Fixing the "setuid su" security hole on Modified Android RC30

shell

If you have a rooted Android phone, you are probably using a variation of JesusFreke's RC30 image. With JF's image, there are two ways you can get root:

  • For remote root, you can adb shell into the phone
  • For local root, run the root setuid su from Terminal Emulator or pTerminal.

The problem with the latter version is that any application can run su and get full unfettered access to everything on the phone. This leaves the door open to malicious applications. However, the answer is not simply removing the su file, as then there is no way to perform superuser tasks from within legitimate applications.

To that end, I wrote the Superuser application that fixes the security hole, and also allows you or any application to get root when properly authorized. I've also written a Shell application to demonstrate how an application can request authorization.

How Superuser sets itself up:

  • The standard RC30 install will have a setuid /system/bin/su. (if you deleted disabled it, reenable it for setup)
  • Install the Superuser Java application to your phone and run it.
  • Superuser will create a copy of su named superuser.
  • Superuser will chown superuser to user "root" and group app_gid (where app_gid is the group id of the Superuser application as determined by Android)
  • The superuser binary will also be chmod 4750 superuser, so that the Superuser Java application, and only that application, can execute it as root.
  • Finally, Superuser will chmod 4700 su to close the security hole.

How other applications get root access with the user's permissions:

  • Any application can fire an intent to request access to the locked down /system/bin/su.
  • When that happens, Superuser will catch the intent and ask the user if it should grant that application root permissions.
  • If allowed, Superuser will chown 0:app_gid /system/bin/su (where app_gid is the gid of the requesting application).
  • That application can then use /system/bin/su as normal.

Notes:

  • /system/bin/su will get reset to chown 0:0 after 10 seconds, so the requesting application must start the instance of su up within that grace period. This is a bit of a kludge, but I'm a Linux newbie and don't know a better/cleaner way to do it.
  • Since this is an unmodified version of su, 3rd party applications don't have to worry about piping in passwords and such.
  • This is using the standard Linux level permissions and restrictions, as well as the Android framework permissions present at the Java level.

Full source code to Superuser and Shell are at the bottom of this post.

So, here's what it the user experience looks like when running Shell and requesting root access:

First, we start up shell and try to run su. Note that running su is not allowed (as the uid of the process did not change). Shell needs to request permission to access su first:

nosu

This menu button fires the intent to request permission to su:

surequest

Superuser receives the request and asks the user if they wish to grant Shell superuser permissions:


suconfirm

Once granted, the user can properly execute su (as indicated by the root id in the prompt):

suworking

 

Superuser and Shell APK install files (will be on the market too soon).

Superuser and Shell Source Code.

6 comments:

zwerg said...

i tried ur apps but superuser app didnt work bcause idid not reenable /system/bin/su for setup, as you told in first step. then i uninstalled both apps.
now i got a problem here:
pterminal does not make me root anymore :(. if i type "su" i get "su: permission denied"...
what happened? what can i do to undo, what superuser-app changed in my system?

Koush said...

I found that this is a bug a bug with the Superuser application if you have v1.1 of RC30. Please download v1.2 from http://forum.xda-developers.com/showthread.php?t=443713 and reinstall Superuser.

zwerg said...

Thanks an lot. I will do it next days. BTW, i very much like ur idea how to secure rooted G1s with superuser-application. If it will work good, i would not loose my "freedom of choice"-possibilty of beeing root and have good security-feeling too. sounds perfect.
my regards!

Levbert said...

ok i had the v1.1 rc30 and i did not work then i downloaded and installed the v1.2 update now the program works but it does not let me access root. 'shell' is in the white list in superuser, however when i type in 'su' then 'id' it still does not show up as root please help, email me at levbertl@gmail.com

andraj said...

hi,

hey is it working with Android 1.5????

Anonymous said...

I know this is a bit late, but would there be a way to add a blacklist for apps? I have encountered some Android apps which try to su to root for some unknown reason, such as the Blizzard Authenticator, and if they get any result other than permission denied, they will refuse to run.