search

cswl / tsu

Gain root shell on Termux.
ISC License
633 stars 154 forks source link

tsu permission denied issues on oreo #35

Open leo-b opened 5 years ago

leo-b commented 5 years ago

I originally posted this in https://github.com/cswl/tsu/issues/30#issuecomment-460976194:

I am experiencing issues on my Galaxy S7 since an upgrade to Oreo. Downgrading Magisk from 18.1 to a version that worked on Nougat (e.g. 16.3) doesn't help, so I doubt it is a Magisk issue at all.

tsu is able to launch a shell via magisk su but that shell isn't able to run any executable anymore. Re-adding the LD_* variables doesn't help. selinux is permissive.

I don't know if this is related to #33 because some users report that they are using SuperSU. I've also had a look at branch v3.0-stash but it looks incomplete. (E.g. libtsu-magisk.sh is referenced but missing.)

Do you have an explanation for this behavior and is there a known workaround yet?

Here are some details:

From within termux: ``` $ bash -x tsu + getopts :aehps:c opt + test -z /data/data/com.termux/files/usr + test -n '' + test -n '' + LD_LIBRARY_PATH=/data/data/com.termux/files/usr/lib + test -n '' + test -z '' + test -x /data/data/com.termux/files/home/.termux/shell + test -x /data/data/com.termux/files/usr/bin/bash + ROOT_SHELL=/data/data/com.termux/files/usr/bin/bash + OLD_LIBRARY_PATH=/data/data/com.termux/files/usr/lib + '[' -e /sbin/magisk ']' + for s in '/magisk/.core/bin/su' '/sbin/su' + '[' -e /magisk/.core/bin/su ']' + for s in '/magisk/.core/bin/su' '/sbin/su' + '[' -e /sbin/su ']' + unset LD_LIBRARY_PATH + SU_BINARY=/sbin/su + '[' -z '' ']' + exec /sbin/su --preserve-environment -c 'LD_LIBRARY_PATH=/data/data/com.termux/files/usr/lib PATH=/data/data/com.termux/files/usr/bin:/data/data/com.termux/files/usr/bin/applets:/data/data/com.termux/files/usr/bin:/data/data/com.termux/files/usr/bin/applets:/data/data/com.termux/files/usr/bin:/data/data/com.termux/files/usr/bin/applets /data/data/com.termux/files/usr/bin/bash' # id bash: /data/data/com.termux/files/usr/bin/id: Permission denied # set ANDROID_DATA=/data ANDROID_ROOT=/system BASH=/data/data/com.termux/files/usr/bin/bash BASHOPTS=cmdhist:complete_fullquote:expand_aliases:extquote:force_fignore:hostcomplete:interactive_comments:progcomp:promptvars:sourcepath BASH_ALIASES=() BASH_ARGC=() BASH_ARGV=() BASH_CMDS=() BASH_LINENO=() BASH_SOURCE=() BASH_VERSINFO=([0]="4" [1]="4" [2]="23" [3]="1" [4]="release" [5]="aarch64-unknown-linux-android") BASH_VERSION='4.4.23(1)-release' COLUMNS=144 DIRSTACK=() EUID=0 EXTERNAL_STORAGE=/sdcard GROUPS=() HISTFILE=/data/data/com.termux/files/home/.bash_history HISTFILESIZE=500 HISTSIZE=500 HOME=/data/data/com.termux/files/home HOSTNAME=localhost HOSTTYPE=aarch64 IFS=$' \t\n' LANG=en_US.UTF-8 LD_LIBRARY_PATH=/data/data/com.termux/files/usr/lib LINES=65 LOGNAME=u0_a294 MACHTYPE=aarch64-unknown-linux-android MAILCHECK=60 OPTERR=1 OPTIND=1 OSTYPE=linux-android PATH=/data/data/com.termux/files/usr/bin:/data/data/com.termux/files/usr/bin/applets:/data/data/com.termux/files/usr/bin:/data/data/com.termux/files/usr/bin/applets:/data/data/com.termux/files/usr/bin:/data/data/com.termux/files/usr/bin/applets PIPESTATUS=([0]="2") PPID=30596 PREFIX=/data/data/com.termux/files/usr PS1='\$ ' PS2='> ' PS4='+ ' PWD=/data/data/com.termux/files/home SHELL=/data/data/com.termux/files/usr/bin/bash SHELLOPTS=braceexpand:emacs:hashall:histexpand:history:interactive-comments:monitor SHLVL=2 SSH_CLIENT='127.0.0.1 45315 1123' SSH_CONNECTION='127.0.0.1 45315 127.0.0.1 1123' SSH_TTY=/dev/pts/2 TERM=xterm-256color TMPDIR=/data/data/com.termux/files/usr/tmp UID=0 USER=u0_a294 _=--help command_not_found_handle () { /data/data/com.termux/files/usr/libexec/termux/command-not-found "$1" } # LD_PRELOAD=/data/data/com.termux/files/usr/lib/libtermux-exec.so id bash: /data/data/com.termux/files/usr/bin/id: Permission denied ```
From adb shell: ``` hero2lte:/ $ /sbin/su hero2lte:/ # for f in /sbin/su /sbin/magisk /sbin/magisk.bin /data/data/com.termux/files/usr/bin/{coreutils,id} /data/data/com.termux/files/usr/lib/libtermux-exec.so; do ls -l $f; file $f; done lrwxrwxrwx 1 root root 12 2019-02-05 18:47 /sbin/su -> /sbin/magisk /sbin/su: symbolic link -rwxr-xr-x 1 root root 94 2019-02-05 18:47 /sbin/magisk /sbin/magisk: /system/bin/sh script -rwxr-xr-x 1 root root 100068 2019-02-05 18:47 /sbin/magisk.bin /sbin/magisk.bin: ELF shared object, 32-bit LSB arm, dynamic (/system/bin/linker), BuildID=04ebe378f4100b5ff7c3eb7da8a17a10836e5ce1, stripped -rwxr-xr-x 1 u0_a294 u0_a294 1054504 2018-07-03 11:20 /data/data/com.termux/files/usr/bin/coreutils /data/data/com.termux/files/usr/bin/coreutils: ELF shared object, 64-bit LSB arm64, dynamic (/system/bin/linker64), for Android 21, built by NDK r17 (4754217), stripped lrwxrwxrwx 1 u0_a294 u0_a294 9 2019-01-29 17:46 /data/data/com.termux/files/usr/bin/id -> coreutils /data/data/com.termux/files/usr/bin/id: symbolic link -rwxr-xr-x 1 u0_a294 u0_a294 5720 2017-10-01 22:13 /data/data/com.termux/files/usr/lib/libtermux-exec.so /data/data/com.termux/files/usr/lib/libtermux-exec.so: ELF shared object, 64-bit LSB arm64, stripped hero2lte:/ # cat /sbin/magisk #!/system/bin/sh unset LD_LIBRARY_PATH unset LD_PRELOAD exec /sbin/magisk.bin "${0##*/}" "$@" hero2lte:/ # env | sort ANDROID_ASSETS=/system/app ANDROID_BOOTLOGO=1 ANDROID_DATA=/data ANDROID_ROOT=/system ANDROID_SOCKET_adbd=8 ANDROID_STORAGE=/storage ASEC_MOUNTPOINT=/mnt/asec BOOTCLASSPATH=/system/framework/core-oj.jar:/system/framework/core-libart.jar:/system/framework/conscrypt.jar:/system/framework/okhttp.jar:/system/framework/legacy-test.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/system/framework/apache-xml.jar:/system/framework/org.apache.http.legacy.boot.jar:/system/framework/smartbondingservice.jar:/system/framework/sprengine.jar:/system/framework/android.hidl.base-V1.0-java.jar:/system/framework/android.hidl.manager-V1.0-java.jar:/system/framework/timakeystore.jar:/system/framework/fipstimakeystore.jar:/system/framework/ucmopensslenginehelper.jar:/system/framework/esecomm.jar:/system/framework/SemAudioThumbnail.jar:/system/framework/knoxsdk.jar:/system/framework/sec_edm.jar:/system/framework/sagearpolicymanager.jar:/system/framework/sec_sdp_sdk.jar:/system/framework/sec_sdp_hidden_sdk.jar:/system/framework/knoxvpnuidtag.jar DOWNLOAD_CACHE=/data/cache ENC_EMULATED_STORAGE_TARGET=/storage/enc_emulated EXTERNAL_STORAGE=/sdcard HOME=/ HOSTNAME=hero2lte KNOX_STORAGE=/data/knox/ext_sdcard LOGNAME=root MC_AUTH_TOKEN_PATH=/efs PATH=/sbin:/system/sbin:/system/bin:/system/xbin:/vendor/bin:/vendor/xbin SHELL=/system/bin/sh SYSTEMSERVERCLASSPATH=/system/framework/services.jar:/system/framework/ethernet-service.jar:/system/framework/wifi-service.jar:/system/framework/samsung-services.jar:/system/framework/hqm.jar:/system/framework/dmf.jar:/system/framework/ssrm.jar TERM=dumb TMPDIR=/data/local/tmp USER=root _=/system/bin/env # getenforce Permissive ```
Comparison of the virtual memory maps of bash ### bash as user termux: ``` $ x=$(
sahad1234black commented 3 years ago

i also getting this bash: /data/data/com.termux/files/usr/bin/applets/ls: Permission denied

how to solve this

android 5.1.1 root supersu

ArcPen commented 3 years ago

I got the same problem. I'm using Samsung Galaxy S4, android 5.0.1, and is rooted using supersu. the prompt goes like this:

$ tsu
# pwd
/data/data/com.termux/files/home
# ls
bash: /data/data/com.termux/files/usr/bin/ls: Permission denied
# whoami
bash: /data/data/com.termux/files/usr/bin/whoami: Permission denied
# what???
bash: /data/data/com.termux/files/usr/libexec/termux/command-not-found: Permission denied

I guess there's something to do with permissions, so I tried chmod -R 777 /data/data/com.termux/files/usr/, but still won't work.

I'm still not sure what caused the problem. In the tsu shell, only the help and few other commands can be executed normally.

I took a screenshot to see what permissions are granted to it: The permissions given

Those paths are started with something like "LD_LIBRARYPATH", but I found that $LD_LIBRARY_PATH_ is empty while $LD_LIBRARY_PATH is not. Does the small underline in the end matter?

Appreciations to your help. Hope to solve this problem.

ArcPen commented 3 years ago

I did as @Grimler91 said in termux/termux-api#269. I updated my rom and I'm using android 7 and magisk for root. Now the problem is gone. The tsu command functions normally.

dyabol commented 1 year ago

I hame same issue on Samsung Galaxy S8 (SM-G950F), newest ROM from 2022-08-19 and Magisk 25.2. Everithing works fine until i start script by Termax bash.

$ sudo ./test

Content of "test":

#!/data/data/com.termux/files/usr/bin/bash

whoami

Result:

test: line 3: /data/data/com.termux/files/usr/bin/whoami: Permission denied

Problem si only in combination of root and Termax bash.