来源:蜘蛛抓取(WebSpider)
时间:2017-05-11 11:22
标签:
mysql授予用户权限
Android App 获取 root权限 - quanminchaoren - ITeye技术网站
在博文《Android程序的安全系统》中提到两种让root权限的办法。本文将会以一个例子实现来演示怎样让一个Android应用程序获得root权限。
问题
&&& 现在遇到的问题是想在Java应用程序中动态mount一个NFS的系统,但是执行mount命令必须要要root权限才可以。一般情况下,在Android的Java层是不能获得root权限的。
思路
&& 在博文《Android程序的安全系统》中提到两种思路:
&&& 1、实现一个init实现一个Service,来帮助Android应用程序执行root权限的命令。
&&& 2、实现一个虚拟设备,这个设备帮助Android应用程序执行root权限的命令。
&& 本文将会选择第一种来解决Android应用程序mount NFS文件系统的问题。
Init.rc Service
&& 在Android系统init.rc中定义很多Service,具体定义格式可以参考《Android Platform Developer’s Guide》中的“Android Init Language”。Init.rc中定义的Service将会被Init进程创建,这样将可以获得root权限。
&& 现在问题是Android应用程序怎样启动让init进程知道我们想运行那个进程呢?答案是设置系统属性“ctl.start”,把 “ctl.start”设置为你要运行的Service,假设为“xxx”,Android系统将会帮你运行“ctl.start”系统属性中指定的 Service。那么运行结果init进程将会将会写入命名为“init.svc.+Service名称”的属性中,也就是“init.svc.xxx” 属性,应用程序可以参考查阅这个值来确定Service执行的情况。想更深入了解Android property系统可以参考博文《(翻译)Android属性系统》。
Android property权限
&&& 难道Android属性“ctl.start”是所有进程都可以设置的吗?那世界不就乱套了,谁都可以可以执行init.rc中Service了,查看 property_service.c中的源码,设置Android系统属性的函数为handle_property_set_fd:
&& 1: void handle_property_set_fd(int fd)
&& 3:&&&& ......
&& 4:&&&& switch(msg.cmd) {
&& 5:&&&& case PROP_MSG_SETPROP:
&& 6:&&&&&&&& msg.name[PROP_NAME_MAX-1] = 0;
&& 7:&&&&&&&& msg.value[PROP_VALUE_MAX-1] = 0;
&& 9:&&&&&&&& if(memcmp(msg.name,"ctl.",4) == 0) {
& 10:&&&&&&&&&&&& if (check_control_perms(msg.value, cr.uid, cr.gid)) {
& 11:&&&&&&&&&&&&&&&& handle_control_message((char*) msg.name + 4, (char*) msg.value);
& 12:&&&&&&&&&&&& } else {
& 13:&&&&&&&&&&&&&&&& ERROR("sys_prop: Unable to %s service ctl [%s] uid: %d pid:%d\n",
& 14:&&&&&&&&&&&&&&&&&&&&&&&& msg.name + 4, msg.value, cr.uid, cr.pid);
& 15:&&&&&&&&&&&& }
& 16:&&&&&&&& }
& 17:&&&&&&&& ......
& 18:&&&& }
&&& 从源码中我们发现如果设置“ctl.”开头的Android系统property,将会调用check_control_perms函数来检查调用者的权限,其定义如下:
&& 1: static int check_control_perms(const char *name, int uid, int gid) {
&& 3:&&&& if (uid == AID_SYSTEM || uid == AID_ROOT)
&& 4:&&&&&&&& return 1;
&& 6:&&&& /* Search the ACL */
&& 7:&&&& for (i = 0; control_perms[i]. i++) {
&& 8:&&&&&&&& if (strcmp(control_perms[i].service, name) == 0) {
&& 9:&&&&&&&&&&&& if ((uid && control_perms[i].uid == uid) ||
& 10:&&&&&&&&&&&&&&&& (gid && control_perms[i].gid == gid)) {
& 11:&&&&&&&&&&&&&&&& return 1;
& 12:&&&&&&&&&&&& }
& 13:&&&&&&&& }
& 14:&&&& }
& 15:&&&& return 0;
&&& 我们发现root权限和system权限的应用程序将会授权修改“ctl.”开头的Android系统属性。否则将会检查control_perms全局变量中的定义权限和Service。
&&& 如果想更深入的了解Android Init进程和Android Property的权限控制,请参考《Android Permission》。
实例
&&& 通过上面的介绍我们基本已经有思路了,下面以上面提出的mount nfs文件系统为例说明:
1、首先定义一个执行mount的脚本,我把它位于/system/etc/mount_nfs.sh,定义如下:
&& 1: #!/system/bin/sh
&& 3: /system/bin/busybox mount -o rw,nolock -t nfs 192.168.1.6:/nfs_srv /data/mnt
不要忘了把它加上可执行权限。
2、在init.rc中加入一个Service定义,定义如下:
&& 1: service mount_nfs /system/etc/mount_nfs.sh
&& 2:&&&& oneshot
&& 3:&&&& disabled
3、让自己的应用程序获得system权限,博文《Android程序的安全系统》中提到了怎样获得system权限,请参考,这里就不赘述了。
4、在自己应用程序中设置System系统属性“ctl.start”为“mount_nfs”,这样Android系统将会帮我们运行mount_nfs系统属性了。这里需要强调的是不能够调用System.getProperty, 这个函数只是修改JVM中的系统属性。而不能修改Android的系统属性。可以调用 android.os.SystemProperties(Android 2.1 Eclair系统可以调用这个API),如果你的Android版本不能调用这个类,只能通过JNI,调用C/C++层的API property_get和property_set函数了。如果想详细了解请参考《(翻译)Android属性系统》。代码如下:
&& 1: SystemProperties.set("ctl.start", "mount_nfs");
5、最后在自己应用程序中,读取“init.svc.mount_nfs”Android系统Property,检查执行结果。代码如下:
&& 1: while(true)
&& 3:&&&& mount_rt = SystemProperties.get("init.svc.mount_nfs", "");
&& 4:&&&& if(mount_rt != null && mount_rt.equals("stopped"))
&& 5:&&&& {
&& 6:&&&&&&&&
&& 7:&&&& }
&& 9:&&&& try
& 10:&&&& {
& 11:&&&&&&&& Thread.sleep(1000);
& 12:&&&& }catch(Exception ex){
& 13:&&&&&&&& Log.e(TAG, "Exception: " + ex.getMessage());
& 14:&&&& }
&&& init进程维护一个service的队列,所以我们需要轮训来查询service的执行结果。
&&& 通过上面的这些步骤,Android应用程序就能够调用init.rc中定义的Service了。这样你的Android应用程序也就获得了root权限。
总结
&& 通过上文可以看出,在Android获得root权限还是需要一些前提的,比如:
&&& 1、必须是Android系统开发人员,否则你无法修改init.rc等文件。 2、你的应用程序必须要获得system权限。
&&& 这样可以防止root权限被应用程序无限制的使用,最终危及Android系统安全。
quanminchaoren
浏览: 619666 次
来自: 上海
我勒个去,搜到你的博客了,关注!
楼主,这个修改时间有个问题,退出修改界面就不保存设置的时间了, ...
你好...我也遇到屏幕半屏刷成黑屏的问题...但是我的时在开机 ...
你好...我也遇到屏幕半屏刷成黑屏的问题...但是我的时在开机 ...
推荐android一键反编译神器 apkdec09:19:05 UTC
好厉害,过来顶一下
09:28:55 UTC
09:45:53 UTC
14:55:00 UTC
02:20:42 UTC
怒顶!!!!
06:28:32 UTC
iosre.dylib 之后闪退啊
08:48:39 UTC
Oct 16 16:47:01 FR9Q SpringBoard[28] : LICreateIconForImage passed NULL CGImageRef imageOct 16 16:47:01 FR9Q networkd[148] : Analytics Engine: double ON for app: com.mobisentry.firstdemoOct 16 16:47:01 FR9Q ReportCrash[423] : MS:Notice: Injecting: (null) ReportCrashOct 16 16:47:01 FR9Q ReportCrash[423] : ReportCrash acting against PID 422Oct 16 16:47:01 FR9Q ReportCrash[423] : Formulating crash report for process FirstDemo[422]Oct 16 16:47:01 FR9Q com.apple.launchd1 : (UIKitApplication:com.mobisentry.firstdemo[0x1e46]) Job appears to have crashed: Trace/BPT trap: 5Oct 16 16:47:01 FR9Q com.apple.launchd1 : (UIKitApplication:com.mobisentry.firstdemo[0x1e46]) Throttling respawn: Will start in
secondsOct 16 16:47:01 FR9Q backboardd[34] : Application 'UIKitApplication:com.mobisentry.firstdemo[0x1e46]' exited abnormally with signal 5: Trace/BPT trap: 5Oct 16 16:47:01 FR9Q ReportCrash[423] : Saved crashreport to /var/mobile/Library/Logs/CrashReporter/FirstDemo_-164701_FR9Q.plist using uid: 0 gid: 0, synthetic_euid: 501 egid: 0Oct 16 16:47:02 FR9Q wifid[75] : WiFi:[1350]: Async scan requested by "locationd" for 1 iterations with maxage=0 priority low on en0Oct 16 16:47:02 FR9Q wifid[75] : WiFi:[1927]: Enqueuing command type: "Scan" pending commands: 0Oct 16 16:47:02 FR9Q wifid[75] : WiFi:[2364]: Dequeuing command type: "Scan" pending commands: 0Oct 16 16:47:02 FR9Q wifid[75] : WiFi:[2718]: Attempting Apple80211ScanAsync on en0Oct 16 16:47:02 FR9Q wifid[75] : WiFi:[9167]: Completed Apple80211ScanAsync on en0 (0)Oct 16 16:47:02 FR9Q wifid[75] : WiFi:[3008]: Async scan request completed for "locationd" (0)Oct 16 16:47:08 FR9Q wifid[75] : WiFi:[8251]: WiFiLocaleManagerCheckLocale: trying to determine locale...
10:36:14 UTC
是不是缺少什么工具啊
15:04:17 UTC
你注入到了哪个App里?
02:28:39 UTC
就是上一个例子中生成的RootApp.app啊
02:29:02 UTC
就是上一个例子中生成的RootApp.app啊
02:45:56 UTC
在不注入的情况下,你的RooApp可以正常工作吗?我把RootApp的工程源码上传到了,你下载了编译一下,拿我的版本试试能不能成功注入dylib
05:26:26 UTC
没注入之前是可以正常工作的
08:21:18 UTC
注入完之后app 闪退 但是登录手机后台运行可以成功,只是中间的按钮没法交互
求大神解释一下原因(ps
没注入前 app出现的红色背景上的按钮 也不能交互)
10:51:58 UTC
全部成功了 偶也
13:10:55 UTC
你上面提到的问题都是怎么解决的,在帖子里说明一下,也给后来人提供一些帮助啊
03:50:50 UTC
好啊,抽空。现在没注入iosre.dylib库之前点击按钮可以重启,重启之后点击按钮还可以重启,但是当注入之后,北京颜色可以改变,点击按钮重启之后,再点击app会闪退,是Demo就这样啊,还是我的步骤有问题
04:43:03 UTC
闪退原因是什么?syslog里面查查看
06:38:17 UTC
注入玩之后,可以重启了,但是第二次重启 程序闪退啊日志如下:Oct 23 14:33:19 FR9Q wifid[75] : WiFi:[8831]: Client identityservices set type to background applicationOct 23 14:33:19 FR9Q wifid[75] : WiFi:[9486]: BG Application: Not Present, BG Daemon: Present. Daemons: networkd lockdownd sharingd apsd identityservices Oct 23 14:33:19 FR9Q wifid[75] : WiFi:[9834]: Already connected to LinkSys2013.Oct 23 14:33:19 FR9Q com.apple.imfoundation.IMRemoteURLConnectionAgent[522] : MS:Notice: Injecting: com.apple.imfoundation.IMRemoteURLConnectionAgent com.apple.imfoundation.IMRemoteURLConnectionAgentOct 23 14:33:19 FR9Q wifid[75] : WiFi:[5152]: Creating client for "IMRemoteURLConne"Oct 23 14:33:21 FR9Q SpringBoard[28] : LICreateIconForImage passed NULL CGImageRef imageOct 23 14:33:21 FR9Q networkd[152] : Analytics Engine: double ON for app: com.mobisentry.rootappOct 23 14:33:21 FR9Q ReportCrash[526] : MS:Notice: Injecting: (null) ReportCrashOct 23 14:33:21 FR9Q ReportCrash[526] : ReportCrash acting against PID 524Oct 23 14:33:21 FR9Q ReportCrash[526] : Formulating crash report for process RootApp[524]Oct 23 14:33:21 FR9Q com.apple.launchd1 : (UIKitApplication:com.mobisentry.rootapp[0x2988]) Job appears to have crashed: Trace/BPT trap: 5Oct 23 14:33:21 FR9Q com.apple.launchd1 : (UIKitApplication:com.mobisentry.rootapp[0x2988]) Throttling respawn: Will start in
secondsOct 23 14:33:21 FR9Q backboardd[34] : Application 'UIKitApplication:com.mobisentry.rootapp[0x2988]' exited abnormally with signal 5: Trace/BPT trap: 5Oct 23 14:33:21 FR9Q ReportCrash[526] : Saved crashreport to /Library/Logs/CrashReporter/RootApp_-143321_FR9Q.plist using uid: 0 gid: 0, synthetic_euid: 0 egid: 0Oct 23 14:33:25 FR9Q wifid[75] : WiFi:[7847]: MIS state is DisabledOct 23 14:33:25 FR9Q wifid[75] : WiFi:[8378]: MIS state queried by "identityservices" is DisableOct 23 14:33:25 FR9Q wifid[75] : WiFi:[3084]: Client identityservices set type to normal applicationOct 23 14:33:25 FR9Q wifid[75] : WiFi:[3875]: BG Application: Not Present, BG Daemon: Present. Daemons: networkd lockdownd sharingd apsd Oct 23 14:33:27 FR9Q wifid[75] : WiFi:[0726]: Client identityservices set type to background applicationOct 23 14:33:27 FR9Q wifid[75] : WiFi:[1012]: BG Application: Not Present, BG Daemon: Present. Daemons: networkd lockdownd sharingd apsd identityservices Oct 23 14:33:27 FR9Q wifid[75] : WiFi:[1322]: Already connected to LinkSys2013.Oct 23 14:33:31 FR9Q wifid[75] : WiFi:[3107]: MIS state is DisabledOct 23 14:33:31 FR9Q wifid[75] : WiFi:[3615]: MIS state queried by "identityservices" is DisableOct 23 14:33:31 FR9Q wifid[75] : WiFi:[7730]: Client identityservices set type to normal applicationOct 23 14:33:31 FR9Q wifid[75] : WiFi:[8338]: BG Application: Not Present, BG Daemon: Present. Daemons: networkd lockdownd sharingd apsd Oct 23 14:33:31 FR9Q wifid[75] : WiFi:[7320]: WiFi unquiescing requested by "locationd"Oct 23 14:33:32 FR9Q wifid[75] : WiFi:[5318]: WiFi unquiescing requested by "locationd"Oct 23 14:33:42 FR9Q wifid[75] : WiFi:[3478]: WiFi unquiescing requested by "locationd"Oct 23 14:33:52 FR9Q wifid[75] : WiFi:[3926]: Client identityservices set type to background applicationOct 23 14:33:52 FR9Q wifid[75] : WiFi:[4218]: BG Application: Not Present, BG Daemon: Present. Daemons: networkd lockdownd sharingd apsd identityservices Oct 23 14:33:52 FR9Q wifid[75] : WiFi:[4530]: Already connected to LinkSys2013.Oct 23 14:33:54 FR9Q wifid[75] : WiFi:[9713]: MIS state is DisabledOct 23 14:33:54 FR9Q wifid[75] : WiFi:[0213]: MIS state queried by "identityservices" is DisableOct 23 14:33:54 FR9Q wifid[75] : WiFi:[4242]: Client identityservices set type to normal applicationOct 23 14:33:54 FR9Q wifid[75] : WiFi:[4934]: BG Application: Not Present, BG Daemon: Present. Daemons: networkd lockdownd sharingd apsd Oct 23 14:33:56 FR9Q wifid[75] : WiFi:[0840]: IMRemoteURLConne requesting removal of BGScan networksOct 23 14:33:56 FR9Q wifid[75] : WiFi:[4658]: No change in Background Scan candidates. Skip re-programming Background ScanOct 23 14:33:56 FR9Q wifid[75] : WiFi:[5721]: Already connected to LinkSys2013.Oct 23 14:33:56 FR9Q wifid[75] : WiFi:[6210]: Removing client for "IMRemoteURLConne"Oct 23 14:33:56 FR9Q wifid[75] : WiFi:[5078]: Client identityservices set type to background application
06:39:07 UTC
注入玩之后,可以重启了,但是第二次重启 程序闪退啊日志如下:Oct 23 14:33:19 FR9Q wifid[75] : WiFi:[8831]: Client identityservices set type to background applicationOct 23 14:33:19 FR9Q wifid[75] : WiFi:[9486]: BG Application: Not Present, BG Daemon: Present. Daemons: networkd lockdownd sharingd apsd identityservices Oct 23 14:33:19 FR9Q wifid[75] : WiFi:[9834]: Already connected to LinkSys2013.Oct 23 14:33:19 FR9Q com.apple.imfoundation.IMRemoteURLConnectionAgent[522] : MS:Notice: Injecting: com.apple.imfoundation.IMRemoteURLConnectionAgent com.apple.imfoundation.IMRemoteURLConnectionAgentOct 23 14:33:19 FR9Q wifid[75] : WiFi:[5152]: Creating client for "IMRemoteURLConne"Oct 23 14:33:21 FR9Q SpringBoard[28] : LICreateIconForImage passed NULL CGImageRef imageOct 23 14:33:21 FR9Q networkd[152] : Analytics Engine: double ON for app: com.mobisentry.rootappOct 23 14:33:21 FR9Q ReportCrash[526] : MS:Notice: Injecting: (null) ReportCrashOct 23 14:33:21 FR9Q ReportCrash[526] : ReportCrash acting against PID 524Oct 23 14:33:21 FR9Q ReportCrash[526] : Formulating crash report for process RootApp[524]Oct 23 14:33:21 FR9Q com.apple.launchd1 : (UIKitApplication:com.mobisentry.rootapp[0x2988]) Job appears to have crashed: Trace/BPT trap: 5Oct 23 14:33:21 FR9Q com.apple.launchd1 : (UIKitApplication:com.mobisentry.rootapp[0x2988]) Throttling respawn: Will start in
secondsOct 23 14:33:21 FR9Q backboardd[34] : Application 'UIKitApplication:com.mobisentry.rootapp[0x2988]' exited abnormally with signal 5: Trace/BPT trap: 5Oct 23 14:33:21 FR9Q ReportCrash[526] : Saved crashreport to /Library/Logs/CrashReporter/RootApp_-143321_FR9Q.plist using uid: 0 gid: 0, synthetic_euid: 0 egid: 0Oct 23 14:33:25 FR9Q wifid[75] : WiFi:[7847]: MIS state is DisabledOct 23 14:33:25 FR9Q wifid[75] : WiFi:[8378]: MIS state queried by "identityservices" is DisableOct 23 14:33:25 FR9Q wifid[75] : WiFi:[3084]: Client identityservices set type to normal applicationOct 23 14:33:25 FR9Q wifid[75] : WiFi:[3875]: BG Application: Not Present, BG Daemon: Present. Daemons: networkd lockdownd sharingd apsd Oct 23 14:33:27 FR9Q wifid[75] : WiFi:[0726]: Client identityservices set type to background applicationOct 23 14:33:27 FR9Q wifid[75] : WiFi:[1012]: BG Application: Not Present, BG Daemon: Present. Daemons: networkd lockdownd sharingd apsd identityservices Oct 23 14:33:27 FR9Q wifid[75] : WiFi:[1322]: Already connected to LinkSys2013.Oct 23 14:33:31 FR9Q wifid[75] : WiFi:[3107]: MIS state is DisabledOct 23 14:33:31 FR9Q wifid[75] : WiFi:[3615]: MIS state queried by "identityservices" is DisableOct 23 14:33:31 FR9Q wifid[75] : WiFi:[7730]: Client identityservices set type to normal applicationOct 23 14:33:31 FR9Q wifid[75] : WiFi:[8338]: BG Application: Not Present, BG Daemon: Present. Daemons: networkd lockdownd sharingd apsd Oct 23 14:33:31 FR9Q wifid[75] : WiFi:[7320]: WiFi unquiescing requested by "locationd"Oct 23 14:33:32 FR9Q wifid[75] : WiFi:[5318]: WiFi unquiescing requested by "locationd"Oct 23 14:33:42 FR9Q wifid[75] : WiFi:[3478]: WiFi unquiescing requested by "locationd"Oct 23 14:33:52 FR9Q wifid[75] : WiFi:[3926]: Client identityservices set type to background applicationOct 23 14:33:52 FR9Q wifid[75] : WiFi:[4218]: BG Application: Not Present, BG Daemon: Present. Daemons: networkd lockdownd sharingd apsd identityservices Oct 23 14:33:52 FR9Q wifid[75] : WiFi:[4530]: Already connected to LinkSys2013.Oct 23 14:33:54 FR9Q wifid[75] : WiFi:[9713]: MIS state is DisabledOct 23 14:33:54 FR9Q wifid[75] : WiFi:[0213]: MIS state queried by "identityservices" is DisableOct 23 14:33:54 FR9Q wifid[75] : WiFi:[4242]: Client identityservices set type to normal applicationOct 23 14:33:54 FR9Q wifid[75] : WiFi:[4934]: BG Application: Not Present, BG Daemon: Present. Daemons: networkd lockdownd sharingd apsd Oct 23 14:33:56 FR9Q wifid[75] : WiFi:[0840]: IMRemoteURLConne requesting removal of BGScan networksOct 23 14:33:56 FR9Q wifid[75] : WiFi:[4658]: No change in Background Scan candidates. Skip re-programming Background ScanOct 23 14:33:56 FR9Q wifid[75] : WiFi:[5721]: Already connected to LinkSys2013.Oct 23 14:33:56 FR9Q wifid[75] : WiFi:[6210]: Removing client for "IMRemoteURLConne"Oct 23 14:33:56 FR9Q wifid[75] : WiFi:[5078]: Client identityservices set type to background application问题对人有帮助,内容完整,我也想知道答案
问题没有实际价值,缺少关键内容,没有改进余地
(注:这两种方式都是能够成功root的)
android app请求root权限 弹出授权窗口的方式和设备已经root,无需请求授权的方式,有什么区别?
这两种root方式的相同点和不同点以及各自的原理是怎样的,还请对这方面熟悉的大神,解答一下!
同步到新浪微博
分享到微博?
Hi,欢迎来到 SegmentFault 技术社区!⊙▽⊙ 在这里,你可以提出编程相关的疑惑,关注感兴趣的问题,对认可的回答投赞同票;大家会帮你解决编程的问题,和你探讨技术更新,为你的回答投上赞同票。
明天提醒我
关闭理由:
删除理由:
忽略理由:
推广(招聘、广告、SEO 等)方面的内容
与已有问题重复(请编辑该提问指向已有相同问题)
答非所问,不符合答题要求
宜作评论而非答案
带有人身攻击、辱骂、仇恨等违反条款的内容
无法获得确切结果的问题
非开发直接相关的问题
非技术提问的讨论型问题
其他原因(请补充说明)
我要该,理由是:
扫扫下载 App
