Hi all,
this thread would like to be a short introduction to root user permissions on the general Android platform!
As we all know, the root user in a Unix-based OS is the user with UID equal to 0.
Many threads talk about gaining root on Android by means of magic one-click tools, or by flashing a custom recovery on the device, then copying the fantastic ChainsDD's su binary and installing Superuser or another apk to manage privileged action requests.
Do we really need it? Probably! But maybe we only want a root prompt, root privilege through adb shell or in the terminal emulator; this is certainly possible.
The default Android shell is /system/bin/sh; if we could run it through, for example, an executable owned by the user with UID 0, and if there were a Unix access rights flag that allows users to run an executable with the permissions of the executable's owner, we would probably get a root shell just by running that executable! Easy!
Only one thing: we should know a method to push our unsecure setuid executable, owned by root, under the /system/xbin directory, which is also owned by root!
For example, it might be possible to dump our /system, mount the filesystem data on a Linux box (where we know the root password), copy the unsecure ELF under the correct path, and then flash the modified /system image back to our device.
Once done, if we run the executable, ta daaan....
If someone wants to get his hands dirty:
this can be enough!
Code:
```c
#include <stdlib.h>
#include <unistd.h>
/* Becomes root only when this file is setuid and owned by UID 0 */
int main(void)
{
    if (setuid(0) != 0) return 1;   /* not setuid root: give up */
    system("/system/bin/sh");       /* shell inherits root privileges */
    return 0;
}
```
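The whole trick above depends on one observable fact: a setuid file owned by root sitting in /system/xbin. From the other side of the fence, that same fact is what you audit a /system image for. The following is an added example, not part of the original post: a POSIX shell audit that lists every setuid file under a mounted /system dump (or the live /system on the device) and flags any that are not on a known-good allowlist. It assumes a find(1) that understands -perm -4000 (toybox/busybox find on Android, GNU find on a Linux box); the function names, the allowlist format (one absolute path per line) and the sample directory tree in the usage note are all constructed for the example.

```sh
# Added example, not from the original post.
# Assumes POSIX find(1) with -perm and -type (toybox/busybox/GNU find).

# Print every regular file under $1 that has the setuid bit set.
# -perm -4000 matches files with the setuid bit regardless of other mode bits.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Print setuid files under $1 together with owner and mode, so a file that is
# setuid *and* owned by root (the dangerous combination) stands out at a glance.
show_setuid_owners() {
    find "$1" -type f -perm -4000 -exec ls -ld {} \; 2>/dev/null
}

# Print setuid files under $1 that are NOT listed in the allowlist file $2
# (one absolute path per line, as find prints them).
# Exit status is 0 when at least one unexpected file was printed, 1 when the tree is clean.
report_unexpected_setuid() {
    list_setuid "$1" | grep -vxF -f "$2"
}

# Example usage on a /system image mounted at /mnt/system (constructed path):
#   printf '%s\n' /mnt/system/xbin/su > allow.txt   # whatever your build legitimately ships
#   show_setuid_owners /mnt/system
#   report_unexpected_setuid /mnt/system allow.txt && echo "review the files above"
```

On a stock image the allowlist is usually tiny, so anything that turns up in xbin that you did not put there is worth a look; comparing the output of list_setuid before and after flashing is the quickest way to see whether an image was tampered with in the way the post describes.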