Andoid保险机制
Andoid安全机制
Andoid安全机制包括两个层次:系统层和应用层。应用层的安全机制建立在授权与申请基础上,本文不讲。系统层的安全机制包括给每个用户进程分配单独的uid和gid,使用进程本身可以防止地址空间的共享,从而避免使用线程方式对数据的全局可见性。使用了uid则对于外存也加了*,当然这得感谢UNIX的用户空间机制。系统层安全机制还包括对设备访问的控制,在这个方面,Android的做法与传统有所不同。
Android除了给予用户进程以单独的uid外,给系统服务也分配了固定的uid,诸如system/core/include/private/android_filesystem_config.h文件中定义了这些固定的uid:
#define AID_SYSTEM 1000
#define AID_RADIO 1001
#define AID_BLUETOOTH 1002
#define AID_GRAPHICS 1003
#define AID_INPUT 1004
#define AID_AUDIO 1005
#define AID_CAMERA 1006
#define AID_LOG 1007
......................................
传统的做法是,出了root,其它全是普通用户,两类用户的权限在内核里是规定死的,这也保证了UNIX内核的安全性。比如dev目录下的设备文件,一般用户主是root,而且对其他用户不开放读写能力。用户使用设备一般通过系统调用如ioctl,而系统调用属于受信代码。
Android的问题是,引入的这些系统用户,实际上在权限方面是无法与普通uid区分的,如果系统用户能访问一个设备,那么一般用户也能。所以,Andoid没有别的选择,只能默认开启设备文件的全局读写。这在systemcore/init/device.c做 了定义:
{ "/dev/urandom", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/ashmem", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/binder", 0666, AID_ROOT, AID_ROOT, 0 },
设备文件当然还是存放于/dev目录下,但dev目录的填充不是由udev做的,而是由Android的init进程做的。这个步骤由make_device函数完成,各个设备的权限来自于上述device.c文件的规定。
这种设备权限分配的潜在危险是,任何用户进程都可以操作设备,如果底层设备驱动有漏洞,那么整个系统的安全性就是存在风险的,而UNIX系统最大的安全隐患,正是来自于设备驱动。
Android Permission 1. 文件(夹)读写权限
init.rc 中建立test1 test2 test3 文件夹
mkdir /data/misc/test1 0770 root root
mkdir /data/misc/test2 0770 wifi wifi
mkdir /data/misc/test3 0770 system misc
其中
test1 目录的owner是root, group 也是root
test2 目录的owner是wifi , group 也是wifi
test3 目录的owner是system , group 是misc (任何用户都属于group misc)
service xxxx /system/bin/xxxx
user root
disabled
oneshot
service yyyy /system/bin/yyyy
user system
disabled
oneshot
service zzzz /system/bin/zzzz
user wifi
disabled
oneshot
结果:
xxxx 服务可以访问 test1, test2, test3
yyyy 服务可以访问 test3
zzzz 服务可以访问 test2, test3
Android 中mkdir 的定义
view plaincopy to clipboardprint?
1.int do_mkdir(int nargs, char **args)
2.{
3. mode_t mode = 0755;
4.
5. /* mkdir <path> [mode] [owner] [group] */
6.
7. if (nargs >= 3) {
8. mode = strtoul(args[2], 0,
;
9. }
10.
11. if (mkdir(args[1], mode)) {
12. return -errno;
13. }
14.
15. if (nargs >= 4) {
16. uid_t uid = decode_uid(args[3]);
17. gid_t gid = -1;
18.
19. if (nargs == 5) {
20. gid = decode_uid(args[4]);
21. }
22.
23. if (chown(args[1], uid, gid)) {
24. return -errno;
25. }
26. }
27.
28. return 0;
29.}
int do_mkdir(int nargs, char **args) { mode_t mode = 0755; /* mkdir <path> [mode] [owner] [group] */ if (nargs >= 3) { mode = strtoul(args[2], 0,; } if (mkdir(args[1], mode)) { return -errno; } if (nargs >= 4) { uid_t uid = decode_uid(args[3]); gid_t gid = -1; if (nargs == 5) { gid = decode_uid(args[4]); } if (chown(args[1], uid, gid)) { return -errno; } } return 0; }
2. Property 权限
Android Property 也是有权限的。
2.1 以前缀 ctl. 开头的控制属性, 设置前,Android 代码会调用函数check_control_perms()检查调用者的 user id 和 group id
view plaincopy to clipboardprint?
1.struct {
2. const char *service;
3. unsigned int uid;
4. unsigned int gid;
5.} control_perms[] = {
6. { "dumpstate",AID_SHELL, AID_LOG },
7. {NULL, 0, 0 }
8.};
9.
10.static int check_control_perms(const char *name, int uid, int gid) {
11. int i;
12. if (uid == AID_SYSTEM || uid == AID_ROOT)
13. return 1;
14.
15. /* Search the ACL */
16. for (i = 0; control_perms[i].service; i++) {
17. if (strcmp(control_perms[i].service, name) == 0) {
18. if ((uid && control_perms[i].uid == uid) ||
19. (gid && control_perms[i].gid == gid)) {
20. return 1;
21. }
22. }
23. }
24. return 0;
25.}
struct { const char *service; unsigned int uid; unsigned int gid; } control_perms[] = { { "dumpstate",AID_SHELL, AID_LOG }, {NULL, 0, 0 } }; static int check_control_perms(const char *name, int uid, int gid) { int i; if (uid == AID_SYSTEM || uid == AID_ROOT) return 1; /* Search the ACL */ for (i = 0; control_perms[i].service; i++) { if (strcmp(control_perms[i].service, name) == 0) { if ((uid && control_perms[i].uid == uid) || (gid && control_perms[i].gid == gid)) { return 1; } } } return 0; }
2.2 其它属性, 设置前,Android 代码会调用函数check_perms()检查调用者的 user id 和 group id
check_perms(msg.name, cr.uid, cr.gid)
view plaincopy to clipboardprint?
1.struct {
2. const char *prefix;
3. unsigned int uid;
4. unsigned int gid;
5.} property_perms[] = {
6. { "net.rmnet0.", AID_RADIO, 0 },
7. { "net.gprs.", AID_RADIO, 0 },
8. { "net.ppp", AID_RADIO, 0 },
9. { "ril.", AID_RADIO, 0 },
10. { "gsm.", AID_RADIO, 0 },
11. { "persist.radio", AID_RADIO, 0 },
12. { "net.dns", AID_RADIO, 0 },
13. { "net.", AID_SYSTEM, 0 },
14. { "dev.", AID_SYSTEM, 0 },
15. { "runtime.", AID_SYSTEM, 0 },
16. { "hw.", AID_SYSTEM, 0 },
17. { "sys.", AID_SYSTEM, 0 },
18. { "service.", AID_SYSTEM, 0 },
19. { "wlan.", AID_SYSTEM, 0 },
20. { "dhcp.", AID_SYSTEM, 0 },
21. { "dhcp.", AID_DHCP, 0 },
22. { "vpn.", AID_SYSTEM, 0 },
23. { "vpn.", AID_VPN, 0 },
24. { "debug.", AID_SHELL, 0 },
25. { "log.", AID_SHELL, 0 },
26. { "service.adb.root", AID_SHELL, 0 },
27. { "persist.sys.", AID_SYSTEM, 0 },
28. { "persist.service.", AID_SYSTEM, 0 },
29. { NULL, 0, 0 }
30.};
31.
32.static int check_perms(const char *name, unsigned int uid, int gid)
33.{
34. int i;
35. if (uid == 0)
36. return 1;
37.
38. if(!strncmp(name, "ro.", 3))
39. name +=3;
40.
41. for (i = 0; property_perms[i].prefix; i++) {
42. int tmp;
43. if (strncmp(property_perms[i].prefix, name,
44. strlen(property_perms[i].prefix)) == 0) {
45. if ((uid && property_perms[i].uid == uid) ||
46. (gid && property_perms[i].gid == gid)) {
47. return 1;
48. }
49. }
50. }
51.
52. return 0;
53.}
struct { const char *prefix; unsigned int uid; unsigned int gid; } property_perms[] = { { "net.rmnet0.", AID_RADIO, 0 }, { "net.gprs.", AID_RADIO, 0 }, { "net.ppp", AID_RADIO, 0 }, { "ril.", AID_RADIO, 0 }, { "gsm.", AID_RADIO, 0 }, { "persist.radio", AID_RADIO, 0 }, { "net.dns", AID_RADIO, 0 }, { "net.", AID_SYSTEM, 0 }, { "dev.", AID_SYSTEM, 0 }, { "runtime.", AID_SYSTEM, 0 }, { "hw.", AID_SYSTEM, 0 }, { "sys.", AID_SYSTEM, 0 }, { "service.", AID_SYSTEM, 0 }, { "wlan.", AID_SYSTEM, 0 }, { "dhcp.", AID_SYSTEM, 0 }, { "dhcp.", AID_DHCP, 0 }, { "vpn.", AID_SYSTEM, 0 }, { "vpn.", AID_VPN, 0 }, { "debug.", AID_SHELL, 0 }, { "log.", AID_SHELL, 0 }, { "service.adb.root", AID_SHELL, 0 }, { "persist.sys.", AID_SYSTEM, 0 }, { "persist.service.", AID_SYSTEM, 0 }, { NULL, 0, 0 } }; static int check_perms(const char *name, unsigned int uid, int gid) { int i; if (uid == 0) return 1; if(!strncmp(name, "ro.", 3)) name +=3; for (i = 0; property_perms[i].prefix; i++) { int tmp; if (strncmp(property_perms[i].prefix, name, strlen(property_perms[i].prefix)) == 0) { if ((uid && property_perms[i].uid == uid) || (gid && property_perms[i].gid == gid)) { return 1; } } } return 0; }
从代码中可以看到, 任何不以property_perms[] 中定义的前缀开头的property 是
无法被除root以外的用户访问的,包括system用户。
3. 最后补充Android 的uid gid 定义
view plaincopy to clipboardprint?
1.#define AID_ROOT 0 /* traditional unix root user */
2.
3.#define AID_SYSTEM 1000 /* system server */
4.
5.#define AID_RADIO 1001 /* telephony subsystem, RIL */
6.#define AID_BLUETOOTH 1002 /* bluetooth subsystem */
7.#define AID_GRAPHICS 1003 /* graphics devices */
8.#define AID_INPUT 1004 /* input devices */
9.#define AID_AUDIO 1005 /* audio devices */
10.#define AID_CAMERA 1006 /* camera devices */
11.#define AID_LOG 1007 /* log devices */
12.#define AID_COMPASS 1008 /* compass device */
13.#define AID_MOUNT 1009 /* mountd socket */
14.#define AID_WIFI 1010 /* wifi subsystem */
15.#define AID_ADB 1011 /* android debug bridge (adbd) */
16.#define AID_INSTALL 1012 /* group for installing packages */
17.#define AID_MEDIA 1013 /* mediaserver process */
18.#define AID_DHCP 1014 /* dhcp client */
19.#define AID_SDCARD_RW 1015 /* external storage write access */
20.#define AID_VPN 1016 /* vpn system */
21.#define AID_KEYSTORE 1017 /* keystore subsystem */
22.
23.#define AID_SHELL 2000 /* adb and debug shell user */
24.#define AID_CACHE 2001 /* cache access */
25.#define AID_DIAG 2002 /* access to diagnostic resources */
26.
27./* The 3000 series are intended for use as supplemental group id's only.
28. * They indicate special Android capabilities that the kernel is aware of. */
29.#define AID_NET_BT_ADMIN 3001 /* bluetooth: create any socket */
30.#define AID_NET_BT 3002 /* bluetooth: create sco, rfcomm or l2cap sockets */
31.#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
32.#define AID_NET_RAW 3004 /* can create raw INET sockets */
33.#define AID_NET_ADMIN 3005 /* can configure interfaces and routing tables. */
34.
35.#define AID_MISC 9998 /* access to misc storage */
36.#define AID_NOBODY 9999
37.
38.#define AID_APP 10000 /* first app user */
#define AID_ROOT 0 /* traditional unix root user */ #define AID_SYSTEM 1000 /* system server */ #define AID_RADIO 1001 /* telephony subsystem, RIL */ #define AID_BLUETOOTH 1002 /* bluetooth subsystem */ #define AID_GRAPHICS 1003 /* graphics devices */ #define AID_INPUT 1004 /* input devices */ #define AID_AUDIO 1005 /* audio devices */ #define AID_CAMERA 1006 /* camera devices */ #define AID_LOG 1007 /* log devices */ #define AID_COMPASS 1008 /* compass device */ #define AID_MOUNT 1009 /* mountd socket */ #define AID_WIFI 1010 /* wifi subsystem */ #define AID_ADB 1011 /* android debug bridge (adbd) */ #define AID_INSTALL 1012 /* group for installing packages */ #define AID_MEDIA 1013 /* mediaserver process */ #define AID_DHCP 1014 /* dhcp client */ #define AID_SDCARD_RW 1015 /* external storage write access */ #define AID_VPN 1016 /* vpn system */ #define AID_KEYSTORE 1017 /* keystore subsystem */ #define AID_SHELL 2000 /* adb and debug shell user */ #define AID_CACHE 2001 /* cache access */ #define AID_DIAG 2002 /* access to diagnostic resources */ /* The 3000 series are intended for use as supplemental group id's only. * They indicate special Android capabilities that the kernel is aware of. */ #define AID_NET_BT_ADMIN 3001 /* bluetooth: create any socket */ #define AID_NET_BT 3002 /* bluetooth: create sco, rfcomm or l2cap sockets */ #define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */ #define AID_NET_RAW 3004 /* can create raw INET sockets */ #define AID_NET_ADMIN 3005 /* can configure interfaces and routing tables. */ #define AID_MISC 9998 /* access to misc storage */ #define AID_NOBODY 9999 #define AID_APP 10000 /* first app user */
可见root (AID_ROOT = 0) 的权限最高, app (AID_APP = 10000) 权限最低, misc (AID_MISC = 9998) 权限倒数第三低。
所以#1 中描述的目录test3的group 属性设置成了 misc, 则除了 app/nobody 这两个用户,
android系统中其它所有用户都有该目录的group权限!
本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/evilcode/archive/2011/01/04/6115730.aspx
Andoid安全机制包括两个层次:系统层和应用层。应用层的安全机制建立在授权与申请基础上,本文不讲。系统层的安全机制包括给每个用户进程分配单独的uid和gid,使用进程本身可以防止地址空间的共享,从而避免使用线程方式对数据的全局可见性。使用了uid则对于外存也加了*,当然这得感谢UNIX的用户空间机制。系统层安全机制还包括对设备访问的控制,在这个方面,Android的做法与传统有所不同。
Android除了给予用户进程以单独的uid外,给系统服务也分配了固定的uid,诸如system/core/include/private/android_filesystem_config.h文件中定义了这些固定的uid:
#define AID_SYSTEM 1000
#define AID_RADIO 1001
#define AID_BLUETOOTH 1002
#define AID_GRAPHICS 1003
#define AID_INPUT 1004
#define AID_AUDIO 1005
#define AID_CAMERA 1006
#define AID_LOG 1007
......................................
传统的做法是,出了root,其它全是普通用户,两类用户的权限在内核里是规定死的,这也保证了UNIX内核的安全性。比如dev目录下的设备文件,一般用户主是root,而且对其他用户不开放读写能力。用户使用设备一般通过系统调用如ioctl,而系统调用属于受信代码。
Android的问题是,引入的这些系统用户,实际上在权限方面是无法与普通uid区分的,如果系统用户能访问一个设备,那么一般用户也能。所以,Andoid没有别的选择,只能默认开启设备文件的全局读写。这在systemcore/init/device.c做 了定义:
{ "/dev/urandom", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/ashmem", 0666, AID_ROOT, AID_ROOT, 0 },
{ "/dev/binder", 0666, AID_ROOT, AID_ROOT, 0 },
设备文件当然还是存放于/dev目录下,但dev目录的填充不是由udev做的,而是由Android的init进程做的。这个步骤由make_device函数完成,各个设备的权限来自于上述device.c文件的规定。
这种设备权限分配的潜在危险是,任何用户进程都可以操作设备,如果底层设备驱动有漏洞,那么整个系统的安全性就是存在风险的,而UNIX系统最大的安全隐患,正是来自于设备驱动。
Android Permission 1. 文件(夹)读写权限
init.rc 中建立test1 test2 test3 文件夹
mkdir /data/misc/test1 0770 root root
mkdir /data/misc/test2 0770 wifi wifi
mkdir /data/misc/test3 0770 system misc
其中
test1 目录的owner是root, group 也是root
test2 目录的owner是wifi , group 也是wifi
test3 目录的owner是system , group 是misc (任何用户都属于group misc)
service xxxx /system/bin/xxxx
user root
disabled
oneshot
service yyyy /system/bin/yyyy
user system
disabled
oneshot
service zzzz /system/bin/zzzz
user wifi
disabled
oneshot
结果:
xxxx 服务可以访问 test1, test2, test3
yyyy 服务可以访问 test3
zzzz 服务可以访问 test2, test3
Android 中mkdir 的定义
view plaincopy to clipboardprint?
1.int do_mkdir(int nargs, char **args)
2.{
3. mode_t mode = 0755;
4.
5. /* mkdir <path> [mode] [owner] [group] */
6.
7. if (nargs >= 3) {
8. mode = strtoul(args[2], 0,
9. }
10.
11. if (mkdir(args[1], mode)) {
12. return -errno;
13. }
14.
15. if (nargs >= 4) {
16. uid_t uid = decode_uid(args[3]);
17. gid_t gid = -1;
18.
19. if (nargs == 5) {
20. gid = decode_uid(args[4]);
21. }
22.
23. if (chown(args[1], uid, gid)) {
24. return -errno;
25. }
26. }
27.
28. return 0;
29.}
int do_mkdir(int nargs, char **args) { mode_t mode = 0755; /* mkdir <path> [mode] [owner] [group] */ if (nargs >= 3) { mode = strtoul(args[2], 0,
2. Property 权限
Android Property 也是有权限的。
2.1 以前缀 ctl. 开头的控制属性, 设置前,Android 代码会调用函数check_control_perms()检查调用者的 user id 和 group id
view plaincopy to clipboardprint?
1.struct {
2. const char *service;
3. unsigned int uid;
4. unsigned int gid;
5.} control_perms[] = {
6. { "dumpstate",AID_SHELL, AID_LOG },
7. {NULL, 0, 0 }
8.};
9.
10.static int check_control_perms(const char *name, int uid, int gid) {
11. int i;
12. if (uid == AID_SYSTEM || uid == AID_ROOT)
13. return 1;
14.
15. /* Search the ACL */
16. for (i = 0; control_perms[i].service; i++) {
17. if (strcmp(control_perms[i].service, name) == 0) {
18. if ((uid && control_perms[i].uid == uid) ||
19. (gid && control_perms[i].gid == gid)) {
20. return 1;
21. }
22. }
23. }
24. return 0;
25.}
struct { const char *service; unsigned int uid; unsigned int gid; } control_perms[] = { { "dumpstate",AID_SHELL, AID_LOG }, {NULL, 0, 0 } }; static int check_control_perms(const char *name, int uid, int gid) { int i; if (uid == AID_SYSTEM || uid == AID_ROOT) return 1; /* Search the ACL */ for (i = 0; control_perms[i].service; i++) { if (strcmp(control_perms[i].service, name) == 0) { if ((uid && control_perms[i].uid == uid) || (gid && control_perms[i].gid == gid)) { return 1; } } } return 0; }
2.2 其它属性, 设置前,Android 代码会调用函数check_perms()检查调用者的 user id 和 group id
check_perms(msg.name, cr.uid, cr.gid)
view plaincopy to clipboardprint?
1.struct {
2. const char *prefix;
3. unsigned int uid;
4. unsigned int gid;
5.} property_perms[] = {
6. { "net.rmnet0.", AID_RADIO, 0 },
7. { "net.gprs.", AID_RADIO, 0 },
8. { "net.ppp", AID_RADIO, 0 },
9. { "ril.", AID_RADIO, 0 },
10. { "gsm.", AID_RADIO, 0 },
11. { "persist.radio", AID_RADIO, 0 },
12. { "net.dns", AID_RADIO, 0 },
13. { "net.", AID_SYSTEM, 0 },
14. { "dev.", AID_SYSTEM, 0 },
15. { "runtime.", AID_SYSTEM, 0 },
16. { "hw.", AID_SYSTEM, 0 },
17. { "sys.", AID_SYSTEM, 0 },
18. { "service.", AID_SYSTEM, 0 },
19. { "wlan.", AID_SYSTEM, 0 },
20. { "dhcp.", AID_SYSTEM, 0 },
21. { "dhcp.", AID_DHCP, 0 },
22. { "vpn.", AID_SYSTEM, 0 },
23. { "vpn.", AID_VPN, 0 },
24. { "debug.", AID_SHELL, 0 },
25. { "log.", AID_SHELL, 0 },
26. { "service.adb.root", AID_SHELL, 0 },
27. { "persist.sys.", AID_SYSTEM, 0 },
28. { "persist.service.", AID_SYSTEM, 0 },
29. { NULL, 0, 0 }
30.};
31.
32.static int check_perms(const char *name, unsigned int uid, int gid)
33.{
34. int i;
35. if (uid == 0)
36. return 1;
37.
38. if(!strncmp(name, "ro.", 3))
39. name +=3;
40.
41. for (i = 0; property_perms[i].prefix; i++) {
42. int tmp;
43. if (strncmp(property_perms[i].prefix, name,
44. strlen(property_perms[i].prefix)) == 0) {
45. if ((uid && property_perms[i].uid == uid) ||
46. (gid && property_perms[i].gid == gid)) {
47. return 1;
48. }
49. }
50. }
51.
52. return 0;
53.}
struct { const char *prefix; unsigned int uid; unsigned int gid; } property_perms[] = { { "net.rmnet0.", AID_RADIO, 0 }, { "net.gprs.", AID_RADIO, 0 }, { "net.ppp", AID_RADIO, 0 }, { "ril.", AID_RADIO, 0 }, { "gsm.", AID_RADIO, 0 }, { "persist.radio", AID_RADIO, 0 }, { "net.dns", AID_RADIO, 0 }, { "net.", AID_SYSTEM, 0 }, { "dev.", AID_SYSTEM, 0 }, { "runtime.", AID_SYSTEM, 0 }, { "hw.", AID_SYSTEM, 0 }, { "sys.", AID_SYSTEM, 0 }, { "service.", AID_SYSTEM, 0 }, { "wlan.", AID_SYSTEM, 0 }, { "dhcp.", AID_SYSTEM, 0 }, { "dhcp.", AID_DHCP, 0 }, { "vpn.", AID_SYSTEM, 0 }, { "vpn.", AID_VPN, 0 }, { "debug.", AID_SHELL, 0 }, { "log.", AID_SHELL, 0 }, { "service.adb.root", AID_SHELL, 0 }, { "persist.sys.", AID_SYSTEM, 0 }, { "persist.service.", AID_SYSTEM, 0 }, { NULL, 0, 0 } }; static int check_perms(const char *name, unsigned int uid, int gid) { int i; if (uid == 0) return 1; if(!strncmp(name, "ro.", 3)) name +=3; for (i = 0; property_perms[i].prefix; i++) { int tmp; if (strncmp(property_perms[i].prefix, name, strlen(property_perms[i].prefix)) == 0) { if ((uid && property_perms[i].uid == uid) || (gid && property_perms[i].gid == gid)) { return 1; } } } return 0; }
从代码中可以看到, 任何不以property_perms[] 中定义的前缀开头的property 是
无法被除root以外的用户访问的,包括system用户。
3. 最后补充Android 的uid gid 定义
view plaincopy to clipboardprint?
1.#define AID_ROOT 0 /* traditional unix root user */
2.
3.#define AID_SYSTEM 1000 /* system server */
4.
5.#define AID_RADIO 1001 /* telephony subsystem, RIL */
6.#define AID_BLUETOOTH 1002 /* bluetooth subsystem */
7.#define AID_GRAPHICS 1003 /* graphics devices */
8.#define AID_INPUT 1004 /* input devices */
9.#define AID_AUDIO 1005 /* audio devices */
10.#define AID_CAMERA 1006 /* camera devices */
11.#define AID_LOG 1007 /* log devices */
12.#define AID_COMPASS 1008 /* compass device */
13.#define AID_MOUNT 1009 /* mountd socket */
14.#define AID_WIFI 1010 /* wifi subsystem */
15.#define AID_ADB 1011 /* android debug bridge (adbd) */
16.#define AID_INSTALL 1012 /* group for installing packages */
17.#define AID_MEDIA 1013 /* mediaserver process */
18.#define AID_DHCP 1014 /* dhcp client */
19.#define AID_SDCARD_RW 1015 /* external storage write access */
20.#define AID_VPN 1016 /* vpn system */
21.#define AID_KEYSTORE 1017 /* keystore subsystem */
22.
23.#define AID_SHELL 2000 /* adb and debug shell user */
24.#define AID_CACHE 2001 /* cache access */
25.#define AID_DIAG 2002 /* access to diagnostic resources */
26.
27./* The 3000 series are intended for use as supplemental group id's only.
28. * They indicate special Android capabilities that the kernel is aware of. */
29.#define AID_NET_BT_ADMIN 3001 /* bluetooth: create any socket */
30.#define AID_NET_BT 3002 /* bluetooth: create sco, rfcomm or l2cap sockets */
31.#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
32.#define AID_NET_RAW 3004 /* can create raw INET sockets */
33.#define AID_NET_ADMIN 3005 /* can configure interfaces and routing tables. */
34.
35.#define AID_MISC 9998 /* access to misc storage */
36.#define AID_NOBODY 9999
37.
38.#define AID_APP 10000 /* first app user */
#define AID_ROOT 0 /* traditional unix root user */ #define AID_SYSTEM 1000 /* system server */ #define AID_RADIO 1001 /* telephony subsystem, RIL */ #define AID_BLUETOOTH 1002 /* bluetooth subsystem */ #define AID_GRAPHICS 1003 /* graphics devices */ #define AID_INPUT 1004 /* input devices */ #define AID_AUDIO 1005 /* audio devices */ #define AID_CAMERA 1006 /* camera devices */ #define AID_LOG 1007 /* log devices */ #define AID_COMPASS 1008 /* compass device */ #define AID_MOUNT 1009 /* mountd socket */ #define AID_WIFI 1010 /* wifi subsystem */ #define AID_ADB 1011 /* android debug bridge (adbd) */ #define AID_INSTALL 1012 /* group for installing packages */ #define AID_MEDIA 1013 /* mediaserver process */ #define AID_DHCP 1014 /* dhcp client */ #define AID_SDCARD_RW 1015 /* external storage write access */ #define AID_VPN 1016 /* vpn system */ #define AID_KEYSTORE 1017 /* keystore subsystem */ #define AID_SHELL 2000 /* adb and debug shell user */ #define AID_CACHE 2001 /* cache access */ #define AID_DIAG 2002 /* access to diagnostic resources */ /* The 3000 series are intended for use as supplemental group id's only. * They indicate special Android capabilities that the kernel is aware of. */ #define AID_NET_BT_ADMIN 3001 /* bluetooth: create any socket */ #define AID_NET_BT 3002 /* bluetooth: create sco, rfcomm or l2cap sockets */ #define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */ #define AID_NET_RAW 3004 /* can create raw INET sockets */ #define AID_NET_ADMIN 3005 /* can configure interfaces and routing tables. */ #define AID_MISC 9998 /* access to misc storage */ #define AID_NOBODY 9999 #define AID_APP 10000 /* first app user */
可见root (AID_ROOT = 0) 的权限最高, app (AID_APP = 10000) 权限最低, misc (AID_MISC = 9998) 权限倒数第三低。
所以#1 中描述的目录test3的group 属性设置成了 misc, 则除了 app/nobody 这两个用户,
android系统中其它所有用户都有该目录的group权限!
本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/evilcode/archive/2011/01/04/6115730.aspx