[systemd-devel] Environment-variable security?
Michael Chapman
mike at very.puzzling.org
Wed Nov 14 06:39:33 UTC 2018
On Tue, 13 Nov 2018, David Parsley wrote:
> I already scrub the environment when executing external scripts, and I've
> found that even after os.Unsetenv(...) the full environment is available to
> all processes owned by the robot in /proc/<pid>/environ.
I'm a bit hesitant to enter this already-too-heated discussion, but I
think this point here is important.
Yes, a process can clear or sanitize its environment, and once that is
done you can be confident the variables won't be propagated to child
processes. It is important that this be done as early as possible, of
course.
But this sanitization does not necessarily clean up the _original_
environment passed in from the kernel, and this memory is still readable
to other processes running as that user through that /proc/$pid/environ
file. Certainly, glibc's environment-manipulation functions (i.e.
setenv(3), putenv(3), unsetenv(3) and clearenv(3)) do not overwrite it.
If a process wants to hide this content, it needs to explicitly overwrite
this memory or change its address range using prctl(2). Maybe you can
investigate whether this is possible in Python.