Actually, the wvdialconf program doesn't put your password into the file for
you (at least as of wvdial v1.41). You must manually edit the
/etc/wvdial.conf file and put it in there yourself. However, as
workarounds, you have a couple of options:
1) Run wvdial suid root, and chmod 600 the wvdial.conf file. I don't know
about you, but I'm leary of doing things this way unless absolutely
necessary.
2) Give your primary group write access to /dev/modem (usually /dev/ttyS0 or
/dev/ttyS1), chgrp the /etc/wvdial.conf to your primary group, and chmod it
640.
3) *Recommended* Don't put your password in /etc/wvdial.conf. Use the "Ask
Password = 1" directive instead. This will prompt you for your password,
instead of storing in the file. The other information in /etc/wvdial.conf
really isn't that sensitive.

-Braden

-----Original Message-----
From: Qlo [mailto:qlowmgflat.net]
Sent: Wednesday, August 01, 2001 12:40 PM
To: bugtraqsecurityfocus.com
Subject: Wvdial insecure conf?

I've compiled and installed wvdial (a dialer for dial up connection) and the
program wvdialconf generate a file called wvdial.conf.
In this file : AT strings, username, pass and another setting like
/etc/ppp/options.
But now the problem, with ls -l

-rw-r--r-- 1 root root 335 Aug 1 18:21 wvdial.conf

It's no good...

Bye.

--
Qlo - www.ipv6mania.net (Italian IPv6 Site)

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]