Since the earliest days of unofficial Android ROMs, root access and custom firmwares like CyanogenMod have gone hand in hand. However, future versions of CyanogenMod will take a step back from always-on root, disabling root access by default but allowing users to easily enable it through a menu.

In a statement on their official site, the CM team says that having root access enabled by default represents a "major security risk," one which can be remedied by introducing four user-configurable root options. Root access will be disabled by default, while three additional options will let CM users enable it for ADB only, apps only, or both. So there's nothing to panic about -- your root access will still be there if and when you need it, but your device will be more secure by default as a result.

A good analogy is Android's "unknown sources" option, which allows applications to be loaded directly from an APK file rather than the Google Play Store. It's there for those that want it, but disabled by default for security reasons. As CM matures and its audience grows more mainstream, it makes sense that there's a renewed focus on security.

There's more technical info about exactly how this configurable root access works over at the source link.

Source: CyanogenMod


Reader comments

CyanogenMod 9 makes root access an option, not the default


Funny...I was just thinking about this this morning. I like running alternative ROMs, but I'd like to have a little more peace of mind when running Wallet and things like that. Sounds like this is an ideal solution...hopefully more ROM devs will take note.

I like this idea. I've thought about it being a cool feature in the past. I'm glad to see it come. When I installed CM7 on my Captivate it was mostly because of the vast improvements over the stock ROM, not for all the customization that comes with having that ROM with root access gave me. It's great to have, but I simply wanted my phone to work. My only question is this: If I had to enable root access to put a script in the /etc/init.d folder and then disabled it (similar to enabling and disabling "Unknown Sources" for side-loading) would the script still run on boot?

You need root to write the script to the system partition. Once it is there it will run. You would need root permission to modify it.

What your referring to (etc/init.d) in development terms is called busybox run parts. Run parts allows Linux to execute scripts found in /system/etc/init.d on an ascii character value basis, in numeric alpha order.

In order for this to function certain core changes need to be made on the ROM:
1) Busy box
2) the boot.img needs to be edited to support init.d

As long as those things are present, then it will function. However those will simply let the process take place. In order for you to add or edit anything, that's where root or super user permissions come in to play. Because /system is r/o, and because init.d is in /system, you'll need root permission to add new scripts or edit existing scripts to the directory. That's the only part super user permissons plays in init.d scripting.

Assuming you have busybox, and the boot.img you're using supports run parts, you could add any script you want to init.d, then remove the su.bin all together (essentially killing root access) and the scripts in init.d would continue to function because you didn't touch busy box or the boot.img.

That's probably more detailed than what you were looking for but some people, myself included, enjoy all the technical junk :)


Thank you! I really appreciate that explanation. I'm pretty tech savvy but I don't know much about Linux or Android in their technical aspects. I know enough to be dangerous haha! I've dabbled with some Linux distros but I'm still a novice. Any pieces of info like that is awesome. Thank you again!

What do you mean? When will manufacturers & carriers start giving us root access out of the box?? That's easy...never! I don't think they should either.

The thing you have to understand is that people who do root & flash ROMs to their phones are a VERY SMALL percentage of the overall Android user base. Could you imagine how many warranty claims the manufacturers would have to fill if people who didn't know what they were doing had the ability to delete important system files? It would be a nightmare that all users would have to carry the increased costs of through higher prices for everyone.

I do feel that we should have a simple way to achieve root access since we paid for the device...maybe something like HTC has in place for unlocking their bootloaders where you can go online, select your device, agree that you understand you are voiding your warranty, and then are rooted. I doubt we will ever see that though (at least not here in the U.S.) but we can dream.

I don't think thats really a issue, laptop PC with branded Windows is complitly unlocked, no body stop you to throw away windows or touch system files in the that it stop functioning and i didnt hear any manufacture complain about warranty being a nighmare, not to mention even phones got firmware (i really hate to name it ROM ;p it's not ROM... you can write on it) recovering system. It's probably to prevent possibility to resale hardware with 3rd party firmware (i don't see other reason why they need authetication process for unlocking bootloader... it's not accessable to user until he tries to use it) or manufacture mentality to keep user under wraps, since something like that on PC where user is used to complete freedom would not work.

Does this mean users of Good that get kicked off when root is detected, would no longer get kicked off? I have been unable to root my phone as my company uses Good and and soon as root is detected I'm disabled.

so im not sure how this is different from Superuser...i understand this gives the user more options (ADB, apps only and both) but beyond this is anything really different?