Are environment variables visible to unprivileged users on Linux?

I’m trying to determine if, in Linux, environment variables for a process are observable by other (non-root) users.

The immediate use case is putting secrets into environment variables. This is discussed in many places throughout the web as being insecure, but I haven’t been able to zero in on the exact exposure point in Linux.

Note that I am not talking about putting cleartext secrets into files. Also note that I am not talking about exposure to the root account (I view attempting to hide secrets from an adversary with root as a nonstarter).

This question appears to address mine, with comments that classify environment variables as being completely without security, or only simply being obfuscated, but how does one access them?

In my tests one unprivileged user can’t observe environment variables for another user through the process table (‘ps auxwwe’). The commands that set environment variables (e.g. export) are shell builtins which don’t make it onto the process table and by extension aren’t in /proc/$pid/cmdline. /proc/$pid/environ is only readable by the UID of the process owner.

Perhaps the confusion is between different operating systems or versions. Various (recent) sources across the web decry the insecurity of environment variables, but my spot-checking of different Linux versions seems to indicate that this isn’t possible going back at least to 2007 (probably further but I don’t have boxes on hand to test).

In Linux, how can a non-privileged user observe environment variables for another’s processes?

Asked By: Joshua Miller


As Gilles explained in a very comprehensive answer to a similar question on security.stackexchange.com, process environments are only accessible to the user that owns the process (and root of course).

Answered By: guntbert

Environment variables are plenty secure. What the question you linked to is saying is that if the system is compromised, the only security benefit of using environment variables over a configuration file is obscurity. Meaning that if someone has gained root access, they can get to both.
Whether using environment variables for secret data is considered ‘obscure’ is also debatable. This is a very common practice, and therefore I would not consider it such.

You can only access the data stored in an environment variable in 2 places:

1. The running environment of the process

When the process is running, the environment variables of that process can be accessed through /proc/$PID/environ. However, only the user who owns the process, or root, can access that file.

2. The source of the environment variables

If you’re using an init script, and the variables are stored in that init script, the variables can of course be obtained by reading that script.

Or if the environment variables are coming from somewhere else, then wherever that is.

3. ‘ps’ output

Yeah, I know I said 2, and in any decent system, it will be 2. However if the admin doesn’t know what he’s doing, it’s possible to open up a 3rd avenue.

If the process is launched via something like sh -c 'cd /foo/bar; POP=tart /my/executable', then that sh process will be visible in ps:

$ sh -c 'cd /; POP=tart sleep 10' &
[1] 3085

$ ps ax | grep POP
phemmer   3085  14   5  0.0  0.0 SN         00:00 sh -c cd /; POP=tart sleep 10

Answered By: phemmer
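
The contrast drawn in the answers above (owner-only /proc/$PID/environ versus a command line that anyone can see in ps) can be checked on a host with the following added example, which is not part of the original question or answers. The function names and the NAME=value regex are assumptions made for illustration; the regex is a heuristic that also flags arguments such as `if=/dev/zero`, and only variable names are reported, never values.

```python
import os
import re
import stat

# Heuristic: a NAME=value token not preceded by option or path characters.
ASSIGN = re.compile(r"(?<![\w/.=-])([A-Za-z_][A-Za-z0-9_]*)=\S")

def argv_assignments(cmdline: bytes) -> list:
    """Names (never values) of NAME=value tokens found in a cmdline blob."""
    names = []
    for arg in cmdline.split(b"\0"):
        names += ASSIGN.findall(arg.decode("utf-8", "replace"))
    return names

def proc_file_modes(pid="self") -> dict:
    """Permission bits of the two /proc files the answers contrast."""
    return {f: stat.S_IMODE(os.stat(f"/proc/{pid}/{f}").st_mode)
            for f in ("environ", "cmdline")}

def audit_proc() -> list:
    """(pid, uid, names) for each process whose visible argv carries assignments."""
    findings = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                names = argv_assignments(fh.read())
            uid = os.stat(f"/proc/{pid}").st_uid
        except OSError:  # process exited, or /proc is mounted with hidepid
            continue
        if names:
            findings.append((int(pid), uid, names))
    return findings

# Constructed samples in /proc/<pid>/cmdline format (NUL-separated argv).
LEAKY = b"\0".join([b"sh", b"-c", b"cd /; POP=tart sleep 10"]) + b"\0"
CLEAN = b"\0".join([b"sleep", b"10"]) + b"\0"

if __name__ == "__main__":
    print(argv_assignments(LEAKY), argv_assignments(CLEAN))
    if os.path.isdir("/proc/self"):
        print({k: oct(v) for k, v in proc_file_modes().items()})
        for pid, uid, names in audit_proc():
            print(f"pid {pid} (uid {uid}) exposes in argv: {', '.join(names)}")
```

Run as an unprivileged user, it lists processes of any owner whose assignments ended up in argv, which is the third avenue described in the last answer.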