From: "Theo de Raadt"
Subject: Re: acme-client: add challenge hook to support dns-01
To: Florian Obser, ports@openbsd.org, Evan Silberman
Date: Sat, 24 Feb 2024 18:07:11 -0700

Christopher Zimmermann wrote:
> Thanks for your feedback guys. I tried to improve the interface by
> calling the hook for each challenge individually and send
> information from acme-client via environment variables, which are
> checked against a restrictive alphabet. This makes dropping privileges
> easier and passing random crap from the internet harder.
>
> Privileges can now be dropped with this idiom:
>
> [ `/usr/bin/who -m |cut -d ' ' -f 1` == 'nobody' ] ||
> exec /usr/bin/su -s /bin/sh nobody -s "$@" <"$0"

Wow. Just wow. No way.

That's the type of stuff people did in 1999. These days, we build the minimal narrow layers of communication between things, and we don't throw a shell script in there that uses "nobody" as a safe UID (it is not a safe UID).