privacy of environment variables
I have a question about privacy of environment variables. I was always brought up to believe that you must never store passwords or other sensitive information in environment variables, because the environment is visible to other users. This is certainly true on older Unix systems.

But a colleague did some experiments (on SuSE 9.3) and found that ps only displays the environment for processes you own, which seems very sensible. Likewise /proc/pid/environ is only readable by the owner (or by root, of course).

Now I don't want to rely on experiments, because there may be some other mechanism I haven't thought of. Can anyone point me to some authoritative information about the privacy of environment variables on modern Linux systems?

The reason I ask is that my colleague is writing a script which will run rpcclient and smbclient. One option would be to use Expect, but environment variables are a much cleaner and simpler solution providing they are safe.

Many thanks,
Bob

==============================================================
Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
> But a colleague did some experiments (on SuSE 9.3) and found that ps only displays the environment for processes you own, which seems very sensible. Likewise /proc/pid/environ is only readable by the owner (or by root, of course).

That's not true at all. ps will show any process on the system. For example, `ps aux` shows every process running.

The question about environment variables being safe... The short answer is obviously "no".

What exactly are you trying to accomplish by storing passwords in environment variables?

Tim Rainier
Information Services, Kalsec, INC
trainier@kalsec.com

Bob Vickers <bobv@cs.rhul.ac.uk> wrote on 11/02/2005 06:08:00 AM:
> I have a question about privacy of environment variables. I was always brought up to believe that you must never store passwords or other sensitive information in environment variables, because the environment is visible to other users. This is certainly true on older Unix systems.
>
> But a colleague did some experiments (on SuSE 9.3) and found that ps only displays the environment for processes you own, which seems very sensible. Likewise /proc/pid/environ is only readable by the owner (or by root, of course).
>
> Now I don't want to rely on experiments, because there may be some other mechanism I haven't thought of. Can anyone point me to some authoritative information about the privacy of environment variables on modern Linux systems?
>
> The reason I ask is that my colleague is writing a script which will run rpcclient and smbclient. One option would be to use Expect, but environment variables are a much cleaner and simpler solution providing they are safe.
>
> Many thanks,
> Bob
>
> ==============================================================
> Bob Vickers R.Vickers@cs.rhul.ac.uk
> Dept of Computer Science, Royal Holloway, University of London
The Wednesday 2005-11-02 at 08:37 -0500, trainier@kalsec.com wrote:

> That's not true at all. ps will show any process on the system. For example, `ps aux` shows every process running.

Yes, it shows every process, but not the environment of every process, not those of other users (the 'e' option for command 'ps'). At least, not in 9.3. I just tried.

-- 
Cheers,
Carlos Robinson
Bob Vickers wrote:

> I have a question about privacy of environment variables. I was always brought up to believe that you must never store passwords or other sensitive information in environment variables, because the environment is visible to other users. This is certainly true on older Unix systems.
>
> But a colleague did some experiments (on SuSE 9.3) and found that ps only displays the environment for processes you own, which seems very sensible. Likewise /proc/pid/environ is only readable by the owner (or by root, of course).
>
> Now I don't want to rely on experiments, because there may be some other mechanism I haven't thought of. Can anyone point me to some authoritative information about the privacy of environment variables on modern Linux systems?

I don't have any link at hand that could be considered authoritative but your colleague's observation is correct. Relying on a protected environment is not portable though and therefore not considered the best solution for passing sensitive data.

> The reason I ask is that my colleague is writing a script which will run rpcclient and smbclient. One option would be to use Expect, but environment variables are a much cleaner and simpler solution providing they are safe.

smbclient has an option that tells it to read credentials from a file.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
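
Added example, not part of the original thread or written by any of its participants: one way a script could use the credentials-file approach mentioned in the last reply instead of the environment. It assumes the option meant is smbclient's `-A` (`--authentication-file`); the function names, file path, user, domain and server names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Names and values are hypothetical.

# owner_only PATH: succeed only if group and others have no permission bits
# set on PATH (characters 5-10 of the ls mode string are all "-").
owner_only() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# write_auth_file PATH USER DOMAIN: read the password from stdin and write a
# credentials file in the "key = value" format that smbclient -A reads.
# The password never appears in argv or the environment: in bash and dash,
# read and printf are builtins, so no process is started with the secret.
write_auth_file() (
    umask 077                              # nothing we create is group/other readable
    IFS= read -r password || [ -n "$password" ] || exit 1
    tmp=$(mktemp "$1.XXXXXX") || exit 1    # created mode 0600, same directory
    printf 'username = %s\npassword = %s\ndomain = %s\n' \
        "$2" "$password" "$3" > "$tmp" || { rm -f "$tmp"; exit 1; }
    mv -f "$tmp" "$1"                      # rename keeps the 0600 mode
)

# Usage in the calling script (SERVER and SHARE are placeholders):
#   write_auth_file "$HOME/.smbauth" backupuser EXAMPLE   # password on stdin
#   owner_only "$HOME/.smbauth" || exit 1
#   smbclient //SERVER/SHARE -A "$HOME/.smbauth" -c 'ls'
#   rpcclient -A "$HOME/.smbauth" SERVER -c 'srvinfo'
#
# The /proc observation from the thread can be re-checked the same way:
#   owner_only "/proc/$$/environ" && echo "environ is owner-only here"
```

The file stays protected by ordinary file permissions on any Unix, which addresses the portability concern raised about relying on a protected environment.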