Note: This article is part of my OS Install Experiences series.
OK, so let's start with something simple: Debian. Simple in the sense that there probably won't be too many surprises for me as a Debian developer (or for most readers of Planet Debian). For other people this might be interesting, though, and some facts are probably interesting to one or the other experienced Debian user/developer, too...
Hardware
A few words on the hardware I'll be installing all these OSes on. It's a cheapo (200 Euros) x86 PC (Intel Celeron, 2 GHz), 80 GB IDE hard drive, 256 MB RAM, ATI Radeon 9200 SE graphics adapter, Realtek PCI ethernet controller, CDROM, USB, and all the other standard stuff. Nothing fancy, really.
Install
- First, I downloaded a Debian sarge 3.1r2 CD image, burned it on a CD, and booted from that.
- An installer menu showed up, where you can press F3 for boot options. I chose "expert26", which will ask me more questions and give me a 2.6 Linux kernel instead of 2.4.
- The installer (newt-based, i.e. not graphical) will now start to boot a base Linux system.
- Now, you can choose your language (used in the installer), country, region, and keyboard layout.
- You'll be asked which additional kernel modules you want to load (default: all), and whether you want PCMCIA support. Also, you can choose which extra installer components should be loaded (LVM, PPP, serial, IrDA, ...).
- Your hardware can be automatically detected (my Realtek card was successfully detected, the "8139too" kernel module was then loaded).
- The network was successfully auto-configured via DHCP within seconds.
- Now you can choose a hostname and domain name for the box. I used "hydra" as hostname (guess why), and "local.domain" as domain name.
Partitioning
Now the funny part starts: partitioning the disk. As I will be installing >= 10 OSes, this needs a bit of consideration.
I have chosen to create a 10 GB (primary) partition for a Redmond OS I'll be installing later (for games, testing, proprietary software I'm forced to use, and similar things). This will be the first partition and I marked it bootable, as Windows might choke otherwise.
For the rest, I reserved 5 GB for each OS — that should do. So the next two (primary) partitions are 5 GB each. I'll leave these empty for now, as I might encounter obscure OSes which must be installed on primary partitions. Let's hope it won't be more than two ;-) As you can only have four primary partitions, I then had to create a logical partition, which will "contain" any further partitions.
The next three (secondary) partitions are 1 GB each, intended to be used as swap. One of those I marked as swap in order to use it for Debian. Other Linux installations will be able to reuse this one. The other two are reserved in case I encounter OSes which have another form of swap and cannot use Linux swap partitions...
The rest is easy: create twelve 5 GB partitions => lots of space for more OSes. Here's the resulting fdisk output:
Disk /dev/hda: 81.9 GB, 81964302336 bytes
255 heads, 63 sectors/track, 9964 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device      Boot   Start     End     Blocks   Id  System
/dev/hda1   *          1    1216    9767488+  83  Linux
/dev/hda2           1217    1824    4883760   83  Linux
/dev/hda3           1825    2432    4883760   83  Linux
/dev/hda4           2433    9964   60500790    5  Extended
/dev/hda5           2433    2554     979933+  82  Linux swap / Solaris
/dev/hda6           2555    2676     979933+  83  Linux
/dev/hda7           2677    2798     979933+  83  Linux
/dev/hda8           2799    3406    4883728+  83  Linux
/dev/hda9           3407    4014    4883728+  83  Linux
/dev/hda10          4015    4622    4883728+  83  Linux
/dev/hda11          4623    5230    4883728+  83  Linux
/dev/hda12          5231    5838    4883728+  83  Linux
/dev/hda13          5839    6446    4883728+  83  Linux
/dev/hda14          6447    7054    4883728+  83  Linux
/dev/hda15          7055    7662    4883728+  83  Linux
/dev/hda16          7663    8270    4883728+  83  Linux
/dev/hda17          8271    8878    4883728+  83  Linux
/dev/hda18          8879    9486    4883728+  83  Linux
/dev/hda19          9487    9964    3839503+  83  Linux
Install, continued
- The Debian partitioning tool allowed me to do all of the above via a friendly menu. As it does not modify the partition table until you say "done", I could revert many changes, and play around with different layout ideas until I was satisfied.
- The next thing you can choose is the kernel flavor (386, 686, smp).
- You may now configure and install GRUB, the bootloader. I installed it at "(hd0)", the master boot record of the hard disk.
- Soon the CD ejects, and you have to reboot.
- After a restart (which also shows whether GRUB works fine), you can now choose your timezone, and decide whether you want shadow passwords (say yes!).
- Now enter the root password, and decide whether you want to create an additional user account (say yes, and enter a different password here).
- You can now configure apt, e.g. tell it which sources you'd like to use (CDROM, FTP, HTTP, ...). You'll be asked whether you want to install software from Debian's "non-free" archive. After choosing a mirror (and proxy settings, if you like), you can (should!) also say yes to the question whether you want security updates...
- Finally, you may now choose "tasks" (desktop, web server, file server, ...) your machine should be able to perform; this will influence which packages will be installed. You may choose "manual package selection", of course, if you want more control. I used "desktop".
- That's about it. You'll see a few more application-specific questions (configuration of MTA, ssh, fonts, X11, gdm, and others), and after that you'll be left with a GNOME login window.
Security
I collected some (partly) security-relevant information after that.
- Portscan from another box:
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
113/tcp open auth
785/tcp open unknown
Not good. A default install should not have any ports open, IMHO. There are more daemons running: exim (port 25), and famd (port 771) for example. Those are fine, however, as they only listen on the loopback interface and are not exposed to the Internet (eth0).
- Some permissions:
drwxrwsr-x 3 root staff 4096 2006-05-17 22:48 /home
drwxr-xr-x 11 uwe uwe 4096 2006-05-18 23:19 /home/uwe
drwxr-xr-x 10 root root 4096 2006-05-17 23:43 /root
drwxrwxrwt 8 root root 4096 2006-05-17 23:41 /tmp
/dev:
crw-rw---- 1 root video 10, 175 2006-05-17 23:13 agpgart
crw------- 1 root root 5, 1 2006-05-17 23:13 console
crw-rw---- 1 root audio 14, 3 2006-05-17 23:13 dsp
brw-rw---- 1 root floppy 2, 0 2006-05-17 23:13 fd0
crw-rw-rw- 1 root root 1, 7 2006-05-17 23:13 full
brw-rw---- 1 root disk 3, 0 2006-05-17 23:13 hda*
brw-rw---- 1 root cdrom 22, 64 2006-05-17 23:13 hdd
crw-r----- 1 root kmem 1, 2 2006-05-17 23:13 kmem
crw-rw---- 1 root root 1, 11 2006-05-17 23:13 kmsg
crw-r----- 1 root kmem 1, 1 2006-05-17 23:13 mem
crw-rw-rw- 1 root root 1, 3 2006-05-17 23:13 null
crw-rw-rw- 1 root root 5, 0 2006-05-17 23:13 tty
crw-rw---- 1 root root 4, 0 2006-05-17 23:13 tty0
crw------- 1 root root 4, 1 2006-05-17 23:24 tty1
crw------- 1 root tty 4, 2 2006-05-17 23:13 tty[2-6]
crw-rw---- 1 root root 4, 7 2006-05-17 23:13 tty7
[...]
crw-rw---- 1 root root 4, 63 2006-05-17 23:13 tty63
crw-rw---- 1 root dialout 4, 64 2006-05-17 23:13 ttyS*
crw-rw-rw- 1 root root 1, 8 2006-05-17 23:13 random
cr--r--r-- 1 root root 1, 9 2006-05-17 23:13 urandom
crw-rw---- 1 root root 7, 1 2006-05-17 23:13 vcs*
crw-rw-rw- 1 root root 1, 5 2006-05-17 23:13 zero
Most of that looks sane to me (a "chmod 700 /home/uwe /root" would be nice, though), but maybe it can be tightened/secured a bit more? Ideas?
- Default users and shells:
I installed some more popular applications (apache, mysql) to have more data.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
uwe:x:1000:1000:,,,:/home/uwe:/bin/bash
identd:x:100:65534::/var/run/identd:/bin/false
sshd:x:101:65534::/var/run/sshd:/bin/false
messagebus:x:103:104::/var/run/dbus:/bin/false
hal:x:106:106:Hardware abstraction layer,,,:/var/run/hal:/bin/false
saned:x:109:109::/home/saned:/bin/false
gdm:x:104:110:Gnome Display Manager:/var/lib/gdm:/bin/false
mysql:x:105:111:MySQL Server,,,:/var/lib/mysql:/bin/false
Not too good, IMHO. Almost all system accounts have a valid shell instead of /bin/false or /usr/sbin/nologin. Most of those should not need one, and security-wise it's a lot better to not give them a valid shell. The good news is that many daemons (ssh, mysql, etc.) don't have a valid shell. Uh, why is "Debian-exim" capitalized? Update: That's why.
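The shell check described above can be automated. This is an added example, not part of the original post: it reads passwd-format lines and reports non-root system accounts that still have a login shell. The UID boundary of 1000 and the list of "no login" shells are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag system accounts that still have a login shell.
# Assumptions (not from the original post): regular users start at UID 1000,
# and the shells in NOLOGIN_SHELLS count as "no valid shell".
NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin /sbin/nologin /bin/sync"

# Reads passwd(5)-format lines on stdin; prints "name uid shell" for each
# non-root system account whose shell is not in NOLOGIN_SHELLS. An empty
# shell field is reported too, since it means the default shell is used.
audit_shells() {
    awk -F: -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        /^#/ || NF < 7 { next }              # skip comments and malformed lines
        $3 == 0 { next }                     # root keeps its shell
        ($3 < 1000 || $3 == 65534) && !($7 in ok) { print $1, $3, $7 }
    '
}

# Sample input: a subset of the /etc/passwd listing shown above.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
uwe:x:1000:1000:,,,:/home/uwe:/bin/bash
sshd:x:101:65534::/var/run/sshd:/bin/false
mysql:x:105:111:MySQL Server,,,:/var/lib/mysql:/bin/false
EOF
}

sample_passwd | audit_shells
```

Run against the real file with `audit_shells < /etc/passwd`.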
- Setuid/setgid files:
# find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld '{}' \;
-rwxr-sr-x 1 root tty 9784 2005-09-18 09:04 /usr/bin/wall
-rwsr-xr-x 1 root root 22872 2005-05-18 08:33 /usr/bin/newgrp
-rwxr-sr-x 1 root shadow 34488 2005-05-18 08:33 /usr/bin/chage
-rwsr-xr-x 1 root root 28056 2005-05-18 08:33 /usr/bin/chfn
-rwsr-xr-x 1 root root 28088 2005-05-18 08:33 /usr/bin/chsh
-rwxr-sr-x 1 root shadow 16696 2005-05-18 08:33 /usr/bin/expiry
-rwsr-xr-x 1 root root 34904 2005-05-18 08:33 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 26616 2005-05-18 08:33 /usr/bin/passwd
-rwsr-xr-x 1 root root 34488 2002-01-18 09:13 /usr/bin/at
-rwxr-sr-x 1 root tty 7992 2004-11-01 20:29 /usr/bin/bsd-write
-rwxr-sr-x 1 root crontab 26872 2004-07-28 22:44 /usr/bin/crontab
-rwxr-sr-x 1 root mail 9860 2004-06-04 17:21 /usr/bin/dotlockfile
-rwsr-xr-x 1 root root 18136 2004-12-01 08:29 /usr/bin/traceroute.lbl
-rwsr-xr-x 1 root root 809836 2006-03-10 12:19 /usr/bin/gpg
-rwxr-sr-x 1 root mail 7764 2006-01-31 01:48 /usr/bin/mutt_dotlock
-rwsr-sr-x 1 root lp 24184 2004-07-27 23:48 /usr/bin/lpq
-rwsr-sr-x 1 root lp 22232 2004-07-27 23:48 /usr/bin/lprm
-rwsr-sr-x 1 root lp 24440 2004-07-27 23:48 /usr/bin/lpr
-rwsr-xr-x 1 root root 44024 2004-12-12 20:35 /usr/bin/mtr
-rwsr-sr-x 1 root mail 71640 2005-03-01 16:37 /usr/bin/procmail
-rwxr-sr-x 1 root mail 12712 2005-03-01 16:37 /usr/bin/lockfile
-rwxr-sr-x 1 root ssh 57304 2004-11-28 16:33 /usr/bin/ssh-agent
-rwsr-xr-x 1 root root 10894 2004-06-04 12:02 /usr/bin/fileshareset
-rwsr-xr-x 1 root root 5144 2006-01-15 14:37 /usr/bin/kgrantpty
-rwsr-xr-x 1 root root 5588 2006-01-15 14:37 /usr/bin/kpac_dhcp_helper
-rwsr-xr-x 1 root root 98488 2006-03-20 23:03 /usr/bin/sudo
-rwsr-xr-- 1 root plugdev 19096 2005-05-18 15:47 /usr/bin/pumount
-rwsr-xr-- 1 root plugdev 26680 2005-05-18 15:47 /usr/bin/pmount
-rwxr-sr-x 1 root nogroup 45600 2005-09-08 07:32 /usr/bin/kdesud
-rwsr-xr-- 1 root dip 575192 2005-05-24 09:18 /usr/bin/kppp
-rwsr-xr-x 1 root root 544332 2005-04-08 15:53 /usr/bin/gpg2
-rwxr-sr-x 1 root games 34872 2005-03-02 19:20 /usr/games/same-gnome
-rwxr-sr-x 1 root games 57152 2005-03-02 19:20 /usr/games/gnomine
-rwxr-sr-x 1 root games 65752 2005-03-02 19:20 /usr/games/gnome-stones
-rwxr-sr-x 1 root games 70296 2005-03-02 19:20 /usr/games/mahjongg
-rwxr-sr-x 1 root games 48952 2005-03-02 19:20 /usr/games/gtali
-rwxr-sr-x 1 root games 36652 2005-03-02 19:20 /usr/games/gnotravex
-rwxr-sr-x 1 root games 94200 2005-03-02 19:20 /usr/games/gnobots2
-rwxr-sr-x 1 root games 28776 2005-03-02 19:20 /usr/games/gnotski
-rwxr-sr-x 1 root games 42584 2005-03-02 19:20 /usr/games/glines
-rwxr-sr-x 1 root games 61944 2005-03-02 19:20 /usr/games/gnibbles
-rwxr-sr-x 1 root games 78096 2005-03-02 19:20 /usr/games/gnometris
-rwsr-xr-x 1 root root 5668 2006-04-02 15:32 /usr/lib/pt_chown
-rwxr-sr-x 1 root mail 10940 2006-03-13 14:30 /usr/lib/evolution/2.0/camel/camel-lock-helper
-rwxr-sr-x 1 root utmp 9144 2005-03-09 18:21 /usr/lib/libvte4/gnome-pty-helper
-rwsr-xr-x 1 root root 13304 2005-09-06 15:13 /usr/lib/apache/suexec.disabled
-rwsr-xr-x 1 root root 668568 2006-04-11 14:33 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 265880 2005-05-05 19:32 /usr/sbin/pppd
-rwsr-xr-- 1 root dip 29420 2004-09-30 04:13 /usr/sbin/pppoe
-rwxr-sr-x 1 root lp 32248 2004-07-27 23:48 /usr/sbin/lpc
-rwsr-sr-x 1 root root 7860 2005-09-02 00:44 /usr/X11R6/bin/X
-rwsr-xr-x 1 root root 35512 2005-05-18 08:33 /bin/login
-rwsr-xr-x 1 root root 23416 2005-05-18 08:33 /bin/su
-rwsr-xr-x 1 root root 68440 2005-09-18 09:04 /bin/mount
-rwsr-xr-x 1 root root 40920 2005-09-18 09:04 /bin/umount
-rwsr-xr-x 1 root root 30764 2003-12-22 23:18 /bin/ping
-rwsr-xr-x 1 root root 26604 2003-12-22 23:18 /bin/ping6
-r-sr-xr-x 1 root root 15000 2004-06-28 20:39 /sbin/unix_chkpwd
Quite a bunch, I'd say. The games are "only" "setgid games", but I'd really, really remove them on any production machine which should be halfway secure. Some of those binaries probably need the setuid/setgid bit (su, passwd, ...), but others probably don't. Maybe we should ship more of that non-setuid by default and add a note to the READMEs which tells the admin how he can make the apps setuid if he should want that?
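One way to turn the listing above into a review list, as an added example that is not part of the original post: it reads `ls -ld` lines as produced by the find command, classifies each file by its mode string, and prints everything that is not on an allowlist. The allowlist holds only the two binaries the text names as probably needing the bit and is an assumption, as are the function names.

```shell
#!/bin/sh
# Added example: report setuid/setgid files that are not on an allowlist.
# Assumption (not from the original post): only these two paths are expected.
ALLOWED="/bin/su /usr/bin/passwd"

# Reads `ls -ld` lines on stdin; $1 is a space-separated list of allowed
# paths. Prints "kind owner:group path" for every other setuid/setgid file.
# Limitation: the path is taken as the last field, so names containing
# spaces are not handled.
review_setid() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            mode = $1; path = $NF
            suid = (substr(mode, 4, 1) ~ /[sS]/)   # owner execute slot
            sgid = (substr(mode, 7, 1) ~ /[sS]/)   # group execute slot
            if (!(suid || sgid) || (path in ok)) next
            kind = suid && sgid ? "setuid+setgid" : (suid ? "setuid" : "setgid")
            print kind, $3 ":" $4, path
        }'
}

# Sample input: lines copied from the find output shown above.
sample_find_output() {
    cat <<'EOF'
-rwsr-xr-x 1 root root 26616 2005-05-18 08:33 /usr/bin/passwd
-rwsr-xr-x 1 root root 23416 2005-05-18 08:33 /bin/su
-rwxr-sr-x 1 root games 57152 2005-03-02 19:20 /usr/games/gnomine
-rwsr-sr-x 1 root lp 24440 2004-07-27 23:48 /usr/bin/lpr
-rwsr-xr-x 1 root root 44024 2004-12-12 20:35 /usr/bin/mtr
-rwsr-sr-x 1 root root 7860 2005-09-02 00:44 /usr/X11R6/bin/X
EOF
}

sample_find_output | review_setid "$ALLOWED"
```

Saving the reviewed output and comparing it against a later run shows which setuid/setgid files appeared after package installs or upgrades.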
Ok, so that's it for Debian stable. Unstable is 99% the same, except that you do a "vi /etc/apt/sources.list; apt-get update; apt-get dist-upgrade". I'll do that later maybe, compare the findings, and report notable differences here, but it shouldn't be too many (I guess). Not today, though, I need some sleep now.
Comments, suggestions, flames?
Update 2006-05-19: Updated "why is Debian-exim capitalized?" info as per comments, thanks!