[systemd-devel] Environment-variable security?

Marek Howard marekhwd at gmail.com
Fri Nov 30 16:04:39 UTC 2018


Lennart Poettering píše v Pá 30. 11. 2018 v 14:53 +0100:
> On Fr, 30.11.18 14:25, Marek Howard (marekhwd at gmail.com) wrote:
> 
> > - Lennart keeps repeating that passing secrets via environment variable
> > is insecure because they are passed down the process tree. They are, if
> > you choose so in execve(), they are also readable by other processes
> > running under same user from /proc/$PID/environ just like your
> > ~/.bashrc or ~/.netrc. (Don't even start telling me that ~/.netrc is
> > insecure please. Of course it is once you let other users read it.)
> 
> Well, they are propagated down the process tree *by default*. That's
> the problem. Almost nothing in this world sanitizes env vars. su/sudo
> do, but everything passes them on, including across suid/sgid/fcaps
> priv boundaries.
> 
> So, it doesn't matter if you *can* suppress them. Fact is that they
> generally are *not* suppressed, and you can stick your head in the
> sand as much as you like, but that's not going to change.

I understand, but that's by design and there's nothing wrong with that.
It's even useful for the case where you want wrap a thing with a
script.

I still don't understand why this is a problem. If a program expects a
secret being passed via environment variable, you don't expect this
program to spawn an executable which can do malicious execution (e.g.
that could be controlled by network) and if it really does, then that's
a bug in the program and reading a password from an environment
variable is least severe of the problems that come from it.



More information about the systemd-devel mailing list