
[isolation] [PROC-ENV] Same-UID /proc environ exposes inherited secret-like env keys #1753

@github-actions

Description


Summary

A same-UID process can read inherited environment variables of sibling workflow processes through /proc/<pid>/environ. In this run, a sensitive-key name (AWF_ONE_SHOT_TOKENS) was observable across the active process chain, and value length was non-zero. No secret value was copied into this report.

This is an isolation-boundary concern because untrusted code executing as the same user can harvest inherited secret-like env material from other workflow processes.

Boundary Type

Process-isolation / environment-variable isolation boundary violation (/proc same-UID visibility).

Version

  • gh-aw version context: v0.67.2
  • Lock metadata file: .github/workflows/secret-digger-codex.lock.yml
  • compiler_version: v0.67.2
  • cli_version field: not present in lock metadata
  • GH_AW_INFO_CLI_VERSION: v0.67.2

How Found

Focused deep dive on /proc/<pid>/environ behavior using synthetic markers and process-chain sampling.

Key checks:

  1. Enumerated runner-owned process chain (awf-cmd-1.sh -> bash -> node -> codex).
  2. For each PID, checked key presence and value length only (no value logging).
  3. Ran synthetic controls to distinguish exec-time env exposure from runtime setenv behavior.
  4. Verified mitigation differential with PR_SET_DUMPABLE=0.

Reproduction (sanitized)

  1. Start a long-lived process with a marker env var at exec-time:
    • env SYNTH_BOUNDARY_MARKER=preexec-visible sleep 30 &
  2. From a sibling process under same UID, read:
    • tr '\0' '\n' < /proc/<pid>/environ | rg '^SYNTH_BOUNDARY_MARKER='
  3. Observe marker key is visible.
  4. Repeat against target workflow processes and check key names only:
    • tr '\0' '\n' < /proc/<pid>/environ | rg '^AWF_ONE_SHOT_TOKENS='
  5. Optional hardening differential:
    • If the target process sets PR_SET_DUMPABLE=0, same-UID reads of its /proc/<pid>/environ are denied.

Observed Results (sanitized)

  • AWF_ONE_SHOT_TOKENS key visible in multiple runner-owned processes.
  • Non-zero value length observed consistently (len=160) without disclosing content.
  • Short-lived synthetic marker processes were observable in 30/30 trials.
  • PR_SET_DUMPABLE=0 blocked sibling reads of /proc/<pid>/environ in the test helper.

Security Impact

Any same-UID code in the job context can scrape inherited secret-like env data from sibling processes via /proc, increasing secret exposure risk.

Suggested Mitigations

  • Avoid placing high-value secrets in process environment when possible.
  • Isolate untrusted and trusted steps/users to different UIDs.
  • Consider stricter procfs hardening (e.g., hidepid=2) where operationally feasible.
  • For sensitive helpers, set PR_SET_DUMPABLE=0 early before handling secrets.
  • Prefer short-lived secret delivery channels that are not globally inherited by child process trees.
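Added example, not the report's own test helper: a C program that reproduces the PR_SET_DUMPABLE=0 differential from reproduction step 5 in-process. The hardened process is the parent and the probing same-UID sibling is a forked child (that arrangement is my assumption); only the readability verdict is used, never the environ contents.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read /proc/<pid>/environ the way a same-UID sibling would. Returns 1 if
 * the read succeeds, 0 if the kernel denies access (EACCES/EPERM, i.e. the
 * ptrace_may_access() check behind environ refused), -1 on other errors. */
int environ_readable(pid_t pid) {
    char path[64], buf[256];
    snprintf(path, sizeof path, "/proc/%d/environ", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return (errno == EACCES || errno == EPERM) ? 0 : -1;
    ssize_t n = read(fd, buf, sizeof buf);
    int err = errno;
    close(fd);
    if (n >= 0) return 1;
    return (err == EACCES || err == EPERM) ? 0 : -1;
}

/* The report's mitigation differential, run in-process: optionally harden
 * this process with PR_SET_DUMPABLE=0 (what a secret-handling helper should
 * do before touching secrets), then fork a same-UID child that probes
 * /proc/<parent>/environ. Returns environ_readable()'s verdict and restores
 * the previous dumpable flag. Caveat: a prober holding CAP_SYS_PTRACE (e.g.
 * root) still reads the hardened environ, so this is no substitute for
 * running trusted and untrusted steps under different UIDs. */
int probe_as_sibling(int protect) {
    int old = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    if (protect) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
    pid_t pid = fork();
    if (pid == 0) _exit(environ_readable(getppid()) + 1); /* map -1..1 to 0..2 */
    int status = 0;
    if (pid > 0) waitpid(pid, &status, 0);
    if (old >= 0) prctl(PR_SET_DUMPABLE, old, 0, 0, 0);
    return pid < 0 ? -1 : WEXITSTATUS(status) - 1;
}

int main(void) {
    printf("unhardened helper readable=%d\n", probe_as_sibling(0));
    printf("PR_SET_DUMPABLE=0 helper readable=%d\n", probe_as_sibling(1));
    return 0;
}
```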

Generated by Secret Digger (Codex) · expires on Apr 8, 2026, 2:55 PM UTC
