Android root Principle

Android root Principle
0x00 about root

Both linux and Unix-like systems were originally designed for multi-user operating systems, with very strict management of user permissions, while root users (superusers) are the only administrators of the entire system, it has all permissions equivalent to the operating system. Therefore, once the root permission is obtained, the entire system can be accessed and modified. After obtaining the root permission in Android, you can customize the system, uninstall some pre-installed software, and have full control over your devices.

0x01 setUID

Before discussing the root principle, a very important concept is the setUID permission of the file. In linux, the common file permissions are clear, readable, writable, and executable. It is clear that the root permission of a common executable file is r (readable ), w (writable), x (executable ).

However, you need to consider a situation where, for example, a user has the right to modify his/her password, but only the root user can write the/etc/shadow file that records the password, how can a common user modify his/her password? All of this is due to the setting of setUID. The binary program corresponding to passwd used to change the password is/usr/bin/passwd.

We can see that the permission bit of the passwd binary file is not only rwx, but also an s permission. This s permission is our main character and the setUID permission.

Because passwd has the setUID permission, the linux system can temporarily assign the root identity role of this file to common users so that common users can modify their own passwords.

How can I set the setUID permission?

Common File Permission bits consist of 9 binary numbers (3, 3, and 3) --- | ---, which correspond to the file owner respectively, the file owner has the same user group permission and other user permissions. The initial executable file named root has the permission of rwxrwxr-x, and the corresponding binary bits are 111 111 101. Then, each three digits correspond to 421 in hexadecimal format, which is 775. The new setUID permission is added with three new permissions, indicating the setGID, setUID, and stick bit permissions. Currently, we only care about the setUID permission. Therefore, after the setUID permission is added, the file permission should be composed of four digits. For example, if you add the setUID permission to the previous root file, it is 4755. The permission bit of the passwd file for password modification is 4755.

You can use a small example to intuitively feel that the binary file corresponding to the common cat command does not have the setUID permission:

You can use cat to read the content of the/etc/shadow file as follows:

Prompt that the permission is insufficient. Add the setUID permission to cat and then read the/etc/shadow content:

Yes, but the content in/etc/shadow is encrypted.

0x02 root in Linux

If you want to switch to the root user for a linux release, you can directly use the su command and enter the su user password to switch to the root user.

0x03 root of Android

However, there is no su binary file on the Android device that is not root. If you run the su command directly, the message "su not found" is displayed ".

Go to the root device and check that the binary files corresponding to the commands used in the adb shell are in the/system/bin directory, and the su files exist:

We can see that the su here is only a link pointing to/system/xbin.

We can see that su has the setUID permission bit.

To add a file in the system partition/system/xbin, the root permission is required, and setting the su file owner as the root user also requires the root permission, setting the setUID permission also requires the root permission.

This enters an endless loop. To use su, you must first have the root permission. Therefore, you need to exploit the Android vulnerabilities. Many native processes run with root permissions exist in the Android system. If these root processes have vulnerabilities that can be exploited, you can use the root identity of the process:

1. Copy the su file to the/system/xbin system partition;
2. Set the su file owner to the root user;
3. Set the setUID permission of the su file to facilitate the process to execute the su command to obtain the root permission.

From: http://www.cnblogs.com/lanrenxinxin/p/5572640.html

Address: http://www.linuxprobe.com/android-root-theory.html