
android root

Android Root
Root Root
/system/bin//system/xbin/su
exe su

android su getuid()
AID_ROOT AID_SHELL su
:

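/*
 * Caller check from the su source the article quotes. getuid() returns the
 * real uid of the calling process, i.e. who invoked su, not who owns the
 * binary. The HTML wrapper tags the page had pasted around this excerpt are
 * removed and the original comment is rejoined below.
 */
/* Until we have something better, only root and the shell can use su. */
myuid = getuid();
/* Allow-list of two uids: every other caller is refused with status 1. */
if (myuid != AID_ROOT && myuid != AID_SHELL) {
    fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
    return 1;
}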

Superuser android su
su , android root
Superuser
:

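// Installer sequence the article attributes to Superuser. Every command below
// is written to the standard input of the shell that exec("su") returns, so
// the sequence only has an effect where a working su is already present.
Process process = Runtime.getRuntime().exec("su");

DataOutputStream os = new DataOutputStream(process.getOutputStream());
// Remount /system read-write; it is the partition the next commands modify.
os.writeBytes("mount -oremount,rw /dev/block/mtdblock3 /system\n");
// The page had wrapped this literal across two lines, which is not valid Java;
// it is rejoined here with a space, assuming the break was a line wrap.
os.writeBytes("busybox cp /data/data/com.koushikdutta.superuser/su /system/bin/su\n");
// Owner root:root plus mode 4755 (setuid bit set) means the copied binary runs
// with root's effective uid whoever launches it. A setuid-root file under
// /system/bin is therefore the artefact to look for when auditing a device.
os.writeBytes("busybox chown 0:0 /system/bin/su\n");
os.writeBytes("chmod 4755 /system/bin/su\n");
os.writeBytes("exit\n");
os.flush();
// NOTE(review): neither the exit status nor the output of the su shell is read
// in this excerpt, so a failed remount or copy would go unnoticed.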

Superuser android su
:

/*
 * Switch to the requested identity, group first and then user. Both calls
 * return non-zero on failure; either failure prints an error and returns 1
 * rather than continuing. The || short-circuits, so setuid() is not attempted
 * once setgid() has failed.
 */
if(setgid(gid) || setuid(uid)) {
fprintf(stderr,"su: permission denied\n");
return 1;
}

susu
-rwsr-xr-x. 1 root root 34904 11 3 2010 /bin/su
su
android root
su root
z4root android android root
rageagainstthecage root

root root
:

// Generic form of the pattern shown earlier on the page: start "su" as a child
// process and feed it shell commands through its standard input.
Process process = Runtime.getRuntime().exec("su");


DataOutputStream os = new DataOutputStream(process.getOutputStream());
// "......" marks the commands the article left out.
......
// "exit" ends the su shell; flush() forces anything still buffered out to it.
os.writeBytes("exit\n");
os.flush();
// NOTE(review): the child's exit status and output are not read in this
// excerpt, so from here the caller cannot tell whether su was granted.

su root su android
root Android su root shell su
root
root Linux su
su SUID root su

su root busybox busybox


SUID SGID rootSUID SGID
Linux ID ID
busybox busybox root su
root su busybox
root
root su SUID Linux su
SUID UC su
su SUID su su root
su root SUID root

Android su
su root shell
su su
su su
root root Linux Linux
root su
su
root SuperUser
root
Android root root
su su root
root root
Android
:

1 adb
2 adb shell root

root adb SDK adb


adbd adb adbd adb
/system/core/adb Android.mk adb adbd

adb.c adb_main adbd


:

/*
 * Excerpt of adb_main() as quoted by the article. Each "......" line marks
 * code the article left out, and the function is not shown to its end.
 */
int adb_main(int is_daemon)


{
......
/* Read the ro.secure system property; the third argument ("") is the value
 * returned when the property is not set. */
property_get("ro.secure", value, "");
if (strcmp(value, "1") == 0) {
// don't run as root if ro.secure is set...
secure = 1;
......
}
/* Only the start of the secure branch is quoted; what it does is elided
 * here. */
if (secure) {
......

adbd ro.secure 1
shell /default.prop
:
ro.secure=1

adbd shell
adbd init.rc
init init.rc
:

# adbd is controlled by the persist.service.adb.enable system property


# NOTE(review): no user/group option appears in this excerpt, so as quoted the
# daemon starts with init's own identity and any drop to an unprivileged uid
# has to happen inside adbd itself. Confirm against the full init.rc.
service adbd /sbin/adbd
# "disabled" keeps init from starting the service automatically with its
# class; it has to be started explicitly by name.
disabled

Android init.rc
root init root root adbd

/* then switch user and group to "shell" */


setgid(AID_SHELL);
setuid(AID_SHELL);

root shell
root root setgid
setuid root
RageAgainstTheCage Android adb setuid
RageAgainstTheCage
:

1 ro.secure 1 adbd shell


2adb ratc shell
3ratc ratc shell
shell shell
RLIMIT_NPROC adbdratc ratc
adbdadbd Android Android
ratc adbd setgid setuid ratc
shell adbd setgid
setuid adbd adbd
root
3 adb adb root

RageAgainstTheCage adbd root


adb root root su
Android root

adbd
:

/* then switch user and group to "shell" */


/*
 * Each drop is checked: a non-zero return ends the process with exit(1)
 * instead of letting it run on with its previous identity.
 */
if (setgid(AID_SHELL) != 0) {
exit(1);
}
/* setgid() comes first: once the uid is no longer root the process would
 * normally lack the privilege to change its group. */
if (setuid(AID_SHELL) != 0) {
exit(1);
}

setgid setuid adbd


X

rom
root root root
