| author | Kevin Tian <kevin.tian@intel.com> | 2010-08-06 10:34:29 +0800 | 
|---|---|---|
| committer | Richard Purdie <rpurdie@linux.intel.com> | 2010-08-13 13:36:02 +0100 | 
| commit | f6535ea12ab7f4d99adbe78919a7ed252175565f (patch) | |
| tree | fcab0f6719ab5f17d1ce9fdd7ba0e376e418c2ac | |
| parent | 44d7c5678f52593d55c23f16d0da6c188734b026 (diff) | |
shadow: add new recipe 4.1.4.2
(borrow from OpenEmbedded with below tweaks)
Enhance login_defs_pam.sed according to shadow source, to ensure we don't
leave any unknown definitions in /etc/login.defs when pam is enabled
no need for --disable-account-tools-setuid which is detected upon pam
automatically, and no specific CFLAGS append
move shadow site options to generic site files
adjust indention
RDEPENDS on a list of pam-plugins since they're separately packaged
test with both pam enabled and pam disabled. when pam is enabled, tried
some same tweak with desired effect.
Signed-off-by: Kevin Tian <kevin.tian@intel.com>
17 files changed, 786 insertions, 0 deletions
| diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/login_defs_pam.sed b/meta-lsb/packages/shadow/shadow-4.1.4.2/login_defs_pam.sed
new file mode 100644
index 0000000000..0a1f3be4af
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/login_defs_pam.sed
@@ -0,0 +1,32 @@
+/^FAILLOG_ENAB/b comment
+/^LASTLOG_ENAB/b comment
+/^MAIL_CHECK_ENAB/b comment
+/^OBSCURE_CHECKS_ENAB/b comment
+/^PORTTIME_CHECKS_ENAB/b comment
+/^QUOTAS_ENAB/b comment
+/^MOTD_FILE/b comment
+/^FTMP_FILE/b comment
+/^NOLOGINS_FILE/b comment
+/^ENV_HZ/b comment
+/^ENV_TZ/b comment
+/^PASS_MIN_LEN/b comment
+/^SU_WHEEL_ONLY/b comment
+/^CRACKLIB_DICTPATH/b comment
+/^PASS_CHANGE_TRIES/b comment
+/^PASS_ALWAYS_WARN/b comment
+/^PASS_MAX_LEN/b comment
+/^PASS_MIN_LEN/b comment
+/^CHFN_AUTH/b comment
+/^CHSH_AUTH/b comment
+/^ISSUE_FILE/b comment
+/^LOGIN_STRING/b comment
+/^ULIMIT/b comment
+/^ENVIRON_FILE/b comment
+
+b exit
+
+: comment
+  s:^:#:
+
+: exit
+
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chfn b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chfn
new file mode 100644
index 0000000000..baf7698bba
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chfn
@@ -0,0 +1,14 @@
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+
+# This allows root to change user infomation without being
+# prompted for a password
+auth		sufficient	pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth       include      common-auth
+account    include      common-account
+session    include      common-session
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chpasswd b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chpasswd
new file mode 100644
index 0000000000..9e3efa68ba
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chpasswd
@@ -0,0 +1,4 @@
+# The PAM configuration file for the Shadow 'chpasswd' service
+#
+
+password   include      common-password
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chsh b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chsh
new file mode 100644
index 0000000000..8fb169f64e
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/chsh
@@ -0,0 +1,19 @@
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+
+# This will not allow a user to change their shell unless
+# their current one is listed in /etc/shells. This keeps
+# accounts with special shells from changing them.
+auth       required   pam_shells.so
+
+# This allows root to change user shell without being
+# prompted for a password
+auth		sufficient	pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth       include      common-auth
+account    include      common-account
+session    include      common-session
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/login b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/login
new file mode 100644
index 0000000000..e41eb04ec1
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/login
@@ -0,0 +1,91 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+# Note that it is included as a "requisite" module. No password prompts will
+# be displayed if this module fails to avoid having the root password
+# transmitted on unsecure ttys.
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root).
+auth       [success=ok ignore=ignore user_unknown=ignore default=die]  pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any 
+# lingering context has been cleared. Without out this it is possible 
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+auth       include      common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session    optional   pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Standard Un*x account and session
+account    include      common-account
+password   include      common-password
+session    include      common-session
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/newusers b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/newusers
new file mode 100644
index 0000000000..4aa3dde48b
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/newusers
@@ -0,0 +1,4 @@
+# The PAM configuration file for the Shadow 'newusers' service
+#
+
+password   include      common-password
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/passwd b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/passwd
new file mode 100644
index 0000000000..f534992435
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/passwd
@@ -0,0 +1,5 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+password   include      common-password
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/su b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/su
new file mode 100644
index 0000000000..8e35137f37
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/pam.d/su
@@ -0,0 +1,60 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth       sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth       required   pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth       sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth       required   pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session    optional   pam_mail.so nopen
+
+# Sets up user limits, please uncomment and read /etc/security/limits.conf
+# to enable this functionality.
+# (Replaces the use of /etc/limits in old login)
+# session    required   pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth       include      common-auth
+account    include      common-account
+session    include      common-session
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/securetty b/meta-lsb/packages/shadow/shadow-4.1.4.2/securetty
new file mode 100644
index 0000000000..28fa0afb72
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/securetty
@@ -0,0 +1,206 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+
+# Standard serial ports
+ttyS0
+ttyS1
+ttyS2
+ttyS3
+
+# Samsung ARM SoCs
+ttySAC0
+ttySAC1
+ttySAC2
+ttySAC3
+
+# TI OMAP SoCs
+ttyO0
+ttyO1
+ttyO2
+ttyO3
+
+# USB dongles
+ttyUSB0
+ttyUSB1
+ttyUSB2
+
+# PowerMac
+ttyPZ0
+ttyPZ1
+ttyPZ2
+ttyPZ3
+
+# Embedded MPC platforms
+ttyPSC0
+ttyPSC1
+ttyPSC2
+ttyPSC3
+ttyPSC4
+ttyPSC5
+
+# PA-RISC mux ports
+ttyB0
+ttyB1
+
+# Standard hypervisor virtual console
+hvc0
+
+# Oldstyle Xen console
+xvc0
+
+# Standard consoles
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+tty8
+tty9
+tty10
+tty11
+tty12
+tty13
+tty14
+tty15
+tty16
+tty17
+tty18
+tty19
+tty20
+tty21
+tty22
+tty23
+tty24
+tty25
+tty26
+tty27
+tty28
+tty29
+tty30
+tty31
+tty32
+tty33
+tty34
+tty35
+tty36
+tty37
+tty38
+tty39
+tty40
+tty41
+tty42
+tty43
+tty44
+tty45
+tty46
+tty47
+tty48
+tty49
+tty50
+tty51
+tty52
+tty53
+tty54
+tty55
+tty56
+tty57
+tty58
+tty59
+tty60
+tty61
+tty62
+tty63
+
+# Local X displays (allows empty passwords with pam_unix's nullok_secure)
+:0
+:0.0
+:0.1
+:1
+:1.0
+:1.1
+:2
+:2.0
+:2.1
+:3
+:3.0
+:3.1
+
+# Embedded Freescale i.MX ports
+ttymxc0
+ttymxc1
+ttymxc2
+ttymxc3
+ttymxc4
+ttymxc5
+
+# Standard serial ports, with devfs
+tts/0
+tts/1
+
+# Standard consoles, with devfs
+vc/1
+vc/2
+vc/3
+vc/4
+vc/5
+vc/6
+vc/7
+vc/8
+vc/9
+vc/10
+vc/11
+vc/12
+vc/13
+vc/14
+vc/15
+vc/16
+vc/17
+vc/18
+vc/19
+vc/20
+vc/21
+vc/22
+vc/23
+vc/24
+vc/25
+vc/26
+vc/27
+vc/28
+vc/29
+vc/30
+vc/31
+vc/32
+vc/33
+vc/34
+vc/35
+vc/36
+vc/37
+vc/38
+vc/39
+vc/40
+vc/41
+vc/42
+vc/43
+vc/44
+vc/45
+vc/46
+vc/47
+vc/48
+vc/49
+vc/50
+vc/51
+vc/52
+vc/53
+vc/54
+vc/55
+vc/56
+vc/57
+vc/58
+vc/59
+vc/60
+vc/61
+vc/62
+vc/63
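Review bot: The `# USB dongles` entries (`ttyUSB0` to `ttyUSB2`) permit direct root login on any USB serial adapter that ends up with a login prompt on it, and the `:0` to `:3.1` block is there, by its own comment, to allow empty passwords through pam_unix's nullok_secure. With 63 virtual consoles listed in two naming schemes as well, this is a desktop-distribution default rather than a list sized for an embedded image. shadow.inc already appends the machine's `${SERIAL_CONSOLE}` device, so consider trimming the static file to `console` plus the ports the supported machines really expose, and opening it with a comment such as `# Every entry permits direct root login via pam_securetty; remove what the board does not expose.`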
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.3-dots-in-usernames.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.3-dots-in-usernames.patch
new file mode 100644
index 0000000000..7a2ff2e24e
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.3-dots-in-usernames.patch
@@ -0,0 +1,23 @@
+# commit message copied from openembedded:
+#    commit 246c80637b135f3a113d319b163422f98174ee6c
+#    Author: Khem Raj <raj.khem@gmail.com>
+#    Date:   Wed Jun 9 13:37:03 2010 -0700
+#
+#    shadow-4.1.4.2: Add patches to support dots in login id.
+#    
+#    Signed-off-by: Khem Raj <raj.khem@gmail.com>
+#
+# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11
+
+Index: shadow-4.1.4.2/libmisc/chkname.c
+===================================================================
+--- shadow-4.1.4.2.orig/libmisc/chkname.c	2009-04-28 12:14:04.000000000 -0700
++++ shadow-4.1.4.2/libmisc/chkname.c	2010-06-03 17:43:20.638973857 -0700
+@@ -61,6 +61,7 @@ static bool is_valid_name (const char *n
+ 		      ( ('0' <= *name) && ('9' >= *name) ) ||
+ 		      ('_' == *name) ||
+ 		      ('-' == *name) ||
++		      ('.' == *name) ||
+ 		      ( ('$' == *name) && ('\0' == *(name + 1)) )
+ 		     )) {
+ 			return false;
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-env-reset-keep-locale.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-env-reset-keep-locale.patch
new file mode 100644
index 0000000000..124065c7f9
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-env-reset-keep-locale.patch
@@ -0,0 +1,27 @@
+# commit message copied from openembedded:
+#    commit 246c80637b135f3a113d319b163422f98174ee6c
+#    Author: Khem Raj <raj.khem@gmail.com>
+#    Date:   Wed Jun 9 13:37:03 2010 -0700
+#
+#    shadow-4.1.4.2: Add patches to support dots in login id.
+#    
+#    
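Review bot: Accepting `'.'` in this character test makes names such as `a..` or `user.group` valid, and the second form is ambiguous with the legacy `owner.group` argument that some chown implementations still accept, so scripts that hand login names to such tools can end up changing group ownership instead. Only the test for this one character class is visible; the rest of is_valid_name, including how the first character is checked, is outside the hunk, so whether a leading dot stays rejected cannot be confirmed from here. A comment above the added line would record the caveat, for example `/* NOTE: names containing '.' are ambiguous for tools that parse "owner.group" */`, and the patch header should name the upstream report this change comes from.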
Signed-off-by: Khem Raj <raj.khem@gmail.com>
+#
+# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11
+
+http://bugs.gentoo.org/283725
+https://alioth.debian.org/tracker/index.php?func=detail&aid=311740&group_id=30580&atid=411480
+
+Index: shadow-4.1.4.2/libmisc/env.c
+===================================================================
+--- shadow-4.1.4.2.orig/libmisc/env.c	2009-04-27 13:07:56.000000000 -0700
++++ shadow-4.1.4.2/libmisc/env.c	2010-06-03 17:44:51.456408474 -0700
+@@ -251,7 +251,7 @@ void sanitize_env (void)
+ 			if (strncmp (*cur, *bad, strlen (*bad)) != 0) {
+ 				continue;
+ 			}
+-			if (strchr (*cur, '/') != NULL) {
++			if (strchr (*cur, '/') == NULL) {
+ 				continue;	/* OK */
+ 			}
+ 			for (move = cur; NULL != *move; move++) {
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-groupmod-pam-check.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-groupmod-pam-check.patch
new file mode 100644
index 0000000000..6682fe8078
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-groupmod-pam-check.patch
@@ -0,0 +1,32 @@
+# commit message copied from openembedded:
+#    commit 246c80637b135f3a113d319b163422f98174ee6c
+#    Author: Khem Raj <raj.khem@gmail.com>
+#    Date:   Wed Jun 9 13:37:03 2010 -0700
+#
+#    shadow-4.1.4.2: Add patches to support dots in login id.
+#    
+#    
Signed-off-by: Khem Raj <raj.khem@gmail.com>
+#
+# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11
+
+http://bugs.gentoo.org/300790
+http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2009-November/007850.html
+
+2009-11-05  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, src/groupmod.c: Fixed groupmod when configured with
+	--enable-account-tools-setuid.
+
+Index: shadow-4.1.4.2/src/groupmod.c
+===================================================================
+--- shadow-4.1.4.2.orig/src/groupmod.c	2009-06-05 15:16:58.000000000 -0700
++++ shadow-4.1.4.2/src/groupmod.c	2010-06-03 17:45:43.828952613 -0700
+@@ -720,7 +720,7 @@ int main (int argc, char **argv)
+ 	{
+ 		struct passwd *pampw;
+ 		pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
+-		if (NULL == pamh) {
++		if (NULL == pampw) {
+ 			fprintf (stderr,
+ 			         _("%s: Cannot determine your user name.\n"),
+ 			         Prog);
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-su_no_sanitize_env.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-su_no_sanitize_env.patch
new file mode 100644
index 0000000000..f67251c840
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow-4.1.4.2-su_no_sanitize_env.patch
@@ -0,0 +1,27 @@
+# commit message copied from openembedded:
+#    commit 246c80637b135f3a113d319b163422f98174ee6c
+#    Author: Khem Raj <raj.khem@gmail.com>
+#    Date:   Wed Jun 9 13:37:03 2010 -0700
+#
+#    shadow-4.1.4.2: Add patches to support dots in login id.
+#    
+#    
Signed-off-by: Khem Raj <raj.khem@gmail.com>
+#
+# comment added by Kevin Tian <kevin.tian@intel.com>, 2010-08-11
+
+http://bugs.gentoo.org/show_bug.cgi?id=301957
+https://alioth.debian.org/scm/browser.php?group_id=30580
+
+Index: shadow-4.1.4.2/src/su.c
+===================================================================
+--- shadow-4.1.4.2.orig/src/su.c	2009-07-23 13:38:56.000000000 -0700
++++ shadow-4.1.4.2/src/su.c	2010-06-03 17:46:47.718944010 -0700
+@@ -378,7 +378,7 @@ int main (int argc, char **argv)
+ #endif
+ #endif				/* !USE_PAM */
+ 
+-	sanitize_env ();
++	/* sanitize_env (); */
+ 
+ 	(void) setlocale (LC_ALL, "");
+ 	(void) bindtextdomain (PACKAGE, LOCALEDIR);
diff --git a/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow.automake-1.11.patch b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow.automake-1.11.patch
new file mode 100644
index 0000000000..36d7be6fd0
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow-4.1.4.2/shadow.automake-1.11.patch
@@ -0,0 +1,102 @@
+# patch is from openembedded:
+#    commit 2db61370333f7a2fc1dbb86385734883387e0217
+#    Author: Martin Jansa <Martin.Jansa@gmail.com>
+#    Date:   Fri Apr 2 07:34:46 2010 +0200
+#
+#    shadow: fix do_install with automake-1.11
+#    
+#    
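Review bot: Commenting out `sanitize_env ();` in su's main() removes the environment scrubbing from a program that is normally installed setuid root, and the patch header does not say why: its text is the copied "Add patches to support dots in login id" message and the only rationale is two bare URLs. The same commit adds shadow-4.1.4.2-env-reset-keep-locale.patch, which corrects the slash test inside sanitize_env itself, so if the aim was only to keep locale variables this patch looks redundant (an inference; the linked reports are not on the page). Either drop the patch or record the reason and what still resets the environment in its header, e.g. `# su: sanitize_env() disabled because <reason>; environment is instead reset by <mechanism>`. The same copied header also sits on the env-reset-keep-locale and groupmod-pam-check patches, where it describes the wrong change. main() starts and ends outside the hunk.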
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+#
+# comment added by Kevin Tian <kevin.tian@intel.com>
+
+man_nopan is for !USE_PAM already included in man_MANS and automake-1.11 hates to install some file twice
+
+diff -uNr shadow-4.1.4.2.orig/man/Makefile.am shadow-4.1.4.2/man/Makefile.am
+--- shadow-4.1.4.2.orig/man/Makefile.am	2009-03-14 15:40:10.000000000 +0100
++++ shadow-4.1.4.2/man/Makefile.am	2010-04-02 07:31:17.000000000 +0200
+@@ -163,7 +163,6 @@
+ 	$(man_MANS) \
+ 	$(man_XMANS) \
+ 	$(addprefix login.defs.d/,$(login_defs_v)) \
+-	$(man_nopam) \
+ 	id.1 \
+ 	id.1.xml \
+ 	sulogin.8 \
+diff -uNr shadow-4.1.4.2.orig/man/fr/Makefile.am shadow-4.1.4.2/man/fr/Makefile.am
+--- shadow-4.1.4.2.orig/man/fr/Makefile.am	2008-09-06 18:44:45.000000000 +0200
++++ shadow-4.1.4.2/man/fr/Makefile.am	2010-04-02 07:42:11.000000000 +0200
+@@ -52,7 +52,6 @@
+ 
+ EXTRA_DIST = \
+ 	$(man_MANS) \
+-	$(man_nopam) \
+ 	id.1
+ 
+ include ../generate_translations.mak
+diff -uNr shadow-4.1.4.2.orig/man/it/Makefile.am shadow-4.1.4.2/man/it/Makefile.am
+--- shadow-4.1.4.2.orig/man/it/Makefile.am	2008-09-06 18:44:45.000000000 +0200
++++ shadow-4.1.4.2/man/it/Makefile.am	2010-04-02 07:42:20.000000000 +0200
+@@ -46,7 +46,6 @@
+                         
+ EXTRA_DIST = \
+ 	$(man_MANS) \
+-	$(man_nopam) \
+ 	id.1 \
+ 	logoutd.8
+ 
+diff -uNr shadow-4.1.4.2.orig/man/ja/Makefile.am shadow-4.1.4.2/man/ja/Makefile.am
+--- shadow-4.1.4.2.orig/man/ja/Makefile.am	2007-12-31 17:48:28.000000000 +0100
++++ shadow-4.1.4.2/man/ja/Makefile.am	2010-04-02 07:42:17.000000000 +0200
+@@ -49,7 +49,6 @@
+ 
+ EXTRA_DIST = \
+ 	$(man_MANS) \
+-	$(man_nopam) \
+ 	id.1 \
+ 	shadow.3 \
+ 	sulogin.8
+diff -uNr shadow-4.1.4.2.orig/man/pl/Makefile.am shadow-4.1.4.2/man/pl/Makefile.am
+--- shadow-4.1.4.2.orig/man/pl/Makefile.am	2008-09-06 18:44:45.000000000 +0200
++++ shadow-4.1.4.2/man/pl/Makefile.am	2010-04-02 07:42:07.000000000 +0200
+@@ -49,7 +49,6 @@
+ 
+ EXTRA_DIST = \
+ 	$(man_MANS) \
+-	$(man_nopam) \
+ 
	getspnam.3 \
+ 	id.1 \
+ 	shadow.3 \
+diff -uNr shadow-4.1.4.2.orig/man/ru/Makefile.am shadow-4.1.4.2/man/ru/Makefile.am
+--- shadow-4.1.4.2.orig/man/ru/Makefile.am	2010-04-02 07:39:00.000000000 +0200
++++ shadow-4.1.4.2/man/ru/Makefile.am	2010-04-02 07:42:01.000000000 +0200
+@@ -54,7 +54,6 @@
+ 
+ EXTRA_DIST = \
+ 	$(man_MANS) \
+-	$(man_nopam) \
+ 	id.1 \
+ 	sulogin.8
+ 
+diff -uNr shadow-4.1.4.2.orig/man/sv/Makefile.am shadow-4.1.4.2/man/sv/Makefile.am
+--- shadow-4.1.4.2.orig/man/sv/Makefile.am	2008-09-06 18:44:45.000000000 +0200
++++ shadow-4.1.4.2/man/sv/Makefile.am	2010-04-02 07:42:24.000000000 +0200
+@@ -53,8 +53,7 @@
+ endif
+ 
+ EXTRA_DIST = \
+-	$(man_MANS) \
+-	$(man_nopam)
++	$(man_MANS)
+ 
+ include ../generate_translations.mak
+ 
+--- shadow-4.1.4.2.orig/man/ru/Makefile.am	2010-04-02 07:54:09.000000000 +0200
++++ shadow-4.1.4.2/man/ru/Makefile.am	2010-04-02 07:51:57.000000000 +0200
+@@ -1,7 +1,6 @@
+ mandir = @mandir@/ru
+ 
+ man_MANS = \
+-	$(man_nopam) \
+ 	chage.1 \
+ 	chfn.1 \
+ 	chgpasswd.8 \
diff --git a/meta-lsb/packages/shadow/shadow.inc b/meta-lsb/packages/shadow/shadow.inc
new file mode 100644
index 0000000000..fcbcb3eb75
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow.inc
@@ -0,0 +1,121 @@
+DESCRIPTION = "Tools to change and administer password and group data."
+HOMEPAGE = "http://pkg-shadow.alioth.debian.org/"
+BUGTRACKER = "https://alioth.debian.org/tracker/?group_id=30580"
+SECTION = "base utils"
+LICENSE = "BSD | Artistic"
+LIC_FILES_CHKSUM = "file://COPYING;md5=08c553a87d4e51bbed50b20e0adcaede \
+                    file://src/passwd.c;firstline=8;endline=30;md5=2899a045e90511d0e043b85a7db7e2fe"
+
+PAM_PLUGINS = "  libpam-runtime \
+                 pam-plugin-faildelay \
+                 pam-plugin-securetty \
+                 pam-plugin-nologin \
+                 pam-plugin-env \
+                 pam-plugin-group \
+                 pam-plugin-limits \
+                 pam-plugin-lastlog \
+                 pam-plugin-motd \
+                 pam-plugin-mail \
+                 pam-plugin-shells \
+                 pam-plugin-rootok"
+                 
+DEPENDS = "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+RDEPENDS = "${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_PLUGINS}', '', d)}"
+
+# since we deduce from ${SERIAL_CONSOLE}
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+# Additional Policy files for PAM
+PAM_SRC_URI = "file://pam.d/chfn \
+               file://pam.d/chpasswd \
+               file://pam.d/chsh \
+               file://pam.d/login \
+               file://pam.d/newusers \
+               file://pam.d/passwd \
+               file://pam.d/su"
+
+SRC_URI = "ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-${PV}.tar.bz2 \
+           file://login_defs_pam.sed \
+           ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+           file://securetty"
+
+inherit autotools gettext
+
+EXTRA_OECONF += "--without-audit \
+                 --without-libcrack \
+                 ${@base_contains('DISTRO_FEATURES', 'pam', '--with-libpam', '--without-libpam', d)} \
+                 --without-selinux"
+
+do_install_append() {
+	# Ensure that the image has as 
/var/spool/mail dir so shadow can put mailboxes there if the user
+	# reconfigures Shadow to default (see sed below).
+	install -d ${D}${localstatedir}/spool/mail
+
+	if [ -e ${WORKDIR}/pam.d ]; then
+		install -d ${D}${sysconfdir}/pam.d/
+		install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
+		# Remove defaults that are not used when supporting PAM
+		sed -i -f ${WORKDIR}/login_defs_pam.sed ${D}${sysconfdir}/login.defs
+	fi
+
+	# Enable CREATE_HOME by default.
+	sed -i 's/#CREATE_HOME/CREATE_HOME/g' ${D}${sysconfdir}/login.defs
+
+	# As we are on an embedded system ensure the users mailbox is in ~/ not
+	# /var/spool/mail by default as who knows where or how big /var is.
+	# The system MDA will set this later anyway.
+	sed -i 's/MAIL_DIR/#MAIL_DIR/g' ${D}${sysconfdir}/login.defs
+	sed -i 's/#MAIL_FILE/MAIL_FILE/g' ${D}${sysconfdir}/login.defs
+
+	# disable checking emails at all
+	sed -i 's/MAIL_CHECK_ENAB/#MAIL_CHECK_ENAB/g' ${D}${sysconfdir}/login.defs
+
+	# now we don't have a mail system. disable mail creation for now
+	sed -i 's:/bin/bash:/bin/sh:g' ${D}${sysconfdir}/default/useradd
+	sed -i '/^CREATE_MAIL_SPOOL/ s:^:#:' ${D}${sysconfdir}/default/useradd
+
+	install -d ${D}${sbindir} ${D}${base_sbindir} ${D}${base_bindir} 
+	for i in passwd chfn newgrp chsh ; do
+		mv ${D}${bindir}/$i ${D}${bindir}/$i.${PN}
+	done
+
+	mv ${D}${sbindir}/chpasswd ${D}${sbindir}/chpasswd.${PN}
+	mv ${D}${sbindir}/vigr ${D}${base_sbindir}/vigr.${PN}
+	mv ${D}${sbindir}/vipw ${D}${base_sbindir}/vipw.${PN}
+	mv ${D}${bindir}/login ${D}${base_bindir}/login.${PN}
+
+	# Ensure we add a suitable securetty file to the package that has most common embedded TTYs defined.
+	if [ ! -z "${SERIAL_CONSOLE}" ]; then
+	# our SERIAL_CONSOLE contains baud rate too and sometime -L option as well.
+	# the following pearl :) takes that and converts it into newline sepated tty's and appends
+	# them into securetty. So if a machine has a weird looking console device node (e.g. 
ttyAMA0) that securetty
+	# does not know then it will get appended to securetty and root login will be allowed on
+	# that console.
+		echo "${SERIAL_CONSOLE}" | sed -e 's/[0-9][0-9]\|\-L//g'|tr "[ ]" "[\n]"  >> ${WORKDIR}/securetty
+	fi
+	install -m 0400 ${WORKDIR}/securetty ${D}${sysconfdir}/securetty 
+}
+
+pkg_postinst_${PN} () {
+	update-alternatives --install ${bindir}/passwd passwd passwd.${PN} 200
+	update-alternatives --install ${sbindir}/chpasswd chpasswd chpasswd.${PN} 200
+	update-alternatives --install ${bindir}/chfn chfn chfn.${PN} 200
+	update-alternatives --install ${bindir}/newgrp newgrp newgrp.${PN} 200
+	update-alternatives --install ${bindir}/chsh chsh chsh.${PN} 200
+	update-alternatives --install ${base_bindir}/login login login.${PN} 200
+	update-alternatives --install ${base_sbindir}/vipw vipw vipw.${PN} 200
+	update-alternatives --install ${base_sbindir}/vigr vigr vigr.${PN} 200
+
+	if [ "x$D" != "x" ]; then
+		exit 1
+	fi  
+
+	pwconv
+	grpconv
+}
+
+pkg_prerm_${PN} () {
+	for i in passwd chpasswd chfn newgrp chsh login vipw vigr ; do
+		update-alternatives --remove $i $i.${PN}
+	done
+}
diff --git a/meta-lsb/packages/shadow/shadow_4.1.4.2.bb b/meta-lsb/packages/shadow/shadow_4.1.4.2.bb
new file mode 100644
index 0000000000..bc00c099bf
--- /dev/null
+++ b/meta-lsb/packages/shadow/shadow_4.1.4.2.bb
@@ -0,0 +1,11 @@
+require shadow.inc
+
+PR = "r0"
+
+SRC_URI += "file://shadow.automake-1.11.patch \
+	    file://shadow-4.1.3-dots-in-usernames.patch \
+	    file://shadow-4.1.4.2-env-reset-keep-locale.patch \
+	    file://shadow-4.1.4.2-groupmod-pam-check.patch \
+	    file://shadow-4.1.4.2-su_no_sanitize_env.patch"
+
+EXTRA_OECONF_libc-uclibc += " --with-nscd=no "
diff --git a/meta/site/common b/meta/site/common
index e2dd4b57f7..5da3ff41de 100644
--- a/meta/site/common
+++ b/meta/site/common
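Review bot: The sed expression `s/[0-9][0-9]\|\-L//g` in do_install_append deletes every pair of adjacent digits rather than just the baud-rate word, so a console device with a two-digit index loses its number and an odd-length rate such as 57600 leaves a stray `0`; whatever survives is written to securetty as a terminal on which root may log in. The `>>` also targets `${WORKDIR}/securetty`, the fetched source file, so running do_install again appends the console a second time. Filtering whole words and building the installed file from a separate copy avoids both problems.

```shell
	# … unchanged: login.defs / useradd edits and the mv of the renamed binaries …
	# Start from the packaged list and add only console device names.
	cp ${WORKDIR}/securetty ${WORKDIR}/securetty.install
	for tok in ${SERIAL_CONSOLE}; do
		case "$tok" in
			-*|[0-9]*) continue ;;	# getty options and baud rates
		esac
		grep -qxF "$tok" ${WORKDIR}/securetty.install || echo "$tok" >> ${WORKDIR}/securetty.install
	done
	install -m 0400 ${WORKDIR}/securetty.install ${D}${sysconfdir}/securetty
```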
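Review bot: Neither shadow_4.1.4.2.bb nor shadow.inc pins a checksum for the tarball that `SRC_URI` fetches over plain `ftp://`, so as far as these two files show, the build accepts whatever the mirror serves; a checksum may be recorded elsewhere in the tree, which is not visible on this page. If it is not, add one next to `PR`, for example `SRC_URI[sha256sum] = "<sha256 of shadow-4.1.4.2.tar.bz2>"` (placeholder, to be computed from a verified download).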
@@ -7,3 +7,11 @@ ac_cv_file__dev_random=${ac_cv_file__dev_random=yes}
 # Avoid sudo to assume void for unsetenv in cross environment, or else it conflicts with
 # target stdlib.h prototype which follows POSIX compiliance. Mark for upstream.
 sudo_cv_func_unsetenv_void=no
+
+# shadow dir info, to avoid searching build system
+shadow_cv_maildir=${localstatedir}/spool/mail
+shadow_cv_mailfile=Mailbox
+shadow_cv_utmpdir=${localstatedir}/run
+shadow_cv_logdir=${localstatedir}/log
+shadow_cv_passwd_dir=${bindir}
+
|
