From: Fabian Grünbichler
Date: Fri, 17 Apr 2020 12:42:24 +0000 (+0200)
Subject: dns plugin: reset environment
X-Git-Url: https://git.proxmox.com/?p=proxmox-acme.git;a=commitdiff_plain;h=f0ed07330cd559e4971946201ef749d55ef9bcaa
dns plugin: reset environment
in addition to switching to nobody:nogroup, to reduce things exposed to the dnsapi plugins
Signed-off-by: Fabian Grünbichler
---
diff --git a/src/PVE/ACME/DNSChallenge.pm b/src/PVE/ACME/DNSChallenge.pm
index 8e61c25..869f858 100644
--- a/src/PVE/ACME/DNSChallenge.pm
+++ b/src/PVE/ACME/DNSChallenge.pm
@@ -160,7 +160,7 @@ my $proxmox_acme_command = sub {
 # for security reasons, we execute the command as nobody
 # we can't verify that the code of the DNSPlugins are harmless.
- my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--"];
+ my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
 # The order of the parameters passed to proxmox-acme is important
 # proxmox-acme $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
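Review bot: The comment above `$cmd` still explains only the switch to nobody, so the reason for `--reset-env` is recorded only in the commit message; extend it with something like `# also reset the environment, so plugins inherit no variables from the calling process`. It is worth stating there that setpriv re-initialises HOME, SHELL, USER, LOGNAME and PATH for the target user, so anything a dnsapi plugin needs must arrive through the arguments listed below rather than through the environment. Because the plugin code is explicitly treated as unverified, `--no-new-privs` looks like a natural companion flag on the same line, so the child cannot gain privileges through setuid binaries; this is a hardening suggestion to evaluate, not a defect visible in the hunk. The enclosing sub begins and ends outside the hunk.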