[systemd-devel] Environment-variable security?

Lennart Poettering lennart at poettering.net
Fri Nov 30 13:53:57 UTC 2018


On Fr, 30.11.18 14:25, Marek Howard (marekhwd at gmail.com) wrote:

> - Lennart keeps repeating that passing secrets via environment variable
> is insecure because they are passed down the process tree. They are, if
> you choose so in execve(), they are also readable by other processes
> running under same user from /proc/$PID/environ just like your
> ~/.bashrc or ~/.netrc. (Don't even start telling me that ~/.netrc is
> insecure please. Of course it is once you let other users read it.)

Well, they are propagated down the process tree *by default*. That's
the problem. Almost nothing in this world sanitizes env vars. su/sudo
do, but everything else passes them on, including across suid/sgid/fcaps
priv boundaries.

So, it doesn't matter if you *can* suppress them. Fact is that they
generally are *not* suppressed, and you can stick your head in the
sand as much as you like, but that's not going to change.

Why do you think the per-session, per-user, per-process, per-thread
kernel keyring was added if env vars would be fine? Precisely because
you can limit exactly how the passwords are propagated, and every
access to them requires a priv check. And that's what you want here:
control of propagation and access checks on read.

If you store the passwords in some file, and set an env var to the file,
you'll get the access checks at least (though still no propagation
control), which is why I am proposing that to you.

Lennart

-- 
Lennart Poettering, Red Hat
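The propagation behaviour argued about above, as an added illustration that is not part of the thread or of systemd: a Python script spawns a small chain of processes that do nothing special (no sanitizing, just inherit-and-forward, the way most programs behave) and asks the leaf what reached it. The first run puts the secret itself into the environment; the second stores it in an owner-only (0600) file and passes only the path. The variable names `DEMO_SECRET` and `DEMO_SECRET_FILE`, the chain depth, and the sample secret are constructed for the example.

```python
import json
import os
import subprocess
import sys
import tempfile

# Constructed sample value for the demo; not a real credential.
SECRET = "hunter2-constructed-example"

# Script run at every level of the process chain. Intermediate levels simply
# re-exec themselves with the default (inherited) environment, which is what
# almost every real program does. The leaf reports what it can see.
CHILD_SCRIPT = r"""
import json, os, subprocess, sys
depth = int(sys.argv[1])
if depth > 0:
    # Intermediate: no sanitizing, the environment is forwarded unchanged.
    sys.exit(subprocess.run([sys.executable, __file__, str(depth - 1)]).returncode)
# Leaf: did the secret itself arrive, and can we open the secret file (if any)?
path = os.environ.get("DEMO_SECRET_FILE")
readable = False
if path:
    try:
        with open(path) as f:          # kernel permission check happens here
            readable = bool(f.read())
    except OSError:
        readable = False
print(json.dumps({"secret_in_env": "DEMO_SECRET" in os.environ,
                  "secret_file_readable": readable}))
"""


def base_env() -> dict:
    """Copy of our environment with the demo variables removed."""
    return {k: v for k, v in os.environ.items() if not k.startswith("DEMO_SECRET")}


def run_tree(depth: int, env: dict) -> dict:
    """Start a chain of `depth` intermediates plus one leaf; return the leaf's report."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "child.py")
        with open(script, "w") as f:
            f.write(CHILD_SCRIPT)
        r = subprocess.run([sys.executable, script, str(depth)], env=env,
                           capture_output=True, text=True, check=True)
        return json.loads(r.stdout.strip().splitlines()[-1])


def via_environment(depth: int = 3) -> dict:
    """Secret in an env var: it reaches the leaf through every unsanitized hop."""
    env = base_env()
    env["DEMO_SECRET"] = SECRET
    return run_tree(depth, env)


def via_file(depth: int = 3) -> dict:
    """Secret in a 0600 file, only the path in the environment.

    The path still propagates (no propagation control), but every read goes
    through the kernel's permission check on the file, so a process running
    as a different user would get EACCES instead of the secret.
    """
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "secret")
        fd = os.open(p, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # owner-only
        with os.fdopen(fd, "w") as f:
            f.write(SECRET)
        env = base_env()
        env["DEMO_SECRET_FILE"] = p
        return run_tree(depth, env)


if __name__ == "__main__":
    print("env var :", via_environment())   # secret_in_env=True
    print("file    :", via_file())          # secret_in_env=False, file readable by owner
```

On Linux the leaf's environment (secret included) is also exposed to any process with the same uid via /proc/$PID/environ, which is the other half of the complaint; the file variant does not change who can see the path, only that each access to the contents is mediated by the kernel.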
