Re: Environment-variable security?

On Fr, 30.11.18 17:04, Marek Howard (marekhwd@xxxxxxxxx) wrote:

> Lennart Poettering wrote on Fri, 30. 11. 2018 at 14:53 +0100:
> > On Fr, 30.11.18 14:25, Marek Howard (marekhwd@xxxxxxxxx) wrote:
> > 
> > > - Lennart keeps repeating that passing secrets via environment variable
> > > is insecure because they are passed down the process tree. They are, if
> > > you choose so in execve(), they are also readable by other processes
> > > running under same user from /proc/$PID/environ just like your
> > > ~/.bashrc or ~/.netrc. (Don't even start telling me that ~/.netrc is
> > > insecure please. Of course it is once you let other users read it.)
> > 
> > Well, they are propagated down the process tree *by default*. That's
> > the problem. Almost nothing in this world sanitizes env vars. su/sudo
> > do, but everything passes them on, including across suid/sgid/fcaps
> > priv boundaries.
> > 
> > So, it doesn't matter if you *can* suppress them. Fact is that they
> > generally are *not* suppressed, and you can stick your head in the
> > sand as much as you like, but that's not going to change.
> 
> I understand, but that's by design and there's nothing wrong with that.
> It's even useful for the case where you want to wrap a thing with a
> script.
> 
> I still don't understand why this is a problem. If a program expects a
> secret to be passed via an environment variable, you don't expect this
> program to spawn an executable which can do malicious execution (e.g.
> one that could be controlled over the network), and if it really does,
> then that's a bug in the program and reading a password from an
> environment variable is the least severe of the problems that come from it.

Well, you don't know what libraries and code you use do in the
background. You know, what you are doing is simply not how you do
security. When you do security you restrict access as much as you can,
you limit propagation. Env vars are the opposite of that.

But anyway, I think this discussion is pointless. I get the impression
that whatever I tell you you'll ignore it anyway, and keep asking
"why, why?".

But maybe it helps if it's not me who tells you this, but some other
web people:

https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/
http://movingfast.io/articles/environment-variables-considered-harmful/
https://blog.fortrabbit.com/how-to-keep-a-secret

That's just what a quick Google reveals.

Anyway, let's leave this discussion with that.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
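The two mechanisms argued about above, inheritance across execve() by default and same-user reads of /proc/$PID/environ, can be reproduced in a few lines. The following is an added example for this archived thread; it is not code from systemd or from either poster. The variable name DEMO_DB_PASSWORD and its value are constructed for the demo, the child is a fresh Python interpreter so that a real execve() boundary is crossed, and the /proc read is skipped on systems without procfs.

```python
"""Show that a secret in the environment reaches every child by default,
that any same-user process can read it from /proc/<pid>/environ, and that
an explicit allowlist at execve() time is what actually stops propagation.

Added example for the systemd-devel thread; not systemd's or the posters'
code. Variable name and value below are constructed, not real credentials.
"""
import os
import subprocess
import sys

SECRET_NAME = "DEMO_DB_PASSWORD"        # hypothetical variable name
SECRET_VALUE = "hunter2-constructed"    # constructed sample value

# The child is a separate program image (a new interpreter), so the parent's
# environment only reaches it via the envp argument of execve().
CHILD_PRINTS_SECRET = (
    "import os, sys; sys.stdout.write(os.environ.get(%r, ''))" % SECRET_NAME
)


def child_sees_secret(env):
    """Spawn a child with the given environment (None = inherit everything)
    and return whatever the child finds in SECRET_NAME."""
    done = subprocess.run(
        [sys.executable, "-c", CHILD_PRINTS_SECRET],
        env=env, capture_output=True, text=True, check=True,
    )
    return done.stdout


def default_propagation():
    """Default execve() behaviour: the parent's whole environment is passed
    on, so the secret reaches the child and everything the child spawns."""
    os.environ[SECRET_NAME] = SECRET_VALUE
    try:
        return child_sees_secret(None)
    finally:
        del os.environ[SECRET_NAME]


def allowlisted_propagation():
    """Sanitized execve(): build the child's environment from an allowlist
    instead of inheriting it (what su/sudo do and most wrappers do not)."""
    os.environ[SECRET_NAME] = SECRET_VALUE
    try:
        keep = ("PATH", "HOME", "LANG", "LC_ALL", "TERM")
        child_env = {k: os.environ[k] for k in keep if k in os.environ}
        return child_sees_secret(child_env)
    finally:
        del os.environ[SECRET_NAME]


def read_environ_from_proc():
    """Play the unrelated same-user process: start a long-lived child that
    carries the secret and recover it from /proc/<pid>/environ.
    Returns True if recovered, False if not, None when procfs is unavailable."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(60)"],
        env={**os.environ, SECRET_NAME: SECRET_VALUE},
    )
    try:
        path = "/proc/%d/environ" % child.pid
        try:
            with open(path, "rb") as f:
                raw = f.read()          # the envp block handed to execve()
        except OSError:
            return None                 # no procfs (or access denied)
        # Entries are NUL-separated "KEY=VALUE" byte strings.
        entries = dict(e.split(b"=", 1) for e in raw.split(b"\0") if b"=" in e)
        return entries.get(SECRET_NAME.encode()) == SECRET_VALUE.encode()
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    print("inherited env, child sees:   %r" % default_propagation())
    print("allowlisted env, child sees: %r" % allowlisted_propagation())
    print("/proc/<pid>/environ leak:     %r" % read_environ_from_proc())
```

Popen only returns once the child's execve() has succeeded, so the /proc read sees the new image's environment block. The point of the allowlist variant is that nothing in the inherited environment is passed on unless it is named; an allowlist is also the only form of sanitizing that survives a new, unknown variable being added to the parent.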
