[Q] SU as a Service? - Android Q&A, Help & Troubleshooting

Mods, in case this is the wrong forum for this kind of discussion, feel free to move it. I'm a newbie here and the rules are always a bit ambiguous until you get a feel for how that particular community interprets them.
The problem I'm having is this: My phone is rooted and I've written a short application that moves the apk of another application to the SD, replacing it with a dummy file that in turn launches my application.
Moving the data to the SD isn't a problem and neither is moving it back, but informing the OS that it has been moved back is a different matter, as the particular broadcast message needed to inform other applications of the availability is protected by a UID check which will only allow root or system to proceed. While I can spawn a root shell, I haven't found a way to make this shell interact with the Android system, so the broadcast comes from my application which has a non-system UID and is therefore denied.
I know I could sign my application with the system keys and add it to the shared system UID group, but let's be honest: that's more trouble than it's worth and would require me to re-sign all system applications on any device where I want my little app to run.
So I need a few API calls executed by an application that is already owned by a system user; a mediator which listens for requests from unprivileged applications and, after a user prompt, executes them in its own context.
I'm quite willing to write such a mediator service myself, but I don't want to duplicate work that's already being done... does anybody else know about
a) methods that would make such a mediator unnecessary
b) existing mediator services available on custom ROMs?
Update:
Right now I'm digging through the app_process source code, as it interfaces with the Android runtime from C++, which might allow for executing Android code under the UID of a Linux binary...

Related

[Q] HOME=/sdcard a security problem?

I am running CyanogenMod, and probably should raise this issue with them. However, I can't get either their forum registration nor their feature request mechanism to work.
By default, /etc/bash/bashrc sets HOME=/sdcard, with the result that when a user types 'bash' into the shell, bash looks for and executes /sdcard/.bashrc. The problem with this is that, according to my understanding, /sdcard is writable by most apps. So, the fairly innocuous "write to sdcard" permission is in effect an "elevate to root if user runs bash" permission. Am I wrong in this analysis? In my /etc/bash/bashrc I went ahead and set HOME=/data/local/root.
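The check described in this post can be made mechanical. The following is an added example, not part of the post or of CyanogenMod's bashrc: a POSIX shell function that a bashrc can run before trusting HOME, accepting a directory only if it is owned by the current user and not writable by group or others (the property /sdcard lacks), plus a helper that picks the first trusted candidate from a list. The candidate paths and the fallback to / are assumptions.

```shell
#!/bin/sh
# Added example: refuse to treat a group- or world-writable directory as HOME.
# Meant to be sourced from a bashrc before any "$HOME/.bashrc" is read.

# home_is_trusted DIR
# Returns 0 when DIR exists, is owned by the current user, and is not
# writable by group or others; returns 1 otherwise.
home_is_trusted() {
    dir=$1
    [ -d "$dir" ] || return 1
    # `ls -ldn` prints: mode links uid gid ... (numeric ids, POSIX-portable)
    set -- $(ls -ldn "$dir")
    mode=$1
    owner=$3
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        ?????w*)    return 1 ;;   # group write bit set (6th character)
        ????????w*) return 1 ;;   # other write bit set (9th character)
    esac
    return 0
}

# safe_home DIR...
# Prints the first candidate that passes home_is_trusted; fails if none does.
safe_home() {
    for candidate in "$@"; do
        if home_is_trusted "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Usage in a bashrc (paths are the ones named in the post; /sdcard is tried
# last and will be rejected on a device where it is app-writable):
#   HOME=$(safe_home /data/local/root /sdcard) || HOME=/
```

The ownership test uses numeric uids so it also behaves on devices without a name for the shell user; the mode test only looks at the write bits, so a directory that is merely readable by other apps still passes, which matches the post's concern (code execution via .bashrc), not secrecy.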

Android Root Password

Noob question.
What is the actual password to su on various smartphone models, say Galaxy S5 or LG L3?
Is it a fixed character string or a formula based upon some hw specific like MAC ID?
Why don't vendors and network providers verify certain apps for su and give those sw vendors their devices' root password, or is it done that way now?
OK found the following on the web.
root in Linux (or any Unix-like system) is just the user with User ID 0. The su program (which actually stands for "Switch User", not "Super User") is just a program to start another program with a different user ID than the starting program (by default to uid 0, which is to user root). Android does not use the traditional /etc/passwd, however it still uses Linux User ID and Group ID for managing permissions.
If you want to intercept su requests so you can ask for password or enforce other rules, you will need to replace /sbin/su with your own version of su. Alternative approach is the one described here:
http://www.koushikdutta.com/2008/11/fixing-su-security-hole-on-modified.html
though that will require applications to cooperate by firing an Intent when they want to switch user.
Android security framework is more or less like this: each installed application runs on its own User ID (selected at installation time), and application permissions is implemented as user groups.
Can i change the root password after rooting my android device by simply typing "passwd"?
Android does not use /etc/passwd so it also does not have a passwd program.
how is the rooting process working ? i mean what is the "one click root" apps doing to my phone?
I'm not quite sure with the exact process myself, you probably want to ask to rooting developers. However, my guess is it just reverts the security check that originally prevent developer from setuid 0.
End of paste.
So the above is saying there are no passwords in Android. To give an app or file root privilege you must change the app's user id that runs it or users id of the user who created the file to 0 (zero).
Therefore giving root privilege to an app on Android is a su app that changes the user id to 0 of the app you want to give root privilege to.
So why don't hw vendors and network providers who provide the Android ROM include a special su app that checks (look up in a file) whether app is OK for root and then grants it ?

Disable New User Creation in Marshmallow

I have a rooted Nexus 9 for which I'd like to disable new user account creation (both full access users and guest users). This is prompted by the fact that I cannot figure out how to restore either adb or Titanium app data backups to a non-primary user.
The google led me to an archived thread on disabling new user creation on 5.X lollipop.
On my Nexus 9, running 6.0.1, I can't find the settings.db database that holds the setting to disable guest account creation. I first used adb shell commands and then ES File Explorer to locate the db file, without any success. Any ideas what I'm doing wrong, or is the settings.db no longer stored there?
I also searched reference materials at http://developer.android.com/ for "guest_user_enabled" and didn't find any indication that it had moved.
If there is a better place for this thread, please let me know and/or move it.

rooted phone user changes & dir permissions

Is there a way, once rooting is done, and i have customized my phone a bit (a change in one of the config files of linux), to change the user accounts and permissions? To create a new user account and change the user that is used by the phone to be a non-root, non-sudo, standard user. And all apps to use this or another standard user account.
And my app (that i installed after rooting) use another account. Only this account will have permission to read and write my app's directory.
Finally change the root user password, so that others cannot get into it unless they have that password.
So in effect protect my apps directory and allow the phone to work with a non sudo user from then on?
Next time phone re boots it uses another user say A (non sudo); without access to my apps directory. And when my app runs it uses user B (also non sudo) which has access to its dir. Others cannot read or list files in it or change permissions. So in effect my apps directory cannot be read by the user of the phone, in this new set up. I understand there will be ways around this.
But is this possible and how?
Rooted using https://forum.xda-developers.com/android/general/root-samsung-galaxy-on5-t3435457 but i can do systemless root if that is the way.
Phone model : Samsung On 5 Pro SM-G5550FY. Thank you much.

Android Boot Process?

I'm not a software engineer, I'm a retired hardware engineer that's messed around with enough software and OS's to be dangerous (mostly to myself), but I make no claim to really understand any modern OS.
I've always set the boundary of how much detail I want to deal with at the Windows Taskmanager level which in the case of Android is the Running Process/Cached Background level. I require a basic understanding of all the processes and services that are ostensibly operating on my behalf on any and all devices I supposedly own.
I don't begrudge companies like Microsoft, Google, Samsung and others doing their business, in fact I encourage them to do so, however, I do object to their forcing me to run processes and services that are far more beneficial to them than they are to me. But luckily I don't have to. I have my own launcher, keyboard and set of apps and tools that I can load on pretty much any generic android device and it will pretty much do what I want.
The prime offender in my opinion is Google Play Services. It runs 17 services on my devices most of which my only understanding is a couple words in Running Services but I'm pretty sure are not something I want. In general I keep Google Play Services uninstalled (--user 0) except for when I install or update something from the Play Store after which it's promptly uninstalled. Any app or portion thereof which is non-functional without Play Services installed is either ignored or uninstalled. I've also uninstalled (--user 0) over 240 pieces of Samsung bloatware.
With the above I mind I've been using a handful of Android tablets (Meize, Tabuta, Cwowdefu, Onn and others) which all had their idiosyncrasies but all behaved similarly. Specifically they all seemed to go through a minimal boot process leaving a handful of previously active apps in the cached background all of which went away once I selected a 0 Background Process Limit in Developer Options.
Anyway these were all pretty cheap tablets and I needed to get a top line phone to get the best screen, battery and multitasking support so I recently bought a Samsung Galaxy Fold3, Flip3, Tab A7 lite and Tab 8 to try out and they boot up differently than the close to a dozen tablets I've tried. First off the Samsung devices seem to cycle ALL installed (including system) apps (even disabled apps) through Running Processes to the Cached Background and left them there ignoring the Kill Background Processes and Limit Background Processes settings in Developer Options. Note there have always been a few apps like Nova7 that prefer to operate in the Cached Background but previous to getting the Samsung's, Nova7 and sometimes Android Core Apps were the only ones. The Samsung's literally had hundreds of apps in the Cached Background before I uninstalled over 240 of them off the Fold3. Now at least it pretty much only cycles through apps I've installed and will begrudgingly delete them all but only after I set a 0 background cache limit and manually delete each one except for Nova7 and sometimes Android Core Apps.
Can anyone help me understand what's going on here?
I read your post with care, but I admit that I don't understand what you are asking.
TL;DR Why Samsung runs too much bloat in background?
ze7zez said:
I read your post with care, but I admit that I don't understand what you are asking.
Thank you for your response. Ultimately I'm asking for someone that understands the sequence of actions that Android goes through each time a device boots up to explain the process to me.
I understand this is a somewhat abstract, open ended and difficult question.
I basically described two methods of booting. The first method is as described above used by the Meize, Tabuta, Cwowdefu and Onn tablets where the boot process only cycles through a handful of system apps (Settings, Keyboard, Launcher, Android Core Apps, etc.) during bootup and then obeys the "Don't Keep Activities" and "Background Process Limit" Developer Options settings.
The 2nd boot method I described was how all 4 Samsung devices I mentioned worked where the boot process seemed to cycle through pretty much every app installed on the device and then the "Don't Keep Activities" and "Background Process Limit" Developer Options settings are pretty much ignored.
These two boot sequences are not consistent. Can each device vendor just do whatever they want and if so is there anything I can do about it? Would rooting the Samsung devices help?
alecxs said:
TL;DR Why Samsung runs too much bloat in background?
Because they can.
In Samsung's defense bloat is very subjective. One person's bloatware is another person's favorite and most useful function. But with that said in general all 4 Samsung devices had 4 or 5 times more of what I consider bloat than any other vendors with which I have experience.
alecxs said:
TL;DR Why Samsung runs too much bloat in background?
I followed the *** read before you post *** link and that is exactly what I'm trying to do which is to understand the why behind the way things work so that eventually I can figure it out myself.
Mumblefratz said:
I followed the *** read before you post *** link and that is exactly what I'm trying to do which is to understand the why behind the way things work so that eventually I can figure it out myself.
Things like the bootloader and kernel are loaded, which are required because otherwise the system cannot even be booted.
there is much stuff but basically you are interested in OS? what comes after linux kernel and init?
Service Manager -> Zygote -> System Server?
Minionguyjpro said:
Things like the bootloader and kernel are loaded, which are required because otherwise the system cannot even be booted.
OK. But what happens after that? What decides which apps get loaded as active as listed in Running Services in Developer Options? Is there any way for me change which apps get started or to stop apps from being started in the first place? Again, would rooting the phone give me any additional control on which apps are started and which aren't?
Mumblefratz said:
OK. But what happens after that? What decides which apps get loaded as active as listed in Running Services in Developer Options? Is there any way for me change which apps get started or to stop apps from being started in the first place? Again, would rooting the phone give me any additional control on which apps are started and which aren't?
Multiple things, although I do not know all the things. You could try what @alecxs said.
alecxs said:
there is much stuff but basically you are interested in OS? what comes after linux kernel and init?
Service Manager -> Zygote -> System Server?
You're not kidding when you say "there is much stuff".
I'm interested in what decides which processes and services are started as listed under Running Services in Developer Options and which aren't.
Will look into google sources later, that is always the best documentation. here is just a quick overview for now.
Note: I am a layman in this.
https://elinux.org/Android_Zygote_Startup
alecxs said:
Will look into google sources later, that is always the best documentation. here is just a quick overview for now.
Note: I am a layman in this.
https://elinux.org/Android_Zygote_Startup
Thanks for the link that's all very helpful information.
I thought I was the layman in this but if you're a layman then on a relative scale I'm a clueless noob.
I have nowhere near the level of understanding I would need to start messing around with the Android Boot Process but I find that every time I boot up an Android I go through a process of setting a number of Developer Options settings, stopping a few processes and services listed under Running Services and even sometimes clearing an apps cache and data storage to stop it from misbehaving.
I'm guessing I could accomplish what I want with an init.rc type script that kills a few unwanted processes, maybe start a process I want, set a couple Developer Options settings, and, maybe clear an apps data storage. I assume doing something like this would require root but I'm not sure that even then I'll be able to do what I want.
I'm pretty close to feeling confident enough to attempt rooting my 2nd best phone (the Flip3). If I brick it, oh well. But before I make the attempt I'd like to have some assurance that I'll be somehow able to do the things I described in the paragraph above.
of course, messing with OS would require root. however, on US/Canada devices bootloader unlocking is not allowed.
you can run startup script with such app (no root) or automate tasks with Macrodroid, Tasker, Automate etc. (no root)
init.d scripts support - Apps on Google Play (play.google.com): We allow init.d scripts for non rooted users or kernels that don't support
you can debloat by just disabling packages. however, be prepared for factory reset is the only way to undo in case you accidentally disabled essential packages (no root)
How to uninstall carrier/OEM bloatware without root access (www.xda-developers.com): If you want to get rid of carrier/OEM apps from your phone, here's how you can uninstall bloatware from your device without root access!
any open source GUI adb tool for macos can disable/delete bloatware? (forum.xda-developers.com): list apps and delete/disable each of them by issuing command is boring. anyone knows any open source lightweight gui tool to do so? thanks
regarding boot, read the comments in SystemServer.java
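The caveat above, that a factory reset is the only way back once an essential package has been disabled, is the reason to keep an undo record. What follows is an added example and not the tool from the linked threads: a POSIX shell wrapper around the real `pm disable-user --user 0` and `pm enable` commands that refuses a short, constructed list of core packages and logs every package it disables so the changes can be replayed in reverse. `PM` can be set to `adb shell pm` to drive the device from a PC; the protected list and the log path are assumptions.

```shell
#!/bin/sh
# Added example: disable packages with an undo log and a guard list.
# PM is the package-manager command; set PM="adb shell pm" when driving the
# device from a PC instead of running inside `adb shell`.
: "${PM:=pm}"
: "${UNDO_LOG:=./debloat-undo.log}"

# Constructed, deliberately short list of packages that must stay enabled;
# extend it for the device at hand.
PROTECTED="android com.android.systemui com.android.settings com.android.phone com.android.providers.settings"

is_protected() {
    for p in $PROTECTED; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# disable_pkg NAME: refuse guarded packages, log the name, then disable it for user 0.
disable_pkg() {
    pkg=$1
    if is_protected "$pkg"; then
        printf 'refusing to disable core package %s\n' "$pkg" >&2
        return 2
    fi
    # Log first, so an interrupted run still leaves a usable undo record.
    printf '%s\n' "$pkg" >> "$UNDO_LOG"
    $PM disable-user --user 0 "$pkg"
}

# undo_all: re-enable every logged package, last change first, then drop the log.
undo_all() {
    [ -f "$UNDO_LOG" ] || return 0
    # sed idiom that prints a file in reverse line order (POSIX, no tac needed)
    sed '1!G;h;$!d' "$UNDO_LOG" | while read -r pkg; do
        $PM enable "$pkg"
    done
    rm -f "$UNDO_LOG"
}

# Minimal front end:  ./debloat.sh disable PKG...   |   ./debloat.sh undo
case "${1:-}" in
    disable) shift; for pkg in "$@"; do disable_pkg "$pkg"; done ;;
    undo)    undo_all ;;
esac
```

Keep the log file somewhere that survives the session (on a PC when using `adb shell pm`); with `pm uninstall -k --user 0` instead of `disable-user` the same log would still be useful, but the reverse step is then `cmd package install-existing`, which is why this example sticks to disable/enable.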
alecxs said:
of course, messing with OS would require root. however, on US/Canada devices bootloader unlocking is not allowed.
you can run startup script with such app (no root) or automate tasks with Macrodroid, Tasker, Automate etc. (no root)
init.d scripts support - Apps on Google Play (play.google.com): We allow init.d scripts for non rooted users or kernels that don't support
you can debloat by just disabling packages. however, be prepared for factory reset is the only way to undo in case you accidentally disabled essential packages (no root)
How to uninstall carrier/OEM bloatware without root access (www.xda-developers.com): If you want to get rid of carrier/OEM apps from your phone, here's how you can uninstall bloatware from your device without root access!
any open source GUI adb tool for macos can disable/delete bloatware? (forum.xda-developers.com): list apps and delete/disable each of them by issuing command is boring. anyone knows any open source lightweight gui tool to do so? thanks
regarding boot, read the comments in SystemServer.java
That sounds very good. We just need to wait for Mumble...
I think it's what he already did in past.
alecxs said:
there is much stuff but basically you are interested in OS? what comes after linux kernel and init?
With today's 32/64 Android it's more like:
Code:
PBL (primary boot loader in ROM)
└── xbl (secondary boot loader)
    └── abl (Android boot loader)
        └── kernel
            └── init (PID 1)
                ├── /system/bin/app_process64 (zygote64)
                │   ├── system_server
                │   └── most user applications
                ├── /system/bin/app_process (zygote)
                │   └── only user applications with user libs that are only supplied in armeabi-v7a
                ├── adbd
                └── other init services
I think that the Pixel 7 doesn't run the 32 bit zygote by default.
yes, that is also explained here. but it's too early. I wouldn't call it Android Boot process.
[INFO] BOOT PROCESS: ANDROID vs. LINUX (forum.xda-developers.com): NOTE: I'm not a developer or Android expert. All information provided here is copied from different internet sources and is to the best of my knowledge. I'll not be responsible for any harm to you or your device resulting from this. 1. PC BOOT...
Reverse Engineering Android Boot Process - Need Help (forum.xda-developers.com): Tl;dr = I have studied the boot process. I understand the Qualcomm SOC boot process PBL > SBL/XBL > And so on. I am trying to get a disassembly of the SBL. I dumped the EMMC and can view all its partitions. Now I am stuck at the 80 bytes header...
alecxs said:
yes, that is also explained here.
Oh, yeah, there's tons of stuff going on.
And that's not even touching the Baseband Processor (modem, radio) or TrustZone.
I was amazed at how much stuff is going on in xbl.
See: https://forum.xda-developers.com/t/...tloader-packing-signing.4473815/post-88159647
My diagram above is more like "dominoes falling" than details.
More to the point for Android users, it's important to make clear (if they don't know it already) that the Android "subsystem" is just a minor feature on top of Linux.
If you're rooted the command stop something can be used to stop any init service, like adbd, vold.
With just plain stop it will stop the zygote(s), which will kill all Android related stuff.
init (and everything else started by it) will happily continue running.
Code:
# ps -e | grep zygote
root 918 1 5434548 89856 poll_schedule_timeout 7d517830c8 S zygote64
root 919 1 1745416 76032 poll_schedule_timeout f079e6e0 S zygote
# stop
# ps -e | grep zygote
# start
Poke3:/ # ps -e | grep zygote
root 6814 1 5434548 92888 poll_schedule_timeout 7d9005f0c8 S zygote64
root 6815 1 1440552 42828 poll_schedule_timeout f41e46e0 S zygote
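The point that init and its services keep running while `stop` takes down the zygotes can be made visible on any device by rebuilding the process tree from the PID and PPID columns of `ps -e`. The following is an added example, not from the post above: a POSIX shell/awk script that prints the tree below a chosen PID and lists init's direct children (the processes that survive `stop`). The sample lines are constructed in the column layout shown in the post; on a device, pipe real `ps -e` output into the functions instead.

```shell
#!/bin/sh
# Added example: render a process tree from `ps -e` output using PID/PPID.
# Columns expected (as in the post): USER PID PPID VSZ RSS WCHAN ADDR S NAME

# Constructed sample in that layout; not a real capture.
SAMPLE_PS='USER PID PPID VSZ RSS WCHAN ADDR S NAME
root 1 0 10000 2000 SyS_epoll_wait 0 S init
root 918 1 5434548 89856 poll_schedule_timeout 0 S zygote64
root 919 1 1745416 76032 poll_schedule_timeout 0 S zygote
root 1200 918 6000000 200000 SyS_epoll_wait 0 S system_server
u0_a123 2000 918 3000000 100000 SyS_epoll_wait 0 S com.example.app
shell 800 1 20000 4000 SyS_epoll_wait 0 S adbd
root 801 1 30000 5000 SyS_epoll_wait 0 S vold'

# ps_tree [ROOT_PID]
# Reads ps output on stdin and prints the tree below ROOT_PID (default 1,
# i.e. init), two spaces of indent per level, children in ps order.
ps_tree() {
    awk -v root="${1:-1}" '
        NR == 1 { next }                          # header line
        {
            name[$2] = $NF                        # last column is the process name
            kids[$3] = kids[$3] " " $2            # append this PID to its parent
        }
        function walk(pid, depth,   i, n, list, pad) {
            pad = ""
            for (i = 0; i < depth; i++) pad = pad "  "
            print pad name[pid] " (" pid ")"
            n = split(kids[pid], list, " ")
            for (i = 1; i <= n; i++) walk(list[i], depth + 1)
        }
        END { walk(root, 0) }
    '
}

# init_services
# Names of the direct children of init: the init services (zygotes, adbd,
# vold, ...) as opposed to Android processes forked from a zygote.
init_services() {
    awk 'NR > 1 && $3 == 1 { print $NF }'
}

# Stand-alone run on the sample:
#   printf "%s\n" "$SAMPLE_PS" | ps_tree 1
#   printf "%s\n" "$SAMPLE_PS" | init_services
```

Running `ps_tree 918` on a device shows exactly what `stop` will take with it (system_server and the apps under zygote64), while `init_services` shows what stays, which is a useful sanity check before using `stop`/`start` on a device you care about.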
