KBTAG: kben10001001
URL: http://www.securityportal.com/lskb/10001000/kben10001001.html
Date created: 09/09/2000
Date modified:
Date removed:
Authors(s): Alexander Reelsen ar@rhwd.net
Topic: Debian - specifics
Keywords: Distribution/Debian
Specific notes on Debian GNU/Linux
Though Debian is not aimed as a security-oriented distribution, it pays a lot of attention to this topic. Often, security patches for new programs released are backported to the old ones and updated packages are released quite fast after the bug discovery. You can find security related updates at http://security.debian.org/debian-security.
There are still some services in /etc/inetd.conf enabled, which you just do not need. The safest way to have a good basic inetd.conf is mv /etc/inetd.conf /etc/inetd.conf.old ; touch /etc/inetd.conf. Now can slowly begin enabling services again.
During installation of Debian version greater than 2.2 (potato, the actual one by the time of writing) you are asked, whether you want LILO to create a blank MBR or you want to put into some kind of interactive MBR, where you can boot from floppy or another media. If chose the latter, be aware that anyone can boot from your floppy, regardless you disabled this in your BIOS. To disable this after the installation simply set boot=/dev/hda (or whatever your Linux harddisk is) in your lilo.conf and rerun lilo.
On a standard Debian installation, the name service daemon, BIND, runs as user root and group root. It is possible and quite easy to achieve to run BIND under another's UID. However, running BIND not as root prevents it from detecting and using interfaces automatically, for example if you stick a PCMCIA card into your laptop (anyway, I don't think BIND runs on a laptop per default). Check the README.Debian file in your named documentation directory for more.
Anyway, noone can deny the existing security problems, which occured in the last months concerning BIND, so switchting the user is useful where it is possible. First you should create a seperate user and group for it (don't use either nobody or nogroup for every service not running as root or another user). In this case I will use user and group 'named'.
Now edit /etc/init.d/bind with your favourite editor and change the line beginning with 'start-stop-daemon --start' to
start-stop-daemon --start --quiet --exec /usr/sbin/named -- -g named -u named
All you need to do now is to restart bind via '/etc/init.d/bind restart', and then check your syslog for two entries like this:
Sep 4 15:11:08 nexus named[13439]: group = named Sep 4 15:11:08 nexus named[13439]: user = namedVoila! Your named now does not run as root. To get the best possible BIND security, now build a chroot jail around your daemon.
Since the introduction of PAM (Pluggable Authentication Modules) in Debian 2.2 many applications already authenticate against PAM. /etc/limits is no longer used as well as /etc/login.defs. You should use the configuration files in /etc/security from now on.