diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c index d66e30285..f0b539452 100644 --- a/plugins/sudoers/auth/pam.c +++ b/plugins/sudoers/auth/pam.c @@ -242,16 +242,26 @@ done: } int -pam_end_session(sudo_auth *auth) +pam_end_session(struct passwd *pw, sudo_auth *auth) { int status = PAM_SUCCESS; - if (pamh) { #ifndef NO_PAM_SESSION - (void) pam_close_session(pamh, PAM_SILENT); + /* If the user did not have to authenticate there is no pam handle yet. */ + if (pamh == NULL) + pam_init(pw, NULL, NULL); + + /* + * Update PAM_USER to reference the user we are running the command + * as to match the call to pam_open_session(). + */ + (void) pam_set_item(pamh, PAM_USER, pw->pw_name); + + (void) pam_close_session(pamh, PAM_SILENT); #endif + + if (pamh != NULL) status = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT); - } return status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE; } diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c index f82b5cb7f..66d8f46a4 100644 --- a/plugins/sudoers/auth/sudo_auth.c +++ b/plugins/sudoers/auth/sudo_auth.c @@ -274,14 +274,14 @@ int auth_begin_session(struct passwd *pw) return TRUE; } -int auth_end_session(void) +int auth_end_session(struct passwd *pw) { sudo_auth *auth; int status; for (auth = auth_switch; auth->name; auth++) { if (auth->end_session && !IS_DISABLED(auth)) { - status = (auth->end_session)(auth); + status = (auth->end_session)(pw, auth); if (status == AUTH_FATAL) { /* XXX log */ return -1; /* assume error msg already printed */ } diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h index 91124bfea..83ea46398 100644 --- a/plugins/sudoers/auth/sudo_auth.h +++ b/plugins/sudoers/auth/sudo_auth.h 
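Review bot: In pam_end_session the return value of the new `pam_init(pw, NULL, NULL)` call is discarded, so if pam_start() fails inside it pamh is still NULL when `pam_set_item(pamh, PAM_USER, ...)` and `pam_close_session(pamh, PAM_SILENT)` run on the following lines of the `#ifndef NO_PAM_SESSION` section; the later `if (pamh != NULL)` guard only protects pam_end(). Re-checking the handle after the init closes that window without assuming pam_init's return convention: `if (pamh == NULL) pam_init(pw, NULL, NULL);` followed by `if (pamh == NULL) return AUTH_FAILURE;`. Whether pam_init tolerates a NULL auth argument is not visible in this hunk and should be confirmed before relying on it. The sudo_auth.c hunk on this line is plain signature propagation and raises nothing on its own.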
@@ -33,7 +33,7 @@ typedef struct sudo_auth { int (*verify)(struct passwd *pw, char *p, struct sudo_auth *auth); int (*cleanup)(struct passwd *pw, struct sudo_auth *auth); int (*begin_session)(struct passwd *pw, struct sudo_auth *auth); - int (*end_session)(struct sudo_auth *auth); + int (*end_session)(struct passwd *pw, struct sudo_auth *auth); } sudo_auth; /* Values for sudo_auth.flags. */ @@ -62,7 +62,7 @@ int pam_init(struct passwd *pw, char **prompt, sudo_auth *auth); int pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth); int pam_cleanup(struct passwd *pw, sudo_auth *auth); int pam_begin_session(struct passwd *pw, sudo_auth *auth); -int pam_end_session(sudo_auth *auth); +int pam_end_session(struct passwd *pw, sudo_auth *auth); int sia_setup(struct passwd *pw, char **prompt, sudo_auth *auth); int sia_verify(struct passwd *pw, char *prompt, sudo_auth *auth); int sia_cleanup(struct passwd *pw, sudo_auth *auth); diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c index 9f27fe812..d2595dd8d 100644 --- a/plugins/sudoers/sudoers.c +++ b/plugins/sudoers/sudoers.c @@ -254,7 +254,7 @@ sudoers_policy_close(int exit_status, int error_code) /* Close the session we opened in sudoers_policy_init_session(). */ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT)) - (void)auth_end_session(); + (void)auth_end_session(runas_pw); /* Free remaining references to password and group entries. */ pw_delref(sudo_user.pw);
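Review bot: The comment above the changed call in sudoers_policy_close still reads `Close the session we opened in sudoers_policy_init_session()`, but with this commit pam_end_session may also create a PAM handle when none exists and sets PAM_USER to the runas user, so the comment should say why runas_pw is passed: `/* Close the session opened in sudoers_policy_init_session(); pass runas_pw so PAM_USER matches the pam_open_session() call. */`. The -1 that auth_end_session returns on AUTH_FATAL is still dropped by the `(void)` here; that was already the case, but it now also covers a failed PAM initialization at close time. sudoers_policy_close continues outside the hunk, and the two sudo_auth.h hunks are signature-only.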