[pkg-go] 'webhook' package has a security oversight
Bercel Varga
varga.bercel.i at gmail.com
Fri Jan 30 17:34:53 GMT 2026
hi,

the webhook package, as it's packaged on debian right now, contains a
systemd unit *without* a User= field. That means if a user was to use this
systemd unit for running webhook automatically, webhook would be running as
root, and all user scripts would inherit that root user.

the security implications of this alone aren't catastrophic, as the worst
that could happen is user-written scripts running as root, dispatched by an
attacker's POST request, but i'm sure this could be chained together along
with other vulnerabilities to do all kinds of nasty stuff.

just thought i'd let you know,
bercel
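
Added example, not part of the original message and not code from the Debian package: a small check that merges a unit file with its drop-ins and reports whether a systemd system service would still run as root, which is the condition the report describes. The unit text, the example-daemon path and the "hookrunner" account are constructed placeholders.

```python
# Added example: does a systemd *system* service end up running as root?
# All unit text below is constructed sample data, not the packaged webhook unit.

TRUE_VALUES = {"1", "yes", "true", "on"}  # systemd boolean spellings

def service_settings(*unit_texts):
    """Merge [Service] keys from a unit file and its drop-ins, in load order.

    Only last-assignment-wins settings such as User= are modelled here;
    list settings and backslash line continuations are not handled.
    """
    settings = {}
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Service" and "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip()
    return settings

def runs_as_root(*unit_texts):
    """True when neither User= nor DynamicUser= moves the service off root."""
    s = service_settings(*unit_texts)
    if s.get("DynamicUser", "").lower() in TRUE_VALUES:
        return False
    # A missing or empty User= leaves the default, which is root for system services.
    return s.get("User", "") in ("", "root", "0")

UNIT_WITHOUT_USER = """\
[Unit]
Description=Example hook dispatcher (constructed)

[Service]
ExecStart=/usr/bin/example-daemon
"""

# Hypothetical drop-in, e.g. created with `systemctl edit <unit>`; "hookrunner"
# is a placeholder for a dedicated unprivileged account.
DROPIN_WITH_USER = """\
[Service]
User=hookrunner
Group=hookrunner
"""
```

Calling runs_as_root() with the unit text first and any drop-ins after it mirrors the order in which systemd applies them.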