diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 865dc29..8ec4449 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -121,7 +121,12 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
     if (geteuid() == 0) {
       /* must set the real uid to 0 so the helper will not error
          out if pam is called from setuid binary (su, sudo...) */
-      setuid(0);
+      if (setuid(0) == -1) {
+          pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
+          printf("-1\n");
+          fflush(stdout);
+          _exit(PAM_AUTHINFO_UNAVAIL);
+      }
     }
 
     /* exec binary helper */
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 9bc1cd9..9aae3b0 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -255,7 +255,7 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const
 	close(fds[0]);       /* close here to avoid possible SIGPIPE above */
 	close(fds[1]);
 	/* wait for helper to complete: */
-	while ((rc=waitpid(child, &retval, 0) < 0 && errno == EINTR);
+	while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR);
 	if (rc<0) {
 	  pam_syslog(pamh, LOG_ERR, "unix_update waitpid failed: %m");
 	  retval = PAM_AUTHTOK_ERR;
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index d8f4a6f..19d72e6 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -176,7 +176,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 	  free (val);
 
 	  /* read number of rounds for crypt algo */
-	  if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
+	  if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
 	    val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
 
 	    if (val) {
@@ -586,7 +586,10 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
 	if (geteuid() == 0) {
           /* must set the real uid to 0 so the helper will not error
 	     out if pam is called from setuid binary (su, sudo...) */
-	  setuid(0);
+	  if (setuid(0) == -1) {
+             D(("setuid failed"));
+	     _exit(PAM_AUTHINFO_UNAVAIL);
+          }
 	}
 
 	/* exec binary helper */