From: Luca Boccassi Date: Sun, 22 Jun 2025 15:44:02 +0000 (+0100) Subject: homed: do not log new password when debug logs are enabled X-Git-Tag: v258-rc1~274 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e248790263b63822cdffa399b593a272d7abddc8;p=thirdparty%2Fsystemd.git homed: do not log new password when debug logs are enabled systemd-homed[3443]: Sending to worker: { "enforcePasswordPolicy": false, "userName": "foobarbaz", "perMachine": [ { "storage": "directory", "matchMachineId": "c1082742b92c4f7e8d30d6b17f9d3351" } ], "disposition": "regular", "lastChangeUSec": 1750606709833174, "lastPasswordChangeUSec": 1750606709833174, "privileged": { "hashedPassword": [ "$y$j9T$ai2Fshq0ev9W05WL4SoRJ1$EFfe41ACrJKXMCQ83A05n6UW.HrRr9/O4b1x0CXgAXD" ] }, "binding": { "c1082742b92c4f7e8d30d6b17f9d3351": { "blobDirectory": "/var/cache/systemd/home/foobarbaz", "uid": 60056, "gid": 60056 } }, "secret": { "password": [ "test" ] }, "__systemd_homework_internal_blob_fdmap": {} }
---
diff --git a/src/home/homed-home.c b/src/home/homed-home.c
index 38da41332be..be6a7bf5150 100644
--- a/src/home/homed-home.c
+++ b/src/home/homed-home.c
@@ -1300,7 +1300,16 @@ static int home_start_work(
 if (stdin_fd < 0)
 return stdin_fd;
 
- log_debug("Sending to worker: %s", formatted);
+ if (DEBUG_LOGGING) {
+ _cleanup_(erase_and_freep) char *censored_text = NULL;
+
+ /* Suppress sensitive fields in the debug output */
+ r = sd_json_variant_format(v, /* flags= */ SD_JSON_FORMAT_CENSOR_SENSITIVE, &censored_text);
+ if (r < 0)
+ return r;
+
+ log_debug("Sending to worker: %s", censored_text);
+ }
 
 stdout_fd = memfd_new("homework-stdout");
 if (stdout_fd < 0)
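Review bot: The censoring in the new `if (DEBUG_LOGGING)` block can only hide subtrees of `v` that were marked sensitive beforehand, and nothing in this hunk shows where that marking happens, so the guarantee is implicit. Going by the sample in the commit message, `secret.password` is the field that must disappear, while `privileged.hashedPassword` would remain an offline-crackable value if it still reaches the debug log; whether it is marked is not visible here. I would extend the comment to something like `/* Relies on the "secret" section of v being marked sensitive when the record is assembled; hashed passwords are hidden only if marked too */` and pin it with a test on the formatted output. Separately, `if (r < 0) return r;` lets a failure of debug-only formatting abort the whole operation; reporting it with `log_debug_errno()` and continuing may be preferable if that fits local convention. The body of home_start_work starts and ends outside the hunk.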