2016년 1월 2일 토요일

Setting permissions to use Android Debug Bridge as regular user

Android Debug Bridge (adb) is used to communicate with an Android phone connected by usb cable. It is a native linux program, although there are ways to run it in Windows. Without some setup, however, regular users cannot run adb, and must use sudo. This is not good practice, however, and can pose a security risk.

In July 2015, I submitted an answer to a question on StackOverflow regarding adb permissions. The accepted answer suggests setting the SUID bit (4XXX in octal) on the adb binary in /usr/bin but this is basically the same thing as sudo adb because SUID bit gives all users who run the file the same privileges as the file owner (root owns adb binary).

The answer I suggested uses Access Control Lists (ACL) to add the current user to the list of users allowed to run /usr/bin/adb using setfacl. This workaround was valid in July 2015, but stopped working in Archlinux several months later. Now the canonical way to allow the regular user to invoke adb is to make sure a udev rule for your Android device exists.

I use the Archlinux package android-udev which includes the USB ID's for most Android smartphones. If your device doesn't exist in the rules file, you can simply add its USB ID to /usr/lib/udev/rules.d/51-android.rules and send a pull request to the upstream repo of android-udev.