main: wipe SSH password/passphrase from environment memory#46
Open
acts-1631 wants to merge 1 commit into
Open
Conversation
mscp read MSCP_SSH_AUTH_PASSWORD and MSCP_SSH_AUTH_PASSPHRASE via getenv() and kept using the returned pointer for the process lifetime. On Linux, /proc/PID/environ exposes the original exec-time environment block to any local process running as the same uid, so the secret remained readable there for as long as the mscp process ran. Note that unsetenv() alone does not fix this: /proc/PID/environ reflects the raw memory the kernel copied at execve() time, not libc's environ[] bookkeeping that unsetenv()/setenv() manipulate. Verified experimentally: unsetenv() alone leaves the secret fully visible in /proc/PID/environ, while memset()'ing the bytes returned by getenv() actually clears it from that view. Copy the secret to the heap with strdup() and memset() the original environment bytes to zero. This keeps non-interactive usage (scripts, CI pipelines) working exactly as before while removing the secret from /proc/PID/environ for the remainder of the process's life. Verified end-to-end against a local sshd: while a passphrase-gated key-based transfer is in flight, /proc/<mscp-pid>/environ shows MSCP_SSH_AUTH_PASSPHRASE= with an empty value instead of the passphrase.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
mscp reads MSCP_SSH_AUTH_PASSWORD and MSCP_SSH_AUTH_PASSPHRASE with getenv() and keeps using that pointer for the life of the process. On Linux, /proc/PID/environ exposes the original environment block to any process running as the same user, so the secret stays readable there the whole time mscp is running.
Just calling unsetenv() doesn't fix this, I checked: /proc/PID/environ reflects the raw memory the kernel set up at exec time, not libc's environ[] array that unsetenv() updates. The fix has to overwrite the actual bytes.
This copies the value with strdup() and then memsets the original bytes to zero, plus calls unsetenv() for good measure. Scripts and CI that set these env vars keep working exactly the same; the only difference is the secret no longer lingers in /proc/PID/environ. Verified this end to end against a local sshd: mid-transfer, /proc//environ shows MSCP_SSH_AUTH_PASSPHRASE= with an empty value instead of the passphrase.