Unix Environment Variables: Account Visibility

TL;DR

Generally, environment variables set for one Unix account are not directly visible to other accounts. However, there are ways another user could potentially see them, especially if the files containing the variables have incorrect permissions or through process inspection. This guide explains how environment variables work and what precautions you should take.

Understanding Environment Variables

Environment variables store configuration information that programs use. They’re typically set in shell startup files (like .bashrc, .zshrc, etc.) or directly within a shell session.

How Visibility Works

1. Separate Processes: Each Unix account runs its own processes with their own environment. A process can’t normally access the environment of another unrelated process.
2. Shell Startup Files: Environment variables defined in a user’s shell startup files are loaded when that user logs in or starts a new shell session. These files are typically located in the user’s home directory.
3. File Permissions: The key to visibility lies in file permissions. If a user has read access to another user’s shell startup files, they can see the variables defined within them.

Steps to Check and Secure Environment Variables

1. Check File Permissions: Verify that your shell startup files (e.g., .bashrc, .zshrc) have appropriate permissions.
   • Use the command ls -l ~/.bashrc (or replace with your shell’s file).
   • The output should look something like this: -rw------- 1 user user ... ~/.bashrc. The -rw------- part is important; it means only the owner (you) has read and write permissions.
2. Correct Permissions if Necessary: If your shell startup files are world-readable, change the permissions.

   chmod 600 ~/.bashrc

   This command sets the permissions so only you can read and write to the file.

3. Avoid Exporting Sensitive Information: Don’t store passwords, API keys, or other sensitive data directly in environment variables.
   • Consider using a secrets management tool instead.
4. Process Inspection (Advanced): A malicious user with sufficient privileges could potentially inspect running processes to see environment variables.
   • This is less common but possible, especially if a process is running with elevated permissions or has been compromised.
   • Regularly review running processes and their owners using tools like ps or top.
5. Check for Variables in Common Files: Sometimes variables are set globally (e.g., in /etc/environment).

   cat /etc/environment

   These files may be readable by all users.

6. Using `env` command: You can view your own environment variables using the env command.

   env

   This will list all currently set environment variables for your session. This does not show other user’s variables.

Summary

While Unix accounts generally have isolated environments, it’s crucial to protect the confidentiality of your shell startup files and avoid storing sensitive information in environment variables. Proper file permissions are the most important step in preventing unauthorized access.