Re: Environment-variable security?

On Fr, 30.11.18 14:25, Marek Howard (marekhwd@xxxxxxxxx) wrote:

> - Lennart keeps repeating that passing secrets via environment variable
> is insecure because they are passed down the process tree. They are, if
> you choose so in execve(), they are also readable by other processes
> running under same user from /proc/$PID/environ just like your
> ~/.bashrc or ~/.netrc. (Don't even start telling me that ~/.netrc is
> insecure please. Of course it is once you let other users read it.)

Well, they are propagated down the process tree *by default*. That's
the problem. Almost nothing in this world sanitizes env vars. su/sudo
do, but everything passes them on, including across suid/sgid/fcaps
priv boundaries.

So, it doesn't matter if you *can* suppress them. Fact is that they
generally are *not* suppressed, and you can stick your head in the
sand as much as you like, but that's not going to change.

Why do you think the per-session, per-user, per-process, per-thread
kernel keyring was added if env vars would be fine? Precisely because
you can limit exactly how the passwords are propagated, and every
access to them requires a priv check. And that's what you want here:
control of propagation and access checks on read.

If you store the files in some file, and set an env var to the file
you'll get the access checks at least (though still no propagation
controller), which is why I am proposing that to you.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
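The three behaviours argued about above, as an added demonstration that is not code from this thread or from systemd: a child inherits the parent's environment unless the caller deliberately builds a new one for execve(), a process running as the same user can read another process's initial environment from /proc/$PID/environ, and a 0600 file whose path is passed in an environment variable still propagates the path but puts a kernel permission check in front of the secret itself. The variable names DEMO_SECRET and DEMO_SECRET_FILE and the secret value "hunter2" are constructed for the example; the /proc part assumes Linux and returns None elsewhere.

```python
"""Illustration of environment-variable secret propagation (added example).

Assumes a Linux host for the /proc/$PID/environ part; the variable names and
the secret value are constructed for this demo and carry no meaning elsewhere.
"""
import os
import stat
import subprocess
import sys
import tempfile

SECRET_VAR = "DEMO_SECRET"            # hypothetical variable name (assumption)
SECRET_FILE_VAR = "DEMO_SECRET_FILE"  # hypothetical variable name (assumption)
SECRET = "hunter2"                    # constructed sample secret

# Child program: print whatever it finds in SECRET_VAR, or nothing.
CHILD_READS_VAR = (
    "import os, sys; "
    f"sys.stdout.write(os.environ.get({SECRET_VAR!r}, ''))"
)


def run_child(env):
    """Spawn a Python child with exactly the given environment; return its stdout."""
    r = subprocess.run([sys.executable, "-c", CHILD_READS_VAR],
                       env=env, capture_output=True, text=True, check=True)
    return r.stdout


def inherited_secret():
    """Default case: the parent's environment is copied into the child verbatim."""
    env = dict(os.environ)
    env[SECRET_VAR] = SECRET
    return run_child(env)


def sanitized_secret():
    """Opt-in suppression: the caller must build an environment without the secret."""
    env = {k: v for k, v in os.environ.items() if k != SECRET_VAR}
    return run_child(env)


def secret_from_proc_environ():
    """Same-uid disclosure: read a sibling's initial environment via /proc/$PID/environ.

    Returns the secret if it could be read, None when /proc is unavailable or
    the read is denied (e.g. a non-Linux host or a hardened sandbox).
    """
    if not os.path.exists("/proc/self/environ"):
        return None
    env = dict(os.environ)
    env[SECRET_VAR] = SECRET
    # Popen returns only after the child's execve() succeeded, so its environ
    # block is already in place when we read it.
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"],
                             env=env)
    try:
        with open(f"/proc/{child.pid}/environ", "rb") as f:
            raw = f.read()
    except PermissionError:
        return None
    finally:
        child.kill()
        child.wait()
    # environ is a sequence of NUL-terminated KEY=VALUE strings.
    entries = (e.split(b"=", 1) for e in raw.split(b"\0") if b"=" in e)
    found = {k.decode(): v.decode() for k, v in entries}
    return found.get(SECRET_VAR)


def secret_via_file():
    """Lennart's suggestion: keep the secret in a 0600 file, pass only the path.

    The path still propagates down the tree, but every read of the content goes
    through the kernel's file permission check. Returns (content, file mode).
    """
    fd, path = tempfile.mkstemp()
    try:
        os.fchmod(fd, 0o600)          # owner-only; mkstemp already does this
        os.write(fd, SECRET.encode())
        os.close(fd)
        env = dict(os.environ)
        env[SECRET_FILE_VAR] = path
        code = (
            "import os, sys; "
            f"sys.stdout.write(open(os.environ[{SECRET_FILE_VAR!r}]).read())"
        )
        r = subprocess.run([sys.executable, "-c", code], env=env,
                           capture_output=True, text=True, check=True)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return r.stdout, mode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("inherited by default:      ", repr(inherited_secret()))
    print("after explicit sanitizing: ", repr(sanitized_secret()))
    print("read from /proc/PID/environ:", repr(secret_from_proc_environ()))
    print("via 0600 file + path var:  ", secret_via_file())
```

Run it as an unprivileged user: the first and third lines show the secret, the second shows nothing, and the last shows that the content only arrives through a file open that the kernel checked. What the file variant still does not give you is control over who inherits the path, which is the propagation control the message attributes to the kernel keyring.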