Note: This article is part of my OS Install Experiences series.
OK, so let's start with something simple: Debian. Simple in the sense that there probably won't be too many surprises for me as a Debian developer (or for most readers of Planet Debian). For other people this might be interesting, though, and some facts are probably interesting to one or the other experienced Debian user/developer, too...
A few words on the hardware I'll be installing all these OSes on. It's a cheapo (200 Euros) x86 PC (Intel Celeron, 2 GHz), 80 GB IDE hard drive, 256 MB RAM, ATI Radeon 9200 SE graphics adapter, Realtek PCI ethernet controller, CDROM, USB, and all the other standard stuff. Nothing fancy, really.
Now the funny part starts: partitioning the disk. As I will be installing >= 10 OSes, this needs a bit of consideration.
I have chosen to create a 10 GB (primary) partition for a Redmond OS I'll be installing later (for games, testing, proprietary software I'm forced to use, and similar things). This will be the first partition and I marked it bootable, as Windows might choke otherwise.
For the rest, I reserved 5 GB for each OS — that should do. So the next two (primary) partitions are 5 GB each. I'll leave these empty for now, as I might encounter obscure OSes which must be installed on primary partitions. Let's hope it won't be more than two ;-) As you can only have four primary partitions, I then had to create a logical partition, which will "contain" any further partitions.
The next three (secondary) partitions are 1 GB each, intended to be used as swap. One of those I marked as swap in order to use it for Debian. Other Linux installations will be able to reuse this one. The other two are reserved in case I encounter OSes which have another form of swap and cannot use Linux swap partitions...
The rest is easy: create twelve 5 GB partitions => lots of space for more OSes. Here's the resulting fdisk output:
Disk /dev/hda: 81.9 GB, 81964302336 bytes
255 heads, 63 sectors/track, 9964 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/hda1 * 1 1216 9767488+ 83 Linux
/dev/hda2 1217 1824 4883760 83 Linux
/dev/hda3 1825 2432 4883760 83 Linux
/dev/hda4 2433 9964 60500790 5 Extended
/dev/hda5 2433 2554 979933+ 82 Linux swap / Solaris
/dev/hda6 2555 2676 979933+ 83 Linux
/dev/hda7 2677 2798 979933+ 83 Linux
/dev/hda8 2799 3406 4883728+ 83 Linux
/dev/hda9 3407 4014 4883728+ 83 Linux
/dev/hda10 4015 4622 4883728+ 83 Linux
/dev/hda11 4623 5230 4883728+ 83 Linux
/dev/hda12 5231 5838 4883728+ 83 Linux
/dev/hda13 5839 6446 4883728+ 83 Linux
/dev/hda14 6447 7054 4883728+ 83 Linux
/dev/hda15 7055 7662 4883728+ 83 Linux
/dev/hda16 7663 8270 4883728+ 83 Linux
/dev/hda17 8271 8878 4883728+ 83 Linux
/dev/hda18 8879 9486 4883728+ 83 Linux
/dev/hda19 9487 9964 3839503+ 83 Linux
Update 2006-06-05: Added netstat output and the list of world-writable files.
Update 2006-06-02: Shortened the length of the article on my main webpage as well as the RSS feed. But you can always read the whole article here, of course.
Update 2006-05-19: Updated "why is Debian-exim capitalized?" info as per comments, thanks!
I collected some (partly) security-relevant information after that.
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
113/tcp open auth
785/tcp open unknown
Not good. A default install should not have any ports open, IMHO. There are more daemons running: exim (port 25), and famd (port 771) for example. Those are fine however, as they only listen on the loopback interface and are not exposed to the Internet (eth0).
# netstat -tulp -4 -6
tcp 0 0 localhost.localdo:mysql *:* LISTEN 3648/mysqld
tcp 0 0 *:sunrpc *:* LISTEN 2937/portmap
tcp 0 0 *:www *:* LISTEN 3737/apache
tcp 0 0 *:auth *:* LISTEN 3583/inetd
tcp 0 0 localhost.localdoma:914 *:* LISTEN 3706/famd
tcp 0 0 *:ipp *:* LISTEN 3429/cupsd
tcp 0 0 localhost.localdom:smtp *:* LISTEN 3525/exim4
tcp 0 0 *:924 *:* LISTEN 3710/rpc.statd
tcp6 0 0 *:ssh *:* LISTEN 3696/sshd
udp 0 0 *:918 *:* 3710/rpc.statd
udp 0 0 *:921 *:* 3710/rpc.statd
udp 0 0 *:bootpc *:* 2932/dhclient
udp 0 0 *:sunrpc *:* 2937/portmap
udp 0 0 *:ipp *:* 3429/cupsd
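The loopback-versus-exposed distinction made above can be checked mechanically. The following is an added example, not part of the original article; the function names are hypothetical and the sample rows are taken from the netstat output above.

```shell
#!/bin/sh
# Added example (not from the original article): split listening sockets into
# loopback-only and exposed, using `netstat -tulp`-style rows.

# Constructed sample: the rows of the netstat output shown above.
sample_netstat() {
cat <<'EOF'
tcp 0 0 localhost.localdo:mysql *:* LISTEN 3648/mysqld
tcp 0 0 *:sunrpc *:* LISTEN 2937/portmap
tcp 0 0 *:www *:* LISTEN 3737/apache
tcp 0 0 *:auth *:* LISTEN 3583/inetd
tcp 0 0 localhost.localdoma:914 *:* LISTEN 3706/famd
tcp 0 0 *:ipp *:* LISTEN 3429/cupsd
tcp 0 0 localhost.localdom:smtp *:* LISTEN 3525/exim4
tcp 0 0 *:924 *:* LISTEN 3710/rpc.statd
tcp6 0 0 *:ssh *:* LISTEN 3696/sshd
udp 0 0 *:918 *:* 3710/rpc.statd
udp 0 0 *:921 *:* 3710/rpc.statd
udp 0 0 *:bootpc *:* 2932/dhclient
udp 0 0 *:sunrpc *:* 2937/portmap
udp 0 0 *:ipp *:* 3429/cupsd
EOF
}

# exposed_listeners: read netstat rows on stdin and print "proto port program"
# for every socket whose local address is not recognisably loopback.
# Anything that is not localhost*, 127.x or ::1 counts as exposed.
exposed_listeners() {
  awk '
    $1 !~ /^(tcp|udp)6?$/ { next }              # skip header lines
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }      # ignore established connections
    {
      addr = $4; sub(/:[^:]*$/, "", addr)       # strip ":port" (keeps "::")
      port = $4; sub(/^.*:/, "", port)
      prog = $NF; sub(/^[0-9]+\//, "", prog)    # "2937/portmap" -> "portmap"
      if (addr ~ /^localhost/ || addr ~ /^127\./ || addr == "::1") next
      print $1, port, prog
    }'
}

sample_netstat | exposed_listeners
```

On a live system, pipe the output of `netstat -tulp` (or `netstat -tulpn` for numeric addresses) into `exposed_listeners` instead of the sample.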
drwxrwsr-x 3 root staff 4096 2006-05-17 22:48 /home
drwxr-xr-x 11 uwe uwe 4096 2006-05-18 23:19 /home/uwe
drwxr-xr-x 10 root root 4096 2006-05-17 23:43 /root
drwxrwxrwt 8 root root 4096 2006-05-17 23:41 /tmp
/dev:
crw-rw---- 1 root video 10, 175 2006-05-17 23:13 agpgart
crw------- 1 root root 5, 1 2006-05-17 23:13 console
crw-rw---- 1 root audio 14, 3 2006-05-17 23:13 dsp
brw-rw---- 1 root floppy 2, 0 2006-05-17 23:13 fd0
crw-rw-rw- 1 root root 1, 7 2006-05-17 23:13 full
brw-rw---- 1 root disk 3, 0 2006-05-17 23:13 hda*
brw-rw---- 1 root cdrom 22, 64 2006-05-17 23:13 hdd
crw-r----- 1 root kmem 1, 2 2006-05-17 23:13 kmem
crw-rw---- 1 root root 1, 11 2006-05-17 23:13 kmsg
crw-r----- 1 root kmem 1, 1 2006-05-17 23:13 mem
crw-rw-rw- 1 root root 1, 3 2006-05-17 23:13 null
crw-rw-rw- 1 root root 5, 0 2006-05-17 23:13 tty
crw-rw---- 1 root root 4, 0 2006-05-17 23:13 tty0
crw------- 1 root root 4, 1 2006-05-17 23:24 tty1
crw------- 1 root tty 4, 2 2006-05-17 23:13 tty[2-6]
crw-rw---- 1 root root 4, 7 2006-05-17 23:13 tty7
[...]
crw-rw---- 1 root root 4, 63 2006-05-17 23:13 tty63
crw-rw---- 1 root dialout 4, 64 2006-05-17 23:13 ttyS*
crw-rw-rw- 1 root root 1, 8 2006-05-17 23:13 random
cr--r--r-- 1 root root 1, 9 2006-05-17 23:13 urandom
crw-rw---- 1 root root 7, 1 2006-05-17 23:13 vcs*
crw-rw-rw- 1 root root 1, 5 2006-05-17 23:13 zero
Most of that looks sane to me (a "chmod 700 /home/uwe /root" would be nice, though), but maybe it can be tightened/secured a bit more? Ideas?
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
uwe:x:1000:1000:,,,:/home/uwe:/bin/bash
identd:x:100:65534::/var/run/identd:/bin/false
sshd:x:101:65534::/var/run/sshd:/bin/false
messagebus:x:103:104::/var/run/dbus:/bin/false
hal:x:106:106:Hardware abstraction layer,,,:/var/run/hal:/bin/false
saned:x:109:109::/home/saned:/bin/false
gdm:x:104:110:Gnome Display Manager:/var/lib/gdm:/bin/false
mysql:x:105:111:MySQL Server,,,:/var/lib/mysql:/bin/false
Not too good, IMHO. Almost all system accounts have a valid shell instead of /bin/false or /usr/sbin/nologin. Most of those should not need one, and security-wise it's a lot better to not give them a valid shell. The good news is that many daemons (ssh, mysql, etc.) don't have a valid shell. Uh, why is "Debian-exim" capitalized? Update: That's why.
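One way to run the shell check described above over any passwd file, as an added example that is not part of the original article. The function names are hypothetical; the first regular UID (1000), the special-casing of "nobody" (65534) and the treatment of /bin/sync as a non-login shell are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): list system accounts that
# still have a usable login shell.

# Constructed sample: nine entries copied from the /etc/passwd listing above.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
uwe:x:1000:1000:,,,:/home/uwe:/bin/bash
sshd:x:101:65534::/var/run/sshd:/bin/false
mysql:x:105:111:MySQL Server,,,:/var/lib/mysql:/bin/false
EOF
}

# system_accounts_with_shell [FIRST_UID]: read passwd(5) lines on stdin and
# print "name uid shell" for non-root system accounts with a usable shell.
# Assumptions: regular users start at FIRST_UID (default 1000), "nobody" is
# UID 65534, and /bin/sync is not treated as a login shell.
system_accounts_with_shell() {
  awk -F: -v first="${1:-1000}" '
    /^#/ || NF != 7 { next }                  # comments and malformed lines
    $3 == 0 { next }                          # root keeps its shell
    $3 >= first && $3 != 65534 { next }       # regular user account
    {
      shell = ($7 == "") ? "/bin/sh" : $7     # empty field defaults to /bin/sh
      if (shell ~ /\/(false|nologin|sync)$/) next
      print $1, $3, shell
    }'
}

sample_passwd | system_accounts_with_shell
```

Run it as `system_accounts_with_shell < /etc/passwd`; each reported account can then be reviewed and, where no shell is needed, changed with `usermod -s /usr/sbin/nologin NAME`.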
# find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld '{}' \;
-rwxr-sr-x 1 root tty 9784 2005-09-18 09:04 /usr/bin/wall
-rwsr-xr-x 1 root root 22872 2005-05-18 08:33 /usr/bin/newgrp
-rwxr-sr-x 1 root shadow 34488 2005-05-18 08:33 /usr/bin/chage
-rwsr-xr-x 1 root root 28056 2005-05-18 08:33 /usr/bin/chfn
-rwsr-xr-x 1 root root 28088 2005-05-18 08:33 /usr/bin/chsh
-rwxr-sr-x 1 root shadow 16696 2005-05-18 08:33 /usr/bin/expiry
-rwsr-xr-x 1 root root 34904 2005-05-18 08:33 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 26616 2005-05-18 08:33 /usr/bin/passwd
-rwsr-xr-x 1 root root 34488 2002-01-18 09:13 /usr/bin/at
-rwxr-sr-x 1 root tty 7992 2004-11-01 20:29 /usr/bin/bsd-write
-rwxr-sr-x 1 root crontab 26872 2004-07-28 22:44 /usr/bin/crontab
-rwxr-sr-x 1 root mail 9860 2004-06-04 17:21 /usr/bin/dotlockfile
-rwsr-xr-x 1 root root 18136 2004-12-01 08:29 /usr/bin/traceroute.lbl
-rwsr-xr-x 1 root root 809836 2006-03-10 12:19 /usr/bin/gpg
-rwxr-sr-x 1 root mail 7764 2006-01-31 01:48 /usr/bin/mutt_dotlock
-rwsr-sr-x 1 root lp 24184 2004-07-27 23:48 /usr/bin/lpq
-rwsr-sr-x 1 root lp 22232 2004-07-27 23:48 /usr/bin/lprm
-rwsr-sr-x 1 root lp 24440 2004-07-27 23:48 /usr/bin/lpr
-rwsr-xr-x 1 root root 44024 2004-12-12 20:35 /usr/bin/mtr
-rwsr-sr-x 1 root mail 71640 2005-03-01 16:37 /usr/bin/procmail
-rwxr-sr-x 1 root mail 12712 2005-03-01 16:37 /usr/bin/lockfile
-rwxr-sr-x 1 root ssh 57304 2004-11-28 16:33 /usr/bin/ssh-agent
-rwsr-xr-x 1 root root 10894 2004-06-04 12:02 /usr/bin/fileshareset
-rwsr-xr-x 1 root root 5144 2006-01-15 14:37 /usr/bin/kgrantpty
-rwsr-xr-x 1 root root 5588 2006-01-15 14:37 /usr/bin/kpac_dhcp_helper
-rwsr-xr-x 1 root root 98488 2006-03-20 23:03 /usr/bin/sudo
-rwsr-xr-- 1 root plugdev 19096 2005-05-18 15:47 /usr/bin/pumount
-rwsr-xr-- 1 root plugdev 26680 2005-05-18 15:47 /usr/bin/pmount
-rwxr-sr-x 1 root nogroup 45600 2005-09-08 07:32 /usr/bin/kdesud
-rwsr-xr-- 1 root dip 575192 2005-05-24 09:18 /usr/bin/kppp
-rwsr-xr-x 1 root root 544332 2005-04-08 15:53 /usr/bin/gpg2
-rwxr-sr-x 1 root games 34872 2005-03-02 19:20 /usr/games/same-gnome
-rwxr-sr-x 1 root games 57152 2005-03-02 19:20 /usr/games/gnomine
-rwxr-sr-x 1 root games 65752 2005-03-02 19:20 /usr/games/gnome-stones
-rwxr-sr-x 1 root games 70296 2005-03-02 19:20 /usr/games/mahjongg
-rwxr-sr-x 1 root games 48952 2005-03-02 19:20 /usr/games/gtali
-rwxr-sr-x 1 root games 36652 2005-03-02 19:20 /usr/games/gnotravex
-rwxr-sr-x 1 root games 94200 2005-03-02 19:20 /usr/games/gnobots2
-rwxr-sr-x 1 root games 28776 2005-03-02 19:20 /usr/games/gnotski
-rwxr-sr-x 1 root games 42584 2005-03-02 19:20 /usr/games/glines
-rwxr-sr-x 1 root games 61944 2005-03-02 19:20 /usr/games/gnibbles
-rwxr-sr-x 1 root games 78096 2005-03-02 19:20 /usr/games/gnometris
-rwsr-xr-x 1 root root 5668 2006-04-02 15:32 /usr/lib/pt_chown
-rwxr-sr-x 1 root mail 10940 2006-03-13 14:30 /usr/lib/evolution/2.0/camel/camel-lock-helper
-rwxr-sr-x 1 root utmp 9144 2005-03-09 18:21 /usr/lib/libvte4/gnome-pty-helper
-rwsr-xr-x 1 root root 13304 2005-09-06 15:13 /usr/lib/apache/suexec.disabled
-rwsr-xr-x 1 root root 668568 2006-04-11 14:33 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 265880 2005-05-05 19:32 /usr/sbin/pppd
-rwsr-xr-- 1 root dip 29420 2004-09-30 04:13 /usr/sbin/pppoe
-rwxr-sr-x 1 root lp 32248 2004-07-27 23:48 /usr/sbin/lpc
-rwsr-sr-x 1 root root 7860 2005-09-02 00:44 /usr/X11R6/bin/X
-rwsr-xr-x 1 root root 35512 2005-05-18 08:33 /bin/login
-rwsr-xr-x 1 root root 23416 2005-05-18 08:33 /bin/su
-rwsr-xr-x 1 root root 68440 2005-09-18 09:04 /bin/mount
-rwsr-xr-x 1 root root 40920 2005-09-18 09:04 /bin/umount
-rwsr-xr-x 1 root root 30764 2003-12-22 23:18 /bin/ping
-rwsr-xr-x 1 root root 26604 2003-12-22 23:18 /bin/ping6
-r-sr-xr-x 1 root root 15000 2004-06-28 20:39 /sbin/unix_chkpwd
Quite a bunch, I'd say. The games are "only" "setgid games", but I'd really, really remove them on any production machine which should be halfway secure. Some of those binaries probably need the setuid/setgid bit (su, passwd, ...), but others probably don't. Maybe we should ship more of that non-setuid by default and add a note to the READMEs which tells the admin how he can make the apps setuid if he should want that?
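A way to act on the list above, as an added example that is not part of the original article: compare the find output against a reviewed allowlist and print `dpkg-statoverride` commands (Debian's tool for making permission changes survive package upgrades) for everything else. The allowlist contents and function names are hypothetical, and the sample rows are copied from the listing above.

```shell
#!/bin/sh
# Added example (not from the original article): review setuid/setgid binaries
# against an allowlist and print dpkg-statoverride commands for the rest.

# Hypothetical allowlist: colon-separated paths the admin wants to keep as-is.
KEEP="/bin/su:/usr/bin/passwd:/usr/bin/sudo"

# Constructed sample: five rows copied from the find listing above.
sample_listing() {
cat <<'EOF'
-rwsr-xr-x 1 root root 23416 2005-05-18 08:33 /bin/su
-rwsr-xr-x 1 root root 26616 2005-05-18 08:33 /usr/bin/passwd
-rwsr-xr-x 1 root root 44024 2004-12-12 20:35 /usr/bin/mtr
-rwxr-sr-x 1 root games 57152 2005-03-02 19:20 /usr/games/gnomine
-rwsr-xr-- 1 root dip 575192 2005-05-24 09:18 /usr/bin/kppp
EOF
}

# statoverride_plan KEEP: read `ls -ld` rows on stdin; for each setuid/setgid
# file not in KEEP, print a command that registers the same owner, group and
# rwx bits without the special bits. Commands are printed, never executed.
# Assumes paths contain no whitespace.
statoverride_plan() {
  awk -v keep="$1" '
    function plain_mode(m,   i, d, c, out) {
      out = "0"
      for (i = 0; i < 3; i++) {
        d = 0
        if (substr(m, 2 + 3 * i, 1) == "r") d += 4
        if (substr(m, 3 + 3 * i, 1) == "w") d += 2
        c = substr(m, 4 + 3 * i, 1)
        if (c == "x" || c == "s" || c == "t") d += 1   # S/T mean no execute
        out = out d
      }
      return out
    }
    BEGIN { n = split(keep, k, ":"); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    $1 ~ /^-..[sS]/ || $1 ~ /^-.....[sS]/ {
      if (!($NF in ok))
        print "dpkg-statoverride --update --add", $3, $4, plain_mode($1), $NF
    }'
}

sample_listing | statoverride_plan "$KEEP"
```

Feed it the real output of the find command above and review the printed commands before running any of them as root.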
drwxrwxrwx 4 www-data www-data 4096 2006-05-19 00:19 /var/lib/apache/mod-bandwidth
drwxrwxrwx 2 www-data www-data 4096 2005-09-06 15:12 /var/lib/apache/mod-bandwidth/master
drwxrwxrwx 2 www-data www-data 4096 2005-09-06 15:12 /var/lib/apache/mod-bandwidth/link
drwxrwxrwt 2 root root 4096 2006-06-04 22:37 /var/lock
drwxrwxrwx 2 root root 4096 2006-05-17 23:17 /var/log/debian-installer/cdebconf
srwxrwxrwx 1 root root 0 2006-06-04 22:37 /var/run/dbus/system_bus_socket
srwxrwxrwx 1 mysql mysql 0 2006-06-04 22:38 /var/run/mysqld/mysqld.sock
drwxrwxrwt 4 root root 4096 2006-05-29 19:33 /var/tmp
drwxrwxrwt 2 root root 4096 2006-05-18 00:21 /var/tmp/vi.recover
srwxrwxrwx 1 root root 0 2006-06-04 22:38 /dev/gpmctl
drwxrwxrwt 2 root root 40 2006-06-05 00:37 /dev/shm
srw-rw-rw- 1 root root 0 2006-06-04 22:37 /dev/log
crw-rw-rw- 1 root root 5, 2 2006-06-04 22:49 /dev/ptmx
crw-rw-rw- 1 root root 1, 5 2006-06-05 00:37 /dev/zero
crw-rw-rw- 1 root root 1, 8 2006-06-05 00:37 /dev/random
crw-rw-rw- 1 root root 1, 7 2006-06-05 00:37 /dev/full
crw-rw-rw- 1 root root 5, 0 2006-06-04 22:37 /dev/tty
crw-rw-rw- 1 root root 1, 3 2006-06-05 00:37 /dev/null
crw-rw-rw- 1 root root 1, 3 2006-05-18 00:21 /dev/.static/dev/null
crw-rw-rw- 1 root root 1, 5 2006-05-18 00:21 /dev/.static/dev/zero
crw-rw-rw- 1 root root 1, 7 2006-05-18 00:21 /dev/.static/dev/full
crw-rw-rw- 1 root root 1, 8 2006-05-18 00:21 /dev/.static/dev/random
crw-rw-rw- 1 root tty 5, 0 2006-05-18 00:21 /dev/.static/dev/tty
crw-rw-rw- 1 root tty 2, 42 2005-02-26 07:38 /dev/.static/dev/pty*
crw-rw-rw- 1 root tty 3, 42 2005-02-26 07:38 /dev/.static/dev/tty*
crw-rw-rw- 1 root tty 5, 2 2005-02-26 07:39 /dev/.static/dev/ptmx
crw-rw-rw- 1 root root 180, 48 2005-02-26 07:43 /dev/.static/dev/usb/scanner*
srw-rw-rw- 1 root root 0 2006-05-18 00:46 /dev/.static/dev/log
drwxrwxrwt 8 root root 4096 2006-06-04 22:41 /tmp
drwxrwxrwt 2 root root 4096 2006-06-04 22:38 /tmp/.X11-unix
srwxrwxrwx 1 root root 0 2006-06-04 22:38 /tmp/.X11-unix/X0
drwxrwxrwt 2 root root 4096 2006-06-04 22:38 /tmp/.ICE-unix
srwxrwxrwx 1 uwe uwe 0 2006-06-04 22:38 /tmp/.ICE-unix/3949
srw-rw-rw- 1 root root 0 2006-06-04 22:38 /tmp/.gdm_socket
Ok, so that's it for Debian stable. Unstable is 99% the same, except that you do a "vi /etc/apt/sources.list; apt-get update; apt-get dist-upgrade". I'll do that later maybe, compare the findings, and report notable differences here, but it shouldn't be too many (I guess). Not today, though, I need some sleep now.
Comments, suggestions, flames?
Comments
Unstable not the same
Hello Uwe,
You say that unstable is about 99% the same, but I dare to disagree: when installing unstable, I'd also use the installer images (etch beta 2, or even better, the daily builds). There have been quite some improvements since sarge, like a graphical installer, eliminating the second stage after reboot, and more general improvements and polish. A different experience indeed.
Thijs
unstable
Hi Thijs,
agreed. I'll use etch images and do a fresh install for comparison purposes. In this specific case I was referring to the security stuff (permissions, accounts, etc.) which I think will not have changed dramatically... I'll have a look anyways, though.
home dir permissions
Last time I installed, a couple of weeks ago, using the etch b2 image, debconf asks if you want to have world readable $HOME directories. I believe the default is 'yes'.
homedir permissions
OK, thanks. I tried a weekly CD image recently but I had some problems, so I couldn't yet verify that. Will do later, though...
Uwe.
Why is Debian-exim capitalized?
See http://pkg-exim4.alioth.debian.org/README/README.Debian.html#id2454285
The packages in Debian sarge have the same information, only not so well organized.
Debian-exim
Thanks a lot! I updated the page accordingly...
It still looks a bit awkward to have capitalized account names. I'd like debian-exim better, but that's not an option, I guess :)
Why Debian-exim?
The README.Debian-accountname file, packaged with exim4-base, explains this.
Debian-exim
Thanks Craig! Page updated, see comment above...