Index: cups/globals.c
===================================================================
--- cups/globals.c	(revision 8973)
+++ cups/globals.c	(working copy)
@@ -38,20 +38,44 @@
 static void
 cups_env_init(_cups_globals_t *g)	/* I - Global data */
 {
-  if ((g->cups_datadir = getenv("CUPS_DATADIR")) == NULL)
-    g->cups_datadir = CUPS_DATADIR;
+#ifdef HAVE_GETEUID
+  if ((geteuid() != getuid() && getuid()) || getegid() != getgid())
+#else
+  if (!getuid())
+#endif /* HAVE_GETEUID */
+  {
+   /*
+    * When running setuid/setgid, don't allow environment variables to override
+    * the directories...
+    */
 
-  if ((g->cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
-    g->cups_serverbin = CUPS_SERVERBIN;
-
-  if ((g->cups_serverroot = getenv("CUPS_SERVERROOT")) == NULL)
+    g->cups_datadir    = CUPS_DATADIR;
+    g->cups_serverbin  = CUPS_SERVERBIN;
     g->cups_serverroot = CUPS_SERVERROOT;
+    g->cups_statedir   = CUPS_STATEDIR;
+    g->localedir       = CUPS_LOCALEDIR;
+  }
+  else
+  {
+   /*
+    * Allow directories to be overridden by environment variables.
+    */
 
-  if ((g->cups_statedir = getenv("CUPS_STATEDIR")) == NULL)
-    g->cups_statedir = CUPS_STATEDIR;
+    if ((g->cups_datadir = getenv("CUPS_DATADIR")) == NULL)
+      g->cups_datadir = CUPS_DATADIR;
 
-  if ((g->localedir = getenv("LOCALEDIR")) == NULL)
-    g->localedir = CUPS_LOCALEDIR;
+    if ((g->cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL)
+      g->cups_serverbin = CUPS_SERVERBIN;
+
+    if ((g->cups_serverroot = getenv("CUPS_SERVERROOT")) == NULL)
+      g->cups_serverroot = CUPS_SERVERROOT;
+
+    if ((g->cups_statedir = getenv("CUPS_STATEDIR")) == NULL)
+      g->cups_statedir = CUPS_STATEDIR;
+
+    if ((g->localedir = getenv("LOCALEDIR")) == NULL)
+      g->localedir = CUPS_LOCALEDIR;
+  }
 }
 
 
Index: systemv/lppasswd.c
===================================================================
--- systemv/lppasswd.c	(revision 8973)
+++ systemv/lppasswd.c	(working copy)
@@ -31,9 +31,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 
-#include <cups/string.h>
-#include <cups/cups.h>
-#include <cups/i18n.h>
+#include <cups/globals.h>
 #include <cups/md5.h>
 
 #ifndef WIN32
@@ -79,7 +77,6 @@
 		groupline[17],		/* Group from line */
 		md5line[33],		/* MD5-sum from line */
 		md5new[33];		/* New MD5 sum */
-  const char	*root;			/* CUPS server root directory */
   char		passwdmd5[1024],	/* passwd.md5 file */
 		passwdold[1024],	/* passwd.old file */
 		passwdnew[1024];	/* passwd.tmp file */
@@ -88,6 +85,7 @@
   int		flag;			/* Password check flags... */
   int		fd;			/* Password file descriptor */
   int		error;			/* Write error */
+  _cups_globals_t *cg = _cupsGlobals();	/* Global data */
 #if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET)
   struct sigaction action;		/* Signal action */
 #endif /* HAVE_SIGACTION && !HAVE_SIGSET*/
@@ -113,19 +111,12 @@
 
  /*
   * Find the server directory...
-  *
-  * We use the CUPS_SERVERROOT environment variable when we are running
-  * as root or when lppasswd is not setuid...
   */
 
-  if ((root = getenv("CUPS_SERVERROOT")) == NULL ||
-      (getuid() != geteuid() && getuid()))
-    root = CUPS_SERVERROOT;
+  snprintf(passwdmd5, sizeof(passwdmd5), "%s/passwd.md5", cg->cups_serverroot);
+  snprintf(passwdold, sizeof(passwdold), "%s/passwd.old", cg->cups_serverroot);
+  snprintf(passwdnew, sizeof(passwdnew), "%s/passwd.new", cg->cups_serverroot);
 
-  snprintf(passwdmd5, sizeof(passwdmd5), "%s/passwd.md5", root);
-  snprintf(passwdold, sizeof(passwdold), "%s/passwd.old", root);
-  snprintf(passwdnew, sizeof(passwdnew), "%s/passwd.new", root);
-
  /*
   * Find the default system group...
   */