OS Install Experiences - Part 2: SUSE Linux [Update]

Note: This article is part of my OS Install Experiences series.

Next up: a SUSE 10.1 install. It's been a few years since I touched a SUSE distribution (it was something like SUSE Linux 5.3 or so), a lot has happened since then... Here's a rough sketch of the installation and a few superficial remarks and facts related to security.

Install

First, I downloaded a SUSE 10.1 CD image, burned it on a CD, and booted from that.
The installer that showed up is graphical, and you can choose between a normal installation, booting a rescue system, or running a memory test (uses memtest86, I presume).
While the installer runs it merely shows a rotating logo, but you can switch to other consoles (ALT+F1, ALT+F3, ALT+F4) for watching log messages passing by.
You can choose the language used in the installer, later also your timezone and keyboard layout. You can also check the installation medium, which verifies the checksum of the CD, I guess.
Next, you'll be asked to accept a license agreement (yeeaah, whatever).
Your hardware will be automatically detected (worked quite well for me), and after that you can choose between a new install or a system upgrade.
As for the desktop, you can use GNOME, KDE, text-mode (no desktop), or a "minimal graphical system" (it turns out that means fvwm, at least that's what I think).
The graphical partitioning tool feels a bit awkward at first, I needed several tries until I figured out how to make it use the layout I wanted it to. The default file system suggested by the tool is ReiserFS.
There's an explicit option which lets you choose the default run-level for the system (run-level 5 is pre-configured).
The bootloader, GRUB, recognized the other partitions (Debian stable + unstable), added an entry for SUSE Linux, and created a working setup. Nice, although more control over the process (e.g. naming of the boot options) would be nice.
Reboot.
I'm asked to insert CDs 2 and 3, which I don't have (or want), as I only burned CD 1. Clicking "abort" a few times does the trick, and I can continue by choosing a hostname and domain name for the box (hydra + local.domain).
Now I must enter the root password. Very nice: I have the choice between DES, MD5, or Blowfish (SUSE default) for the hashing/encryption of user passwords.
Afterwards, the network is configured (automatically, via DHCP). You can enable a firewall at this point, and enable/disable access to the ssh port explicitly. It's also possible to enable "VNC remote administration" (default: off), or configure a proxy.
Authentication methods for users, available from the installer: local (/etc/passwd), LDAP, NIS, Windows Domain.
When adding a new user, there are some options. Per default, the user is in the groups "users" (no per-user groups, it seems), "dialout" and "video", but that can be configured. Password expiration is disabled. The default shell is bash.
And now... another registration message (in the release notes, actually). May I quote (from my head): The registration procedure transfers zmd's unique device identifier to Novell's registration web service. The information sent may also include OS, version, architecture, and the output of uname and hwinfo, according to that text. More on that later, maybe...
Of course, SUSE Linux comes with SUSE's/Novell's AppArmor enabled by default, but I haven't looked into it, yet.
Now some problems appeared. More hardware discovery took place, it seems, then the screen turned black (with only a non-blinking cursor in the upper left), no reaction to any input -> I performed a hard reboot.
After booting, I'm dropped into fvwm (although I chose GNOME in the installer), the reason probably being the forced reboot. After looking around a bit in the menus and stuff, I wanted to start sax2 (to find out what it does), but the screen turned black again -> another hard reboot. Could it be that I don't have enough RAM for this (256 MB)?
Anyways, at this point I lost interest in playing with the system any further, and gathered the below information for comparison reasons...

Security

Continue reading here...

Update 2006-06-05: Added netstat output, and answered a bunch of comments.
Update 2006-06-02: Shortened the length of the article on my main webpage as well as the RSS feed. But you can always read the whole article here, of course.

Portscan from another box:

PORT     STATE    SERVICE
22/tcp   open     ssh
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1433/tcp filtered ms-sql-s
1434/tcp filtered ms-sql-m

Not good. A default install should not have any ports open, IMHO. Quite a bunch of Windows ports, eh? To be fair, if the firewall is enabled, none of those will be reachable.

netstat output:

# netstat -tulp -A inet
tcp        0      0 *:sunrpc                *:*                     LISTEN      3174/portmap
tcp        0      0 localhost:novell-zen    *:*                     LISTEN      3166/zmd
tcp        0      0 *:ipp                   *:*                     LISTEN      3326/cupsd
tcp        0      0 localhost:smtp          *:*                     LISTEN      3432/master
udp        0      0 *:filenet-tms           *:*                                 3132/mdnsd
udp        0      0 *:mdns                  *:*                                 3132/mdnsd
udp        0      0 *:sunrpc                *:*                                 3174/portmap
udp        0      0 *:ipp                   *:*                                 3326/cupsd

# netstat -tulp -A inet6
tcp        0      0 *:ssh                   *:*                     LISTEN      3373/sshd      
tcp        0      0 localhost:smtp          *:*                     LISTEN      3432/master

Some permissions:

drwx------  2 root root  168 2006-05-25 01:50 /.gnupg
drwxr-xr-x  3 root root   72 2006-05-25 00:58 /home
drwx------  8 root root  432 2006-05-25 01:56 /root
drwxrwxrwt  9 root root  504 2006-05-25 01:55 /tmp
crw-------  1 root video  10, 175 May 25 04:58 /dev/agpgart
crw-r-----+ 1 root root    5,   1 May  2 08:45 /dev/console
drwxr-xr-x  6 root root       120 May 25 04:58 /dev/disk
crw-rw----  1 root video  29,   0 May 25 04:58 /dev/fb0
brw-rw----+ 1 uwe  disk    2,   0 May 25 04:58 /dev/fd0
crw--w--w-  1 root root    1,   7 May 25 04:58 /dev/full
brw-r-----  1 root disk    3,   0 May 25 04:58 /dev/hda*
brw-rw----+ 1 uwe  disk   22,  64 May 25 04:58 /dev/hdd
crw-r-----  1 root kmem    1,   2 May 25 04:58 /dev/kmem
crw-rw----  1 root root    1,  11 May  2 08:45 /dev/kmsg
srw-rw-rw-  1 root root         0 May 25 04:58 /dev/log
crw-rw----  1 root lp      6,   0 May 25 04:58 /dev/lp0
crw-r-----  1 root kmem    1,   1 May 25 04:58 /dev/mem
crw-rw-rw-  1 root root    1,   3 May  2 08:45 /dev/null
crw-r-----  1 root kmem    1,   4 May 25 04:58 /dev/port
crw-rw----  1 root root   10,   1 May 25 04:58 /dev/psaux
crw-rw-rw-  1 root tty     2,   0 May 25 04:58 /dev/ptyp*
crw-rw-rw-  1 root root    1,   8 May 25 04:58 /dev/random
crw-rw-rw-  1 root tty     5,   0 May  2 08:45 /dev/tty
crw--w----  1 root root    4,   0 May 25 04:58 /dev/tty0
crw-rw----  1 root tty     4,   2 May 25 04:58 /dev/tty[1-6]
crw--w----  1 uwe  tty     4,   7 May 25 04:58 /dev/tty[7-9]
crw-rw----  1 root uucp    4,  64 May  2 08:45 /dev/ttyS[0-4]
crw-------  1 root uucp    4,  68 May  2 08:45 /dev/ttyS[4-7]
crw-rw-rw-  1 root tty     3,   0 May 25 04:58 /dev/ttyp0
crw-r--r--  1 root root    1,   9 May 25 04:58 /dev/urandom
crw--w----  1 root tty     7,   0 May 25 04:58 /dev/vcs
crw-rw----  1 root tty     7,   1 May 25 04:58 /dev/vcs1
crw-rw----  1 root tty     7, 129 May 25 04:58 /dev/vcsa1
crw--w----  1 root tty     7, 130 May 25 04:58 /dev/vcsa2
pr--------  1 uwe  tty          0 May 25 05:01 /dev/xconsole
crw-rw-rw-  1 root root    1,   5 May  2 08:45 /dev/zero

Nice: /root has mode 700. Um, /dev/fd0, /dev/hdd, and a few others are owned by me (user "uwe")? Why?

Default users and shells:

at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
mdnsd:x:78:65534:mDNSResponder runtime user:/var/lib/mdnsd:/bin/false
messagebus:x:100:101:User for D-BUS:/var/run/dbus:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:103:NTP daemon:/var/lib/ntp:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
root:x:0:0:root:/root:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:102:104:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
uwe:x:1000:100::/home/uwe:/bin/bash

Quite a random mix of /bin/bash and /bin/false as shells, it seems. Notice the absence of /bin/sh.

Setuid/setgid files:

# find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld '{}' \;
-rwsr-xr-x 1 root root 31668 Apr 23 08:48 /bin/su
-rwsr-xr-x 1 root root 35520 Apr 23 03:53 /bin/ping
-rwsr-xr-x 1 root audio 20252 Apr 23 04:21 /bin/eject
-rwsr-xr-x 1 root root 321981 May  2 08:50 /bin/mount
-rwsr-xr-x 1 root root 31696 Apr 23 03:53 /bin/ping6
-rwsr-xr-x 1 root root 117887 May  2 08:50 /bin/umount
-rwsr-xr-x 1 root root 5056 May  2 11:14 /opt/kde3/bin/artswrapper
-rwsr-xr-x 1 root root 6696 May  2 12:02 /opt/kde3/bin/kpac_dhcp_helper
-rwsr-xr-x 1 root trusted 43940 May  2 09:47 /usr/bin/at
-rwsr-xr-x 1 root root 836524 May  2 10:28 /usr/bin/gpg
-rwsr-xr-x 2 root root 4880 Apr 23 05:09 /usr/bin/man
-rwsr-xr-x 1 root root 18720 Apr 23 04:32 /usr/bin/rcp
-rwsr-xr-x 1 root root 9340 Apr 23 04:32 /usr/bin/rsh
-rwsr-xr-x 1 root shadow 73284 May  2 10:50 /usr/bin/chfn
-rwsr-xr-x 1 root shadow 68992 May  2 10:50 /usr/bin/chsh
-rwsr-xr-x 1 root root 105084 May  2 09:47 /usr/bin/sudo
-rwxr-sr-x 1 root tty 10312 May  2 08:50 /usr/bin/wall
-rwsr-xr-x 1 lp sys 10400 Apr 25 19:15 /usr/bin/lppasswd
-rwsr-xr-x 1 root trusted 33260 Apr 23 04:36 /usr/bin/crontab
-rwsr-xr-x 1 root root 59980 May  2 16:38 /usr/bin/fileshareset
-rwsr-xr-x 1 root shadow 75692 May  2 10:50 /usr/bin/chage
-rwsr-xr-x 2 root root 4880 Apr 23 05:09 /usr/bin/mandb
-rwxr-sr-x 1 root tty 8936 May  2 08:50 /usr/bin/write
-rwsr-xr-x 1 root shadow 13388 May  2 10:50 /usr/bin/expiry
-rwsr-xr-x 1 root root 15532 May  2 10:50 /usr/bin/newgrp
-rwsr-xr-x 1 root shadow 72836 May  2 10:50 /usr/bin/passwd
-rwsr-xr-x 1 root shadow 74528 May  2 10:50 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 12900 Apr 23 04:32 /usr/bin/rlogin
-rwsr-xr-x 1 root root 23990 Apr 29 01:08 /usr/lib/pt_chown
-rwxr-sr-x 1 root maildrop 10440 May  2 09:36 /usr/sbin/postdrop
-rwxr-sr-x 1 root maildrop 10444 May  2 09:36 /usr/sbin/postqueue
-rwxr-sr-x 1 root tty 7288 Apr 23 03:40 /usr/sbin/utempter
-rws--x--x 1 root root 1832764 May  2 09:26 /usr/X11R6/bin/Xorg
-rwxr-sr-x 1 root shadow 20136 Apr 23 03:54 /sbin/unix_chkpwd
-rwsr-x--- 1 root dialout 31700 May  2 09:56 /sbin/isdnctrl
-rwxr-sr-x 1 root shadow 6624 Apr 23 04:35 /sbin/unix2_chkpwd

Quite a bunch... I sure hope those "rsh", "rcp", "rlogin", and so on, are ssh aliases in reality (didn't check)...

World-writable files:

# find / -not -type l -perm -o+w -exec ls -ld '{}' \;
srw-rw-rw- 1 root root 0 May 25 23:54 /dev/log
crw-rw-rw- 1 root root 1, 5 May  2 08:45 /dev/zero
crw-rw-rw- 1 root tty 5, 0 May  2 08:45 /dev/tty
crw-rw-rw- 1 root tty 5, 2 May 26 00:02 /dev/ptmx
crw-rw-rw- 1 root root 1, 3 May  2 08:45 /dev/null
crw-rw-rw- 1 root tty 2, 0 May 25 23:54 /dev/ptyp*
crw-rw-rw- 1 root tty 3, 0 May 25 23:54 /dev/ttyp*
crw--w--w- 1 root root 1, 7 May 25 23:54 /dev/full
crw-rw-rw- 1 root root 1, 8 May 25 23:54 /dev/random
drwxrwxrwt 3 root root 60 May 25 23:54 /dev/shm
crw-rw-rw- 1 root tty 5, 0 May  2 08:45 /lib/udev/devices/tty
crw-rw-rw- 1 root root 1, 3 May  2 08:45 /lib/udev/devices/null
crw-rw-rw- 1 root tty 5, 2 May  2 08:45 /lib/udev/devices/ptmx
crw-rw-rw- 1 root root 1, 5 May  2 08:45 /lib/udev/devices/zero
drwxrwxrwt 10 root root 672 May 26 00:02 /tmp
drwxrwxrwt 2 root root 48 Apr 23 03:51 /tmp/.ICE-unix
drwxrwxrwt 2 root root 72 May 25 23:54 /tmp/.X11-unix
srwxrwxrwx 1 root root 0 May 25 23:54 /tmp/.X11-unix/X0
srw-r--rw- 1 root root 0 May 25 23:54 /var/run/zmd/zmd-web.socket
srwxrwxrwx 1 root root 0 May 25 23:54 /var/run/zmd/zmd-remoting.socket
srwxrwxrwx 1 root root 0 May 25 23:54 /var/run/dbus/system_bus_socket
srw-rw-rw- 1 root root 0 May 25 23:54 /var/run/nscd/socket
srwxrwxrwx 1 root root 0 May 25 23:54 /var/run/mdnsd
srw-rw-rw- 1 root root 0 May 25 23:54 /var/run/.resmgr_socket
drwxrwxrwt 2 root root 48 May 25 23:54 /var/run/uscreens
drwxrwxrwt 11 root root 416 May 25 23:55 /var/tmp
drwxrwxrwt 2 root root 48 Apr 23 03:51 /var/tmp/vi.recover
drwxrwxrwt 2 root root 48 Apr 23 03:51 /var/cache/fonts
drwxrwxrwt 2 root root 48 Apr 23 03:51 /var/spool/mail
prw--w--w- 1 postfix postfix 0 May 25 23:59 /var/spool/postfix/public/qmgr
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/public/flush
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/public/showq
prw--w--w- 1 postfix postfix 0 May 26 00:02 /var/spool/postfix/public/pickup
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/public/cleanup
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/lmtp
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/smtp
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/uucp
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/rewrite
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/discard
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/anvil
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/bsmtp
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/defer
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/cyrus
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/error
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/local
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/relay
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/trace
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/maildrop
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/bounce
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/ifmail
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/scache
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/verify
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/virtual
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/procmail
srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/proxymap
drwxrwxrwt 8 root root 192 May 25 00:06 /usr/src/packages/RPMS
drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/RPMS/i386
drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/RPMS/i486
drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/RPMS/i586
drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/RPMS/i686
drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/RPMS/athlon
drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/RPMS/noarch
drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/BUILD
drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/SPECS
drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/SRPMS
drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/SOURCES

No real files actually, only sockets, device files, and directories. Still, it's quite a lot of them. Do they all really need to be world-writable?

That's it.

Comments, suggestions, flames?