OS Install Experiences - Part 2: SUSE Linux [Update]

Note: This article is part of my OS Install Experiences series.

Next up: a SUSE 10.1 install. It's been a few years since I last touched a SUSE distribution (it was something like SUSE Linux 5.3 or so), and a lot has happened since then... Here's a rough sketch of the installation and a few superficial remarks and facts related to security.

Install

  1. First, I downloaded a SUSE 10.1 CD image, burned it on a CD, and booted from that.
  2. The installer that showed up is graphical, and you can choose between a normal installation, booting a rescue system, or running a memory test (uses memtest86, I presume).
  3. While the installer runs it merely shows a rotating logo, but you can switch to other consoles (ALT+F1, ALT+F3, ALT+F4) to watch the log messages scroll by.
  4. You can choose the language used in the installer, later also your timezone and keyboard layout. You can also check the installation medium, which verifies the checksum of the CD, I guess.
  5. Next, you'll be asked to accept a license agreement (yeeaah, whatever).
  6. Your hardware will be automatically detected (worked quite well for me), and after that you can choose between a new install or a system upgrade.
  7. As for the desktop, you can use GNOME, KDE, text-mode (no desktop), or a "minimal graphical system" (it turns out that means fvwm, at least that's what I think).
  8. The graphical partitioning tool feels a bit awkward at first; it took me several tries to make it use the layout I wanted. The default file system suggested by the tool is ReiserFS.
  9. There's an explicit option which lets you choose the default run-level for the system (run-level 5 is pre-configured).
  10. The bootloader, GRUB, recognized the other partitions (Debian stable + unstable), added an entry for SUSE Linux, and created a working setup. Nice, although more control over the process (e.g. naming of the boot entries) would be welcome.
  11. Reboot.
  12. I'm asked to insert CDs 2 and 3, which I don't have (or want), as I only burned CD 1. Clicking "abort" a few times does the trick, and I can continue by choosing a hostname and domain name for the box (hydra + local.domain).
  13. Now I must enter the root password. Very nice: I have the choice between DES, MD5, or Blowfish (SUSE default) for hashing user passwords.
  14. Afterwards, the network is configured (automatically, via DHCP). You can enable a firewall at this point, and enable/disable access to the ssh port explicitly. It's also possible to enable "VNC remote administration" (default: off), or configure a proxy.
  15. Authentication methods for users, available from the installer: local (/etc/passwd), LDAP, NIS, Windows Domain.
  16. When adding a new user, there are some options. By default, the user is in the groups "users" (no per-user groups, it seems), "dialout" and "video", but that can be configured. Password expiration is disabled. The default shell is bash.
  17. And now... another registration message (in the release notes, actually). Quoting from memory: the registration procedure transfers zmd's unique device identifier to Novell's registration web service. According to that text, the information sent may also include OS, version, architecture, and the output of uname and hwinfo. More on that later, maybe...
  18. Of course, SUSE Linux comes with SUSE's/Novell's AppArmor enabled by default, but I haven't looked into it, yet.
  19. Now some problems appeared. More hardware discovery took place, it seems, then the screen went black (with only a non-blinking cursor in the upper left) and the machine no longer reacted to any input -> I had to do a hard reboot.
  20. After booting, I'm dropped into fvwm (although I chose GNOME in the installer), the reason probably being the forced reboot. After looking around a bit in the menus and stuff, I wanted to start sax2 (to find out what it does), but the screen turned black again -> another hard reboot. Could it be that I don't have enough RAM for this (256 MB)?
  21. Anyways, at this point I lost interest in playing with the system any further, and gathered the information below for comparison purposes...

Security

Update 2006-06-05: Added netstat output, and answered a bunch of comments.
Update 2006-06-02: Shortened the length of the article on my main webpage as well as the RSS feed. But you can always read the whole article here, of course.

  • Portscan from another box:
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    135/tcp  filtered msrpc
    137/tcp  filtered netbios-ns
    138/tcp  filtered netbios-dgm
    139/tcp  filtered netbios-ssn
    445/tcp  filtered microsoft-ds
    1433/tcp filtered ms-sql-s
    1434/tcp filtered ms-sql-m
    

    Not good. A default install should not have any ports open, IMHO. Quite a bunch of Windows ports, eh? To be fair, if the firewall is enabled, none of those will be reachable.

  • netstat output:
    # netstat -tulp -A inet
    tcp        0      0 *:sunrpc                *:*                     LISTEN      3174/portmap
    tcp        0      0 localhost:novell-zen    *:*                     LISTEN      3166/zmd
    tcp        0      0 *:ipp                   *:*                     LISTEN      3326/cupsd
    tcp        0      0 localhost:smtp          *:*                     LISTEN      3432/master
    udp        0      0 *:filenet-tms           *:*                                 3132/mdnsd
    udp        0      0 *:mdns                  *:*                                 3132/mdnsd
    udp        0      0 *:sunrpc                *:*                                 3174/portmap
    udp        0      0 *:ipp                   *:*                                 3326/cupsd
    
    # netstat -tulp -A inet6
    tcp        0      0 *:ssh                   *:*                     LISTEN      3373/sshd      
    tcp        0      0 localhost:smtp          *:*                     LISTEN      3432/master
    
  • Some permissions:
    drwx------  2 root root  168 2006-05-25 01:50 /.gnupg
    drwxr-xr-x  3 root root   72 2006-05-25 00:58 /home
    drwx------  8 root root  432 2006-05-25 01:56 /root
    drwxrwxrwt  9 root root  504 2006-05-25 01:55 /tmp
    crw-------  1 root video  10, 175 May 25 04:58 /dev/agpgart
    crw-r-----+ 1 root root    5,   1 May  2 08:45 /dev/console
    drwxr-xr-x  6 root root       120 May 25 04:58 /dev/disk
    crw-rw----  1 root video  29,   0 May 25 04:58 /dev/fb0
    brw-rw----+ 1 uwe  disk    2,   0 May 25 04:58 /dev/fd0
    crw--w--w-  1 root root    1,   7 May 25 04:58 /dev/full
    brw-r-----  1 root disk    3,   0 May 25 04:58 /dev/hda*
    brw-rw----+ 1 uwe  disk   22,  64 May 25 04:58 /dev/hdd
    crw-r-----  1 root kmem    1,   2 May 25 04:58 /dev/kmem
    crw-rw----  1 root root    1,  11 May  2 08:45 /dev/kmsg
    srw-rw-rw-  1 root root         0 May 25 04:58 /dev/log
    crw-rw----  1 root lp      6,   0 May 25 04:58 /dev/lp0
    crw-r-----  1 root kmem    1,   1 May 25 04:58 /dev/mem
    crw-rw-rw-  1 root root    1,   3 May  2 08:45 /dev/null
    crw-r-----  1 root kmem    1,   4 May 25 04:58 /dev/port
    crw-rw----  1 root root   10,   1 May 25 04:58 /dev/psaux
    crw-rw-rw-  1 root tty     2,   0 May 25 04:58 /dev/ptyp*
    crw-rw-rw-  1 root root    1,   8 May 25 04:58 /dev/random
    crw-rw-rw-  1 root tty     5,   0 May  2 08:45 /dev/tty
    crw--w----  1 root root    4,   0 May 25 04:58 /dev/tty0
    crw-rw----  1 root tty     4,   2 May 25 04:58 /dev/tty[1-6]
    crw--w----  1 uwe  tty     4,   7 May 25 04:58 /dev/tty[7-9]
    crw-rw----  1 root uucp    4,  64 May  2 08:45 /dev/ttyS[0-4]
    crw-------  1 root uucp    4,  68 May  2 08:45 /dev/ttyS[4-7]
    crw-rw-rw-  1 root tty     3,   0 May 25 04:58 /dev/ttyp0
    crw-r--r--  1 root root    1,   9 May 25 04:58 /dev/urandom
    crw--w----  1 root tty     7,   0 May 25 04:58 /dev/vcs
    crw-rw----  1 root tty     7,   1 May 25 04:58 /dev/vcs1
    crw-rw----  1 root tty     7, 129 May 25 04:58 /dev/vcsa1
    crw--w----  1 root tty     7, 130 May 25 04:58 /dev/vcsa2
    pr--------  1 uwe  tty          0 May 25 05:01 /dev/xconsole
    crw-rw-rw-  1 root root    1,   5 May  2 08:45 /dev/zero
    

    Nice: /root has mode 700. Um, /dev/fd0, /dev/hdd, and a few others are owned by me (user "uwe")? Why?

  • Default users and shells:
    at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
    bin:x:1:1:bin:/bin:/bin/bash
    daemon:x:2:2:Daemon:/sbin:/bin/bash
    ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
    games:x:12:100:Games account:/var/games:/bin/bash
    haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
    lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
    mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
    man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
    mdnsd:x:78:65534:mDNSResponder runtime user:/var/lib/mdnsd:/bin/false
    messagebus:x:100:101:User for D-BUS:/var/run/dbus:/bin/false
    news:x:9:13:News system:/etc/news:/bin/bash
    nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
    ntp:x:74:103:NTP daemon:/var/lib/ntp:/bin/false
    postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
    root:x:0:0:root:/root:/bin/bash
    sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
    suse-ncc:x:102:104:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
    uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
    wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
    uwe:x:1000:100::/home/uwe:/bin/bash
    

    Quite a random mix of /bin/bash and /bin/false as shells, it seems. Notice the absence of /bin/sh.

  • Setuid/setgid files:
    # find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld '{}' \;
    -rwsr-xr-x 1 root root 31668 Apr 23 08:48 /bin/su
    -rwsr-xr-x 1 root root 35520 Apr 23 03:53 /bin/ping
    -rwsr-xr-x 1 root audio 20252 Apr 23 04:21 /bin/eject
    -rwsr-xr-x 1 root root 321981 May  2 08:50 /bin/mount
    -rwsr-xr-x 1 root root 31696 Apr 23 03:53 /bin/ping6
    -rwsr-xr-x 1 root root 117887 May  2 08:50 /bin/umount
    -rwsr-xr-x 1 root root 5056 May  2 11:14 /opt/kde3/bin/artswrapper
    -rwsr-xr-x 1 root root 6696 May  2 12:02 /opt/kde3/bin/kpac_dhcp_helper
    -rwsr-xr-x 1 root trusted 43940 May  2 09:47 /usr/bin/at
    -rwsr-xr-x 1 root root 836524 May  2 10:28 /usr/bin/gpg
    -rwsr-xr-x 2 root root 4880 Apr 23 05:09 /usr/bin/man
    -rwsr-xr-x 1 root root 18720 Apr 23 04:32 /usr/bin/rcp
    -rwsr-xr-x 1 root root 9340 Apr 23 04:32 /usr/bin/rsh
    -rwsr-xr-x 1 root shadow 73284 May  2 10:50 /usr/bin/chfn
    -rwsr-xr-x 1 root shadow 68992 May  2 10:50 /usr/bin/chsh
    -rwsr-xr-x 1 root root 105084 May  2 09:47 /usr/bin/sudo
    -rwxr-sr-x 1 root tty 10312 May  2 08:50 /usr/bin/wall
    -rwsr-xr-x 1 lp sys 10400 Apr 25 19:15 /usr/bin/lppasswd
    -rwsr-xr-x 1 root trusted 33260 Apr 23 04:36 /usr/bin/crontab
    -rwsr-xr-x 1 root root 59980 May  2 16:38 /usr/bin/fileshareset
    -rwsr-xr-x 1 root shadow 75692 May  2 10:50 /usr/bin/chage
    -rwsr-xr-x 2 root root 4880 Apr 23 05:09 /usr/bin/mandb
    -rwxr-sr-x 1 root tty 8936 May  2 08:50 /usr/bin/write
    -rwsr-xr-x 1 root shadow 13388 May  2 10:50 /usr/bin/expiry
    -rwsr-xr-x 1 root root 15532 May  2 10:50 /usr/bin/newgrp
    -rwsr-xr-x 1 root shadow 72836 May  2 10:50 /usr/bin/passwd
    -rwsr-xr-x 1 root shadow 74528 May  2 10:50 /usr/bin/gpasswd
    -rwsr-xr-x 1 root root 12900 Apr 23 04:32 /usr/bin/rlogin
    -rwsr-xr-x 1 root root 23990 Apr 29 01:08 /usr/lib/pt_chown
    -rwxr-sr-x 1 root maildrop 10440 May  2 09:36 /usr/sbin/postdrop
    -rwxr-sr-x 1 root maildrop 10444 May  2 09:36 /usr/sbin/postqueue
    -rwxr-sr-x 1 root tty 7288 Apr 23 03:40 /usr/sbin/utempter
    -rws--x--x 1 root root 1832764 May  2 09:26 /usr/X11R6/bin/Xorg
    -rwxr-sr-x 1 root shadow 20136 Apr 23 03:54 /sbin/unix_chkpwd
    -rwsr-x--- 1 root dialout 31700 May  2 09:56 /sbin/isdnctrl
    -rwxr-sr-x 1 root shadow 6624 Apr 23 04:35 /sbin/unix2_chkpwd
    

    Quite a bunch... I sure hope those "rsh", "rcp", "rlogin", and so on, are ssh aliases in reality (didn't check)...

  • World-writable files:
    # find / -not -type l -perm -o+w -exec ls -ld '{}' \;
    srw-rw-rw- 1 root root 0 May 25 23:54 /dev/log
    crw-rw-rw- 1 root root 1, 5 May  2 08:45 /dev/zero
    crw-rw-rw- 1 root tty 5, 0 May  2 08:45 /dev/tty
    crw-rw-rw- 1 root tty 5, 2 May 26 00:02 /dev/ptmx
    crw-rw-rw- 1 root root 1, 3 May  2 08:45 /dev/null
    crw-rw-rw- 1 root tty 2, 0 May 25 23:54 /dev/ptyp*
    crw-rw-rw- 1 root tty 3, 0 May 25 23:54 /dev/ttyp*
    crw--w--w- 1 root root 1, 7 May 25 23:54 /dev/full
    crw-rw-rw- 1 root root 1, 8 May 25 23:54 /dev/random
    drwxrwxrwt 3 root root 60 May 25 23:54 /dev/shm
    crw-rw-rw- 1 root tty 5, 0 May  2 08:45 /lib/udev/devices/tty
    crw-rw-rw- 1 root root 1, 3 May  2 08:45 /lib/udev/devices/null
    crw-rw-rw- 1 root tty 5, 2 May  2 08:45 /lib/udev/devices/ptmx
    crw-rw-rw- 1 root root 1, 5 May  2 08:45 /lib/udev/devices/zero
    drwxrwxrwt 10 root root 672 May 26 00:02 /tmp
    drwxrwxrwt 2 root root 48 Apr 23 03:51 /tmp/.ICE-unix
    drwxrwxrwt 2 root root 72 May 25 23:54 /tmp/.X11-unix
    srwxrwxrwx 1 root root 0 May 25 23:54 /tmp/.X11-unix/X0
    srw-r--rw- 1 root root 0 May 25 23:54 /var/run/zmd/zmd-web.socket
    srwxrwxrwx 1 root root 0 May 25 23:54 /var/run/zmd/zmd-remoting.socket
    srwxrwxrwx 1 root root 0 May 25 23:54 /var/run/dbus/system_bus_socket
    srw-rw-rw- 1 root root 0 May 25 23:54 /var/run/nscd/socket
    srwxrwxrwx 1 root root 0 May 25 23:54 /var/run/mdnsd
    srw-rw-rw- 1 root root 0 May 25 23:54 /var/run/.resmgr_socket
    drwxrwxrwt 2 root root 48 May 25 23:54 /var/run/uscreens
    drwxrwxrwt 11 root root 416 May 25 23:55 /var/tmp
    drwxrwxrwt 2 root root 48 Apr 23 03:51 /var/tmp/vi.recover
    drwxrwxrwt 2 root root 48 Apr 23 03:51 /var/cache/fonts
    drwxrwxrwt 2 root root 48 Apr 23 03:51 /var/spool/mail
    prw--w--w- 1 postfix postfix 0 May 25 23:59 /var/spool/postfix/public/qmgr
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/public/flush
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/public/showq
    prw--w--w- 1 postfix postfix 0 May 26 00:02 /var/spool/postfix/public/pickup
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/public/cleanup
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/lmtp
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/smtp
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/uucp
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/rewrite
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/discard
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/anvil
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/bsmtp
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/defer
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/cyrus
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/error
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/local
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/relay
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/trace
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/maildrop
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/bounce
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/ifmail
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/scache
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/verify
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/virtual
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/procmail
    srw-rw-rw- 1 postfix postfix 0 May 25 23:54 /var/spool/postfix/private/proxymap
    drwxrwxrwt 8 root root 192 May 25 00:06 /usr/src/packages/RPMS
    drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/RPMS/i386
    drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/RPMS/i486
    drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/RPMS/i586
    drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/RPMS/i686
    drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/RPMS/athlon
    drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/RPMS/noarch
    drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/BUILD
    drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/SPECS
    drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/SRPMS
    drwxrwxrwt 2 root root 48 Apr 23 02:28 /usr/src/packages/SOURCES
    

    No real files actually, only sockets, device files, and directories. Still, it's quite a lot of them. Do they all really need to be world-writable?
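The netstat output above is the authoritative view of what the box actually listens on (the nmap scan can only guess from the outside, as a commenter points out further down): portmap, cupsd and mdnsd are bound to "*" and therefore reachable from the network, while zmd and the Postfix master only listen on localhost. The script below is an added example, not code from the original post: it parses the `netstat -tulp` layout quoted above and separates the two groups. The sample lines are constructed in that layout, and the exposure rule (anything not bound to a loopback address counts as reachable, ignoring any host firewall in front of the socket) is this example's own assumption.

```python
"""Classify the listeners in `netstat -tulp` output by network exposure.

Added example, not code from the original post. The sample below is constructed
in the layout the post quotes for `netstat -tulp -A inet`; the exposure rule
(anything not bound to a loopback address counts as reachable from the network)
is this example's assumption and ignores any host firewall in front of the socket.
"""
import re
from dataclasses import dataclass

# Constructed sample in the format shown in the post (not a live capture).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:sunrpc                *:*                     LISTEN      3174/portmap
tcp        0      0 localhost:novell-zen    *:*                     LISTEN      3166/zmd
tcp        0      0 *:ipp                   *:*                     LISTEN      3326/cupsd
tcp        0      0 localhost:smtp          *:*                     LISTEN      3432/master
udp        0      0 *:mdns                  *:*                                 3132/mdnsd
udp        0      0 *:ipp                   *:*                                 3326/cupsd
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1", "ip6-localhost"}

# proto, Recv-Q, Send-Q, local address, foreign address, optional LISTEN, PID/program
LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(?:LISTEN\s+)?(\S+)\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str   # "*", "localhost", or a specific address
    service: str   # port number or service name, as netstat printed it
    program: str   # "PID/name" column ("-" when netstat could not see the owner)

    @property
    def exposed(self) -> bool:
        """True when the socket is bound to something other than loopback."""
        return self.address not in LOOPBACK


def parse_netstat(text: str) -> list[Listener]:
    """Parse the data lines of `netstat -tulp`; header lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, program = m.groups()
        address, _, service = local.rpartition(":")   # last colon splits host:port
        listeners.append(Listener(proto, address, service, program))
    return listeners


def exposed_services(text: str) -> list[tuple[str, str, str]]:
    """(proto, service, program) for every listener reachable beyond loopback."""
    return sorted((ln.proto, ln.service, ln.program)
                  for ln in parse_netstat(text) if ln.exposed)


if __name__ == "__main__":
    import sys
    # Pipe real output in (`netstat -tulp | python3 listeners.py`) or run on the sample.
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    for proto, service, program in exposed_services(text):
        print(f"{proto:4} {service:12} {program}")
```

Run against the sample this reports sunrpc, ipp (tcp and udp) and mdns as exposed and leaves novell-zen and smtp out. Whether an exposed listener is actually reachable still depends on the host firewall, which is why the post's "enable a firewall" installer option matters for exactly these services.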
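The "Some permissions", "Setuid/setgid files" and "World-writable files" listings above all come out of `ls -ld`, and the interesting questions are the same for each: which setuid binaries belong to root, which world-writable entries are regular files or sticky-less directories (the ones that should not exist on a default install), and which entries carry an ACL that `ls -l` only hints at with the "+" suffix. The following audit script is an added example, not code from the original post or from SUSE. It parses that `ls -ld` format and groups the paths by finding; the sample listing is constructed from the formats quoted above, with /tmp/shared and /etc/example.conf invented to show the two bad cases, and the category names are this example's own.

```python
"""Audit `ls -ld` output for risky permission bits.

Added example, not the article's own code. It parses the long-listing format the
post quotes (output of `find ... -exec ls -ld`) and sorts each entry into a
finding category. The sample is constructed: most lines follow the formats in the
post, while /tmp/shared and /etc/example.conf are invented to show the two cases a
default install should never have.
"""
import re
from dataclasses import dataclass

# Constructed sample listing (last two lines invented for the demonstration).
SAMPLE_LS = """\
-rwsr-xr-x 1 root root 31668 Apr 23 08:48 /bin/su
-rwsr-xr-x 1 lp sys 10400 Apr 25 19:15 /usr/bin/lppasswd
-rwxr-sr-x 1 root tty 10312 May  2 08:50 /usr/bin/wall
-rws--x--x 1 root root 1832764 May  2 09:26 /usr/X11R6/bin/Xorg
srw-rw-rw- 1 root root 0 May 25 23:54 /dev/log
crw-r-----+ 1 root root    5,   1 May  2 08:45 /dev/console
drwxrwxrwt 10 root root 672 May 26 00:02 /tmp
drwxrwxrwt 2 root root 48 Apr 23 03:51 /var/spool/mail
drwxrwxrwx 2 root root 48 May 25 00:00 /tmp/shared
-rw-rw-rw- 1 root root 12 May 25 00:00 /etc/example.conf
"""

# type+mode, optional ACL/xattr marker, link count, owner, group, size-or-major/minor + date, path
LS_RE = re.compile(
    r"^([-bcdlps][rwxsStT-]{9})([+.@]?)\s+\d+\s+(\S+)\s+(\S+)\s+.*?\s(\S+)$"
)


@dataclass(frozen=True)
class Entry:
    mode: str
    acl: bool      # "+" suffix: an ACL exists that ls -l does not show (see getfacl)
    owner: str
    group: str
    path: str

    @property
    def ftype(self) -> str:
        return {"-": "file", "d": "dir", "c": "chardev", "b": "blockdev",
                "s": "socket", "p": "fifo", "l": "symlink"}[self.mode[0]]

    @property
    def setuid(self) -> bool:
        return self.mode[3] in "sS"          # owner execute slot

    @property
    def setgid(self) -> bool:
        return self.mode[6] in "sS"          # group execute slot

    @property
    def world_writable(self) -> bool:
        return self.mode[8] == "w"           # other write slot

    @property
    def sticky(self) -> bool:
        return self.mode[9] in "tT"          # other execute slot


def parse_ls(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            mode, suffix, owner, group, path = m.groups()
            entries.append(Entry(mode, suffix == "+", owner, group, path))
    return entries


def audit(text: str) -> dict[str, list[str]]:
    """Group paths by finding; the category names are this example's own."""
    findings: dict[str, list[str]] = {
        "setuid_root": [], "setuid_other_user": [], "setgid": [],
        "ww_regular_file": [], "ww_dir_no_sticky": [], "ww_dir_sticky": [],
        "ww_special": [], "has_acl": [],
    }
    for e in parse_ls(text):
        if e.setuid:
            findings["setuid_root" if e.owner == "root" else "setuid_other_user"].append(e.path)
        if e.setgid:
            findings["setgid"].append(e.path)
        if e.world_writable:
            if e.ftype == "file":
                findings["ww_regular_file"].append(e.path)          # never acceptable
            elif e.ftype == "dir":
                findings["ww_dir_sticky" if e.sticky else "ww_dir_no_sticky"].append(e.path)
            else:
                findings["ww_special"].append(e.path)               # sockets, devices, fifos: review
        if e.acl:
            findings["has_acl"].append(e.path)
    return findings


if __name__ == "__main__":
    import sys
    text = SAMPLE_LS if sys.stdin.isatty() else sys.stdin.read()
    for category, paths in audit(text).items():
        if paths:
            print(f"{category}: {', '.join(paths)}")
```

Either of the two `find` commands from the post can be piped straight into it. The "ww_special" bucket is deliberately a review list rather than a verdict: a world-writable /dev/null or /dev/log is by design, but the same bit on a block device or a daemon's control socket is a question to ask the package, which is the author's point above. Entries with the "+" marker need `getfacl` to see who actually has access; the `ls` mode alone understates it.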
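The "Default users and shells" listing above mixes /bin/bash and /bin/false across service accounts, and a service account with a real shell is the thing worth flagging: if such an account is ever given a password or an ssh key, it becomes a login. The script below is an added example, not from the post: it reads the /etc/passwd format quoted above and lists non-root system accounts whose shell still allows a login. The sample is a constructed subset of the post's lines, and both the uid boundary (1000, matching the "uwe" account above) and the set of shells treated as non-interactive are this example's assumptions rather than SUSE policy.

```python
"""Find service accounts that keep an interactive login shell.

Added example, not from the post. It reads /etc/passwd lines in the format the
article quotes. Assumptions (this example's, not the distribution's policy): a
uid below FIRST_USER_UID, or the conventional "nobody" uid, marks a system
account, and only the shells in NOLOGIN_SHELLS count as non-interactive.
"""
from collections import Counter
from dataclasses import dataclass

FIRST_USER_UID = 1000    # assumption: first regular user ("uwe" in the post) got uid 1000
NOBODY_UID = 65534       # conventional uid of "nobody"; treated as a system account here
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed subset of the /etc/passwd lines quoted in the post.
SAMPLE_PASSWD = """\
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
root:x:0:0:root:/root:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
uwe:x:1000:100::/home/uwe:/bin/bash
"""


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str

    @property
    def is_system(self) -> bool:
        return self.uid < FIRST_USER_UID or self.uid == NOBODY_UID

    @property
    def interactive(self) -> bool:
        # An empty shell field defaults to /bin/sh (passwd(5)), so it counts as interactive.
        return self.shell not in NOLOGIN_SHELLS


def parse_passwd(text: str) -> list[Account]:
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue          # malformed line; a real audit should report it
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), home, shell))
    return accounts


def system_accounts_with_shell(text: str) -> list[str]:
    """Non-root service accounts whose shell would let a login succeed."""
    return sorted(a.name for a in parse_passwd(text)
                  if a.uid != 0 and a.is_system and a.interactive)


def shell_counts(text: str) -> dict[str, int]:
    """How many accounts use each shell, to quantify the mix the post remarks on."""
    return dict(Counter(a.shell for a in parse_passwd(text)))


if __name__ == "__main__":
    import sys
    text = SAMPLE_PASSWD if sys.stdin.isatty() else sys.stdin.read()
    print("system accounts with a login shell:", ", ".join(system_accounts_with_shell(text)))
    print("shells in use:", shell_counts(text))
```

On the sample this flags at, bin and nobody. Giving such accounts /bin/false (for instance with `usermod -s /bin/false <name>`) is the usual fix; note that a locked password field alone only blocks password authentication, so the shell is what stops key-based or other logins from getting anywhere.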

That's it.

Comments, suggestions, flames?

Comments

crypted partition

You can also encrypt the partitions easily with the SUSE partitioner... just a few more clicks.
But it does not allow you to encrypt the swap :-/

RTFM ;-P

If you're going to use nmap and draw conclusions from its output, it'd be nice if you would RTFM.

"Open" means just that: a connection to that port is accepted, as in, a SYN packet gets a SYN,ACK back.

"Filtered" means that a connection to that port is not answered. I.e., the SYN packet is dropped to the floor. These ports aren't open, they're closed. Since there's no reply whatsoever, it also happens to mean they're firewalled. iptables -j DENY.

The other 1000 or so ports which nmap also tested turn out to be "closed", i.e., SYN packets result in an ICMP port-unreachable packet being sent back. These aren't explicitly firewalled, but they're not necessarily open, either.

If you want to be sure about the state of a port, what you really want to do is run 'netstat -tlp' and 'iptables -L' on the machine itself. Nmap can only guess.

"Conclusion" is such a hard

"Conclusion" is such a hard word. Let's call it observations ;)
Ok, seriously though, you're correct of course. I'll attach netstat output to each of the posts, too, in future (and also for Debian + SUSE, soon).

I think you mean "iptables -j DROP", btw ;)

Cheers, Uwe.

pam_console?

The devices owned by you could be because of pam_console as you're the only user logged in. If you haven't wiped it yet, have a look at the files /etc/security/console.* and see what they've got. May solve the mystery.

pam

Hm, I didn't find any *pam_console* anywhere in /etc. There's a lot of stuff in /etc/pam.d, but nothing looks relevant there... What am I looking for exactly?

Another idea I had is that it's related to udev somehow, but that doesn't seem to be the case either, from what I can see.

Disclaimer: I don't know enough about PAM or udev to be able to really tell for sure...

Device ownership

The strange owners of some device nodes for removable media might be some PAM setup that chowns them to the "locally" logged on user.

I think some "desktop" distros do such things.

Which PAM config option

Which PAM config option would do such a thing exactly? I didn't find anything upon a quick glance...

a bit googling says

A bit of googling says the relevant things to look at are:
/etc/logindevperm
/etc/pam.d/* look for pam_devperm

resmgr might be linked to this too, overriding file permissions on some accesses

see also: http://lists.debian.org/debian-wnpp/2003/06/msg00106.html

It looks like I really should test some other distros than Debian some time...

devperm etc.

Indeed, that seems to be it. There are signs of resmgr and devperm in /etc, so I guess that's what's going on...

Thanks, Uwe.

Filtered ports

Except for ssh those ports are not open but FILTERED. Connection attempts are most likely blocked by your or your provider's firewall so that not even the "port closed" information is returned.

Noted, thanks :) netstat

Noted, thanks :) netstat output will follow, soon.

/.gnupg

What created /.gnupg, and why?

Package signing key

Ok, a gpg --list-keys returns "SuSE Package Signing Key", so I guess that's what it's used for.

I didn't investigate any further, though...

That's a very good question.

That's a very good question. I have no idea, yet, but will check the release notes. Maybe it's used for verification of packages or of the CD image or something...