userdb: when loading a user record from JSON, mark 'secret' section in JSON variant...

When we load a user record we retain a reference to the original JSON.
Thus the loaded objects might live at least as long as our user record
object, hence we better make sure we set the 'sensitive' flag for the
'secret' section if it's not marked like that yet.

This is paranoia only: we already should be setting this flag properly
earlier, when acquiring the json variant in the first place. But it's
better to be safe than sorry.

diff --git a/src/shared/user-record.c b/src/shared/user-record.c
index 20f5d9224648c10da22dc87f9de4bbe79f577919..09e96f0c9a5ce3b9ad2d3d74a497d8d4e06cb55e 100644 (file)
--- a/src/shared/user-record.c
+++ b/src/shared/user-record.c
@@ -1531,6 +1531,11 @@ int user_group_record_mangle(
         if (USER_RECORD_STRIP_MASK(load_flags) == _USER_RECORD_MASK_MAX) /* strip everything? */
                 return json_log(v, json_flags, SYNTHETIC_ERRNO(EINVAL), "Stripping everything from record, refusing.");
 
+        /* Extra safety: mark the "secret" part (that contains literal passwords and such) as sensitive, so
+         * that it is not included in debug output and erased from memory when we are done. We do this for
+         * any record that passes through here. */
+        sd_json_variant_sensitive(sd_json_variant_by_key(v, "secret"));
+
         /* Check if we have the special sections and if they match our flags set */
         FOREACH_ELEMENT(i, mask_field) {
                 sd_json_variant *e, *k;