See someone unused environment variable

Question

Let's say I log in as Bob to host server. Then i do :

export MYSEC='secret'

Let's say Alice has access to the same host and also sudo permissions.

How can Alice see the value of MYSEC?

Note : let's say Bob never closes the session so the value remains there and we allow Alice to work

score 1 · Answer 1 · answered May 14 '19 at 20:36

1

Alice dumps memory of the shell process that Bob has running, opens the dump in a hex editor, looks for MYSEC, then looks at value.

Used vs Unused has no bearing.

answered May 14 '19 at 20:36

Don Simon

71
3

Awesome. Can you elaborate on how to do the memory dump? – Matias Barrios May 14 '19 at 20:37

score 1 · Answer 2 · answered May 15 '19 at 07:18

1

Scraping memory is waaaaaay overcomplicating things. Just look in /proc/<pid>/environ, for any <pid> owned by bob in which he set the environment variable of interest, and out it'll drop. The entries in that file are NULL-separated by default; for display purposes, cat /proc/<pid>/environ | tr '\0' '\n' is suggested.

answered May 15 '19 at 07:18

womble

96,255
29
175
230

That works for any _child_ of the shell where bob exported the var (if the child lives long enough to look at) but not the shell itself. – dave_thompson_085 May 15 '19 at 09:11

score 0 · Answer 3 · answered May 15 '19 at 00:23

Well, for anyone interested in how to do this :

Alice logs in and searches for the PID of Bob's Bash session.

Let's say is 34232.

Then Alice makes a memory dump of this as :

gdb -p 34232
gcore memory_dump.bin
quit

Now open the file with vim and search for the name of the variable. It is repeated several times. Just hit n until you find it.

See someone unused environment variable

3 Answers3