一段su的源码
/*
**
** Copyright 2008, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
** http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/
#define LOG_TAG "su"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <unistd.h>
#include <time.h>
#include <pwd.h>
//#include <private/android_filesystem_config.h>
/*
* SU can be given a specific command to exec. UID _must_ be
* specified for this (ie argc => 3).
*
* Usage:
* su 1000
* su 1000 ls -l
*/
int main(int argc, char **argv)
{
struct passwd *pw;
int uid, gid, myuid;
if(argc < 2) {
uid = gid = 0;
} else {
pw = getpwnam(argv[1]);
if(pw == 0) {
uid = gid = atoi(argv[1]);
} else {
uid = pw->pw_uid;
gid = pw->pw_gid;
}
}
/* Until we have something better, only root and the shell can use su. */
/*
myuid = getuid();
if (myuid != AID_ROOT && myuid != AID_SHELL) {
fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
return 1;
}
*/
if(setgid(gid) || setuid(uid)) {
fprintf(stderr,"lilisu: permission denied\n : %s", strerror(errno));
return 1;
}
/* User specified command for exec. */
if (argc == 3 ) {
if (execlp(argv[2], argv[2], NULL) < 0) {
fprintf(stderr, "lilisu: exec failed for %s Error:%s\n", argv[2],
strerror(errno));
return -errno;
}
} else if (argc > 3) {
/* Copy the rest of the args from main. */
char *exec_args[argc - 1];
memset(exec_args, 0, sizeof(exec_args));
memcpy(exec_args, &argv[2], sizeof(exec_args));
if (execvp(argv[2], exec_args) < 0) {
fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
strerror(errno));
return -errno;
}
}
/* Default exec shell. */
execlp("/system/bin/sh", "sh", NULL);
fprintf(stderr, "lilisu: exec failed\n");
return 1;
}
默认至少 UID 为 root 或 shell 才可以提权,我们这里屏蔽掉相应代码
Android 的 su 必须放入 System 分区,建议 /System/xbin
root@lte26007:/ # mount
...
/dev/block/platform/comip-mmc.1/by-name/system /system ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/block/platform/comip-mmc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
/dev/block/platform/comip-mmc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,data=ordered 0 0
/dev/block/vold/179:129 /mnt/media_rw/sdcard1 vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0请看 /data 下 的 nosuid
要把 su 拷贝入 /system/xbin
一般需要先把此分区只读属性去掉 mount -o remount,rw /system 需要在 root 权限下执行
su 的权限应该是这样子的 -rwsr-sr-x root root su
其中第一个 s 表示可以通过设置 setuid (来提权), 第二个 s 表示可以 setgid, 第三个。。。是 t
su 已经放入 /system/xbin,并设置了正确的权限,还不能执行
4.4有些厂商增加了drop capbnd,甚至有些kernel还增加了no_new_privs,普通应用不能提权的
看看应用的pid,观察一下CapBnd:是否是全F,不是的话就没set*id 这个能力。
cat /proc/pid/status
!!! FUCK MIUI
6298
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
