A piece of su source code

/*
** Copyright 2008, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
**     http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/

#define LOG_TAG "su"

/* Header names were dropped from the page; these are the ones the code below uses. */
#include <stdlib.h>     /* atoi */
#include <stdio.h>      /* fprintf */
#include <string.h>     /* memset, memcpy, strerror */
#include <unistd.h>     /* getuid, setuid, setgid, execlp, execvp */
#include <errno.h>
#include <sys/types.h>
#include <pwd.h>        /* getpwnam */

/* Defines AID_ROOT and AID_SHELL; only needed by the disabled check below. */
//#include <private/android_filesystem_config.h>

/*
 * SU can be given a specific command to exec. UID _must_ be
 * specified for this (ie argc => 3).
 *
 * Usage:
 *   su 1000
 *   su 1000 ls -l
 */
int main(int argc, char **argv)
{
    struct passwd *pw;
    int uid, gid, myuid;

    /* No argument: become root. Otherwise resolve argv[1] as a user name,
     * falling back to treating it as a numeric uid (which is also used as gid). */
    if(argc < 2) {
        uid = gid = 0;
    } else {
        pw = getpwnam(argv[1]);
        if(pw == 0) {
            uid = gid = atoi(argv[1]);
        } else {
            uid = pw->pw_uid;
            gid = pw->pw_gid;
        }
    }

    /* Until we have something better, only root and the shell can use su. */
    /* (The post's author has commented this caller check out, so any uid may proceed.) */
    /*
    myuid = getuid();
    if (myuid != AID_ROOT && myuid != AID_SHELL) {
        fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
        return 1;
    }
    */

    /* Drop to the requested ids; both calls rely on the binary running setuid root. */
    if(setgid(gid) || setuid(uid)) {
        fprintf(stderr,"lilisu: permission denied\n : %s", strerror(errno));
        return 1;
    }

    /* User specified command for exec. */
    if (argc == 3 ) {
        if (execlp(argv[2], argv[2], NULL) < 0) {
            fprintf(stderr, "lilisu: exec failed for %s Error:%s\n", argv[2],
                    strerror(errno));
            return -errno;
        }
    } else if (argc > 3) {
        /* Copy the rest of the args from main: argc - 1 pointers starting at
         * argv[2] also cover argv[argc], the terminating NULL execvp needs. */
        char *exec_args[argc - 1];
        memset(exec_args, 0, sizeof(exec_args));
        memcpy(exec_args, &argv[2], sizeof(exec_args));
        if (execvp(argv[2], exec_args) < 0) {
            fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
                    strerror(errno));
            return -errno;
        }
    }

    /* Default exec shell. */
    execlp("/system/bin/sh", "sh", NULL);
    fprintf(stderr, "lilisu: exec failed\n");
    return 1;
}

By default only UID root or shell is allowed to use su to escalate privileges; here we comment out the corresponding check.

Android's su must be placed in the system partition; /system/xbin is recommended.

[email protected]:/ # mount
...
/dev/block/platform/comip-mmc.1/by-name/system /system ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/block/platform/comip-mmc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
/dev/block/platform/comip-mmc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,data=ordered 0 0
/dev/block/vold/179:129 /mnt/media_rw/sdcard1 vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0

Note the nosuid option on /data: the kernel ignores setuid bits on that filesystem.

su has to be copied into /system/xbin.

Usually the partition's read-only attribute has to be removed first with mount -o remount,rw /system, which must be run with root privileges.

The permissions of su should look like this: -rwsr-sr-x root root su

The first s means the setuid bit is set (which is what allows privilege escalation), the second s means the setgid bit is set, and the third one, which would show as t in the last position, is the sticky bit.
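As an added example that is not part of the original post, the following POSIX shell audit turns the two conditions above into code: suid_mounts lists the mounted filesystems that would honour a setuid bit at all (no nosuid option), and mode_flags decodes an ls -l mode string such as -rwsr-sr-x into its setuid/setgid/sticky flags. The mount lines are constructed to match the format of the mount output above, and the two function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): where could a setuid binary
# actually take effect on this device?
#   1. only filesystems mounted without "nosuid" honour the setuid bit;
#   2. the file itself must carry the bit (s in the user/group execute slot).
# MOUNTS is constructed to mimic /proc/mounts-style lines from the post.

MOUNTS='/dev/block/platform/comip-mmc.1/by-name/system /system ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/block/platform/comip-mmc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023 0 0'

# suid_mounts: read "device mountpoint fstype options ..." lines from stdin
# and print the mount points whose option list lacks "nosuid".
suid_mounts() {
    while read -r dev mnt fstype opts rest; do
        case ",$opts," in
            *,nosuid,*) ;;                # setuid bits are ignored here
            *) printf '%s\n' "$mnt" ;;
        esac
    done
}

# mode_flags MODE: decode a 10-character ls -l mode string and print the
# special bits that are set, space separated (empty line if none).
#   position 4  (user execute)  shows s/S when setuid is set
#   position 7  (group execute) shows s/S when setgid is set
#   position 10 (other execute) shows t/T when the sticky bit is set
# Upper case means the bit is set but the execute bit underneath is not.
mode_flags() {
    mode=$1
    flags=""
    case "$mode" in ???[sS]*) flags="$flags setuid" ;; esac
    case "$mode" in ??????[sS]*) flags="$flags setgid" ;; esac
    case "$mode" in ?????????[tT]*) flags="$flags sticky" ;; esac
    printf '%s\n' "${flags# }"
}

# Stand-alone demonstration on the constructed data.
printf '%s\n' "$MOUNTS" | suid_mounts    # /system
mode_flags -rwsr-sr-x                    # setuid setgid
mode_flags -rwxr-xr-x                    # (empty)
```

Run against a real device the first function would be fed `cat /proc/mounts` and the second the mode column of ls -l; together they explain the post's point: a -rwsr-sr-x su under /system is honoured, while the same file under /data or the sdcard mounts is just an ordinary executable.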

Even after su has been placed in /system/xbin with the correct permissions set, it may still fail to run.

On Android 4.4 some vendors added dropping of the capability bounding set (CapBnd), and some kernels even add no_new_privs, so an ordinary app cannot escalate privileges.
Look up the app's pid and check whether its CapBnd: value is all F; if it is not, the process no longer has the set*id capabilities.
cat /proc/pid/status
!!! FUCK MIUI
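As an added example that is not part of the original post, this POSIX shell snippet automates the check just described: it pulls the CapBnd mask and the NoNewPrivs field out of /proc/<pid>/status text and decides whether a setuid binary could still give the process privileges. The two status texts are constructed (only their layout mimics the kernel's), and the function names cap_bit, no_new_privs and can_setid are chosen here; the NoNewPrivs line is assumed absent on kernels too old to report it.

```shell
#!/bin/sh
# Added example (not from the original post): from /proc/<pid>/status, can
# this process still gain privileges through a setuid binary?
# Two things matter: CAP_SETUID (bit 7) and CAP_SETGID (bit 6) must remain
# in the CapBnd bounding set, and no_new_privs must not be set (with it set,
# execve ignores setuid bits entirely).
# Both status texts are constructed; values are illustrative.

STATUS_FULL='Name:   sh
Pid:    1234
Uid:    2000    2000    2000    2000
CapBnd: 0000003fffffffff
NoNewPrivs:     0'

STATUS_DROPPED='Name:   app_process
Pid:    5678
Uid:    10045   10045   10045   10045
CapBnd: 0000003fffffff3f
NoNewPrivs:     1'

# cap_bit STATUS N: prints 1 if capability number N is in the CapBnd mask of
# the status text, 0 if it is absent or there is no CapBnd line at all.
cap_bit() {
    hex=$(printf '%s\n' "$1" | sed -n 's/^CapBnd:[[:space:]]*//p')
    if [ -z "$hex" ]; then
        echo 0
        return
    fi
    echo $(( (0x$hex >> $2) & 1 ))
}

# no_new_privs STATUS: prints the NoNewPrivs value, or "unknown" when the
# kernel does not report the field (assumed for older kernels).
no_new_privs() {
    v=$(printf '%s\n' "$1" | sed -n 's/^NoNewPrivs:[[:space:]]*//p')
    printf '%s\n' "${v:-unknown}"
}

# can_setid STATUS: "yes" when CAP_SETUID and CAP_SETGID both survive in
# CapBnd and NoNewPrivs is not reported as 1; "no" otherwise.
can_setid() {
    if [ "$(cap_bit "$1" 7)" = 1 ] && [ "$(cap_bit "$1" 6)" = 1 ] &&
       [ "$(no_new_privs "$1")" != 1 ]; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone demonstration; on a device pass "$(cat /proc/<pid>/status)".
can_setid "$STATUS_FULL"       # yes
can_setid "$STATUS_DROPPED"    # no
```

Testing the individual bits is more precise than eyeballing "all F": a vendor build only has to clear bits 6 and 7 (the low byte reads 3f instead of ff in the constructed STATUS_DROPPED) for the setgid()/setuid() calls in su to stop working for that process, while every other capability can remain.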

http://bbs.pediy.com/showthread.php?p=1268886
