vyos-op-run — the command runner that gives operator-level users a way to execute commands that require root privileges — has the suid bit and executes privileged commands on behalf of unprivileged users.
The security of that rests on two facts: vyos-op-run only executes commands that are associated with operational command definitions via the <command> tag, and it rejects arguments that contain non-alphanumeric characters.
However, if it executes commands in a user-supplied environment, a malicious operator user can execute arbitrary commands. The simplest case is that the user supplies a custom $PATH that points to a directory containing a malicious script called ip:
    #!/bin/sh
    echo "This is a malicious version of iproute2!"
    /sbin/ip "$@"
Then PATH=/tmp:$PATH vyos-op-run show interfaces, or any other command that uses ip, would end up calling that script instead of the real /sbin/ip.
There is no way we can allow operator-level users to supply their own environment variables to vyos-op-run when doing so has any potential for arbitrary code execution.
The solution can be modeled after sudo or, for a simpler example to follow, doas: https://github.com/Duncaen/OpenDoas/blob/master/env.c#L106-L111
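The doas-style approach referenced above, as an added defensive example (not vyos-op-run's or doas's own code): start from an empty environment, pin PATH to a fixed value, set the identity variables for the target user, copy only a short allowlist of caller variables, resolve the command against that fixed PATH, and apply the alphanumeric argument rule before executing. The allowlist, SAFE_PATH value and function names are assumptions for this example.

```python
import re
import shutil
import subprocess

# Fixed search path for privileged commands; never taken from the caller.
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

# Caller variables that are harmless to pass through. Constructed allowlist
# for this example, in the spirit of doas's short copy set.
COPY_VARS = ("TERM", "DISPLAY")

# Argument policy described in the report: strictly alphanumeric.
ARG_RE = re.compile(r"^[A-Za-z0-9]+$")


def build_clean_env(caller_env, home, user):
    """Build the environment for the privileged child from scratch.
    PATH is pinned, identity variables are set for the target user, and
    only allowlisted caller variables are copied. Everything else the
    caller set (PATH, LD_*, PYTHONPATH, IFS, BASH_ENV, ...) is dropped."""
    env = {"PATH": SAFE_PATH, "HOME": home, "USER": user, "LOGNAME": user}
    for name in COPY_VARS:
        value = caller_env.get(name)
        if value is not None and "\0" not in value:
            env[name] = value
    return env


def check_args(args):
    """Return True only if every argument is strictly alphanumeric."""
    return all(ARG_RE.fullmatch(a) for a in args)


def run_op_command(command, args, caller_env, home="/nonexistent", user="nobody"):
    """Resolve `command` against SAFE_PATH (never the caller's PATH), validate
    the arguments and execute with the sanitised environment. Returns the
    CompletedProcess; raises ValueError when policy is violated."""
    if not check_args(args):
        raise ValueError("argument contains non-alphanumeric characters")
    env = build_clean_env(caller_env, home, user)
    path = shutil.which(command, path=env["PATH"])
    if path is None:
        raise ValueError(f"{command!r} not found on the fixed PATH")
    return subprocess.run([path, *args], env=env, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed hostile caller environment: PATH hijack plus LD_PRELOAD.
    hostile = {"PATH": "/tmp:/usr/bin", "LD_PRELOAD": "/tmp/evil.so", "TERM": "xterm"}
    print(run_op_command("env", [], hostile).stdout)  # shows only the pinned, clean variables
```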