
It appears that a new Linux process inherits its parent's

  • present working directory,
  • umask,
  • process group (getpgid) and
  • process session (getsid).

Also, the parent's PID becomes the new process's PPID.

Given an empty environment, does a new Linux process inherit anything else?

I ask because I wish to let an untrustworthy caller spawn a trustworthy process, which itself spawns more trustworthy processes. The caller is not to be allowed to influence the trustworthy processes' operation.

(See also this related question.)

thb
  • In addition to this, real and effective userID/GroupID, the environment (including `PATH`), cgroups etcetera. Your parent process may even be running under `qemu` or `virtualbox`, in which case all bets are off. – Ljm Dullaart Feb 16 '21 at 17:23
  • 1
    A note on the environment: the environment is not inherited from the parent process in the same sense as the current directory or the umask. The environment is passed to the new program when it was s started using the execve system call. Thus the untrusted caller can put whatever it wants in the environment, and it is the responsibility of the new program to sanitize it. – Johan Myréen Feb 17 '21 at 07:28
  • @JohanMyréen: other than the current directory and the umask, is any state inherited about which I should be concerned? – thb Feb 17 '21 at 14:55
  • Open files remain open across a call to execve, unless marked close-on-exec. May I ask what you are trying to achieve? Is the trusted process setuid or setgid? If not, how are you going to prevent the untrusted program from doing directly (without calling the trusted program) whatever you don't want it to fool the trusted program to do? – Johan Myréen Feb 17 '21 at 18:40
  • @JohanMyréen Thank you. A full explanation would surely bore you, but inadvertent interference is more likely than a deliberate assault. In brief, here is my sequence: 1. The untrusted caller invokes a trusted wrapper. 2. Passing only LC_MESSAGES and the working directory, the trusted wrapper invokes a trusted shell script in a clean environment. 3. The trusted shell script, whose environment is clean except for LC_MESSAGES and the working directory, invokes various other programs. Nothing is setuid or setgid. – thb Feb 17 '21 at 21:36
  • 1
    Ok, if avoiding inadvertent interference is the goal, this may work. But keep in mind that the "attacker" can easily bypass your wrapper. – Johan Myréen Feb 18 '21 at 06:22
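The question lists what a forked child inherits (working directory, umask, process group, session, PPID) and the comments add open descriptors, which survive execve unless marked close-on-exec, and an environment that is whatever the caller passes to execve. The C program below is an added example, not code from the question or its comments. It first verifies the listed items with fork(), then implements the wrapper step from the comments: fork, reset signal state (a blocked signal mask and ignored dispositions also survive execve), mark every inherited descriptor above stderr close-on-exec, and execve the trusted program with an environment holding only an allow-listed LC_MESSAGES. The function names, the locale allow-list and its 64-character limit, and the use of /bin/sh and /proc/self/fd in the leak check are assumptions of this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork and let the child compare what it inherited with values the parent captured
 * just before fork(): cwd, umask, pgid, sid, ppid and an open fd. 1 = all match. */
int inherited_state_matches_parent(void)
{
    int fd = open("/dev/null", O_RDONLY);        /* fork() copies every open fd */
    if (fd < 0) return 0;
    pid_t me = getpid(), pg = getpgid(0), sid = getsid(0);
    mode_t mask = umask(0); umask(mask);         /* umask() only reports by replacing */
    char cwd[512], child_cwd[512];
    if (!getcwd(cwd, sizeof cwd)) return 0;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        int ok = getppid() == me && getpgid(0) == pg && getsid(0) == sid
              && umask(0) == mask && fcntl(fd, F_GETFD) != -1
              && getcwd(child_cwd, sizeof child_cwd) && strcmp(child_cwd, cwd) == 0;
        _exit(ok ? 0 : 1);
    }
    int status; close(fd);
    return waitpid(pid, &status, 0) == pid && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Mark every open fd >= lowfd close-on-exec (bounded sweep); returns the count marked. */
int mark_cloexec_from(int lowfd)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;
    int marked = 0;
    for (int fd = lowfd; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags != -1 && fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0) marked++;
    }
    return marked;
}

/* Environment for the trusted program: LC_MESSAGES only, and only if it looks like a
 * plain locale name (allow-list chosen for this example). Caller frees entry + array. */
char **build_clean_env(const char *lc)
{
    static const char allowed[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.@-";
    char **envp = calloc(2, sizeof *envp);       /* zero-filled, so NULL-terminated */
    if (!envp) return NULL;
    if (lc && *lc && strlen(lc) <= 64 && strspn(lc, allowed) == strlen(lc)) {
        size_t len = sizeof "LC_MESSAGES=" + strlen(lc);
        if (!(envp[0] = malloc(len))) { free(envp); return NULL; }
        snprintf(envp[0], len, "LC_MESSAGES=%s", lc);
    }
    return envp;
}

/* The wrapper step from the comments: keep the caller's working directory, but give
 * the trusted program a clean environment, no fds above 2, and default signal state
 * (a blocked or ignored signal survives execve). Returns the exit status, or -1. */
int spawn_trusted(const char *path, char *const argv[], char *const envp[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        sigset_t none; sigemptyset(&none);
        sigprocmask(SIG_SETMASK, &none, NULL);
        for (int sig = 1; sig < NSIG; sig++) signal(sig, SIG_DFL);
        mark_cloexec_from(3);
        execve(path, argv, envp);
        _exit(127);
    }
    int status; if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* 1 if an fd the caller left open is gone in the spawned program (needs /proc mounted). */
int leaked_fd_is_closed_in_child(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) return 0;
    char cmd[64];
    snprintf(cmd, sizeof cmd, "[ ! -e /proc/self/fd/%d ]", fd);
    char *const argv[] = { "sh", "-c", cmd, NULL };
    char *const envp[] = { NULL };
    int rc = spawn_trusted("/bin/sh", argv, envp);
    close(fd);
    return rc == 0;
}

int main(void)
{
    return inherited_state_matches_parent() && leaked_fd_is_closed_in_child() ? 0 : 1;
}
```

Compiles with any C99 compiler on Linux. Two design points match the comments above: the caller's environment is never copied wholesale, only one validated variable is re-created, and descriptors are marked close-on-exec rather than closed so the parent's own use of them is unaffected. As the last comment notes, none of this stops a caller from running the trusted program's dependencies directly; it only prevents the caller's state from reaching a program invoked through the wrapper.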

0 Answers