reinit the tree, so we can have metadata

12 files changed, 659 insertions, 0 deletions

diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest
new file mode 100644
index 000000000000..94620e46e930
--- /dev/null
+++ b/sys-apps/shadow/Manifest
@@ -0,0 +1,15 @@
+AUX default/useradd 96 SHA256 31aa2cbe4a34a9f7d4d134c1fecd007c9bbf4d40e19d0dcddbcd396f1853b490 SHA512 87b01ac88c2065392fa988871489d8403ef93341b4cfbadb4504f39a2a3396ddef756efc6378868d00627a58a1feb9612eb52a8135558a211a09c6a9ccf3404f WHIRLPOOL 9022a371e34e96a4c3193f24752979da27cdcd60aec1c8db1d2b427ab880b16917578ddcb4d8af02fd1d0eedc6b346cf43d7ae892e8580321e32e50f5498980b
+AUX pam.d-include/passwd 144 SHA256 8c54d2e3aab50b2a8d3d36aa37f7d7bb32c15d9a3af9a10b7ec5b5ffcff9a5fb SHA512 31611a08d97cd2c129f18d451a555ff6c781f91603c77fc0c66ff406b5fa4a97db19ae4ce104816a6324529d10e131de0d5329646bdab2abc8dc3ee5b82b057f WHIRLPOOL 879370adfb6a78c0acdeebf2c10a503d94925c34dceadb8677693f6c34e4e973f2584b221a9a81fdf23f084c430bbafa23a03440c1a95c798b58faedf4d412bd
+AUX pam.d-include/shadow 152 SHA256 7fc1ccca85d2b1ac4dad9909792453c8d26e9aeab48c620d861a92b9355ac69f SHA512 d07611c350d0d6f3386db5080c80a84e4135cf33e44fd3a390cb1092e034f9bd2a69495fadd4bda6ede9962e9658e77f2c8e12d3189cdcda6c7b3c607336f0c3 WHIRLPOOL 2b5282f983b5bf52c0311c2153dba2d12f6c07ae803d1723010bf4bbf4962d120aea026d32b1f3b062778da5222e7cb16dc39660e53b72173fba723a57b616de
+AUX shadow-4.1.3-dots-in-usernames.patch 302 SHA256 2299ffaec204d20e00d791bf5b982571c9261a74c7a7b865a9f7cad1cdcb43ba SHA512 ad20fb3f4f0292f39b5da796e41df71e9e8b1b81dd11a99b2d988440c1b435b0061333a0a5a37a909598d5a840a75946e8c59c74426bae7452de88cf673a5f7d WHIRLPOOL f0258b24f7731ab7b15a1fca391593c8bbd6bdf2ddad57af1d7960d05af49bc5b706039caa576646cb3d817d2d4ad8e89526b12fe046301c63c1518d01dcf173
+AUX shadow-4.4-CVE-2017-2616.patch 2159 SHA256 1f6d321372ee9cf1260c9de3c5d5070f6e263e20c2761c1d93df176505fcb7df SHA512 72cba0857ac6611532a99769d22568816d21a29f77f76f9d22e6b5b400cb936088087e811e9715cb891c70a11c76321653611a2c49d85acb1b163158863634fe WHIRLPOOL cd85fc3377d92a6116b825a866cea041a2b8c783710767b68fcd08b7f33fc8d2544dc0c80e0686b24de06b9c48c09aea118402dc2437e11318042c39905ba5e5
+AUX shadow-4.4-load_defaults.patch 1027 SHA256 3c5679b99dd79d69d161e8916175b298540fad21e6391224e5c0021a27d04060 SHA512 c821149fdcb71b0c1c7b0de72126a3ec625bd54f2edaff1666ccd30abe3f3d516db329dbe873ae020a6670f93caaf7d235283666113d5b02936043d6dd976d36 WHIRLPOOL 81389edb7a04fa34ba1d8560e63b626eb83662c11c2a532d91e207a128337ffc3e6d4b1a8a99ab1693a943d156ad1dd82f3dd7b09f9e320fd9b2706b62a76430
+AUX shadow-4.4-prototypes.patch 1232 SHA256 5b66e3ae613a01209ea4be1ebdd4bf3e88e7a1a78ff3f27779865bd82007ae78 SHA512 970f79efaf77e91baa22049230f2a97e6a045f2f03ef846f4c35dc4f5702941e61db5b6544c24d112faafd6d516fc5054725039f28fe81e17926a5e8ef6f0432 WHIRLPOOL 1d9ec7f3c84046621e5176697b76ee9d428533d1f873d138ce61038fe780cd3475cbab869c00c7457fcb4535edd93bb5e596eae4c12a2d640356c212f016e4c4
+AUX shadow-4.4-su-snprintf.patch 849 SHA256 6a9c8f35de35a5cfd72b2983a58619b189e77afd970ef0d45efd3dc2b06f8fbd SHA512 2aaa1c847ec34002c6e63af66fb36664e0fc5dc0b719ab38959043f990e84191f5e2f85c2dc44e324abcfe67691c9a9b8181da49077031e2eaaf979dde95b2d9 WHIRLPOOL 20457ef69fde1e3e974640e27c16e70d030036bbe9e889bdc1e63e9220e88776dd6c04a1f84fbafbffd92293940aaaacc810569abdbaab07f9a514e318ea7a92
+DIST shadow-4.4.tar.gz 3706812 SHA256 2398fe436e548786c17ec387b4c41f5339f72ec9ee2f3f7a6e0cc2cb240bb482 SHA512 c1e0f65a4fbd0f9d8de38e488b4a374cac5c476180e233269fc666988d9201c0dcc694605c5e54d54f81039c2e30c95b14c12f10adef749a45cc31f0b4b5d5a6 WHIRLPOOL a22fc0f90ec0623cbbcef253378a16ad605cf71345074880e3fd12fb5914058d3e721f378730c9684497cc597595b7defc7e710206268ae320a090c8c35fd41e
+DIST shadow-4.5.tar.gz 3804933 SHA256 ed2d53bd0e80cf32261e82b8d93684334e8809266dba1ec7a42bfa747605989e SHA512 02d6482a1159689e404dd49a68b4e2db85e9ffdcdfbacc8efcbd9043f14a1ec3fc4d749700df915d375df67d589219b6b0f57a6cfd9fb5b197012888a608913b WHIRLPOOL 73552aff621cf34ef977095a05d9b679b7b6ffa78979d69eeb43089564aca5cc1d841dc9cbb6f0fba4c4f712f0e89f6cc683b733ea1041e4633b5d9fe58b5499
+EBUILD shadow-4.4-r2.ebuild 5520 SHA256 6faffddd4a8a4d950d3d5e962d6b09a9ca178c0ad4312e2a5698ec9337992f62 SHA512 c6becedeaf7faf85960cd3e198dff4c0e60d13af6b27127110f146f049bac0fdf068b65ba472ff035c97afc18aa3e9f5d2cdf2f17869b76828329ba7f481a51b WHIRLPOOL 6b0295f648bab88918ddebf10fd187a73790f42a9d1f152bb4f8595bdd28ba02c4ff36d28c81460f69e41d972d610147bf582d43234afa454b929d5e8a224a47
+EBUILD shadow-4.5.ebuild 5363 SHA256 ce3015885fd40e388d534a75af4442a5904251f7ce941ce871237fb132534ec8 SHA512 4f24d90b0e0e796915d3a0b6c4c100d2fb3d186e269bc64b973281d9e5f4071dfe0b22a9a9b38f07fb85f2153b01ce35174bb1dc46f9a2ea453bbbc172d8a936 WHIRLPOOL dffb76d9dfc424de739d23b4a8da3c5e1a22cbe4aaa3922969e49d45a07eaf5af4e0339c32095081daa7ae0b61d886a9d99783a2c0eda714e032df868be63dd0
+MISC ChangeLog 4723 SHA256 b09aaf93b341c840a85e4f81ed72b1ab7f421d1ff4e6e55410f79cbcd8060b15 SHA512 366b0aa5ff325929c4a8d9523e82e4eeda9dc0ed4e1dcfed123c08a9c632a7d79b50baee39c2c5a26325d7764295a03438d990b2b28f1dc3252ff4850fe97bb4 WHIRLPOOL 513e5c3afa9f5fe3036a35639b8cf926f42627101836ee201afcd4c9c8c463b71f387197e53112184511e057739ce6b43942a87a71cb49e77affe282e5364526
+MISC ChangeLog-2015 51089 SHA256 bbd5750c5403da96d5875738418b68a3884025a85391885fced1d202f97187ee SHA512 8741d75131d25e4524c7a243338e26e614ce81411c0c58725028717c16ace08ec3aa665b8af3eaa4a6f94a23debfed07524bda6d2e2652a05bc290c30322b9ab WHIRLPOOL eb08c4506cbab719018752c00167a531cc6ca5075965921466906cfc3db75dd69276e06115a5893cb7a22f099a563a86b295ccac7e410af037c968ea53c1620a
+MISC metadata.xml 565 SHA256 22160798da478d70befbd4da3ef283bc66ad650168d2cf8947a4aa9935748dc0 SHA512 be29faf2eb981bdb0d643ca691d48b10ee702c3a32ca7fca1d00365aa1c4beb5b1b4bec8104be4352fed32f3fabc3108061b8eb8f0054e612c268b5c6f4b1469 WHIRLPOOL 2194536e374b86cd2e2b078e076f2ce6b3758794ac8812a9db2a189d88013c35f142bc34e0ef4320b04f3b253632c317a8f8c2a901e965c0a85e9ba5bb5a32d9
diff --git a/sys-apps/shadow/files/default/useradd b/sys-apps/shadow/files/default/useradd
new file mode 100644
index 000000000000..ae81dbb3a02b
--- /dev/null
+++ b/sys-apps/shadow/files/default/useradd
@@ -0,0 +1,7 @@
+# useradd defaults file
+GROUP=100
+HOME=/home
+INACTIVE=-1
+EXPIRE=
+SHELL=/bin/bash
+SKEL=/etc/skel
diff --git a/sys-apps/shadow/files/pam.d-include/passwd b/sys-apps/shadow/files/pam.d-include/passwd
new file mode 100644
index 000000000000..960b32eab3eb
--- /dev/null
+++ b/sys-apps/shadow/files/pam.d-include/passwd
@@ -0,0 +1,8 @@
+#%PAM-1.0
+
+auth       sufficient   pam_rootok.so
+auth       include	system-auth
+
+account    include	system-auth
+
+password   include	system-auth
diff --git a/sys-apps/shadow/files/pam.d-include/shadow b/sys-apps/shadow/files/pam.d-include/shadow
new file mode 100644
index 000000000000..743b2f0260d6
--- /dev/null
+++ b/sys-apps/shadow/files/pam.d-include/shadow
@@ -0,0 +1,8 @@
+#%PAM-1.0 
+
+auth       sufficient	pam_rootok.so
+auth       required		pam_permit.so
+
+account    include		system-auth
+
+password   required		pam_permit.so
diff --git a/sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch b/sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch
new file mode 100644
index 000000000000..efcb33dbd9ef
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch
@@ -0,0 +1,10 @@
+--- shadow-4.1.3/libmisc/chkname.c
++++ shadow-4.1.3/libmisc/chkname.c
+@@ -66,6 +66,7 @@
+ 		      ( ('0' <= *name) && ('9' >= *name) ) ||
+ 		      ('_' == *name) ||
+ 		      ('-' == *name) ||
++		      ('.' == *name) ||
+ 		      ( ('$' == *name) && ('\0' == *(name + 1)) )
+ 		     )) {
+ 			return false;
diff --git a/sys-apps/shadow/files/shadow-4.4-CVE-2017-2616.patch b/sys-apps/shadow/files/shadow-4.4-CVE-2017-2616.patch
new file mode 100644
index 000000000000..b788ec35342f
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.4-CVE-2017-2616.patch
@@ -0,0 +1,62 @@
+From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index f20d230..d86aa86 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -379,11 +379,13 @@ static void prepare_pam_close_session (void)
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
++			} else {
++				pid_child = 0;
+ 			}
+ 		} while (!stop);
+ 	}
+ 
+-	if (0 != caught) {
++	if (0 != caught && 0 != pid_child) {
+ 		(void) fputs ("\n", stderr);
+ 		(void) fputs (_("Session terminated, terminating shell..."),
+ 		              stderr);
+@@ -393,9 +395,22 @@ static void prepare_pam_close_session (void)
+ 		snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n"));
+ 
+ 		(void) signal (SIGALRM, kill_child);
++		(void) signal (SIGCHLD, catch_signals);
+ 		(void) alarm (2);
+ 
+-		(void) wait (&status);
++		sigemptyset (&ourset);
++		if ((sigaddset (&ourset, SIGALRM) != 0)
++		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++			kill_child (0);
++		} else {
++			while (0 == waitpid (pid_child, &status, WNOHANG)) {
++				sigsuspend (&ourset);
++			}
++			pid_child = 0;
++			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++		}
++
+ 		(void) fputs (_(" ...terminated.\n"), stderr);
+ 	}
+ 
diff --git a/sys-apps/shadow/files/shadow-4.4-load_defaults.patch b/sys-apps/shadow/files/shadow-4.4-load_defaults.patch
new file mode 100644
index 000000000000..4c0b84f68036
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.4-load_defaults.patch
@@ -0,0 +1,37 @@
+From 507f96cdeb54079fb636c7ce21e371f7a16a520e Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 25 Aug 2016 11:20:34 +0200
+Subject: [PATCH] Fix regression in useradd not loading defaults properly.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The get_defaults() has to be called before processing the flags.
+
+Signed-off-by: Tomáš Mráz <tmraz@fedoraproject.org>
+---
+ src/useradd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index fefa234..6c43e7e 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2027,6 +2027,8 @@ int main (int argc, char **argv)
+ 	is_shadow_grp = sgr_file_present ();
+ #endif
+ 
++	get_defaults ();
++
+ 	process_flags (argc, argv);
+ 
+ #ifdef ENABLE_SUBIDS
+@@ -2036,8 +2038,6 @@ int main (int argc, char **argv)
+ 	    (!user_id || (user_id <= uid_max && user_id >= uid_min));
+ #endif				/* ENABLE_SUBIDS */
+ 
+-	get_defaults ();
+-
+ #ifdef ACCT_TOOLS_SETUID
+ #ifdef USE_PAM
+ 	{
diff --git a/sys-apps/shadow/files/shadow-4.4-prototypes.patch b/sys-apps/shadow/files/shadow-4.4-prototypes.patch
new file mode 100644
index 000000000000..5209a2988f7b
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.4-prototypes.patch
@@ -0,0 +1,42 @@
+https://github.com/shadow-maint/shadow/pull/53
+
+From 32c0b283ef5d68b63e4ec05fb22ed0db938fea67 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Mon, 5 Dec 2016 17:15:29 -0500
+Subject: [PATCH] include getdef.h for getdef_bool prototype
+
+Otherwise we get build warnings like:
+sgroupio.c:255:6: warning: implicit declaration of function 'getdef_bool' [-Wimplicit-function-declaration]
+shadowio.c:131:6: warning: implicit declaration of function 'getdef_bool' [-Wimplicit-function-declaration]
+---
+ lib/sgroupio.c | 1 +
+ lib/shadowio.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/lib/sgroupio.c b/lib/sgroupio.c
+index f2685779a12b..5423626a01da 100644
+--- a/lib/sgroupio.c
++++ b/lib/sgroupio.c
+@@ -40,6 +40,7 @@
+ #include "prototypes.h"
+ #include "defines.h"
+ #include "commonio.h"
++#include "getdef.h"
+ #include "sgroupio.h"
+ 
+ /*@null@*/ /*@only@*/struct sgrp *__sgr_dup (const struct sgrp *sgent)
+diff --git a/lib/shadowio.c b/lib/shadowio.c
+index 6e44ab24d69c..5fa3d312bbf9 100644
+--- a/lib/shadowio.c
++++ b/lib/shadowio.c
+@@ -40,6 +40,7 @@
+ #include <shadow.h>
+ #include <stdio.h>
+ #include "commonio.h"
++#include "getdef.h"
+ #include "shadowio.h"
+ #ifdef WITH_TCB
+ #include <tcb.h>
+-- 
+2.11.0.rc2
+
diff --git a/sys-apps/shadow/files/shadow-4.4-su-snprintf.patch b/sys-apps/shadow/files/shadow-4.4-su-snprintf.patch
new file mode 100644
index 000000000000..45667c8e4bf9
--- /dev/null
+++ b/sys-apps/shadow/files/shadow-4.4-su-snprintf.patch
@@ -0,0 +1,29 @@
+fix from upstream
+
+From 67d2bb6e0a5ac124ce1f026dd5723217b1493194 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Sun, 18 Sep 2016 21:31:18 -0500
+Subject: [PATCH] su.c: fix missing length argument to snprintf
+
+---
+ src/su.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index 0c50a9456afd..93ffd2fbe2b4 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -373,8 +373,8 @@ static void prepare_pam_close_session (void)
+ 		              stderr);
+ 		(void) kill (-pid_child, caught);
+ 
+-		snprintf (kill_msg, _(" ...killed.\n"));
+-		snprintf (wait_msg, _(" ...waiting for child to terminate.\n"));
++		snprintf (kill_msg, 256, _(" ...killed.\n"));
++		snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
+ 
+ 		(void) signal (SIGALRM, kill_child);
+ 		(void) alarm (2);
+-- 
+2.11.0.rc2
+
diff --git a/sys-apps/shadow/metadata.xml b/sys-apps/shadow/metadata.xml
new file mode 100644
index 000000000000..2cabe8fe4fe6
--- /dev/null
+++ b/sys-apps/shadow/metadata.xml
@@ -0,0 +1,17 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="project">
+		<email>base-system@gentoo.org</email>
+		<name>Gentoo Base System</name>
+	</maintainer>
+	<maintainer type="project">
+		<email>pam-bugs@gentoo.org</email>
+		<name>Pluggable Authentication Method maintenance</name>
+	</maintainer>
+	<!-- only for USE=pam -->
+	<upstream>
+		<remote-id type="cpe">cpe:/a:debian:shadow</remote-id>
+		<remote-id type="github">shadow-maint/shadow</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/sys-apps/shadow/shadow-4.4-r2.ebuild b/sys-apps/shadow/shadow-4.4-r2.ebuild
new file mode 100644
index 000000000000..c14915cc1965
--- /dev/null
+++ b/sys-apps/shadow/shadow-4.4-r2.ebuild
@@ -0,0 +1,214 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+inherit eutils libtool pam multilib
+
+DESCRIPTION="Utilities to deal with user accounts"
+HOMEPAGE="https://github.com/shadow-maint/shadow http://pkg-shadow.alioth.debian.org/"
+SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.gz"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="acl audit cracklib nls pam selinux skey xattr"
+# Taken from the man/Makefile.am file.
+LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
+IUSE+=" $(printf 'linguas_%s ' ${LANGS[*]})"
+
+RDEPEND="acl? ( sys-apps/acl:0= )
+	audit? ( >=sys-process/audit-2.6:0= )
+	cracklib? ( >=sys-libs/cracklib-2.7-r3:0= )
+	pam? ( virtual/pam:0= )
+	skey? ( sys-auth/skey:0= )
+	selinux? (
+		>=sys-libs/libselinux-1.28:0=
+		sys-libs/libsemanage:0=
+	)
+	nls? ( virtual/libintl )
+	xattr? ( sys-apps/attr:0= )"
+DEPEND="${RDEPEND}
+	app-arch/xz-utils
+	nls? ( sys-devel/gettext )"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20150213 )"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-4.1.3-dots-in-usernames.patch
+	"${FILESDIR}"/${P}-su-snprintf.patch
+	"${FILESDIR}"/${P}-prototypes.patch
+	"${FILESDIR}"/${P}-load_defaults.patch
+	"${FILESDIR}"/${P}-CVE-2017-2616.patch #610804
+)
+
+src_prepare() {
+	epatch "${PATCHES[@]}"
+	epatch_user
+	#eautoreconf
+	elibtoolize
+}
+
+src_configure() {
+	econf \
+		--without-group-name-max-length \
+		--without-tcb \
+		--enable-shared=no \
+		--enable-static=yes \
+		$(use_with acl) \
+		$(use_with audit) \
+		$(use_with cracklib libcrack) \
+		$(use_with pam libpam) \
+		$(use_with skey) \
+		$(use_with selinux) \
+		$(use_enable nls) \
+		$(use_with elibc_glibc nscd) \
+		$(use_with xattr attr)
+	has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052
+
+	if use nls ; then
+		local l langs="po" # These are the pot files.
+		for l in ${LANGS[*]} ; do
+			use linguas_${l} && langs+=" ${l}"
+		done
+		sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die
+	fi
+}
+
+set_login_opt() {
+	local comment="" opt=$1 val=$2
+	if [[ -z ${val} ]]; then
+		comment="#"
+		sed -i \
+			-e "/^${opt}\>/s:^:#:" \
+			"${ED}"/etc/login.defs || die
+	else
+		sed -i -r \
+			-e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
+			"${ED}"/etc/login.defs
+	fi
+	local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs)
+	einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
+}
+
+src_install() {
+	emake DESTDIR="${D}" suidperms=4711 install
+
+	# Remove libshadow and libmisc; see bug 37725 and the following
+	# comment from shadow's README.linux:
+	#   Currently, libshadow.a is for internal use only, so if you see
+	#   -lshadow in a Makefile of some other package, it is safe to
+	#   remove it.
+	rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
+
+	insinto /etc
+	if ! use pam ; then
+		insopts -m0600
+		doins etc/login.access etc/limits
+	fi
+
+	# needed for 'useradd -D'
+	insinto /etc/default
+	insopts -m0600
+	doins "${FILESDIR}"/default/useradd
+
+	# move passwd to / to help recover broke systems #64441
+	mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
+	dosym /bin/passwd /usr/bin/passwd
+
+	cd "${S}"
+	insinto /etc
+	insopts -m0644
+	newins etc/login.defs login.defs
+
+	set_login_opt CREATE_HOME yes
+	if ! use pam ; then
+		set_login_opt MAIL_CHECK_ENAB no
+		set_login_opt SU_WHEEL_ONLY yes
+		set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict
+		set_login_opt LOGIN_RETRIES 3
+		set_login_opt ENCRYPT_METHOD SHA512
+		set_login_opt CONSOLE
+	else
+		dopamd "${FILESDIR}"/pam.d-include/shadow
+
+		for x in chpasswd chgpasswd newusers; do
+			newpamd "${FILESDIR}"/pam.d-include/passwd ${x}
+		done
+
+		for x in chage chsh chfn \
+				 user{add,del,mod} group{add,del,mod} ; do
+			newpamd "${FILESDIR}"/pam.d-include/shadow ${x}
+		done
+
+		# comment out login.defs options that pam hates
+		local opt sed_args=()
+		for opt in \
+			CHFN_AUTH \
+			CONSOLE \
+			CRACKLIB_DICTPATH \
+			ENV_HZ \
+			ENVIRON_FILE \
+			FAILLOG_ENAB \
+			FTMP_FILE \
+			LASTLOG_ENAB \
+			MAIL_CHECK_ENAB \
+			MOTD_FILE \
+			NOLOGINS_FILE \
+			OBSCURE_CHECKS_ENAB \
+			PASS_ALWAYS_WARN \
+			PASS_CHANGE_TRIES \
+			PASS_MIN_LEN \
+			PORTTIME_CHECKS_ENAB \
+			QUOTAS_ENAB \
+			SU_WHEEL_ONLY
+		do
+			set_login_opt ${opt}
+			sed_args+=( -e "/^#${opt}\>/b pamnote" )
+		done
+		sed -i "${sed_args[@]}" \
+			-e 'b exit' \
+			-e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
+			-e ': exit' \
+			"${ED}"/etc/login.defs || die
+
+		# remove manpages that pam will install for us
+		# and/or don't apply when using pam
+		find "${ED}"/usr/share/man \
+			'(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
+			-delete
+
+		# Remove pam.d files provided by pambase.
+		rm "${ED}"/etc/pam.d/{login,passwd,su} || die
+	fi
+
+	# Remove manpages that are handled by other packages
+	find "${ED}"/usr/share/man \
+		'(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
+		-delete
+
+	cd "${S}"
+	dodoc ChangeLog NEWS TODO
+	newdoc README README.download
+	cd doc
+	dodoc HOWTO README* WISHLIST *.txt
+}
+
+pkg_preinst() {
+	rm -f "${EROOT}"/etc/pam.d/system-auth.new \
+		"${EROOT}/etc/login.defs.new"
+}
+
+pkg_postinst() {
+	# Enable shadow groups.
+	if [ ! -f "${EROOT}"/etc/gshadow ] ; then
+		if grpck -r -R "${EROOT}" 2>/dev/null ; then
+			grpconv -R "${EROOT}"
+		else
+			ewarn "Running 'grpck' returned errors.  Please run it by hand, and then"
+			ewarn "run 'grpconv' afterwards!"
+		fi
+	fi
+
+	einfo "The 'adduser' symlink to 'useradd' has been dropped."
+}
diff --git a/sys-apps/shadow/shadow-4.5.ebuild b/sys-apps/shadow/shadow-4.5.ebuild
new file mode 100644
index 000000000000..343a1aa381d0
--- /dev/null
+++ b/sys-apps/shadow/shadow-4.5.ebuild
@@ -0,0 +1,210 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+inherit eutils libtool pam multilib
+
+DESCRIPTION="Utilities to deal with user accounts"
+HOMEPAGE="https://github.com/shadow-maint/shadow http://pkg-shadow.alioth.debian.org/"
+SRC_URI="https://github.com/shadow-maint/shadow/releases/download/${PV}/${P}.tar.gz"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm ~arm64 ~hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh ~sparc x86"
+IUSE="acl audit cracklib nls pam selinux skey xattr"
+# Taken from the man/Makefile.am file.
+LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
+IUSE+=" $(printf 'linguas_%s ' ${LANGS[*]})"
+
+RDEPEND="acl? ( sys-apps/acl:0= )
+	audit? ( >=sys-process/audit-2.6:0= )
+	cracklib? ( >=sys-libs/cracklib-2.7-r3:0= )
+	pam? ( virtual/pam:0= )
+	skey? ( sys-auth/skey:0= )
+	selinux? (
+		>=sys-libs/libselinux-1.28:0=
+		sys-libs/libsemanage:0=
+	)
+	nls? ( virtual/libintl )
+	xattr? ( sys-apps/attr:0= )"
+DEPEND="${RDEPEND}
+	app-arch/xz-utils
+	nls? ( sys-devel/gettext )"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20150213 )"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-4.1.3-dots-in-usernames.patch
+)
+
+src_prepare() {
+	epatch "${PATCHES[@]}"
+	epatch_user
+	#eautoreconf
+	elibtoolize
+}
+
+src_configure() {
+	econf \
+		--without-group-name-max-length \
+		--without-tcb \
+		--enable-shared=no \
+		--enable-static=yes \
+		$(use_with acl) \
+		$(use_with audit) \
+		$(use_with cracklib libcrack) \
+		$(use_with pam libpam) \
+		$(use_with skey) \
+		$(use_with selinux) \
+		$(use_enable nls) \
+		$(use_with elibc_glibc nscd) \
+		$(use_with xattr attr)
+	has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052
+
+	if use nls ; then
+		local l langs="po" # These are the pot files.
+		for l in ${LANGS[*]} ; do
+			use linguas_${l} && langs+=" ${l}"
+		done
+		sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die
+	fi
+}
+
+set_login_opt() {
+	local comment="" opt=$1 val=$2
+	if [[ -z ${val} ]]; then
+		comment="#"
+		sed -i \
+			-e "/^${opt}\>/s:^:#:" \
+			"${ED}"/etc/login.defs || die
+	else
+		sed -i -r \
+			-e "/^#?${opt}\>/s:.*:${opt} ${val}:" \
+			"${ED}"/etc/login.defs
+	fi
+	local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs)
+	einfo "${res:-Unable to find ${opt} in /etc/login.defs}"
+}
+
+src_install() {
+	emake DESTDIR="${D}" suidperms=4711 install
+
+	# Remove libshadow and libmisc; see bug 37725 and the following
+	# comment from shadow's README.linux:
+	#   Currently, libshadow.a is for internal use only, so if you see
+	#   -lshadow in a Makefile of some other package, it is safe to
+	#   remove it.
+	rm -f "${ED}"/{,usr/}$(get_libdir)/lib{misc,shadow}.{a,la}
+
+	insinto /etc
+	if ! use pam ; then
+		insopts -m0600
+		doins etc/login.access etc/limits
+	fi
+
+	# needed for 'useradd -D'
+	insinto /etc/default
+	insopts -m0600
+	doins "${FILESDIR}"/default/useradd
+
+	# move passwd to / to help recover broke systems #64441
+	mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die
+	dosym /bin/passwd /usr/bin/passwd
+
+	cd "${S}"
+	insinto /etc
+	insopts -m0644
+	newins etc/login.defs login.defs
+
+	set_login_opt CREATE_HOME yes
+	if ! use pam ; then
+		set_login_opt MAIL_CHECK_ENAB no
+		set_login_opt SU_WHEEL_ONLY yes
+		set_login_opt CRACKLIB_DICTPATH /usr/$(get_libdir)/cracklib_dict
+		set_login_opt LOGIN_RETRIES 3
+		set_login_opt ENCRYPT_METHOD SHA512
+		set_login_opt CONSOLE
+	else
+		dopamd "${FILESDIR}"/pam.d-include/shadow
+
+		for x in chpasswd chgpasswd newusers; do
+			newpamd "${FILESDIR}"/pam.d-include/passwd ${x}
+		done
+
+		for x in chage chsh chfn \
+				 user{add,del,mod} group{add,del,mod} ; do
+			newpamd "${FILESDIR}"/pam.d-include/shadow ${x}
+		done
+
+		# comment out login.defs options that pam hates
+		local opt sed_args=()
+		for opt in \
+			CHFN_AUTH \
+			CONSOLE \
+			CRACKLIB_DICTPATH \
+			ENV_HZ \
+			ENVIRON_FILE \
+			FAILLOG_ENAB \
+			FTMP_FILE \
+			LASTLOG_ENAB \
+			MAIL_CHECK_ENAB \
+			MOTD_FILE \
+			NOLOGINS_FILE \
+			OBSCURE_CHECKS_ENAB \
+			PASS_ALWAYS_WARN \
+			PASS_CHANGE_TRIES \
+			PASS_MIN_LEN \
+			PORTTIME_CHECKS_ENAB \
+			QUOTAS_ENAB \
+			SU_WHEEL_ONLY
+		do
+			set_login_opt ${opt}
+			sed_args+=( -e "/^#${opt}\>/b pamnote" )
+		done
+		sed -i "${sed_args[@]}" \
+			-e 'b exit' \
+			-e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \
+			-e ': exit' \
+			"${ED}"/etc/login.defs || die
+
+		# remove manpages that pam will install for us
+		# and/or don't apply when using pam
+		find "${ED}"/usr/share/man \
+			'(' -name 'limits.5*' -o -name 'suauth.5*' ')' \
+			-delete
+
+		# Remove pam.d files provided by pambase.
+		rm "${ED}"/etc/pam.d/{login,passwd,su} || die
+	fi
+
+	# Remove manpages that are handled by other packages
+	find "${ED}"/usr/share/man \
+		'(' -name id.1 -o -name passwd.5 -o -name getspnam.3 ')' \
+		-delete
+
+	cd "${S}"
+	dodoc ChangeLog NEWS TODO
+	newdoc README README.download
+	cd doc
+	dodoc HOWTO README* WISHLIST *.txt
+}
+
+pkg_preinst() {
+	rm -f "${EROOT}"/etc/pam.d/system-auth.new \
+		"${EROOT}/etc/login.defs.new"
+}
+
+pkg_postinst() {
+	# Enable shadow groups.
+	if [ ! -f "${EROOT}"/etc/gshadow ] ; then
+		if grpck -r -R "${EROOT}" 2>/dev/null ; then
+			grpconv -R "${EROOT}"
+		else
+			ewarn "Running 'grpck' returned errors.  Please run it by hand, and then"
+			ewarn "run 'grpconv' afterwards!"
+		fi
+	fi
+
+	einfo "The 'adduser' symlink to 'useradd' has been dropped."
+}