If you have a rooted Android phone, you are probably using a variation of JesusFreke's RC30 image. With JF's image, there are two ways you can get root:
- For remote root, you can adb shell into the phone
- For local root, run the setuid su binary from Terminal Emulator or pTerminal.
The problem with the latter is that any application can run su and get full, unfettered access to everything on the phone. This leaves the door open to malicious applications. However, the answer is not simply removing the su file, as then there is no way to perform superuser tasks from within legitimate applications.
To that end, I wrote the Superuser application that fixes the security hole, and also allows you or any application to get root when properly authorized. I've also written a Shell application to demonstrate how an application can request authorization.
How Superuser sets itself up:
- The standard RC30 install will have a setuid /system/bin/su. (If you deleted or disabled it, re-enable it for setup.)
- Install the Superuser Java application to your phone and run it.
- Superuser will create a copy of su named superuser.
- Superuser will chown superuser to user "root" and group app_gid (where app_gid is the group id of the Superuser application as determined by Android)
- Superuser will also chmod 4750 the superuser binary, so that the Superuser Java application, and only that application, can execute it as root.
- Finally, Superuser will chmod 4700 su to close the security hole.
How other applications get root access with the user's permissions:
- Any application can fire an intent to request access to the locked down /system/bin/su.
- When that happens, Superuser will catch the intent and ask the user if it should grant that application root permissions.
- If allowed, Superuser will chown 0:app_gid /system/bin/su (where app_gid is the gid of the requesting application).
- That application can then use /system/bin/su as normal.
- /system/bin/su will get reset to chown 0:0 after 10 seconds, so the requesting application must start su within that grace period. This is a bit of a kludge, but I'm a Linux newbie and don't know a better/cleaner way to do it.
- Since this is an unmodified version of su, 3rd party applications don't have to worry about piping in passwords and such.
- This is using the standard Linux level permissions and restrictions, as well as the Android framework permissions present at the Java level.
Full source code to Superuser and Shell is at the bottom of this post.
So, here's what the user experience looks like when running Shell and requesting root access:
First, we start up shell and try to run su. Note that running su is not allowed (as the uid of the process did not change). Shell needs to request permission to access su first:
This menu button fires the intent to request permission to su:
Superuser receives the request and asks the user if they wish to grant Shell superuser permissions:
Once granted, the user can properly execute su (as indicated by the root id in the prompt):
Superuser and Shell APK install files (will be on the market too soon).