Hi,
As a security analyst, I wanted to try a few things involving tampering with the Linux initial ramdisk (backdooring an initramfs).
I saw that on Arch Linux (current kernel 5.9.1 at the moment) the init script of my initial ramdisk is a 64-bit ELF, and not a shell script as I saw in many resources (a shell script obviously being more convenient to backdoor than an ELF).
Why is that so? My colleague is using Debian (10) and has a shell script as the init file of his initial ramdisk. Is it a choice? Is there an easy way to know which distributions have an ELF as the init script, and which ones have a shell script?
Thanks for your answers!

It probably depends on the tool used to create the initramfs.
Arch Linux uses mkinitcpio to create the initramfs (although we may switch to dracut); Red Hat / Fedora use dracut, I think; no idea what Debian uses.
Check https://wiki.archlinux.org/index.php/Mkinitcpio and https://git.archlinux.org/mkinitcpio.git/ for more info about mkinitcpio.
Last edited by Lone_Wolf (2020-10-29 11:47:26)
Thanks for the answer. Is there a way to see what options are used with mkinitcpio on Arch Linux when updating the Linux kernel? I don't see any specific option that would tell mkinitcpio to compile a binary to use as the init script. I looked in mkinitcpio.conf and the mkinitcpio.d presets; it looks quite standard.

The initramfs is whatever you want it to be; you can do anything there, as in a regular Linux userland. So whether to use something like busybox and shell scripts, or systemd, or a standalone binary is up to the initramfs creator.
With mkinitcpio you can choose between an oldschool initramfs (shell script hooks) or a systemd-based one (systemd "hooks" which install systemd units).
You can check the Gentoo Wiki's Custom Initramfs article, which explains how to create one from scratch (busybox based).
That said, even a systemd-based initramfs should be easy to backdoor: for example, if it runs udev you can spawn custom scripts from a udev rule, or you can just replace any binary.
It might be more difficult with monolithic binaries, but while it would be possible to make one (write a custom init in C or Rust), you don't see this a lot.
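Since the thread leaves the practical question open (how do you tell what kind of /init an image actually has, and where would a udev-rule backdoor sit), here is an added example, written for this page and not taken from the thread or from mkinitcpio. It assumes you have already unpacked the image with the distribution's own tool (`lsinitcpio -x` on Arch, `unmkinitramfs` on Debian); the directory tree it inspects in the demo is constructed inline, including a fake ELF header and a fake `RUN+=` rule. It follows symlinks when classifying /init because a systemd-based image may ship /init as a symlink to the systemd binary (an assumption here; check your own image).

```shell
#!/bin/sh
# Added example (not from the thread): classify an extracted initramfs's /init as
# shell script vs. ELF, and list udev rules that make udevd execute a program.
#
# Extracting the image first (the distros' own tools, run by hand beforehand):
#   Arch:    lsinitcpio -x /boot/initramfs-linux.img            # unpacks into the cwd
#   Debian:  unmkinitramfs /boot/initrd.img-$(uname -r) ./out   # may yield early/ and main/
# dd follows symlinks, so a /init -> systemd symlink is classified by the target.

# init_kind FILE -> prints "elf", "script" or "unknown" from the first four bytes.
init_kind() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;      # 0x7f 'E' 'L' 'F'
        2321*)    echo script ;;   # '#!' shebang
        *)        echo unknown ;;
    esac
}

# udev_run_rules DIR -> prints "file:line:rule" for every non-comment RUN+= or
# PROGRAM= entry under DIR, i.e. every rule that spawns something; this is where
# the "custom script from a udev rule" backdoor mentioned above would have to live.
udev_run_rules() {
    grep -rnE '^[^#]*(RUN|PROGRAM)[+]?=' "$1" 2>/dev/null
    return 0   # no matches is a valid (clean) result, not an error
}

# Constructed stand-in for two extracted images: a busybox one and a systemd one.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/busybox" "$t/sysd/usr/lib/systemd" "$t/sysd/usr/lib/udev/rules.d"
    printf '#!/bin/busybox sh\nexec /init2\n' > "$t/busybox/init"
    printf '\177ELF\002\001\001' > "$t/sysd/usr/lib/systemd/systemd"   # fake ELF header only
    ln -s usr/lib/systemd/systemd "$t/sysd/init"                        # assumed layout
    printf '# benign rule\nKERNEL=="sda", SYMLINK+="disk0"\n' \
        > "$t/sysd/usr/lib/udev/rules.d/60-disk.rules"
    printf 'ACTION=="add", RUN+="/bin/sh -c /tmp/hook"\n' \
        > "$t/sysd/usr/lib/udev/rules.d/99-evil.rules"                  # constructed backdoor
    echo "busybox image /init: $(init_kind "$t/busybox/init")"
    echo "systemd image /init: $(init_kind "$t/sysd/init")"
    echo "udev rules that execute programs:"
    udev_run_rules "$t/sysd/usr/lib/udev/rules.d"
    rm -rf "$t"
}
demo
```

Run the two functions against a real unpacked tree instead of the demo directories; on a systemd-based Arch image you should see `elf` for /init, and any `RUN+=` line in a rules file you did not expect from the package is worth diffing against the installed copy under /usr/lib/udev/rules.d.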

The initramfs on Arch can be busybox-based or systemd-based. It all depends on how it's configured.