The Android su source checks whether the calling user is root or the shell user; otherwise the su command fails. We can comment out the following code:
/* Until we have something better, only root and the shell can use su. */
myuid = getuid();
if (myuid != AID_ROOT && myuid != AID_SHELL) {
fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
return 1;
}
To remove this restriction, the updated source code is as below:
#include <dirent.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>
/*
* SU can be given a specific command to exec. The UID _must_ be
* specified for this (i.e. argc >= 3).
*
* Usage:
* su 1000
* su 1000 ls -l
*/
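/*
 * Entry point: switch to the requested uid/gid and exec either the given
 * command (argv[2..]) or a default shell.
 *
 * Exit status: 1 on bad user argument, failed identity switch or failed exec
 * (the original returned -errno, which a shell sees truncated to 8 bits).
 */
int main(int argc, char **argv)
{
    uid_t uid;
    gid_t gid;

    /*
     * Resolve the target identity. No argument means root; otherwise the
     * argument is a user name, or a numeric id used for both uid and gid.
     */
    if (argc < 2) {
        uid = 0;
        gid = 0;
    } else {
        struct passwd *pw = getpwnam(argv[1]);
        if (pw != NULL) {
            uid = pw->pw_uid;
            gid = pw->pw_gid;
        } else {
            /*
             * strtol instead of atoi: atoi("garbage") silently yields 0,
             * i.e. an unknown user name would have become root.
             */
            char *end = NULL;
            errno = 0;
            long id = strtol(argv[1], &end, 10);
            if (end == argv[1] || *end != '\0' || errno == ERANGE || id < 0) {
                fprintf(stderr, "su: unknown user %s\n", argv[1]);
                return 1;
            }
            uid = (uid_t)id;
            gid = (gid_t)id;
        }
    }

    /*
     * Until we have something better, only root and the shell can use su.
     *
     * NOTE(review): the getuid() test below is the only authorization check
     * in this program. With it commented out, this setuid-root binary will
     * switch ANY caller to ANY uid, so every process on the device that can
     * exec it can become root; that is the risk this build accepts.
     */
    /* myuid = getuid();
    if (myuid != AID_ROOT && myuid != AID_SHELL) {
    fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
    return 1;
    }
    */

    /*
     * Order matters when changing identity: clear supplementary groups, set
     * the primary gid, then set the uid last (once the uid is unprivileged
     * the gid can no longer be changed). Without setgroups() the caller's
     * supplementary group memberships would survive the switch.
     */
    if (setgroups(0, NULL) || setgid(gid) || setuid(uid)) {
        fprintf(stderr, "su: permission denied\n");
        return 1;
    }

    if (argc >= 3) {
        /*
         * User specified command for exec. argv[2..argc-1] is already a
         * NULL-terminated vector (argv[argc] == NULL), so it can be passed
         * straight to execvp; no copy into a VLA is needed.
         */
        execvp(argv[2], &argv[2]);
        fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
                strerror(errno));
        return 1;
    }

    /* Default exec shell. (char *)NULL: the variadic terminator must be a pointer. */
    execlp("/system/bin/sh", "sh", (char *)NULL);
    fprintf(stderr, "su: exec failed\n");
    return 1;
}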
Now you can build this file with ndk-build, then push it to the /system/xbin directory to replace the original su file.
Set the setuid bit (the "s" flag) on the new su with "chmod 6755 /system/xbin/su".
Make sure the /system folder is writable before pushing the su file:
mount -o remount,ro /dev/block/mtdblock0 /system
Then you can su without any restriction, for example:
su system ; switch to system account from root account
su root ls "a file only accessed by root" ; you can access file/directory which only can be accessed by root account under system account.
su ; switch to root shell from system account