About Root

Linux and Unix-like systems are originally designed for multi-user，and different users own different privileges. "root" is the only superuser who owns all privileges of system and can do everything. 

About setUID

Before discuss how to root system, there is a very important term, setUID, we should know. As We already know normal file has three privileges "rwx" - read, write and excute. 
For example: 
ls /bin/cat -al
-rwxr-xr-x 1 root root 47904  14 Jan  2015 /bin/cat

ls /etc/shadow -al
-rw-r----- 1 root shadow 3504  19 Feb 14:01 /etc/shadow

In Linux OS, user's passwords are recorded in /etc/shadow, and only root can write. How could other users  modify their passwords? That is all attributed to setUID. 
ls /usr/bin/passwd -al
-rwsr-xr-x 1 root root 47032  16 Jul  2015 /usr/bin/passwd

Except "wrx", there is another privilege “s” , and it is "setUID" which allow normal user temporarily own the privilege of root.

Root in android

We use command "su" to change user from normal user to root，but in standard Android OS DOSE NOT allow normal user change to root for security reasons. So what we should do is giving the privillege to normal users include adb, debug console , apps and so on .

How to root system

Allow debug console to have the privileges of root. 

Build in "su" command to /system/xbin/su. 

Allow adb to to have the privileges of root. 

setprop ro.secure = 1

Allow apps to have the privileges of root. 

Step 1：
Remove the limitation of only AID_ROOT and AID_SHELL can use the command "su".
It is built into /system/xbin/su.

diff --git a/system/extras/su/su.cpp b/system/extras/su/su.cpp
index ee1526ef93..f7d931a5e3 100644
--- a/system/extras/su/su.cpp
+++ b/system/extras/su/su.cpp
@@ -81,8 +81,10 @@ void extract_uidgids(const char* uidgids, uid_t* uid, gid_t* gid, gid_t* gids, i
 }
 
 int main(int argc, char** argv) {
+/*
     uid_t current_uid = getuid();
     if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
+*/
 
     // Handle -h and --help.
     ++argv;

Step 2：
Change the privilege of command su.
It is built into /system/lib/libcutils.so .

diff --git a/system/core/libcutils/fs_config.cpp b/system/core/libcutils/fs_config.cpp
index cc96ff8546..fce8cb32ab 100644
--- a/system/core/libcutils/fs_config.cpp
+++ b/system/core/libcutils/fs_config.cpp
@@ -166,7 +166,8 @@ static const struct fs_path_config android_files[] = {
     // the following two files are INTENTIONALLY set-uid, but they
     // are NOT included on user builds.
     { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procmem" },
-    { 04750, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
+    { 06755, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
+    { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/su" },
 
     // the following files have enhanced capabilities and ARE included
     // in user builds.

Step 3：
Remove the mechanism of DropCapabilities.
It is built into /system/lib/libandroid_runtime.so .

diff --git a/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp b/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
index e1c2cb0deb..50750f4ee3 100644
--- a/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
+++ b/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
@@ -241,6 +241,7 @@ static void EnableKeepCapabilities(JNIEnv* env) {
 }
 
 static void DropCapabilitiesBoundingSet(JNIEnv* env) {
+/*
   for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
     int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
     if (rc == -1) {
@@ -253,6 +254,7 @@ static void DropCapabilitiesBoundingSet(JNIEnv* env) {
       }
     }
   }
+*/
 }

Step 4：
（This step only need do in Android6.0）
It is built into /system/bin/app_process32 .

diff --git a/frameworks/base/cmds/app_process/app_main.cpp b/frameworks/base/cmds/app_process/app_main.cpp
index 2e023825a2..770939f231 100644
--- a/frameworks/base/cmds/app_process/app_main.cpp
+++ b/frameworks/base/cmds/app_process/app_main.cpp
@@ -185,6 +185,7 @@ static const char ZYGOTE_NICE_NAME[] = "zygote";
 
 int main(int argc, char* const argv[])
 {
+#if 0
     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
         // Older kernels don't understand PR_SET_NO_NEW_PRIVS and return
         // EINVAL. Don't die on such kernels.
@@ -193,6 +194,7 @@ int main(int argc, char* const argv[])
             return 12;
         }
     }
+#endif
 
     AppRuntime runtime(argv[0], computeArgBlockSize(argc, argv));
     // Process command line arguments

Summary :

There are two methods to allow apps to have the privileges of root. One is to build all the above changing into Android system, and the other is to build all the above changing into libraries and push them into android system on runtime.