+2008-09-06 Nicolas François <nicolas.francois@centraliens.net>
+
+ * configure.in: Added option --enable-account-tools-setuid to
+ enable/disable the usage of PAM to authenticate the callers of
+ account management tools: chage, chgpasswd, chpasswd, groupadd,
+ groupdel, groupmod, useradd, userdel, usermod.
+ * src/Makefile.am: Do not link the above tools with libpam if
+ account-tools-setuid is disabled.
+ * src/userdel.c, src/newusers.c, src/chpasswd.c, src/usermod.c,
+ src/groupdel.c, src/chgpasswd.c, src/useradd.c, src/groupmod.c,
+ src/groupadd.c, src/chage.c: Implement ACCT_TOOLS_SETUID
+ (--enable-account-tools-setuid).
+ * etc/pam.d/Makefile.am: Install the pam service file for the
+ above tools only when needed.
+
2008-09-06 Nicolas François <nicolas.francois@centraliens.net>
* libmisc/tz.c: tz() is only used when USE_PAM is not defined.
src/chsh.c: Simplify the PAM error handling. Do not keep the pamh
handle, but terminate the PAM transaction as soon as possible if
there are no PAM session opened.
+ * src/useradd.c, src/userdel.c, src/usermod.c: It is no more
+ needed to initialize retval to PAM_SUCCESS.
2008-09-06 Nicolas François <nicolas.francois@centraliens.net>
[enable_man=no]
)
+AC_ARG_ENABLE(account-tools-setuid,
+ [AC_HELP_STRING([--enable-account-tools-setuid],
+ [Install the user and group management tools setuid and authenticate the callers. This requires --with-pam.])],
+ [case "${enableval}" in
+ yes) enable_acct_tools_setuid="yes" ;;
+ no) enable_acct_tools_setuid="no" ;;
+ *) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
+ ;;
+ esac],
+ [enable_acct_tools_setuid="yes"]
+)
+
AC_ARG_WITH(audit,
[AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
[with_audit=$withval], [with_audit=maybe])
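Review bot: The default `enable_acct_tools_setuid="yes"` at the bottom of this AC_ARG_ENABLE, combined with the hard AC_MSG_ERROR in the `if test "$enable_acct_tools_setuid" = "yes"` block added further down, means a plain `./configure --without-pam` now fails unless the user also passes `--disable-account-tools-setuid`. The `with_audit=maybe` default right below shows the pattern this option wants: an unrequested value that degrades to "no" when PAM is absent, with an error only when the user asked for it explicitly. The rewrite below keeps the error for an explicit request, lets the non-PAM build configure cleanly, and leaves the AM_CONDITIONAL and the summary line that print the resolved value untouched. Whether USE_PAM is derived from the same with_libpam test is not visible in this diff, so the check keys on with_libpam exactly as the committed code does.
```m4
	[enable_acct_tools_setuid="maybe"]
)
dnl … unchanged: AC_ARG_WITH(audit, …) and the PAM detection …
if test "$enable_acct_tools_setuid" != "no"; then
	if test "$with_libpam" = "yes"; then
		enable_acct_tools_setuid="yes"
	else
		if test "$enable_acct_tools_setuid" = "yes"; then
			AC_MSG_ERROR(PAM support is required for --enable-account-tools-setuid)
		fi
		enable_acct_tools_setuid="no"
	fi
fi
if test "$enable_acct_tools_setuid" = "yes"; then
	AC_DEFINE(ACCT_TOOLS_SETUID,
	          1,
	          [Define if account management tools should be installed setuid and authenticate the callers])
fi
dnl … unchanged: AM_CONDITIONAL(ACCT_TOOLS_SETUID, …) …
```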
AC_MSG_RESULT(yes)
fi
+if test "$enable_acct_tools_setuid" = "yes"; then
+ if test "$with_libpam" != "yes"; then
+ AC_MSG_ERROR(PAM support is required for --enable-account-tools-setuid)
+ fi
+ AC_DEFINE(ACCT_TOOLS_SETUID,
+ 1,
+ [Define if account management tools should be installed setuid and authenticate the callers])
+fi
+AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes")
+
AC_SUBST(LIBSKEY)
AC_SUBST(LIBMD)
if test "$with_skey" = "yes"; then
echo " auditing support: $with_audit"
echo " CrackLib support: $with_libcrack"
echo " PAM support: $with_libpam"
+if test "$with_libpam" = "yes"; then
+echo " suid account management tools: $enable_acct_tools_setuid"
+fi
echo " SELinux support: $with_selinux"
echo " shadow group support: $enable_shadowgrp"
echo " S/Key support: $with_skey"
# and also cooperate to make a distribution for `make dist'
pamd_files = \
- chage \
chfn \
+ chsh \
+ groupmems \
+ login \
+ passwd \
+ su
+
+if ACCT_TOOLS_SETUID
+pamd_files += \
+ chage \
chgpasswd \
chpasswd \
- chsh \
groupadd \
groupdel \
- groupmems \
groupmod \
- login \
newusers \
- passwd \
- su \
useradd \
userdel \
usermod
+endif
if USE_PAM
pamddir = $(sysconfdir)/pam.d
suidbins = su
suidubins = chage chfn chsh expiry gpasswd newgrp passwd
+if ACCT_TOOLS_SETUID
+ suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
+endif
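Review bot: `chage` is already in the unconditional `suidubins` list on the line above, so the `+=` under ACCT_TOOLS_SETUID lists it twice, and chage is installed setuid root even when the option is off — in which case the LDADD change further down links it without libpam and etc/pam.d/Makefile.am no longer installs its service file. The smaller fix is to drop it from the added line, `suidubins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod`, since chage keeps its own non-root restriction in check_perms (visible in the chage.c hunk) and was setuid before this commit; the alternative of moving it out of the base list would make the option actually govern its setuid bit, which is a behaviour change worth stating in the ChangeLog. Whether a duplicated name in suidubins is harmless to the install hook that consumes it cannot be told from this hunk.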
LDADD = $(INTLLIBS) \
$(top_builddir)/libmisc/libmisc.a \
$(top_builddir)/lib/libshadow.la
AM_CPPFLAGS = -DLOCALEDIR=\"$(datadir)/locale\"
-chage_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
+if ACCT_TOOLS_SETUID
+LIBPAM_SUID = $(LIBPAM)
+else
+LIBPAM_SUID =
+endif
+
+chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) $(LIBSKEY) $(LIBMD)
-chgpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) $(LIBSKEY) $(LIBMD)
-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+chpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
-groupadd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
-groupdel_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
+groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX)
-groupmod_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
+groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
grpck_LDADD = $(LDADD) $(LIBSELINUX)
grpconv_LDADD = $(LDADD) $(LIBSELINUX)
grpunconv_LDADD = $(LDADD) $(LIBSELINUX)
login_nopam.c
login_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT) $(LIBSKEY) $(LIBMD)
newgrp_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT)
-newusers_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+newusers_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
nologin_LDADD =
passwd_LDADD = $(LDADD) $(LIBPAM) $(LIBCRACK) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
pwck_LDADD = $(LDADD) $(LIBSELINUX)
suauth.c
su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT) $(LIBSKEY) $(LIBMD)
sulogin_LDADD = $(LDADD) $(LIBCRYPT)
-useradd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
-userdel_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
-usermod_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
+useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
vipw_LDADD = $(LDADD) $(LIBSELINUX)
install-am: all-am
#include <stdlib.h>
#include <sys/types.h>
#include <time.h>
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#include <pwd.h>
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
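Review bot: The inner `#ifdef USE_PAM` kept under the new `#ifdef ACCT_TOOLS_SETUID` looks redundant if, as the configure.in hunk in this commit suggests, ACCT_TOOLS_SETUID is only ever defined when PAM support is present (configure refuses the option otherwise); whether USE_PAM comes from the same with_libpam test is not visible here. The same two-level guard is repeated around the include and around the PAM code in check_perms/main in every other src/*.c hunk of this diff (the ChangeLog lists chgpasswd, chpasswd, groupadd, groupdel, groupmod, newusers, useradd, userdel, usermod). If the nesting is deliberate belt-and-braces, a one-line comment on the outer guard would stop the next reader from collapsing it the wrong way, e.g. `/* ACCT_TOOLS_SETUID implies USE_PAM: configure rejects the option without PAM */`; otherwise a single guard per site would halve the preprocessor noise in ten files.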
*/
static void check_perms (void)
{
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
struct passwd *pampw;
int retval;
-#endif
+#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
/*
* An unprivileged user can ask for their own aging information, but
fail_exit (E_NOPERM);
}
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
if (NULL == pampw) {
fail_exit (E_NOPERM);
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
}
/*
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#include "defines.h"
#include "exitcodes.h"
#include "nscd.h"
*/
static void check_perms (void)
{
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
int retval;
exit (1);
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
}
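Review bot: With ACCT_TOOLS_SETUID disabled, everything this hunk shows of check_perms sits inside the guard, so the function compiles to a no-op and the tool performs no caller check at all — it then relies solely on not being installed setuid (the src/Makefile.am hunk) and on the permissions of the files it rewrites; that trust model deserves a comment at the outer `#ifdef`, e.g. `/* Without ACCT_TOOLS_SETUID the tool is not setuid: only root reaches here, so no caller authentication is done */`, unless a non-PAM branch exists in the lines the hunk omits. The same applies to the check_perms and main() hunks of the other tools in this diff. Note also that the `pamh`/`retval` declarations are now conditional on ACCT_TOOLS_SETUID, so any remaining `#ifdef USE_PAM` cleanup site (pam_end on an error path, say) that was not given the same outer guard would fail to compile in a `--with-pam --disable-account-tools-setuid` build; those sites are outside this diff, so this is only a thing to confirm. check_perms's body continues outside the hunk.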
/*
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#include "defines.h"
#include "exitcodes.h"
#include "nscd.h"
*/
static void check_perms (void)
{
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
int retval;
exit (1);
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
}
/*
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
#include <pwd.h>
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#include "chkname.h"
#include "defines.h"
#include "getdef.h"
*/
static void check_perms (void)
{
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
int retval;
exit (1);
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
}
/*
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#include <stdio.h>
#include <sys/types.h>
#include "defines.h"
int main (int argc, char **argv)
{
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
int retval;
-#endif
+#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#ifdef WITH_AUDIT
audit_help_open ();
OPENLOG ("groupdel");
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
{
struct passwd *pampw;
exit (1);
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#ifdef SHADOWGRP
is_shadow_grp = sgr_file_present ();
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
#include <pwd.h>
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#include "chkname.h"
#include "defines.h"
#include "groupio.h"
*/
int main (int argc, char **argv)
{
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
int retval;
-#endif
+#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#ifdef WITH_AUDIT
audit_help_open ();
OPENLOG ("groupmod");
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
{
struct passwd *pampw;
fail_exit (1);
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#ifdef SHADOWGRP
is_shadow_grp = sgr_file_present ();
#include <fcntl.h>
#include <getopt.h>
#include <ctype.h>
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#include "prototypes.h"
#include "defines.h"
#include "getdef.h"
*/
static void check_perms (void)
{
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
int retval;
fail_exit (1);
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
}
/*
#include <grp.h>
#include <lastlog.h>
#include <pwd.h>
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
*/
int main (int argc, char **argv)
{
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
int retval;
-#endif
+#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#ifdef WITH_AUDIT
audit_help_open ();
process_flags (argc, argv);
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
- retval = PAM_SUCCESS;
-
{
struct passwd *pampw;
pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
fail_exit (1);
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
/*
* See if we are messing with the defaults file, or creating
#include <stdio.h>
#include <sys/stat.h>
#include <sys/stat.h>
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#include "defines.h"
#include "getdef.h"
#include "groupio.h"
{
int errors = 0; /* Error in the removal of the home directory */
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
int retval;
-#endif
+#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#ifdef WITH_AUDIT
audit_help_open ();
OPENLOG ("userdel");
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
- retval = PAM_SUCCESS;
-
{
struct passwd *pampw;
pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
exit (E_PW_UPDATE);
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
is_shadow_pwd = spw_file_present ();
#ifdef SHADOWGRP
#include <grp.h>
#include <lastlog.h>
#include <pwd.h>
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
*/
int main (int argc, char **argv)
{
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
int retval;
-#endif
+#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
#ifdef WITH_AUDIT
audit_help_open ();
process_flags (argc, argv);
+#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
- retval = PAM_SUCCESS;
-
{
struct passwd *pampw;
pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
exit (1);
}
#endif /* USE_PAM */
+#endif /* ACCT_TOOLS_SETUID */
/*
* Do the hard stuff - open the files, change the user entries,