diff --git a/MANIFEST b/MANIFEST
index 4e115cb10..1bcd47c61 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -618,6 +618,7 @@ plugins/sudoers/canon_path.c
 plugins/sudoers/check.c
 plugins/sudoers/check.h
 plugins/sudoers/check_aliases.c
+plugins/sudoers/check_util.c
 plugins/sudoers/cvtsudoers.c
 plugins/sudoers/cvtsudoers.h
 plugins/sudoers/cvtsudoers_csv.c
diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in
index 347e28907..ab1bfeb17 100644
--- a/plugins/sudoers/Makefile.in
+++ b/plugins/sudoers/Makefile.in
@@ -183,14 +183,15 @@ LIBPARSESUDOERS_OBJS = alias.lo b64_decode.lo canon_path.lo defaults.lo \
 
 LIBPARSESUDOERS_IOBJS = $(LIBPARSESUDOERS_OBJS:.lo=.i) passwd.i
 
-SUDOERS_OBJS = $(AUTH_OBJS) audit.lo boottime.lo check.lo display.lo \
-	       editor.lo env.lo sudoers_hooks.lo env_pattern.lo file.lo \
-	       find_path.lo fmtsudoers.lo gc.lo goodpath.lo group_plugin.lo \
-	       interfaces.lo iolog.lo iolog_path_escapes.lo locale.lo \
-	       log_client.lo logging.lo lookup.lo pivot.lo policy.lo \
-	       prompt.lo serialize_list.lo set_perms.lo starttime.lo \
-	       strlcpy_unesc.lo strvec_join.lo sudo_nss.lo sudoers.lo \
-	       timestamp.lo unesc_str.lo @SUDOERS_OBJS@
+SUDOERS_OBJS = $(AUTH_OBJS) audit.lo boottime.lo check.lo check_util.lo \
+               display.lo editor.lo env.lo sudoers_hooks.lo \
+               env_pattern.lo file.lo find_path.lo fmtsudoers.lo \
+               gc.lo goodpath.lo group_plugin.lo interfaces.lo \
+               iolog.lo iolog_path_escapes.lo locale.lo log_client.lo \
+               logging.lo lookup.lo pivot.lo policy.lo prompt.lo \
+               serialize_list.lo set_perms.lo starttime.lo \
+               strlcpy_unesc.lo strvec_join.lo sudo_nss.lo sudoers.lo \
+               timestamp.lo unesc_str.lo @SUDOERS_OBJS@
 
 SUDOERS_IOBJS = $(SUDOERS_OBJS:.lo=.i)
 
@@ -254,10 +255,10 @@ CHECK_UNESC_OBJS = check_unesc.o strlcpy_unesc.lo strvec_join.lo \
 CHECK_SERIALIZE_LIST_OBJS = check_serialize_list.lo serialize_list.lo \
 			    sudoers_debug.lo
 
-FUZZ_POLICY_OBJS = editor.lo env.lo env_pattern.lo fuzz_policy.o fuzz_stubs.o \
-		   gc.lo iolog_path_escapes.lo locale.lo policy.lo \
-		   serialize_list.lo strlcpy_unesc.lo strvec_join.lo \
-		   sudoers.lo sudoers_hooks.lo
+FUZZ_POLICY_OBJS = editor.lo env.lo env_pattern.lo fuzz_policy.o \
+                   fuzz_stubs.o gc.lo iolog_path_escapes.lo locale.lo \
+                   policy.lo serialize_list.lo strlcpy_unesc.lo \
+                   strvec_join.lo sudoers.lo sudoers_hooks.lo
 
 FUZZ_POLICY_CORPUS = $(srcdir)/regress/corpus/seed/policy/policy.*
 
@@ -1244,6 +1245,30 @@ check_unesc.i: $(srcdir)/regress/unescape/check_unesc.c $(devdir)/def_data.h \
 	$(CC) -E -o $@ $(CPPFLAGS) $<
 check_unesc.plog: check_unesc.i
 	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/unescape/check_unesc.c --i-file $< --output-file $@
+check_util.lo: $(srcdir)/check_util.c $(devdir)/def_data.h \
+               $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+               $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+               $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/check_util.c
+check_util.i: $(srcdir)/check_util.c $(devdir)/def_data.h \
+               $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+               $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+               $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+	$(CC) -E -o $@ $(CPPFLAGS) $<
+check_util.plog: check_util.i
+	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/check_util.c --i-file $< --output-file $@
 cvtsudoers.o: $(srcdir)/cvtsudoers.c $(devdir)/def_data.h $(devdir)/gram.h \
               $(incdir)/compat/getopt.h $(incdir)/compat/stdbool.h \
               $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \
diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
index 7a148021b..521fb05e8 100644
--- a/plugins/sudoers/check.c
+++ b/plugins/sudoers/check.c
@@ -374,28 +374,3 @@ get_authpw(int mode)
 
     debug_return_ptr(pw);
 }
-
-/*
- * Returns true if the specified shell is allowed by /etc/shells, else false.
- */
-bool
-check_user_shell(const struct passwd *pw)
-{
-    const char *shell;
-    debug_decl(check_user_shell, SUDOERS_DEBUG_AUTH);
-
-    if (!def_runas_check_shell)
-	debug_return_bool(true);
-
-    sudo_debug_printf(SUDO_DEBUG_INFO,
-	"%s: checking /etc/shells for %s", __func__, pw->pw_shell);
-
-    setusershell();
-    while ((shell = getusershell()) != NULL) {
-	if (strcmp(shell, pw->pw_shell) == 0)
-	    debug_return_bool(true);
-    }
-    endusershell();
-
-    debug_return_bool(false);
-}
diff --git a/plugins/sudoers/check_util.c b/plugins/sudoers/check_util.c
new file mode 100644
index 000000000..599cddc0a
--- /dev/null
+++ b/plugins/sudoers/check_util.c
@@ -0,0 +1,115 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2019-2020, 2023 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <pwd.h>
+
+#include "sudoers.h"
+
+/*
+ * Returns true if the specified shell is allowed by /etc/shells, else false.
+ */
+bool
+check_user_shell(const struct passwd *pw)
+{
+    const char *shell;
+    debug_decl(check_user_shell, SUDOERS_DEBUG_AUTH);
+
+    if (!def_runas_check_shell)
+	debug_return_bool(true);
+
+    sudo_debug_printf(SUDO_DEBUG_INFO,
+	"%s: checking /etc/shells for %s", __func__, pw->pw_shell);
+
+    setusershell();
+    while ((shell = getusershell()) != NULL) {
+	if (strcmp(shell, pw->pw_shell) == 0)
+	    debug_return_bool(true);
+    }
+    endusershell();
+
+    debug_return_bool(false);
+}
+
+/*
+ * Check whether user_runchroot matches def_runchroot.
+ * Returns true if matched, false if not matched and -1 on error.
+ */
+int
+check_user_runchroot(void)
+{
+    debug_decl(check_user_runchroot, SUDOERS_DEBUG_AUTH);
+
+    if (user_runchroot == NULL)
+	debug_return_bool(true);
+
+    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+	"def_runchroot %s, user_runchroot %s",
+	def_runchroot ? def_runchroot : "none",
+	user_runchroot ? user_runchroot : "none");
+
+    if (def_runchroot == NULL || (strcmp(def_runchroot, "*") != 0 &&
+	    strcmp(def_runchroot, user_runchroot) != 0)) {
+	debug_return_bool(false);
+    }
+    free(def_runchroot);
+    if ((def_runchroot = strdup(user_runchroot)) == NULL) {
+	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+	debug_return_int(-1);
+    }
+    debug_return_bool(true);
+}
+
+/*
+ * Check whether user_runcwd matches def_runcwd.
+ * Returns true if matched, false if not matched and -1 on error.
+ */
+int
+check_user_runcwd(void)
+{
+    debug_decl(check_user_runcwd, SUDOERS_DEBUG_AUTH);
+
+    if (user_runcwd == NULL)
+	debug_return_bool(true);
+
+    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+        "def_runcwd %s, user_runcwd %s",
+        def_runcwd ? def_runcwd : "none",
+        user_runcwd ? user_runcwd : "none");
+
+    if (def_runcwd == NULL || (strcmp(def_runcwd, "*") != 0 &&
+            strcmp(def_runcwd, user_runcwd) != 0)) {
+        debug_return_bool(false);
+    }
+    free(def_runcwd);
+    if ((def_runcwd = strdup(user_runcwd)) == NULL) {
+	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+	debug_return_int(-1);
+    }
+    debug_return_bool(true);
+}
diff --git a/plugins/sudoers/regress/fuzz/fuzz_policy.c b/plugins/sudoers/regress/fuzz/fuzz_policy.c
index 75fc25319..2fad6cbce 100644
--- a/plugins/sudoers/regress/fuzz/fuzz_policy.c
+++ b/plugins/sudoers/regress/fuzz/fuzz_policy.c
@@ -712,6 +712,20 @@ check_user(int validated, int mode)
     return true;
 }
 
+/* STUB */
+int
+check_user_runchroot(void)
+{
+    return true;
+}
+
+/* STUB */
+int
+check_user_runcwd(void)
+{
+    return true;
+}
+
 /* STUB */
 bool
 check_user_shell(const struct passwd *pw)
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index d5fa51328..d158fc861 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -325,67 +325,6 @@ done:
     debug_return_str(iolog_path);
 }
 
-static int
-check_user_runchroot(void)
-{
-    debug_decl(check_user_runchroot, SUDOERS_DEBUG_PLUGIN);
-
-    if (user_runchroot == NULL)
-	debug_return_bool(true);
-
-    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
-	"def_runchroot %s, user_runchroot %s",
-	def_runchroot ? def_runchroot : "none",
-	user_runchroot ? user_runchroot : "none");
-
-    /* If runchroot set in sudoers, it must match user_runchroot (or be '*'). */
-    if (def_runchroot == NULL || (strcmp(def_runchroot, "*") != 0 &&
-	    strcmp(def_runchroot, user_runchroot) != 0)) {
-	log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
-	    N_("user not allowed to change root directory to %s"),
-	    user_runchroot);
-	sudo_warnx(U_("you are not permitted to use the -R option with %s"),
-	    user_cmnd);
-	debug_return_bool(false);
-    }
-    free(def_runchroot);
-    if ((def_runchroot = strdup(user_runchroot)) == NULL) {
-	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
-	debug_return_int(-1);
-    }
-    debug_return_bool(true);
-}
-
-static int
-check_user_runcwd(void)
-{
-    debug_decl(check_user_runcwd, SUDOERS_DEBUG_PLUGIN);
-
-    if (user_runcwd == NULL)
-	debug_return_bool(true);
-
-    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
-	"def_runcwd %s, user_runcwd %s",
-	def_runcwd ? def_runcwd : "none",
-	user_runcwd ? user_runcwd : "none");
-
-    /* If runcwd set in sudoers, it must match user_runcwd (or be '*'). */
-    if (def_runcwd == NULL || (strcmp(def_runcwd, "*") != 0 &&
-	    strcmp(def_runcwd, user_runcwd) != 0)) {
-	log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
-	    N_("user not allowed to change directory to %s"), user_runcwd);
-	sudo_warnx(U_("you are not permitted to use the -D option with %s"),
-	    user_cmnd);
-	debug_return_bool(false);
-    }
-    free(def_runcwd);
-    if ((def_runcwd = strdup(user_runcwd)) == NULL) {
-	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
-	debug_return_int(-1);
-    }
-    debug_return_bool(true);
-}
-
 /*
  * Find the command, perform a sudoers lookup, ask for a password as
  * needed, and perform post-lokup checks.  Logs success/failure.
@@ -522,6 +461,11 @@ sudoers_check_common(int pwflag)
     case true:
 	break;
     case false:
+	log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
+	    N_("user not allowed to change root directory to %s"),
+	    user_runchroot);
+	sudo_warnx(U_("you are not permitted to use the -R option with %s"),
+	    user_cmnd);
 	goto bad;
     default:
 	goto done;
@@ -532,6 +476,11 @@ sudoers_check_common(int pwflag)
     case true:
 	break;
     case false:
+	log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
+	    N_("user not allowed to change directory to %s"), user_runcwd);
+	sudo_warnx(U_("you are not permitted to use the -D option with %s"),
+	    user_cmnd);
+	debug_return_bool(false);
 	goto bad;
     default:
 	goto done;
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index 98af8a3d3..ae60ef2a8 100644
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -296,9 +296,13 @@ int find_path(const char *infile, char **outfile, struct stat *sbp,
 
 /* check.c */
 int check_user(int validate, int mode);
-bool check_user_shell(const struct passwd *pw);
 bool user_is_exempt(void);
 
+/* check_util.c */
+bool check_user_shell(const struct passwd *pw);
+int check_user_runchroot(void);
+int check_user_runcwd(void);
+
 /* prompt.c */
 char *expand_prompt(const char *old_prompt, const char *auth_user);