Environment Variables in Linux: Red Team Exploits and Blue Team Defenses

Environment variables are a foundational concept in Linux-like systems, providing a way to store configuration values, session settings, and system-wide preferences.
They are both powerful tools for legitimate administration and potential attack vectors when misused.

In this article, we'll cover:

  • Basics of environment variables
  • Legitimate usage in Linux
  • Red team exploitation techniques
  • Blue team defense strategies
  • Practical code samples

Understanding Environment Variables

Environment variables are key-value pairs that affect the way running processes behave. They can be system-wide or per-user session.

Example of listing environment variables:

printenv
# or
env

Example of setting an environment variable:

export MY_VAR="HelloWorld"
echo $MY_VAR

Variables can also be set temporarily for a single command:

MY_VAR="TempValue" ./my_program

Common environment variables:

  • PATH — search path for executable files
  • HOME — user's home directory
  • LD_LIBRARY_PATH — dynamic linker search path
  • USER — current username
  • SHELL — current shell path

Red Team Usage and Attacks

From an offensive security perspective, environment variables can be manipulated to achieve privilege escalation, persistence, or data exfiltration.

PATH Hijacking

If a privileged script or binary executes a command without specifying the full path, attackers can modify PATH to run their own malicious executable.

# Attacker sets malicious PATH
export PATH="/tmp/malicious:$PATH"
 
# Create malicious ls binary
echo -e '#!/bin/bash\necho "Owned!"' > /tmp/malicious/ls
chmod +x /tmp/malicious/ls
 
# Now 'ls' runs attacker's script if executed by victim
ls

LD_PRELOAD Injection

Attackers can preload malicious shared libraries before executing binaries.

export LD_PRELOAD=/tmp/malicious.so

If the target program does not sanitize LD_PRELOAD, the malicious .so file runs first.

Information Leakage

Sensitive credentials (API keys, database passwords) are sometimes stored in environment variables. Red teams can harvest them via:

cat /proc/$PID/environ

SSH Backdoor via Environment Variables

Attackers can use AuthorizedKeysCommand in sshd_config to fetch keys from an environment variable source.

Environment variables can be abused to create a stealthy SSH backdoor by influencing how sshd loads authorized keys. Normally, SSH keys are stored in ~/.ssh/authorized_keys, but sshd can be configured to fetch keys dynamically using the AuthorizedKeysCommand directive in /etc/ssh/sshd_config. If this command reads keys from an environment variable—passed at session start or set globally in /etc/environment—an attacker with write access could insert their own public key without touching the authorized keys file, bypassing traditional file integrity checks. For example, in a test VM, you could create a script /usr/local/bin/getkeys.sh that simply prints the contents of an $SSH_BACKDOOR_KEY environment variable, set that variable to contain your public key, and configure AuthorizedKeysCommand /usr/local/bin/getkeys.sh with AuthorizedKeysCommandUser root. After restarting sshd, any client with the matching private key would gain SSH access. This technique works because the key source is abstracted, making it harder to detect—ideal for a red team proof-of-concept. Defensively, blue teams should avoid dynamic key loading from environment variables and strictly control sshd_config permissions.

Blue Team Best Practices

Restrict and Sanitize PATH

  • Always use absolute paths in scripts:
/usr/bin/ls
  • Do not include writable directories in PATH for privileged users.

Clear Sensitive Variables

Unset sensitive environment variables before running privileged commands:

unset API_KEY
unset PASSWORD

Disable Dangerous Variables

In /etc/sudoers:

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults env_reset

Monitor and Audit

  • Use auditd to monitor environment variable changes.
  • Regularly check /proc/$PID/environ for suspicious variables.

Example audit rule:

auditctl -a always,exit -F arch=b64 -S execve -k env_watch

Limit LD_PRELOAD and LD_LIBRARY_PATH Abuse

  • Set ld.so configs to ignore these variables for privileged binaries (/etc/ld.so.preload).
  • Use noexec mount option for /tmp and /dev/shm.

Summary

Environment variables are integral to Linux systems, but they can be weaponized if left unchecked. Red teams exploit them for stealth, privilege escalation, and persistence, while blue teams must enforce strict path usage, sanitize sensitive variables, and monitor for abnormal changes.

By combining operational hygiene with active monitoring, defenders can drastically reduce the risk of environment variable abuse.

Love it? Share this article: