Re: [PR PATCH] [Updated] shadow: update to 4.14.5.

[dataCobra <dataCobra@users.noreply.github.com>]

[-- Attachment #1: Type: text/plain, Size: 674 bytes --]

There is an updated pull request by dataCobra against master on the void-packages repository

https://github.com/dataCobra/void-packages shadow
https://github.com/void-linux/void-packages/pull/48813

shadow: update to 4.14.5.
#### Testing the changes
- I tested the changes in this PR: **YES**

#### Local build testing
- I built this PR locally for my native architecture, (x86_64-glibc)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
  - x86_64-musl
  - i686

I welcome everyone to test this version. Maybe also on a new installation.

A patch file from https://github.com/void-linux/void-packages/pull/48813.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-shadow-48813.patch --]
[-- Type: text/x-diff, Size: 36524 bytes --]

From 0eb68566b5438528d79dba87ab17bb788bc4510c Mon Sep 17 00:00:00 2001
From: dataCobra <datacobra@thinkbot.de>
Date: Tue, 20 Feb 2024 16:11:21 +0100
Subject: [PATCH] shadow: update to 4.14.5.

---
 common/shlibs                                 |   1 +
 srcpkgs/shadow/files/login.defs               |  87 ---
 ...pt-login.defs-for-PAM-and-util-linux.patch | 721 ++++++++++++++++++
 ...d-Arch-Linux-defaults-for-login.defs.patch |  55 ++
 .../patches/fix-undefined-reference.patch     |  19 +
 .../shadow/patches/shadow-strncpy-usage.patch |  23 -
 srcpkgs/shadow/patches/useradd-defaults.patch |  21 +
 srcpkgs/shadow/patches/xstrdup.patch          |   9 -
 srcpkgs/shadow/template                       |  46 +-
 9 files changed, 843 insertions(+), 139 deletions(-)
 delete mode 100644 srcpkgs/shadow/files/login.defs
 create mode 100644 srcpkgs/shadow/patches/0002-Adapt-login.defs-for-PAM-and-util-linux.patch
 create mode 100644 srcpkgs/shadow/patches/0003-Add-Arch-Linux-defaults-for-login.defs.patch
 create mode 100644 srcpkgs/shadow/patches/fix-undefined-reference.patch
 delete mode 100644 srcpkgs/shadow/patches/shadow-strncpy-usage.patch
 create mode 100644 srcpkgs/shadow/patches/useradd-defaults.patch
 delete mode 100644 srcpkgs/shadow/patches/xstrdup.patch

diff --git a/common/shlibs b/common/shlibs
index 34596bac98f4b5..6bd786075ec1d8 100644
--- a/common/shlibs
+++ b/common/shlibs
@@ -4277,3 +4277,4 @@ libunicode_ucd.so.0.4 libunicode-0.4.0_1
 libunicode_loader.so.0.4 libunicode-0.4.0_1
 force-stage.so.0.1 void-force-stage-0.1_1
 libliftoff.so.0 libliftoff-0.4.1_1
+libsubid.so.4 shadow-4.14.5_1
diff --git a/srcpkgs/shadow/files/login.defs b/srcpkgs/shadow/files/login.defs
deleted file mode 100644
index 350764846af4b0..00000000000000
--- a/srcpkgs/shadow/files/login.defs
+++ /dev/null
@@ -1,87 +0,0 @@
-# Configuration file for login(1). For more information see
-# login.defs(5).
-
-# Directory where mailboxes reside, _or_ name of file, relative to the
-# home directory. If you do define both, MAIL_DIR takes precedence.
-#
-MAIL_DIR 		/var/mail
-#MAIL_FILE 		.mail
-
-# Password aging controls:
-#
-#	PASS_MAX_DAYS	Maximum number of days a password may be used.
-#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
-#	PASS_MIN_LEN	Minimum acceptable password length.
-#	PASS_WARN_AGE	Number of days warning given before a password expires.
-PASS_MAX_DAYS 		99999
-PASS_MIN_DAYS 		0
-PASS_WARN_AGE		7
-
-# Min/max values for automatic uid selection in useradd
-UID_MIN 		1000
-UID_MAX 		60000
-# System accounts
-SYS_UID_MIN 		100
-SYS_UID_MAX 		999
-
-# Min/max values for automatic gid selection in groupadd
-GID_MIN 		1000
-GID_MAX 		60000
-# System accounts
-SYS_GID_MIN		100
-SYS_GID_MAX		999
-
-# If useradd should create home directories for users by default
-CREATE_HOME		yes
-
-# This enables userdel to remove user groups if no members exist.
-USERGROUPS_ENAB		yes
-
-# Disable MOTD_FILE (empty); use pam_motd(8) instead.
-MOTD_FILE
-
-
-# If defined, either full pathname of a file containing device names or
-# a ":" delimited list of device names.  Root logins will be allowed only
-# upon these devices.
-#
-CONSOLE 		/etc/securetty
-
-# Terminal permissions
-#
-#	TTYGROUP	Login tty will be assigned this group ownership.
-#	TTYPERM		Login tty will be set to this permission.
-#
-# If you have a "write" program which is "setgid" to a special group
-# which owns the terminals, define TTYGROUP to the group number and
-# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
-# TTYPERM to either 622 or 600.
-#
-TTYGROUP 		tty
-TTYPERM 		0600
-
-# Login configuration initializations:
-#
-#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
-#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
-#	UMASK		Default "umask" value.
-#
-# The ERASECHAR and KILLCHAR are used only on System V machines.
-# The ULIMIT is used only if the system supports it.
-# (now it works with setrlimit too; ulimit is in 512-byte units)
-#
-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
-#
-ERASECHAR 		0177
-KILLCHAR 		025
-UMASK			022
-HOME_MODE		0700
-
-# Max number of login retries if password is bad
-#
-LOGIN_RETRIES 		5
-
-#
-# Max time in seconds for login
-#
-LOGIN_TIMEOUT 		60
diff --git a/srcpkgs/shadow/patches/0002-Adapt-login.defs-for-PAM-and-util-linux.patch b/srcpkgs/shadow/patches/0002-Adapt-login.defs-for-PAM-and-util-linux.patch
new file mode 100644
index 00000000000000..dc794a7c14591f
--- /dev/null
+++ b/srcpkgs/shadow/patches/0002-Adapt-login.defs-for-PAM-and-util-linux.patch
@@ -0,0 +1,721 @@
+From dcc12b1d2bd612923c6c73d0da92fbe1aefa46b1 Mon Sep 17 00:00:00 2001
+From: David Runge <dvzrv@archlinux.org>
+Date: Mon, 31 Oct 2022 09:45:13 +0100
+Subject: [PATCH 2/3] Adapt login.defs for PAM and util-linux
+
+etc/login.defs:
+Remove unused login.defs options, that are either irrelevant due to the
+use of PAM or because the util-linux version of a binary does not
+support them.
+Modify all options that are ignored when using PAM, but are supported by
+util-linux.
+
+Removed options because they are part of PAMDEFS (options in PAMDEFS are
+options silently ignored by shadow when built with PAM enabled):
+* CHFN_AUTH
+* CRACKLIB_DICTPATH
+* ENV_HZ
+* ENVIRON_FILE
+* ENV_TZ
+* FAILLOG_ENAB
+* FTMP_FILE
+* ISSUE_FILE
+* LASTLOG_ENAB
+* LOGIN_STRING
+* MAIL_CHECK_ENAB
+* NOLOGINS_FILE
+* OBSCURE_CHECKS_ENAB
+* PASS_ALWAYS_WARN
+* PASS_CHANGE_TRIES
+* PASS_MAX_LEN
+* PASS_MIN_LEN
+* PORTTIME_CHECKS_ENAB
+* QUOTAS_ENAB
+* SU_WHEEL_ONLY
+* SYSLOG_SU_ENAB
+* ULIMIT
+
+Removed options because they are not availablbe with PAM enabled:
+* BCRYPT_MIN_ROUNDS
+* BCRYPT_MAX_ROUNDS
+* CONSOLE_GROUPS
+* CONSOLE
+* MD5_CRYPT_ENAB
+* PREVENT_NO_AUTH
+
+Removed encryption methods (`ENCRYPT_METHOD`), because they are unsafe
+or not available with PAM:
+* BCRYPT
+* MD5
+
+Removed options because they are not supported by login from util-linux:
+* ERASECHAR
+* KILLCHAR
+* LOG_OK_LOGINS
+* TTYTYPE_FILE
+
+Removed options because they are not supported by su from util-linux:
+* SULOG_FILE
+* SU_NAME
+
+Adapted options because they are in PAMDEFS but are supported by login
+from util-linux:
+* MOTD_FILE
+
+man/login.defs.5.xml:
+Remove unavailable options from man 5 login.defs.
+---
+ etc/login.defs       | 228 +------------------------------------------
+ man/login.defs.5.xml | 150 +---------------------------
+ 2 files changed, 8 insertions(+), 370 deletions(-)
+
+diff --git a/etc/login.defs b/etc/login.defs
+index 114dbcd9..797ca6b3 100644
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -3,6 +3,8 @@
+ #
+ #	$Id$
+ #
++# NOTE: This file is adapted for the use on Arch Linux!
++#       Unsupported options due to the use of util-linux or PAM are removed.
+ 
+ #
+ # Delay in seconds before being allowed another attempt after a login failure
+@@ -11,26 +13,11 @@
+ #
+ FAIL_DELAY		3
+ 
+-#
+-# Enable logging and display of /var/log/faillog login(1) failure info.
+-#
+-FAILLOG_ENAB		yes
+-
+ #
+ # Enable display of unknown usernames when login(1) failures are recorded.
+ #
+ LOG_UNKFAIL_ENAB	no
+ 
+-#
+-# Enable logging of successful logins
+-#
+-LOG_OK_LOGINS		no
+-
+-#
+-# Enable logging and display of /var/log/lastlog login(1) time info.
+-#
+-LASTLOG_ENAB		yes
+-
+ #
+ # Limit the highest user ID number for which the lastlog entries should
+ # be updated.
+@@ -40,88 +27,13 @@ LASTLOG_ENAB		yes
+ #
+ #LASTLOG_UID_MAX
+ 
+-#
+-# Enable checking and display of mailbox status upon login.
+-#
+-# Disable if the shell startup files already check for mail
+-# ("mailx -e" or equivalent).
+-#
+-MAIL_CHECK_ENAB		yes
+-
+-#
+-# Enable additional checks upon password changes.
+-#
+-OBSCURE_CHECKS_ENAB	yes
+-
+-#
+-# Enable checking of time restrictions specified in /etc/porttime.
+-#
+-PORTTIME_CHECKS_ENAB	yes
+-
+-#
+-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
+-#
+-QUOTAS_ENAB		yes
+-
+-#
+-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
+-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
+-#
+-SYSLOG_SU_ENAB		yes
+-SYSLOG_SG_ENAB		yes
+-
+-#
+-# If defined, either full pathname of a file containing device names or
+-# a ":" delimited list of device names.  Root logins will be allowed only
+-# from these devices.
+-#
+-CONSOLE		/etc/securetty
+-#CONSOLE	console:tty01:tty02:tty03:tty04
+-
+-#
+-# If defined, all su(1) activity is logged to this file.
+-#
+-#SULOG_FILE	/var/log/sulog
+-
+ #
+ # If defined, ":" delimited list of "message of the day" files to
+ # be displayed upon login.
+ #
+-MOTD_FILE	/etc/motd
++MOTD_FILE
+ #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
+ 
+-#
+-# If defined, this file will be output before each login(1) prompt.
+-#
+-#ISSUE_FILE	/etc/issue
+-
+-#
+-# If defined, file which maps tty line to TERM environment parameter.
+-# Each line of the file is in a format similar to "vt100  tty01".
+-#
+-#TTYTYPE_FILE	/etc/ttytype
+-
+-#
+-# If defined, login(1) failures will be logged here in a utmp format.
+-# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
+-#
+-FTMP_FILE	/var/log/btmp
+-
+-#
+-# If defined, name of file whose presence will inhibit non-root
+-# logins.  The content of this file should be a message indicating
+-# why logins are inhibited.
+-#
+-NOLOGINS_FILE	/etc/nologin
+-
+-#
+-# If defined, the command name to display when running "su -".  For
+-# example, if this is defined as "su" then ps(1) will display the
+-# command as "-su".  If not defined, then ps(1) will display the
+-# name of the shell actually being run, e.g. something like "-sh".
+-#
+-SU_NAME		su
+-
+ #
+ # *REQUIRED*
+ #   Directory where mailboxes reside, _or_ name of file, relative to the
+@@ -139,21 +51,6 @@ MAIL_DIR	/var/spool/mail
+ HUSHLOGIN_FILE	.hushlogin
+ #HUSHLOGIN_FILE	/etc/hushlogins
+ 
+-#
+-# If defined, either a TZ environment parameter spec or the
+-# fully-rooted pathname of a file containing such a spec.
+-#
+-#ENV_TZ		TZ=CST6CDT
+-#ENV_TZ		/etc/tzname
+-
+-#
+-# If defined, an HZ environment parameter spec.
+-#
+-# for Linux/x86
+-ENV_HZ		HZ=100
+-# For Linux/Alpha...
+-#ENV_HZ		HZ=1024
+-
+ #
+ # *REQUIRED*  The default PATH settings, for superuser and normal users.
+ #
+@@ -175,23 +72,6 @@ ENV_PATH	PATH=/bin:/usr/bin
+ TTYGROUP	tty
+ TTYPERM		0600
+ 
+-#
+-# Login configuration initializations:
+-#
+-#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+-#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+-#	ULIMIT		Default "ulimit" value.
+-#
+-# The ERASECHAR and KILLCHAR are used only on System V machines.
+-# The ULIMIT is used only if the system supports it.
+-# (now it works with setrlimit too; ulimit is in 512-byte units)
+-#
+-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+-#
+-ERASECHAR	0177
+-KILLCHAR	025
+-#ULIMIT		2097152
+-
+ # Default initial "umask" value used by login(1) on non-PAM enabled systems.
+ # Default "umask" value for pam_umask(8) on PAM enabled systems.
+ # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+@@ -211,27 +91,12 @@ UMASK		022
+ #
+ #	PASS_MAX_DAYS	Maximum number of days a password may be used.
+ #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+-#	PASS_MIN_LEN	Minimum acceptable password length.
+ #	PASS_WARN_AGE	Number of days warning given before a password expires.
+ #
+ PASS_MAX_DAYS	99999
+ PASS_MIN_DAYS	0
+-PASS_MIN_LEN	5
+ PASS_WARN_AGE	7
+ 
+-#
+-# If "yes", the user must be listed as a member of the first gid 0 group
+-# in /etc/group (called "root" on most Linux systems) to be able to "su"
+-# to uid 0 accounts.  If the group doesn't exist or is empty, no one
+-# will be able to "su" to uid 0.
+-#
+-SU_WHEEL_ONLY	no
+-
+-#
+-# If compiled with cracklib support, sets the path to the dictionaries
+-#
+-CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
+-
+ #
+ # Min/max values for automatic uid selection in useradd(8)
+ #
+@@ -268,28 +133,6 @@ LOGIN_RETRIES		5
+ #
+ LOGIN_TIMEOUT		60
+ 
+-#
+-# Maximum number of attempts to change password if rejected (too easy)
+-#
+-PASS_CHANGE_TRIES	5
+-
+-#
+-# Warn about weak passwords (but still allow them) if you are root.
+-#
+-PASS_ALWAYS_WARN	yes
+-
+-#
+-# Number of significant characters in the password for crypt().
+-# Default is 8, don't change unless your crypt() is better.
+-# Ignored if MD5_CRYPT_ENAB set to "yes".
+-#
+-#PASS_MAX_LEN		8
+-
+-#
+-# Require password before chfn(1)/chsh(1) can make any changes.
+-#
+-CHFN_AUTH		yes
+-
+ #
+ # Which fields may be changed by regular users using chfn(1) - use
+ # any combination of letters "frwh" (full name, room number, work
+@@ -298,38 +141,13 @@ CHFN_AUTH		yes
+ #
+ CHFN_RESTRICT		rwh
+ 
+-#
+-# Password prompt (%s will be replaced by user name).
+-#
+-# XXX - it doesn't work correctly yet, for now leave it commented out
+-# to use the default which is just "Password: ".
+-#LOGIN_STRING		"%s's Password: "
+-
+-#
+-# Only works if compiled with MD5_CRYPT defined:
+-# If set to "yes", new passwords will be encrypted using the MD5-based
+-# algorithm compatible with the one used by recent releases of FreeBSD.
+-# It supports passwords of unlimited length and longer salt strings.
+-# Set to "no" if you need to copy encrypted passwords to other systems
+-# which don't understand the new algorithm.  Default is "no".
+-#
+-# Note: If you use PAM, it is recommended to use a value consistent with
+-# the PAM modules configuration.
+-#
+-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
+-#
+-#MD5_CRYPT_ENAB	no
+-
+ #
+ # Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+-# If set to MD5, MD5-based algorithm will be used for encrypting password
+ # If set to SHA256, SHA256-based algorithm will be used for encrypting password
+ # If set to SHA512, SHA512-based algorithm will be used for encrypting password
+-# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+ # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+ # If set to DES, DES-based algorithm will be used for encrypting password (default)
+ # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
+-# Overrides the MD5_CRYPT_ENAB option
+ #
+ # Note: If you use PAM, it is recommended to use a value consistent with
+ # the PAM modules configuration.
+@@ -353,21 +171,6 @@ CHFN_RESTRICT		rwh
+ #SHA_CRYPT_MIN_ROUNDS 5000
+ #SHA_CRYPT_MAX_ROUNDS 5000
+ 
+-#
+-# Only works if ENCRYPT_METHOD is set to BCRYPT.
+-#
+-# Define the number of BCRYPT rounds.
+-# With a lot of rounds, it is more difficult to brute-force the password.
+-# However, more CPU resources will be needed to authenticate users if
+-# this value is increased.
+-#
+-# If not specified, 13 rounds will be attempted.
+-# If only one of the MIN or MAX values is set, then this value will be used.
+-# If MIN > MAX, the highest value will be used.
+-#
+-#BCRYPT_MIN_ROUNDS 13
+-#BCRYPT_MAX_ROUNDS 13
+-
+ #
+ # Only works if ENCRYPT_METHOD is set to YESCRYPT.
+ #
+@@ -381,17 +184,6 @@ CHFN_RESTRICT		rwh
+ #
+ #YESCRYPT_COST_FACTOR 5
+ 
+-#
+-# List of groups to add to the user's supplementary group set
+-# when logging in from the console (as determined by the CONSOLE
+-# setting).  Default is none.
+-#
+-# Use with caution - it is possible for users to gain permanent
+-# access to these groups, even when not logged in from the console.
+-# How to do it is left as an exercise for the reader...
+-#
+-#CONSOLE_GROUPS		floppy:audio:cdrom
+-
+ #
+ # Should login be allowed if we can't cd to the home directory?
+ # Default is no.
+@@ -406,12 +198,6 @@ DEFAULT_HOME	yes
+ #
+ NONEXISTENT	/nonexistent
+ 
+-#
+-# If this file exists and is readable, login environment will be
+-# read from it.  Every line should be in the form name=value.
+-#
+-ENVIRON_FILE	/etc/environment
+-
+ #
+ # If defined, this command is run when removing a user.
+ # It should remove any at/cron/print jobs etc. owned by
+@@ -459,14 +245,6 @@ USERGROUPS_ENAB yes
+ #
+ #GRANT_AUX_GROUP_SUBIDS yes
+ 
+-#
+-# Prevents an empty password field to be interpreted as "no authentication
+-# required".
+-# Set to "yes" to prevent for all accounts
+-# Set to "superuser" to prevent for UID 0 / root (default)
+-# Set to "no" to not prevent for any account (dangerous, historical default)
+-PREVENT_NO_AUTH superuser
+-
+ #
+ # Select the HMAC cryptography algorithm.
+ # Used in pam_timestamp module to calculate the keyed-hash message
+diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml
+index ab62fa86..d82c47f1 100644
+--- a/man/login.defs.5.xml
++++ b/man/login.defs.5.xml
+@@ -7,69 +7,38 @@
+ -->
+ <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN" 
+   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+-<!ENTITY CHFN_AUTH             SYSTEM "login.defs.d/CHFN_AUTH.xml">
+ <!ENTITY CHFN_RESTRICT         SYSTEM "login.defs.d/CHFN_RESTRICT.xml">
+-<!ENTITY CHSH_AUTH             SYSTEM "login.defs.d/CHSH_AUTH.xml">
+-<!ENTITY CONSOLE               SYSTEM "login.defs.d/CONSOLE.xml">
+-<!ENTITY CONSOLE_GROUPS        SYSTEM "login.defs.d/CONSOLE_GROUPS.xml">
+ <!ENTITY CREATE_HOME           SYSTEM "login.defs.d/CREATE_HOME.xml">
+ <!ENTITY DEFAULT_HOME          SYSTEM "login.defs.d/DEFAULT_HOME.xml">
+ <!ENTITY ENCRYPT_METHOD        SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
+-<!ENTITY ENV_HZ                SYSTEM "login.defs.d/ENV_HZ.xml">
+ <!ENTITY ENV_PATH              SYSTEM "login.defs.d/ENV_PATH.xml">
+ <!ENTITY ENV_SUPATH            SYSTEM "login.defs.d/ENV_SUPATH.xml">
+-<!ENTITY ENV_TZ                SYSTEM "login.defs.d/ENV_TZ.xml">
+-<!ENTITY ENVIRON_FILE          SYSTEM "login.defs.d/ENVIRON_FILE.xml">
+-<!ENTITY ERASECHAR             SYSTEM "login.defs.d/ERASECHAR.xml">
+ <!ENTITY FAIL_DELAY            SYSTEM "login.defs.d/FAIL_DELAY.xml">
+-<!ENTITY FAILLOG_ENAB          SYSTEM "login.defs.d/FAILLOG_ENAB.xml">
+-<!ENTITY FAKE_SHELL            SYSTEM "login.defs.d/FAKE_SHELL.xml">
+-<!ENTITY FTMP_FILE             SYSTEM "login.defs.d/FTMP_FILE.xml">
+ <!ENTITY GID_MAX               SYSTEM "login.defs.d/GID_MAX.xml">
+ <!ENTITY HMAC_CRYPTO_ALGO      SYSTEM "login.defs.d/HMAC_CRYPTO_ALGO.xml">
+ <!ENTITY HOME_MODE             SYSTEM "login.defs.d/HOME_MODE.xml">
+ <!ENTITY HUSHLOGIN_FILE        SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
+-<!ENTITY ISSUE_FILE            SYSTEM "login.defs.d/ISSUE_FILE.xml">
+-<!ENTITY KILLCHAR              SYSTEM "login.defs.d/KILLCHAR.xml">
+-<!ENTITY LASTLOG_ENAB          SYSTEM "login.defs.d/LASTLOG_ENAB.xml">
+ <!ENTITY LASTLOG_UID_MAX       SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
+-<!ENTITY LOG_OK_LOGINS         SYSTEM "login.defs.d/LOG_OK_LOGINS.xml">
+ <!ENTITY LOG_UNKFAIL_ENAB      SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml">
+ <!ENTITY LOGIN_RETRIES         SYSTEM "login.defs.d/LOGIN_RETRIES.xml">
+-<!ENTITY LOGIN_STRING          SYSTEM "login.defs.d/LOGIN_STRING.xml">
+ <!ENTITY LOGIN_TIMEOUT         SYSTEM "login.defs.d/LOGIN_TIMEOUT.xml">
+-<!ENTITY MAIL_CHECK_ENAB       SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml">
+ <!ENTITY MAIL_DIR              SYSTEM "login.defs.d/MAIL_DIR.xml">
+ <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
+-<!ENTITY MD5_CRYPT_ENAB        SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
+ <!ENTITY MOTD_FILE             SYSTEM "login.defs.d/MOTD_FILE.xml">
+-<!ENTITY NOLOGINS_FILE         SYSTEM "login.defs.d/NOLOGINS_FILE.xml">
+ <!ENTITY NONEXISTENT           SYSTEM "login.defs.d/NONEXISTENT.xml">
+-<!ENTITY OBSCURE_CHECKS_ENAB   SYSTEM "login.defs.d/OBSCURE_CHECKS_ENAB.xml">
+-<!ENTITY PASS_ALWAYS_WARN      SYSTEM "login.defs.d/PASS_ALWAYS_WARN.xml">
+-<!ENTITY PASS_CHANGE_TRIES     SYSTEM "login.defs.d/PASS_CHANGE_TRIES.xml">
+-<!ENTITY PASS_MAX_LEN          SYSTEM "login.defs.d/PASS_MAX_LEN.xml">
+ <!ENTITY PASS_MAX_DAYS         SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
+ <!ENTITY PASS_MIN_DAYS         SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
+ <!ENTITY PASS_WARN_AGE         SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
+-<!ENTITY PORTTIME_CHECKS_ENAB  SYSTEM "login.defs.d/PORTTIME_CHECKS_ENAB.xml">
+-<!ENTITY QUOTAS_ENAB           SYSTEM "login.defs.d/QUOTAS_ENAB.xml">
+ <!ENTITY SHA_CRYPT_MIN_ROUNDS  SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
+-<!ENTITY SULOG_FILE            SYSTEM "login.defs.d/SULOG_FILE.xml">
+-<!ENTITY SU_NAME               SYSTEM "login.defs.d/SU_NAME.xml">
+-<!ENTITY SU_WHEEL_ONLY         SYSTEM "login.defs.d/SU_WHEEL_ONLY.xml">
+ <!ENTITY SUB_GID_COUNT         SYSTEM "login.defs.d/SUB_GID_COUNT.xml">
+ <!ENTITY SUB_UID_COUNT         SYSTEM "login.defs.d/SUB_UID_COUNT.xml">
+ <!ENTITY SYS_GID_MAX           SYSTEM "login.defs.d/SYS_GID_MAX.xml">
+ <!ENTITY SYSLOG_SG_ENAB        SYSTEM "login.defs.d/SYSLOG_SG_ENAB.xml">
+-<!ENTITY SYSLOG_SU_ENAB        SYSTEM "login.defs.d/SYSLOG_SU_ENAB.xml">
+ <!ENTITY SYS_UID_MAX           SYSTEM "login.defs.d/SYS_UID_MAX.xml">
+ <!ENTITY TCB_AUTH_GROUP        SYSTEM "login.defs.d/TCB_AUTH_GROUP.xml">
+ <!ENTITY TCB_SYMLINKS          SYSTEM "login.defs.d/TCB_SYMLINKS.xml">
+ <!ENTITY TTYGROUP              SYSTEM "login.defs.d/TTYGROUP.xml">
+-<!ENTITY TTYTYPE_FILE          SYSTEM "login.defs.d/TTYTYPE_FILE.xml">
+ <!ENTITY UID_MAX               SYSTEM "login.defs.d/UID_MAX.xml">
+-<!ENTITY ULIMIT                SYSTEM "login.defs.d/ULIMIT.xml">
+ <!ENTITY UMASK                 SYSTEM "login.defs.d/UMASK.xml">
+ <!ENTITY USERDEL_CMD           SYSTEM "login.defs.d/USERDEL_CMD.xml">
+ <!ENTITY USERGROUPS_ENAB       SYSTEM "login.defs.d/USERGROUPS_ENAB.xml">
+@@ -145,47 +114,25 @@
+     <para>The following configuration items are provided:</para>
+ 
+     <variablelist remap='IP'>
+-      &CHFN_AUTH;
+       &CHFN_RESTRICT;
+-      &CHSH_AUTH;
+-      &CONSOLE;
+-      &CONSOLE_GROUPS;
+       &CREATE_HOME;
+       &DEFAULT_HOME;
+       &ENCRYPT_METHOD;
+-      &ENV_HZ;
+       &ENV_PATH;
+       &ENV_SUPATH;
+-      &ENV_TZ;
+-      &ENVIRON_FILE;
+-      &ERASECHAR;
+       &FAIL_DELAY;
+-      &FAILLOG_ENAB;
+-      &FAKE_SHELL;
+-      &FTMP_FILE;
+       &GID_MAX; <!-- documents also GID_MIN -->
+       &HMAC_CRYPTO_ALGO;
+       &HOME_MODE;
+       &HUSHLOGIN_FILE;
+-      &ISSUE_FILE;
+-      &KILLCHAR;
+-      &LASTLOG_ENAB;
+       &LASTLOG_UID_MAX;
+-      &LOG_OK_LOGINS;
+       &LOG_UNKFAIL_ENAB;
+       &LOGIN_RETRIES;
+-      &LOGIN_STRING;
+       &LOGIN_TIMEOUT;
+-      &MAIL_CHECK_ENAB;
+       &MAIL_DIR;
+       &MAX_MEMBERS_PER_GROUP;
+-      &MD5_CRYPT_ENAB;
+       &MOTD_FILE;
+-      &NOLOGINS_FILE;
+       &NONEXISTENT;
+-      &OBSCURE_CHECKS_ENAB;
+-      &PASS_ALWAYS_WARN;
+-      &PASS_CHANGE_TRIES;
+       &PASS_MAX_DAYS;
+       &PASS_MIN_DAYS;
+       &PASS_WARN_AGE;
+@@ -195,25 +142,16 @@
+         time of account creation. Any changes to these settings won't affect
+         existing accounts.
+       </para>
+-      &PASS_MAX_LEN; <!-- documents also PASS_MIN_LEN -->
+-      &PORTTIME_CHECKS_ENAB;
+-      &QUOTAS_ENAB;
+       &SHA_CRYPT_MIN_ROUNDS; <!-- documents also SHA_CRYPT_MAX_ROUNDS -->
+-      &SULOG_FILE;
+-      &SU_NAME;
+-      &SU_WHEEL_ONLY;
+       &SUB_GID_COUNT; <!-- documents also SUB_GID_MIN SUB_GID_MAX -->
+       &SUB_UID_COUNT; <!-- documents also SUB_UID_MIN SUB_UID_MAX -->
+       &SYS_GID_MAX; <!-- documents also SYS_GID_MIN -->
+       &SYS_UID_MAX; <!-- documents also SYS_UID_MIN -->
+       &SYSLOG_SG_ENAB;
+-      &SYSLOG_SU_ENAB;
+       &TCB_AUTH_GROUP;
+       &TCB_SYMLINKS;
+       &TTYGROUP;
+-      &TTYTYPE_FILE;
+       &UID_MAX; <!-- documents also UID_MIN -->
+-      &ULIMIT;
+       &UMASK;
+       &USERDEL_CMD;
+       &USERGROUPS_ENAB;
+@@ -239,9 +177,7 @@
+ 	<term>chfn</term>
+ 	<listitem>
+ 	  <para>
+-	    <phrase condition="no_pam">CHFN_AUTH</phrase>
+ 	    CHFN_RESTRICT
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -249,7 +185,7 @@
+ 	<term>chgpasswd</term>
+ 	<listitem>
+ 	  <para>
+-	    ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
++	    ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP
+ 	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+ 	    SHA_CRYPT_MIN_ROUNDS</phrase>
+ 	  </para>
+@@ -259,8 +195,6 @@
+ 	<term>chpasswd</term>
+ 	<listitem>
+ 	  <para>
+-	    <phrase condition="no_pam">ENCRYPT_METHOD
+-	    MD5_CRYPT_ENAB </phrase>
+ 	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+ 	    SHA_CRYPT_MIN_ROUNDS</phrase>
+ 	  </para>
+@@ -270,7 +204,7 @@
+ 	<term>chsh</term>
+ 	<listitem>
+ 	  <para>
+-	    CHSH_AUTH LOGIN_STRING
++	    CHSH_AUTH
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+@@ -280,7 +214,7 @@
+ 	<term>gpasswd</term>
+ 	<listitem>
+ 	  <para>
+-	    ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
++	    ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP
+ 	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+ 	    SHA_CRYPT_MIN_ROUNDS</phrase>
+ 	  </para>
+@@ -339,35 +273,6 @@
+ 	  <para>LASTLOG_UID_MAX</para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>login</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENV_PATH ENV_SUPATH
+-	    ENV_TZ ENVIRON_FILE</phrase>
+-	    ERASECHAR FAIL_DELAY
+-	    <phrase condition="no_pam">FAILLOG_ENAB</phrase>
+-	    FAKE_SHELL
+-	    <phrase condition="no_pam">FTMP_FILE</phrase>
+-	    HUSHLOGIN_FILE
+-	    <phrase condition="no_pam">ISSUE_FILE</phrase>
+-	    KILLCHAR
+-	    <phrase condition="no_pam">LASTLOG_ENAB LASTLOG_UID_MAX</phrase>
+-	    LOGIN_RETRIES
+-	    <phrase condition="no_pam">LOGIN_STRING</phrase>
+-	    LOGIN_TIMEOUT LOG_OK_LOGINS LOG_UNKFAIL_ENAB
+-	    <phrase condition="no_pam">MAIL_CHECK_ENAB MAIL_DIR MAIL_FILE
+-	    MOTD_FILE NOLOGINS_FILE PORTTIME_CHECKS_ENAB
+-	    QUOTAS_ENAB</phrase>
+-	    TTYGROUP TTYPERM TTYTYPE_FILE
+-	    <phrase condition="no_pam">ULIMIT UMASK</phrase>
+-	    USERGROUPS_ENAB
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <!-- logoutd: no variables -->
+       <varlistentry>
+ 	<term>newgrp / sg</term>
+ 	<listitem>
+@@ -382,7 +287,7 @@
+ 	  <para>
+ 	    ENCRYPT_METHOD
+ 	    GID_MAX GID_MIN
+-	    MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
++	    MAX_MEMBERS_PER_GROUP
+ 	    HOME_MODE
+ 	    PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
+ 	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+@@ -399,8 +304,7 @@
+ 	<term>passwd</term>
+ 	<listitem>
+ 	  <para>
+-	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
+-	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
++	    ENCRYPT_METHOD
+ 	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
+ 	    SHA_CRYPT_MIN_ROUNDS</phrase>
+ 	  </para>
+@@ -432,32 +336,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>su</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="no_pam">CONSOLE</phrase>
+-	    CONSOLE_GROUPS DEFAULT_HOME
+-	    <phrase condition="no_pam">ENV_HZ ENVIRON_FILE</phrase>
+-	    ENV_PATH ENV_SUPATH
+-	    <phrase condition="no_pam">ENV_TZ LOGIN_STRING MAIL_CHECK_ENAB
+-	    MAIL_DIR MAIL_FILE QUOTAS_ENAB</phrase>
+-	    SULOG_FILE SU_NAME
+-	    <phrase condition="no_pam">SU_WHEEL_ONLY</phrase>
+-	    SYSLOG_SU_ENAB
+-	    <phrase condition="no_pam">USERGROUPS_ENAB</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry>
+-	<term>sulogin</term>
+-	<listitem>
+-	  <para>
+-	    ENV_HZ
+-	    <phrase condition="no_pam">ENV_TZ</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+       <varlistentry>
+ 	<term>useradd</term>
+ 	<listitem>
+@@ -486,24 +364,6 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
+-      <varlistentry>
+-	<term>usermod</term>
+-	<listitem>
+-	  <para>
+-	    LASTLOG_UID_MAX
+-	    MAIL_DIR MAIL_FILE MAX_MEMBERS_PER_GROUP
+-	    <phrase condition="tcb">TCB_SYMLINKS USE_TCB</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+-      <varlistentry condition="tcb">
+-	<term>vipw</term>
+-	<listitem>
+-	  <para>
+-	    <phrase condition="tcb">USE_TCB</phrase>
+-	  </para>
+-	</listitem>
+-      </varlistentry>
+     </variablelist>
+   </refsect1>
+ 
+-- 
+2.43.2
+
diff --git a/srcpkgs/shadow/patches/0003-Add-Arch-Linux-defaults-for-login.defs.patch b/srcpkgs/shadow/patches/0003-Add-Arch-Linux-defaults-for-login.defs.patch
new file mode 100644
index 00000000000000..e8b5885d1250bf
--- /dev/null
+++ b/srcpkgs/shadow/patches/0003-Add-Arch-Linux-defaults-for-login.defs.patch
@@ -0,0 +1,55 @@
+From 7eb2d0b9eff128c404ef7a6d07aa597ac9ca2d84 Mon Sep 17 00:00:00 2001
+From: David Runge <dvzrv@archlinux.org>
+Date: Mon, 31 Oct 2022 10:10:22 +0100
+Subject: [PATCH 3/3] Add Arch Linux defaults for login.defs
+
+etc/login.defs:
+- Change `ENV_SUPATH` and `ENV_SUPATH` to only use
+  /usr/local/sbin:/usr/local/bin:/usr/bin as Arch Linux is a /usr and
+  bin merge distribution.
+- Set `HOME_MODE` to `0700` to be able to rely on a `UMASK` of `022`
+  while creating home directories in a privacy conserving manner.
+- Change SYS_UID_MIN and SYS_GID_MIN to 500 which gives more space for
+  distribution added UIDs and GIDs of system users.
+- Change ENCRYPT_METHOD to YESCRYPT as it is a safer hashing algorithm
+  than DES.
+---
+ etc/login.defs | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/etc/login.defs b/etc/login.defs
+index 797ca6b3..c4accbf8 100644
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -55,8 +55,8 @@ HUSHLOGIN_FILE	.hushlogin
+ # *REQUIRED*  The default PATH settings, for superuser and normal users.
+ #
+ # (they are minimal, add the rest in the shell startup files)
+-ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
+-ENV_PATH	PATH=/bin:/usr/bin
++ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
++ENV_PATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+ 
+ #
+ # Terminal permissions
+@@ -84,7 +84,7 @@ UMASK		022
+ # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+ # home directories.
+ # If HOME_MODE is not set, the value of UMASK is used to create the mode.
+-#HOME_MODE	0700
++HOME_MODE	0700
+ 
+ #
+ # Password aging controls:
+@@ -152,7 +152,7 @@ CHFN_RESTRICT		rwh
+ # Note: If you use PAM, it is recommended to use a value consistent with
+ # the PAM modules configuration.
+ #
+-#ENCRYPT_METHOD DES
++ENCRYPT_METHOD YESCRYPT
+ 
+ #
+ # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+-- 
+2.43.2
+
diff --git a/srcpkgs/shadow/patches/fix-undefined-reference.patch b/srcpkgs/shadow/patches/fix-undefined-reference.patch
new file mode 100644
index 00000000000000..4a3e742b9837b7
--- /dev/null
+++ b/srcpkgs/shadow/patches/fix-undefined-reference.patch
@@ -0,0 +1,19 @@
+--- a/lib/alloc.h
++++ b/lib/alloc.h
+@@ -84,14 +84,14 @@
+ }
+ 
+ 
+-inline void *
++static inline void *
+ mallocarray(size_t nmemb, size_t size)
+ {
+ 	return reallocarray(NULL, nmemb, size);
+ }
+ 
+ 
+-inline void *
++static inline void *
+ reallocarrayf(void *p, size_t nmemb, size_t size)
+ {
+ 	void  *q;
diff --git a/srcpkgs/shadow/patches/shadow-strncpy-usage.patch b/srcpkgs/shadow/patches/shadow-strncpy-usage.patch
deleted file mode 100644
index c5564fffdc3852..00000000000000
--- a/srcpkgs/shadow/patches/shadow-strncpy-usage.patch
+++ /dev/null
@@ -1,23 +0,0 @@
---- a/src/usermod.c	2012-02-13 08:19:43.792146449 -0500
-+++ b/src/usermod.c	2012-02-13 08:21:19.375114500 -0500
-@@ -182,7 +182,7 @@
-	struct tm *tp;
-
-	if (date < 0) {
--		strncpy (buf, "never", maxsize);
-+		strncpy (buf, "never", maxsize - 1);
-	} else {
-		time_t t = (time_t) date;
-		tp = gmtime (&t);
---- a/src/login.c	2012-02-13 08:19:50.951994454 -0500
-+++ b/src/login.c	2012-02-13 08:21:04.490430937 -0500
-@@ -752,7 +752,8 @@
- 			          _("%s login: "), hostn);
- 		} else {
- 			strncpy (loginprompt, _("login: "),
--			         sizeof (loginprompt));
-+			         sizeof (loginprompt) - 1);
-+			loginprompt[sizeof (loginprompt) - 1] = '\0';
- 		}
- 
- 		retcode = pam_set_item (pamh, PAM_USER_PROMPT, loginprompt);
diff --git a/srcpkgs/shadow/patches/useradd-defaults.patch b/srcpkgs/shadow/patches/useradd-defaults.patch
new file mode 100644
index 00000000000000..38035df40cfcab
--- /dev/null
+++ b/srcpkgs/shadow/patches/useradd-defaults.patch
@@ -0,0 +1,21 @@
+diff --git a/src/useradd.c b/src/useradd.c
+index 677ea5a636f..49f55211a17 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -87,14 +87,14 @@ const char *Prog;
+ /*
+  * These defaults are used if there is no defaults file.
+  */
+-static gid_t def_group = 1000;
++static gid_t def_group = 100;
+ static const char *def_groups = "";
+ static const char *def_gname = "other";
+ static const char *def_home = "/home";
+ static const char *def_shell = "/bin/bash";
+ static const char *def_template = SKEL_DIR;
+ static const char *def_usrtemplate = USRSKELDIR;
+-static const char *def_create_mail_spool = "yes";
++static const char *def_create_mail_spool = "no";
+ static const char *def_log_init = "yes";
+
+ static long def_inactive = -1;
diff --git a/srcpkgs/shadow/patches/xstrdup.patch b/srcpkgs/shadow/patches/xstrdup.patch
deleted file mode 100644
index 562febcf4164f1..00000000000000
--- a/srcpkgs/shadow/patches/xstrdup.patch
+++ /dev/null
@@ -1,9 +0,0 @@
---- a/libmisc/xmalloc.c	2008-08-30 21:55:44.000000000 -0500
-+++ b/libmisc/xmalloc.c.new	2008-08-30 21:55:36.000000000 -0500
-@@ -61,5 +61,6 @@
- 
- char *xstrdup (const char *str)
- {
-+	if(str == NULL) return NULL;
- 	return strcpy (xmalloc (strlen (str) + 1), str);
- }
diff --git a/srcpkgs/shadow/template b/srcpkgs/shadow/template
index c7ece33540c9a0..c7cdec783bf7a8 100644
--- a/srcpkgs/shadow/template
+++ b/srcpkgs/shadow/template
@@ -1,23 +1,35 @@
 # Template file for 'shadow'
 pkgname=shadow
-version=4.8.1
-revision=3
+version=4.14.5
+revision=1
 build_style=gnu-configure
-configure_args="--bindir=/usr/bin --sbindir=/usr/bin
- --enable-shared --disable-static
- --with-libpam --without-selinux --with-acl --with-attr --without-su
- --disable-nls --enable-subordinate-ids --disable-account-tools-setuid
+configure_args="--bindir=/usr/bin --sbindir=/usr/bin --libdir=/usr/lib
+ --enable-shared --disable-static --enable-lastlog --with-libpam --with-yescrypt
+ --without-selinux --with-acl --with-attr --without-su --disable-nls
+ --enable-subordinate-ids --disable-account-tools-setuid
  --with-group-name-max-length=32"
-hostmakedepends="libtool"
-makedepends="acl-devel pam-devel"
+hostmakedepends="libtool pkg-config"
+makedepends="acl-devel pam-devel libbsd-devel"
 depends="pam"
 short_desc="Shadow password file utilities"
 maintainer="Enno Boland <gottox@voidlinux.org>"
 license="BSD-3-Clause"
 homepage="https://github.com/shadow-maint/shadow"
 distfiles="${homepage}/releases/download/${version}/shadow-${version}.tar.xz"
-checksum=a3ad4630bdc41372f02a647278a8c3514844295d36eefe68ece6c3a641c1ae62
-conf_files="/etc/pam.d/* /etc/default/* /etc/login.defs"
+checksum=cba74bc7b05d89c015afe23131f9159ece38779d40a8af4cf162852e6e85ca23
+conf_files="
+ /etc/pam.d/chage
+ /etc/pam.d/chgpasswd
+ /etc/pam.d/chpasswd
+ /etc/pam.d/groupadd
+ /etc/pam.d/groupdel
+ /etc/pam.d/groupmems
+ /etc/pam.d/groupmod
+ /etc/pam.d/newusers
+ /etc/pam.d/passwd
+ /etc/pam.d/useradd
+ /etc/pam.d/userdel
+ /etc/pam.d/usermod"
 
 if [ "$XBPS_TARGET_LIBC" = "glibc" ]; then
 	makedepends+=" libxcrypt-devel"
@@ -32,14 +44,16 @@ pre_configure() {
 
 do_build() {
 	# Don't install groups(1), we use the one from coreutils.
-	sed -i 's/groups$(EXEEXT) //' src/Makefile
-	for f in $(find man -name Makefile); do
+	sed -i 's/groups$(EXEEXT) //' src/Makefile.in
+	for f in $(find man -name Makefile.in); do
 		sed -i 's/groups\.1 / /' $f
 	done
 	make ${makejobs}
 }
 
 post_install() {
+	make -C man DESTDIR="$DESTDIR" install-man
+
 	mv ${DESTDIR}/usr/sbin/* ${DESTDIR}/usr/bin
 
 	# Install our pam files not the ones supplied with shadow.
@@ -51,14 +65,6 @@ post_install() {
 		 groupmod newusers useradd userdel usermod; do
 		install -m644 $DESTDIR/etc/pam.d/chage $DESTDIR/etc/pam.d/${f}
 	done
-	install -m644 ${FILESDIR}/login.defs ${DESTDIR}/etc
-
-	# Disable creating mailbox files by default.
-	sed -i -e 's/yes/no/' $DESTDIR/etc/default/useradd
-	# Change default group to the users gid (100).
-	sed -i -e 's/^\(GROUP\)=\(.*\)$/\1=100/' ${DESTDIR}/etc/default/useradd
-
-	chmod 644 ${DESTDIR}/etc/default/useradd
 
 	# Install the cron daily job.
 	install -Dm744 ${FILESDIR}/shadow.cron-daily \