From 60e94564d135a8b1fcc6ae8b3a5f5024f2864892 Mon Sep 17 00:00:00 2001
From: Simon Lloyd
Date: Thu, 13 Aug 2015 23:57:09 +0200
Subject: [PATCH 1/3] Don't add sudo group by default. This formula doesn't really require the sudo group (unless there are actually users in that group). Moreover, on FreeBSD the 'admin' group would be wheel and not sudo.
---
 users/init.sls | 6 ++++--
 users/sudo.sls | 6 ------
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/users/init.sls b/users/init.sls
index 13317c8..1ec10a9 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -39,9 +39,11 @@ include:
 {% for group in user.get('groups', []) %}
 users_{{ name }}_{{ group }}_group:
- group:
+ group.present:
 - name: {{ group }}
- - present
+ {% if group == 'sudo' %}
+ - system: True
+ {% endif %}
 {% endfor %}
 users_{{ name }}_user:
diff --git a/users/sudo.sls b/users/sudo.sls
index 2953ad2..092d004 100644
--- a/users/sudo.sls
+++ b/users/sudo.sls
@@ -6,16 +6,10 @@ users_bash-package:
 pkg.installed:
 - name: {{ users.bash_package }}
-users_sudo-group:
- group.present:
- - name: sudo
- - system: True
-
 users_sudo-package:
 pkg.installed:
 - name: {{ users.sudo_package }}
 - require:
- - group: users_sudo-group
 - file: {{ users.sudoers_dir }}
 users_{{ users.sudoers_dir }}:
From 3760fea1f5b1cb4b2499bb31d91ece82ce43bf26 Mon Sep 17 00:00:00 2001
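Review bot: The added `{% if group == 'sudo' %}` test in users/init.sls hard-codes a single group name, so only a group literally called `sudo` is created with `system: True`, although the commit message itself notes that the admin group on FreeBSD is `wheel`. Any other privileged group named in a user's `groups` list would be created by this loop as an ordinary, non-system group if it does not exist yet. Since sudoers rules are usually keyed on group membership, the assumption deserves a comment above the condition, for example `{# only 'sudo' is created as a system group; other admin groups (e.g. wheel) are expected to exist already #}`. The `users_{{ name }}_user` state that consumes these groups continues outside the hunk.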
From: root
Date: Wed, 18 Nov 2015 16:13:55 +0100
Subject: [PATCH 2/3] Mitigate Salt issue #29004, fixes "expire" on *BSD Unreasonable values for 'expire' (after 9999-12-31 on Linux, before 1975-01-01 on *BSD) get divided by 86400 (number of seconds in a day) when too big or multiplied by 86400 when too small. Tested on CentOS 6 (Salt 2015.5.5) and FreeBSD 10.2 (Salt 2015.8.0) with following values: - 24854 (2038-01-18 in days since epoch) - 157766400 (1975-01-01 00:00:00 UTC in seconds since epoch) - 3313526400 (2075-01-01 00:00:00 UTC in seconds since epoch) - 16000 (2013-10-22 in days since epoch) - 18000 (2019-04-14 in days since epoch) (Sponsored by av.tu-berlin.de and fokus.fraunhofer.de)
---
 users/init.sls | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/users/init.sls b/users/init.sls
index 91c945e..d0bad39 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -113,7 +113,17 @@ users_{{ name }}_user:
 - createhome: False
 {% endif %}
 {% if 'expire' in user -%}
+ {% if grains['kernel'].endswith('BSD') and
+ user['expire'] < 157766400 %}
+ {# 157762800s since epoch equals 01 Jan 1975 00:00:00 UTC #}
+ - expire: {{ user['expire'] * 86400 }}
+ {% elif grains['kernel'] == 'Linux' and
+ user['expire'] > 84006 %}
+ {# 2932896 days since epoch equals 9999-12-31 #}
+ - expire: {{ (user['expire'] / 86400) | int}}
+ {% else %}
 - expire: {{ user['expire'] }}
+ {% endif %}
 {% endif -%}
 - remove_groups: {{ user.get('remove_groups', 'False') }}
 - groups:
From 90021bf848de1d34c1f77af01a5b7de60a82f0a9 Mon Sep 17 00:00:00 2001
From: Leif Ringstad
Date: Tue, 15 Dec 2015 21:21:00 +0100
Subject: [PATCH 3/3] Use the primary group for the user when creating authorized_keys If a primary group is set on the user, and a authorized_keys is provied in ssh_auth_file, the formula fails. This solves that by using the user_group set earlier in the formula
---
 users/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
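Review bot: The two Jinja comments in the added `expire` branch do not match the constants beside them. The BSD comment quotes `157762800` while the test uses `157766400` (the value the commit message gives for 1975-01-01 00:00:00 UTC), and the Linux comment describes 2932896 days (9999-12-31) while the test is `user['expire'] > 84006`, which works out to 2200-01-01 in days since epoch. Because these thresholds decide when an account stops being usable, they should be documented exactly, e.g. `{# 157766400 s since epoch is 1975-01-01 00:00:00 UTC; smaller values are treated as days #}` and `{# 84006 days since epoch is 2200-01-01; larger values are treated as seconds #}`. The comparisons also assume `user['expire']` is numeric; a quoted pillar value would presumably not compare as intended, so the expected type is worth stating too. The `users_{{ name }}_user` state continues outside the hunk.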
diff --git a/users/init.sls b/users/init.sls
index d0bad39..a2270f2 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -195,7 +195,7 @@ users_authorized_keys_{{ name }}:
 file.managed:
 - name: {{ home }}/.ssh/authorized_keys
 - user: {{ name }}
- - group: {{ name }}
+ - group: {{ user_group }}
 - mode: 600
 {% if 'ssh_auth_file' in user %}
 - contents: |
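Review bot: `user_group` on the new `- group: {{ user_group }}` line is defined outside this hunk, so it cannot be confirmed from here that it always resolves to an existing group, for instance when a user has no primary group configured. The other per-user file states (the `.ssh` directory and any key files) are not visible either; if they still use `group: {{ name }}` they would presumably fail in the same situation and should be switched in the same commit. A short comment such as `{# user_group: the user's primary group as resolved earlier in this file #}` above the line would record the dependency. The `users_authorized_keys_{{ name }}` state continues past the end of the hunk.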