• Programmer Belch@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    10
    ·
    9 months ago

    Does rooting your device make you the root user or just gives you access to superuser utilities?

    In linux systems the root user shouldn’t be used for daily use, you just make an user account with permission to use sudo, doas or su.

    • u/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      16
      arrow-down
      2
      ·
      9 months ago

      If you root your phone, at least with most tools, you don’t become the root user. Apps that use root access have to request it, and you’ll have to allow it in the root tool you flashed.

      Example pop-up from SuperSU:

      • Programmer Belch@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        7
        ·
        9 months ago

        So google is lying about rooted devices, they seem as secure as an OEM letting an user sideload apps or google themselves letting malware apps inside their store

      • evo@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        11
        ·
        9 months ago

        Lol. So if you use an exploit to gain SU what makes you think a malicious app can’t do the same? Or better yet, find a new exploit in the SU management software you installed. As soon as you root, you can no longer guarantee root activities are not taking place unbeknownst to you…

        • michaelmrose@lemmy.world
          link
          fedilink
          English
          arrow-up
          16
          arrow-down
          1
          ·
          9 months ago

          if you use an exploit to gain SU what makes you think a malicious app can’t do the same

          They can. 99% of computer security is still not installing malware or being tricked into taking actions that enable your own harm. That said often rooting methods involve physically pressing keys while booting to access the boot loader, ADB, running things with with expansive permissions. Malicious apps install via play store with reasonable permissions will generally have a much harder time breaking out of the sandbox.

          Or better yet, find a new exploit in the SU management software you installed

          Historically “sudo” tools haven’t been the source of many issues whereas a multitude of problems flowed from complex memory unsafe code.

          As soon as you root, you can no longer guarantee root activities are not taking place unbeknownst to you

          You can never guarantee this however if you are careful what you install you will remain safe same as it was before.

        • notfromhere@lemmy.ml
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          3
          ·
          9 months ago

          That goes for unrooted phones as well. The danger with rooting a phone comes from the automated software that is doing the initial rooting. It could install anything in there and the user would be none the wiser. Once it’s rooted and permissions are requested via the superuser app, it’s not any more dangerous than a non-rooted phone, assuming nothing malicious was installed during the rooting process, that is.

          • evo@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            5
            ·
            9 months ago

            Once it’s rooted and permissions are requested via the superuser app

            And you expect this piece of community software (that is often closed source to avoid detection by safetynet) is perfect? Never had any bugs or exploits?

            it’s not any more dangerous than a non-rooted phone

            The SU software itself is an attack vector. One with the ultimate payoff (root access). When you root the device you install a window in what was otherwise a solid wall. It is inherently less secure and I can’t understand how a knowledgeable person would argue otherwise.

            • michaelmrose@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              9 months ago

              SU software has been a thing for about as long as android about 20 years or about. Has otherwise legitimate su been a source of unattended exploiting?

              The obvious risk factors are that users shall be tricked into granting inappropriate permissions to otherwise malicious or compromised software that they have deliberately installed. Outside of mobile platforms this is considered an acceptable risk that competent users can consistently successfully manage on their own hardware.

              In fact if you look at actual users even those with very limited technical know how the primary thing that

              The secondary risk is that users with no legit source of tools to root

            • notfromhere@lemmy.ml
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              2
              ·
              edit-2
              9 months ago

              I agree with what you’re saying, but all software is insecure and it should be up to the user what their risk tolerance is. Instead, users’ control of their equipment is whittled down and before long the only choice will be deal with it or don’t play. Pinephone comes to mind as a phone with root access that is somewhat secure, but it also has latent vulnerabilities that could be exploited as its version of sudo is also an attack vector. Everything is a trade off especially in software/tech.

              • evo@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                2
                arrow-down
                1
                ·
                9 months ago

                but all software is insecure and it should be up to the user what their risk tolerance is

                Yes. And app developers/companies should in turn do the same. A banking app and a lemmy app probably don’t have the same security requirements. Each needs to apply the appropriate security constraints, and if that means not allowing rooted decices that’s fair imo.