Give root access to a Cydia app

I am making a Cydia app that has permission to install files. I need to be able to gain root access to /Applications for this. I have looked here, but it was a little unclear. Could anybody explain it a little better?


asked Mar 10 '12 at 01:03

2 Answers

Never use system with setuid! If, for example, a malicious individual were to change the PATH to be /tmp:$PATH, and this person added their own program to /tmp and named it "ls", then even running this simple code would give them root access to your device:

setuid(0); system("ls");

Instead, you should use the exec family of functions, but not execvp/execlp.

answered May 4 '12 at 04:05

Another way around that problem is to fully-qualify the command you pass to system(), like /bin/ls instead of just ls. - Nate

@Nate: not quite. export IFS=/ - C0deH4cker

If you're claiming that export IFS=/ will turn the /bin/ls command into bin ls, which could run a malicious script named bin placed somewhere in the PATH ... no, it won't. I tried it on a jailbroken iPhone. Also tried export IFS='/'. That's a pretty old exploit, and it looks like the jailbroken iOS shell has that fixed. - Nate

@Nate: Why are you defending the use of system in setuid apps? It is known to be a total failure in terms of security. I just listed two examples of why it is a bad idea. Instead of trying to find hacky, unreliable workarounds, you should be learning a more secure alternative. Now just go back to using gets. - C0deH4cker

The PATH example doesn't apply if you fully-qualify the command, as I said. And, I just offered feedback that I don't think the IFS exploit works, either. If I'm wrong, and you think it still does, I'm actually interested to hear how. But two flawed examples isn't much of a case. And, we're talking about a jailbroken device here. Security on jailbroken devices is already suspect, so I'm not sure why you're so worked up about this one. Oh, and I've already learned about using exec functions, as I've mentioned in more than one of my answers. - Nate
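The first answer's advice (an exec call that does no PATH lookup, in place of system()) as an added example, not code from the original answer or its comments. The names run_absolute and clean_env are hypothetical, and /bin/ls with /Applications is only sample input.

```c
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to the child; nothing is inherited from the caller. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/*
 * Run one program without a shell. `path` must be absolute, so PATH is never
 * searched (execve does no lookup), and argv reaches the program as-is, so no
 * shell word splitting (IFS) or metacharacter handling takes place.
 * Returns the child's exit status, or -1 on error.
 */
int run_absolute(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/') {
        errno = EINVAL;           /* refuse anything that would need a lookup */
        return -1;
    }

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);               /* only reached if execve failed */
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)       /* retry only when interrupted by a signal */
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Sample call: list /Applications with the fully-qualified ls binary. */
    char *const argv[] = { "ls", "/Applications", NULL };
    return run_absolute("/bin/ls", argv) == 0 ? 0 : 1;
}
```

In a setuid helper the same call replaces system(cmd); the caller's PATH and IFS never reach the child because the environment is rebuilt from clean_env.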

You can use this

setuid( 0 ); 
system( "/path/to/script.sh" );

where path to script is a script in your app that would install files


setuid( 0 ); 
system( "cmd" );

where cmd is a command such as

setuid( 0 ); system( "echo Hello World" );

You can also log this way to the /tmp directory or any other place.

setuid( 0 ); system( "echo Hello World >> /tmp/install.log" );

setuid (0); gives it root access and system (cmd); is the actual command

Be careful on how you use this as root has access to everywhere.

answered Mar 12 '13 at 01:03
