dns plugin: reset environment

in addition to switching to nobody:nogroup, to reduce things exposed to
the dnsapi plugins

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/src/PVE/ACME/DNSChallenge.pm b/src/PVE/ACME/DNSChallenge.pm
index 8e61c254e8368c75a67a85142606187b0c49541e..869f858ba0884b82fb65772117e13a612ee3a9ab 100644 (file)
--- a/src/PVE/ACME/DNSChallenge.pm
+++ b/src/PVE/ACME/DNSChallenge.pm
@@ -160,7 +160,7 @@ my $proxmox_acme_command = sub {
 
     # for security reasons, we execute the command as nobody
     # we can't verify that the code of the DNSPlugins are harmless.
-    my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--"];
+    my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
 
     # The order of the parameters passed to proxmox-acme is important
     # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]