[systemd-devel] Environment-variable security?

Marek Howard marekhwd at gmail.com
Wed Nov 14 00:35:38 UTC 2018


Lennart Poettering writes on Tue 13. 11. 2018 at 15:17 +0100:
> On Tue, 13.11.18 07:49, David Parsley (parsley at linuxjedi.org) wrote:
> 
> > I disagree; privacy of environment variables to individual users on the
> > system is as fundamental as Unix file permissions. If a privileged process
> > (systemd) is configured to start a service and provide environment
> > variables to an unprivileged service account, it is a reasonable
> > expectation that said environment is only available to root and the service
> > account (and its child processes), and not other arbitrary
> > users/processes. From a system security engineering perspective, it would
> > be better if systemd didn't start a service at all with 0600 on the unit
> > file, rather than violate the principle of Unix environment privacy, and in
> > fact should actually just check the world-read bit.
> 
> Well, you are of course welcome to ignore whatever I say, but again,
> environment blocks are leaky, they propagate down the process tree,
> and are *not* generally understood as being secret.

It is not *that* common to pass secrets via environment variables, but
it's nothing unusual, and many programs offer this interface. OpenVPN
comes to mind. Where such an interface is offered, propagating down the
process tree is usually not a concern, because such programs usually
don't fork "untrusted" programs.

It's quite a handy way to pass secrets and, as I said above, there's
really no risk if it's done in cases where it makes sense. Of course
systemd leaking it to everyone makes it not usable with systemd, but
that's not really a problem with environment variables.
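The two behaviours argued about above, inheritance of the environment block by every child and the scrub a program has to do before it forks anything it does not trust, as an added Python example. This is not code from the thread or from systemd or OpenVPN; the variable name and value are constructed for the demo, and the /proc/self/environ check is Linux-specific and returns None elsewhere.

```python
"""How an environment variable reaches child processes, how to keep it
from them, and why unsetenv() alone does not hide it on Linux."""
import os
import subprocess
import sys

# Constructed variable name and value for this example only.
SECRET_VAR = "DEMO_SECRET"
SECRET_VAL = "hunter2"


def child_has_var(var, env=None):
    """Spawn a child interpreter and report whether `var` is in its environment.
    env=None means the child inherits the parent's full environ, which is the
    default for fork()+execve()."""
    code = f"import os, sys; sys.stdout.write('1' if {var!r} in os.environ else '0')"
    proc = subprocess.run([sys.executable, "-c", code], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout == "1"


def child_proc_environ_after_unsetenv(var, env):
    """Spawn a child with `env`, have it pop `var` (unsetenv), then read its own
    /proc/self/environ. On Linux that file shows the environment as it was at
    execve time, readable by the process owner and root, so the value is still
    there. Returns True/False, or None where /proc/self/environ does not exist."""
    code = (
        "import os, sys\n"
        f"os.environ.pop({var!r}, None)\n"
        "try:\n"
        "    data = open('/proc/self/environ', 'rb').read()\n"
        f"    sys.stdout.write('1' if {var!r}.encode() + b'=' in data else '0')\n"
        "except FileNotFoundError:\n"
        "    sys.stdout.write('?')\n"
    )
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True).stdout
    return None if out == "?" else out == "1"


def run_demo():
    """Return (inherited, scrubbed, still_in_proc) for the three cases."""
    # Pretend this process was started with the secret in its environment.
    os.environ[SECRET_VAR] = SECRET_VAL

    # 1. Default: a child started without an explicit env gets a full copy.
    inherited = child_has_var(SECRET_VAR)

    # 2. Scrub before exec: build the child's environment without the secret.
    scrubbed_env = {k: v for k, v in os.environ.items() if k != SECRET_VAR}
    scrubbed = child_has_var(SECRET_VAR, env=scrubbed_env)

    # 3. Popping the variable inside the child does not remove it from the
    #    execve-time block that /proc/<pid>/environ exposes (Linux).
    still_in_proc = child_proc_environ_after_unsetenv(SECRET_VAR, dict(os.environ))

    return inherited, scrubbed, still_in_proc


if __name__ == "__main__":
    print(run_demo())  # on Linux: (True, False, True)
```

The point for anyone relying on this interface: the only reliable control is to not hand the variable to a child you do not trust, by building that child's environment explicitly before exec. Dropping it with unsetenv() after startup keeps it out of further children but, on Linux, leaves it visible in /proc/<pid>/environ to the same uid and to root, so it is not a substitute for passing a reduced environment.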
