Skip to main content
Unix & Linux

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

6
  • 12
    But there will still be a short window during which /proc/pid/cmdline will show the secret (same as when curl tries to hide the password it is given on the command line). While you're at using LD_PRELOAD, you could wrap main so that the secret is copied from the environment to the argv that main receives. Like call LD_PRELOAD=x SECRET=y cmd where you call main() with argv[] being [argv[0], getenv("SECRET")] Commented Nov 11, 2017 at 16:31
  • You cannot use the environment to hide a secret as it is visible via /proc/pid/environ. This may be overwritable in the same way as the args, but it leaves the same window. Commented Nov 11, 2017 at 17:59
  • 11
    /proc/pid/cmdline is public, /proc/pid/environ is not. There were some systems where ps (a setuid executable there) exposed the environ of any process, but I don't think you'll come across any nowadays. The environment is generally considered safe enough. Not safe to prying from processes with the same euid, but those can often read the memory of processes by the same euid anyway, so there's not much you can do about it. Commented Nov 11, 2017 at 19:45
  • 4
    @StéphaneChazelas: If one uses the environment to pass secrets, ideally the wrapper that forwards it to the main method of the wrapped program also removes the environment variable to avoid accidental leakage to child processes. Alternatively the wrapper could read all command-line arguments from a file. Commented Nov 13, 2017 at 21:06
  • @DavidFoerster, good point. I've updated my answer to take that into account. Commented Nov 14, 2017 at 7:22