Android 'su' unlocked to get root privileges
Please note: this post is for developers who are building a custom Android image and have access to the Android su.c source. If you are an Android user looking for a way to root your device, this post will not help you, sorry.
The question is really simple. In a standard Android distribution it is not possible to execute the su tool from apps. The reason for this behaviour is easy to understand by looking at the su.c source (system/extras/su/su.c), reproduced here with its headers:
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <private/android_filesystem_config.h>   /* AID_ROOT, AID_SHELL */

int main(int argc, char **argv)
{
    struct passwd *pw;
    int uid, gid, myuid;

    /* Until we have something better, only root and the shell can use su. */
    /* This is the check discussed below: any real uid other than root (0)
       and shell (2000), i.e. every ordinary app, is refused here. */
    myuid = getuid();
    if (myuid != AID_ROOT && myuid != AID_SHELL) {
        fprintf(stderr, "su: uid %d not allowed to su\n", myuid);
        return 1;
    }

    /* No target given: become root. Otherwise resolve argv[1] as a user
       name, falling back to a numeric id. */
    if (argc < 2) {
        uid = gid = 0;
    } else {
        pw = getpwnam(argv[1]);
        if (pw == 0) {
            uid = gid = atoi(argv[1]);
        } else {
            uid = pw->pw_uid;
            gid = pw->pw_gid;
        }
    }

    /* Switch credentials; this only succeeds because su runs setuid root. */
    if (setgid(gid) || setuid(uid)) {
        fprintf(stderr, "su: permission denied\n");
        return 1;
    }

    /* User specified command for exec. */
    if (argc == 3) {
        if (execlp(argv[2], argv[2], (char *)NULL) < 0) {
            fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
                    strerror(errno));
            return -errno;
        }
    } else if (argc > 3) {
        /* Copy the rest of the args from main: argv[2..argc-1] plus the
           terminating NULL pointer, argc - 1 entries in total. */
        char *exec_args[argc - 1];
        memset(exec_args, 0, sizeof(exec_args));
        memcpy(exec_args, &argv[2], sizeof(exec_args));
        if (execvp(argv[2], exec_args) < 0) {
            fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
                    strerror(errno));
            return -errno;
        }
    }

    /* Default exec shell. */
    execlp("/system/bin/sh", "sh", (char *)NULL);
    fprintf(stderr, "su: exec failed\n");
    return 1;
}
As you can see, the code is very simple. The important part is the check at the beginning of main() (highlighted in the original post): it lets the program continue only when the caller's real uid is root (AID_ROOT) or the shell user (AID_SHELL, the uid that adb shell runs as). Every installed app runs under its own per-app uid, so none of them can use this su tool.

So what should we do to allow every user to execute this tool? Simply remove that check and recompile. Once done, the new su can be used by any app, as long as the binary is still installed setuid root (owned by root, mode 06755): the check in the source only decides who is refused early, while the setuid(0) call itself succeeds only because the setuid bit already gave the process an effective uid of 0, and fails with "permission denied" otherwise. Note also that when argv[1] is neither a known user name nor a number, atoi() returns 0, so "su anything" silently becomes root.

As you can easily understand, this modification creates a very dangerous security hole: any app, including malware, can then run arbitrary commands as root without any prompt or confirmation. It should only be made in images for trusted environments, so use it with caution!
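As an added example (not the AOSP su.c and not the post's own patch), the following is the narrower change a practitioner would make instead of deleting the check outright: keep the uid check but consult a build-time allow-list, confirm the binary really runs with effective uid 0 before attempting setuid(), and resolve the target user strictly so that an unknown name cannot become uid 0 through atoi(). The AID_* values match android_filesystem_config.h; the allow-list uids 10045 and 10046 and all su_* function names are assumptions for illustration.

```c
/* Added example, not AOSP code: a narrower alternative to deleting the
 * caller check in su.c.  All names and uid values are assumptions. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Values as defined in private/android_filesystem_config.h. */
#define AID_ROOT  0
#define AID_SHELL 2000

/* Hypothetical allow-list: root, shell, and the per-app uids of two
 * in-house apps.  Android assigns app uids from 10000 upwards; 10045 and
 * 10046 are made-up examples. */
static const uid_t su_allowed_uids[] = { AID_ROOT, AID_SHELL, 10045, 10046 };
#define SU_ALLOWED_COUNT (sizeof(su_allowed_uids) / sizeof(su_allowed_uids[0]))

/* Returns 1 if caller may use su, 0 otherwise. */
int su_caller_allowed(uid_t caller, const uid_t *allow, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (allow[i] == caller)
            return 1;
    return 0;
}

/* Parse a strictly numeric id: digits only, no sign, no trailing text.
 * Returns 0 on success, -1 otherwise (atoi("anything") would yield 0,
 * i.e. root, which is the weak spot in the original su.c). */
int su_parse_id(const char *s, unsigned long *out)
{
    char *end;
    if (s == NULL || s[0] < '0' || s[0] > '9')
        return -1;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v >= 0xFFFFFFFFul)
        return -1;
    *out = v;
    return 0;
}

/* Resolve the su target: no argument means root, otherwise a known user
 * name, otherwise a strictly numeric id.  Returns 0 on success, -1 if the
 * target cannot be resolved (the original fell through to atoi() here). */
int su_resolve_target(const char *arg, uid_t *uid, gid_t *gid)
{
    if (arg == NULL) {
        *uid = 0; *gid = 0;
        return 0;
    }
    struct passwd *pw = getpwnam(arg);
    if (pw != NULL) {
        *uid = pw->pw_uid; *gid = pw->pw_gid;
        return 0;
    }
    unsigned long id;
    if (su_parse_id(arg, &id) != 0)
        return -1;
    *uid = (uid_t)id; *gid = (gid_t)id;
    return 0;
}

/* Drop-in for the check at the top of main(): 0 to proceed, 1 to refuse. */
int su_check_caller(void)
{
    uid_t myuid = getuid();
    if (!su_caller_allowed(myuid, su_allowed_uids, SU_ALLOWED_COUNT)) {
        fprintf(stderr, "su: uid %d not allowed to su\n", (int)myuid);
        return 1;
    }
    return 0;
}

/* setuid(0) only succeeds if the binary is installed setuid root (or the
 * caller already is root); report that precondition explicitly. */
int su_has_root_euid(void)
{
    return geteuid() == 0;
}

int main(int argc, char **argv)
{
    uid_t uid; gid_t gid;
    if (su_check_caller())
        return 1;
    if (!su_has_root_euid()) {
        fprintf(stderr, "su: not running setuid root, cannot switch users\n");
        return 1;
    }
    if (su_resolve_target(argc > 1 ? argv[1] : NULL, &uid, &gid) != 0) {
        fprintf(stderr, "su: unknown user %s\n", argv[1]);
        return 1;
    }
    if (setgid(gid) || setuid(uid)) {
        fprintf(stderr, "su: permission denied\n");
        return 1;
    }
    /* Command handling would follow as in the original su.c. */
    execlp("/system/bin/sh", "sh", (char *)NULL);
    fprintf(stderr, "su: exec failed\n");
    return 1;
}
```

The allow-list is fixed at build time on purpose: on a custom image the developer knows which uids the trusted apps receive, and a file-based list would itself have to be protected from the very apps it gates.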