-rw-r--r--daemon.c18
-rw-r--r--su.c7
2 files changed, 18 insertions, 7 deletions
diff --git a/daemon.c b/daemon.c
index ac7c134..022ef48 100644
--- a/daemon.c
+++ b/daemon.c
@@ -365,10 +365,28 @@ static int daemon_accept(int fd) {
int ptsfd;
if (pts_slave[0]) {
+ struct stat st;
+
+ if (stat(pts_slave, &st)) {
+ PLOGE("failed to stat pts_slave");
+ exit(-1);
+ }
+
+ if (st.st_uid != credentials.uid) {
+ PLOGE("caller doesn't own proposed PTY");
+ exit(-1);
+ }
+
+ if (!S_ISCHR(st.st_mode)) {
+ PLOGE("proposed PTY isn't a chardev");
+ exit(-1);
+ }
+
// Opening the TTY has to occur after the
// fork() and setsid() so that it becomes
// our controlling TTY and not the daemon's
ptsfd = open(pts_slave, O_RDWR);
+
if (ptsfd == -1) {
PLOGE("open(pts_slave) daemon");
exit(-1);
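Review bot: The new ownership and chardev checks call `stat(pts_slave, &st)` on the path, and the file is then opened by the same path a few lines later, so the object that was checked is not guaranteed to be the object that gets opened if the path is replaced in between. Validating the descriptor closes that window: keep `open(pts_slave, O_RDWR)` where it is and follow it with `if (fstat(ptsfd, &st))` plus the same `st.st_uid` and `S_ISCHR` tests, bailing out before `ptsfd` is used for anything else. The uid-mismatch and not-a-chardev branches also log through `PLOGE`, which presumably appends the errno text; errno is not set by those comparisons, so a plain error log would be less misleading there. The body of daemon_accept starts and ends outside this hunk, so how `pts_slave` and `credentials` are filled in cannot be confirmed from here.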
diff --git a/su.c b/su.c
index 20ea8b8..3687c02 100644
--- a/su.c
+++ b/su.c
@@ -439,7 +439,6 @@ int su_main(int argc, char *argv[], int need_client) {
.name = "",
},
};
- struct stat st;
int c, socket_serv_fd, fd;
char buf[64], *result;
policy_t dballow;
@@ -541,12 +540,6 @@ int su_main(int argc, char *argv[], int need_client) {
allow(&ctx, NULL);
}
- // always allow if this is the superuser uid
- // superuser needs to be able to reenable itself when disabled...
- if (ctx.from.uid == st.st_uid) {
- allow(&ctx, NULL);
- }
-
// check if superuser is disabled completely
if (access_disabled(&ctx.from)) {
ALOGD("access_disabled");