Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: [suse-security] privacy of environment variables
From: Ludwig Nussel (ludwig.nusselsuse.de)
Date: Wed Nov 02 2005 - 08:51:22 CST
Bob Vickers wrote:
> I have a question about privacy of environment variables. I was always
> brought up to believe that you must never store passwords or other
> sensitive information in environment variables, because the environment is
> visible to other users. This is certainly true on older Unix systems.
> But a colleague did some experiments (on SuSE 9.3) and found that ps only
> displays the environment for processes you own, which seems very sensible.
> Likewise /proc/pid/environ is only readable by the owner (or by root, of
> Now I don't want to rely on experiments, because there may be some other
> mechanism I haven't thought of. Can anyone point me to some authoritative
> information about the privacy of environment variables on modern Linux
I don't have any link at hand that could be considered authoritative
but your colleague's observeration is correct. Relying on a
protected environment is not portable though and therefore not
considered the best solution for passing sensitive data.
> The reason I ask is that my colleague is writing a script which will run
> rpcclient and smbclient. One option would be to use Expect, but
> environment variables are a much cleaner and simpler solution providing
> they are safe.
smbclient has an option that tells it to read credentials from a
(o_ Ludwig Nussel
//\ SUSE LINUX Products GmbH, Development
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here