Can environment variables created for a unix account be viewable by another account?

Question

If I run a program that accepts configs from environment variables under non-privileged user userA; can a user with root access read those environment varibles ?

score 2 · Answer 1 · answered Nov 04 '16 at 22:14

Usually the user root has no problems to see such variables. At least one way to do this is simply using the ps command:

# as non-privileged user
user@system$ foo=bar sleep 500

# as root
root@system# ps axe
... 0:00 sleep 500 foo=bar TERM=xterm ...

Visibility to another non-privileged account instead is usually not given.

score 0 · Answer 2 · answered Nov 05 '16 at 07:24

Yes, root can see such environment variables but the way to display them vary depending on the OS.

Under Linux, in addition the ps axe command already suggested, you might use:

$ pgrep apache | head -1
2510
$ sudo strings -a /proc/2510/environ
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/

On Solaris, if the UCB utilities are installed, /usr/ucb/ps axe will work, otherwise, there is a dedicated command to display environment variables:

# pargs -e 613
613:    /usr/sbin/syslogd
envp[0]: LC_COLLATE=fr_FR.UTF-8
envp[1]: LC_CTYPE=fr_FR.UTF-8
envp[2]: LC_MESSAGES=fr.UTF-8
envp[3]: LC_MONETARY=fr_FR.UTF-8
envp[4]: LC_NUMERIC=fr_FR.UTF-8
envp[5]: LC_TIME=fr_FR.UTF-8
envp[6]: PATH=/usr/sbin:/usr/bin
envp[7]: SMF_FMRI=svc:/system/system-log:default
envp[8]: SMF_METHOD=/lib/svc/method/system-log
envp[9]: SMF_RESTARTER=svc:/system/svc/restarter:default
envp[10]: TZ=Europe/Paris

AIX is providing a specific ps option to display process environments:

# ps ewww

Under HPUX, you need to attach a debugger to the process and display the _environ array contents, e.g.:

# gdb <pid>
p ((char**)_environ)[0]@10

This will display the first ten environment variables.

ps e option originates from BSD so should be available on all *BSD variants but on OS X, you should use ps -axe.

Can environment variables created for a unix account be viewable by another account?

2 Answers2