[22083] in bugtraq


RE: Wvdial insecure conf?

daemon@ATHENA.MIT.EDU (Black, Braden)
Thu Aug 2 11:53:24 2001

Message-ID: <5A223F8E6A58D31198CA00805F952B130667A32A@vsc-exchange.limited.com>
From: "Black, Braden" <BBlack@VSCat.com>
To: "'Qlo'" <qlo@wmgflat.net>, bugtraq@securityfocus.com
Date: Thu, 2 Aug 2001 10:46:35 -0400 
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"

Actually, the wvdialconf program doesn't put your password into the file for
you (at least as of wvdial v1.41).  You must manually edit the
/etc/wvdial.conf file and put it in there yourself.  However, as
workarounds, you have a couple of options:
1) Run wvdial suid root, and chmod 600 the wvdial.conf file.  I don't know
about you, but I'm leery of doing things this way unless absolutely
necessary.
2) Give your primary group write access to /dev/modem (usually /dev/ttyS0 or
/dev/ttyS1), chgrp the /etc/wvdial.conf to your primary group, and chmod it
640.
3) *Recommended* Don't put your password in /etc/wvdial.conf.  Use the "Ask
Password = 1" directive instead.  This will prompt you for your password,
instead of storing it in the file.  The other information in /etc/wvdial.conf
really isn't that sensitive.

-Braden

-----Original Message-----
From: Qlo [mailto:qlo@wmgflat.net]
Sent: Wednesday, August 01, 2001 12:40 PM
To: bugtraq@securityfocus.com
Subject: Wvdial insecure conf?


I've compiled and installed wvdial (a dialer for dial up connection) and the
program wvdialconf generates a file called wvdial.conf.
In this file: AT strings, username, pass and other settings like
/etc/ppp/options.
But now the problem, with ls -l

-rw-r--r-- 1 root root 335 Aug 1 18:21 wvdial.conf

It's no good...

Bye.

--

Qlo - www.ipv6mania.net (Italian IPv6 Site)
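
Added example (not part of either message above, and not wvdial's own code): a POSIX shell function that checks a wvdial.conf for the exposure discussed in this thread, i.e. a stored password in a file that other users can read. The function name, the return codes and the case-insensitive key matching are assumptions made for this example.

```shell
#!/bin/sh
# audit_wvdial_conf FILE
# Return codes (chosen for this example):
#   0  no password stored in the file (e.g. "Ask Password = 1" is used)
#   1  password stored, but the file is not readable by "other"
#   2  password stored AND the file is readable by "other" (the reported case)
#   3  file missing or unreadable by the caller
audit_wvdial_conf() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "$conf: cannot read file" >&2
        return 3
    fi

    # Report the recommended setting if present (key matched case-insensitively,
    # which is an assumption about how the file is parsed).
    if grep -Eiq '^[[:space:]]*Ask[[:space:]]+Password[[:space:]]*=[[:space:]]*1' "$conf"; then
        echo "$conf: Ask Password = 1 is set"
    fi

    # A non-empty "Password = ..." line means a secret is stored on disk.
    # The ^ anchor skips commented-out lines and the "Ask Password" key.
    if ! grep -Eiq '^[[:space:]]*Password[[:space:]]*=[[:space:]]*[^[:space:]]' "$conf"; then
        echo "$conf: no stored password"
        return 0
    fi

    # Portable permission check: the 8th character of the ls mode string
    # is the read bit for "other" (e.g. -rw-r--r--).
    perms=$(ls -ld "$conf" | cut -c1-10)
    case $perms in
        ???????r??)
            echo "$conf: stored password, mode $perms is world-readable"
            return 2 ;;
        *)
            echo "$conf: stored password, mode $perms (not world-readable)"
            return 1 ;;
    esac
}

# Stand-alone use: sh audit.sh /etc/wvdial.conf
if [ "$#" -gt 0 ]; then
    audit_wvdial_conf "$1"
fi
```

A result of 1 corresponds to workarounds 1 and 2 in the reply (mode 600 or 640); a result of 0 corresponds to the recommended option 3.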





