
[isolation] [PROCESS-ISOLATION] Same-UID /proc environ exposes AWF token-bearing variable metadata #1746

Opened by @github-actions

Summary

During a deep dive on process isolation boundaries, a same-UID process could read another same-UID process's environment via /proc/<pid>/environ and observe the presence and non-zero length of AWF_ONE_SHOT_TOKENS.

No secret values were captured or stored. Only key presence and value length were observed.

Boundary Violation Type

Process-isolation / information-leak boundary issue:

  • Cross-process metadata disclosure within the same UID
  • Secret-bearing environment key names and value length are observable from sibling processes

Environment and Version

  • Repository: github/gh-aw-firewall
  • Workflow run: 24081590441
  • Lock file: .github/workflows/secret-digger-codex.lock.yml
  • cli_version field: not present in lock metadata
  • compiler_version: v0.67.2
  • Header generated-by gh-aw: v0.67.2
  • Workflow context variable GH_AW_INFO_CLI_VERSION: v0.67.2

Methodology (value-suppressed)

  1. Enumerated runner-owned PIDs and selected active same-UID targets.
  2. Read /proc/<pid>/environ as same UID and performed key-only checks for AWF_ONE_SHOT_TOKENS.
  3. Measured only value length (non-zero) without storing content.
  4. Ran cross-UID negative controls on /proc/1/* and namespace symlinks.

Reproduction Steps

  1. Inside the agent/container session, list same-UID processes:
    • ps -u runner -o pid=
  2. For each PID, check key-only presence in environ:
    • tr '\0' '\n' < /proc/<pid>/environ | rg '^AWF_ONE_SHOT_TOKENS='
  3. Measure length only (no value output):
    • tr '\0' '\n' < /proc/<pid>/environ | awk -F= '/^AWF_ONE_SHOT_TOKENS=/{print length($2); exit}'
  4. Confirm cross-UID controls as negative control:
    • dd if=/proc/1/environ bs=1 count=128 status=none | wc -c (expected zero)
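The same key-only check as a small audit script, added here as an illustration and not part of the original report or the gh-aw-firewall project. It parses the NUL-separated /proc/<pid>/environ format, reports only whether a key is present and how long its value is (the value itself is never returned or printed), and runs the cross-UID negative control against PID 1. The proc root is parameterised so the parser can be exercised on constructed input without a live /proc.

```python
import os
from typing import Dict, Optional


def environ_key_length(blob: bytes, key: str) -> Optional[int]:
    """Parse raw /proc/<pid>/environ bytes (KEY=VALUE entries separated by
    NUL) and return the length of `key`'s value, or None if the key is absent.
    The value is deliberately never returned, only its length."""
    prefix = key.encode() + b"="
    for entry in blob.split(b"\0"):
        if entry.startswith(prefix):          # exact key match: prefix ends with '='
            return len(entry) - len(prefix)
    return None


def audit_same_uid(key: str, proc_root: str = "/proc") -> Dict[int, int]:
    """Walk proc_root and return {pid: value_length} for every process owned by
    the caller's UID whose environ carries `key` with a non-zero value."""
    findings: Dict[int, int] = {}
    my_uid = os.getuid()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        path = os.path.join(proc_root, name, "environ")
        try:
            if os.stat(path).st_uid != my_uid:   # only same-UID siblings
                continue
            with open(path, "rb") as fh:
                blob = fh.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue                              # raced exit or cross-UID target
        length = environ_key_length(blob, key)
        if length:                                # non-zero length only
            findings[int(name)] = length
    return findings


def cross_uid_control(pid: int = 1, proc_root: str = "/proc") -> bool:
    """Negative control: True when another UID's environ is NOT readable, i.e.
    the kernel's cross-UID ptrace access check is doing its job."""
    try:
        with open(os.path.join(proc_root, str(pid), "environ"), "rb") as fh:
            return len(fh.read()) == 0            # unreadable targets yield 0 bytes
    except PermissionError:
        return True


if __name__ == "__main__":
    # Usage: report key presence/length per same-UID PID, then the PID-1 control.
    hits = audit_same_uid("AWF_ONE_SHOT_TOKENS")
    for pid, n in sorted(hits.items()):
        print(f"pid {pid}: AWF_ONE_SHOT_TOKENS present, value length {n}")
    print("cross-UID control (PID 1 unreadable):", cross_uid_control())
```

The parser is the part worth reusing: a naive substring search on the blob would also match keys such as AWF_ONE_SHOT_TOKENS_BACKUP or a value that happens to contain the key name, whereas matching on the KEY= prefix of each NUL-delimited entry does not.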

Observed Results

  • Multiple same-UID PIDs exposed AWF_ONE_SHOT_TOKENS key presence.
  • Value length was non-zero for sampled PIDs.
  • /proc/1/environ and /proc/1/ns/* remained unreadable from the runner user, indicating cross-UID controls exist.

Security Impact

A process running under the same UID can infer secret-bearing environment variable existence and size from sibling processes. This weakens isolation assumptions for multi-process agent workflows where same-UID process boundaries are expected to reduce secret observability.

Suggested Hardening Directions

  • Reduce secret-bearing env var lifetime and process fanout.
  • Prefer file-descriptor/one-shot IPC delivery over inherited environment for sensitive material.
  • Evaluate hidepid/procfs hardening tradeoffs for workload compatibility.
  • Consider moving secret mediation out of same-UID process visibility paths.
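The second hardening direction (file-descriptor delivery instead of an inherited environment variable) demonstrated end to end, as an added example that is not the project's own code. Both helpers spawn a child Python process; the child reports what it received and whether the secret is visible in its own /proc/self/environ, which is exactly the view a same-UID sibling gets. The variable name DEMO_ONE_SHOT_TOKEN is a hypothetical stand-in for the real AWF variable, and the secret value is a constructed sample.

```python
import json
import os
import subprocess
import sys
from typing import Dict

KEY = "DEMO_ONE_SHOT_TOKEN"  # hypothetical name, not the real AWF variable

# Child program: receive the secret either from an inherited fd (argv[1]) or
# from the environment, then report whether the key is visible in environ.
CHILD = r'''
import json, os, sys
KEY = "DEMO_ONE_SHOT_TOKEN"
fd = int(sys.argv[1]) if len(sys.argv) > 1 else -1
if fd >= 0:
    secret = os.read(fd, 4096).decode()   # one-shot read from the pipe
    os.close(fd)
else:
    secret = os.environ.get(KEY, "")
# /proc/self/environ shows the exec-time environment that same-UID siblings can
# read; fall back to os.environ on platforms without procfs.
try:
    with open("/proc/self/environ", "rb") as fh:
        visible = any(e.startswith(KEY.encode() + b"=") for e in fh.read().split(b"\0"))
except OSError:
    visible = KEY in os.environ
print(json.dumps({"received": secret, "visible_in_environ": visible}))
'''


def deliver_via_env(secret: str) -> Dict[str, object]:
    """Weak pattern: secret inherited through the environment."""
    env = dict(os.environ)
    env[KEY] = secret
    out = subprocess.run([sys.executable, "-c", CHILD], env=env,
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def deliver_via_pipe(secret: str) -> Dict[str, object]:
    """Hardened pattern: secret written to a pipe whose read end is the only
    thing the child inherits; nothing secret-bearing lands in environ."""
    rfd, wfd = os.pipe()
    try:
        os.write(wfd, secret.encode())    # short secret fits the pipe buffer
    finally:
        os.close(wfd)                     # child sees EOF after the secret
    env = {k: v for k, v in os.environ.items() if k != KEY}
    try:
        out = subprocess.run([sys.executable, "-c", CHILD, str(rfd)], env=env,
                             pass_fds=(rfd,), capture_output=True, text=True,
                             check=True).stdout
    finally:
        os.close(rfd)                     # parent no longer needs the read end
    return json.loads(out)


if __name__ == "__main__":
    sample = "constructed-sample-token"   # not a real credential
    print("env  :", deliver_via_env(sample))
    print("pipe :", deliver_via_pipe(sample))
```

The pipe variant also shortens the secret's lifetime: once the child has read it, the only copy lives in that process's memory rather than in an environ block that persists for the process's whole life and is inherited by every further fork it performs.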

Generated by Secret Digger (Codex). Expires on Apr 8, 2026, 12:42 PM UTC.
