Securing Debian HOWTO
Chapter 8 Frequently asked Questions

FIXME: write them, extract from mailing list

8.1 Is Debian more secure than X?

A system is as secure as its administrator is capable of making it.

8.2 Is there are hardening program for Debian?

Yes. Bastille Linux, originally oriented towards some Linux distributions (RedHat and Mandrake) currently works for Debian. Steps are being taken to integrate the changes made to the upstream version, in any case the package in Debian is, of course, name bastille.

Some people believe, however, that a hardening tool does not eliminate the need for good administration.

8.3 How can I make service XYZ more secure?

You will find information in this document to make some services (FTP, Bind) more secure in Debian GNU/Linux. For services not covered here, however, check the program's documentation, or general Linux information. Most of the security guidelines for Unix systems apply also to Debian so securing service X in Debian is, most of the time, like securing the service for any other Linux distribution (or Unix, for that matter).

8.4 Questions regarding users and groups

8.5 Are all system users necessary?

Yes and no. Debian comes with some predefined users (id < 99 as described in Debian Policy) for some services so that installing new services is easy (they are already run by the appropriate user). If you do not intend to install new services, you can safely remove those users who do not own any files in your system and do not run any services.

You can easily find users not owning any files by executing the following command (be sure to run it as root, since a common user might not have enough permissions to go through some sensitive directories):

     cut -f 1 -d : /etc/passwd |
     while read i; do find / -user "$i" | grep -q . && echo "$i"; done

These users are provided by base-passwd. You will find in its documentation more information on how these users are handled in Debian.

The list of default users (with a corresponding group) follows:

• root: Root is (typically) the superuser.
• daemon: Some unprivileged daemons that need to be able to write to some files on disk run as daemon.daemon (portmap, atd, probably others). Daemons that don't need to own any files can run as nobody.nogroup instead, and more complex or security conscious daemons run as dedicated users. The daemon user is also handy for locally installed daemons, probably.
• bin: maintained for historic reasons.
• sys: same as with bin. However, /dev/vcs* and /var/spool/cups are owned by group sys.
• sync: The shell of user sync is /bin/sync. Thus, if its password is set to something easy to guess (such as ""), anyone can sync the system at the console even if they have no account on the system.
• games: Many games are sgid to games so they can write their high score files. This is explained in policy.
• man: The man program (sometimes) runs as user man, so it can write cat pages to /var/cache/man
• lp: Used by printer daemons.
• mail: Mailboxes in /var/mail are owned by group mail, as is explained in policy. The user and group is used for other purposes as well by various MTA's.
• news: Various news servers and other associated programs (such as suck) use user and group news in various ways. Files in the news spool are often owned by user and group news. Programs such as inews that can be used to post news are typically sgid news.
• uucp: The uucp user and group is used by the UUCP subsystem. It owns spool and configuration files. Users in the uucp group may run uucico.
• proxy: Like daemon, this user and group is used by some daemons (specifically, proxy daemons) that don't have dedicated user id's and that need to own files. For example, group proxy is used by pdnsd, and squid runs as user proxy.
• majordom: Majordomo has a statically allocated uid on Debian systems for historical reasons. It is not installed on new systems.
• postgres: Postgresql databases are owned by this user and group. All files in /var/lib/postgresql are owned by this user to enforce proper security.
• www-data: Some web browsers run as www-data. Web content should *not* be owned by this user, or a compromised web server would be able to rewrite a web site. Data written out by web servers, including log files, will be owned by www-data.
• backup: So backup/restore responsibilities can be locally delegated to someone without full root permissions.
• operator: Operator is historically (and practically) the only 'user' account that can login remotely, and doesn't depend on NIS/NFS.
• list: Mailing list archives and data are owned by this user and group. Some mailing list programs may run as this user as well.
• irc: Used by irc daemons. A statically allocated user is needed only because of a bug in ircd -- it setuid()s itself to a given UID on startup.
• gnats.
• nobody, nogroup: Daemons that need not own any files run as user nobody and group nogroup. Thus, no files on a system should be owned by this user or group.

Other groups which have no associated user:

• adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group.
• tty: Tty devices are owned by this group. This is used by write and wall to enable them to write to other people's tty's.
• disk: Raw access to disks. Mostly equivalent to root access.
• kmem: /dev/kmem and similar files are readably by this group. This is mostly a BSD relic, but any programs that need direct read access to the system's memory can thus be made sgid kmem.
• dialout: Full and direct access to serial ports. Members of this group can reconfigure the modem, dial anywhere, etc.
• dip: THe group's man stands for "Dialup IP". Being in group dip allows you to use a tool such as ppp, dip, wvdial, etc. to dial up a connection. The users in this group cannot configure the modem, they can just run the programs that make use of it.
• fax: Allows members to use fax software to send / receive faxes.
• voice: Voicemail, useful for systems that use modems as answering machines.
• cdrom: This group can be used locally to give a set of users access to a cdrom drive.
• floppy: This group can be used locally to give a set of users access to a floppy drive.
• tape: This group can be used locally to give a set of users access to a tape drive.
• sudo: Members of this group do not need to type their password when using sudo. See /usr/share/doc/sudo/OPTIONS.
• audio: This group can be used locally to give a set of users access to an audio device.
• src: This group owns source code, including files in /usr/src. It can be used locally to give a user the ability to manage system source code.
• shadow: /etc/shadow is readable by this group. Some programs that need to be able to access the file are set gid shadow.
• utmp: This group can write to /var/run/utmp and similar files. Programs that need to be able to write to it are sgid utmp.
• video: This group can be used locally to give a set of users access to an video device.
• staff: Allows users to add local modifications to the system (/usr/local, /home) without needing root privileges. Compare with group "adm", which is more related to monitoring/security.
• users: While Debian systems use the user group system by default (each user has their own group), some prefer to use a more traditional group system. In that system, each user is a member of the 'users' group.

8.5.1 What is the difference between the adm and the staff group?

'adm' are administrators and is mostly useful to allow them to read logfiles without having to su. 'staff' is useful for more helpdesk/junior sysadmins type of people and gives them the ability to do things in /usr/local and create directories in /home.

8.6 Question regarding open ports

8.6.1 Why do I have port 111 open?

Port 111 is sunrpc's portmapper, it is installed by default in all base installations of a Debian system since there is no need to know when a user's program might need RPC to work out correctly. In any case, it is used mostly for NFS. If you do not need it, remove it as explained in Disabling RPC services, Section 5.12.

8.6.2 I have checked I have the following port (XYZ) open, can I close it?

Of course you can, the ports you are leaving open should adhere to your site's policy regarding public services available to other systems. Check if they are open by inetd (see Customize /etc/inetd.conf, Section 4.7) or by other installed packages and take appropriate measures (configure inetd, remove the package, avoid it running on bootup...)

8.7 I have lost my password and cannot access the system!!

The steps you need to take in order to recover from this depends on whether or not you have applied the suggested procedure for limiting access to Lilo and BIOS.

If you have limited both. You need to disable the BIOS features (only boot from hard disk) before proceeding, if you also forgot your BIOS password, you will have to open your system and manually remove the BIOS battery.

If you have bootup of CD-ROM or diskette enable, you can:

• bootup from a rescue disk and start the kernel
• go to the virtual console (Alt+F2)
• mount the hard disk where your /root is
• edit (Debian rescue disk comes with ae) /etc/shadow and change the line:

       root:asdfjl290341274075:XXXX:X:XXXX:X::: (X=any number)
  

  to:

       root::XXXX:X:XXXX:X:::
  

If you are using LILO and have not restricted it. You can:

• Press the Alt, shift or Control key just before the system BIOS finishes, you should get the LILO prompt.
• Type 'linux single', 'linux init=/bin/sh' or 'linux 1' in the prompt.
• you should get to a shell prompt in singleuser mode
• remount read/write the / partition

       mount -o remount,rw /
  

• change the superuser password with passwd (since you are superuser it will not ask for the previous password).

8.8 Questions regarding the Debian security team

8.8.1 The signature on Debian advisories does not verify correctly!

This is most likely a problem on your end. The debian-security-announce list has a filter that only allows messages with a correct signature from one of the security team members to be posted.

Most likely some piece of mail software on your end slightly changes the message that breaks the signature. Make sure your software does not do any MIME encoding or decoding, or tab/space conversions.

Known culprits are fetchmail (with the mimedecode option enabled) and formail (from procmail 3.14 only).

8.8.2 How is security handled for testing and unstable?

The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.

8.8.3 Why are there no official mirrors for security.debian.org?

A: The purpose of security.debian.org is to make security updates available as quickly and easily as possible. Mirrors would add extra complexity that is not needed and can cause frustration if they are not up to date.

8.8.4 How can I reach the security team?

A: Security information can be sent to security@debian.org, which is read by all Debian developers. If you have sensitive information please use team@security.debian.org which only the members of the security team read. If desired email can be encrypted with the Debian Security Contact key (key ID 363CCD95).

8.8.5 How can I help with security?

Please review each problem before reporting it to security@debian.org. If you are able to provide patches, that would speed up the process. Do not simply forward bugtraq mails, since they are received already. Providing additional information, however, is always a good idea.

8.8.6 How are security incidents handled in Debian?

Once the Security Team receives a notification of an incident, one or more members review it and consider Debian/stable vulnerable or not. If our system is vulnerable, it is worked on a fix for the problem. The package maintainer is contacted as well, if he didn't contact the Security Team already. Finally the fix is tested and new packages are prepared, which then are compiled on all stable architectures and uploaded afterwards. After all this tasks are done a Debian Security Advisory (DSA) is sent to public mailing lists.

8.8.7 How is the Security Team composed?

The Debian Security Team currently consists of five members and two secretaries. The Security Team itself appoints people to join the team.