lib/fs/mkstemp/: mkostemp(): Split API from fmkomstemp()

This reduces the complexity of fmkomstemp().

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/fs/mkstemp/, src/: fmkomstemp(): Move function to separate file

And make it inline.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/getdef.c: Use countof() instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/, src/: Move macros to "typetraits.h"

The macros that remain in "must_be.h" really belong in "typetraits.h".
Move them there, and remove "must_be.h".

Signed-off-by: Alejandro Colomar <alx@kernel.org>

autogen.sh, lib/: Replace must_be_array() by -Werror=sizeof-pointer-div

The error works as well as the magic macro, and we get cleaner code.
Plus, very soon we'll get the countof() operator from GCC 16 and
Clang 21, which doesn't even need this diagnostic to work safely.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/sizeof.h: Define SIZEOF_ARRAY() in terms of countof()

This will allow us to eventually get rid of must_be_array(), once
we make sure countof() is safe.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/, src/, tests/: Use the standard countof() instead of our NITEMS()

countof() is the name blessed by the C Committee for ISO C2y.
Use it if available, and define it if not.

countof() will be provided by GCC 16 and Clang 21.

This is mostly a scripted change:

$ grep -rl NITEMS | xargs sed -i s/NITEMS/countof/;

Apart from the scripted changes, I've adjusted white-space alignment,
and of course the definition at "lib/sizeof.h".

Link: <https://www.open-std.org/jtc1/sc22/wg14/www/docs/n3550.pdf#subsubsection.0.6.5.4.5>
Link: <https://www.open-std.org/jtc1/sc22/wg14/www/docs/n3550.pdf#section.0.7.21>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/fields.c: valid_field(): Clarify comments

And apply minor style changes.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/fields.c: valid_field(): Use strchriscntrl() instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/fields.c: valid_field(): Use strisprint() instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/fields.c: valid_field(): Return early on error

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/fields.c: valid_field(): Remove useless check

We only call this function with a string literal, and it makes little
sense to pass something else.  Let's simplify.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/fields.*: valid_field: Make sure that $2 is a string literal

and thus, nonnull.

Suggested-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/, src/: Move prototypes of "lib/fields.c" to "lib/fields.h"

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/string/ctype/strchrisascii/: strchriscntrl(): Add function

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/string/ctype/strisascii/: strisprint(): Add function

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/nss.c: Use !strcaseprefix() instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>

contrib/, lib/: Use strcaseprefix() instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/string/strcmp/: strcaseprefix(): Add API

Signed-off-by: Alejandro Colomar <alx@kernel.org>

tests/: test chage last changed date

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: test chage expiration date

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: implement binding for `chage`

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: test useradd expiration date

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: test usermod expiration date

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

lib/strtoday.c: Actually return a date from get_date()

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/: Move get_date() to lib/strtoday.c

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/strtoday.c: strtoday(): Remove obsolete comment

get_date() doesn't treat "" as a date anymore, so the comment is
obsolete.  We still need the code, though, as for example usermod(8)
uses an empty string as a synonym for -1.

Link: <https://github.com/shadow-maint/shadow/pull/1217#issuecomment-2668174079>
Reported-by: Chris Hofstaedtler <zeha@debian.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/strtoday.c: strtoday(): Attempt parsing with str2sl() directly

If it fails, let's fall back to get_date().

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/getdate.c: Use strptime(3) to simplify

The following trick:

t = 0;
gmtime_r(&t, &tm);

is a clever way to clear the tm(3type) structure, and set it to use UTC.

We need to set it to set UTC with this trick, because strptime(3)
doesn't set the timezone.  I (Alex) tried previously using

bzero(&tm, sizeof(tm));
strptime("UTC", "%Z", &tm);

but glibc ignores the timezone, and musl (at least I tried in an Alpine
container) seems to report an error.

The idea to use gmtime_r(3) was from lanodan.

Link: <https://inbox.sourceware.org/libc-alpha/Z_LqUgildoq33vI-@cloudsdale.the-delta.net.eu.org/T/#u>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Rich Felker <dalias@libc.org>
Co-authored-by: "Haelwenn (lanodan) Monnier" <contact@hacktivis.me>
Signed-off-by: "Haelwenn (lanodan) Monnier" <contact@hacktivis.me>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/: get_date(): Remove unused parameter

And rename the remaining parameter.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/: Fix indentation and alignment

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/getdate.*: Reimplement in pure C

This removes all yacc(1) code from this project.  Add copyright and
license, since there remains nothing of the original code.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/: sget*ent(): Remove unnecessary 'static', and rename variable

For consistency, use 'fields[]' in all these functions,
and don't make it unnecessarily 'static'.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/sgetpwent.c: sgetpwent(): Trim the trailing '\n'

Just like the other sget*ent() functions do.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/: Rename local variable

Call it 'dup', which reminds that it's a strdup(3)d string.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/: Remove arbitrary limitation by calling strdup(3)

This makes these APIs more consistent with the ones for groups,
which strdup(3) memory as necessary.

It also makes the code simpler.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/: Simplify by calling strdup(3)

While at it, rename the function parameter.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/: Use strtolower() instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/string/ctype/strtoascii/: strtolower(): Add API

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/atoi/str2i/, *: Simplify implementations

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/atoi/a2i/: Simplify these macros by calling a2i()

I applied a similar patch in liba2i, where I've tested it.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

configure.ac: Remove unused check for futimes(3)

Reported-by: Chris Hofstaedtler <zeha@debian.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

configure.ac, contrib/, src/: Remove dead code

Both glibc and musl provide getusershell(3).  It's an API from 4.3BSD,
according to the manual page, so let's assume it exists everywhere that
we would care, even if it's not in POSIX.

Reported-by: Chris Hofstaedtler <zeha@debian.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/, configure.ac, po/: Remove dead file <lib/shadow.c>

We didn't even have prototypes for these APIs since long ago, when the
prototypes were removed, but misteriously the implementations remained.

Both glibc and musl provide getspnam(3), so this file was effectively
being ignored by the compiler.  Just remove it.

Also remove the check for getspnam, which isn't used elsewhere.

Fixes: 0ee095abd8db (2007-10-07; "[svn-upgrade] Integrating new upstream version, shadow (4.0.7)")
Closes: <https://github.com/shadow-maint/shadow/issues/1228>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/string/strdup/strndupa.h: STRNDUPA(): Simplify implementation

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/string/strdup/strndupa.h: strndupa(3): Add macro

musl doesn't provide strndupa(3).

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/: Treat strpbrk(3)'s return value as a boolean

with the meaning "a character was found".

strpbrk(3) is just like strchr(3), but searches for multiple characters.
Both functions have a boolean-like return value, which evaluates to true
if a character was found.

A better name for strpbrk(3) would have been strchrs().

Signed-off-by: Alejandro Colomar <alx@kernel.org>

src/: Simplify, using strpbrk(3)

Checking a boolean (actually, a boolean-like pointer) is more readable
than comparing against a length.

This removes the only uses of strcspn(3) in this project.

strpbrk(3) is a simpler call, even though it has a weird name.  It's
just like strchr(3) but searches for several characters.  I'd have named
it strchrs().

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/, src/: Use strprefix() instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/: Use !strprefix() instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/: Use strprefix() instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/env.c: sanitize_env(): Use !strprefix() instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/, src/: Use strprefix() instead of its pattern

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/, src/: Use s=strprefix(s,p)?:s instead of its pattern

This skips an optional prefix.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/string/strcmp/: strprefix(): Add API

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/, src/: Reduce scope of local variables

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/sizeof.h: Make sure STRLEN() only accepts string literals

Link: <https://stackoverflow.com/a/79369560/6872717>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

tests/: extend basic groupdel tests

Add additional check for gshadow entry.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: extend basic groupmod test

Add additional check for gshadow entry.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: extend basic groupadd test

Add additional check for gshadow entry.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: extend basic userdel test

Add additional checks for shadow and gshadow entries.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: extend basic usermod test

Add additional checks for shadow and gshadow entries.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: extend basic useradd test

The test framework PoC only provided basic checks. I've added additional
functionality to the framework by checking shadow and gshadow entries
and I've extended the basic useradd test to check those too.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: improve version detection

Alpine Linux versions also contain the revision, and this needs to be
taken into account when detecting it.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: improve distribution detection

openSUSE includes comment lines in `/etc/os-release` file and this can
cause some issues during the distribution detection. Ignore those lines
as they don't cause any effect on the system.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: enable `FORCE_SHADOW` in configuration

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: implement `days_since_epoch()`

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: implement feature detection

Implement a general function to detect features in shadow host.

Apparently, musl doesn't provide `getent gshadow`, but shadow still needs
it to check for several group attributes. Thus, check whether it exists
in the host, and if it does run it. If not, let's just skip that part of
the test.

Link: <https://gitlab.alpinelinux.org/alpine/aports/-/issues/16979>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: implement binding for `getent gshadow $name`

Provide a way for the system framework to run `getent gshadow $name` and
check its output in a meaningful way.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

tests/: implement binding for `getent shadow $name`

Provide a way for the system framework to run `getent shadow $name` and
check its output in a meaningful way.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com>

newgidmap: better error logging on failure

Much like the previous commit, similarly relies on `sub_gid_open`
preserving `errno`.

newuidmap: better error logging on failure

The handling for `sub_uid_open` relies on `commonio_open` preserving
`errno`, which it appears to make an effort do, but doesn't explicitly
document.

Closes: https://github.com/shadow-maint/shadow/issues/1253

lib/strtoday.c: strtoday(): Replace obsolete comment

Signed-off-by: Alejandro Colomar <alx@kernel.org>

man/: Localized dates are not accepted anymore

Signed-off-by: Alejandro Colomar <alx@kernel.org>

man/: Consistently express dates in standard format

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/getdate.y: Don't parse a raw number; just a calendar date

Our caller, strtoday(), already handles a raw number.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/getdate.y: Don't parse dates in local formats; just YYYY-MM-DD

lib/getdate.y: Remove unnecessary variable

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/getdate.y: Don't parse week days

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/getdate.y: Don't parse relative dates, such as 'yesterday'

Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/getdate.y: Don't parse times; just dates

Signed-off-by: Alejandro Colomar <alx@kernel.org>

man/useradd.8.xml: fix the CREATE_HOME description

Fixes: #1249
Signed-off-by: Serge Hallyn <serge@hallyn.com>

ci: add `gawk` as a fedora dependency

Recently fedora 42 was released and `gawk` was missing as a dependency.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

Add LOGIN_ENV_SAFELIST to FOREIGNDEFS

util-linux-2.41 introduced new variable: LOGIN_ENV_SAFELIST.
Add it to known login.defs variables.

Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>

Accept /usr/sbin/nologin as an alternate to /sbin/nologin

Relevant on fully-usr-merged distributions.

Signed-off-by: Chris Hofstaedtler <zeha@debian.org>
Reported-by: Marc Haber
Reviewed-by: Alejandro Colomar <alx@kernel.org>

Quick fix: define E_PAM_ERR in lib/pam_pass.c

The exit code situation is a hot mess. Do a
  git grep "define.*E_SUCCESS"
Each src/*.c is defining its own set of error codes, and
they are frequently conflicting, e.g. more than one use
10.

We should probably have a common set defined in lib/exitcodes.h.
I'm thinking for a first cut, we just move all the definitions
from src/*.c to lib/exitcodes.h, and let the conflicts stand.
If we later want to change some defines to make them unambiguous
across the project, we can do that separately.

Signed-off-by: Serge Hallyn <serge@hallyn.com>

pwconv.8 man page improvements

Bug-Debian: https://bugs.debian.org/1004418

chfn.1 man page improvements

Bug-Debian: https://bugs.debian.org/1004688

passwd: document exit code when PAM has errored

closes #1219

When pam returns an error, we were exiting with exit code 10,
which was hardcoded and not documented.  Create a name for it,
and document it in the manpage.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Reported-by: Marc Haber <githubvisible@zugschlus.de>
Reviewed-by: Alejandro Colomar <alx@kernel.org>

CI: purge man-db

This accelerates the CI.

Closes: https://github.com/shadow-maint/shadow/issues/1240
Link: <https://101010.pl/@nabijaczleweli/114149412203886808>
Reported-by: наб <nabijaczleweli@nabijaczleweli.xyz>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Alejandro Colomar <alx@kernel.org>

release 4.17.4

Signed-off-by: Serge Hallyn <serge@hallyn.com>

tests/unit/test_xasprintf.c: Fix sign-mismatch diagnostic

Add a signed wrapper around mock() which returns a signed integer.
This makes it possible to compare the return value with literal -1.

Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

src/lastlog.c: Use ssizeof() to avoid a -Wsign-compare diagnostic

Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/sizeof.h: ssizeof(): Add signed variant of sizeof

Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

autogen.sh: Promote -Wsign-compare to an error

It is usually a sign of deep errors.  We really want to avoid them.

Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

lib/fs/readlink/: readlinknul(): Use ssize_t to simplify

Consistently using a signed type allows us to avoid sign-mismatch
diagnostics, while keeping the code simple.  It feels weird to
accept a ssize_t instead of a size_t, but it's a matter of getting
used to it.

Another way to achieve this with a single 'len' variable and no casts
would be to compare against SIZE_MAX, but that's less readable than -1.
Or one could write a SIZE_C() macro a la UINT64_C(), and compare the
size_t against SIZE_C(-1), but that's still suboptimal (regarding
readability) compared to consistently using signed size types.

Fixes: b9d00b64a19f (2024-12-09; "lib/fs/readlink/readlinknul.h: readlinknul(): Silence warning")
Acked-by: Serge Hallyn <serge@hallyn.com>
Cc: Martin Uecker <uecker@tugraz.at>
Cc: "Robert C. Seacord" <rcseacord@gmail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

doc/: Remove list of distributions

Since c8e8557803f3 (2025-01-21; "ci: add openSUSE Tumbleweed") we also
run openSUSE in CI. Since the set may grow let's not list each of them
in the documentation.

lib/commonio.c: Rely on the POSIX.1-2008 behavior of realpath(3)

Link: <https://github.com/shadow-maint/shadow/pull/1222#discussion_r1966612238>
Link: <https://stackoverflow.com/questions/60802732/are-realpath-portability-concerns-obsolete>
Reported-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

src/: update group audit messages

Auditing has been broken for a long time upstream and Fedora had some
downstream patches that fixed it, upstreaming that content to fix the
problem for everybody.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Alejandro Colomar <alx@kernel.org>

lib/: audit function for groups

Link: https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-Lifecycle-Events
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Alejandro Colomar <alx@kernel.org>