Friday, April 10, 2015

what is really shown by /proc/pid/environ

Have you ever inspected /proc/<pid>/environ and concluded it contains something which could not possibly be an environment? Or maybe it looked like an environment, but could not possibly match what was used by the process?

Let's start with making it clear what the process environment is.

It's just a table with key=value strings passed around during execve(2).

Then the kernel puts it on the stack of the new process and stores the address for possible later use.

There is absolutely no magic involved. When you execute a process you can pass any environment you want.

When someone reads from /proc/<pid>/environ, the kernel grabs the environment address it stored during execve and reads from the target process's address space.

But is the environment really there? Well, possibly.

Userspace is free to move it wherever it wants, and sometimes it has to if the process adds more variables.

As such, if the content looks sane as an environment, you can be reasonably sure this is the environment the process started with. But based on this you cannot know what modifications (if any) were made.

If you really need to know the environment state, your situation is not that bad. POSIX defines the 'environ' symbol, which is supposed to always point to the current environment, so interested parties can easily inspect it by e.g. attaching to the process with gdb.
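The divergence is easy to reproduce from inside a process. The following is an added example, not code from the original post: it adds a variable after execve and then looks for it both through 'environ' and through /proc/self/environ. The variable name and the two helper functions are made up for the demo, and it assumes Linux with /proc mounted.

```c
#define _POSIX_C_SOURCE 200809L      /* for setenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;               /* POSIX: points at the current environment */

#define DEMO_VAR "ENVIRON_DEMO_ADDED_AFTER_EXEC"   /* constructed name for this demo */

/* 1 if NAME is set in the live environment (what getenv() sees), else 0. */
int live_environ_has(const char *name)
{
    size_t len = strlen(name);
    for (char **e = environ; e && *e; e++)
        if (strncmp(*e, name, len) == 0 && (*e)[len] == '=')
            return 1;
    return 0;
}

/* 1 if NAME appears in /proc/self/environ, 0 if not, -1 if it cannot be read. */
int proc_environ_has(const char *name)
{
    FILE *f = fopen("/proc/self/environ", "r");
    if (!f) return -1;
    size_t cap = 4096, n = 0, got, len = strlen(name);
    char *buf = malloc(cap + 1);
    while (buf && (got = fread(buf + n, 1, cap - n, f)) > 0) {
        n += got;
        if (n == cap) {              /* buffer full: grow it and keep reading */
            char *tmp = realloc(buf, (cap *= 2) + 1);
            if (!tmp) { free(buf); buf = NULL; } else buf = tmp;
        }
    }
    fclose(f);
    if (!buf) return -1;
    buf[n] = '\0';
    int found = 0;                   /* entries are NUL-separated key=value strings */
    for (size_t off = 0; off < n && !found; off += strlen(buf + off) + 1)
        found = strncmp(buf + off, name, len) == 0 && buf[off + len] == '=';
    free(buf);
    return found;
}

int main(void)
{
    setenv(DEMO_VAR, "1", 1);        /* modify the environment after execve */
    printf("live environ: %d, /proc/self/environ: %d\n",
           live_environ_has(DEMO_VAR), proc_environ_has(DEMO_VAR));
    return 0;
}
```

The new string lives outside the region whose address the kernel recorded at execve, so the process sees the variable while /proc/self/environ does not.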

