Android 'su' unlocked to get root privileges


Please note: this post is for developers who are building a custom Android image and have access to the Android su.c source. If you are an Android user looking for a way to root your device, this post will not help you, sorry.


The question is really simple: in a standard Android distribution it is not possible to execute the su tool from apps. The reason for this behaviour is easy to understand by looking at the su.c source (system/extras/su/su.c):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <pwd.h>
#include <private/android_filesystem_config.h>   /* AID_ROOT, AID_SHELL */

int main(int argc, char **argv)
{
    struct passwd *pw;
    int uid, gid, myuid;

    /* Until we have something better, only root and the shell can use su. */
    myuid = getuid();
    if (myuid != AID_ROOT && myuid != AID_SHELL) {
        fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
        return 1;
    }

    /* No target given: become root (uid 0, gid 0). */
    if(argc < 2) {
        uid = gid = 0;
    } else {
        /* Target given by name; if the name is unknown, treat it as a numeric uid. */
        pw = getpwnam(argv[1]);

        if(pw == 0) {
            uid = gid = atoi(argv[1]);
        } else {
            uid = pw->pw_uid;
            gid = pw->pw_gid;
        }
    }

    if(setgid(gid) || setuid(uid)) {
        fprintf(stderr,"su: permission denied\n");
        return 1;
    }

    /* User specified command for exec. */
    if (argc == 3 ) {
        if (execlp(argv[2], argv[2], NULL) < 0) {
            fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
                    strerror(errno));
            return -errno;
        }
    } else if (argc > 3) {
        /* Copy the rest of the args from main (argv[argc] is NULL, so the
         * copied vector is NULL-terminated as execvp requires). */
        char *exec_args[argc - 1];
        memset(exec_args, 0, sizeof(exec_args));
        memcpy(exec_args, &argv[2], sizeof(exec_args));
        if (execvp(argv[2], exec_args) < 0) {
            fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
                    strerror(errno));
            return -errno;
        }
    }

    /* Default exec shell. */
    execlp("/system/bin/sh", "sh", NULL);

    fprintf(stderr, "su: exec failed\n");
    return 1;
}

As you can see, the code is very simple. However, there is an important addition at the beginning of main(): the check of the caller's uid against AID_ROOT and AID_SHELL. This check allows only the root and shell users to run the code that obtains root privileges. All the standard installed apps run as the system user, so none of them is able to use this su tool. Now, what should we do to allow all users to execute and use this tool? Simply remove that uid check and recompile. Once done, the new su can be used by every app. As you can easily understand, this modification creates a very dangerous security hole and should be made only in images for a trusted environment, so use it with caution!
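The target-user handling in the su.c above, as an added example that is not part of the original post or of AOSP: the getpwnam() lookup with its atoi() fallback, isolated behind a constructed fake passwd table so it runs anywhere, beside a strict variant that accepts only a real numeric uid. The table entries and both function names are assumptions made for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for getpwnam(): a fixed three-entry user table. */
struct fake_pw { const char *name; int uid; int gid; };
static const struct fake_pw FAKE_PASSWD[] = {
    { "root", 0, 0 }, { "shell", 2000, 2000 }, { "system", 1000, 1000 },
};

static const struct fake_pw *fake_getpwnam(const char *name)
{
    for (size_t i = 0; i < sizeof FAKE_PASSWD / sizeof FAKE_PASSWD[0]; i++)
        if (strcmp(FAKE_PASSWD[i].name, name) == 0) return &FAKE_PASSWD[i];
    return NULL;
}

/* Mirrors su.c: name lookup, falling back to atoi() on a miss.
 * Returns the uid su would hand to setuid(). */
int su_resolve_target(const char *arg)
{
    const struct fake_pw *pw = fake_getpwnam(arg);
    return pw ? pw->uid : atoi(arg);   /* atoi("bogus") == 0, i.e. root */
}

/* Strict variant: the fallback must be a complete, non-negative decimal
 * in int range; anything else is rejected (-1) instead of becoming uid 0. */
int su_resolve_target_strict(const char *arg)
{
    const struct fake_pw *pw = fake_getpwnam(arg);
    if (pw) return pw->uid;
    char *end;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (*arg == '\0' || errno != 0 || *end != '\0' || v < 0 || v > INT_MAX)
        return -1;
    return (int)v;
}

int main(void)
{
    const char *args[] = { "shell", "1000", "bogus", "12abc", "-5" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("%-6s -> su.c: %d  strict: %d\n", args[i],
               su_resolve_target(args[i]), su_resolve_target_strict(args[i]));
    return 0;
}
```

In the unmodified binary this only matters for callers that already are root or shell; once the uid check is removed, the lenient fallback is reachable from every app.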



Comments

  1. Hi. This is just what I want to do. I have a Udoo board and its Android kernel source. I went to su.c and... those lines are not there. Yet, I execute it from my app and I get "broken pipe" errors. If I install SuperSU, it works. Something is not rooted. Any suggestions?

  2. Hi,
    The Udoo board runs Android version 4.3. This version has additional security features, and the patch reported in this post is not enough to get root privileges (it was enough in version 4.2). To have a totally unlocked version, it requires some other patches in the framework Java code.
