wget security

[sneader]

I have a potential new customer that is asking if we allow customers to use wget. I tried it with a random hosting account and I get:

[email protected] [~]# wget http://www.example.com/index.htm
-bash: /usr/bin/wget: Permission denied

I see that /usr/bin/wget has 700 permissions and is owned by root.

I'm assuming there are security repercussions of allowing wget for users. Anyway, I'd appreciate any general discussion about wget security, alternatives for users, etc.

Thanks!

- Scott

 

[brianoz]

There are horrible security repercussions - hackers use it to download their toolkits when they are trying to crack into your accounts, so keeping it turned off will save you a whole world of pain!

The two alternatives I can think of from the top of my head are:

create a wget group, make it perm 710 and change it's group to wget, and add users to wget group as needed

groupadd wget
chgrp wget /usr/bin/wget
chmod 710 /usr/bin/wget
usermod (options) username

(read the manual for relevant usermod options)

create a separate binary called "wget.4x" and tell only some users what the name of the binary is, with permissions 755:

cp /usr/bin/wget /usr/local/bin/wget.4x
chmod 711  /usr/local/bin/wget.4x

This second method is probably the easiest ...

 

[sneader]

Thanks very much!!

- Scott