Commit af072cfb authored by Mynacol's avatar Mynacol

nixos/nextcloud: Remove --preserve-env in sudo

This helps support sudo-rs, which currently does not implement the
--preserve-env flag and probably won't do so in the foreseeable future [1].

The replacement just sets both environment variables behind the sudo
invocation with env, as sudo-rs also doesn't implement env var lists.

The OC_PASS variable is dropped, as it is seemingly unused and would
leak through this approach through /proc.

[1] https://github.com/memorysafety/sudo-rs/issues/129
parent cfdae65b
+3 −3
@@ -91,10 +91,10 @@ let
    cd ${webroot}
    sudo=exec
    if [[ "$USER" != nextcloud ]]; then
      sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS'
      sudo='exec /run/wrappers/bin/sudo -u nextcloud'
    fi
    export NEXTCLOUD_CONFIG_DIR="${datadir}/config"
    $sudo \
    $sudo ${pkgs.coreutils}/bin/env \
      NEXTCLOUD_CONFIG_DIR="${datadir}/config" \
      ${phpCli} \
      occ "$@"
  '';
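Review bot: Dropping `--preserve-env=OC_PASS` on the `sudo=` line means a caller who is not already `nextcloud` can no longer hand a password to occ through the environment. Nextcloud's `occ user:add` and `occ user:resetpassword` read `OC_PASS` when given `--password-from-env`, so the variable is not unused upstream. With sudo's usual environment reset the value is presumably stripped before PHP starts, and users may then fall back to less safe ways of supplying the password. Keeping it out of the `env` argument list is right, since arguments are readable in `/proc/<pid>/cmdline` by other local users, but the limitation deserves a comment above the `$sudo` call, e.g. `# OC_PASS is deliberately not forwarded: as an env(1) argument it would be visible in /proc/<pid>/cmdline, so --password-from-env only works when already running as nextcloud.` The enclosing `let` binding starts outside the hunk.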