I don't understand your response.  I don't know what chrooted users have
to do with this bug.
The problem is that you are allowing the dtc user to run any program
they wish as root.  This means that any apache vulnerability easily
becomes a remote root vulnerability.  If your intention is to let dtc
run any command as root (which I think is a very bad idea), then what is
the point of having the dtc user at all?

debian typically runs apache as the www-data user which has very few
privileges for good reasons.

stew

p.s.  please include bug#-submit...@bugs.debian.org in replies.

Attachment: pgpOwSdZaBuQR.pgp
Description: PGP signature

Reply via email to