[CRITICAL] Environment sanitization incomplete for privilege-separated services #19

New issue

Open

opened 2026-05-11 10:52:01 +00:00 by thabeta · 1 comment

thabeta commented

2026-05-11 10:52:01 +00:00

Owner

Problem

The process spawn code only unsets 6 environment variables:

LD_PRELOAD, LD_LIBRARY_PATH, PYTHONPATH, NODE_PATH, PERL5LIB, RUBYLIB

Many more variables can affect process behavior, especially when running services as different users/groups:

LD_AUDIT -- dynamic linker auditing
LD_DYNAMIC_WEAK -- dynamic linker behavior
GCONV_PATH -- character set conversion
HOSTALIASES -- hostname resolution
RES_OPTIONS -- resolver configuration
TMPDIR -- symlink attack vector
IFS -- shell injection in shim mode
BASH_ENV / ENV -- shell startup files
LD_PROFILE / LD_BIND_NOW -- linker behavior

Impact

A service config with malicious environment variables could escalate privileges, inject libraries, or bypass the intended isolation -- especially for services running with user/group set for privilege separation.

Files

crates/my_init_server/src/process.rs -- sensitive_vars array (appears twice: in spawn_shimmed and spawn_process)

Suggested Fix

Clear all environment variables with env_clear() and only pass through a safe whitelist (PATH, HOME, LANG, TERM, and user-configured env from the service config). Or use a comprehensive blocklist.

## Problem The process spawn code only unsets 6 environment variables: - `LD_PRELOAD`, `LD_LIBRARY_PATH`, `PYTHONPATH`, `NODE_PATH`, `PERL5LIB`, `RUBYLIB` Many more variables can affect process behavior, especially when running services as different users/groups: - `LD_AUDIT` -- dynamic linker auditing - `LD_DYNAMIC_WEAK` -- dynamic linker behavior - `GCONV_PATH` -- character set conversion - `HOSTALIASES` -- hostname resolution - `RES_OPTIONS` -- resolver configuration - `TMPDIR` -- symlink attack vector - `IFS` -- shell injection in shim mode - `BASH_ENV` / `ENV` -- shell startup files - `LD_PROFILE` / `LD_BIND_NOW` -- linker behavior ## Impact A service config with malicious environment variables could escalate privileges, inject libraries, or bypass the intended isolation -- especially for services running with `user`/`group` set for privilege separation. ## Files - `crates/my_init_server/src/process.rs` -- `sensitive_vars` array (appears twice: in `spawn_shimmed` and `spawn_process`) ## Suggested Fix Clear all environment variables with `env_clear()` and only pass through a safe whitelist (PATH, HOME, LANG, TERM, and user-configured `env` from the service config). Or use a comprehensive blocklist.

thabeta added the

critical

security

labels

2026-05-11 10:52:59 +00:00

salmaelsoly commented

2026-05-11 13:30:55 +00:00

Member

Classification: valid-bug — environment sanitization uses incomplete blocklist instead of whitelist approach; only 6 variables unset.

Confirmed by code inspection at crates/my_init_server/src/process.rs:194-202 and 297-305. Both spawn_shimmed and spawn_process unset only 6 env vars: LD_PRELOAD, LD_LIBRARY_PATH, PYTHONPATH, NODE_PATH, PERL5LIB, RUBYLIB. Many more dangerous vars are left unchecked: LD_AUDIT, GCONV_PATH, HOSTALIASES, RES_OPTIONS, TMPDIR, IFS, BASH_ENV, among others. A service running with user/group privilege separation inherits the parent's full root session environment, directly undermining the isolation boundary.

> Classification: valid-bug — environment sanitization uses incomplete blocklist instead of whitelist approach; only 6 variables unset. Confirmed by code inspection at crates/my_init_server/src/process.rs:194-202 and 297-305. Both spawn_shimmed and spawn_process unset only 6 env vars: LD_PRELOAD, LD_LIBRARY_PATH, PYTHONPATH, NODE_PATH, PERL5LIB, RUBYLIB. Many more dangerous vars are left unchecked: LD_AUDIT, GCONV_PATH, HOSTALIASES, RES_OPTIONS, TMPDIR, IFS, BASH_ENV, among others. A service running with user/group privilege separation inherits the parent's full root session environment, directly undermining the isolation boundary.