You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The way ticket rendering is implemented now is that the Dramatiq service worker, running as www-data, invokes the Docker binary directly. Nothing wrong with that per se, except that if anything takes over www-data, they can call Docker, and so they can just mount, rip and tear whatever they want on the system. Figure out a way to strip that privilege from www-data cleanly.
The text was updated successfully, but these errors were encountered:
The way ticket rendering is implemented now is that the Dramatiq service worker, running as www-data, invokes the Docker binary directly. Nothing wrong with that per se, except that if anything takes over www-data, they can call Docker, and so they can just mount, rip and tear whatever they want on the system. Figure out a way to strip that privilege from www-data cleanly.
The text was updated successfully, but these errors were encountered: