[systemd-devel] Environment-variable security?
Lennart Poettering
lennart at poettering.net
Fri Nov 30 17:16:10 UTC 2018
On Fr, 30.11.18 17:04, Marek Howard (marekhwd at gmail.com) wrote:
> Lennart Poettering píše v Pá 30. 11. 2018 v 14:53 +0100:
> > On Fr, 30.11.18 14:25, Marek Howard (marekhwd at gmail.com) wrote:
> >
> > > - Lennart keeps repeating that passing secrets via environment variable
> > > is insecure because they are passed down the process tree. They are, if
> > > you choose so in execve(), they are also readable by other processes
> > > running under same user from /proc/$PID/environ just like your
> > > ~/.bashrc or ~/.netrc. (Don't even start telling me that ~/.netrc is
> > > insecure please. Of course it is once you let other users read it.)
> >
> > Well, they are propagated down the process tree *by default*. That's
> > the problem. Almost nothing in this world sanitizes env vars. su/sudo
> > do, but everything passes them on, including across suid/sgid/fcaps
> > priv boundaries.
> >
> > So, it doesn't matter if you *can* suppress them. Fact is that they
> > generally are *not* suppressed, and you can stick your head in the
> > sand as much as you like, but that's not going to change.
>
> I understand, but that's by design and there's nothing wrong with that.
> It's even useful for the case where you want wrap a thing with a
> script.
>
> I still don't understand why this is a problem. If a program expects a
> secret being passed via environment variable, you don't expect this
> program to spawn an executable which can do malicious execution (e.g.
> that could be controlled by network) and if it really does, then that's
> a bug in the program and reading a password from an environment
> variable is least severe of the problems that come from it.
Well, you don't know what libraries and code you use do in the
background. You know, what you you are doing is simply not how you do
security. When you do security you restrict access as much as you can,
you limit propagation. Env vars are the opposite of that.
But anyway, I think this discussion is pointless. I get the impression
that whatever I tell you you'll ignore it anyway, and keep asking
"why, why?".
But maybe it helps if it's not me who tells you this, but some other
web people:
https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/
http://movingfast.io/articles/environment-variables-considered-harmful/
https://blog.fortrabbit.com/how-to-keep-a-secret
That's just what a quick Google reveals.
Anyway, let's leave this discussion with that.
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list