vyos-op-run: T8005: sanitize environment variables to prevent malicious variable injection

[dmbaturin]

Change summary

Executing commands with root privileges on behalf of operator-level users in a user-supplied environment defeats the purpose because the user can then influence the execution by overriding environment variables used by the system or scripts — in the simplest case, by placing a script named ip in some location and adding that to $PATH.

We need to execute commands in a carefully-prepared environment that includes only knowingly-safe values.

This solution is modeled after doas — a lightweight alternative to sudo that originates from OpenBSD.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

Related PR(s)

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[jestabro]

This is well reasoned; a quick sanity check reveals no issue with build and run.

[hedrok]

I'm neither OCaml nor security expert, but everything looks quite robust.
I've launched strace like this:

strace -o trace ./vyos_op_run.exe --debug --dry-run show version

I can't see any dependencies on calls/files that non-priviliged user can exploit.

(had to comment out (*let () = Unix.setuid 0 in*) for strace to work)