From: Ian G Batten
Date: 11/27/02

From: Ian G Batten
Date: 27 Nov 2002 12:43:22 GMT

In article <>,
Richard Caley wrote:
> I don't know enough about C2 the interpretation of the certification
> rules to comment in detail, but it doesn't seem to me that it should
> be an issue. Of course, if some system process put secret information
> in the environment, that would be an issue.

Quite. It's a breach of the higher levels, because clearly you can use
process names, arguments and environment variables as a covert channel.
And quite a high bandwidth one, too. But that's not relevant at C2.

> Consider, how is it different from the fact that if you put secret
> information in a world readable file in /tmp/ it will be visible to
> everyone?

For people who've actually written code on Unix and know how closely
related the command line arguments and the environment variables are,
it's no surprise. I guess that the naive might be aware that the
command line is public, but slightly surprised by the environment not
being private.
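
An added example, not part of the original post: a check of what a Linux system publishes about a process's arguments and environment through `/proc`, and to whom. It assumes a Linux `/proc`; the secret values and the `DEMO_TOKEN` variable name are constructed for the demonstration.

```python
import os
import stat
import subprocess
import sys

# Constructed sample values, not real credentials.
ARG_SECRET = "--password=constructed-argv-secret"
ENV_SECRET = "constructed-env-secret"


def exposure_report():
    """Start a child with a secret in argv and in its environment, then
    report what /proc shows for each and whether other users may read it."""
    env = dict(os.environ, DEMO_TOKEN=ENV_SECRET)  # hypothetical variable name
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)", ARG_SECRET],
        env=env,
    )
    try:
        report = {}
        for name in ("cmdline", "environ"):
            path = f"/proc/{child.pid}/{name}"
            # Both files use the same layout: NUL-separated strings.
            with open(path, "rb") as fh:
                fields = fh.read().split(b"\0")
            mode = stat.S_IMODE(os.stat(path).st_mode)
            report[name] = {
                "fields": [f.decode(errors="replace") for f in fields if f],
                "other_readable": bool(mode & stat.S_IROTH),
            }
        return report
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    for name, info in exposure_report().items():
        print(name, "readable by other users:", info["other_readable"])
```

On Linux the argument list is readable by every local user while the environment file is restricted to the process owner; other Unix systems make different choices, so run the equivalent check on each platform where secrets are passed to processes.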