OS Install Experiences - Part 5: Mandriva

Note: This article is part of my OS Install Experiences series.

Long time no install, so here goes.

Install

  1. First, I downloaded a Mandriva One CD image, burned it on a CD, and booted from that.
  2. The (graphical) installer allows you to choose language and country, but there's no German(y). WTF? Maybe I just overlooked it, but I did look twice! When choosing the keyboard layout there is a German layout...
  3. After choosing the timezone, a KDE 3.4 live system is started. If you want to install Mandriva, you click the "Install from live system" icon on the desktop. The installation is done in a wizard after that.
  4. The partitioning tool is quite nice and has an "expert mode" you can enable to see more info and get more control. It performs all actions immediately, though (AFAICS), which can lead to trouble.
  5. You can choose between LILO or GRUB, and even edit the list of GRUB entries manually (which is nice; many other distributions don't allow that).
  6. After a while there were no more windows or messages, so I thought the install was done and rebooted. Obviously I was wrong. GRUB wasn't installed (the old one was still there), so I had to manually boot into the Mandriva installation. From there, the installation continued...
  7. After net config (even asked me for a zeroconf hostname), root password, user creation and all the usual stuff, you're dropped in a KDE session and the install is done.

Security

  • netstat output:
    $ netstat -tulpna -A inet -A inet6
    tcp        0      0 0.0.0.0:6566                0.0.0.0:*                   LISTEN      4667/xinetd     
    tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2378/portmap    
    tcp        0      0 0.0.0.0:6000                0.0.0.0:*                   LISTEN      4557/X      
    tcp        0      0 0.0.0.0:688                 0.0.0.0:*                   LISTEN      3898/rpc.statd
    tcp        0      0 127.0.0.1:5335              0.0.0.0:*                   LISTEN      4630/mDNSResponder
    tcp        0      0 :::6000                     :::*                        LISTEN      4557/X            
    udp        0      0 0.0.0.0:682                 0.0.0.0:*                               3898/rpc.statd    
    udp        0      0 0.0.0.0:685                 0.0.0.0:*                               3898/rpc.statd
    udp        0      0 0.0.0.0:68                  0.0.0.0:*                               5108/dhclient 
    udp        0      0 0.0.0.0:5353                0.0.0.0:*                               4630/mDNSResponder
    udp        0      0 0.0.0.0:111                 0.0.0.0:*                               2378/portmap
    

    Quite a lot of stuff, and lots of stuff I'd rather not have exposed to the Internet...

  • Some permissions:
    drwxr-xr-x   3 root root  4096 Jul 11 02:44 /home/
    lrwxrwxrwx   1 root root    9 Jul 11 02:44 guest -> /home/uwe/
    drwx--x--x  20 uwe  uwe  4096 Jul 19 21:31 /home/uwe/
    drwxrwxrwt  23 root root 14880 Jul 19 21:14 /dev/
    drwx------   9 root root  4096 Jul 19 21:38 /root/
    /dev:
    crw-rw----  1 uwe  audio     14,  12 Jul 19 21:14 adsp
    crw-rw----  1 root video     10, 175 Jul 19 21:14 agpgart
    crw-------  1 uwe  root      10, 134 Jul 19  2006 apm_bios
    crw-rw----  1 uwe  audio     14,   4 Jul 19 21:14 audio
    crw-------  1 uwe  root       5,   1 Jul 19 21:14 console
    crw-rw----  1 uwe  audio     14,   3 Jul 19 21:14 dsp
    brw-rw----  1 uwe  floppy     2,   0 Jul 19  2006 fd*
    crw-rw-rw-  1 root root       1,   7 Jul 19  2006 full
    brw-rw----  1 root root       3,   0 Jul 19  2006 hda*
    prw-------  1 root root            0 Jul 19  2006 initctl|
    crw-r-----  1 root root       1,   2 Jul 19  2006 kmem
    crw-rw----  1 root root       1,  11 Jul 19  2006 kmsg
    srw-rw-rw-  1 root root            0 Jul 19 21:14 log=
    brw-rw----  1 root disk       7,   0 Jul 19 21:14 loop*
    crw-------  1 root root       6,   0 Jul 19  2006 lp0
    brw-rw----  1 root disk       9,   0 Jul 19  2006 md*
    crw-r-----  1 root root       1,   1 Jul 19  2006 mem
    crw-rw----  1 uwe  audio     14,   0 Jul 19 21:14 mixer
    crw-rw-rw-  1 root root       1,   3 Jul 19  2006 null
    crw-rw----  1 uwe  video    195,   0 Jul 19  2006 nvidia0
    crw-rw----  1 uwe  video    195, 255 Jul 19  2006 nvidiactl
    crw-rw----  1 uwe  usb       99,   0 Jul 19  2006 parport0
    crw-r-----  1 root root       1,   4 Jul 19  2006 port
    crw-------  1 root root     108,   0 Jul 19  2006 ppp
    crw-rw----  1 root root      10,   1 Jul 19  2006 psaux
    crw-rw-rw-  1 root tty        5,   2 Jul 19 21:39 ptmx
    brw-rw----  1 root disk       1,   0 Jul 19  2006 ram*
    crw-rw-rw-  1 root root       1,   8 Jul 19  2006 random
    crw-rw----  1 uwe  usb      171,   0 Jul 19  2006 raw1394
    crw-------  1 root root     162,   0 Jul 19  2006 rawctl
    crw-rw----  1 uwe  video     10, 135 Jul 19  2006 rtc
    crw-rw----  1 uwe  audio     14,   1 Jul 19 21:14 sequencer*
    crw-rw----  1 uwe  cdwriter  21,   0 Jul 19  2006 sg*
    brw-rw----  1 uwe  cdrom     11,   0 Jul 19  2006 sr*
    crw-------  1 root root       9,   0 Jul 19  2006 st*
    crw-rw-rw-  1 root tty        5,   0 Jul 19  2006 tty
    crw-rw----  1 root root       4,   0 Jul 19  2006 tty0
    crw-------  1 root root       4,   1 Jul 19 21:14 tty[1-6]
    crw-rw----  1 root tty        4,  10 Jul 19  2006 tty??
    crw-rw----  1 uwe  uucp       4,  64 Jul 19  2006 ttyS*
    cr--r--r--  1 root root       1,   9 Jul 19 21:14 urandom
    crw-rw----  1 root tty        7,   0 Jul 19  2006 vcs*
    crw-rw-rw-  1 root root       1,   5 Jul 19  2006 zero
    

    Several uncommon things to note: /root and /home/uwe permissions look quite good, but /dev is drwxrwxrwt? Doesn't look too good to me...

  • Default users and shells:
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/bin/sh
    daemon:x:2:2:daemon:/sbin:/bin/sh
    adm:x:3:4:adm:/var/adm:/bin/sh
    lp:x:4:7:lp:/var/spool/lpd:/bin/sh
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/spool/mail:/bin/sh
    news:x:9:13:news:/var/spool/news:/bin/sh
    uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
    operator:x:11:0:operator:/var:/bin/sh
    games:x:12:100:games:/usr/games:/bin/sh
    nobody:x:65534:65534:Nobody:/:/bin/sh
    rpm:x:13:101:system user for rpm:/var/lib/rpm:/bin/false
    messagebus:x:14:105:system user for dbus:/:/sbin/nologin
    haldaemon:x:15:106:system user for hal:/:/sbin/nologin
    vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
    xfs:x:70:70:system user for xorg-x11:/etc/X11/fs:/bin/false
    rpc:x:71:71:system user for portmap:/:/bin/false
    clamav:x:72:72:system user for clamav:/var/lib/clamav:/bin/sh
    ntp:x:73:73:system user for ntp:/etc/ntp:/bin/false
    saned:x:74:74:system user for saned:/home/saned:/bin/false
    rpcuser:x:75:75:system user for nfs-utils:/var/lib/nfs:/bin/false
    ups:x:76:76:system user for nut:/var/state/ups:/bin/false
    uwe:x:500:500::/home/uwe:/bin/bash
    
  • Setuid/setgid files:
    # find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld '{}' \;
    -rws--x--x  1 root root 5816 Jan 11  2006 /usr/X11R6/bin/Xwrapper
    -rwsr-xr-x  1 root root 34592 Aug 18  2005 /usr/bin/at
    -rwsr-sr-x  1 root cdwriter 578960 Jul 30  2005 /usr/bin/cdrdao
    -rwsr-xr-x  1 root root 36604 Sep 13  2005 /usr/bin/chage
    -rws--x--x  1 root root 14264 Sep 20  2005 /usr/bin/chfn
    -rws--x--x  1 root root 14104 Sep 20  2005 /usr/bin/chsh
    -rwsr-xr-x  1 root root 22476 Jul 14  2005 /usr/bin/crontab
    -rwsr-xr-x  1 root root 16336 Sep 13  2005 /usr/bin/expiry
    -rwsr-xr-x  1 root root 35100 Sep 13  2005 /usr/bin/gpasswd
    -rwsr-xr-x  1 root root 820764 Feb 14 19:44 /usr/bin/gpg
    -rwsr-xr-x  1 root root 208428 Sep  5  2005 /usr/bin/gpgsm
    -rwsr-xr-x  1 root root 11048 Dec 19  2005 /usr/bin/kcheckpass
    -rwxr-sr-x  1 root nogroup 42988 Dec 19  2005 /usr/bin/kdesud
    -rwsr-xr-x  1 root root 23704 Sep  9  2005 /usr/bin/kdetvv4lsetup
    -rwxr-sr-x  1 root nogroup 11027 Sep 12  2005 /usr/bin/klaptop_acpi_helper
    -rwsr-xr-x  1 root root 568236 Sep  9  2005 /usr/bin/kppp
    -rwsr-x---  1 root sys 22976 Feb 27 14:22 /usr/bin/lbp660
    -rwxr-sr-x  1 root mail 13080 Sep 13  2004 /usr/bin/lockfile
    -rwsr-sr-x  1 root sys 9136 Jan  6  2006 /usr/bin/lppasswd
    -rwsr-x---  1 root sys 11200 Feb 27 14:22 /usr/bin/ml85p
    -rwsr-sr-x  1 root sys 201032 Feb 27 14:22 /usr/bin/mtink
    -rws--x--x  1 root root 19924 Sep 13  2005 /usr/bin/newgrp
    -r-s--x--x  1 root root 15540 Jun 20  2004 /usr/bin/passwd
    -rwsr-xr-x  1 root root 27052 May 18  2004 /usr/bin/ping6
    -rwsr-sr-x  1 root mail 71736 Sep 13  2004 /usr/bin/procmail
    -rwxr-sr-x  1 root slocate 26284 Jan 12  2005 /usr/bin/slocate
    -rwsr-xr-x  1 root root 15706 Sep 12  2005 /usr/bin/smbmnt3
    -rwsr-xr-x  1 root root 12397 Sep 12  2005 /usr/bin/smbumount3
    -rws--x--x  1 root root 67932 Dec  6  2005 /usr/bin/sperl5.8.7
    ---s--x--x  1 root root 105428 Dec 19  2005 /usr/bin/sudo
    ---s--x--x  1 root root 105428 Dec 19  2005 /usr/bin/sudoedit
    -rwsr-sr-x  1 root sys 132268 Feb 27 14:22 /usr/bin/ttink
    -r-xr-sr-x  1 root tty 8072 Aug 23  2005 /usr/bin/wall
    -rwxr-sr-x  1 root tty 8672 Sep 20  2005 /usr/bin/write
    -rwxr-sr-x  1 root mail 8756 Sep 15  2005 /usr/lib/camel-lock-helper-1.2
    -rwxr-sr-x  1 lp sys 4532 Feb 27 14:22 /usr/lib/gimp/2.0/plug-ins/gimp-mtink
    -rws--x--x  1 root root 164528 Feb  3 20:33 /usr/lib/ssh/ssh-keysign
    -rwx--s--x  1 root utmp 9928 Sep  2  2005 /usr/lib/vte/gnome-pty-helper
    -rwsr-xr-x  1 root root 9986 Mar  1 16:36 /usr/sbin/fileshareset
    -rwxr-sr-x  1 root utmp 9928 Aug 16  2005 /usr/sbin/gnome-pty-helper
    -rwsr-xr-t  1 root root 292568 Aug 28  2005 /usr/sbin/pppd
    -rwsr-xr-x  1 root bin 18168 Nov 13  2004 /usr/sbin/traceroute
    -rwsr-xr-x  1 root root 10968 May 18  2004 /usr/sbin/traceroute6
    -rwsr-xr-x  1 root root 26564 Jul 25  2005 /usr/sbin/userhelper
    -rwsr-xr-x  1 root root 11966 Feb 24 19:44 /usr/sbin/usernetctl
    -rwxr-sr-x  1 root utmp 5920 Dec 17  2004 /usr/sbin/utempter
    -rwsr-xr-x  1 root root 108088 Sep 20  2005 /bin/mount
    -rwsr-xr-x  1 root root 18424 Sep 12  2005 /bin/mount.cifs3
    -rwsr-xr-x  1 root root 31180 May 18  2004 /bin/ping
    -rwsr-xr-x  1 root root 20308 Aug 18  2005 /bin/su
    -rwsr-xr-x  1 root root 59740 Sep 20  2005 /bin/umount
    -rwsr-xr-x  1 root root 8408 Sep 12  2005 /bin/umount.cifs3
    -rwxr-sr-x  1 root root 3580 Feb 24 19:44 /sbin/netreport
    -r-s--x--x  1 root root 11129 Sep 19  2005 /sbin/pam_timestamp_check
    -rwsr-xr-x  1 root root 20276 Sep 19  2005 /sbin/pwdb_chkpwd
    -r-sr-xr-x  1 root root 24656 Sep 19  2005 /sbin/unix_chkpwd
    
  • World-writable files:
    # find / -not -type l -perm -o+w -exec ls -ld '{}' \;
    drwxrwxrwt  23 root root 14880 Jul 19 21:14 /dev
    srw-rw-rw-  1 root root 0 Jul 19 21:14 /dev/log
    crw-rw-rw-  1 root tty 5, 0 Jul 19  2006 /dev/tty
    crw-rw-rw-  1 root tty 5, 2 Jul 19 21:28 /dev/ptmx
    crw-rw-rw-  1 root root 1, 5 Jul 19  2006 /dev/zero
    crw-rw-rw-  1 root root 1, 8 Jul 19  2006 /dev/random
    crw-rw-rw-  1 root root 1, 3 Jul 19  2006 /dev/null
    crw-rw-rw-  1 root root 1, 7 Jul 19  2006 /dev/full
    drwxrwxrwt  2 root root 40 Jul 19  2006 /dev/shm
    drwxrwxrwt  10 root root 4096 Jul 19 21:16 /tmp
    drwxrwxrwt  2 root root 4096 Jul 19 21:15 /tmp/.ICE-unix
    drwxrwxrwt  2 xfs xfs 4096 Jul 19 21:14 /tmp/.font-unix
    srwxrwxrwx  1 xfs xfs 0 Jul 19 21:14 /tmp/.font-unix/fs-1
    drwxrwxrwt  2 root root 4096 Jul 19 21:14 /tmp/.X11-unix
    srwxrwxrwx  1 root root 0 Jul 19 21:14 /tmp/.X11-unix/X0
    drwxrwxrwt  4 root root 4096 Jul 19 21:24 /var/tmp
    drwxrwxrwt  2 root root 4096 Feb 27 14:48 /var/lib/lock/sane
    srw-rw-rw-  1 root root 0 Jul 19 21:14 /var/run/sdp
    srwxrwxrwx  1 root root 0 Jul 19 21:14 /var/run/dbus/system_dbus_socket
    srw-rw-rw-  1 root root 0 Jul 19 21:14 /var/run/xdmctl/dmctl/socket
    srw-rw-rw-  1 root root 0 Jul 19 21:14 /var/run/xdmctl/dmctl-:0/socket
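
Added example (not part of the original article): a small filter over the netstat output above that keeps only sockets bound to a wildcard address and drops loopback-only listeners such as mDNSResponder on 127.0.0.1:5335. The function names are made up for this sketch; the sample lines are copied from the listing above.

```shell
#!/bin/sh
# Added example: list sockets reachable from other hosts in netstat -tulpna output.

# Reads netstat lines on stdin, prints "proto port program" for every
# listening/unconnected socket that is not bound to loopback only.
exposed_listeners() {
  awk '
    $1 !~ /^(tcp|udp)/ { next }     # skip headers and unix sockets
    $5 !~ /:\*$/       { next }     # peer set: an established connection
    {
      n    = split($4, part, ":")
      port = part[n]                # text after the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "::1") next   # loopback only
      prog = $NF                    # "PID/name"; assumes no spaces in the name
      sub(/^[0-9]+\//, "", prog)
      print $1, port, prog
    }' | sort -u                    # X on :::6000 and 0.0.0.0:6000 collapses
}

# Sample input: the eleven lines from the article's listing.
sample_netstat() {
  cat <<'EOF'
tcp        0      0 0.0.0.0:6566                0.0.0.0:*                   LISTEN      4667/xinetd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2378/portmap
tcp        0      0 0.0.0.0:6000                0.0.0.0:*                   LISTEN      4557/X
tcp        0      0 0.0.0.0:688                 0.0.0.0:*                   LISTEN      3898/rpc.statd
tcp        0      0 127.0.0.1:5335              0.0.0.0:*                   LISTEN      4630/mDNSResponder
tcp        0      0 :::6000                     :::*                        LISTEN      4557/X
udp        0      0 0.0.0.0:682                 0.0.0.0:*                               3898/rpc.statd
udp        0      0 0.0.0.0:685                 0.0.0.0:*                               3898/rpc.statd
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               5108/dhclient
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               4630/mDNSResponder
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               2378/portmap
EOF
}

sample_netstat | exposed_listeners
```

On a live system, pipe the real command into the function instead of the sample: `netstat -tulpna -A inet -A inet6 | exposed_listeners`.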
    

That's it.

Comments, suggestions, flames?

Comments

The security chapter is interesting

I think turning this into a very very simple 'test your system for basic security stuff' bash script might be cool. It could be a starter for a more general script that rates the security of a box, installation or distro. How interesting would it be to list a page with all the major distros ranked by the amount of results that 'find / -not -type l -perm -o+w -exec ls -ld '{}' \;' give, for example?

Hi Bèr, Well, a comparison

Hi Bèr,

Well, a comparison of some sort would probably be nice, but I don't think you can really make any quantitative statements - security is just too complex an issue.

More world-writable files doesn't necessarily mean you're less secure, and there are many many more important issues which I did not check at all while installing the OSes so far...
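
As an added illustration of the point made in the reply above (not part of the original post or its comments): raw counts of world-writable entries mix sticky directories, sockets and device nodes with the cases that actually merit a look. This sketch classifies `ls -ld` lines by type; the function names and the last two sample lines are constructed, the others are taken from the article's listing.

```shell
#!/bin/sh
# Added example: triage ls -ld lines for world-writable entries by file type.

# Reads ls -ld lines on stdin, prints "class path" for each.
classify_world_writable() {
  awk '
    {
      type = substr($1, 1, 1)      # file type character
      ox   = substr($1, 10, 1)     # other-execute slot: t or T means sticky bit
      if (type == "d")      class = (ox == "t" || ox == "T") ? "sticky-dir" : "open-dir"
      else if (type == "-") class = "regular-file"
      else if (type == "s") class = "socket"
      else if (type == "c" || type == "b") class = "device"
      else                  class = "other"
      print class, $NF             # $NF is the path (assumes no spaces in it)
    }'
}

# Entries that deserve a manual look: any local user can modify a
# world-writable regular file, or delete and replace files in a
# world-writable directory that lacks the sticky bit.
needs_review() {
  classify_world_writable | awk '$1 == "open-dir" || $1 == "regular-file"'
}

# Sample input: six lines from the article's listing, then two constructed
# lines (/srv/example-drop and /etc/example.conf) that do not exist there.
sample_listing() {
  cat <<'EOF'
drwxrwxrwt  23 root root 14880 Jul 19 21:14 /dev
srw-rw-rw-  1 root root 0 Jul 19 21:14 /dev/log
crw-rw-rw-  1 root root 1, 3 Jul 19  2006 /dev/null
drwxrwxrwt  10 root root 4096 Jul 19 21:16 /tmp
srwxrwxrwx  1 root root 0 Jul 19 21:14 /tmp/.X11-unix/X0
drwxrwxrwt  4 root root 4096 Jul 19 21:24 /var/tmp
drwxrwxrwx  2 root root 4096 Jan  1 00:00 /srv/example-drop
-rw-rw-rw-  1 root root 120 Jan  1 00:00 /etc/example.conf
EOF
}

sample_listing | needs_review
```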

I never had a look at

I never had a look at Mandriva One but I can say that the Mandriva installer is very nice. You can even configure a firewall/choose the security level for Mandriva. Mandriva has various security levels from the undocumented one (0 = login as root without a password) to (5 ? = paranoid: a hell of a lot of checks and a secure kernel...)

Their Mandriva control center is one of the coolest things I've ever seen. I'm thinking about porting it to Debian.

Try again with the 2006 ISOs and I think you might be impressed.