On Sat, 2009-01-24 at 11:07 +0100, Josselin Mouette wrote:
> The question is whether we can consider it safe to pass authentication
> tokens as environment variables. Either we do, and we fix applications
> that pass environment where they shouldn’t. Or we don’t, and we have
> to find another way to pass them.

You can easily get the environment of a process (either from when the process started or the current value, depending on the application) by giving ps the e option. It seems this information comes from /proc/<pid>/environ, but I don't think all *nixes properly protect the environment. So in general I would say not to put authentication tokens into the environment.

However, most applications that do something like that put a reference to the authentication token in the environment (e.g. XAUTHORITY=/tmp/.gdm0QI8NZ), which is OK as long as access to the real token (mostly a socket) is protected.

-- 
arthur - adejong@debian.org - http://people.debian.org/~adejong
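As an added example (not code from the original mail, from Arthur, or from any Debian package), the following Python script applies the distinction the reply draws: it reads /proc/<pid>/environ (the same source ps e uses), flags variables whose names suggest they carry a secret directly, and for reference-style variables such as XAUTHORITY checks that the referenced file is not group- or world-accessible. The variable-name patterns, the REFERENCE_NAMES set, and the SAMPLE_ENVIRON blob are constructed for this example; the scan only sees processes whose environ the current user is allowed to read.

```python
#!/usr/bin/env python3
"""Audit process environments for authentication material (added example).

Reads /proc/<pid>/environ, the same data `ps e` shows, and separates
"secret passed directly" from "reference to a protected token".
"""
import os
import re
import stat

# Names that usually carry the secret itself (heuristic, constructed here).
SECRET_NAME_RE = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|COOKIE)", re.I)
# Names that usually carry a *reference* to the secret: a path or socket address.
REFERENCE_NAMES = {"XAUTHORITY", "SSH_AUTH_SOCK", "ICEAUTHORITY", "GPG_AGENT_INFO"}


def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE blob found in /proc/<pid>/environ."""
    env = {}
    for entry in raw.split(b"\0"):
        if not entry or b"=" not in entry:
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def _stat_mode(path):
    """st_mode of path, or None if it cannot be stat'ed."""
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def classify(env: dict, path_mode=None) -> list:
    """Return (name, severity, detail) findings for one environment.

    path_mode(path) -> int | None lets the caller supply st_mode lookups so the
    function can run on constructed data without touching the filesystem.
    """
    findings = []
    for name, value in env.items():
        if SECRET_NAME_RE.search(name):
            findings.append((name, "high", "secret value passed directly in environment"))
        elif name in REFERENCE_NAMES:
            mode = path_mode(value) if path_mode else _stat_mode(value)
            if mode is None:
                findings.append((name, "info", "reference target not found"))
            elif mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((name, "medium", "referenced token is group/world accessible"))
            else:
                findings.append((name, "ok", "reference only; target has owner-only permissions"))
    return findings


def scan_proc(proc="/proc") -> dict:
    """Scan every /proc/<pid>/environ readable by the current user (Linux only).

    Returns {pid: [findings]} for processes with a non-"ok" finding.
    """
    results = {}
    if not os.path.isdir(proc):
        return results
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "environ"), "rb") as f:
                raw = f.read()
        except OSError:
            continue  # another user's process, a kernel thread, or it already exited
        findings = [f for f in classify(parse_environ(raw)) if f[1] != "ok"]
        if findings:
            results[int(pid)] = findings
    return results


# Constructed sample, shaped like /proc/<pid>/environ contents.
SAMPLE_ENVIRON = (
    b"HOME=/home/user\0XAUTHORITY=/tmp/.gdm0QI8NZ\0"
    b"SESSION_TOKEN=deadbeef\0PATH=/usr/bin\0"
)


def demo():
    """Classify the constructed sample, pretending the XAUTHORITY file is mode 0600."""
    env = parse_environ(SAMPLE_ENVIRON)
    modes = {"/tmp/.gdm0QI8NZ": stat.S_IFREG | 0o600}
    return classify(env, path_mode=modes.get)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    for pid, findings in scan_proc().items():
        print(pid, findings)
```

On the constructed sample, SESSION_TOKEN is reported as high (the secret itself is in the environment) while XAUTHORITY is reported as ok, because it is only a reference and the file it points at is owner-only; the same reference is reported as medium if that file were 0644. Run as an unprivileged user, the live scan shows exactly the processes whose environment that user could also dump with ps e.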