Skip to content

[isolation] [PROC-ENV] Same-UID /proc environ exposes token-like workflow variable across process boundary #1784

Open
Open
[isolation] [PROC-ENV] Same-UID /proc environ exposes token-like workflow variable across process boundary#1784
Labels
automationisolation-testingsecurity
@github-actions

Description

@github-actions
github-actions
bot
opened on Apr 8, 2026

Summary

A same-UID process can read token-like environment material from sibling processes via /proc/<pid>/environ inside the agent container boundary.

This run confirmed that AWF_ONE_SHOT_TOKENS is visible by key name and non-zero length from multiple runner-owned sibling processes (value intentionally not captured).

Why This Is a Boundary Violation

The sandbox boundary should prevent unrelated in-container processes from observing sensitive runtime credential material from other processes. Current behavior allows same-UID sibling inspection of env data via procfs.

Reproduction (value-safe)

  1. Enumerate runner-owned PIDs.
  2. For each PID, read /proc/<pid>/environ and check only for key presence and value length.
  3. Confirm key AWF_ONE_SHOT_TOKENS appears across multiple sibling processes with non-zero length.

Example methodology (redacted/value-safe):

  • tr '\0' '\n' < /proc/<pid>/environ | grep '^AWF_ONE_SHOT_TOKENS='
  • awk -F= '/^AWF_ONE_SHOT_TOKENS=/{print length($2)}'

Additional Differential Controls Run

  • Synthetic sibling env marker was visible via /proc/<pid>/environ (key only).
  • Synthetic argv marker was visible via /proc/<pid>/cmdline (control channel).
  • env -i clean-room child had no AWF token key (inheritance suppression works when explicitly cleared).
  • Cross-UID control: /proc/1/environ remained unreadable (0 bytes) while /proc/self/environ readable.

Observed Impact

Any same-UID process in the container runtime can enumerate sibling process environments and potentially harvest sensitive env values if present.

Version Information

  • Workflow lock file checked: .github/workflows/secret-digger-codex.lock.yml
  • cli_version field: not present in lock metadata
  • compiler_version: v0.67.2
  • Lock header generated-by version: gh-aw v0.67.2
  • GH_AW_INFO_AWF_VERSION observed in lock content: v0.25.13

Suggested Mitigations

  • Harden procfs visibility (e.g., hidepid=2 where feasible, with compatibility review).
  • Reduce exposure window and process spread of sensitive env vars.
  • Prefer one-shot file descriptor or IPC handoff over environment propagation.
  • Add regression test asserting sibling same-UID cannot read token-bearing env vars.

Generated by Secret Digger (Codex) ·

  • expires on Apr 9, 2026, 6:53 AM UTC

Metadata

Metadata

Assignees

No one assigned

    Labels

    automationisolation-testingsecurity

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions