The patch from upstream (shadow-4.0.11.1-SUPATH.patch) sets environ too
early when using PAM, so move it to !USE_PAM.

--- shadow-4.0.14/src/su.c
+++ shadow-4.0.14/src/su.c
@@ -594,11 +594,6 @@
 		addenv ("PATH", cp);
 	}

-#ifndef USE_PAM
-	/* setup the environment for PAM later on, else we run into auth problems */
-	environ = newenvp;	/* make new environment active */
-#endif
-
 	if (getenv ("IFS"))	/* don't export user IFS ... */
 		addenv ("IFS= \t\n", NULL);	/* ... instead, set a safe IFS */
 
@@ -666,6 +664,8 @@
 		exit (1);
 	}
 #else				/* !USE_PAM */
+	environ = newenvp;	/* make new environment active */
+	
 	if (!amroot)		/* no limits if su from root */
 		setup_limits (&pwent);