I don't think the "end == NULL" check is needed and might? confuse
readers of the code. (But it doesn't break anything, of course.)

Also, the "{}" aren't needed for the if/else, which is just a minor
style nit.

Since you've moved this check up. A good change, I think.
Then you can delete it here.

There could be cases where the gid doesn't actually
exist in the group database or the exports line
was meant to create a different list of group numbers.

The old code just assigned the value, so I think the
new code should do the same as line#3588 did in the old code
for the case where it is numeric.

I'd do this one as cr->cr_uid = name_ul; as well,
for the same reason as the gid one below.
(And maybe get rid of the "end == NULL" and "{}"
for consistency.)

If you do the above change, this needs to be moved
to just after line #3586 (obvious, but thought I'd
mention it).

You need to invert the conditional or interchange
the code blocks for the if/else.
--> This is the "not a number" case

I'd write this as:

groups[cr->cr_ngroups++] = name_ul;

since you've already done the conversion.

To be honest, I've tried to understand why this section is even here because it seems like the cr->cr_uid = pw->pw_uid; on lines 3552 and 3582 can be moved underneath the calls after we do the getpwnam or getpwuid calls on lines 3539 or 3541 respectively?

Or is there a situation where a user doesn't exist in the local password database similar to the scenario you said exists for the groups?

Yes, I think one use of numeric uid/gids is that
they do not exist in the password/group database.
(Maybe the main use?)

Also, this code is very old. The first rendition of
it was written by Herb Hasler when he worked
with me in around 1986. Since then, many have
made changes to it.
--> It may not seem logical, but the semantics

 have been wired into it over the decades
 and it appears creating usernames that start
 with a digit is something only you have done
in all those years.

Ha, thanks for the insight. I will admit, personally, I do not create users starting with digits. However, given the opportunity (as you're probably well-aware) end users will do whatever the system allows them to do 😄

The code from here (line#3564) to line#3566 needs to
be in the "if (names == NULL)" block that
starts at 3564, It is for the case where there is just
a name/number for the user and not the case where
there is a ':' separated list.

Sorry, I didn't spot this on the first review cycle.

Above line#3569 should not be here.
It was set to 1 above and should only
be set to 0 further down, after the
if (names == NULL) block starting
at line#3573.

In case the above is confusing...
delete line# 3569 and move line#3565-3568
to after line#3573 (putting it back the way
it is in the unpatched sources).

The code that needs to be here is what is on the left
(old line#3595 to 3603), but you can replace ole line#3598 with

cr->cr_uid = name_ul;

since you've done the conversion, above.

In other words, put it back to the unpatched version,
except use "name_ul" in old line#3598 instead of atoi(name).

I don't think the "if (name == NULL)" check is
needed here, since the "while" checks that
both "names has a string left in it.
--> strsep_quote() should always return

a non-NULL pointer.

This refers to line#3605->3608.

What was on the left doesn't make sense anymore because pw can't be NULL here now.

And that makes sense because you can't specify only groups, right? So there must be a user we've found by now.

Ah but then you can't specify a uid that doesn't exist on the server.

Getting close. You still need a check here for
"not a numeric string" which generates the error.
You could add that test here by replacing the "else" below with:

    else if (*end != '\0' || end == name) {
                syslog(LOG_ERR, "unknown user: %s", name);
		return;
    } else