On Sat, 13 Aug 2011 09:27:18 +0800, Thomas Goirand <[email protected]> wrote:
> On 08/13/2011 12:27 AM, Ansgar Burchardt wrote:
> > * No privilege separation: everything -- including apache -- runs as
> > the user "dtc" which also owns config files for apache, bind and
> > others. This probably makes this user root-equivalent.
>
> But the latest Git version uses sbox to jail each customer in a chroot
> (running on a union filesystem using aufs), making it quite hard to be
> harmful.
And since the dtc user owns the chroot_template directory, a compromise of the dtc user means that any new chroots should be considered compromised. The www-data user that apache normally runs under has very few privileges for a reason. On sanely set up systems, the www-data user doesn't get to modify many files at all. In your setup, a compromise of the webserver gets to modify the named configuration, the MTA configuration, and, for instance, the ls binary that gets installed into the chroots you mention above...
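The argument in the message above is that an account which owns service configuration or the chroot template can alter it regardless of the mode bits, because an owner can always chmod a file back to writable. The following audit script is an added example and is not part of the thread or of the dtc package: given a numeric uid and gid, it lists every file or directory under the given paths that the account owns, can write through its group, or that is world-writable. The sample tree it builds under mktemp (a `bind/named.conf`, a `chroot_template/bin/ls` and a deliberately world-writable file) is constructed for the demonstration; a real audit would pass `/etc/bind`, `/etc/postfix`, `/etc/apache2` and the chroot template directory instead, with the uid and gid of the account apache runs as.

```shell
#!/bin/sh
# Added example (not from the thread): report paths a given account could
# alter. Ownership is flagged regardless of mode bits (an owner can chmod),
# group-writable paths are flagged when the gid matches, and world-writable
# paths are always flagged. Directories count too: owning a directory lets
# the account replace the files inside it. Numeric ids are used so the check
# also works for accounts not present in /etc/passwd on the auditing host.
set -eu

# writable_by_uid UID GID DIR...  -> prints each matching path, sorted
writable_by_uid() {
    uid=$1; gid=$2; shift 2
    find "$@" \( -uid "$uid" -o \( -gid "$gid" -perm -020 \) -o -perm -002 \) \
        -print 2>/dev/null | sort
}

# count_writable_by_uid UID GID DIR...  -> number of such paths
count_writable_by_uid() {
    writable_by_uid "$@" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for /etc/bind and the chroot template.
# Everything here is owned by whoever runs the script; one file is made
# world-writable on purpose so an unrelated uid still finds something.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bind" "$d/chroot_template/bin"
    printf 'options {};\n' > "$d/bind/named.conf"
    printf '#!/bin/sh\n' > "$d/chroot_template/bin/ls"
    printf 'x\n' > "$d/chroot_template/etc-passwd"
    chmod 0644 "$d/bind/named.conf"
    chmod 0755 "$d/chroot_template/bin/ls"
    chmod 0666 "$d/chroot_template/etc-passwd"   # world-writable on purpose
    printf '%s\n' "$d"
}

SAMPLE=$(build_sample_tree)
echo "Paths the account running this audit ($(id -un)) owns or can write:"
writable_by_uid "$(id -u)" "$(id -g)" "$SAMPLE"
echo "Paths an unrelated uid/gid (4242424) could write:"
writable_by_uid 4242424 4242424 "$SAMPLE"
rm -rf "$SAMPLE"
```

Run against the directories a web-facing account owns, a non-empty result for that account's uid is the root-equivalence the message describes: the config for named or the MTA, or a binary that will be copied into every new chroot, is under the control of whoever compromises the web server.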

