最近在做一个项目,客户需要在应用成获取临时root权限,刚开始觉得很简单,Android就自带有su命令,只是没编译进去,想着直接编译进去就行,就一口答应客户1天搞好,各种加班悲剧就是这样开始的。
先在Android源码下找了一下,2分钟找到su源代码system/extras/su。修改了一下Android.mk,mmm编译后push到系统,(我们做系统,所以很多东西可以直接改源码),然后adb shell进入系统执行su,提示没有权限,没权限咱们就给权限被,于是adb root,adb remount 后再adb shell进入系统,chmod 777 /system/xbin/su,在执行su,还是提示permission denied,查看了一下su权限的确是-rwxrwxrwx没错,查看su源码,其实核心就是setuid(0),了解了,su就是切换uid,所以su还得加上s位,chmod 6777 su。在执行,成功了,以为大工告成。su源码如下:
/*
**
** Copyright 2008, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
** http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/
#define LOG_TAG "su"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <unistd.h>
#include <time.h>
#include <pwd.h>
#include <private/android_filesystem_config.h>
void pwtoid(const char *tok, uid_t *uid, gid_t *gid)
{
struct passwd *pw;
pw = getpwnam(tok);
if (pw) {
if (uid) *uid = pw->pw_uid;
if (gid) *gid = pw->pw_gid;
} else {
uid_t tmpid = atoi(tok);
if (uid) *uid = tmpid;
if (gid) *gid = tmpid;
}
}
void extract_uidgids(const char *uidgids, uid_t *uid, gid_t *gid, gid_t *gids,
int *gids_count)
{
char *clobberablegids;
char *nexttok;
char *tok;
int gids_found;
if (!uidgids || !*uidgids) {
*gid = *uid = 0;
*gids_count = 0;
return;
}
clobberablegids = strdup(uidgids);
strcpy(clobberablegids, uidgids);
nexttok = clobberablegids;
tok = strsep(&nexttok, ",");
pwtoid(tok, uid, gid);
tok = strsep(&nexttok, ",");
if (!tok) {
/* gid is already set above */
*gids_count = 0;
free(clobberablegids);
return;
}
pwtoid(tok, NULL, gid);
gids_found = 0;
while ((gids_found < *gids_count) && (tok = strsep(&nexttok, ","))) {
pwtoid(tok, NULL, gids);
gids_found++;
gids++;
}
if (nexttok && gids_found == *gids_count) {
fprintf(stderr, "too many group ids\n");
}
*gids_count = gids_found;
free(clobberablegids);
}
/*
* SU can be given a specific command to exec. UID _must_ be
* specified for this (ie argc => 3).
*
* Usage:
* su 1000
* su 1000 ls -l
* or
* su [uid[,gid[,group1]...] [cmd]]
* E.g.
* su 1000,shell,net_bw_acct,net_bw_stats id
* will return
* uid=1000(system) gid=2000(shell) groups=3006(net_bw_stats),3007(net_bw_acct)
*/
int main(int argc, char **argv)
{
struct passwd *pw;
uid_t uid, myuid;
gid_t gid, gids[10];
/* Until we have something better, only root and the shell can use su. */
myuid = getuid();
if (myuid != AID_ROOT && myuid != AID_SHELL) {
fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
return 1;
}
if(argc < 2) {
uid = gid = 0;
} else {
int gids_count = sizeof(gids)/sizeof(gids[0]);
extract_uidgids(argv[1], &uid, &gid, gids, &gids_count);
if(gids_count) {
if(setgroups(gids_count, gids)) {
fprintf(stderr, "su: failed to set groups\n");
return 1;
}
}
}
if(setgid(gid) || setuid(uid)) {
fprintf(stderr,"su: permission denied\n");
return 1;
}
/* User specified command for exec. */
if (argc == 3 ) {
if (execlp(argv[2], argv[2], NULL) < 0) {
int saved_errno = errno;
fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
strerror(errno));
return -saved_errno;
}
} else if (argc > 3) {
/* Copy the rest of the args from main. */
char *exec_args[argc - 1];
memset(exec_args, 0, sizeof(exec_args));
memcpy(exec_args, &argv[2], sizeof(exec_args));
if (execvp(argv[2], exec_args) < 0) {
int saved_errno = errno;
fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
strerror(errno));
return -saved_errno;
}
}
/* Default exec shell. */
execlp("/system/bin/sh", "sh", NULL);
fprintf(stderr, "su: exec failed\n");
return 1;
}
尝试在app中调用
Runtime.getRuntime().exec(“su”);,居然返回错误su:uid5542 not allowed to su,查看su源码
if (myuid != AID_ROOT && myuid != AID_SHELL) {
fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
return 1;
}
原来是不是ROOT和SHEEL用户不让调用su,把这段话注释掉,然后还是出错,su:permission denied.这就奇怪了,明明adb shell是可以执行的,app提示还是没有权限,查找了一些博客,说selnux权限设置问题,花了好长时间修改了还是不行,直接把selinux关掉还不行,郁闷呀,后来在发现SANSUNG还做了band,郁闷呀,z最后放弃了这种方法。
因为init进程肯定是有权限的,所以就想着写一个services通过init启动,这样就有权限,app通过socket通信创建链接,花了两天,编译到系统,初见成效,决定分享下,将serivce在init.rc中启动
services suserver /system/xbin/suserver
classs main
APP 调用方式 Runtime.getRuntime().exec(“suclient”)代码如下:
目前还有个问题,执行ls等输出比较多的命令时,如果频繁执行的话,会造层service 挂掉,init要很久才能重启这个service,原因是输出比较多时outpuustream卡死,所以service挂了如果不执行这种命令的话目前还没发现其他问题,因为目前也不会一直执行这种命令,所以想着以后有机会再改!
Client:
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <string.h>
int main(int argc, char *argv[]) {
int client_sockfd;
int len;
int i;
char sendline[17824];
struct sockaddr_in remote_addr; //服务器端网络地址结构体
char buf[17824] = { '\0' }; //数据传送的缓冲区
for (i = 1; i < argc; i++) {
strcat(buf, argv[i]);
printf("%s\n", buf);
strcat(buf, " ");
}
strcat(buf, " 2>&1\0");
//printf("%s\n", buf);
memset(&remote_addr, 0, sizeof(remote_addr)); //数据初始化--清零
remote_addr.sin_family = AF_INET; //设置为IP通信
remote_addr.sin_addr.s_addr = inet_addr("127.0.0.1"); //服务器IP地址
remote_addr.sin_port = htons(40000); //服务器端口号
if((argc < 2 )||(strncmp(buf,"cct",3)==0)||(strncmp(buf,"su",2)==0)){
while(1){
fgets(sendline, 17824, stdin);
if(sendline[0]==10)
continue;
for(i=0;i<17824;i++){
if(sendline[i]==10){
sendline[i]=32;
break;
}
}
strcat(sendline," 2>&1\0");
//printf("sendline :%s\n", sendline);
if(strncmp(sendline,"exit",4)==0){
return 0;
}
if ((client_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return 1;
}
/*将套接字绑定到服务器的网络地址上*/
if (connect(client_sockfd, (struct sockaddr *) &remote_addr,
sizeof(struct sockaddr)) < 0) {
perror("connect");
return 1;
}
len = send(client_sockfd, sendline, strlen(sendline), 0);
len = recv(client_sockfd, buf, 17824, 0);
buf[len] = '\0';
if(strstr(buf,"not found")!=NULL){
write(2,buf,len);
}
else
printf("received:\n%s\n", buf);
close(client_sockfd);
}
return 0;
}
/*创建客户端套接字--IPv4协议,面向连接通信,TCP协议*/
if ((client_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return 1;
}
/*将套接字绑定到服务器的网络地址上*/
if (connect(client_sockfd, (struct sockaddr *) &remote_addr,
sizeof(struct sockaddr)) < 0) {
perror("connect");
return 1;
}
len = send(client_sockfd, buf, strlen(buf), 0);
len = recv(client_sockfd, buf, 17824, 0);
buf[len] = '\0';
printf("received:\n%s\n", buf);
close(client_sockfd); //关闭套接字
return 0;
}
Service :
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define MAXFILE 65535 // 最大的文件描述符
char* result;
long lenght = 8192;
void executeCMD(const char *cmd) {
char buf_ps[8192];
char ps[8192] = { 0 };
int i = 1;
char *result2 = NULL;
FILE *ptr = NULL;
strcpy(ps, cmd);
if ((ptr = popen(ps, "r")) != NULL) {
result = (char *) malloc(lenght * sizeof(char));
char *result2 = (char *) malloc(lenght * sizeof(char));
while (fgets(buf_ps, 8192, ptr) != NULL) {
result = (char *) malloc(lenght * i * sizeof(char));
if (result2 != NULL)
strcpy(result, result2);
strcat(result, buf_ps);
i++;
result2 = (char *) malloc(lenght * (i - 1) * sizeof(char));
strcpy(result2, result);
}
pclose(ptr);
ptr = NULL;
} else {
printf("popen %s error\n", ps);
}
}
int main() {
pid_t pc;
int i, fd;
/*
pc = fork();
if (pc < 0) {
printf("error fork/n");
exit(1);
} else if (pc > 0)
exit(0); // 父进程退出 , 这个子进程变成孤儿进程 , 由 init 进程接管 ,
*/
setsid(); // 变为后台程序
chdir("/");
umask(0); // 对所有的权限开放
for (i = 0; i < MAXFILE; i++)
close(i); // 关闭所有的不需要的文件描述符
int server_sockfd; //服务器端套接字
int client_sockfd; //客户端套接字
int len;
struct sockaddr_in my_addr; //服务器网络地址结构体
struct sockaddr_in remote_addr; //客户端网络地址结构体
int sin_size;
char buf[8192]; //数据传送的缓冲区
memset(&my_addr, 0, sizeof(my_addr)); //数据初始化--清零
my_addr.sin_family = AF_INET; //设置为IP通信
my_addr.sin_addr.s_addr = INADDR_ANY; //服务器IP地址--允许连接到所有本地地址上
my_addr.sin_port = htons(40000); //服务器端口号
/*创建服务器端套接字--IPv4协议,面向连接通信,TCP协议*/
if ((server_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return 1;
}
/*将套接字绑定到服务器的网络地址上*/
if (bind(server_sockfd, (struct sockaddr *) &my_addr,
sizeof(struct sockaddr)) < 0) {
perror("bind");
return 1;
}
/*监听连接请求--监听队列长度为5*/
listen(server_sockfd, 5);
sin_size = sizeof(struct sockaddr_in);
while (1) // 守护进程实现的服务
{
//printf("等待连接...\n");
if ((client_sockfd = accept(server_sockfd,
(struct sockaddr *) &remote_addr, &sin_size)) < 0) {
perror("accept");
//return 1;
}
//printf("接受到一个连接:%s \r\n", inet_ntoa(remote_addr.sin_addr));
if ((len = recv(client_sockfd, buf, 8192, 0)) > 0) {
buf[len] = '\0';
//printf("%s\n", buf);
executeCMD(buf);
if (strlen(result) == 0) {
strcpy(result, "Returing is null!");
}
if (send(client_sockfd, result, strlen(result), 0) < 0) {
perror("write");
//return 1;
}
}
close(client_sockfd);
}
close(server_sockfd);
return 0;
}