Beware of externally sourced install scripts

nevj · April 9, 2023, 4:09am

Here is a story about how to buy trouble when you dont really need it.

A new Gentoo kernel (6.2.10) was released. I decided to build it. The build process ended with a message that it could not read the file /etc/modules.d and in /boot it had vmlinuz-6.2.10-gentoo-x86_64 but no initramfs-6.2.10-gentoo-x86_64.img. Of course it would not boot.

So what is differernt from last time I built a kernel? I looked back thru my logbook, and yes one thing… I had installed a driver module called 88x2bu.ko for a WiFi dongle. But that was in kernel 6.2.7… how could that affect the new kernel?

Well, I used a an install script downloaded from the manufacturers website called install-driver.sh.
I took a close look at the script, and yes it contains just one line that might be causing trouble

# sets module parameters (driver options) and blacklisted modules
echo ": ---------------------------"
echo
echo "Starting installation."
echo "Installing ${OPTIONS_FILE} to /etc/modprobe.d"
cp -f ${OPTIONS_FILE} /etc/modprobe.d

It copies something to /etc/modprobe.d.
I had a look at what was there and it simply blacklists some other module.
Trouble is… Gentoo does not have a file /etc/modprobe.d, it has a directory /etc/modprobe.d/ which contains various files such as blacklist.conf.
So there is the problem … the kernel build process went looking for a directory/etc/modprobe.d/and it found a file there instead.

So the fix was
rm /etc/modprobe.d
mkdir /etc/modrobe.d
and inside the directory /etc/modprobe.d make the file blacklist.conf containig one line
blacklist rtw88_8822bu

Then rebuild kernel 6.2.10… and it works. Reboot, do update-grub , and it appears ion the grub menu and boots

Solved? Well not so easy.
When I reboot with 6.2.10 kernel the module (called 88x2bu") for the new wifi card is not loaded ?
But if I boot 6.2.7 it is loaded?

So I look where the module is supposed to be
/lib/modules/6.2.10-gentoo-x86_64/kernel/drivers/net/wireless
and sure enough the file 88x2bu.ko is not there
but it is there in
/lib/modules/6.2.7-gentoo-x86_64/kernel/drivers/net/wireless

So when the new kernel was compiled it did not copy the module over from the previous kernel?

So I will put it in by hand

cp /lib/modules/6.2.7-gentoo-x86_64/kernel/drivers/net/wireless/bbx2bu.ko /lib/modules/6.2.10-gentoo-x86_64/kernel/drivers/net/wireless
depmod -a 6.2.10-gentoo-x86_64

Then modinfo 88x2bu works. (Depmod is needed to install it properly)

nevj@mary ~ $ modinfo 88x2bu
filename:       /lib/modules/6.2.10-gentoo-x86_64/kernel/drivers/net/wireless/88x2bu.ko
version:        v5.13.1-20-gbd7c7eb9d.20210702_COEX20210316-18317b7b
author:         Realtek Semiconductor Corp.
description:    Realtek Wireless Lan Driver
...

but ip addr does not list the inteface
So I reboot
then ip sees it

evj@mary ~ $ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 98:90:96:d2:35:50 brd ff:ff:ff:ff:ff:ff
    altname enp0s25
3: wlp0s20u9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether d0:37:45:8b:36:68 brd ff:ff:ff:ff:ff:ff
4: wlp0s20u3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 44:01:bb:9f:0f:10 brd ff:ff:ff:ff:ff:ff

It is No4 wlp0s20u3
The other one at No 3 wlp0s20u9 is the internet link.

So it looks like every time one compiles a kernel, one has to reinstall any modules from outside the portage system.
That is much the same as Debian - with a new release one has to add in any externally sourced drivers all over again.

Basically, the modules are part of the kernel and have to be redone if the kernel is changed.

Solved… but there is a lesson to the story

Be careful with install scripts that you may download from external sources. Read the script first to check what it does. It may do something that does not suit your version of Linux

Cheers
Neville

daniel.m.tripp · April 9, 2023, 4:17am

Sage advice!

I hardly ever do that (those dangerous suggestions to “sh http://someones-shell-script.url/script.sh” - actually its more a curl piped to sh or bash)… I always take a look at the shell script and download it instead… If I don’t understand it or it’s way too complex to fully grasp, I skip that path and find some other solution…

nevj · April 9, 2023, 11:09am

I seem to have to relearn that lesson every couple of years.
I did download the script and look at it. But I missed the fact that Gentoo had a different file structure in /etc to what it was assuming.

daniel.m.tripp · April 10, 2023, 12:47am

See even Calibre forces you down that path :

Here’s how they’ve been directing Linux users wanting to install this (it’s pretty good actually) software, since around “forever” :

sudo -v && wget -nv -O- https://download.calibre-ebook.com/linux-installer.sh | sudo sh /dev/stdin

That first “sudo -v” is just to figure out if you’ve got sudo working, which is kinda lame, and “sudo -v” ignores the “ALL=NOPASSWD: ALL” setting for my account in sudoers…

And the script itself is way too long (nearly 1000 lines) for me to debug - these sorts of things look like a great vector to inject some trojan or ransomware into a Linux PC…

Needless to say - last time I installed Calibre, I did it like this anyway :

wget https://download.calibre-ebook.com/linux-installer.sh
chmod +x linux-installer.sh
sudo linux-installer.sh

And - to top it off the author of the script has Kovid (e.g. like “covid”) as his first name!

But - I don’t use Calibre anymore… Stopped using my Kobo e-reader ~9 months ago… Got a 2nd hand iPad Mini (5th gen) and I use Google Play Books (iOS app and website) to manage my library - not to mention just storing epub files on my NAS and cloud storage… Main thing I miss about the Kobo was that it could go for weeks without a charge! The iPad, sometimes I leave it sitting idle for a day (e.g. when I’m at work) and I get home and the battery’s dead but it HASN’T BEEN USED! Seriously F–K YOU APPLE sometimes … Also - having a more generic multiple purpose operating system (i.e. iPadOS vs Kobo O/S) means I can install e-book stores from other vendors like Amazon, or Kobo - and I can buy books from multiple vendors, I’m not locked into Rakuten Kobo’s ecosystem.

nevj · April 10, 2023, 3:42am

What about appimage and flatpak and snap. Are they not equivalent to installer scripts?
I guess the difference is the supplier may be more trustworthy?
Packages are different… the installer is part of your own Linux. That might be a big plus for packages.

I remember now, I used that same driver install script in Debian… no problem there… only in Gentoo.

nevj · April 10, 2023, 1:25pm

@daniel.m.tripp
Looks like I was right

https://forums.linuxmint.com/viewtopic.php?t=336342

When it cones to security, snap, flatpak, and appimage are all full of holes.

daniel.m.tripp · April 10, 2023, 9:25pm

I would say - by and large, curation by the disro vendor is somewhat re-assuring - but even so - still not 100%…

Both Apple and Google have allowed malicious software into their app stores… I think Apple are maybe, probably, slightly ahead of Google in that - i.e. more proactive, as in a lot more restrictive in letting publishers publish apps…

And ALL the App Store vendors, Apple, Google, Microsoft, include their own spyware that comes as “undocumented features” in their own publish software…

nevj · April 10, 2023, 11:37pm

In order of diligence we have
kernel team
distro makers
pak makers
script writers
users span the whole range