Actually, the wvdialconf program doesn't put your password into the file for you (at least as of wvdial v1.41). You must manually edit the /etc/wvdial.conf file and put it in there yourself. However, as workarounds, you have a couple of options:

1) Run wvdial suid root, and chmod 600 the wvdial.conf file. I don't know about you, but I'm leery of doing things this way unless absolutely necessary.

2) Give your primary group write access to /dev/modem (usually /dev/ttyS0 or /dev/ttyS1), chgrp the /etc/wvdial.conf to your primary group, and chmod it 640.

3) *Recommended* Don't put your password in /etc/wvdial.conf. Use the "Ask Password = 1" directive instead. This will prompt you for your password, instead of storing it in the file. The other information in /etc/wvdial.conf really isn't that sensitive.

-Braden

-----Original Message-----
From: Qlo [mailto:qlo@wmgflat.net]
Sent: Wednesday, August 01, 2001 12:40 PM
To: bugtraq@securityfocus.com
Subject: Wvdial insecure conf?

I've compiled and installed wvdial (a dialer for dial-up connections) and the program wvdialconf generates a file called wvdial.conf. In this file: AT strings, username, pass and another setting like /etc/ppp/options. But now the problem, with ls -l

-rw-r--r-- 1 root root 335 Aug 1 18:21 wvdial.conf

It's no good...

Bye.

--
Qlo - www.ipv6mania.net (Italian IPv6 Site)
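
The following is an added example, not part of either message: a shell check for the two conditions discussed in this thread, a password stored in wvdial.conf and a file mode that lets other local users read it. The function names and the sample file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a wvdial.conf for a stored
# password and for permissions that let other local users read it.

# True if the file has a non-empty "Password = ..." entry.
# "Ask Password = 1" does not match because the key must start the line.
has_stored_password() {
    grep -Eiq '^[[:space:]]*Password[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# True if the "other" read bit is set (e.g. the -rw-r--r-- mode in the report).
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Prints one verdict and returns 0 only for OK:
#   EXPOSED  password stored and file is world-readable
#   STORED   password stored, file not world-readable
#   OK       no password stored (e.g. "Ask Password = 1" is used)
#   MISSING  file not found
audit_wvdial_conf() {
    conf=$1
    [ -f "$conf" ] || { echo MISSING; return 2; }
    if has_stored_password "$conf"; then
        if is_world_readable "$conf"; then
            echo EXPOSED
        else
            echo STORED
        fi
        return 1
    fi
    echo OK
}

# Demo on a constructed sample (values are made up, not from a real system).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '[Dialer Defaults]' 'Modem = /dev/ttyS0' \
        'Username = exampleuser' 'Password = examplepass' > "$tmp"
    chmod 644 "$tmp"
    audit_wvdial_conf "$tmp"      # EXPOSED
    chmod 600 "$tmp"
    audit_wvdial_conf "$tmp"      # STORED
    rm -f "$tmp"
}
demo || true
```

To check a real system, call `audit_wvdial_conf /etc/wvdial.conf` from a shell that has sourced these functions.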