From f0ed07330cd559e4971946201ef749d55ef9bcaa Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Fri, 17 Apr 2020 14:42:24 +0200
Subject: [PATCH] dns plugin: reset environment
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

in addition to switching to nobody:nogroup, to reduce things exposed to the dnsapi plugins

Signed-off-by: Fabian Grünbichler
---
 src/PVE/ACME/DNSChallenge.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/ACME/DNSChallenge.pm b/src/PVE/ACME/DNSChallenge.pm
index 8e61c25..869f858 100644
--- a/src/PVE/ACME/DNSChallenge.pm
+++ b/src/PVE/ACME/DNSChallenge.pm
@@ -160,7 +160,7 @@ my $proxmox_acme_command = sub {

 # for security reasons, we execute the command as nobody
 # we can't verify that the code of the DNSPlugins are harmless.
- my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--"];
+ my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];

 # The order of the parameters passed to proxmox-acme is important
 # proxmox-acme $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
--
2.39.2
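Review bot: The comment above the changed `$cmd` line still describes only the switch to nobody, so the reason for `--reset-env` lives only in the commit message; I would add a line such as `# --reset-env: start the plugin from a clean environment, nothing from the calling process leaks in`. Per setpriv(1) the option keeps TERM and re-initialises HOME, SHELL, USER, LOGNAME and PATH, so anything a dnsapi plugin previously picked up from the inherited environment (proxy variables, for instance) is no longer there, which is worth stating next to the flag. The reset covers environment variables only; inherited file descriptors and the working directory are presumably unchanged, and the context comment suggests `$plugin_conf_string` is still passed as a command-line argument, so those remain separate exposure paths to check. The body of `$proxmox_acme_command` starts and ends outside this hunk, so how `$cmd` is extended and run is not visible here.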