Skip to content

[isolation] [PROCESS-ENV-BOUNDARY] Same-UID /proc environ exposes inherited token-like variables across process boundary #1788

Open
Open
[isolation] [PROCESS-ENV-BOUNDARY] Same-UID /proc environ exposes inherited token-like variables across process boundary#1788
Labels
automationisolation-testingsecurity
@github-actions

Description

@github-actions
github-actions
bot
opened on Apr 8, 2026

Summary

A same-UID process inside the agent container can read inherited environment variables from unrelated sibling processes via /proc/<pid>/environ. In this run, the token-like key AWF_ONE_SHOT_TOKENS was repeatedly observable across multiple runner-owned processes with non-zero value length (value not captured).

This indicates an isolation boundary gap for secret-bearing env vars between co-tenant same-UID processes inside the sandbox.

Boundary Violation Type

Process isolation / secret isolation boundary violation:

  • Surface: /proc/<pid>/environ
  • Scope: same UID (runner) unrelated processes
  • Impact: token-like env material is discoverable by key and readable in principle through procfs unless mitigated by target process attributes

Methodology (sanitized)

Focused deep dive on process boundary behavior with synthetic controls:

  1. Baseline process map and procfs posture (/proc mount options, ptrace_scope, suid_dumpable).
  2. Detached same-UID synthetic process (setsid env SD_SYNTH_A=... sleep) and external read of /proc/<pid>/environ.
  3. AWF process-chain census for key presence + value length only (AWF_ONE_SHOT_TOKENS) across awf-cmd-1.sh, bash, node, codex PIDs.
  4. Cross-UID negative control against /proc/1/environ (unreadable as expected).
  5. Differential helper tests:
    • PR_SET_DUMPABLE=0 process became non-readable via sibling /proc/<pid>/environ.
    • Toggle test (dumpable 1 -> 0 -> 1) showed visibility present, then blocked, then restored.

No secret values were printed, stored, or transmitted.

Reproduction Steps (sanitized)

  1. Start a same-UID detached process with inherited marker env:
    • setsid env SD_SYNTH_A=<marker> sleep 40 &
  2. From another same-UID process, test procfs visibility:
    • tr '\0' '\n' < /proc/<pid>/environ | grep '^SD_SYNTH_A='
  3. Repeat with active runner-owned process PIDs for key-only/length-only checks on AWF_ONE_SHOT_TOKENS.
  4. Validate control:
    • /proc/1/environ remains unreadable.
  5. Optional differential:
    • Run target process with PR_SET_DUMPABLE=0; sibling procfs env read should fail.

Observed Results

  • Same-UID detached synthetic process env key visible via procfs.
  • AWF_ONE_SHOT_TOKENS key visible with non-zero length across multiple runner-owned PIDs.
  • Root-owned PID 1 environ not readable from runner context.
  • Dumpable toggle confirmed dynamic visibility gating.

Version Info

  • Workflow run: 24128645516
  • Lock file: .github/workflows/secret-digger-codex.lock.yml
  • compiler_version: v0.67.2
  • GH_AW_INFO_CLI_VERSION: v0.67.2
  • cli_version field: not present in lock metadata

Suggested Mitigations

  • Prefer secret delivery mechanisms not exposed through process environment inheritance.
  • For sensitive helper processes, set PR_SET_DUMPABLE=0 where feasible.
  • Consider procfs hardening strategies (e.g., hidepid or stricter process separation) in environments where same-UID co-tenancy exists.
  • Minimize lifetime/scope of secret-like env vars in long-lived parent processes.

Generated by Secret Digger (Codex) ·

  • expires on Apr 9, 2026, 9:45 AM UTC

Metadata

Metadata

Assignees

No one assigned

    Labels

    automationisolation-testingsecurity

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions