[pkg-go] Bug#994945: webhook should not run as root by default
Antoine Beaupre
anarcat at debian.org
Thu Sep 23 17:05:43 BST 2021
Package: webhook
Severity: normal
I was surprised to find out that this package starts a user-facing
daemon as root, by default (when the config file is created, that
is).
That seems like poor security, and it seems to me the package should
create a user on install.
-- System Information:
Debian Release: 11.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages webhook depends on:
ii libc6 2.31-13
webhook recommends no packages.
webhook suggests no packages.
More information about the Pkg-go-maintainers
mailing list