Note: This article is part of my OS Install Experiences series.
Long time no install, so here goes.
$ netstat -tulpna -A inet -A inet6
tcp 0 0 0.0.0.0:6566 0.0.0.0:* LISTEN 4667/xinetd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2378/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 4557/X
tcp 0 0 0.0.0.0:688 0.0.0.0:* LISTEN 3898/rpc.statd
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 4630/mDNSResponder
tcp 0 0 :::6000 :::* LISTEN 4557/X
udp 0 0 0.0.0.0:682 0.0.0.0:* 3898/rpc.statd
udp 0 0 0.0.0.0:685 0.0.0.0:* 3898/rpc.statd
udp 0 0 0.0.0.0:68 0.0.0.0:* 5108/dhclient
udp 0 0 0.0.0.0:5353 0.0.0.0:* 4630/mDNSResponder
udp 0 0 0.0.0.0:111 0.0.0.0:* 2378/portmap
Quite a lot of stuff, and lots of stuff I'd rather not have exposed to the Internet...
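As an added example (not part of the original article), the following script separates the loopback-only sockets in that output from those bound to every interface and groups the latter by program. The function names are hypothetical; the sample input is the socket list shown above, embedded so the script runs offline.

```shell
#!/bin/sh
# Constructed sample: the socket lines from the netstat output above.
sample_netstat() {
cat <<'EOF'
tcp 0 0 0.0.0.0:6566 0.0.0.0:* LISTEN 4667/xinetd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2378/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 4557/X
tcp 0 0 0.0.0.0:688 0.0.0.0:* LISTEN 3898/rpc.statd
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 4630/mDNSResponder
tcp 0 0 :::6000 :::* LISTEN 4557/X
udp 0 0 0.0.0.0:682 0.0.0.0:* 3898/rpc.statd
udp 0 0 0.0.0.0:685 0.0.0.0:* 3898/rpc.statd
udp 0 0 0.0.0.0:68 0.0.0.0:* 5108/dhclient
udp 0 0 0.0.0.0:5353 0.0.0.0:* 4630/mDNSResponder
udp 0 0 0.0.0.0:111 0.0.0.0:* 2378/portmap
EOF
}

# stdin: netstat -tulpn style lines; stdout: "proto port program" for each
# socket bound to something other than a loopback address.
exposed_listeners() {
    awk '
    $1 !~ /^(tcp|udp)/ { next }              # headers, unix sockets
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # -a also shows established TCP
    {
        addr = $4; port = $4
        sub(/:[^:]*$/, "", addr)             # drop ":port", keep bind address
        sub(/^.*:/, "", port)                # keep what follows the last colon
        if (addr ~ /^127\./ || addr == "::1") next
        n = split($NF, prog, "/")            # "4667/xinetd" -> "xinetd"
        print $1, port, (n > 1 ? prog[2] : "unknown")
    }'
}

# Same data grouped per program: "program proto/port proto/port ...".
exposed_by_program() {
    exposed_listeners | sort -u | awk '
    { ports[$3] = ports[$3] " " $1 "/" $2 }
    END { for (p in ports) print p ports[p] }' | sort
}

sample_netstat | exposed_by_program
```

On a live system, pipe `netstat -tulpn` into `exposed_by_program` instead of the embedded sample.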
drwxr-xr-x 3 root root 4096 Jul 11 02:44 /home/
lrwxrwxrwx 1 root root 9 Jul 11 02:44 guest -> /home/uwe/
drwx--x--x 20 uwe uwe 4096 Jul 19 21:31 /home/uwe/
drwxrwxrwt 23 root root 14880 Jul 19 21:14 /dev/
drwx------ 9 root root 4096 Jul 19 21:38 /root/
/dev:
crw-rw---- 1 uwe audio 14, 12 Jul 19 21:14 adsp
crw-rw---- 1 root video 10, 175 Jul 19 21:14 agpgart
crw------- 1 uwe root 10, 134 Jul 19 2006 apm_bios
crw-rw---- 1 uwe audio 14, 4 Jul 19 21:14 audio
crw------- 1 uwe root 5, 1 Jul 19 21:14 console
crw-rw---- 1 uwe audio 14, 3 Jul 19 21:14 dsp
brw-rw---- 1 uwe floppy 2, 0 Jul 19 2006 fd*
crw-rw-rw- 1 root root 1, 7 Jul 19 2006 full
brw-rw---- 1 root root 3, 0 Jul 19 2006 hda*
prw------- 1 root root 0 Jul 19 2006 initctl|
crw-r----- 1 root root 1, 2 Jul 19 2006 kmem
crw-rw---- 1 root root 1, 11 Jul 19 2006 kmsg
srw-rw-rw- 1 root root 0 Jul 19 21:14 log=
brw-rw---- 1 root disk 7, 0 Jul 19 21:14 loop*
crw------- 1 root root 6, 0 Jul 19 2006 lp0
brw-rw---- 1 root disk 9, 0 Jul 19 2006 md*
crw-r----- 1 root root 1, 1 Jul 19 2006 mem
crw-rw---- 1 uwe audio 14, 0 Jul 19 21:14 mixer
crw-rw-rw- 1 root root 1, 3 Jul 19 2006 null
crw-rw---- 1 uwe video 195, 0 Jul 19 2006 nvidia0
crw-rw---- 1 uwe video 195, 255 Jul 19 2006 nvidiactl
crw-rw---- 1 uwe usb 99, 0 Jul 19 2006 parport0
crw-r----- 1 root root 1, 4 Jul 19 2006 port
crw------- 1 root root 108, 0 Jul 19 2006 ppp
crw-rw---- 1 root root 10, 1 Jul 19 2006 psaux
crw-rw-rw- 1 root tty 5, 2 Jul 19 21:39 ptmx
brw-rw---- 1 root disk 1, 0 Jul 19 2006 ram*
crw-rw-rw- 1 root root 1, 8 Jul 19 2006 random
crw-rw---- 1 uwe usb 171, 0 Jul 19 2006 raw1394
crw------- 1 root root 162, 0 Jul 19 2006 rawctl
crw-rw---- 1 uwe video 10, 135 Jul 19 2006 rtc
crw-rw---- 1 uwe audio 14, 1 Jul 19 21:14 sequencer*
crw-rw---- 1 uwe cdwriter 21, 0 Jul 19 2006 sg*
brw-rw---- 1 uwe cdrom 11, 0 Jul 19 2006 sr*
crw------- 1 root root 9, 0 Jul 19 2006 st*
crw-rw-rw- 1 root tty 5, 0 Jul 19 2006 tty
crw-rw---- 1 root root 4, 0 Jul 19 2006 tty0
crw------- 1 root root 4, 1 Jul 19 21:14 tty[1-6]
crw-rw---- 1 root tty 4, 10 Jul 19 2006 tty??
crw-rw---- 1 uwe uucp 4, 64 Jul 19 2006 ttyS*
cr--r--r-- 1 root root 1, 9 Jul 19 21:14 urandom
crw-rw---- 1 root tty 7, 0 Jul 19 2006 vcs*
crw-rw-rw- 1 root root 1, 5 Jul 19 2006 zero
Several uncommon things to note: /root and /home/uwe permissions look quite good, but /dev is drwxrwxrwt? Doesn't look too good to me...
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/sh
adm:x:3:4:adm:/var/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/bin/sh
news:x:9:13:news:/var/spool/news:/bin/sh
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:operator:/var:/bin/sh
games:x:12:100:games:/usr/games:/bin/sh
nobody:x:65534:65534:Nobody:/:/bin/sh
rpm:x:13:101:system user for rpm:/var/lib/rpm:/bin/false
messagebus:x:14:105:system user for dbus:/:/sbin/nologin
haldaemon:x:15:106:system user for hal:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
xfs:x:70:70:system user for xorg-x11:/etc/X11/fs:/bin/false
rpc:x:71:71:system user for portmap:/:/bin/false
clamav:x:72:72:system user for clamav:/var/lib/clamav:/bin/sh
ntp:x:73:73:system user for ntp:/etc/ntp:/bin/false
saned:x:74:74:system user for saned:/home/saned:/bin/false
rpcuser:x:75:75:system user for nfs-utils:/var/lib/nfs:/bin/false
ups:x:76:76:system user for nut:/var/state/ups:/bin/false
uwe:x:500:500::/home/uwe:/bin/bash
# find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld '{}' \;
-rws--x--x 1 root root 5816 Jan 11 2006 /usr/X11R6/bin/Xwrapper
-rwsr-xr-x 1 root root 34592 Aug 18 2005 /usr/bin/at
-rwsr-sr-x 1 root cdwriter 578960 Jul 30 2005 /usr/bin/cdrdao
-rwsr-xr-x 1 root root 36604 Sep 13 2005 /usr/bin/chage
-rws--x--x 1 root root 14264 Sep 20 2005 /usr/bin/chfn
-rws--x--x 1 root root 14104 Sep 20 2005 /usr/bin/chsh
-rwsr-xr-x 1 root root 22476 Jul 14 2005 /usr/bin/crontab
-rwsr-xr-x 1 root root 16336 Sep 13 2005 /usr/bin/expiry
-rwsr-xr-x 1 root root 35100 Sep 13 2005 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 820764 Feb 14 19:44 /usr/bin/gpg
-rwsr-xr-x 1 root root 208428 Sep 5 2005 /usr/bin/gpgsm
-rwsr-xr-x 1 root root 11048 Dec 19 2005 /usr/bin/kcheckpass
-rwxr-sr-x 1 root nogroup 42988 Dec 19 2005 /usr/bin/kdesud
-rwsr-xr-x 1 root root 23704 Sep 9 2005 /usr/bin/kdetvv4lsetup
-rwxr-sr-x 1 root nogroup 11027 Sep 12 2005 /usr/bin/klaptop_acpi_helper
-rwsr-xr-x 1 root root 568236 Sep 9 2005 /usr/bin/kppp
-rwsr-x--- 1 root sys 22976 Feb 27 14:22 /usr/bin/lbp660
-rwxr-sr-x 1 root mail 13080 Sep 13 2004 /usr/bin/lockfile
-rwsr-sr-x 1 root sys 9136 Jan 6 2006 /usr/bin/lppasswd
-rwsr-x--- 1 root sys 11200 Feb 27 14:22 /usr/bin/ml85p
-rwsr-sr-x 1 root sys 201032 Feb 27 14:22 /usr/bin/mtink
-rws--x--x 1 root root 19924 Sep 13 2005 /usr/bin/newgrp
-r-s--x--x 1 root root 15540 Jun 20 2004 /usr/bin/passwd
-rwsr-xr-x 1 root root 27052 May 18 2004 /usr/bin/ping6
-rwsr-sr-x 1 root mail 71736 Sep 13 2004 /usr/bin/procmail
-rwxr-sr-x 1 root slocate 26284 Jan 12 2005 /usr/bin/slocate
-rwsr-xr-x 1 root root 15706 Sep 12 2005 /usr/bin/smbmnt3
-rwsr-xr-x 1 root root 12397 Sep 12 2005 /usr/bin/smbumount3
-rws--x--x 1 root root 67932 Dec 6 2005 /usr/bin/sperl5.8.7
---s--x--x 1 root root 105428 Dec 19 2005 /usr/bin/sudo
---s--x--x 1 root root 105428 Dec 19 2005 /usr/bin/sudoedit
-rwsr-sr-x 1 root sys 132268 Feb 27 14:22 /usr/bin/ttink
-r-xr-sr-x 1 root tty 8072 Aug 23 2005 /usr/bin/wall
-rwxr-sr-x 1 root tty 8672 Sep 20 2005 /usr/bin/write
-rwxr-sr-x 1 root mail 8756 Sep 15 2005 /usr/lib/camel-lock-helper-1.2
-rwxr-sr-x 1 lp sys 4532 Feb 27 14:22 /usr/lib/gimp/2.0/plug-ins/gimp-mtink
-rws--x--x 1 root root 164528 Feb 3 20:33 /usr/lib/ssh/ssh-keysign
-rwx--s--x 1 root utmp 9928 Sep 2 2005 /usr/lib/vte/gnome-pty-helper
-rwsr-xr-x 1 root root 9986 Mar 1 16:36 /usr/sbin/fileshareset
-rwxr-sr-x 1 root utmp 9928 Aug 16 2005 /usr/sbin/gnome-pty-helper
-rwsr-xr-t 1 root root 292568 Aug 28 2005 /usr/sbin/pppd
-rwsr-xr-x 1 root bin 18168 Nov 13 2004 /usr/sbin/traceroute
-rwsr-xr-x 1 root root 10968 May 18 2004 /usr/sbin/traceroute6
-rwsr-xr-x 1 root root 26564 Jul 25 2005 /usr/sbin/userhelper
-rwsr-xr-x 1 root root 11966 Feb 24 19:44 /usr/sbin/usernetctl
-rwxr-sr-x 1 root utmp 5920 Dec 17 2004 /usr/sbin/utempter
-rwsr-xr-x 1 root root 108088 Sep 20 2005 /bin/mount
-rwsr-xr-x 1 root root 18424 Sep 12 2005 /bin/mount.cifs3
-rwsr-xr-x 1 root root 31180 May 18 2004 /bin/ping
-rwsr-xr-x 1 root root 20308 Aug 18 2005 /bin/su
-rwsr-xr-x 1 root root 59740 Sep 20 2005 /bin/umount
-rwsr-xr-x 1 root root 8408 Sep 12 2005 /bin/umount.cifs3
-rwxr-sr-x 1 root root 3580 Feb 24 19:44 /sbin/netreport
-r-s--x--x 1 root root 11129 Sep 19 2005 /sbin/pam_timestamp_check
-rwsr-xr-x 1 root root 20276 Sep 19 2005 /sbin/pwdb_chkpwd
-r-sr-xr-x 1 root root 24656 Sep 19 2005 /sbin/unix_chkpwd
# find / -not -type l -perm -o+w -exec ls -ld '{}' \;
drwxrwxrwt 23 root root 14880 Jul 19 21:14 /dev
srw-rw-rw- 1 root root 0 Jul 19 21:14 /dev/log
crw-rw-rw- 1 root tty 5, 0 Jul 19 2006 /dev/tty
crw-rw-rw- 1 root tty 5, 2 Jul 19 21:28 /dev/ptmx
crw-rw-rw- 1 root root 1, 5 Jul 19 2006 /dev/zero
crw-rw-rw- 1 root root 1, 8 Jul 19 2006 /dev/random
crw-rw-rw- 1 root root 1, 3 Jul 19 2006 /dev/null
crw-rw-rw- 1 root root 1, 7 Jul 19 2006 /dev/full
drwxrwxrwt 2 root root 40 Jul 19 2006 /dev/shm
drwxrwxrwt 10 root root 4096 Jul 19 21:16 /tmp
drwxrwxrwt 2 root root 4096 Jul 19 21:15 /tmp/.ICE-unix
drwxrwxrwt 2 xfs xfs 4096 Jul 19 21:14 /tmp/.font-unix
srwxrwxrwx 1 xfs xfs 0 Jul 19 21:14 /tmp/.font-unix/fs-1
drwxrwxrwt 2 root root 4096 Jul 19 21:14 /tmp/.X11-unix
srwxrwxrwx 1 root root 0 Jul 19 21:14 /tmp/.X11-unix/X0
drwxrwxrwt 4 root root 4096 Jul 19 21:24 /var/tmp
drwxrwxrwt 2 root root 4096 Feb 27 14:48 /var/lib/lock/sane
srw-rw-rw- 1 root root 0 Jul 19 21:14 /var/run/sdp
srwxrwxrwx 1 root root 0 Jul 19 21:14 /var/run/dbus/system_dbus_socket
srw-rw-rw- 1 root root 0 Jul 19 21:14 /var/run/xdmctl/dmctl/socket
srw-rw-rw- 1 root root 0 Jul 19 21:14 /var/run/xdmctl/dmctl-:0/socket
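As an added example (not the author's script), the two sweeps above can be triaged rather than read as raw lists: the first function repeats the set-ID predicate, the second tags each world-writable entry by kind so that sticky directories, sockets and devices are told apart from plain files and non-sticky directories. All function names and the demo tree are hypothetical and constructed so the script runs without root.

```shell
#!/bin/sh
# Set-ID regular files below $1 (same predicate as the first sweep).
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# World-writable entries below $1, one per line as "<kind><TAB><path>".
classify_world_writable() {
    find "$1" ! -type l -perm -0002 -print | while IFS= read -r p; do
        if   [ -d "$p" ] && [ -k "$p" ]; then kind=sticky-dir  # like /tmp
        elif [ -d "$p" ]; then kind=open-dir   # anyone can delete or replace entries
        elif [ -f "$p" ]; then kind=file       # anyone can change the contents
        elif [ -S "$p" ]; then kind=socket     # connect permission for everyone
        elif [ -c "$p" ] || [ -b "$p" ]; then kind=device
        else kind=other
        fi
        printf '%s\t%s\n' "$kind" "$p"
    done
}

# The two kinds worth reviewing one by one.
needs_review() {
    classify_world_writable "$1" |
        awk -F '\t' '$1 == "file" || $1 == "open-dir"'
}

# Constructed demo tree; prints its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tmp" "$d/spool" "$d/bin"
    chmod 1777 "$d/tmp"                               # world-writable, sticky
    chmod 0777 "$d/spool"                             # world-writable, not sticky
    : > "$d/bin/helper"; chmod 4755 "$d/bin/helper"   # setuid
    : > "$d/bin/tool";   chmod 0755 "$d/bin/tool"
    : > "$d/motd";       chmod 0666 "$d/motd"         # world-writable file
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
setid_files "$demo"
classify_world_writable "$demo"
rm -rf "$demo"
```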
That's it.
Comments, suggestions, flames?
Comments
The security chapter is interesting
I think turning this into a very very simple 'test your system for basic security stuff' bash script might be cool. It could be a starter for a more general script that rates the security of a box, installation or distro. How interesting would it be to list a page with all the major distros ranked by the amount of results that 'find / -not -type l -perm -o+w -exec ls -ld '{}' \;' give, for example?
Hi Bèr, Well, a comparison
Hi Bèr,
Well, a comparison of some sort would probably be nice, but I don't think you can really make any quantitative statements - security is just too complex an issue.
More world-writable files doesn't necessarily mean you're less secure, and there are many many more important issues which I did not check at all while installing the OSes so far...
I never had a look at
I never had a look at Mandriva One but I can say that the Mandriva installer is very nice. You can even configure a firewall/choose the security level for Mandriva. Mandriva has various security levels from the undocumented one (0 = login as root without a password) to (5 ? = paranoid: a hell lot of checks and a secure kernel...)
Their Mandriva control center is one of the coolest things I've ever seen. I'm thinking about porting it to Debian.
Try again with the 2006 ISOs and I think you might be impressed.