Linux is an interpreter
By analyzing a mysterious shell script that recursively executes itself using kexec, this article explores the technical perspective that the Linux kernel acts as an interpreter for initrds.
This is a standalone addendum to an earlier four-part series. Reading the previous parts is not required.
In a previous article, I left you with this mysterious command.
curl https://astrid.tech/rkx.gz | gunzip | sudo sh
What does it do? This can’t possibly be safe to run, can it? Am I distributing malware to you? Fine, fine, I’ll open it up and show you what’s inside.
Reverse Engineering
First, we download it:
astrid@chungus /tmp ❯ curl https://astrid.tech/rkx.gz | gunzip > rkx
What kind of a file is it?
astrid@chungus /tmp ❯ file rkx
rkx: POSIX shell script, ASCII text executable
It’s a shell script, but it's a 20 megabyte shell script filled with base64 data. Let’s peek at its head and tail:
#!/bin/sh
set -x
if [ "$(id -u)" -ne 0 ]; then
echo "Please ensure you are running as root/sudo"
exit 1
fi
if ! command -v kexec && command -v base64 && command -v cpio 2>&1 >/dev/null ; then
echo "Please ensure kexec-tools, base64, and cpio are installed"
exit 1
fi
base64 -d <<912367yuiogrjklhsdijlslksdawuil234ui > r
MDcwNzAxMDAwQjI0MDkwMDAwNDE2RDAwMDBGRkZFMDAwMEZGRkUwMDAwMDAwMzAwMDAwMDAxMDAw
...
912367yuiogrjklhsdijlslksdawuil234ui
cpio -uidv < r "k" > k
kexec --load k --initrd r --reuse-cmdline
kexec --exec
Altogether, this script ensures the user is root, decodes 20MB of base64 into a cpio archive named "r", extracts a kernel "k", and uses kexec to replace the current OS with this new kernel and ramdisk.
The Recursive Loop
Inside the extracted ramdisk, the /init script looks like this:
#!/bin/sh
mkdir -p /proc
mount -t proc proc /proc
find / | grep -v /r | grep -v /proc | cpio -vo -H newc > /r
kexec --load /k --initrd /r --reuse-cmdline
kexec --exec
This is a Linux distro that recursively calls kexec on itself!
Linux as an Interpreter
Think about how you run an executable. You pass it into another program that interprets and runs the instructions, like sh myscript.sh or python3 myscript.py. In this context, initrds are programs, and Linux kernels are interpreter programs for initrds.
Tail-call Optimization
Using kexec for recursion is a form of tail-call optimization. You aren't nesting Linux kernels; you are replacing each kernel with a new one. The new stack frame doesn't overwrite the old one—it builds a new Linux interpreter stack frame in a different part of memory and executes it.
This setup is essentially a Quine of the Linux initrd interpreter—a self-contained program that can produce a copy of itself. It demonstrates that at a low level, the boundary between an operating system and a simple interpreter is thinner than it seems.
Source: Hacker News
