Uwe Hermann | A slightly paranoid Debian developer

Note: This article is part of my OS Install Experiences series.

Next up: a SUSE 10.1 install. It's been a few years since I touched a SUSE distribution (it was something like SUSE Linux 5.3 or so), a lot has happened since then... Here's a rough sketch of the installation and a few superficial remarks and facts related to security.

Install

1. First, I downloaded a SUSE 10.1 CD image, burned it on a CD, and booted from that.
2. The installer that showed up is graphical, and you can choose between a normal installation, booting a rescue system, or running a memory test (uses memtest86, I presume).
3. While the installer runs it merely shows a rotating logo, but you can switch to other consoles (ALT+F1, ALT+F3, ALT+F4) for watching log messages passing by.
4. You can choose the language used in the installer, later also your timezone and keyboard layout. You can also check the installation medium, which verifies the checksum of the CD, I guess.
5. Next, you'll be asked to accept a license agreement (yeeaah, whatever).
6. Your hardware will be automatically detected (worked quite well for me), and after that you can choose between a new install or a system upgrade.
7. As for the desktop, you can use GNOME, KDE, text-mode (no desktop), or a "minimal graphical system" (it turns out that means fvwm, at least that's what I think).
8. The graphical partitioning tool feels a bit awkward at first, I needed several tries until I figured out how to make it use the layout I wanted it to. The default file system suggested by the tool is ReiserFS.
9. There's an explicit option which lets you choose the default run-level for the system (run-level 5 is pre-configured).
10. The bootloader, GRUB, recognized the other partitions (Debian stable + unstable), added an entry for SUSE Linux, and created a working setup. Nice, although more control over the process (e.g. naming of the boot options) would be nice.
11. Reboot.
12. I'm asked to insert CDs 2 and 3, which I don't have (or want), as I only burned CD 1. Clicking "abort" a few times does the trick, and I can continue by choosing a hostname and domain name for the box (hydra + local.domain).
13. Now I must enter the root password. Very nice: I have the choice between DES, MD5, or Blowfish (SUSE default) for the hashing/encryption of user passwords.
14. Afterwards, the network is configured (automatically, via DHCP). You can enable a firewall at this point, and enable/disable access to the ssh port explicitly. It's also possible to enable "VNC remote administration" (default: off), or configure a proxy.
15. Authentication methods for users, available from the installer: local (/etc/passwd), LDAP, NIS, Windows Domain.
16. When adding a new user, there are some options. Per default, the user is in the groups "users" (no per-user groups, it seems), "dialout" and "video", but that can be configured. Password expiration is disabled. The default shell is bash.
17. And now... another registration message (in the release notes, actually). May I quote (from my head): The registration procedure transfers zmd's unique device identifier to Novell's registration web service. The information sent may also include OS, version, architecture, and the output of uname and hwinfo, according to that text. More on that later, maybe...
18. Of course, SUSE Linux comes with SUSE's/Novell's AppArmor enabled by default, but I haven't looked into it, yet.
19. Now some problems appeared. More hardware discovery took place, it seems, then the screen turned black (with only a non-blinking cursor in the upper left), no reaction to any input -> I performed a hard reboot.
20. After booting, I'm dropped into fvwm (although I chose GNOME in the installer), the reason probably being the forced reboot. After looking around a bit in the menus and stuff, I wanted to start sax2 (to find out what it does), but the screen turned black again -> another hard reboot. Could it be that I don't have enough RAM for this (256 MB)?
21. Anyways, at this point I lost interest in playing with the system any further, and gathered the below information for comparison reasons...

Security

Continue reading here...

Update 2006-06-05: Added netstat output, and answered a bunch of comments.
Update 2006-06-02: Shortened the length of the article on my main webpage as well as the RSS feed. But you can always read the whole article here, of course.

Note: This article is part of my OS Install Experiences series.

OK, so let's start with something simple: Debian. Simple in the sense that there probably won't be too many surprises for me as a Debian developer (or for most readers of Planet Debian). For other people this might be interesting, though, and some facts are probably interesting to one or the other experienced Debian user/developer, too...

Hardware

A few words on the hardware I'll be installing all these OSes on. It's a cheapo (200 Euros) x86 PC (Intel Celeron, 2 GHz), 80 GB IDE hard drive, 256 MB RAM, ATI Radeon 9200 SE graphics adapter, Realtek PCI ethernet controller, CDROM, USB, and all the other standard stuff. Nothing fancy, really.

Install

1. First, I downloaded a Debian sarge 3.1r2 CD image, burned it on a CD, and booted from that.
2. An installer menu showed up, where you can press F3 for boot options. I chose "expert26", which will ask me more questions and give me a 2.6 Linux kernel instead of 2.4.
3. The installer (newt-based, i.e. not graphical) will now start to boot a base Linux system.
4. Now, you can choose your language (used in the installer), country, region, and keyboard layout.
5. You'll be asked which additional kernel modules you want to load (default: all), and whether you want PCMCIA support. Also, you can choose which extra installer components should be loaded (LVM, PPP, serial, IrDA, ...).
6. Your hardware can be automatically detected (my Realtek card was successfully detected, the "8139too" kernel module was then loaded).
7. The network was successfully auto-configured via DHCP within seconds.
8. Now you can choose a hostname and domain name for the box. I used "hydra" as hostname (guess why), and "local.domain" as domain name.

Partitioning

Now the funny part starts: partitioning the disk. As I will be installing >= 10 OSes, this needs a bit of consideration.

I have chosen to create a 10 GB (primary) partition for a Redmond OS I'll be installing later (for games, testing, proprietary software I'm forced to use, and similar things). This will be the first partition and I marked it bootable, as Windows might choke otherwise.

For the rest, I reserved 5 GB for each OS — that should do. So the next two (primary) partitions are 5 GB each. I'll leave these empty for now, as I might encounter obscure OSes which must be installed on primary partitions. Let's hope it won't be more than two ;-) As you can only have four primary partitions, I then had to create a logical partition, which will "contain" any further partitions.

The next three (secondary) partitions are 1 GB each, intended to be used as swap. One of those I marked as swap in order to use it for Debian. Other Linux installations will be able to reuse this one. The other two are reserved in case I encounter OSes which have another form of swap and cannot use Linux swap partitions...

The rest is easy: create twelve 5 GB partitions => lots of space for more OSes. Here's the resulting fdisk output:

Disk /dev/hda: 81.9 GB, 81964302336 bytes
255 heads, 63 sectors/track, 9964 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

      Device Boot      Start         End      Blocks   Id  System
   /dev/hda1   *           1        1216     9767488+  83  Linux
   /dev/hda2            1217        1824     4883760   83  Linux
   /dev/hda3            1825        2432     4883760   83  Linux
   /dev/hda4            2433        9964    60500790    5  Extended
   /dev/hda5            2433        2554      979933+  82  Linux swap / Solaris
   /dev/hda6            2555        2676      979933+  83  Linux
   /dev/hda7            2677        2798      979933+  83  Linux
   /dev/hda8            2799        3406     4883728+  83  Linux
   /dev/hda9            3407        4014     4883728+  83  Linux
   /dev/hda10           4015        4622     4883728+  83  Linux
   /dev/hda11           4623        5230     4883728+  83  Linux
   /dev/hda12           5231        5838     4883728+  83  Linux
   /dev/hda13           5839        6446     4883728+  83  Linux
   /dev/hda14           6447        7054     4883728+  83  Linux
   /dev/hda15           7055        7662     4883728+  83  Linux
   /dev/hda16           7663        8270     4883728+  83  Linux
   /dev/hda17           8271        8878     4883728+  83  Linux
   /dev/hda18           8879        9486     4883728+  83  Linux
   /dev/hda19           9487        9964     3839503+  83  Linux

Install, continued

1. The Debian partitioning tool allowed me to do all of the above via a friendly menu. As it does not modify the partition table until you say "done", I could revert many changes, and play around with different layout ideas until I was satisfied.
2. Next thing you can choose is the Kernel flavor (386, 686, smp).
3. You may now configure and install GRUB, the bootloader. I installed it at "(hd0)", the master boot record of the hard disk.
4. Soon the CD ejects, and you have to reboot.
5. After a restart (which also shows whether GRUB works fine), you can now choose your timezone, and decide whether you want shadow passwords (say yes!).
6. Now enter the root password, and decide whether you want to create an additional user account (say yes, and enter a different password here).
7. You can now configure apt, e.g. tell it which sources you'd like to use (CDROM, FTP, HTTP, ...). You'll be asked whether you want to install software from Debian's "non-free" archive. After choosing a mirror (and proxy settings, if you like), you can (should!) also say yes to the question whether you want security updates...
8. Finally, you may now choose "tasks" (desktop, web server, file server, ...) your machine should be able to perform; this will influence which packages will be installed. You may choose "manual package selection", of course, if you want more control. I used "desktop".
9. That's about it. You'll see a few more application-specific questions (configuration of MTA, ssh, fonts, X11, gdm, and others), and after that you'll be left with a GNOME login window.

Security

Continue reading here...

Update 2006-06-05: Added netstat output and the list of world-writable files.
Update 2006-06-02: Shortened the length of the article on my main webpage as well as the RSS feed. But you can always read the whole article here, of course.
Update 2006-05-19: Updated "why is Debian-exim capitalized?" info as per comments, thanks!

Over the next few days or weeks I intend to install quite a bunch of free (as in beer) operating systems on one of my machines.

This has several reasons and benefits:

• I want to get an overview of most popular OSes out there and hands-on experiences on how to install them and partly also how to administer and use them.
• As I intend to not delete the OSes after the install, I'll have a massive-multi-boot system (>= 10 OSes) in the end. Managing to get this alone working might prove to be not exactly trivial... but definately interesting.
• Recently I started a disussion on the debian-devel mailing list about which system users on a Debian system should get a valid shell (/bin/sh, for example) and which should only get something like /bin/false [1]. While I install all these OSes, I will create a comparison chart of which users have a valid shell and which don't on every other Unix-like OS I install. This will be quite interesting, I guess, and it might help others package maintainers to decide whether or not to give certain system users a valid shell.
• It's a lot of fun :)

On the list I plan to install are most major (free) Unix-like operating systems, e.g. Debian, Ubuntu, Gentoo, Fedora Core, OpenSuSE, OpenBSD, FreeBSD, NetBSD, PC-BSD, OpenSolaris, and whatever else I can find out there. Basically, if I can download a CD image for free off the net, it's fine.

I'll be writing one small blog article per OS, stating my experiences, gotchas, pros and cons I noticed etc. If you have any suggestions for OSes or distributions I should look at, or ideas about other aspects of the OSes I could compare, please leave a comment.

[1] It has been pointed out that /usr/sbin/nologin or something similar is probably better than /bin/false, because it logs login attempts at these accounts (/bin/false doesn't).

Update: Articles published so far:

• Part 5: Mandriva
• Part 4: Ubuntu
• Part 3: PC-BSD
• Part 2: SUSE Linux
• Part 1: Debian stable + unstable