Re: agrsm048 successful connection on 2.6.33, and update for 2.6.31

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jacques,

I believe Joshua answered WHY the issue rises when he stated the
following:

"Wvdial can't hand over to pppd as a normal user. You need to run wvdial
as root or with sudo."

I was trying to determine if the solution of allowing only members of
the dip group to dial-out was a feasible workaround to the security
issue you raised in your reply.  (Please note that my Ubuntu 8.04.4 LTS
upgraded from Ubuntu 6.06 LTS was pre-setup in this manner).  

I guess that even though the dip group reduces the number of users
having access to the Internet via dial-up, it still employs the use of
setuid on pppd; thus, is still a security issue due to pppd being
executed with the rights of root via setuid.  

Regards,

Ken

On Fri, 2010-03-26 at 08:05 +0300, Jacques Goldberg wrote:
> Sure, Keneth, but may I suggest to always quote WHY the issue rises in  
> addition to how to "solve" it?
> A major security risk of a remote hacker penetrating the system if 
> wvdial/ppp is not running as super-user.
> 
> Jacques
> 
> eneth W Jones wrote:
> > Joshua,
> >
> > To resolve the issue of running /usr/sbin/pppd (via wvdial or Gnome PPP)
> > as a non-sudo/regular user...is there anything wrong with doing the
> > following:
> >
> > First,
> >
> > Check to see if the group called dip exists on your system:
> >
> > $ cat /etc/group | grep "dip"
> > dip:x:30:hjones
> >
> > Per the above, the dip group exists on my system, and my USERNAME hjones
> > is a member of this group.  
> >
> > If the dip group exists, but your USERNAME is not included in the dip
> > group run the following command:
> >
> > $ sudo gpasswd -a USERNAME dip
> >
> >
> > However; more than likely you will need to create the dip group, and add
> > your USERNAME to the dip group.  So... 
> >
> > Second,
> >
> > $ sudo groupadd -g 30 dip
> > $ sudo gpasswd -a USERNAME dip
> >
> > As a result, the file /etc/group will be updated with a line; e.g., 
> >
> > dip:x:30:<USERNAME>
> >
> > Third,
> >
> > Set the group and permissions on /usr/sbin/pppd file so that any member
> > of the dip group can execute /usr/sbin/pppd.
> >
> > $ sudo chgrp dip /usr/sbin/pppd
> > $ sudo chmod u+s,o= /usr/sbin/pppd
> >
> > .....
> >
> > Nick, FYI the wvdial program uses the /etc/wvdial.conf for its
> > configuration setting file which you already know.  
> >
> > However, you may not know that Gnome PPP (the graphical front-end for
> > wvdial) uses a separate /home/USERNAME/.wvdial.conf for its
> > configuration setting file. 
> >
> > So, if you're using Gnome PPP you need to be looking at .wvdial.conf in
> > your home directory (BTW: the dot before wvdial.conf means the file is
> > hidden in case you didn't know) to see what settings are in effect for
> > pppd.    
> >
> > On Thu, 2010-03-25 at 09:20 +1100, Joshua Gordon Crawford wrote:
> >   
> >> On 25 March 2010 09:16, Nick <soapduk@xxxxxxxxx> wrote:
> >>     
> >>> Hi Joshua and list,
> >>>
> >>> I feel a little silly right about now, but also optimistic at the same time...
> >>>
> >>> You see, I was just reading a Ubuntu forum about the carrier check
> >>> issue and there someone asked if certain settings were on/off in
> >>> Gnome-PPP. Since I was using PPP I decided to have a look for such
> >>> settings, and there I saw the Carrier Check box ticked, even though I
> >>> had set it to off in wvdial.conf. Obviously PPP was overriding or
> >>> bypassing that option in wvdial. This is my mistake and I should have
> >>> mentioned I was using PPP.
> >>>
> >>> This is what now happens when I dial-up:
> >>>
> >>> --> WvDial: Internet dialer version 1.60
> >>> --> Initializing modem.
> >>> --> Sending: ATZ
> >>> ATZ
> >>> OK
> >>> --> Sending: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
> >>> ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
> >>> OK
> >>> --> Modem initialized.
> >>> --> Sending: ATM1L3DT086700006
> >>> --> Waiting for carrier.
> >>> ATM1L3DT086700006
> >>> CONNECT 50666 V44
> >>> --> Carrier detected.  Waiting for prompt.
> >>> ** Lucent APX Terminal Server **
> >>> Login:
> >>> --> Carrier detected.  Starting PPP immediately.
> >>> --> Unable to run /usr/sbin/pppd.
> >>> --> Check permissions, or specify a "PPPD Path" option in wvdial.conf.
> >>>       
> >> Wvdial can't hand over to pppd as a normal user. You need to run
> >> wvdial as root or with sudo.
> >>
> >>     
> >>> ** Lucent APX Terminal Server **
> >>> Login: Idle Timeout--> Looks like a login prompt.
> >>> --> Sending: USERNAME
> >>> USERNAME
> >>> Password:
> >>> --> Looks like a password prompt.
> >>> --> Sending: (password)
> >>>     L2TP: Starting session
> >>>     Primary server '203.97.60.34'
> >>> ~[7f]}#@!}!}!} }8}"}&} }*} } }#}$@#}%}&i[12]>P}'}"}(}"Ck~
> >>> --> PPP negotiation detected.
> >>> --> Unable to run /usr/sbin/pppd.
> >>> --> Check permissions, or specify a "PPPD Path" option in wvdial.conf.
> >>> ~[7f]}#@!}!}"} }8}"}&} }*} } }#}$@#}%}&i[12]>P}'}"}(}" y~
> >>>
> >>> And then it keeps repeating those bottom 4 lines over and over.
> >>>
> >>> If I try stupid mode it or a combination of the two it only says this:
> >>>
> >>> --> WvDial: Internet dialer version 1.60
> >>> --> Initializing modem.
> >>> --> Sending: ATZ
> >>> ATZ
> >>> OK
> >>> --> Sending: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
> >>> ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
> >>> OK
> >>> --> Modem initialized.
> >>> --> Sending: ATM1L3DT086700006
> >>> --> Waiting for carrier.
> >>> ATM1L3DT086700006
> >>> CONNECT 50666 V44
> >>> --> Carrier detected.  Starting PPP immediately.
> >>> --> Unable to run /usr/sbin/pppd.
> >>> --> Check permissions, or specify a "PPPD Path" option in wvdial.conf.
> >>> ** Lucent APX Terminal Server **
> >>> Login: Idle Timeout
> >>>
> >>> As for noise the phone line sounds crystal clear. I tried pulling out
> >>> the ADSL from the phone line but it's the same result.
> >>>
> >>> I don't know what a PPPD Path option is. If anyone has any clues as to
> >>> whereabouts to go from here I would be grateful.
> >>>       
> >> Looks good from here on. Just the permissions issue with pppd.
> >>
> >>     
> >>> Regards
> >>>
> >>> Nick
> >>>
> >>> On Wed, Mar 24, 2010 at 16:26, Joshua Gordon Crawford
> >>> <jgcrawford@xxxxxxxxx> wrote:
> >>>       
> >>>> On 23 March 2010 06:53, Nick <soapduk@xxxxxxxxx> wrote:
> >>>>         
> >>>>> Hi Joshua,
> >>>>>
> >>>>> Sorry for my late reply,
> >>>>>
> >>>>> On Fri, Mar 19, 2010 at 00:16, Joshua Gordon Crawford
> >>>>> <jgcrawford@xxxxxxxxx> wrote:
> >>>>>           
> >>>>>> It seems at this point that the driver is working correctly, and we're
> >>>>>> left with a line quality issue.
> >>>>>>
> >>>>>> When you use the phone on that line, does it sound noisy (crackly,
> >>>>>> windy, etc)? Are there other phones or devices connected to the line,
> >>>>>> in other rooms, etc? Can you test with a different line, e.g. at a
> >>>>>> friend's house?
> >>>>>>
> >>>>>> Is the modem new or used? I had to replace a modem a few years back
> >>>>>> because _it_ had become noisy and couldn't hold the carrier.
> >>>>>>             
> >>>>> The modem isn't new, but it would have been new when this computer was
> >>>>> purchased. Is there a way to find out if this one has become noisy?
> >>>>>           
> >>>> You might  be able to hear it when the modem dials.
> >>>>
> >>>>         
> >>>>> No the line doesn't sound noisy. I had my ADSL and another phone
> >>>>> plugged into the same jack, which I have now removed, but I'm still
> >>>>> getting the errors. In fact, I've just removed all the devices in the
> >>>>> house connected. Actually there is an alarm here that connects to the
> >>>>> phone line - don't know if that affects it, or how to disconnect it. I
> >>>>> haven't tried a friend's house but will see if I can do that.
> >>>>>           
> >>>> Any other device on the line could be causing some noise. I don't know
> >>>> how ADSL filtering might affect 56k modems.
> >>>>
> >>>>         
> >>>>> it looks as though there is another error here, the Login x3 and
> >>>>> Password Idle Timeout:
> >>>>>
> >>>>> ATM1L3DT086700006
> >>>>> CONNECT 50666 V44
> >>>>> --> Carrier detected.  Waiting for prompt.
> >>>>> --> Connected, but carrier signal lost!  Retrying...
> >>>>> --> Sending: ATM1L3DT086700006
> >>>>> --> Waiting for carrier.
> >>>>> ** Lucent APX Terminal Server **
> >>>>> Login:
> >>>>> Login:
> >>>>> Login:
> >>>>> Login: ATM1L3DT086700006
> >>>>> Password: Idle Timeout
> >>>>> --> Timed out while dialing.  Trying again.
> >>>>> --> Sending: ATM1L3DT086700006
> >>>>> --> Waiting for carrier.
> >>>>> NO CARRIER
> >>>>> ATM1L3DT086700006
> >>>>> --> No Carrier!  Trying again.
> >>>>> --> Sending: ATM1L3DT086700006
> >>>>> --> Waiting for carrier.
> >>>>> NO CARRIER
> >>>>> ATM1L3DT086700006
> >>>>> --> No Carrier!  Trying again.
> >>>>> --> Maximum Attempts Exceeded..Aborting!!
> >>>>> --> Disconnecting at Tue Mar 23 08:39:03 2010
> >>>>>
> >>>>> or does that relate to the existing 'No Carrier' problem?
> >>>>>           
> >>>> Yes. Wvdial tries to dial again when the ISP is waiting for a
> >>>> password. The "Carrier Check = No" option  is supposed to handle that.
> >>>>
> >>>> If you can, test the modem in Windows and see what its log says.
> >>>>
> >>>>         
> >>>>>>> A slightly off-topic question: I note that the modem wasn't detected
> >>>>>>> when I rebooted just now. Is it advisable to run wvdialconf as a
> >>>>>>> startup 'script'?
> >>>>>>>               
> >>>>>> The driver needs to be loaded after each reboot, and the symlink
> >>>>>> created. For now you can do that manually by running agrsm-test, but
> >>>>>> later it can be automated.
> >>>>>>
> >>>>>> Quoting agrsm_howto.txt (in the source directory):
> >>>>>>
> >>>>>> Automation - Do NOT do this until full functionality of the modem is
> >>>>>> achieved, or testing the issues will be confused. The following SINGLE LINE
> >>>>>> can be added (depending upon your Linux distro) to /etc/modprobe.conf or
> >>>>>> (Debian/Ubuntu) a file with folder /etc/modprobe.d/, perhaps
> >>>>>>        /etc/modprobe.d/agrsm.conf
> >>>>>>
> >>>>>> install agrserial modprobe --ignore-install agrmodem ; modprobe
> >>>>>> --ignore-install agrserial ; test -e /dev/ttyAGS3 ; ln -s /dev/ttyAGS3
> >>>>>> /dev/ttySAGR ; ln -s /dev/ttyAGS3 /dev/modem
> >>>>>>
> >>>>>> <end quote>
> >>>>>>
> >>>>>> The howto then implies you need to modprobe agrserial manually each
> >>>>>> time you boot, but that can also be done automatically, by adding
> >>>>>> agrserial to /etc/modules.
> >>>>>>             
> >>>>> OK, thanks.
> >>>>>
> >>>>> Nick
> >>>>>
> >>>>>           
> >>>>>> --
> >>>>>> Joshua Crawford ... http://geocities.com/mortarn
> >>>>>>
> >>>>>> http://www.rewardscentral.com.au/Join/Default.aspx?refer=mortarn
> >>>>>> Be rewarded! Join RewardsCentral today!
> >>>>>>
> >>>>>>             
> >>>>
> >>>> --
> >>>> Joshua Crawford ... http://geocities.com/mortarn
> >>>>
> >>>> http://www.rewardscentral.com.au/Join/Default.aspx?refer=mortarn
> >>>> Be rewarded! Join RewardsCentral today!
> >>>>         
> >>
> >>     
> >
> >   
> 
> 


[Index of Archives]     [Linux Media Development]     [Asterisk]     [DCCP]     [Netdev]     [X.org]     [Xfree86]     [Fedora Women]     [Linux USB]

  Powered by Linux