Description
When a process has privileges, the kernel sanitizes the environment file (removing LD_*).
The libc goes further, and offers a secure_getenv that returns no environment at all when the caller has some privileges, which is intended for libraries whenever trusting the environment would not be wise.
In OCaml the logic goes the other way: Unix.getenv will return no environment whenever the process has any privilege, and one must call safe_getenv to read the real environment (the one already sanitized by the kernel).
As a result, a privileged program using cmdliner will not see the envvars (even though they are defined, exported, and "strace -e execve" shows them, which is a bit confusing (ask me how I know ;)).
I propose that cmdliner uses safe_getenv to get the command line values. After all, the user program defines those values, so if the program is indeed privileged the user can't be caught by surprise.
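To make the libc behaviour discussed in this issue observable, here is an added C example (not cmdliner's or OCaml's code) that reads the AT_SECURE auxiliary-vector flag the kernel sets for privileged executions and compares `getenv` with `secure_getenv` on a constructed variable. It assumes Linux with glibc; the variable name `DEMO_OPT` is made up for the demonstration.

```c
#define _GNU_SOURCE          /* exposes secure_getenv in glibc's <stdlib.h> */
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>

/* Explicit prototype in case <stdlib.h> was already pulled in before
   _GNU_SOURCE was defined (glibc only declares it under that macro). */
extern char *secure_getenv(const char *name);

/* 1 if the kernel started this process in "secure" mode (setuid/setgid
   binary, file capabilities, ...). This is the AT_SECURE flag that ld.so
   uses to decide whether to honour LD_* variables, and the flag glibc's
   secure_getenv checks before answering. */
int process_is_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Look a variable up both ways. Returns:
 *   0 - not set at all
 *   1 - visible through getenv and secure_getenv (unprivileged process)
 *   2 - set, but hidden by secure_getenv (privileged process)
 */
int env_visibility(const char *name)
{
    const char *plain = getenv(name);
    const char *secure = secure_getenv(name);
    if (plain == NULL)
        return 0;
    return secure == NULL ? 2 : 1;
}

int main(void)
{
    /* Constructed sample variable, standing in for an option cmdliner
       would read from the environment. */
    setenv("DEMO_OPT", "from-environment", 1);
    printf("AT_SECURE=%d  DEMO_OPT visibility=%d\n",
           process_is_secure(), env_visibility("DEMO_OPT"));
    return 0;
}
```

Run as an ordinary user, `env_visibility` returns 1 (both lookups agree). Run the same binary setuid-root or with file capabilities and AT_SECURE becomes 1, `secure_getenv` returns NULL, and the function returns 2: the variable is present in the process environment (as `strace -e execve` would confirm) but a secure lookup will not report it, which is the symptom the issue describes for cmdliner's environment-backed options.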