(echo $getyn | grep -i "n")" ]; then
+      unset needinput
+    fi
+  else
+    unset needinput
+  fi
+done           
+SHL="-s ${SHL}"
+
+#: Get the expiry date :#
+echo
+needinput=yes
+while [ ! -z "$needinput" ]; do
+  EXP="$(get_input "Expiry date (YYYY-MM-DD) []:")"
+  if [ ! -z "$EXP" ]; then
+    # Check to see whether the expiry date is in the valid format
+    if [ -z "$(echo "$EXP" | grep "^[[:digit:]]\{4\}[-]\?[[:digit:]]\{2\}[-]\?[[:digit:]]\{2\}$")" ]; then
+      echo "- That is not a valid expiration date"
+    else
+      unset needinput 
+      EXP="-e ${EXP}" 
+    fi
+  else
+    unset needinput
+  fi
+done
+
+# Display the info about the new impending account
+echo
+echo "New account will be created as follows:"
+echo
+echo "---------------------------------------"
+display "Login name.......: " "$LOGIN"
+display "UID..............: " "$_UID" "[ Next available ]"
+display "Initial group....: " "$GID"
+display "Additional groups: " "$AGID" "[ None ]"
+display "Home directory...: " "$HME"
+display "Shell............: " "$SHL"
+display "Expiry date......: " "$EXP" "[ Never ]"
+echo
+
+echo "This is it... if you want to bail out, hit Control-C.  Otherwise, press"
+echo "ENTER to go ahead and make the account."
+read junk
+
+echo
+echo "Creating new account..."
+echo
+echo
+
+# Add the account to the system
+CMD="$useradd "$HME" -m "$EXP" "$U_ID" "$GID" "$AGID" "$SHL" "$LOGIN""
+$CMD
+
+if [ $? -gt 0 ]; then
+  echo "- Error running useradd command -- account not created!"
+  echo "(cmd: $CMD)"
+  exit 1
+fi
+
+# chown the home dir ?  We can only do this once the useradd has
+# completed otherwise the user name doesn't exist.
+if [ ! -z "${CHOWNHOMEDIR}" ]; then
+  chown "$LOGIN"."$( echo $GID | awk '{print $2}')" "${CHOWNHOMEDIR}"
+fi
+
+# Set the finger information
+$chfn "$LOGIN"
+if [ $? -gt 0 ]; then
+  echo "- Warning: an error occurred while setting finger information"
+fi
+
+# Set a password
+$passwd "$LOGIN"
+if [ $? -gt 0 ]; then
+  echo "* WARNING: An error occured while setting the password for"
+  echo "           this account.  Please manually investigate this *"
+  exit 1
+fi
+
+echo
+echo
+echo "Account setup complete."
+exit 0
+
diff --git a/core/shadow/chage b/core/shadow/chage
new file mode 100644
index 000000000..a7bf8a4a5
--- /dev/null
+++ b/core/shadow/chage
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so
+password	required	pam_permit.so
diff --git a/core/shadow/chgpasswd b/core/shadow/chgpasswd
new file mode 100644
index 000000000..8f49f5cc8
--- /dev/null
+++ b/core/shadow/chgpasswd
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
diff --git a/core/shadow/chpasswd b/core/shadow/chpasswd
new file mode 100644
index 000000000..bc14857dc
--- /dev/null
+++ b/core/shadow/chpasswd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so
+password 	required 	pam_unix.so md5 shadow
diff --git a/core/shadow/chsh b/core/shadow/chsh
new file mode 100644
index 000000000..a7bf8a4a5
--- /dev/null
+++ b/core/shadow/chsh
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so
+password	required	pam_permit.so
diff --git a/core/shadow/defaults.pam b/core/shadow/defaults.pam
new file mode 100644
index 000000000..a7bf8a4a5
--- /dev/null
+++ b/core/shadow/defaults.pam
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so
+password	required	pam_permit.so
diff --git a/core/shadow/login b/core/shadow/login
new file mode 100644
index 000000000..51ff96a4a
--- /dev/null
+++ b/core/shadow/login
@@ -0,0 +1,20 @@
+#%PAM-1.0
+auth		required	pam_securetty.so
+auth		requisite	pam_nologin.so
+auth		required	pam_unix.so nullok
+auth		required	pam_tally.so onerr=succeed file=/var/log/faillog
+# use this to lockout accounts for 10 minutes after 3 failed attempts
+#auth		required	pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
+account		required	pam_access.so
+account		required	pam_time.so
+account		required	pam_unix.so
+#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
+#password	required	pam_unix.so md5 shadow use_authtok
+session		required	pam_unix.so
+session		required	pam_env.so
+session		required	pam_motd.so
+session		required	pam_limits.so
+session		optional	pam_mail.so dir=/var/spool/mail standard
+session		optional	pam_lastlog.so
+session		optional	pam_loginuid.so
+-session	optional	pam_ck_connector.so nox11
diff --git a/core/shadow/login.defs b/core/shadow/login.defs
new file mode 100644
index 000000000..653e14e4f
--- /dev/null
+++ b/core/shadow/login.defs
@@ -0,0 +1,218 @@
+#
+# /etc/login.defs - Configuration control definitions for the login package.
+#
+# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
+# If unspecified, some arbitrary (and possibly incorrect) value will
+# be assumed.  All other items are optional - if not specified then
+# the described action or option will be inhibited.
+#
+# Comment lines (lines beginning with "#") and blank lines are ignored.
+#
+# Modified for Linux.  --marekm
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+#
+FAIL_DELAY		3
+
+#
+# Enable display of unknown usernames when login failures are recorded.
+#
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# Enable "syslog" logging of su activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp and sg.
+#
+SYSLOG_SU_ENAB		yes
+SYSLOG_SG_ENAB		yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names.  Root logins will be allowed only
+# upon these devices.
+#
+CONSOLE		/etc/securetty
+#CONSOLE	console:tty01:tty02:tty03:tty04
+
+#
+# If defined, all su activity is logged to this file.
+#
+#SULOG_FILE	/var/log/sulog
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format something like "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, the command name to display when running "su -".  For
+# example, if this is defined as "su" then a "ps" will display the
+# command is "-su".  If not defined, then "ps" would display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME		su
+
+#
+# *REQUIRED*
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
+#   QMAIL_DIR is for Qmail
+#
+#QMAIL_DIR	Maildir
+MAIL_DIR	/var/spool/mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ENV_PATH	PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+# If you have a "write" program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP to the group number and
+# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
+# TTYPERM to either 622 or 600.
+#
+TTYGROUP	tty
+TTYPERM		0600
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#	UMASK		Default "umask" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# The ULIMIT is used only if the system supports it.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR	0177
+KILLCHAR	025
+UMASK		077
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+SYS_UID_MIN		  500
+SYS_UID_MAX		  999
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+SYS_GID_MIN		  500
+SYS_GID_MAX		  999
+
+#
+# Max number of login retries if password is bad
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login
+#
+LOGIN_TIMEOUT		60
+
+#
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+# 
+CHFN_RESTRICT		rwh
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting).  Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+#CONSOLE_GROUPS		floppy:audio:cdrom
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
+#
+DEFAULT_HOME	yes
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# When prompting for password without echo, getpass() can optionally
+# display a random number (in the range 1 to GETPASS_ASTERISKS) of '*'
+# characters for each character typed.  This feature is designed to
+# confuse people looking over your shoulder when you enter a password :-).
+# Also, the new getpass() accepts both Backspace (8) and Delete (127)
+# keys to delete previous character (to cope with different terminal
+# types), Control-U to delete all characters, and beeps when there are
+# no more characters to delete, or too many characters entered.
+#
+# Setting GETPASS_ASTERISKS to 1 results in more traditional behaviour -
+# exactly one '*' displayed for each character typed.
+#
+# Setting GETPASS_ASTERISKS to 0 disables the '*' characters (Backspace,
+# Delete, Control-U and beep continue to work as described above).
+#
+# Setting GETPASS_ASTERISKS to -1 reverts to the traditional getpass()
+# without any new features.  This is the default.
+#
+#GETPASS_ASTERISKS 1
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
diff --git a/core/shadow/newusers b/core/shadow/newusers
new file mode 100644
index 000000000..bc14857dc
--- /dev/null
+++ b/core/shadow/newusers
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so
+password 	required 	pam_unix.so md5 shadow
diff --git a/core/shadow/passwd b/core/shadow/passwd
new file mode 100644
index 000000000..1ffd1bdd8
--- /dev/null
+++ b/core/shadow/passwd
@@ -0,0 +1,4 @@
+#%PAM-1.0
+#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
+#password	required	pam_unix.so md5 shadow use_authtok
+password	required	pam_unix.so md5 shadow nullok
diff --git a/core/shadow/shadow b/core/shadow/shadow
new file mode 100644
index 000000000..a7bf8a4a5
--- /dev/null
+++ b/core/shadow/shadow
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so
+password	required	pam_permit.so
diff --git a/core/shadow/shadow-4.1.4.2-groupmod-pam-check.patch b/core/shadow/shadow-4.1.4.2-groupmod-pam-check.patch
new file mode 100644
index 000000000..f25c4e10f
--- /dev/null
+++ b/core/shadow/shadow-4.1.4.2-groupmod-pam-check.patch
@@ -0,0 +1,21 @@
+http://bugs.gentoo.org/300790
+http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2009-November/007850.html
+
+2009-11-05  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, src/groupmod.c: Fixed groupmod when configured with
+	--enable-account-tools-setuid.
+
+diff --git a/src/groupmod.c b/src/groupmod.c
+index 4205df2..da6d77f 100644
+--- a/src/groupmod.c
++++ b/src/groupmod.c
+@@ -724,7 +724,7 @@ int main (int argc, char **argv)
+ 	{
+ 		struct passwd *pampw;
+ 		pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
+-		if (NULL == pamh) {
++		if (NULL == pampw) {
+ 			fprintf (stderr,
+ 			         _("%s: Cannot determine your user name.\n"),
+ 			         Prog);
diff --git a/core/shadow/shadow.cron.daily b/core/shadow/shadow.cron.daily
new file mode 100755
index 000000000..1931a793e
--- /dev/null
+++ b/core/shadow/shadow.cron.daily
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# Verify integrity of password and group files
+/usr/sbin/pwck -r
+/usr/sbin/grpck -r
+
diff --git a/core/shadow/shadow.install b/core/shadow/shadow.install
new file mode 100644
index 000000000..c1bd1066b
--- /dev/null
+++ b/core/shadow/shadow.install
@@ -0,0 +1,8 @@
+post_upgrade() {
+  grpck -r &>/dev/null
+  if [ $? -eq 2 ]; then
+    echo "Fixing gshadow file ..."
+    while :; do echo "y"; done | grpck &>/dev/null
+  fi
+  return 0
+}
diff --git a/core/shadow/useradd.defaults b/core/shadow/useradd.defaults
new file mode 100644
index 000000000..b800b1777
--- /dev/null
+++ b/core/shadow/useradd.defaults
@@ -0,0 +1,9 @@
+# useradd defaults file for ArchLinux
+# original changes by TomK
+GROUP=100
+HOME=/home
+INACTIVE=-1
+EXPIRE=
+SHELL=/bin/bash
+SKEL=/etc/skel
+CREATE_MAIL_SPOOL=no
diff --git a/core/shadow/xstrdup.patch b/core/shadow/xstrdup.patch
new file mode 100644
index 000000000..bce434264
--- /dev/null
+++ b/core/shadow/xstrdup.patch
@@ -0,0 +1,9 @@
+--- shadow-4.1.2.1/libmisc/xmalloc.c	2008-08-30 21:55:44.000000000 -0500
++++ shadow-4.1.2.1/libmisc/xmalloc.c.new	2008-08-30 21:55:36.000000000 -0500
+@@ -61,5 +61,6 @@
+ 
+ char *xstrdup (const char *str)
+ {
++	if(str == NULL) return NULL;
+ 	return strcpy (xmalloc (strlen (str) + 1), str);
+ }