[GH-ISSUE #3350] Error: too many environment variables #2102

Closed
opened 2026-05-05 08:46:53 -06:00 by gitea-mirror · 5 comments

Originally created by @matu3ba on GitHub (Apr 13, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3350

Currently the number of environment variables is restricted to 100 in `firejail.h`.

```
#define MAX_ENVS 100	// some sane maximum number of environment variables
```

For tmux or screen (or weird shell quirks) these however blow up to, in my case, 171. When I call git push/pull from within tmux, this fails with `fprintf(stderr, "Error: too many environment variables\n");`. Any standard shell uses ~80 environment variables (`printenv | wc -l`).
What is the advisory for such programs? Do there exist techniques to drop the variables for the program call, so it has no access to the unnecessary environment information, or is this still wild west-like?


@rusty-snake commented on GitHub (Apr 13, 2020):

You can add something like this to a .local:

```
rmenv FOO
rmenv BAR
rmenv DISPLAY
rmenv LC_ALL
rmenv XDG_SESSION_TYPE
rmenv XAUTHORITY
```

@topimiettinen commented on GitHub (Apr 13, 2020):

I have 64 variables, so 100 seemed to have some safety margin. But 256 would be fine too.

If a variable is only used by a certain CLI program (for example LS_COLORS for ls), you can use bash aliases:

```
v=$(vivid)
alias ls="LS_COLORS=$v /bin/ls --color=auto"
```

GNU coreutils contains the `env` program, which can be used for cleaning the environment.

The environment variables could be used for a classic [stack smashing attack](https://insecure.org/stf/smashstack.html). Using 256 variables, each MAX_ENV_LEN (4096+32), totals a bit more than 1MB, which should not be enough for the attack on a 64-bit system.

How do screen and tmux use the variables? Manual pages for [tmux](http://man.openbsd.org/OpenBSD-current/man1/tmux.1#ENVIRONMENT) and [screen](https://www.gnu.org/software/screen/manual/screen.html#Environment) don't mention anything special.


@matu3ba commented on GitHub (Apr 15, 2020):

@topimiettinen I use tmux with a quirk to run in appimages.
I do use `oh my tmux`, but other enhancements usually are configured via environment variables.

```
printenv | grep tmux | wc -l
88
```


@matu3ba commented on GitHub (Apr 15, 2020):

> You can add something like this to a .local:
>
> ```
> rmenv FOO
> rmenv BAR
> rmenv DISPLAY
> rmenv LC_ALL
> rmenv XDG_SESSION_TYPE
> rmenv XAUTHORITY
> ```

This does not seem to support globbing, i.e. `rmenv tmux*` or `rmenv tmux.*`, but `unset` does not either.
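Added example (not part of the thread and not firejail code): because `rmenv` takes literal names only, this POSIX shell script expands a glob over the current environment into one `rmenv` line per match, and also shows the `env -i` allowlist approach mentioned earlier in the thread. The function names, `KEEP_ENV` and its default list are assumptions made for illustration; `MAX_ENVS=100` is the value quoted in the issue.

```shell
#!/bin/sh
# Added example, not firejail code. Assumes a POSIX sh and awk.
MAX_ENVS=100   # limit quoted in the issue (firejail.h)

# Names of all exported variables, one per line, sorted. awk's ENVIRON is
# used instead of parsing `env` output so multi-line values cannot be
# mistaken for extra NAME=value entries.
env_names() {
    awk 'BEGIN { for (n in ENVIRON) if (n ~ /^[A-Za-z_][A-Za-z0-9_]*$/) print n }' | sort
}

# Number of exported variables, to compare with MAX_ENVS.
env_count() {
    env_names | wc -l | tr -d ' '
}

# Emit one "rmenv NAME" profile line per variable whose name matches the
# shell glob in $1 (rmenv itself takes a literal name only).
rmenv_lines() {
    env_names | while IFS= read -r name; do
        case $name in
            $1) printf 'rmenv %s\n' "$name" ;;
        esac
    done
}

# Run "$@" with an environment holding only the allowlisted names in
# KEEP_ENV (space separated). Names come from this fixed list, never from
# untrusted input, which is what makes the eval below acceptable.
run_clean() {
    for n in ${KEEP_ENV:-HOME PATH TERM LANG}; do
        if eval "[ -n \"\${$n+set}\" ]"; then
            eval "set -- \"$n=\${$n}\" \"\$@\""
        fi
    done
    env -i "$@"
}

# Stand-alone use: sh this-file 'TMUX*'  prints the rmenv lines to review.
if [ "$#" -gt 0 ]; then
    echo "# $(env_count) variables exported, limit $MAX_ENVS"
    rmenv_lines "$1"
fi
```

Review the generated lines before appending them to the profile's .local file, since a broad glob can remove variables the sandboxed program needs. With `run_clean`, the reduction happens before firejail starts, so the sandbox never sees the dropped variables at all.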


@Grinkers commented on GitHub (Apr 25, 2020):

I normally have about 80 variables and after using byobu (tmux) I end up with 105. It looks like it's used for things like color, window naming, etc sort of things.

For the time being, I've just set `MAX_ENVS` to 256.

Reference: github-starred/firejail#2102