Note: This article is part of my OS Install Experiences series.
OK, so let's start with something simple: Debian. Simple in the sense that there probably won't be too many surprises for me as a Debian developer (or for most readers of Planet Debian). For other people this might be interesting, though, and some facts are probably interesting to one or another experienced Debian user/developer, too...
Hardware
A few words on the hardware I'll be installing all these OSes on. It's a cheapo (200 Euros) x86 PC (Intel Celeron, 2 GHz), 80 GB IDE hard drive, 256 MB RAM, ATI Radeon 9200 SE graphics adapter, Realtek PCI ethernet controller, CDROM, USB, and all the other standard stuff. Nothing fancy, really.
Install
Partitioning
Now the funny part starts: partitioning the disk. As I will be installing >= 10 OSes, this needs a bit of consideration.
I have chosen to create a 10 GB (primary) partition for a Redmond OS I'll be installing later (for games, testing, proprietary software I'm forced to use, and similar things). This will be the first partition and I marked it bootable, as Windows might choke otherwise.
For the rest, I reserved 5 GB for each OS — that should do. So the next two (primary) partitions are 5 GB each. I'll leave these empty for now, as I might encounter obscure OSes which must be installed on primary partitions. Let's hope it won't be more than two ;-) As you can only have four primary partitions, I then had to create a logical partition, which will "contain" any further partitions.
The next three (secondary) partitions are 1 GB each, intended to be used as swap. One of those I marked as swap in order to use it for Debian. Other Linux installations will be able to reuse this one. The other two are reserved in case I encounter OSes which have another form of swap and cannot use Linux swap partitions...
The rest is easy: create twelve 5 GB partitions => lots of space for more OSes. Here's the resulting fdisk output:
Disk /dev/hda: 81.9 GB, 81964302336 bytes
255 heads, 63 sectors/track, 9964 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1        1216     9767488+  83  Linux
/dev/hda2            1217        1824     4883760   83  Linux
/dev/hda3            1825        2432     4883760   83  Linux
/dev/hda4            2433        9964    60500790    5  Extended
/dev/hda5            2433        2554      979933+  82  Linux swap / Solaris
/dev/hda6            2555        2676      979933+  83  Linux
/dev/hda7            2677        2798      979933+  83  Linux
/dev/hda8            2799        3406     4883728+  83  Linux
/dev/hda9            3407        4014     4883728+  83  Linux
/dev/hda10           4015        4622     4883728+  83  Linux
/dev/hda11           4623        5230     4883728+  83  Linux
/dev/hda12           5231        5838     4883728+  83  Linux
/dev/hda13           5839        6446     4883728+  83  Linux
/dev/hda14           6447        7054     4883728+  83  Linux
/dev/hda15           7055        7662     4883728+  83  Linux
/dev/hda16           7663        8270     4883728+  83  Linux
/dev/hda17           8271        8878     4883728+  83  Linux
/dev/hda18           8879        9486     4883728+  83  Linux
/dev/hda19           9487        9964     3839503+  83  Linux
Install, continued
Security
Update 2006-06-05: Added netstat output and the list of world-writable files.
Update 2006-06-02: Shortened the length of the article on my main webpage as well as the RSS feed. But you can always read the whole article here, of course.
Update 2006-05-19: Updated "why is Debian-exim capitalized?" info as per comments, thanks!
I collected some (partly) security-relevant information after that.
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
113/tcp open auth
785/tcp open unknown
Not good. A default install should not have any ports open, IMHO. There are more daemons running: exim (port 25), and famd (port 771) for example. Those are fine however, as they only listen to the loopback interface and are not exposed to the Internet (eth0).
# netstat -tulp -4 -6
tcp 0 0 localhost.localdo:mysql *:* LISTEN 3648/mysqld
tcp 0 0 *:sunrpc *:* LISTEN 2937/portmap
tcp 0 0 *:www *:* LISTEN 3737/apache
tcp 0 0 *:auth *:* LISTEN 3583/inetd
tcp 0 0 localhost.localdoma:914 *:* LISTEN 3706/famd
tcp 0 0 *:ipp *:* LISTEN 3429/cupsd
tcp 0 0 localhost.localdom:smtp *:* LISTEN 3525/exim4
tcp 0 0 *:924 *:* LISTEN 3710/rpc.statd
tcp6 0 0 *:ssh *:* LISTEN 3696/sshd
udp 0 0 *:918 *:* 3710/rpc.statd
udp 0 0 *:921 *:* 3710/rpc.statd
udp 0 0 *:bootpc *:* 2932/dhclient
udp 0 0 *:sunrpc *:* 2937/portmap
udp 0 0 *:ipp *:* 3429/cupsd
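The distinction made above between loopback-only daemons and listeners reachable from the network can be read straight off the netstat output. The following is an added example, not part of the original article; the function names are hypothetical, and it goes slightly beyond the listing by also accepting the numeric addresses that `netstat -n` prints.

```sh
#!/bin/sh
# Added example: list sockets that accept traffic from the network, as opposed
# to loopback-only listeners, from "netstat -tulp" output read on stdin.

# Sample input: five lines from the listing above, then three constructed lines
# in the numeric form that "netstat -n" prints.
sample_netstat() {
cat <<'EOF'
tcp 0 0 localhost.localdo:mysql *:* LISTEN 3648/mysqld
tcp 0 0 *:sunrpc *:* LISTEN 2937/portmap
tcp 0 0 localhost.localdom:smtp *:* LISTEN 3525/exim4
tcp6 0 0 *:ssh *:* LISTEN 3696/sshd
udp 0 0 *:918 *:* 3710/rpc.statd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3525/exim4
tcp6 0 0 ::1:631 :::* LISTEN 3429/cupsd
tcp6 0 0 :::22 :::* LISTEN 3696/sshd
EOF
}

# Print "proto port program" for every listener not bound to loopback.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/          { next }  # headers and other noise
        $1 ~ /^tcp/ && $6 != "LISTEN"  { next }  # established connections
        {
            addr = $4
            match(addr, /:[^:]*$/)               # the last colon splits host from port
            host = substr(addr, 1, RSTART - 1)
            port = substr(addr, RSTART + 1)
            # Assumption: a name starting with "localhost" resolves to loopback
            # (netstat truncates long names); use -n to get addresses instead.
            if (host ~ /^(localhost|127\.)/ || host == "::1") next
            prog = $NF
            sub(/^[0-9]+\//, "", prog)           # drop the PID, keep the program name
            print $1, port, prog
        }
    '
}

# On a live system (as root, so program names are shown):
#   netstat -tulpn | exposed_listeners
sample_netstat | exposed_listeners
```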
drwxrwsr-x 3 root staff 4096 2006-05-17 22:48 /home
drwxr-xr-x 11 uwe uwe 4096 2006-05-18 23:19 /home/uwe
drwxr-xr-x 10 root root 4096 2006-05-17 23:43 /root
drwxrwxrwt 8 root root 4096 2006-05-17 23:41 /tmp
/dev:
crw-rw---- 1 root video 10, 175 2006-05-17 23:13 agpgart
crw------- 1 root root 5, 1 2006-05-17 23:13 console
crw-rw---- 1 root audio 14, 3 2006-05-17 23:13 dsp
brw-rw---- 1 root floppy 2, 0 2006-05-17 23:13 fd0
crw-rw-rw- 1 root root 1, 7 2006-05-17 23:13 full
brw-rw---- 1 root disk 3, 0 2006-05-17 23:13 hda*
brw-rw---- 1 root cdrom 22, 64 2006-05-17 23:13 hdd
crw-r----- 1 root kmem 1, 2 2006-05-17 23:13 kmem
crw-rw---- 1 root root 1, 11 2006-05-17 23:13 kmsg
crw-r----- 1 root kmem 1, 1 2006-05-17 23:13 mem
crw-rw-rw- 1 root root 1, 3 2006-05-17 23:13 null
crw-rw-rw- 1 root root 5, 0 2006-05-17 23:13 tty
crw-rw---- 1 root root 4, 0 2006-05-17 23:13 tty0
crw------- 1 root root 4, 1 2006-05-17 23:24 tty1
crw------- 1 root tty 4, 2 2006-05-17 23:13 tty[2-6]
crw-rw---- 1 root root 4, 7 2006-05-17 23:13 tty7
[...]
crw-rw---- 1 root root 4, 63 2006-05-17 23:13 tty63
crw-rw---- 1 root dialout 4, 64 2006-05-17 23:13 ttyS*
crw-rw-rw- 1 root root 1, 8 2006-05-17 23:13 random
cr--r--r-- 1 root root 1, 9 2006-05-17 23:13 urandom
crw-rw---- 1 root root 7, 1 2006-05-17 23:13 vcs*
crw-rw-rw- 1 root root 1, 5 2006-05-17 23:13 zero
Most of that looks sane to me (a "chmod 700 /home/uwe /root" would be nice, though), but maybe it can be tightened/secured a bit more? Ideas?
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
uwe:x:1000:1000:,,,:/home/uwe:/bin/bash
identd:x:100:65534::/var/run/identd:/bin/false
sshd:x:101:65534::/var/run/sshd:/bin/false
messagebus:x:103:104::/var/run/dbus:/bin/false
hal:x:106:106:Hardware abstraction layer,,,:/var/run/hal:/bin/false
saned:x:109:109::/home/saned:/bin/false
gdm:x:104:110:Gnome Display Manager:/var/lib/gdm:/bin/false
mysql:x:105:111:MySQL Server,,,:/var/lib/mysql:/bin/false
Not too good, IMHO. Almost all system accounts have a valid shell instead of /bin/false or /usr/sbin/nologin. Most of those should not need one, and security-wise it's a lot better to not give them a valid shell. The good news is that many daemons (ssh, mysql, etc.) don't have a valid shell. Uh, why is "Debian-exim" capitalized? Update: That's why.
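The check described above, as an added example that is not part of the original article: it reads passwd-format lines and reports system accounts that still have a login shell. The function names and the UID cut-off (below 1000, plus 65534 for "nobody") are assumptions chosen to match the listing.

```sh
#!/bin/sh
# Added example: flag system accounts in passwd(5)-format input that still
# have a login shell. Assumption: UIDs below 1000, and 65534 ("nobody"),
# are system accounts, as in the listing above.

# Constructed sample: a subset of the passwd lines shown above.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
uwe:x:1000:1000:,,,:/home/uwe:/bin/bash
sshd:x:101:65534::/var/run/sshd:/bin/false
EOF
}

# Print "name uid shell" for every system account whose shell permits a login.
# Reads passwd-format lines on stdin; root (UID 0) is skipped because it needs
# a shell.
shell_audit() {
    awk -F: '
        NF != 7                    { next }  # skip malformed lines
        $3 == 0                    { next }  # root
        $3 >= 1000 && $3 != 65534  { next }  # regular users
        $7 == ""                   { $7 = "/bin/sh" }  # empty field defaults to /bin/sh
        $7 ~ /\/(false|nologin)$/  { next }  # already locked down
        $7 == "/bin/sync"          { next }  # single-purpose command, not a shell
        { print $1, $3, $7 }
    '
}

# On a live system: shell_audit < /etc/passwd
sample_passwd | shell_audit
```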
# find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld '{}' \;
-rwxr-sr-x 1 root tty 9784 2005-09-18 09:04 /usr/bin/wall
-rwsr-xr-x 1 root root 22872 2005-05-18 08:33 /usr/bin/newgrp
-rwxr-sr-x 1 root shadow 34488 2005-05-18 08:33 /usr/bin/chage
-rwsr-xr-x 1 root root 28056 2005-05-18 08:33 /usr/bin/chfn
-rwsr-xr-x 1 root root 28088 2005-05-18 08:33 /usr/bin/chsh
-rwxr-sr-x 1 root shadow 16696 2005-05-18 08:33 /usr/bin/expiry
-rwsr-xr-x 1 root root 34904 2005-05-18 08:33 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 26616 2005-05-18 08:33 /usr/bin/passwd
-rwsr-xr-x 1 root root 34488 2002-01-18 09:13 /usr/bin/at
-rwxr-sr-x 1 root tty 7992 2004-11-01 20:29 /usr/bin/bsd-write
-rwxr-sr-x 1 root crontab 26872 2004-07-28 22:44 /usr/bin/crontab
-rwxr-sr-x 1 root mail 9860 2004-06-04 17:21 /usr/bin/dotlockfile
-rwsr-xr-x 1 root root 18136 2004-12-01 08:29 /usr/bin/traceroute.lbl
-rwsr-xr-x 1 root root 809836 2006-03-10 12:19 /usr/bin/gpg
-rwxr-sr-x 1 root mail 7764 2006-01-31 01:48 /usr/bin/mutt_dotlock
-rwsr-sr-x 1 root lp 24184 2004-07-27 23:48 /usr/bin/lpq
-rwsr-sr-x 1 root lp 22232 2004-07-27 23:48 /usr/bin/lprm
-rwsr-sr-x 1 root lp 24440 2004-07-27 23:48 /usr/bin/lpr
-rwsr-xr-x 1 root root 44024 2004-12-12 20:35 /usr/bin/mtr
-rwsr-sr-x 1 root mail 71640 2005-03-01 16:37 /usr/bin/procmail
-rwxr-sr-x 1 root mail 12712 2005-03-01 16:37 /usr/bin/lockfile
-rwxr-sr-x 1 root ssh 57304 2004-11-28 16:33 /usr/bin/ssh-agent
-rwsr-xr-x 1 root root 10894 2004-06-04 12:02 /usr/bin/fileshareset
-rwsr-xr-x 1 root root 5144 2006-01-15 14:37 /usr/bin/kgrantpty
-rwsr-xr-x 1 root root 5588 2006-01-15 14:37 /usr/bin/kpac_dhcp_helper
-rwsr-xr-x 1 root root 98488 2006-03-20 23:03 /usr/bin/sudo
-rwsr-xr-- 1 root plugdev 19096 2005-05-18 15:47 /usr/bin/pumount
-rwsr-xr-- 1 root plugdev 26680 2005-05-18 15:47 /usr/bin/pmount
-rwxr-sr-x 1 root nogroup 45600 2005-09-08 07:32 /usr/bin/kdesud
-rwsr-xr-- 1 root dip 575192 2005-05-24 09:18 /usr/bin/kppp
-rwsr-xr-x 1 root root 544332 2005-04-08 15:53 /usr/bin/gpg2
-rwxr-sr-x 1 root games 34872 2005-03-02 19:20 /usr/games/same-gnome
-rwxr-sr-x 1 root games 57152 2005-03-02 19:20 /usr/games/gnomine
-rwxr-sr-x 1 root games 65752 2005-03-02 19:20 /usr/games/gnome-stones
-rwxr-sr-x 1 root games 70296 2005-03-02 19:20 /usr/games/mahjongg
-rwxr-sr-x 1 root games 48952 2005-03-02 19:20 /usr/games/gtali
-rwxr-sr-x 1 root games 36652 2005-03-02 19:20 /usr/games/gnotravex
-rwxr-sr-x 1 root games 94200 2005-03-02 19:20 /usr/games/gnobots2
-rwxr-sr-x 1 root games 28776 2005-03-02 19:20 /usr/games/gnotski
-rwxr-sr-x 1 root games 42584 2005-03-02 19:20 /usr/games/glines
-rwxr-sr-x 1 root games 61944 2005-03-02 19:20 /usr/games/gnibbles
-rwxr-sr-x 1 root games 78096 2005-03-02 19:20 /usr/games/gnometris
-rwsr-xr-x 1 root root 5668 2006-04-02 15:32 /usr/lib/pt_chown
-rwxr-sr-x 1 root mail 10940 2006-03-13 14:30 /usr/lib/evolution/2.0/camel/camel-lock-helper
-rwxr-sr-x 1 root utmp 9144 2005-03-09 18:21 /usr/lib/libvte4/gnome-pty-helper
-rwsr-xr-x 1 root root 13304 2005-09-06 15:13 /usr/lib/apache/suexec.disabled
-rwsr-xr-x 1 root root 668568 2006-04-11 14:33 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 265880 2005-05-05 19:32 /usr/sbin/pppd
-rwsr-xr-- 1 root dip 29420 2004-09-30 04:13 /usr/sbin/pppoe
-rwxr-sr-x 1 root lp 32248 2004-07-27 23:48 /usr/sbin/lpc
-rwsr-sr-x 1 root root 7860 2005-09-02 00:44 /usr/X11R6/bin/X
-rwsr-xr-x 1 root root 35512 2005-05-18 08:33 /bin/login
-rwsr-xr-x 1 root root 23416 2005-05-18 08:33 /bin/su
-rwsr-xr-x 1 root root 68440 2005-09-18 09:04 /bin/mount
-rwsr-xr-x 1 root root 40920 2005-09-18 09:04 /bin/umount
-rwsr-xr-x 1 root root 30764 2003-12-22 23:18 /bin/ping
-rwsr-xr-x 1 root root 26604 2003-12-22 23:18 /bin/ping6
-r-sr-xr-x 1 root root 15000 2004-06-28 20:39 /sbin/unix_chkpwd
Quite a bunch, I'd say. The games are "only" "setgid games", but I'd really, really remove them on any production machine which should be halfway secure. Some of those binaries probably need the setuid/setgid bit (su, passwd, ...), but others probably don't. Maybe we should ship more of that non-setuid per default and add a note to the READMEs which tells the admin how he can make the apps setuid if he should want that?
drwxrwxrwx 4 www-data www-data 4096 2006-05-19 00:19 /var/lib/apache/mod-bandwidth
drwxrwxrwx 2 www-data www-data 4096 2005-09-06 15:12 /var/lib/apache/mod-bandwidth/master
drwxrwxrwx 2 www-data www-data 4096 2005-09-06 15:12 /var/lib/apache/mod-bandwidth/link
drwxrwxrwt 2 root root 4096 2006-06-04 22:37 /var/lock
drwxrwxrwx 2 root root 4096 2006-05-17 23:17 /var/log/debian-installer/cdebconf
srwxrwxrwx 1 root root 0 2006-06-04 22:37 /var/run/dbus/system_bus_socket
srwxrwxrwx 1 mysql mysql 0 2006-06-04 22:38 /var/run/mysqld/mysqld.sock
drwxrwxrwt 4 root root 4096 2006-05-29 19:33 /var/tmp
drwxrwxrwt 2 root root 4096 2006-05-18 00:21 /var/tmp/vi.recover
srwxrwxrwx 1 root root 0 2006-06-04 22:38 /dev/gpmctl
drwxrwxrwt 2 root root 40 2006-06-05 00:37 /dev/shm
srw-rw-rw- 1 root root 0 2006-06-04 22:37 /dev/log
crw-rw-rw- 1 root root 5, 2 2006-06-04 22:49 /dev/ptmx
crw-rw-rw- 1 root root 1, 5 2006-06-05 00:37 /dev/zero
crw-rw-rw- 1 root root 1, 8 2006-06-05 00:37 /dev/random
crw-rw-rw- 1 root root 1, 7 2006-06-05 00:37 /dev/full
crw-rw-rw- 1 root root 5, 0 2006-06-04 22:37 /dev/tty
crw-rw-rw- 1 root root 1, 3 2006-06-05 00:37 /dev/null
crw-rw-rw- 1 root root 1, 3 2006-05-18 00:21 /dev/.static/dev/null
crw-rw-rw- 1 root root 1, 5 2006-05-18 00:21 /dev/.static/dev/zero
crw-rw-rw- 1 root root 1, 7 2006-05-18 00:21 /dev/.static/dev/full
crw-rw-rw- 1 root root 1, 8 2006-05-18 00:21 /dev/.static/dev/random
crw-rw-rw- 1 root tty 5, 0 2006-05-18 00:21 /dev/.static/dev/tty
crw-rw-rw- 1 root tty 2, 42 2005-02-26 07:38 /dev/.static/dev/pty*
crw-rw-rw- 1 root tty 3, 42 2005-02-26 07:38 /dev/.static/dev/tty*
crw-rw-rw- 1 root tty 5, 2 2005-02-26 07:39 /dev/.static/dev/ptmx
crw-rw-rw- 1 root root 180, 48 2005-02-26 07:43 /dev/.static/dev/usb/scanner*
srw-rw-rw- 1 root root 0 2006-05-18 00:46 /dev/.static/dev/log
drwxrwxrwt 8 root root 4096 2006-06-04 22:41 /tmp
drwxrwxrwt 2 root root 4096 2006-06-04 22:38 /tmp/.X11-unix
srwxrwxrwx 1 root root 0 2006-06-04 22:38 /tmp/.X11-unix/X0
drwxrwxrwt 2 root root 4096 2006-06-04 22:38 /tmp/.ICE-unix
srwxrwxrwx 1 uwe uwe 0 2006-06-04 22:38 /tmp/.ICE-unix/3949
srw-rw-rw- 1 root root 0 2006-06-04 22:38 /tmp/.gdm_socket
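Both the setuid/setgid listing and the world-writable listing above can be triaged by reading the mode string of each line. This is an added example, not part of the original article; the function names are hypothetical and it assumes paths without spaces.

```sh
#!/bin/sh
# Added example: triage "ls -ld" lines by mode string.
# Assumption: paths contain no spaces (the path is taken from the last field).

# Constructed sample: lines copied from the two listings above.
sample_listing() {
cat <<'EOF'
-rwsr-xr-x 1 root root 26616 2005-05-18 08:33 /usr/bin/passwd
-rwxr-sr-x 1 root games 57152 2005-03-02 19:20 /usr/games/gnomine
-rwsr-sr-x 1 root lp 24184 2004-07-27 23:48 /usr/bin/lpq
-rwsr-xr-- 1 root plugdev 26680 2005-05-18 15:47 /usr/bin/pmount
drwxrwxrwx 4 www-data www-data 4096 2006-05-19 00:19 /var/lib/apache/mod-bandwidth
drwxrwxrwt 8 root root 4096 2006-06-04 22:41 /tmp
srwxrwxrwx 1 mysql mysql 0 2006-06-04 22:38 /var/run/mysqld/mysqld.sock
crw-rw-rw- 1 root root 1, 3 2006-06-05 00:37 /dev/null
EOF
}

# Print "<finding> <path>" for setuid files, setgid files, and world-writable
# directories that lack the sticky bit. Sockets and device nodes are not judged.
mode_triage() {
    awk '
        {
            mode = $1; owner = $3; group = $4; path = $NF
            type = substr(mode, 1, 1)
            ux = substr(mode, 4, 1)    # owner execute slot: s or S means setuid
            gx = substr(mode, 7, 1)    # group execute slot: s or S means setgid
            ow = substr(mode, 9, 1)    # other write
            ox = substr(mode, 10, 1)   # other execute slot: t or T means sticky
            if (type == "-" && ux ~ /[sS]/) {
                # Without other-execute, only the owner and the group can run it.
                who = (ox == "x") ? "" : "(group-only:" group ")"
                print "setuid-" owner who, path
            }
            if (type == "-" && gx ~ /[sS]/)
                print "setgid-" group, path
            # With the sticky bit, users can delete only their own entries.
            if (type == "d" && ow == "w" && ox !~ /[tT]/)
                print "world-writable-dir-no-sticky", path
        }
    '
}

sample_listing | mode_triage
```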
Ok, so that's it for Debian stable. Unstable is 99% the same, except that you do a "vi /etc/apt/sources.list; apt-get update; apt-get dist-upgrade". I'll do that later maybe, compare the findings, and report notable differences here, but it shouldn't be too many (I guess). Not today, though, I need some sleep now.
Comments, suggestions, flames?