Summary
A process-isolation boundary gap is reproducible in this run: a runner-owned process can read /proc/<pid>/environ for other runner-owned processes and detect AWF_ONE_SHOT_TOKENS (key presence and non-zero length). This indicates token-like environment material is observable across same-UID process boundaries inside the container.
Environment
- Repository: github/gh-aw-firewall
- Workflow run: 24138816069
- Focus area: process isolation side-channels in /proc
- gh-aw version: cli_version field not present in .github/workflows/secret-digger-codex.lock.yml; metadata shows compiler_version: v0.67.2 and generated-by gh-aw v0.67.2 (context also included GH_AW_INFO_AWF_VERSION=v0.25.13)
Reproduction (value-safe)
- Enumerate the runner process chain:
  ps -eo pid,ppid,user,comm,args --sort=pid
- For each same-UID runner PID, check key presence and value length only (do not print the value):
  tr '\0' '\n' < /proc/<pid>/environ | grep '^AWF_ONE_SHOT_TOKENS='
  tr '\0' '\n' < /proc/<pid>/environ | awk -F= '/^AWF_ONE_SHOT_TOKENS=/{print length($2)}'
- Observe that multiple runner-owned PIDs expose the key and a non-zero value length through /proc/<pid>/environ.
Observed Result
AWF_ONE_SHOT_TOKENS key was visible in multiple same-UID process environments with non-zero length (len=159), without reading or disclosing actual token values.
Additional boundary context from this run
- Blocked (good): ptrace(PTRACE_ATTACH) on a same-UID target returned EPERM; /proc/<pid>/mem open returned EACCES; nsenter -t 1 ... returned permission denied.
- Still readable for the same UID: /proc/<pid>/{maps,smaps_rollup,auxv,io,sched,wchan,fdinfo,map_files}.
Security Impact
If token-bearing environment variables are inherited by sibling/ancestor processes running under the same UID, they are discoverable via /proc/<pid>/environ. This weakens the intended isolation boundary between co-resident processes.
Recommendation
- Prevent sensitive env inheritance to long-lived/shared same-UID processes, or
- harden the /proc visibility policy where possible (e.g., hidepid model / dedicated UID separation per trust boundary), and
- continue using non-env secret channels where feasible.
No secret values were captured in this report.
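As an added illustration of the first and third recommendations (this is example code, not from the report or from gh-aw-firewall), the Python script below shows the gap and one mitigation side by side. A child spawned with the parent's environment sees AWF_ONE_SHOT_TOKENS in its own /proc/self/environ, which is the same byte view any same-UID sibling gets from /proc/<pid>/environ; a child spawned with a scrubbed environment and the secret delivered over a dedicated pipe fd does not expose the key, yet still receives the secret. The key-name denylist pattern, the helper names and the sample token value are assumptions constructed for the example; it assumes a POSIX system (subprocess pass_fds) and falls back to the process's own os.environ view where /proc is unavailable.

```python
import os
import re
import subprocess
import sys

# Assumed denylist pattern for this example; the report itself only names AWF_ONE_SHOT_TOKENS.
SENSITIVE_KEY = re.compile(r"TOKEN|SECRET|PASSWORD|CREDENTIAL", re.IGNORECASE)


def scrub_env(env, pattern=SENSITIVE_KEY):
    """Copy of env with every key whose name matches pattern removed."""
    return {k: v for k, v in env.items() if not pattern.search(k)}


# Child-side probe. It reports only key presence and lengths, never values,
# mirroring the value-safe reproduction in the report.
CHILD_PROBE = r"""
import os, sys
secret = b""
if len(sys.argv) > 1:                       # a pipe fd number was handed over
    with os.fdopen(int(sys.argv[1]), "rb") as pipe_in:
        secret = pipe_in.read()             # reads until the parent closes the write end
try:
    # The same bytes a same-UID sibling reads from /proc/<pid>/environ.
    with open("/proc/self/environ", "rb") as f:
        raw = f.read()
except OSError:                             # non-Linux fallback: the process's own view
    raw = b"\0".join(f"{k}={v}".encode() for k, v in os.environ.items())
entries = dict(e.split(b"=", 1) for e in raw.split(b"\0") if b"=" in e)
value = entries.get(b"AWF_ONE_SHOT_TOKENS")
print(int(value is not None), len(value or b""), len(secret))
"""


def spawn_probe(env, secret=None):
    """Run the probe child with env. If secret is given, deliver it over a
    dedicated pipe instead of the environment. Returns what the child could
    observe: key presence, env value length, and secret length received."""
    argv = [sys.executable, "-c", CHILD_PROBE]
    pass_fds = ()
    if secret is not None:
        read_end, write_end = os.pipe()
        pass_fds = (read_end,)              # only the read end crosses into the child
        argv.append(str(read_end))          # fd numbers are preserved by pass_fds
    proc = subprocess.Popen(argv, env=env, stdout=subprocess.PIPE,
                            pass_fds=pass_fds, text=True)
    if secret is not None:
        os.close(read_end)                  # parent keeps only the write end
        with os.fdopen(write_end, "w") as pipe_out:
            pipe_out.write(secret)          # closing gives the child EOF
    out, _ = proc.communicate()
    key_present, env_len, secret_len = (int(x) for x in out.split())
    return {"key_in_env": bool(key_present),
            "env_value_len": env_len,
            "secret_len": secret_len}


def demonstrate(sample_secret="constructed-sample-token-not-a-real-secret"):
    """Before: secret inherited via env, hence visible via /proc/<pid>/environ.
    After: env scrubbed and the secret passed over a pipe only."""
    leaky_env = dict(os.environ, AWF_ONE_SHOT_TOKENS=sample_secret)   # constructed value
    before = spawn_probe(leaky_env)
    after = spawn_probe(scrub_env(leaky_env), secret=sample_secret)
    return before, after


if __name__ == "__main__":
    before, after = demonstrate()
    print("inherited via env :", before)
    print("scrubbed + pipe   :", after)
```

The pipe approach only closes the /proc/<pid>/environ channel; a process that later copies the secret into its own environment, or into one of the other per-process files listed above as still readable, reopens it, so the scrub has to happen at every spawn point that hands work to a long-lived same-UID process.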
Generated by Secret Digger (Codex)