
Overview

systemd is the de facto Linux init system on modern distributions.

A process runs in its own user address space, a protected space which other users cannot disturb.

  • all processes on a Linux system descend from a common ancestor: the init process, which the kernel executes at boot time (PID 1)
  • every Linux process inherits the environment (PATH variable, etc.) and other attributes of its parent process

Every process has a parent; spawning a child is actually two separate system calls (fork to create the child, then exec to load the new program into it).

  • Shell-internal commands (cd, echo, etc. and variable assignments) do not spawn child processes
  • Shell scripts are executed by spawning a sub-shell, which becomes the parent of the commands the script runs
  • External commands are spawned as child processes of the shell, as described above

Bootloaders like GRUB (GRand Unified Bootloader) turn on power supplies and scan buses and interfaces to locate the kernel image and the root filesystem. LILO (LInux LOader) is another bootloader that can be found on older Linux systems.

Microcontrollers may be listening when the system is nominally off; they typically have their own BIOS and kernels and are inaccessible from the main system:

  • Baseboard Management Controller (BMC) responds to wake-on-LAN (WOL)
  • Intel Management Engine (IME) is an x64 software suite for remote management of systems; its firmware is based on Minix and runs on the Platform Controller Hub processor, not the main CPU
  • System Management Mode (SMM) launches UEFI software

The Linux kernel image is typically named vmlinux (or vmlinuz when compressed). The kernel ring buffer holds messages from the Linux kernel. A ring buffer is a fixed-size data structure: once it is full, old messages are discarded as new ones come in. dmesg shows its contents, and the messages are also stored in /var/log/dmesg.

Kernel modules can be loaded, listed, or removed from the running kernel.

Security

Similar to DLL files on Windows systems, .so ("shared object") library files on Linux allow code to be shared by various processes. They are vulnerable to injection attacks.

Library injection vulnerability

One file in particular, linux-vdso.so.1, locates other shared libraries and is mapped by the kernel into the address space of every process. This library-loading mechanism can be exploited through the environment variable LD_PRELOAD, which is considered the most convenient way to load a shared library into a process at startup. If defined, this variable is read by the system and the named library is loaded immediately after linux-vdso.so.1 into every process that is run.

This attack can be detected with the osquery tool, which represents the system as a relational database that can be queried, in particular against the process_envs table.
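An added example, not code from the original page: it performs the check described above by reading each /proc/<pid>/environ directly, which yields the same data an osquery query against process_envs would, and runs offline over a constructed fake /proc tree (pid 4242 and /tmp/constructed-hook.so are made up).

```python
"""Find processes whose environment sets LD_PRELOAD (added example, not from the page)."""
import os
import tempfile

def parse_environ(data: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE blob that /proc/<pid>/environ returns."""
    env = {}
    for entry in data.split(b"\0"):
        if b"=" not in entry:  # trailing empty entry, or a malformed one
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def find_preloaded(proc_root: str = "/proc") -> list:
    """Return sorted (pid, LD_PRELOAD value) pairs for processes that set the variable.
    osquery equivalent: SELECT pid, value FROM process_envs WHERE key = 'LD_PRELOAD';"""
    hits = []
    for name in os.listdir(proc_root):
        if not name.isdigit():  # skip /proc/self, /proc/sys, ...
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                env = parse_environ(fh.read())
        except OSError:
            continue  # process exited, or belongs to another user (run as root to see all)
        if env.get("LD_PRELOAD"):
            hits.append((int(name), env["LD_PRELOAD"]))
    # A preloaded library stays visible in /proc/<pid>/maps even if the process
    # later scrubs LD_PRELOAD from its environment; check both when triaging.
    return sorted(hits)

def demo() -> list:
    """Run the scan over a constructed fake /proc tree so the example works offline."""
    root = tempfile.mkdtemp()
    samples = {  # constructed environ blobs; only pid 4242 should be flagged
        "1": b"PATH=/usr/sbin:/usr/bin\0",
        "4242": b"HOME=/root\0LD_PRELOAD=/tmp/constructed-hook.so\0",
        "self": b"",  # non-numeric entries are ignored, as on a real /proc
    }
    for pid, blob in samples.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "environ"), "wb") as fh:
            fh.write(blob)
    return find_preloaded(root)

if __name__ == "__main__":
    print("constructed tree:", demo())
    print("this host:", find_preloaded())
```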

Filesystem access control lists (FACL) allow you to grant permissions to more than one group, e.g. in cases where more than one department of a corporation needs access to the same files.
They are made up of access control entries (ACE). FACL permissions are indicated in ls -l output by a "+" after the symbolic notation for the traditional UGO permissions. The acl package is a dependency of systemd.

To enable it, add ",acl" to the mount options in /etc/fstab, then unmount and remount the disk. If enabling FACL on the root partition, the system has to be rebooted.
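As an added example (not the page's own code), a small parser for getfacl output that shows how the mask entry caps what named users, named groups and the owning group actually get; the file, users and groups in the sample are constructed.

```python
"""Effective rights granted by a POSIX ACL (added example, not the page's own code)."""
from typing import Dict, Tuple

# Constructed getfacl output for a file that two departments need to share.
SAMPLE_GETFACL = """\
# file: q3-report.xlsx
# owner: alice
# group: finance
user::rw-
user:bob:rwx
group::r--
group:audit:rw-
mask::r--
other::---
"""

def _bits(perm: str) -> int:
    """'rwx' -> 7, 'r--' -> 4."""
    return (4 if "r" in perm else 0) | (2 if "w" in perm else 0) | (1 if "x" in perm else 0)

def _perm(bits: int) -> str:
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")

def parse_getfacl(text: str) -> Dict[Tuple[str, str], str]:
    """Map (tag, qualifier) -> permission string; the owner is ('user', '')."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops header lines and '#effective:' notes
        if not line:
            continue
        parts = line.split(":")
        if parts[0] == "default":  # directory default ACLs carry their own mask; skipped here
            continue
        tag, qualifier, perm = parts
        acl[(tag, qualifier)] = perm
    return acl

def effective(acl: Dict[Tuple[str, str], str]) -> Dict[Tuple[str, str], str]:
    """Apply the mask as the kernel does: named users, named groups and the owning
    group are capped by it; the owner and 'other' entries are not."""
    mask = _bits(acl.get(("mask", ""), "rwx"))  # no mask entry means nothing is capped
    result = {}
    for key, perm in acl.items():
        unmasked = key in (("user", ""), ("other", ""), ("mask", ""))
        result[key] = perm if unmasked else _perm(_bits(perm) & mask)
    return result

# Note: once an extended ACL exists, chmod's group bits (and the group column of
# ls -l) refer to the mask, not to the owning-group entry.
```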

Glossary

ALSA

Advanced Linux Sound Architecture (ALSA) replaced the earlier Open Sound System.

ALSA kernel modules are designed to offer an interface that "corresponds to that of the hardware" to keep the modules simple, so similar cards offer a similar interface. ALSA kernel modules offer two interfaces: operational and configuration.

Operational interfaces are exposed at /dev/, with three main types of devices:

  • PCM devices, for recording or playing digitized sound samples, come in two varieties - output and input - and are numbered from 0, which is generally for analog multichannel sound.
  • CTL or control devices are for manipulating the internal mixer and routing of the card. Controls come in three types:
    • Playback controls are associated with an output device or copy (input-to-output) routes
    • Capture controls are associated with an input device or copy (output-to-input) routes
    • Feature controls drive features of the card or mixer, usually just a switch to enable or disable the feature, though some also have levels. The Master Volume control is the most typical example, which allows control of the internal amplifier feature of the card. A more interesting example is that of a 3D spatializer that can be represented by a switch to enable or disable it as well as two levels.
  • MIDI to control the MIDI port, if it exists
  • Optionally, sequencer devices may also exist if the card has a built-in sound synthesizer with an associated timer device

Configuration interfaces are exposed in the /proc/asound/ tree (see amixer).

Cards have input or output sockets, and the mixer is controlled by the CTL device and routes sound samples among devices and sockets.

Typical channel assignments:

  • 0: front left
  • 1: front right
  • 2: rear left
  • 3: rear right

Berkeley Software Distribution (BSD)

BSD began in the 1970s and was based on AT&T's original code. The first source distributions required the user to purchase a source license from AT&T, since much of the BSD source was derived from UNIX.

Berkeley finally released a "wholly-BSD" product as Network Release 1 in 1989, which satisfied vendor demand for the TCP/IP networking code on PCs.

Work immediately began to reconstruct the remaining functionality of UNIX, which was completed in Network Release 2, released in 1991 and based entirely on Berkeley code. Eventually this resulted in the 386BSD distribution, which then spawned five interrelated BSD distros: BSDI (now Wind River), NetBSD, FreeBSD, OpenBSD, and Darwin/Mac OS X.

Unix System Laboratories (USL) sued BSDI after BSDI attempted to market its product as a real UNIX, and other BSD distributions were affected by disputed code. Ultimately 3 out of the 18,000 files that made up the Network Release 2 distribution were removed, which became known as BSD-lite, released in 1994. This legal dispute was partly to blame for Linux's rapid ascent in popularity.

Distributions

  • Alpine Linux is a security-oriented, lightweight Linux distribution used in containers and hardware.
  • Clear Linux is a rolling release distro from Intel with a custom package management system based on bundles, collections of packages that contain everything an application requires, including dependencies. Clear's update process can also do delta downloads, preserving bandwidth. It does not provide software with unusual licenses, such as ZFS, Chrome, or FFmpeg.
  • SUSE
    • OpenSUSE Leap is a rebuild of SUSE Linux Enterprise Server, similar to how CentOS was historically a rebuild of RHEL.
    • SUSE Linux Enterprise Server (SLES) ("slee") is SUSE's fixed-release distribution of Linux intended for enterprises, and as such is comparable to Red Hat's RHEL.

display manager

Basically, display managers are the login screens, while the GUI manipulated during normal use is the desktop environment (e.g. GNOME, KDE, XFCE).

initrd ("initial RAM disk")

A temporary file system that is loaded into memory when the system boots.

PipeWire

PipeWire is a media server intended to facilitate audio and video handling on Linux as a replacement for PulseAudio and JACK. It exposes a graph-based processing engine that abstracts audio and video devices.

PulseAudio

PulseAudio is a sound server for POSIX OSes and a fixture on many Linux distributions.

PulseAudio is built around sources and sinks (i.e. devices) connected to source outputs and sink inputs (streams):

  • Source is an input device that produces samples, usually running a thread with its own event loop, generating sample chunks which are posted to all connected source outputs
  • Source output is a recording stream which consumes samples from a source
  • Sink is an output device that consumes samples, usually running a thread with its own event loop that mixes sample chunks from connected sink inputs
  • Sink input is a playback stream, connected to a sink and producing samples for it

qmail

MTA designed as a drop-in replacement for Sendmail, notable for being the first to be "security-aware". Its modular subcomponents run independently and are mutually distrustful. It uses SMTP to exchange messages with other MTAs.

It was written by Dan Bernstein, a professor of mathematics famous for litigating against the US government with regard to export controls on encryption algorithms. qmail was deprecated and removed from Arch repos in 2005.

SMB

Client/server protocol developed in the early 1980s by Intel, Microsoft, and IBM that has become the native protocol for file and printer sharing on Windows. On Linux it is implemented by the Samba application suite.

WSL

Windows Subsystem for Linux (WSL) is shipped with Windows and tied to the Windows release cycle. Windows ships from a single massive codebase, of which WSL is part. WSL was written mostly in C and has 3 million monthly active users.

WSL implements user services to connect to WSL distros and to run Windows-native applications like CMD.exe. WSL implements a 9P Protocol file server to provide seamless integration of the virtualized Linux filesystem and that of the Windows host.

WSL 1 worked under a translation architecture in which Linux system calls were translated to NT kernel calls. This meant that applications using system calls that were newer or harder to implement, like GUI applications or Docker, did not run on v1.

WSL2 shifted to a lightweight virtualization model running a real Linux kernel. Docker now runs on WSL2, and GUI applications can run by using an X server.

WSL v1 is available on Azure VMs if nested virtualization is enabled. WSL2 support is forthcoming.

VHDs for WSL distributions are located at %LOCALAPPDATA%\Packages\<PackageFamilyName>\LocalState, where <PackageFamilyName> is the name of the distro's Microsoft Store package, e.g.:

  • CanonicalGroupLimited.Ubuntu20.04onWindows_79rhkp1fndgsc
  • TheDebianProject.DebianGNULinux_76v4gfsz19hv4

# Install distro
wsl.exe --install -d Ubuntu-20.04

# Remove distro
wsl.exe --unregister Ubuntu-20.04

By default, WSL appears to copy the Windows native hosts file at %SystemRoot%\System32\drivers\etc\hosts to the distro's /etc/hosts file.