#include "su.h"
#include "utils.h"
+extern int is_daemon;
+extern int daemon_from_uid;
+extern int daemon_from_pid;
+
unsigned get_shell_uid() {
struct passwd* ppwd = getpwnam("shell");
if (NULL == ppwd) {
return 2000;
}
-
+
+ return ppwd->pw_uid;
+}
+
+unsigned get_system_uid() {
+ struct passwd* ppwd = getpwnam("system");
+ if (NULL == ppwd) {
+ return 1000;
+ }
+
+ return ppwd->pw_uid;
+}
+
+unsigned get_radio_uid() {
+ struct passwd* ppwd = getpwnam("radio");
+ if (NULL == ppwd) {
+ return 1001;
+ }
+
return ppwd->pw_uid;
}
+int fork_zero_fucks() {
+ int pid = fork();
+ if (pid) {
+ int status;
+ waitpid(pid, &status, 0);
+ return pid;
+ }
+ else {
+ if (pid = fork())
+ exit(0);
+ return 0;
+ }
+}
+
void exec_log(char *priority, char* logline) {
int pid;
if ((pid = fork()) == 0) {
- int zero = open("/dev/zero", O_RDONLY | O_CLOEXEC);
- dup2(zero, 0);
int null = open("/dev/null", O_WRONLY | O_CLOEXEC);
- dup2(null, 1);
- dup2(null, 2);
- execl("/system/bin/log", "/system/bin/log", "-p", priority, "-t", LOG_TAG, logline);
+ dup2(null, STDIN_FILENO);
+ dup2(null, STDOUT_FILENO);
+ dup2(null, STDERR_FILENO);
+ execl("/system/bin/log", "/system/bin/log", "-p", priority, "-t", LOG_TAG, logline, NULL);
_exit(0);
}
+ int status;
+ waitpid(pid, &status, 0);
}
void exec_loge(const char* fmt, ...) {
strncpy(from->name, pw->pw_name, sizeof(from->name));
}
+ if (is_daemon) {
+ from->uid = daemon_from_uid;
+ from->pid = daemon_from_pid;
+ }
+
return 0;
}
char mode[12];
FILE *fp;
if ((fp = fopen(REQUESTOR_MULTIUSER_MODE, "r"))) {
+ fgets(mode, sizeof(mode), fp);
int last = strlen(mode) - 1;
if (mode[last] == '\n')
mode[last] = '\0';
- fgets(mode, sizeof(mode), fp);
if (strcmp(mode, MULTIUSER_VALUE_USER) == 0) {
ret = MULTIUSER_MODE_USER;
} else if (strcmp(mode, MULTIUSER_VALUE_OWNER_MANAGED) == 0) {
pw = getpwuid(ctx->to.uid);
if (pw) {
setenv("HOME", pw->pw_dir, 1);
- setenv("SHELL", ctx->to.shell, 1);
+ if (ctx->to.shell)
+ setenv("SHELL", ctx->to.shell, 1);
+ else
+ setenv("SHELL", DEFAULT_SHELL, 1);
if (ctx->to.login || ctx->to.uid) {
setenv("USER", pw->pw_name, 1);
setenv("LOGNAME", pw->pw_name, 1);
} \
} while (0)
-#define write_string(fd, name, data) \
+#define write_string_data(fd, name, data) \
do { \
write_data(fd, name, strlen(name)); \
write_data(fd, data, strlen(data)); \
do { \
char buf[16]; \
snprintf(buf, sizeof(buf), "%d", data); \
- write_string(fd, name, buf); \
+ write_string_data(fd, name, buf); \
} while (0)
write_token(fd, "version", PROTO_VERSION);
+ write_token(fd, "binary.version", VERSION_CODE);
write_token(fd, "pid", ctx->from.pid);
- write_string(fd, "from.name", ctx->from.name);
- write_string(fd, "to.name", ctx->to.name);
+ write_string_data(fd, "from.name", ctx->from.name);
+ write_string_data(fd, "to.name", ctx->to.name);
write_token(fd, "from.uid", ctx->from.uid);
write_token(fd, "to.uid", ctx->to.uid);
- write_string(fd, "from.bin", ctx->from.bin);
- write_string(fd, "command", get_command(&ctx->to));
+ write_string_data(fd, "from.bin", ctx->from.bin);
+ // TODO: Fix issue where not using -c does not result a in a command
+ write_string_data(fd, "command", get_command(&ctx->to));
write_token(fd, "eof", PROTO_VERSION);
return 0;
}
static int socket_receive_result(int fd, char *result, ssize_t result_len) {
ssize_t len;
-
+
LOGD("waiting for user");
len = read(fd, result, result_len-1);
if (len < 0) {
fprintf(stream,
"Usage: su [options] [--] [-] [LOGIN] [--] [args...]\n\n"
"Options:\n"
+ " --daemon start the su daemon agent\n"
" -c, --command COMMAND pass COMMAND to the invoked shell\n"
" -h, --help display this help message and exit\n"
" -, -l, --login pretend the shell to be a login shell\n"
static __attribute__ ((noreturn)) void deny(struct su_context *ctx) {
char *cmd = get_command(&ctx->to);
- // No send to UI denied requests for shell and root users (they are in the log)
- // if( ctx->from.uid != AID_SHELL && ctx->from.uid != AID_ROOT ) {
+ int send_to_app = 1;
+
+ // no need to log if called by root
+ if (ctx->from.uid == AID_ROOT)
+ send_to_app = 0;
+
+ // dumpstate (which logs to logcat/shell) will spam the crap out of the system with su calls
+ if (strcmp("/system/bin/dumpstate", ctx->from.bin) == 0)
+ send_to_app = 0;
+
+ if (send_to_app)
send_result(ctx, DENY);
- // }
+
LOGW("request rejected (%u->%u %s)", ctx->from.uid, ctx->to.uid, cmd);
fprintf(stderr, "%s\n", strerror(EACCES));
exit(EXIT_FAILURE);
int argc, err;
umask(ctx->umask);
- // No send to UI accepted requests for shell and root users (they are in the log)
- // if( ctx->from.uid != AID_SHELL && ctx->from.uid != AID_ROOT ) {
+ int send_to_app = 1;
+
+ // no need to log if called by root
+ if (ctx->from.uid == AID_ROOT)
+ send_to_app = 0;
+
+ // dumpstate (which logs to logcat/shell) will spam the crap out of the system with su calls
+ if (strcmp("/system/bin/dumpstate", ctx->from.bin) == 0)
+ send_to_app = 0;
+
+ if (send_to_app)
send_result(ctx, ALLOW);
- // }
- arg0 = strrchr (ctx->to.shell, '/');
- arg0 = (arg0) ? arg0 + 1 : ctx->to.shell;
+ char *binary;
+ argc = ctx->to.optind;
+ if (ctx->to.command) {
+ binary = ctx->to.shell;
+ ctx->to.argv[--argc] = ctx->to.command;
+ ctx->to.argv[--argc] = "-c";
+ }
+ else if (ctx->to.shell) {
+ binary = ctx->to.shell;
+ }
+ else {
+ if (ctx->to.argv[argc]) {
+ binary = ctx->to.argv[argc++];
+ }
+ else {
+ binary = DEFAULT_SHELL;
+ }
+ }
+
+ arg0 = strrchr (binary, '/');
+ arg0 = (arg0) ? arg0 + 1 : binary;
if (ctx->to.login) {
int s = strlen(arg0) + 2;
char *p = malloc(s);
set_identity(ctx->to.uid);
#define PARG(arg) \
- (ctx->to.optind + (arg) < ctx->to.argc) ? " " : "", \
- (ctx->to.optind + (arg) < ctx->to.argc) ? ctx->to.argv[ctx->to.optind + (arg)] : ""
+ (argc + (arg) < ctx->to.argc) ? " " : "", \
+ (argc + (arg) < ctx->to.argc) ? ctx->to.argv[argc + (arg)] : ""
- LOGD("%u %s executing %u %s using shell %s : %s%s%s%s%s%s%s%s%s%s%s%s%s%s",
+ LOGD("%u %s executing %u %s using binary %s : %s%s%s%s%s%s%s%s%s%s%s%s%s%s",
ctx->from.uid, ctx->from.bin,
- ctx->to.uid, get_command(&ctx->to), ctx->to.shell,
+ ctx->to.uid, get_command(&ctx->to), binary,
arg0, PARG(0), PARG(1), PARG(2), PARG(3), PARG(4), PARG(5),
(ctx->to.optind + 6 < ctx->to.argc) ? " ..." : "");
- argc = ctx->to.optind;
- if (ctx->to.command) {
- ctx->to.argv[--argc] = ctx->to.command;
- ctx->to.argv[--argc] = "-c";
- }
ctx->to.argv[--argc] = arg0;
- execv(ctx->to.shell, ctx->to.argv + argc);
+ execvp(binary, ctx->to.argv + argc);
err = errno;
PLOGE("exec");
- fprintf(stderr, "Cannot execute %s: %s\n", ctx->to.shell, strerror(err));
+ fprintf(stderr, "Cannot execute %s: %s\n", binary, strerror(err));
exit(EXIT_FAILURE);
}
"enable it under settings -> developer options");
return 1;
}
-
+
}
return 0;
}
+static int is_api_18() {
+ char sdk_ver[PROPERTY_VALUE_MAX];
+ char *data = read_file("/system/build.prop");
+ get_property(data, sdk_ver, "ro.build.version.sdk", "0");
+ int ver = atoi(sdk_ver);
+ free(data);
+ return ver >= 18;
+}
+
int main(int argc, char *argv[]) {
+ // start up in daemon mode if prompted
+ if (argc == 2 && strcmp(argv[1], "--daemon") == 0) {
+ return run_daemon();
+ }
+
+ // attempt to use the daemon client if not root,
+ // or this is api 18 and adb shell (/data is not readable even as root)
+ if ((geteuid() != AID_ROOT && getuid() != AID_ROOT) || (is_api_18() && getuid() == AID_SHELL)) {
+ // attempt to connect to daemon...
+ LOGD("starting daemon client %d %d", getuid(), geteuid());
+ return connect_daemon(argc, argv);
+ }
+
// Sanitize all secure environment variables (from linker_environ.c in AOSP linker).
/* The same list than GLibc at this point */
static const char* const unsec_vars[] = {
.uid = AID_ROOT,
.login = 0,
.keepenv = 0,
- .shell = DEFAULT_SHELL,
+ .shell = NULL,
.command = NULL,
.argv = argv,
.argc = argc,
while ((c = getopt_long(argc, argv, "+c:hlmps:Vvu", long_opts, NULL)) != -1) {
switch(c) {
case 'c':
+ ctx.to.shell = DEFAULT_SHELL;
ctx.to.command = optarg;
break;
case 'h':
if (from_init(&ctx.from) < 0) {
deny(&ctx);
}
-
+
read_options(&ctx);
user_init(&ctx);
-
- if (ctx.user.multiuser_mode == MULTIUSER_MODE_OWNER_ONLY && ctx.user.android_user_id != 0) {
- deny(&ctx);
- }
-
- if (access_disabled(&ctx.from)) {
- LOGD("access_disabled");
- deny(&ctx);
- }
- ctx.umask = umask(027);
-
- if (ctx.from.uid == AID_ROOT || ctx.from.uid == AID_SHELL) {
- LOGD("Allowing root/shell.");
+ // the latter two are necessary for stock ROMs like note 2 which do dumb things with su, or crash otherwise
+ if (ctx.from.uid == AID_ROOT) {
+ LOGD("Allowing root/system/radio.");
allow(&ctx);
}
+ // verify superuser is installed
if (stat(ctx.user.base_path, &st) < 0) {
- silent_run("am start -d market://details?id=" JAVA_PACKAGE_NAME);
+ // send to market (disabled, because people are and think this is hijacking their su)
+ // if (0 == strcmp(JAVA_PACKAGE_NAME, REQUESTOR))
+ // silent_run("am start -d http://www.clockworkmod.com/superuser/install.html -a android.intent.action.VIEW");
PLOGE("stat %s", ctx.user.base_path);
deny(&ctx);
}
+ // odd perms on superuser data dir
if (st.st_gid != st.st_uid) {
LOGE("Bad uid/gid %d/%d for Superuser Requestor application",
(int)st.st_uid, (int)st.st_gid);
deny(&ctx);
}
-
+
+ // always allow if this is the superuser uid
+ // superuser needs to be able to reenable itself when disabled...
if (ctx.from.uid == st.st_uid) {
- // automatically grant the superuser app itself
allow(&ctx);
}
+ // check if superuser is disabled completely
+ if (access_disabled(&ctx.from)) {
+ LOGD("access_disabled");
+ deny(&ctx);
+ }
+
+ // autogrant shell at this point
+ if (ctx.from.uid == AID_SHELL) {
+ LOGD("Allowing shell.");
+ allow(&ctx);
+ }
+
+ // deny if this is a non owner request and owner mode only
+ if (ctx.user.multiuser_mode == MULTIUSER_MODE_OWNER_ONLY && ctx.user.android_user_id != 0) {
+ deny(&ctx);
+ }
+
+ ctx.umask = umask(027);
+
int ret = mkdir(REQUESTOR_CACHE_PATH, 0770);
if (chown(REQUESTOR_CACHE_PATH, st.st_uid, st.st_gid)) {
PLOGE("chown (%s, %ld, %ld)", REQUESTOR_CACHE_PATH, st.st_uid, st.st_gid);
LOGD("db denied");
deny(&ctx); /* never returns too */
}
-
+
socket_serv_fd = socket_create_temp(ctx.sock_path, sizeof(ctx.sock_path));
LOGD(ctx.sock_path);
if (socket_serv_fd < 0) {