
#1 2020-10-29 11:19:34

almandin
Member
Registered: 2014-02-23
Posts: 31

initial ramdisk and init script

Hi,

As a security analyst I wanted to try a few things about tampering with the Linux initial ramdisk (backdooring an initramfs).

I saw that in Arch Linux (current kernel 5.9.1 at the moment) the init script of my initial ramdisk is a 64-bit ELF, and not a shell script as I saw in many resources (a shell script being obviously more convenient to backdoor than an ELF).

Why is that so? My colleague is using Debian (10) and has a shell script in the init file of his initial ramdisk. Is it a choice? Is there an easy way to know which distributions have an ELF as the init script, and which ones have a shell script?

Thanks for your answers !


#2 2020-10-29 11:47:14

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 8,593

Re: initial ramdisk and init script

It probably depends on the tool used to create the initramfs.
Arch Linux uses mkinitcpio to create the initramfs (although we may switch to dracut), Red Hat / Fedora use dracut I think, no idea what Debian uses.

Check https://wiki.archlinux.org/index.php/Mkinitcpio and https://git.archlinux.org/mkinitcpio.git/ for more info about mkinitcpio.

Last edited by Lone_Wolf (2020-10-29 11:47:26)


Multi-init booting with apg Openrc and systemd coexisting
Automounting : not needed, i prefer pmount
Aur helpers : makepkg + my own local repo === rarely need them


#3 2020-10-29 12:13:56

almandin
Member
Registered: 2014-02-23
Posts: 31

Re: initial ramdisk and init script

Thanks for the answer. Is there a way to see what options are used with mkinitcpio on Arch Linux when updating the Linux kernel? I don't see any specific option that would tell mkinitcpio to compile a binary to use as the init script. I looked in mkinitcpio.conf and the mkinitcpio.d presets; it looks quite standard.


#4 2020-10-29 12:37:02

frostschutz
Member
Registered: 2013-11-15
Posts: 993

Re: initial ramdisk and init script

The initramfs is whatever you want it to be; you can do anything as in a regular Linux userland. So whether to use something like busybox and shell scripts, or systemd, or a standalone binary, is up to the initramfs creator.

With mkinitcpio you can choose between an old-school initramfs (shell script hooks) or a systemd-based one (systemd "hooks" which install systemd units).

You can check Gentoo Wiki/Custom Initramfs, which explains how to create one from scratch (busybox-based).

That said, even a systemd-based initramfs should be easy to backdoor: for example, if it runs udev you can spawn custom scripts from a udev rule, or you can just replace any binary.

It might be more difficult with monolithic binaries, but while it would be possible to make one (write a custom init script in C or Rust), you don't see this a lot.


#5 2020-10-29 12:38:18

Scimmia
Bug Wrangler
Registered: 2012-09-01
Posts: 8,047

Re: initial ramdisk and init script

The initramfs on Arch can be busybox-based or systemd-based. It all depends on how it's configured.

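A way to settle the question in #1 without guessing, and an illustration of the busybox-vs-systemd split described in #4 and #5: the Python below is an added example for this thread, not mkinitcpio or lsinitcpio code. It parses the newc cpio format the kernel unpacks, handles the layout where an uncompressed early cpio (microcode) is followed by the compressed main archive, follows /init through symlinks inside the archive and reports whether it is a 32/64-bit ELF or a `#!` script, plus which /hooks/* files are present. The two sample images are constructed in the file; the paths they use (/init as a symlink to /usr/lib/systemd/systemd, /etc/initrd-release, /hooks/) reflect mkinitcpio's layout as assumed here, and the fake ELF header carries only e_ident, e_type and e_machine. Only gzip and xz are decoded with the standard library; a zstd image is reported instead of parsed and can be decompressed first with `zstd -d`.

```python
import gzip
import lzma
import os
import stat

NEWC_MAGIC = b"070701"
TRAILER = "TRAILER!!!"
# gzip and xz are decoded with the stdlib; zstd is recognised only so it is reported, not mis-parsed.
DECODERS = {b"\x1f\x8b": ("gzip", gzip.decompress), b"\xfd7zXZ\x00": ("xz", lzma.decompress),
            b"\x28\xb5\x2f\xfd": ("zstd", None)}


def _pad4(n): return (n + 3) & ~3


def parse_newc(buf):
    """One newc cpio archive at the start of buf -> ({path: (mode, data)}, bytes consumed).
    Header = "070701" + 13 eight-digit hex fields (110 bytes); name and data are padded to 4."""
    entries, off = {}, 0
    while True:
        if buf[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"bad cpio header at offset {off}")
        f = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name = buf[off + 110:off + 110 + namesize - 1].decode()
        data_start = _pad4(off + 110 + namesize)
        data = buf[data_start:data_start + filesize]
        off = _pad4(data_start + filesize)
        if name == TRAILER:
            return entries, off
        entries[os.path.normpath(name).lstrip("/")] = (mode, data)


def unpack_initramfs(image):
    """Walk the layers (early cpio, zero padding, compressed main cpio) -> (entries, layers).
    Later archives override earlier ones, which is what the kernel's unpacker does too."""
    entries, layers, off = {}, [], 0
    while off < len(image):
        chunk = image[off:]
        if chunk.startswith(b"\0"):                     # padding between concatenated archives
            off += len(chunk) - len(chunk.lstrip(b"\0"))
        elif chunk.startswith(NEWC_MAGIC):
            part, used = parse_newc(chunk)
            entries.update(part)
            layers.append(f"cpio({len(part)})")
            off += used
        else:
            name, dec = next(((n, d) for m, (n, d) in DECODERS.items() if chunk.startswith(m)), (None, None))
            if dec is None:
                raise ValueError(f"cannot decode {name or 'unknown data'} at offset {off}; decompress it first")
            inner, inner_layers = unpack_initramfs(dec(chunk))   # the compressed part runs to the end
            return {**entries, **inner}, layers + [name] + inner_layers
    return entries, layers


def classify_init(entries, path="init", depth=0):
    """Follow /init through in-archive symlinks -> (resolved path, 'ELF32'/'ELF64'/'script <interp>'/...)."""
    if path not in entries or depth > 8:                 # absent, or a symlink chain that never ends
        return path, "unresolved"
    mode, data = entries[path]
    if stat.S_ISLNK(mode):
        target = data.decode()
        if not target.startswith("/"):
            target = os.path.join(os.path.dirname(path), target)
        return classify_init(entries, os.path.normpath(target).lstrip("/"), depth + 1)
    if data[:4] == b"\x7fELF":
        return path, "ELF" + {1: "32", 2: "64"}.get(data[4] if len(data) > 4 else 0, "?")
    if data[:2] == b"#!":
        return path, "script " + data.split(b"\n", 1)[0][2:].decode(errors="replace").strip()
    return path, "unknown"


def report(image):
    entries, layers = unpack_initramfs(image)
    target, kind = classify_init(entries)
    hooks = sorted(p[6:] for p, (m, _) in entries.items() if p.startswith("hooks/") and stat.S_ISREG(m))
    return {"layers": layers, "init": kind, "init_target": target,
            "systemd": "etc/initrd-release" in entries, "hooks": hooks}


def build_newc(entries):
    """Minimal newc writer, used only to construct the sample images."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(list(entries) + [(TRAILER, 0, b"")], 1):
        nm = name.encode() + b"\0"
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0)
        out += NEWC_MAGIC + "".join("%08x" % v for v in fields).encode() + nm
        out += b"\0" * (_pad4(len(out)) - len(out)) + data
        out += b"\0" * (_pad4(len(out)) - len(out))
    return bytes(out)


def sample_images():
    """Two constructed images (not real mkinitcpio output): busybox-style gzip, systemd-style early cpio + xz."""
    busybox = gzip.compress(build_newc([
        ("init", 0o100755, b"#!/usr/bin/ash\n. /init_functions\nrun_hookfunctions 'run_hook' 'hook'\n"),
        ("hooks/udev", 0o100644, b"run_earlyhook() { udevd --daemon; }\n"),
        ("hooks/encrypt", 0o100644, b"run_hook() { cryptsetup open /dev/sda2 root; }\n")]))
    early = build_newc([("kernel/x86/microcode/GenuineIntel.bin", 0o100644, b"\xab" * 64)])
    fake_elf64 = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + b"\x02\x00\x3e\x00"  # e_ident, ET_EXEC, x86-64 only
    systemd = early + b"\0" * (-len(early) % 512) + lzma.compress(build_newc([
        ("init", 0o120777, b"/usr/lib/systemd/systemd"),
        ("usr/lib/systemd/systemd", 0o100755, fake_elf64),
        ("etc/initrd-release", 0o100644, b"NAME=Arch Linux\n")]))
    return {"busybox": busybox, "systemd": systemd}


if __name__ == "__main__":
    for label, img in sample_images().items():   # for a real image: report(open(path, "rb").read())
        print(label, report(img))
```

Run it against the real image with `report(open("/boot/initramfs-linux.img", "rb").read())` and compare with `lsinitcpio -a`, mkinitcpio's own analyzer: a busybox-style image shows `init` as `script /usr/bin/ash` and lists its hooks, while a systemd-style image resolves `init` to the systemd ELF and has no /hooks/ directory at all. An unexpected hook name or an `init` that is neither the expected script nor the expected ELF is exactly the kind of change a backdoored initramfs would show.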
