1# How does ADB root/unroot work? 2 3Every couple of months the question is asked to the OWNERS: "How does adb root/unroot work?". Every time, we have to 4dig out the code to remember. Here is a doc to hopefully solve this problem. 5 6## shell uid vs root uid 7 8`adbd` always starts running as user `root`. One of the first things the daemon does is to check 9if it should drop its privileges to run as `shell` user. There are a few read-only properties involved in the decision. 10 11``` 12ro.secure 13ro.debuggable 14``` 15 16On a `user` debug, these properties will never allow `adbd` to remain `root`. However, on `eng` and `userdebug` builds 17they will. 18 19## From CLI to restart 20 21If adbd can remain `root`, it doesn't mean that it should. There is a second level decision dictated by the property 22`service.adb.root`. If set to `1`, adbd remains `root`. Otherwise, it drops to `shell`. 23 24The command `adb root` and `adb unroot` triggers adbd to write `service.adb.root` and restart. 25 26The one catch is that `adbd` cannot call `exit(3)` right away since it must make sure the "success" message makes 27it back to the caller on the host. 28 29The trick is done by tagging any asocket associated with a `root`/`unroot` command to call `exit(3)` when the 30asocket they run upon is closed (see `exit_on_close`). 31 32 33## How adb restarts upon root/unroot 34 35If `adbd` calls `exit(3)`, how does it restart itself? Since it is a critical process, `initd` notices that it is 36gone and restarts it. 37 38