I recently found a way to maintain root access on my android device using a dropbear SSH server that I modified to run at boot as root using init.d, a lil scripting magic & some config scripts I made. If you want you can check it out here... Anyways for an experiment I removed the su binary and Superuser.apk from the system. I've managed to get them copied back to the system, but I don't know how to set the appropriate permissions for the su binary. If I look in Super User app on another rooted phone and go to update, it shows -rwsr -sr-x as the permissions on the binary. How can I set these same permission manually & what do they mean? Specifically the s part.
The s part is the setuid bit. Wikipedia:
setuid and setgid (short for "set user ID upon execution" and "set
group ID upon execution", respectively) are Unix access rights flags
that allow users to run an executable with the permissions of the
executable's owner or group respectively and to change behaviour in
directories.
That permission string means:
the owner can read, write, and execute
users in the file's group can read and execute
other users can read and execute
the file has setuid set
You can set that specific permission by running chmod 06755 /system/bin/su. That's the octal (= "out of eight", like decimal is "out of ten" and hexadecimal is "out of sixteen") encoding for:
the setuid bit (4) and setgid bit (2) = 6
all permissions for the owner (7)
read and execute for group (5)
read and execute for others (5)
Related
I have 285 different networks between the different campus apartments for which I am trying to add network profile information to a series of Lenovo Tab4 10 TB-X304F so they may connect without having our Apartment Managers carry around a list of wifi passwords.
So far, I have created a custom wpa_supplicant.conf file with all of the network blocks for each of the networks across the campus. I have rooted the device. I have pushed this custom file to /sdcard/TWRP. I then copied the file from /sdcard/TWRP to /data/misc/wifi.
Now we run into my issue, it appears that this file is stored in at least 3 locations which I have currently found, /etc/wifi, /system/etc/wifi and /data/misc/wifi. The other part of the problem is that these files appear to be rewritten/overwritten on boot.
Which of these file locations should I be updating with my custom wpa_supplicant.conf file? How do I stop the file from being rebuilt on boot? Or, how do I make the process, which builds the file on boot, build it with the networks I want added?
Am I missing any other steps?
I have also tried running " wpa_supplicant -iwlan0 -c/sdcard/TWRP/wpa_supplicant.conf -B " as a command in the adb shell with super user permissions and didn't receive any output or confirmation. What am I misunderstanding about the wpa_supplicant command?
Just in case here are the settings currently in /data/misc/wifi/wpa_supplicant.conf which I have copied into my custom file:
ctrl_interface=/data/misc/wifi/sockets
disable_scan_offload=1
driver_param=use_p2p_group_interface=1
update_config=1
device_name=LenovoTB-X304F
manufacturer=LENOVO
model_name=Lenovo TB-X304F
model_number=Lenovo TB-X304F
serial_number=<SerialNumber>
device_type=10-0050F204-5
config_methods=physical_display virtual_push_button
p2p_disabled=1
pmf=1
external_sim=1
tdls_external_control=1
I do not really know much, but I can successfully edit/replace
/data/misc/wifi/wpa_supplicant.conf
provided that (1) I have the device in Aeroplane Mode and (2) I make sure that the file belongs to user "system" and group "wifi", and has permissions 660. If I forget (1) or (2), somehow the file reverts later to the one before editing/replacing or is reinitialized to virtually empty (I am not sure when either happened exactly, but I noticed both cases). I believe your use of TWRP is effectively equivalent to my use of Aeroplane Mode--but I am not aware that you can "chown" a file in TWRP. I never had to touch any of the other locations where the file can apparently be found.
For reference, the commands to get the right ownership and permissions should be
chmod 660 /data/misc/wifi/wpa_supplicant.conf
chown system:wifi /data/misc/wifi/wpa_supplicant.conf
Of course, all this needs one to be root.
I have an app in Android that needs to modify the private databases of other apps using root. The current method works on all devices up to and including Lollypop, but seems to fail on Marshmallow devices due to SELinux.
To modify databases, the app does the following:
From root:
Copy target database to my app's folder preserving permissions and ownership (cp -p)
Change permissions (chmod 777)
From app, use SQLiteDatabase class to open database and execute queries
From root
Move back database and restore permissions
However, on Marshmallow, attempting to open the copied database with SQLiteDatabase fails and yields the follow AVC denial:
avc: denied { open } for path="/data/data/<my app package>/cache/<database>.db" dev="dm-0" ino=509488 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0
The only thing I've tried is running chcon u:r:untrusted_app:s0 on the file as root, but it says permission denied.
Additionally, from what I've read here: https://source.android.com/security/selinux/, it appears that SELinux was set to enforcing mode in the 5.0 release, so how come this is only an issue now on 6.0 but wasn't on 5.0?
I have just completed something like this for one of my apps so it works on Android 7 on a Pixel device.
Like you, I copy the original database files to my app's location. Then I not only chmod them but I also chown/chgrp them to my app's uid. Finally, I chcon the database files to the context found for them in their original location. I am then able to access and manipulate them via SqliteDatabase classes in my app.
Once I am finished, I move the database files back to their original location, chown/chgrp them back to the owning app's uid, and restorecon them.
This is a giant pain. But it seems to work in my limited testing so far. But beware that in later versions of Android the toolbox commands seem to have been replaced with toybox commands and this really impacts the chown/chgrp. Toolbox versions allow changing of owner and group in the same command. Toybox does not so you must issue both chown and chgrp commands.
There may be other command changes as well. for example, on the Pixel, the grep command is now a stand-alone binary and NOT a part of toolbox or toybox.
you can turn off the enforcing mode and move to permissive mode using adb shell su 0 setenforce 0 through code.
In permissive mode you are allowed do to do whatever you would do on normal phone without SELinux.
Once the enforcing mode is turned off you can do whatever you were doing before.
What linux permissions are needed for SystemProperties.set to work? (android)
I am writing an app that runs in system/app on an android device.
It is running as
android:sharedUserId="android.uid.systemui"
in Android.mk
LOCAL_CERTIFICATE := platform
However, I am finding that I cannot create, write or set a property.
In the console, I can do a getprop, setprop.
However, my program cannot create it.
ls -l /data/property/
shows it does not exist.
Slog.d(TAG, "key is not set, will set APPLE");
SystemProperties.set(keyName, favorite);
if(SystemProperties.get(keyName).equals(favorite)) {
Slog.d(TAG, keyName + " = " + SystemProperties.get(keyName));
} else {
Slog.e(TAG, "setting SystemProperties failed. value written = " + SystemProperties.get(keyName));
}
logcat:
Line 1365: D/MyTag( 2593): keyName: persist.fruit.user.favorite
Line 1373: D/MyTag( 2593): keyName has value []
Line 1377: D/MyTag( 2593): key is not set, will set APPLE
Line 1381: E/MyTag( 2593): setting SystemProperties failed. value written =
evidently perhaps it is a matter of insufficient permissions - but which ones?
I had accepted fadden's answer but after more exploration, found it was incorrect though it was very helpful in reaching the correct answer.
step 1:
look at the array in https://android.googlesource.com/platform/system/core/+/kitkat-release/init/property_service.c
{ "persist.sys.", AID_SYSTEM, 0 },
the name of your property should begin with the same key string in the array.
thus I had to change my property name to "persist.sys.fruit.user.favorite"
step 2:
in your android manifest file, run as user id mentioned in the array above.
<manifest android:sharedUserId="android.uid.system" >
It depends. In the 4.4 "KitKat" release, the list was contained in init's property_service.c (look around line 65). You can see, for example, that properties named debug.* can be updated by the "system" or "shell" user. (The mapping of system-recognized user IDs to numeric values can be found in android_filesystem_config.h.)
Some properties, such as ro.*, persist.*, and ctl.*, have additional restrictions or special behaviors.
In Android 5.0 "Lollipop", the list moved, but the behavior is the same.
Use adb shell ps to see what user ID your app is running under. If it's not system or shell, it won't be able to set system properties.
TL;DR: The rules on Android 5+ are more or less the same as for Android 4.4. Check the whitelist from the accepted answer and use a system app for writing sysprops.
Since Android 5 access to system properties is controlled only by SELinux policies. Depending on source security context (where you're calling from) you will have access to different system properties, which live in a designated target security context. A system service running in system server has more access than an app running with shared system UID - a system app.
The rules consist of several files:
property_contexts - maps system property prefixes to SELinux contexts
shell.te - specifies (among other) which properties are settable by ADB shell (or an app with shell UID)
system_app.te - specifies which properties are settable by a system app (an app with system UID)
system_server.te - specifies which properties are accessible from the system server
Context files are available on the device in location that varies with system version. *.te files are compiled to a binary file.
The default values are stored in AOSP repositories and both the values and the location changed over the years.
Lollipop
https://android.googlesource.com/platform/external/sepolicy/+/lollipop-release/property_contexts
https://android.googlesource.com/platform/external/sepolicy/+/lollipop-release/system_app.te
https://android.googlesource.com/platform/external/sepolicy/+/lollipop-release/shell.te
Nougat
https://android.googlesource.com/platform/system/sepolicy/+/nougat-release/property_contexts
https://android.googlesource.com/platform/system/sepolicy/+/nougat-release/system-app.te
https://android.googlesource.com/platform/system/sepolicy/+/nougat-release/shell.te
Oreo
https://android.googlesource.com/platform/system/sepolicy/+/oreo-release/private/property_contexts
https://android.googlesource.com/platform/system/sepolicy/+/oreo-release/public/property.te
https://android.googlesource.com/platform/system/sepolicy/+/oreo-release/public/system_app.te
https://android.googlesource.com/platform/system/sepolicy/+/oreo-release/public/shell.te
Notes
Generally you'd want to set system properties as a system app with one exception. Only a shell UID app may write log.tag. until Pie. A system UID app may also write log.tag. since Pie.
seapp_contexts defines SELinux contexts for apps. On Pie you can't run an app with shell system UID.
For more information see https://source.android.com/security/selinux/images/SELinux_Treble.pdf
I want to copy some files from it's own data folder(e.g. "/data/data/com.example.copy/") to "/data/local/tmp/". I can't access /data/local/tmp/ in my app. Is it possible to do it?
I don't have root access on my device.
Here's my code:
Process p=Runtime.getRuntime().exec("cat "+ this.getApplicationInfo().dataDir +"1.txt > /data/local/tmp/1.txt" );
p.waitFor();
No, you cannot do this from an application unless your device has something like a hacked su which lets you run a helper process as a more privileged user (ie, unless it is "rooted").
You should put the file somewhere else - such as the external storage. (If the adb shell is allowed to create directories under /data/local/tmp you might be able to create one there and chmod or chown it to give your app access, but that's non-portable across versions)
Or if you are merely trying to expose it, change the access permissions (someone will probably come along and point out the java constant for setting a file world readable is superficially deprecated, but actual disabling the capability would require a drastic change to the underlying operating system)
What I'm doing:
I've built GNU emacs for native use on an phone.
I run emacs in daemon mode on the phone, so I connect to it anytime with emacsclient, to continue working with regular files, run processes, etc.
When logging in from the terminal on the phone, I'm currently user 10157, everything works:
$ id
uid=10157(10157) gid=10157(10157)
groups=10157(10157),1015(1015),1023(1023),1028(1028),3003(3003)
When I connect via ssh to the phone from a PC (I use DigiSSHd on the phone), it logs me in as a regular user 10282, everything works:
$ id
uid=10282 gid=10282 groups=1015(1015),1023(1023),1028(1028),3003(3003)
Emacs runs fine etc. However, this way I can't connect via emacsclient to the emacs process running under user 10157. This is desirable, since I don't want to start two emacs processes, since I want to continue working with files that I have open in emacs under user 10157.
Therefore:
$ su - 10157
Fine, I can run emacs etc. However, I cannot access the web.
$ ping -c1 google.com
You must have internet permissions to use ping. Aborting.
$ id
uid=10157(10157) gid=10157(10157) groups=10157(10157)
Thus I'm no longer in group 3003, necessary for internet access, besides other groups also.
Why does this group info get stripped, and how can I remedy this, so I can continue accessing the web when su as this user under ssh?
When i run the command:
busybox --list
I don't see su in the list.
su --help
shows Superuser.apk in the help text. It means su is provided by Superuser app.
I followed the steps described by you and i could su as another user and still have internet permission as shown below.
I have the following apps installed.
BusyBox v1.18.5-Stericson
Superuser v3.0.7
Terminal Emulator v1.0.45
SSHDroid v1.9.6
Suggestion:
I think the issue is with su on your device. You may try this one.
https://play.google.com/store/apps/details?id=com.noshufou.android.su
If i just use adb shell without running SSHDroid still i can su as another user with internet permission.
Note: The BusyBox id command doesn't show groups information always.
According to the standard man page for su (from a linux box)
When - is used, it must be specified as the last su option. The other forms (-l and --login) do not have this restriction.
Based on that, try
$ su 10157 -
I'm probably missing something here because this seems way too obvious but why not just 'sudo -u 10157' your emacs program?
you'd still have access to the net and your emacs would be working. or did I miss something important?
Permissions are not environment variables that can be inherited via su -.
Moreover, gid are are hard coded and their associations with each APP uid cannot be changed after installation.
10157 should be the uid of the DigiSSHd application, thus you could try to rebuild it after changing the AndroidManifest.xml to require the proper permission.
You can find something useful here and here.
The same should work for BusyBox (see here).
However, you could open some security hole by enabling NETWORK access through such applications.