Android SU

本文详细介绍了如何修改Android源代码以允许非root用户使用su命令,包括更改权限检查逻辑,允许通过命令参数指定用户ID进行操作,以及在无法通过用户名找到用户ID时直接使用提供的ID。此外,提供了构建、推送修改后的su文件以及设置执行权限的步骤,使得用户能够在系统账户下以root权限执行命令,或在root账户下切换到系统shell。

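The stock Android su checks whether the calling user is root or the shell user; for any other caller the su command fails. In the listing below this check is the only restriction on who may call su, and the modification described here comments it out: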

/* Until we have something better, only root and the shell can use su. */
    /* getuid() reports the real uid of the invoking process; a setuid bit
     * on the su binary changes the effective uid, not this value. */
    myuid = getuid();
    /* Every caller other than AID_ROOT or AID_SHELL is refused here with
     * exit status 1 and a message on stderr. */
    if (myuid != AID_ROOT && myuid != AID_SHELL) {
        fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
        return 1;
    }
To remove this restriction, the updated source code is as follows:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>

#include <unistd.h>
#include <time.h>

#include <pwd.h>


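/*
 * su: switch to another uid/gid, then exec a shell or a given command.
 *
 * A command can only be given after the target user, i.e. it needs
 * argc >= 3.
 *
 * Usage:
 *   su                run /system/bin/sh as uid 0 / gid 0
 *   su 1000           run /system/bin/sh as uid 1000 / gid 1000
 *   su system         resolve the name with getpwnam() and use its uid/gid
 *   su 1000 ls -l     run "ls -l" as uid 1000 / gid 1000
 *
 * Exit status: 1 when the target user is invalid, when setgid()/setuid()
 * fails or when the default shell cannot be executed; -errno when the
 * requested command cannot be executed.
 */
int main(int argc, char **argv)
{
    int uid, gid;

    if (argc < 2) {
        uid = gid = 0;
    } else {
        struct passwd *pw = getpwnam(argv[1]);

        if (pw != NULL) {
            uid = pw->pw_uid;
            gid = pw->pw_gid;
        } else {
            /*
             * Not a known user name: accept it only if it is a plain
             * non-negative decimal id. atoi() returned 0 for any
             * non-numeric string, so a mistyped or unknown name was
             * silently treated as uid 0 (root).
             */
            char *end = NULL;
            long parsed;

            errno = 0;
            parsed = strtol(argv[1], &end, 10);
            if (end == argv[1] || *end != '\0' || errno == ERANGE ||
                parsed < 0 || parsed != (long)(int)parsed) {
                fprintf(stderr, "su: unknown user or invalid uid: %s\n",
                        argv[1]);
                return 1;
            }
            uid = gid = (int)parsed;
        }
    }

    /*
     * NOTE(security): the caller check below is disabled in this variant.
     * Nothing else in this file looks at who is calling, so once the
     * binary is installed setuid-root every local uid that can execute it
     * can take any uid/gid, root included. AID_ROOT and AID_SHELL are not
     * defined by any header included here (upstream presumably gets them
     * from private/android_filesystem_config.h - confirm), so re-enabling
     * the check also needs that include.
     */
    /* Until we have something better, only root and the shell can use su. */
/*    int myuid = getuid();
    if (myuid != AID_ROOT && myuid != AID_SHELL) {
        fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
        return 1;
    }
*/

    /*
     * Group first: after setuid() to a non-root uid the process may no
     * longer be allowed to change its gid.
     * NOTE(review): there is no setgroups()/initgroups() call, so the
     * caller's supplementary groups are carried over unchanged.
     */
    if (setgid(gid) || setuid(uid)) {
        fprintf(stderr,"su: permission denied\n");
        return 1;
    }

    /* User specified command for exec. */
    if (argc >= 3) {
        /*
         * argv[2..argc] is already a NULL-terminated vector (argv[argc] is
         * NULL), so it can be handed to execvp() without copying. This
         * also covers the argc == 3 case that used execlp() before.
         * NOTE(review): execvp() resolves argv[2] through the caller's
         * PATH, and the environment is passed through as received.
         */
        execvp(argv[2], &argv[2]);

        /* exec only returns on failure; keep errno before stdio can
         * overwrite it. */
        int saved_errno = errno;
        fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
                strerror(saved_errno));
        return -saved_errno;
    }

    /* Default exec shell. The sentinel is cast because a bare NULL is not
     * guaranteed to have pointer type in a variadic call. */
    execlp("/system/bin/sh", "sh", (char *)NULL);
    fprintf(stderr, "su: exec failed\n");
    return 1;
}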

Now you can build this file with ndk-build, then push it to the /system/xbin directory to replace the original su file.

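Set the setuid and setgid bits on the new su with "chmod 6755 /system/xbin/su", so that it runs with the file owner's and group's IDs regardless of which user invokes it.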

Make sure /system is mounted read-write before pushing the su file (note that the option shown below, ro, remounts it read-only; a writable remount uses rw):

mount -o remount,ro /dev/block/mtdblock0 /system

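After that, su no longer restricts who may call it: any local user or app that can execute /system/xbin/su can switch to any uid, including root. For example: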

su system ; switch to system account from root account

su root ls "a file only accessed by root" ; from the system account, access a file or directory that only the root account can access.

su ; switch to root shell  from system account

 
