useradd: SYS_USER_AUTO_GROUPS_ENAB option

etc/login.defs

@@ -471,3 +471,10 @@ PREVENT_NO_AUTH superuser
 # that are available in your system.
 #
 #HMAC_CRYPTO_ALGO SHA512
+
+#
+# Should system users be automatically added to supplementary groups
+# from the GROUPS option in the /etc/default/useradd?
+# Default is no.
+#
+#SYS_USER_AUTO_GROUPS_ENAB no

lib/getdef.c

@@ -142,6 +142,7 @@ static struct itemdef def_table[] = {
 	{"UMASK", NULL},
 	{"USERDEL_CMD", NULL},
 	{"USERGROUPS_ENAB", NULL},
+	{"SYS_USER_AUTO_GROUPS_ENAB", NULL},
 #ifndef USE_PAM
 	PAMDEFS
 #endif

lib/list.c

@@ -156,6 +156,17 @@ dup_list(char *const *list)
 	return tmp;
 }
 
+/*
+ * free_list - free input list
+ */
+void
+free_list(char **list)
+{
+	for (size_t i = 0; list[i] != NULL; i++)
+		free(list[i]);
+	list[0] = NULL;
+}
+
 /*
  * Check if member is part of the input list
  * The input list is not modified, but in order to allow the use of this

lib/prototypes.h

@@ -200,6 +200,7 @@ extern void setup_limits (const struct passwd *);
 extern /*@only@*/char **add_list (/*@returned@*/ /*@only@*/char **, const char *);
 extern /*@only@*/char **del_list (/*@returned@*/ /*@only@*/char **, const char *);
 extern /*@only@*/char **dup_list (char *const *);
+extern void free_list (char **);
 extern bool is_on_list (char *const *list, const char *member);
 extern /*@only@*/char **comma_to_list (const char *);
 

man/Makefile.am

@@ -191,6 +191,7 @@ login_defs_v = \
 	SUB_UID_COUNT.xml \
 	SYS_GID_MAX.xml \
 	SYS_UID_MAX.xml \
+	SYS_USER_AUTO_GROUPS_ENAB.xml \
 	YESCRYPT_COST_FACTOR.xml
 
 EXTRA_DIST = \

man/login.defs.5.xml

@@ -7,75 +7,76 @@
 -->
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN" 
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-<!ENTITY BCRYPT_MIN_ROUNDS     SYSTEM "login.defs.d/BCRYPT_MIN_ROUNDS.xml">
-<!ENTITY CHFN_AUTH             SYSTEM "login.defs.d/CHFN_AUTH.xml">
-<!ENTITY CHFN_RESTRICT         SYSTEM "login.defs.d/CHFN_RESTRICT.xml">
-<!ENTITY CHSH_AUTH             SYSTEM "login.defs.d/CHSH_AUTH.xml">
-<!ENTITY CONSOLE               SYSTEM "login.defs.d/CONSOLE.xml">
-<!ENTITY CONSOLE_GROUPS        SYSTEM "login.defs.d/CONSOLE_GROUPS.xml">
-<!ENTITY CREATE_HOME           SYSTEM "login.defs.d/CREATE_HOME.xml">
-<!ENTITY DEFAULT_HOME          SYSTEM "login.defs.d/DEFAULT_HOME.xml">
-<!ENTITY ENCRYPT_METHOD        SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
-<!ENTITY ENV_HZ                SYSTEM "login.defs.d/ENV_HZ.xml">
-<!ENTITY ENV_PATH              SYSTEM "login.defs.d/ENV_PATH.xml">
-<!ENTITY ENV_SUPATH            SYSTEM "login.defs.d/ENV_SUPATH.xml">
-<!ENTITY ENV_TZ                SYSTEM "login.defs.d/ENV_TZ.xml">
-<!ENTITY ENVIRON_FILE          SYSTEM "login.defs.d/ENVIRON_FILE.xml">
-<!ENTITY ERASECHAR             SYSTEM "login.defs.d/ERASECHAR.xml">
-<!ENTITY FAIL_DELAY            SYSTEM "login.defs.d/FAIL_DELAY.xml">
-<!ENTITY FAILLOG_ENAB          SYSTEM "login.defs.d/FAILLOG_ENAB.xml">
-<!ENTITY FAKE_SHELL            SYSTEM "login.defs.d/FAKE_SHELL.xml">
-<!ENTITY FTMP_FILE             SYSTEM "login.defs.d/FTMP_FILE.xml">
-<!ENTITY GID_MAX               SYSTEM "login.defs.d/GID_MAX.xml">
-<!ENTITY HMAC_CRYPTO_ALGO      SYSTEM "login.defs.d/HMAC_CRYPTO_ALGO.xml">
-<!ENTITY HOME_MODE             SYSTEM "login.defs.d/HOME_MODE.xml">
-<!ENTITY HUSHLOGIN_FILE        SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
-<!ENTITY ISSUE_FILE            SYSTEM "login.defs.d/ISSUE_FILE.xml">
-<!ENTITY KILLCHAR              SYSTEM "login.defs.d/KILLCHAR.xml">
-<!ENTITY LASTLOG_ENAB          SYSTEM "login.defs.d/LASTLOG_ENAB.xml">
-<!ENTITY LASTLOG_UID_MAX       SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
-<!ENTITY LOG_OK_LOGINS         SYSTEM "login.defs.d/LOG_OK_LOGINS.xml">
-<!ENTITY LOG_UNKFAIL_ENAB      SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml">
-<!ENTITY LOGIN_RETRIES         SYSTEM "login.defs.d/LOGIN_RETRIES.xml">
-<!ENTITY LOGIN_STRING          SYSTEM "login.defs.d/LOGIN_STRING.xml">
-<!ENTITY LOGIN_TIMEOUT         SYSTEM "login.defs.d/LOGIN_TIMEOUT.xml">
-<!ENTITY MAIL_CHECK_ENAB       SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml">
-<!ENTITY MAIL_DIR              SYSTEM "login.defs.d/MAIL_DIR.xml">
-<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
-<!ENTITY MD5_CRYPT_ENAB        SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
-<!ENTITY MOTD_FILE             SYSTEM "login.defs.d/MOTD_FILE.xml">
-<!ENTITY NOLOGINS_FILE         SYSTEM "login.defs.d/NOLOGINS_FILE.xml">
-<!ENTITY NONEXISTENT           SYSTEM "login.defs.d/NONEXISTENT.xml">
-<!ENTITY OBSCURE_CHECKS_ENAB   SYSTEM "login.defs.d/OBSCURE_CHECKS_ENAB.xml">
-<!ENTITY PASS_ALWAYS_WARN      SYSTEM "login.defs.d/PASS_ALWAYS_WARN.xml">
-<!ENTITY PASS_CHANGE_TRIES     SYSTEM "login.defs.d/PASS_CHANGE_TRIES.xml">
-<!ENTITY PASS_MAX_LEN          SYSTEM "login.defs.d/PASS_MAX_LEN.xml">
-<!ENTITY PASS_MAX_DAYS         SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
-<!ENTITY PASS_MIN_DAYS         SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
-<!ENTITY PASS_WARN_AGE         SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
-<!ENTITY PORTTIME_CHECKS_ENAB  SYSTEM "login.defs.d/PORTTIME_CHECKS_ENAB.xml">
-<!ENTITY QUOTAS_ENAB           SYSTEM "login.defs.d/QUOTAS_ENAB.xml">
-<!ENTITY SHA_CRYPT_MIN_ROUNDS  SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
-<!ENTITY SULOG_FILE            SYSTEM "login.defs.d/SULOG_FILE.xml">
-<!ENTITY SU_NAME               SYSTEM "login.defs.d/SU_NAME.xml">
-<!ENTITY SU_WHEEL_ONLY         SYSTEM "login.defs.d/SU_WHEEL_ONLY.xml">
-<!ENTITY SUB_GID_COUNT         SYSTEM "login.defs.d/SUB_GID_COUNT.xml">
-<!ENTITY SUB_UID_COUNT         SYSTEM "login.defs.d/SUB_UID_COUNT.xml">
-<!ENTITY SYS_GID_MAX           SYSTEM "login.defs.d/SYS_GID_MAX.xml">
-<!ENTITY SYSLOG_SG_ENAB        SYSTEM "login.defs.d/SYSLOG_SG_ENAB.xml">
-<!ENTITY SYSLOG_SU_ENAB        SYSTEM "login.defs.d/SYSLOG_SU_ENAB.xml">
-<!ENTITY SYS_UID_MAX           SYSTEM "login.defs.d/SYS_UID_MAX.xml">
-<!ENTITY TCB_AUTH_GROUP        SYSTEM "login.defs.d/TCB_AUTH_GROUP.xml">
-<!ENTITY TCB_SYMLINKS          SYSTEM "login.defs.d/TCB_SYMLINKS.xml">
-<!ENTITY TTYGROUP              SYSTEM "login.defs.d/TTYGROUP.xml">
-<!ENTITY TTYTYPE_FILE          SYSTEM "login.defs.d/TTYTYPE_FILE.xml">
-<!ENTITY UID_MAX               SYSTEM "login.defs.d/UID_MAX.xml">
-<!ENTITY ULIMIT                SYSTEM "login.defs.d/ULIMIT.xml">
-<!ENTITY UMASK                 SYSTEM "login.defs.d/UMASK.xml">
-<!ENTITY USERDEL_CMD           SYSTEM "login.defs.d/USERDEL_CMD.xml">
-<!ENTITY USERGROUPS_ENAB       SYSTEM "login.defs.d/USERGROUPS_ENAB.xml">
-<!ENTITY USE_TCB               SYSTEM "login.defs.d/USE_TCB.xml">
-<!ENTITY YESCRYPT_COST_FACTOR  SYSTEM "login.defs.d/YESCRYPT_COST_FACTOR.xml">
+<!ENTITY BCRYPT_MIN_ROUNDS         SYSTEM "login.defs.d/BCRYPT_MIN_ROUNDS.xml">
+<!ENTITY CHFN_AUTH                 SYSTEM "login.defs.d/CHFN_AUTH.xml">
+<!ENTITY CHFN_RESTRICT             SYSTEM "login.defs.d/CHFN_RESTRICT.xml">
+<!ENTITY CHSH_AUTH                 SYSTEM "login.defs.d/CHSH_AUTH.xml">
+<!ENTITY CONSOLE                   SYSTEM "login.defs.d/CONSOLE.xml">
+<!ENTITY CONSOLE_GROUPS            SYSTEM "login.defs.d/CONSOLE_GROUPS.xml">
+<!ENTITY CREATE_HOME               SYSTEM "login.defs.d/CREATE_HOME.xml">
+<!ENTITY DEFAULT_HOME              SYSTEM "login.defs.d/DEFAULT_HOME.xml">
+<!ENTITY ENCRYPT_METHOD            SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
+<!ENTITY ENV_HZ                    SYSTEM "login.defs.d/ENV_HZ.xml">
+<!ENTITY ENV_PATH                  SYSTEM "login.defs.d/ENV_PATH.xml">
+<!ENTITY ENV_SUPATH                SYSTEM "login.defs.d/ENV_SUPATH.xml">
+<!ENTITY ENV_TZ                    SYSTEM "login.defs.d/ENV_TZ.xml">
+<!ENTITY ENVIRON_FILE              SYSTEM "login.defs.d/ENVIRON_FILE.xml">
+<!ENTITY ERASECHAR                 SYSTEM "login.defs.d/ERASECHAR.xml">
+<!ENTITY FAIL_DELAY                SYSTEM "login.defs.d/FAIL_DELAY.xml">
+<!ENTITY FAILLOG_ENAB              SYSTEM "login.defs.d/FAILLOG_ENAB.xml">
+<!ENTITY FAKE_SHELL                SYSTEM "login.defs.d/FAKE_SHELL.xml">
+<!ENTITY FTMP_FILE                 SYSTEM "login.defs.d/FTMP_FILE.xml">
+<!ENTITY GID_MAX                   SYSTEM "login.defs.d/GID_MAX.xml">
+<!ENTITY HMAC_CRYPTO_ALGO          SYSTEM "login.defs.d/HMAC_CRYPTO_ALGO.xml">
+<!ENTITY HOME_MODE                 SYSTEM "login.defs.d/HOME_MODE.xml">
+<!ENTITY HUSHLOGIN_FILE            SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
+<!ENTITY ISSUE_FILE                SYSTEM "login.defs.d/ISSUE_FILE.xml">
+<!ENTITY KILLCHAR                  SYSTEM "login.defs.d/KILLCHAR.xml">
+<!ENTITY LASTLOG_ENAB              SYSTEM "login.defs.d/LASTLOG_ENAB.xml">
+<!ENTITY LASTLOG_UID_MAX           SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
+<!ENTITY LOG_OK_LOGINS             SYSTEM "login.defs.d/LOG_OK_LOGINS.xml">
+<!ENTITY LOG_UNKFAIL_ENAB          SYSTEM "login.defs.d/LOG_UNKFAIL_ENAB.xml">
+<!ENTITY LOGIN_RETRIES             SYSTEM "login.defs.d/LOGIN_RETRIES.xml">
+<!ENTITY LOGIN_STRING              SYSTEM "login.defs.d/LOGIN_STRING.xml">
+<!ENTITY LOGIN_TIMEOUT             SYSTEM "login.defs.d/LOGIN_TIMEOUT.xml">
+<!ENTITY MAIL_CHECK_ENAB           SYSTEM "login.defs.d/MAIL_CHECK_ENAB.xml">
+<!ENTITY MAIL_DIR                  SYSTEM "login.defs.d/MAIL_DIR.xml">
+<!ENTITY MAX_MEMBERS_PER_GROUP     SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
+<!ENTITY MD5_CRYPT_ENAB            SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
+<!ENTITY MOTD_FILE                 SYSTEM "login.defs.d/MOTD_FILE.xml">
+<!ENTITY NOLOGINS_FILE             SYSTEM "login.defs.d/NOLOGINS_FILE.xml">
+<!ENTITY NONEXISTENT               SYSTEM "login.defs.d/NONEXISTENT.xml">
+<!ENTITY OBSCURE_CHECKS_ENAB       SYSTEM "login.defs.d/OBSCURE_CHECKS_ENAB.xml">
+<!ENTITY PASS_ALWAYS_WARN          SYSTEM "login.defs.d/PASS_ALWAYS_WARN.xml">
+<!ENTITY PASS_CHANGE_TRIES         SYSTEM "login.defs.d/PASS_CHANGE_TRIES.xml">
+<!ENTITY PASS_MAX_LEN              SYSTEM "login.defs.d/PASS_MAX_LEN.xml">
+<!ENTITY PASS_MAX_DAYS             SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
+<!ENTITY PASS_MIN_DAYS             SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
+<!ENTITY PASS_WARN_AGE             SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
+<!ENTITY PORTTIME_CHECKS_ENAB      SYSTEM "login.defs.d/PORTTIME_CHECKS_ENAB.xml">
+<!ENTITY QUOTAS_ENAB               SYSTEM "login.defs.d/QUOTAS_ENAB.xml">
+<!ENTITY SHA_CRYPT_MIN_ROUNDS      SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
+<!ENTITY SULOG_FILE                SYSTEM "login.defs.d/SULOG_FILE.xml">
+<!ENTITY SU_NAME                   SYSTEM "login.defs.d/SU_NAME.xml">
+<!ENTITY SU_WHEEL_ONLY             SYSTEM "login.defs.d/SU_WHEEL_ONLY.xml">
+<!ENTITY SUB_GID_COUNT             SYSTEM "login.defs.d/SUB_GID_COUNT.xml">
+<!ENTITY SUB_UID_COUNT             SYSTEM "login.defs.d/SUB_UID_COUNT.xml">
+<!ENTITY SYS_GID_MAX               SYSTEM "login.defs.d/SYS_GID_MAX.xml">
+<!ENTITY SYSLOG_SG_ENAB            SYSTEM "login.defs.d/SYSLOG_SG_ENAB.xml">
+<!ENTITY SYSLOG_SU_ENAB            SYSTEM "login.defs.d/SYSLOG_SU_ENAB.xml">
+<!ENTITY SYS_UID_MAX               SYSTEM "login.defs.d/SYS_UID_MAX.xml">
+<!ENTITY SYS_USER_AUTO_GROUPS_ENAB SYSTEM "login.defs.d/SYS_USER_AUTO_GROUPS_ENAB.xml">
+<!ENTITY TCB_AUTH_GROUP            SYSTEM "login.defs.d/TCB_AUTH_GROUP.xml">
+<!ENTITY TCB_SYMLINKS              SYSTEM "login.defs.d/TCB_SYMLINKS.xml">
+<!ENTITY TTYGROUP                  SYSTEM "login.defs.d/TTYGROUP.xml">
+<!ENTITY TTYTYPE_FILE              SYSTEM "login.defs.d/TTYTYPE_FILE.xml">
+<!ENTITY UID_MAX                   SYSTEM "login.defs.d/UID_MAX.xml">
+<!ENTITY ULIMIT                    SYSTEM "login.defs.d/ULIMIT.xml">
+<!ENTITY UMASK                     SYSTEM "login.defs.d/UMASK.xml">
+<!ENTITY USERDEL_CMD               SYSTEM "login.defs.d/USERDEL_CMD.xml">
+<!ENTITY USERGROUPS_ENAB           SYSTEM "login.defs.d/USERGROUPS_ENAB.xml">
+<!ENTITY USE_TCB                   SYSTEM "login.defs.d/USE_TCB.xml">
+<!ENTITY YESCRYPT_COST_FACTOR      SYSTEM "login.defs.d/YESCRYPT_COST_FACTOR.xml">
 <!-- SHADOW-CONFIG-HERE -->
 ]>
 
@@ -209,6 +210,7 @@
       &SUB_UID_COUNT; <!-- documents also SUB_UID_MIN SUB_UID_MAX -->
       &SYS_GID_MAX; <!-- documents also SYS_GID_MIN -->
       &SYS_UID_MAX; <!-- documents also SYS_UID_MIN -->
+      &SYS_USER_AUTO_GROUPS_ENAB;
       &SYSLOG_SG_ENAB;
       &SYSLOG_SU_ENAB;
       &TCB_AUTH_GROUP;
@@ -489,6 +491,7 @@
 	    SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
 	    SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
 	    SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN
+	    SYS_USER_AUTO_GROUPS_ENAB
 	    UMASK
 	    <phrase condition="tcb">TCB_AUTH_GROUP TCB_SYMLINK USE_TCB</phrase>
 	  </para>

man/login.defs.d/SYS_USER_AUTO_GROUPS_ENAB.xml

@@ -0,0 +1,10 @@
+<varlistentry>
+  <term><option>SYS_USER_AUTO_GROUPS_ENAB</option> (boolean)</term>
+  <listitem>
+    <para>
+      Indicate if the option <option>GROUPS</option>
+      in the file <filename>/etc/default/useradd</filename>
+      should add system users to those supplementary groups by default.
+    </para>
+  </listitem>
+</varlistentry>

man/useradd.8.xml

@@ -6,25 +6,26 @@
 -->
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-<!ENTITY CREATE_HOME           SYSTEM "login.defs.d/CREATE_HOME.xml">
-<!ENTITY GID_MAX               SYSTEM "login.defs.d/GID_MAX.xml">
-<!ENTITY HOME_MODE             SYSTEM "login.defs.d/HOME_MODE.xml">
-<!ENTITY LASTLOG_UID_MAX       SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
-<!ENTITY MAIL_DIR              SYSTEM "login.defs.d/MAIL_DIR.xml">
-<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
-<!ENTITY PASS_MAX_DAYS         SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
-<!ENTITY PASS_MIN_DAYS         SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
-<!ENTITY PASS_WARN_AGE         SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
-<!ENTITY SUB_GID_COUNT         SYSTEM "login.defs.d/SUB_GID_COUNT.xml">
-<!ENTITY SUB_UID_COUNT         SYSTEM "login.defs.d/SUB_UID_COUNT.xml">
-<!ENTITY SYS_GID_MAX           SYSTEM "login.defs.d/SYS_GID_MAX.xml">
-<!ENTITY SYS_UID_MAX           SYSTEM "login.defs.d/SYS_UID_MAX.xml">
-<!ENTITY UID_MAX               SYSTEM "login.defs.d/UID_MAX.xml">
-<!ENTITY UMASK                 SYSTEM "login.defs.d/UMASK.xml">
-<!ENTITY TCB_AUTH_GROUP        SYSTEM "login.defs.d/TCB_AUTH_GROUP.xml">
-<!ENTITY TCB_SYMLINKS          SYSTEM "login.defs.d/TCB_SYMLINKS.xml">
-<!ENTITY USE_TCB               SYSTEM "login.defs.d/USE_TCB.xml">
-<!ENTITY USERGROUPS_ENAB       SYSTEM "login.defs.d/USERGROUPS_ENAB.xml">
+<!ENTITY CREATE_HOME               SYSTEM "login.defs.d/CREATE_HOME.xml">
+<!ENTITY GID_MAX                   SYSTEM "login.defs.d/GID_MAX.xml">
+<!ENTITY HOME_MODE                 SYSTEM "login.defs.d/HOME_MODE.xml">
+<!ENTITY LASTLOG_UID_MAX           SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
+<!ENTITY MAIL_DIR                  SYSTEM "login.defs.d/MAIL_DIR.xml">
+<!ENTITY MAX_MEMBERS_PER_GROUP     SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
+<!ENTITY PASS_MAX_DAYS             SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
+<!ENTITY PASS_MIN_DAYS             SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
+<!ENTITY PASS_WARN_AGE             SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
+<!ENTITY SUB_GID_COUNT             SYSTEM "login.defs.d/SUB_GID_COUNT.xml">
+<!ENTITY SUB_UID_COUNT             SYSTEM "login.defs.d/SUB_UID_COUNT.xml">
+<!ENTITY SYS_GID_MAX               SYSTEM "login.defs.d/SYS_GID_MAX.xml">
+<!ENTITY SYS_UID_MAX               SYSTEM "login.defs.d/SYS_UID_MAX.xml">
+<!ENTITY SYS_USER_AUTO_GROUPS_ENAB SYSTEM "login.defs.d/SYS_USER_AUTO_GROUPS_ENAB.xml">
+<!ENTITY UID_MAX                   SYSTEM "login.defs.d/UID_MAX.xml">
+<!ENTITY UMASK                     SYSTEM "login.defs.d/UMASK.xml">
+<!ENTITY TCB_AUTH_GROUP            SYSTEM "login.defs.d/TCB_AUTH_GROUP.xml">
+<!ENTITY TCB_SYMLINKS              SYSTEM "login.defs.d/TCB_SYMLINKS.xml">
+<!ENTITY USE_TCB                   SYSTEM "login.defs.d/USE_TCB.xml">
+<!ENTITY USERGROUPS_ENAB           SYSTEM "login.defs.d/USERGROUPS_ENAB.xml">
 <!-- SHADOW-CONFIG-HERE -->
 ]>
 <refentry id='useradd.8'>
@@ -489,6 +490,14 @@
 	    specify the <option>-F</option> options if you want to update
 	    the files for a system account to be created.
 	  </para>
+	  <para>
+	    Note that the option <option>GROUPS</option>
+	    in the file <filename>/etc/default/useradd</filename>
+	    will not add system users to those supplementary groups by default.
+	    The default behavior is defined by
+	    the <option>SYS_USER_AUTO_GROUPS_ENAB</option>
+	    variable in <filename>/etc/login.defs</filename>.
+	  </para>
 	</listitem>
       </varlistentry>
       <varlistentry>
@@ -752,6 +761,7 @@
       &SUB_UID_COUNT; <!-- documents also SUB_UID_MAX and SUB_UID_MIN -->
       &SYS_GID_MAX; <!-- documents also SYS_GID_MIN -->
       &SYS_UID_MAX; <!-- documents also SYS_UID_MIN -->
+      &SYS_USER_AUTO_GROUPS_ENAB;
       &TCB_AUTH_GROUP;
       &TCB_SYMLINKS;
       &UID_MAX; <!-- documents also UID_MIN -->

src/useradd.c

@@ -764,11 +764,7 @@ static int get_groups (char *list)
 	/*
 	 * Free previous group list before creating a new one.
 	 */
-	int i = 0;
-	while (NULL != user_groups[i]) {
-		free(user_groups[i]);
-		user_groups[i++] = NULL;
-	}
+	free_list(user_groups);
 
 	if (streq(list, "")) {
 		return 0;
@@ -1595,6 +1591,13 @@ static void process_flags (int argc, char **argv)
 		if (getdef_bool ("CREATE_HOME")) {
 			mflg = true;
 		}
+	} else {
+		/* If SYS_USER_AUTO_GROUPS_ENAB is disabled,
+		 * then do not automatically add supplements groups for system users. */
+		if (!getdef_bool("SYS_USER_AUTO_GROUPS_ENAB") && !Gflg && do_grp_update) {
+			free_list(user_groups);
+			do_grp_update = false;
+		}
 	}
 
 	if (Mflg) {

tests/run_all

@@ -772,6 +772,9 @@ run_test ./usertools/useradd/65_useradd_locked_group/useradd.test
 run_test ./usertools/useradd/66_useradd_locked_shadow/useradd.test
 run_test ./usertools/useradd/67_useradd_locked_gshadow/useradd.test
 run_test ./usertools/useradd/68_useradd-s_empty/useradd.test
+run_test ./usertools/useradd/69_useradd_default_GROUPS_name/useradd.test
+run_test ./usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/useradd.test
+run_test ./usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/useradd.test
 run_test ./usertools/userdel/01_userdel_usage/userdel.test
 run_test ./usertools/userdel/02_userdel_usage_invalid_option/userdel.test
 run_test ./usertools/userdel/03_userdel_usage_no_users/userdel.test

tests/run_all.coverage

@@ -788,6 +788,9 @@ run_test ./usertools/useradd/65_useradd_locked_group/useradd.test
 run_test ./usertools/useradd/66_useradd_locked_shadow/useradd.test
 run_test ./usertools/useradd/67_useradd_locked_gshadow/useradd.test
 run_test ./usertools/useradd/68_useradd-s_empty/useradd.test
+run_test ./usertools/useradd/69_useradd_default_GROUPS_name/useradd.test
+run_test ./usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/useradd.test
+run_test ./usertools/useradd/71_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_yes/useradd.test
 run_test ./usertools/userdel/01_userdel_usage/userdel.test
 run_test ./usertools/userdel/02_userdel_usage_invalid_option/userdel.test
 run_test ./usertools/userdel/03_userdel_usage_no_users/userdel.test

tests/usertools/useradd/69_useradd_default_GROUPS_name/data/group

@@ -1,4 +1,4 @@
- root:x:0:
+root:x:0:
 daemon:x:1:
 bin:x:2:foo
 sys:x:3:

tests/usertools/useradd/70_useradd-r_SYS_USER_AUTO_GROUPS_ENAB_default/config.txt

@@ -0,0 +1,5 @@
+# no testsuite password
+# root password: rootF00barbaz
+# myuser password: myuserF00barbaz
+
+user foo