RE: Wvdial insecure conf?

["Black, Braden" <BBlack () VSCat com>]

Actually, the wvdialconf program doesn't put your password into the file for
you (at least as of wvdial v1.41).  You must manually edit the
/etc/wvdial.conf file and put it in there yourself.  However, as
workarounds, you have a couple of options:
1) Run wvdial suid root, and chmod 600 the wvdial.conf file.  I don't know
about you, but I'm leary of doing things this way unless absolutely
necessary.
2) Give your primary group write access to /dev/modem (usually /dev/ttyS0 or
/dev/ttyS1), chgrp the /etc/wvdial.conf to your primary group, and chmod it
640.
3) *Recommended* Don't put your password in /etc/wvdial.conf.  Use the "Ask
Password = 1" directive instead.  This will prompt you for your password,
instead of storing in the file.  The other information in /etc/wvdial.conf
really isn't that sensitive.

-Braden

-----Original Message-----
From: Qlo [mailto:qlo () wmgflat net]
Sent: Wednesday, August 01, 2001 12:40 PM
To: bugtraq () securityfocus com
Subject: Wvdial insecure conf?


I've compiled and installed wvdial (a dialer for dial up connection) and the
program wvdialconf generate a file called wvdial.conf.
In this file : AT strings, username, pass and another setting like
/etc/ppp/options.
But now the problem, with ls -l

-rw-r--r-- 1 root root 335 Aug 1 18:21 wvdial.conf

It's no good...

Bye.

--

Qlo - www.ipv6mania.net (Italian IPv6 Site)