--- modules/pam_unix/pam_unix_acct.c +++ modules/pam_unix/pam_unix_acct.c 2013/09/12 07:19:05 @@ -121,7 +121,12 @@ if (geteuid() == 0) { /* must set the real uid to 0 so the helper will not error out if pam is called from setuid binary (su, sudo...) */ - setuid(0); + if (setuid(0) == -1) { + pam_syslog(pamh, LOG_ERR, "setuid failed: %m"); + printf("-1\n"); + fflush(stdout); + _exit(PAM_AUTHINFO_UNAVAIL); + } } /* exec binary helper */ --- modules/pam_unix/pam_unix_passwd.c +++ modules/pam_unix/pam_unix_passwd.c 2013/09/12 07:24:40 @@ -255,7 +255,7 @@ close(fds[0]); /* close here to avoid possible SIGPIPE above */ close(fds[1]); /* wait for helper to complete: */ - while ((rc=waitpid(child, &retval, 0) < 0 && errno == EINTR); + while ((rc=waitpid(child, &retval, 0) < 0) && errno == EINTR); if (rc<0) { pam_syslog(pamh, LOG_ERR, "unix_update waitpid failed: %m"); retval = PAM_AUTHTOK_ERR; --- modules/pam_unix/support.c +++ modules/pam_unix/support.c 2013/09/12 07:20:51 @@ -586,7 +586,10 @@ if (geteuid() == 0) { /* must set the real uid to 0 so the helper will not error out if pam is called from setuid binary (su, sudo...) */ - setuid(0); + if (setuid(0) == -1) { + D(("setuid failed")); + _exit(PAM_AUTHINFO_UNAVAIL); + } } /* exec binary helper */
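Review bot: The `printf("-1\n")` on the new setuid-failure path in pam_unix_acct.c has no comment saying who consumes it, so it reads like stray output in an error branch. Presumably stdout in this child is the pipe the parent reads the helper's result from (that setup is outside the hunk); if so, a comment such as `/* report failure to the parent on the result pipe before exiting */` above it would make the intent clear. Failing closed with `_exit(PAM_AUTHINFO_UNAVAIL)` instead of going on to exec the helper with the real uid unchanged is the right behaviour. The enclosing function starts and ends outside the hunk.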
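Review bot: In pam_unix_passwd.c the new loop `while ((rc=waitpid(child, &retval, 0) < 0) && errno == EINTR);` stores the result of the comparison in `rc`, not waitpid's return value, because `<` binds tighter than `=`. `rc` is therefore only ever 0 or 1, so the `if (rc<0)` check on the following line can never fire, and a failed waitpid() is neither logged nor mapped to `retval = PAM_AUTHTOK_ERR`. Whatever the code after the hunk does with `retval` would then run on a status that waitpid never filled in. The closing parenthesis belongs directly after the call: `while ((rc = waitpid(child, &retval, 0)) < 0 && errno == EINTR);`. The enclosing function continues outside the hunk.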
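Review bot: The setuid-failure branch added in support.c reports the error only through `D(("setuid failed"))`, which is Linux-PAM's debug trace macro and emits nothing in a normal build. In production the child would exit with PAM_AUTHINFO_UNAVAIL and leave no record of why authentication became unavailable. The same check in pam_unix_acct.c in this patch logs through syslog, and this one should match it, e.g. `pam_syslog(pamh, LOG_ERR, "setuid failed: %m");`. That assumes `pamh` is in scope here as it is in the other file; the function signature is outside the hunk.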