Summary
A same-UID process can read token-like environment material from sibling processes via /proc/<pid>/environ inside the agent container boundary.
This run confirmed that AWF_ONE_SHOT_TOKENS is visible by key name and non-zero length from multiple runner-owned sibling processes (value intentionally not captured).
Why This Is a Boundary Violation
The sandbox boundary should prevent unrelated in-container processes from observing sensitive runtime credential material from other processes. Current behavior allows same-UID sibling inspection of env data via procfs.
Reproduction (value-safe)
- Enumerate runner-owned PIDs.
- For each PID, read
/proc/<pid>/environ and check only for key presence and value length.
- Confirm key
AWF_ONE_SHOT_TOKENS appears across multiple sibling processes with non-zero length.
Example methodology (redacted/value-safe):
tr '\0' '\n' < /proc/<pid>/environ | grep '^AWF_ONE_SHOT_TOKENS='awk -F= '/^AWF_ONE_SHOT_TOKENS=/{print length($2)}'
Additional Differential Controls Run
- Synthetic sibling env marker was visible via
/proc/<pid>/environ (key only).
- Synthetic argv marker was visible via
/proc/<pid>/cmdline (control channel).
env -i clean-room child had no AWF token key (inheritance suppression works when explicitly cleared).- Cross-UID control:
/proc/1/environ remained unreadable (0 bytes) while /proc/self/environ readable.
Observed Impact
Any same-UID process in the container runtime can enumerate sibling process environments and potentially harvest sensitive env values if present.
Version Information
- Workflow lock file checked:
.github/workflows/secret-digger-codex.lock.yml
cli_version field: not present in lock metadatacompiler_version: v0.67.2- Lock header generated-by version:
gh-aw v0.67.2
GH_AW_INFO_AWF_VERSION observed in lock content: v0.25.13
Suggested Mitigations
- Harden procfs visibility (e.g.,
hidepid=2 where feasible, with compatibility review).
- Reduce exposure window and process spread of sensitive env vars.
- Prefer one-shot file descriptor or IPC handoff over environment propagation.
- Add regression test asserting sibling same-UID cannot read token-bearing env vars.
Generated by Secret Digger (Codex) · ◷
Summary
A same-UID process can read token-like environment material from sibling processes via
/proc/<pid>/environinside the agent container boundary.This run confirmed that
AWF_ONE_SHOT_TOKENSis visible by key name and non-zero length from multiple runner-owned sibling processes (value intentionally not captured).Why This Is a Boundary Violation
The sandbox boundary should prevent unrelated in-container processes from observing sensitive runtime credential material from other processes. Current behavior allows same-UID sibling inspection of env data via procfs.
Reproduction (value-safe)
/proc/<pid>/environand check only for key presence and value length.AWF_ONE_SHOT_TOKENSappears across multiple sibling processes with non-zero length.Example methodology (redacted/value-safe):
tr '\0' '\n' < /proc/<pid>/environ | grep '^AWF_ONE_SHOT_TOKENS='awk -F= '/^AWF_ONE_SHOT_TOKENS=/{print length($2)}'Additional Differential Controls Run
/proc/<pid>/environ(key only)./proc/<pid>/cmdline(control channel).env -iclean-room child had no AWF token key (inheritance suppression works when explicitly cleared)./proc/1/environremained unreadable (0 bytes) while/proc/self/environreadable.Observed Impact
Any same-UID process in the container runtime can enumerate sibling process environments and potentially harvest sensitive env values if present.
Version Information
.github/workflows/secret-digger-codex.lock.ymlcli_versionfield: not present in lock metadatacompiler_version:v0.67.2gh-aw v0.67.2GH_AW_INFO_AWF_VERSIONobserved in lock content:v0.25.13Suggested Mitigations
hidepid=2where feasible, with compatibility review).