Re: [bug #57766] Remove group-write permission from ~/.wget-hsts file

2020-02-09 Thread L A Walsh

On 2020/02/07 09:16, Jon Beilke wrote:

Working on improving the security of our Linux systems and one of the
recommendations is to ensure user dot files are not group or world writable
(CIS DIL 6.2.10), but wget generates the .wget-hsts file for users with group
write permissions.
  

   That's fine for some security setups, but I create each user with
their own group.  I really want to keep group write permissions and want
to get people to realize that having every end-user dictate their idea
of the "correct" security policy for all other systems is a route
to chaos.

   More specifically, I have different login id's on different systems
(like some specific to a host and others to a domain),  but I want them to
have the same access to group-owned files.  Relying on program creators
to implement your desired security policy doesn't seem wise and does
cause disruption to people who don't use your security policy.

   Anyway -- something to think about?





[bug #57766] Remove group-write permission from ~/.wget-hsts file

2020-02-07 Thread Jon Beilke
Follow-up Comment #3, bug #57766 (project wget):

Found the issue, one of our provisioning scripts was temporarily overriding
the umask while setting up another service and that service was making a wget
call thus generating the .wget-hsts file with the extra group write
permission.

Thanks again for the umask recommendation.

___

Reply to this item at:

  

___
  Message sent via Savannah
  https://savannah.gnu.org/




[bug #57766] Remove group-write permission from ~/.wget-hsts file

2020-02-07 Thread Jon Beilke
Follow-up Comment #2, bug #57766 (project wget):

Thanks Tim.

The umask is set to 027 which should leave group write permissions off the
.wget-hsts file based on your comment, but I'll keep digging to make sure I'm
not missing anything.

$ umask
0027





[bug #57766] Remove group-write permission from ~/.wget-hsts file

2020-02-07 Thread Tim Ruehsen
Update of bug #57766 (project wget):

      Status: None => Invalid
 Assigned to: None => rockdaboot
 Open/Closed: Open => Closed

___

Follow-up Comment #1:

We use POSIX fopen(fname, "w"). The file permissions are masked by your umask
setting.

From the man page of fopen:
   Any created file will have the mode S_IRUSR | S_IWUSR | S_IRGRP |
   S_IWGRP | S_IROTH | S_IWOTH (0666), as modified by the process's
   umask value (see umask(2)).

So if you are concerned about security, the umask is the first thing to check
and adjust.

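Tim's point above, as an added example that is not code from this thread or from wget: the program creates a file the way fopen(fname, "w") does under a chosen umask and reads back the mode the kernel actually applied, checks the result against the group/world-writable condition from CIS DIL 6.2.10, and shows the owner-only creation pattern a program would use if it did not want to inherit the caller's umask. The /tmp path is a constructed scratch location.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` via fopen(..., "w") while the umask is `mask` and return the
 * bits the kernel applied: fopen() asks for 0666, umask takes bits away.
 * Unlink first, since fopen("w") on an existing file keeps its old mode. */
mode_t mode_after_fopen(const char *path, mode_t mask)
{
    unlink(path);
    mode_t saved = umask(mask);
    FILE *fp = fopen(path, "w");
    umask(saved);                      /* restore before anything else runs */
    if (!fp) return (mode_t)-1;
    fclose(fp);
    struct stat st;
    if (stat(path, &st) != 0)
        return (mode_t)-1;
    return st.st_mode & 0777;
}

/* The CIS DIL 6.2.10 condition: writable by group or by others? */
int group_or_world_writable(mode_t mode)
{
    return (mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Defensive alternative: request 0600 explicitly and fchmod() the open
 * descriptor, so the result does not depend on an inherited umask. */
mode_t create_owner_only(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0) return (mode_t)-1;
    struct stat st;
    int rc = fchmod(fd, S_IRUSR | S_IWUSR) == 0 ? fstat(fd, &st) : -1;
    close(fd);
    return rc == 0 ? (st.st_mode & 0777) : (mode_t)-1;
}

int main(void)
{
    const char *p = "/tmp/hsts-umask-demo";   /* constructed scratch path */
    printf("umask 0002 -> %04o\n", (unsigned)mode_after_fopen(p, 0002));
    printf("umask 0027 -> %04o\n", (unsigned)mode_after_fopen(p, 0027));
    printf("owner-only -> %04o\n", (unsigned)create_owner_only(p));
    unlink(p);
    return 0;
}
```

With umask 0002 the result is 0664, the -rw-rw-r-- seen in the report; with umask 0027 it is 0640, which is why a script temporarily widening the umask is enough to change the file wget leaves behind.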




[bug #57766] Remove group-write permission from ~/.wget-hsts file

2020-02-07 Thread Jon Beilke
URL:
  

         Summary: Remove group-write permission from ~/.wget-hsts file
         Project: GNU Wget
    Submitted by: jrbeilke
    Submitted on: Fri 07 Feb 2020 11:16:09 AM CST
        Category: Feature Request
        Severity: 3 - Normal
        Priority: 5 - Normal
          Status: None
         Privacy: Public
     Assigned to: None
 Originator Name: 
Originator Email: 
     Open/Closed: Open
 Discussion Lock: Any
         Release: trunk
Operating System: GNU/Linux
 Reproducibility: Every Time
   Fixed Release: None
 Planned Release: None
      Regression: None
   Work Required: None
  Patch Included: None

___

Details:

Working on improving the security of our Linux systems and one of the
recommendations is to ensure user dot files are not group or world writable
(CIS DIL 6.2.10), but wget generates the .wget-hsts file for users with group
write permissions.

Here's an example from a fresh Ubuntu 18.04.4 system with wget 1.19.4:
$ ls -al
total 40
drwxr-xr-x 6 vagrant vagrant 4096 Feb  7 17:04 .
drwxr-xr-x 4 root    root    4096 Feb  7 17:03 ..
-rw-r--r-- 1 vagrant vagrant  220 Jan 31 15:58 .bash_logout
-rw-r--r-- 1 vagrant vagrant 3771 Jan 31 15:58 .bashrc
drwx------ 2 vagrant vagrant 4096 Feb  7 17:03 .cache
drwx------ 3 vagrant vagrant 4096 Feb  7 17:03 .gnupg
-rw-r--r-- 1 vagrant vagrant  807 Jan 31 15:58 .profile
drwx------ 2 vagrant vagrant 4096 Feb  7 17:03 .ssh
-rw-rw-r-- 1 vagrant vagrant  165 Feb  7 17:04 .wget-hsts

Is there a specific wget feature/functionality that requires the .wget-hsts
file be writable by the group?

If not can the file be generated with 644 permissions instead?



