[pkg-go] Bug#994945: webhook should not run as root by default

Antoine Beaupre anarcat at debian.org
Thu Sep 23 17:05:43 BST 2021

Package: webhook
Severity: normal

I was surprised to find out that this package starts a user-facing
daemon as root, by default (when the config file is created, that

That seems like poor security, and it seems to me the package should
create a user on install.

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages webhook depends on:
ii  libc6  2.31-13

webhook recommends no packages.

webhook suggests no packages.

More information about the Pkg-go-maintainers mailing list