diff --git a/etc/login.defs b/etc/login.defs
index 33622c296..acfa8d55a 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -471,3 +471,10 @@ PREVENT_NO_AUTH superuser
# that are available in your system.
#
#HMAC_CRYPTO_ALGO SHA512
+
+#
+# Should system users be automatically added to supplementary groups
+# from the GROUPS option in the /etc/default/useradd?
+# Default is no.
+#
+#SYS_USER_AUTO_GROUPS_ENAB no
\ No newline at end of file
diff --git a/lib/getdef.c b/lib/getdef.c
index d234fe18b..38bc8ccb7 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -142,6 +142,7 @@ static struct itemdef def_table[] = {
{"UMASK", NULL},
{"USERDEL_CMD", NULL},
{"USERGROUPS_ENAB", NULL},
+ {"SYS_USER_AUTO_GROUPS_ENAB", NULL},
#ifndef USE_PAM
PAMDEFS
#endif
diff --git a/lib/list.c b/lib/list.c
index 27aa02565..227ca8ec6 100644
--- a/lib/list.c
+++ b/lib/list.c
@@ -156,6 +156,17 @@ dup_list(char *const *list)
return tmp;
}
+/*
+ * free_list - free input list
+ */
+void
+free_list(char **list)
+{
+ for (size_t i = 0; list[i] != NULL; i++)
+ free(list[i]);
+ list[0] = NULL;
+}
+
/*
* Check if member is part of the input list
* The input list is not modified, but in order to allow the use of this
diff --git a/lib/prototypes.h b/lib/prototypes.h
index 6b978a975..a96e06aff 100644
--- a/lib/prototypes.h
+++ b/lib/prototypes.h
@@ -200,6 +200,7 @@ extern void setup_limits (const struct passwd *);
extern /*@only@*/char **add_list (/*@returned@*/ /*@only@*/char **, const char *);
extern /*@only@*/char **del_list (/*@returned@*/ /*@only@*/char **, const char *);
extern /*@only@*/char **dup_list (char *const *);
+extern void free_list (char **);
extern bool is_on_list (char *const *list, const char *member);
extern /*@only@*/char **comma_to_list (const char *);
diff --git a/man/Makefile.am b/man/Makefile.am
index 14055097c..a5a84e638 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -191,6 +191,7 @@ login_defs_v = \
SUB_UID_COUNT.xml \
SYS_GID_MAX.xml \
SYS_UID_MAX.xml \
+ SYS_USER_AUTO_GROUPS_ENAB.xml \
YESCRYPT_COST_FACTOR.xml
EXTRA_DIST = \
diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml
index 7263395cf..71b73250b 100644
--- a/man/login.defs.5.xml
+++ b/man/login.defs.5.xml
@@ -7,75 +7,76 @@
-->
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
]>
@@ -209,6 +210,7 @@
&SUB_UID_COUNT;
&SYS_GID_MAX;
&SYS_UID_MAX;
+ &SYS_USER_AUTO_GROUPS_ENAB;
&SYSLOG_SG_ENAB;
&SYSLOG_SU_ENAB;
&TCB_AUTH_GROUP;
@@ -489,6 +491,7 @@
SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN
+ SYS_USER_AUTO_GROUPS_ENAB
UMASK
TCB_AUTH_GROUP TCB_SYMLINK USE_TCB
diff --git a/man/login.defs.d/SYS_USER_AUTO_GROUPS_ENAB.xml b/man/login.defs.d/SYS_USER_AUTO_GROUPS_ENAB.xml
new file mode 100644
index 000000000..2cb87dcff
--- /dev/null
+++ b/man/login.defs.d/SYS_USER_AUTO_GROUPS_ENAB.xml
@@ -0,0 +1,10 @@
+
+ (boolean)
+
+
+ Indicate if the option
+ in the file /etc/default/useradd
+ should add system users to those supplementary groups by default.
+
+
+
diff --git a/man/useradd.8.xml b/man/useradd.8.xml
index 001e7d14c..a3014a8cc 100644
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@@ -6,25 +6,26 @@
-->
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
]>
@@ -489,6 +490,14 @@
specify the options if you want to update
the files for a system account to be created.
+
+ Note that the option
+ in the file /etc/default/useradd
+ will not add system users to those supplementary groups by default.
+ The default behavior is defined by
+ the
+ variable in /etc/login.defs.
+
@@ -752,6 +761,7 @@
&SUB_UID_COUNT;
&SYS_GID_MAX;
&SYS_UID_MAX;
+ &SYS_USER_AUTO_GROUPS_ENAB;
&TCB_AUTH_GROUP;
&TCB_SYMLINKS;
&UID_MAX;
diff --git a/src/useradd.c b/src/useradd.c
index 7623dabd4..1625008f1 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -764,11 +764,7 @@ static int get_groups (char *list)
/*
* Free previous group list before creating a new one.
*/
- int i = 0;
- while (NULL != user_groups[i]) {
- free(user_groups[i]);
- user_groups[i++] = NULL;
- }
+ free_list(user_groups);
if (streq(list, "")) {
return 0;
@@ -1595,6 +1591,13 @@ static void process_flags (int argc, char **argv)
if (getdef_bool ("CREATE_HOME")) {
mflg = true;
}
+ } else {
+ /* If SYS_USER_AUTO_GROUPS_ENAB is disabled,
+ * then do not automatically add supplements groups for system users. */
+ if (!getdef_bool("SYS_USER_AUTO_GROUPS_ENAB") && !Gflg && do_grp_update) {
+ free_list(user_groups);
+ do_grp_update = false;
+ }
}
if (Mflg) {
diff --git a/tests/run_all b/tests/run_all
index 584e1bd34..d45ce3994 100755
--- a/tests/run_all
+++ b/tests/run_all
@@ -772,6 +772,9 @@ run_test ./usertools/useradd/65_useradd_locked_group/useradd.test
run_test ./usertools/useradd/66_useradd_locked_shadow/useradd.test
run_test ./usertools/useradd/67_useradd_locked_gshadow/useradd.test
run_test ./usertools/useradd/68_useradd-s_empty/useradd.test
+run_test ./usertools/useradd/69_useradd_default_GROUPS_name/useradd.test
+run_test ./usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/useradd.test
+run_test ./usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/useradd.test
run_test ./usertools/userdel/01_userdel_usage/userdel.test
run_test ./usertools/userdel/02_userdel_usage_invalid_option/userdel.test
run_test ./usertools/userdel/03_userdel_usage_no_users/userdel.test
diff --git a/tests/run_all.coverage b/tests/run_all.coverage
index 94fe7fa4f..18debb9af 100755
--- a/tests/run_all.coverage
+++ b/tests/run_all.coverage
@@ -788,6 +788,9 @@ run_test ./usertools/useradd/65_useradd_locked_group/useradd.test
run_test ./usertools/useradd/66_useradd_locked_shadow/useradd.test
run_test ./usertools/useradd/67_useradd_locked_gshadow/useradd.test
run_test ./usertools/useradd/68_useradd-s_empty/useradd.test
+run_test ./usertools/useradd/69_useradd_default_GROUPS_name/useradd.test
+run_test ./usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/useradd.test
+run_test ./usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/useradd.test
run_test ./usertools/userdel/01_userdel_usage/userdel.test
run_test ./usertools/userdel/02_userdel_usage_invalid_option/userdel.test
run_test ./usertools/userdel/03_userdel_usage_no_users/userdel.test
diff --git a/tests/usertools/useradd/69_useradd_default_GROUPS_name/data/group b/tests/usertools/useradd/69_useradd_default_GROUPS_name/data/group
index 02214e633..4624a4461 100644
--- a/tests/usertools/useradd/69_useradd_default_GROUPS_name/data/group
+++ b/tests/usertools/useradd/69_useradd_default_GROUPS_name/data/group
@@ -1,4 +1,4 @@
- root:x:0:
+root:x:0:
daemon:x:1:
bin:x:2:foo
sys:x:3:
diff --git a/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config.txt b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config.txt
new file mode 100644
index 000000000..4909c6cba
--- /dev/null
+++ b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config.txt
@@ -0,0 +1,5 @@
+# no testsuite password
+# root password: rootF00barbaz
+# myuser password: myuserF00barbaz
+
+user foo
diff --git a/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/default/useradd b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/default/useradd
new file mode 100644
index 000000000..9e75e5433
--- /dev/null
+++ b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/default/useradd
@@ -0,0 +1,40 @@
+# Default values for useradd(8)
+#
+# The SHELL variable specifies the default login shell on your
+# system.
+# Similar to DHSELL in adduser. However, we use "sh" here because
+# useradd is a low level utility and should be as general
+# as possible
+SHELL=/bin/foobar
+#
+# The default group for users
+# 100=users on Debian systems
+# Same as USERS_GID in adduser
+# This argument is used when the -n flag is specified.
+# The default behavior (when -n and -g are not specified) is to create a
+# primary user group with the same name as the user being added to the
+# system.
+GROUP=10
+#
+# Addional supplementary groups for users
+GROUPS=bin,adm,man,cdrom
+#
+# The default home directory. Same as DHOME for adduser
+#
+HOME=/tmp
+#
+# The number of days after a password expires until the account
+# is permanently disabled
+INACTIVE=12
+#
+# The default expire date
+EXPIRE=2007-12-02
+#
+# The SKEL variable specifies the directory containing "skeletal" user
+# files; in other words, files such as a sample .profile that will be
+# copied to the new user's home directory when it is created.
+# SKEL=/etc/skel
+#
+# Defines whether the mail spool should be created while
+# creating the account
+# CREATE_MAIL_SPOOL=yes
diff --git a/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/group b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/group
new file mode 100644
index 000000000..101239088
--- /dev/null
+++ b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/group
@@ -0,0 +1,41 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+crontab:x:101:
+Debian-exim:x:102:
diff --git a/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/gshadow b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/gshadow
new file mode 100644
index 000000000..ae4248659
--- /dev/null
+++ b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/gshadow
@@ -0,0 +1,41 @@
+root:*::
+daemon:*::
+bin:*::
+sys:*::
+adm:*::
+tty:*::
+disk:*::
+lp:*::
+mail:*::
+news:*::
+uucp:*::
+man:*::
+proxy:*::
+kmem:*::
+dialout:*::
+fax:*::
+voice:*::
+cdrom:*::
+floppy:*::
+tape:*::
+sudo:*::
+audio:*::
+dip:*::
+www-data:*::
+backup:*::
+operator:*::
+list:*::
+irc:*::
+src:*::
+gnats:*::
+shadow:*::
+utmp:*::
+video:*::
+sasl:*::
+plugdev:*::
+staff:*::
+games:*::
+users:*::
+nogroup:*::
+crontab:x::
+Debian-exim:x::
diff --git a/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/login.defs b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/login.defs
new file mode 100644
index 000000000..edcfe530f
--- /dev/null
+++ b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/login.defs
@@ -0,0 +1,485 @@
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+# $Id$
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
+# pam_unix(8) enforces a 2s delay)
+#
+FAIL_DELAY 3
+
+#
+# Enable logging and display of /var/log/faillog login(1) failure info.
+#
+FAILLOG_ENAB yes
+
+#
+# Enable display of unknown usernames when login(1) failures are recorded.
+#
+LOG_UNKFAIL_ENAB no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS no
+
+#
+# Enable logging and display of /var/log/lastlog login(1) time info.
+#
+LASTLOG_ENAB yes
+
+#
+# Limit the highest user ID number for which the lastlog entries should
+# be updated.
+#
+# No LASTLOG_UID_MAX means that there is no user ID limit for writing
+# lastlog entries.
+#
+#LASTLOG_UID_MAX
+
+#
+# Enable checking and display of mailbox status upon login.
+#
+# Disable if the shell startup files already check for mail
+# ("mailx -e" or equivalent).
+#
+MAIL_CHECK_ENAB yes
+
+#
+# Enable additional checks upon password changes.
+#
+OBSCURE_CHECKS_ENAB yes
+
+#
+# Enable checking of time restrictions specified in /etc/porttime.
+#
+PORTTIME_CHECKS_ENAB yes
+
+#
+# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
+#
+QUOTAS_ENAB yes
+
+#
+# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
+#
+SYSLOG_SU_ENAB yes
+SYSLOG_SG_ENAB yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# from these devices.
+#
+CONSOLE /etc/securetty
+#CONSOLE console:tty01:tty02:tty03:tty04
+
+#
+# If defined, all su(1) activity is logged to this file.
+#
+#SULOG_FILE /var/log/sulog
+
+#
+# If defined, ":" delimited list of "message of the day" files to
+# be displayed upon login.
+#
+MOTD_FILE /etc/motd
+#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
+
+#
+# If defined, this file will be output before each login(1) prompt.
+#
+#ISSUE_FILE /etc/issue
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format similar to "vt100 tty01".
+#
+#TTYTYPE_FILE /etc/ttytype
+
+#
+# If defined, login(1) failures will be logged here in a utmp format.
+# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
+#
+FTMP_FILE /var/log/btmp
+
+#
+# If defined, name of file whose presence will inhibit non-root
+# logins. The content of this file should be a message indicating
+# why logins are inhibited.
+#
+NOLOGINS_FILE /etc/nologin
+
+#
+# If defined, the command name to display when running "su -". For
+# example, if this is defined as "su" then ps(1) will display the
+# command as "-su". If not defined, then ps(1) will display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME su
+
+#
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR /var/spool/mail
+#MAIL_FILE .mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+#
+# If defined, either a TZ environment parameter spec or the
+# fully-rooted pathname of a file containing such a spec.
+#
+#ENV_TZ TZ=CST6CDT
+#ENV_TZ /etc/tzname
+
+#
+# If defined, an HZ environment parameter spec.
+#
+# for Linux/x86
+ENV_HZ HZ=100
+# For Linux/Alpha...
+#ENV_HZ HZ=1024
+
+#
+# *REQUIRED* The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ENV_PATH PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a write(1) program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP as the number of such group
+# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
+# set TTYPERM to either 622 or 600.
+#
+TTYGROUP tty
+TTYPERM 0600
+
+#
+# Login configuration initializations:
+#
+# ERASECHAR Terminal ERASE character ('\010' = backspace).
+# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+# ULIMIT Default "ulimit" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# The ULIMIT is used only if the system supports it.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR 0177
+KILLCHAR 025
+#ULIMIT 2097152
+
+# Default initial "umask" value used by login(1) on non-PAM enabled systems.
+# Default "umask" value for pam_umask(8) on PAM enabled systems.
+# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+# home directories if HOME_MODE is not set.
+# 022 is the default value, but 027, or even 077, could be considered
+# for increased privacy. There is no One True Answer here: each sysadmin
+# must make up their mind.
+UMASK 022
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+#HOME_MODE 0700
+
+#
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_MIN_LEN 5
+PASS_WARN_AGE 7
+
+#
+# If "yes", the user must be listed as a member of the first gid 0 group
+# in /etc/group (called "root" on most Linux systems) to be able to "su"
+# to uid 0 accounts. If the group doesn't exist or is empty, no one
+# will be able to "su" to uid 0.
+#
+SU_WHEEL_ONLY no
+
+#
+# If compiled with cracklib support, sets the path to the dictionaries
+#
+CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
+
+#
+# Min/max values for automatic uid selection in useradd(8)
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+SYS_UID_MIN 101
+SYS_UID_MAX 999
+# Extra per user uids
+SUB_UID_MIN 100000
+SUB_UID_MAX 600100000
+SUB_UID_COUNT 65536
+
+#
+# Min/max values for automatic gid selection in groupadd(8)
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+SYS_GID_MIN 101
+SYS_GID_MAX 999
+# Extra per user group ids
+SUB_GID_MIN 100000
+SUB_GID_MAX 600100000
+SUB_GID_COUNT 65536
+
+#
+# Max number of login(1) retries if password is bad
+#
+LOGIN_RETRIES 5
+
+#
+# Max time in seconds for login(1)
+#
+LOGIN_TIMEOUT 60
+
+#
+# Maximum number of attempts to change password if rejected (too easy)
+#
+PASS_CHANGE_TRIES 5
+
+#
+# Warn about weak passwords (but still allow them) if you are root.
+#
+PASS_ALWAYS_WARN yes
+
+#
+# Number of significant characters in the password for crypt().
+# Default is 8, don't change unless your crypt() is better.
+# Ignored if MD5_CRYPT_ENAB set to "yes".
+#
+#PASS_MAX_LEN 8
+
+#
+# Require password before chfn(1)/chsh(1) can make any changes.
+#
+CHFN_AUTH yes
+
+#
+# Which fields may be changed by regular users using chfn(1) - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT rwh
+
+#
+# Password prompt (%s will be replaced by user name).
+#
+# XXX - it doesn't work correctly yet, for now leave it commented out
+# to use the default which is just "Password: ".
+#LOGIN_STRING "%s's Password: "
+
+#
+# Only works if compiled with MD5_CRYPT defined:
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm. Default is "no".
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD instead.
+#
+#MD5_CRYPT_ENAB no
+
+#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+#ENCRYPT_METHOD DES
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, the libc will choose the default number of rounds (5000),
+# which is orders of magnitude too low for modern hardware.
+# The values must be within the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#SHA_CRYPT_MIN_ROUNDS 5000
+#SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# Only works if ENCRYPT_METHOD is set to BCRYPT.
+#
+# Define the number of BCRYPT rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, 13 rounds will be attempted.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#BCRYPT_MIN_ROUNDS 13
+#BCRYPT_MAX_ROUNDS 13
+
+#
+# Only works if ENCRYPT_METHOD is set to YESCRYPT.
+#
+# Define the YESCRYPT cost factor.
+# With a higher cost factor, it is more difficult to brute-force the password.
+# However, more CPU time and more memory will be needed to authenticate users
+# if this value is increased.
+#
+# If not specified, a cost factor of 5 will be used.
+# The value must be within the 1-11 range.
+#
+#YESCRYPT_COST_FACTOR 5
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in from the console (as determined by the CONSOLE
+# setting). Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in from the console.
+# How to do it is left as an exercise for the reader...
+#
+#CONSOLE_GROUPS floppy:audio:cdrom
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is no.
+#
+DEFAULT_HOME yes
+
+#
+# The pwck(8) utility emits a warning for any system account with a home
+# directory that does not exist. Some system accounts intentionally do
+# not have a home directory. Such accounts may have this string as
+# their home directory in /etc/passwd to avoid a spurious warning.
+#
+NONEXISTENT /nonexistent
+
+#
+# If this file exists and is readable, login environment will be
+# read from it. Every line should be in the form name=value.
+#
+ENVIRON_FILE /etc/environment
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel(8) to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-zero number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permits to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP 0
+
+#
+# If useradd(8) should create home directories for users by default (non
+# system users only).
+# This option is overridden with the -M or -m flags on the useradd(8)
+# command-line.
+#
+#CREATE_HOME yes
+
+#
+# Force use shadow, even if shadow passwd & shadow group files are
+# missing.
+#
+#FORCE_SHADOW yes
+
+#
+# Allow newuidmap and newgidmap when running under an alternative
+# primary group.
+#
+#GRANT_AUX_GROUP_SUBIDS yes
+
+#
+# Prevents an empty password field to be interpreted as "no authentication
+# required".
+# Set to "yes" to prevent for all accounts
+# Set to "superuser" to prevent for UID 0 / root (default)
+# Set to "no" to not prevent for any account (dangerous, historical default)
+PREVENT_NO_AUTH superuser
+
+#
+# Select the HMAC cryptography algorithm.
+# Used in pam_timestamp module to calculate the keyed-hash message
+# authentication code.
+#
+# Note: It is recommended to check hmac(3) to see the possible algorithms
+# that are available in your system.
+#
+#HMAC_CRYPTO_ALGO SHA512
+
+#
+# Should system users be automatically added to supplementary groups
+# from the GROUPS option in the /etc/default/useradd?
+# Default is no.
+#
+#SYS_USER_AUTO_GROUPS_ENAB no
\ No newline at end of file
diff --git a/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/passwd b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/passwd
new file mode 100644
index 000000000..43fc135a4
--- /dev/null
+++ b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/passwd
@@ -0,0 +1,19 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/bin/sh
+man:x:6:12:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+list:x:38:38:Mailing List Manager:/var/list:/bin/sh
+irc:x:39:39:ircd:/var/run/ircd:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
+Debian-exim:x:102:102::/var/spool/exim4:/bin/false
diff --git a/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/shadow b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/shadow
new file mode 100644
index 000000000..5f50d1873
--- /dev/null
+++ b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config/etc/shadow
@@ -0,0 +1,19 @@
+root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7:::
+daemon:*:12977:0:99999:7:::
+bin:*:12977:0:99999:7:::
+sys:*:12977:0:99999:7:::
+sync:*:12977:0:99999:7:::
+games:*:12977:0:99999:7:::
+man:*:12977:0:99999:7:::
+lp:*:12977:0:99999:7:::
+mail:*:12977:0:99999:7:::
+news:*:12977:0:99999:7:::
+uucp:*:12977:0:99999:7:::
+proxy:*:12977:0:99999:7:::
+www-data:*:12977:0:99999:7:::
+backup:*:12977:0:99999:7:::
+list:*:12977:0:99999:7:::
+irc:*:12977:0:99999:7:::
+gnats:*:12977:0:99999:7:::
+nobody:*:12977:0:99999:7:::
+Debian-exim:!:12977:0:99999:7:::
diff --git a/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/data/group b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/data/group
new file mode 100644
index 000000000..b5b6ce2f5
--- /dev/null
+++ b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/data/group
@@ -0,0 +1,42 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+crontab:x:101:
+Debian-exim:x:102:
+foo:x:999:
diff --git a/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/data/gshadow b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/data/gshadow
new file mode 100644
index 000000000..bfc067537
--- /dev/null
+++ b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/data/gshadow
@@ -0,0 +1,42 @@
+root:*::
+daemon:*::
+bin:*::
+sys:*::
+adm:*::
+tty:*::
+disk:*::
+lp:*::
+mail:*::
+news:*::
+uucp:*::
+man:*::
+proxy:*::
+kmem:*::
+dialout:*::
+fax:*::
+voice:*::
+cdrom:*::
+floppy:*::
+tape:*::
+sudo:*::
+audio:*::
+dip:*::
+www-data:*::
+backup:*::
+operator:*::
+list:*::
+irc:*::
+src:*::
+gnats:*::
+shadow:*::
+utmp:*::
+video:*::
+sasl:*::
+plugdev:*::
+staff:*::
+games:*::
+users:*::
+nogroup:*::
+crontab:x::
+Debian-exim:x::
+foo:!::
diff --git a/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/data/passwd b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/data/passwd
new file mode 100644
index 000000000..640a0cccc
--- /dev/null
+++ b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/data/passwd
@@ -0,0 +1,20 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/bin/sh
+man:x:6:12:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+list:x:38:38:Mailing List Manager:/var/list:/bin/sh
+irc:x:39:39:ircd:/var/run/ircd:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
+Debian-exim:x:102:102::/var/spool/exim4:/bin/false
+foo:x:101:999::/tmp/foo:/bin/foobar
diff --git a/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/data/shadow b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/data/shadow
new file mode 100644
index 000000000..823c4c05a
--- /dev/null
+++ b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/data/shadow
@@ -0,0 +1,20 @@
+root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7:::
+daemon:*:12977:0:99999:7:::
+bin:*:12977:0:99999:7:::
+sys:*:12977:0:99999:7:::
+sync:*:12977:0:99999:7:::
+games:*:12977:0:99999:7:::
+man:*:12977:0:99999:7:::
+lp:*:12977:0:99999:7:::
+mail:*:12977:0:99999:7:::
+news:*:12977:0:99999:7:::
+uucp:*:12977:0:99999:7:::
+proxy:*:12977:0:99999:7:::
+www-data:*:12977:0:99999:7:::
+backup:*:12977:0:99999:7:::
+list:*:12977:0:99999:7:::
+irc:*:12977:0:99999:7:::
+gnats:*:12977:0:99999:7:::
+nobody:*:12977:0:99999:7:::
+Debian-exim:!:12977:0:99999:7:::
+foo:!:@TODAY@::::::
diff --git a/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/useradd.test b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/useradd.test
new file mode 100755
index 000000000..ce49ac940
--- /dev/null
+++ b/tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/useradd.test
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname $0)"
+
+. ../../../common/config.sh
+. ../../../common/log.sh
+
+log_start "$0" "useradd ignores supplementary groups from GROUPS field in /etc/default/useradd for system user because SYS_USER_AUTO_GROUPS_ENAB is 'no'"
+
+save_config
+
+# restore the files on exit
+trap 'log_status "$0" "FAILURE"; restore_config' 0
+
+change_config
+
+printf "Create system user foo, without group associations with bin,adm,man,cdrom..."
+useradd -r foo
+printf "OK\n"
+
+printf "Check the passwd file..."
+../../../common/compare_file.pl data/passwd /etc/passwd
+printf "OK\n"
+printf "Check the group file..."
+../../../common/compare_file.pl data/group /etc/group
+printf "OK\n"
+printf "Check the shadow file..."
+../../../common/compare_file.pl data/shadow /etc/shadow
+printf "OK\n"
+printf "Check the gshadow file..."
+../../../common/compare_file.pl data/gshadow /etc/gshadow
+printf "OK\n"
+
+log_status "$0" "SUCCESS"
+restore_config
+trap '' 0
+
diff --git a/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config.txt b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config.txt
new file mode 100644
index 000000000..74c5907a7
--- /dev/null
+++ b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config.txt
@@ -0,0 +1,8 @@
+# no testsuite password
+# root password: rootF00barbaz
+# myuser password: myuserF00barbaz
+
+user foo, in group bin
+user foo, in group adm
+user foo, in group man
+user foo, in group cdrom
diff --git a/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/default/useradd b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/default/useradd
new file mode 100644
index 000000000..9e75e5433
--- /dev/null
+++ b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/default/useradd
@@ -0,0 +1,40 @@
+# Default values for useradd(8)
+#
+# The SHELL variable specifies the default login shell on your
+# system.
+# Similar to DHSELL in adduser. However, we use "sh" here because
+# useradd is a low level utility and should be as general
+# as possible
+SHELL=/bin/foobar
+#
+# The default group for users
+# 100=users on Debian systems
+# Same as USERS_GID in adduser
+# This argument is used when the -n flag is specified.
+# The default behavior (when -n and -g are not specified) is to create a
+# primary user group with the same name as the user being added to the
+# system.
+GROUP=10
+#
+# Addional supplementary groups for users
+GROUPS=bin,adm,man,cdrom
+#
+# The default home directory. Same as DHOME for adduser
+#
+HOME=/tmp
+#
+# The number of days after a password expires until the account
+# is permanently disabled
+INACTIVE=12
+#
+# The default expire date
+EXPIRE=2007-12-02
+#
+# The SKEL variable specifies the directory containing "skeletal" user
+# files; in other words, files such as a sample .profile that will be
+# copied to the new user's home directory when it is created.
+# SKEL=/etc/skel
+#
+# Defines whether the mail spool should be created while
+# creating the account
+# CREATE_MAIL_SPOOL=yes
diff --git a/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/group b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/group
new file mode 100644
index 000000000..101239088
--- /dev/null
+++ b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/group
@@ -0,0 +1,41 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+crontab:x:101:
+Debian-exim:x:102:
diff --git a/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/gshadow b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/gshadow
new file mode 100644
index 000000000..ae4248659
--- /dev/null
+++ b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/gshadow
@@ -0,0 +1,41 @@
+root:*::
+daemon:*::
+bin:*::
+sys:*::
+adm:*::
+tty:*::
+disk:*::
+lp:*::
+mail:*::
+news:*::
+uucp:*::
+man:*::
+proxy:*::
+kmem:*::
+dialout:*::
+fax:*::
+voice:*::
+cdrom:*::
+floppy:*::
+tape:*::
+sudo:*::
+audio:*::
+dip:*::
+www-data:*::
+backup:*::
+operator:*::
+list:*::
+irc:*::
+src:*::
+gnats:*::
+shadow:*::
+utmp:*::
+video:*::
+sasl:*::
+plugdev:*::
+staff:*::
+games:*::
+users:*::
+nogroup:*::
+crontab:x::
+Debian-exim:x::
diff --git a/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/login.defs b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/login.defs
new file mode 100644
index 000000000..511d275ec
--- /dev/null
+++ b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/login.defs
@@ -0,0 +1,485 @@
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+# $Id$
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
+# pam_unix(8) enforces a 2s delay)
+#
+FAIL_DELAY 3
+
+#
+# Enable logging and display of /var/log/faillog login(1) failure info.
+#
+FAILLOG_ENAB yes
+
+#
+# Enable display of unknown usernames when login(1) failures are recorded.
+#
+LOG_UNKFAIL_ENAB no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS no
+
+#
+# Enable logging and display of /var/log/lastlog login(1) time info.
+#
+LASTLOG_ENAB yes
+
+#
+# Limit the highest user ID number for which the lastlog entries should
+# be updated.
+#
+# No LASTLOG_UID_MAX means that there is no user ID limit for writing
+# lastlog entries.
+#
+#LASTLOG_UID_MAX
+
+#
+# Enable checking and display of mailbox status upon login.
+#
+# Disable if the shell startup files already check for mail
+# ("mailx -e" or equivalent).
+#
+MAIL_CHECK_ENAB yes
+
+#
+# Enable additional checks upon password changes.
+#
+OBSCURE_CHECKS_ENAB yes
+
+#
+# Enable checking of time restrictions specified in /etc/porttime.
+#
+PORTTIME_CHECKS_ENAB yes
+
+#
+# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
+#
+QUOTAS_ENAB yes
+
+#
+# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
+# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
+#
+SYSLOG_SU_ENAB yes
+SYSLOG_SG_ENAB yes
+
+#
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# from these devices.
+#
+CONSOLE /etc/securetty
+#CONSOLE console:tty01:tty02:tty03:tty04
+
+#
+# If defined, all su(1) activity is logged to this file.
+#
+#SULOG_FILE /var/log/sulog
+
+#
+# If defined, ":" delimited list of "message of the day" files to
+# be displayed upon login.
+#
+MOTD_FILE /etc/motd
+#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
+
+#
+# If defined, this file will be output before each login(1) prompt.
+#
+#ISSUE_FILE /etc/issue
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format similar to "vt100 tty01".
+#
+#TTYTYPE_FILE /etc/ttytype
+
+#
+# If defined, login(1) failures will be logged here in a utmp format.
+# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
+#
+FTMP_FILE /var/log/btmp
+
+#
+# If defined, name of file whose presence will inhibit non-root
+# logins. The content of this file should be a message indicating
+# why logins are inhibited.
+#
+NOLOGINS_FILE /etc/nologin
+
+#
+# If defined, the command name to display when running "su -". For
+# example, if this is defined as "su" then ps(1) will display the
+# command as "-su". If not defined, then ps(1) will display the
+# name of the shell actually being run, e.g. something like "-sh".
+#
+SU_NAME su
+
+#
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR /var/spool/mail
+#MAIL_FILE .mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+#
+# If defined, either a TZ environment parameter spec or the
+# fully-rooted pathname of a file containing such a spec.
+#
+#ENV_TZ TZ=CST6CDT
+#ENV_TZ /etc/tzname
+
+#
+# If defined, an HZ environment parameter spec.
+#
+# for Linux/x86
+ENV_HZ HZ=100
+# For Linux/Alpha...
+#ENV_HZ HZ=1024
+
+#
+# *REQUIRED* The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ENV_PATH PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a write(1) program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP as the number of such group
+# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
+# set TTYPERM to either 622 or 600.
+#
+TTYGROUP tty
+TTYPERM 0600
+
+#
+# Login configuration initializations:
+#
+# ERASECHAR Terminal ERASE character ('\010' = backspace).
+# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+# ULIMIT Default "ulimit" value.
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+# The ULIMIT is used only if the system supports it.
+# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
+#
+ERASECHAR 0177
+KILLCHAR 025
+#ULIMIT 2097152
+
+# Default initial "umask" value used by login(1) on non-PAM enabled systems.
+# Default "umask" value for pam_umask(8) on PAM enabled systems.
+# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+# home directories if HOME_MODE is not set.
+# 022 is the default value, but 027, or even 077, could be considered
+# for increased privacy. There is no One True Answer here: each sysadmin
+# must make up their mind.
+UMASK 022
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+#HOME_MODE 0700
+
+#
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_MIN_LEN 5
+PASS_WARN_AGE 7
+
+#
+# If "yes", the user must be listed as a member of the first gid 0 group
+# in /etc/group (called "root" on most Linux systems) to be able to "su"
+# to uid 0 accounts. If the group doesn't exist or is empty, no one
+# will be able to "su" to uid 0.
+#
+SU_WHEEL_ONLY no
+
+#
+# If compiled with cracklib support, sets the path to the dictionaries
+#
+CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
+
+#
+# Min/max values for automatic uid selection in useradd(8)
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+SYS_UID_MIN 101
+SYS_UID_MAX 999
+# Extra per user uids
+SUB_UID_MIN 100000
+SUB_UID_MAX 600100000
+SUB_UID_COUNT 65536
+
+#
+# Min/max values for automatic gid selection in groupadd(8)
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+SYS_GID_MIN 101
+SYS_GID_MAX 999
+# Extra per user group ids
+SUB_GID_MIN 100000
+SUB_GID_MAX 600100000
+SUB_GID_COUNT 65536
+
+#
+# Max number of login(1) retries if password is bad
+#
+LOGIN_RETRIES 5
+
+#
+# Max time in seconds for login(1)
+#
+LOGIN_TIMEOUT 60
+
+#
+# Maximum number of attempts to change password if rejected (too easy)
+#
+PASS_CHANGE_TRIES 5
+
+#
+# Warn about weak passwords (but still allow them) if you are root.
+#
+PASS_ALWAYS_WARN yes
+
+#
+# Number of significant characters in the password for crypt().
+# Default is 8, don't change unless your crypt() is better.
+# Ignored if MD5_CRYPT_ENAB set to "yes".
+#
+#PASS_MAX_LEN 8
+
+#
+# Require password before chfn(1)/chsh(1) can make any changes.
+#
+CHFN_AUTH yes
+
+#
+# Which fields may be changed by regular users using chfn(1) - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT rwh
+
+#
+# Password prompt (%s will be replaced by user name).
+#
+# XXX - it doesn't work correctly yet, for now leave it commented out
+# to use the default which is just "Password: ".
+#LOGIN_STRING "%s's Password: "
+
+#
+# Only works if compiled with MD5_CRYPT defined:
+# If set to "yes", new passwords will be encrypted using the MD5-based
+# algorithm compatible with the one used by recent releases of FreeBSD.
+# It supports passwords of unlimited length and longer salt strings.
+# Set to "no" if you need to copy encrypted passwords to other systems
+# which don't understand the new algorithm. Default is "no".
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+# This variable is deprecated. You should use ENCRYPT_METHOD instead.
+#
+#MD5_CRYPT_ENAB no
+
+#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: If you use PAM, it is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+#ENCRYPT_METHOD DES
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, the libc will choose the default number of rounds (5000),
+# which is orders of magnitude too low for modern hardware.
+# The values must be within the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#SHA_CRYPT_MIN_ROUNDS 5000
+#SHA_CRYPT_MAX_ROUNDS 5000
+
+#
+# Only works if ENCRYPT_METHOD is set to BCRYPT.
+#
+# Define the number of BCRYPT rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, 13 rounds will be attempted.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#BCRYPT_MIN_ROUNDS 13
+#BCRYPT_MAX_ROUNDS 13
+
+#
+# Only works if ENCRYPT_METHOD is set to YESCRYPT.
+#
+# Define the YESCRYPT cost factor.
+# With a higher cost factor, it is more difficult to brute-force the password.
+# However, more CPU time and more memory will be needed to authenticate users
+# if this value is increased.
+#
+# If not specified, a cost factor of 5 will be used.
+# The value must be within the 1-11 range.
+#
+#YESCRYPT_COST_FACTOR 5
+
+#
+# List of groups to add to the user's supplementary group set
+# when logging in from the console (as determined by the CONSOLE
+# setting). Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in from the console.
+# How to do it is left as an exercise for the reader...
+#
+#CONSOLE_GROUPS floppy:audio:cdrom
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is no.
+#
+DEFAULT_HOME yes
+
+#
+# The pwck(8) utility emits a warning for any system account with a home
+# directory that does not exist. Some system accounts intentionally do
+# not have a home directory. Such accounts may have this string as
+# their home directory in /etc/passwd to avoid a spurious warning.
+#
+NONEXISTENT /nonexistent
+
+#
+# If this file exists and is readable, login environment will be
+# read from it. Every line should be in the form name=value.
+#
+ENVIRON_FILE /etc/environment
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# Enable setting of the umask group bits to be the same as owner bits
+# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+# the same as gid, and username is the same as the primary group name.
+#
+# This also enables userdel(8) to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-zero number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permits to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP 0
+
+#
+# If useradd(8) should create home directories for users by default (non
+# system users only).
+# This option is overridden with the -M or -m flags on the useradd(8)
+# command-line.
+#
+#CREATE_HOME yes
+
+#
+# Force use shadow, even if shadow passwd & shadow group files are
+# missing.
+#
+#FORCE_SHADOW yes
+
+#
+# Allow newuidmap and newgidmap when running under an alternative
+# primary group.
+#
+#GRANT_AUX_GROUP_SUBIDS yes
+
+#
+# Prevents an empty password field to be interpreted as "no authentication
+# required".
+# Set to "yes" to prevent for all accounts
+# Set to "superuser" to prevent for UID 0 / root (default)
+# Set to "no" to not prevent for any account (dangerous, historical default)
+PREVENT_NO_AUTH superuser
+
+#
+# Select the HMAC cryptography algorithm.
+# Used in pam_timestamp module to calculate the keyed-hash message
+# authentication code.
+#
+# Note: It is recommended to check hmac(3) to see the possible algorithms
+# that are available in your system.
+#
+#HMAC_CRYPTO_ALGO SHA512
+
+#
+# Should system users be automatically added to supplementary groups
+# from the GROUPS option in the /etc/default/useradd?
+# Default is no.
+#
+SYS_USER_AUTO_GROUPS_ENAB yes
\ No newline at end of file
diff --git a/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/passwd b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/passwd
new file mode 100644
index 000000000..43fc135a4
--- /dev/null
+++ b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/passwd
@@ -0,0 +1,19 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/bin/sh
+man:x:6:12:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+list:x:38:38:Mailing List Manager:/var/list:/bin/sh
+irc:x:39:39:ircd:/var/run/ircd:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
+Debian-exim:x:102:102::/var/spool/exim4:/bin/false
diff --git a/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/shadow b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/shadow
new file mode 100644
index 000000000..5f50d1873
--- /dev/null
+++ b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/config/etc/shadow
@@ -0,0 +1,19 @@
+root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7:::
+daemon:*:12977:0:99999:7:::
+bin:*:12977:0:99999:7:::
+sys:*:12977:0:99999:7:::
+sync:*:12977:0:99999:7:::
+games:*:12977:0:99999:7:::
+man:*:12977:0:99999:7:::
+lp:*:12977:0:99999:7:::
+mail:*:12977:0:99999:7:::
+news:*:12977:0:99999:7:::
+uucp:*:12977:0:99999:7:::
+proxy:*:12977:0:99999:7:::
+www-data:*:12977:0:99999:7:::
+backup:*:12977:0:99999:7:::
+list:*:12977:0:99999:7:::
+irc:*:12977:0:99999:7:::
+gnats:*:12977:0:99999:7:::
+nobody:*:12977:0:99999:7:::
+Debian-exim:!:12977:0:99999:7:::
diff --git a/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/data/group b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/data/group
new file mode 100644
index 000000000..69e96aa37
--- /dev/null
+++ b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/data/group
@@ -0,0 +1,42 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:foo
+sys:x:3:
+adm:x:4:foo
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:foo
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:foo
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+crontab:x:101:
+Debian-exim:x:102:
+foo:x:999:
diff --git a/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/data/gshadow b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/data/gshadow
new file mode 100644
index 000000000..ec19c4aa4
--- /dev/null
+++ b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/data/gshadow
@@ -0,0 +1,42 @@
+root:*::
+daemon:*::
+bin:*::foo
+sys:*::
+adm:*::foo
+tty:*::
+disk:*::
+lp:*::
+mail:*::
+news:*::
+uucp:*::
+man:*::foo
+proxy:*::
+kmem:*::
+dialout:*::
+fax:*::
+voice:*::
+cdrom:*::foo
+floppy:*::
+tape:*::
+sudo:*::
+audio:*::
+dip:*::
+www-data:*::
+backup:*::
+operator:*::
+list:*::
+irc:*::
+src:*::
+gnats:*::
+shadow:*::
+utmp:*::
+video:*::
+sasl:*::
+plugdev:*::
+staff:*::
+games:*::
+users:*::
+nogroup:*::
+crontab:x::
+Debian-exim:x::
+foo:!::
diff --git a/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/data/passwd b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/data/passwd
new file mode 100644
index 000000000..640a0cccc
--- /dev/null
+++ b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/data/passwd
@@ -0,0 +1,20 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/bin/sh
+man:x:6:12:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+list:x:38:38:Mailing List Manager:/var/list:/bin/sh
+irc:x:39:39:ircd:/var/run/ircd:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
+Debian-exim:x:102:102::/var/spool/exim4:/bin/false
+foo:x:101:999::/tmp/foo:/bin/foobar
diff --git a/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/data/shadow b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/data/shadow
new file mode 100644
index 000000000..823c4c05a
--- /dev/null
+++ b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/data/shadow
@@ -0,0 +1,20 @@
+root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7:::
+daemon:*:12977:0:99999:7:::
+bin:*:12977:0:99999:7:::
+sys:*:12977:0:99999:7:::
+sync:*:12977:0:99999:7:::
+games:*:12977:0:99999:7:::
+man:*:12977:0:99999:7:::
+lp:*:12977:0:99999:7:::
+mail:*:12977:0:99999:7:::
+news:*:12977:0:99999:7:::
+uucp:*:12977:0:99999:7:::
+proxy:*:12977:0:99999:7:::
+www-data:*:12977:0:99999:7:::
+backup:*:12977:0:99999:7:::
+list:*:12977:0:99999:7:::
+irc:*:12977:0:99999:7:::
+gnats:*:12977:0:99999:7:::
+nobody:*:12977:0:99999:7:::
+Debian-exim:!:12977:0:99999:7:::
+foo:!:@TODAY@::::::
diff --git a/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/useradd.test b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/useradd.test
new file mode 100755
index 000000000..a7ba85de6
--- /dev/null
+++ b/tests/usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/useradd.test
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname $0)"
+
+. ../../../common/config.sh
+. ../../../common/log.sh
+
+log_start "$0" "useradd adds supplementary groups based on the GROUPS field in /etc/default/useradd for system user because SYS_USER_AUTO_GROUPS_ENAB is 'yes'"
+
+save_config
+
+# restore the files on exit
+trap 'log_status "$0" "FAILURE"; restore_config' 0
+
+change_config
+
+printf "Create system user foo, with group associations with bin,adm,man,cdrom..."
+useradd -r foo
+printf "OK\n"
+
+printf "Check the passwd file..."
+../../../common/compare_file.pl data/passwd /etc/passwd
+printf "OK\n"
+printf "Check the group file..."
+../../../common/compare_file.pl data/group /etc/group
+printf "OK\n"
+printf "Check the shadow file..."
+../../../common/compare_file.pl data/shadow /etc/shadow
+printf "OK\n"
+printf "Check the gshadow file..."
+../../../common/compare_file.pl data/gshadow /etc/gshadow
+printf "OK\n"
+
+log_status "$0" "SUCCESS"
+restore_config
+trap '' 0
+