The inittab file is often one of the first things loaded during the initialization process. This file contains a list of processes that need to be run very early in the boot process, may need a “watchdog” to restart them on crash, and so on. It also often contains the settings for defining and securing TTYs. What we are concerned with is the “respawn” feature, since we want a place to drop a persistent process on the box.
Before we proceed, note that more modern varieties of Linux don’t use inittab, but have similar functions. Red Hat Enterprise Linux (RHEL) version 6 has “upstart” which replaces the inittab with a directory containing individual files per process to be started. RHEL version 7 has “systemd” which uses “unit” files to control just about everything. We’ll cover those in next week’s article. The “inittab” is a SystemV-ism, and OpenBSD doesn’t use it. Instead of “inittab” the startup files begin in the “rc” scripts, and the TTYs are defined and secured in the “/etc/ttys” instead. The reason for this is inittab is tied to the concept of run levels, and OpenBSD doesn’t really have those.
On AIX, the inittab is managed by a set of commands similar to many other base AIX commands (mk-, ch-, rm-, and ls- prefixed.) The mkitab, chitab, rmitab, and lsitab commands create, change (modify,) remove, and list inittab entries (respectively.) Let’s break down an inittab entry, using AIX’s inittab as a base line.
Each entry is colon “:” separated, similarly to /etc/passwd. Lines are commented with a semi-colon “;” at the beginning of the line. The first column is the label for the entry. The second colomn is the run level that triggers the running of this command. The third column is the “action” to take on the command. This is where we define “run this one time at boot” vs. “run this again if it dies.” The last column is “the command(s) to run.” The reason I said “command(s)” is this can be a chain of commands piped together, not just a singular command.
To create an inittab entry (again, using AIX as an example,) we would do something similar to this:
mkitab "softaud:2:respawn:/usr/bin/audit start"
In the above example, we created an inittab entry labeled “softaud” that starts at runlevel 2, respawns on death, and calls the “/usr/bin/audit” command passing it “start” as input. Since “audit” lives at “/usr/sbin/audit” on AIX, this entry is suspect. If we were to leave a persistent script named “audit” in /usr/bin and then add this inittab entry, our script would be respawned on death, and would likely be overlooked by the systems administrators reviewing the file. If we wanted to inject this after the existing entry already labeled as “audit” we could pass that mkitab command the “-i” flag followed by the label we want to append after. Why “-i” for “append?” You would have to ask IBM.
mkitab -i audit "softaud:2:respawn:/usr/bin/audit start"
The possible “actions” that can be passed to an inittab are listed in the man pages, but a few common ones are:
"once" - When the init command enters the run level specified for this record, start the process, do not wait for it to stop and when it does stop do not restart the process. If the system enters a new run level while the process is running, the process is not restarted.
"respawn" - If the process identified in this record does not exist, start the process. If the process currently exists, do nothing and continue scanning the /etc/inittab file.
"wait" - When the init command enters the run level specified for this record, start the process and wait for it to stop. While the init command is in the same run level, all subsequent reads of the /etc/inittab file ignore this object.
Some systems include a commands to make changes to inittab (such as we see with AIX.) Other systems require you to modify the file directly using your favorite editor (vi, for example.)
Whatever your system requires, after a change is made, it only takes effect if you tell the “init” process to re-read the inittab. To do this, you need the “telinit” command, and pass it the “q” option.
telinit q
Once it has been re-read, it will happily respawn the persistent script that was injected. A thorough audit of the inittab would involve going through the list of all commands in the file, checking that those processes exist at the locations given, doing a file type check, checksum check, and when possible, a “contents” check to see that they are legitimate.