:(

xgetXXbyYY: Avoid duplicated error handling block
The error handling is performed after the loop. By just calling break it is possible to reuse the error handling if status is not ERANGE. Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
2023-05-28 03:50:23 +00:00 · 2023-05-26 16:03:27 -05:00 · 2023-05-26 16:03:27 -05:00 · 2023-05-26 15:16:29 -05:00 · 2023-05-26 15:14:02 -05:00 · 2023-05-25 21:22:08 -05:00
449 changed files with 8603 additions and 10388 deletions
--- a/.builds/alpine-edge.yml
+++ b/.builds/alpine-edge.yml
@ -9,9 +9,11 @@ packages:
  - gettext
  - gettext-dev
  - gettext-lang
+  - libbsd-dev
  - libcap-dev
  - libtool
  - linux-pam-dev
+  - pkgconf
  - sed
 sources:
  - https://github.com/shadow-maint/shadow
--- a/.builds/fedora.yml
+++ b/.builds/fedora.yml
@ -8,10 +8,12 @@ packages:
  - gettext
  - gettext-devel
  - git
+  - libbsd-devel
  - libselinux-devel
  - libsemanage-devel
  - libtool
  - libxslt
+  - pkgconf
 sources:
  - https://github.com/shadow-maint/shadow
 tasks:
--- a/.builds/ubuntu-focal.yml
+++ b/.builds/ubuntu-focal.yml
@ -3,11 +3,13 @@ packages:
  - automake
  - autopoint
  - xsltproc
+  - libbsd-dev
  - libselinux1-dev
  - gettext
  - expect
  - byacc
  - libtool
+  - pkgconf
 sources:
  - https://github.com/shadow-maint/shadow
 tasks:
--- a/.builds/ubuntu-jammy.yml
+++ b/.builds/ubuntu-jammy.yml
@ -3,11 +3,13 @@ packages:
  - automake
  - autopoint
  - xsltproc
+  - libbsd-dev
  - libselinux1-dev
  - gettext
  - expect
  - byacc
  - libtool
+  - pkgconf
 sources:
  - https://github.com/shadow-maint/shadow
 tasks:
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,4 @@
+root = true
+
+[*.{c,h}]
+indent_style = tab
--- a/.github/actions/install-dependencies/action.yml
+++ b/.github/actions/install-dependencies/action.yml
@ -6,7 +6,7 @@ runs:
  - shell: bash
    run: |
      sudo apt-get update -y
-      sudo apt-get install -y ubuntu-dev-tools
+      sudo apt-get install -y ubuntu-dev-tools libbsd-dev
      sudo sed -Ei 's/^# deb-src /deb-src /' /etc/apt/sources.list
      sudo apt-get update -y
      sudo apt-get -y build-dep shadow
--- a/.github/workflows/runner.yml
+++ b/.github/workflows/runner.yml
@ -0,0 +1,76 @@
+name: CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: debug
+      run: |
+        id
+        which bash
+        whoami
+        env
+        ps -ef
+        pwd
+        cat /proc/self/uid_map
+        cat /proc/self/status
+        systemd-detect-virt
+    - name: Install dependencies
+      run: |
+        sudo cat /etc/apt/sources.list
+        sudo sed -i '/deb-src/d' /etc/apt/sources.list
+        sudo sed -i '/^deb /p;s/ /-src /' /etc/apt/sources.list
+        export DEBIAN_PRIORITY=critical
+        export DEBIAN_FRONTEND=noninteractive
+        # let's try to work around upgrade breakage in a pkg we don't care about
+        sudo apt-mark hold grub-efi-amd64-bin grub-efi-amd64-signed
+        sudo apt-get update
+        sudo apt-get -y dist-upgrade
+        sudo apt-get -y install ubuntu-dev-tools automake autopoint xsltproc gettext expect byacc libtool libbsd-dev pkgconf
+        sudo apt-get -y build-dep shadow
+    - name: configure
+      run: |
+        autoreconf -v -f --install
+        ./autogen.sh --without-selinux --disable-man --with-yescrypt
+    - run: make
+    - run: make install DESTDIR=${HOME}/rootfs
+    - run: sudo make install
+    - name: run tests in shell with tty
+      shell: 'script -q -e -c "bash {0}"'
+      run: |
+        set -e
+        cd tests
+        sudo ./run_some
+        cat testsuite.log
+
+  container-build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [alpine, debian, fedora]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Build container
+      run: |
+        docker buildx build -f ./share/containers/${{ matrix.os }}.dockerfile . --output build-out
+
+    - name: Store artifacts
+      uses: actions/upload-artifact@v3
+      with:
+        name: ${{ matrix.os }}-build
+        path: |
+          ./build-out/config.log
+          ./build-out/config.h
+        if-no-files-found: ignore
--- a/.github/workflows/static-code-analysis.yml
+++ b/.github/workflows/static-code-analysis.yml
@ -14,7 +14,7 @@ jobs:
      security-events: write
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3

    - name: Install dependencies
      id: dependencies
@ -32,19 +32,20 @@ jobs:
    - name: Build shadow-utils
      run: |
        PROCESSORS=$(/usr/bin/getconf _NPROCESSORS_ONLN)
-        make -j$PROCESSORS
+        make -kj$PROCESSORS || true
+
+    - name: Check build errors
+      run: make

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2

  differential-shellcheck:
-    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest

    permissions:
      contents: read
      security-events: write
-      pull-requests: write

    steps:
      - name: Checkout repository
--- a/.travis.yml
+++ b/.travis.yml
@ -36,7 +36,7 @@ addons:
    notification_email: christian.brauner@ubuntu.com,serge@hallyn.com

    build_command_prepend: "./autogen.sh --without-selinux --disable-man"
-    build_command: "make -j4"
+    build_command: "make -kj4 || make"
    branch_pattern: master

 script:
--- a/AUTHORS.md
+++ b/AUTHORS.md
@ -3,6 +3,7 @@ reports and various comments. This list may be incomplete, I received
 a lot of mail...

 # Maintainers
+* Marek Michałkiewicz <marekm72@gmail.com> (1995-2000)
 * Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
 * Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
 * Serge E. Hallyn <serge@hallyn.com> (2014-now)
--- a/14
+++ b/14
@ -9558,7 +9558,7 @@
 	* NEWS: release date corrected.

 	* NEWS, src/su.c:
-	fixed set enviroment too early when using PAM, so move it to !USE_PAM
+	fixed set environment too early when using PAM, so move it to !USE_PAM
 	(patch submitted by Mike Frysinger <vapier@gentoo.org>).

 2006-07-30  Tomasz Kłoczko  <kloczek@pld.org.pl>
@ -10245,7 +10245,7 @@
 	* NEWS: cleanups.

 	* autogen.sh:
-	by default in development enviroment use CFLAGS="-O2 -Wall".
+	by default in development environment use CFLAGS="-O2 -Wall".

 	* src/chgpasswd.c (main): remove two unused variables (newgr and now).

@ -11654,7 +11654,7 @@
 	in OPTIONS section). Describe -a and -k options.

 	* NEWS, src/su.c:
-	fixed twice copy enviroment which causes auth problems (bug was introduced in 4.0.12;
+	fixed twice copy environment which causes auth problems (bug was introduced in 4.0.12;
 	fix by Nicolas François <nicolas.francois@centraliens.net>).

 	* src/passwd.c, po/ja.po, po/ko.po, po/nb.po, po/nl.po, po/nn.po, po/pl.po, po/pt.po, po/pt_BR.po, po/ro.po, po/ru.po, po/sk.po, po/sq.po, po/sv.po, po/tl.po, po/tr.po, po/uk.po, po/vi.po, po/zh_CN.po, po/zh_TW.po, po/bs.po, po/ca.po, po/cs.po, po/da.po, po/de.po, po/el.po, po/es.po, po/eu.po, po/fi.po, po/fr.po, po/he.po, po/id.po, po/it.po:
@ -12584,7 +12584,7 @@
 	http://bugs.debian.org/48002

 	* src/login.c, NEWS:
-	fixed loggin of username on succesful login (was using the normal username,
+	fixed loggin of username on successful login (was using the normal username,
 	when it should have used pam_user) http://bugs.debian.org/47819

 2005-06-02  Tomasz Kłoczko  <kloczek@pld.org.pl>
@ -13029,7 +13029,7 @@
 	* man/pl/usermod.8: finish sync with english version.

 	* man/hu/login.1, man/pl/login.1, NEWS, man/Attic/login.1, man/de/login.1:
-	removed fragment about abilities pass enviroment variables in login prompt.
+	removed fragment about abilities pass environment variables in login prompt.

 	* man/Attic/gpasswd.1, man/Attic/newgrp.1:
 	fixes by Nicolas Nicolas François <nicolas.francois@centraliens.net> (not all
@ -13508,7 +13508,7 @@
 	removed not used translations.

 	* NEWS, src/su.c:
-	fix adding of pam_env env variables to enviroment (Martin Schlemmer <azarah@nosferatu.za.org>).
+	fix adding of pam_env env variables to environment (Martin Schlemmer <azarah@nosferatu.za.org>).

 	* NEWS, configure.in:
 	fixed filling MAIL_SPOOL_DIR and MAIL_SPOOL_FILE variables which was allways
@ -13605,7 +13605,7 @@

 	* NEWS, src/su.c:
 	add pam_open_session() support. If builded without PAM support
-	propagate $DISPLAY and $XAUTHORITY enviroment variables.
+	propagate $DISPLAY and $XAUTHORITY environment variables.
 	Based on http://www.gentoo.org/cgi-bin/viewcvs.cgi/sys-apps/shadow/files/shadow-4.0.4.1-su-pam_open_session.patch?rev=1.1

 2004-10-23  Tomasz Kłoczko  <kloczek@pld.org.pl>
--- a/14
+++ b/14
@ -696,7 +696,7 @@ shadow-4.0.18 -> shadow-4.0.18.1					03-08-2006
 shadow-4.0.17 -> shadow-4.0.18						01-08-2006

 *** general:
- su: fixed set enviroment too early when using PAM, so move it to !USE_PAM
+- su: fixed set environment too early when using PAM, so move it to !USE_PAM
  (patch submitted by Mike Frysinger <vapier@gentoo.org>),
 - groupadd, groupmod, useradd, usermod: fixed UID/GID overflow (fixed
  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198920)
@ -855,7 +855,7 @@ shadow-4.0.14 -> shadow-4.0.15						13-03-2006
 - su: move exit() outside libmisc/shell.c::shell() for handle shell() errors
  on higher level (now is better visable where some programs exit with 126
  and 127 exit codes); added new shell() parameter (char *const envp[])
-  which allow fix preserving enviroment in su on using -p, (patch by
+  which allow fix preserving environment in su on using -p, (patch by
  Alexander Gattin <xrgtn@yandex.ru>),
 - su: added handle -c,--command option for GNU su compliance (merge
  437_su_-c_option Debian patch),
@ -966,7 +966,7 @@ shadow-4.0.12 -> shadow-4.0.13						10-10-2005
  to example described in ident(1) man page (modern compilers like latest GCC
  removes not used functions by global optimization).
  So "ident /usr/bin/passwd" will show again some useable informations
- su: fixed twice copy enviroment which causes auth problems
+- su: fixed twice copy environment which causes auth problems
  (bug was introduced in 4.0.12; fix by Nicolas François <nicolas.francois@centraliens.net>),
 - chage: differentiate the different failure causes by the exit value
  This will permit to adduser Debian script to detect if chage failed because the
@ -1133,7 +1133,7 @@ shadow-4.0.9 -> shadow-4.0.10						28-06-2005
  http://bugs.debian.org/53702
 - login: check for hushed login and pass PAM_SILENT if true,
  http://bugs.debian.org/48002
- login: fixed username on succesful login (was using the normal username,
+- login: fixed username on successful login (was using the normal username,
  when it should have used pam_user) http://bugs.debian.org/47819
 - remove using SHADOWPWD #define so now shadow is always built with shadow
  password support,
@ -1212,7 +1212,7 @@ shadow-4.0.7 -> shadow-4.0.8						26-04-2005
  (without gshadow) doesn't permit to use newgrp,
 - newgrp(1): newgrp uses /bin/sh (not bash),
 - faillog(8): updated after rewritten faillog command for use getopt_long(),
- login(1): removed fragment about abilities pass enviroment variables in login prompt,
+- login(1): removed fragment about abilities pass environment variables in login prompt,
 - gshadow(5): new file (by Nicolas Nicolas François <nicolas.francois@centraliens.net>),
 - usermod(8): fixed #302388 Debian bug: added separated -o option description,

@ -1242,7 +1242,7 @@ shadow-4.0.6 -> shadow-4.0.7						26-01-2005

 shadow-4.0.5 -> shadow-4.0.6						08-11-2004

- su: fixed adding of pam_env env variables to enviroment
+- su: fixed adding of pam_env env variables to environment
  (Martin Schlemmer <azarah@nosferatu.za.org>),
 - autoconf: fixed filling MAIL_SPOOL_DIR and MAIL_SPOOL_FILE variables
  which was always empty (Gregorio Guidi <g.guidi@sns.it>),
@ -1275,7 +1275,7 @@ shadow-4.0.4.1 -> shadow-4.0.5						27-10-2004
  including symlinks placed into /etc/skel/public_html for example.
  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=66819
 - su: add pam_open_session() support. If built without PAM support
-  propagate $DISPLAY and $XAUTHORITY enviroment variables.
+  propagate $DISPLAY and $XAUTHORITY environment variables.
  Based on http://www.gentoo.org/cgi-bin/viewcvs.cgi/sys-apps/shadow/files/shadow-4.0.4.1-su-pam_open_session.patch?rev=1.1
 - applied 036_pam_access_with_preauth.patch Debian patch submited by Bjorn
  Torkelsson <Bjorn.Torkelsson@hpc2n.umu.se>: add support for PAM account
--- a/README.md
+++ b/README.md
@ -31,6 +31,11 @@ There are several ways to contact us:
  https://alioth-lists-archive.debian.net/pipermail/pkg-shadow-commits/),
  only used for historical purposes

+## Contributions
+
+Contributions are welcome. Follow the
+[guidelines](doc/contributions/introduction.md) before posting any patches.
+
 ## Authors and maintainers
 Authors and maintainers are listed in [AUTHORS.md](
 https://github.com/shadow-maint/shadow/blob/master/AUTHORS.md).
--- a/SECURITY.md
+++ b/SECURITY.md
@ -9,3 +9,4 @@ At the moment only the latest release is supported.
 Security vulnerabilities may be reported to
 * Serge Hallyn <serge@hallyn.com> (B175CFA98F192AF2)
 * Christian Brauner <christian@brauner.io> (4880B8C9BD0E5106FC070F4F7B3C391EFEA93624)
+* Iker Pedrosa <ipedrosa@redhat.com> (4E80EF49C7987B6DE2F81F5005079C6C3A653E57)
--- a/configure.ac
+++ b/configure.ac
@ -36,31 +36,25 @@ LT_INIT
 dnl Checks for libraries.

 dnl Checks for header files.
-AC_HEADER_STDBOOL
-
-AC_CHECK_HEADERS(crypt.h errno.h fcntl.h limits.h unistd.h sys/time.h utmp.h \
-	utmpx.h termios.h termio.h sgtty.h sys/ioctl.h syslog.h paths.h \
-	utime.h ulimit.h sys/capability.h sys/random.h sys/resource.h \
-	gshadow.h lastlog.h locale.h rpc/key_prot.h netdb.h acl/libacl.h \
+AC_CHECK_HEADERS(crypt.h utmp.h \
+	termio.h sgtty.h sys/ioctl.h paths.h \
+	sys/capability.h sys/random.h \
+	gshadow.h lastlog.h rpc/key_prot.h acl/libacl.h \
 	attr/libattr.h attr/error_context.h)

 dnl shadow now uses the libc's shadow implementation
 AC_CHECK_HEADER([shadow.h],,[AC_MSG_ERROR([You need a libc with shadow.h])])

-AC_CHECK_FUNCS(arc4random_buf l64a fchmod fchown fsync futimes \
+AC_CHECK_FUNCS(arc4random_buf futimes \
 	getentropy getrandom getspnam getusershell \
-	getutent initgroups lckpwdf lutimes \
-	setgroups updwtmp updwtmpx innetgr getpwnam_r \
-	getpwuid_r getgrnam_r getgrgid_r getspnam_r \
-	memset_s explicit_bzero)
+	initgroups lckpwdf lutimes mempcpy \
+	setgroups updwtmp updwtmpx innetgr \
+	getspnam_r \
+	rpmatch \
+	memset_explicit explicit_bzero stpecpy stpeprintf)
 AC_SYS_LARGEFILE

 dnl Checks for typedefs, structures, and compiler characteristics.
-AC_CHECK_MEMBERS([struct stat.st_atim])
-AC_CHECK_MEMBERS([struct stat.st_atimensec])
-AC_CHECK_MEMBERS([struct stat.st_mtim])
-AC_CHECK_MEMBERS([struct stat.st_mtimensec])
-AC_STRUCT_TM

 AC_CHECK_MEMBERS([struct utmp.ut_type,
                  struct utmp.ut_id,
@ -74,14 +68,6 @@ AC_CHECK_MEMBERS([struct utmp.ut_type,
                  struct utmp.ut_xtime,
                  struct utmp.ut_tv],,,[[#include <utmp.h>]])

-AC_CHECK_MEMBERS([struct utmpx.ut_name,
-                  struct utmpx.ut_host,
-                  struct utmpx.ut_syslen,
-                  struct utmpx.ut_addr,
-                  struct utmpx.ut_addr_v6,
-                  struct utmpx.ut_time,
-                  struct utmpx.ut_xtime],,,[[#include <utmpx.h>]])
-
 if test "$ac_cv_header_lastlog_h" = "yes"; then
 	AC_CACHE_CHECK(for ll_host in struct lastlog,
 		ac_cv_struct_lastlog_ll_host,
@ -102,9 +88,8 @@ fi
 dnl Checks for library functions.
 AC_TYPE_GETGROUPS
 AC_FUNC_UTIME_NULL
-AC_REPLACE_FUNCS(mkdir putgrent putpwent putspent rename rmdir)
+AC_REPLACE_FUNCS(putgrent putpwent putspent)
 AC_REPLACE_FUNCS(sgetgrent sgetpwent sgetspent)
-AC_REPLACE_FUNCS(snprintf strcasecmp strdup strerror strstr)

 AC_CHECK_FUNC(setpgrp)
 AC_CHECK_FUNC(secure_getenv, [AC_DEFINE(HAS_SECURE_GETENV,
@ -116,6 +101,10 @@ if test "$ac_cv_header_shadow_h" = "yes"; then
 		ac_cv_libc_shadowgrp,
 		AC_RUN_IFELSE([AC_LANG_SOURCE([
 				#include <shadow.h>
+				#ifdef HAVE_GSHADOW_H
+				#include <gshadow.h>
+				#endif
+				int
 				main()
 				{
 					struct sgrp *sg = sgetsgent("test:x::");
@ -191,7 +180,7 @@ AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, "$shadow_cv_passwd_dir/passwd",
 	[Path to passwd program.])

 dnl XXX - quick hack, should disappear before anyone notices :).
-AC_DEFINE(USE_SYSLOG, 1, [Define to use syslog().])
+dnl XXX - I just read the above message :).
 if test "$ac_cv_func_ruserok" = "yes"; then
 	AC_DEFINE(RLOGIN, 1, [Define if login should support the -r flag for rlogind.])
 	AC_DEFINE(RUSEROK, 0, [Define to the ruserok() "success" return value (0 or 1).])
@ -226,17 +215,6 @@ AC_ARG_ENABLE(account-tools-setuid,
 	[enable_acct_tools_setuid="no"]
 )

-AC_ARG_ENABLE(utmpx,
-	[AS_HELP_STRING([--enable-utmpx],
-	                [enable loggin in utmpx / wtmpx @<:@default=no@:>@])],
-	[case "${enableval}" in
-	 yes) enable_utmpx="yes" ;;
-	  no) enable_utmpx="no" ;;
-	   *) AC_MSG_ERROR(bad value ${enableval} for --enable-utmpx) ;;
-	 esac],
-	[enable_utmpx="no"]
-)
-
 AC_ARG_ENABLE(subordinate-ids,
 	[AS_HELP_STRING([--enable-subordinate-ids],
 		[support subordinate ids @<:@default=yes@:>@])],
@ -336,12 +314,12 @@ dnl Check for some functions in libc first, only if not found check for
 dnl other libraries.  This should prevent linking libnsl if not really
 dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).

-AC_SEARCH_LIBS(inet_ntoa, inet)
-AC_SEARCH_LIBS(socket, socket)
 AC_SEARCH_LIBS(gethostbyname, nsl)

 AC_CHECK_LIB([econf],[econf_readDirs],[LIBECONF="-leconf"],[LIBECONF=""])
 if test -n "$LIBECONF"; then
+        AC_DEFINE_UNQUOTED([VENDORDIR], ["$enable_vendordir"],
+					[Directory for distribution provided configuration files])
 	ECONF_CPPFLAGS="-DUSE_ECONF=1"
 	AC_ARG_ENABLE([vendordir],
 		AS_HELP_STRING([--enable-vendordir=DIR], [Directory for distribution provided configuration files]),,[])
@ -349,6 +327,9 @@ fi
 AC_SUBST(ECONF_CPPFLAGS)
 AC_SUBST(LIBECONF)
 AC_SUBST([VENDORDIR], [$enable_vendordir])
+if test "x$enable_vendordir" != x; then
+	AC_DEFINE(HAVE_VENDORDIR, 1, [Define to support vendor settings.])
+fi
 AM_CONDITIONAL([HAVE_VENDORDIR], [test "x$enable_vendordir" != x])

 if test "$enable_shadowgrp" = "yes"; then
@ -401,6 +382,21 @@ AC_SUBST(LIYESCRYPT)
 AC_CHECK_LIB(crypt, crypt, [LIYESCRYPT=-lcrypt],
 	[AC_MSG_ERROR([crypt() not found])])

+AC_SEARCH_LIBS([readpassphrase], [bsd], [], [
+	AC_MSG_ERROR([readpassphrase() is missing, either from libc or libbsd])
+])
+AS_IF([test "$ac_cv_search_readpassphrase" = "-lbsd"], [
+	PKG_CHECK_MODULES([LIBBSD], [libbsd-overlay])
+])
+dnl Make sure either the libc or libbsd provide the header.
+save_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $LIBBSD_CFLAGS"
+AC_CHECK_HEADERS([readpassphrase.h])
+AS_IF([test "$ac_cv_header_readpassphrase_h" != "yes"], [
+	AC_MSG_ERROR([readpassphrase.h is missing])
+])
+CFLAGS="$save_CFLAGS"
+
 AC_SUBST(LIBACL)
 if test "$with_acl" != "no"; then
 	AC_CHECK_HEADERS(acl/libacl.h attr/error_context.h, [acl_header="yes"], [acl_header="no"])
@ -682,15 +678,6 @@ if test "$with_skey" = "yes"; then
 	]])],[AC_DEFINE(SKEY_BSD_STYLE, 1, [Define to support newer BSD S/Key API])],[])
 fi

-if test "$enable_utmpx" = "yes"; then
-	if test "$ac_cv_header_utmpx_h" != "yes"; then
-		AC_MSG_ERROR([The utmpx.h header file is required for utmpx support.])
-	fi
-	AC_DEFINE(USE_UTMPX,
-	          1,
-	          [Define if utmpx should be used])
-fi
-
 AC_DEFINE_UNQUOTED(SHELL, ["$SHELL"], [The default shell.])

 AM_GNU_GETTEXT_VERSION([0.19])
@ -759,4 +746,5 @@ echo "	sssd support:			$with_sssd"
 echo "	subordinate IDs support:	$enable_subids"
 echo "	use file caps:			$with_fcaps"
 echo "	install su:			$with_su"
+echo "	enabled vendor dir:             $enable_vendordir"
 echo
--- a/contrib/Makefile.am
+++ b/contrib/Makefile.am
@ -2,5 +2,5 @@
 # and also cooperate to make a distribution for `make dist'

 EXTRA_DIST = README adduser.c adduser.sh adduser2.sh \
- atudel groupmems.shar pwdauth.c shadow-anonftp.patch \
+ atudel groupmems.shar shadow-anonftp.patch \
 udbachk.tgz
--- a/contrib/adduser.c
+++ b/contrib/adduser.c
@ -60,7 +60,7 @@
 ** Added in the password date field, which should always reflect the last
 **     date the password was changed, for expiry purposes.  "passwd" always
 **     updates this field, so the adduser program should set it up right
-**     initially (or a user could keep thier initial password forever ;)
+**     initially (or a user could keep their initial password forever ;)
 **     The number is in days since Jan 1st, 1970.
 **
 **                       Have fun with it, and someone please make
@ -489,7 +489,7 @@ safeget (char *buf, int maxlen)
  while ((c = getc (stdin)) != EOF && (c != '\n') && (++i < maxlen))
    {
      bad = (!isalnum (c) && (c != '_') && (c != ' '));
-      *(buf++) = (char) c;
+      *(buf++) = c;
    }
  *buf = '\0';

--- a/contrib/pwdauth.c
+++ b/contrib/pwdauth.c
@ -1,308 +0,0 @@
-/*
- * pwdauth.c - program to verify a given username/password pair.
- *
- * Run it with username in argv[1] (may be omitted - default is the
- * current user), and send it the password over a pipe on stdin.
- * Exit status: 0 - correct password, 1 - wrong password, >1 - other
- * errors.  For use with shadow passwords, this program should be
- * installed setuid root.
- *
- * This can be used, for example, by xlock - you don't have to install
- * this large and complex (== possibly insecure) program setuid root,
- * just modify it to run this simple program to do the authentication.
- *
- * Recent versions (xlockmore-3.9) are cleaner, and drop privileges as
- * soon as possible after getting the user's encrypted password.
- * Using this program probably doesn't make it more secure, and has one
- * disadvantage: since we don't get the encrypted user's password at
- * startup (but at the time the user is authenticated), it is not clear
- * how we should handle errors (like getpwnam() returning NULL).
- * - fail the authentication?  Problem: no way to unlock (other than kill
- *   the process from somewhere else) if the NIS server stops responding.
- * - succeed and unlock?  Problem: it's too easy to unlock by unplugging
- *   the box from the network and waiting until NIS times out...
- *
- * This program is Copyright (C) 1996 Marek Michalkiewicz
- * <marekm@i17linuxb.ists.pwr.wroc.pl>.
- *
- * It may be used and distributed freely for any purposes.  There is no
- * warranty - use at your own risk.  I am not liable for any damages etc.
- * If you improve it, please send me your changes.
- */
-
-static char rcsid[] = "$Id$";
-
-/*
- * Define USE_SYSLOG to use syslog() to log successful and failed
- * authentication.  This should be safe even if your system has
- * the infamous syslog buffer overrun security problem...
- */
-#define USE_SYSLOG
-
-/*
- * Define HAVE_GETSPNAM to get shadow passwords using getspnam().
- * Some systems don't have getspnam(), but getpwnam() returns
- * encrypted passwords only if running as root.
- *
- * According to the xlock source (not tested, except Linux) -
- * define: Linux, Solaris 2.x, SVR4, ...
- * undef: HP-UX with Secured Passwords, FreeBSD, NetBSD, QNX.
- * Known not supported (yet): Ultrix, OSF/1, SCO.
- */
-#define HAVE_GETSPNAM
-
-/*
- * Define HAVE_PW_ENCRYPT to use pw_encrypt() instead of crypt().
- * pw_encrypt() is like the standard crypt(), except that it may
- * support better password hashing algorithms.
- *
- * Define if linking with libshadow.a from the shadow password
- * suite (Linux, SunOS 4.x?).
- */
-#undef HAVE_PW_ENCRYPT
-
-/*
- * Define HAVE_AUTH_METHODS to support the shadow suite specific
- * extension: the encrypted password field contains a list of
- * administrator defined authentication methods, separated by
- * semicolons.  This program only supports the standard password
- * authentication method (a string that doesn't start with '@').
- */
-#undef HAVE_AUTH_METHODS
-
-/*
- * FAIL_DELAY - number of seconds to sleep before exiting if the
- * password was wrong, to slow down password guessing attempts.
- */
-#define FAIL_DELAY 2
-
-/* No user-serviceable parts below :-).  */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <unistd.h>
-#include <pwd.h>
-
-#ifdef USE_SYSLOG
-#include <syslog.h>
-#ifndef LOG_AUTHPRIV
-#define LOG_AUTHPRIV LOG_AUTH
-#endif
-#endif
-
-#ifdef HAVE_GETSPNAM
-#include <shadow.h>
-#endif
-
-#ifdef HAVE_PW_ENCRYPT
-extern char *pw_encrypt();
-#define crypt pw_encrypt
-#endif
-
-/*
- * Read the password (one line) from fp.  We don't turn off echo
- * because we expect input from a pipe.
- */
-static char *
-get_line(fp)
-	FILE *fp;
-{
-	static char buf[128];
-	char *cp;
-	int ch;
-
-	cp = buf;
-	while ((ch = getc(fp)) != EOF && ch != '\0' && ch != '\n') {
-		if (cp >= buf + sizeof buf - 1)
-			break;
-		*cp++ = ch;
-	}
-	*cp = '\0';
-	return buf;
-}
-
-/*
- * Get the password file entry for the current user.  If the name
- * returned by getlogin() is correct (matches the current real uid),
- * return the entry for that user.  Otherwise, return the entry (if
- * any) matching the current real uid.  Return NULL on failure.
- */
-static struct passwd *
-get_my_pwent()
-{
-	uid_t uid = getuid();
-	char *name = getlogin();
-
-	if (name && *name) {
-		struct passwd *pw = getpwnam(name);
-
-		if (pw && pw->pw_uid == uid)
-			return pw;
-	}
-	return getpwuid(uid);
-}
-
-/*
- * Verify the password.  The system-dependent shadow support is here.
- */
-static int
-password_auth_ok(pw, pass)
-	const struct passwd *pw;
-	const char *pass;
-{
-	int result;
-	char *cp;
-#ifdef HAVE_AUTH_METHODS
-	char *buf;
-#endif
-#ifdef HAVE_GETSPNAM
-	struct spwd *sp;
-#endif
-
-	if (pw) {
-#ifdef HAVE_GETSPNAM
-		sp = getspnam(pw->pw_name);
-		if (sp)
-			cp = sp->sp_pwdp;
-		else
-#endif
-			cp = pw->pw_passwd;
-	} else
-		cp = "xx";
-
-#ifdef HAVE_AUTH_METHODS
-	buf = strdup(cp);  /* will be modified by strtok() */
-	if (!buf) {
-		fprintf(stderr, "Out of memory.\n");
-		exit(13);
-	}
-	cp = strtok(buf, ";");
-	while (cp && *cp == '@')
-		cp = strtok(NULL, ";");
-
-	/* fail if no password authentication for this user */
-	if (!cp)
-		cp = "xx";
-#endif
-
-	if (*pass || *cp)
-		result = (strcmp(crypt(pass, cp), cp) == 0);
-	else
-		result = 1;  /* user with no password */
-
-#ifdef HAVE_AUTH_METHODS
-	free(buf);
-#endif
-	return result;
-}
-
-/*
- * Main program.
- */
-int
-main(argc, argv)
-	int argc;
-	char **argv;
-{
-	struct passwd *pw;
-	char *pass, *name;
-	char myname[32];
-
-#ifdef USE_SYSLOG
-	openlog("pwdauth", LOG_PID | LOG_CONS, LOG_AUTHPRIV);
-#endif
-	pw = get_my_pwent();
-	if (!pw) {
-#ifdef USE_SYSLOG
-		syslog(LOG_ERR, "can't get login name for uid %d.\n",
-		       (int) getuid());
-#endif
-		fprintf(stderr, "Who are you?\n");
-		exit(2);
-	}
-	strncpy(myname, pw->pw_name, sizeof myname - 1);
-	myname[sizeof myname - 1] = '\0';
-	name = myname;
-
-	if (argc > 1) {
-		name = argv[1];
-		pw = getpwnam(name);
-	}
-
-	pass = get_line(stdin);
-	if (password_auth_ok(pw, pass)) {
-#ifdef USE_SYSLOG
-		syslog(pw->pw_uid ? LOG_INFO : LOG_NOTICE,
-		       "user `%s' entered correct password for `%.32s'.\n",
-		       myname, name);
-#endif
-		exit(0);
-	}
-#ifdef USE_SYSLOG
-	/* be careful not to overrun the syslog buffer */
-	syslog((!pw || pw->pw_uid) ? LOG_NOTICE : LOG_WARNING,
-	       "user `%s' entered incorrect password for `%.32s'.\n",
-	       myname, name);
-#endif
-#ifdef FAIL_DELAY
-	sleep(FAIL_DELAY);
-#endif
-	fprintf(stderr, "Wrong password.\n");
-	exit(1);
-}
-
-#if 0
-/*
- * You can use code similar to the following to run this program.
- * Return values: >=0 - program exit status (use the <sys/wait.h>
- * macros to get the exit code, it is shifted left by 8 bits),
- * -1 - check errno.
- */
-int
-verify_password(const char *username, const char *password)
-{
-	int pipe_fd[2];
-	int pid, wpid, status;
-
-	if (pipe(pipe_fd))
-		return -1;
-	
-	if ((pid = fork()) == 0) {
-		char *arg[3];
-		char *env[1];
-
-		/* child */
-		close(pipe_fd[1]);
-		if (pipe_fd[0] != 0) {
-			if (dup2(pipe_fd[0], 0) != 0)
-				_exit(127);
-			close(pipe_fd[0]);
-		}
-		arg[0] = "/usr/bin/pwdauth";
-		arg[1] = username;
-		arg[2] = NULL;
-		env[0] = NULL;
-		execve(arg[0], arg, env);
-		_exit(127);
-	} else if (pid == -1) {
-		/* error */
-		close(pipe_fd[0]);
-		close(pipe_fd[1]);
-		return -1;
-	}
-	/* parent */
-	close(pipe_fd[0]);
-	write(pipe_fd[1], password, strlen(password));
-	write(pipe_fd[1], "\n", 1);
-	close(pipe_fd[1]);
-
-	while ((wpid = wait(&status)) != pid) {
-		if (wpid == -1)
-			return -1;
-	}
-	return status;
-}
-#endif
--- a/doc/WISHLIST
+++ b/doc/WISHLIST
@ -26,7 +26,6 @@ New ideas to add to this list are welcome, too.  --marekm
 - vipw: check password files for errors after editing
 - add "maximum time users allowed to stay logged in" limit option to logoutd
 - handle quotes in /etc/environment like the shell does (but sshd doesn't...)
- better utmpx support (logoutd, ...)
 - better OPIE support (report number of logins left, etc.)
 - new option for /etc/suauth: don't load user's environment (force "su -")
  suggested by Ulisses Alonso Camaro
--- a/doc/contributions/build_install.md
+++ b/doc/contributions/build_install.md
@ -0,0 +1,68 @@
+# Build & install
+
+The following page explains how to build and install the shadow project.
+Additional information on how to do this in a container environment is provided
+at the end of the page.
+
+## Local
+
+### Dependency installation
+
+This projects depends on other software packages that need to be installed
+before building it. We recommend using the dependency installation commands
+provided by the distributions to install them. Some examples below.
+
+Debian:
+```
+apt-get build-dep shadow
+```
+
+Fedora:
+```
+dnf builddep shadow-utils
+```
+
+### Configure
+
+The first step is to configure it. You can use the
+`autogen.sh` script provided by the project. Example:
+
+```
+./autogen.sh --without-selinux --enable-man --with-yescrypt
+```
+
+### Build
+
+The next step is to build the project:
+
+```
+make -j4
+```
+
+### Install
+
+The last step is to install it. We recommend avoiding this step and using a
+disposable system like a VM or a container instead.
+
+```
+make install
+```
+
+## Containers
+
+Alternatively, you can use any of the preconfigured container images builders
+to build and install shadow.
+
+You can either generate a single image by running the following command from
+the root folder of the project (i.e. Alpine):
+
+```
+docker build -f share/containers/alpine.dockerfile . --output build-out/alpine
+```
+
+Or generate all of the images with the `container-build.sh` script, as if you
+were running some of the CI checks locally:
+
+```
+share/container-build.sh
+```
--- a/doc/contributions/ci.md
+++ b/doc/contributions/ci.md
@ -0,0 +1,25 @@
+# Continuous Integration (CI)
+
+Shadow runs a CI workflow every time a pull-request (PR) is updated. This
+workflow contains several checks to assure the quality of the project, and
+only pull-requests with green results are merged.
+
+## Build & install
+
+The project is built & installed on Ubuntu, Alpine, Debian and Fedora. The last
+three distributions are built & installed on containers, and the workflow can
+be triggered locally by following the instructions specified in the
+[Build & install](build_install.md#containers) page.
+
+## System tests
+
+The project is tested on Ubuntu. For that purpose it is built & installed in
+this distribution in a VM. You can run this step locally by following the
+instructions provided in the [Tests](tests.md#system-tests) page.
+
+## Static code analysis
+
+C and shell static code analysis is also executed. For that purpose
+[CodeQL](https://codeql.github.com/) and
+[Differential ShellCheck](https://github.com/marketplace/actions/differential-shellcheck)
+are used.
--- a/doc/contributions/coding_style.md
+++ b/doc/contributions/coding_style.md
@ -0,0 +1,12 @@
+# Coding style
+
+* For a general guidance refer to the
+[Linux kernel coding style](https://www.kernel.org/doc/html/latest/process/coding-style.html)
+
+* Patches that change the existing coding style are not welcome, as they make
+downstream porting harder for the distributions
+
+## Indentation
+
+Tabs are preferred over spaces for indentation. Loading the `.editorconfig`
+file in your preferred IDE may help you configure it.
--- a/doc/contributions/introduction.md
+++ b/doc/contributions/introduction.md
@ -0,0 +1,77 @@
+# Introduction
+
+## Git and Github
+
+We recommend you to get familiar with the
+[git](https://guides.github.com/introduction/git-handbook) and
+[Github](https://guides.github.com) workflows before posting any changes.
+
+### Set up in a nut shell
+
+The following steps describe the process in a nut shell to provide you a basic
+template:
+
+* Create an account on [GitHub](https://github.com)
+* Fork the [shadow repository](https://github.com/shadow-maint/shadow)
+* Clone the shadow repository
+
+```
+git clone https://github.com/shadow-maint/shadow.git
+```
+
+* Add your fork as an extra remote
+
+```
+git remote add $ghusername git@github.com:$ghusername/shadow.git
+```
+
+* Setup your name contact e-mail that you want to use for the development
+
+```
+git config user.name "John Smith"
+git config user.email "john.smith@home.com"
+```
+
+**Note**: this will setup the user information only for this repository. You
+can also add `--global` switch to the `git config` command to setup these
+options globally and thus making them available in every git repository.
+
+* Create a working branch
+
+```
+git checkout -b my-changes
+```
+
+* Commit changes
+
+```
+vim change-what-you-need
+git commit -s
+```
+
+Check
+[the kernel patches guide](https://www.kernel.org/doc/html/v4.14/process/submitting-patches.html#describe-your-changes)
+to get an idea on how to write a good commit message.
+
+* Push your changes to your GitHub repository
+
+```
+git push $ghusername my-changes --force
+```
+
+* Open a Pull Request against shadow project by clicking on the link provided
+in the output of the previous step
+
+* Make sure that all Continuous Integration checks are green and wait review
+
+## Internal guidelines
+
+Additionally, you should also check the following internal guidelines to
+understand the project's development model:
+
+* [Build & install](build_install.md)
+* [Coding style](coding_style.md)
+* [Tests](tests.md)
+* [Continuous Integration](CI.md)
+* [Releases](releases.md)
+* [License](license.md)
--- a/doc/contributions/license.md
+++ b/doc/contributions/license.md
@ -0,0 +1,10 @@
+# License
+
+All new source code committed to the shadow project is assumed to be made
+available under the [BSD-3-Clause](../../COPYING) license unless the submitter
+specifies another license at that time. The shadow maintainers reserve the
+right to refuse a submission if the license is deemed incompatible with the
+goals of the project.
+
+**Note**: old code may be made available under another license, check the
+license tag for each file to get additional information.
--- a/doc/contributions/releases.md
+++ b/doc/contributions/releases.md
@ -0,0 +1,7 @@
+# Releases
+
+The shadow project doesn't follow any specific timeline to release new software
+versions. Usually, they are released when a major milestone is finished.
+
+Released source code, alongside the release notes, are provided in the
+[release Github page](https://github.com/shadow-maint/shadow/releases).
--- a/doc/contributions/tests.md
+++ b/doc/contributions/tests.md
@ -0,0 +1,18 @@
+# Tests
+
+Currently, shadow only provides system tests.
+
+## System tests
+
+These type of tests are written in shell. Unfortunately, the testing framework
+is tightly coupled to the Ubuntu distribution and it can only be run in this
+distribution. Besides, if anything fails during the execution the system can
+be left in an unstable state. Taking that into account you shouldn't run this
+workflow in your host machine, we recommend to use a disposable system like a
+VM or a container instead.
+
+You can execute system tests by running:
+
+```
+cd tests && ./run_all`.
+```
--- a/etc/login.defs
+++ b/etc/login.defs
@ -127,7 +127,7 @@ SU_NAME		su
 #   Directory where mailboxes reside, _or_ name of file, relative to the
 #   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
 #
-MAIL_DIR	/var/spool/mail
+MAIL_DIR	/var/mail
 #MAIL_FILE	.mail

 #
@ -159,7 +159,7 @@ ENV_HZ		HZ=100
 #
 # (they are minimal, add the rest in the shell startup files)
 ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH	PATH=/bin:/usr/bin
+ENV_PATH	PATH=/usr/bin:/usr/local/bin

 #
 # Terminal permissions
@ -335,6 +335,7 @@ CHFN_RESTRICT		rwh
 # the PAM modules configuration.
 #
 #ENCRYPT_METHOD DES
+ENCRYPT_METHOD SHA512

 #
 # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
@ -351,7 +352,9 @@ CHFN_RESTRICT		rwh
 # If MIN > MAX, the highest value will be used.
 #
 #SHA_CRYPT_MIN_ROUNDS 5000
+SHA_CRYPT_MIN_ROUNDS 500000
 #SHA_CRYPT_MAX_ROUNDS 5000
+SHA_CRYPT_MAX_ROUNDS 500000

 #
 # Only works if ENCRYPT_METHOD is set to BCRYPT.
--- a/etc/shadow-maint/groupdel-pre.d/01-kill_group_procs.sh
+++ b/etc/shadow-maint/groupdel-pre.d/01-kill_group_procs.sh
@ -0,0 +1,26 @@
+#!/bin/sh
+
+PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+GROUPID=`awk -F: '$1 == "'"${SUBJECT}"'" { print $3 }' /etc/group`
+
+if [ "${GROUPID}" = "" ]; then
+    exit 0
+fi
+
+for status in /proc/*/status; do
+    # either this isn't a process or its already dead since expanding the list
+    [ -f "$status" ] || continue
+
+    tbuf=${status%/status}
+    pid=${tbuf#/proc/}
+    case "$pid" in
+        "$$") continue;;
+        [0-9]*) :;;
+        *) continue
+    esac
+    
+    grep -q '^Groups:.*\b'"${GROUPID}"'\b.*' "/proc/$pid/status" || continue
+
+    kill -9 "$pid" || echo "cannot kill $pid" 1>&2
+done
+
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@ -11,6 +11,7 @@ libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
 endif

 libshadow_la_CPPFLAGS += -I$(top_srcdir)
+libshadow_la_CFLAGS = $(LIBBSD_CFLAGS)

 libshadow_la_SOURCES = \
 	commonio.c \
@ -65,8 +66,7 @@ libshadow_la_SOURCES = \
 	shadowio.c \
 	shadowio.h \
 	shadowmem.c \
-	spawn.c \
-	utent.c
+	spawn.c

 if WITH_TCB
 libshadow_la_SOURCES += tcbfuncs.c tcbfuncs.h
--- a/lib/alloc.h
+++ b/lib/alloc.h
@ -0,0 +1,122 @@
+/*
+ * SPDX-FileCopyrightText:  2023, Alejandro Colomar <alx@kernel.org>
+ *
+ * SPDX-License-Identifier:  BSD-3-Clause
+ */
+
+
+#ifndef SHADOW_INCLUDE_LIB_MALLOC_H_
+#define SHADOW_INCLUDE_LIB_MALLOC_H_
+
+
+#include <config.h>
+
+#include <assert.h>
+#include <errno.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "defines.h"
+
+
+#define ALLOCARRAY(n, type)    ((type *) alloca(sizeof(type) * (n)))
+#define CALLOC(n, type)        ((type *) calloc(n, sizeof(type)))
+#define XCALLOC(n, type)       ((type *) xcalloc(n, sizeof(type)))
+#define MALLOCARRAY(n, type)   ((type *) mallocarray(n, sizeof(type)))
+#define XMALLOCARRAY(n, type)  ((type *) xmallocarray(n, sizeof(type)))
+
+#define ALLOCA(type)           ALLOCARRAY(1, type)
+#define MALLOC(type)           MALLOCARRAY(1, type)
+#define XMALLOC(type)          XMALLOCARRAY(1, type)
+#define REALLOC(ptr, type)     REALLOCARRAY(ptr, 1, type)
+#define REALLOCF(ptr, type)    REALLOCARRAYF(ptr, 1, type)
+
+#define REALLOCARRAY(ptr, n, type)                                            \
+({                                                                            \
+	__auto_type  p_ = (ptr);                                              \
+                                                                              \
+	static_assert(__builtin_types_compatible_p(typeof(p_), type *), "");  \
+                                                                              \
+	(type *) reallocarray(p_, n, sizeof(type));                           \
+})
+
+#define REALLOCARRAYF(ptr, n, type)                                           \
+({                                                                            \
+	__auto_type  p_ = (ptr);                                              \
+                                                                              \
+	static_assert(__builtin_types_compatible_p(typeof(p_), type *), "");  \
+                                                                              \
+	(type *) reallocarrayf(p_, n, sizeof(type));                          \
+})
+
+#define XREALLOCARRAY(ptr, n, type)                                           \
+({                                                                            \
+	__auto_type  p_ = (ptr);                                              \
+                                                                              \
+	static_assert(__builtin_types_compatible_p(typeof(p_), type *), "");  \
+                                                                              \
+	(type *) xreallocarray(p_, n, sizeof(type));                          \
+})
+
+
+ATTR_MALLOC(free)
+inline void *xmalloc(size_t size);
+ATTR_MALLOC(free)
+inline void *xmallocarray(size_t nmemb, size_t size);
+ATTR_MALLOC(free)
+inline void *mallocarray(size_t nmemb, size_t size);
+ATTR_MALLOC(free)
+inline void *reallocarrayf(void *p, size_t nmemb, size_t size);
+ATTR_MALLOC(free)
+inline char *xstrdup(const char *str);
+
+ATTR_MALLOC(free)
+void *xcalloc(size_t nmemb, size_t size);
+ATTR_MALLOC(free)
+void *xreallocarray(void *p, size_t nmemb, size_t size);
+
+
+inline void *
+xmalloc(size_t size)
+{
+	return xmallocarray(1, size);
+}
+
+
+inline void *
+xmallocarray(size_t nmemb, size_t size)
+{
+	return xreallocarray(NULL, nmemb, size);
+}
+
+
+inline void *
+mallocarray(size_t nmemb, size_t size)
+{
+	return reallocarray(NULL, nmemb, size);
+}
+
+
+inline void *
+reallocarrayf(void *p, size_t nmemb, size_t size)
+{
+	void  *q;
+
+	q = reallocarray(p, nmemb, size);
+
+	/* realloc(p, 0) is equivalent to free(p);  avoid double free.  */
+	if (q == NULL && nmemb != 0 && size != 0)
+		free(p);
+	return q;
+}
+
+
+inline char *
+xstrdup(const char *str)
+{
+	return strcpy(XMALLOCARRAY(strlen(str) + 1, char), str);
+}
+
+
+#endif  // include guard
--- a/lib/bit.h
+++ b/lib/bit.h
@ -0,0 +1,53 @@
+/*
+ * SPDX-FileCopyrightText:  2022 - 2023, Alejandro Colomar <alx@kernel.org>
+ *
+ * SPDX-License-Identifier:  BSD-3-Clause
+ */
+
+
+#ifndef SHADOW_INCLUDE_LIB_BIT_H_
+#define SHADOW_INCLUDE_LIB_BIT_H_
+
+
+#include <config.h>
+
+#include <limits.h>
+
+
+#ifndef ULONG_WIDTH
+#define ULONG_WIDTH (sizeof(unsigned long) * CHAR_BIT)
+#endif
+
+
+inline unsigned long bit_ceilul(unsigned long x);
+inline unsigned long bit_ceil_wrapul(unsigned long x);
+inline int leading_zerosul(unsigned long x);
+
+
+/* stdc_bit_ceilul(3) */
+inline unsigned long
+bit_ceilul(unsigned long x)
+{
+	return 1 + (ULONG_MAX >> leading_zerosul(x));
+}
+
+
+/* stdc_bit_ceilul(3), but wrap instead of having Undefined Behavior */
+inline unsigned long
+bit_ceil_wrapul(unsigned long x)
+{
+	if (x == 0)
+		return 0;
+
+	return bit_ceilul(x);
+}
+
+/* stdc_leading_zerosul(3) */
+inline int
+leading_zerosul(unsigned long x)
+{
+	return (x == 0) ? ULONG_WIDTH : __builtin_clzl(x);
+}
+
+
+#endif  // include guard
--- a/lib/commonio.c
+++ b/lib/commonio.c
@ -21,6 +21,8 @@
 #include <errno.h>
 #include <stdio.h>
 #include <signal.h>
+
+#include "alloc.h"
 #include "nscd.h"
 #include "sssd.h"
 #ifdef WITH_TCB
@ -251,25 +253,13 @@ static /*@null@*/ /*@dependent@*/FILE *fopen_set_perms (
 		return NULL;
 	}

-#ifdef HAVE_FCHOWN
 	if (fchown (fileno (fp), sb->st_uid, sb->st_gid) != 0) {
 		goto fail;
 	}
-#else				/* !HAVE_FCHOWN */
-	if (chown (name, sb->st_mode) != 0) {
-		goto fail;
-	}
-#endif				/* !HAVE_FCHOWN */
-
-#ifdef HAVE_FCHMOD
 	if (fchmod (fileno (fp), sb->st_mode & 0664) != 0) {
 		goto fail;
 	}
-#else				/* !HAVE_FCHMOD */
-	if (chmod (name, sb->st_mode & 0664) != 0) {
-		goto fail;
-	}
-#endif				/* !HAVE_FCHMOD */
+
 	return fp;

      fail:
@ -374,11 +364,11 @@ int commonio_lock_nowait (struct commonio_db *db, bool log)
 	}
 	file_len = strlen(db->filename) + 11;/* %lu max size */
 	lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
-	file = (char*)malloc(file_len);
+	file = MALLOCARRAY(file_len, char);
 	if (file == NULL) {
 		goto cleanup_ENOMEM;
 	}
-	lock = (char*)malloc(lock_file_len);
+	lock = MALLOCARRAY(lock_file_len, char);
 	if (lock == NULL) {
 		goto cleanup_ENOMEM;
 	}
@ -618,7 +608,7 @@ int commonio_open (struct commonio_db *db, int mode)

 	fd = open (db->filename,
 	             (db->readonly ? O_RDONLY : O_RDWR)
-	           | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
+	           | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
 	saved_errno = errno;
 	db->fp = NULL;
 	if (fd >= 0) {
@ -649,22 +639,19 @@ int commonio_open (struct commonio_db *db, int mode)
 		return 0;
 	}

-	/* Do not inherit fd in spawned processes (e.g. nscd) */
-	fcntl (fileno (db->fp), F_SETFD, FD_CLOEXEC);
-
 	buflen = BUFLEN;
-	buf = (char *) malloc (buflen);
+	buf = MALLOCARRAY (buflen, char);
 	if (NULL == buf) {
 		goto cleanup_ENOMEM;
 	}

-	while (db->ops->fgets (buf, (int) buflen, db->fp) == buf) {
+	while (db->ops->fgets (buf, buflen, db->fp) == buf) {
 		while (   ((cp = strrchr (buf, '\n')) == NULL)
 		       && (feof (db->fp) == 0)) {
 			size_t len;

 			buflen += BUFLEN;
-			cp = (char *) realloc (buf, buflen);
+			cp = REALLOCARRAY (buf, buflen, char);
 			if (NULL == cp) {
 				goto cleanup_buf;
 			}
@ -698,7 +685,7 @@ int commonio_open (struct commonio_db *db, int mode)
 			}
 		}

-		p = (struct commonio_entry *) malloc (sizeof *p);
+		p = MALLOC (struct commonio_entry);
 		if (NULL == p) {
 			goto cleanup_entry;
 		}
@ -775,7 +762,7 @@ commonio_sort (struct commonio_db *db, int (*cmp) (const void *, const void *))
 		return 0;
 	}

-	entries = malloc (n * sizeof (struct commonio_entry *));
+	entries = MALLOCARRAY (n, struct commonio_entry *);
 	if (entries == NULL) {
 		return -1;
 	}
@ -998,13 +985,11 @@ int commonio_close (struct commonio_db *db)
 	if (fflush (db->fp) != 0) {
 		errors++;
 	}
-#ifdef HAVE_FSYNC
+
 	if (fsync (fileno (db->fp)) != 0) {
 		errors++;
 	}
-#else				/* !HAVE_FSYNC */
-	sync ();
-#endif				/* !HAVE_FSYNC */
+
 	if (fclose (db->fp) != 0) {
 		errors++;
 	}
@ -1096,7 +1081,7 @@ int commonio_update (struct commonio_db *db, const void *eptr)
 		return 1;
 	}
 	/* not found, new entry */
-	p = (struct commonio_entry *) malloc (sizeof *p);
+	p = MALLOC (struct commonio_entry);
 	if (NULL == p) {
 		db->ops->free (nentry);
 		errno = ENOMEM;
@ -1133,7 +1118,7 @@ int commonio_append (struct commonio_db *db, const void *eptr)
 		return 0;
 	}
 	/* new entry */
-	p = (struct commonio_entry *) malloc (sizeof *p);
+	p = MALLOC (struct commonio_entry);
 	if (NULL == p) {
 		db->ops->free (nentry);
 		errno = ENOMEM;
@ -1200,6 +1185,8 @@ int commonio_remove (struct commonio_db *db, const char *name)
 		db->ops->free (p->eptr);
 	}

+	free(p);
+
 	return 1;
 }

--- a/lib/commonio.h
+++ b/lib/commonio.h
@ -123,6 +123,7 @@ extern int commonio_setname (struct commonio_db *, const char *);
 extern bool commonio_present (const struct commonio_db *db);
 extern int commonio_lock (struct commonio_db *);
 extern int commonio_lock_nowait (struct commonio_db *, bool log);
+extern int do_fcntl_lock (const char *file, bool log, short type);
 extern int commonio_open (struct commonio_db *, int);
 extern /*@observer@*/ /*@null@*/const void *commonio_locate (struct commonio_db *, const char *);
 extern int commonio_update (struct commonio_db *, const void *);
--- a/lib/defines.h
+++ b/lib/defines.h
@ -6,41 +6,8 @@

 #include "config.h"

-#if HAVE_STDBOOL_H
-# include <stdbool.h>
-#else
-# if ! HAVE__BOOL
-#  ifdef __cplusplus
-typedef bool _Bool;
-#  else
-typedef unsigned char _Bool;
-#  endif
-# endif
-# define bool _Bool
-# define false (0)
-# define true  (1)
-# define __bool_true_false_are_defined 1
-#endif
-
-/* Take care of NLS matters.  */
-#ifdef S_SPLINT_S
-extern char *setlocale(int categories, const char *locale);
-# define LC_ALL		(6)
-extern char * bindtextdomain (const char * domainname, const char * dirname);
-extern char * textdomain (const char * domainname);
-# define _(Text) Text
-# define ngettext(Msgid1, Msgid2, N) \
-    ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2))
-#else
-#ifdef HAVE_LOCALE_H
-# include <locale.h>
-#else
-# undef setlocale
-# define setlocale(category, locale)	(NULL)
-# ifndef LC_ALL
-#  define LC_ALL	6
-# endif
-#endif
+#include <stdbool.h>
+#include <locale.h>

 #define gettext_noop(String) (String)
 /* #define gettext_def(String) "#define String" */
@ -57,22 +24,17 @@ extern char * textdomain (const char * domainname);
 # define ngettext(Msgid1, Msgid2, N) \
    ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2))
 #endif
-#endif

 #include <stdlib.h>
 #include <string.h>

-#if HAVE_ERRNO_H
-# include <errno.h>
-#endif
+#include <errno.h>

 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/wait.h>

-#if HAVE_UNISTD_H
-# include <unistd.h>
-#endif
+#include <unistd.h>

 /*
 * crypt(3), crypt_gensalt(3), and their
@ -85,17 +47,15 @@ extern char * textdomain (const char * domainname);
 #include <sys/time.h>
 #include <time.h>

-#ifdef HAVE_MEMSET_S
-# define memzero(ptr, size) memset_s((ptr), 0, (size))
+#ifdef HAVE_MEMSET_EXPLICIT
+# define memzero(ptr, size) memset_explicit((ptr), 0, (size))
 #elif defined HAVE_EXPLICIT_BZERO	/* !HAVE_MEMSET_S */
 # define memzero(ptr, size) explicit_bzero((ptr), (size))
 #else					/* !HAVE_MEMSET_S && HAVE_EXPLICIT_BZERO */
 static inline void memzero(void *ptr, size_t size)
 {
-	volatile unsigned char * volatile p = ptr;
-	while (size--) {
-		*p++ = '\0';
-	}
+	ptr = memset(ptr, '\0', size);
+	__asm__ __volatile__ ("" : : "r"(ptr) : "memory");
 }
 #endif					/* !HAVE_MEMSET_S && !HAVE_EXPLICIT_BZERO */

@ -123,7 +83,6 @@ static inline void memzero(void *ptr, size_t size)
 #endif
 #endif

-#ifdef USE_SYSLOG
 #include <syslog.h>

 #ifndef LOG_WARN
@ -170,14 +129,6 @@ static inline void memzero(void *ptr, size_t size)
 #define SYSLOG(x) syslog x
 #endif				/* !ENABLE_NLS */

-#else				/* !USE_SYSLOG */
-
-#define SYSLOG(x)		/* empty */
-#define openlog(a,b,c)		/* empty */
-#define closelog()		/* empty */
-
-#endif				/* !USE_SYSLOG */
-
 /* The default syslog settings can now be changed here,
   in just one place.  */

@ -192,33 +143,10 @@ static inline void memzero(void *ptr, size_t size)

 #define OPENLOG(progname) openlog(progname, SYSLOG_OPTIONS, SYSLOG_FACILITY)

-#ifndef F_OK
-# define F_OK 0
-# define X_OK 1
-# define W_OK 2
-# define R_OK 4
-#endif
-
-#ifndef SEEK_SET
-# define SEEK_SET 0
-# define SEEK_CUR 1
-# define SEEK_END 2
-#endif
-
-#if HAVE_TERMIOS_H
-# include <termios.h>
-# define STTY(fd, termio) tcsetattr(fd, TCSANOW, termio)
-# define GTTY(fd, termio) tcgetattr(fd, termio)
-# define TERMIO struct termios
-# define USE_TERMIOS
-#else				/* assumed HAVE_TERMIO_H */
-# include <sys/ioctl.h>
-# include <termio.h>
-# define STTY(fd, termio) ioctl(fd, TCSETA, termio)
-# define GTTY(fd, termio) ioctl(fd, TCGETA, termio)
-# define TEMRIO struct termio
-# define USE_TERMIO
-#endif
+#include <termios.h>
+#define STTY(fd, termio) tcsetattr(fd, TCSANOW, termio)
+#define GTTY(fd, termio) tcgetattr(fd, termio)
+#define TERMIO struct termios

 /*
 * Password aging constants
@ -241,6 +169,10 @@ static inline void memzero(void *ptr, size_t size)
 #define SCALE DAY
 #endif

+#define WIDTHOF(x)   (sizeof(x) * CHAR_BIT)
+#define NITEMS(arr)  (sizeof((arr)) / sizeof((arr)[0]))
+#define STRLEN(s)    (NITEMS(s) - 1)
+
 /* Copy string pointed by B to array A with size checking.  It was originally
   in lmain.c but is _very_ useful elsewhere.  Some setuid root programs with
   very sloppy coding used to assume that BUFSIZ will always be enough...  */
@ -267,18 +199,6 @@ static inline void memzero(void *ptr, size_t size)
 #endif
 #endif

-#ifndef NULL
-#define NULL ((void *) 0)
-#endif
-
-#ifdef sun			/* hacks for compiling on SunOS */
-# ifndef SOLARIS
-extern int fputs ();
-extern char *strdup ();
-extern char *strerror ();
-# endif
-#endif
-
 /*
 * string to use for the pw_passwd field in /etc/passwd when using
 * shadow passwords - most systems use "x" but there are a few
@ -303,33 +223,28 @@ extern char *strerror ();

 /* To be used for verified unused parameters */
 #if defined(__GNUC__) && !defined(__STRICT_ANSI__)
-# define unused __attribute__((unused))
+# define unused    __attribute__((unused))
+# define NORETURN  __attribute__((__noreturn__))
 # define format_attr(type, index, check) __attribute__((format (type, index, check)))
 #else
 # define unused
+# define NORETURN
 # define format_attr(type, index, check)
 #endif

 /* Maximum length of usernames */
-#ifdef HAVE_UTMPX_H
-# include <utmpx.h>
-# define USER_NAME_MAX_LENGTH (sizeof (((struct utmpx *)NULL)->ut_user))
-#else
-# include <utmp.h>
-# ifdef HAVE_STRUCT_UTMP_UT_USER
-#  define USER_NAME_MAX_LENGTH (sizeof (((struct utmp *)NULL)->ut_user))
-# else
-#  ifdef HAVE_STRUCT_UTMP_UT_NAME
-#   define USER_NAME_MAX_LENGTH (sizeof (((struct utmp *)NULL)->ut_name))
-#  else
-#   define USER_NAME_MAX_LENGTH 32
-#  endif
-# endif
-#endif
+#include <utmp.h>
+#define USER_NAME_MAX_LENGTH (sizeof (((struct utmp *)NULL)->ut_user))

 /* Maximum length of passwd entry */
 #define PASSWD_ENTRY_MAX_LENGTH 32768

+#if (__GNUC__ >= 11) && !defined(__clang__)
+# define ATTR_MALLOC(deallocator)  [[gnu::malloc(deallocator)]]
+#else
+# define ATTR_MALLOC(deallocator)
+#endif
+
 #ifdef HAVE_SECURE_GETENV
 #  define shadow_getenv(name) secure_getenv(name)
 # else
--- a/lib/fields.c
+++ b/lib/fields.c
@ -21,9 +21,9 @@
 *
 * The supplied field is scanned for non-printable and other illegal
 * characters.
- *  + -1 is returned if an illegal character is present.
- *  +  1 is returned if no illegal characters are present, but the field
- *       contains a non-printable character.
+ *  + -1 is returned if an illegal or control character is present.
+ *  +  1 is returned if no illegal or control characters are present,
+ *       but the field contains a non-printable character.
 *  +  0 is returned otherwise.
 */
 int valid_field (const char *field, const char *illegal)
@ -37,20 +37,19 @@ int valid_field (const char *field, const char *illegal)

 	/* For each character of field, search if it appears in the list
 	 * of illegal characters. */
-	for (cp = field; '\0' != *cp; cp++) {
-		if (strchr (illegal, *cp) != NULL) {
-			err = -1;
-			break;
-		}
+	if (illegal && NULL != strpbrk (field, illegal)) {
+		return -1;
 	}

-	if (0 == err) {
-		/* Search if there are some non-printable characters */
-		for (cp = field; '\0' != *cp; cp++) {
-			if (!isprint (*cp)) {
-				err = 1;
-				break;
-			}
+	/* Search if there are non-printable or control characters */
+	for (cp = field; '\0' != *cp; cp++) {
+		unsigned char c = *cp;
+		if (!isprint (c)) {
+			err = 1;
+		}
+		if (iscntrl (c)) {
+			err = -1;
+			break;
 		}
 	}

@ -74,7 +73,7 @@ void change_field (char *buf, size_t maxsize, const char *prompt)

 	printf ("\t%s [%s]: ", prompt, buf);
 	(void) fflush (stdout);
-	if (fgets (newf, (int) maxsize, stdin) != newf) {
+	if (fgets (newf, maxsize, stdin) != newf) {
 		return;
 	}

@ -91,17 +90,16 @@ void change_field (char *buf, size_t maxsize, const char *prompt)
 		 * entering a space.  --marekm
 		 */

-		while (--cp >= newf && isspace (*cp));
-		cp++;
+		while (newf < cp && isspace (cp[-1])) {
+			cp--;
+		}
 		*cp = '\0';

 		cp = newf;
-		while (('\0' != *cp) && isspace (*cp)) {
+		while (isspace (*cp)) {
 			cp++;
 		}

-		strncpy (buf, cp, maxsize - 1);
-		buf[maxsize - 1] = '\0';
+		strcpy (buf, cp);
 	}
 }
-
--- a/lib/get_gid.c
+++ b/lib/get_gid.c
@ -25,7 +25,7 @@ int get_gid (const char *gidstr, gid_t *gid)
 		return 0;
 	}

-	*gid = (gid_t)val;
+	*gid = val;
 	return 1;
 }

--- a/lib/get_pid.c
+++ b/lib/get_pid.c
@ -10,6 +10,9 @@

 #include "prototypes.h"
 #include "defines.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>

 int get_pid (const char *pidstr, pid_t *pid)
 {
@ -21,11 +24,79 @@ int get_pid (const char *pidstr, pid_t *pid)
 	if (   ('\0' == *pidstr)
 	    || ('\0' != *endptr)
 	    || (ERANGE == errno)
+	    || (val < 1)
 	    || (/*@+longintegral@*/val != (pid_t)val)/*@=longintegral@*/) {
 		return 0;
 	}

-	*pid = (pid_t)val;
+	*pid = val;
 	return 1;
 }

+/*
+ * If use passed in fd:4 as an argument, then return the
+ * value '4', the fd to use.
+ * On error, return -1.
+ */
+int get_pidfd_from_fd(const char *pidfdstr)
+{
+	long long int val;
+	char *endptr;
+	struct stat st;
+	dev_t proc_st_dev, proc_st_rdev;
+
+	errno = 0;
+	val = strtoll (pidfdstr, &endptr, 10);
+	if (   ('\0' == *pidfdstr)
+	    || ('\0' != *endptr)
+	    || (ERANGE == errno)
+	    || (val < 0)
+	    || (/*@+longintegral@*/val != (int)val)/*@=longintegral@*/) {
+		return -1;
+	}
+
+	if (stat("/proc/self/uid_map", &st) < 0) {
+		return -1;
+	}
+
+	proc_st_dev = st.st_dev;
+	proc_st_rdev = st.st_rdev;
+
+	if (fstat(val, &st) < 0) {
+		return -1;
+	}
+
+	if (st.st_dev != proc_st_dev || st.st_rdev != proc_st_rdev) {
+		return -1;
+	}
+
+	return (int)val;
+}
+
+int open_pidfd(const char *pidstr)
+{
+	int proc_dir_fd;
+	int written;
+	char proc_dir_name[32];
+	pid_t target;
+
+	if (get_pid(pidstr, &target) == 0)
+		return -ENOENT;
+
+	/* max string length is 6 + 10 + 1 + 1 = 18, allocate 32 bytes */
+	written = snprintf(proc_dir_name, sizeof(proc_dir_name), "/proc/%u/",
+		target);
+	if ((written <= 0) || ((size_t)written >= sizeof(proc_dir_name))) {
+		fprintf(stderr, "snprintf of proc path failed for %u: %s\n",
+			target, strerror(errno));
+		return -EINVAL;
+	}
+
+	proc_dir_fd = open(proc_dir_name, O_DIRECTORY);
+	if (proc_dir_fd < 0) {
+		fprintf(stderr, _("Could not open proc directory for target %u: %s\n"),
+			target, strerror(errno));
+		return -EINVAL;
+	}
+	return proc_dir_fd;
+}
--- a/lib/get_uid.c
+++ b/lib/get_uid.c
@ -25,7 +25,7 @@ int get_uid (const char *uidstr, uid_t *uid)
 		return 0;
 	}

-	*uid = (uid_t)val;
+	*uid = val;
 	return 1;
 }

--- a/lib/getdef.c
+++ b/lib/getdef.c
@ -13,6 +13,7 @@

 #include "prototypes.h"
 #include "defines.h"
+#include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <ctype.h>
@ -20,8 +21,11 @@
 #ifdef USE_ECONF
 #include <libeconf.h>
 #endif
+
+#include "alloc.h"
 #include "getdef.h"
 #include "shadowlog_internal.h"
+
 /*
 * A configuration item definition.
 */
@ -132,10 +136,8 @@ static struct itemdef def_table[] = {
 #ifndef USE_PAM
 	PAMDEFS
 #endif
-#ifdef USE_SYSLOG
 	{"SYSLOG_SG_ENAB", NULL},
 	{"SYSLOG_SU_ENAB", NULL},
-#endif
 #ifdef WITH_TCB
 	{"TCB_AUTH_GROUP", NULL},
 	{"TCB_SYMLINKS", NULL},
@ -193,7 +195,7 @@ static void def_load (void);
 	}

 	d = def_find (item);
-	return ((NULL == d)? (const char *) NULL : d->value);
+	return (NULL == d) ? NULL : d->value;
 }


@ -251,7 +253,7 @@ int getdef_num (const char *item, int dflt)
 		return dflt;
 	}

-	return (int) val;
+	return val;
 }


@ -286,7 +288,7 @@ unsigned int getdef_unum (const char *item, unsigned int dflt)
 		return dflt;
 	}

-	return (unsigned int) val;
+	return val;
 }


@ -430,7 +432,7 @@ static /*@observer@*/ /*@null@*/struct itemdef *def_find (const char *name)
 	SYSLOG ((LOG_CRIT, "unknown configuration item `%s'", name));

 out:
-	return (struct itemdef *) NULL;
+	return NULL;
 }

 /*
@ -446,14 +448,14 @@ void setdef_config_file (const char* file)
 	char* cp;

 	len = strlen(file) + strlen(sysconfdir) + 2;
-	cp = malloc(len);
+	cp = MALLOCARRAY(len, char);
 	if (cp == NULL)
 		exit (13);
 	snprintf(cp, len, "%s/%s", file, sysconfdir);
 	sysconfdir = cp;
 #ifdef VENDORDIR
 	len = strlen(file) + strlen(vendordir) + 2;
-	cp = malloc(len);
+	cp = MALLOCARRAY(len, char);
 	if (cp == NULL)
 		exit (13);
 	snprintf(cp, len, "%s/%s", file, vendordir);
@ -470,18 +472,13 @@ void setdef_config_file (const char* file)
 * Loads the user-configured options from the default configuration file
 */

+#ifdef USE_ECONF
 static void def_load (void)
 {
-#ifdef USE_ECONF
 	econf_file *defs_file = NULL;
 	econf_err error;
 	char **keys;
 	size_t key_number;
-#else
-	int i;
-	FILE *fp;
-	char buf[1024], *name, *value, *s;
-#endif

 	/*
 	 * Set the initialized flag.
@ -489,8 +486,6 @@ static void def_load (void)
 	 */
 	def_loaded = true;

-#ifdef USE_ECONF
-
 	error = econf_readDirs (&defs_file, vendordir, sysconfdir, "login", "defs", " \t", "#");
 	if (error) {
 		if (error == ECONF_NOFILE)
@ -510,7 +505,12 @@ static void def_load (void)
 	for (size_t i = 0; i < key_number; i++) {
 		char *value;

-		econf_getStringValue(defs_file, NULL, keys[i], &value);
+		error = econf_getStringValue(defs_file, NULL, keys[i], &value);
+		if (error) {
+			SYSLOG ((LOG_CRIT, "failed reading key %zu from econf [%s]",
+				i, econf_errString(error)));
+			exit (EXIT_FAILURE);
+		}

 		/*
 		 * Store the value in def_table.
@ -520,11 +520,26 @@ static void def_load (void)
 		 * syslog. The tools will just use their default values.
 		 */
 		(void)putdef_str (keys[i], value);
+
+		free(value);
 	}

 	econf_free (keys);
 	econf_free (defs_file);
-#else
+}
+#else /* USE_ECONF */
+static void def_load (void)
+{
+	int i;
+	FILE *fp;
+	char buf[1024], *name, *value, *s;
+
+	/*
+	 * Set the initialized flag.
+	 * (do it early to prevent recursion in putdef_str())
+	 */
+	def_loaded = true;
+
 	/*
 	 * Open the configuration definitions file.
 	 */
@ -542,12 +557,12 @@ static void def_load (void)
 	/*
 	 * Go through all of the lines in the file.
 	 */
-	while (fgets (buf, (int) sizeof (buf), fp) != NULL) {
+	while (fgets (buf, sizeof (buf), fp) != NULL) {

 		/*
 		 * Trim trailing whitespace.
 		 */
-		for (i = (int) strlen (buf) - 1; i >= 0; --i) {
+		for (i = (ptrdiff_t) strlen (buf) - 1; i >= 0; --i) {
 			if (!isspace (buf[i])) {
 				break;
 			}
@ -588,8 +603,8 @@ static void def_load (void)
 	}

 	(void) fclose (fp);
-#endif
 }
+#endif /* USE_ECONF */


 #ifdef CKDEFS
--- a/lib/groupio.c
+++ b/lib/groupio.c
@ -15,6 +15,7 @@
 #include <assert.h>
 #include <stdio.h>

+#include "alloc.h"
 #include "prototypes.h"
 #include "defines.h"
 #include "commonio.h"
@ -50,7 +51,7 @@ static const char *group_getname (const void *ent)

 static void *group_parse (const char *line)
 {
-	return (void *) sgetgrent (line);
+	return sgetgrent (line);
 }

 static int group_put (const void *ent, FILE * file)
@ -159,7 +160,7 @@ int gr_open (int mode)

 int gr_update (const struct group *gr)
 {
-	return commonio_update (&group_db, (const void *) gr);
+	return commonio_update (&group_db, gr);
 }

 int gr_remove (const char *name)
@ -247,8 +248,8 @@ static int group_open_hook (void)

 	for (gr1 = group_db.head; NULL != gr1; gr1 = gr1->next) {
 		for (gr2 = gr1->next; NULL != gr2; gr2 = gr2->next) {
-			struct group *g1 = (struct group *)gr1->eptr;
-			struct group *g2 = (struct group *)gr2->eptr;
+			struct group *g1 = gr1->eptr;
+			struct group *g2 = gr2->eptr;
 			if (NULL != g1 &&
 			    NULL != g2 &&
 			    0 == strcmp (g1->gr_name, g2->gr_name) &&
@ -302,8 +303,8 @@ static /*@null@*/struct commonio_entry *merge_group_entries (
 		return NULL;
 	}

-	gptr1 = (struct group *)gr1->eptr;
-	gptr2 = (struct group *)gr2->eptr;
+	gptr1 = gr1->eptr;
+	gptr2 = gr2->eptr;
 	if (NULL == gptr2 || NULL == gptr1) {
 		errno = EINVAL;
 		return NULL;
@ -311,9 +312,8 @@ static /*@null@*/struct commonio_entry *merge_group_entries (

 	/* Concatenate the 2 lines */
 	new_line_len = strlen (gr1->line) + strlen (gr2->line) +1;
-	new_line = (char *)malloc (new_line_len + 1);
+	new_line = MALLOCARRAY (new_line_len + 1, char);
 	if (NULL == new_line) {
-		errno = ENOMEM;
 		return NULL;
 	}
 	snprintf(new_line, new_line_len + 1, "%s\n%s", gr1->line, gr2->line);
@ -333,10 +333,9 @@ static /*@null@*/struct commonio_entry *merge_group_entries (
 			members++;
 		}
 	}
-	new_members = (char **)calloc ( (members+1), sizeof(char*) );
+	new_members = CALLOC (members + 1, char *);
 	if (NULL == new_members) {
 		free (new_line);
-		errno = ENOMEM;
 		return NULL;
 	}
 	for (i=0; NULL != gptr1->gr_mem[i]; i++) {
@ -377,7 +376,7 @@ static int split_groups (unsigned int max_members)
 	struct commonio_entry *gr;

 	for (gr = group_db.head; NULL != gr; gr = gr->next) {
-		struct group *gptr = (struct group *)gr->eptr;
+		struct group *gptr = gr->eptr;
 		struct commonio_entry *new;
 		struct group *new_gptr;
 		unsigned int members = 0;
@ -395,9 +394,8 @@ static int split_groups (unsigned int max_members)
 			continue;
 		}

-		new = (struct commonio_entry *) malloc (sizeof *new);
+		new = MALLOC (struct commonio_entry);
 		if (NULL == new) {
-			errno = ENOMEM;
 			return 0;
 		}
 		new->eptr = group_dup(gr->eptr);
@ -406,7 +404,7 @@ static int split_groups (unsigned int max_members)
 			errno = ENOMEM;
 			return 0;
 		}
-		new_gptr = (struct group *)new->eptr;
+		new_gptr = new->eptr;
 		new->line = NULL;
 		new->changed = true;

--- a/lib/groupmem.c
+++ b/lib/groupmem.c
@ -12,6 +12,7 @@

 #ident "$Id$"

+#include "alloc.h"
 #include "prototypes.h"
 #include "defines.h"
 #include "groupio.h"
@ -21,7 +22,7 @@
 	struct group *gr;
 	int i;

-	gr = (struct group *) malloc (sizeof *gr);
+	gr = MALLOC (struct group);
 	if (NULL == gr) {
 		return NULL;
 	}
@ -46,7 +47,7 @@
 	for (i = 0; grent->gr_mem[i]; i++);

 	/*@-mustfreeonly@*/
-	gr->gr_mem = (char **) malloc ((i + 1) * sizeof (char *));
+	gr->gr_mem = MALLOCARRAY (i + 1, char *);
 	/*@=mustfreeonly@*/
 	if (NULL == gr->gr_mem) {
 		gr_free(gr);
@ -86,33 +87,3 @@ void gr_free (/*@out@*/ /*@only@*/struct group *grent)
 	gr_free_members(grent);
 	free (grent);
 }
-
-bool gr_append_member(struct group *grp, char *member)
-{
-	int i;
-
-	if (NULL == grp->gr_mem || grp->gr_mem[0] == NULL) {
-		grp->gr_mem = (char **)malloc(2 * sizeof(char *));
-		if (!grp->gr_mem) {
-			return false;
-		}
-		grp->gr_mem[0] = strdup(member);
-		if (!grp->gr_mem[0]) {
-			return false;
-		}
-		grp->gr_mem[1] = NULL;
-		return true;
-	}
-
-	for (i = 0; grp->gr_mem[i]; i++) ;
-	grp->gr_mem = realloc(grp->gr_mem, (i + 2) * sizeof(char *));
-	if (NULL == grp->gr_mem) {
-		return false;
-	}
-	grp->gr_mem[i] = strdup(member);
-	if (NULL == grp->gr_mem[i]) {
-		return false;
-	}
-	grp->gr_mem[i + 1] = NULL;
-	return true;
-}
--- a/lib/gshadow.c
+++ b/lib/gshadow.c
@ -15,8 +15,12 @@
 #ident "$Id$"

 #include <stdio.h>
+#include <string.h>
+
+#include "alloc.h"
 #include "prototypes.h"
 #include "defines.h"
+
 static /*@null@*/FILE *shadow;
 static /*@null@*//*@only@*/char **members = NULL;
 static size_t nmembers = 0;
@ -62,7 +66,7 @@ static /*@null@*/char **build_list (char *s, char **list[], size_t * nlist)

 	while (s != NULL && *s != '\0') {
 		size = (nelem + 1) * sizeof (ptr);
-		ptr = realloc (*list, size);
+		ptr = REALLOCARRAY (*list, size, char *);
 		if (NULL != ptr) {
 			ptr[nelem] = s;
 			nelem++;
@ -76,7 +80,7 @@ static /*@null@*/char **build_list (char *s, char **list[], size_t * nlist)
 		}
 	}
 	size = (nelem + 1) * sizeof (ptr);
-	ptr = realloc (*list, size);
+	ptr = REALLOCARRAY (*list, size, char *);
 	if (NULL != ptr) {
 		ptr[nelem] = NULL;
 		*list = ptr;
@ -102,7 +106,7 @@ void endsgent (void)
 		(void) fclose (shadow);
 	}

-	shadow = (FILE *) 0;
+	shadow = NULL;
 }

 /*@observer@*//*@null@*/struct sgrp *sgetsgent (const char *string)
@ -116,7 +120,7 @@ void endsgent (void)
 	size_t len = strlen (string) + 1;

 	if (len > sgrbuflen) {
-		char *buf = (char *) realloc (sgrbuf, sizeof (char) * len);
+		char *buf = REALLOCARRAY (sgrbuf, len, char);
 		if (NULL == buf) {
 			return NULL;
 		}
@ -124,8 +128,7 @@ void endsgent (void)
 		sgrbuflen = len;
 	}

-	strncpy (sgrbuf, string, len);
-	sgrbuf[len-1] = '\0';
+	strcpy (sgrbuf, string);

 	cp = strrchr (sgrbuf, '\n');
 	if (NULL != cp) {
@ -195,7 +198,7 @@ void endsgent (void)
 	char *cp;

 	if (0 == buflen) {
-		buf = (char *) malloc (BUFSIZ);
+		buf = MALLOCARRAY (BUFSIZ, char);
 		if (NULL == buf) {
 			return NULL;
 		}
@ -207,16 +210,16 @@ void endsgent (void)
 	}

 #ifdef	USE_NIS
-	while (fgetsx (buf, (int) buflen, fp) == buf)
+	while (fgetsx (buf, buflen, fp) == buf)
 #else
-	if (fgetsx (buf, (int) buflen, fp) == buf)
+	if (fgetsx (buf, buflen, fp) == buf)
 #endif
 	{
 		while (   ((cp = strrchr (buf, '\n')) == NULL)
 		       && (feof (fp) == 0)) {
 			size_t len;

-			cp = (char *) realloc (buf, buflen*2);
+			cp = REALLOCARRAY (buf, buflen * 2, char);
 			if (NULL == cp) {
 				return NULL;
 			}
@ -399,7 +402,7 @@ void endsgent (void)
 		nis_disabled = true;
 	}
 #endif
-	while ((sgrp = getsgent ()) != (struct sgrp *) 0) {
+	while ((sgrp = getsgent ()) != NULL) {
 		if (strcmp (name, sgrp->sg_name) == 0) {
 			break;
 		}
@ -437,7 +440,7 @@ int putsgent (const struct sgrp *sgrp, FILE * fp)
 		size += strlen (sgrp->sg_mem[i]) + 1;
 	}

-	buf = malloc (size);
+	buf = MALLOCARRAY (size, char);
 	if (NULL == buf) {
 		return -1;
 	}
@ -502,5 +505,5 @@ int putsgent (const struct sgrp *sgrp, FILE * fp)
 	return 0;
 }
 #else
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/*} SHADOWGRP */
--- a/lib/lockpw.c
+++ b/lib/lockpw.c
@ -81,5 +81,5 @@ int ulckpwdf (void)
 	return (pw_unlock () && spw_unlock ())? 0 : -1;
 }
 #else
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif
--- a/lib/mempcpy.h
+++ b/lib/mempcpy.h
@ -0,0 +1,31 @@
+/*
+ * SPDX-FileCopyrightText:  2023, Alejandro Colomar <alx@kernel.org>
+ *
+ * SPDX-License-Identifier:  BSD-3-Clause
+ */
+
+
+#ifndef SHADOW_INCLUDE_LIB_MEMPCPY_H_
+#define SHADOW_INCLUDE_LIB_MEMPCPY_H_
+
+
+#include <config.h>
+
+#if !defined(HAVE_MEMPCPY)
+
+#include <stddef.h>
+#include <string.h>
+
+
+inline void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
+
+
+inline void *
+mempcpy(void *restrict dst, const void *restrict src, size_t n)
+{
+	return memcpy(dst, src, n) + n;
+}
+
+
+#endif  // !HAVE_MEMPCPY
+#endif  // include guard
--- a/lib/nscd.c
+++ b/lib/nscd.c
@ -53,6 +53,6 @@ int nscd_flush_cache (const char *service)
 	return 0;
 }
 #else				/* USE_NSCD */
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/* USE_NSCD */

--- a/lib/nss.c
+++ b/lib/nss.c
@ -6,6 +6,8 @@
 #include <strings.h>
 #include <ctype.h>
 #include <stdatomic.h>
+
+#include "alloc.h"
 #include "prototypes.h"
 #include "../libsubid/subid.h"
 #include "shadowlog_internal.h"
@ -59,6 +61,9 @@ void nss_init(const char *nsswitch_path) {
 	//   subid:	files
 	nssfp = fopen(nsswitch_path, "r");
 	if (!nssfp) {
+		if (errno != ENOENT)
+			fprintf(shadow_logfd, "Failed opening %s: %m\n", nsswitch_path);
+
 		atomic_store(&nss_init_completed, true);
 		return;
 	}
@ -97,7 +102,7 @@ void nss_init(const char *nsswitch_path) {
 				subid_nss = NULL;
 				goto done;
 			}
-			subid_nss = malloc(sizeof(*subid_nss));
+			subid_nss = MALLOC(struct subid_nss_ops);
 			if (!subid_nss) {
 				dlclose(h);
 				goto done;
--- a/lib/pam_defs.h
+++ b/lib/pam_defs.h
@ -15,7 +15,7 @@
 #endif


-static struct pam_conv conv = {
+static const struct pam_conv conv = {
 	SHADOW_PAM_CONVERSATION,
 	NULL
 };
--- a/lib/port.c
+++ b/lib/port.c
@ -79,7 +79,7 @@ static void endportent (void)
 		(void) fclose (ports);
 	}

-	ports = (FILE *) 0;
+	ports = NULL;
 }

 /*
@ -130,11 +130,11 @@ static struct port *getportent (void)
      again:

 	/*
-	 * Get the next line and remove the last character, which
-	 * is a '\n'.  Lines which begin with '#' are all ignored.
+	 * Get the next line and remove optional trailing '\n'.
+	 * Lines which begin with '#' are all ignored.
 	 */

-	if (fgets (buf, (int) sizeof buf, ports) == 0) {
+	if (fgets (buf, sizeof buf, ports) == 0) {
 		errno = saveerr;
 		return 0;
 	}
@ -149,7 +149,7 @@ static struct port *getportent (void)
 	 * TTY devices.
 	 */

-	buf[strlen (buf) - 1] = 0;
+	buf[strcspn (buf, "\n")] = 0;

 	port.pt_names = ttys;
 	for (cp = buf, j = 0; j < PORT_TTY; j++) {
@ -172,13 +172,13 @@ static struct port *getportent (void)
 	}
 	*cp = '\0';
 	cp++;
-	port.pt_names[j + 1] = (char *) 0;
+	port.pt_names[j + 1] = NULL;

 	/*
 	 * Get the list of user names.  It is the second colon
 	 * separated field, and is a comma separated list of user
 	 * names.  The entry '*' is used to specify all usernames.
-	 * The last entry in the list is a (char *) 0 pointer.
+	 * The last entry in the list is a NULL pointer.
 	 */

 	if (':' != *cp) {
--- a/lib/prototypes.h
+++ b/lib/prototypes.h
@ -21,12 +21,9 @@

 #include <config.h>

+#include <sys/socket.h>
 #include <sys/stat.h>
-#ifdef USE_UTMPX
-#include <utmpx.h>
-#else
 #include <utmp.h>
-#endif
 #include <sys/types.h>
 #include <pwd.h>
 #include <grp.h>
@ -44,6 +41,12 @@ extern int add_groups (const char *);
 /* age.c */
 extern void agecheck (/*@null@*/const struct spwd *);
 extern int expire (const struct passwd *, /*@null@*/const struct spwd *);
+
+/* agetpass.c */
+extern void erase_pass(char *pass);
+ATTR_MALLOC(erase_pass)
+extern char *agetpass(const char *prompt);
+
 /* isexpired.c */
 extern int isexpired (const struct passwd *, /*@null@*/const struct spwd *);

@ -157,6 +160,8 @@ extern int getlong (const char *numstr, /*@out@*/long int *result);

 /* get_pid.c */
 extern int get_pid (const char *pidstr, pid_t *pid);
+extern int get_pidfd_from_fd(const char *pidfdstr);
+extern int open_pidfd(const char *pidstr);

 /* getrange */
 extern int getrange (const char *range,
@ -186,7 +191,6 @@ extern void __gr_set_changed (void);
 extern /*@null@*/ /*@only@*/struct group *__gr_dup (const struct group *grent);
 extern void gr_free_members (struct group *grent);
 extern void gr_free (/*@out@*/ /*@only@*/struct group *grent);
-extern bool gr_append_member (struct group *grp, char *member);

 /* hushed.c */
 extern bool hushed (const char *username);
@ -229,7 +233,7 @@ extern void dolastlog (
 extern int login_access (const char *user, const char *from);

 /* loginprompt.c */
-extern void login_prompt (const char *, char *, int);
+extern void login_prompt (char *, int);

 /* mail.c */
 extern void mailcheck (void);
@ -353,6 +357,11 @@ extern /*@dependent@*/ /*@null@*/struct commonio_entry *__pw_get_head (void);
 extern /*@null@*/ /*@only@*/struct passwd *__pw_dup (const struct passwd *pwent);
 extern void pw_free (/*@out@*/ /*@only@*/struct passwd *pwent);

+/* csrand.c */
+unsigned long csrand (void);
+unsigned long csrand_uniform (unsigned long n);
+unsigned long csrand_interval (unsigned long min, unsigned long max);
+
 /* remove_tree.c */
 extern int remove_tree (const char *root, bool remove_root);

@ -376,7 +385,7 @@ extern int check_selinux_permit (const char *perm_name);

 /* semanage.c */
 #ifdef WITH_SELINUX
-extern int set_seuser(const char *login_name, const char *seuser_name);
+extern int set_seuser(const char *login_name, const char *seuser_name, const char *serange);
 extern int del_seuser(const char *login_name);
 #endif

@ -460,30 +469,16 @@ extern int set_filesize_limit (int blocks);
 extern int user_busy (const char *name, uid_t uid);

 /* utmp.c */
-#ifndef USE_UTMPX
 extern /*@null@*/struct utmp *get_current_utmp (void);
 extern struct utmp *prepare_utmp (const char *name,
                                  const char *line,
                                  const char *host,
                                  /*@null@*/const struct utmp *ut);
 extern int setutmp (struct utmp *ut);
-#else
-extern /*@null@*/struct utmpx *get_current_utmp (void);
-extern struct utmpx *prepare_utmpx (const char *name,
-                                    const char *line,
-                                    const char *host,
-                                    /*@null@*/const struct utmpx *ut);
-extern int setutmpx (struct utmpx *utx);
-#endif				/* USE_UTMPX */

 /* valid.c */
 extern bool valid (const char *, const struct passwd *);

-/* xmalloc.c */
-extern /*@maynotreturn@*/ /*@only@*//*@out@*//*@notnull@*/void *xmalloc (size_t size)
-  /*@ensures MaxSet(result) == (size - 1); @*/;
-extern /*@maynotreturn@*/ /*@only@*//*@notnull@*/char *xstrdup (const char *);
-
 /* xgetpwnam.c */
 extern /*@null@*/ /*@only@*/struct passwd *xgetpwnam (const char *);
 /* xgetpwuid.c */
--- a/lib/pwauth.c
+++ b/lib/pwauth.c
@ -207,5 +207,5 @@ int pw_auth (const char *cipher,
 	return retval;
 }
 #else				/* !USE_PAM */
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/* !USE_PAM */
--- a/lib/pwio.c
+++ b/lib/pwio.c
@ -42,7 +42,7 @@ static const char *passwd_getname (const void *ent)

 static void *passwd_parse (const char *line)
 {
-	return (void *) sgetpwent (line);
+	return sgetpwent (line);
 }

 static int passwd_put (const void *ent, FILE * file)
@ -137,7 +137,7 @@ int pw_open (int mode)

 int pw_update (const struct passwd *pw)
 {
-	return commonio_update (&passwd_db, (const void *) pw);
+	return commonio_update (&passwd_db, pw);
 }

 int pw_remove (const char *name)
--- a/lib/pwmem.c
+++ b/lib/pwmem.c
@ -13,6 +13,8 @@
 #ident "$Id$"

 #include <stdio.h>
+
+#include "alloc.h"
 #include "defines.h"
 #include "prototypes.h"
 #include "pwio.h"
@ -21,12 +23,11 @@
 {
 	struct passwd *pw;

-	pw = (struct passwd *) malloc (sizeof *pw);
+	pw = CALLOC (1, struct passwd);
 	if (NULL == pw) {
 		return NULL;
 	}
 	/* The libc might define other fields. They won't be copied. */
-	memset (pw, 0, sizeof *pw);
 	pw->pw_uid = pwent->pw_uid;
 	pw->pw_gid = pwent->pw_gid;
 	/*@-mustfreeonly@*/
--- a/lib/run_part.c
+++ b/lib/run_part.c
@ -8,6 +8,8 @@
 #include <sys/wait.h>
 #include <unistd.h>
 #include <lib/prototypes.h>
+
+#include "alloc.h"
 #include "run_part.h"
 #include "shadowlog_internal.h"

@ -57,7 +59,7 @@ int run_parts (const char *directory, const char *name, const char *action)
 		struct stat sb;

 		path_length=strlen(directory) + strlen(namelist[n]->d_name) + 2;
-		char *s = (char*)malloc(path_length);
+		char *s = MALLOCARRAY(path_length, char);
 		if (!s) {
 			printf ("could not allocate memory\n");
 			for (; n<scanlist; n++) {
--- a/lib/selinux.c
+++ b/lib/selinux.c
@ -188,7 +188,7 @@ int check_selinux_permit (const char *perm_name)
 		return 0;
 	}

-	selinux_set_callback (SELINUX_CB_LOG, (union selinux_callback) selinux_log_cb);
+	selinux_set_callback (SELINUX_CB_LOG, (union selinux_callback) { .func_log = selinux_log_cb });

 	if (getprevcon_raw (&user_context_raw) != 0) {
 		fprintf (shadow_logfd,
@ -206,5 +206,5 @@ int check_selinux_permit (const char *perm_name)
 }

 #else				/* !WITH_SELINUX */
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/* !WITH_SELINUX */
--- a/lib/semanage.c
+++ b/lib/semanage.c
@ -22,10 +22,6 @@

 #include "shadowlog_internal.h"

-#ifndef DEFAULT_SERANGE
-#define DEFAULT_SERANGE "s0"
-#endif
-

 format_attr(printf, 3, 4)
 static void semanage_error_callback (unused void *varg,
@ -101,6 +97,8 @@ static semanage_handle_t *semanage_init (void)
 	return handle;

 fail:
+	if (handle)
+		semanage_disconnect (handle);
 	semanage_handle_destroy (handle);
 	return NULL;
 }
@ -109,7 +107,8 @@ fail:
 static int semanage_user_mod (semanage_handle_t *handle,
                              semanage_seuser_key_t *key,
                              const char *login_name,
-                              const char *seuser_name)
+                              const char *seuser_name,
+                              const char *serange)
 {
 	int ret;
 	semanage_seuser_t *seuser = NULL;
@ -122,11 +121,12 @@ static int semanage_user_mod (semanage_handle_t *handle,
 		goto done;
 	}

-	if (semanage_mls_enabled(handle)) {
-		ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+	if (serange && semanage_mls_enabled(handle)) {
+		ret = semanage_seuser_set_mlsrange (handle, seuser, serange);
 		if (ret != 0) {
 			fprintf (shadow_logfd,
-			         _("Could not set serange for %s\n"), login_name);
+			         _("Could not set serange for %s to %s\n"),
+			         login_name, serange);
 			ret = 1;
 			goto done;
 		}
@ -158,9 +158,10 @@ done:


 static int semanage_user_add (semanage_handle_t *handle,
-                             semanage_seuser_key_t *key,
+                             const semanage_seuser_key_t *key,
                             const char *login_name,
-                             const char *seuser_name)
+                             const char *seuser_name,
+                             const char *serange)
 {
 	int ret;
 	semanage_seuser_t *seuser = NULL;
@ -181,11 +182,12 @@ static int semanage_user_add (semanage_handle_t *handle,
 		goto done;
 	}

-	if (semanage_mls_enabled(handle)) {
-		ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+	if (serange && semanage_mls_enabled(handle)) {
+		ret = semanage_seuser_set_mlsrange (handle, seuser, serange);
 		if (ret != 0) {
 			fprintf (shadow_logfd,
-			         _("Could not set serange for %s\n"), login_name);
+			         _("Could not set serange for %s to %s\n"),
+			         login_name, serange);
 			ret = 1;
 			goto done;
 		}
@ -216,7 +218,7 @@ done:
 }


-int set_seuser (const char *login_name, const char *seuser_name)
+int set_seuser (const char *login_name, const char *seuser_name, const char *serange)
 {
 	semanage_handle_t *handle = NULL;
 	semanage_seuser_key_t *key = NULL;
@ -250,7 +252,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
 	}

 	if (0 != seuser_exists) {
-		ret = semanage_user_mod (handle, key, login_name, seuser_name);
+		ret = semanage_user_mod (handle, key, login_name, seuser_name, serange);
 		if (ret != 0) {
 			fprintf (shadow_logfd,
 			         _("Cannot modify SELinux user mapping\n"));
@ -258,7 +260,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
 			goto done;
 		}
 	} else {
-		ret = semanage_user_add (handle, key, login_name, seuser_name);
+		ret = semanage_user_add (handle, key, login_name, seuser_name, serange);
 		if (ret != 0) {
 			fprintf (shadow_logfd,
 			         _("Cannot add SELinux user mapping\n"));
@ -279,6 +281,8 @@ int set_seuser (const char *login_name, const char *seuser_name)

 done:
 	semanage_seuser_key_free (key);
+	if (handle)
+		semanage_disconnect (handle);
 	semanage_handle_destroy (handle);
 	return ret;
 }
@ -353,9 +357,12 @@ int del_seuser (const char *login_name)

 	ret = 0;
 done:
+	semanage_seuser_key_free (key);
+	if (handle)
+		semanage_disconnect (handle);
 	semanage_handle_destroy (handle);
 	return ret;
 }
 #else				/* !WITH_SELINUX */
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/* !WITH_SELINUX */
--- a/lib/sgetgrent.c
+++ b/lib/sgetgrent.c
@ -14,6 +14,8 @@
 #include <stdio.h>
 #include <sys/types.h>
 #include <grp.h>
+
+#include "alloc.h"
 #include "defines.h"
 #include "prototypes.h"

@ -34,10 +36,9 @@
 */
 static char **list (char *s)
 {
-	static char **members = 0;
+	static char **members = NULL;
 	static int size = 0;	/* max members + 1 */
 	int i;
-	char **rbuf;

 	i = 0;
 	for (;;) {
@ -45,21 +46,9 @@ static char **list (char *s)
 		   member name, or terminating NULL).  */
 		if (i >= size) {
 			size = i + 100;	/* at least: i + 1 */
-			if (members) {
-				rbuf =
-				    realloc (members, size * sizeof (char *));
-			} else {
-				/* for old (before ANSI C) implementations of
-				   realloc() that don't handle NULL properly */
-				rbuf = malloc (size * sizeof (char *));
-			}
-			if (!rbuf) {
-				free (members);
-				members = 0;
-				size = 0;
-				return (char **) 0;
-			}
-			members = rbuf;
+			members = REALLOCARRAYF(members, size, char *);
+			if (!members)
+				return NULL;
 		}
 		if (!s || s[0] == '\0')
 			break;
@ -71,14 +60,14 @@ static char **list (char *s)
 			*s++ = '\0';
 		}
 	}
-	members[i] = (char *) 0;
+	members[i] = NULL;
 	return members;
 }


 struct group *sgetgrent (const char *buf)
 {
-	static char *grpbuf = 0;
+	static char *grpbuf = NULL;
 	static size_t size = 0;
 	static char *grpfields[NFIELDS];
 	static struct group grent;
@ -90,10 +79,10 @@ struct group *sgetgrent (const char *buf)
 		   allocate a larger block */
 		free (grpbuf);
 		size = strlen (buf) + 1000;	/* at least: strlen(buf) + 1 */
-		grpbuf = malloc (size);
-		if (!grpbuf) {
+		grpbuf = MALLOCARRAY (size, char);
+		if (grpbuf == NULL) {
 			size = 0;
-			return 0;
+			return NULL;
 		}
 	}
 	strcpy (grpbuf, buf);
@ -112,16 +101,16 @@ struct group *sgetgrent (const char *buf)
 		}
 	}
 	if (i < (NFIELDS - 1) || *grpfields[2] == '\0' || cp != NULL) {
-		return (struct group *) 0;
+		return NULL;
 	}
 	grent.gr_name = grpfields[0];
 	grent.gr_passwd = grpfields[1];
 	if (get_gid (grpfields[2], &grent.gr_gid) == 0) {
-		return (struct group *) 0;
+		return NULL;
 	}
 	grent.gr_mem = list (grpfields[3]);
 	if (NULL == grent.gr_mem) {
-		return (struct group *) 0;	/* out of memory */
+		return NULL;	/* out of memory */
 	}

 	return &grent;
--- a/lib/sgetspent.c
+++ b/lib/sgetspent.c
@ -182,6 +182,6 @@ struct spwd *sgetspent (const char *string)
 	return (&spwd);
 }
 #else
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif

--- a/lib/sgroupio.c
+++ b/lib/sgroupio.c
@ -14,6 +14,7 @@

 #ident "$Id$"

+#include "alloc.h"
 #include "prototypes.h"
 #include "defines.h"
 #include "commonio.h"
@ -25,13 +26,12 @@
 	struct sgrp *sg;
 	int i;

-	sg = (struct sgrp *) malloc (sizeof *sg);
+	sg = CALLOC (1, struct sgrp);
 	if (NULL == sg) {
 		return NULL;
 	}
 	/* Do the same as the other _dup function, even if we know the
 	 * structure. */
-	memset (sg, 0, sizeof *sg);
 	/*@-mustfreeonly@*/
 	sg->sg_name = strdup (sgent->sg_name);
 	/*@=mustfreeonly@*/
@ -50,7 +50,7 @@

 	for (i = 0; NULL != sgent->sg_adm[i]; i++);
 	/*@-mustfreeonly@*/
-	sg->sg_adm = (char **) malloc ((i + 1) * sizeof (char *));
+	sg->sg_adm = MALLOCARRAY (i + 1, char *);
 	/*@=mustfreeonly@*/
 	if (NULL == sg->sg_adm) {
 		free (sg->sg_passwd);
@ -75,7 +75,7 @@

 	for (i = 0; NULL != sgent->sg_mem[i]; i++);
 	/*@-mustfreeonly@*/
-	sg->sg_mem = (char **) malloc ((i + 1) * sizeof (char *));
+	sg->sg_mem = MALLOCARRAY (i + 1, char *);
 	/*@=mustfreeonly@*/
 	if (NULL == sg->sg_mem) {
 		for (i = 0; NULL != sg->sg_adm[i]; i++) {
@ -151,7 +151,7 @@ static const char *gshadow_getname (const void *ent)

 static void *gshadow_parse (const char *line)
 {
-	return (void *) sgetsgent (line);
+	return sgetsgent (line);
 }

 static int gshadow_put (const void *ent, FILE * file)
@ -253,7 +253,7 @@ int sgr_open (int mode)

 int sgr_update (const struct sgrp *sg)
 {
-	return commonio_update (&gshadow_db, (const void *) sg);
+	return commonio_update (&gshadow_db, sg);
 }

 int sgr_remove (const char *name)
@ -302,5 +302,5 @@ int sgr_sort ()
 	return commonio_sort_wrt (&gshadow_db, __gr_get_db ());
 }
 #else
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif
--- a/lib/shadow.c
+++ b/lib/shadow.c
@ -94,7 +94,7 @@ void endspent (void)
 		(void) fclose (shadow);
 	}

-	shadow = (FILE *) 0;
+	shadow = NULL;
 }

 /*
@ -336,9 +336,9 @@ struct spwd *fgetspent (FILE * fp)
 	}

 #ifdef	USE_NIS
-	while (fgets (buf, (int) sizeof buf, fp) != (char *) 0)
+	while (fgets (buf, sizeof buf, fp) != NULL)
 #else
-	if (fgets (buf, (int) sizeof buf, fp) != (char *) 0)
+	if (fgets (buf, sizeof buf, fp) != NULL)
 #endif
 	{
 		cp = strchr (buf, '\n');
@ -511,7 +511,7 @@ struct spwd *getspnam (const char *name)
 		nis_disabled = true;
 	}
 #endif
-	while ((sp = getspent ()) != (struct spwd *) 0) {
+	while ((sp = getspent ()) != NULL) {
 		if (strcmp (name, sp->sp_namp) == 0) {
 			break;
 		}
@ -525,6 +525,6 @@ struct spwd *getspnam (const char *name)
 	return (sp);
 }
 #else
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif

--- a/lib/shadowio.c
+++ b/lib/shadowio.c
@ -47,7 +47,7 @@ static const char *shadow_getname (const void *ent)

 static void *shadow_parse (const char *line)
 {
-	return (void *) sgetspent (line);
+	return sgetspent (line);
 }

 static int shadow_put (const void *ent, FILE * file)
@ -164,7 +164,7 @@ int spw_open (int mode)

 int spw_update (const struct spwd *sp)
 {
-	return commonio_update (&shadow_db, (const void *) sp);
+	return commonio_update (&shadow_db, sp);
 }

 int spw_remove (const char *name)
--- a/lib/shadowlog_internal.h
+++ b/lib/shadowlog_internal.h
@ -2,6 +2,6 @@
 #define _SHADOWLOG_INTERNAL_H

 extern const char *shadow_progname; /* Program name showed in error messages */
-extern FILE *shadow_logfd;  /* file descripter to which error messages are printed */
+extern FILE *shadow_logfd;  /* file descriptor to which error messages are printed */

 #endif /* _SHADOWLOG_INTERNAL_H */
--- a/lib/shadowmem.c
+++ b/lib/shadowmem.c
@ -16,18 +16,19 @@
 #include "defines.h"
 #include <shadow.h>
 #include <stdio.h>
+
+#include "alloc.h"
 #include "shadowio.h"

 /*@null@*/ /*@only@*/struct spwd *__spw_dup (const struct spwd *spent)
 {
 	struct spwd *sp;

-	sp = (struct spwd *) malloc (sizeof *sp);
+	sp = CALLOC (1, struct spwd);
 	if (NULL == sp) {
 		return NULL;
 	}
 	/* The libc might define other fields. They won't be copied. */
-	memset (sp, 0, sizeof *sp);
 	sp->sp_lstchg = spent->sp_lstchg;
 	sp->sp_min    = spent->sp_min;
 	sp->sp_max    = spent->sp_max;
--- a/lib/sssd.c
+++ b/lib/sssd.c
@ -4,8 +4,11 @@
 #ifdef USE_SSSD

 #include <stdio.h>
+#include <sys/stat.h>
 #include <sys/wait.h>
 #include <sys/types.h>
+
+#include "alloc.h"
 #include "exitcodes.h"
 #include "defines.h"
 #include "prototypes.h"
@ -19,12 +22,17 @@ int sssd_flush_cache (int dbflags)
 {
 	int status, code, rv;
 	const char *cmd = "/usr/sbin/sss_cache";
+	struct stat sb;
 	char *sss_cache_args = NULL;
 	const char *spawnedArgs[] = {"sss_cache", NULL, NULL};
 	const char *spawnedEnv[] = {NULL};
 	int i = 0;

-	sss_cache_args = malloc(4);
+	rv = stat(cmd, &sb);
+	if (rv == -1 && errno == ENOENT)
+		return 0;
+
+	sss_cache_args = MALLOCARRAY(4, char);
 	if (sss_cache_args == NULL) {
 	    return -1;
 	}
@ -70,6 +78,6 @@ int sssd_flush_cache (int dbflags)
 	return 0;
 }
 #else				/* USE_SSSD */
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/* USE_SSSD */

--- a/lib/stpecpy.h
+++ b/lib/stpecpy.h
@ -0,0 +1,92 @@
+/*
+ * SPDX-FileCopyrightText:  2022 - 2023, Alejandro Colomar <alx@kernel.org>
+ *
+ * SPDX-License-Identifier:  BSD-3-Clause
+ */
+
+
+#ifndef SHADOW_INCLUDE_LIB_STPECPY_H_
+#define SHADOW_INCLUDE_LIB_STPECPY_H_
+
+
+#include <config.h>
+
+#if !defined(HAVE_STPECPY)
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <string.h>
+
+#include "defines.h"
+
+
+inline char *stpecpy(char *dst, char *end, const char *restrict src);
+
+
+/*
+ * SYNOPSIS
+ *	char *_Nullable stpecpy(char *_Nullable dst, char end[0],
+ *	                        const char *restrict src);
+ *
+ * ARGUMENTS
+ *	dst	Destination buffer where to copy a string.
+ *
+ *	end	Pointer to one after the last element of the buffer
+ *		pointed to by `dst`.  Usually, it should be calculated
+ *		as `dst + NITEMS(dst)`.
+ *
+ *	src	Source string to be copied into dst.
+ *
+ * DESCRIPTION
+ *	This function copies the string pointed to by src, into a string
+ *	at the buffer pointed to by dst.  If the destination buffer,
+ *	limited by a pointer to its end --one after its last element--,
+ *	isn't large enough to hold the copy, the resulting string is
+ *	truncated.
+ *
+ *	This function can be chained with calls to [v]stpeprintf().
+ *
+ * RETURN VALUE
+ *	dst + strlen(dst)
+ *		•  On success, this function returns a pointer to the
+ *		   terminating NUL byte.
+ *
+ *	end
+ *		•  If this call truncated the resulting string.
+ *		•  If `dst == end` (a previous chained call to these
+ *		   functions truncated).
+ *	NULL
+ *		•  If `dst == NULL` (a previous chained call to
+ *		   [v]stpeprintf() failed).
+ *
+ * ERRORS
+ *	This function doesn't set errno.
+ */
+
+
+inline char *
+stpecpy(char *dst, char *end, const char *restrict src)
+{
+	bool    trunc;
+	char    *p;
+	size_t  dsize, dlen, slen;
+
+	if (dst == end)
+		return end;
+	if (dst == NULL)
+		return NULL;
+
+	dsize = end - dst;
+	slen = strnlen(src, dsize);
+	trunc = (slen == dsize);
+	dlen = slen - trunc;
+
+	p = mempcpy(dst, src, dlen);
+	*p = '\0';
+
+	return p + trunc;
+}
+
+
+#endif  // !HAVE_STPECPY
+#endif  // include guard
--- a/lib/stpeprintf.h
+++ b/lib/stpeprintf.h
@ -0,0 +1,119 @@
+/*
+ * SPDX-FileCopyrightText:  2022 - 2023, Alejandro Colomar <alx@kernel.org>
+ *
+ * SPDX-License-Identifier:  BSD-3-Clause
+ */
+
+
+#ifndef SHADOW_INCLUDE_LIB_STPEPRINTF_H_
+#define SHADOW_INCLUDE_LIB_STPEPRINTF_H_
+
+
+#include <config.h>
+
+#if !defined(HAVE_STPEPRINTF)
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+
+#include "defines.h"
+
+
+format_attr(printf, 3, 4)
+inline char *stpeprintf(char *dst, char *end, const char *restrict fmt, ...);
+
+format_attr(printf, 3, 0)
+inline char *vstpeprintf(char *dst, char *end, const char *restrict fmt,
+    va_list ap);
+
+
+/*
+ * SYNOPSIS
+ *	[[gnu::format(printf, 3, 4)]]
+ *	char *_Nullable stpeprintf(char *_Nullable dst, char end[0],
+ *	                           const char *restrict fmt, ...);
+ *
+ *	[[gnu::format(printf, 3, 0)]]
+ *	char *_Nullable vstpeprintf(char *_Nullable dst, char end[0],
+ *	                           const char *restrict fmt, va_list ap);
+ *
+ *
+ * ARGUMENTS
+ *	dst	Destination buffer where to write a string.
+ *
+ *	end	Pointer to one after the last element of the buffer
+ *		pointed to by `dst`.  Usually, it should be calculated
+ *		as `dst + NITEMS(dst)`.
+ *
+ *	fmt	Format string
+ *
+ *	...
+ *	ap	Variadic argument list
+ *
+ * DESCRIPTION
+ *	These functions are very similar to [v]snprintf(3).
+ *
+ *	The destination buffer is limited by a pointer to its end --one
+ *	after its last element-- instead of a size.  This allows
+ *	chaining calls to it safely, unlike [v]snprintf(3), which is
+ *	difficult to chain without invoking Undefined Behavior.
+ *
+ * RETURN VALUE
+ *	dst + strlen(dst)
+ *		•  On success, these functions return a pointer to the
+ *		   terminating NUL byte.
+ *
+ *	end
+ *		•  If this call truncated the resulting string.
+ *		•  If `dst == end` (a previous chained call to these
+ *		   functions truncated).
+ *	NULL
+ *		•  If this function failed (see ERRORS).
+ *		•  If `dst == NULL` (a previous chained call to these
+ *		   functions failed).
+ *
+ * ERRORS
+ *	These functions may fail for the same reasons as vsnprintf(3).
+ */
+
+
+inline char *
+stpeprintf(char *dst, char *end, const char *restrict fmt, ...)
+{
+	char     *p;
+	va_list  ap;
+
+	va_start(ap, fmt);
+	p = vstpeprintf(dst, end, fmt, ap);
+	va_end(ap);
+
+	return p;
+}
+
+
+inline char *
+vstpeprintf(char *dst, char *end, const char *restrict fmt, va_list ap)
+{
+	int        len;
+	ptrdiff_t  size;
+
+	if (dst == end)
+		return end;
+	if (dst == NULL)
+		return NULL;
+
+	size = end - dst;
+	len = vsnprintf(dst, size, fmt, ap);
+
+	if (len == -1)
+		return NULL;
+	if (len >= size)
+		return end;
+
+	return dst + len;
+}
+
+
+#endif  // !HAVE_STPEPRINTF
+#endif  // include guard
--- a/lib/subordinateio.c
+++ b/lib/subordinateio.c
@ -17,6 +17,8 @@
 #include <ctype.h>
 #include <fcntl.h>

+#include "alloc.h"
+
 #define ID_SIZE 31

 /*
@ -32,7 +34,7 @@ static /*@null@*/ /*@only@*/void *subordinate_dup (const void *ent)
 	const struct subordinate_range *rangeent = ent;
 	struct subordinate_range *range;

-	range = (struct subordinate_range *) malloc (sizeof *range);
+	range = MALLOC (struct subordinate_range);
 	if (NULL == range) {
 		return NULL;
 	}
@ -314,12 +316,12 @@ static bool have_range(struct commonio_db *db,
 static bool append_range(struct subid_range **ranges, const struct subordinate_range *new, int n)
 {
 	if (!*ranges) {
-		*ranges = malloc(sizeof(struct subid_range));
+		*ranges = MALLOC(struct subid_range);
 		if (!*ranges)
 			return false;
 	} else {
 		struct subid_range *alloced;
-		alloced = realloc(*ranges, (n + 1) * (sizeof(struct subid_range)));
+		alloced = REALLOCARRAY(*ranges, n + 1, struct subid_range);
 		if (!alloced)
 			return false;
 		*ranges = alloced;
@ -355,13 +357,14 @@ static int subordinate_range_cmp (const void *p1, const void *p2)
 {
 	struct subordinate_range *range1, *range2;

-	if ((*(struct commonio_entry **) p1)->eptr == NULL)
-		return 1;
-	if ((*(struct commonio_entry **) p2)->eptr == NULL)
-		return -1;

-	range1 = ((struct subordinate_range *) (*(struct commonio_entry **) p1)->eptr);
-	range2 = ((struct subordinate_range *) (*(struct commonio_entry **) p2)->eptr);
+	range1 = (*(struct commonio_entry **) p1)->eptr;
+	if (range1 == NULL)
+		return 1;
+
+	range2 = (*(struct commonio_entry **) p2)->eptr;
+	if (range2 == NULL)
+		return -1;

 	if (range1->start < range2->start)
 		return -1;
@ -620,17 +623,28 @@ bool have_sub_uids(const char *owner, uid_t start, unsigned long count)
 	return have_range (&subordinate_uid_db, owner, start, count);
 }

+/*
+ * sub_uid_add: add a subuid range, perhaps through nss.
+ *
+ * Return 1 if the range is already present or on success.  On error
+ * return 0 and set errno appropriately.
+ */
 int sub_uid_add (const char *owner, uid_t start, unsigned long count)
 {
-	if (get_subid_nss_handle())
-		return -EOPNOTSUPP;
+	if (get_subid_nss_handle()) {
+		errno = EOPNOTSUPP;
+		return 0;
+	}
 	return add_range (&subordinate_uid_db, owner, start, count);
 }

+/* Return 1 on success.  on failure, return 0 and set errno appropriately */
 int sub_uid_remove (const char *owner, uid_t start, unsigned long count)
 {
-	if (get_subid_nss_handle())
-		return -EOPNOTSUPP;
+	if (get_subid_nss_handle()) {
+		errno = EOPNOTSUPP;
+		return 0;
+	}
 	return remove_range (&subordinate_uid_db, owner, start, count);
 }

@ -716,17 +730,28 @@ bool local_sub_gid_assigned(const char *owner)
 	return range_exists (&subordinate_gid_db, owner);
 }

+/*
+ * sub_gid_add: add a subgid range, perhaps through nss.
+ *
+ * Return 1 if the range is already present or on success.  On error
+ * return 0 and set errno appropriately.
+ */
 int sub_gid_add (const char *owner, gid_t start, unsigned long count)
 {
-	if (get_subid_nss_handle())
-		return -EOPNOTSUPP;
+	if (get_subid_nss_handle()) {
+		errno = EOPNOTSUPP;
+		return 0;
+	}
 	return add_range (&subordinate_gid_db, owner, start, count);
 }

+/* Return 1 on success.  on failure, return 0 and set errno appropriately */
 int sub_gid_remove (const char *owner, gid_t start, unsigned long count)
 {
-	if (get_subid_nss_handle())
-		return -EOPNOTSUPP;
+	if (get_subid_nss_handle()) {
+		errno = EOPNOTSUPP;
+		return 0;
+	}
 	return remove_range (&subordinate_gid_db, owner, start, count);
 }

@ -910,7 +935,7 @@ static int append_uids(uid_t **uids, const char *owner, int n)
 			return n;
 	}

-	ret = realloc(*uids, (n + 1) * sizeof(uid_t));
+	ret = REALLOCARRAY(*uids, n + 1, uid_t);
 	if (!ret) {
 		free(*uids);
 		return -1;
@ -985,7 +1010,7 @@ bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, b
 	switch (id_type) {
 	case ID_TYPE_UID:
 		if (!sub_uid_lock()) {
-			printf("Failed loging subuids (errno %d)\n", errno);
+			printf("Failed locking subuids (errno %d)\n", errno);
 			return false;
 		}
 		if (!sub_uid_open(O_CREAT | O_RDWR)) {
@ -997,7 +1022,7 @@ bool new_subid_range(struct subordinate_range *range, enum subid_type id_type, b
 		break;
 	case ID_TYPE_GID:
 		if (!sub_gid_lock()) {
-			printf("Failed loging subgids (errno %d)\n", errno);
+			printf("Failed locking subgids (errno %d)\n", errno);
 			return false;
 		}
 		if (!sub_gid_open(O_CREAT | O_RDWR)) {
@ -1057,7 +1082,7 @@ bool release_subid_range(struct subordinate_range *range, enum subid_type id_typ
 	switch (id_type) {
 	case ID_TYPE_UID:
 		if (!sub_uid_lock()) {
-			printf("Failed loging subuids (errno %d)\n", errno);
+			printf("Failed locking subuids (errno %d)\n", errno);
 			return false;
 		}
 		if (!sub_uid_open(O_CREAT | O_RDWR)) {
@ -1069,7 +1094,7 @@ bool release_subid_range(struct subordinate_range *range, enum subid_type id_typ
 		break;
 	case ID_TYPE_GID:
 		if (!sub_gid_lock()) {
-			printf("Failed loging subgids (errno %d)\n", errno);
+			printf("Failed locking subgids (errno %d)\n", errno);
 			return false;
 		}
 		if (!sub_gid_open(O_CREAT | O_RDWR)) {
@ -1097,6 +1122,6 @@ bool release_subid_range(struct subordinate_range *range, enum subid_type id_typ
 }

 #else				/* !ENABLE_SUBIDS */
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/* !ENABLE_SUBIDS */

--- a/lib/tcbfuncs.c
+++ b/lib/tcbfuncs.c
@ -141,7 +141,7 @@ static /*@null@*/ char *shadowtcb_path_rel_existing (const char *name)
 		         shadow_progname, link);
 		return NULL;
 	}
-	link[(size_t)ret] = '\0';
+	link[ret] = '\0';
 	rval = strdup (link);
 	if (NULL == rval) {
 		OUT_OF_MEMORY;
--- a/lib/utent.c
+++ b/lib/utent.c
@ -1,70 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 1993 - 1994, Julianne Frances Haugh
- * SPDX-FileCopyrightText: 1996 - 1998, Marek Michałkiewicz
- * SPDX-FileCopyrightText: 2005       , Tomasz Kłoczko
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#include <config.h>
-
-#ifndef	HAVE_GETUTENT
-
-#include "defines.h"
-#include <stdio.h>
-#include <fcntl.h>
-#include <utmp.h>
-
-#ifndef	lint
-static char rcsid[] = "$Id$";
-#endif
-
-static int utmp_fd = -1;
-static struct utmp utmp_buf;
-
-/*
- * setutent - open or rewind the utmp file
- */
-
-void setutent (void)
-{
-	if (utmp_fd == -1)
-		if ((utmp_fd = open (_UTMP_FILE, O_RDWR)) == -1)
-			utmp_fd = open (_UTMP_FILE, O_RDONLY);
-
-	if (utmp_fd != -1)
-		lseek (utmp_fd, (off_t) 0L, SEEK_SET);
-}
-
-/*
- * endutent - close the utmp file
- */
-
-void endutent (void)
-{
-	if (utmp_fd != -1)
-		close (utmp_fd);
-
-	utmp_fd = -1;
-}
-
-/*
- * getutent - get the next record from the utmp file
- */
-
-struct utmp *getutent (void)
-{
-	if (utmp_fd == -1)
-		setutent ();
-
-	if (utmp_fd == -1)
-		return 0;
-
-	if (read (utmp_fd, &utmp_buf, sizeof utmp_buf) != sizeof utmp_buf)
-		return 0;
-
-	return &utmp_buf;
-}
-#else
-extern int errno;		/* warning: ANSI C forbids an empty source file */
-#endif
--- a/libmisc/Makefile.am
+++ b/libmisc/Makefile.am
@ -5,11 +5,15 @@ AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS)

 noinst_LTLIBRARIES = libmisc.la

+libmisc_la_CFLAGS = $(LIBBSD_CFLAGS)
 libmisc_la_SOURCES = \
 	addgrps.c \
 	age.c \
+	agetpass.c \
+	alloc.c \
 	audit_help.c \
 	basename.c \
+	bit.c \
 	chkname.c \
 	chkname.h \
 	chowndir.c \
@ -41,6 +45,7 @@ libmisc_la_SOURCES = \
 	list.c log.c \
 	loginprompt.c \
 	mail.c \
+	mempcpy.c \
 	motd.c \
 	myname.c \
 	obscure.c \
@ -50,6 +55,7 @@ libmisc_la_SOURCES = \
 	pwd2spwd.c \
 	pwdcheck.c \
 	pwd_init.c \
+	csrand.c \
 	remove_tree.c \
 	rlogin.c \
 	root_flag.c \
@ -57,6 +63,8 @@ libmisc_la_SOURCES = \
 	setugid.c \
 	setupenv.c \
 	shell.c \
+	stpecpy.c \
+	stpeprintf.c \
 	strtoday.c \
 	sub.c \
 	sulog.c \
@ -71,7 +79,6 @@ libmisc_la_SOURCES = \
 	xgetgrnam.c \
 	xgetgrgid.c \
 	xgetspnam.c \
-	xmalloc.c \
 	yesno.c

 if WITH_BTRFS
--- a/libmisc/addgrps.c
+++ b/libmisc/addgrps.c
@ -17,6 +17,8 @@
 #include <stdio.h>
 #include <grp.h>
 #include <errno.h>
+
+#include "alloc.h"
 #include "shadowlog.h"

 #ident "$Id$"
@ -29,7 +31,7 @@
 */
 int add_groups (const char *list)
 {
-	GETGROUPS_T *grouplist, *tmp;
+	GETGROUPS_T *grouplist;
 	size_t i;
 	int ngroups;
 	bool added;
@ -46,7 +48,7 @@ int add_groups (const char *list)

 	i = 16;
 	for (;;) {
-		grouplist = (gid_t *) malloc (i * sizeof (GETGROUPS_T));
+		grouplist = MALLOCARRAY (i, GETGROUPS_T);
 		if (NULL == grouplist) {
 			return -1;
 		}
@ -88,19 +90,17 @@ int add_groups (const char *list)
 			fputs (_("Warning: too many groups\n"), shadow_logfd);
 			break;
 		}
-		tmp = (gid_t *) realloc (grouplist, (size_t)(ngroups + 1) * sizeof (GETGROUPS_T));
-		if (NULL == tmp) {
-			free (grouplist);
+		grouplist = REALLOCARRAYF(grouplist, (size_t) ngroups + 1, GETGROUPS_T);
+		if (grouplist == NULL) {
 			return -1;
 		}
-		tmp[ngroups] = grp->gr_gid;
+		grouplist[ngroups] = grp->gr_gid;
 		ngroups++;
-		grouplist = tmp;
 		added = true;
 	}

 	if (added) {
-		ret = setgroups ((size_t)ngroups, grouplist);
+		ret = setgroups (ngroups, grouplist);
 		free (grouplist);
 		return ret;
 	}
@ -109,6 +109,6 @@ int add_groups (const char *list)
 	return 0;
 }
 #else				/* HAVE_SETGROUPS && !USE_PAM */
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/* HAVE_SETGROUPS && !USE_PAM */

--- a/libmisc/age.c
+++ b/libmisc/age.c
@ -112,7 +112,7 @@ int expire (const struct passwd *pw, /*@null@*/const struct spwd *sp)
 			_exit (126);
 		}

-		(void) execl (PASSWD_PROGRAM, PASSWD_PROGRAM, pw->pw_name, (char *) 0);
+		(void) execl (PASSWD_PROGRAM, PASSWD_PROGRAM, pw->pw_name, (char *) NULL);
 		err = errno;
 		perror ("Can't execute " PASSWD_PROGRAM);
 		_exit ((ENOENT == err) ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
@ -139,7 +139,7 @@ int expire (const struct passwd *pw, /*@null@*/const struct spwd *sp)

 void agecheck (/*@null@*/const struct spwd *sp)
 {
-	long now = (long) time ((time_t *) 0) / SCALE;
+	long now = time(NULL) / SCALE;
 	long remain;

 	if (NULL == sp) {
--- a/libmisc/agetpass.c
+++ b/libmisc/agetpass.c
@ -0,0 +1,130 @@
+/*
+ * SPDX-FileCopyrightText:  2022, Alejandro Colomar <alx@kernel.org>
+ *
+ * SPDX-License-Identifier:  BSD-3-Clause
+ */
+
+
+#include <config.h>
+
+#include <limits.h>
+#include <readpassphrase.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ident "$Id$"
+
+#include "alloc.h"
+#include "prototypes.h"
+
+
+#if !defined(PASS_MAX)
+#define PASS_MAX  BUFSIZ - 1
+#endif
+
+
+/*
+ * SYNOPSIS
+ *	[[gnu::malloc(erase_pass)]]
+ *	char *agetpass(const char *prompt);
+ *
+ *	void erase_pass(char *pass);
+ *
+ * ARGUMENTS
+ *   agetpass()
+ *	prompt	String to be printed before reading a password.
+ *
+ *   erase_pass()
+ *	pass	password previously returned by agetpass().
+ *
+ * DESCRIPTION
+ *   agetpass()
+ *	This function is very similar to getpass(3).  It has several
+ *	advantages compared to getpass(3):
+ *
+ *	- Instead of using a static buffer, agetpass() allocates memory
+ *	  through malloc(3).  This makes the function thread-safe, and
+ *	  also reduces the visibility of the buffer.
+ *
+ *	- agetpass() doesn't reallocate internally.  Some
+ *	  implementations of getpass(3), such as glibc, do that, as a
+ *	  consequence of calling getline(3).  That's a bug in glibc,
+ *	  which allows leaking prefixes of passwords in freed memory.
+ *
+ *	- agetpass() doesn't overrun the output buffer.  If the input
+ *	  password is too long, it simply fails.  Some implementations
+ *	  of getpass(3), share the same bug that gets(3) has.
+ *
+ *	As soon as possible, the password obtained from agetpass() be
+ *	erased by calling erase_pass(), to avoid possibly leaking the
+ *	password.
+ *
+ *   erase_pass()
+ *	This function first clears the password, by calling
+ *	explicit_bzero(3) (or an equivalent call), and then frees the
+ *	allocated memory by calling free(3).
+ *
+ *	NULL is a valid input pointer, and in such a case, this call is
+ *	a no-op.
+ *
+ * RETURN VALUE
+ *	agetpass() returns a newly allocated buffer containing the
+ *	password on success.  On error, errno is set to indicate the
+ *	error, and NULL is returned.
+ *
+ * ERRORS
+ *   agetpass()
+ *	This function may fail for any errors that malloc(3) or
+ *	readpassphrase(3) may fail, and in addition it may fail for the
+ *	following errors:
+ *
+ *	ENOBUFS
+ *		The input password was longer than PASS_MAX.
+ *
+ * CAVEATS
+ *	If a password is passed twice to erase_pass(), the behavior is
+ *	undefined.
+ */
+
+
+char *
+agetpass(const char *prompt)
+{
+	char    *pass;
+	size_t  len;
+
+	/*
+	 * Since we want to support passwords upto PASS_MAX, we need
+	 * PASS_MAX bytes for the password itself, and one more byte for
+	 * the terminating '\0'.  We also want to detect truncation, and
+	 * readpassphrase(3) doesn't detect it, so we need some trick.
+	 * Let's add one more byte, and if the password uses it, it
+	 * means the introduced password was longer than PASS_MAX.
+	 */
+	pass = MALLOCARRAY(PASS_MAX + 2, char);
+	if (pass == NULL)
+		return NULL;
+
+	if (readpassphrase(prompt, pass, PASS_MAX + 2, RPP_REQUIRE_TTY) == NULL)
+		goto fail;
+
+	len = strlen(pass);
+	if (len == PASS_MAX + 1) {
+		errno = ENOBUFS;
+		goto fail;
+	}
+
+	return pass;
+
+fail:
+	freezero(pass, PASS_MAX + 2);
+	return NULL;
+}
+
+
+void
+erase_pass(char *pass)
+{
+	freezero(pass, PASS_MAX + 2);
+}
--- a/libmisc/xmalloc.c
+++ b/libmisc/xmalloc.c
@ -3,6 +3,7 @@
 * SPDX-FileCopyrightText: 1996 - 1998, Marek Michałkiewicz
 * SPDX-FileCopyrightText: 2003 - 2006, Tomasz Kłoczko
 * SPDX-FileCopyrightText: 2008       , Nicolas François
+ * SPDX-FileCopyrightText: 2023       , Alejandro Colomar <alx@kernel.org>
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -11,7 +12,7 @@
   to be worth copyrighting :-).  I did that because a lot of code used
   malloc and strdup without checking for NULL pointer, and I like some
   message better than a core dump...  --marekm
-   
+
   Yeh, but.  Remember that bailing out might leave the system in some
   bizarre state.  You really want to put in error checking, then add
   some back-out failure recovery code. -- jfh */
@ -20,27 +21,53 @@

 #ident "$Id$"

-#include <stdio.h>
+#include "alloc.h"
+
 #include <errno.h>
+#include <stddef.h>
+#include <stdio.h>
+
 #include "defines.h"
 #include "prototypes.h"
 #include "shadowlog.h"

-/*@maynotreturn@*/ /*@only@*//*@out@*//*@notnull@*/void *xmalloc (size_t size)
-{
-	void *ptr;

-	ptr = malloc (size);
-	if (NULL == ptr) {
-		(void) fprintf (log_get_logfd(),
-		                _("%s: failed to allocate memory: %s\n"),
-		                log_get_progname(), strerror (errno));
-		exit (13);
-	}
-	return ptr;
+extern inline void *xmalloc(size_t size);
+extern inline void *xmallocarray(size_t nmemb, size_t size);
+extern inline void *mallocarray(size_t nmemb, size_t size);
+extern inline void *reallocarrayf(void *p, size_t nmemb, size_t size);
+extern inline char *xstrdup(const char *str);
+
+
+void *
+xcalloc(size_t nmemb, size_t size)
+{
+	void  *p;
+
+	p = calloc(nmemb, size);
+	if (p == NULL)
+		goto x;
+
+	return p;
+
+x:
+	fprintf(log_get_logfd(), _("%s: %s\n"),
+	        log_get_progname(), strerror(errno));
+	exit(13);
 }

-/*@maynotreturn@*/ /*@only@*//*@notnull@*/char *xstrdup (const char *str)
+
+void *
+xreallocarray(void *p, size_t nmemb, size_t size)
 {
-	return strcpy (xmalloc (strlen (str) + 1), str);
+	p = reallocarrayf(p, nmemb, size);
+	if (p == NULL)
+		goto x;
+
+	return p;
+
+x:
+	fprintf(log_get_logfd(), _("%s: %s\n"),
+	        log_get_progname(), strerror(errno));
+	exit(13);
 }
--- a/libmisc/audit_help.c
+++ b/libmisc/audit_help.c
@ -62,7 +62,7 @@ void audit_logger (int type, unused const char *pgname, const char *op,
 		return;
 	} else {
 		audit_log_acct_message (audit_fd, type, NULL, op, name, id,
-		                        NULL, NULL, NULL, (int) result);
+		                        NULL, NULL, NULL, result);
 	}
 }

@ -77,11 +77,11 @@ void audit_logger_message (const char *message, shadow_audit_result result)
 		                        NULL, /* hostname */
 		                        NULL, /* addr */
 		                        NULL, /* tty */
-		                        (int) result);
+		                        result);
 	}
 }

 #else				/* WITH_AUDIT */
-extern int errno;	/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/* WITH_AUDIT */

--- a/libmisc/basename.c
+++ b/libmisc/basename.c
@ -21,6 +21,10 @@
 #include "prototypes.h"
 /*@observer@*/const char *Basename (const char *str)
 {
+	if (str == NULL) {
+		abort ();
+	}
+
 	char *cp = strrchr (str, '/');

 	return (NULL != cp) ? cp + 1 : str;
--- a/libmisc/bit.c
+++ b/libmisc/bit.c
@ -0,0 +1,19 @@
+/*
+ * SPDX-FileCopyrightText:  2022 - 2023, Alejandro Colomar <alx@kernel.org>
+ *
+ * SPDX-License-Identifier:  BSD-3-Clause
+ */
+
+
+#include <config.h>
+
+#ident "$Id$"
+
+#include "bit.h"
+
+#include <limits.h>
+
+
+extern inline unsigned long bit_ceilul(unsigned long x);
+extern inline unsigned long bit_ceil_wrapul(unsigned long x);
+extern inline int leading_zerosul(unsigned long x);
--- a/libmisc/chowntty.c
+++ b/libmisc/chowntty.c
@ -51,7 +51,7 @@ void chown_tty (const struct passwd *info)
 	 */

 	if (   (fchown (STDIN_FILENO, info->pw_uid, gid) != 0)
-	    || (fchmod (STDIN_FILENO, (mode_t)getdef_num ("TTYPERM", 0600)) != 0)) {
+	    || (fchmod (STDIN_FILENO, getdef_num ("TTYPERM", 0600)) != 0)) {
 		int err = errno;
 		FILE *shadow_logfd = log_get_logfd();

--- a/libmisc/cleanup_group.c
+++ b/libmisc/cleanup_group.c
@ -22,7 +22,7 @@
 */
 void cleanup_report_add_group (void *group_name)
 {
-	const char *name = (const char *)group_name;
+	const char *name = group_name;

 	SYSLOG ((LOG_ERR, "failed to add group %s", name));
 #ifdef WITH_AUDIT
@ -40,7 +40,7 @@ void cleanup_report_add_group (void *group_name)
 */
 void cleanup_report_del_group (void *group_name)
 {
-	const char *name = (const char *)group_name;
+	const char *name = group_name;

 	SYSLOG ((LOG_ERR, "failed to remove group %s", name));
 #ifdef WITH_AUDIT
@ -95,7 +95,7 @@ void cleanup_report_mod_gshadow (void *cleanup_info)
 */
 void cleanup_report_add_group_group (void *group_name)
 {
-	const char *name = (const char *)group_name;
+	const char *name = group_name;

 	SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, gr_dbname ()));
 #ifdef WITH_AUDIT
@ -115,7 +115,7 @@ void cleanup_report_add_group_group (void *group_name)
 */
 void cleanup_report_add_group_gshadow (void *group_name)
 {
-	const char *name = (const char *)group_name;
+	const char *name = group_name;

 	SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, sgr_dbname ()));
 #ifdef WITH_AUDIT
@ -136,7 +136,7 @@ void cleanup_report_add_group_gshadow (void *group_name)
 */
 void cleanup_report_del_group_group (void *group_name)
 {
-	const char *name = (const char *)group_name;
+	const char *name = group_name;

 	SYSLOG ((LOG_ERR,
 	         "failed to remove group %s from %s",
@ -159,7 +159,7 @@ void cleanup_report_del_group_group (void *group_name)
 */
 void cleanup_report_del_group_gshadow (void *group_name)
 {
-	const char *name = (const char *)group_name;
+	const char *name = group_name;

 	SYSLOG ((LOG_ERR,
 	         "failed to remove group %s from %s",
--- a/libmisc/cleanup_user.c
+++ b/libmisc/cleanup_user.c
@ -16,13 +16,13 @@
 #include "shadowlog.h"

 /*
- * cleanup_report_add_user - Report failure to add an user to the system
+ * cleanup_report_add_user - Report failure to add a user to the system
 *
- * It should be registered when it is decided to add an user to the system.
+ * It should be registered when it is decided to add a user to the system.
 */
 void cleanup_report_add_user (void *user_name)
 {
-	const char *name = (const char *)user_name;
+	const char *name = user_name;

 	SYSLOG ((LOG_ERR, "failed to add user %s", name));
 #ifdef WITH_AUDIT
@ -51,15 +51,15 @@ void cleanup_report_mod_passwd (void *cleanup_info)
 }

 /*
- * cleanup_report_add_user_passwd - Report failure to add an user to
+ * cleanup_report_add_user_passwd - Report failure to add a user to
 * /etc/passwd
 *
- * It should be registered when it is decided to add an user to the
+ * It should be registered when it is decided to add a user to the
 * /etc/passwd database.
 */
 void cleanup_report_add_user_passwd (void *user_name)
 {
-	const char *name = (const char *)user_name;
+	const char *name = user_name;

 	SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, pw_dbname ()));
 #ifdef WITH_AUDIT
@ -71,15 +71,15 @@ void cleanup_report_add_user_passwd (void *user_name)
 }

 /*
- * cleanup_report_add_user_shadow - Report failure to add an user to
+ * cleanup_report_add_user_shadow - Report failure to add a user to
 * /etc/shadow
 *
- * It should be registered when it is decided to add an user to the
+ * It should be registered when it is decided to add a user to the
 * /etc/shadow database.
 */
 void cleanup_report_add_user_shadow (void *user_name)
 {
-	const char *name = (const char *)user_name;
+	const char *name = user_name;

 	SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, spw_dbname ()));
 #ifdef WITH_AUDIT
--- a/libmisc/console.c
+++ b/libmisc/console.c
@ -44,8 +44,7 @@ static bool is_listed (const char *cfgin, const char *tty, bool def)

 	if (*cons != '/') {
 		char *pbuf;
-		strncpy (buf, cons, sizeof (buf));
-		buf[sizeof (buf) - 1] = '\0';
+		strlcpy (buf, cons, sizeof (buf));
 		pbuf = &buf[0];
 		while ((s = strtok (pbuf, ":")) != NULL) {
 			if (strcmp (s, tty) == 0) {
@ -71,8 +70,9 @@ static bool is_listed (const char *cfgin, const char *tty, bool def)
 	 * See if this tty is listed in the console file.
 	 */

-	while (fgets (buf, (int) sizeof (buf), fp) != NULL) {
-		buf[strlen (buf) - 1] = '\0';
+	while (fgets (buf, sizeof (buf), fp) != NULL) {
+		/* Remove optional trailing '\n'. */
+		buf[strcspn (buf, "\n")] = '\0';
 		if (strcmp (buf, tty) == 0) {
 			(void) fclose (fp);
 			return true;
--- a/libmisc/copydir.c
+++ b/libmisc/copydir.c
@ -17,6 +17,8 @@
 #include <sys/time.h>
 #include <fcntl.h>
 #include <stdio.h>
+
+#include "alloc.h"
 #include "prototypes.h"
 #include "defines.h"
 #ifdef WITH_SELINUX
@ -226,7 +228,7 @@ static /*@exposed@*/ /*@null@*/struct link_name *check_link (const char *name, c
 		return NULL;
 	}

-	lp = (struct link_name *) xmalloc (sizeof *lp);
+	lp = XMALLOC (struct link_name);
 	src_len = strlen (src_orig);
 	dst_len = strlen (dst_orig);
 	name_len = strlen (name);
@ -234,7 +236,7 @@ static /*@exposed@*/ /*@null@*/struct link_name *check_link (const char *name, c
 	lp->ln_ino = sb->st_ino;
 	lp->ln_count = sb->st_nlink;
 	len = name_len - src_len + dst_len + 1;
-	lp->ln_name = (char *) xmalloc (len);
+	lp->ln_name = XMALLOCARRAY (len, char);
 	(void) snprintf (lp->ln_name, len, "%s%s", dst_orig, name + src_len);
 	lp->ln_next = links;
 	links = lp;
@ -324,8 +326,8 @@ static int copy_tree_impl (const struct path_info *src, const struct path_info *
 			src_len += strlen (src->full_path);
 			dst_len += strlen (dst->full_path);

-			src_name = (char *) malloc (src_len);
-			dst_name = (char *) malloc (dst_len);
+			src_name = MALLOCARRAY (src_len, char);
+			dst_name = MALLOCARRAY (dst_len, char);

 			if ((NULL == src_name) || (NULL == dst_name)) {
 				err = -1;
@ -419,35 +421,25 @@ static int copy_entry (const struct path_info *src, const struct path_info *dst,
 	if (fstatat(src->dirfd, src->name, &sb, AT_SYMLINK_NOFOLLOW) == -1) {
 		/* If we cannot stat the file, do not care. */
 	} else {
-#ifdef HAVE_STRUCT_STAT_ST_ATIM
 		mt[0].tv_sec  = sb.st_atim.tv_sec;
 		mt[0].tv_nsec = sb.st_atim.tv_nsec;
-#else				/* !HAVE_STRUCT_STAT_ST_ATIM */
-		mt[0].tv_sec  = sb.st_atime;
-# ifdef HAVE_STRUCT_STAT_ST_ATIMENSEC
-		mt[0].tv_nsec = sb.st_atimensec;
-# else				/* !HAVE_STRUCT_STAT_ST_ATIMENSEC */
-		mt[0].tv_nsec = 0;
-# endif				/* !HAVE_STRUCT_STAT_ST_ATIMENSEC */
-#endif				/* !HAVE_STRUCT_STAT_ST_ATIM */

-#ifdef HAVE_STRUCT_STAT_ST_MTIM
 		mt[1].tv_sec  = sb.st_mtim.tv_sec;
 		mt[1].tv_nsec = sb.st_mtim.tv_nsec;
-#else				/* !HAVE_STRUCT_STAT_ST_MTIM */
-		mt[1].tv_sec  = sb.st_mtime;
-# ifdef HAVE_STRUCT_STAT_ST_MTIMENSEC
-		mt[1].tv_nsec = sb.st_mtimensec;
-# else				/* !HAVE_STRUCT_STAT_ST_MTIMENSEC */
-		mt[1].tv_nsec = 0;
-# endif				/* !HAVE_STRUCT_STAT_ST_MTIMENSEC */
-#endif				/* !HAVE_STRUCT_STAT_ST_MTIM */

 		if (S_ISDIR (sb.st_mode)) {
 			err = copy_dir (src, dst, reset_selinux, &sb, mt,
 			                old_uid, new_uid, old_gid, new_gid);
 		}

+		/*
+		 * If the destination already exists do nothing.
+		 * This is after the copy_dir above to still iterate into subdirectories.
+		 */
+		if (fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) != -1) {
+			return 0;
+		}
+
 		/*
 		 * Copy any symbolic links
 		 */
@ -507,6 +499,7 @@ static int copy_dir (const struct path_info *src, const struct path_info *dst,
                     gid_t old_gid, gid_t new_gid)
 {
 	int err = 0;
+	struct stat dst_sb;

 	/*
 	 * Create a new target directory, make it owned by
@ -518,6 +511,15 @@ static int copy_dir (const struct path_info *src, const struct path_info *dst,
 		return -1;
 	}
 #endif				/* WITH_SELINUX */
+        /*
+         * If the destination is already a directory, don't change it
+         * but copy into it (recursively).
+        */
+        if (fstatat(dst->dirfd, dst->name, &dst_sb, AT_SYMLINK_NOFOLLOW) == 0 && S_ISDIR(dst_sb.st_mode)) {
+            return (copy_tree_impl (src, dst, false, reset_selinux,
+                           old_uid, new_uid, old_gid, new_gid) != 0);
+        }
+
 	if (   (mkdirat (dst->dirfd, dst->name, 0700) != 0)
 	    || (chownat_if_needed (dst, statp,
 	                         old_uid, new_uid, old_gid, new_gid) != 0)
@ -559,7 +561,7 @@ static /*@null@*/char *readlink_malloc (const char *filename)

 	while (true) {
 		ssize_t nchars;
-		char *buffer = (char *) malloc (size);
+		char *buffer = MALLOCARRAY (size, char);
 		if (NULL == buffer) {
 			return NULL;
 		}
@ -624,7 +626,7 @@ static int copy_symlink (const struct path_info *src, const struct path_info *ds
 	 */
 	if (strncmp (oldlink, src_orig, strlen (src_orig)) == 0) {
 		size_t len = strlen (dst_orig) + strlen (oldlink) - strlen (src_orig) + 1;
-		char *dummy = (char *) xmalloc (len);
+		char *dummy = XMALLOCARRAY (len, char);
 		(void) snprintf (dummy, len, "%s%s",
 		                 dst_orig,
 		                 oldlink + strlen (src_orig));
@ -768,7 +770,7 @@ static ssize_t full_write(int fd, const void *buf, size_t count) {

 		written += res;
 		buf = (const unsigned char*)buf + res;
-		count -= (size_t)res;
+		count -= res;
 	}

 	return written;
@ -850,7 +852,7 @@ static int copy_file (const struct path_info *src, const struct path_info *dst,
 			break;
 		}

-		if (full_write (ofd, buf, (size_t)cnt) < 0) {
+		if (full_write (ofd, buf, cnt) < 0) {
 			(void) close (ofd);
 			(void) close (ifd);
 			return -1;
--- a/libmisc/csrand.c
+++ b/libmisc/csrand.c
@ -0,0 +1,141 @@
+/*
+ * SPDX-FileCopyrightText:  Alejandro Colomar <alx@kernel.org>
+ *
+ * SPDX-License-Identifier:  BSD-3-Clause
+ */
+
+#include <config.h>
+
+#ident "$Id$"
+
+#include <limits.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#if HAVE_SYS_RANDOM_H
+#include <sys/random.h>
+#endif
+#include "bit.h"
+#include "defines.h"
+#include "prototypes.h"
+#include "shadowlog.h"
+
+
+static uint32_t csrand_uniform32(uint32_t n);
+static unsigned long csrand_uniform_slow(unsigned long n);
+
+
+/*
+ * Return a uniformly-distributed CS random u_long value.
+ */
+unsigned long
+csrand(void)
+{
+	FILE           *fp;
+	unsigned long  r;
+
+#ifdef HAVE_GETENTROPY
+	/* getentropy may exist but lack kernel support.  */
+	if (getentropy(&r, sizeof(r)) == 0)
+		return r;
+#endif
+
+#ifdef HAVE_GETRANDOM
+	/* Likewise getrandom.  */
+	if (getrandom(&r, sizeof(r), 0) == sizeof(r))
+		return r;
+#endif
+
+#ifdef HAVE_ARC4RANDOM_BUF
+	/* arc4random_buf can never fail.  */
+	arc4random_buf(&r, sizeof(r));
+	return r;
+#endif
+
+	/* Use /dev/urandom as a last resort.  */
+	fp = fopen("/dev/urandom", "r");
+	if (NULL == fp) {
+		goto fail;
+	}
+
+	if (fread(&r, sizeof(r), 1, fp) != 1) {
+		fclose(fp);
+		goto fail;
+	}
+
+	fclose(fp);
+	return r;
+
+fail:
+	fprintf(log_get_logfd(), _("Unable to obtain random bytes.\n"));
+	exit(1);
+}
+
+
+/*
+ * Return a uniformly-distributed CS random value in the interval [0, n-1].
+ */
+unsigned long
+csrand_uniform(unsigned long n)
+{
+	if (n == 0 || n > UINT32_MAX)
+		return csrand_uniform_slow(n);
+
+	return csrand_uniform32(n);
+}
+
+
+/*
+ * Return a uniformly-distributed CS random value in the interval [min, max].
+ */
+unsigned long
+csrand_interval(unsigned long min, unsigned long max)
+{
+	return csrand_uniform(max - min + 1) + min;
+}
+
+
+/*
+ * Fast Random Integer Generation in an Interval
+ * ACM Transactions on Modeling and Computer Simulation 29 (1), 2019
+ * <https://arxiv.org/abs/1805.10941>
+ */
+static uint32_t
+csrand_uniform32(uint32_t n)
+{
+	uint32_t  bound, rem;
+	uint64_t  r, mult;
+
+	if (n == 0)
+		return csrand();
+
+	bound = -n % n;  // analogous to `2^64 % n`, since `x % y == (x-y) % y`
+
+	do {
+		r = csrand();
+		mult = r * n;
+		rem = mult;  // analogous to `mult % 2^64`
+	} while (rem < bound);  // p = (2^64 % n) / 2^64;  W.C.: n=2^63+1, p=0.5
+
+	r = mult >> WIDTHOF(n);  // analogous to `mult / 2^64`
+
+	return r;
+}
+
+
+static unsigned long
+csrand_uniform_slow(unsigned long n)
+{
+	unsigned long  r, max, mask;
+
+	max = n - 1;
+	mask = bit_ceil_wrapul(n) - 1;
+
+	do {
+		r = csrand();
+		r &= mask;  // optimization
+	} while (r > max);  // p = ((mask+1) % n) / (mask+1);  W.C.: p=0.5
+
+	return r;
+}
--- a/libmisc/date_to_str.c
+++ b/libmisc/date_to_str.c
@ -33,14 +33,24 @@

 #include "prototypes.h"

-void date_to_str (size_t size, char buf[size], long date)
+void
+date_to_str(size_t size, char buf[size], long date)
 {
-	time_t t;
+	time_t           t;
+	const struct tm  *tm;

 	t = date;
-	if (date < 0)
-		(void) strncpy (buf, "never", size);
-	else
-		(void) strftime (buf, size, "%Y-%m-%d", gmtime (&t));
+	if (date < 0) {
+		(void) strlcpy(buf, "never", size);
+		return;
+	}
+
+	tm = gmtime(&t);
+	if (tm == NULL) {
+		(void) strlcpy(buf, "future", size);
+		return;
+	}
+
+	(void) strftime(buf, size, "%Y-%m-%d", tm);
 	buf[size - 1] = '\0';
 }
--- a/libmisc/entry.c
+++ b/libmisc/entry.c
@ -13,6 +13,8 @@

 #include <sys/types.h>
 #include <stdio.h>
+
+#include "alloc.h"
 #include "prototypes.h"
 #include "defines.h"
 #include <pwd.h>
@ -24,7 +26,7 @@ void pw_entry (const char *name, struct passwd *pwent)
 	struct spwd *spwd;

 	if (!(passwd = getpwnam (name))) { /* local, no need for xgetpwnam */
-		pwent->pw_name = (char *) 0;
+		pwent->pw_name = NULL;
 		return;
 	} else {
 		pwent->pw_name = xstrdup (passwd->pw_name);
--- a/libmisc/env.c
+++ b/libmisc/env.c
@ -15,6 +15,8 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+
+#include "alloc.h"
 #include "prototypes.h"
 #include "defines.h"
 #include "shadowlog.h"
@ -26,7 +28,6 @@
 #define NEWENVP_STEP 16
 size_t newenvc = 0;
 /*@null@*/char **newenvp = NULL;
-extern char **environ;

 static const char *const forbid[] = {
 	"_RLD_=",
@ -42,7 +43,7 @@ static const char *const forbid[] = {
 	"PATH=",
 	"SHELL=",
 	"SHLIB_PATH=",
-	(char *) 0
+	NULL
 };

 /* these are allowed, but with no slashes inside
@ -51,7 +52,7 @@ static const char *const noslash[] = {
 	"LANG=",
 	"LANGUAGE=",
 	"LC_",			/* anything with the LC_ prefix */
-	(char *) 0
+	NULL
 };

 /*
@ -59,7 +60,7 @@ static const char *const noslash[] = {
 */
 void initenv (void)
 {
-	newenvp = (char **) xmalloc (NEWENVP_STEP * sizeof (char *));
+	newenvp = XMALLOCARRAY (NEWENVP_STEP, char *);
 	*newenvp = NULL;
 }

@ -73,7 +74,7 @@ void addenv (const char *string, /*@null@*/const char *value)
 	if (NULL != value) {
 		size_t len = strlen (string) + strlen (value) + 2;
 		int wlen;
-		newstring = xmalloc (len);
+		newstring = XMALLOCARRAY (len, char);
 		wlen = snprintf (newstring, len, "%s=%s", string, value);
 		assert (wlen == (int) len -1);
 	} else {
@ -127,16 +128,16 @@ void addenv (const char *string, /*@null@*/const char *value)
 	 */

 	if ((newenvc & (NEWENVP_STEP - 1)) == 0) {
-		char **__newenvp;
-		size_t newsize;
+		bool  update_environ;
+		char  **__newenvp;

 		/*
 		 * If the resize operation succeeds we can
 		 * happily go on, else print a message.
 		 */
+		update_environ = (environ == newenvp);

-		newsize = (newenvc + NEWENVP_STEP) * sizeof (char *);
-		__newenvp = (char **) realloc (newenvp, newsize);
+		__newenvp = REALLOCARRAY(newenvp, newenvc + NEWENVP_STEP, char *);

 		if (NULL != __newenvp) {
 			/*
@ -144,9 +145,8 @@ void addenv (const char *string, /*@null@*/const char *value)
 			 * environ so that it doesn't point to some
 			 * free memory area (realloc() could move it).
 			 */
-			if (environ == newenvp) {
+			if (update_environ)
 				environ = __newenvp;
-			}
 			newenvp = __newenvp;
 		} else {
 			(void) fputs (_("Environment overflow\n"), log_get_logfd());
--- a/libmisc/failure.c
+++ b/libmisc/failure.c
@ -53,7 +53,7 @@ void failure (uid_t uid, const char *tty, struct faillog *fl)
 	 */

 	if (   (lseek (fd, offset_uid, SEEK_SET) != offset_uid)
-	    || (read (fd, (char *) fl, sizeof *fl) != (ssize_t) sizeof *fl)) {
+	    || (read (fd, fl, sizeof *fl) != (ssize_t) sizeof *fl)) {
 		/* This is not necessarily a failure. The file is
 		 * initially zero length.
 		 *
@ -86,7 +86,7 @@ void failure (uid_t uid, const char *tty, struct faillog *fl)
 	 */

 	if (   (lseek (fd, offset_uid, SEEK_SET) != offset_uid)
-	    || (write (fd, (char *) fl, sizeof *fl) != (ssize_t) sizeof *fl)
+	    || (write (fd, fl, sizeof *fl) != (ssize_t) sizeof *fl)
 	    || (close (fd) != 0)) {
 		SYSLOG ((LOG_WARN,
 		         "Can't write faillog entry for UID %lu in %s.",
@ -163,7 +163,7 @@ int failcheck (uid_t uid, struct faillog *fl, bool failed)
 	 */

 	if (   (lseek (fd, offset_uid, SEEK_SET) != offset_uid)
-	    || (read (fd, (char *) fl, sizeof *fl) != (ssize_t) sizeof *fl)) {
+	    || (read (fd, fl, sizeof *fl) != (ssize_t) sizeof *fl)) {
 		(void) close (fd);
 		return 1;
 	}
@ -185,7 +185,7 @@ int failcheck (uid_t uid, struct faillog *fl, bool failed)
 		fail.fail_cnt = 0;

 		if (   (lseek (fd, offset_uid, SEEK_SET) != offset_uid)
-		    || (write (fd, (const void *) &fail, sizeof fail) != (ssize_t) sizeof fail)
+		    || (write (fd, &fail, sizeof fail) != (ssize_t) sizeof fail)
 		    || (close (fd) != 0)) {
 			SYSLOG ((LOG_WARN,
 			         "Can't reset faillog entry for UID %lu in %s.",
@ -242,13 +242,7 @@ void failprint (const struct faillog *fail)
 *	maintains a record of all login failures.
 */

-void failtmp (const char *username,
-#ifdef USE_UTMPX
-		     const struct utmpx *failent
-#else				/* !USE_UTMPX */
-		     const struct utmp *failent
-#endif				/* !USE_UTMPX */
-    )
+void failtmp (const char *username, const struct utmp *failent)
 {
 	const char *ftmp;
 	int fd;
@ -284,7 +278,7 @@ void failtmp (const char *username,
 	 * Append the new failure record and close the log file.
 	 */

-	if (   (write (fd, (const void *) failent, sizeof *failent) != (ssize_t) sizeof *failent)
+	if (   (write (fd, failent, sizeof *failent) != (ssize_t) sizeof *failent)
 	    || (close (fd) != 0)) {
 		SYSLOG ((LOG_WARN,
 		         "Can't append failure of user %s to %s.",
--- a/libmisc/failure.h
+++ b/libmisc/failure.h
@ -13,11 +13,7 @@

 #include "defines.h"
 #include "faillog.h"
-#ifdef USE_UTMPX
-#include <utmpx.h>
-#else					/* !USE_UTMPX */
 #include <utmp.h>
-#endif					/* !USE_UTMPX */

 /*
 * failure - make failure entry
@ -51,11 +47,7 @@ extern void failprint (const struct faillog *);
 *	failtmp updates the (struct utmp) formatted failure log which
 *	maintains a record of all login failures.
 */
-#ifdef USE_UTMPX
-extern void failtmp (const char *username, const struct utmpx *);
-#else				/* !USE_UTMPX */
 extern void failtmp (const char *username, const struct utmp *);
-#endif				/* !USE_UTMPX */

 #endif

--- a/libmisc/find_new_gid.c
+++ b/libmisc/find_new_gid.c
@ -12,6 +12,7 @@
 #include <stdio.h>
 #include <errno.h>

+#include "alloc.h"
 #include "prototypes.h"
 #include "groupio.h"
 #include "getdef.h"
@ -40,15 +41,14 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
 		*preferred_min = (gid_t) 1;

 		/* Get the minimum ID range from login.defs or default to 101 */
-		*min_id = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
+		*min_id = getdef_ulong ("SYS_GID_MIN", 101UL);

 		/*
 		 * If SYS_GID_MAX is unspecified, we should assume it to be one
 		 * less than the GID_MIN (which is reserved for non-system accounts)
 		 */
-		gid_def_max = (gid_t) getdef_ulong ("GID_MIN", 1000UL) - 1;
-		*max_id = (gid_t) getdef_ulong ("SYS_GID_MAX",
-				(unsigned long) gid_def_max);
+		gid_def_max = getdef_ulong ("GID_MIN", 1000UL) - 1;
+		*max_id = getdef_ulong ("SYS_GID_MAX", gid_def_max);

 		/* Check that the ranges make sense */
 		if (*max_id < *min_id) {
@ -71,8 +71,8 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
 		/* Non-system groups */

 		/* Get the values from login.defs or use reasonable defaults */
-		*min_id = (gid_t) getdef_ulong ("GID_MIN", 1000UL);
-		*max_id = (gid_t) getdef_ulong ("GID_MAX", 60000UL);
+		*min_id = getdef_ulong ("GID_MIN", 1000UL);
+		*max_id = getdef_ulong ("GID_MAX", 60000UL);

 		/*
 		 * The preferred minimum should match the standard ID minimum
@ -99,6 +99,7 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id,
 *
 * On success, return 0
 * If the ID is in use, return EEXIST
+ * If the ID might clash with -1, return EINVAL
 * If the ID is outside the range, return ERANGE
 * In other cases, return errno from getgrgid()
 */
@ -112,6 +113,11 @@ static int check_gid (const gid_t gid,
 		return ERANGE;
 	}

+	/* Check for compatibility with 16b and 32b gid_t error codes */
+	if (gid == UINT16_MAX || gid == UINT32_MAX) {
+		return EINVAL;
+	}
+
 	/*
 	 * Check whether we already detected this GID
 	 * using the gr_next() loop
@ -183,10 +189,10 @@ int find_new_gid (bool sys_group,
 			 * gr_locate_gid() found the GID in an as-yet uncommitted
 			 * entry. We'll proceed below and auto-set a GID.
 			 */
-		} else if (result == EEXIST || result == ERANGE) {
+		} else if (result == EEXIST || result == ERANGE || result == EINVAL) {
 			/*
 			 * Continue on below. At this time, we won't
-			 * treat these two cases differently.
+			 * treat these three cases differently.
 			 */
 		} else {
 			/*
@ -226,14 +232,13 @@ int find_new_gid (bool sys_group,
 	 */

 	/* Create an array to hold all of the discovered GIDs */
-	used_gids = malloc (sizeof (bool) * (gid_max +1));
+	used_gids = CALLOC (gid_max + 1, bool);
 	if (NULL == used_gids) {
 		fprintf (log_get_logfd(),
 			 _("%s: failed to allocate memory: %s\n"),
 			 log_get_progname(), strerror (errno));
 		return -1;
 	}
-	memset (used_gids, false, sizeof (bool) * (gid_max + 1));

 	/* First look for the lowest and highest value in the local database */
 	(void) gr_rewind ();
@ -297,8 +302,11 @@ int find_new_gid (bool sys_group,
 				*gid = id;
 				free (used_gids);
 				return 0;
-			} else if (result == EEXIST) {
-				/* This GID is in use, we'll continue to the next */
+			} else if (result == EEXIST || result == EINVAL) {
+				/*
+				 * This GID is in use or unusable, we'll
+				 * continue to the next.
+				 */
 			} else {
 				/*
 				 * An unexpected error occurred.
@ -340,8 +348,11 @@ int find_new_gid (bool sys_group,
 					*gid = id;
 					free (used_gids);
 					return 0;
-				} else if (result == EEXIST) {
-					/* This GID is in use, we'll continue to the next */
+				} else if (result == EEXIST || result == EINVAL) {
+					/*
+					 * This GID is in use or unusable, we'll
+					 * continue to the next.
+					 */
 				} else {
 					/*
 					 * An unexpected error occurred.
@ -400,8 +411,11 @@ int find_new_gid (bool sys_group,
 				*gid = id;
 				free (used_gids);
 				return 0;
-			} else if (result == EEXIST) {
-				/* This GID is in use, we'll continue to the next */
+			} else if (result == EEXIST || result == EINVAL) {
+				/*
+				 * This GID is in use or unusable, we'll
+				 * continue to the next.
+				 */
 			} else {
 				/*
 				 * An unexpected error occurred.
@ -443,8 +457,11 @@ int find_new_gid (bool sys_group,
 					*gid = id;
 					free (used_gids);
 					return 0;
-				} else if (result == EEXIST) {
-					/* This GID is in use, we'll continue to the next */
+				} else if (result == EEXIST || result == EINVAL) {
+					/*
+					 * This GID is in use or unusable, we'll
+					 * continue to the next.
+					 */
 				} else {
 					/*
 					 * An unexpected error occurred.
--- a/libmisc/find_new_sub_gids.c
+++ b/libmisc/find_new_sub_gids.c
@ -59,6 +59,6 @@ int find_new_sub_gids (gid_t *range_start, unsigned long *range_count)
 	return 0;
 }
 #else				/* !ENABLE_SUBIDS */
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/* !ENABLE_SUBIDS */

--- a/libmisc/find_new_sub_uids.c
+++ b/libmisc/find_new_sub_uids.c
@ -59,6 +59,6 @@ int find_new_sub_uids (uid_t *range_start, unsigned long *range_count)
 	return 0;
 }
 #else				/* !ENABLE_SUBIDS */
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/* !ENABLE_SUBIDS */

--- a/libmisc/find_new_uid.c
+++ b/libmisc/find_new_uid.c
@ -12,6 +12,7 @@
 #include <stdio.h>
 #include <errno.h>

+#include "alloc.h"
 #include "prototypes.h"
 #include "pwio.h"
 #include "getdef.h"
@ -40,15 +41,14 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
 		*preferred_min = (uid_t) 1;

 		/* Get the minimum ID range from login.defs or default to 101 */
-		*min_id = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL);
+		*min_id = getdef_ulong ("SYS_UID_MIN", 101UL);

 		/*
 		 * If SYS_UID_MAX is unspecified, we should assume it to be one
 		 * less than the UID_MIN (which is reserved for non-system accounts)
 		 */
-		uid_def_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1;
-		*max_id = (uid_t) getdef_ulong ("SYS_UID_MAX",
-				(unsigned long) uid_def_max);
+		uid_def_max = getdef_ulong ("UID_MIN", 1000UL) - 1;
+		*max_id = getdef_ulong ("SYS_UID_MAX", uid_def_max);

 		/* Check that the ranges make sense */
 		if (*max_id < *min_id) {
@ -71,8 +71,8 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
 		/* Non-system users */

 		/* Get the values from login.defs or use reasonable defaults */
-		*min_id = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
-		*max_id = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
+		*min_id = getdef_ulong ("UID_MIN", 1000UL);
+		*max_id = getdef_ulong ("UID_MAX", 60000UL);

 		/*
 		 * The preferred minimum should match the standard ID minimum
@ -99,6 +99,7 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id,
 *
 * On success, return 0
 * If the ID is in use, return EEXIST
+ * If the ID might clash with -1, return EINVAL
 * If the ID is outside the range, return ERANGE
 * In other cases, return errno from getpwuid()
 */
@ -112,6 +113,11 @@ static int check_uid(const uid_t uid,
 		return ERANGE;
 	}

+	/* Check for compatibility with 16b and 32b uid_t error codes */
+	if (uid == UINT16_MAX || uid == UINT32_MAX) {
+		return EINVAL;
+	}
+
 	/*
 	 * Check whether we already detected this UID
 	 * using the pw_next() loop
@ -183,10 +189,10 @@ int find_new_uid(bool sys_user,
 			 * pw_locate_uid() found the UID in an as-yet uncommitted
 			 * entry. We'll proceed below and auto-set an UID.
 			 */
-		} else if (result == EEXIST || result == ERANGE) {
+		} else if (result == EEXIST || result == ERANGE || result == EINVAL) {
 			/*
 			 * Continue on below. At this time, we won't
-			 * treat these two cases differently.
+			 * treat these three cases differently.
 			 */
 		} else {
 			/*
@ -226,7 +232,7 @@ int find_new_uid(bool sys_user,
 	 */

 	/* Create an array to hold all of the discovered UIDs */
-	used_uids = malloc (sizeof (bool) * (uid_max +1));
+	used_uids = MALLOCARRAY (uid_max + 1, bool);
 	if (NULL == used_uids) {
 		fprintf (log_get_logfd(),
 			 _("%s: failed to allocate memory: %s\n"),
@ -297,8 +303,11 @@ int find_new_uid(bool sys_user,
 				*uid = id;
 				free (used_uids);
 				return 0;
-			} else if (result == EEXIST) {
-				/* This UID is in use, we'll continue to the next */
+			} else if (result == EEXIST || result == EINVAL) {
+				/*
+				 * This GID is in use or unusable, we'll
+				 * continue to the next.
+				 */
 			} else {
 				/*
 				 * An unexpected error occurred.
@ -340,8 +349,11 @@ int find_new_uid(bool sys_user,
 					*uid = id;
 					free (used_uids);
 					return 0;
-				} else if (result == EEXIST) {
-					/* This UID is in use, we'll continue to the next */
+				} else if (result == EEXIST || result == EINVAL) {
+					/*
+					 * This GID is in use or unusable, we'll
+					 * continue to the next.
+					 */
 				} else {
 					/*
 					 * An unexpected error occurred.
@ -400,8 +412,11 @@ int find_new_uid(bool sys_user,
 				*uid = id;
 				free (used_uids);
 				return 0;
-			} else if (result == EEXIST) {
-				/* This UID is in use, we'll continue to the next */
+			} else if (result == EEXIST || result == EINVAL) {
+				/*
+				 * This GID is in use or unusable, we'll
+				 * continue to the next.
+				 */
 			} else {
 				/*
 				 * An unexpected error occurred.
@ -443,8 +458,11 @@ int find_new_uid(bool sys_user,
 					*uid = id;
 					free (used_uids);
 					return 0;
-				} else if (result == EEXIST) {
-					/* This UID is in use, we'll continue to the next */
+				} else if (result == EEXIST || result == EINVAL) {
+					/*
+					 * This GID is in use or unusable, we'll
+					 * continue to the next.
+					 */
 				} else {
 					/*
 					 * An unexpected error occurred.
--- a/libmisc/getgr_nam_gid.c
+++ b/libmisc/getgr_nam_gid.c
@ -36,7 +36,7 @@ extern /*@only@*//*@null@*/struct group *getgr_nam_gid (/*@null@*/const char *gr
 	    && ('\0' == *endptr)
 	    && (ERANGE != errno)
 	    && (/*@+longintegral@*/gid == (gid_t)gid)/*@=longintegral@*/) {
-		return xgetgrgid ((gid_t) gid);
+		return xgetgrgid (gid);
 	}
 	return xgetgrnam (grname);
 }
--- a/libmisc/gettime.c
+++ b/libmisc/gettime.c
@ -22,7 +22,7 @@
 * Epoch, 1970-01-01 00:00:00 +0000 (UTC), except that if the SOURCE_DATE_EPOCH
 * environment variable is exported it will use that instead.
 */
-/*@observer@*/time_t gettime ()
+/*@observer@*/time_t gettime (void)
 {
 	char *endptr;
 	char *source_date_epoch;
@ -55,13 +55,13 @@
 		fprintf (shadow_logfd,
 			 _("Environment variable $SOURCE_DATE_EPOCH: value must be smaller than or equal to %lu but was found to be: %llu\n"),
 			 ULONG_MAX, epoch);
-	} else if (epoch > fallback) {
+	} else if ((time_t)epoch > fallback) {
 		fprintf (shadow_logfd,
 			 _("Environment variable $SOURCE_DATE_EPOCH: value must be smaller than or equal to the current time (%lu) but was found to be: %llu\n"),
 			 fallback, epoch);
 	} else {
 		/* Valid */
-		return (time_t)epoch;
+		return epoch;
 	}

 	return fallback;
--- a/libmisc/hushed.c
+++ b/libmisc/hushed.c
@ -66,7 +66,7 @@ bool hushed (const char *username)
 	if (NULL == fp) {
 		return false;
 	}
-	for (found = false; !found && (fgets (buf, (int) sizeof buf, fp) == buf);) {
+	for (found = false; !found && (fgets (buf, sizeof buf, fp) == buf);) {
 		buf[strcspn (buf, "\n")] = '\0';
 		found = (strcmp (buf, pw->pw_shell) == 0) ||
 		        (strcmp (buf, pw->pw_name) == 0);
--- a/libmisc/idmapping.c
+++ b/libmisc/idmapping.c
@ -11,7 +11,10 @@
 #include <limits.h>
 #include <stdlib.h>
 #include <stdio.h>
+
+#include "alloc.h"
 #include "prototypes.h"
+#include "stpeprintf.h"
 #include "idmapping.h"
 #if HAVE_SYS_CAPABILITY_H
 #include <sys/prctl.h>
@ -43,7 +46,7 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv)
 		return NULL;
 	}

-	mappings = calloc(ranges, sizeof(*mappings));
+	mappings = CALLOC(ranges, struct map_range);
 	if (!mappings) {
 		fprintf(log_get_logfd(), _( "%s: Memory allocation failure\n"),
 			log_get_progname());
@ -99,7 +102,7 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv)
 *  8bytes --> 21 ascii estimated -> 18446744073709551616 (20 real)
 * 16bytes --> 39 ascii estimated -> 340282366920938463463374607431768211456 (39 real)
 */
-#define ULONG_DIGITS ((((sizeof(unsigned long) * CHAR_BIT) + 9)/10)*3)
+#define ULONG_DIGITS (((WIDTHOF(unsigned long) + 9)/10)*3)

 #if HAVE_SYS_CAPABILITY_H
 static inline bool maps_lower_root(int cap, int ranges, const struct map_range *mappings)
@ -141,7 +144,7 @@ void write_mapping(int proc_dir_fd, int ranges, const struct map_range *mappings
 	int idx;
 	const struct map_range *mapping;
 	size_t bufsize;
-	char *buf, *pos;
+	char *buf, *pos, *end;
 	int fd;

 #if HAVE_SYS_CAPABILITY_H
@ -188,22 +191,21 @@ void write_mapping(int proc_dir_fd, int ranges, const struct map_range *mappings
 #endif

 	bufsize = ranges * ((ULONG_DIGITS + 1) * 3);
-	pos = buf = xmalloc(bufsize);
+	pos = buf = XMALLOCARRAY(bufsize, char);
+	end = buf + bufsize;

 	/* Build the mapping command */
 	mapping = mappings;
 	for (idx = 0; idx < ranges; idx++, mapping++) {
 		/* Append this range to the string that will be written */
-		int written = snprintf(pos, bufsize - (pos - buf),
-			"%lu %lu %lu\n",
-			mapping->upper,
-			mapping->lower,
-			mapping->count);
-		if ((written <= 0) || (written >= (bufsize - (pos - buf)))) {
-			fprintf(log_get_logfd(), _("%s: snprintf failed!\n"), log_get_progname());
-			exit(EXIT_FAILURE);
-		}
-		pos += written;
+		pos = stpeprintf(pos, end, "%lu %lu %lu\n",
+		                 mapping->upper,
+		                 mapping->lower,
+		                 mapping->count);
+	}
+	if (pos == end || pos == NULL) {
+		fprintf(log_get_logfd(), _("%s: stpeprintf failed!\n"), log_get_progname());
+		exit(EXIT_FAILURE);
 	}

 	/* Write the mapping to the mapping file */
--- a/libmisc/isexpired.c
+++ b/libmisc/isexpired.c
@ -40,7 +40,7 @@ int isexpired (const struct passwd *pw, /*@null@*/const struct spwd *sp)
 {
 	long now;

-	now = (long) time ((time_t *) 0) / SCALE;
+	now = time(NULL) / SCALE;

 	if (NULL == sp) {
 		return 0;
--- a/libmisc/limits.c
+++ b/libmisc/limits.c
@ -28,11 +28,7 @@
 #include <pwd.h>
 #include "getdef.h"
 #include "shadowlog.h"
-#ifdef HAVE_SYS_RESOURCE_H
 #include <sys/resource.h>
-#define LIMITS
-#endif
-#ifdef LIMITS
 #ifndef LIMITS_FILE
 #define LIMITS_FILE "/etc/limits"
 #endif
@ -72,7 +68,7 @@ static int setrlimit_value (unsigned int resource,
 			return 0;
 		}
 		longlimit *= multiplier;
-		limit = (rlim_t)longlimit;
+		limit = longlimit;
 		if (longlimit != limit)
 		{
 			/* FIXME: Again, silent error handling...
@ -99,7 +95,7 @@ static int set_prio (const char *value)
 	    || (prio != (int) prio)) {
 		return 0;
 	}
-	if (setpriority (PRIO_PROCESS, 0, (int) prio) != 0) {
+	if (setpriority (PRIO_PROCESS, 0, prio) != 0) {
 		return LOGIN_ERROR_RLIMIT;
 	}
 	return 0;
@ -115,7 +111,7 @@ static int set_umask (const char *value)
 		return 0;
 	}

-	(void) umask ((mode_t) mask);
+	(void) umask (mask);
 	return 0;
 }

@ -123,11 +119,7 @@ static int set_umask (const char *value)
 /* Counts the number of user logins and check against the limit */
 static int check_logins (const char *name, const char *maxlogins)
 {
-#ifdef USE_UTMPX
-	struct utmpx *ut;
-#else				/* !USE_UTMPX */
 	struct utmp *ut;
-#endif				/* !USE_UTMPX */
 	unsigned long limit, count;

 	if (getulong (maxlogins, &limit) == 0) {
@ -140,13 +132,8 @@ static int check_logins (const char *name, const char *maxlogins)
 	}

 	count = 0;
-#ifdef USE_UTMPX
-	setutxent ();
-	while ((ut = getutxent ()))
-#else				/* !USE_UTMPX */
 	setutent ();
 	while ((ut = getutent ()))
-#endif				/* !USE_UTMPX */
 	{
 		if (USER_PROCESS != ut->ut_type) {
 			continue;
@ -162,11 +149,7 @@ static int check_logins (const char *name, const char *maxlogins)
 			break;
 		}
 	}
-#ifdef USE_UTMPX
-	endutxent ();
-#else				/* !USE_UTMPX */
 	endutent ();
-#endif				/* !USE_UTMPX */
 	/*
 	 * This is called after setutmp(), so the number of logins counted
 	 * includes the user who is currently trying to log in.
@ -243,34 +226,26 @@ static int do_user_limits (const char *buf, const char *name)

 	while ('\0' != *pp) {
 		switch (*pp++) {
-#ifdef RLIMIT_AS
 		case 'a':
 		case 'A':
 			/* RLIMIT_AS - max address space (KB) */
 			retval |= setrlimit_value (RLIMIT_AS, pp, 1024);
 			break;
-#endif
-#ifdef RLIMIT_CORE
 		case 'c':
 		case 'C':
 			/* RLIMIT_CORE - max core file size (KB) */
 			retval |= setrlimit_value (RLIMIT_CORE, pp, 1024);
 			break;
-#endif
-#ifdef RLIMIT_DATA
 		case 'd':
 		case 'D':
 			/* RLIMIT_DATA - max data size (KB) */
 			retval |= setrlimit_value (RLIMIT_DATA, pp, 1024);
 			break;
-#endif
-#ifdef RLIMIT_FSIZE
 		case 'f':
 		case 'F':
 			/* RLIMIT_FSIZE - Maximum filesize (KB) */
 			retval |= setrlimit_value (RLIMIT_FSIZE, pp, 1024);
 			break;
-#endif
 #ifdef RLIMIT_NICE
 		case 'i':
 		case 'I':
@ -294,13 +269,11 @@ static int do_user_limits (const char *buf, const char *name)
 			retval |= setrlimit_value (RLIMIT_MEMLOCK, pp, 1024);
 			break;
 #endif
-#ifdef RLIMIT_NOFILE
 		case 'n':
 		case 'N':
 			/* RLIMIT_NOFILE - max number of open files */
 			retval |= setrlimit_value (RLIMIT_NOFILE, pp, 1);
 			break;
-#endif
 #ifdef RLIMIT_RTPRIO
 		case 'o':
 		case 'O':
@ -319,20 +292,16 @@ static int do_user_limits (const char *buf, const char *name)
 			retval |= setrlimit_value (RLIMIT_RSS, pp, 1024);
 			break;
 #endif
-#ifdef RLIMIT_STACK
 		case 's':
 		case 'S':
 			/* RLIMIT_STACK - max stack size (KB) */
 			retval |= setrlimit_value (RLIMIT_STACK, pp, 1024);
 			break;
-#endif
-#ifdef RLIMIT_CPU
 		case 't':
 		case 'T':
 			/* RLIMIT_CPU - max CPU time (MIN) */
 			retval |= setrlimit_value (RLIMIT_CPU, pp, 60);
 			break;
-#endif
 #ifdef RLIMIT_NPROC
 		case 'u':
 		case 'U':
@ -479,7 +448,6 @@ static int setup_user_limits (const char *uname)
 	}
 	return do_user_limits (limits, uname);
 }
-#endif				/* LIMITS */


 static void setup_usergroups (const struct passwd *info)
@ -523,7 +491,6 @@ void setup_limits (const struct passwd *info)
 	 */

 	if (getdef_bool ("QUOTAS_ENAB")) {
-#ifdef LIMITS
 		if (info->pw_uid != 0) {
 			if ((setup_user_limits (info->pw_name) & LOGIN_ERROR_LOGIN) != 0) {
 				(void) fputs (_("Too many logins.\n"), log_get_logfd());
@ -531,7 +498,6 @@ void setup_limits (const struct passwd *info)
 				exit (EXIT_FAILURE);
 			}
 		}
-#endif
 		for (cp = info->pw_gecos; cp != NULL; cp = strchr (cp, ',')) {
 			if (',' == *cp) {
 				cp++;
@ -542,7 +508,7 @@ void setup_limits (const struct passwd *info)
 				if (   (getlong (cp + 4, &inc) == 1)
 				    && (inc >= -20) && (inc <= 20)) {
 					errno = 0;
-					if (   (nice ((int) inc) != -1)
+					if (   (nice (inc) != -1)
 					    || (0 != errno)) {
 						continue;
 					}
@ -559,7 +525,7 @@ void setup_limits (const struct passwd *info)
 				long int blocks;
 				if (   (getlong (cp + 7, &blocks) == 0)
 				    || (blocks != (int) blocks)
-				    || (set_filesize_limit ((int) blocks) != 0)) {
+				    || (set_filesize_limit (blocks) != 0)) {
 					SYSLOG ((LOG_WARN,
 					         "Can't set the ulimit for user %s",
 					         info->pw_name));
@ -574,7 +540,7 @@ void setup_limits (const struct passwd *info)
 					         "Can't set umask value for user %s",
 					         info->pw_name));
 				} else {
-					(void) umask ((mode_t) mask);
+					(void) umask (mask);
 				}

 				continue;
@ -584,6 +550,6 @@ void setup_limits (const struct passwd *info)
 }

 #else				/* !USE_PAM */
-extern int errno;		/* warning: ANSI C forbids an empty source file */
+extern int ISO_C_forbids_an_empty_translation_unit;
 #endif				/* !USE_PAM */

--- a/libmisc/list.c
+++ b/libmisc/list.c
@ -11,6 +11,8 @@
 #ident "$Id$"

 #include <assert.h>
+
+#include "alloc.h"
 #include "prototypes.h"
 #include "defines.h"
 /*
@ -33,7 +35,7 @@
 	 * pointer if it is present.
 	 */

-	for (i = 0; list[i] != (char *) 0; i++) {
+	for (i = 0; list[i] != NULL; i++) {
 		if (strcmp (list[i], member) == 0) {
 			return list;
 		}
@ -44,7 +46,7 @@
 	 * old entries, and the new entries as well.
 	 */

-	tmp = (char **) xmalloc ((i + 2) * sizeof member);
+	tmp = XMALLOCARRAY (i + 2, char *);

 	/*
 	 * Copy the original list to the new list, then append the
@ -52,12 +54,12 @@
 	 * is returned to the invoker.
 	 */

-	for (i = 0; list[i] != (char *) 0; i++) {
+	for (i = 0; list[i] != NULL; i++) {
 		tmp[i] = list[i];
 	}

 	tmp[i] = xstrdup (member);
-	tmp[i+1] = (char *) 0;
+	tmp[i+1] = NULL;

 	return tmp;
 }
@ -83,7 +85,7 @@
 	 * pointer if it is not present.
 	 */

-	for (i = j = 0; list[i] != (char *) 0; i++) {
+	for (i = j = 0; list[i] != NULL; i++) {
 		if (strcmp (list[i], member) != 0) {
 			j++;
 		}
@ -98,7 +100,7 @@
 	 * old entries.
 	 */

-	tmp = (char **) xmalloc ((j + 1) * sizeof member);
+	tmp = XMALLOCARRAY (j + 1, char *);

 	/*
 	 * Copy the original list except the deleted members to the
@ -106,14 +108,14 @@
 	 * is returned to the invoker.
 	 */

-	for (i = j = 0; list[i] != (char *) 0; i++) {
+	for (i = j = 0; list[i] != NULL; i++) {
 		if (strcmp (list[i], member) != 0) {
 			tmp[j] = list[i];
 			j++;
 		}
 	}

-	tmp[j] = (char *) 0;
+	tmp[j] = NULL;

 	return tmp;
 }
@ -133,7 +135,7 @@

 	for (i = 0; NULL != list[i]; i++);

-	tmp = (char **) xmalloc ((i + 1) * sizeof (char *));
+	tmp = XMALLOCARRAY (i + 1, char *);

 	i = 0;
 	while (NULL != *list) {
@ -142,7 +144,7 @@
 		list++;
 	}

-	tmp[i] = (char *) 0;
+	tmp[i] = NULL;
 	return tmp;
 }

@ -210,14 +212,14 @@ bool is_on_list (char *const *list, const char *member)
 	 * Allocate the array we're going to store the pointers into.
 	 */

-	array = (char **) xmalloc (sizeof (char *) * i);
+	array = XMALLOCARRAY (i, char *);

 	/*
 	 * Empty list is special - 0 members, not 1 empty member.  --marekm
 	 */

 	if ('\0' == *members) {
-		*array = (char *) 0;
+		*array = NULL;
 		free (members);
 		return array;
 	}
@ -235,7 +237,7 @@ bool is_on_list (char *const *list, const char *member)
 			cp2++;
 			cp = cp2;
 		} else {
-			array[i + 1] = (char *) 0;
+			array[i + 1] = NULL;
 			break;
 		}
 	}
--- a/libmisc/log.c
+++ b/libmisc/log.c
@ -67,7 +67,7 @@ void dolastlog (
 	 * the way we read the old one in.
 	 */

-	if (read (fd, (void *) &newlog, sizeof newlog) != (ssize_t) sizeof newlog) {
+	if (read (fd, &newlog, sizeof newlog) != (ssize_t) sizeof newlog) {
 		memzero (&newlog, sizeof newlog);
 	}
 	if (NULL != ll) {
@ -82,7 +82,7 @@ void dolastlog (
 	strncpy (newlog.ll_host, host, sizeof (newlog.ll_host) - 1);
 #endif
 	if (   (lseek (fd, offset, SEEK_SET) != offset)
-	    || (write (fd, (const void *) &newlog, sizeof newlog) != (ssize_t) sizeof newlog)
+	    || (write (fd, &newlog, sizeof newlog) != (ssize_t) sizeof newlog)
 	    || (close (fd) != 0)) {
 		SYSLOG ((LOG_WARN,
 		         "Can't write lastlog entry for UID %lu in %s.",
--- a/libmisc/loginprompt.c
+++ b/libmisc/loginprompt.c
@ -14,14 +14,15 @@
 #include <assert.h>
 #include <stdio.h>
 #include <signal.h>
-#include <ctype.h>
+
+#include "alloc.h"
 #include "prototypes.h"
 #include "defines.h"
 #include "getdef.h"

 static void login_exit (unused int sig)
 {
-	exit (EXIT_FAILURE);
+	_exit (EXIT_FAILURE);
 }

 /*
@ -31,7 +32,7 @@ static void login_exit (unused int sig)
 * is set in login.defs, this file is displayed before the prompt.
 */

-void login_prompt (const char *prompt, char *name, int namesize)
+void login_prompt (char *name, int namesize)
 {
 	char buf[1024];

@ -40,45 +41,38 @@ void login_prompt (const char *prompt, char *name, int namesize)
 	char *cp;
 	int i;
 	FILE *fp;
+	const char *fname = getdef_str ("ISSUE_FILE");

 	sighandler_t sigquit;
-#ifdef	SIGTSTP
 	sighandler_t sigtstp;
-#endif

 	/*
 	 * There is a small chance that a QUIT character will be part of
 	 * some random noise during a prompt.  Deal with this by exiting
-	 * instead of core dumping.  If SIGTSTP is defined, do the same
-	 * thing for that signal.
+	 * instead of core dumping.  Do the same thing for SIGTSTP.
 	 */

 	sigquit = signal (SIGQUIT, login_exit);
-#ifdef	SIGTSTP
 	sigtstp = signal (SIGTSTP, login_exit);
-#endif

 	/*
 	 * See if the user has configured the issue file to
 	 * be displayed and display it before the prompt.
 	 */

-	if (NULL != prompt) {
-		const char *fname = getdef_str ("ISSUE_FILE");
-		if (NULL != fname) {
-			fp = fopen (fname, "r");
-			if (NULL != fp) {
-				while ((i = getc (fp)) != EOF) {
-					(void) putc (i, stdout);
-				}
-
-				(void) fclose (fp);
+	if (NULL != fname) {
+		fp = fopen (fname, "r");
+		if (NULL != fp) {
+			while ((i = getc (fp)) != EOF) {
+				(void) putc (i, stdout);
 			}
+
+			(void) fclose (fp);
 		}
-		(void) gethostname (buf, sizeof buf);
-		printf (prompt, buf);
-		(void) fflush (stdout);
 	}
+	(void) gethostname (buf, sizeof buf);
+	printf (_("\n%s login: "), buf);
+	(void) fflush (stdout);

 	/*
 	 * Read the user's response.  The trailing newline will be
@ -86,7 +80,7 @@ void login_prompt (const char *prompt, char *name, int namesize)
 	 */

 	memzero (buf, sizeof buf);
-	if (fgets (buf, (int) sizeof buf, stdin) != buf) {
+	if (fgets (buf, sizeof buf, stdin) != buf) {
 		exit (EXIT_FAILURE);
 	}

@ -98,58 +92,20 @@ void login_prompt (const char *prompt, char *name, int namesize)

 	/*
 	 * Skip leading whitespace.  This makes "  username" work right.
-	 * Then copy the rest (up to the end or the first "non-graphic"
-	 * character into the username.
+	 * Then copy the rest (up to the end) into the username.
 	 */

 	for (cp = buf; *cp == ' ' || *cp == '\t'; cp++);

-	for (i = 0; i < namesize - 1 && isgraph (*cp); name[i++] = *cp++);
-	while (isgraph (*cp)) {
-		cp++;
-	}
-
-	if ('\0' != *cp) {
-		cp++;
-	}
+	for (i = 0; i < namesize - 1 && *cp != '\0'; name[i++] = *cp++);

 	name[i] = '\0';

-	/*
-	 * This is a disaster, at best.  The user may have entered extra
-	 * environmental variables at the prompt.  There are several ways
-	 * to do this, and I just take the easy way out.
-	 */
-
-	if ('\0' != *cp) {	/* process new variables */
-		char *nvar;
-		int count = 1;
-		int envc;
-
-		for (envc = 0; envc < MAX_ENV; envc++) {
-			nvar = strtok ((0 != envc) ? (char *) 0 : cp, " \t,");
-			if (NULL == nvar) {
-				break;
-			}
-			if (strchr (nvar, '=') != NULL) {
-				envp[envc] = nvar;
-			} else {
-				size_t len = strlen (nvar) + 32;
-				envp[envc] = xmalloc (len);
-				(void) snprintf (envp[envc], len,
-				                 "L%d=%s", count++, nvar);
-			}
-		}
-		set_env (envc, envp);
-	}
-
 	/*
 	 * Set the SIGQUIT handler back to its original value
 	 */

 	(void) signal (SIGQUIT, sigquit);
-#ifdef	SIGTSTP
 	(void) signal (SIGTSTP, sigtstp);
-#endif
 }

--- a/Show More
+++ b/Show More