In (multi-user) Android there are
UIDs like these:
Those seem different to the usual
UIDs used for the applications. What is their purpose? Is this a way to make files available to all applications (share between applications of a user account)?
Android reserves UIDs / GIDs ranging from
19999 for apps.
AID_EVERYBODY is one of the special groups, which is used to control app's read / write ability to external storage (
/sdcard). This group has GID 9997 for device owner. If there are profiles or multiple users, GID takes form
XX is UserID. So
u11_everybody resolves to UID
Starting with Android 6, every app has it's own view of
/sdcard, which is controlled by exposing
/data/media/[UserID] with different permissions. This is achieved by making use of an emulated filesystem (previously
sdcardfs) and mount namespaces. For device owner i.e. UserId
/sdcard appears with following three VIEWs of permission sets:
voldetc., permissions appear as
android.permission.READ_EXTERNAL_STORAGE, permissions appear as
android.permission.WRITE_EXTERNAL_STORAGE, permissions appear as
Considering three distinct
VIEWs, we come with four situations:
0have always R/W access to
/sdcard. However if a non-privileged process running in root mount namespace wants R/W access to
/sdcard, that would be controlled by group AID_SDCARD_RW (GID
1015). An example is ADB daemon which runs with UID / GID
1015in its supplementarry groups.
Since every app runs with its unique UID in a separate mount namespace:
READ/WRITE_EXTERNAL_STORAGEpermissions won't be able to read or write to
/sdcard, but with one exception. Let's take example of app
10500. Apart from internal data directory
/data/data/com/xyz, app has a
/sdcard/Android/data/com.xyzwith owner UID
10500. So this directory is always readable / writable by the app.
/sdcard/Android/datais traversable for all apps, but no R/W access.
Since every app is a member of
everybody (9997) group:
READ_EXTERNAL_STORAGEpermission will be able to read the
/sdcardin addition to previous permission.
WRITE_EXTERNAL_STORAGEpermission will be able to write to
/sdcardin addition to previous two permissions. So the app has full R/W access to shared / external
Public Storageincluding other apps'
In the same way it works for other user accounts / profiles.
Opaque Binary Blobs: (OBB)
Some apps need additional storage to save large files which can't be included in
.apk file due to 100MB maximum size limit. There are two possible
obb locations where these files are saved:
/sdcard/Android/obb/. The former was introduced before multi-users concept, so it's only available to device owner. Later is available to apps in multi-user accounts / profiles as well.
Access to former is controlled the same way as to
/sdcard, while later is always accessible by an app as is the private external storage.