Android App调用su

      最近在做一个项目,客户需要在应用成获取临时root权限,刚开始觉得很简单,Android就自带有su命令,只是没编译进去,想着直接编译进去就行,就一口答应客户1天搞好,各种加班悲剧就是这样开始的。
  先在Android源码下找了一下,2分钟找到su源代码system/extras/su。修改了一下Android.mk,mmm编译后push到系统,(我们做系统,所以很多东西可以直接改源码),然后adb shell进入系统执行su,提示没有权限,没权限咱们就给权限被,于是adb root,adb remount 后再adb shell进入系统,chmod 777 /system/xbin/su,在执行su,还是提示permission denied,查看了一下su权限的确是-rwxrwxrwx没错,查看su源码,其实核心就是setuid(0),了解了,su就是切换uid,所以su还得加上s位,chmod 6777 su。在执行,成功了,以为大工告成。su源码如下:

/*
**
** Copyright 2008, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License"); 
** you may not use this file except in compliance with the License. 
** You may obtain a copy of the License at 
**
**     http://www.apache.org/licenses/LICENSE-2.0 
**
** Unless required by applicable law or agreed to in writing, software 
** distributed under the License is distributed on an "AS IS" BASIS, 
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
** See the License for the specific language governing permissions and 
** limitations under the License.
*/

#define LOG_TAG "su"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>

#include <unistd.h>
#include <time.h>

#include <pwd.h>

#include <private/android_filesystem_config.h>


void pwtoid(const char *tok, uid_t *uid, gid_t *gid)
{
    struct passwd *pw;
    pw = getpwnam(tok);
    if (pw) {
        if (uid) *uid = pw->pw_uid;
        if (gid) *gid = pw->pw_gid;
    } else {
        uid_t tmpid = atoi(tok);
        if (uid) *uid = tmpid;
        if (gid) *gid = tmpid;
    }
}

void extract_uidgids(const char *uidgids, uid_t *uid, gid_t *gid, gid_t *gids,
                     int *gids_count)
{
    char *clobberablegids;
    char *nexttok;
    char *tok;
    int gids_found;

    if (!uidgids || !*uidgids) {
        *gid = *uid = 0;
        *gids_count = 0;
        return;
    }
    clobberablegids = strdup(uidgids);
    strcpy(clobberablegids, uidgids);
    nexttok = clobberablegids;
    tok = strsep(&nexttok, ",");
    pwtoid(tok, uid, gid);
    tok = strsep(&nexttok, ",");
    if (!tok) {
        /* gid is already set above */
        *gids_count = 0;
        free(clobberablegids);
        return;
    }
    pwtoid(tok, NULL, gid);
    gids_found = 0;
    while ((gids_found < *gids_count) && (tok = strsep(&nexttok, ","))) {
        pwtoid(tok, NULL, gids);
        gids_found++;
        gids++;
    }
    if (nexttok && gids_found == *gids_count) {
        fprintf(stderr, "too many group ids\n");
    }
    *gids_count = gids_found;
    free(clobberablegids);
}

/*
 * SU can be given a specific command to exec. UID _must_ be
 * specified for this (ie argc => 3).
 *
 * Usage:
 *   su 1000
 *   su 1000 ls -l
 *  or
 *   su [uid[,gid[,group1]...] [cmd]]
 *  E.g.
 *  su 1000,shell,net_bw_acct,net_bw_stats id
 * will return
 *  uid=1000(system) gid=2000(shell) groups=3006(net_bw_stats),3007(net_bw_acct)
 */
int main(int argc, char **argv)
{
    struct passwd *pw;
    uid_t uid, myuid;
    gid_t gid, gids[10];

    /* Until we have something better, only root and the shell can use su. */
    myuid = getuid();
    if (myuid != AID_ROOT && myuid != AID_SHELL) {
        fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
        return 1;
    }

    if(argc < 2) {
        uid = gid = 0;
    } else {
        int gids_count = sizeof(gids)/sizeof(gids[0]);
        extract_uidgids(argv[1], &uid, &gid, gids, &gids_count);
        if(gids_count) {
            if(setgroups(gids_count, gids)) {
                fprintf(stderr, "su: failed to set groups\n");
                return 1;
            }
        }
    }

    if(setgid(gid) || setuid(uid)) {
        fprintf(stderr,"su: permission denied\n");
        return 1;
    }

    /* User specified command for exec. */
    if (argc == 3 ) {
        if (execlp(argv[2], argv[2], NULL) < 0) {
            int saved_errno = errno;
            fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
                    strerror(errno));
            return -saved_errno;
        }
    } else if (argc > 3) {
        /* Copy the rest of the args from main. */
        char *exec_args[argc - 1];
        memset(exec_args, 0, sizeof(exec_args));
        memcpy(exec_args, &argv[2], sizeof(exec_args));
        if (execvp(argv[2], exec_args) < 0) {
            int saved_errno = errno;
            fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
                    strerror(errno));
            return -saved_errno;
        }
    }

    /* Default exec shell. */
    execlp("/system/bin/sh", "sh", NULL);

    fprintf(stderr, "su: exec failed\n");
    return 1;
}

   尝试在app中调用

Runtime.getRuntime().exec(“su”);,居然返回错误su:uid5542 not allowed to su,查看su源码

    if (myuid != AID_ROOT && myuid != AID_SHELL) {
        fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
        return 1;
    }

原来是不是ROOT和SHEEL用户不让调用su,把这段话注释掉,然后还是出错,su:permission denied.这就奇怪了,明明adb shell是可以执行的,app提示还是没有权限,查找了一些博客,说selnux权限设置问题,花了好长时间修改了还是不行,直接把selinux关掉还不行,郁闷呀,后来在发现SANSUNG还做了band,郁闷呀,z最后放弃了这种方法。

   因为init进程肯定是有权限的,所以就想着写一个services通过init启动,这样就有权限,app通过socket通信创建链接,花了两天,编译到系统,初见成效,决定分享下,将serivce在init.rc中启动

services suserver /system/xbin/suserver

classs main

APP 调用方式 Runtime.getRuntime().exec(“suclient”)代码如下:

             目前还有个问题,执行ls等输出比较多的命令时,如果频繁执行的话,会造层service 挂掉,init要很久才能重启这个service,原因是输出比较多时outpuustream卡死,所以service挂了如果不执行这种命令的话目前还没发现其他问题,因为目前也不会一直执行这种命令,所以想着以后有机会再改!

 
Client:

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <string.h>

int main(int argc, char *argv[]) {
int client_sockfd;
int len;
int i;
char sendline[17824];
struct sockaddr_in remote_addr; //服务器端网络地址结构体
char buf[17824] = { '\0' }; //数据传送的缓冲区

for (i = 1; i < argc; i++) {
strcat(buf, argv[i]);
printf("%s\n", buf);
strcat(buf, " ");
}
strcat(buf, " 2>&1\0");
//printf("%s\n", buf);

memset(&remote_addr, 0, sizeof(remote_addr)); //数据初始化--清零
remote_addr.sin_family = AF_INET; //设置为IP通信
remote_addr.sin_addr.s_addr = inet_addr("127.0.0.1"); //服务器IP地址
remote_addr.sin_port = htons(40000); //服务器端口号

if((argc < 2 )||(strncmp(buf,"cct",3)==0)||(strncmp(buf,"su",2)==0)){
while(1){
fgets(sendline, 17824, stdin);
if(sendline[0]==10)
continue;
for(i=0;i<17824;i++){
if(sendline[i]==10){
sendline[i]=32;
break;
}
}
strcat(sendline," 2>&1\0");
//printf("sendline :%s\n", sendline);
if(strncmp(sendline,"exit",4)==0){
return 0;
}
if ((client_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return 1;
}
/*将套接字绑定到服务器的网络地址上*/
if (connect(client_sockfd, (struct sockaddr *) &remote_addr,
sizeof(struct sockaddr)) < 0) {
perror("connect");
return 1;
}

len = send(client_sockfd, sendline, strlen(sendline), 0);
len = recv(client_sockfd, buf, 17824, 0);
buf[len] = '\0';
if(strstr(buf,"not found")!=NULL){
write(2,buf,len);
}
else
printf("received:\n%s\n", buf);
close(client_sockfd);
}
return 0;
}
/*创建客户端套接字--IPv4协议,面向连接通信,TCP协议*/
if ((client_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return 1;
}
/*将套接字绑定到服务器的网络地址上*/
if (connect(client_sockfd, (struct sockaddr *) &remote_addr,
sizeof(struct sockaddr)) < 0) {
perror("connect");
return 1;
}
len = send(client_sockfd, buf, strlen(buf), 0);
len = recv(client_sockfd, buf, 17824, 0);
buf[len] = '\0';
printf("received:\n%s\n", buf);
close(client_sockfd); //关闭套接字


return 0;
}



Service :


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define MAXFILE 65535 // 最大的文件描述符
char* result;
long lenght = 8192;

void executeCMD(const char *cmd) {

char buf_ps[8192];
char ps[8192] = { 0 };
int i = 1;
char *result2 = NULL;
FILE *ptr = NULL;
strcpy(ps, cmd);
if ((ptr = popen(ps, "r")) != NULL) {
result = (char *) malloc(lenght * sizeof(char));
char *result2 = (char *) malloc(lenght * sizeof(char));

while (fgets(buf_ps, 8192, ptr) != NULL) {
result = (char *) malloc(lenght * i * sizeof(char));
if (result2 != NULL)
strcpy(result, result2);
strcat(result, buf_ps);
i++;
result2 = (char *) malloc(lenght * (i - 1) * sizeof(char));
strcpy(result2, result);
}
pclose(ptr);
ptr = NULL;
} else {
printf("popen %s error\n", ps);
}

}

int main() {
pid_t pc;
int i, fd;
/*
pc = fork();

if (pc < 0) {
printf("error fork/n");
exit(1);
} else if (pc > 0)
exit(0); // 父进程退出 , 这个子进程变成孤儿进程 , 由 init 进程接管 ,
*/
setsid(); // 变为后台程序
chdir("/");
umask(0); // 对所有的权限开放
for (i = 0; i < MAXFILE; i++)
close(i); // 关闭所有的不需要的文件描述符

int server_sockfd; //服务器端套接字
int client_sockfd; //客户端套接字
int len;
struct sockaddr_in my_addr; //服务器网络地址结构体
struct sockaddr_in remote_addr; //客户端网络地址结构体
int sin_size;
char buf[8192]; //数据传送的缓冲区
memset(&my_addr, 0, sizeof(my_addr)); //数据初始化--清零
my_addr.sin_family = AF_INET; //设置为IP通信
my_addr.sin_addr.s_addr = INADDR_ANY; //服务器IP地址--允许连接到所有本地地址上
my_addr.sin_port = htons(40000); //服务器端口号

/*创建服务器端套接字--IPv4协议,面向连接通信,TCP协议*/
if ((server_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return 1;
}

/*将套接字绑定到服务器的网络地址上*/
if (bind(server_sockfd, (struct sockaddr *) &my_addr,
sizeof(struct sockaddr)) < 0) {
perror("bind");
return 1;
}

/*监听连接请求--监听队列长度为5*/
listen(server_sockfd, 5);

sin_size = sizeof(struct sockaddr_in);

while (1) // 守护进程实现的服务
{

//printf("等待连接...\n");

if ((client_sockfd = accept(server_sockfd,
(struct sockaddr *) &remote_addr, &sin_size)) < 0) {
perror("accept");
//return 1;
}
//printf("接受到一个连接:%s \r\n", inet_ntoa(remote_addr.sin_addr));

if ((len = recv(client_sockfd, buf, 8192, 0)) > 0) {
buf[len] = '\0';
//printf("%s\n", buf);
executeCMD(buf);
if (strlen(result) == 0) {
strcpy(result, "Returing is null!");
}
if (send(client_sockfd, result, strlen(result), 0) < 0) {
perror("write");
//return 1;
}
}
close(client_sockfd);
}

close(server_sockfd);
return 0;
}



阅读更多
上一篇android 休眠时间和property设置
下一篇YUV数据总结
想对作者说点什么? 我来说一句

没有更多推荐了,返回首页

关闭
关闭
关闭