Android Root principle

Source: Internet
Author: User
Tags: root access

Linux and Unix-like systems were designed from the start as multi-user operating systems, and user rights are managed strictly. The root user (superuser) is the sole administrator of the whole system and holds every privilege the operating system can grant, so whoever obtains root can read and modify the entire system. With root access on Android you can customize the system, uninstall preinstalled software and take full control of the device.

0x01 SetUID

Before discussing how rooting works, there is one very important concept: the setuid permission bit on a file. Everyone is familiar with ordinary Linux file permissions: a normal executable has r (readable), w (writable) and x (executable) bits, each granted separately to the owner, the owner's group and everyone else.

But consider this situation: a user is allowed to change their own password, yet the file that stores the password hashes, /etc/shadow, is writable only by root. How can an ordinary user change their own password? The answer is the setuid setting on the passwd command, whose binary is /usr/bin/passwd.

Looking at the permission bits of the passwd binary, you can see that they are not just rwx; there is an extra s permission, and this s permission is our protagonist, the setuid bit.

Because passwd is setuid, the kernel runs it with the effective user ID of the file's owner (root) rather than that of the user who launched it. The ordinary user therefore temporarily acts as root for the duration of that program and can update their own entry in /etc/shadow through passwd.

So how is the setuid permission set?

Ordinary file permissions are made up of three groups of three bits, ---|---|---, for the owner, the owner's group and all other users. Take an executable named root with permissions rwxrwxr-x: the corresponding bits are 111 111 101, and reading each group of three with the weights 4, 2, 1 gives the octal value 775. The special bits sit in front of these nine: setuid (4), setgid (2) and the sticky bit (1). Here we only care about setuid. With a special bit set the mode is written as four octal digits, so the root file above plus setuid is 4755 (chmod 4755, or equivalently chmod u+s), and 4755 is exactly the mode of the passwd binary.

A small example makes this concrete. The binary behind the everyday cat command does not normally carry the setuid bit:

Try reading /etc/shadow with cat as a normal user:

Permission is denied. Now add the setuid bit to cat and read /etc/shadow again:

This time the file can be read, although what /etc/shadow holds are password hashes, not plaintext passwords. Do not leave cat setuid afterwards: a setuid-root cat lets any user read every file on the system.
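As an added example (not code from the original article), the following POSIX shell script does in code what the two previous sections describe by hand: it converts a symbolic mode string such as rwsr-xr-x into the octal form (4755), handling the setgid and sticky bits alongside setuid, and then scans ls -l output for files that are both setuid and owned by root, which is the audit you would run to find binaries like passwd or a forgotten setuid cat. The listing it scans is constructed for the example, not captured from a real system, and the function names are my own.

```sh
#!/bin/sh
# Added example, not code from the original article.
# mode_to_octal: convert a symbolic mode string as printed by `ls -l`
# (with or without the leading file-type character) into octal, with the
# special bits setuid=4, setgid=2, sticky=1 as a leading digit when present.
#   mode_to_octal rwsr-xr-x   -> 4755
#   mode_to_octal -rwxrwxr-x  -> 775
mode_to_octal() {
    m=$1
    [ ${#m} -eq 10 ] && m=${m#?}      # drop the type char of a 10-char ls field
    special=0
    octal=""
    i=1
    for slot in owner group other; do
        r=$(printf '%s' "$m" | cut -c"$i")
        w=$(printf '%s' "$m" | cut -c"$((i + 1))")
        x=$(printf '%s' "$m" | cut -c"$((i + 2))")
        val=0
        [ "$r" = r ] && val=$((val + 4))
        [ "$w" = w ] && val=$((val + 2))
        case $x in
            x|s|t) val=$((val + 1)) ;;    # lower case: the execute bit is set
        esac
        # s/S in the owner slot is setuid, in the group slot setgid; t/T in the
        # other slot is the sticky bit. Upper case = special bit without execute.
        case "$slot$x" in
            owner[sS]) special=$((special + 4)) ;;
            group[sS]) special=$((special + 2)) ;;
            other[tT]) special=$((special + 1)) ;;
        esac
        octal="$octal$val"
        i=$((i + 3))
    done
    [ "$special" -eq 0 ] && special=""
    printf '%s%s\n' "$special" "$octal"
}

# Constructed sample of `ls -l` output (not captured from a real device).
SAMPLE_LS='-rwsr-xr-x 1 root  root  59976 Jan  1  2020 /usr/bin/passwd
-rwxr-xr-x 1 root  root  35000 Jan  1  2020 /bin/cat
-rwsr-xr-x 1 root  root  75000 Jan  1  2020 /system/xbin/su
-rwsr-xr-x 1 shell shell  4000 Jan  1  2020 /data/local/tmp/su
lrwxrwxrwx 1 root  root     16 Jan  1  2020 /system/bin/su -> /system/xbin/su'

# setuid_root_files [LISTING]: print the path of every regular file in the
# listing that is both setuid and owned by root. Symlinks, and setuid files
# owned by anyone else (they grant that user's privileges, not root's), are
# skipped. Without an argument the constructed sample above is scanned.
setuid_root_files() {
    printf '%s\n' "${1:-$SAMPLE_LS}" | while read -r mode links owner group rest; do
        case $mode in
            -??[sS]*) ;;            # regular file, setuid bit in the owner slot
            *) continue ;;
        esac
        [ "$owner" = root ] || continue
        printf '%s\n' "${rest##* }" # the path is the last field
    done
}
```

On a real host the same scan is `ls -l $(find / -perm -4000 -type f 2>/dev/null)` piped into setuid_root_files; the /data/local/tmp/su line in the sample shows why the owner check matters: a setuid file owned by the shell user gives you nothing more than the shell user already has.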

0x02 root under Linux

On the Linux distributions you normally use, switching to the root user is simple: run the su command and enter the root user's password.

0x03 root for Android

On an Android device that has no su binary, however, running su directly just prompts "su: not found".

Look at the device's filesystem: the commands available in the adb shell are binaries under /system/bin, and on a rooted device there is an su file there:

You can see that su here is just a symlink into /system/xbin/.

And the su it points to carries the setuid permission bit.

Adding a file to the system partition under /system/xbin requires root permission; making root the owner of the su file requires root permission; and setting the setuid bit also requires root permission.

This is a chicken-and-egg problem: to use su you must already have root. The way out is to exploit a vulnerability. Android itself runs many processes as root from the start, and if one of these root processes has an exploitable vulnerability, you can borrow that process's root identity to:

    1. copy the su binary into the system partition directory /system/xbin;
    2. set the owner of the su file to the root user;
    3. set the setuid bit on the su file, after which any process can execute su to obtain root privileges.

Note that this is the classic approach: on recent Android versions verified boot (dm-verity) keeps /system from being remounted writable and SELinux policy restricts what even a uid-0 process may do, so modern root tools have to work differently.
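The procedure above, as an added example that is not part of the original article: a shell script for the phase after a root-owned process has already been exploited, performing the three steps and then verifying the result. /system/xbin/su is the article's path; the source location SU_SRC, the read-write remount of /system, and the stat(1) -c format (GNU coreutils and Android's toybox) are assumptions, and the function names are my own.

```sh
#!/bin/sh
# Added example, not code from the original article. The three steps the
# article lists, written as shell to run *inside* a shell that already has
# uid 0 on the device (for example one obtained from an exploited root-owned
# process), plus a check that the installed file is really a setuid-root su.
# /system/xbin/su is the path the article uses; SU_SRC, the need to remount
# /system read-write, and the use of toybox/coreutils stat are assumptions.

SU_SRC=${SU_SRC:-/data/local/tmp/su}   # assumed: where the su binary was pushed
SU_DST=${SU_DST:-/system/xbin/su}

install_su() {
    [ "$(id -u)" -eq 0 ] || { echo "install_su: need uid 0 first" >&2; return 1; }
    mount -o remount,rw /system || return 1   # /system is mounted read-only by default
    cp "$SU_SRC" "$SU_DST" || return 1        # step 1: copy su into /system/xbin
    chown root:root "$SU_DST" || return 1     # step 2: owner (and group) root
    chmod 4755 "$SU_DST" || return 1          # step 3: rwsr-xr-x, the setuid bit
    mount -o remount,ro /system
}

# check_setuid_root FILE: returns 0 if FILE is a regular file owned by uid 0
# with the setuid bit set; 1 if missing or unreadable, 2 if not owned by
# root, 3 if owned by root but not setuid.
check_setuid_root() {
    f=$1
    [ -f "$f" ] || return 1
    out=$(stat -c '%u %a' "$f") || return 1   # e.g. "0 4755"
    uid=${out%% *}
    mode=${out#* }
    [ "$uid" -eq 0 ] || return 2
    case $mode in
        4???|5???|6???|7???) return 0 ;;      # leading octal digit contains the setuid bit (4)
        *) return 3 ;;
    esac
}
```

Run install_su from the uid-0 shell and then check_setuid_root /system/xbin/su; from an unprivileged adb shell the same check is a quick way to tell whether a device has already been rooted this way, since a file that fails either the owner or the setuid test will not grant root no matter who runs it.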
