OS environment not passed to plugin exec.Command

[arodd]

Describe the bug
When launching an external plugin binary, the vault process environment is not passed into the plugin command execution. This is important for things like the Oracle vault plugin that leverages an external client library that is by default installed in a non-standard library path "/usr/lib/oracle/12.2/client64/lib". When passing an LD_LIBRARY_PATH variable to the vault process that includes this path, it is not passed on to the plugin execution environment.

To Reproduce
Steps to reproduce the behavior:

1. Start the vault process with an updated LD_LIBRARY_PATH variable

$ LD_LIBRARY_PATH=/usr/lib/oracle/12.2/client64/lib vault server -config=/etc/vault/vault.hcl -log-level=trace

2. Enable and configure the Oracle plugin as defined in the below documentation.
   https://www.vaultproject.io/docs/secrets/databases/oracle.html#setup
3. The vault logs report they are unable to locate the shared library files because they are not in the standard paths.

Expected behavior
It is expected that the Vault process would pass the OS environment(including LD_LIBRARY_PATH) into the secondary plugin process so that it can find the client libraries outside of the standard library paths.

Environment:

• Vault Server Version (retrieve with vault status): 0.10.4
• Vault CLI Version (retrieve with vault version): 0.10.4
• Server Operating System/Architecture: Centos 7 Linux x86_64

Vault server configuration file(s):

plugin_directory = "/var/lib/vault/plugins"
ui = true

storage "file" {
  path = "/var/lib/vault/data"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable = 1
}

Additional context

vault/helper/pluginutil/runner.go

Line 68 in df18871

cmd.Env = append(cmd.Env, env...)

os.Environ() could be included which would then pass the current process environment into the plugin execution environment.

[jefferai]

Vault doesn't pass the OS environment on purpose; various sensitive values can be in the env vars used when starting Vault and we don't want to pass those to plugins. (We may not know the full spectrum of what they are, so simply overwriting isn't enough.)

We could add a field of allowed pass-through environment variables to the plugin catalog. Then you can specify which ones should be passed through to the child process. Or, we could allow directly specifying key-value pairs. Or both (e.g. we could have passthrough_env and additional_env or so).

[jefferai]

(Also, the easy workaround is to update ld.so.conf -- in fact on my system, it appears I already have an /etc/ld.so.conf.d/oracle.conf with that exact value in it).

[arodd]

That makes sense that we wouldn't necessarily want to pass them all through in certain situations. I think adding key value pairs or a whitelist to the catalog configuration would cover the use cases. I could see the whitelist being desired in certain situations if you were passing unique values per server instance for some reason(not necessarily applicable with LD_LIBRARY_PATH). The note around overriding the default library configuration system-wide is useful as well, Thanks!