Always ACK before doing anything

native/jni/su/su.c

@@ -192,6 +192,13 @@ int su_client_main(int argc, char *argv[]) {
 	// Tell the daemon we are su
 	write_int(fd, SUPERUSER);
 
+	// Wait for ack from daemon
+	if (read_int(fd)) {
+		// Fast fail
+		fprintf(stderr, "%s\n", strerror(EACCES));
+		return DENY;
+	}
+
 	// Send su_request
 	xwrite(fd, &su_req, 4 * sizeof(unsigned));
 	write_string(fd, su_req.shell);
@@ -220,13 +227,6 @@ int su_client_main(int argc, char *argv[]) {
 	// Send stderr
 	send_fd(fd, (atty & ATTY_ERR) ? -1 : STDERR_FILENO);
 
-	// Wait for ack from daemon
-	if (read_int(fd)) {
-		// Fast fail
-		fprintf(stderr, "%s\n", strerror(EACCES));
-		return DENY;
-	}
-
 	if (atty & ATTY_IN) {
 		setup_sighandlers(sighandler);
 		pump_stdin_async(ptmx);

native/jni/su/su_daemon.c

@@ -227,8 +227,10 @@ void su_daemon_handler(int client, struct ucred *credential) {
 	struct su_info *info = get_su_info(credential->uid);
 
 	// Fail fast
-	if (info->access.policy == DENY && !info->access.log && !info->access.notify) {
+	if (info->access.policy == DENY && DB_STR(info, SU_MANAGER)[0] == '\0') {
+		LOGD("su: fast deny\n");
 		write_int(client, DENY);
+		close(client);
 		return;
 	}
 
@@ -264,6 +266,9 @@ void su_daemon_handler(int client, struct ucred *credential) {
 		.pid = credential->pid
 	};
 
+	// ack
+	write_int(client, 0);
+
 	// Become session leader
 	xsetsid();
 
@@ -334,9 +339,6 @@ void su_daemon_handler(int client, struct ucred *credential) {
 	xdup2(errfd, STDERR_FILENO);
 
 	close(ptsfd);
-
-	// ack and close
-	write_int(client, 0);
 	close(client);
 
 	// Handle namespaces