Package: isdnutils-base
Version: 1:3.3.0.20041110-1
Severity: normal

If users are not in the group "dialout", they are not allowed to dial
or hang up the ISDN interface ippp0, because permission to
/dev/isdnctrl0 is denied:

[EMAIL PROTECTED]:~$ /usr/sbin/isdnctrl hangup ippp0
Can't open /dev/isdninfo or /dev/isdn/isdninfo: Permission denied

[EMAIL PROTECTED]:~$ ls -l /dev/isdnctrl0
crw-rw----  1 root dialout 45, 64 2005-02-11 17:23 /dev/isdnctrl0

OK so far. In order to allow the dial/hangup to a normal user,
I add the user to the group "dialout":

[EMAIL PROTECTED]:~# adduser username dialout
Adding user `username' to group `dialout'...
Done.

By default, /usr/sbin/isdnctrl does NOT allow users to call it with
arguments other than some essential ones:

[EMAIL PROTECTED]:~$ /usr/sbin/isdnctrl list ippp0
Only the dial,hangup,addlink,removelink and status
commands are allowed for none root users

Ok, now the user is allowed to dial and hangup, and _seemingly_ not
allowed to change the numbers which are to dial on "isdnctrl dial ippp0".

But if you look into the source code of isdnctrl and search for
"Only the dial,hangup,addlink,removelink and status", you will recognize
that any user is able to remove the "if statement" of the above-mentioned
security check and then simply recompile isdnctrl. After that, the
membership of group "dialout" also allows the user to change the numbers
that are to be dialled. This makes me afraid of "dialers".

Setting isdnctrl setuid root would make the need for group "dialout"
unnecessary, but it would probably not be the best idea.

My current workaround is to use "sudo" instead of adding the
user to group dialout, but then /dev/isdnctrl0 does NOT need to be
owned by group "dialout" anymore (as created by MAKEDEV).
So /dev/isdnctrl* should be chown'ed to user and group "root:root".

Daniel.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i586)
Kernel: Linux 2.6.8-2-386
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages isdnutils-base depends on:
ii  debconf                     1.4.30.11    Debian configuration management sy
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libncurses5                 5.4-4        Shared libraries for terminal hand
ii  makedev                     2.3.1-75     Creates device files in /dev

-- debconf information excluded
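
The report's point is that the mode and group of the device node, not the command filter inside isdnctrl, decide who can drive the interface, and that can be audited directly. The script below is an added example, not part of the original report or of isdnutils; the function names are hypothetical, the 660 root:dialout sample is the one shown in the report, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the report or isdnutils). Function names are
# hypothetical; `stat -c` assumes GNU coreutils.

# node_exposure MODE OWNER GROUP
# MODE is octal as printed by `stat -c %a`. Prints who, besides the owner,
# holds a read or write bit on the node and can therefore open it.
node_exposure() {
    padded="000$1"
    perms=${padded#"${padded%???}"}   # last three octal digits
    g=${perms#?}; g=${g%?}            # group digit
    o=${perms#??}                     # other digit
    case $o in [2-7]) echo "world"; return ;; esac
    case $g in [2-7]) echo "group:$3"; return ;; esac
    echo "owner-only:$2"
}

# audit_isdn_nodes NODE...
# Reports exposure for each character device given, and for group-exposed
# nodes lists the group members from getent (if available).
audit_isdn_nodes() {
    for node in "$@"; do
        [ -c "$node" ] || continue
        read -r m u g_name <<EOF
$(stat -c '%a %U %G' "$node")
EOF
        exp=$(node_exposure "$m" "$u" "$g_name")
        printf '%s mode=%s %s:%s -> %s\n' "$node" "$m" "$u" "$g_name" "$exp"
        case $exp in
            group:*)
                members=$(getent group "$g_name" 2>/dev/null | cut -d: -f4)
                printf '  members of %s: %s\n' "$g_name" "${members:-none listed}"
                ;;
        esac
    done
}

# Constructed sample taken from the ls -l line in the report (660 root dialout).
printf 'sample 660 root:dialout -> %s\n' "$(node_exposure 660 root dialout)"
# On a host that has the nodes, audit the real ones; otherwise this is a no-op.
audit_isdn_nodes /dev/isdnctrl*
```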

