[systemd-devel] Environment-variable security?

[Marek Howard]

Lennart Poettering píše v Pá 30. 11. 2018 v 18:16 +0100:
> On Fr, 30.11.18 17:04, Marek Howard (marekhwd at gmail.com) wrote:
> > I understand, but that's by design and there's nothing wrong with that.
> > It's even useful for the case where you want wrap a thing with a
> > script.
> > 
> > I still don't understand why this is a problem. If a program expects a
> > secret being passed via environment variable, you don't expect this
> > program to spawn an executable which can do malicious execution (e.g.
> > that could be controlled by network) and if it really does, then that's
> > a bug in the program and reading a password from an environment
> > variable is least severe of the problems that come from it.
> 
> Well, you don't know what libraries and code you use do in the
> background. You know, what you you are doing is simply not how you do
> security. When you do security you restrict access as much as you can,
> you limit propagation. Env vars are the opposite of that.
> 
> But anyway, I think this discussion is pointless. I get the impression
> that whatever I tell you you'll ignore it anyway, and keep asking
> "why, why?".

I get the same impression of you. I've repeated several times that
having libraries read environment variables is least sever concern if
you really expect code you execute to be malicious.

If using dedicated configuration file with secrets is supposed to
remedy it, then please explain to me how please. Because I've the
impression that if a malicious library can read environment variables,
it can pretty much read that configuration file as well.

And if you're that security conscious that you restrict system calls,
what are the odds that you forget to clean the environment?