From: Ian G Batten (
Date: 11/27/02

From: Ian G Batten <>
Date: 27 Nov 2002 12:43:22 GMT

In article <>,
Richard Caley <> wrote:
> I don't know enough about C2 the interpretation of the certification
> rules to comment in detail, but it doesn't seem to me that it should
> be an issue. Of course, if some system proces put secret information
> in the environment, that would be an issue.

Quite. It's a breach of the higher levels, because clearly you can use
process names, arguments and environment variables as a covert channel.
And quite a high bandwidth one, too. But that's not relevent at C2.

> Conisder, how is it different from the fact that if you put secret
> information in a world readable file in /tmp/ it will be visible to
> everyone?

For people who've actually written code on Unix and know how closely
related the command line arguments and the environment variables are,
it's no surprise. I guess that the naive might be aware that the
command line is public, but slightly surprised by the environment not
being private.


Relevant Pages

  • Re: A more structured approach
    ... I still find Gas fairly cryptic, but I haven't spent much time with it. ... If we started with no command line parameters, this would point at an environment variable, If we started with one or more command line parameters, this might point to one of them, or to the zero that separates command line args from environment variables. ... I suspect what you tried that *didn't* work was a memory to memory compare "cmpb, ...
  • Re: Failed running .bat file from WinXP Explorer
    ... If you use>> anything to the right will be echoed in the command prompt. ... typed in a Command or Run window. ... What does PATHEXT show? ... System environment variables are in the following Registry key: ...
  • Re: Bash bug
    ... Any CGI scripts that use bash are vulnerable, ... The 'env' command is used to set an environment variable then optionally ... It boils down to a problem if any code can set environment variables ... A more comprehensive bug fix is being developed. ...
  • Re: What does %WinDir% mean?
    ... Perhaps there really is no WINDIR variable, and it's just a convention to ... Panel, Advanced tab, Environment Variables button). ... In a command shell, when you run the following command: ... Are you still in the command console after the command ends? ...
  • Re: question about setenv
    ... an external command. ... There do exist programs which set environment variables with the help ... Being an external command, ... setenv isn't a standard command that would be found in /bin or /usr/bin ...