WO2018090452A1 - Method and apparatus for protecting root permission - Google Patents

Method and apparatus for protecting root permission Download PDF

Info

Publication number
WO2018090452A1
WO2018090452A1 PCT/CN2016/112615 CN2016112615W WO2018090452A1 WO 2018090452 A1 WO2018090452 A1 WO 2018090452A1 CN 2016112615 W CN2016112615 W CN 2016112615W WO 2018090452 A1 WO2018090452 A1 WO 2018090452A1
Authority
WO
WIPO (PCT)
Prior art keywords
pseudo
program
root
protecting
environment variable
Prior art date
Application number
PCT/CN2016/112615
Other languages
French (fr)
Chinese (zh)
Inventor
韩瑞峰
Original Assignee
深圳Tcl数字技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳Tcl数字技术有限公司 filed Critical 深圳Tcl数字技术有限公司
Publication of WO2018090452A1 publication Critical patent/WO2018090452A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/629Protecting access to data via a platform, e.g. using keys or access control rules to features or functions of an application
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the present invention relates to the field of mobile terminal technologies, and in particular, to a method and an apparatus for protecting root rights.
  • root tools At present, users generally use some root tools to root the operating system of the terminal.
  • the basic principles of these root tools basically use some security vulnerabilities to obtain the highest authority, and then any user can log in to the operating system.
  • SU Switch User switch user
  • any application can get root privileges by calling the SU program.
  • the root privilege can bring some convenience to the user, it also exposes the highest privilege of the system. If a malicious program uses the root privilege, it can almost access and modify all the files in the terminal, copy all sensitive information, photos, Video, etc., uploaded to any address specified by the malicious program, the consequences are very serious. In addition, improper operation with root privileges is quite dangerous. A slight delay may cause the terminal to crash, and a serious one may cause the terminal to fail to boot properly. Since the Android system is based on linux, there are many Linux vulnerabilities that can be exploited on the market, and there are many vulnerabilities in the hands of a few people that have not leaked out. Therefore, there is currently no way to completely prevent the terminal from being rooted, and the operating system of the terminal. Once rooted, the root privileges of the terminal are completely exposed, threatening the security of the data in the terminal.
  • the present invention provides a method for protecting root rights, including:
  • the method further includes:
  • the pre-compiled pseudo-SU program is saved in a storage directory corresponding to the pseudo environment variable.
  • the method further includes:
  • the pseudo-environment variable corresponding to the pseudo-SU program in the storage directory is sent to the application.
  • the method further includes:
  • the method further includes:
  • a reminder message or a warning message is added in advance to the pseudo-SU program.
  • the reminder message or the warning message is output to remind the user that the root authority fails to be obtained.
  • the present invention also provides an apparatus for protecting Root authority, the apparatus comprising:
  • An obtaining module configured to acquire, after detecting an operating system root of the terminal, a read priority of a storage directory corresponding to an environment variable storing the SU program in the operating system;
  • a setting module configured to set a read priority of the storage directory corresponding to the pseudo environment variable according to the read priority of the storage directory corresponding to the obtained environment variable, wherein the pseudo environment variable corresponds to the read after the storage directory is set
  • the priority is higher than the read priority of the storage directory corresponding to the obtained environment variable.
  • the adding module is further configured to:
  • the pre-compiled pseudo-SU program is saved in a storage directory corresponding to the pseudo environment variable.
  • the device further comprises:
  • the calling module is configured to send the pseudo-SU variable corresponding to the pseudo-SU program in the storage directory to the application if a call instruction for calling the SU program sent by any application is detected.
  • the adding module is further configured to:
  • the device further comprises:
  • the reminding module is configured to add a reminder message or a warning message to the pseudo-SU program in advance. After receiving the pseudo-SU program, the application may output the reminder message or the warning message to remind the user that the root authority fails to be obtained.
  • the method and device for protecting the root privilege provided by the present invention include: adding a pseudo environment variable to the operating system of the terminal in advance, and acquiring the environment variable of the SU program stored in the operating system after detecting the operating system root of the terminal Corresponding to the read priority of the storage directory, setting the read priority of the storage directory corresponding to the pseudo environment variable according to the read priority of the storage directory corresponding to the obtained environment variable, so that the pseudo environment variable corresponds to the storage directory setting The read priority is higher than the read priority of the storage directory corresponding to the obtained environment variable.
  • the invention adds a pseudo environment variable in the operating system of the terminal in advance, and sets the reading priority of the storage directory corresponding to the pseudo environment variable to be higher than the reading of the storage directory corresponding to the environment variable storing the SU program in the operating system after the root.
  • the priority is that the application cannot call the stored SU program, and thus cannot obtain any root authority.
  • FIG. 1 is a schematic flowchart of a first embodiment of a method for protecting root rights according to the present invention
  • FIG. 2 is a schematic flowchart of a second embodiment of a method for protecting root rights according to the present invention
  • FIG. 3 is a schematic flowchart of a third embodiment of a method for protecting root rights according to the present invention.
  • FIG. 4 is a schematic diagram of functional modules of a first embodiment of a device for protecting root rights according to the present invention
  • FIG. 5 is a schematic diagram of functional modules of a second embodiment of an apparatus for protecting root rights according to the present invention.
  • FIG. 6 is a schematic diagram of functional modules of a third embodiment of the apparatus for protecting root rights according to the present invention.
  • FIG. 1 is a schematic flowchart of a method for protecting a root privilege according to a first embodiment of the present invention.
  • the method for protecting a root privilege is applied to an operating system of a terminal or a terminal, and the method includes:
  • step S10 a pseudo environment variable is added in advance to the operating system of the terminal.
  • a pseudo environment variable to the operating system of the terminal in advance, and specifically, the terminal may be added before leaving the factory.
  • a pseudo environment variable "/security" is added to the operating system of the terminal before the terminal leaves the factory.
  • the environment variable generally refers to some parameters used in the operating system to specify the operating environment of the operating system, such as the temporary folder location and the system folder location.
  • An environment variable is an object with a specific name in the operating system that contains information that one or more applications will use.
  • the path environment variable in Windows and DOS operating systems when the system is required to run a program without telling the full path of the program, the system should look for the path specified in the path environment variable in addition to the current directory. To find. That is, environment variables are mainly used to specify a program software path, which contains strings such as drive, path or file name, and environment variables control the behavior of multiple programs, only administrators can add, modify or delete operations. System system environment variables.
  • the method further includes:
  • the pre-compiled pseudo-SU program is saved in a storage directory corresponding to the pseudo environment variable.
  • the pseudo-SU program is pre-compiled, and then stored in the storage directory corresponding to the pseudo environment variable, for example, in the storage directory "/security" corresponding to the pseudo environment variable.
  • the normal SU program can make a normal user switch to super user or other users, and can temporarily have the rights of the switched user, and any application can obtain root privileges by calling the SU program.
  • the pseudo-SU program described in this embodiment is an empty program file or a security program that does not include any rights, that is, the application cannot obtain any root authority by calling the pseudo-SU program described in this embodiment.
  • step S20 after the operating system root of the terminal is detected, the read priority of the storage directory corresponding to the environment variable storing the SU program in the operating system is obtained.
  • the root root tool of the operating system stores the compiled SU program in a storage directory corresponding to the environment variable it establishes, for example, the compiled SU program. Stored in the storage directory "/system/bin" or “/system/xbin” corresponding to the environment variable it is created.
  • the storage directory corresponding to the environment variable has a read priority, that is, any application needs to call the read priority of the storage directory corresponding to the environment variable when calling the program in the environment variable, so the implementation For example, after the operating system root of the terminal is detected, the read priority of the storage directory corresponding to the environment variable storing the SU program in the operating system is obtained.
  • Step S30 setting a read priority of the storage directory corresponding to the pseudo environment variable according to the read priority of the storage directory corresponding to the environment variable, wherein the pseudo environment variable corresponds to the read priority after the storage directory is set.
  • the level is higher than the read priority of the storage directory corresponding to the obtained environment variable.
  • any application can only invoke the priority.
  • the high pseudo environment variable corresponds to the pseudo-SU program in the storage directory, and the SU program in the storage directory corresponding to the lower-priority environment variable cannot be called, so that no root authority can be obtained.
  • the method for protecting the root privilege in the embodiment includes: adding a pseudo environment variable to the operating system of the terminal in advance, and after detecting the operating system root of the terminal, acquiring an environment variable corresponding to the SU program stored in the operating system
  • the read priority of the storage directory is set, and the read priority of the storage directory corresponding to the pseudo environment variable is set according to the read priority of the storage directory corresponding to the obtained environment variable, so that the pseudo environment variable is corresponding to the storage directory setting.
  • the read priority is higher than the read priority of the storage directory corresponding to the obtained environment variable.
  • a pseudo environment variable is added in the operating system of the terminal in advance, and the read priority of the storage directory corresponding to the pseudo environment variable is set to be higher than that of the storage directory corresponding to the environment variable of the SU program stored in the operating system after the root.
  • the priority is obtained, so that the application cannot call the stored SU program, and thus the root authority cannot be obtained.
  • the technical problem that the root authority of the terminal is completely exposed after the operating system root of the terminal in the prior art is solved, and the terminal is improved. The security of the internal data.
  • FIG. 2 is a schematic flowchart of a second embodiment of a method for protecting a root privilege according to the foregoing embodiment of the present invention.
  • the above methods for protecting Root permissions include:
  • Step S40 If a call instruction for calling the SU program sent by any application is detected, the pseudo-SU variable corresponding to the pseudo-SU program in the storage directory is sent to the application.
  • the root tool After the operating system root of the terminal, the root tool adds a compiled SU program to the operating system of the terminal, and then any application can obtain the root authority by calling the SU program.
  • the pseudo-environment variable for storing the pseudo-SU program in the embodiment corresponds to the read priority of the storage directory, and is higher than the storage directory corresponding to the environment variable for storing the SU program established by the root tool in the terminal operating system.
  • Read priority so after detecting the call instruction for calling the SU program sent by any application, only the pseudo-SU program corresponding to the higher priority pseudo environment variable can be called, that is, if any random detection is detected,
  • the application sends a call instruction for calling the SU program, and sends the pseudo-environment variable with a higher priority to the application in the storage directory corresponding to the pseudo-SU program.
  • the application can only extract the pseudo environment with higher priority.
  • the variable corresponds to the pseudo-SU program in the storage directory, and the SU program in the storage directory corresponding to the environment variable having the lower priority cannot be extracted.
  • the method for protecting the root authority in the embodiment after detecting the call instruction for calling the SU program sent by any application after the operating system root of the terminal, the pseudo environment variable is corresponding to the storage directory.
  • the pseudo-SU program is sent to the application, so that the application cannot obtain the SU program established by the root tool, and thus cannot obtain any root authority, thereby realizing the purpose of effectively protecting the root authority after the operating system root of the terminal.
  • the method further includes:
  • the SU program established by the root tool is extracted to obtain the root authority.
  • the pre-compiled pseudo-SU program is saved in the pseudo. After the storage directory corresponding to the environment variable, the file attribute of the pseudo-SU program is set to read-only, or the file attribute of the pseudo-SU program is set to be non-deletable.
  • the pseudo-SU program described in this embodiment may be a blank SU program, which does not include any command for invoking the root privilege, so any application cannot obtain any root privilege after obtaining the pseudo-SU program. of.
  • the method for protecting the root authority in the embodiment after saving the pre-compiled pseudo-SU program in the storage directory corresponding to the pseudo environment variable, setting the file attribute of the pseudo-SU program to read-only, or The file attribute of the pseudo SU program is set to be undeleteable.
  • setting the file attribute of the pseudo-SU program to read-only or non-deletable it is possible to effectively prevent the malware from extracting the SU program established by the root tool to obtain the root authority by modifying or deleting the pseudo-SU program.
  • the purpose of effectively protecting the root authority of the terminal after the operating system root of the terminal is implemented.
  • FIG. 3 is a schematic flowchart of a third embodiment of a method for protecting a root privilege according to the present invention.
  • the method for protecting a root privilege according to the embodiment described in FIG. 1 and FIG. also includes:
  • Step S50 Add a reminder message or a warning message to the pseudo-SU program in advance. After receiving the pseudo-SU program, the application may output the reminder message or the warning message to remind the user that the root authority fails to be obtained.
  • a reminder message or a warning message is added to the pseudo-SU program in advance, such as “failure to obtain root authority” or “prohibit obtaining root authority”, etc., to remind the user that the root authority fails to be obtained, or to warn the user for the terminal.
  • the security of the internal data, prohibiting the acquisition of root privileges, and when a malicious application wants to obtain the root program, is used to prompt the user to prevent it.
  • an alert message or a warning message in the pseudo SU program is output.
  • the reminder message or the warning message may be output to the operation interface of the application, or the reminder message or the warning message may be directly outputted to the display interface of the terminal to remind the user.
  • the method for protecting the root authority in the embodiment by adding a reminder message or a warning message to the pseudo-SU program in advance, after receiving the pseudo-SU program by any application, outputting the reminder message or the warning message,
  • the user can be prompted to obtain the root failure after the terminal root, or the user is prompted to obtain the root permission for the security of the data in the terminal, thereby further protecting the data of the terminal after the root is in the terminal. Security.
  • FIG. 4 is a schematic diagram of a functional module of a device for protecting a root privilege according to a first embodiment of the present invention.
  • the device for protecting the root privilege is a part of the terminal, and the device 100 for protecting the root privilege include:
  • the module 10 is added for adding a pseudo environment variable in the operating system of the terminal in advance.
  • a pseudo environment variable to the operating system of the terminal in advance, and specifically, the terminal may be added before leaving the factory.
  • a pseudo environment variable "/security" is added to the operating system of the terminal before the terminal leaves the factory.
  • the environment variable generally refers to some parameters used in the operating system to specify the operating environment of the operating system, such as the temporary folder location and the system folder location.
  • An environment variable is an object with a specific name in the operating system that contains information that one or more applications will use.
  • the path environment variable in Windows and DOS operating systems when the system is required to run a program without telling the full path of the program, the system should look for the path specified in the path environment variable in addition to the current directory. To find. That is, environment variables are mainly used to specify a program software path, which contains strings such as drive, path or file name, and environment variables control the behavior of multiple programs, only administrators can add, modify or delete operations. System system environment variables.
  • adding module 10 is further configured to:
  • the pre-compiled pseudo-SU program is saved in the storage directory corresponding to the pseudo environment variable.
  • the pseudo-SU program is pre-compiled, and then stored in the storage directory corresponding to the pseudo environment variable, for example, in the storage directory "/security" corresponding to the pseudo environment variable.
  • the normal SU program can make a normal user switch to super user or other users, and can temporarily have the rights of the switched user, and any application can obtain root privileges by calling the SU program.
  • the pseudo-SU program described in this embodiment is an empty program file or a security program that does not include any rights, that is, the application cannot obtain any root authority by calling the pseudo-SU program described in this embodiment.
  • the obtaining module 20 is configured to acquire, after detecting the operating system root of the terminal, a read priority of the storage directory corresponding to the environment variable storing the SU program in the operating system.
  • the root root tool of the operating system stores the compiled SU program in a storage directory corresponding to the environment variable it establishes, for example, the compiled SU program is stored.
  • the storage directory "/system/bin” or “/system/xbin” corresponding to the environment variable it establishes.
  • the storage directory corresponding to the environment variable has a read priority, that is, any application needs to call the read priority of the storage directory corresponding to the environment variable when calling the program in the environment variable, so the implementation For example, after the operating system root of the terminal is detected, the read priority of the storage directory corresponding to the environment variable storing the SU program in the operating system is obtained.
  • the setting module 30 is configured to set a read priority of the storage directory corresponding to the pseudo environment variable according to the read priority of the storage directory corresponding to the environment variable, where the pseudo environment variable corresponds to the storage directory setting The read priority is higher than the read priority of the storage directory corresponding to the obtained environment variable.
  • any application can only invoke the priority.
  • the high pseudo environment variable corresponds to the pseudo-SU program in the storage directory, and the SU program in the storage directory corresponding to the lower-priority environment variable cannot be called, so that no root authority can be obtained.
  • the device for protecting the root privilege in the embodiment includes: adding a pseudo environment variable to the operating system of the terminal in advance, and after detecting the operating system root of the terminal, acquiring an environment variable corresponding to the SU program stored in the operating system
  • the read priority of the storage directory is set, and the read priority of the storage directory corresponding to the pseudo environment variable is set according to the read priority of the storage directory corresponding to the obtained environment variable, so that the pseudo environment variable is corresponding to the storage directory setting.
  • the read priority is higher than the read priority of the storage directory corresponding to the obtained environment variable.
  • a pseudo environment variable is added in the operating system of the terminal in advance, and the read priority of the storage directory corresponding to the pseudo environment variable is set to be higher than that of the storage directory corresponding to the environment variable of the SU program stored in the operating system after the root.
  • the priority is obtained, so that the application cannot call the stored SU program, and thus the root authority cannot be obtained.
  • the technical problem that the root authority of the terminal is completely exposed after the operating system root of the terminal in the prior art is solved, and the terminal is improved. The security of the internal data.
  • FIG. 5 is a schematic diagram of a functional module of a second embodiment of the apparatus for protecting the root privilege according to the embodiment of FIG. 4, in this embodiment, after the operating system root of the terminal
  • the device 100 for protecting the root authority further includes:
  • the calling module 40 is configured to send a pseudo-SU program corresponding to the storage directory to the application if the calling instruction for calling the SU program sent by any application is detected.
  • the root tool After the operating system root of the terminal, the root tool adds a compiled SU program to the operating system of the terminal, and then any application can obtain the root authority by calling the SU program.
  • the pseudo-environment variable for storing the pseudo-SU program in the embodiment corresponds to the read priority of the storage directory, and is higher than the storage directory corresponding to the environment variable for storing the SU program established by the root tool in the terminal operating system.
  • Read priority so after detecting the call instruction for calling the SU program sent by any application, only the pseudo-SU program corresponding to the higher priority pseudo environment variable can be called, that is, if any random detection is detected,
  • the application sends a call instruction for calling the SU program, and sends the pseudo-environment variable with a higher priority to the application in the storage directory corresponding to the pseudo-SU program.
  • the application can only extract the pseudo environment with higher priority.
  • the variable corresponds to the pseudo-SU program in the storage directory, and the SU program in the storage directory corresponding to the environment variable having the lower priority cannot be extracted.
  • the apparatus for protecting the root authority after detecting the call instruction for calling the SU program sent by any application after the operating system root of the terminal, the pseudo environment variable is corresponding to the storage directory.
  • the pseudo-SU program is sent to the application, so that the application cannot obtain the SU program established by the root tool, and thus cannot obtain any root authority, thereby realizing the purpose of effectively protecting the root authority after the operating system root of the terminal.
  • the adding module 10 is further configured to:
  • the SU program established by the root tool is extracted to obtain the root authority.
  • the pre-compiled pseudo-SU program is saved in the pseudo. After the storage directory corresponding to the environment variable, the file attribute of the pseudo-SU program is set to read-only, or the file attribute of the pseudo-SU program is set to be non-deletable.
  • the pseudo-SU program described in this embodiment may be a blank SU program, which does not include any command for invoking the root privilege, so any application cannot obtain any root privilege after obtaining the pseudo-SU program. of.
  • the device for protecting the root authority in the embodiment after saving the pre-compiled pseudo-SU program in the storage directory corresponding to the pseudo environment variable, setting the file attribute of the pseudo-SU program to read-only, or The file attribute of the pseudo SU program is set to be undeleteable.
  • setting the file attribute of the pseudo-SU program to read-only or non-deletable it is possible to effectively prevent the malware from extracting the SU program established by the root tool to obtain the root authority by modifying or deleting the pseudo-SU program.
  • the purpose of effectively protecting the root authority of the terminal after the operating system root of the terminal is implemented.
  • FIG. 6 is a schematic diagram of a functional module of a third embodiment of the apparatus for protecting the root privilege according to the embodiment of FIG. 4 and FIG. 5, in the embodiment, the protection of the root privilege
  • the device 100 also includes:
  • the reminding module 50 is configured to add a reminder message or a warning message to the pseudo SU program in advance. After receiving the pseudo SU program, the application may output the reminder message or the warning message to remind the user that the root authority fails to be obtained. .
  • a reminder message or a warning message is added to the pseudo-SU program in advance, such as “failure to obtain root authority” or “prohibit obtaining root authority”, etc., to remind the user that the root authority fails to be obtained, or to warn the user for the terminal.
  • the security of the internal data, prohibiting the acquisition of root privileges, and when a malicious application wants to obtain the root program, is used to prompt the user to prevent it.
  • an alert message or a warning message in the pseudo SU program is output.
  • the reminder message or the warning message may be output to the operation interface of the application, or the reminder message or the warning message may be directly outputted to the display interface of the terminal to remind the user.
  • the apparatus for protecting the root authority in the embodiment by adding a reminder message or a warning message to the pseudo SU program in advance, after receiving the pseudo SU program by any application, outputting the reminder message or the warning message.
  • the user can be prompted to obtain the root failure after the terminal root, or the user is prompted to obtain the root permission for the security of the data in the terminal, thereby further protecting the data of the terminal after the root is in the terminal. Security.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

A method and apparatus for protecting root permission, comprising: adding a pseudo environment variable in an operating system of a terminal in advance (S10); obtaining reading priority of a storage directory corresponding to an environment variable for storing a switch user (SU) procedure in the operating system after the root of the operating system of the terminal is detected (S20); and configuring reading priority of a storage directory corresponding to the pseudo environment variable according to the obtained reading priority of the storage directory corresponding to the environment variable, the reading priority of the configured storage directory corresponding to the pseudo environment variable being higher than the obtained reading priority of the storage directory corresponding to the environment variable (S30). The present invention solves the technical problem in existing technology wherein the root permission of a terminal is completely exposed after the operating system of the terminal detects the root and improves the safety of data in the terminal.

Description

保护Root权限的方法及装置  Method and device for protecting root authority
技术领域Technical field
本发明涉及移动终端技术领域,尤其涉及一种保护Root权限的方法及装置。The present invention relates to the field of mobile terminal technologies, and in particular, to a method and an apparatus for protecting root rights.
背景技术Background technique
随着Android产品越来越多,其友好的操作界面,丰富的扩展应用,以及开源性质,都是Android系统目前在智能设备市场上占用率遥遥领先的原因。随着用户对Android系统的深入了解,一些用户开始不满足只拥有普通的用户权限,纷纷对Android终端进行root,以获取更高的权限。With more and more Android products, its friendly operation interface, rich extension applications, and open source nature are the reasons why the Android system is currently leading the smart device market. With the user's in-depth understanding of the Android system, some users are not satisfied with only having ordinary user rights, and they have rooted the Android terminal to obtain higher privileges.
目前,用户一般都是借助于一些root工具来对终端的操作系统进行root,这些root工具的原理基本都是利用一些安全漏洞,获取到最高权限,然后在操作系统中加入一个任何用户都可以登陆的SU(Switch User切换用户)程序,任意应用程序都可以通过调用该SU程序来获得root权限。At present, users generally use some root tools to root the operating system of the terminal. The basic principles of these root tools basically use some security vulnerabilities to obtain the highest authority, and then any user can log in to the operating system. SU (Switch User switch user) program, any application can get root privileges by calling the SU program.
Root权限虽然能够给用户带来某些方面的便利,但是也暴露了系统的最高权限,若有恶意程序利用root权限,几乎可以访问和修改终端内的所有文件,复制所有的敏感信息,照片,视频等等,上传至恶意程序指定的任意地址,后果非常严重。另外,使用root权限进行不当的操作是相当危险的,轻微的可能导致终端死机,严重的则会导致终端无法正常开机。由于Android系统是基于linux的,目前市面上能够利用的linux漏洞很多,而且有很多漏洞掌握在少数人手中并没有泄露出来,故目前并没有办法能够完全的防止终端被root,而终端的操作系统一旦被root之后,终端的root权限就会完全暴露,从而威胁终端内数据的安全性。Although the root privilege can bring some convenience to the user, it also exposes the highest privilege of the system. If a malicious program uses the root privilege, it can almost access and modify all the files in the terminal, copy all sensitive information, photos, Video, etc., uploaded to any address specified by the malicious program, the consequences are very serious. In addition, improper operation with root privileges is quite dangerous. A slight delay may cause the terminal to crash, and a serious one may cause the terminal to fail to boot properly. Since the Android system is based on linux, there are many Linux vulnerabilities that can be exploited on the market, and there are many vulnerabilities in the hands of a few people that have not leaked out. Therefore, there is currently no way to completely prevent the terminal from being rooted, and the operating system of the terminal. Once rooted, the root privileges of the terminal are completely exposed, threatening the security of the data in the terminal.
发明内容Summary of the invention
本发明的主要目的在于提出一种保护Root权限的方法及装置,旨在解决现有技术中终端的操作系统root之后,终端的root权限就会完全暴露的技术问题,提高终端内数据的安全性。The main purpose of the present invention is to provide a method and device for protecting the root privilege, which aims to solve the technical problem that the root privilege of the terminal is completely exposed after the operating system root of the terminal in the prior art, and improve the security of the data in the terminal. .
为实现上述目的,本发明提供一种保护Root权限的方法,包括:To achieve the above object, the present invention provides a method for protecting root rights, including:
预先在终端的操作系统中添加伪环境变量;Add a pseudo environment variable to the operating system of the terminal in advance;
当检测到所述终端的操作系统root之后,获取所述操作系统中存储SU程序的环境变量对应存储目录的读取优先级;After detecting the operating system root of the terminal, acquiring an environment variable of the SU program stored in the operating system corresponds to a read priority of the storage directory;
根据获取到的所述环境变量对应存储目录的读取优先级设置所述伪环境变量对应存储目录的读取优先级,其中,所述伪环境变量对应存储目录设置后的读取优先级高于获取到的所述环境变量对应存储目录的读取优先级。Setting a read priority of the storage directory corresponding to the pseudo environment variable according to the read priority of the storage directory corresponding to the obtained environment variable, wherein the read priority of the pseudo environment variable corresponding to the storage directory setting is higher than The obtained environment variable corresponds to the read priority of the storage directory.
优选地,所述预先在终端的操作系统中添加一个伪环境变量之后还包括:Preferably, after the adding a pseudo environment variable in the operating system of the terminal in advance, the method further includes:
将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中。The pre-compiled pseudo-SU program is saved in a storage directory corresponding to the pseudo environment variable.
优选地,在所述终端的操作系统root之后,所述方法还包括:Preferably, after the operating system root of the terminal, the method further includes:
若检测到任意应用发送的用于调用SU程序的调用指令,则将所述伪环境变量对应存储目录中的伪SU程序发送至所述应用。If a call instruction for calling the SU program sent by any application is detected, the pseudo-environment variable corresponding to the pseudo-SU program in the storage directory is sent to the application.
优选地,所述将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中之后还包括:Preferably, after the pre-compiled pseudo-SU program is saved in the storage directory corresponding to the pseudo environment variable, the method further includes:
将所述伪SU程序的文件属性设置为只读,或者将所述伪SU程序的文件属性设置为不可删除。Setting the file attribute of the pseudo-SU program to read-only, or setting the file attribute of the pseudo-SU program to be non-deletable.
优选地,所述方法还包括:Preferably, the method further includes:
预先在所述伪SU程序中添加提醒消息或者警告消息,当任意应用接收到所述伪SU程序之后,则输出所述提醒消息或者警告消息,以提醒用户获取root权限失败。A reminder message or a warning message is added in advance to the pseudo-SU program. When any application receives the pseudo-SU program, the reminder message or the warning message is output to remind the user that the root authority fails to be obtained.
此外,为实现上述目的,本发明还提供一种保护Root权限的装置,所述装置包括:In addition, in order to achieve the above object, the present invention also provides an apparatus for protecting Root authority, the apparatus comprising:
添加模块,用于预先在终端的操作系统中添加伪环境变量;Adding a module for adding a pseudo environment variable to the operating system of the terminal in advance;
获取模块,用于当检测到所述终端的操作系统root之后,获取所述操作系统中存储SU程序的环境变量对应存储目录的读取优先级;An obtaining module, configured to acquire, after detecting an operating system root of the terminal, a read priority of a storage directory corresponding to an environment variable storing the SU program in the operating system;
设置模块,用于根据获取到的所述环境变量对应存储目录的读取优先级设置所述伪环境变量对应存储目录的读取优先级,其中,所述伪环境变量对应存储目录设置后的读取优先级高于获取到的所述环境变量对应存储目录的读取优先级。a setting module, configured to set a read priority of the storage directory corresponding to the pseudo environment variable according to the read priority of the storage directory corresponding to the obtained environment variable, wherein the pseudo environment variable corresponds to the read after the storage directory is set The priority is higher than the read priority of the storage directory corresponding to the obtained environment variable.
优选地,所述添加模块还用于:Preferably, the adding module is further configured to:
将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中。The pre-compiled pseudo-SU program is saved in a storage directory corresponding to the pseudo environment variable.
优选地,所述装置还包括:Preferably, the device further comprises:
调用模块,用于若检测到任意应用发送的用于调用SU程序的调用指令,则将所述伪环境变量对应存储目录中的伪SU程序发送至所述应用。The calling module is configured to send the pseudo-SU variable corresponding to the pseudo-SU program in the storage directory to the application if a call instruction for calling the SU program sent by any application is detected.
优选地,所述添加模块还用于:Preferably, the adding module is further configured to:
在将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中之后,将所述伪SU程序的文件属性设置为只读,或者将所述伪SU程序的文件属性设置为不可删除。After saving the pre-compiled pseudo-SU program in the storage directory corresponding to the pseudo environment variable, setting the file attribute of the pseudo-SU program to read-only, or setting the file attribute of the pseudo-SU program to be unavailable. delete.
优选地,所述装置还包括:Preferably, the device further comprises:
提醒模块,用于预先在所述伪SU程序中添加提醒消息或者警告消息,当任意应用接收到所述伪SU程序之后,则输出所述提醒消息或者警告消息,以提醒用户获取root权限失败。The reminding module is configured to add a reminder message or a warning message to the pseudo-SU program in advance. After receiving the pseudo-SU program, the application may output the reminder message or the warning message to remind the user that the root authority fails to be obtained.
本发明所提供的保护Root权限的方法及装置,包括预先在终端的操作系统中添加伪环境变量,当检测到所述终端的操作系统root之后,获取所述操作系统中存储SU程序的环境变量对应存储目录的读取优先级,根据获取到的所述环境变量对应存储目录的读取优先级设置所述伪环境变量对应存储目录的读取优先级,使得所述伪环境变量对应存储目录设置后的读取优先级高于获取到的所述环境变量对应存储目录的读取优先级。本发明通过预先在终端的操作系统中添加一个伪环境变量,并设置该伪环境变量对应存储目录的读取优先级高于root之后的操作系统中存储SU程序的环境变量对应存储目录的读取优先级,使得应用程序无法调用存储的SU程序,进而无法获取到任何root权限,解决了现有技术中终端的操作系统root之后,终端的root权限就会完全暴露的技术问题,提高了终端内数据的安全性。The method and device for protecting the root privilege provided by the present invention include: adding a pseudo environment variable to the operating system of the terminal in advance, and acquiring the environment variable of the SU program stored in the operating system after detecting the operating system root of the terminal Corresponding to the read priority of the storage directory, setting the read priority of the storage directory corresponding to the pseudo environment variable according to the read priority of the storage directory corresponding to the obtained environment variable, so that the pseudo environment variable corresponds to the storage directory setting The read priority is higher than the read priority of the storage directory corresponding to the obtained environment variable. The invention adds a pseudo environment variable in the operating system of the terminal in advance, and sets the reading priority of the storage directory corresponding to the pseudo environment variable to be higher than the reading of the storage directory corresponding to the environment variable storing the SU program in the operating system after the root. The priority is that the application cannot call the stored SU program, and thus cannot obtain any root authority. After solving the problem of the operating system root of the terminal in the prior art, the root authority of the terminal is completely exposed, and the terminal is improved. The security of the data.
附图说明DRAWINGS
图1为本发明保护Root权限的方法第一实施例的流程示意图;1 is a schematic flowchart of a first embodiment of a method for protecting root rights according to the present invention;
图2为本发明保护Root权限的方法第二实施例的流程示意图;2 is a schematic flowchart of a second embodiment of a method for protecting root rights according to the present invention;
图3为本发明保护Root权限的方法第三实施例的流程示意图;3 is a schematic flowchart of a third embodiment of a method for protecting root rights according to the present invention;
图4为本发明保护Root权限的装置第一实施例的功能模块示意图;4 is a schematic diagram of functional modules of a first embodiment of a device for protecting root rights according to the present invention;
图5为本发明保护Root权限的装置第二实施例的功能模块示意图;5 is a schematic diagram of functional modules of a second embodiment of an apparatus for protecting root rights according to the present invention;
图6为本发明保护Root权限的装置第三实施例的功能模块示意图。FIG. 6 is a schematic diagram of functional modules of a third embodiment of the apparatus for protecting root rights according to the present invention.
本发明目的的实现、功能特点及优点将结合实施例,参照附图做进一步说明。The implementation, functional features, and advantages of the present invention will be further described in conjunction with the embodiments.
具体实施方式detailed description
以下结合说明书附图对本发明的优选实施例进行说明,应当理解,此处所描述的优选实施例仅用于说明和解释本发明,并不用于限定本发明,并且在不冲突的情况下,本发明中的实施例及实施例中的特征可以相互组合。The preferred embodiments of the present invention are described in conjunction with the accompanying drawings, and the preferred embodiments described herein are intended to illustrate and explain the invention, and not to limit the invention, and The embodiments and the features in the embodiments can be combined with each other.
参照图1,图1为本发明保护Root权限的方法第一实施例的流程示意图,在本实施例中,所述保护Root权限的方法应用与终端或者终端的操作系统中,所述方法包括:Referring to FIG. 1 , FIG. 1 is a schematic flowchart of a method for protecting a root privilege according to a first embodiment of the present invention. In this embodiment, the method for protecting a root privilege is applied to an operating system of a terminal or a terminal, and the method includes:
步骤S10,预先在终端的操作系统中添加伪环境变量。In step S10, a pseudo environment variable is added in advance to the operating system of the terminal.
本实施例中,需要预先在终端的操作系统中添加一个伪环境变量,具体可以在终端出厂之前就进行添加。例如,在终端出厂之前在终端的操作系统中添加一个伪环境变量“/security”。In this embodiment, it is necessary to add a pseudo environment variable to the operating system of the terminal in advance, and specifically, the terminal may be added before leaving the factory. For example, a pseudo environment variable "/security" is added to the operating system of the terminal before the terminal leaves the factory.
可以理解的是,环境变量一般是指在操作系统中用来指定操作系统运行环境的一些参数,如临时文件夹位置和系统文件夹位置等。环境变量是在操作系统中一个具有特定名字的对象,它包含了一个或者多个应用程序所将使用到的信息。例如Windows和DOS操作系统中的path环境变量,当要求系统运行一个程序而没有告诉它程序所在的完整路径时,系统除了在当前目录下面寻找此程序外,还应到path环境变量中指定的路径去寻找。即环境变量主要是用于指定一个程序软件的路径,其包含诸如驱动器、路径或文件名之类的字符串,且环境变量控制着多种程序的行为,只有管理员才能添加、修改或删除操作系统系统环境变量。It can be understood that the environment variable generally refers to some parameters used in the operating system to specify the operating environment of the operating system, such as the temporary folder location and the system folder location. An environment variable is an object with a specific name in the operating system that contains information that one or more applications will use. For example, the path environment variable in Windows and DOS operating systems, when the system is required to run a program without telling the full path of the program, the system should look for the path specified in the path environment variable in addition to the current directory. To find. That is, environment variables are mainly used to specify a program software path, which contains strings such as drive, path or file name, and environment variables control the behavior of multiple programs, only administrators can add, modify or delete operations. System system environment variables.
进一步地,上述步骤S10中所述的在终端的操作系统中添加伪环境变量之后还包括:Further, after adding the pseudo environment variable in the operating system of the terminal, which is described in the foregoing step S10, the method further includes:
将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中。The pre-compiled pseudo-SU program is saved in a storage directory corresponding to the pseudo environment variable.
其中,预先编译一个伪SU程序,然后将该伪SU程序保存在上述伪环境变量对应的存储目录中,例如保存在上述伪环境变量对应的存储目录“/security”中。The pseudo-SU program is pre-compiled, and then stored in the storage directory corresponding to the pseudo environment variable, for example, in the storage directory "/security" corresponding to the pseudo environment variable.
其中,正常的SU程序可以让一个普通用户切换为超级用户或其他用户,并可临时拥有所切换用户的权限,及任意应用程序都可通过调用SU程序来获得root权限。而本实施例中所述的伪SU程序为空的程序文件或者不包括任何权限的安全程序,即应用程序通过调用本实施例中所述的伪SU程序时是无法获得任何root权限的。Among them, the normal SU program can make a normal user switch to super user or other users, and can temporarily have the rights of the switched user, and any application can obtain root privileges by calling the SU program. The pseudo-SU program described in this embodiment is an empty program file or a security program that does not include any rights, that is, the application cannot obtain any root authority by calling the pseudo-SU program described in this embodiment.
步骤S20,当检测到所述终端的操作系统root之后,获取所述操作系统中存储SU程序的环境变量对应存储目录的读取优先级。In step S20, after the operating system root of the terminal is detected, the read priority of the storage directory corresponding to the environment variable storing the SU program in the operating system is obtained.
本实施例中,当终端的操作系统被root之后,则对操作系统进行root的root工具会将编译好的SU程序存储在其建立的环境变量对应的存储目录中,例如将编译好的SU程序存储在其建立的环境变量对应的存储目录“/system/bin”或“/system/xbin”中。In this embodiment, after the operating system of the terminal is rooted, the root root tool of the operating system stores the compiled SU program in a storage directory corresponding to the environment variable it establishes, for example, the compiled SU program. Stored in the storage directory "/system/bin" or "/system/xbin" corresponding to the environment variable it is created.
其中,在操作系统中,环境变量对应的存储目录都具有读取优先级,即任意应用程序在调用环境变量中的程序时需要按照环境变量对应存储目录的读取优先级进行调用,故本实施例中,当检测到所述终端的操作系统root之后,获取所述操作系统中存储SU程序的环境变量对应存储目录的读取优先级。In the operating system, the storage directory corresponding to the environment variable has a read priority, that is, any application needs to call the read priority of the storage directory corresponding to the environment variable when calling the program in the environment variable, so the implementation For example, after the operating system root of the terminal is detected, the read priority of the storage directory corresponding to the environment variable storing the SU program in the operating system is obtained.
步骤S30,根据获取到的所述环境变量对应存储目录的读取优先级设置所述伪环境变量对应存储目录的读取优先级,其中,所述伪环境变量对应存储目录设置后的读取优先级高于获取到的所述环境变量对应存储目录的读取优先级。Step S30, setting a read priority of the storage directory corresponding to the pseudo environment variable according to the read priority of the storage directory corresponding to the environment variable, wherein the pseudo environment variable corresponds to the read priority after the storage directory is set. The level is higher than the read priority of the storage directory corresponding to the obtained environment variable.
本实施例中,在获取到所述环境变量对应存储目录的读取优先级之后,根据获取到的所述环境变量对应存储目录的读取优先级设置所述伪环境变量对应存储目录的读取优先级,使得所述伪环境变量对应存储目录设置后的读取优先级高于获取到的所述环境变量对应存储目录的读取优先级。In this embodiment, after obtaining the read priority of the storage directory corresponding to the environment variable, setting the read storage directory corresponding to the pseudo environment variable according to the read priority of the storage directory corresponding to the stored environment variable The priority is such that the read priority of the pseudo environment variable corresponding to the storage directory setting is higher than the read priority of the obtained storage directory corresponding to the environment variable.
其中,当所述伪环境变量对应存储目录的读取优先级设置为高于操作系统root之后建立的所述环境变量对应存储目录的读取优先级之后,任何应用程序都只能调用优先级较高的伪环境变量对应存储目录中的伪SU程序,无法调用优先级较低的所述环境变量对应存储目录中的SU程序,从而无法获取到任何root权限。Wherein, when the read priority of the pseudo environment variable corresponding to the storage directory is set to be higher than the read priority of the storage directory corresponding to the environment variable established after the operating system root, any application can only invoke the priority. The high pseudo environment variable corresponds to the pseudo-SU program in the storage directory, and the SU program in the storage directory corresponding to the lower-priority environment variable cannot be called, so that no root authority can be obtained.
本实施例所述的保护Root权限的方法,包括预先在终端的操作系统中添加伪环境变量,当检测到所述终端的操作系统root之后,获取所述操作系统中存储SU程序的环境变量对应存储目录的读取优先级,根据获取到的所述环境变量对应存储目录的读取优先级设置所述伪环境变量对应存储目录的读取优先级,使得所述伪环境变量对应存储目录设置后的读取优先级高于获取到的所述环境变量对应存储目录的读取优先级。本实施例通过预先在终端的操作系统中添加一个伪环境变量,并设置该伪环境变量对应存储目录的读取优先级高于root之后的操作系统中存储SU程序的环境变量对应存储目录的读取优先级,使得应用程序无法调用存储的SU程序,进而无法获取到任何root权限,解决了现有技术中终端的操作系统root之后,终端的root权限就会完全暴露的技术问题,提高了终端内数据的安全性。The method for protecting the root privilege in the embodiment includes: adding a pseudo environment variable to the operating system of the terminal in advance, and after detecting the operating system root of the terminal, acquiring an environment variable corresponding to the SU program stored in the operating system The read priority of the storage directory is set, and the read priority of the storage directory corresponding to the pseudo environment variable is set according to the read priority of the storage directory corresponding to the obtained environment variable, so that the pseudo environment variable is corresponding to the storage directory setting. The read priority is higher than the read priority of the storage directory corresponding to the obtained environment variable. In this embodiment, a pseudo environment variable is added in the operating system of the terminal in advance, and the read priority of the storage directory corresponding to the pseudo environment variable is set to be higher than that of the storage directory corresponding to the environment variable of the SU program stored in the operating system after the root. The priority is obtained, so that the application cannot call the stored SU program, and thus the root authority cannot be obtained. The technical problem that the root authority of the terminal is completely exposed after the operating system root of the terminal in the prior art is solved, and the terminal is improved. The security of the internal data.
进一步地,参照图2,图2为本发明保护Root权限的方法第二实施例的流程示意图,基于上述图1所述的实施例,本实施例中,在所述终端的操作系统root之后,上述保护Root权限的方法还包括:Further, referring to FIG. 2, FIG. 2 is a schematic flowchart of a second embodiment of a method for protecting a root privilege according to the foregoing embodiment of the present invention. In this embodiment, after the operating system root of the terminal, The above methods for protecting Root permissions include:
步骤S40,若检测到任意应用发送的用于调用SU程序的调用指令,则将所述伪环境变量对应存储目录中的伪SU程序发送至所述应用。Step S40: If a call instruction for calling the SU program sent by any application is detected, the pseudo-SU variable corresponding to the pseudo-SU program in the storage directory is sent to the application.
当所述终端的操作系统root之后,root工具会在所述终端的操作系统中添加一个编译好的SU程序,然后任意应用程序就可以通过调用所述SU程序来获得root权限。After the operating system root of the terminal, the root tool adds a compiled SU program to the operating system of the terminal, and then any application can obtain the root authority by calling the SU program.
其中,由于本实施例中用于存储伪SU程序的伪环境变量对应存储目录的读取优先级,高于root工具在所述终端操作系统中建立的用于存储SU程序的环境变量对应存储目录的读取优先级,故在检测到任意应用发送的用于调用SU程序的调用指令后,都只能调用优先级较高的伪环境变量对应存储目录中的伪SU程序,即若检测到任意应用发送的用于调用SU程序的调用指令,则将优先级较高的所述伪环境变量对应存储目录中的伪SU程序发送至所述应用。The pseudo-environment variable for storing the pseudo-SU program in the embodiment corresponds to the read priority of the storage directory, and is higher than the storage directory corresponding to the environment variable for storing the SU program established by the root tool in the terminal operating system. Read priority, so after detecting the call instruction for calling the SU program sent by any application, only the pseudo-SU program corresponding to the higher priority pseudo environment variable can be called, that is, if any random detection is detected, The application sends a call instruction for calling the SU program, and sends the pseudo-environment variable with a higher priority to the application in the storage directory corresponding to the pseudo-SU program.
其中,本实施例中,在伪环境变量对应存储目录的读取优先级高于所述环境变量对应存储目录的读取优先级的情况下,应用程序只能提取到优先级较高的伪环境变量对应存储目录中的伪SU程序,而不能提取到优先级较低的所述环境变量对应存储目录中的SU程序。In this embodiment, in the case that the read priority of the storage directory corresponding to the pseudo environment variable is higher than the read priority of the storage directory corresponding to the environment variable, the application can only extract the pseudo environment with higher priority. The variable corresponds to the pseudo-SU program in the storage directory, and the SU program in the storage directory corresponding to the environment variable having the lower priority cannot be extracted.
本实施例所述的保护Root权限的方法,在所述终端的操作系统root之后,若检测到任意应用发送的用于调用SU程序的调用指令,则将所述伪环境变量对应存储目录中的伪SU程序发送至所述应用,使得所述应用无法获取到root工具建立的SU程序,从而无法获取到任何root权限,实现了在所述终端的操作系统root之后,有效保护root权限的目的。The method for protecting the root authority in the embodiment, after detecting the call instruction for calling the SU program sent by any application after the operating system root of the terminal, the pseudo environment variable is corresponding to the storage directory. The pseudo-SU program is sent to the application, so that the application cannot obtain the SU program established by the root tool, and thus cannot obtain any root authority, thereby realizing the purpose of effectively protecting the root authority after the operating system root of the terminal.
进一步地,基于上述图1所述的实施例,本实施例中,在将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中之后还包括:Further, based on the embodiment described in FIG. 1 above, in this embodiment, after the pre-compiled pseudo-SU program is saved in the storage directory corresponding to the pseudo environment variable, the method further includes:
将所述伪SU程序的文件属性设置为只读,或者将所述伪SU程序的文件属性设置为不可删除。Setting the file attribute of the pseudo-SU program to read-only, or setting the file attribute of the pseudo-SU program to be non-deletable.
其中,为了防止恶意软件修改或者删除上述预先添加的伪SU程序,从而提取root工具建立的SU程序来获得root权限,故本实施例中,在将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中之后,将所述伪SU程序的文件属性设置为只读,或者将所述伪SU程序的文件属性设置为不可删除。In order to prevent the malware from modifying or deleting the pre-added pseudo-SU program, the SU program established by the root tool is extracted to obtain the root authority. In this embodiment, the pre-compiled pseudo-SU program is saved in the pseudo. After the storage directory corresponding to the environment variable, the file attribute of the pseudo-SU program is set to read-only, or the file attribute of the pseudo-SU program is set to be non-deletable.
另外,本实施例中所述的伪SU程序可以为空白的SU程序,其不包括任何用于调用root权限的命令,故任意应用在获取到所述伪SU程序之后,是无法获得任何root权限的。In addition, the pseudo-SU program described in this embodiment may be a blank SU program, which does not include any command for invoking the root privilege, so any application cannot obtain any root privilege after obtaining the pseudo-SU program. of.
本实施例所述的保护Root权限的方法,在将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中之后,将所述伪SU程序的文件属性设置为只读,或者将所述伪SU程序的文件属性设置为不可删除。本实施例通过将所述伪SU程序的文件属性设置为只读或者不可删除的方式,能够有效防止恶意软件通过修改或者删除所述伪SU程序来提取root工具建立的SU程序以获得root权限,实现了在所述终端的操作系统root之后,有效保护所述终端root权限的目的。The method for protecting the root authority in the embodiment, after saving the pre-compiled pseudo-SU program in the storage directory corresponding to the pseudo environment variable, setting the file attribute of the pseudo-SU program to read-only, or The file attribute of the pseudo SU program is set to be undeleteable. In this embodiment, by setting the file attribute of the pseudo-SU program to read-only or non-deletable, it is possible to effectively prevent the malware from extracting the SU program established by the root tool to obtain the root authority by modifying or deleting the pseudo-SU program. The purpose of effectively protecting the root authority of the terminal after the operating system root of the terminal is implemented.
进一步地,参照图3,图3为本发明保护Root权限的方法第三实施例的流程示意图,基于上述图1和图2所述的实施例,本实施例中,所述保护Root权限的方法还包括:Further, referring to FIG. 3, FIG. 3 is a schematic flowchart of a third embodiment of a method for protecting a root privilege according to the present invention. The method for protecting a root privilege according to the embodiment described in FIG. 1 and FIG. Also includes:
步骤S50,预先在所述伪SU程序中添加提醒消息或者警告消息,当任意应用接收到所述伪SU程序之后,则输出所述提醒消息或者警告消息,以提醒用户获取root权限失败。Step S50: Add a reminder message or a warning message to the pseudo-SU program in advance. After receiving the pseudo-SU program, the application may output the reminder message or the warning message to remind the user that the root authority fails to be obtained.
本实施例中,预先在所述伪SU程序中添加提醒消息或者警告消息,例如“获取root权限失败”或者“禁止获取root权限”等,用来提醒用户获取root权限失败,或者警告用户为了终端内数据的安全,禁止获取root权限,以及当有恶意应用程序想要获取root程序时,用来及时提示用户进行防范等等。当任意应用接收到所述伪SU程序之后,则输出所述伪SU程序中的提醒消息或者警告消息。In this embodiment, a reminder message or a warning message is added to the pseudo-SU program in advance, such as “failure to obtain root authority” or “prohibit obtaining root authority”, etc., to remind the user that the root authority fails to be obtained, or to warn the user for the terminal. The security of the internal data, prohibiting the acquisition of root privileges, and when a malicious application wants to obtain the root program, is used to prompt the user to prevent it. After any application receives the pseudo SU program, an alert message or a warning message in the pseudo SU program is output.
其中,可以将所述提醒消息或者警告消息输出至所述应用的操作界面,或者也可以直接将所述提醒消息或者警告消息输出终端的显示界面中,以提醒用户。The reminder message or the warning message may be output to the operation interface of the application, or the reminder message or the warning message may be directly outputted to the display interface of the terminal to remind the user.
本实施例所述的保护Root权限的方法,通过预先在所述伪SU程序中添加提醒消息或者警告消息,当任意应用接收到所述伪SU程序之后,则输出所述提醒消息或者警告消息,以提醒用户获取root权限失败的方式,能够在终端root之后,提醒用户获取root失败,或者提醒用户为了终端内数据的安全禁止该应用获取root权限,从而进一步保护了终端在root之后,终端内数据的安全。The method for protecting the root authority in the embodiment, by adding a reminder message or a warning message to the pseudo-SU program in advance, after receiving the pseudo-SU program by any application, outputting the reminder message or the warning message, In order to remind the user that the root authority fails, the user can be prompted to obtain the root failure after the terminal root, or the user is prompted to obtain the root permission for the security of the data in the terminal, thereby further protecting the data of the terminal after the root is in the terminal. Security.
参照图4,图4为本发明保护Root权限的装置第一实施例的功能模块示意图,在本实施例中,所述保护Root权限的装置为终端中的一部分,所述保护Root权限的装置100包括:Referring to FIG. 4, FIG. 4 is a schematic diagram of a functional module of a device for protecting a root privilege according to a first embodiment of the present invention. In this embodiment, the device for protecting the root privilege is a part of the terminal, and the device 100 for protecting the root privilege include:
添加模块10,用于预先在终端的操作系统中添加伪环境变量。The module 10 is added for adding a pseudo environment variable in the operating system of the terminal in advance.
本实施例中,需要预先在终端的操作系统中添加一个伪环境变量,具体可以在终端出厂之前就进行添加。例如,在终端出厂之前在终端的操作系统中添加一个伪环境变量“/security”。In this embodiment, it is necessary to add a pseudo environment variable to the operating system of the terminal in advance, and specifically, the terminal may be added before leaving the factory. For example, a pseudo environment variable "/security" is added to the operating system of the terminal before the terminal leaves the factory.
可以理解的是,环境变量一般是指在操作系统中用来指定操作系统运行环境的一些参数,如临时文件夹位置和系统文件夹位置等。环境变量是在操作系统中一个具有特定名字的对象,它包含了一个或者多个应用程序所将使用到的信息。例如Windows和DOS操作系统中的path环境变量,当要求系统运行一个程序而没有告诉它程序所在的完整路径时,系统除了在当前目录下面寻找此程序外,还应到path环境变量中指定的路径去寻找。即环境变量主要是用于指定一个程序软件的路径,其包含诸如驱动器、路径或文件名之类的字符串,且环境变量控制着多种程序的行为,只有管理员才能添加、修改或删除操作系统系统环境变量。It can be understood that the environment variable generally refers to some parameters used in the operating system to specify the operating environment of the operating system, such as the temporary folder location and the system folder location. An environment variable is an object with a specific name in the operating system that contains information that one or more applications will use. For example, the path environment variable in Windows and DOS operating systems, when the system is required to run a program without telling the full path of the program, the system should look for the path specified in the path environment variable in addition to the current directory. To find. That is, environment variables are mainly used to specify a program software path, which contains strings such as drive, path or file name, and environment variables control the behavior of multiple programs, only administrators can add, modify or delete operations. System system environment variables.
进一步地,上述添加模块10还用于:Further, the above adding module 10 is further configured to:
在所述终端的操作系统中添加伪环境变量之后,将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中。After the pseudo environment variable is added to the operating system of the terminal, the pre-compiled pseudo-SU program is saved in the storage directory corresponding to the pseudo environment variable.
其中,预先编译一个伪SU程序,然后将该伪SU程序保存在上述伪环境变量对应的存储目录中,例如保存在上述伪环境变量对应的存储目录“/security”中。The pseudo-SU program is pre-compiled, and then stored in the storage directory corresponding to the pseudo environment variable, for example, in the storage directory "/security" corresponding to the pseudo environment variable.
其中,正常的SU程序可以让一个普通用户切换为超级用户或其他用户,并可临时拥有所切换用户的权限,及任意应用程序都可通过调用SU程序来获得root权限。而本实施例中所述的伪SU程序为空的程序文件或者不包括任何权限的安全程序,即应用程序通过调用本实施例中所述的伪SU程序时是无法获得任何root权限的。Among them, the normal SU program can make a normal user switch to super user or other users, and can temporarily have the rights of the switched user, and any application can obtain root privileges by calling the SU program. The pseudo-SU program described in this embodiment is an empty program file or a security program that does not include any rights, that is, the application cannot obtain any root authority by calling the pseudo-SU program described in this embodiment.
获取模块20,用于当检测到所述终端的操作系统root之后,获取所述操作系统中存储SU程序的环境变量对应存储目录的读取优先级。The obtaining module 20 is configured to acquire, after detecting the operating system root of the terminal, a read priority of the storage directory corresponding to the environment variable storing the SU program in the operating system.
本实施例中,当终端的操作系统root之后,则对操作系统进行root的root工具会将编译好的SU程序存储在其建立的环境变量对应的存储目录中,例如将编译好的SU程序存储在其建立的环境变量对应的存储目录“/system/bin”或“/system/xbin”中。In this embodiment, after the operating system root of the terminal is rooted, the root root tool of the operating system stores the compiled SU program in a storage directory corresponding to the environment variable it establishes, for example, the compiled SU program is stored. In the storage directory "/system/bin" or "/system/xbin" corresponding to the environment variable it establishes.
其中,在操作系统中,环境变量对应的存储目录都具有读取优先级,即任意应用程序在调用环境变量中的程序时需要按照环境变量对应存储目录的读取优先级进行调用,故本实施例中,当检测到所述终端的操作系统root之后,获取所述操作系统中存储SU程序的环境变量对应存储目录的读取优先级。In the operating system, the storage directory corresponding to the environment variable has a read priority, that is, any application needs to call the read priority of the storage directory corresponding to the environment variable when calling the program in the environment variable, so the implementation For example, after the operating system root of the terminal is detected, the read priority of the storage directory corresponding to the environment variable storing the SU program in the operating system is obtained.
设置模块30,用于根据获取到的所述环境变量对应存储目录的读取优先级设置所述伪环境变量对应存储目录的读取优先级,其中,所述伪环境变量对应存储目录设置后的读取优先级高于获取到的所述环境变量对应存储目录的读取优先级。The setting module 30 is configured to set a read priority of the storage directory corresponding to the pseudo environment variable according to the read priority of the storage directory corresponding to the environment variable, where the pseudo environment variable corresponds to the storage directory setting The read priority is higher than the read priority of the storage directory corresponding to the obtained environment variable.
本实施例中,在获取到所述环境变量对应存储目录的读取优先级之后,根据获取到的所述环境变量对应存储目录的读取优先级设置所述伪环境变量对应存储目录的读取优先级,使得所述伪环境变量对应存储目录设置后的读取优先级高于获取到的所述环境变量对应存储目录的读取优先级。In this embodiment, after obtaining the read priority of the storage directory corresponding to the environment variable, setting the read storage directory corresponding to the pseudo environment variable according to the read priority of the storage directory corresponding to the stored environment variable The priority is such that the read priority of the pseudo environment variable corresponding to the storage directory setting is higher than the read priority of the obtained storage directory corresponding to the environment variable.
其中,当所述伪环境变量对应存储目录的读取优先级设置为高于操作系统root之后建立的所述环境变量对应存储目录的读取优先级之后,任何应用程序都只能调用优先级较高的伪环境变量对应存储目录中的伪SU程序,无法调用优先级较低的所述环境变量对应存储目录中的SU程序,从而无法获取到任何root权限。Wherein, when the read priority of the pseudo environment variable corresponding to the storage directory is set to be higher than the read priority of the storage directory corresponding to the environment variable established after the operating system root, any application can only invoke the priority. The high pseudo environment variable corresponds to the pseudo-SU program in the storage directory, and the SU program in the storage directory corresponding to the lower-priority environment variable cannot be called, so that no root authority can be obtained.
本实施例所述的保护Root权限的装置,包括预先在终端的操作系统中添加伪环境变量,当检测到所述终端的操作系统root之后,获取所述操作系统中存储SU程序的环境变量对应存储目录的读取优先级,根据获取到的所述环境变量对应存储目录的读取优先级设置所述伪环境变量对应存储目录的读取优先级,使得所述伪环境变量对应存储目录设置后的读取优先级高于获取到的所述环境变量对应存储目录的读取优先级。本实施例通过预先在终端的操作系统中添加一个伪环境变量,并设置该伪环境变量对应存储目录的读取优先级高于root之后的操作系统中存储SU程序的环境变量对应存储目录的读取优先级,使得应用程序无法调用存储的SU程序,进而无法获取到任何root权限,解决了现有技术中终端的操作系统root之后,终端的root权限就会完全暴露的技术问题,提高了终端内数据的安全性。The device for protecting the root privilege in the embodiment includes: adding a pseudo environment variable to the operating system of the terminal in advance, and after detecting the operating system root of the terminal, acquiring an environment variable corresponding to the SU program stored in the operating system The read priority of the storage directory is set, and the read priority of the storage directory corresponding to the pseudo environment variable is set according to the read priority of the storage directory corresponding to the obtained environment variable, so that the pseudo environment variable is corresponding to the storage directory setting. The read priority is higher than the read priority of the storage directory corresponding to the obtained environment variable. In this embodiment, a pseudo environment variable is added in the operating system of the terminal in advance, and the read priority of the storage directory corresponding to the pseudo environment variable is set to be higher than that of the storage directory corresponding to the environment variable of the SU program stored in the operating system after the root. The priority is obtained, so that the application cannot call the stored SU program, and thus the root authority cannot be obtained. The technical problem that the root authority of the terminal is completely exposed after the operating system root of the terminal in the prior art is solved, and the terminal is improved. The security of the internal data.
进一步地,参照图5,图5为本发明保护Root权限的装置第二实施例的功能模块示意图,基于上述图4所述的实施例,本实施例中,在所述终端的操作系统root之后,上述保护Root权限的装置100还包括:Further, referring to FIG. 5, FIG. 5 is a schematic diagram of a functional module of a second embodiment of the apparatus for protecting the root privilege according to the embodiment of FIG. 4, in this embodiment, after the operating system root of the terminal The device 100 for protecting the root authority further includes:
调用模块40,用于若检测到任意应用发送的用于调用SU程序的调用指令,则将所述伪环境变量对应存储目录中的伪SU程序发送至所述应用。The calling module 40 is configured to send a pseudo-SU program corresponding to the storage directory to the application if the calling instruction for calling the SU program sent by any application is detected.
当所述终端的操作系统root之后,root工具会在所述终端的操作系统中添加一个编译好的SU程序,然后任意应用程序就可以通过调用所述SU程序来获得root权限。After the operating system root of the terminal, the root tool adds a compiled SU program to the operating system of the terminal, and then any application can obtain the root authority by calling the SU program.
其中,由于本实施例中用于存储伪SU程序的伪环境变量对应存储目录的读取优先级,高于root工具在所述终端操作系统中建立的用于存储SU程序的环境变量对应存储目录的读取优先级,故在检测到任意应用发送的用于调用SU程序的调用指令后,都只能调用优先级较高的伪环境变量对应存储目录中的伪SU程序,即若检测到任意应用发送的用于调用SU程序的调用指令,则将优先级较高的所述伪环境变量对应存储目录中的伪SU程序发送至所述应用。The pseudo-environment variable for storing the pseudo-SU program in the embodiment corresponds to the read priority of the storage directory, and is higher than the storage directory corresponding to the environment variable for storing the SU program established by the root tool in the terminal operating system. Read priority, so after detecting the call instruction for calling the SU program sent by any application, only the pseudo-SU program corresponding to the higher priority pseudo environment variable can be called, that is, if any random detection is detected, The application sends a call instruction for calling the SU program, and sends the pseudo-environment variable with a higher priority to the application in the storage directory corresponding to the pseudo-SU program.
其中,本实施例中,在伪环境变量对应存储目录的读取优先级高于所述环境变量对应存储目录的读取优先级的情况下,应用程序只能提取到优先级较高的伪环境变量对应存储目录中的伪SU程序,而不能提取到优先级较低的所述环境变量对应存储目录中的SU程序。In this embodiment, in the case that the read priority of the storage directory corresponding to the pseudo environment variable is higher than the read priority of the storage directory corresponding to the environment variable, the application can only extract the pseudo environment with higher priority. The variable corresponds to the pseudo-SU program in the storage directory, and the SU program in the storage directory corresponding to the environment variable having the lower priority cannot be extracted.
本实施例所述的保护Root权限的装置,在所述终端的操作系统root之后,若检测到任意应用发送的用于调用SU程序的调用指令,则将所述伪环境变量对应存储目录中的伪SU程序发送至所述应用,使得所述应用无法获取到root工具建立的SU程序,从而无法获取到任何root权限,实现了在所述终端的操作系统root之后,有效保护root权限的目的。The apparatus for protecting the root authority according to the embodiment, after detecting the call instruction for calling the SU program sent by any application after the operating system root of the terminal, the pseudo environment variable is corresponding to the storage directory. The pseudo-SU program is sent to the application, so that the application cannot obtain the SU program established by the root tool, and thus cannot obtain any root authority, thereby realizing the purpose of effectively protecting the root authority after the operating system root of the terminal.
进一步地,基于上述图4所述的实施例,本实施例中,上述添加模块10还用于:Further, based on the embodiment described in FIG. 4 above, in the embodiment, the adding module 10 is further configured to:
在将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中之后,将所述伪SU程序的文件属性设置为只读,或者将所述伪SU程序的文件属性设置为不可删除。After saving the pre-compiled pseudo-SU program in the storage directory corresponding to the pseudo environment variable, setting the file attribute of the pseudo-SU program to read-only, or setting the file attribute of the pseudo-SU program to be unavailable. delete.
其中,为了防止恶意软件修改或者删除上述预先添加的伪SU程序,从而提取root工具建立的SU程序来获得root权限,故本实施例中,在将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中之后,将所述伪SU程序的文件属性设置为只读,或者将所述伪SU程序的文件属性设置为不可删除。In order to prevent the malware from modifying or deleting the pre-added pseudo-SU program, the SU program established by the root tool is extracted to obtain the root authority. In this embodiment, the pre-compiled pseudo-SU program is saved in the pseudo. After the storage directory corresponding to the environment variable, the file attribute of the pseudo-SU program is set to read-only, or the file attribute of the pseudo-SU program is set to be non-deletable.
另外,本实施例中所述的伪SU程序可以为空白的SU程序,其不包括任何用于调用root权限的命令,故任意应用在获取到所述伪SU程序之后,是无法获得任何root权限的。In addition, the pseudo-SU program described in this embodiment may be a blank SU program, which does not include any command for invoking the root privilege, so any application cannot obtain any root privilege after obtaining the pseudo-SU program. of.
本实施例所述的保护Root权限的装置,在将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中之后,将所述伪SU程序的文件属性设置为只读,或者将所述伪SU程序的文件属性设置为不可删除。本实施例通过将所述伪SU程序的文件属性设置为只读或者不可删除的方式,能够有效防止恶意软件通过修改或者删除所述伪SU程序来提取root工具建立的SU程序以获得root权限,实现了在所述终端的操作系统root之后,有效保护所述终端root权限的目的。The device for protecting the root authority in the embodiment, after saving the pre-compiled pseudo-SU program in the storage directory corresponding to the pseudo environment variable, setting the file attribute of the pseudo-SU program to read-only, or The file attribute of the pseudo SU program is set to be undeleteable. In this embodiment, by setting the file attribute of the pseudo-SU program to read-only or non-deletable, it is possible to effectively prevent the malware from extracting the SU program established by the root tool to obtain the root authority by modifying or deleting the pseudo-SU program. The purpose of effectively protecting the root authority of the terminal after the operating system root of the terminal is implemented.
进一步地,参照图6,图6为本发明保护Root权限的装置第三实施例的功能模块示意图,基于上述图4和图5所述的实施例,本实施例中,所述保护Root权限的装置100还包括:Further, referring to FIG. 6, FIG. 6 is a schematic diagram of a functional module of a third embodiment of the apparatus for protecting the root privilege according to the embodiment of FIG. 4 and FIG. 5, in the embodiment, the protection of the root privilege The device 100 also includes:
提醒模块50,用于预先在所述伪SU程序中添加提醒消息或者警告消息,当任意应用接收到所述伪SU程序之后,则输出所述提醒消息或者警告消息,以提醒用户获取root权限失败。The reminding module 50 is configured to add a reminder message or a warning message to the pseudo SU program in advance. After receiving the pseudo SU program, the application may output the reminder message or the warning message to remind the user that the root authority fails to be obtained. .
本实施例中,预先在所述伪SU程序中添加提醒消息或者警告信息,例如“获取root权限失败”或者“禁止获取root权限”等,用来提醒用户获取root权限失败,或者警告用户为了终端内数据的安全,禁止获取root权限,以及当有恶意应用程序想要获取root程序时,用来及时提示用户进行防范等等。当任意应用接收到所述伪SU程序之后,则输出所述伪SU程序中的提醒消息或者警告消息。In this embodiment, a reminder message or a warning message is added to the pseudo-SU program in advance, such as “failure to obtain root authority” or “prohibit obtaining root authority”, etc., to remind the user that the root authority fails to be obtained, or to warn the user for the terminal. The security of the internal data, prohibiting the acquisition of root privileges, and when a malicious application wants to obtain the root program, is used to prompt the user to prevent it. After any application receives the pseudo SU program, an alert message or a warning message in the pseudo SU program is output.
其中,可以将所述提醒消息或者警告消息输出至所述应用的操作界面,或者也可以直接将所述提醒消息或者警告消息输出终端的显示界面中,以提醒用户。The reminder message or the warning message may be output to the operation interface of the application, or the reminder message or the warning message may be directly outputted to the display interface of the terminal to remind the user.
本实施例所述的保护Root权限的装置,通过预先在所述伪SU程序中添加提醒消息或者警告消息,当任意应用接收到所述伪SU程序之后,则输出所述提醒消息或者警告消息,以提醒用户获取root权限失败的方式,能够在终端root之后,提醒用户获取root失败,或者提醒用户为了终端内数据的安全禁止该应用获取root权限,从而进一步保护了终端在root之后,终端内数据的安全。The apparatus for protecting the root authority in the embodiment, by adding a reminder message or a warning message to the pseudo SU program in advance, after receiving the pseudo SU program by any application, outputting the reminder message or the warning message. In order to remind the user that the root authority fails, the user can be prompted to obtain the root failure after the terminal root, or the user is prompted to obtain the root permission for the security of the data in the terminal, thereby further protecting the data of the terminal after the root is in the terminal. Security.
需要说明的是,在本文中,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者装置不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者装置所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括该要素的过程、方法、物品或者装置中还存在另外的相同要素。It is to be understood that the term "comprises", "comprising", or any other variants thereof, is intended to encompass a non-exclusive inclusion, such that a process, method, article, or device comprising a series of elements includes those elements. It also includes other elements that are not explicitly listed, or elements that are inherent to such a process, method, article, or device. An element that is defined by the phrase "comprising a ..." does not exclude the presence of additional equivalent elements in the process, method, item, or device that comprises the element.
上述本发明实施例序号仅仅为了描述,不代表实施例的优劣。The serial numbers of the embodiments of the present invention are merely for the description, and do not represent the advantages and disadvantages of the embodiments.
通过以上的实施方式的描述,本领域的技术人员可以清楚地了解到上述实施例方法可借助软件加必需的通用硬件平台的方式来实现,当然也可以通过硬件,但很多情况下前者是更佳的实施方式。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台终端设备执行本发明各个实施例所述的方法。Through the description of the above embodiments, those skilled in the art can clearly understand that the foregoing embodiment method can be implemented by means of software plus a necessary general hardware platform, and of course, can also be through hardware, but in many cases, the former is better. Implementation. Based on such understanding, the technical solution of the present invention, which is essential or contributes to the prior art, may be embodied in the form of a software product stored in a storage medium, including a plurality of instructions for causing a The terminal device performs the method described in various embodiments of the present invention.
以上仅为本发明的优选实施例,并非因此限制本发明的专利范围,凡是利用本发明说明书及附图内容所作的等效结构或等效流程变换,或直接或间接运用在其他相关的技术领域,均同理包括在本发明的专利保护范围内。The above are only the preferred embodiments of the present invention, and are not intended to limit the scope of the invention, and the equivalent structure or equivalent process transformations made by the description of the present invention and the drawings are directly or indirectly applied to other related technical fields. The same is included in the scope of patent protection of the present invention.

Claims (20)

  1. 一种保护Root权限的方法,其特征在于,所述保护Root权限的方法包括: A method for protecting a root privilege, wherein the method for protecting a root privilege includes:
    预先在终端的操作系统中添加伪环境变量;Add a pseudo environment variable to the operating system of the terminal in advance;
    当检测到所述终端的操作系统root之后,获取所述操作系统中存储SU程序的环境变量对应存储目录的读取优先级;After detecting the operating system root of the terminal, acquiring an environment variable of the SU program stored in the operating system corresponds to a read priority of the storage directory;
    根据获取到的所述环境变量对应存储目录的读取优先级设置所述伪环境变量对应存储目录的读取优先级,其中,所述伪环境变量对应存储目录设置后的读取优先级高于获取到的所述环境变量对应存储目录的读取优先级。Setting a read priority of the storage directory corresponding to the pseudo environment variable according to the read priority of the storage directory corresponding to the obtained environment variable, wherein the read priority of the pseudo environment variable corresponding to the storage directory setting is higher than The obtained environment variable corresponds to the read priority of the storage directory.
  2. 如权利要求1所述的保护Root权限的方法,其特征在于,所述预先在终端的操作系统中添加一个伪环境变量之后还包括:The method for protecting a root privilege according to claim 1, wherein the adding a pseudo environment variable in the operating system of the terminal beforehand further comprises:
    将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中。The pre-compiled pseudo-SU program is saved in a storage directory corresponding to the pseudo environment variable.
  3. 如权利要求2所述的保护Root权限的方法,其特征在于,在所述终端的操作系统root之后,所述保护Root权限的方法还包括:The method for protecting a root privilege according to claim 2, wherein after the operating system root of the terminal, the method for protecting the root privilege further comprises:
    若检测到任意应用发送的用于调用SU程序的调用指令,则将所述伪环境变量对应存储目录中的伪SU程序发送至所述应用。If a call instruction for calling the SU program sent by any application is detected, the pseudo-environment variable corresponding to the pseudo-SU program in the storage directory is sent to the application.
  4. 如权利要求2所述的保护Root权限的方法,其特征在于,所述将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中之后还包括:The method of claim 2, wherein the pre-compiled pseudo-SU program is saved in the storage directory corresponding to the pseudo environment variable, and further includes:
    将所述伪SU程序的文件属性设置为只读,或者将所述伪SU程序的文件属性设置为不可删除。Setting the file attribute of the pseudo-SU program to read-only, or setting the file attribute of the pseudo-SU program to be non-deletable.
  5. 如权利要求2所述的保护Root权限的方法,其特征在于,所述伪SU程序为空的程序文件或者不包括任何Root权限的安全程序。The method for protecting root rights according to claim 2, wherein the pseudo-SU program is an empty program file or a security program that does not include any root authority.
  6. 如权利要求3所述的保护Root权限的方法,其特征在于,所述伪SU程序为空的程序文件或者不包括任何Root权限的安全程序。The method for protecting root rights according to claim 3, wherein the pseudo-SU program is an empty program file or a security program that does not include any root authority.
  7. 如权利要求2所述的保护Root权限的方法,其特征在于,所述保护Root权限的方法还包括:The method for protecting the root privilege of claim 2, wherein the method for protecting the root privilege further comprises:
    预先在所述伪SU程序中添加提醒消息,当任意应用接收到所述伪SU程序之后,则输出所述提醒消息,以提醒用户获取root权限失败。A reminder message is added to the pseudo-SU program in advance. After any application receives the pseudo-SU program, the reminder message is output to remind the user that the root authority fails to be obtained.
  8. 如权利要求7所述的保护Root权限的方法,其特征在于,所述保护Root权限的方法还包括:The method for protecting a root privilege according to claim 7, wherein the method for protecting the root privilege further comprises:
    预先在所述伪SU程序中添加警告消息,当任意应用接收到所述伪SU程序之后,则输出所述警告消息,以警告用户禁止获取root权限。A warning message is added in advance to the pseudo-SU program, and after any application receives the pseudo-SU program, the warning message is output to warn the user to prohibit obtaining root authority.
  9. 如权利要求6所述的保护Root权限的方法,其特征在于,所述保护Root权限的方法还包括:The method for protecting a root privilege according to claim 6, wherein the method for protecting the root privilege further comprises:
    预先在所述伪SU程序中添加提醒消息,当任意应用接收到所述伪SU程序之后,则输出所述提醒消息,以提醒用户获取root权限失败。A reminder message is added to the pseudo-SU program in advance. After any application receives the pseudo-SU program, the reminder message is output to remind the user that the root authority fails to be obtained.
  10. 如权利要求9所述的保护Root权限的方法,其特征在于,所述保护Root权限的方法还包括:The method for protecting a root privilege according to claim 9, wherein the method for protecting the root privilege further comprises:
    预先在所述伪SU程序中添加警告消息,当任意应用接收到所述伪SU程序之后,则输出所述警告消息,以警告用户禁止获取root权限。A warning message is added in advance to the pseudo-SU program, and after any application receives the pseudo-SU program, the warning message is output to warn the user to prohibit obtaining root authority.
  11. 一种保护Root权限的装置,其特征在于,所述保护Root权限的装置包括:An apparatus for protecting a root privilege, wherein the apparatus for protecting a root privilege includes:
    添加模块,用于预先在终端的操作系统中添加伪环境变量;Adding a module for adding a pseudo environment variable to the operating system of the terminal in advance;
    获取模块,用于当检测到所述终端的操作系统root之后,获取所述操作系统中存储SU程序的环境变量对应存储目录的读取优先级;An obtaining module, configured to acquire, after detecting an operating system root of the terminal, a read priority of a storage directory corresponding to an environment variable storing the SU program in the operating system;
    设置模块,用于根据获取到的所述环境变量对应存储目录的读取优先级设置所述伪环境变量对应存储目录的读取优先级,其中,所述伪环境变量对应存储目录设置后的读取优先级高于获取到的所述环境变量对应存储目录的读取优先级。a setting module, configured to set a read priority of the storage directory corresponding to the pseudo environment variable according to the read priority of the storage directory corresponding to the obtained environment variable, wherein the pseudo environment variable corresponds to the read after the storage directory is set The priority is higher than the read priority of the storage directory corresponding to the obtained environment variable.
  12. 如权利要求11所述的保护Root权限的装置,其特征在于,所述添加模块还用于:The device for protecting root rights according to claim 11, wherein the adding module is further configured to:
    将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中。The pre-compiled pseudo-SU program is saved in a storage directory corresponding to the pseudo environment variable.
  13. 如权利要求12所述的保护Root权限的装置,其特征在于,所述保护Root权限的装置还包括:The device for protecting the root privilege of claim 12, wherein the device for protecting the root privilege further comprises:
    调用模块,用于若检测到任意应用发送的用于调用SU程序的调用指令,则将所述伪环境变量对应存储目录中的伪SU程序发送至所述应用。The calling module is configured to send the pseudo-SU variable corresponding to the pseudo-SU program in the storage directory to the application if a call instruction for calling the SU program sent by any application is detected.
  14. 如权利要求12所述的保护Root权限的装置,其特征在于,所述添加模块还用于:The device for protecting root rights according to claim 12, wherein the adding module is further configured to:
    在将预先编译完成的伪SU程序保存在所述伪环境变量对应的存储目录中之后,将所述伪SU程序的文件属性设置为只读,或者将所述伪SU程序的文件属性设置为不可删除。After saving the pre-compiled pseudo-SU program in the storage directory corresponding to the pseudo environment variable, setting the file attribute of the pseudo-SU program to read-only, or setting the file attribute of the pseudo-SU program to be unavailable. delete.
  15. 如权利要求12所述的保护Root权限的装置,其特征在于,所述伪SU程序为空的程序文件或者不包括任何Root权限的安全程序。The apparatus for protecting root rights according to claim 12, wherein the pseudo-SU program is an empty program file or a security program that does not include any root authority.
  16. 如权利要求13所述的保护Root权限的装置,其特征在于,所述伪SU程序为空的程序文件或者不包括任何Root权限的安全程序。The apparatus for protecting root rights according to claim 13, wherein the pseudo-SU program is an empty program file or a security program that does not include any root authority.
  17. 如权利要求12所述的保护Root权限的装置,其特征在于,所述保护Root权限的装置还包括:The device for protecting the root privilege of claim 12, wherein the device for protecting the root privilege further comprises:
    提醒模块,用于预先在所述伪SU程序中添加提醒消息,当任意应用接收到所述伪SU程序之后,则输出所述提醒消息,以提醒用户获取root权限失败。The reminding module is configured to add a reminder message to the pseudo-SU program in advance. After receiving the pseudo-SU program, the application may output the reminder message to remind the user that the root authority fails to be obtained.
  18. 如权利要求17所述的保护Root权限的装置,其特征在于,所述提醒模块还用于:The device for protecting the root privilege of claim 17, wherein the reminding module is further configured to:
    预先在所述伪SU程序中添加警告消息,当任意应用接收到所述伪SU程序之后,则输出所述警告消息,以警告用户禁止获取root权限。A warning message is added in advance to the pseudo-SU program, and after any application receives the pseudo-SU program, the warning message is output to warn the user to prohibit obtaining root authority.
  19. 如权利要求16所述的保护Root权限的装置,其特征在于,所述保护Root权限的装置还包括:The device for protecting the root privilege of claim 16, wherein the device for protecting the root privilege further comprises:
    提醒模块,用于预先在所述伪SU程序中添加提醒消息,当任意应用接收到所述伪SU程序之后,则输出所述提醒消息,以提醒用户获取root权限失败。The reminding module is configured to add a reminder message to the pseudo-SU program in advance. After receiving the pseudo-SU program, the application may output the reminder message to remind the user that the root authority fails to be obtained.
  20. 如权利要求19所述的保护Root权限的装置,其特征在于,所述提醒模块还用于:The device for protecting the root privilege of claim 19, wherein the reminding module is further configured to:
    预先在所述伪SU程序中添加警告消息,当任意应用接收到所述伪SU程序之后,则输出所述警告消息,以警告用户禁止获取root权限。A warning message is added in advance to the pseudo-SU program, and after any application receives the pseudo-SU program, the warning message is output to warn the user to prohibit obtaining root authority.
PCT/CN2016/112615 2016-11-17 2016-12-28 Method and apparatus for protecting root permission WO2018090452A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611027602.1 2016-11-17
CN201611027602.1A CN106503570B (en) 2016-11-17 2016-11-17 Method and device for protecting Root authority

Publications (1)

Publication Number Publication Date
WO2018090452A1 true WO2018090452A1 (en) 2018-05-24

Family

ID=58327324

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/112615 WO2018090452A1 (en) 2016-11-17 2016-12-28 Method and apparatus for protecting root permission

Country Status (2)

Country Link
CN (1) CN106503570B (en)
WO (1) WO2018090452A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107220538A (en) * 2017-06-27 2017-09-29 广东欧珀移动通信有限公司 Pay class application management method, device and mobile terminal
CN111353149A (en) * 2020-02-20 2020-06-30 广东天波信息技术股份有限公司 Real-time ROOT authority detection method and device of android system
US11803634B2 (en) 2021-02-25 2023-10-31 International Business Machines Corporation Secure preconfigured profile for role-based access control setup
CN115629772B (en) * 2022-09-05 2023-09-19 摩尔线程智能科技(北京)有限责任公司 Kubernetes software installation method and device and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104134036A (en) * 2014-07-26 2014-11-05 珠海市君天电子科技有限公司 Method and device for obtaining Root permission
CN104376263A (en) * 2014-12-09 2015-02-25 北京奇虎科技有限公司 Application behavior intercepting method and application behavior intercepting device
US20150281206A1 (en) * 2012-12-20 2015-10-01 Tencent Technology (Shenzhen) Company Limited Method and Device for Implementing a Process Under a Superuser Privilege, and Mobile Terminal
CN105095742A (en) * 2014-05-15 2015-11-25 宇龙计算机通信科技(深圳)有限公司 Root detection and recovery method for mobile terminal and mobile terminal
CN106529332A (en) * 2016-10-25 2017-03-22 广东欧珀移动通信有限公司 Permission control method and apparatus for mobile terminal, and mobile terminal

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104572158B (en) * 2013-10-29 2019-01-04 腾讯科技(深圳)有限公司 One kind running application program method and device with power user's identity
CN103559431A (en) * 2013-11-11 2014-02-05 北京国双科技有限公司 Detection method, device and system of Android system user permission
CN104239786B (en) * 2014-10-13 2017-08-04 北京奇虎科技有限公司 Exempt from ROOT Initiative Defenses collocation method and device
KR20160074832A (en) * 2014-12-18 2016-06-29 주식회사 안랩 Method and apparatus for detection of rooting by analyzing elf binary
CN105045625B (en) * 2015-07-17 2018-07-31 上海斐讯数据通信技术有限公司 Root authority management-control method under a kind of Android platform
CN105468953A (en) * 2015-12-01 2016-04-06 上海斐讯数据通信技术有限公司 Android system electronic terminal and ROOT permission acquisition method and system for same

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150281206A1 (en) * 2012-12-20 2015-10-01 Tencent Technology (Shenzhen) Company Limited Method and Device for Implementing a Process Under a Superuser Privilege, and Mobile Terminal
CN105095742A (en) * 2014-05-15 2015-11-25 宇龙计算机通信科技(深圳)有限公司 Root detection and recovery method for mobile terminal and mobile terminal
CN104134036A (en) * 2014-07-26 2014-11-05 珠海市君天电子科技有限公司 Method and device for obtaining Root permission
CN104376263A (en) * 2014-12-09 2015-02-25 北京奇虎科技有限公司 Application behavior intercepting method and application behavior intercepting device
CN106529332A (en) * 2016-10-25 2017-03-22 广东欧珀移动通信有限公司 Permission control method and apparatus for mobile terminal, and mobile terminal

Also Published As

Publication number Publication date
CN106503570B (en) 2020-01-14
CN106503570A (en) 2017-03-15

Similar Documents

Publication Publication Date Title
WO2018090452A1 (en) Method and apparatus for protecting root permission
WO2019227557A1 (en) Key management method, device, storage medium and apparatus
WO2018098881A1 (en) Access processing method and device for application
WO2018028121A1 (en) Method and device for managing storage space of data partition
WO2017088664A1 (en) Data processing method and apparatus for cluster file system
WO2019051887A1 (en) Method and device for controlling home appliance, and computer-readable storage medium
WO2013079010A1 (en) Processing method and device in application running
WO2017190450A1 (en) Process closing method and apparatus
WO2020224247A1 (en) Blockchain–based data provenance method, apparatus and device, and readable storage medium
WO2017063366A1 (en) Method and system for starting application
WO2017059686A1 (en) Desktop displaying method and device
WO2013143341A1 (en) Method and device for updating application information of mobile terminal
WO2017041538A1 (en) Terminal user interface controlled display method and device
WO2015196960A1 (en) Method and system for checking security of url for mobile terminal
WO2019205272A1 (en) Virtual machine service providing method, device and equipment and computer readable storage medium
WO2018053963A1 (en) Method and apparatus for upgrading system of smart television
WO2017036204A1 (en) Focus positioning method and device for application switching
WO2017118170A1 (en) Method and system for customizing launcher of mobile terminal
WO2016058258A1 (en) Terminal remote control method and system
WO2017036208A1 (en) Method and system for extracting information in display interface
WO2018233369A1 (en) Copy-on-write based write method and device for virtual disk, and storage medium
WO2012028079A1 (en) Method and device for importing backup data of mobile terminal
WO2017166037A1 (en) Data tampering detection device and method
WO2019085301A1 (en) Missed call feedback method, apparatus and device for fixed phone, and readable storage medium
WO2017215233A1 (en) Terminal power button control method and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16921487

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 04/10/2019)

122 Ep: pct application non-entry in european phase

Ref document number: 16921487

Country of ref document: EP

Kind code of ref document: A1