nixos/nextcloud: Remove --preserve-env in sudo

This helps supporting sudo-rs, which currently does not implement the --preserve-env flag and probably won't so in the foreseeable future [1]. The replacement just sets both environment variables behind the sudo invocation with env, as sudo-rs also doesn't implement env var lists. The OC_PASS variable is dropped, as it is seemingly unused and would leak through this approach through /proc. [1] https://github.com/memorysafety/sudo-rs/issues/129
2024-06-22 15:56:27 +02:00 · 2024-06-22 15:56:27 +02:00 · af072cfb55
commit af072cfb55
parent cfdae65b07
1 changed files with 3 additions and 3 deletions
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@ -91,10 +91,10 @@ let
    cd ${webroot}
    sudo=exec
    if [[ "$USER" != nextcloud ]]; then
-      sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS'
+      sudo='exec /run/wrappers/bin/sudo -u nextcloud'
    fi
-    export NEXTCLOUD_CONFIG_DIR="${datadir}/config"
-    $sudo \
+    $sudo ${pkgs.coreutils}/bin/env \
+      NEXTCLOUD_CONFIG_DIR="${datadir}/config" \
      ${phpCli} \
      occ "$@"
  '';