Hello! There are several errors regarding SuSE 9.1. I would better call them children's diseases. For users with much Linux practice it will not be a too big problem to solve them; for beginners it is an unsolvable issue, and there are damn no support pages on the SuSE homepage regarding these issues. For this, here are the issues I had and my solutions for them. @SuSE: Why are these well-known problems not fixed within a hotfix?

1) Issue: Coldplug uses by default the kernel module hw_random, which cannot be loaded e.g. with Intel-chipset motherboards. At bootup /etc/init.d/network magically starts SuSEfirewall, but SuSEfirewall should start right after network initialization, as can be found in the init scripts. With some network cards this makes problems; sometimes cards refuse to work after a while, or you get driver errors in /var/log/warn:

    Oct 6 06:25:01 tux-box kernel: NETDEV WATCHDOG: eth0: transmit timed out
    Oct 6 06:25:01 tux-box kernel: eth0: 21140 transmit timed out, status fc670045, SIA fffffff0 ffffffff 1c09fdc0 fffffec8, resetting...

Unfortunately I don't like that. There is no security if there is no answering network card. O.K., I would call this box hack-secure, because there is no network accessible.

Hotfix: add hw_random to the file /etc/hotplug/blacklist

PLZ fix this dear SuSE-Team!!!

2) Issue: Some services start and stop like they want. O.K., you say this is not security-related, but what happens if your desired service doesn't start because of this issue?

Hotfix: Edit /etc/init.d/SERVICE and add the services that have to start before it here (the LSB header keyword is Required-Start):

    # Required-Start: SERVICE(LIST)_TO_START_BEFORE

Then yast/system/runleveleditor -> add and remove services and write the config. Here you should know what to do. After the next reboot all will be fine.

3) Issue: Network initialization is confusing because of missing aliases to the appropriate network cards.
If you are planning a firewall, router or gateway, you maybe want to know which card is which, without being David Copperfield foreseeing which card will boot as eth0 next time. SuSE 9.1 with kernel 2.6 uses eth-id instead of eth aliases in /etc/modules.conf, which is empty now (and the system will not care a lot what's inside an empty compatibility file, afaik; maybe sooner or later in 9.2). If you use a managed switch with learning function or a license server, you need to have the right order assigned to the cards. If you use eth-id instead of ethX in SuSEfirewall all will work well, except for a license server, because, as every user is evil, the security-solution providers only allow bindings to eth0 for license-server ethernet IDs.

Hotfix: /etc/modprobe.conf.local

    alias eth0 MODULENAME
    alias eth1 MODULENAME1

Or using nameif and editing /etc/init.d/network (in the case of identical cards):

    [...]
    case "$ACTION" in
        start)
            echo Setting up network interfaces:
            date +%s > $NETWORK_RUNFILE
            # Change begin
            if [ -e /etc/mactab ] ; then
                /bin/sleep 1
                /sbin/nameif
            fi
            # Change end
            for IFACE in ${INTERFACE:- $LO [...]

Edit /etc/mactab:

    #
    # /etc/mactab
    #
    eth0 00:11:22:33:EA:A3
    eth1 00:11:22:34:26:26

After the next reboot the cards have the right order as desired and set up in YaST. PLZ dear SuSE-Team, fix this as well!!!

4) Issue: Some services can be started chrooted, but all others are not offered to be started localhost-only or bound to a specific interface or IP.

Hotfix: This binds Samba to 192.168.0.1 and the connected subnet. Edit /etc/samba/smb.conf and restart Samba and all related services (nmb, winbind ...):

    [global]
    [...]
    interfaces = 192.168.0.1/255.255.255.0
    socket address = 192.168.0.1
    bind interfaces only = yes
    allow hosts = 192.168.0.0/255.255.255.0
    [...]
This binds MySQL to localhost and makes it inaccessible for external attacks, except local exploits from erroneous scripts. /etc/init.d/mysql before:

    $SAFE_MYSQLD \
        --user=$mysql_daemon_user \
        --pid-file=$pid_file \
        --socket=$socket \
        --datadir=$datadir &>/dev/null &

after:

    $SAFE_MYSQLD \
        --user=$mysql_daemon_user \
        --pid-file=$pid_file \
        --socket=$socket \
        --bind-address=127.0.0.1 \
        --datadir=$datadir &>/dev/null &

6) Issue: Winbind fills the logs with errors because of using winbind after installing winbind with Samba 3.

Hotfix: Edit /etc/security/pam_unix2.conf

before:

    auth:     call_modules=winbind nullok
    account:  call_modules=winbind
    password: md5 nullok
    session:  none

after:

    auth:     nullok
    account:
    password: md5 nullok
    session:  none

Use different authentication within Samba or edit your /etc/pam.d/samba appropriately. By default Samba uses Unix auth, but you can change this and find a better solution.

7) Issue: SSH allows root to log in, but imo nobody wants to have this.

Hotfix: Edit /etc/ssh/sshd_config and restart sshd:

    PermitRootLogin no

8) Issue: Limiting rights of users is not really set up securely within SuSE.

Hotfix:
- give www/ftp/samba users only /bin/false
- give admins /bin/bash
- edit /etc/limits.conf to your needs to limit users' ACLs on system level

This should be set per default after choosing the network services or server services packages within YaST (minimal system & no X).

9) Issue: Postfix configuration is a mess when using cyrus + imap + sasl-auth/smtp-auth or any other non-standard setups.

Hotfix: Drop the config and forget everything YaST and SuSEconfig is doing; instead read this: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/index.html
For many other issues regarding postfix: http://www.stahl.bau.tu-bs.de/~hildeb/postfix/

10) Errors within SuSE aren't fixed over many, many distributions.
There are many more children's diseases in SuSE, and every time they aren't fixed; only a small remark on a support page is written. Issue: Problem XY happens because of not enough testing. SuSE's reaction: Look at the support pages. O.K., I find a solution every time, but isn't it easier to implement the fixes as updates? I think you owe us this, because buying SuSE and every updated distribution costs more than an average Windows distribution within their time of support.

11) Commonly used software works well; other more complex setups and their provided software work only after hand-editing the configs. O.K., it is easy to say this, but all bulletin boards are full of questions but with few qualified answers. This wouldn't be if there were more wise thinking within YaST and SuSEconfig. SuSEconfig always drops my hand-edited stuff, so I disabled it by default. Linux is Linux, not depending on the distribution, only depending on where the files are.

Regards
Philippe
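As an added example (not from Philippe's post), a POSIX sh audit that checks whether the hotfixes from issues 1, 4, 7 and 8 above are in place; file paths are parameters, and make_samples builds constructed stand-ins for the real /etc files so it can be dry-run offline.

```shell
#!/bin/sh
# Added audit script (not from the original post): each check reads one config
# file and returns 0 when the setting matches the post's hotfix, 1 otherwise.
# Paths are parameters so the checks run against constructed samples or /etc.
# Issue 1: hw_random must be listed in /etc/hotplug/blacklist (one module per line).
check_hwrandom_blacklisted() {
    grep -qx 'hw_random' "$1"
}

# Issue 4: the safe_mysqld call in /etc/init.d/mysql must carry --bind-address=127.0.0.1.
check_mysql_localhost() {
    grep -q -- '--bind-address=127\.0\.0\.1' "$1"
}

# Issue 4: smb.conf must name its interfaces and set "bind interfaces only = yes"
# (smbd ignores case and whitespace around '=', so the patterns do too).
check_samba_bound() {
    grep -Eiq '^[[:space:]]*interfaces[[:space:]]*=' "$1" &&
    grep -Eiq '^[[:space:]]*bind[[:space:]]+interfaces[[:space:]]+only[[:space:]]*=[[:space:]]*yes' "$1"
}

# Issue 7: sshd uses the first PermitRootLogin directive it finds; a missing
# directive falls back to the default, which the post says allows root, so it fails.
check_sshd_no_root() {
    v=$(awk 'tolower($1)=="permitrootlogin" && !f {v=tolower($2); f=1} END {print v}' "$1")
    [ "$v" = "no" ]
}

# Issue 8: every named service account in the passwd file must have a non-login shell.
check_service_shells() {
    pw=$1; shift
    for u in "$@"; do
        shell=$(awk -F: -v u="$u" '$1==u {print $7}' "$pw")
        case "$shell" in /bin/false|/sbin/nologin) ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed sample files (not real system files) for a dry run; prints the directory.
make_samples() {
    d=$(mktemp -d)
    printf 'hw_random\n' > "$d/blacklist"
    printf '$SAFE_MYSQLD --user=$mysql_daemon_user --bind-address=127.0.0.1 --datadir=$datadir &\n' > "$d/mysql"
    printf '[global]\n  interfaces = 192.168.0.1/255.255.255.0\n  bind interfaces only = yes\n' > "$d/smb.conf"
    printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$d/sshd_good"
    printf 'Port 22\n' > "$d/sshd_bad"
    printf 'wwwrun:x:30:8::/var/lib/wwwrun:/bin/false\nftp:x:40:49::/srv/ftp:/bin/false\nadmin:x:1000:100::/home/admin:/bin/bash\n' > "$d/passwd"
    echo "$d"
}
```

On a live box, call the check functions with /etc/hotplug/blacklist, /etc/init.d/mysql, /etc/samba/smb.conf, /etc/ssh/sshd_config and /etc/passwd instead of the sample directory.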