
Re: [suse-security] privacy of environment variables



> But a colleague did some experiments (on SuSE 9.3) and found that ps only
> displays the environment for processes you own, which seems very sensible.
> Likewise /proc/pid/environ is only readable by the owner (or by root, of
> course).

That's not true at all.  ps will show any process on the system.  For
example, `ps aux` shows every process running.

The question about environment variables being safe...

The short answer is obviously "no".

What exactly are you trying to accomplish by storing passwords in 
environment variables?

Tim Rainier
Information Services, Kalsec, INC
trainier@xxxxxxxxxx

Bob Vickers <bobv@xxxxxxxxxxxxx> wrote on 11/02/2005 06:08:00 AM:

> I have a question about privacy of environment variables. I was always
> brought up to believe that you must never store passwords or other
> sensitive information in environment variables, because the environment is
> visible to other users. This is certainly true on older Unix systems.
> 
> But a colleague did some experiments (on SuSE 9.3) and found that ps only
> displays the environment for processes you own, which seems very sensible.
> Likewise /proc/pid/environ is only readable by the owner (or by root, of
> course).
> 
> Now I don't want to rely on experiments, because there may be some other
> mechanism I haven't thought of. Can anyone point me to some authoritative
> information about the privacy of environment variables on modern Linux
> systems?
> 
> The reason I ask is that my colleague is writing a script which will run
> rpcclient and smbclient. One option would be to use Expect, but
> environment variables are a much cleaner and simpler solution providing
> they are safe.
> 
> Many thanks,
> Bob
> ==============================================================
> Bob Vickers                     R.Vickers@xxxxxxxxxxxxx
> Dept of Computer Science, Royal Holloway, University of London


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
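The two posters disagree about what ps and /proc reveal, and neither shows a check. The script below is an added example, not code from either poster or from SUSE: it reads the permission bits the Linux kernel puts on /proc/<pid>/environ and /proc/<pid>/cmdline, then starts a throw-away process with a marker string first in its argument list and then in its environment and reports where the marker turns up. The use of `sleep` as the target process, the marker value, the `user%secret` operand and all function names are assumptions made for the demonstration; it needs a Linux /proc and a GNU or BusyBox `stat`.

```sh
#!/bin/sh
# Added example, not code from the thread: what a Linux kernel exposes about a
# running process through /proc when a secret is passed on the command line
# versus in the environment.  Assumptions: a Linux /proc, GNU or BusyBox
# `stat`, and a throw-away `sleep` as the target process; the marker string
# supplied by the caller stands in for a real password.

# Octal permission bits of /proc/<pid>/<file>, e.g. `proc_mode self environ`.
proc_mode() {
    stat -c '%a' "/proc/$1/$2"
}

# "readable" or "denied": can the calling user open /proc/<pid>/environ?
# Besides the 0400 mode bits the kernel applies a ptrace-read access check on
# open, so the answer depends on uid and on whether the target is dumpable.
probe_environ() {
    if cat "/proc/$1/environ" >/dev/null 2>&1; then
        echo readable
    else
        echo denied
    fi
}

# "yes" or "no": does the NUL-separated /proc/<pid>/<file> contain the string?
proc_contains() {
    if tr '\000' ' ' < "/proc/$1/$2" | grep -q -- "$3"; then
        echo yes
    else
        echo no
    fi
}

# Start a helper with the secret in its ARGUMENT LIST (the way `smbclient -U
# user%pass` would carry it) and report whether it shows up in
# /proc/<pid>/cmdline, a file every local user may read.
secret_via_argv() {
    # The extra operand becomes $0 of the inner shell.  Ending the command
    # string with a builtin keeps the shell from exec'ing sleep in its place,
    # which would replace the argv we want to inspect.
    sh -c 'sleep 3; exit 0' "user%$1" &
    pid=$!
    sleep 1                       # give the helper time to start
    result=$(proc_contains "$pid" cmdline "$1")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "cmdline=$result"
}

# Same secret passed through the ENVIRONMENT of a plain `sleep`: it lands in
# /proc/<pid>/environ (mode 0400) and nowhere in cmdline.
secret_via_env() {
    SECRET="$1" sleep 3 &
    pid=$!
    sleep 1
    in_cmd=$(proc_contains "$pid" cmdline "$1")
    in_env=$(proc_contains "$pid" environ "$1")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "cmdline=$in_cmd environ=$in_env"
}

# Stand-alone run.  Expected on Linux: environ mode 400, cmdline mode 444,
# "cmdline=yes" for the argv case and "cmdline=no environ=yes" for the
# environment case; "pid 1 environ" is typically "denied" for a non-root user.
echo "environ mode: $(proc_mode self environ), cmdline mode: $(proc_mode self cmdline)"
echo "secret in argv:        $(secret_via_argv hunter2marker)"
echo "secret in environment: $(secret_via_env hunter2marker)"
echo "own environ: $(probe_environ $$), pid 1 environ: $(probe_environ 1)"
```

What the run shows: /proc/<pid>/environ is created mode 0400 and, on top of that, opening it passes the kernel's ptrace-read check, so root (CAP_SYS_PTRACE) can read any process's environment, the owner can read it unless the process is non-dumpable (a setuid/setgid program, or one that called prctl(PR_SET_DUMPABLE, 0)), and other users cannot. `ps e`/`ps eww` obtain the environment from that same file, so `ps aux` listing every process is not the same as showing every process's environment. /proc/<pid>/cmdline, by contrast, is mode 0444: a password given as an argument, such as `smbclient -U user%password`, is visible to every local user for as long as the process runs. Mounting /proc with `hidepid=2` hides other users' processes entirely. Two caveats remain for the script Bob describes: the environment is inherited by every child the script or smbclient spawns, and it ends up in core dumps; and smbclient documents `-A authfile`, `PASSWD_FILE` and `PASSWD_FD`, which keep the password out of both argv and the environment, as well as `PASSWD` itself.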