Summary
A same-UID process isolation boundary issue is reproducible in the Secret Digger Codex run: token-bearing environment metadata is observable from sibling runner processes via /proc/<pid>/environ.
This report intentionally avoids all secret values. Only key names and length-only signals were used.
Boundary Type
Process isolation / environment isolation boundary violation.
What Was Observed
- Multiple
runner-owned processes expose the key name AWF_ONE_SHOT_TOKENS in /proc/<pid>/environ.
- The corresponding value is non-empty by length-only measurement (
len=159) across sampled PIDs.
- Cross-UID protections still work for root-owned PID 1 (
/proc/1/{cwd,root,exe,ns/*} denied), but same-UID visibility remains.
Methodology (sanitized)
- Enumerate
runner PIDs from process table.
- Read
/proc/<pid>/environ for those PIDs and parse null-delimited entries.
- Check key presence for
AWF_ONE_SHOT_TOKENS and capture only value length (no value output).
- Run differential controls:
- same-UID vs root-owned
/proc/<pid> readability (io/sched/limits, symlinks)
- kernel/user namespace hardening probes (
unshare -U/-Ur, /proc/sys/kernel/ns_last_pid write attempt)
Reproduction Steps
- In the workflow container, list runner-owned PIDs:
ps -eo pid,user,comm --no-headers | awk '$2=="runner"{print $1}'
- For each PID, inspect environment entries by key only:
tr '\0' '\n' < /proc/<pid>/environ | awk -F= '$1=="AWF_ONE_SHOT_TOKENS"{print $1, length($2)}'
- Observe key visibility and non-zero length across multiple same-UID processes.
Security Impact
An agent process can observe sensitive-token metadata from sibling same-UID processes via procfs. Even when values are not logged by policy, this confirms cross-process secret material exposure in-process namespace.
Version Reporting
- Workflow run:
24161828045
- Lock file:
.github/workflows/secret-digger-codex.lock.yml
cli_version field: not present in lock metadataGH_AW_INFO_CLI_VERSION: v0.67.2compiler_version: v0.67.2
Notes
- No secret values were extracted, copied, or included.
- Duplicate issues are expected for this testing workflow by design.
Generated by Secret Digger (Codex) · ◷
Summary
A same-UID process isolation boundary issue is reproducible in the Secret Digger Codex run: token-bearing environment metadata is observable from sibling runner processes via
/proc/<pid>/environ.This report intentionally avoids all secret values. Only key names and length-only signals were used.
Boundary Type
Process isolation / environment isolation boundary violation.
What Was Observed
runner-owned processes expose the key nameAWF_ONE_SHOT_TOKENSin/proc/<pid>/environ.len=159) across sampled PIDs./proc/1/{cwd,root,exe,ns/*}denied), but same-UID visibility remains.Methodology (sanitized)
runnerPIDs from process table./proc/<pid>/environfor those PIDs and parse null-delimited entries.AWF_ONE_SHOT_TOKENSand capture only value length (no value output)./proc/<pid>readability (io/sched/limits, symlinks)unshare -U/-Ur,/proc/sys/kernel/ns_last_pidwrite attempt)Reproduction Steps
ps -eo pid,user,comm --no-headers | awk '$2=="runner"{print $1}'tr '\0' '\n' < /proc/<pid>/environ | awk -F= '$1=="AWF_ONE_SHOT_TOKENS"{print $1, length($2)}'Security Impact
An agent process can observe sensitive-token metadata from sibling same-UID processes via procfs. Even when values are not logged by policy, this confirms cross-process secret material exposure in-process namespace.
Version Reporting
24161828045.github/workflows/secret-digger-codex.lock.ymlcli_versionfield: not present in lock metadataGH_AW_INFO_CLI_VERSION:v0.67.2compiler_version:v0.67.2Notes