I don't understand your response. I don't know what chrooted users have to do with this bug.
The problem is that you are allowing the dtc user to run any program they wish as root. This means that any Apache vulnerability easily becomes a remote root vulnerability. If your intention is to let dtc run any command as root (which I think is a very bad idea), then what is the point of having the dtc user at all? Debian typically runs Apache as the www-data user which has very few privileges for good reasons.

stew

p.s. please include bug#-submit...@bugs.debian.org in replies.