Thanks. I'm mainly looking at this from the point of how your secrets could be accidentally exposed.
I applaud postfix for sanitising the ENV, and it's very good practice to do so. But are all the frameworks doing it correctly? Maybe some code is then also just spawning new processes without sanitising? You could argue that's a bug then (with which I completely agree), but not all projects are run like postfix...
The basic system call, execve, requires that you specify the environment explicitly. The whole idea of an inherited environment is a construct of shells and historic libc functions, and the libc functions that do not have an explicit environment should be deprecated. The man page examples show constructing the environment from scratch, which is best practice: you should never refer to the whole environment, just access individual items from it, i.e. never reference environ, just getenv etc.
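An added example (not from the thread) in C of the approach just described: build envp from scratch using an allow-list and getenv(), then pass it to execve(), so anything the parent set outside the list (LD_PRELOAD in the constructed scenario) never reaches the child. The allow-list in ALLOWED and the values set inside demo_clean_env are assumptions made up for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Allow-list of variables the child may inherit (an assumption for this example). */
static const char *const ALLOWED[] = { "PATH", "LANG", "TZ", NULL };

/* Build envp from scratch: only allow-listed names, each fetched with getenv(), never
 * by walking environ. Returns the entry count, or -1 if out is too small or malloc fails. */
int build_clean_env(char **out, size_t cap, const char *const *allowed) {
    size_t n = 0;
    for (size_t i = 0; allowed[i] != NULL; i++) {
        const char *val = getenv(allowed[i]);
        if (val == NULL) continue;                 /* absent in the parent: do not invent it */
        size_t len = strlen(allowed[i]) + 1 + strlen(val) + 1;
        char *entry = (n + 1 < cap) ? malloc(len) : NULL;   /* keep room for the NULL */
        if (entry == NULL) { out[n] = NULL; return -1; }
        snprintf(entry, len, "%s=%s", allowed[i], val);
        out[n++] = entry;
    }
    out[n] = NULL;
    return (int)n;
}

/* 1 if an entry "name=..." is present in envp, else 0. */
int env_has(char *const *envp, const char *name) {
    size_t nl = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], name, nl) == 0 && envp[i][nl] == '=') return 1;
    return 0;
}

/* Constructed scenario: the parent's environment carries LD_PRELOAD and PATH; only PATH survives. */
char **demo_clean_env(void) {
    static char *envp[8];
    setenv("LD_PRELOAD", "/tmp/constructed-example.so", 1);
    setenv("PATH", "/usr/bin:/bin", 1);
    if (build_clean_env(envp, 8, ALLOWED) < 0) envp[0] = NULL;
    return envp;
}

int main(void) {
    char **envp = demo_clean_env();
    char *const argv[] = { "/usr/bin/env", NULL };   /* prints what the child actually sees */
    execve(argv[0], argv, envp);                     /* returns only on failure */
    perror("execve");
    return 1;
}
```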
I doubt many projects take the same disciplined (akin to micro-services) approach that postfix does:
... mail delivery is done by daemon processes that have no parental
relationship with user processes. This eliminates a large variety of
potential security exploits with environment variables, signal handlers,
and with other process attributes that UNIX passes on from parent to child.
[edit] sorry for the spam, there was some problem with the submission form.