commit: b00bbb83ed671930402d3e49e775fd54e9f94c3c parent 9142dd840830bed1eb76030c4cb20202f7a7fb07 Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me> Date: Sat, 18 Dec 2021 21:11:04 +0100 sys-apps/shadow: Add tcb shadowDiffstat:
15 files changed, 584 insertions(+), 0 deletions(-)
diff --git a/sys-apps/shadow/Manifest b/sys-apps/shadow/Manifest @@ -0,0 +1 @@ +DIST shadow-4.9.tar.xz 1627008 BLAKE2B 7a9a6a489115c7a20520cfec61f008fc0f70f7f50aaf539e94dfdcb20035d2de88ab3198e76812a4e3eb944b92c76c0ca2e85e35f4342537711c2c033248a72b SHA512 254cda49bb14505a7604821e7fa898bf4bf317d648e9ddc881ab80a6860d52053dfffacad6feab87c7d16608c35ed6b6cee99e7757eac930da3a7b31cdcd4b95 diff --git a/sys-apps/shadow/files/default/useradd b/sys-apps/shadow/files/default/useradd @@ -0,0 +1,7 @@ +# useradd defaults file +GROUP=100 +HOME=/home +INACTIVE=-1 +EXPIRE= +SHELL=/bin/sh +SKEL=/etc/skel diff --git a/sys-apps/shadow/files/pam.d-include/chpasswd b/sys-apps/shadow/files/pam.d-include/chpasswd @@ -0,0 +1,3 @@ +#%PAM-1.0 + +password include system-auth diff --git a/sys-apps/shadow/files/pam.d-include/passwd b/sys-apps/shadow/files/pam.d-include/passwd @@ -0,0 +1,8 @@ +#%PAM-1.0 + +auth sufficient pam_rootok.so +auth include system-auth + +account include system-auth + +password include system-auth diff --git a/sys-apps/shadow/files/pam.d-include/shadow b/sys-apps/shadow/files/pam.d-include/shadow @@ -0,0 +1,8 @@ +#%PAM-1.0 + +auth sufficient pam_rootok.so +auth required pam_permit.so + +account include system-auth + +password required pam_permit.so diff --git a/sys-apps/shadow/files/pam.d-include/shadow-r1 b/sys-apps/shadow/files/pam.d-include/shadow-r1 @@ -0,0 +1,7 @@ +#%PAM-1.0 + +auth sufficient pam_rootok.so + +account include system-auth + +password required pam_permit.so diff --git a/sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch b/sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch @@ -0,0 +1,10 @@ +--- shadow-4.1.3/libmisc/chkname.c ++++ shadow-4.1.3/libmisc/chkname.c +@@ -66,6 +66,7 @@ + ( ('0' <= *name) && ('9' >= *name) ) || + ('_' == *name) || + ('-' == *name) || ++ ('.' == *name) || + ( ('$' == *name) && ('\0' == *(name + 1)) ) + )) { + return false; diff --git a/sys-apps/shadow/files/shadow-4.9-SHA-rounds.patch b/sys-apps/shadow/files/shadow-4.9-SHA-rounds.patch @@ -0,0 +1,57 @@ +From 234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Mon Sep 17 00:00:00 2001 +From: Mike Gilbert <floppym@gentoo.org> +Date: Sat, 14 Aug 2021 13:24:34 -0400 +Subject: [PATCH] libmisc: fix default value in SHA_get_salt_rounds() + +If SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS are both unspecified, +use SHA_ROUNDS_DEFAULT. + +Previously, the code fell through, calling shadow_random(-1, -1). This +ultimately set rounds = (unsigned long) -1, which ends up being a very +large number! This then got capped to SHA_ROUNDS_MAX later in the +function. + +The new behavior matches BCRYPT_get_salt_rounds(). + +Bug: https://bugs.gentoo.org/808195 +Fixes: https://github.com/shadow-maint/shadow/issues/393 +--- + libmisc/salt.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/libmisc/salt.c b/libmisc/salt.c +index 91d528fd..30eefb9c 100644 +--- a/libmisc/salt.c ++++ b/libmisc/salt.c +@@ -223,20 +223,21 @@ static /*@observer@*/const unsigned long SHA_get_salt_rounds (/*@null@*/int *pre + if ((-1 == min_rounds) && (-1 == max_rounds)) { + rounds = SHA_ROUNDS_DEFAULT; + } ++ else { ++ if (-1 == min_rounds) { ++ min_rounds = max_rounds; ++ } + +- if (-1 == min_rounds) { +- min_rounds = max_rounds; +- } ++ if (-1 == max_rounds) { ++ max_rounds = min_rounds; ++ } + +- if (-1 == max_rounds) { +- max_rounds = min_rounds; +- } ++ if (min_rounds > max_rounds) { ++ max_rounds = min_rounds; ++ } + +- if (min_rounds > max_rounds) { +- max_rounds = min_rounds; ++ rounds = (unsigned long) shadow_random (min_rounds, max_rounds); + } +- +- rounds = (unsigned long) shadow_random (min_rounds, max_rounds); + } else if (0 == *prefered_rounds) { + rounds = SHA_ROUNDS_DEFAULT; + } else { diff --git a/sys-apps/shadow/files/shadow-4.9-configure-typo.patch b/sys-apps/shadow/files/shadow-4.9-configure-typo.patch @@ -0,0 +1,19 @@ +https://github.com/shadow-maint/shadow/commit/049f9a7f6b320c728a6274299041e360381d7cd5 + +From 049f9a7f6b320c728a6274299041e360381d7cd5 Mon Sep 17 00:00:00 2001 +From: Andy Zaugg <andy.zaugg@gmail.com> +Date: Tue, 21 Sep 2021 21:51:10 -0700 +Subject: [PATCH] Fix parentheses in configure.ac + +Resolving issue https://github.com/shadow-maint/shadow/issues/419 +--- a/configure.ac ++++ b/configure.ac +@@ -345,7 +345,7 @@ if test "$with_sssd" = "yes"; then + [AC_MSG_ERROR([posix_spawn is needed for sssd support])]) + fi + +-AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])]) ++AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])) + AM_CONDITIONAL([WITH_SU], [test "x$with_su" != "xno"]) + + dnl Check for some functions in libc first, only if not found check for diff --git a/sys-apps/shadow/files/shadow-4.9-gpasswd-double-free.patch b/sys-apps/shadow/files/shadow-4.9-gpasswd-double-free.patch @@ -0,0 +1,35 @@ +https://github.com/shadow-maint/shadow/commit/117bc66c6f95fa85ca75ecfdb8fbd3615deca0b6 + +From 117bc66c6f95fa85ca75ecfdb8fbd3615deca0b6 Mon Sep 17 00:00:00 2001 +From: Michael Vetter <jubalh@iodoru.org> +Date: Mon, 20 Sep 2021 11:04:50 +0200 +Subject: [PATCH] Only free sgent if it was initialized + +`sgent` is only initialized in `get_group()` if `is_shadowgrp` is true. +So we should also only attempt to free it if this is actually the case. + +Can otherwise lead to: +``` +free() double free detected in tcache 2 (gpasswd) +``` +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -1207,11 +1207,13 @@ int main (int argc, char **argv) + sssd_flush_cache (SSSD_DB_GROUP); + + #ifdef SHADOWGRP +- if (sgent.sg_adm) { +- xfree(sgent.sg_adm); +- } +- if (sgent.sg_mem) { +- xfree(sgent.sg_mem); ++ if (is_shadowgrp) { ++ if (sgent.sg_adm) { ++ xfree(sgent.sg_adm); ++ } ++ if (sgent.sg_mem) { ++ xfree(sgent.sg_mem); ++ } + } + #endif + if (grent.gr_mem) { diff --git a/sys-apps/shadow/files/shadow-4.9-libcrack.patch b/sys-apps/shadow/files/shadow-4.9-libcrack.patch @@ -0,0 +1,27 @@ +From 6becc82e262205f8a23bf9fe1127af57286826ee Mon Sep 17 00:00:00 2001 +From: Mike Gilbert <floppym@gentoo.org> +Date: Mon, 2 Aug 2021 11:51:44 -0400 +Subject: [PATCH] libsubid: fix build with libcrack + +Fixes a link failure: + + ../libsubid/.libs/libsubid.so: undefined reference to `FascistCheck' + +Bug: https://bugs.gentoo.org/806124 +Signed-off-by: Mike Gilbert <floppym@gentoo.org> +--- + libsubid/Makefile.am | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am +index 8bba02ab..bfc982ef 100644 +--- a/libsubid/Makefile.am ++++ b/libsubid/Makefile.am +@@ -11,6 +11,7 @@ MISCLIBS = \ + $(LIBAUDIT) \ + $(LIBSELINUX) \ + $(LIBSEMANAGE) \ ++ $(LIBCRACK) \ + $(LIBCRYPT_NOPAM) \ + $(LIBSKEY) \ + $(LIBMD) \ diff --git a/sys-apps/shadow/files/shadow-4.9-libsubid_oot_build.patch b/sys-apps/shadow/files/shadow-4.9-libsubid_oot_build.patch @@ -0,0 +1,109 @@ +From 537b8cd90be7b47b45c45cfd27765ef85eb0ebf1 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn <serge@hallyn.com> +Date: Fri, 23 Jul 2021 17:51:13 -0500 +Subject: [PATCH] Fix out of tree builds with respect to libsubid includes + +There's a better way to do this, and I hope to clean that up, +but this fixes out of tree builds for me right now. + +Closes #386 + +Signed-off-by: Serge Hallyn <serge@hallyn.com> +--- + lib/Makefile.am | 2 ++ + libmisc/Makefile.am | 2 +- + libsubid/Makefile.am | 4 ++-- + src/Makefile.am | 6 ++++++ + 4 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/lib/Makefile.am b/lib/Makefile.am +index ecf3ee25..5ac2e111 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -10,6 +10,8 @@ if HAVE_VENDORDIR + libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\" + endif + ++libshadow_la_CPPFLAGS += -I$(top_srcdir) ++ + libshadow_la_SOURCES = \ + commonio.c \ + commonio.h \ +diff --git a/libmisc/Makefile.am b/libmisc/Makefile.am +index 9766a7ec..9f237e0d 100644 +--- a/libmisc/Makefile.am ++++ b/libmisc/Makefile.am +@@ -1,7 +1,7 @@ + + EXTRA_DIST = .indent.pro xgetXXbyYY.c + +-AM_CPPFLAGS = -I$(top_srcdir)/lib $(ECONF_CPPFLAGS) ++AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS) + + noinst_LTLIBRARIES = libmisc.la + +diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am +index 83051560..99308c1f 100644 +--- a/libsubid/Makefile.am ++++ b/libsubid/Makefile.am +@@ -20,8 +20,8 @@ MISCLIBS = \ + $(LIBPAM) + + libsubid_la_LIBADD = \ +- $(top_srcdir)/lib/libshadow.la \ +- $(top_srcdir)/libmisc/libmisc.la \ ++ $(top_builddir)/lib/libshadow.la \ ++ $(top_builddir)/libmisc/libmisc.la \ + $(MISCLIBS) -ldl + + AM_CPPFLAGS = \ +diff --git a/src/Makefile.am b/src/Makefile.am +index 35027013..7c1a3491 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -10,6 +10,7 @@ sgidperms = 2755 + AM_CPPFLAGS = \ + -I${top_srcdir}/lib \ + -I$(top_srcdir)/libmisc \ ++ -I$(top_srcdir) \ + -DLOCALEDIR=\"$(datadir)/locale\" + + # XXX why are login and su in /bin anyway (other than for +@@ -183,6 +184,7 @@ list_subid_ranges_LDADD = \ + list_subid_ranges_CPPFLAGS = \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/libmisc \ ++ -I$(top_srcdir) \ + -I$(top_srcdir)/libsubid + + get_subid_owners_LDADD = \ +@@ -194,11 +196,13 @@ get_subid_owners_LDADD = \ + get_subid_owners_CPPFLAGS = \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/libmisc \ ++ -I$(top_srcdir) \ + -I$(top_srcdir)/libsubid + + new_subid_range_CPPFLAGS = \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/libmisc \ ++ -I$(top_srcdir) \ + -I$(top_srcdir)/libsubid + + new_subid_range_LDADD = \ +@@ -210,6 +214,7 @@ new_subid_range_LDADD = \ + free_subid_range_CPPFLAGS = \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/libmisc \ ++ -I$(top_srcdir) \ + -I$(top_srcdir)/libsubid + + free_subid_range_LDADD = \ +@@ -220,6 +225,7 @@ free_subid_range_LDADD = \ + + check_subid_range_CPPFLAGS = \ + -I$(top_srcdir)/lib \ ++ -I$(top_srcdir) \ + -I$(top_srcdir)/libmisc + + check_subid_range_LDADD = \ diff --git a/sys-apps/shadow/files/shadow-4.9-libsubid_pam_linking.patch b/sys-apps/shadow/files/shadow-4.9-libsubid_pam_linking.patch @@ -0,0 +1,28 @@ +From f4a84efb468b8be21be124700ce35159c444e9d6 Mon Sep 17 00:00:00 2001 +From: Xi Ruoyao <xry111@mengyan1223.wang> +Date: Fri, 23 Jul 2021 14:38:08 +0800 +Subject: [PATCH] libsubid: link to PAM libraries + +libsubid.so links to libmisc.a, which contains several routines referring to +PAM functions. +--- + libsubid/Makefile.am | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsubid/Makefile.am b/libsubid/Makefile.am +index 189165b0..83051560 100644 +--- a/libsubid/Makefile.am ++++ b/libsubid/Makefile.am +@@ -16,7 +16,8 @@ MISCLIBS = \ + $(LIBCRYPT) \ + $(LIBACL) \ + $(LIBATTR) \ +- $(LIBTCB) ++ $(LIBTCB) \ ++ $(LIBPAM) + + libsubid_la_LIBADD = \ + $(top_srcdir)/lib/libshadow.la \ +-- +2.32.0 + diff --git a/sys-apps/shadow/metadata.xml b/sys-apps/shadow/metadata.xml @@ -0,0 +1,13 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd"> +<pkgmetadata> + <use> + <flag name="bcrypt">build the bcrypt password encryption algorithm</flag> + <flag name="su">build the su program</flag> + </use> + <!-- only for USE=pam --> + <upstream> + <remote-id type="cpe">cpe:/a:debian:shadow</remote-id> + <remote-id type="github">shadow-maint/shadow</remote-id> + </upstream> +</pkgmetadata> diff --git a/sys-apps/shadow/shadow-4.9-r4.ebuild b/sys-apps/shadow/shadow-4.9-r4.ebuild @@ -0,0 +1,252 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit autotools pam + +DESCRIPTION="Utilities to deal with user accounts" +HOMEPAGE="https://github.com/shadow-maint/shadow" +SRC_URI="https://github.com/shadow-maint/shadow/releases/download/v${PV}/${P}.tar.xz" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="acl audit bcrypt cracklib nls pam selinux skey split-usr +su tcb xattr" +# Taken from the man/Makefile.am file. +LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW ) + +REQUIRED_USE="?? ( cracklib pam )" + +BDEPEND=" + app-arch/xz-utils + sys-devel/gettext +" +COMMON_DEPEND=" + virtual/libcrypt:= + acl? ( sys-apps/acl:0= ) + audit? ( >=sys-process/audit-2.6:0= ) + cracklib? ( >=sys-libs/cracklib-2.7-r3:0= ) + nls? ( virtual/libintl ) + pam? ( sys-libs/pam:0= ) + skey? ( sys-auth/skey:0= ) + selinux? ( + >=sys-libs/libselinux-1.28:0= + sys-libs/libsemanage:0= + ) + tcb? ( sys-apps/tcb ) + xattr? ( sys-apps/attr:0= ) +" +DEPEND="${COMMON_DEPEND} + >=sys-kernel/linux-headers-4.14 +" +RDEPEND="${COMMON_DEPEND} + !<sys-apps/man-pages-5.11-r1 + !=sys-apps/man-pages-5.12-r0 + !=sys-apps/man-pages-5.12-r1 + nls? ( + !<app-i18n/man-pages-it-5.06-r1 + !<app-i18n/man-pages-ja-20180315-r1 + !<app-i18n/man-pages-ru-5.03.2390.2390.20191017-r1 + ) + pam? ( >=sys-auth/pambase-20150213 ) + su? ( !sys-apps/util-linux[su(-)] ) +" + +PATCHES=( + "${FILESDIR}/${PN}-4.1.3-dots-in-usernames.patch" + "${FILESDIR}/${P}-libsubid_pam_linking.patch" + "${FILESDIR}/${P}-libsubid_oot_build.patch" + "${FILESDIR}/shadow-4.9-libcrack.patch" + "${FILESDIR}/shadow-4.9-SHA-rounds.patch" + "${FILESDIR}/${P}-gpasswd-double-free.patch" + "${FILESDIR}/${P}-configure-typo.patch" +) + +src_prepare() { + default + eautoreconf + #elibtoolize +} + +src_configure() { + local myeconfargs=( + --disable-account-tools-setuid + --with-btrfs + --without-group-name-max-length + $(use_enable nls) + $(use_with acl) + $(use_with audit) + $(use_with bcrypt) + $(use_with cracklib libcrack) + $(use_with elibc_glibc nscd) + $(use_with pam libpam) + $(use_with selinux) + $(use_with skey) + $(use_with su) + $(use_with tcb) + $(use_with xattr attr) + ) + econf "${myeconfargs[@]}" + + has_version 'sys-libs/uclibc[-rpc]' && sed -i '/RLOGIN/d' config.h #425052 + + if use nls ; then + local l langs="po" # These are the pot files. + for l in ${LANGS[*]} ; do + has ${l} ${LINGUAS-${l}} && langs+=" ${l}" + done + sed -i "/^SUBDIRS = /s:=.*:= ${langs}:" man/Makefile || die + fi +} + +set_login_opt() { + local comment="" opt=${1} val=${2} + if [[ -z ${val} ]]; then + comment="#" + sed -i \ + -e "/^${opt}\>/s:^:#:" \ + "${ED}"/etc/login.defs || die + else + sed -i -r \ + -e "/^#?${opt}\>/s:.*:${opt} ${val}:" \ + "${ED}"/etc/login.defs + fi + local res=$(grep "^${comment}${opt}\>" "${ED}"/etc/login.defs) + einfo "${res:-Unable to find ${opt} in /etc/login.defs}" +} + +src_install() { + emake DESTDIR="${D}" suidperms=4711 install + + # 4.9 regression: https://github.com/shadow-maint/shadow/issues/389 + emake DESTDIR="${D}" -C man install + + find "${ED}" -name '*.la' -type f -delete || die + + insinto /etc + if ! use pam ; then + insopts -m0600 + doins etc/login.access etc/limits + fi + + # needed for 'useradd -D' + insinto /etc/default + insopts -m0600 + doins "${FILESDIR}"/default/useradd + + if use split-usr ; then + # move passwd to / to help recover broke systems #64441 + # We cannot simply remove this or else net-misc/scponly + # and other tools will break because of hardcoded passwd + # location + dodir /bin + mv "${ED}"/usr/bin/passwd "${ED}"/bin/ || die + dosym ../../bin/passwd /usr/bin/passwd + fi + + cd "${S}" || die + insinto /etc + insopts -m0644 + newins etc/login.defs login.defs + + set_login_opt CREATE_HOME yes + if ! use pam ; then + set_login_opt MAIL_CHECK_ENAB no + set_login_opt SU_WHEEL_ONLY yes + set_login_opt CRACKLIB_DICTPATH /usr/lib/cracklib_dict + set_login_opt LOGIN_RETRIES 3 + set_login_opt ENCRYPT_METHOD SHA512 + set_login_opt CONSOLE + else + dopamd "${FILESDIR}"/pam.d-include/shadow + + for x in chsh shfn ; do + newpamd "${FILESDIR}"/pam.d-include/passwd ${x} + done + + for x in chpasswd newusers ; do + newpamd "${FILESDIR}"/pam.d-include/chpasswd ${x} + done + + newpamd "${FILESDIR}"/pam.d-include/shadow-r1 groupmems + + # comment out login.defs options that pam hates + local opt sed_args=() + for opt in \ + CHFN_AUTH \ + CONSOLE \ + CRACKLIB_DICTPATH \ + ENV_HZ \ + ENVIRON_FILE \ + FAILLOG_ENAB \ + FTMP_FILE \ + LASTLOG_ENAB \ + MAIL_CHECK_ENAB \ + MOTD_FILE \ + NOLOGINS_FILE \ + OBSCURE_CHECKS_ENAB \ + PASS_ALWAYS_WARN \ + PASS_CHANGE_TRIES \ + PASS_MIN_LEN \ + PORTTIME_CHECKS_ENAB \ + QUOTAS_ENAB \ + SU_WHEEL_ONLY + do + set_login_opt ${opt} + sed_args+=( -e "/^#${opt}\>/b pamnote" ) + done + sed -i "${sed_args[@]}" \ + -e 'b exit' \ + -e ': pamnote; i# NOTE: This setting should be configured via /etc/pam.d/ and not in this file.' \ + -e ': exit' \ + "${ED}"/etc/login.defs || die + + # remove manpages that pam will install for us + # and/or don't apply when using pam + find "${ED}"/usr/share/man -type f \ + '(' -name 'limits.5*' -o -name 'suauth.5*' ')' \ + -delete + + # Remove pam.d files provided by pambase. + rm "${ED}"/etc/pam.d/{login,passwd} || die + if use su ; then + rm "${ED}"/etc/pam.d/su || die + fi + fi + + # Remove manpages that are handled by other packages + find "${ED}"/usr/share/man -type f \ + '(' -name id.1 -o -name getspnam.3 ')' \ + -delete + + cd "${S}" || die + dodoc ChangeLog NEWS TODO + newdoc README README.download + cd doc || die + dodoc HOWTO README* WISHLIST *.txt +} + +pkg_preinst() { + rm -f "${EROOT}"/etc/pam.d/system-auth.new \ + "${EROOT}/etc/login.defs.new" +} + +pkg_postinst() { + # Enable shadow groups. + if [ ! -f "${EROOT}"/etc/gshadow ] ; then + if grpck -r -R "${EROOT}" 2>/dev/null ; then + grpconv -R "${EROOT}" + else + ewarn "Running 'grpck' returned errors. Please run it by hand, and then" + ewarn "run 'grpconv' afterwards!" + fi + fi + + [[ ! -f "${EROOT}"/etc/subgid ]] && + touch "${EROOT}"/etc/subgid + [[ ! -f "${EROOT}"/etc/subuid ]] && + touch "${EROOT}"/etc/subuid + + einfo "The 'adduser' symlink to 'useradd' has been dropped." +}