hi,

the webhook package, as it's packaged on Debian right now, contains a systemd unit *without* a User= field. That means if a user were to use this systemd unit for running webhook automatically, webhook would be running as root, and all user scripts would inherit that root user.

the security implications of this alone aren't catastrophic, as the worst that could happen is user-written scripts running as root, dispatched by an attacker's POST request, but i'm sure this could be chained together along with other vulnerabilities to do all kinds of nasty stuff.

just thought i'd let you know,
bercel
_______________________________________________
Pkg-go-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-go-maintainers
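
A check for the condition reported above, as an added example that is not part of the original message or of the Debian package: it reads a unit's [Service] section and reports whether the service would run as root. The unit text, the ExecStart placeholder path and the account name webhook-svc are constructed for illustration.

```python
# Added example: flag systemd units whose [Service] section leaves the
# process running as root (no User=, an emptied User=, or User=root/0).

# Constructed sample, NOT the unit shipped in the Debian package.
SAMPLE_UNIT = """\
[Unit]
Description=constructed sample unit

[Service]
ExecStart=/path/to/webhook
"""

# Same unit with an unprivileged account; "webhook-svc" is a hypothetical name.
HARDENED_UNIT = SAMPLE_UNIT + "User=webhook-svc\nGroup=webhook-svc\n"


def service_settings(unit_text):
    """Return the effective (last assigned) value of each [Service] key."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()  # later assignment wins
    return settings


def runs_as_root(unit_text):
    """True when the service, and anything it spawns, would run as root."""
    s = service_settings(unit_text)
    user = s.get("User", "")                   # an empty User= resets to the default
    if user not in ("", "root", "0"):
        return False
    # DynamicUser=yes allocates an unprivileged transient user when User= is unset.
    if user == "" and s.get("DynamicUser", "no").lower() in ("yes", "true", "1", "on"):
        return False
    return True


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, "runs as root:", runs_as_root(text))
```

The parser only looks at a single unit file; drop-in overrides under a .d directory would have to be concatenated onto the text in load order before calling runs_as_root.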
