Re: [OE-core] [PATCH 6/9] shadow: update 4.8.1 -> 4.9

2021-08-04 Thread Mark Hatle


On 8/4/21 1:13 PM, Khem Raj wrote:
> 
> 
> On 8/4/21 3:12 AM, Alexander Kanavin wrote:
>> Yes, plaintext passwords can no longer be there, which is a good thing 
>> I'd say? The hashed/salted passwords can still be provided through the 
>> same class, but this needs to be documented, and perhaps tested too.
>>
> 
> It's perhaps fine to discourage plaintext password setting, but it is a 
> user visible feature as it seems. So the documentation should change for 
> sure to not use it and it should also go into migration guide since it 
> has a potential of tripping a lot of folks. I think documenting the 
> intent to move away from plaintext is urgent, then the question is if
> we want to first deprecate it or delete this option all in one go.

We SHOULD discourage users from any hardcoded passwords!  But, there is little
to no functional difference between specifying a plain text or salted password,
but there is a HUGE developer/user difference in behavior.

So, if we have a way to set a default password for any account, then we really
do need a way to have a plaintext password specified.

From a security perspective, there is no advantage between a salted or plain
text password.  (Salted passwords can always be reversed through tables, etc!)

If the current implementation of the plain text passwords is not "secure" due to
bad salts, hash types, etc., then let's fix that and move to a more secure style.

If it is decided to remove the -P option for plain text passwords, then we need
to document for the user HOW to generate password hashes.  And if we're showing
them how to do it, it SHOULD be trivial to find a way to do the same thing
_using the build system_.

For example

useradd -P 'foobar' user

to

hash=$(echo 'foobar' | openssl passwd -1 -salt mysalt -stdin)
useradd -p "$hash" user


or

hash=$(python -c "import crypt; print(crypt.crypt('foobar'))")
useradd -p "$hash" user


or




but the point is, we SHOULD discourage _ANY_ hard coded passwords, not just
plain text.  However if a user wants to do this, the system should assist the
user in setting a password into their environment.

--Mark


>> Alex
>>
>> On Wed, 4 Aug 2021 at 10:39, Yi Zhao wrote:
>>
>>
>> On 7/30/21 7:45 PM, Alexander Kanavin wrote:
>>> Add a couple backports to fix builds.
>>>
>>> Drop 0002-Allow-for-setting-password-in-clear-text.patch;
>>> what it adds is horribly insecure and AB testing didn't reveal any
>>> regressions or use cases for it.
>>
>> Dropping this patch makes the password setting function in
>> extrausers.bbclass unavailable:
>> https://docs.yoctoproject.org/singleindex.html#extrausers-bbclass
>> 
>>
>>
>> //Yi
>>
>>
>>> Drop /etc/default/ tweaks as files are no longer installed there.
>>>
>>> Drop manpage alternatives as manpages are no longer installed.
>>>
>>> Signed-off-by: Alexander Kanavin  
>>> 
>>> ---
>>>   ...01-Disable-use-of-syslog-for-sysroot.patch |  29 +-
>>>   ...builds-with-respect-to-libsubid-incl.patch | 114 +++
>>>   .../0001-libsubid-link-to-PAM-libraries.patch |  31 ++
>>>   ...w-for-setting-password-in-clear-text.patch | 301 --
>>>   ...nexpected-open-failure-in-chroot-env.patch |   6 +-
>>>   meta/recipes-extended/shadow/shadow.inc   |  21 +-
>>>   .../shadow/{shadow_4.8.1.bb    
>>> =>shadow_4.9.bb  } |   0
>>>   7 files changed, 167 insertions(+), 335 deletions(-)
>>>   create mode 100644 
>>> meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
>>>   create mode 100644 
>>> meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch
>>>   delete mode 100644 
>>> meta/recipes-extended/shadow/files/0002-Allow-for-setting-password-in-clear-text.patch
>>>   rename meta/recipes-extended/shadow/{shadow_4.8.1.bb  
>>>   =>shadow_4.9.bb  } (100%)
>>>
>>> diff --git 
>>> a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
>>>  
>>> b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
>>> index ab317b9aa0..95728bcd3f 100644
>>> --- 
>>> a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
>>> +++ 
>>> b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
>>> @@ -1,4 +1,4 @@
>>> -From fa2d9453656641002802d8165e80adb9e6a729d2 Mon Sep 17 00:00:00 2001
>>> +From 30a3906a0a21120fa6bbc918b6258ab9303fbeaa Mon Sep 17 00:00:00 2001
>>>   From: Scott Garman  
>>> 
>>>   Date: Thu, 14 Apr 2016 12:28:57 +0200
>>>   Subject: [PATCH] Disable use of syslog for sysroot
>>> @@ -19,12 +19,12 @@ Signed-off-by: Chen Qi  
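
A check that a migration note for the `-P` removal discussed above could ship, as an added example that is not part of the thread or of OE-core: it flags `-P` clear-text usage in a `;`-separated list of account commands and reports the crypt scheme of each `-p` hash. The function names, the list format and the sample values are assumptions made for illustration; `make_hash` assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: function names and sample values are constructed for illustration.

# Print the crypt(3) scheme implied by a hash prefix; anything else is "unknown".
hash_scheme() {
    case "$1" in
        '$6$'*) echo sha512 ;;
        '$5$'*) echo sha256 ;;
        '$1$'*) echo md5 ;;
        *)      echo unknown ;;
    esac
}

# Read a password on stdin, print a SHA-512 crypt hash with a random salt.
# Assumes OpenSSL 1.1.1 or newer ("-6"); "-1" as quoted in the thread is MD5-crypt.
make_hash() {
    openssl passwd -6 -stdin
}

# Classify one account command. Prints "cleartext" for -P, "ok:<scheme>" or
# "review:<scheme>" for a -p hash, and "none" when no password option is given.
audit_cmd() {
    prev=''
    set -f                                # no globbing while splitting words
    for word in $1; do
        if [ "$word" = "-P" ]; then
            set +f; echo cleartext; return 0
        fi
        if [ "$prev" = "-p" ]; then
            set +f
            # Strip quotes and backslash escapes; crypt hashes never contain them.
            scheme=$(hash_scheme "$(printf '%s' "$word" | tr -d "'\"\\\\")")
            case "$scheme" in
                sha512|sha256) echo "ok:$scheme" ;;
                *)             echo "review:$scheme" ;;
            esac
            return 0
        fi
        prev=$word
    done
    set +f
    echo none
}

# Audit a ';'-separated command list. Prints "<verdict><TAB><command>" per
# command and returns 1 if any command is not "ok" or "none".
audit_params() {
    rc=0
    old_ifs=$IFS
    IFS=';'; set -f
    set -- $1                             # one positional parameter per command
    IFS=$old_ifs; set +f
    for cmd in "$@"; do
        verdict=$(audit_cmd "$cmd")
        printf '%s\t%s\n' "$verdict" "$cmd"
        case "$verdict" in
            none|ok:*) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample in the style of a ';'-separated account command list.
SAMPLE="useradd -P 'foobar' alice; useradd -p '\$1\$mysalt\$constructedhash' bob; groupadd dev"
audit_params "$SAMPLE" || echo "password settings need review"
```
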

Re: [OE-core] [PATCH 6/9] shadow: update 4.8.1 -> 4.9

2021-08-04 Thread Khem Raj



On 8/4/21 3:12 AM, Alexander Kanavin wrote:
Yes, plaintext passwords can no longer be there, which is a good thing 
I'd say? The hashed/salted passwords can still be provided through the 
same class, but this needs to be documented, and perhaps tested too.




It's perhaps fine to discourage plaintext password setting, but it is a 
user visible feature as it seems. So the documentation should change for 
sure to not use it and it should also go into migration guide since it 
has a potential of tripping a lot of folks. I think documenting the 
intent to move away from plaintext is urgent, then the question is if
we want to first deprecate it or delete this option all in one go.


Alex

On Wed, 4 Aug 2021 at 10:39, Yi Zhao wrote:



On 7/30/21 7:45 PM, Alexander Kanavin wrote:

Add a couple backports to fix builds.

Drop 0002-Allow-for-setting-password-in-clear-text.patch;
what it adds is horribly insecure and AB testing didn't reveal any
regressions or use cases for it.


Dropping this patch makes the password setting function in
extrausers.bbclass unavailable:
https://docs.yoctoproject.org/singleindex.html#extrausers-bbclass



//Yi



Drop /etc/default/ tweaks as files are no longer installed there.

Drop manpage alternatives as manpages are no longer installed.

Signed-off-by: Alexander Kanavin  

---
  ...01-Disable-use-of-syslog-for-sysroot.patch |  29 +-
  ...builds-with-respect-to-libsubid-incl.patch | 114 +++
  .../0001-libsubid-link-to-PAM-libraries.patch |  31 ++
  ...w-for-setting-password-in-clear-text.patch | 301 --
  ...nexpected-open-failure-in-chroot-env.patch |   6 +-
  meta/recipes-extended/shadow/shadow.inc   |  21 +-
  .../shadow/{shadow_4.8.1.bb    =>shadow_4.9.bb  
} |   0
  7 files changed, 167 insertions(+), 335 deletions(-)
  create mode 100644 
meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
  create mode 100644 
meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch
  delete mode 100644 
meta/recipes-extended/shadow/files/0002-Allow-for-setting-password-in-clear-text.patch
  rename meta/recipes-extended/shadow/{shadow_4.8.1.bb    
=>shadow_4.9.bb  } (100%)

diff --git 
a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
 
b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
index ab317b9aa0..95728bcd3f 100644
--- 
a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
+++ 
b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
@@ -1,4 +1,4 @@
-From fa2d9453656641002802d8165e80adb9e6a729d2 Mon Sep 17 00:00:00 2001
+From 30a3906a0a21120fa6bbc918b6258ab9303fbeaa Mon Sep 17 00:00:00 2001
  From: Scott Garman  

  Date: Thu, 14 Apr 2016 12:28:57 +0200
  Subject: [PATCH] Disable use of syslog for sysroot
@@ -19,12 +19,12 @@ Signed-off-by: Chen Qi  

   src/groupmems.c | 3 +++
   src/groupmod.c  | 3 +++
   src/useradd.c   | 3 +++
- src/userdel.c   | 3 +++
+ src/userdel.c   | 4 
   src/usermod.c   | 3 +++
- 7 files changed, 21 insertions(+)
+ 7 files changed, 22 insertions(+)
  
  diff --git a/src/groupadd.c b/src/groupadd.c

-index 2dd8eec..e9c4bb7 100644
+index d7f68b1..5fe5f43 100644
  --- a/src/groupadd.c
  +++ b/src/groupadd.c
  @@ -34,6 +34,9 @@
@@ -38,7 +38,7 @@ index 2dd8eec..e9c4bb7 100644
   #include 
   #include 
  diff --git a/src/groupdel.c b/src/groupdel.c
-index f941a84..5a70056 100644
+index 5c89312..2aefc5a 100644
  --- a/src/groupdel.c
  +++ b/src/groupdel.c
  @@ -34,6 +34,9 @@
@@ -52,7 +52,7 @@ index f941a84..5a70056 100644
   #include 
   #include 
  diff --git a/src/groupmems.c b/src/groupmems.c
-index fc91c8b..2842514 100644
+index 654a8f3..6b2026b 100644
  --- a/src/groupmems.c
  +++ b/src/groupmems.c
  @@ -32,6 +32,9 @@
@@ -66,7 +66,7 @@ index fc91c8b..2842514 100644
   #include 
   #include 
  diff --git a/src/groupmod.c b/src/groupmod.c
-index 1dca5fc..bc14438 100644
+index acd6f35..a2c5247 100644
  --- a/src/groupmod.c
  +++ b/src/groupmod.c
  @@ -34,6 +34,9 @@
@@ -80,7 +80,7 @@ index 1dca5fc..bc14438 100644
   #include 
   #include 
  diff --git a/src/useradd.c b/src/useradd.c
-index 4af0f7c..1b7bf06 100644
+index 127177e..b80e505 100644
  --- a/src/useradd.c
  +++ b/src/useradd.c
  @@ -34,6 +34,9 @@
@@ -94,21 +94,22 @@ 

Re: [OE-core] [PATCH 6/9] shadow: update 4.8.1 -> 4.9

2021-08-04 Thread Alexander Kanavin
Yes, plaintext passwords can no longer be there, which is a good thing I'd
say? The hashed/salted passwords can still be provided through the same
class, but this needs to be documented, and perhaps tested too.

Alex

On Wed, 4 Aug 2021 at 10:39, Yi Zhao  wrote:

>
> On 7/30/21 7:45 PM, Alexander Kanavin wrote:
>
> Add a couple backports to fix builds.
>
> Drop 0002-Allow-for-setting-password-in-clear-text.patch;
> what it adds is horribly insecure and AB testing didn't reveal any
> regressions or use cases for it.
>
> Dropping this patch makes the password setting function in
> extrausers.bbclass unavailable:
> https://docs.yoctoproject.org/singleindex.html#extrausers-bbclass
>
>
> //Yi
>
>
> Drop /etc/default/ tweaks as files are no longer installed there.
>
> Drop manpage alternatives as manpages are no longer installed.
>
> Signed-off-by: Alexander Kanavin  
> 
> ---
>  ...01-Disable-use-of-syslog-for-sysroot.patch |  29 +-
>  ...builds-with-respect-to-libsubid-incl.patch | 114 +++
>  .../0001-libsubid-link-to-PAM-libraries.patch |  31 ++
>  ...w-for-setting-password-in-clear-text.patch | 301 --
>  ...nexpected-open-failure-in-chroot-env.patch |   6 +-
>  meta/recipes-extended/shadow/shadow.inc   |  21 +-
>  .../shadow/{shadow_4.8.1.bb => shadow_4.9.bb} |   0
>  7 files changed, 167 insertions(+), 335 deletions(-)
>  create mode 100644 
> meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
>  create mode 100644 
> meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch
>  delete mode 100644 
> meta/recipes-extended/shadow/files/0002-Allow-for-setting-password-in-clear-text.patch
>  rename meta/recipes-extended/shadow/{shadow_4.8.1.bb => shadow_4.9.bb} (100%)
>
> diff --git 
> a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
>  
> b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
> index ab317b9aa0..95728bcd3f 100644
> --- 
> a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
> +++ 
> b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
> @@ -1,4 +1,4 @@
> -From fa2d9453656641002802d8165e80adb9e6a729d2 Mon Sep 17 00:00:00 2001
> +From 30a3906a0a21120fa6bbc918b6258ab9303fbeaa Mon Sep 17 00:00:00 2001
>  From: Scott Garman  
>  Date: Thu, 14 Apr 2016 12:28:57 +0200
>  Subject: [PATCH] Disable use of syslog for sysroot
> @@ -19,12 +19,12 @@ Signed-off-by: Chen Qi  
> 
>   src/groupmems.c | 3 +++
>   src/groupmod.c  | 3 +++
>   src/useradd.c   | 3 +++
> - src/userdel.c   | 3 +++
> + src/userdel.c   | 4 
>   src/usermod.c   | 3 +++
> - 7 files changed, 21 insertions(+)
> + 7 files changed, 22 insertions(+)
>
>  diff --git a/src/groupadd.c b/src/groupadd.c
> -index 2dd8eec..e9c4bb7 100644
> +index d7f68b1..5fe5f43 100644
>  --- a/src/groupadd.c
>  +++ b/src/groupadd.c
>  @@ -34,6 +34,9 @@
> @@ -38,7 +38,7 @@ index 2dd8eec..e9c4bb7 100644
>   #include 
>   #include 
>  diff --git a/src/groupdel.c b/src/groupdel.c
> -index f941a84..5a70056 100644
> +index 5c89312..2aefc5a 100644
>  --- a/src/groupdel.c
>  +++ b/src/groupdel.c
>  @@ -34,6 +34,9 @@
> @@ -52,7 +52,7 @@ index f941a84..5a70056 100644
>   #include 
>   #include 
>  diff --git a/src/groupmems.c b/src/groupmems.c
> -index fc91c8b..2842514 100644
> +index 654a8f3..6b2026b 100644
>  --- a/src/groupmems.c
>  +++ b/src/groupmems.c
>  @@ -32,6 +32,9 @@
> @@ -66,7 +66,7 @@ index fc91c8b..2842514 100644
>   #include 
>   #include 
>  diff --git a/src/groupmod.c b/src/groupmod.c
> -index 1dca5fc..bc14438 100644
> +index acd6f35..a2c5247 100644
>  --- a/src/groupmod.c
>  +++ b/src/groupmod.c
>  @@ -34,6 +34,9 @@
> @@ -80,7 +80,7 @@ index 1dca5fc..bc14438 100644
>   #include 
>   #include 
>  diff --git a/src/useradd.c b/src/useradd.c
> -index 4af0f7c..1b7bf06 100644
> +index 127177e..b80e505 100644
>  --- a/src/useradd.c
>  +++ b/src/useradd.c
>  @@ -34,6 +34,9 @@
> @@ -94,21 +94,22 @@ index 4af0f7c..1b7bf06 100644
>   #include 
>   #include 
>  diff --git a/src/userdel.c b/src/userdel.c
> -index cc951e5..153e0be 100644
> +index 79a7c89..c1e010a 100644
>  --- a/src/userdel.c
>  +++ b/src/userdel.c
> -@@ -34,6 +34,9 @@
> -
> - #ident "$Id$"
> +@@ -31,6 +31,10 @@
> +  */
>
> + #include 
> ++
>  +/* Disable use of syslog since we're running this command against a sysroot 
> */
>  +#undef USE_SYSLOG
>  +
>   #include 
> + #include 
>   #include 
> - #include 
>  diff --git a/src/usermod.c b/src/usermod.c
> -index 05b9871..21c6da9 100644
> +index 03bb9b9..e15fdd4 100644
>  --- a/src/usermod.c
>  +++ b/src/usermod.c
>  @@ -34,6 +34,9 @@
> diff --git 
> a/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
>  
> b/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
> new file mode 100644
> index 00..c577be6505
> --- /dev/null
> +++ 
> 

Re: [OE-core] [PATCH 6/9] shadow: update 4.8.1 -> 4.9

2021-08-04 Thread Yi Zhao


On 7/30/21 7:45 PM, Alexander Kanavin wrote:

Add a couple backports to fix builds.

Drop 0002-Allow-for-setting-password-in-clear-text.patch;
what it adds is horribly insecure and AB testing didn't reveal any
regressions or use cases for it.


Dropping this patch makes the password setting function in 
extrausers.bbclass unavailable:

https://docs.yoctoproject.org/singleindex.html#extrausers-bbclass


//Yi




Drop /etc/default/ tweaks as files are no longer installed there.

Drop manpage alternatives as manpages are no longer installed.

Signed-off-by: Alexander Kanavin 
---
  ...01-Disable-use-of-syslog-for-sysroot.patch |  29 +-
  ...builds-with-respect-to-libsubid-incl.patch | 114 +++
  .../0001-libsubid-link-to-PAM-libraries.patch |  31 ++
  ...w-for-setting-password-in-clear-text.patch | 301 --
  ...nexpected-open-failure-in-chroot-env.patch |   6 +-
  meta/recipes-extended/shadow/shadow.inc   |  21 +-
  .../shadow/{shadow_4.8.1.bb => shadow_4.9.bb} |   0
  7 files changed, 167 insertions(+), 335 deletions(-)
  create mode 100644 
meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
  create mode 100644 
meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch
  delete mode 100644 
meta/recipes-extended/shadow/files/0002-Allow-for-setting-password-in-clear-text.patch
  rename meta/recipes-extended/shadow/{shadow_4.8.1.bb => shadow_4.9.bb} (100%)

diff --git 
a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
 
b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
index ab317b9aa0..95728bcd3f 100644
--- 
a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
+++ 
b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
@@ -1,4 +1,4 @@
-From fa2d9453656641002802d8165e80adb9e6a729d2 Mon Sep 17 00:00:00 2001
+From 30a3906a0a21120fa6bbc918b6258ab9303fbeaa Mon Sep 17 00:00:00 2001
  From: Scott Garman 
  Date: Thu, 14 Apr 2016 12:28:57 +0200
  Subject: [PATCH] Disable use of syslog for sysroot
@@ -19,12 +19,12 @@ Signed-off-by: Chen Qi 
   src/groupmems.c | 3 +++
   src/groupmod.c  | 3 +++
   src/useradd.c   | 3 +++
- src/userdel.c   | 3 +++
+ src/userdel.c   | 4 
   src/usermod.c   | 3 +++
- 7 files changed, 21 insertions(+)
+ 7 files changed, 22 insertions(+)
  
  diff --git a/src/groupadd.c b/src/groupadd.c

-index 2dd8eec..e9c4bb7 100644
+index d7f68b1..5fe5f43 100644
  --- a/src/groupadd.c
  +++ b/src/groupadd.c
  @@ -34,6 +34,9 @@
@@ -38,7 +38,7 @@ index 2dd8eec..e9c4bb7 100644
   #include 
   #include 
  diff --git a/src/groupdel.c b/src/groupdel.c
-index f941a84..5a70056 100644
+index 5c89312..2aefc5a 100644
  --- a/src/groupdel.c
  +++ b/src/groupdel.c
  @@ -34,6 +34,9 @@
@@ -52,7 +52,7 @@ index f941a84..5a70056 100644
   #include 
   #include 
  diff --git a/src/groupmems.c b/src/groupmems.c
-index fc91c8b..2842514 100644
+index 654a8f3..6b2026b 100644
  --- a/src/groupmems.c
  +++ b/src/groupmems.c
  @@ -32,6 +32,9 @@
@@ -66,7 +66,7 @@ index fc91c8b..2842514 100644
   #include 
   #include 
  diff --git a/src/groupmod.c b/src/groupmod.c
-index 1dca5fc..bc14438 100644
+index acd6f35..a2c5247 100644
  --- a/src/groupmod.c
  +++ b/src/groupmod.c
  @@ -34,6 +34,9 @@
@@ -80,7 +80,7 @@ index 1dca5fc..bc14438 100644
   #include 
   #include 
  diff --git a/src/useradd.c b/src/useradd.c
-index 4af0f7c..1b7bf06 100644
+index 127177e..b80e505 100644
  --- a/src/useradd.c
  +++ b/src/useradd.c
  @@ -34,6 +34,9 @@
@@ -94,21 +94,22 @@ index 4af0f7c..1b7bf06 100644
   #include 
   #include 
  diff --git a/src/userdel.c b/src/userdel.c
-index cc951e5..153e0be 100644
+index 79a7c89..c1e010a 100644
  --- a/src/userdel.c
  +++ b/src/userdel.c
-@@ -34,6 +34,9 @@
-
- #ident "$Id$"
+@@ -31,6 +31,10 @@
+  */
   
+ #include 

++
  +/* Disable use of syslog since we're running this command against a sysroot 
*/
  +#undef USE_SYSLOG
  +
   #include 
+ #include 
   #include 
- #include 
  diff --git a/src/usermod.c b/src/usermod.c
-index 05b9871..21c6da9 100644
+index 03bb9b9..e15fdd4 100644
  --- a/src/usermod.c
  +++ b/src/usermod.c
  @@ -34,6 +34,9 @@
diff --git 
a/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
 
b/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
new file mode 100644
index 00..c577be6505
--- /dev/null
+++ 
b/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
@@ -0,0 +1,114 @@
+From eced8077b57946fe0b723e7c6c510e8f344ce89b Mon Sep 17 00:00:00 2001
+From: Serge Hallyn 
+Date: Fri, 23 Jul 2021 17:51:13 -0500
+Subject: [PATCH] Fix out of tree builds with respect to libsubid includes
+
+There's a better way to do this, and I hope to clean that up,
+but this fixes out of tree builds for me right now.
+
+Closes #386
+
+Signed-off-by: Serge Hallyn 

[OE-core] [PATCH 6/9] shadow: update 4.8.1 -> 4.9

2021-07-30 Thread Alexander Kanavin
Add a couple backports to fix builds.

Drop 0002-Allow-for-setting-password-in-clear-text.patch;
what it adds is horribly insecure and AB testing didn't reveal any
regressions or use cases for it.

Drop /etc/default/ tweaks as files are no longer installed there.

Drop manpage alternatives as manpages are no longer installed.

Signed-off-by: Alexander Kanavin 
---
 ...01-Disable-use-of-syslog-for-sysroot.patch |  29 +-
 ...builds-with-respect-to-libsubid-incl.patch | 114 +++
 .../0001-libsubid-link-to-PAM-libraries.patch |  31 ++
 ...w-for-setting-password-in-clear-text.patch | 301 --
 ...nexpected-open-failure-in-chroot-env.patch |   6 +-
 meta/recipes-extended/shadow/shadow.inc   |  21 +-
 .../shadow/{shadow_4.8.1.bb => shadow_4.9.bb} |   0
 7 files changed, 167 insertions(+), 335 deletions(-)
 create mode 100644 
meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
 create mode 100644 
meta/recipes-extended/shadow/files/0001-libsubid-link-to-PAM-libraries.patch
 delete mode 100644 
meta/recipes-extended/shadow/files/0002-Allow-for-setting-password-in-clear-text.patch
 rename meta/recipes-extended/shadow/{shadow_4.8.1.bb => shadow_4.9.bb} (100%)
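
Review bot: nothing outside meta/recipes-extended/shadow/ changes in this diffstat even though 0002-Allow-for-setting-password-in-clear-text.patch is deleted, so any caller of the clear-text password option that patch added is left without a replacement or a migration note. Suggest pairing the removal with an update to whatever documents or uses that option, or stating in the commit message that hashed passwords are the supported path and how to produce them.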

diff --git 
a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
 
b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
index ab317b9aa0..95728bcd3f 100644
--- 
a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
+++ 
b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch
@@ -1,4 +1,4 @@
-From fa2d9453656641002802d8165e80adb9e6a729d2 Mon Sep 17 00:00:00 2001
+From 30a3906a0a21120fa6bbc918b6258ab9303fbeaa Mon Sep 17 00:00:00 2001
 From: Scott Garman 
 Date: Thu, 14 Apr 2016 12:28:57 +0200
 Subject: [PATCH] Disable use of syslog for sysroot
@@ -19,12 +19,12 @@ Signed-off-by: Chen Qi 
  src/groupmems.c | 3 +++
  src/groupmod.c  | 3 +++
  src/useradd.c   | 3 +++
- src/userdel.c   | 3 +++
+ src/userdel.c   | 4 
  src/usermod.c   | 3 +++
- 7 files changed, 21 insertions(+)
+ 7 files changed, 22 insertions(+)
 
 diff --git a/src/groupadd.c b/src/groupadd.c
-index 2dd8eec..e9c4bb7 100644
+index d7f68b1..5fe5f43 100644
 --- a/src/groupadd.c
 +++ b/src/groupadd.c
 @@ -34,6 +34,9 @@
@@ -38,7 +38,7 @@ index 2dd8eec..e9c4bb7 100644
  #include 
  #include 
 diff --git a/src/groupdel.c b/src/groupdel.c
-index f941a84..5a70056 100644
+index 5c89312..2aefc5a 100644
 --- a/src/groupdel.c
 +++ b/src/groupdel.c
 @@ -34,6 +34,9 @@
@@ -52,7 +52,7 @@ index f941a84..5a70056 100644
  #include 
  #include 
 diff --git a/src/groupmems.c b/src/groupmems.c
-index fc91c8b..2842514 100644
+index 654a8f3..6b2026b 100644
 --- a/src/groupmems.c
 +++ b/src/groupmems.c
 @@ -32,6 +32,9 @@
@@ -66,7 +66,7 @@ index fc91c8b..2842514 100644
  #include 
  #include 
 diff --git a/src/groupmod.c b/src/groupmod.c
-index 1dca5fc..bc14438 100644
+index acd6f35..a2c5247 100644
 --- a/src/groupmod.c
 +++ b/src/groupmod.c
 @@ -34,6 +34,9 @@
@@ -80,7 +80,7 @@ index 1dca5fc..bc14438 100644
  #include 
  #include 
 diff --git a/src/useradd.c b/src/useradd.c
-index 4af0f7c..1b7bf06 100644
+index 127177e..b80e505 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
 @@ -34,6 +34,9 @@
@@ -94,21 +94,22 @@ index 4af0f7c..1b7bf06 100644
  #include 
  #include 
 diff --git a/src/userdel.c b/src/userdel.c
-index cc951e5..153e0be 100644
+index 79a7c89..c1e010a 100644
 --- a/src/userdel.c
 +++ b/src/userdel.c
-@@ -34,6 +34,9 @@
- 
- #ident "$Id$"
+@@ -31,6 +31,10 @@
+  */
  
+ #include 
++
 +/* Disable use of syslog since we're running this command against a sysroot */
 +#undef USE_SYSLOG
 +
  #include 
+ #include 
  #include 
- #include 
 diff --git a/src/usermod.c b/src/usermod.c
-index 05b9871..21c6da9 100644
+index 03bb9b9..e15fdd4 100644
 --- a/src/usermod.c
 +++ b/src/usermod.c
 @@ -34,6 +34,9 @@
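
Review bot: in the refreshed src/userdel.c section the `#undef USE_SYSLOG` now sits after an existing `#include` (inner hunk `@@ -31,6 +31,10 @@`, four added lines), while the six other files keep their three-line hunks unchanged, and the commit message does not say why userdel.c differs. Suggest a sentence in the patch header confirming that the header included ahead of the `#undef` does not itself depend on USE_SYSLOG, so the syslog disable still takes effect for everything that follows.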
diff --git 
a/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
 
b/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
new file mode 100644
index 00..c577be6505
--- /dev/null
+++ 
b/meta/recipes-extended/shadow/files/0001-Fix-out-of-tree-builds-with-respect-to-libsubid-incl.patch
@@ -0,0 +1,114 @@
+From eced8077b57946fe0b723e7c6c510e8f344ce89b Mon Sep 17 00:00:00 2001
+From: Serge Hallyn 
+Date: Fri, 23 Jul 2021 17:51:13 -0500
+Subject: [PATCH] Fix out of tree builds with respect to libsubid includes
+
+There's a better way to do this, and I hope to clean that up,
+but this fixes out of tree builds for me right now.
+
+Closes #386
+
+Signed-off-by: Serge Hallyn 
+Upstream-Status: Backport 
[https://github.com/shadow-maint/shadow/commit/537b8cd90be7b47b45c45cfd27765ef85eb0ebf1]
+Signed-off-by: Alexander Kanavin 
+---
+ lib/Makefile.am  | 2 ++
+ libmisc/Makefile.am  | 2 +-
+ libsubid/Makefile.am | 4 ++--
+ src/Makefile.am  | 6 ++
+