From: Hadi Chokr Date: Tue, 27 Jan 2026 14:35:42 +0000 (+0100) Subject: src/: Disable and remove account-tools-setuid conditionals X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed61576cbafd7811c3991864761753b0b4b0f204;p=thirdparty%2Fshadow.git src/: Disable and remove account-tools-setuid conditionals Signed-off-by: Hadi Chokr Reviewed-by: Alejandro Colomar --- diff --git a/src/Makefile.am b/src/Makefile.am index c387ef8a4..de78dde78 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -69,9 +69,6 @@ endif if !WITH_TCB suidubins += passwd endif -if ACCT_TOOLS_SETUID -suidusbins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod -endif if ENABLE_SUBIDS if !FCAPS suidubins += newgidmap newuidmap @@ -86,12 +83,6 @@ LDADD = $(INTLLIBS) \ $(top_builddir)/lib/libshadow.la \ $(LIBTCB) -if ACCT_TOOLS_SETUID -LIBPAM_SUID = $(LIBPAM) -else -LIBPAM_SUID = -endif - if USE_PAM LIBCRYPT_NOPAM = else 
@@ -102,15 +93,15 @@ chage_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF) -chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) +chgpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF) chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) -ldl expiry_LDADD = $(LDADD) $(LIBECONF) gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) $(LIBECONF) -groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl -groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl +groupadd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl +groupdel_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl +groupmod_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl grpck_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) grpconv_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) grpunconv_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) 
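Review bot: Nothing in Makefile.am records why chgpasswd, groupadd, groupdel and groupmod (and useradd, userdel and usermod in the following Makefile hunk) now link without libpam, while chpasswd and groupmems on the neighbouring lines keep `$(LIBPAM)`. With `LIBPAM_SUID` gone and the `pam_authenticate` blocks removed in the C hunks of this patch, these tools no longer authenticate their caller, so access control rests entirely on the binaries not being setuid and on the permissions of the account databases. A comment above these lines would make that contract explicit, for example `# Root-only tools: never list in suidusbins; they do not authenticate the caller.` If a setuid bit left over from an older install or set by hand is a concern, `main()` in each tool could also refuse to run when `getuid () != geteuid ()`; no such guard appears in the hunks shown.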
@@ -131,9 +122,9 @@ su_SOURCES = \ suauth.c su_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF) $(LIBSELINUX) sulogin_LDADD = $(LDADD) $(LIBCRYPT) $(LIBECONF) -useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBECONF) -ldl -userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBECONF) -ldl -usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBECONF) -ldl +useradd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBECONF) -ldl +userdel_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBECONF) -ldl +usermod_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBSEMANAGE) $(LIBACL) $(LIBECONF) -ldl vipw_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) install-am: all-am diff --git a/src/chgpasswd.c b/src/chgpasswd.c index 38e9eae17..334d44872 100644 --- a/src/chgpasswd.c +++ b/src/chgpasswd.c @@ -18,11 +18,6 @@ #include #include -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM -#include "pam_defs.h" -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ #include "atoi/a2i.h" #include "defines.h" #include "nscd.h" @@ -80,7 +75,6 @@ NORETURN static void fail_exit (int code, bool process_selinux); NORETURN static void usage (int status); static void process_flags (int argc, char **argv, struct option_flags *flags); static void check_flags (void); -static void check_perms (void); static void open_files (bool process_selinux); static void close_files(const struct option_flags *flags); 
@@ -292,56 +286,6 @@ static void check_flags (void) } } -/* - * check_perms - check if the caller is allowed to add a group - * - * With PAM support, the setuid bit can be set on chgpasswd to allow - * non-root users to groups. - * Without PAM support, only users who can write in the group databases - * can add groups. - * - * It will not return if the user is not allowed. - */ -static void check_perms (void) -{ -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM - pam_handle_t *pamh = NULL; - int retval; - struct passwd *pampw; - - pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ - if (NULL == pampw) { - fprintf (stderr, - _("%s: Cannot determine your user name.\n"), - Prog); - exit (1); - } - - retval = pam_start (Prog, pampw->pw_name, &conv, &pamh); - - if (PAM_SUCCESS == retval) { - retval = pam_authenticate (pamh, 0); - } - - if (PAM_SUCCESS == retval) { - retval = pam_acct_mgmt (pamh, 0); - } - - if (PAM_SUCCESS != retval) { - fprintf (stderr, _("%s: PAM: %s\n"), - Prog, pam_strerror (pamh, retval)); - SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval))); - if (NULL != pamh) { - (void) pam_end (pamh, retval); - } - exit (1); - } - (void) pam_end (pamh, retval); -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ -} - /* * open_files - lock and open the group databases */ @@ -463,8 +407,6 @@ int main (int argc, char **argv) OPENLOG (Prog); - check_perms (); - #ifdef SHADOWGRP is_shadow_grp = sgr_file_present (); #endif diff --git a/src/chpasswd.c b/src/chpasswd.c index 131e4a09a..0339ecf94 100644 --- a/src/chpasswd.c +++ b/src/chpasswd.c @@ -79,7 +79,6 @@ NORETURN static void fail_exit (int code, bool process_selinux); NORETURN static void usage (int status); static void process_flags (int argc, char **argv, struct option_flags *flags); static void check_flags (void); -static void check_perms (void); static void open_files(const struct option_flags *flags); static void close_files(const struct option_flags *flags); 
@@ -288,60 +287,6 @@ static void check_flags (void) } } -/* - * check_perms - check if the caller is allowed to add a group - * - * With PAM support, the setuid bit can be set on chpasswd to allow - * non-root users to groups. - * Without PAM support, only users who can write in the group databases - * can add groups. - * - * It will not return if the user is not allowed. - */ -static void check_perms (void) -{ -#ifdef USE_PAM -#ifdef ACCT_TOOLS_SETUID - /* If chpasswd uses PAM and is SUID, check the permissions, - * otherwise, the permissions are enforced by the access to the - * passwd and shadow files. - */ - pam_handle_t *pamh = NULL; - int retval; - struct passwd *pampw; - - pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ - if (NULL == pampw) { - fprintf (stderr, - _("%s: Cannot determine your user name.\n"), - Prog); - exit (1); - } - - retval = pam_start (Prog, pampw->pw_name, &conv, &pamh); - - if (PAM_SUCCESS == retval) { - retval = pam_authenticate (pamh, 0); - } - - if (PAM_SUCCESS == retval) { - retval = pam_acct_mgmt (pamh, 0); - } - - if (PAM_SUCCESS != retval) { - fprintf (stderr, _("%s: PAM: %s\n"), - Prog, pam_strerror (pamh, retval)); - SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval))); - if (NULL != pamh) { - (void) pam_end (pamh, retval); - } - exit (1); - } - (void) pam_end (pamh, retval); -#endif /* ACCT_TOOLS_SETUID */ -#endif /* USE_PAM */ -} - /* * open_files - lock and open the password databases */ @@ -503,8 +448,6 @@ int main (int argc, char **argv) OPENLOG (Prog); - check_perms (); - #ifdef USE_PAM if (!use_pam) #endif /* USE_PAM */ diff --git a/src/groupadd.c b/src/groupadd.c index fab8111b4..4d84bb678 100644 --- a/src/groupadd.c +++ b/src/groupadd.c @@ -18,12 +18,6 @@ #include #include #include -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM -#include "pam_defs.h" -#include -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ #include "atoi/getnum.h" #include "chkname.h" 
@@ -100,7 +94,6 @@ static void close_files(const struct option_flags *flags); static void open_files(const struct option_flags *flags); static void process_flags (int argc, char **argv, struct option_flags *flags); static void check_flags (void); -static void check_perms (void); /* * usage - display usage message and exit @@ -550,56 +543,6 @@ static void check_flags (void) } } -/* - * check_perms - check if the caller is allowed to add a group - * - * With PAM support, the setuid bit can be set on groupadd to allow - * non-root users to groups. - * Without PAM support, only users who can write in the group databases - * can add groups. - * - * It will not return if the user is not allowed. - */ -static void check_perms (void) -{ -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM - pam_handle_t *pamh = NULL; - int retval; - struct passwd *pampw; - - pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ - if (NULL == pampw) { - fprintf (stderr, - _("%s: Cannot determine your user name.\n"), - Prog); - fail_exit (1); - } - - retval = pam_start (Prog, pampw->pw_name, &conv, &pamh); - - if (PAM_SUCCESS == retval) { - retval = pam_authenticate (pamh, 0); - } - - if (PAM_SUCCESS == retval) { - retval = pam_acct_mgmt (pamh, 0); - } - - if (PAM_SUCCESS != retval) { - fprintf (stderr, _("%s: PAM: %s\n"), - Prog, pam_strerror (pamh, retval)); - SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval))); - if (NULL != pamh) { - (void) pam_end (pamh, retval); - } - fail_exit (1); - } - (void) pam_end (pamh, retval); -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ -} - /* * main - groupadd command */ @@ -634,8 +577,6 @@ int main (int argc, char **argv) */ process_flags (argc, argv, &flags); - check_perms (); - if (run_parts ("/etc/shadow-maint/groupadd-pre.d", group_name, Prog)) { exit(1); diff --git a/src/groupdel.c b/src/groupdel.c index 5b4bb8d1f..47a080d5e 100644 --- a/src/groupdel.c +++ b/src/groupdel.c 
@@ -15,11 +15,6 @@ #include #include #include -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM -#include "pam_defs.h" -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ #include #include #include @@ -362,12 +357,6 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) int main (int argc, char **argv) { -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM - pam_handle_t *pamh = NULL; - int retval; -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ struct option_flags flags = {.chroot = false, .prefix = false}; log_set_progname(Prog); @@ -394,41 +383,6 @@ int main (int argc, char **argv) process_flags (argc, argv, &flags); -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM - { - struct passwd *pampw; - pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ - if (pampw == NULL) { - fprintf (stderr, - _("%s: Cannot determine your user name.\n"), - Prog); - fail_exit (1); - } - - retval = pam_start (Prog, pampw->pw_name, &conv, &pamh); - } - - if (PAM_SUCCESS == retval) { - retval = pam_authenticate (pamh, 0); - } - - if (PAM_SUCCESS == retval) { - retval = pam_acct_mgmt (pamh, 0); - } - - if (PAM_SUCCESS != retval) { - fprintf (stderr, _("%s: PAM: %s\n"), - Prog, pam_strerror (pamh, retval)); - SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval))); - if (NULL != pamh) { - (void) pam_end (pamh, retval); - } - fail_exit (1); - } - (void) pam_end (pamh, retval); -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ #ifdef SHADOWGRP is_shadow_grp = sgr_file_present (); diff --git a/src/groupmod.c b/src/groupmod.c index c29f90508..ce265c8e4 100644 --- a/src/groupmod.c +++ b/src/groupmod.c @@ -20,12 +20,6 @@ #include #include #include -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM -#include "pam_defs.h" -#include -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ #include "alloc/malloc.h" #include "atoi/getnum.h" 
@@ -783,12 +777,6 @@ void update_primary_groups (gid_t ogid, gid_t ngid) */ int main (int argc, char **argv) { -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM - pam_handle_t *pamh = NULL; - int retval; -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ struct option_flags flags = {.chroot = false, .prefix = false}; log_set_progname(Prog); @@ -815,42 +803,6 @@ int main (int argc, char **argv) process_flags (argc, argv, &flags); -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM - { - struct passwd *pampw; - pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ - if (NULL == pampw) { - fprintf (stderr, - _("%s: Cannot determine your user name.\n"), - Prog); - exit (E_PAM_USERNAME); - } - - retval = pam_start (Prog, pampw->pw_name, &conv, &pamh); - } - - if (PAM_SUCCESS == retval) { - retval = pam_authenticate (pamh, 0); - } - - if (PAM_SUCCESS == retval) { - retval = pam_acct_mgmt (pamh, 0); - } - - if (PAM_SUCCESS != retval) { - fprintf (stderr, _("%s: PAM: %s\n"), - Prog, pam_strerror (pamh, retval)); - SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval))); - if (NULL != pamh) { - (void) pam_end (pamh, retval); - } - exit (E_PAM_ERROR); - } - (void) pam_end (pamh, retval); -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ - #ifdef SHADOWGRP is_shadow_grp = sgr_file_present (); #endif diff --git a/src/newusers.c b/src/newusers.c index e9353fdc0..952fa4172 100644 --- a/src/newusers.c +++ b/src/newusers.c @@ -36,11 +36,6 @@ #include "atoi/a2i.h" #include "atoi/getnum.h" #include "attr.h" -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM -#include "pam_defs.h" -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ #include "chkname.h" #include "defines.h" #include "getdef.h" 
@@ -118,7 +113,6 @@ static int update_passwd (struct passwd *, const char *); static int add_passwd (struct passwd *, const char *); static void process_flags (int argc, char **argv, struct option_flags *flags); static void check_flags (void); -static void check_perms(const struct option_flags *flags); static void open_files (bool process_selinux); static void close_files(const struct option_flags *flags); @@ -788,60 +782,6 @@ static void check_flags (void) #endif /* !USE_PAM */ } -/* - * check_perms - check if the caller is allowed to add a group - * - * With PAM support, the setuid bit can be set on groupadd to allow - * non-root users to groups. - * Without PAM support, only users who can write in the group databases - * can add groups. - * - * It will not return if the user is not allowed. - */ -static void -check_perms(MAYBE_UNUSED const struct option_flags *flags) -{ -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM - pam_handle_t *pamh = NULL; - int retval; - struct passwd *pampw; - bool process_selinux; - - process_selinux = !flags->chroot; - - pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ - if (NULL == pampw) { - fprintf (stderr, - _("%s: Cannot determine your user name.\n"), - Prog); - fail_exit (EXIT_FAILURE, process_selinux); - } - - retval = pam_start ("newusers", pampw->pw_name, &conv, &pamh); - - if (PAM_SUCCESS == retval) { - retval = pam_authenticate (pamh, 0); - } - - if (PAM_SUCCESS == retval) { - retval = pam_acct_mgmt (pamh, 0); - } - - if (PAM_SUCCESS != retval) { - fprintf (stderr, _("%s: PAM: %s\n"), - Prog, pam_strerror (pamh, retval)); - SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval))); - if (NULL != pamh) { - (void) pam_end (pamh, retval); - } - fail_exit (EXIT_FAILURE, process_selinux); - } - (void) pam_end (pamh, retval); -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ -} - /* * open_files - lock and open the password, group and shadow databases */ 
@@ -1088,8 +1028,6 @@ int main (int argc, char **argv) process_flags (argc, argv, &flags); process_selinux = !flags.chroot; - check_perms (&flags); - is_shadow = spw_file_present (); #ifdef SHADOWGRP diff --git a/src/useradd.c b/src/useradd.c index 0ff354681..b2fa8f792 100644 --- a/src/useradd.c +++ b/src/useradd.c @@ -23,11 +23,6 @@ #include #include #include -#ifdef ACCT_TOOLS_SETUID -# ifdef USE_PAM -# include "pam_defs.h" -# endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ #include #include #include @@ -2454,13 +2449,6 @@ static void check_uid_range(int rflg, uid_t user_id) */ int main (int argc, char **argv) { -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM - pam_handle_t *pamh = NULL; - int retval; -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ - #ifdef ENABLE_SUBIDS uid_t uid_min; uid_t uid_max; @@ -2524,42 +2512,6 @@ int main (int argc, char **argv) exit(1); } -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM - { - struct passwd *pampw; - pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ - if (pampw == NULL && getuid ()) { - fprintf (stderr, - _("%s: Cannot determine your user name.\n"), - Prog); - fail_exit (1, process_selinux); - } - - retval = pam_start (Prog, pampw?pampw->pw_name:"root", &conv, &pamh); - } - - if (PAM_SUCCESS == retval) { - retval = pam_authenticate (pamh, 0); - } - - if (PAM_SUCCESS == retval) { - retval = pam_acct_mgmt (pamh, 0); - } - - if (PAM_SUCCESS != retval) { - fprintf (stderr, _("%s: PAM: %s\n"), - Prog, pam_strerror (pamh, retval)); - SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval))); - if (NULL != pamh) { - (void) pam_end (pamh, retval); - } - fail_exit (1, process_selinux); - } - (void) pam_end (pamh, retval); -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ - /* * See if we are messing with the defaults file, or creating * a new user. diff --git a/src/userdel.c b/src/userdel.c index f02127643..925092abe 100644 --- a/src/userdel.c +++ b/src/userdel.c 
@@ -20,11 +20,6 @@ #include #include -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM -#include "pam_defs.h" -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ #include "defines.h" #include "getdef.h" #include "groupio.h" @@ -909,12 +904,6 @@ int main (int argc, char **argv) { bool errors = false; /* Error in the removal of the home directory */ -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM - pam_handle_t *pamh = NULL; - int retval; -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ struct option_flags flags = {.chroot = false, .prefix = false}; bool process_selinux; @@ -1001,42 +990,6 @@ int main (int argc, char **argv) usage (E_USAGE); } -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM - { - struct passwd *pampw; - pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ - if (pampw == NULL) { - fprintf (stderr, - _("%s: Cannot determine your user name.\n"), - Prog); - exit (E_PW_UPDATE); - } - - retval = pam_start (Prog, pampw->pw_name, &conv, &pamh); - } - - if (PAM_SUCCESS == retval) { - retval = pam_authenticate (pamh, 0); - } - - if (PAM_SUCCESS == retval) { - retval = pam_acct_mgmt (pamh, 0); - } - - if (PAM_SUCCESS != retval) { - fprintf (stderr, _("%s: PAM: %s\n"), - Prog, pam_strerror (pamh, retval)); - SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval))); - if (NULL != pamh) { - (void) pam_end (pamh, retval); - } - exit (E_PW_UPDATE); - } - (void) pam_end (pamh, retval); -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ - is_shadow_pwd = spw_file_present (); #ifdef SHADOWGRP is_shadow_grp = sgr_file_present (); diff --git a/src/usermod.c b/src/usermod.c index 7cd7a8596..13c9e1b41 100644 --- a/src/usermod.c +++ b/src/usermod.c @@ -21,11 +21,6 @@ #include #endif /* ENABLE_LASTLOG */ #include -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM -#include "pam_defs.h" -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ #include #include #include 
@@ -2172,12 +2167,6 @@ static void move_mailbox (void) */ int main (int argc, char **argv) { -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM - pam_handle_t *pamh = NULL; - int retval; -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ struct option_flags flags = {.chroot = false, .prefix = false}; bool process_selinux; @@ -2226,42 +2215,6 @@ int main (int argc, char **argv) exit (E_USER_BUSY); } -#ifdef ACCT_TOOLS_SETUID -#ifdef USE_PAM - { - struct passwd *pampw; - pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ - if (pampw == NULL) { - fprintf (stderr, - _("%s: Cannot determine your user name.\n"), - Prog); - exit (1); - } - - retval = pam_start (Prog, pampw->pw_name, &conv, &pamh); - } - - if (PAM_SUCCESS == retval) { - retval = pam_authenticate (pamh, 0); - } - - if (PAM_SUCCESS == retval) { - retval = pam_acct_mgmt (pamh, 0); - } - - if (PAM_SUCCESS != retval) { - fprintf (stderr, _("%s: PAM: %s\n"), - Prog, pam_strerror (pamh, retval)); - SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval))); - if (NULL != pamh) { - (void) pam_end (pamh, retval); - } - exit (1); - } - (void) pam_end (pamh, retval); -#endif /* USE_PAM */ -#endif /* ACCT_TOOLS_SETUID */ - #ifdef WITH_TCB if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) { exit (E_PW_UPDATE);