homed: do not log new password when debug logs are enabled
authorLuca Boccassi <luca.boccassi@gmail.com>
Sun, 22 Jun 2025 15:44:02 +0000 (16:44 +0100)
committerLuca Boccassi <luca.boccassi@gmail.com>
Wed, 25 Jun 2025 17:17:42 +0000 (18:17 +0100)
systemd-homed[3443]: Sending to worker:
{
  "enforcePasswordPolicy": false,
  "userName": "foobarbaz",
  "perMachine": [
    {
      "storage": "directory",
      "matchMachineId": "c1082742b92c4f7e8d30d6b17f9d3351"
    }
  ],
  "disposition": "regular",
  "lastChangeUSec": 1750606709833174,
  "lastPasswordChangeUSec": 1750606709833174,
  "privileged": {
    "hashedPassword": [
      "$y$j9T$ai2Fshq0ev9W05WL4SoRJ1$EFfe41ACrJKXMCQ83A05n6UW.HrRr9/O4b1x0CXgAXD"
    ]
  },
  "binding": {
    "c1082742b92c4f7e8d30d6b17f9d3351": {
      "blobDirectory": "/var/cache/systemd/home/foobarbaz",
      "uid": 60056,
      "gid": 60056
    }
  },
  "secret": {
    "password": [
      "test"
    ]
  },
  "__systemd_homework_internal_blob_fdmap": {}
}

(cherry picked from commit e248790263b63822cdffa399b593a272d7abddc8)
(cherry picked from commit a283e832dabd35d9f6e6aace0525ecf4f6372b57)

src/home/homed-home.c

index 757881c2e6021719199c089c83f678d5a2648f19..46d6c6c3861e08d066b7bf8951435396b9b042e6 100644 (file)
@@ -1269,7 +1269,16 @@ static int home_start_work(
         if (stdin_fd < 0)
                 return stdin_fd;
 
-        log_debug("Sending to worker: %s", formatted);
+        if (DEBUG_LOGGING) {
+                _cleanup_(erase_and_freep) char *censored_text = NULL;
+
+                /* Suppress sensitive fields in the debug output */
+                r = json_variant_format(v, /* flags= */ JSON_FORMAT_CENSOR_SENSITIVE, &censored_text);
+                if (r < 0)
+                        return r;
+
+                log_debug("Sending to worker: %s", censored_text);
+        }
 
         stdout_fd = memfd_create_wrapper("homework-stdout", MFD_CLOEXEC | MFD_NOEXEC_SEAL);
         if (stdout_fd < 0)
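Review bot: The `return r` after `json_variant_format()` lets a formatting failure on a debug-only path abort `home_start_work()`, so the operation can fail with debug logging enabled where it would succeed without it. Since `censored_text` is used only for the log line, the block could degrade instead: `if (r < 0) log_debug_errno(r, "Failed to format censored record, skipping debug output: %m"); else log_debug("Sending to worker: %s", censored_text);`. Separately, `JSON_FORMAT_CENSOR_SENSITIVE` can only hide fields that are flagged sensitive on `v`, and that flagging is not visible in this hunk. The sample in the commit message also prints `privileged.hashedPassword`, so it is worth confirming whether hashes are meant to stay in debug logs and extending the comment to say which sections are suppressed. The function body starts and ends outside the hunk, so whether `stdin_fd` is released on this early return cannot be checked from here.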