As I mentioned in the last post, I’ve had some annoyances with the root shell since the upgrade to Android 4.3. To recap, from Android 4.3, the traditional way of using su on Android no longer works because Android’s zygote process drops many capabilities, and the entire /system partition is mounted nosuid. SuperSU solves this by proxying requests to a daemon who is not a descendant of zygote, but this messes up terminal window sizing. Additionally, I’ve since switched from SuperSU to koush’s Superuser, which actually makes the root shell even worse, as it doesn’t seem to handle the terminal properly, leading root applications to believe they are connected to a pipe rather than a terminal.
I did several experiments and spent some time reading SSH’s source code. Then I clobbered together several utilities and managed to produce the exact result I wanted: A shell which behaves properly, terminal-wise.
From there I made a daemon which does nearly the same thing as SuperSU’s and Superuser’s su daemon, as well as a complimentary client for requesting applications to be run as root by the daemon. The daemon (pts-daemon) is launched at boot time via init, and is therefore already running as root with all Linux capabilities intact.
When you run the client (pts-shell),
- pts-shell establishes a unix socket connection to pts-daemon.
- pts-shell asks the user for the password and sends it along to the pts-daemon via the unix socket.
- pts-daemon responds with an “OK” or “Authorization Failed”. If all is OK, we continue.
- pts-client opens a pseudo-terminal device and tells pts-daemon the name of the newly created pts device, along with a path and command line arguments to an application to run (for example, /system/bin/sh).
- pts-daemon forks a child process. This child process will then become a process group leader (setsid), open the pseudo-terminal device pts-client created, make that pseudo-terminal device its stdin/stdout/stderr, then finally exec the application pts-client wanted to be run.
- Meanwhile, pts-client changes the termios settings on its stdin, doing things like putting it in raw unbuffered mode and disabling echo. Then it starts pumping bytes between its own stdin/stdout and the pseudo-terminal. In addition, it also traps SIGWINCH, sending TIOCSWINSZ to the pseudo-terminal with the new row and column count whenever it receives that signal.
pts-client is able to receive SIGWINCH because it’s attached directly to the terminal emulator. To clarify, this means that pts-client should not be run from inside a root shell, as this would completely negate the whole reason for using it!
All in all I’m quite happy with how this has worked out. You can see the code on GitHub. If you want to try it out yourself, this is how you can install it:
- Download the update zip and load it using ClockworkMod or TWRP.
- In a root shell, run pts-passwd to set the password for the first time. (You can run this again to change the password.)
- From a regular (non-root) shell, run pts-shell <path to application> any time you want a root shell. (eg. “pts-shell /system/bin/sh”)
I’ve only tested it on a Nexus 10 with koush’s Superuser app, although I’m pretty sure it should work with SuperSU’s as well. Do let me know how it works out for you, if you try it.