diff --git a/include/extern.h b/include/extern.h
index d03b6df89..7b4600174 100644
--- a/include/extern.h
+++ b/include/extern.h
@@ -1,4 +1,4 @@
-/* NetHack 3.7	extern.h	$NHDT-Date: 1603507384 2020/10/24 02:43:04 $  $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.873 $ */
+/* NetHack 3.7	extern.h	$NHDT-Date: 1605493683 2020/11/16 02:28:03 $  $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.878 $ */
 /* Copyright (c) Steve Creps, 1988.				  */
 /* NetHack may be freely redistributed.  See license for details. */
 
@@ -2768,7 +2768,7 @@ E void NDECL(port_help);
 E void FDECL(sethanguphandler, (void (*)(int)));
 E boolean NDECL(authorize_wizard_mode);
 E void FDECL(append_slash, (char *));
-E boolean FDECL(check_user_string, (char *));
+E boolean FDECL(check_user_string, (const char *));
 E char *NDECL(get_login_name);
 E unsigned long NDECL(sys_random_seed);
 #endif /* UNIX */
@@ -2952,6 +2952,9 @@ E char *NDECL(verify_termcap);
 E void NDECL(privoff);
 E void NDECL(privon);
 #endif
+#ifdef SYSCF
+E boolean FDECL(check_user_string, (const char *));
+#endif
 #ifdef SHELL
 E int NDECL(dosh);
 #endif
diff --git a/sys/unix/unixmain.c b/sys/unix/unixmain.c
index 87e255064..c6fea0d3b 100644
--- a/sys/unix/unixmain.c
+++ b/sys/unix/unixmain.c
@@ -1,4 +1,4 @@
-/* NetHack 3.7	unixmain.c	$NHDT-Date: 1596498297 2020/08/03 23:44:57 $  $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.87 $ */
+/* NetHack 3.7	unixmain.c	$NHDT-Date: 1605493691 2020/11/16 02:28:11 $  $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.90 $ */
 /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */
 /*-Copyright (c) Robert Patrick Rankin, 2011. */
 /* NetHack may be freely redistributed.  See license for details. */
@@ -647,11 +647,11 @@ char *name;
 
 boolean
 check_user_string(optstr)
-char *optstr;
+const char *optstr;
 {
     struct passwd *pw;
     int pwlen;
-    char *eop, *w;
+    const char *eop, *w;
     char *pwname = 0;
 
     if (optstr[0] == '*')
@@ -663,7 +663,7 @@ char *optstr;
     if (!pwname || !*pwname)
         return FALSE;
     pwlen = (int) strlen(pwname);
-    eop = eos(optstr);
+    eop = eos((char *) optstr); /* temporarily cast away 'const' */
     w = optstr;
     while (w + pwlen <= eop) {
         if (!*w)
diff --git a/sys/unix/unixunix.c b/sys/unix/unixunix.c
index 9364200f5..77d3527db 100644
--- a/sys/unix/unixunix.c
+++ b/sys/unix/unixunix.c
@@ -1,4 +1,4 @@
-/* NetHack 3.7	unixunix.c	$NHDT-Date: 1596498298 2020/08/03 23:44:58 $  $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.31 $ */
+/* NetHack 3.7	unixunix.c	$NHDT-Date: 1605493693 2020/11/16 02:28:13 $  $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.32 $ */
 /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */
 /*-Copyright (c) Kenneth Lorber, Kensington, Maryland, 2015. */
 /* NetHack may be freely redistributed.  See license for details. */
@@ -271,9 +271,8 @@ dosh()
 #ifdef SYSCF
     if (!sysopt.shellers || !sysopt.shellers[0]
         || !check_user_string(sysopt.shellers)) {
-        /* FIXME: should no longer assume a particular command keystroke,
-           and perhaps ought to say "unavailable" rather than "unknown" */
-        Norep("Unknown command '!'.");
+        /* FIXME: should no longer assume a particular command keystroke */
+        Norep("Unavailable command '!'.");
         return 0;
     }
 #endif
diff --git a/sys/vms/vmsunix.c b/sys/vms/vmsunix.c
index e6f2fca07..66afa88a2 100644
--- a/sys/vms/vmsunix.c
+++ b/sys/vms/vmsunix.c
@@ -1,4 +1,4 @@
-/* NetHack 3.7	vmsunix.c	$NHDT-Date: 1596498310 2020/08/03 23:45:10 $  $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.23 $ */
+/* NetHack 3.7	vmsunix.c	$NHDT-Date: 1605493693 2020/11/16 02:28:13 $  $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.24 $ */
 /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */
 /*-Copyright (c) Robert Patrick Rankin, 2011. */
 /* NetHack may be freely redistributed.  See license for details. */
@@ -54,7 +54,7 @@ int fd;
     if (fstat(fd, &buf))
         return 0; /* cannot get status */
 #ifndef INSURANCE
-    if (buf.st_size != sizeof(int))
+    if (buf.st_size != sizeof (int))
         return 0; /* not an xlock file */
 #endif
     (void) time(&date);
@@ -62,7 +62,7 @@ int fd;
         int lockedpid; /* should be the same size as hackpid */
         unsigned long status, dummy, code = JPI$_PID;
 
-        if (read(fd, (genericptr_t) &lockedpid, sizeof(lockedpid))
+        if (read(fd, (genericptr_t) &lockedpid, sizeof lockedpid)
             != sizeof(lockedpid)) /* strange ... */
             return 0;
         status = lib$getjpi(&code, &lockedpid, 0, &dummy);
@@ -138,7 +138,7 @@ getlock()
     error(g.locknum ? "Too many hacks running now."
                   : "There is a game in progress under your name.");
 
-gotlock:
+ gotlock:
     fd = creat(g.lock, FCMASK);
     unlock_file(HLOCK);
     if (fd == -1) {
@@ -373,6 +373,45 @@ privon()
 }
 #endif /* CHDIR || SHELL || SECURE */
 
+#ifdef SYSCF
+boolean
+check_user_string(userlist)
+const char *userlist;
+{
+    char usrnambuf[BUFSZ];
+    const char *sptr, *p, *q;
+    int ln;
+
+    if (!strcmp(userlist, "*"))
+        return TRUE;
+
+    /* FIXME: ought to use $getjpi or $getuai to retrieve user name here... */
+    Strcpy(usrnambuf, nh_getenv("USER"));
+    ln = (int) strlen(usrnambuf);
+    if (!ln)
+        return FALSE;
+
+    while ((sptr = strstri(userlist, usrnambuf)) != 0) {
+        /* check for full word: start of list or following a space or comma */
+        if ((sptr == userlist || sptr[-1] == ' ' || sptr[-1] == ',')
+            /* and also preceding a space or comma or at end of list */
+            && (sptr[ln] == ' ' || sptr[ln] == ',' || sptr[ln] == '\0'))
+            return TRUE;
+        /* doesn't match full word, but maybe we got a false hit when
+           looking for "jane" in the list "janedoe jane" so keep going */
+        p = index(sptr + 1, ' ');
+        q = index(sptr + 1, ',');
+        if (!p || (q && q < p))
+            p = q;
+        if (!p)
+            break;
+        userlist = p + 1;
+    }
+
+    return FALSE;
+}
+#endif /* SYSCF */
+
 #if defined(SHELL) || defined(SUSPEND)
 static void
 hack_escape(screen_manip, msg_str)
@@ -406,6 +445,14 @@ unsigned long dosh_pid = 0, /* this should cover any interactive escape */
 int
 dosh()
 {
+#ifdef SYSCF
+    if (!sysopt.shellers || !sysopt.shellers[0]
+        || !check_user_string(sysopt.shellers)) {
+        /* FIXME: should no longer assume a particular command keystroke */
+        Norep("Unavailable command '!'.");
+        return 0;
+    }
+#endif
     return vms_doshell("", TRUE); /* call for interactive child process */
 }
 
@@ -617,7 +664,7 @@ int how; /* 1: exit after traceback; 2: stay in debugger */
            in a last-gasp environment so apply the KISS principle...) */
         DBGCMD("set Module/Calls ; show Calls 18"),
         /* epilogue; "exit" ends the sequence it's part of, but it doesn't
-           seem able to cause program termination end when used separately;
+           seem able to cause program termination when used separately;
            instead of relying on it, we'll redirect debugger input to come
            from the null device so that it'll get an end-of-input condition
            when it tries to get a command from the user */
@@ -844,7 +891,7 @@ const unsigned long lib$initialize[] = { (unsigned long) (void *) vmsexeini };
 #endif
 /*      We also need to link against a linker options file containing:
 sys$library:starlet.olb/Include=(lib$initialize)
-psect_attr=lib$initialize, Con,Usr,noPic,Rel,Gbl,noShr,noExe,Rd,noWrt,Long
+psect_attr=lib$initialize, Con,Rel,Gbl,noShr,noExe,Rd,noWrt
  */
 #endif /* C_LIB$INITIALIZE */
 /* End of debugger hackery. */