How does su work on android? And what are the pre-requisites for it to work? What is rooting on Android?
Possible Duplicate : what does the su mean: process = Runtime.getRuntime().exec("su");

I am tired of trying all the different things, yet I am still unsuccessful in understanding when su will work. What is rooting a device in Android? Someone please help me with this.

I replied to the following question. I tested the solution I posted there, and it worked.

Adding full permission for an image file in android.

Here is my question:

I tried the following.

Copied su.

Installed Superuser.apk.

From the program I called su and then, using the newly created process, I performed the required operations.

This has 2 results.

1) When the device is rooted (like executing the Permanent root option in z4root), it works; it changes the system file permissions.

2) When the device is not rooted, it does not work.

Kindly explain what extra thing z4root performs which makes the task possible. Explain in brief please.

Let me know if my question is not clear. Thanks a ton..

Generally answered 5/4, 2012 at 11:50
Possible duplicate of what does the su mean: process = Runtime.getRuntime().exec("su"); – Careless
What z4root (or any other rooting program) does is run some exploit to change its own uid (user id) to 0 (root). You can think of it as performing some kind of hack and tricking the kernel into thinking it actually has the right to be root (then, if z4root were a virus, it could do anything with your phone, from installing keyloggers to bricking it). Of course, if it is possible to trick the kernel in such a way as to give you root access, it is considered a security vulnerability (any app could do that and perform some malicious stuff) and usually gets fixed in future kernel updates (that's why z4root may not work if you upgrade your firmware).

When z4root has set its uid to 0 it does the following: remounts the /system partition as writable (by default it's read-only), copies over the su binary, Superuser.apk and busybox, and then remounts /system as read-only again.

So how does the su binary give you root access without doing "the hack" thing, when normally applications have the same uid as the parent process? This is because the su binary has the set-uid flag set and is always run as uid 0 (root).

Now, if you have copied the su binary over to /system/bin then you must have had root access, which means you just forgot to change the owner/permissions (chown root:root /system/bin/su; chmod 6755 /system/bin/su), but you still need root access to do that.

Fancy answered 9/4, 2012 at 21:27
Thanks.. But any clue on how to change the uid to 0 programmatically..? – Generally
@happy2Help You can't change your uid unless you are root (uid 0). Only root is allowed to change uid; otherwise any user could give himself elevated privileges. Answer: call an executable that has the setuid flag set (on most Linuxes by default only su and sudo have it, but you can create yours; you'll need root access to chown it as root, however). – Fancy
I think the 3rd paragraph and below are incorrect. Android's su doesn't use the setuid flag, because Android doesn't respect the flag. Instead, Android's su contacts a daemon process, daemonsu, which is directly forked by init. So the program that you run using su isn't a child process of su, but a child process of daemonsu. – Salmonberry
@WuYongzheng This answer is over two years old, and at that time I'm pretty confident Android used the setuid flag, since that's how I rooted my phone (download image -> unpack -> add su binary, setuid -> pack -> flash). – Fancy
@Fancy Didn't notice the date. Just checked. Dropping the setuid bit was implemented in Android 4.3 and above. – Salmonberry
@WuYongzheng Can I ask something? Is the policy of SELinux important regarding the use of the daemon? If SELinux is permissive, is a daemon still needed? – Pibroch
@SarpSTA Yes, SELinux is another reason why a daemon is needed, but only disabling SELinux won't enable old-school setuid su. – Salmonberry
@Fancy Of late, a new root method has evolved which bypasses the need for z4root and other apps that use "exploits". It works by directly flashing /system/bin/su at boot/recovery time. Is this a proper way of rooting, and is it able to survive upgrades to the kernel/OS? – Aoudad
Hello @Fancy, can you take a look at android.stackexchange.com/questions/175049/…? I think you can one-click make an account there, or if you prefer I can copy the question to this site. – Kemp
Nowadays there's no need to root your phone anymore. Just unlock the bootloader, flash a userdebug build and you'll have root access from adb (just call $ adb root), which you can then use to do whatever you want, including propagating this to on-device userspace. – Fancy
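The "persist root" sequence the accepted answer describes (remount /system read-write, drop in su, chown root:root, chmod 6755, remount read-only) as an added shell example. This is not code from the thread, from z4root or from any su project; it assumes a pre-4.3 Android where the kernel still honours the setuid bit (as the comments above note, newer versions do not), and the directory and owner parameters are hypothetical so the file-level steps can be exercised against an ordinary directory without a rooted device. The check function is the one the asker was missing: a copied su with no setuid bit is just a normal binary.

```shell
#!/bin/sh
# Added example, not code from the thread or from z4root.
# Assumes a pre-4.3 Android where setuid is honoured; paths and the owner
# argument are hypothetical parameters, defaulting to the real /system ones.

# Remount mount point $2 read-write ("rw") or read-only ("ro").
# Only meaningful (and only allowed, needs uid 0) on a real /system, so it
# is skipped when pointed at any other directory.
remount_system() {
    mode="$1"; mnt="$2"
    if [ "$mnt" = /system ]; then
        mount -o remount,"$mode" "$mnt"
    fi
}

# Does $1 carry the setuid bit? In "ls -l" output the owner-execute column
# (4th character) reads "s" when setuid and execute are both set.
has_setuid() {
    [ "$(ls -ld "$1" | cut -c4)" = s ]
}

# Owner of $1 (3rd field of "ls -l").
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Install su from $1 into directory $2 the way the answer says z4root does:
# copy it, chown it to $3 (root:root on a device; a test may pass the caller's
# own uid), then chmod 6755 so it runs as its owner no matter who execs it.
install_su() {
    src="$1"; dir="$2"; owner="${3:-root:root}"
    dst="$dir/su"
    mkdir -p "$dir"
    cp "$src" "$dst"
    chown "$owner" "$dst"
    chmod 6755 "$dst"
}

# The check the asker should have run on his copied su: present, setuid,
# owned by root. Prints a diagnosis; returns 0 only when all three hold.
check_su() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f"; return 1
    fi
    if ! has_setuid "$f"; then
        echo "not setuid: $f (chmod 6755 missing)"; return 1
    fi
    if [ "$(owner_of "$f")" != root ]; then
        echo "not owned by root: $f (chown root:root missing)"; return 1
    fi
    echo "ok: $f is setuid root"
}

# Whole sequence on a rooted device: run as uid 0 after the exploit step.
root_persist() {
    remount_system rw /system
    install_su "$1" /system/bin root:root
    remount_system ro /system
    check_su /system/bin/su
}
```

On a device you would call `root_persist /sdcard/su` from a shell that already has uid 0; everything before that point (the exploit that produced uid 0) is what the answer leaves out, and nothing here substitutes for it.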
When you root a device you overwrite or modify the OS image in the ROM to give yourself elevated permissions. Installing applications in user mode cannot possibly give you a privilege escalation in any version of Linux anywhere. If any user could make themselves root by "copying su", there would be no such thing as security.

Excursion answered 5/4, 2012 at 11:55
What exactly the OS image differences are is what I am trying to understand. Thanks for replying. – Generally
"Installing applications...cannot possibly give you a privilege escalation" I agree that it isn't supposed to, but this is generally how device rooting methods work. Exploitation of a security vulnerability is done to escalate the current non-root process to root, then some permanent change is put in place to allow easier privilege escalation later (e.g. copying su into the usually read-only 'system' filesystem). – Romito
I'm not sure what you're asking, but it seems a simple thing. You're trying to become "superuser", or do stuff with superuser rights. You can only do this if you have the actual rights to do so, given to the user account currently running on your device. Normally you don't have that right.

Keep in mind that "superuser" is the same as "root".

  • If you "root" your device it means you give yourself the right to become superuser. You can do stuff that requires you to be superuser: "su" is one of those commands, as it says "log me in as superuser". You obviously need superuser permissions to become that user.
  • If you haven't rooted the device, you don't have the rights to do the stuff superuser can. So calling su won't work.

So you can only do root stuff if you've rooted your device.

Cullie answered 5/4, 2012 at 11:56
"So you can only do root stuff if you've rooted your device" What the difference is between before and after rooting the device is what I am trying to understand. Is something added inside the OS which will make su work? Or what is it? – Generally
Look at it like this: you are "logged in" on your device as a user, just like on any other computer. That user does not have the rights to do superuser stuff. Everything you run (apps, etc.) is run with your rights. The change you make is that you allow random users (e.g. you) to become root. Look at it like this: normally it's like you log in to a library computer: you're not administrator. "Rooting" would mean "hacking" the computer so the default user would become administrator. – Cullie
