nosuid on 4.3 isn't the su-killer
Posted on 2013-07-27, 22 comments, 199 +1's, imported from Google+/Chainfire

NOTICE: This content was originally posted to Google+, then imported here. Some formatting may be lost, links may be dead, and images may be missing.

There's been a lot of talk about the nosuid flag on mounts, and how it prevents Android apps from executing things like su. While in the standard su setup this is certainly true, it doesn't really matter, and it isn't the big reason SuperSU went daemon/proxy.

nosuid is (in the way it is currently set up) trivial to circumvent if you can run stuff at boot as root, as is the case with any flashable/rootable device. In other words, for root uses it's not really relevant at all.

What is relevant is the capability bounding set. Most processes (including all normal Android apps, adb shell, and so on) have it severely limited. As a result, even if you had the (old) su binary installed and could run it, you would indeed get the root user. You would however still be completely unable to do anything interesting, like remounting system (as just one example). As such, it may have seemed that the (old) su binary actually worked from adb shell, but it wasn't practically useful.

To read more about the capabilities referenced here, and what you can and cannot do with them, see this page: http://linux.die.net/man/7/capabilities . Previously, most processes had all of them. In 4.3, most only have CAP_SETUID and CAP_SETGID available, with the all-important CAP_SYS_ADMIN missing.
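As an added illustration (not code from the original post or from SuperSU), a small C program that reads a bounding set the two ways a practitioner would check it: by parsing the CapBnd line of a /proc/<pid>/status dump, and live for the calling process via prctl(PR_CAPBSET_READ). The embedded status text is a constructed sample mirroring the 4.3 state described above (only CAP_SETGID and CAP_SETUID left), which is exactly the situation where uid 0 is reachable but a mount(2) remount still fails with EPERM for lack of CAP_SYS_ADMIN.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Parse the "CapBnd:" line of a /proc/<pid>/status dump into a 64-bit mask;
   returns 0 on success, -1 if the line is missing or malformed. */
int parse_capbnd(const char *status_text, uint64_t *mask_out)
{
    const char *p = strstr(status_text, "CapBnd:");
    if (!p) return -1;
    p += strlen("CapBnd:");
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p) return -1;
    *mask_out = (uint64_t)v;
    return 0;
}

/* Non-zero if capability number cap is present in the mask. */
int cap_in_mask(uint64_t mask, int cap) { return cap >= 0 && cap < 64 && ((mask >> cap) & 1ULL) != 0; }

/* The calling process's own bounding set, read live and unprivileged via
   prctl(PR_CAPBSET_READ); stops at the first cap number the kernel rejects. */
uint64_t read_own_capbnd(void)
{
    uint64_t mask = 0;
    for (int cap = 0; cap < 64; cap++) {
        int r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
        if (r < 0) break;
        if (r == 1) mask |= 1ULL << cap;
    }
    return mask;
}

/* Constructed sample (not captured from a device): the 4.3 app shell the post
   describes, with only bits 6 and 7 (CAP_SETGID, CAP_SETUID) left. */
static const char SAMPLE_STATUS_43[] = "Name:\tsh\nCapBnd:\t00000000000000c0\n";

int main(void)
{
    uint64_t sample = 0, own = read_own_capbnd();
    parse_capbnd(SAMPLE_STATUS_43, &sample);
    printf("4.3 sample: CAP_SETUID=%d CAP_SYS_ADMIN=%d; this process: CAP_SYS_ADMIN=%d\n",
           cap_in_mask(sample, CAP_SETUID), cap_in_mask(sample, CAP_SYS_ADMIN),
           cap_in_mask(own, CAP_SYS_ADMIN));
    return 0;
}
```

Running it from an unrestricted root shell prints CAP_SYS_ADMIN=1 for the live process; from a confined one it prints 0, which is the difference the post is about.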

That's the big reason I'm still using daemon/proxy mode for 4.3, not nosuid.

Fredrik Duprez commented on 2013-07-27 at 20:48:

Interesting read +Chainfire

On a side note: you are using a side-effect to start the daemon, using the already existing file /system/etc/install-recovery.sh on the Nexus 4.

I can't see that the file is preserved if you install SuperSU, which might get you in trouble trying to get an OTA for an otherwise stock ROM.

Is it possible to launch the daemon in another way on N4 so that existing system files don't need to be overwritten?

I can't find that file on the Galaxy Nexus or the Nexus 7 before installing SuperSU (stock 4.3) - is this only a problem on the Nexus 4?

Omar Bizreh commented on 2013-07-27 at 20:59:

You sir, +Adam Outler & +CyanogenMod are the reason why I keep on checking my Google+ account. Thank you very much for your valuable information :-)

Jim DeArras commented on 2013-07-27 at 21:08:

Can that missing command be added to busybox, or is it a kernel recompile?

Chainfire commented on 2013-07-27 at 21:19:

+Fredrik Duprez it's not a problem to overwrite this file, and most firmwares run it at boot, even if it isn't used. That's the reason I chose this one for now - it doesn't do anything important and it works on most devices.

It may cause problems with OTAs though, I recommend a "full unroot" from SuperSU settings before applying an OTA.

I will strive to solve that problem sooner or later :)

Chainfire commented on 2013-07-27 at 21:21:

+Jim DeArras It can't be easily escaped. Of course on a custom firmware it wouldn't be too difficult to change this (beyond the scope of this post), but on stock it seems to be the "way it is". I can still think of ways around it (like kernel module based hacks) but those solutions aren't very portable.

Jacques McKraux commented on 2013-07-28 at 03:11:

Hmm, why not just give full root rights to every program?

Trung Duc Tran commented on 2013-07-28 at 05:16:

+Chainfire it seems with the new su daemon/proxy the exit code of the called script is not passed back to the calling app. I exec su and feed it the shell command "exit 66", but I always get exit code 0, not 66.

Chainfire commented on 2013-07-28 at 08:19:

+Trung Duc Tran a (second) bug related to this was fixed yesterday in my dev build, and this should be resolved in the next update.

Cláudio Sampaio commented on 2013-07-28 at 13:19:

So, does this mean we're close to when Android phones won't be rootable by their legitimate owner?

Michael Pujos commented on 2013-07-28 at 16:14:

All this added new difficulty in running su reminds me of Google making mounting difficult in 4.2 due to the multiuser change, then making it even harder in 4.2.2 due to the adb authentication. At this rate, in 5.0, it will be impossible to mount and run su...

John Wong commented on 2013-08-02 at 06:27:

Can anyone share/post the original Nexus (4|7) /etc/install-recovery.sh here? Thanks.

Fredrik Duprez commented on 2013-08-02 at 09:34:

+John Wong they are in the OTA zip files. Can't post a link from my phone now.

Steve Bates commented on 2013-08-02 at 10:06:

Wow

John Wong commented on 2013-08-02 at 10:32:

Yes, OTA zip. Is it a good idea to run the original install-recovery.sh before running the su daemon?

Thanks.

Fredrik Duprez commented on 2013-08-02 at 11:26:

+John Wong the only thing it does is install stock recovery. If you haven't changed the recovery or want to run a custom one, there's no point in running it before rooting.

John Wong commented on 2013-08-02 at 12:33:

+Fredrik Duprez "the only thing it does is installing stock recovery", do you mean the original /system/etc/install-recovery.sh only installs recovery?

Sorry, I do not know what the original /system/etc/install-recovery.sh does.

I just installed stock Android 4.3 (downloaded from Google) and then rooted with SuperSU.

So, I do not need the original /system/etc/install-recovery.sh? Right?

Thank you.

Fredrik Duprez commented on 2013-08-02 at 12:40:

+John Wong exactly. It only comes with the OTA and is not part of the factory images. You don't need it.

John Wong commented on 2013-08-02 at 12:42:

Understand now, thank you again.

和平年代 commented on 2013-08-05 at 13:57:

Not bad.

Adam Bliss commented on 2013-08-08 at 01:44:

Hi, thanks for making SuperSU the most reliable su on 4.3. Is the source code for the daemonsu binary online somewhere?

I'm having a problem with running "screen" inside a terminal under a chroot: it always seems to size to 80x25 even though my parent ptty has plenty of room. I'd like to look at the code where su allocates a new tty to see if there might be a problem there.

Walker Lee commented on 2014-08-01 at 10:05:

Dear Chainfire:

Can I modify the AOSP 4.4 code to disable this feature and make it possible for any app to call su? I have already surveyed lots of related posts, but I can't find any useful doc or tutorial on how to do it.

Tigran Aivazian commented on 2016-09-27 at 19:41:

+Adam Bliss You can use stty columns 200 ; stty rows 65 to set the columns/rows to whatever you wish.
