URL:
<https://savannah.gnu.org/bugs/?57766>
Summary: Remove group-write permission from ~/.wget-hsts file
Project: GNU Wget
Submitted by: jrbeilke
Submitted on: Fri 07 Feb 2020 11:16:09 AM CST
Category: Feature Request
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: trunk
Operating System: GNU/Linux
Reproducibility: Every Time
Fixed Release: None
Planned Release: None
Regression: None
Work Required: None
Patch Included: None
_______________________________________________________
Details:

Working on improving the security of our Linux systems and one of the
recommendations is to ensure user dot files are not group or world writable
(CIS DIL 6.2.10), but wget generates the .wget-hsts file for users with group
write permissions.

Here's an example from a fresh Ubuntu 18.04.4 system with wget 1.19.4:

$ ls -al
total 40
drwxr-xr-x 6 vagrant vagrant 4096 Feb 7 17:04 .
drwxr-xr-x 4 root root 4096 Feb 7 17:03 ..
-rw-r--r-- 1 vagrant vagrant 220 Jan 31 15:58 .bash_logout
-rw-r--r-- 1 vagrant vagrant 3771 Jan 31 15:58 .bashrc
drwx------ 2 vagrant vagrant 4096 Feb 7 17:03 .cache
drwx------ 3 vagrant vagrant 4096 Feb 7 17:03 .gnupg
-rw-r--r-- 1 vagrant vagrant 807 Jan 31 15:58 .profile
drwx------ 2 vagrant vagrant 4096 Feb 7 17:03 .ssh
-rw-rw-r-- 1 vagrant vagrant 165 Feb 7 17:04 .wget-hsts

Is there a specific wget feature/functionality that requires the .wget-hsts
file be writable by the group?

If not, can the file be generated with 644 permissions instead?
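
Added example, not part of the original report and not Wget code: a shell check for the condition the report describes (regular dot files in a home directory with the group-write or world-write bit set), plus a fix that clears only those bits. It assumes GNU find and GNU stat; the function names and the throwaway demo directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes GNU find and GNU stat.

# list_writable_dotfiles HOME_DIR
# Print "MODE PATH" for every regular dot file directly inside HOME_DIR that
# has the group-write or world-write bit set (any bit of 022).
list_writable_dotfiles() {
    find "$1" -maxdepth 1 -type f -name '.*' -perm /022 \
        -exec stat -c '%a %n' {} + | sort -k2
}

# count_writable_dotfiles HOME_DIR: number of offending files.
count_writable_dotfiles() {
    list_writable_dotfiles "$1" | wc -l | tr -d ' '
}

# fix_writable_dotfiles HOME_DIR
# Clear only the group/world write bits; all other mode bits are untouched.
fix_writable_dotfiles() {
    find "$1" -maxdepth 1 -type f -name '.*' -perm /022 \
        -exec chmod go-w {} +
}

# Constructed demo: a throwaway directory reproducing the two file modes
# seen in the listing (644 for .bashrc, 664 for .wget-hsts).
demo() {
    home=$(mktemp -d) || return 1
    : > "$home/.bashrc";    chmod 644 "$home/.bashrc"
    : > "$home/.wget-hsts"; chmod 664 "$home/.wget-hsts"
    echo "before:"; list_writable_dotfiles "$home"
    fix_writable_dotfiles "$home"
    echo "after: $(count_writable_dotfiles "$home") offending file(s)"
    rm -rf "$home"
}

demo
```

The fix is a one-time cleanup: a file that is deleted and created again gets whatever mode its creating program and the user's umask produce.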