Hello, auth_approval(3) doesn't always set errno(2) on failure:
--- usr.bin/su/su.c.orig Sat Dec 7 20:23:21 2019
+++ usr.bin/su/su.c Fri Oct 30 14:38:11 2020
@@ -358,7 +358,7 @@ main(int argc, char **argv)
err(1, "pledge");
if (pwd->pw_uid && auth_approval(as, lc, pwd->pw_name, "su") == 0)
- auth_err(as, 1, "approval failure");
+ auth_errx(as, 1, "approval failure");
auth_close(as);
execv(shell, np);
