Note: This article is part of my OS Install Experiences series.
Next up: a SUSE 10.1 install. It's been a few years since I touched a SUSE distribution (it was something like SUSE Linux 5.3 or so), and a lot has happened since then... Here's a rough sketch of the installation and a few superficial remarks and facts related to security.
Install
- First, I downloaded a SUSE 10.1 CD image, burned it on a CD, and booted from that.
- The installer that showed up is graphical, and you can choose between a normal installation, booting a rescue system, or running a memory test (uses memtest86, I presume).
- While the installer runs it merely shows a rotating logo, but you can switch to other consoles (ALT+F1, ALT+F3, ALT+F4) to watch the log messages passing by.
- You can choose the language used in the installer, later also your timezone and keyboard layout. You can also check the installation medium, which verifies the checksum of the CD, I guess.
- Next, you'll be asked to accept a license agreement (yeeaah, whatever).
- Your hardware will be automatically detected (worked quite well for me), and after that you can choose between a new install or a system upgrade.
- As for the desktop, you can use GNOME, KDE, text-mode (no desktop), or a "minimal graphical system" (it turns out that means fvwm, at least that's what I think).
- The graphical partitioning tool feels a bit awkward at first, I needed several tries until I figured out how to make it use the layout I wanted it to. The default file system suggested by the tool is ReiserFS.
- There's an explicit option which lets you choose the default run-level for the system (run-level 5 is pre-configured).
- The bootloader, GRUB, recognized the other partitions (Debian stable + unstable), added an entry for SUSE Linux, and created a working setup. Nice, although more control over the process (e.g. naming of the boot entries) would be welcome.
- Reboot.
- I'm asked to insert CDs 2 and 3, which I don't have (or want), as I only burned CD 1. Clicking "abort" a few times does the trick, and I can continue by choosing a hostname and domain name for the box (hydra + local.domain).
- Now I must enter the root password. Very nice: I have the choice between DES, MD5, or Blowfish (SUSE default) for hashing user passwords. (Traditional DES crypt only looks at the first eight characters of the password and uses a 12-bit salt, so the default is the one to keep.)
- Afterwards, the network is configured (automatically, via DHCP). You can enable a firewall at this point, and enable/disable access to the ssh port explicitly. It's also possible to enable "VNC remote administration" (default: off), or configure a proxy.
- Authentication methods for users, available from the installer: local (/etc/passwd), LDAP, NIS, Windows Domain.
- When adding a new user, there are some options. Per default, the user is in the groups "users" (no per-user groups, it seems), "dialout" and "video", but that can be configured. Password expiration is disabled. The default shell is bash.
- And now... another registration message (in the release notes, actually). May I quote (from memory): The registration procedure transfers zmd's unique device identifier to Novell's registration web service. The information sent may also include OS, version, architecture, and the output of uname and hwinfo, according to that text. More on that later, maybe...
- Of course, SUSE Linux comes with SUSE's/Novell's AppArmor enabled by default, but I haven't looked into it, yet.
- Now some problems appeared. More hardware discovery took place, it seems, then the screen turned black (with only a non-blinking cursor in the upper left), no reaction to any input -> I performed a hard reboot.
- After booting, I'm dropped into fvwm (although I chose GNOME in the installer), the reason probably being the forced reboot. After looking around a bit in the menus and stuff, I wanted to start sax2 (to find out what it does), but the screen turned black again -> another hard reboot. Could it be that I don't have enough RAM for this (256 MB)?
- Anyway, at this point I lost interest in playing with the system any further, and gathered the information below for comparison purposes...
Security
Update 2006-06-05: Added netstat output, and answered a bunch of comments.
Update 2006-06-02: Shortened the length of the article on my main webpage as well as the RSS feed. But you can always read the whole article here, of course.
- Portscan from another box:
PORT      STATE     SERVICE
22/tcp    open      ssh
135/tcp   filtered  msrpc
137/tcp   filtered  netbios-ns
138/tcp   filtered  netbios-dgm
139/tcp   filtered  netbios-ssn
445/tcp   filtered  microsoft-ds
1433/tcp  filtered  ms-sql-s
1434/tcp  filtered  ms-sql-m
Not good. A default install should not have any ports open, IMHO. Quite a bunch of Windows ports, eh? To be fair, if the firewall is enabled, none of those will be reachable. Note that everything except 22/tcp is reported as filtered, i.e. the scanner got no reply at all; that usually points at a packet filter somewhere on the path (the SMB and MS-SQL ports are exactly the ones many networks drop), not at a service on the box, and the netstat listing below confirms that nothing listens on them.
- netstat output:
# netstat -tulp -A inet
tcp   0  0 *:sunrpc              *:*   LISTEN  3174/portmap
tcp   0  0 localhost:novell-zen  *:*   LISTEN  3166/zmd
tcp   0  0 *:ipp                 *:*   LISTEN  3326/cupsd
tcp   0  0 localhost:smtp        *:*   LISTEN  3432/master
udp   0  0 *:filenet-tms         *:*           3132/mdnsd
udp   0  0 *:mdns                *:*           3132/mdnsd
udp   0  0 *:sunrpc              *:*           3174/portmap
udp   0  0 *:ipp                 *:*           3326/cupsd

# netstat -tulp -A inet6
tcp   0  0 *:ssh                 *:*   LISTEN  3373/sshd
tcp   0  0 localhost:smtp        *:*   LISTEN  3432/master
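The netstat listings answer "what is exposed" more reliably than the remote portscan, because the scan also depends on whatever filters sit on the path. As an added example (not code from the original article), the following Python parses netstat -tulp output and separates services bound to all interfaces from those bound only to loopback. The sample text reconstructs the listing above with netstat's header lines added; the column handling assumes net-tools' legacy text format, in which UDP rows have no State column.

```python
"""Classify listening sockets from `netstat -tulp` output by exposure.

Added example; the sample text below reconstructs the netstat listing
from this article (header lines added), it was not captured live.
Rows are parsed by field position in net-tools' text format: the
'State' column exists for TCP but not for UDP, so the PID/program is
taken from the last field rather than a fixed column.
"""
from collections import namedtuple

Listener = namedtuple("Listener", "proto host port program exposure")

ALL_IFACES = {"*", "0.0.0.0", "::", "[::]"}
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]", "localhost6"}

SAMPLE_INET = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:sunrpc                *:*                     LISTEN      3174/portmap
tcp        0      0 localhost:novell-zen    *:*                     LISTEN      3166/zmd
tcp        0      0 *:ipp                   *:*                     LISTEN      3326/cupsd
tcp        0      0 localhost:smtp          *:*                     LISTEN      3432/master
udp        0      0 *:filenet-tms           *:*                                 3132/mdnsd
udp        0      0 *:mdns                  *:*                                 3132/mdnsd
udp        0      0 *:sunrpc                *:*                                 3174/portmap
udp        0      0 *:ipp                   *:*                                 3326/cupsd
"""

SAMPLE_INET6 = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ssh                   *:*                     LISTEN      3373/sshd
tcp        0      0 localhost:smtp          *:*                     LISTEN      3432/master
"""


def parse_netstat(text):
    """Return a Listener for every tcp/udp row; header and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        # rpartition splits on the LAST colon, so a bracketed IPv6 host survives intact
        host, _, port = fields[3].rpartition(":")
        pidprog = fields[-1]                       # e.g. "3174/portmap", or "-" if not visible
        program = pidprog.split("/", 1)[1] if "/" in pidprog else pidprog
        if host in ALL_IFACES:
            exposure = "all-interfaces"
        elif host in LOOPBACK:
            exposure = "loopback"
        else:
            exposure = "specific"                  # bound to one address, still reachable
        out.append(Listener(fields[0].rstrip("6"), host, port, program, exposure))
    return out


def exposed_services(*outputs):
    """(proto, port, program) triples reachable from other hosts, firewall not considered."""
    found = set()
    for text in outputs:
        for l in parse_netstat(text):
            if l.exposure != "loopback":
                found.add((l.proto, l.port, l.program))
    return found


def loopback_only(*outputs):
    """Services bound to loopback only; a remote portscan will never show these."""
    exposed = exposed_services(*outputs)
    found = set()
    for text in outputs:
        for l in parse_netstat(text):
            key = (l.proto, l.port, l.program)
            if l.exposure == "loopback" and key not in exposed:
                found.add(key)
    return found


if __name__ == "__main__":
    for proto, port, prog in sorted(exposed_services(SAMPLE_INET, SAMPLE_INET6)):
        print(f"EXPOSED  {proto:<4} {port:<12} {prog}")
    for proto, port, prog in sorted(loopback_only(SAMPLE_INET, SAMPLE_INET6)):
        print(f"local    {proto:<4} {port:<12} {prog}")
```

Run on the listing above, it reports portmap, cupsd, mdnsd and sshd as bound to all interfaces and zmd and the Postfix master as loopback-only. Only sshd showed up in the remote scan, so the other three were either not running at scan time or dropped on the way; that gap is the reason to treat the on-host view as the baseline. "Exposure" here is purely the bind address; it does not take SuSEfirewall2 rules into account.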
- Some permissions:
drwx------  2 root root       168 2006-05-25 01:50 /.gnupg
drwxr-xr-x  3 root root        72 2006-05-25 00:58 /home
drwx------  8 root root       432 2006-05-25 01:56 /root
drwxrwxrwt  9 root root       504 2006-05-25 01:55 /tmp
crw-------  1 root video  10, 175 May 25 04:58 /dev/agpgart
crw-r-----+ 1 root root     5,   1 May  2 08:45 /dev/console
drwxr-xr-x  6 root root       120 May 25 04:58 /dev/disk
crw-rw----  1 root video   29,   0 May 25 04:58 /dev/fb0
brw-rw----+ 1 uwe  disk     2,   0 May 25 04:58 /dev/fd0
crw--w--w-  1 root root     1,   7 May 25 04:58 /dev/full
brw-r-----  1 root disk     3,   0 May 25 04:58 /dev/hda*
brw-rw----+ 1 uwe  disk    22,  64 May 25 04:58 /dev/hdd
crw-r-----  1 root kmem     1,   2 May 25 04:58 /dev/kmem
crw-rw----  1 root root     1,  11 May  2 08:45 /dev/kmsg
srw-rw-rw-  1 root root         0 May 25 04:58 /dev/log
crw-rw----  1 root lp       6,   0 May 25 04:58 /dev/lp0
crw-r-----  1 root kmem     1,   1 May 25 04:58 /dev/mem
crw-rw-rw-  1 root root     1,   3 May  2 08:45 /dev/null
crw-r-----  1 root kmem     1,   4 May 25 04:58 /dev/port
crw-rw----  1 root root    10,   1 May 25 04:58 /dev/psaux
crw-rw-rw-  1 root tty      2,   0 May 25 04:58 /dev/ptyp*
crw-rw-rw-  1 root root     1,   8 May 25 04:58 /dev/random
crw-rw-rw-  1 root tty      5,   0 May  2 08:45 /dev/tty
crw--w----  1 root root     4,   0 May 25 04:58 /dev/tty0
crw-rw----  1 root tty      4,   2 May 25 04:58 /dev/tty[1-6]
crw--w----  1 uwe  tty      4,   7 May 25 04:58 /dev/tty[7-9]
crw-rw----  1 root uucp     4,  64 May  2 08:45 /dev/ttyS[0-4]
crw-------  1 root uucp     4,  68 May  2 08:45 /dev/ttyS[4-7]
crw-rw-rw-  1 root tty      3,   0 May 25 04:58 /dev/ttyp0
crw-r--r--  1 root root     1,   9 May 25 04:58 /dev/urandom
crw--w----  1 root tty      7,   0 May 25 04:58 /dev/vcs
crw-rw----  1 root tty      7,   1 May 25 04:58 /dev/vcs1
crw-rw----  1 root tty      7, 129 May 25 04:58 /dev/vcsa1
crw--w----  1 root tty      7, 130 May 25 04:58 /dev/vcsa2
pr--------  1 uwe  tty          0 May 25 05:01 /dev/xconsole
crw-rw-rw-  1 root root     1,   5 May  2 08:45 /dev/zero
Nice: /root has mode 700. Um, /dev/fd0, /dev/hdd, and a few others are owned by me (user "uwe")? Why? The trailing "+" on those entries means a POSIX ACL is attached (getfacl /dev/fd0 shows it), and the set of devices handed over (floppy, hdd, the X console ttys 7-9, xconsole) matches what SUSE's pam_devperm does on console login: it changes the ownership of the devices listed in /etc/logindevperm to the user who logs in locally, so a second local user would not get them while the first is logged in.
- Default users and shells:
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
mdnsd:x:78:65534:mDNSResponder runtime user:/var/lib/mdnsd:/bin/false
messagebus:x:100:101:User for D-BUS:/var/run/dbus:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:103:NTP daemon:/var/lib/ntp:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
root:x:0:0:root:/root:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:102:104:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
uwe:x:1000:100::/home/uwe:/bin/bash
Quite a random mix of /bin/bash and /bin/false as shells, it seems. Notice the absence of /bin/sh. The "x" means the hashes live in /etc/shadow, so whether a bash-shell system account like bin, daemon or nobody is actually unusable for logins depends on its password field there being locked ("*" or "!"); passwd -S <user> prints that status. A valid shell still matters for such accounts, since root can su to them and cron/at jobs run under them.
- Setuid/setgid files:
# find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld '{}' \;
-rwsr-xr-x 1 root root      31668 Apr 23 08:48 /bin/su
-rwsr-xr-x 1 root root      35520 Apr 23 03:53 /bin/ping
-rwsr-xr-x 1 root audio     20252 Apr 23 04:21 /bin/eject
-rwsr-xr-x 1 root root     321981 May  2 08:50 /bin/mount
-rwsr-xr-x 1 root root      31696 Apr 23 03:53 /bin/ping6
-rwsr-xr-x 1 root root     117887 May  2 08:50 /bin/umount
-rwsr-xr-x 1 root root       5056 May  2 11:14 /opt/kde3/bin/artswrapper
-rwsr-xr-x 1 root root       6696 May  2 12:02 /opt/kde3/bin/kpac_dhcp_helper
-rwsr-xr-x 1 root trusted   43940 May  2 09:47 /usr/bin/at
-rwsr-xr-x 1 root root     836524 May  2 10:28 /usr/bin/gpg
-rwsr-xr-x 2 root root       4880 Apr 23 05:09 /usr/bin/man
-rwsr-xr-x 1 root root      18720 Apr 23 04:32 /usr/bin/rcp
-rwsr-xr-x 1 root root       9340 Apr 23 04:32 /usr/bin/rsh
-rwsr-xr-x 1 root shadow    73284 May  2 10:50 /usr/bin/chfn
-rwsr-xr-x 1 root shadow    68992 May  2 10:50 /usr/bin/chsh
-rwsr-xr-x 1 root root     105084 May  2 09:47 /usr/bin/sudo
-rwxr-sr-x 1 root tty       10312 May  2 08:50 /usr/bin/wall
-rwsr-xr-x 1 lp   sys       10400 Apr 25 19:15 /usr/bin/lppasswd
-rwsr-xr-x 1 root trusted   33260 Apr 23 04:36 /usr/bin/crontab
-rwsr-xr-x 1 root root      59980 May  2 16:38 /usr/bin/fileshareset
-rwsr-xr-x 1 root shadow    75692 May  2 10:50 /usr/bin/chage
-rwsr-xr-x 2 root root       4880 Apr 23 05:09 /usr/bin/mandb
-rwxr-sr-x 1 root tty        8936 May  2 08:50 /usr/bin/write
-rwsr-xr-x 1 root shadow    13388 May  2 10:50 /usr/bin/expiry
-rwsr-xr-x 1 root root      15532 May  2 10:50 /usr/bin/newgrp
-rwsr-xr-x 1 root shadow    72836 May  2 10:50 /usr/bin/passwd
-rwsr-xr-x 1 root shadow    74528 May  2 10:50 /usr/bin/gpasswd
-rwsr-xr-x 1 root root      12900 Apr 23 04:32 /usr/bin/rlogin
-rwsr-xr-x 1 root root      23990 Apr 29 01:08 /usr/lib/pt_chown
-rwxr-sr-x 1 root maildrop  10440 May  2 09:36 /usr/sbin/postdrop
-rwxr-sr-x 1 root maildrop  10444 May  2 09:36 /usr/sbin/postqueue
-rwxr-sr-x 1 root tty        7288 Apr 23 03:40 /usr/sbin/utempter
-rws--x--x 1 root root    1832764 May  2 09:26 /usr/X11R6/bin/Xorg
-rwxr-sr-x 1 root shadow    20136 Apr 23 03:54 /sbin/unix_chkpwd
-rwsr-x--- 1 root dialout   31700 May  2 09:56 /sbin/isdnctrl
-rwxr-sr-x 1 root shadow     6624 Apr 23 04:35 /sbin/unix2_chkpwd
Quite a bunch... I sure hope those "rsh", "rcp", "rlogin", and so on, are ssh aliases in reality (didn't check)... rpm -qf /usr/bin/rsh is the quick way to find out which package installed them, and ls -l on each shows whether it is a symlink or a binary of its own.
- World-writable files:
# find / -not -type l -perm -o+w -exec ls -ld '{}' \;
srw-rw-rw-  1 root    root       0 May 25 23:54 /dev/log
crw-rw-rw-  1 root    root    1, 5 May  2 08:45 /dev/zero
crw-rw-rw-  1 root    tty     5, 0 May  2 08:45 /dev/tty
crw-rw-rw-  1 root    tty     5, 2 May 26 00:02 /dev/ptmx
crw-rw-rw-  1 root    root    1, 3 May  2 08:45 /dev/null
crw-rw-rw-  1 root    tty     2, 0 May 25 23:54 /dev/ptyp*
crw-rw-rw-  1 root    tty     3, 0 May 25 23:54 /dev/ttyp*
crw--w--w-  1 root    root    1, 7 May 25 23:54 /dev/full
crw-rw-rw-  1 root    root    1, 8 May 25 23:54 /dev/random
drwxrwxrwt  3 root    root      60 May 25 23:54 /dev/shm
crw-rw-rw-  1 root    tty     5, 0 May  2 08:45 /lib/udev/devices/tty
crw-rw-rw-  1 root    root    1, 3 May  2 08:45 /lib/udev/devices/null
crw-rw-rw-  1 root    tty     5, 2 May  2 08:45 /lib/udev/devices/ptmx
crw-rw-rw-  1 root    root    1, 5 May  2 08:45 /lib/udev/devices/zero
drwxrwxrwt 10 root    root     672 May 26 00:02 /tmp
drwxrwxrwt  2 root    root      48 Apr 23 03:51 /tmp/.ICE-unix
drwxrwxrwt  2 root    root      72 May 25 23:54 /tmp/.X11-unix
srwxrwxrwx  1 root    root       0 May 25 23:54 /tmp/.X11-unix/X0
srw-r--rw-  1 root    root       0 May 25 23:54 /var/run/zmd/zmd-web.socket
srwxrwxrwx  1 root    root       0 May 25 23:54 /var/run/zmd/zmd-remoting.socket
srwxrwxrwx  1 root    root       0 May 25 23:54 /var/run/dbus/system_bus_socket
srw-rw-rw-  1 root    root       0 May 25 23:54 /var/run/nscd/socket
srwxrwxrwx  1 root    root       0 May 25 23:54 /var/run/mdnsd
srw-rw-rw-  1 root    root       0 May 25 23:54 /var/run/.resmgr_socket
drwxrwxrwt  2 root    root      48 May 25 23:54 /var/run/uscreens
drwxrwxrwt 11 root    root     416 May 25 23:55 /var/tmp
drwxrwxrwt  2 root    root      48 Apr 23 03:51 /var/tmp/vi.recover
drwxrwxrwt  2 root    root      48 Apr 23 03:51 /var/cache/fonts
drwxrwxrwt  2 root    root      48 Apr 23 03:51 /var/spool/mail
prw--w--w-  1 postfix postfix    0 May 25 23:59 /var/spool/postfix/public/qmgr
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/public/flush
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/public/showq
prw--w--w-  1 postfix postfix    0 May 26 00:02 /var/spool/postfix/public/pickup
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/public/cleanup
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/lmtp
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/smtp
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/uucp
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/rewrite
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/discard
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/anvil
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/bsmtp
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/defer
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/cyrus
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/error
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/local
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/relay
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/trace
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/maildrop
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/bounce
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/ifmail
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/scache
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/verify
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/virtual
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/procmail
srw-rw-rw-  1 postfix postfix    0 May 25 23:54 /var/spool/postfix/private/proxymap
drwxrwxrwt  8 root    root     192 May 25 00:06 /usr/src/packages/RPMS
drwxrwxrwt  2 root    root      48 Apr 23 02:28 /usr/src/packages/RPMS/i386
drwxrwxrwt  2 root    root      48 Apr 23 02:28 /usr/src/packages/RPMS/i486
drwxrwxrwt  2 root    root      48 Apr 23 02:28 /usr/src/packages/RPMS/i586
drwxrwxrwt  2 root    root      48 Apr 23 02:28 /usr/src/packages/RPMS/i686
drwxrwxrwt  2 root    root      48 Apr 23 02:28 /usr/src/packages/RPMS/athlon
drwxrwxrwt  2 root    root      48 Apr 23 02:28 /usr/src/packages/RPMS/noarch
drwxrwxrwt  2 root    root      48 Apr 23 02:28 /usr/src/packages/BUILD
drwxrwxrwt  2 root    root      48 Apr 23 02:28 /usr/src/packages/SPECS
drwxrwxrwt  2 root    root      48 Apr 23 02:28 /usr/src/packages/SRPMS
drwxrwxrwt  2 root    root      48 Apr 23 02:28 /usr/src/packages/SOURCES
No real files actually, only sockets, device files, and directories. Still, it's quite a lot of them. Do they all really need to be world-writable? For the directories the answer is mostly yes: every one of them carries the sticky bit (the "t" in drwxrwxrwt), so users can only delete their own entries, which is the /tmp pattern. The entries that would be worth worrying about are world-writable regular files and world-writable directories without the sticky bit, and there are none. Sockets and FIFOs have to be writable by their clients; what matters for those is how the owning daemon treats unauthenticated input on them, which the mode bits do not tell you.
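Both the setuid/setgid listing above and this world-writable listing are ls -ld lines, and the same triage applies to each: setuid and setgid binaries get flagged for review, world-writable regular files and non-sticky directories are the real problem, and world-writable sockets, FIFOs, device nodes and sticky directories are the normal shapes. As an added example (not code from the original article), the following Python classifies such lines. SAMPLE is copied from the two listings, SAMPLE_BAD is a constructed pair of lines showing what a real finding would look like, and the watchlist of r-command names and the severity labels are this example's own choices.

```python
"""Triage `ls -ld` lines from a setuid/setgid and world-writable audit.

Added example, not code from the original article.  SAMPLE is copied
from the listings in this article; SAMPLE_BAD is constructed to show
what a genuinely dangerous hit looks like; the r-command watchlist and
the severity labels are this example's own convention.  Only the mode
string, owner, group and last (path) field of each line are used, so
the size column of regular files and the "major, minor" columns of
device nodes need no special handling (paths with spaces are not
expected in these listings).
"""
from collections import namedtuple

Finding = namedtuple("Finding", "path severity reason")

# Setuid binaries whose presence alone deserves a closer look (example's own list).
SETUID_WATCHLIST = {"rsh", "rcp", "rlogin"}

FTYPE_NAMES = {"s": "socket", "p": "fifo", "c": "character device", "b": "block device"}

SAMPLE = """\
-rwsr-xr-x 1 root root 31668 Apr 23 08:48 /bin/su
-rwsr-xr-x 1 root root 18720 Apr 23 04:32 /usr/bin/rcp
-rwsr-xr-x 1 root root 9340 Apr 23 04:32 /usr/bin/rsh
-rwsr-xr-x 1 lp sys 10400 Apr 25 19:15 /usr/bin/lppasswd
-rwxr-sr-x 1 root tty 10312 May 2 08:50 /usr/bin/wall
-rws--x--x 1 root root 1832764 May 2 09:26 /usr/X11R6/bin/Xorg
-rwsr-x--- 1 root dialout 31700 May 2 09:56 /sbin/isdnctrl
srw-rw-rw- 1 root root 0 May 25 23:54 /dev/log
crw-rw-rw- 1 root root 1, 5 May 2 08:45 /dev/zero
drwxrwxrwt 10 root root 672 May 26 00:02 /tmp
srwxrwxrwx 1 root root 0 May 25 23:54 /tmp/.X11-unix/X0
prw--w--w- 1 postfix postfix 0 May 25 23:59 /var/spool/postfix/public/qmgr
drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/SPECS
"""

# Constructed lines (not from the article): a world-writable config file and
# a world-writable directory without the sticky bit.
SAMPLE_BAD = """\
-rw-rw-rw- 1 root root 120 May 25 23:54 /etc/example.conf
drwxrwxrwx 2 root root 48 May 25 23:54 /var/lib/example
"""


def triage(line):
    """Classify one `ls -ld` line; return a Finding, or None if nothing is notable."""
    fields = line.split()
    if len(fields) < 5:
        return None
    mode, owner, group, path = fields[0], fields[2], fields[3], fields[-1]
    ftype = mode[0]
    setuid = mode[3] in "sS"      # 'S' = bit set but owner has no execute permission
    setgid = mode[6] in "sS"
    world_w = mode[8] == "w"      # "others" write bit
    sticky = mode[9] in "tT"
    name = path.rsplit("/", 1)[-1]

    if ftype == "-" and (setuid or setgid):
        parts = ([f"setuid {owner}"] if setuid else []) + ([f"setgid {group}"] if setgid else [])
        reason = ", ".join(parts)
        if name in SETUID_WATCHLIST:
            return Finding(path, "high", reason + " (legacy r-command)")
        return Finding(path, "review", reason)

    if world_w:
        if ftype == "-":
            return Finding(path, "high", "world-writable regular file")
        if ftype == "d":
            if sticky:
                return Finding(path, "info", "world-writable sticky directory (shared tmp pattern)")
            return Finding(path, "high", "world-writable directory without sticky bit")
        kind = FTYPE_NAMES.get(ftype, f"type '{ftype}'")
        return Finding(path, "info", f"world-writable {kind}; owning process or driver mediates access")
    return None


def audit(text):
    """Findings for every line of `find ... -exec ls -ld` output, in listing order."""
    return [f for f in (triage(l) for l in text.splitlines()) if f is not None]


def by_severity(text):
    """Map severity -> list of paths, for a quick summary."""
    out = {}
    for f in audit(text):
        out.setdefault(f.severity, []).append(f.path)
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE) + audit(SAMPLE_BAD):
        print(f"{f.severity:<7} {f.path:<40} {f.reason}")
```

On the article's own lines the only "high" hits are the setuid-root rsh and rcp from the watchlist; everything world-writable lands in "info". The constructed SAMPLE_BAD lines show the two shapes the real audit did not find, which is the point of the comparison.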
That's it.
Comments, suggestions, flames?